From 52a0c30404fe5bedecb9da23a63624ef6c42284c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 3 Feb 2020 13:04:49 +0000
Subject: [PATCH] 4.9-stable patches

added patches:
 bluetooth-fix-race-condition-in-hci_release_sock.patch
 media-af9005-uninitialized-variable-printked.patch
 media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
 media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
 media-gspca-zero-usb_buf.patch
 mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
 reiserfs-fix-memory-leak-of-journal-device-string.patch
 ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
---
 ...x-race-condition-in-hci_release_sock.patch | 44 +++++++
 ...9005-uninitialized-variable-printked.patch | 31 +++++
 ...f-remote-control-state-can-t-be-read.patch | 48 ++++++++
 ...dvb-usb-urb.c-initialize-actlen-to-0.patch | 38 ++++++
 queue-4.9/media-gspca-zero-usb_buf.patch | 42 +++++++
 ...ut-of-bounds-write-in-mpol_parse_str.patch | 59 ++++++++++
 ...memory-leak-of-journal-device-string.patch | 41 +++++++
 queue-4.9/series | 8 ++
 ...-deadlock-in-interrupt-context-issue.patch | 111 ++++++++++++++++++
 9 files changed, 422 insertions(+)
 create mode 100644 queue-4.9/bluetooth-fix-race-condition-in-hci_release_sock.patch
 create mode 100644 queue-4.9/media-af9005-uninitialized-variable-printked.patch
 create mode 100644 queue-4.9/media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
 create mode 100644 queue-4.9/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
 create mode 100644 queue-4.9/media-gspca-zero-usb_buf.patch
 create mode 100644 queue-4.9/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
 create mode 100644 queue-4.9/reiserfs-fix-memory-leak-of-journal-device-string.patch
 create mode 100644 queue-4.9/ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
diff --git a/queue-4.9/bluetooth-fix-race-condition-in-hci_release_sock.patch b/queue-4.9/bluetooth-fix-race-condition-in-hci_release_sock.patch
new file mode 100644
index 00000000000..2939ce2b23c
--- /dev/null
+++ b/queue-4.9/bluetooth-fix-race-condition-in-hci_release_sock.patch
@@ -0,0 +1,44 @@
+From 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 15 Jan 2020 20:49:04 +0300
+Subject: Bluetooth: Fix race condition in hci_release_sock()
+
+From: Dan Carpenter
+
+commit 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 upstream.
+
+Syzbot managed to trigger a use after free "KASAN: use-after-free Write
+in hci_sock_bind". I have reviewed the code manually and one possibly
+cause I have found is that we are not holding lock_sock(sk) when we do
+the hci_dev_put(hdev) in hci_sock_release(). My theory is that the bind
+and the release are racing against each other which results in this use
+after free.
+
+Reported-by: syzbot+eba992608adf3d796bcc@syzkaller.appspotmail.com
+Signed-off-by: Dan Carpenter
+Signed-off-by: Johan Hedberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hci_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -826,6 +826,8 @@ static int hci_sock_release(struct socke
+ if (!sk)
+ return 0;
+
++ lock_sock(sk);
++
+ switch (hci_pi(sk)->channel) {
+ case HCI_CHANNEL_MONITOR:
+ atomic_dec(&monitor_promisc);
+@@ -873,6 +875,7 @@ static int hci_sock_release(struct socke
+ skb_queue_purge(&sk->sk_receive_queue);
+ skb_queue_purge(&sk->sk_write_queue);
+
++ release_sock(sk);
+ sock_put(sk);
+ return 0;
+ }
diff --git a/queue-4.9/media-af9005-uninitialized-variable-printked.patch b/queue-4.9/media-af9005-uninitialized-variable-printked.patch
new file mode 100644
index 00000000000..8a2df0972db
--- /dev/null
+++ b/queue-4.9/media-af9005-uninitialized-variable-printked.patch
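Review bot: The added `lock_sock(sk)` at the top of hci_sock_release() now covers the whole teardown, including the lines 829–873 that the inner hunk elides (the hci_dev_put(hdev) path the commit message names), so any early `return` or any blocking call in that stretch that itself needs the socket lock would now leak or deadlock on it; I am inferring from the description that the range is straight-line code, but the hunk does not show it, so that should be confirmed before this is queued. The commit message also describes the fix as a theory ("one possibly cause", "My theory is") and the backport carries no Reported-and-tested-by or Fixes: tag, so I would record in the queue note whether the syzbot reproducer was re-run against 4.9. A why-comment on the new line would help the next reader: `/* serialise against hci_sock_bind(); per the report both sides touch the hdev reference */`. hci_sock_release's body continues outside the hunk.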
@@ -0,0 +1,31 @@
+From 51d0c99b391f0cac61ad7b827c26f549ee55672c Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Sun, 10 Nov 2019 11:15:37 +0100
+Subject: media: af9005: uninitialized variable printked
+
+From: Sean Young
+
+commit 51d0c99b391f0cac61ad7b827c26f549ee55672c upstream.
+
+If usb_bulk_msg() fails, actual_length can be uninitialized.
+
+Reported-by: syzbot+9d42b7773d2fecd983ab@syzkaller.appspotmail.com
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/af9005.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/af9005.c
++++ b/drivers/media/usb/dvb-usb/af9005.c
+@@ -567,7 +567,7 @@ static int af9005_boot_packet(struct usb
+ u8 *buf, int size)
+ {
+ u16 checksum;
+- int act_len, i, ret;
++ int act_len = 0, i, ret;
+
+ memset(buf, 0, size);
+ buf[0] = (u8) (FW_BULKOUT_SIZE & 0xff);
diff --git a/queue-4.9/media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch b/queue-4.9/media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
new file mode 100644
index 00000000000..bb093501cbc
--- /dev/null
+++ b/queue-4.9/media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
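Review bot: Initialising `act_len = 0` only makes the later read of act_len defined; it does not stop af9005_boot_packet() from carrying on after a failed usb_bulk_msg() with a zero length and whatever the firmware buffer held. The transfer call and the print the subject refers to are outside the hunk, so I would confirm that `ret` from usb_bulk_msg() is checked before act_len is used; if it is not, `if (ret) return ret;` after the transfer is the real fix and the initialiser is only belt-and-braces. Minor style point: `int act_len = 0, i, ret;` mixes one initialised and two uninitialised declarations on a line; `int act_len = 0;` on its own line reads more clearly. af9005_boot_packet's body continues outside the hunk.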
@@ -0,0 +1,48 @@
+From eecc70d22ae51225de1ef629c1159f7116476b2e Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Sun, 10 Nov 2019 11:04:40 +0100
+Subject: media: digitv: don't continue if remote control state can't be read
+
+From: Sean Young
+
+commit eecc70d22ae51225de1ef629c1159f7116476b2e upstream.
+
+This results in an uninitialized variable read.
+
+Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/digitv.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/digitv.c
++++ b/drivers/media/usb/dvb-usb/digitv.c
+@@ -233,18 +233,22 @@ static struct rc_map_table rc_map_digitv
+
+ static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
+- int i;
++ int ret, i;
+ u8 key[5];
+ u8 b[4] = { 0 };
+
+ *event = 0;
+ *state = REMOTE_NO_KEY_PRESSED;
+
+- digitv_ctrl_msg(d,USB_READ_REMOTE,0,NULL,0,&key[1],4);
++ ret = digitv_ctrl_msg(d, USB_READ_REMOTE, 0, NULL, 0, &key[1], 4);
++ if (ret)
++ return ret;
+
+ /* Tell the device we've read the remote. Not sure how necessary
+ this is, but the Nebula SDK does it. */
+- digitv_ctrl_msg(d,USB_WRITE_REMOTE,0,b,4,NULL,0);
++ ret = digitv_ctrl_msg(d, USB_WRITE_REMOTE, 0, b, 4, NULL, 0);
++ if (ret)
++ return ret;
+
+ /* if something is inside the buffer, simulate key press */
+ if (key[1] != 0)
diff --git a/queue-4.9/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch b/queue-4.9/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
new file mode 100644
index 00000000000..ebc39416986
--- /dev/null
+++ b/queue-4.9/media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
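Review bot: Returning `ret` from the second digitv_ctrl_msg() (the USB_WRITE_REMOTE acknowledgement) discards a key code that has already been read successfully into `key[1..4]`, even though the comment directly above says the driver is unsure the write is needed at all. If the polling caller treats a non-zero return as a query error (it is outside the hunk, so I cannot tell), a transient failure of that write both drops the keypress and, presumably, logs on every poll; I would keep the early return for the USB_READ_REMOTE call only, which is the one that leaves `key` uninitialised, and at most log the write failure. Note also that `key[0]` is never written, which is fine only if the remainder of the function (outside the hunk) reads key[1..4] exclusively. digitv_rc_query's body continues outside the hunk.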
@@ -0,0 +1,38 @@
+From 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Tue, 12 Nov 2019 10:22:28 +0100
+Subject: media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0
+
+From: Hans Verkuil
+
+commit 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 upstream.
+
+This fixes a syzbot failure since actlen could be uninitialized,
+but it was still used.
+
+Syzbot link:
+
+https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1
+
+Reported-and-tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil
+Acked-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/dvb-usb-urb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/dvb-usb-urb.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-urb.c
+@@ -11,7 +11,7 @@
+ int dvb_usb_generic_rw(struct dvb_usb_device *d, u8 *wbuf, u16 wlen, u8 *rbuf,
+ u16 rlen, int delay_ms)
+ {
+- int actlen,ret = -ENOMEM;
++ int actlen = 0, ret = -ENOMEM;
+
+ if (!d || wbuf == NULL || wlen == 0)
+ return -EINVAL;
diff --git a/queue-4.9/media-gspca-zero-usb_buf.patch b/queue-4.9/media-gspca-zero-usb_buf.patch
new file mode 100644
index 00000000000..322292b2e6e
--- /dev/null
+++ b/queue-4.9/media-gspca-zero-usb_buf.patch
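Review bot: `actlen = 0` makes the value defined but does not address why a failed usb_bulk_msg() ever reaches the code that consumes it; the body of dvb_usb_generic_rw() is outside the hunk, so I would check that the transfer's return value is tested, with an early return, before `actlen` is presumably compared against `rlen` or used for the copy-out, otherwise callers now see a zero-length "success" instead of garbage. A pre-existing but visible oddity: `ret = -ENOMEM` as the initial value is misleading when the first failure in view returns -EINVAL; a plain `int ret;` with explicit assignments would read better. The function continues outside the hunk.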
@@ -0,0 +1,42 @@
+From de89d0864f66c2a1b75becfdd6bf3793c07ce870 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Tue, 12 Nov 2019 10:22:24 +0100
+Subject: media: gspca: zero usb_buf
+
+From: Hans Verkuil
+
+commit de89d0864f66c2a1b75becfdd6bf3793c07ce870 upstream.
+
+Allocate gspca_dev->usb_buf with kzalloc instead of kmalloc to
+ensure it is property zeroed. This fixes various syzbot errors
+about uninitialized data.
+
+Syzbot links:
+
+https://syzkaller.appspot.com/bug?extid=32310fc2aea76898d074
+https://syzkaller.appspot.com/bug?extid=99706d6390be1ac542a2
+https://syzkaller.appspot.com/bug?extid=64437af5c781a7f0e08e
+
+Reported-and-tested-by: syzbot+32310fc2aea76898d074@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+99706d6390be1ac542a2@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+64437af5c781a7f0e08e@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/gspca/gspca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -2043,7 +2043,7 @@ int gspca_dev_probe2(struct usb_interfac
+ pr_err("couldn't kzalloc gspca struct\n");
+ return -ENOMEM;
+ }
+- gspca_dev->usb_buf = kmalloc(USB_BUF_SZ, GFP_KERNEL);
++ gspca_dev->usb_buf = kzalloc(USB_BUF_SZ, GFP_KERNEL);
+ if (!gspca_dev->usb_buf) {
+ pr_err("out of memory\n");
+ ret = -ENOMEM;
diff --git a/queue-4.9/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch b/queue-4.9/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
new file mode 100644
index 00000000000..fb241e10d9e
--- /dev/null
+++ b/queue-4.9/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
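Review bot: Switching to `kzalloc` zeroes usb_buf exactly once, at probe time (the hunk is in gspca_dev_probe2), and assuming the buffer is reused for every later control transfer as its name suggests, a short or failed transfer afterwards still leaves a subdriver reading bytes left over from the previous transfer as though they were fresh. That is a less reproducible form of the same uninitialised-data class syzbot reported, so the durable fix is for the callers to check the length returned by the transfer (or clear the buffer per transfer); kzalloc is a reasonable mitigation but I would say so at the allocation: `/* zeroed once at probe; callers must still check the transfer length before trusting contents */`. gspca_dev_probe2 continues outside the hunk.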
@@ -0,0 +1,59 @@
+From c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 30 Jan 2020 22:11:07 -0800
+Subject: mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
+
+From: Dan Carpenter
+
+commit c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 upstream.
+
+What we are trying to do is change the '=' character to a NUL terminator
+and then at the end of the function we restore it back to an '='. The
+problem is there are two error paths where we jump to the end of the
+function before we have replaced the '=' with NUL.
+
+We end up putting the '=' in the wrong place (possibly one element
+before the start of the buffer).
+
+Link: http://lkml.kernel.org/r/20200115055426.vdjwvry44nfug7yy@kili.mountain
+Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Signed-off-by: Dan Carpenter
+Acked-by: Vlastimil Babka
+Dmitry Vyukov
+Cc: Michal Hocko
+Cc: Dan Carpenter
+Cc: Lee Schermerhorn
+Cc: Andrea Arcangeli
+Cc: Hugh Dickins
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mempolicy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2744,6 +2744,9 @@ int mpol_parse_str(char *str, struct mem
+ char *flags = strchr(str, '=');
+ int err = 1;
+
++ if (flags)
++ *flags++ = '\0'; /* terminate mode string */
++
+ if (nodelist) {
+ /* NUL-terminate mode or flags string */
+ *nodelist++ = '\0';
+@@ -2754,9 +2757,6 @@ int mpol_parse_str(char *str, struct mem
+ } else
+ nodes_clear(nodes);
+
+- if (flags)
+- *flags++ = '\0'; /* terminate mode string */
+-
+ for (mode = 0; mode < MPOL_MAX; mode++) {
+ if (!strcmp(str, policy_modes[mode])) {
+ break;
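Review bot: Moving `*flags++ = '\0'` above the `if (nodelist)` block is correct, but the reason lives only in the commit message; a later reader of mpol_parse_str() will not see why both terminations have to happen before the first `goto out`. I would carry the invariant into the code on the added line, e.g. `/* must precede every goto out: the epilogue restores '=' with *--flags */`, since per the description the restore unconditionally steps back one character and that epilogue is outside the hunk. The nodelist termination and its matching restore are likewise outside the hunk, so I am assuming they still pair up in 4.9 as they do upstream.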
diff --git a/queue-4.9/reiserfs-fix-memory-leak-of-journal-device-string.patch b/queue-4.9/reiserfs-fix-memory-leak-of-journal-device-string.patch
new file mode 100644
index 00000000000..bffc874d6db
--- /dev/null
+++ b/queue-4.9/reiserfs-fix-memory-leak-of-journal-device-string.patch
@@ -0,0 +1,41 @@
+From 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 12 Dec 2019 11:30:03 +0100
+Subject: reiserfs: Fix memory leak of journal device string
+
+From: Jan Kara
+
+commit 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c upstream.
+
+When a filesystem is mounted with jdev mount option, we store the
+journal device name in an allocated string in superblock. However we
+fail to ever free that string. Fix it.
+
+Reported-by: syzbot+1c6756baf4b16b94d2a6@syzkaller.appspotmail.com
+Fixes: c3aa077648e1 ("reiserfs: Properly display mount options in /proc/mounts")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/reiserfs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -599,6 +599,7 @@ static void reiserfs_put_super(struct su
+ reiserfs_write_unlock(s);
+ mutex_destroy(&REISERFS_SB(s)->lock);
+ destroy_workqueue(REISERFS_SB(s)->commit_wq);
++ kfree(REISERFS_SB(s)->s_jdev);
+ kfree(s->s_fs_info);
+ s->s_fs_info = NULL;
+ }
+@@ -2217,6 +2218,7 @@ error_unlocked:
+ kfree(qf_names[j]);
+ }
+ #endif
++ kfree(sbi->s_jdev);
+ kfree(sbi);
+
+ s->s_fs_info = NULL;
diff --git a/queue-4.9/series b/queue-4.9/series
index 787659577a7..18d5304621f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
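Review bot: `kfree(sbi->s_jdev)` at `error_unlocked:` relies on s_jdev being NULL on every failure path reached before the jdev string is assigned; that holds only if sbi is zero-allocated, and the allocation is outside the hunk (I assume kzalloc, but it is worth a glance in 4.9). The put_super side is straightforward, and leaving the freed pointer in place there is harmless because s_fs_info is freed on the very next line. What the patch does not cover, if it applies in this tree, is any later reassignment of s_jdev (a remount that supplies a new jdev, for instance), which would still leak the previous string; a grep for other writers of s_jdev would close that. Both reiserfs_put_super and the fill_super error path continue outside the hunk.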
@@ -29,3 +29,11 @@ iio-gyro-st_gyro-inline-per-sensor-data.patch
 iio-gyro-st_gyro-fix-l3gd20h-support.patch
 tools-lib-fix-builds-when-glibc-contains-strlcpy.patch
 arm64-kbuild-remove-compressed-images-on-make-arch-arm64-dist-clean.patch
+mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
+reiserfs-fix-memory-leak-of-journal-device-string.patch
+media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
+media-af9005-uninitialized-variable-printked.patch
+media-gspca-zero-usb_buf.patch
+media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
+ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
+bluetooth-fix-race-condition-in-hci_release_sock.patch
diff --git a/queue-4.9/ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch b/queue-4.9/ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
new file mode 100644
index 00000000000..742ff70b864
--- /dev/null
+++ b/queue-4.9/ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
@@ -0,0 +1,111 @@
+From 9a655c77ff8fc65699a3f98e237db563b37c439b Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan
+Date: Mon, 13 Jan 2020 11:48:42 +0800
+Subject: ttyprintk: fix a potential deadlock in interrupt context issue
+
+From: Zhenzhong Duan
+
+commit 9a655c77ff8fc65699a3f98e237db563b37c439b upstream.
+
+tpk_write()/tpk_close() could be interrupted when holding a mutex, then
+in timer handler tpk_write() may be called again trying to acquire same
+mutex, lead to deadlock.
+
+Google syzbot reported this issue with CONFIG_DEBUG_ATOMIC_SLEEP
+enabled:
+
+BUG: sleeping function called from invalid context at
+kernel/locking/mutex.c:938
+in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/1
+1 lock held by swapper/1/0:
+...
+Call Trace:
+
+ dump_stack+0x197/0x210
+ ___might_sleep.cold+0x1fb/0x23e
+ __might_sleep+0x95/0x190
+ __mutex_lock+0xc5/0x13c0
+ mutex_lock_nested+0x16/0x20
+ tpk_write+0x5d/0x340
+ resync_tnc+0x1b6/0x320
+ call_timer_fn+0x1ac/0x780
+ run_timer_softirq+0x6c3/0x1790
+ __do_softirq+0x262/0x98c
+ irq_exit+0x19b/0x1e0
+ smp_apic_timer_interrupt+0x1a3/0x610
+ apic_timer_interrupt+0xf/0x20
+
+
+See link https://syzkaller.appspot.com/bug?extid=2eeef62ee31f9460ad65 for
+more details.
+
+Fix it by using spinlock in process context instead of mutex and having
+interrupt disabled in critical section.
+
+Reported-by: syzbot+2eeef62ee31f9460ad65@syzkaller.appspotmail.com
+Signed-off-by: Zhenzhong Duan
+Cc: Arnd Bergmann
+Cc: Greg Kroah-Hartman
+Link: https://lore.kernel.org/r/20200113034842.435-1-zhenzhong.duan@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ttyprintk.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/ttyprintk.c
++++ b/drivers/char/ttyprintk.c
+@@ -18,10 +18,11 @@
+ #include
+ #include
+ #include
++#include
+
+ struct ttyprintk_port {
+ struct tty_port port;
+- struct mutex port_write_mutex;
++ spinlock_t spinlock;
+ };
+
+ static struct ttyprintk_port tpk_port;
+@@ -100,11 +101,12 @@ static int tpk_open(struct tty_struct *t
+ static void tpk_close(struct tty_struct *tty, struct file *filp)
+ {
+ struct ttyprintk_port *tpkp = tty->driver_data;
++ unsigned long flags;
+
+- mutex_lock(&tpkp->port_write_mutex);
++ spin_lock_irqsave(&tpkp->spinlock, flags);
+ /* flush tpk_printk buffer */
+ tpk_printk(NULL, 0);
+- mutex_unlock(&tpkp->port_write_mutex);
++ spin_unlock_irqrestore(&tpkp->spinlock, flags);
+
+ tty_port_close(&tpkp->port, tty, filp);
+ }
+@@ -116,13 +118,14 @@ static int tpk_write(struct tty_struct *
+ const unsigned char *buf, int count)
+ {
+ struct ttyprintk_port *tpkp = tty->driver_data;
++ unsigned long flags;
+ int ret;
+
+
+ /* exclusive use of tpk_printk within this tty */
+- mutex_lock(&tpkp->port_write_mutex);
++ spin_lock_irqsave(&tpkp->spinlock, flags);
+ ret = tpk_printk(buf, count);
+- mutex_unlock(&tpkp->port_write_mutex);
++ spin_unlock_irqrestore(&tpkp->spinlock, flags);
+
+ return ret;
+ }
+@@ -172,7 +175,7 @@ static int __init ttyprintk_init(void)
+ {
+ int ret = -ENOMEM;
+
+- mutex_init(&tpk_port.port_write_mutex);
++ spin_lock_init(&tpk_port.spinlock);
+
+ ttyprintk_driver = tty_alloc_driver(1,
+ TTY_DRIVER_RESET_TERMIOS |
--
2.47.3
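Review bot: With `spin_lock_irqsave` replacing the mutex in tpk_write() and tpk_close(), tpk_printk() now runs with local interrupts disabled for the whole of a write; going by the driver's purpose and the trace in the description that path ends in printk(), so on a slow console a single tty write of a few hundred bytes becomes a noticeable irq-off window. The contender in the report is a timer softirq (resync_tnc → tpk_write), so `spin_lock_bh()` would suffice unless tpk_write() can also be entered from hard-irq context; if irqsave is kept deliberately, a comment on the new struct member saying which contexts it guards would help, e.g. `spinlock_t spinlock; /* serialises tpk_printk(); taken from process and softirq context */`. The name `spinlock` is also generic — keeping parity with the old `port_write_mutex` (`port_write_lock`) would keep the intent visible. tpk_printk() itself is outside the hunk, so I am assuming it has no sleeping calls, since any allocation or mutex there would now be a sleep-in-atomic.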