From 8d9a793af32f147a363ceadc69655e65d837c4a9 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 9 Dec 2019 19:53:39 +0100
Subject: [PATCH] 4.19-stable patches

added patches:
can-slcan-fix-use-after-free-read-in-slcan_open.patch
jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
kernfs-fix-ino-wrap-around-detection.patch
tty-vt-keyboard-reject-invalid-keycodes.patch
---
 ...ix-use-after-free-read-in-slcan_open.patch | 65 +++++++++++++++++++
 ...ible-overflow-in-jbd2_log_space_left.patch | 49 ++++++++++++++
 ...kernfs-fix-ino-wrap-around-detection.patch | 63 ++++++++++++++++++
 queue-4.19/series | 4 ++
 ...-vt-keyboard-reject-invalid-keycodes.patch | 52 +++++++++++++++
 5 files changed, 233 insertions(+)
 create mode 100644 queue-4.19/can-slcan-fix-use-after-free-read-in-slcan_open.patch
 create mode 100644 queue-4.19/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
 create mode 100644 queue-4.19/kernfs-fix-ino-wrap-around-detection.patch
 create mode 100644 queue-4.19/tty-vt-keyboard-reject-invalid-keycodes.patch
diff --git a/queue-4.19/can-slcan-fix-use-after-free-read-in-slcan_open.patch b/queue-4.19/can-slcan-fix-use-after-free-read-in-slcan_open.patch
new file mode 100644
index 00000000000..388375bd857
--- /dev/null
+++ b/queue-4.19/can-slcan-fix-use-after-free-read-in-slcan_open.patch
@@ -0,0 +1,65 @@
+From 9ebd796e24008f33f06ebea5a5e6aceb68b51794 Mon Sep 17 00:00:00 2001
+From: Jouni Hogander
+Date: Wed, 27 Nov 2019 08:40:26 +0200
+Subject: can: slcan: Fix use-after-free Read in slcan_open
+
+From: Jouni Hogander
+
+commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.
+
+Slcan_open doesn't clean-up device which registration failed from the
+slcan_devs device list. On next open this list is iterated and freed
+device is accessed. Fix this by calling slc_free_netdev in error path.
+
+Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
+identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
+trace from the Syzbot slip report:
+
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0x197/0x210 lib/dump_stack.c:118
+print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+kasan_report+0x12/0x20 mm/kasan/common.c:634
+__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+sl_sync drivers/net/slip/slip.c:725 [inline]
+slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
+tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
+tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
+tiocsetd drivers/tty/tty_io.c:2334 [inline]
+tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:509 [inline]
+do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
+ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+__do_sys_ioctl fs/ioctl.c:720 [inline]
+__se_sys_ioctl fs/ioctl.c:718 [inline]
+__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
+entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
+Cc: Wolfgang Grandegger
+Cc: Marc Kleine-Budde
+Cc: David Miller
+Cc: Oliver Hartkopp
+Cc: Lukas Bulwahn
+Signed-off-by: Jouni Hogander
+Cc: linux-stable # >= v5.4
+Acked-by: Oliver Hartkopp
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/slcan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -613,6 +613,7 @@ err_free_chan:
+ sl->tty = NULL;
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
++ slc_free_netdev(sl->dev);
+ free_netdev(sl->dev);
+
+ err_exit:
diff --git a/queue-4.19/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch b/queue-4.19/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
new file mode 100644
index 00000000000..1f0bfdc3fbc
--- /dev/null
+++ b/queue-4.19/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
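Review bot: The added `slc_free_netdev(sl->dev);` at err_free_chan has no comment saying why the slcan_devs slot must be released by hand, and nothing in the visible code shows that the following `free_netdev(sl->dev);` leaves that list alone when registration failed; a reader sees two release calls back to back and will wonder about a double free. Suggest `/* registration failed: drop our slcan_devs slot, free_netdev() alone does not */` above the added line, taken from the commit message. The patch carries `Cc: linux-stable # >= v5.4` yet is queued for 4.19, so it is worth confirming that the 4.19 error path matches the context lines shown (`sl->tty = NULL`, `tty->disc_data = NULL`, `clear_bit(SLF_INUSE, ...)`) and that calling slc_free_netdev on a device whose registration already partially cleaned up is harmless; neither can be checked from this hunk. slcan_open begins and continues outside the hunk.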
@@ -0,0 +1,49 @@
+From add3efdd78b8a0478ce423bb9d4df6bd95e8b335 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Tue, 5 Nov 2019 17:44:07 +0100
+Subject: jbd2: Fix possible overflow in jbd2_log_space_left()
+
+From: Jan Kara
+
+commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream.
+
+When number of free space in the journal is very low, the arithmetic in
+jbd2_log_space_left() could underflow resulting in very high number of
+free blocks and thus triggering assertion failure in transaction commit
+code complaining there's not enough space in the journal:
+
+J_ASSERT(journal->j_free > 1);
+
+Properly check for the low number of free blocks.
+
+CC: stable@vger.kernel.org
+Reviewed-by: Theodore Ts'o
+Signed-off-by: Jan Kara
+Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/jbd2.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/jbd2.h
++++ b/include/linux/jbd2.h
+@@ -1587,7 +1587,7 @@ static inline int jbd2_space_needed(jour
+ static inline unsigned long jbd2_log_space_left(journal_t *journal)
+ {
+ /* Allow for rounding errors */
+- unsigned long free = journal->j_free - 32;
++ long free = journal->j_free - 32;
+
+ if (journal->j_committing_transaction) {
+ unsigned long committing = atomic_read(&journal->
+@@ -1596,7 +1596,7 @@ static inline unsigned long jbd2_log_spa
+ /* Transaction + control blocks */
+ free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT);
+ }
+- return free;
++ return max_t(long, free, 0);
+ }
+
+ /*
diff --git a/queue-4.19/kernfs-fix-ino-wrap-around-detection.patch b/queue-4.19/kernfs-fix-ino-wrap-around-detection.patch
new file mode 100644
index 00000000000..8a34c4a8c7c
--- /dev/null
+++ b/queue-4.19/kernfs-fix-ino-wrap-around-detection.patch
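Review bot: The change to `long free` leans on implicit signed/unsigned mixing that the hunk does not explain: `committing` is declared `unsigned long` on the context line, so `free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT);` is computed in unsigned arithmetic and wraps before being stored back into the signed `free`, and the function still returns `unsigned long`, so the final `max_t(long, free, 0)` is the only thing that stops a tiny j_free from turning into the huge value the commit message describes. A comment on the declaration, e.g. `/* signed: may go negative when j_free is tiny; clamped at return */`, would keep a later cleanup from "fixing" the type back to unsigned and reintroducing the assertion failure. Whether `journal->j_free` itself is unsigned is not visible here; if it is, the `- 32` on the first line also relies on the same wrap-then-convert behaviour. jbd2_log_space_left starts at the first inner hunk and the two hunks together cover its whole body.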
@@ -0,0 +1,63 @@
+From e23f568aa63f64cd6b355094224cc9356c0f696b Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Mon, 4 Nov 2019 15:54:29 -0800
+Subject: kernfs: fix ino wrap-around detection
+
+From: Tejun Heo
+
+commit e23f568aa63f64cd6b355094224cc9356c0f696b upstream.
+
+When the 32bit ino wraps around, kernfs increments the generation
+number to distinguish reused ino instances. The wrap-around detection
+tests whether the allocated ino is lower than what the cursor but the
+cursor is pointing to the next ino to allocate so the condition never
+triggers.
+
+Fix it by remembering the last ino and comparing against that.
+
+Signed-off-by: Tejun Heo
+Reviewed-by: Greg Kroah-Hartman
+Fixes: 4a3ef68acacf ("kernfs: implement i_generation")
+Cc: Namhyung Kim
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/kernfs/dir.c | 5 ++---
+ include/linux/kernfs.h | 1 +
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/kernfs/dir.c
++++ b/fs/kernfs/dir.c
+@@ -624,7 +624,6 @@ static struct kernfs_node *__kernfs_new_
+ {
+ struct kernfs_node *kn;
+ u32 gen;
+- int cursor;
+ int ret;
+
+ name = kstrdup_const(name, GFP_KERNEL);
+@@ -637,11 +636,11 @@ static struct kernfs_node *__kernfs_new_
+
+ idr_preload(GFP_KERNEL);
+ spin_lock(&kernfs_idr_lock);
+- cursor = idr_get_cursor(&root->ino_idr);
+ ret = idr_alloc_cyclic(&root->ino_idr, kn, 1, 0, GFP_ATOMIC);
+- if (ret >= 0 && ret < cursor)
++ if (ret >= 0 && ret < root->last_ino)
+ root->next_generation++;
+ gen = root->next_generation;
++ root->last_ino = ret;
+ spin_unlock(&kernfs_idr_lock);
+ idr_preload_end();
+ if (ret < 0)
+--- a/include/linux/kernfs.h
++++ b/include/linux/kernfs.h
+@@ -186,6 +186,7 @@ struct kernfs_root {
+
+ /* private fields, do not use outside kernfs proper */
+ struct idr ino_idr;
++ u32 last_ino;
+ u32 next_generation;
+ struct kernfs_syscall_ops *syscall_ops;
+
diff --git a/queue-4.19/series b/queue-4.19/series
index a4260a59949..4d51560e3e3 100644
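Review bot: `root->last_ino = ret;` is stored unconditionally, so when idr_alloc_cyclic() fails `ret` is a negative errno and `last_ino` (a `u32`) becomes a very large value; the `if (ret < 0)` bail-out only comes afterwards, and the next successful allocation then satisfies `ret < root->last_ino` and bumps next_generation although no wrap occurred. The effect is a spurious generation increment rather than a wrong inode number, so it is cosmetic, but guarding the store with `if (ret >= 0) root->last_ino = ret;` keeps the comparison meaningful after an allocation failure. The comparison itself is safe against the int/u32 promotion because `ret >= 0` is tested first. The first allocation (ino >= 1) presumably cannot trip the check only because the new field starts at zero, which depends on how kernfs_root is allocated and is not visible here. __kernfs_new_node's body continues past the inner hunk.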
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -220,3 +220,7 @@ xfrm-interface-fix-list-corruption-for-x-netns.patch
 xfrm-interface-fix-management-of-phydev.patch
 cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch
 cifs-fix-smb2-oplock-break-processing.patch
+tty-vt-keyboard-reject-invalid-keycodes.patch
+can-slcan-fix-use-after-free-read-in-slcan_open.patch
+kernfs-fix-ino-wrap-around-detection.patch
+jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
diff --git a/queue-4.19/tty-vt-keyboard-reject-invalid-keycodes.patch b/queue-4.19/tty-vt-keyboard-reject-invalid-keycodes.patch
new file mode 100644
index 00000000000..1b34042a8ce
--- /dev/null
+++ b/queue-4.19/tty-vt-keyboard-reject-invalid-keycodes.patch
@@ -0,0 +1,52 @@
+From b2b2dd71e0859436d4e05b2f61f86140250ed3f8 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Fri, 22 Nov 2019 12:42:20 -0800
+Subject: tty: vt: keyboard: reject invalid keycodes
+
+From: Dmitry Torokhov
+
+commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.
+
+Do not try to handle keycodes that are too big, otherwise we risk doing
+out-of-bounds writes:
+
+BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
+...
+ kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+ kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+ input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
+ input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
+ input_pass_values drivers/input/input.c:949 [inline]
+ input_set_keycode+0x290/0x320 drivers/input/input.c:954
+ evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
+ evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
+
+In this case we were dealing with a fuzzed HID device that declared over
+12K buttons, and while HID layer should not be reporting to us such big
+keycodes, we should also be defensive and reject invalid data ourselves as
+well.
+
+Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
+Signed-off-by: Dmitry Torokhov
+Cc: stable
+Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/vt/keyboard.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -1491,7 +1491,7 @@ static void kbd_event(struct input_handl
+
+ if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev))
+ kbd_rawcode(value);
+- if (event_type == EV_KEY)
++ if (event_type == EV_KEY && event_code <= KEY_MAX)
+ kbd_keycode(event_code, value, HW_RAW(handle->dev));
+
+ spin_unlock(&kbd_event_lock);
--
2.47.3
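Review bot: The new `event_code <= KEY_MAX` test drops oversized keycodes silently and without a comment tying the bound to the array that overflowed; the KASAN report in the description points at a clear_bit() inside kbd_keycode(), so this condition is really an index check for that function's per-keycode state. Suggest `/* keycodes above KEY_MAX would index past kbd_keycode()'s per-key bitmaps */` on the changed line so the bound is not loosened or moved later. Placing the check at this call site rather than at the top of kbd_keycode() means any other caller of kbd_keycode() stays unprotected; whether such callers exist in 4.19 cannot be seen from the hunk, so it is worth a grep before this is taken as complete. kbd_event starts before the hunk and continues after `spin_unlock(&kbd_event_lock);`.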