From 0a9488e2eaa99b875d61bd5b86e86ba588b27be4 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 21 Jan 2019 13:01:41 +0100 Subject: [PATCH] 4.9-stable patches added patches: arm64-kaslr-ensure-randomized-quantities-are-clean-to-the-poc.patch block-loop-use-global-lock-for-ioctl-operation.patch blockdev-fix-livelocks-on-loop-device.patch disable-msi-also-when-pcie-octeon.pcie_disable-on.patch loop-fix-double-mutex_unlock-loop_ctl_mutex-in-loop_control_ioctl.patch loop-fold-__loop_release-into-loop_release.patch loop-get-rid-of-loop_index_mutex.patch lsm-check-for-null-cred-security-on-free.patch media-vb2-vb2_mmap-move-lock-up.patch media-vivid-fix-error-handling-of-kthread_run.patch media-vivid-set-min-width-height-to-a-value-0.patch mfd-tps6586x-handle-interrupts-on-suspend.patch mips-fix-n32-compat_ipc_parse_version.patch netfilter-ebtables-account-ebt_table_info-to-kmemcg.patch omap2fb-fix-stack-memory-disclosure.patch sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch selinux-fix-gpf-on-invalid-policy.patch sunrpc-handle-enomem-in-rpcb_getport_async.patch tipc-fix-uninit-value-in-tipc_nl_compat_bearer_enable.patch tipc-fix-uninit-value-in-tipc_nl_compat_doit.patch tipc-fix-uninit-value-in-tipc_nl_compat_link_reset_stats.patch tipc-fix-uninit-value-in-tipc_nl_compat_link_set.patch tipc-fix-uninit-value-in-tipc_nl_compat_name_table_dump.patch --- ...ized-quantities-are-clean-to-the-poc.patch | 70 +++++++ ...-use-global-lock-for-ioctl-operation.patch | 195 ++++++++++++++++++ ...lockdev-fix-livelocks-on-loop-device.patch | 123 +++++++++++ ...lso-when-pcie-octeon.pcie_disable-on.patch | 40 ++++ ...loop_ctl_mutex-in-loop_control_ioctl.patch | 40 ++++ ...old-__loop_release-into-loop_release.patch | 64 ++++++ .../loop-get-rid-of-loop_index_mutex.patch | 161 +++++++++++++++ ...check-for-null-cred-security-on-free.patch | 41 ++++ .../media-vb2-vb2_mmap-move-lock-up.patch | 65 ++++++ ...id-fix-error-handling-of-kthread_run.patch | 57 +++++ ...id-set-min-width-height-to-a-value-0.patch | 35 ++++ 
...ps6586x-handle-interrupts-on-suspend.patch | 94 +++++++++ ...ips-fix-n32-compat_ipc_parse_version.patch | 41 ++++ ...les-account-ebt_table_info-to-kmemcg.patch | 56 +++++ .../omap2fb-fix-stack-memory-disclosure.patch | 41 ++++ ...ate-sctp_sockaddr_entry-with-kzalloc.patch | 74 +++++++ .../selinux-fix-gpf-on-invalid-policy.patch | 34 +++ queue-4.9/series | 23 +++ ...-handle-enomem-in-rpcb_getport_async.patch | 44 ++++ ...alue-in-tipc_nl_compat_bearer_enable.patch | 189 +++++++++++++++++ ...-uninit-value-in-tipc_nl_compat_doit.patch | 94 +++++++++ ...e-in-tipc_nl_compat_link_reset_stats.patch | 133 ++++++++++++ ...nit-value-in-tipc_nl_compat_link_set.patch | 76 +++++++ ...ue-in-tipc_nl_compat_name_table_dump.patch | 100 +++++++++ 24 files changed, 1890 insertions(+) create mode 100644 queue-4.9/arm64-kaslr-ensure-randomized-quantities-are-clean-to-the-poc.patch create mode 100644 queue-4.9/block-loop-use-global-lock-for-ioctl-operation.patch create mode 100644 queue-4.9/blockdev-fix-livelocks-on-loop-device.patch create mode 100644 queue-4.9/disable-msi-also-when-pcie-octeon.pcie_disable-on.patch create mode 100644 queue-4.9/loop-fix-double-mutex_unlock-loop_ctl_mutex-in-loop_control_ioctl.patch create mode 100644 queue-4.9/loop-fold-__loop_release-into-loop_release.patch create mode 100644 queue-4.9/loop-get-rid-of-loop_index_mutex.patch create mode 100644 queue-4.9/lsm-check-for-null-cred-security-on-free.patch create mode 100644 queue-4.9/media-vb2-vb2_mmap-move-lock-up.patch create mode 100644 queue-4.9/media-vivid-fix-error-handling-of-kthread_run.patch create mode 100644 queue-4.9/media-vivid-set-min-width-height-to-a-value-0.patch create mode 100644 queue-4.9/mfd-tps6586x-handle-interrupts-on-suspend.patch create mode 100644 queue-4.9/mips-fix-n32-compat_ipc_parse_version.patch create mode 100644 queue-4.9/netfilter-ebtables-account-ebt_table_info-to-kmemcg.patch create mode 100644 queue-4.9/omap2fb-fix-stack-memory-disclosure.patch create mode 100644 
queue-4.9/sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch create mode 100644 queue-4.9/selinux-fix-gpf-on-invalid-policy.patch create mode 100644 queue-4.9/sunrpc-handle-enomem-in-rpcb_getport_async.patch create mode 100644 queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_bearer_enable.patch create mode 100644 queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_doit.patch create mode 100644 queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_link_reset_stats.patch create mode 100644 queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_link_set.patch create mode 100644 queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_name_table_dump.patch diff --git a/queue-4.9/arm64-kaslr-ensure-randomized-quantities-are-clean-to-the-poc.patch b/queue-4.9/arm64-kaslr-ensure-randomized-quantities-are-clean-to-the-poc.patch new file mode 100644 index 00000000000..3cab365e138 --- /dev/null +++ b/queue-4.9/arm64-kaslr-ensure-randomized-quantities-are-clean-to-the-poc.patch 
@@ -0,0 +1,70 @@
+From 1598ecda7b239e9232dda032bfddeed9d89fab6c Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Tue, 15 Jan 2019 20:47:07 +0100
+Subject: arm64: kaslr: ensure randomized quantities are clean to the PoC
+
+From: Ard Biesheuvel
+
+commit 1598ecda7b239e9232dda032bfddeed9d89fab6c upstream.
+
+kaslr_early_init() is called with the kernel mapped at its
+link time offset, and if it returns with a non-zero offset,
+the kernel is unmapped and remapped again at the randomized
+offset.
+
+During its execution, kaslr_early_init() also randomizes the
+base of the module region and of the linear mapping of DRAM,
+and sets two variables accordingly. However, since these
+variables are assigned with the caches on, they may get lost
+during the cache maintenance that occurs when unmapping and
+remapping the kernel, so ensure that these values are cleaned
+to the PoC.
+
+Acked-by: Catalin Marinas
+Fixes: f80fb3a3d508 ("arm64: add support for kernel ASLR")
+Cc: # v4.6+
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/kaslr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/kaslr.c
++++ b/arch/arm64/kernel/kaslr.c
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ 
++#include
+ #include
+ #include
+ #include
+@@ -43,7 +44,7 @@ static __init u64 get_kaslr_seed(void *f
+ return ret;
+ }
+ 
+-static __init const u8 *get_cmdline(void *fdt)
++static __init const u8 *kaslr_get_cmdline(void *fdt)
+ {
+ static __initconst const u8 default_cmdline[] = CONFIG_CMDLINE;
+ 
+@@ -109,7 +110,7 @@ u64 __init kaslr_early_init(u64 dt_phys,
+ * Check if 'nokaslr' appears on the command line, and
+ * return 0 if that is the case.
+ */
+- cmdline = get_cmdline(fdt);
++ cmdline = kaslr_get_cmdline(fdt);
+ str = strstr(cmdline, "nokaslr");
+ if (str == cmdline || (str > cmdline && *(str - 1) == ' '))
+ return 0;
+@@ -178,5 +179,8 @@ u64 __init kaslr_early_init(u64 dt_phys,
+ module_alloc_base += (module_range * (seed & ((1 << 21) - 1))) >> 21;
+ module_alloc_base &= PAGE_MASK;
+ 
++ __flush_dcache_area(&module_alloc_base, sizeof(module_alloc_base));
++ __flush_dcache_area(&memstart_offset_seed, sizeof(memstart_offset_seed));
++
+ return offset;
+ }
diff --git a/queue-4.9/block-loop-use-global-lock-for-ioctl-operation.patch b/queue-4.9/block-loop-use-global-lock-for-ioctl-operation.patch
new file mode 100644
index 00000000000..064ef088da4
--- /dev/null
+++ b/queue-4.9/block-loop-use-global-lock-for-ioctl-operation.patch
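Review bot: The two new `__flush_dcache_area()` calls at the tail of kaslr_early_init() carry no comment, so a reader has to recover from the commit message why a plain store to `module_alloc_base` and `memstart_offset_seed` is not enough here. A comment above them would keep that reasoning with the code, e.g. `/* Stored with the caches on, but read after the kernel is unmapped and remapped at the randomized offset; clean to the PoC so that cache maintenance cannot discard the values. */`. The added `+#include` line shows no header name in this rendering (every `#include` in the hunk is bare, so this looks like extraction loss), which means the page cannot confirm that the header declaring `__flush_dcache_area()` is the one being added; worth checking the queued file itself. The body of kaslr_early_init() between the two fragments is outside the hunk.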
@@ -0,0 +1,195 @@ +From 310ca162d779efee8a2dc3731439680f3e9c1e86 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Thu, 8 Nov 2018 14:01:02 +0100 +Subject: block/loop: Use global lock for ioctl() operation. + +From: Tetsuo Handa + +commit 310ca162d779efee8a2dc3731439680f3e9c1e86 upstream. + +syzbot is reporting NULL pointer dereference [1] which is caused by +race condition between ioctl(loop_fd, LOOP_CLR_FD, 0) versus +ioctl(other_loop_fd, LOOP_SET_FD, loop_fd) due to traversing other +loop devices at loop_validate_file() without holding corresponding +lo->lo_ctl_mutex locks. + +Since ioctl() request on loop devices is not frequent operation, we don't +need fine grained locking. Let's use global lock in order to allow safe +traversal at loop_validate_file(). + +Note that syzbot is also reporting circular locking dependency between +bdev->bd_mutex and lo->lo_ctl_mutex [2] which is caused by calling +blkdev_reread_part() with lock held. This patch does not address it. + +[1] https://syzkaller.appspot.com/bug?id=f3cfe26e785d85f9ee259f385515291d21bd80a3 +[2] https://syzkaller.appspot.com/bug?id=bf154052f0eea4bc7712499e4569505907d15889 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Reviewed-by: Jan Kara +Signed-off-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 42 +++++++++++++++++++++--------------------- + drivers/block/loop.h | 1 - + 2 files changed, 21 insertions(+), 22 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -82,6 +82,7 @@ + + static DEFINE_IDR(loop_index_idr); + static DEFINE_MUTEX(loop_index_mutex); ++static DEFINE_MUTEX(loop_ctl_mutex); + + static int max_part; + static int part_shift; +@@ -1033,7 +1034,7 @@ static int loop_clr_fd(struct loop_devic + */ + if (atomic_read(&lo->lo_refcnt) > 1) { + lo->lo_flags |= LO_FLAGS_AUTOCLEAR; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return 0; + } + +@@ -1082,12 +1083,12 @@ static int 
loop_clr_fd(struct loop_devic + if (!part_shift) + lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN; + loop_unprepare_queue(lo); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + /* +- * Need not hold lo_ctl_mutex to fput backing file. +- * Calling fput holding lo_ctl_mutex triggers a circular ++ * Need not hold loop_ctl_mutex to fput backing file. ++ * Calling fput holding loop_ctl_mutex triggers a circular + * lock dependency possibility warning as fput can take +- * bd_mutex which is usually taken before lo_ctl_mutex. ++ * bd_mutex which is usually taken before loop_ctl_mutex. + */ + fput(filp); + return 0; +@@ -1350,7 +1351,7 @@ static int lo_ioctl(struct block_device + struct loop_device *lo = bdev->bd_disk->private_data; + int err; + +- mutex_lock_nested(&lo->lo_ctl_mutex, 1); ++ mutex_lock_nested(&loop_ctl_mutex, 1); + switch (cmd) { + case LOOP_SET_FD: + err = loop_set_fd(lo, mode, bdev, arg); +@@ -1359,7 +1360,7 @@ static int lo_ioctl(struct block_device + err = loop_change_fd(lo, bdev, arg); + break; + case LOOP_CLR_FD: +- /* loop_clr_fd would have unlocked lo_ctl_mutex on success */ ++ /* loop_clr_fd would have unlocked loop_ctl_mutex on success */ + err = loop_clr_fd(lo); + if (!err) + goto out_unlocked; +@@ -1395,7 +1396,7 @@ static int lo_ioctl(struct block_device + default: + err = lo->ioctl ? 
lo->ioctl(lo, cmd, arg) : -EINVAL; + } +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + + out_unlocked: + return err; +@@ -1528,16 +1529,16 @@ static int lo_compat_ioctl(struct block_ + + switch(cmd) { + case LOOP_SET_STATUS: +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + err = loop_set_status_compat( + lo, (const struct compat_loop_info __user *) arg); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + break; + case LOOP_GET_STATUS: +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + err = loop_get_status_compat( + lo, (struct compat_loop_info __user *) arg); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + break; + case LOOP_SET_CAPACITY: + case LOOP_CLR_FD: +@@ -1581,7 +1582,7 @@ static void __lo_release(struct loop_dev + if (atomic_dec_return(&lo->lo_refcnt)) + return; + +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) { + /* + * In autoclear mode, stop the loop thread +@@ -1598,7 +1599,7 @@ static void __lo_release(struct loop_dev + loop_flush(lo); + } + +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + } + + static void lo_release(struct gendisk *disk, fmode_t mode) +@@ -1644,10 +1645,10 @@ static int unregister_transfer_cb(int id + struct loop_device *lo = ptr; + struct loop_func_table *xfer = data; + +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + if (lo->lo_encryption == xfer) + loop_release_xfer(lo); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return 0; + } + +@@ -1813,7 +1814,6 @@ static int loop_add(struct loop_device * + if (!part_shift) + disk->flags |= GENHD_FL_NO_PART_SCAN; + disk->flags |= GENHD_FL_EXT_DEVT; +- mutex_init(&lo->lo_ctl_mutex); + atomic_set(&lo->lo_refcnt, 0); + lo->lo_number = i; + spin_lock_init(&lo->lo_lock); +@@ -1926,19 +1926,19 @@ static long loop_control_ioctl(struct fi + ret = loop_lookup(&lo, 
parm); + if (ret < 0) + break; +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + if (lo->lo_state != Lo_unbound) { + ret = -EBUSY; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + break; + } + if (atomic_read(&lo->lo_refcnt) > 0) { + ret = -EBUSY; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + break; + } + lo->lo_disk->private_data = NULL; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + idr_remove(&loop_index_idr, lo->lo_number); + loop_remove(lo); + break; +--- a/drivers/block/loop.h ++++ b/drivers/block/loop.h +@@ -55,7 +55,6 @@ struct loop_device { + + spinlock_t lo_lock; + int lo_state; +- struct mutex lo_ctl_mutex; + struct kthread_worker worker; + struct task_struct *worker_task; + bool use_dio; diff --git a/queue-4.9/blockdev-fix-livelocks-on-loop-device.patch b/queue-4.9/blockdev-fix-livelocks-on-loop-device.patch new file mode 100644 index 00000000000..73261a5c9a2 --- /dev/null +++ b/queue-4.9/blockdev-fix-livelocks-on-loop-device.patch 
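Review bot: The new file-scope `static DEFINE_MUTEX(loop_ctl_mutex);` has no comment saying what it protects, even though every former `lo->lo_ctl_mutex` site in the hunk now takes it; a one-liner on the definition such as `/* Serializes ioctl() on all loop devices, including the cross-device walk in loop_validate_file(). */` would record the reason given in the commit message. `mutex_lock_nested(&loop_ctl_mutex, 1)` in lo_ioctl() keeps the subclass that made sense for a per-device mutex; with a single global lock the annotation is probably stale and should be re-checked against lockdep (inferred, the other callers are not all in view). loop_clr_fd() still drops `loop_ctl_mutex` itself on success, which lo_ioctl() relies on via `goto out_unlocked`; that asymmetry predates this change, but the rename is a good moment to state it in a comment at loop_clr_fd()'s definition, which is outside the hunk.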
@@ -0,0 +1,123 @@ +From 04906b2f542c23626b0ef6219b808406f8dddbe9 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 14 Jan 2019 09:48:10 +0100 +Subject: blockdev: Fix livelocks on loop device + +From: Jan Kara + +commit 04906b2f542c23626b0ef6219b808406f8dddbe9 upstream. + +bd_set_size() updates also block device's block size. This is somewhat +unexpected from its name and at this point, only blkdev_open() uses this +functionality. Furthermore, this can result in changing block size under +a filesystem mounted on a loop device which leads to livelocks inside +__getblk_gfp() like: + +Sending NMI from CPU 0 to CPUs 1: +NMI backtrace for cpu 1 +CPU: 1 PID: 10863 Comm: syz-executor0 Not tainted 4.18.0-rc5+ #151 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google +01/01/2011 +RIP: 0010:__sanitizer_cov_trace_pc+0x3f/0x50 kernel/kcov.c:106 +... +Call Trace: + init_page_buffers+0x3e2/0x530 fs/buffer.c:904 + grow_dev_page fs/buffer.c:947 [inline] + grow_buffers fs/buffer.c:1009 [inline] + __getblk_slow fs/buffer.c:1036 [inline] + __getblk_gfp+0x906/0xb10 fs/buffer.c:1313 + __bread_gfp+0x2d/0x310 fs/buffer.c:1347 + sb_bread include/linux/buffer_head.h:307 [inline] + fat12_ent_bread+0x14e/0x3d0 fs/fat/fatent.c:75 + fat_ent_read_block fs/fat/fatent.c:441 [inline] + fat_alloc_clusters+0x8ce/0x16e0 fs/fat/fatent.c:489 + fat_add_cluster+0x7a/0x150 fs/fat/inode.c:101 + __fat_get_block fs/fat/inode.c:148 [inline] +... + +Trivial reproducer for the problem looks like: + +truncate -s 1G /tmp/image +losetup /dev/loop0 /tmp/image +mkfs.ext4 -b 1024 /dev/loop0 +mount -t ext4 /dev/loop0 /mnt +losetup -c /dev/loop0 +l /mnt + +Fix the problem by moving initialization of a block device block size +into a separate function and call it when needed. + +Thanks to Tetsuo Handa for help with +debugging the problem. 
+ +Reported-by: syzbot+9933e4476f365f5d5a1b@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/block_dev.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -114,6 +114,20 @@ void invalidate_bdev(struct block_device + } + EXPORT_SYMBOL(invalidate_bdev); + ++static void set_init_blocksize(struct block_device *bdev) ++{ ++ unsigned bsize = bdev_logical_block_size(bdev); ++ loff_t size = i_size_read(bdev->bd_inode); ++ ++ while (bsize < PAGE_SIZE) { ++ if (size & bsize) ++ break; ++ bsize <<= 1; ++ } ++ bdev->bd_block_size = bsize; ++ bdev->bd_inode->i_blkbits = blksize_bits(bsize); ++} ++ + int set_blocksize(struct block_device *bdev, int size) + { + /* Size must be a power of two, and between 512 and PAGE_SIZE */ +@@ -1209,18 +1223,9 @@ EXPORT_SYMBOL(check_disk_change); + + void bd_set_size(struct block_device *bdev, loff_t size) + { +- unsigned bsize = bdev_logical_block_size(bdev); +- + inode_lock(bdev->bd_inode); + i_size_write(bdev->bd_inode, size); + inode_unlock(bdev->bd_inode); +- while (bsize < PAGE_SIZE) { +- if (size & bsize) +- break; +- bsize <<= 1; +- } +- bdev->bd_block_size = bsize; +- bdev->bd_inode->i_blkbits = blksize_bits(bsize); + } + EXPORT_SYMBOL(bd_set_size); + +@@ -1297,8 +1302,10 @@ static int __blkdev_get(struct block_dev + } + } + +- if (!ret) ++ if (!ret) { + bd_set_size(bdev,(loff_t)get_capacity(disk)<<9); ++ set_init_blocksize(bdev); ++ } + + /* + * If the device is invalidated, rescan partition +@@ -1333,6 +1340,7 @@ static int __blkdev_get(struct block_dev + goto out_clear; + } + bd_set_size(bdev, (loff_t)bdev->bd_part->nr_sects << 9); ++ set_init_blocksize(bdev); + } + } else { + if (bdev->bd_contains == bdev) { 
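Review bot: `set_init_blocksize()` is added without a comment, and its contract — it is the part of the old bd_set_size() that is only safe at open time — is precisely what the fix relies on, so a future caller from a resize path would reintroduce the livelock. Suggest a header comment such as `/* Pick the largest power-of-two block size (<= PAGE_SIZE) that divides the device size. Called only from __blkdev_get(): changing bd_block_size on an already-open device races with a filesystem mounted on it. */`. `bd_set_size()` stays exported but now only updates `i_size`; a line at that function saying it no longer touches the block size would stop out-of-tree callers from assuming the old behaviour. The part of `__blkdev_get()` between the two call sites is outside the hunk.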
diff --git a/queue-4.9/disable-msi-also-when-pcie-octeon.pcie_disable-on.patch b/queue-4.9/disable-msi-also-when-pcie-octeon.pcie_disable-on.patch
new file mode 100644
index 00000000000..195aaafdf83
--- /dev/null
+++ b/queue-4.9/disable-msi-also-when-pcie-octeon.pcie_disable-on.patch
@@ -0,0 +1,40 @@
+From a214720cbf50cd8c3f76bbb9c3f5c283910e9d33 Mon Sep 17 00:00:00 2001
+From: YunQiang Su
+Date: Tue, 8 Jan 2019 13:45:10 +0800
+Subject: Disable MSI also when pcie-octeon.pcie_disable on
+
+From: YunQiang Su
+
+commit a214720cbf50cd8c3f76bbb9c3f5c283910e9d33 upstream.
+
+Octeon has an boot-time option to disable pcie.
+
+Since MSI depends on PCI-E, we should also disable MSI also with
+this option is on in order to avoid inadvertently accessing PCIe
+registers.
+
+Signed-off-by: YunQiang Su
+Signed-off-by: Paul Burton
+Cc: pburton@wavecomp.com
+Cc: linux-mips@vger.kernel.org
+Cc: aaro.koskinen@iki.fi
+Cc: stable@vger.kernel.org # v3.3+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/pci/msi-octeon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/pci/msi-octeon.c
++++ b/arch/mips/pci/msi-octeon.c
+@@ -369,7 +369,9 @@ int __init octeon_msi_initialize(void)
+ int irq;
+ struct irq_chip *msi;
+ 
+- if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
++ if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_INVALID) {
++ return 0;
++ } else if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
+ msi_rcv_reg[0] = CVMX_PEXP_NPEI_MSI_RCV0;
+ msi_rcv_reg[1] = CVMX_PEXP_NPEI_MSI_RCV1;
+ msi_rcv_reg[2] = CVMX_PEXP_NPEI_MSI_RCV2;
diff --git a/queue-4.9/loop-fix-double-mutex_unlock-loop_ctl_mutex-in-loop_control_ioctl.patch b/queue-4.9/loop-fix-double-mutex_unlock-loop_ctl_mutex-in-loop_control_ioctl.patch
new file mode 100644
index 00000000000..37b56164cb7
--- /dev/null
+++ b/queue-4.9/loop-fix-double-mutex_unlock-loop_ctl_mutex-in-loop_control_ioctl.patch
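Review bot: The new early `return 0;` for `OCTEON_DMA_BAR_TYPE_INVALID` in octeon_msi_initialize() reports success with no MSI support set up, and nothing in the code ties that branch to the `pcie-octeon.pcie_disable` option the commit message is about. A comment on the branch, `/* PCIe disabled at boot (pcie_disable): there is no MSI block to program and its registers must not be touched. */`, would make the intent survive the next refactor. Whether INVALID is reached only through that option, rather than also on hardware without PCIe, is not visible here, and the rest of octeon_msi_initialize() is outside the hunk.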
@@ -0,0 +1,40 @@
+From 628bd85947091830a8c4872adfd5ed1d515a9cf2 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Mon, 12 Nov 2018 08:42:14 -0700
+Subject: loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
+
+From: Tetsuo Handa
+
+commit 628bd85947091830a8c4872adfd5ed1d515a9cf2 upstream.
+
+Commit 0a42e99b58a20883 ("loop: Get rid of loop_index_mutex") forgot to
+remove mutex_unlock(&loop_ctl_mutex) from loop_control_ioctl() when
+replacing loop_index_mutex with loop_ctl_mutex.
+
+Fixes: 0a42e99b58a20883 ("loop: Get rid of loop_index_mutex")
+Reported-by: syzbot
+Reviewed-by: Ming Lei
+Reviewed-by: Jan Kara
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/loop.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1929,12 +1929,10 @@ static long loop_control_ioctl(struct fi
+ break;
+ if (lo->lo_state != Lo_unbound) {
+ ret = -EBUSY;
+- mutex_unlock(&loop_ctl_mutex);
+ break;
+ }
+ if (atomic_read(&lo->lo_refcnt) > 0) {
+ ret = -EBUSY;
+- mutex_unlock(&loop_ctl_mutex);
+ break;
+ }
+ lo->lo_disk->private_data = NULL;
diff --git a/queue-4.9/loop-fold-__loop_release-into-loop_release.patch b/queue-4.9/loop-fold-__loop_release-into-loop_release.patch
new file mode 100644
index 00000000000..f18eff4424b
--- /dev/null
+++ b/queue-4.9/loop-fold-__loop_release-into-loop_release.patch
@@ -0,0 +1,64 @@
+From 967d1dc144b50ad005e5eecdfadfbcfb399ffff6 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 8 Nov 2018 14:01:03 +0100
+Subject: loop: Fold __loop_release into loop_release
+
+From: Jan Kara
+
+commit 967d1dc144b50ad005e5eecdfadfbcfb399ffff6 upstream.
+
+__loop_release() has a single call site. Fold it there. This is
+currently not a huge win but it will make following replacement of
+loop_index_mutex more obvious.
+
+Signed-off-by: Jan Kara
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/loop.c | 16 +++++++--------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1575,12 +1575,15 @@ out:
+ return err;
+ }
+ 
+-static void __lo_release(struct loop_device *lo)
++static void lo_release(struct gendisk *disk, fmode_t mode)
+ {
++ struct loop_device *lo;
+ int err;
+ 
++ mutex_lock(&loop_index_mutex);
++ lo = disk->private_data;
+ if (atomic_dec_return(&lo->lo_refcnt))
+- return;
++ goto unlock_index;
+ 
+ mutex_lock(&loop_ctl_mutex);
+ if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) {
+@@ -1590,7 +1593,7 @@ static void __lo_release(struct loop_dev
+ */
+ err = loop_clr_fd(lo);
+ if (!err)
+- return;
++ goto unlock_index;
+ } else {
+ /*
+ * Otherwise keep thread (if running) and config,
+@@ -1600,12 +1603,7 @@ static void __lo_release(struct loop_dev
+ }
+ 
+ mutex_unlock(&loop_ctl_mutex);
+-}
+-
+-static void lo_release(struct gendisk *disk, fmode_t mode)
+-{
+- mutex_lock(&loop_index_mutex);
+- __lo_release(disk->private_data);
++unlock_index:
+ mutex_unlock(&loop_index_mutex);
+ }
+ 
diff --git a/queue-4.9/loop-get-rid-of-loop_index_mutex.patch b/queue-4.9/loop-get-rid-of-loop_index_mutex.patch
new file mode 100644
index 00000000000..79ad0d185bf
--- /dev/null
+++ b/queue-4.9/loop-get-rid-of-loop_index_mutex.patch
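Review bot: In the folded lo_release() the `goto unlock_index` after a successful loop_clr_fd() is correct only because loop_clr_fd() drops `loop_ctl_mutex` itself on success, whereas the failure path falls through to the explicit `mutex_unlock(&loop_ctl_mutex)` lower down; that asymmetry now sits inside a function that is also holding `loop_index_mutex`, so it deserves a line of its own: `/* loop_clr_fd() released loop_ctl_mutex on success; only loop_index_mutex is still held */`. The middle of the function (the loop_flush() branch) falls between the hunk's fragments and is not visible.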
@@ -0,0 +1,161 @@ +From 0a42e99b58a208839626465af194cfe640ef9493 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 8 Nov 2018 14:01:04 +0100 +Subject: loop: Get rid of loop_index_mutex + +From: Jan Kara + +commit 0a42e99b58a208839626465af194cfe640ef9493 upstream. + +Now that loop_ctl_mutex is global, just get rid of loop_index_mutex as +there is no good reason to keep these two separate and it just +complicates the locking. + +Signed-off-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 39 ++++++++++++++++++++------------------- + 1 file changed, 20 insertions(+), 19 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -81,7 +81,6 @@ + #include + + static DEFINE_IDR(loop_index_idr); +-static DEFINE_MUTEX(loop_index_mutex); + static DEFINE_MUTEX(loop_ctl_mutex); + + static int max_part; +@@ -1560,9 +1559,11 @@ static int lo_compat_ioctl(struct block_ + static int lo_open(struct block_device *bdev, fmode_t mode) + { + struct loop_device *lo; +- int err = 0; ++ int err; + +- mutex_lock(&loop_index_mutex); ++ err = mutex_lock_killable(&loop_ctl_mutex); ++ if (err) ++ return err; + lo = bdev->bd_disk->private_data; + if (!lo) { + err = -ENXIO; +@@ -1571,7 +1572,7 @@ static int lo_open(struct block_device * + + atomic_inc(&lo->lo_refcnt); + out: +- mutex_unlock(&loop_index_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return err; + } + +@@ -1580,12 +1581,11 @@ static void lo_release(struct gendisk *d + struct loop_device *lo; + int err; + +- mutex_lock(&loop_index_mutex); ++ mutex_lock(&loop_ctl_mutex); + lo = disk->private_data; + if (atomic_dec_return(&lo->lo_refcnt)) +- goto unlock_index; ++ goto out_unlock; + +- mutex_lock(&loop_ctl_mutex); + if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) { + /* + * In autoclear mode, stop the loop thread +@@ -1593,7 +1593,7 @@ static void lo_release(struct gendisk *d + */ + err = loop_clr_fd(lo); + if (!err) +- goto unlock_index; ++ return; + } else { + /* + * 
Otherwise keep thread (if running) and config, +@@ -1602,9 +1602,8 @@ static void lo_release(struct gendisk *d + loop_flush(lo); + } + ++out_unlock: + mutex_unlock(&loop_ctl_mutex); +-unlock_index: +- mutex_unlock(&loop_index_mutex); + } + + static const struct block_device_operations lo_fops = { +@@ -1890,7 +1889,7 @@ static struct kobject *loop_probe(dev_t + struct kobject *kobj; + int err; + +- mutex_lock(&loop_index_mutex); ++ mutex_lock(&loop_ctl_mutex); + err = loop_lookup(&lo, MINOR(dev) >> part_shift); + if (err < 0) + err = loop_add(&lo, MINOR(dev) >> part_shift); +@@ -1898,7 +1897,7 @@ static struct kobject *loop_probe(dev_t + kobj = NULL; + else + kobj = get_disk(lo->lo_disk); +- mutex_unlock(&loop_index_mutex); ++ mutex_unlock(&loop_ctl_mutex); + + *part = 0; + return kobj; +@@ -1908,9 +1907,13 @@ static long loop_control_ioctl(struct fi + unsigned long parm) + { + struct loop_device *lo; +- int ret = -ENOSYS; ++ int ret; ++ ++ ret = mutex_lock_killable(&loop_ctl_mutex); ++ if (ret) ++ return ret; + +- mutex_lock(&loop_index_mutex); ++ ret = -ENOSYS; + switch (cmd) { + case LOOP_CTL_ADD: + ret = loop_lookup(&lo, parm); +@@ -1924,7 +1927,6 @@ static long loop_control_ioctl(struct fi + ret = loop_lookup(&lo, parm); + if (ret < 0) + break; +- mutex_lock(&loop_ctl_mutex); + if (lo->lo_state != Lo_unbound) { + ret = -EBUSY; + mutex_unlock(&loop_ctl_mutex); +@@ -1936,7 +1938,6 @@ static long loop_control_ioctl(struct fi + break; + } + lo->lo_disk->private_data = NULL; +- mutex_unlock(&loop_ctl_mutex); + idr_remove(&loop_index_idr, lo->lo_number); + loop_remove(lo); + break; +@@ -1946,7 +1947,7 @@ static long loop_control_ioctl(struct fi + break; + ret = loop_add(&lo, -1); + } +- mutex_unlock(&loop_index_mutex); ++ mutex_unlock(&loop_ctl_mutex); + + return ret; + } +@@ -2029,10 +2030,10 @@ static int __init loop_init(void) + THIS_MODULE, loop_probe, NULL, NULL); + + /* pre-create number of devices given by config or max_loop */ +- 
mutex_lock(&loop_index_mutex); ++ mutex_lock(&loop_ctl_mutex); + for (i = 0; i < nr; i++) + loop_add(&lo, i); +- mutex_unlock(&loop_index_mutex); ++ mutex_unlock(&loop_ctl_mutex); + + printk(KERN_INFO "loop: module loaded\n"); + return 0; diff --git a/queue-4.9/lsm-check-for-null-cred-security-on-free.patch b/queue-4.9/lsm-check-for-null-cred-security-on-free.patch new file mode 100644 index 00000000000..4dd386665d9 --- /dev/null +++ b/queue-4.9/lsm-check-for-null-cred-security-on-free.patch @@ -0,0 +1,41 @@ +From a5795fd38ee8194451ba3f281f075301a3696ce2 Mon Sep 17 00:00:00 2001 +From: James Morris +Date: Wed, 16 Jan 2019 15:41:11 -0800 +Subject: LSM: Check for NULL cred-security on free + +From: James Morris + +commit a5795fd38ee8194451ba3f281f075301a3696ce2 upstream. + +From: Casey Schaufler + +Check that the cred security blob has been set before trying +to clean it up. There is a case during credential initialization +that could result in this. + +Signed-off-by: Casey Schaufler +Acked-by: John Johansen +Signed-off-by: James Morris +Reported-by: syzbot+69ca07954461f189e808@syzkaller.appspotmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + security/security.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/security/security.c ++++ b/security/security.c +@@ -904,6 +904,13 @@ int security_cred_alloc_blank(struct cre + + void security_cred_free(struct cred *cred) + { ++ /* ++ * There is a failure case in prepare_creds() that ++ * may result in a call here with ->security being NULL. ++ */ ++ if (unlikely(cred->security == NULL)) ++ return; ++ + call_void_hook(cred_free, cred); + } + diff --git a/queue-4.9/media-vb2-vb2_mmap-move-lock-up.patch b/queue-4.9/media-vb2-vb2_mmap-move-lock-up.patch new file mode 100644 index 00000000000..4a2f7f7576f --- /dev/null +++ b/queue-4.9/media-vb2-vb2_mmap-move-lock-up.patch 
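Review bot: On the new side of loop_control_ioctl(), the removal path that ends in `loop_remove(lo)` loses its `mutex_lock(&loop_ctl_mutex)` (the lock is now taken at function entry) but the `mutex_unlock(&loop_ctl_mutex)` that follows `ret = -EBUSY;` survives as a context line, and the `break` then reaches the function's final `mutex_unlock(&loop_ctl_mutex)`: each EBUSY exit unlocks twice. The patch queued at L14 deletes exactly those unlocks, so the defect is transient within this series, but it does mean the `series` file listed in the diffstat (not shown) must order this patch before that one; worth double-checking. lo_release()'s bare `return;` after a successful loop_clr_fd() likewise depends on loop_clr_fd() having dropped the global lock; with only one mutex left, a comment there, `/* loop_clr_fd() dropped loop_ctl_mutex on success */`, would make that explicit. The second EBUSY branch of the removal path lies between the hunk's fragments and is inferred from the context shown.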
@@ -0,0 +1,65 @@
+From cd26d1c4d1bc947b56ae404998ae2276df7b39b7 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Tue, 13 Nov 2018 09:06:46 -0500
+Subject: media: vb2: vb2_mmap: move lock up
+
+From: Hans Verkuil
+
+commit cd26d1c4d1bc947b56ae404998ae2276df7b39b7 upstream.
+
+If a filehandle is dup()ped, then it is possible to close it from one fd
+and call mmap from the other. This creates a race condition in vb2_mmap
+where it is using queue data that __vb2_queue_free (called from close())
+is in the process of releasing.
+
+By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided
+since __vb2_queue_free is called with the same mutex locked. So vb2_mmap
+now reads consistent buffer data.
+
+Signed-off-by: Hans Verkuil
+Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1916,9 +1916,13 @@ int vb2_mmap(struct vb2_queue *q, struct
+ return -EINVAL;
+ }
+ }
++
++ mutex_lock(&q->mmap_lock);
++
+ if (vb2_fileio_is_active(q)) {
+ dprintk(1, "mmap: file io in progress\n");
+- return -EBUSY;
++ ret = -EBUSY;
++ goto unlock;
+ }
+ 
+ /*
+@@ -1926,7 +1930,7 @@ int vb2_mmap(struct vb2_queue *q, struct
+ */
+ ret = __find_plane_by_offset(q, off, &buffer, &plane);
+ if (ret)
+- return ret;
++ goto unlock;
+ 
+ vb = q->bufs[buffer];
+ 
+@@ -1942,8 +1946,9 @@ int vb2_mmap(struct vb2_queue *q, struct
+ return -EINVAL;
+ }
+ 
+- mutex_lock(&q->mmap_lock);
+ ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma);
++
++unlock:
+ mutex_unlock(&q->mmap_lock);
+ if (ret)
+ return ret;
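Review bot: With `mutex_lock(&q->mmap_lock)` moved up to just before the vb2_fileio_is_active() check, the `return -EINVAL;` that survives as a context line at the top of the third fragment (`@@ -1942,8 +1946,9`) now runs with `mmap_lock` held and leaves without releasing it, since the only unlock is at the new `unlock:` label below it. The two earlier early exits in the hunk were converted to `ret = …; goto unlock;`, but this one was not; it should become `ret = -EINVAL;` followed by `goto unlock;`. The `if` guarding that return and any other exits between `vb = q->bufs[buffer];` and that point are outside the hunk, so they should be audited for the same leak.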
diff --git a/queue-4.9/media-vivid-fix-error-handling-of-kthread_run.patch b/queue-4.9/media-vivid-fix-error-handling-of-kthread_run.patch new file mode 100644 index 00000000000..0ba9f5e0960 --- /dev/null +++ b/queue-4.9/media-vivid-fix-error-handling-of-kthread_run.patch 
@@ -0,0 +1,57 @@
+From 701f49bc028edb19ffccd101997dd84f0d71e279 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Mon, 29 Oct 2018 06:15:31 -0400
+Subject: media: vivid: fix error handling of kthread_run
+
+From: Hans Verkuil
+
+commit 701f49bc028edb19ffccd101997dd84f0d71e279 upstream.
+
+kthread_run returns an error pointer, but elsewhere in the code
+dev->kthread_vid_cap/out is checked against NULL.
+
+If kthread_run returns an error, then set the pointer to NULL.
+
+I chose this method over changing all kthread_vid_cap/out tests
+elsewhere since this is more robust.
+
+Signed-off-by: Hans Verkuil
+Reported-by: syzbot+53d5b2df0d9744411e2e@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/platform/vivid/vivid-kthread-cap.c | 5 ++++-
+ drivers/media/platform/vivid/vivid-kthread-out.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/vivid/vivid-kthread-cap.c
++++ b/drivers/media/platform/vivid/vivid-kthread-cap.c
+@@ -877,8 +877,11 @@ int vivid_start_generating_vid_cap(struc
+ "%s-vid-cap", dev->v4l2_dev.name);
+
+ if (IS_ERR(dev->kthread_vid_cap)) {
++ int err = PTR_ERR(dev->kthread_vid_cap);
++
++ dev->kthread_vid_cap = NULL;
+ v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n");
+- return PTR_ERR(dev->kthread_vid_cap);
++ return err;
+ }
+ *pstreaming = true;
+ vivid_grab_controls(dev, true);
+--- a/drivers/media/platform/vivid/vivid-kthread-out.c
++++ b/drivers/media/platform/vivid/vivid-kthread-out.c
+@@ -248,8 +248,11 @@ int vivid_start_generating_vid_out(struc
+ "%s-vid-out", dev->v4l2_dev.name);
+
+ if (IS_ERR(dev->kthread_vid_out)) {
++ int err = PTR_ERR(dev->kthread_vid_out);
++
++ dev->kthread_vid_out = NULL;
+ v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n");
+- return PTR_ERR(dev->kthread_vid_out);
++ return err;
+ }
+ *pstreaming = true;
+ vivid_grab_controls(dev, true);
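Review bot: The error message kept as context in both inner hunks, `kernel_thread() failed`, names a function this code does not call (the IS_ERR check is on what kthread_run returned) and discards the error code that the new `err` local now holds, so the only diagnostic for a failed thread start stays uninformative. Since `err` is captured before the pointer is cleared anyway, print it: `v4l2_err(&dev->v4l2_dev, "kthread_run() failed: %d\n", err);` in both vivid_start_generating_vid_cap and vivid_start_generating_vid_out. Both functions begin and end outside the hunk; only the tail of the kthread_run call (the `"%s-vid-cap"` / `"%s-vid-out"` argument line) is visible.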
diff --git a/queue-4.9/media-vivid-set-min-width-height-to-a-value-0.patch b/queue-4.9/media-vivid-set-min-width-height-to-a-value-0.patch
new file mode 100644
index 00000000000..307fe709488
--- /dev/null
+++ b/queue-4.9/media-vivid-set-min-width-height-to-a-value-0.patch
@@ -0,0 +1,35 @@
+From 9729d6d282a6d7ce88e64c9119cecdf79edf4e88 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Mon, 29 Oct 2018 13:32:38 -0400
+Subject: media: vivid: set min width/height to a value > 0
+
+From: Hans Verkuil
+
+commit 9729d6d282a6d7ce88e64c9119cecdf79edf4e88 upstream.
+
+The capture DV timings capabilities allowed for a minimum width and
+height of 0. So passing a timings struct with 0 values is allowed
+and will later cause a division by zero.
+
+Ensure that the width and height must be >= 16 to avoid this.
+
+Signed-off-by: Hans Verkuil
+Reported-by: syzbot+57c3d83d71187054d56f@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/platform/vivid/vivid-vid-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/vivid/vivid-vid-common.c
++++ b/drivers/media/platform/vivid/vivid-vid-common.c
+@@ -33,7 +33,7 @@ const struct v4l2_dv_timings_cap vivid_d
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, MAX_WIDTH, 0, MAX_HEIGHT, 14000000, 775000000,
++ V4L2_INIT_BT_TIMINGS(16, MAX_WIDTH, 16, MAX_HEIGHT, 14000000, 775000000,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT |
+ V4L2_DV_BT_STD_CVT | V4L2_DV_BT_STD_GTF,
+ V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_INTERLACED)
diff --git a/queue-4.9/mfd-tps6586x-handle-interrupts-on-suspend.patch b/queue-4.9/mfd-tps6586x-handle-interrupts-on-suspend.patch
new file mode 100644
index 00000000000..13c7628f2ed
--- /dev/null
+++ b/queue-4.9/mfd-tps6586x-handle-interrupts-on-suspend.patch
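Review bot: The new lower bound in `V4L2_INIT_BT_TIMINGS(16, MAX_WIDTH, 16, MAX_HEIGHT, ...)` is a bare number, and the reason it must not go back to 0 (a zero width or height later reaches a division, per the description) exists only in the commit message, so the next person who relaxes the capability table for a test case has nothing in the code to stop them. A one-line comment above the initializer keeps the constraint with the data: `/* min 16x16: a 0 width/height would later cause a division by zero */`. Which code performs that division is not visible in the hunk, so the comment deliberately does not name it.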
@@ -0,0 +1,94 @@
+From ac4ca4b9f4623ba5e1ea7a582f286567c611e027 Mon Sep 17 00:00:00 2001
+From: Jonathan Hunter
+Date: Tue, 13 Nov 2018 08:56:31 +0000
+Subject: mfd: tps6586x: Handle interrupts on suspend
+
+From: Jonathan Hunter
+
+commit ac4ca4b9f4623ba5e1ea7a582f286567c611e027 upstream.
+
+The tps6586x driver creates an irqchip that is used by its various child
+devices for managing interrupts. The tps6586x-rtc device is one of its
+children that uses the tps6586x irqchip. When using the tps6586x-rtc as
+a wake-up device from suspend, the following is seen:
+
+ PM: Syncing filesystems ... done.
+ Freezing user space processes ... (elapsed 0.001 seconds) done.
+ OOM killer disabled.
+ Freezing remaining freezable tasks ... (elapsed 0.000 seconds) done.
+ Disabling non-boot CPUs ...
+ Entering suspend state LP1
+ Enabling non-boot CPUs ...
+ CPU1 is up
+ tps6586x 3-0034: failed to read interrupt status
+ tps6586x 3-0034: failed to read interrupt status
+
+The reason why the tps6586x interrupt status cannot be read is because
+the tps6586x interrupt is not masked during suspend and when the
+tps6586x-rtc interrupt occurs, to wake-up the device, the interrupt is
+seen before the i2c controller has been resumed in order to read the
+tps6586x interrupt status.
+
+The tps6586x-rtc driver sets it's interrupt as a wake-up source during
+suspend, which gets propagated to the parent tps6586x interrupt.
+However, the tps6586x-rtc driver cannot disable it's interrupt during
+suspend otherwise we would never be woken up and so the tps6586x must
+disable it's interrupt instead.
+
+Prevent the tps6586x interrupt handler from executing on exiting suspend
+before the i2c controller has been resumed by disabling the tps6586x
+interrupt on entering suspend and re-enabling it on resuming from
+suspend.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jon Hunter
+Reviewed-by: Dmitry Osipenko
+Tested-by: Dmitry Osipenko
+Acked-by: Thierry Reding
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mfd/tps6586x.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/mfd/tps6586x.c
++++ b/drivers/mfd/tps6586x.c
+@@ -594,6 +594,29 @@ static int tps6586x_i2c_remove(struct i2
+ return 0;
+ }
+
++static int __maybe_unused tps6586x_i2c_suspend(struct device *dev)
++{
++ struct tps6586x *tps6586x = dev_get_drvdata(dev);
++
++ if (tps6586x->client->irq)
++ disable_irq(tps6586x->client->irq);
++
++ return 0;
++}
++
++static int __maybe_unused tps6586x_i2c_resume(struct device *dev)
++{
++ struct tps6586x *tps6586x = dev_get_drvdata(dev);
++
++ if (tps6586x->client->irq)
++ enable_irq(tps6586x->client->irq);
++
++ return 0;
++}
++
++static SIMPLE_DEV_PM_OPS(tps6586x_pm_ops, tps6586x_i2c_suspend,
++ tps6586x_i2c_resume);
++
+ static const struct i2c_device_id tps6586x_id_table[] = {
+ { "tps6586x", 0 },
+ { },
+@@ -604,6 +627,7 @@ static struct i2c_driver tps6586x_driver
+ .driver = {
+ .name = "tps6586x",
+ .of_match_table = of_match_ptr(tps6586x_of_match),
++ .pm = &tps6586x_pm_ops,
+ },
+ .probe = tps6586x_i2c_probe,
+ .remove = tps6586x_i2c_remove,
diff --git a/queue-4.9/mips-fix-n32-compat_ipc_parse_version.patch b/queue-4.9/mips-fix-n32-compat_ipc_parse_version.patch
new file mode 100644
index 00000000000..8fec6f4ed6c
--- /dev/null
+++ b/queue-4.9/mips-fix-n32-compat_ipc_parse_version.patch
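Review bot: The new tps6586x_i2c_suspend/tps6586x_i2c_resume pair carries no comment, so a later reader is likely to judge the `disable_irq()` redundant with the RTC child's wake-up handling and drop it, reintroducing the "failed to read interrupt status" problem the description records. A short comment above the `if (tps6586x->client->irq)` in suspend would pin the reason: `/* Keep the IRQ handler off until resume: the I2C controller is not back yet, so the interrupt status cannot be read. */`. The description also says the child's wake-up enable is propagated to this IRQ, which is what makes disabling it here safe for wake; no enable_irq_wake call is visible in the patch, so that should be confirmed against the rtc driver before a comment asserts it. Both callbacks are complete within the hunk.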
@@ -0,0 +1,41 @@
+From 5a9372f751b5350e0ce3d2ee91832f1feae2c2e5 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Thu, 10 Jan 2019 17:24:31 +0100
+Subject: mips: fix n32 compat_ipc_parse_version
+
+From: Arnd Bergmann
+
+commit 5a9372f751b5350e0ce3d2ee91832f1feae2c2e5 upstream.
+
+While reading through the sysvipc implementation, I noticed that the n32
+semctl/shmctl/msgctl system calls behave differently based on whether
+o32 support is enabled or not: Without o32, the IPC_64 flag passed by
+user space is rejected but calls without that flag get IPC_64 behavior.
+
+As far as I can tell, this was inadvertently changed by a cleanup patch
+but never noticed by anyone, possibly nobody has tried using sysvipc
+on n32 after linux-3.19.
+
+Change it back to the old behavior now.
+
+Fixes: 78aaf956ba3a ("MIPS: Compat: Fix build error if CONFIG_MIPS32_COMPAT but no compat ABI.")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Paul Burton
+Cc: linux-mips@vger.kernel.org
+Cc: stable@vger.kernel.org # 3.19+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -3135,6 +3135,7 @@ config MIPS32_O32
+ config MIPS32_N32
+ bool "Kernel support for n32 binaries"
+ depends on 64BIT
++ select ARCH_WANT_COMPAT_IPC_PARSE_VERSION
+ select COMPAT
+ select MIPS32_COMPAT
+ select SYSVIPC_COMPAT if SYSVIPC
diff --git a/queue-4.9/netfilter-ebtables-account-ebt_table_info-to-kmemcg.patch b/queue-4.9/netfilter-ebtables-account-ebt_table_info-to-kmemcg.patch
new file mode 100644
index 00000000000..85729092273
--- /dev/null
+++ b/queue-4.9/netfilter-ebtables-account-ebt_table_info-to-kmemcg.patch
@@ -0,0 +1,56 @@
+From e2c8d550a973bb34fc28bc8d0ec996f84562fb8a Mon Sep 17 00:00:00 2001
+From: Shakeel Butt
+Date: Wed, 2 Jan 2019 19:14:31 -0800
+Subject: netfilter: ebtables: account ebt_table_info to kmemcg
+
+From: Shakeel Butt
+
+commit e2c8d550a973bb34fc28bc8d0ec996f84562fb8a upstream.
+
+The [ip,ip6,arp]_tables use x_tables_info internally and the underlying
+memory is already accounted to kmemcg. Do the same for ebtables. The
+syzbot, by using setsockopt(EBT_SO_SET_ENTRIES), was able to OOM the
+whole system from a restricted memcg, a potential DoS.
+
+By accounting the ebt_table_info, the memory used for ebt_table_info can
+be contained within the memcg of the allocating process. However the
+lifetime of ebt_table_info is independent of the allocating process and
+is tied to the network namespace. So, the oom-killer will not be able to
+relieve the memory pressure due to ebt_table_info memory. The memory for
+ebt_table_info is allocated through vmalloc. Currently vmalloc does not
+handle the oom-killed allocating process correctly and one large
+allocation can bypass memcg limit enforcement. So, with this patch,
+at least the small allocations will be contained. For large allocations,
+we need to fix vmalloc.
+
+Reported-by: syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com
+Signed-off-by: Shakeel Butt
+Reviewed-by: Kirill Tkhai
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/netfilter/ebtables.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1147,14 +1147,16 @@ static int do_replace(struct net *net, c
+ tmp.name[sizeof(tmp.name) - 1] = 0;
+
+ countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
+- newinfo = vmalloc(sizeof(*newinfo) + countersize);
++ newinfo = __vmalloc(sizeof(*newinfo) + countersize, GFP_KERNEL_ACCOUNT,
++ PAGE_KERNEL);
+ if (!newinfo)
+ return -ENOMEM;
+
+ if (countersize)
+ memset(newinfo->counters, 0, countersize);
+
+- newinfo->entries = vmalloc(tmp.entries_size);
++ newinfo->entries = __vmalloc(tmp.entries_size, GFP_KERNEL_ACCOUNT,
++ PAGE_KERNEL);
+ if (!newinfo->entries) {
+ ret = -ENOMEM;
+ goto free_newinfo;
diff --git a/queue-4.9/omap2fb-fix-stack-memory-disclosure.patch b/queue-4.9/omap2fb-fix-stack-memory-disclosure.patch
new file mode 100644
index 00000000000..7052b558964
--- /dev/null
+++ b/queue-4.9/omap2fb-fix-stack-memory-disclosure.patch
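Review bot: Both `__vmalloc(..., GFP_KERNEL_ACCOUNT, PAGE_KERNEL)` calls size their allocation from user-supplied fields (`tmp.nentries` through COUNTER_OFFSET times nr_cpu_ids, and `tmp.entries_size`), and the description itself concedes that memcg cannot contain one large vmalloc, so the real bound on a restricted caller remains whatever range checks do_replace applies to those two fields before this hunk; they are not visible here and are worth confirming to still cover both sizes. The intent of the flag is also unrecorded in the code; a one-line comment above the first call would keep it: `/* sizes come from userspace: charge the caller's memcg (lifetime is the netns, so the OOM killer cannot reclaim it) */`. do_replace begins and ends outside the hunk.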
@@ -0,0 +1,41 @@
+From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001
+From: Vlad Tsyrklevich
+Date: Fri, 11 Jan 2019 14:34:38 +0100
+Subject: omap2fb: Fix stack memory disclosure
+
+From: Vlad Tsyrklevich
+
+commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.
+
+Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
+OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
+cases could all leak uninitialized stack memory--either due to
+uninitialized padding or 'reserved' fields.
+
+Fix them by clearing the shared union used to store copied out data.
+
+[1] https://github.com/vlad902/kernel-uninitialized-memory-checker
+
+Signed-off-by: Vlad Tsyrklevich
+Reviewed-by: Kees Cook
+Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
+Cc: security@kernel.org
+[b.zolnierkie: prefix patch subject with "omap2fb: "]
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+@@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, un
+
+ int r = 0;
+
++ memset(&p, 0, sizeof(p));
++
+ switch (cmd) {
+ case OMAPFB_SYNC_GFX:
+ DBG("ioctl SYNC_GFX\n");
diff --git a/queue-4.9/sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch b/queue-4.9/sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch
new file mode 100644
index 00000000000..7fe45570d21
--- /dev/null
+++ b/queue-4.9/sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch
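Review bot: The added `memset(&p, 0, sizeof(p));` carries no comment, and because `p` is a union shared by every case of the switch that follows, a later cleanup that moves the zeroing into only the cases that copy_from_user first would silently reintroduce the disclosure for the cases that fill just a few fields before copying out. State the reason in place: `/* zero the whole union: several cases copy it to userspace, and padding/reserved fields would otherwise leak stack contents */`. The declaration of `p` and the four cases named in the description are outside the hunk, as is the rest of omapfb_ioctl.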
@@ -0,0 +1,74 @@
+From 400b8b9a2a17918f8ce00786f596f530e7f30d50 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Mon, 14 Jan 2019 18:34:02 +0800
+Subject: sctp: allocate sctp_sockaddr_entry with kzalloc
+
+From: Xin Long
+
+commit 400b8b9a2a17918f8ce00786f596f530e7f30d50 upstream.
+
+The similar issue as fixed in Commit 4a2eb0c37b47 ("sctp: initialize
+sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event") also exists
+in sctp_inetaddr_event, as Alexander noticed.
+
+To fix it, allocate sctp_sockaddr_entry with kzalloc for both sctp
+ipv4 and ipv6 addresses, as does in sctp_v4/6_copy_addrlist().
+
+Reported-by: Alexander Potapenko
+Signed-off-by: Xin Long
+Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com
+Acked-by: Marcelo Ricardo Leitner
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sctp/ipv6.c | 5 +----
+ net/sctp/protocol.c | 4 +---
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -97,11 +97,9 @@ static int sctp_inet6addr_event(struct n
+
+ switch (ev) {
+ case NETDEV_UP:
+- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v6.sin6_family = AF_INET6;
+- addr->a.v6.sin6_port = 0;
+- addr->a.v6.sin6_flowinfo = 0;
+ addr->a.v6.sin6_addr = ifa->addr;
+ addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
+ addr->valid = 1;
+@@ -413,7 +411,6 @@ static void sctp_v6_copy_addrlist(struct
+ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v6.sin6_family = AF_INET6;
+- addr->a.v6.sin6_port = 0;
+ addr->a.v6.sin6_addr = ifp->addr;
+ addr->a.v6.sin6_scope_id = dev->ifindex;
+ addr->valid = 1;
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -151,7 +151,6 @@ static void sctp_v4_copy_addrlist(struct
+ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v4.sin_family = AF_INET;
+- addr->a.v4.sin_port = 0;
+ addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
+ addr->valid = 1;
+ INIT_LIST_HEAD(&addr->list);
+@@ -777,10 +776,9 @@ static int sctp_inetaddr_event(struct no
+
+ switch (ev) {
+ case NETDEV_UP:
+- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v4.sin_family = AF_INET;
+- addr->a.v4.sin_port = 0;
+ addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
+ addr->valid = 1;
+ spin_lock_bh(&net->sctp.local_addr_lock);
diff --git a/queue-4.9/selinux-fix-gpf-on-invalid-policy.patch b/queue-4.9/selinux-fix-gpf-on-invalid-policy.patch
new file mode 100644
index 00000000000..31cadae2d4c
--- /dev/null
+++ b/queue-4.9/selinux-fix-gpf-on-invalid-policy.patch
@@ -0,0 +1,34 @@
+From 5b0e7310a2a33c06edc7eb81ffc521af9b2c5610 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley
+Date: Wed, 9 Jan 2019 10:55:10 -0500
+Subject: selinux: fix GPF on invalid policy
+
+From: Stephen Smalley
+
+commit 5b0e7310a2a33c06edc7eb81ffc521af9b2c5610 upstream.
+
+levdatum->level can be NULL if we encounter an error while loading
+the policy during sens_read prior to initializing it. Make sure
+sens_destroy handles that case correctly.
+
+Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
+Signed-off-by: Stephen Smalley
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/selinux/ss/policydb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -726,7 +726,8 @@ static int sens_destroy(void *key, void
+ kfree(key);
+ if (datum) {
+ levdatum = datum;
+- ebitmap_destroy(&levdatum->level->cat);
++ if (levdatum->level)
++ ebitmap_destroy(&levdatum->level->cat);
+ kfree(levdatum->level);
+ }
+ kfree(datum);
diff --git a/queue-4.9/series b/queue-4.9/series
index e2ca0f58cd6..9a4eb4ace20 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
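Review bot: Switching sctp_inet6addr_event and sctp_inetaddr_event from kmalloc to kzalloc removes the explicit `sin6_port`/`sin6_flowinfo`/`sin_port` clears, so full initialisation of the sockaddr union now rests silently on the allocator and a future "kmalloc is enough here" change would bring the leak back unnoticed. A comment at each `addr = kzalloc(sizeof(*addr), GFP_ATOMIC);` would make the requirement explicit: `/* kzalloc: the whole sockaddr union may be copied out, every byte must be initialised */`. That the entries reach userspace is inferred from the sin6_flowinfo fix the description cites rather than from the hunk, so the wording should be checked against the address-list getsockopt path. All four functions continue outside the hunk.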
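Review bot: The new `if (levdatum->level)` guard in sens_destroy says nothing about when `level` can be NULL, and a reader who assumes sens_read always allocates it will see the check as dead code. A one-line comment keeps the reason next to the test: `/* level is NULL if sens_read failed before allocating it */`. Whether a level that was allocated but whose `cat` ebitmap was never initialised can also reach this destructor depends on sens_read's error ordering, which is outside the hunk and worth a look while here; sens_destroy itself begins and ends outside the hunk.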
@@ -24,3 +24,26 @@ scsi-core-synchronize-request-queue-pm-status-only-on-successful-resume.patch
 scsi-sd-fix-cache_type_store.patch
 crypto-talitos-reorder-code-in-talitos_edesc_alloc.patch
 crypto-talitos-fix-ablkcipher-for-config_vmap_stack.patch
+mips-fix-n32-compat_ipc_parse_version.patch
+mfd-tps6586x-handle-interrupts-on-suspend.patch
+arm64-kaslr-ensure-randomized-quantities-are-clean-to-the-poc.patch
+disable-msi-also-when-pcie-octeon.pcie_disable-on.patch
+omap2fb-fix-stack-memory-disclosure.patch
+media-vivid-fix-error-handling-of-kthread_run.patch
+media-vivid-set-min-width-height-to-a-value-0.patch
+lsm-check-for-null-cred-security-on-free.patch
+media-vb2-vb2_mmap-move-lock-up.patch
+sunrpc-handle-enomem-in-rpcb_getport_async.patch
+netfilter-ebtables-account-ebt_table_info-to-kmemcg.patch
+selinux-fix-gpf-on-invalid-policy.patch
+blockdev-fix-livelocks-on-loop-device.patch
+sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch
+tipc-fix-uninit-value-in-tipc_nl_compat_link_reset_stats.patch
+tipc-fix-uninit-value-in-tipc_nl_compat_bearer_enable.patch
+tipc-fix-uninit-value-in-tipc_nl_compat_link_set.patch
+tipc-fix-uninit-value-in-tipc_nl_compat_name_table_dump.patch
+tipc-fix-uninit-value-in-tipc_nl_compat_doit.patch
+block-loop-use-global-lock-for-ioctl-operation.patch
+loop-fold-__loop_release-into-loop_release.patch
+loop-get-rid-of-loop_index_mutex.patch
+loop-fix-double-mutex_unlock-loop_ctl_mutex-in-loop_control_ioctl.patch
diff --git a/queue-4.9/sunrpc-handle-enomem-in-rpcb_getport_async.patch b/queue-4.9/sunrpc-handle-enomem-in-rpcb_getport_async.patch
new file mode 100644
index 00000000000..1fce7f1701b
--- /dev/null
+++ b/queue-4.9/sunrpc-handle-enomem-in-rpcb_getport_async.patch
@@ -0,0 +1,44 @@
+From 81c88b18de1f11f70c97f28ced8d642c00bb3955 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Thu, 20 Dec 2018 10:35:11 -0500
+Subject: sunrpc: handle ENOMEM in rpcb_getport_async
+
+From: J. Bruce Fields
+
+commit 81c88b18de1f11f70c97f28ced8d642c00bb3955 upstream.
+
+If we ignore the error we'll hit a null dereference a little later.
+
+Reported-by: syzbot+4b98281f2401ab849f4b@syzkaller.appspotmail.com
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/rpcb_clnt.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/sunrpc/rpcb_clnt.c
++++ b/net/sunrpc/rpcb_clnt.c
+@@ -770,6 +770,12 @@ void rpcb_getport_async(struct rpc_task
+ case RPCBVERS_3:
+ map->r_netid = xprt->address_strings[RPC_DISPLAY_NETID];
+ map->r_addr = rpc_sockaddr2uaddr(sap, GFP_ATOMIC);
++ if (!map->r_addr) {
++ status = -ENOMEM;
++ dprintk("RPC: %5u %s: no memory available\n",
++ task->tk_pid, __func__);
++ goto bailout_free_args;
++ }
+ map->r_owner = "";
+ break;
+ case RPCBVERS_2:
+@@ -792,6 +798,8 @@ void rpcb_getport_async(struct rpc_task
+ rpc_put_task(child);
+ return;
+
++bailout_free_args:
++ kfree(map);
+ bailout_release_client:
+ rpc_release_client(rpcb_clnt);
+ bailout_nofree:
diff --git a/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_bearer_enable.patch b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_bearer_enable.patch
new file mode 100644
index 00000000000..7b2ad399595
--- /dev/null
+++ b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_bearer_enable.patch
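Review bot: The new `bailout_free_args: kfree(map);` that falls through into `bailout_release_client:` is only correct because nothing inside `map` is owned at the point of the new goto: `r_addr` is NULL when the branch is taken, `r_netid` points into `xprt->address_strings` and `r_owner` is a literal, all visible in the first inner hunk. That invariant is what a future caller of the label has to preserve, so record it there: `/* map->r_addr is NULL here, so only map itself needs freeing */`. Whether RPCBVERS_4 reaches this same code by falling through into `case RPCBVERS_3:` is not visible, and rpcb_getport_async begins and ends outside the hunk.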
@@ -0,0 +1,189 @@ +From 0762216c0ad2a2fccd63890648eca491f2c83d9a Mon Sep 17 00:00:00 2001 +From: Ying Xue +Date: Mon, 14 Jan 2019 17:22:26 +0800 +Subject: tipc: fix uninit-value in tipc_nl_compat_bearer_enable + +From: Ying Xue + +commit 0762216c0ad2a2fccd63890648eca491f2c83d9a upstream. + +syzbot reported: + +BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:484 +CPU: 1 PID: 6371 Comm: syz-executor652 Not tainted 4.19.0-rc8+ #70 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x306/0x460 lib/dump_stack.c:113 + kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917 + __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500 + strlen+0x3b/0xa0 lib/string.c:484 + nla_put_string include/net/netlink.h:1011 [inline] + tipc_nl_compat_bearer_enable+0x238/0x7b0 net/tipc/netlink_compat.c:389 + __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline] + tipc_nl_compat_doit+0x39f/0xae0 net/tipc/netlink_compat.c:344 + tipc_nl_compat_recv+0x147c/0x2760 net/tipc/netlink_compat.c:1107 + genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] + genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626 + netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454 + genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 + __sys_sendmsg net/socket.c:2154 [inline] + __do_sys_sendmsg net/socket.c:2163 [inline] + __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 + do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 +RIP: 0033:0x440179 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 
1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fffef7beee8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179 +RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 +R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00 +R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline] + kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180 + kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104 + kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113 + slab_post_alloc_hook mm/slab.h:446 [inline] + slab_alloc_node mm/slub.c:2727 [inline] + __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x422/0xe90 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:996 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline] + netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 + __sys_sendmsg net/socket.c:2154 [inline] + __do_sys_sendmsg net/socket.c:2163 [inline] + __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 + do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 + +The root cause is that we don't validate whether bear name is a valid +string in tipc_nl_compat_bearer_enable(). 
+ +Meanwhile, we also fix the same issue in the following functions: +tipc_nl_compat_bearer_disable() +tipc_nl_compat_link_stat_dump() +tipc_nl_compat_media_set() +tipc_nl_compat_bearer_set() + +Reported-by: syzbot+b33d5cae0efd35dbfe77@syzkaller.appspotmail.com +Signed-off-by: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/netlink_compat.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -380,6 +380,7 @@ static int tipc_nl_compat_bearer_enable( + struct nlattr *prop; + struct nlattr *bearer; + struct tipc_bearer_config *b; ++ int len; + + b = (struct tipc_bearer_config *)TLV_DATA(msg->req); + +@@ -387,6 +388,10 @@ static int tipc_nl_compat_bearer_enable( + if (!bearer) + return -EMSGSIZE; + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); ++ if (!string_is_valid(b->name, len)) ++ return -EINVAL; ++ + if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, b->name)) + return -EMSGSIZE; + +@@ -412,6 +417,7 @@ static int tipc_nl_compat_bearer_disable + { + char *name; + struct nlattr *bearer; ++ int len; + + name = (char *)TLV_DATA(msg->req); + +@@ -419,6 +425,10 @@ static int tipc_nl_compat_bearer_disable + if (!bearer) + return -EMSGSIZE; + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); ++ if (!string_is_valid(name, len)) ++ return -EINVAL; ++ + if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, name)) + return -EMSGSIZE; + +@@ -479,6 +489,7 @@ static int tipc_nl_compat_link_stat_dump + struct nlattr *prop[TIPC_NLA_PROP_MAX + 1]; + struct nlattr *stats[TIPC_NLA_STATS_MAX + 1]; + int err; ++ int len; + + if (!attrs[TIPC_NLA_LINK]) + return -EINVAL; +@@ -505,6 +516,11 @@ static int tipc_nl_compat_link_stat_dump + return err; + + name = (char *)TLV_DATA(msg->req); ++ ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); ++ if (!string_is_valid(name, len)) ++ return -EINVAL; ++ + if 
(strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0) + return 0; + +@@ -645,6 +661,7 @@ static int tipc_nl_compat_media_set(stru + struct nlattr *prop; + struct nlattr *media; + struct tipc_link_config *lc; ++ int len; + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + +@@ -652,6 +669,10 @@ static int tipc_nl_compat_media_set(stru + if (!media) + return -EMSGSIZE; + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME); ++ if (!string_is_valid(lc->name, len)) ++ return -EINVAL; ++ + if (nla_put_string(skb, TIPC_NLA_MEDIA_NAME, lc->name)) + return -EMSGSIZE; + +@@ -672,6 +693,7 @@ static int tipc_nl_compat_bearer_set(str + struct nlattr *prop; + struct nlattr *bearer; + struct tipc_link_config *lc; ++ int len; + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + +@@ -679,6 +701,10 @@ static int tipc_nl_compat_bearer_set(str + if (!bearer) + return -EMSGSIZE; + ++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME); ++ if (!string_is_valid(lc->name, len)) ++ return -EINVAL; ++ + if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, lc->name)) + return -EMSGSIZE; + diff --git a/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_doit.patch b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_doit.patch new file mode 100644 index 00000000000..b8224be9884 --- /dev/null +++ b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_doit.patch 
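Review bot: In tipc_nl_compat_bearer_enable the validated buffer `b->name` is a field inside `struct tipc_bearer_config` (the TLV payload is cast to that struct), yet the bound handed to string_is_valid is `TLV_GET_DATA_LEN(msg->req)`, the length of the whole payload, so the scan can run past the end of the user-supplied TLV by up to the offset of `name` within the struct when the payload is short; the same mismatch applies to `lc->name` in tipc_nl_compat_media_set and tipc_nl_compat_bearer_set, where the TLV is cast to `struct tipc_link_config`. The length should be reduced by the field offset and the request rejected when nothing is left, as shown below for bearer_enable. Separately, tipc_nl_compat_bearer_set bounds a bearer name with TIPC_MAX_MEDIA_NAME while tipc_nl_compat_bearer_enable uses TIPC_MAX_BEARER_NAME for the same kind of name; if the media limit is the smaller of the two (both constants are defined outside the hunk), valid longer bearer names would now be rejected with -EINVAL. None of the five touched functions is complete within the hunk.
```c
	b = (struct tipc_bearer_config *)TLV_DATA(msg->req);

	/* … unchanged: nla_nest_start(TIPC_NLA_BEARER) and its -EMSGSIZE check … */

	/* only the bytes after the fixed header of the config struct belong to name */
	len = TLV_GET_DATA_LEN(msg->req);
	len -= offsetof(struct tipc_bearer_config, name);
	if (len <= 0)
		return -EINVAL;

	len = min_t(int, len, TIPC_MAX_BEARER_NAME);
	if (!string_is_valid(b->name, len))
		return -EINVAL;
```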
@@ -0,0 +1,94 @@ +From 2753ca5d9009c180dbfd4c802c80983b4b6108d1 Mon Sep 17 00:00:00 2001 +From: Ying Xue +Date: Mon, 14 Jan 2019 17:22:29 +0800 +Subject: tipc: fix uninit-value in tipc_nl_compat_doit + +From: Ying Xue + +commit 2753ca5d9009c180dbfd4c802c80983b4b6108d1 upstream. + +BUG: KMSAN: uninit-value in tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335 +CPU: 0 PID: 4514 Comm: syz-executor485 Not tainted 4.16.0+ #87 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683 + tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335 + tipc_nl_compat_recv+0x164b/0x2700 net/tipc/netlink_compat.c:1153 + genl_family_rcv_msg net/netlink/genetlink.c:599 [inline] + genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624 + netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447 + genl_rcv+0x63/0x80 net/netlink/genetlink.c:635 + netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] + netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337 + netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x43fda9 +RSP: 002b:00007ffd0c184ba8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 +RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000004002c8 R11: 0000000000000213 R12: 
00000000004016d0 +R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2737 [inline] + __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:984 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline] + netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +In tipc_nl_compat_recv(), when the len variable returned by +nlmsg_attrlen() is 0, the message is still treated as a valid one, +which is obviously unresonable. When len is zero, it means the +message not only doesn't contain any valid TLV payload, but also +TLV header is not included. Under this stituation, tlv_type field +in TLV header is still accessed in tipc_nl_compat_dumpit() or +tipc_nl_compat_doit(), but the field space is obviously illegal. +Of course, it is not initialized. + +Reported-by: syzbot+bca0dc46634781f08b38@syzkaller.appspotmail.com +Reported-by: syzbot+6bdb590321a7ae40c1a6@syzkaller.appspotmail.com +Signed-off-by: Ying Xue +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/netlink_compat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -1240,7 +1240,7 @@ static int tipc_nl_compat_recv(struct sk + } + + len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN); +- if (len && !TLV_OK(msg.req, len)) { ++ if (!len || !TLV_OK(msg.req, len)) { + msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED); + err = -EOPNOTSUPP; + goto send; diff --git a/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_link_reset_stats.patch b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_link_reset_stats.patch new file mode 100644 index 00000000000..f0fc14b3a79 --- /dev/null +++ b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_link_reset_stats.patch 
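Review bot: The new guard `if (!len || !TLV_OK(msg.req, len))` only rejects a zero length, yet `len` comes from nlmsg_attrlen(), which is signed and, as far as its definition (outside the hunk) goes, can yield a negative value when the message is shorter than the requested header size; such a value would pass `!len` and be handed to TLV_OK. Writing the test as `if (len <= 0 || !TLV_OK(msg.req, len)) {` says what the description means ("no TLV header present") directly and does not rely on TLV_OK's internal comparison happening to reject negatives. Whether genetlink already guarantees the minimum header length before tipc_nl_compat_recv runs is not visible here; the function begins and ends outside the hunk.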
@@ -0,0 +1,133 @@
+From 8b66fee7f8ee18f9c51260e7a43ab37db5177a05 Mon Sep 17 00:00:00 2001
+From: Ying Xue
+Date: Mon, 14 Jan 2019 17:22:25 +0800
+Subject: tipc: fix uninit-value in tipc_nl_compat_link_reset_stats
+
+From: Ying Xue
+
+commit 8b66fee7f8ee18f9c51260e7a43ab37db5177a05 upstream.
+
+syzbot reports following splat:
+
+BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
+CPU: 1 PID: 11057 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #2
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
+ __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295
+ strlen+0x3b/0xa0 lib/string.c:486
+ nla_put_string include/net/netlink.h:1154 [inline]
+ tipc_nl_compat_link_reset_stats+0x1f0/0x360 net/tipc/netlink_compat.c:760
+ __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
+ tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
+ tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
+ genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+ genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
+ netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg net/socket.c:631 [inline]
+ ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
+ __sys_sendmsg net/socket.c:2154 [inline]
+ __do_sys_sendmsg net/socket.c:2163 [inline]
+ __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+
entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x457ec9
+Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f2557338c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
+RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
+RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f25573396d4
+R13: 00000000004cb478 R14: 00000000004d86c8 R15: 00000000ffffffff
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
+ kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
+ kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
+ kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
+ slab_post_alloc_hook mm/slab.h:446 [inline]
+ slab_alloc_node mm/slub.c:2759 [inline]
+ __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
+ __kmalloc_reserve net/core/skbuff.c:137 [inline]
+ __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
+ alloc_skb include/linux/skbuff.h:998 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg net/socket.c:631 [inline]
+ ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
+ __sys_sendmsg net/socket.c:2154 [inline]
+ __do_sys_sendmsg net/socket.c:2163 [inline]
+ __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+The uninitialised access happened in tipc_nl_compat_link_reset_stats:
+ nla_put_string(skb, TIPC_NLA_LINK_NAME, name)
+
+This is because name string is not validated before it's used.
+
+Reported-by: syzbot+e01d94b5a4c266be6e4c@syzkaller.appspotmail.com
+Signed-off-by: Ying Xue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/tipc/netlink_compat.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -87,6 +87,11 @@ static int tipc_skb_tailroom(struct sk_b
+ return limit;
+ }
+
++static inline int TLV_GET_DATA_LEN(struct tlv_desc *tlv)
++{
++ return TLV_GET_LEN(tlv) - TLV_SPACE(0);
++}
++
+ static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
+ {
+ struct tlv_desc *tlv = (struct tlv_desc *)skb_tail_pointer(skb);
+@@ -166,6 +171,11 @@ static struct sk_buff *tipc_get_err_tlv(
+ return buf;
+ }
+
++static inline bool string_is_valid(char *s, int len)
++{
++ return memchr(s, '\0', len) ? true : false;
++}
++
+ static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+ struct tipc_nl_compat_msg *msg,
+ struct sk_buff *arg)
+@@ -741,6 +751,7 @@ static int tipc_nl_compat_link_reset_sta
+ {
+ char *name;
+ struct nlattr *link;
++ int len;
+
+ name = (char *)TLV_DATA(msg->req);
+
+@@ -748,6 +759,10 @@ static int tipc_nl_compat_link_reset_sta
+ if (!link)
+ return -EMSGSIZE;
+
++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ if (!string_is_valid(name, len))
++ return -EINVAL;
++
+ if (nla_put_string(skb, TIPC_NLA_LINK_NAME, name))
+ return -EMSGSIZE;
+
diff --git a/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_link_set.patch b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_link_set.patch
new file mode 100644
index 00000000000..2274c415b79
--- /dev/null
+++ b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_link_set.patch
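Review bot: `string_is_valid()` hands its `int len` straight to `memchr()`, whose length parameter is `size_t`, and the `len` computed in tipc_nl_compat_link_reset_stats from `TLV_GET_DATA_LEN(msg->req)` (an `int` defined as `TLV_GET_LEN(tlv) - TLV_SPACE(0)`) stays negative through `min_t(int, …, TIPC_MAX_LINK_NAME)` whenever the TLV header advertises a length shorter than the header itself. Unless the caller chain (TLV_OK in tipc_nl_compat_recv, not in view) already rejects such a TLV, that negative value converts to a huge size and the validation itself reads far past the request buffer, trading the uninit read for an out-of-bounds one. The cheapest guard is in the helper, so every present and future caller is covered: `static inline bool string_is_valid(const char *s, int len)` / `{ return len > 0 && memchr(s, '\0', len); }`. A one-line comment on `TLV_GET_DATA_LEN()` stating that the result is negative for a truncated TLV header and must be range-checked by the caller would make that contract visible. tipc_nl_compat_link_reset_stats starts and ends outside the hunk.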
@@ -0,0 +1,76 @@
+From edf5ff04a45750ac8ce2435974f001dc9cfbf055 Mon Sep 17 00:00:00 2001
+From: Ying Xue
+Date: Mon, 14 Jan 2019 17:22:27 +0800
+Subject: tipc: fix uninit-value in tipc_nl_compat_link_set
+
+From: Ying Xue
+
+commit edf5ff04a45750ac8ce2435974f001dc9cfbf055 upstream.
+
+syzbot reports following splat:
+
+BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
+CPU: 1 PID: 9306 Comm: syz-executor172 Not tainted 4.20.0-rc7+ #2
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
+ __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
+ strlen+0x3b/0xa0 lib/string.c:486
+ nla_put_string include/net/netlink.h:1154 [inline]
+ __tipc_nl_compat_link_set net/tipc/netlink_compat.c:708 [inline]
+ tipc_nl_compat_link_set+0x929/0x1220 net/tipc/netlink_compat.c:744
+ __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
+ tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
+ tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
+ genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+ genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
+ netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg net/socket.c:631 [inline]
+ ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
+ __sys_sendmsg net/socket.c:2154 [inline]
+ __do_sys_sendmsg net/socket.c:2163 [inline]
+ __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
+ do_syscall_64+0xbc/0xf0
arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+The uninitialised access happened in
+ nla_put_string(skb, TIPC_NLA_LINK_NAME, lc->name)
+
+This is because lc->name string is not validated before it's used.
+
+Reported-by: syzbot+d78b8a29241a195aefb8@syzkaller.appspotmail.com
+Signed-off-by: Ying Xue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/tipc/netlink_compat.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -753,9 +753,14 @@ static int tipc_nl_compat_link_set(struc
+ struct tipc_link_config *lc;
+ struct tipc_bearer *bearer;
+ struct tipc_media *media;
++ int len;
+
+ lc = (struct tipc_link_config *)TLV_DATA(msg->req);
+
++ len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ if (!string_is_valid(lc->name, len))
++ return -EINVAL;
++
+ media = tipc_media_find(lc->name);
+ if (media) {
+ cmd->doit = &tipc_nl_media_set;
diff --git a/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_name_table_dump.patch b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_name_table_dump.patch
new file mode 100644
index 00000000000..4d5bf91ab1b
--- /dev/null
+++ b/queue-4.9/tipc-fix-uninit-value-in-tipc_nl_compat_name_table_dump.patch
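Review bot: The bound passed to `string_is_valid(lc->name, len)` is the whole TLV payload length, but `lc->name` is a member of `struct tipc_link_config`, which is overlaid on that same payload; if `name` is not the struct's first member (the struct is not in view and should be checked — the uapi definition appears to carry a value field ahead of it), the scan starts `offsetof(struct tipc_link_config, name)` bytes into the payload and the `len`-byte `memchr()` runs that many bytes past its end, so a short TLV is still read out of bounds. The same computation also passes a negative `len` through `min_t()` into `memchr()` for a TLV whose advertised length is below `TLV_SPACE(0)`, unless TLV_OK in the caller (not in view) already rules that out. Subtracting the member offset and rejecting non-positive lengths before clamping closes both, as sketched below. tipc_nl_compat_link_set continues past the hunk with the media/bearer lookup.
```c
	lc = (struct tipc_link_config *)TLV_DATA(msg->req);

	/* name sits after the leading field(s) of tipc_link_config, so the
	 * bytes available for it are the payload minus that offset; a
	 * truncated TLV header makes the data length negative.
	 */
	len = TLV_GET_DATA_LEN(msg->req);
	len -= offsetof(struct tipc_link_config, name);
	if (len <= 0)
		return -EINVAL;
	len = min_t(int, len, TIPC_MAX_LINK_NAME);
	if (!string_is_valid(lc->name, len))
		return -EINVAL;
	/* … unchanged: tipc_media_find(lc->name) and the rest of the lookup … */
```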
@@ -0,0 +1,100 @@
+From 974cb0e3e7c963ced06c4e32c5b2884173fa5e01 Mon Sep 17 00:00:00 2001
+From: Ying Xue
+Date: Mon, 14 Jan 2019 17:22:28 +0800
+Subject: tipc: fix uninit-value in tipc_nl_compat_name_table_dump
+
+From: Ying Xue
+
+commit 974cb0e3e7c963ced06c4e32c5b2884173fa5e01 upstream.
+
+syzbot reported:
+
+BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
+BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
+BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
+CPU: 0 PID: 6290 Comm: syz-executor848 Not tainted 4.19.0-rc8+ #70
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x306/0x460 lib/dump_stack.c:113
+ kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
+ __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
+ __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
+ __fswab32 include/uapi/linux/swab.h:59 [inline]
+ tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
+ __tipc_nl_compat_dumpit+0x59e/0xdb0 net/tipc/netlink_compat.c:205
+ tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:270
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1151 [inline]
+ tipc_nl_compat_recv+0x1402/0x2760 net/tipc/netlink_compat.c:1210
+ genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+ genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
+ netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg net/socket.c:631 [inline]
+ ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
+ __sys_sendmsg net/socket.c:2154 [inline]
+
__do_sys_sendmsg net/socket.c:2163 [inline]
+ __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
+ do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x440179
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffecec49318 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179
+RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
+R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00
+R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
+ kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
+ kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
+ kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
+ slab_post_alloc_hook mm/slab.h:446 [inline]
+ slab_alloc_node mm/slub.c:2727 [inline]
+ __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x422/0xe90 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:996 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
+ netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg net/socket.c:631 [inline]
+ ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
+ __sys_sendmsg net/socket.c:2154 [inline]
+ __do_sys_sendmsg net/socket.c:2163 [inline]
+ __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
+ do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+We cannot take for granted the
thing that the length of data contained
+in TLV is longer than the size of struct tipc_name_table_query in
+tipc_nl_compat_name_table_dump().
+
+Reported-by: syzbot+06e771a754829716a327@syzkaller.appspotmail.com
+Signed-off-by: Ying Xue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/tipc/netlink_compat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -815,6 +815,8 @@ static int tipc_nl_compat_name_table_dum
+ };
+
+ ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);
++ if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query))
++ return -EINVAL;
+
+ depth = ntohl(ntq->depth);
+
--
2.47.2
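Review bot: The added check `TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query)` compares an `int` with a `size_t`, so a negative data length — which `TLV_GET_DATA_LEN()` yields for a TLV whose advertised length is below `TLV_SPACE(0)`, if the caller's TLV_OK (not in view) lets such a TLV through — is converted to a huge unsigned value, the comparison is false, and `ntq->depth` is read from beyond the payload exactly as before the patch. Casting the right-hand side keeps the comparison signed: `if (TLV_GET_DATA_LEN(msg->req) < (int)sizeof(struct tipc_name_table_query))`. The default kernel warning set does not normally flag this sign mismatch, so it is worth a comment on the line, e.g. `/* data len is negative for a truncated TLV header: keep the compare signed */`. tipc_nl_compat_name_table_dump starts and ends outside the hunk.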