From 98d231d298e8cf4711f57d4f5319e8750dce70ca Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Tue, 28 May 2019 17:24:54 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
acct_on-don-t-mess-with-freeze-protection.patch
at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
media-cpia2-fix-use-after-free-in-cpia2_exit.patch
media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch
media-vb2-add-waiting_in_dqbuf-flag.patch
media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
ovl-relax-warn_on-for-overlapping-layers-use-case.patch
ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
---
...on-don-t-mess-with-freeze-protection.patch | 73 +++++++++
...rigger-if-usb_register_driver-failed.patch | 89 +++++++++++
...fix-multicast-tt-tvlv-worker-locking.patch | 111 ++++++++++++++
...er-free-read-in-__dev_map_entry_free.patch | 123 +++++++++++++++
...arning-in-__alloc_pages_nodemask-bug.patch | 51 +++++++
...ia2-fix-use-after-free-in-cpia2_exit.patch | 124 ++++++++++++++++
...-after-free-in-serial_ir_init_module.patch | 140 ++++++++++++++++++
.../media-vb2-add-waiting_in_dqbuf-flag.patch | 113 ++++++++++++++
...-instead-of-kfree-for-dev-bitmap_cap.patch | 37 +++++
...n_on-for-overlapping-layers-use-case.patch | 85 +++++++++++
queue-4.19/series | 11 ++
...-dereference-in-ssb_host_pcmcia_exit.patch | 94 ++++++++++++
12 files changed, 1051 insertions(+)
create mode 100644 queue-4.19/acct_on-don-t-mess-with-freeze-protection.patch
create mode 100644 queue-4.19/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
create mode 100644 queue-4.19/batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
create mode 100644 queue-4.19/bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
create mode 100644 queue-4.19/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
create mode 100644 queue-4.19/media-cpia2-fix-use-after-free-in-cpia2_exit.patch
create mode 100644 queue-4.19/media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch
create mode 100644 queue-4.19/media-vb2-add-waiting_in_dqbuf-flag.patch
create mode 100644 queue-4.19/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
create mode 100644 queue-4.19/ovl-relax-warn_on-for-overlapping-layers-use-case.patch
create mode 100644 queue-4.19/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch

diff --git a/queue-4.19/acct_on-don-t-mess-with-freeze-protection.patch b/queue-4.19/acct_on-don-t-mess-with-freeze-protection.patch
new file mode 100644
index 00000000000..17c0677142b
--- /dev/null
+++ b/queue-4.19/acct_on-don-t-mess-with-freeze-protection.patch
@@ -0,0 +1,73 @@
+From 9419a3191dcb27f24478d288abaab697228d28e6 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Thu, 4 Apr 2019 21:04:13 -0400
+Subject: acct_on(): don't mess with freeze protection
+
+From: Al Viro
+
+commit 9419a3191dcb27f24478d288abaab697228d28e6 upstream.
+
+What happens there is that we are replacing file->path.mnt of
+a file we'd just opened with a clone and we need the write
+count contribution to be transferred from original mount to
+new one. That's it. We do *NOT* want any kind of freeze
+protection for the duration of switchover.
+
+IOW, we should just use __mnt_{want,drop}_write() for that
+switchover; no need to bother with mnt_{want,drop}_write()
+there.
+
+Tested-by: Amir Goldstein
+Reported-by: syzbot+2a73a6ea9507b7112141@syzkaller.appspotmail.com
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/internal.h | 2 --
+ include/linux/mount.h | 2 ++
+ kernel/acct.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/internal.h
++++ b/fs/internal.h
+@@ -80,9 +80,7 @@ extern int sb_prepare_remount_readonly(s
+
+ extern void __init mnt_init(void);
+
+-extern int __mnt_want_write(struct vfsmount *);
+ extern int __mnt_want_write_file(struct file *);
+-extern void __mnt_drop_write(struct vfsmount *);
+ extern void __mnt_drop_write_file(struct file *);
+
+ /*
+--- a/include/linux/mount.h
++++ b/include/linux/mount.h
+@@ -86,6 +86,8 @@ extern bool mnt_may_suid(struct vfsmount
+
+ struct path;
+ extern struct vfsmount *clone_private_mount(const struct path *path);
++extern int __mnt_want_write(struct vfsmount *);
++extern void __mnt_drop_write(struct vfsmount *);
+
+ struct file_system_type;
+ extern struct vfsmount *vfs_kern_mount(struct file_system_type *type,
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -227,7 +227,7 @@ static int acct_on(struct filename *path
+ filp_close(file, NULL);
+ return PTR_ERR(internal);
+ }
+- err = mnt_want_write(internal);
++ err = __mnt_want_write(internal);
+ if (err) {
+ mntput(internal);
+ kfree(acct);
+@@ -252,7 +252,7 @@ static int acct_on(struct filename *path
+ old = xchg(&ns->bacct, &acct->pin);
+ mutex_unlock(&acct->lock);
+ pin_kill(old);
+- mnt_drop_write(mnt);
++ __mnt_drop_write(mnt);
+ mntput(mnt);
+ return 0;
+ }
diff --git a/queue-4.19/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch b/queue-4.19/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
new file mode 100644
index 00000000000..013ace6d330
--- /dev/null
+++ b/queue-4.19/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
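Review bot: At the new `__mnt_want_write(internal)` in kernel/acct.c nothing records why the freeze-protected `mnt_want_write()` was deliberately avoided, and the count is taken on `internal` but dropped on `mnt` in the second hunk, so the pairing is easy to misread and "fix" back to the old calls. I would carry the changelog's rationale into a comment above that line: `/* Transfer the write count to the cloned mount; no freeze protection wanted for the switchover. */`. Both acct_on() hunks are fragments — the function begins and ends outside them — so how `mnt` relates to `internal` by the time of the drop is not visible here and is worth confirming during backport review.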
@@ -0,0 +1,89 @@
+From 09ac2694b0475f96be895848687ebcbba97eeecf Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Mon, 8 Apr 2019 11:45:29 +0800
+Subject: at76c50x-usb: Don't register led_trigger if usb_register_driver failed
+
+From: YueHaibing
+
+commit 09ac2694b0475f96be895848687ebcbba97eeecf upstream.
+
+Syzkaller report this:
+
+[ 1213.468581] BUG: unable to handle kernel paging request at fffffbfff83bf338
+[ 1213.469530] #PF error: [normal kernel read fault]
+[ 1213.469530] PGD 237fe4067 P4D 237fe4067 PUD 237e60067 PMD 1c868b067 PTE 0
+[ 1213.473514] Oops: 0000 [#1] SMP KASAN PTI
+[ 1213.473514] CPU: 0 PID: 6321 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8
+[ 1213.473514] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+[ 1213.473514] RIP: 0010:strcmp+0x31/0xa0
+[ 1213.473514] Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d
+[ 1213.473514] RSP: 0018:ffff8881f2b7f950 EFLAGS: 00010246
+[ 1213.473514] RAX: 1ffffffff83bf338 RBX: ffff8881ea6f7240 RCX: ffffffff825350c6
+[ 1213.473514] RDX: 0000000000000000 RSI: ffffffffc1ee19c0 RDI: ffffffffc1df99c0
+[ 1213.473514] RBP: ffffffffc1df99c1 R08: 0000000000000001 R09: 0000000000000004
+[ 1213.473514] R10: 0000000000000000 R11: ffff8881de353f00 R12: ffff8881ee727900
+[ 1213.473514] R13: dffffc0000000000 R14: 0000000000000001 R15: ffffffffc1eeaaf0
+[ 1213.473514] FS: 00007fa66fa01700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
+[ 1213.473514] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1213.473514] CR2: fffffbfff83bf338 CR3: 00000001ebb9e005 CR4: 00000000007606f0
+[ 1213.473514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1213.473514] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1213.473514] PKRU: 55555554
+[ 1213.473514] Call Trace:
+[ 1213.473514] led_trigger_register+0x112/0x3f0
+[ 1213.473514] led_trigger_register_simple+0x7a/0x110
+[ 1213.473514] ? 0xffffffffc1c10000
+[ 1213.473514] at76_mod_init+0x77/0x1000 [at76c50x_usb]
+[ 1213.473514] do_one_initcall+0xbc/0x47d
+[ 1213.473514] ? perf_trace_initcall_level+0x3a0/0x3a0
+[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514] do_init_module+0x1b5/0x547
+[ 1213.473514] load_module+0x6405/0x8c10
+[ 1213.473514] ? module_frob_arch_sections+0x20/0x20
+[ 1213.473514] ? kernel_read_file+0x1e6/0x5d0
+[ 1213.473514] ? find_held_lock+0x32/0x1c0
+[ 1213.473514] ? cap_capable+0x1ae/0x210
+[ 1213.473514] ? __do_sys_finit_module+0x162/0x190
+[ 1213.473514] __do_sys_finit_module+0x162/0x190
+[ 1213.473514] ? __ia32_sys_init_module+0xa0/0xa0
+[ 1213.473514] ? __mutex_unlock_slowpath+0xdc/0x690
+[ 1213.473514] ? wait_for_completion+0x370/0x370
+[ 1213.473514] ? vfs_write+0x204/0x4a0
+[ 1213.473514] ? do_syscall_64+0x18/0x450
+[ 1213.473514] do_syscall_64+0x9f/0x450
+[ 1213.473514] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 1213.473514] RIP: 0033:0x462e99
+[ 1213.473514] Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+[ 1213.473514] RSP: 002b:00007fa66fa00c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 1213.473514] RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+[ 1213.473514] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
+[ 1213.473514] RBP: 00007fa66fa00c70 R08: 0000000000000000 R09: 0000000000000000
+[ 1213.473514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa66fa016bc
+[ 1213.473514] R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+If usb_register failed, no need to call led_trigger_register_simple.
+
+Reported-by: Hulk Robot
+Fixes: 1264b951463a ("at76c50x-usb: add driver")
+Signed-off-by: YueHaibing
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/atmel/at76c50x-usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -2585,8 +2585,8 @@ static int __init at76_mod_init(void)
+ if (result < 0)
+ printk(KERN_ERR DRIVER_NAME
+ ": usb_register failed (status %d)\n", result);
+-
+- led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
++ else
++ led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
+ return result;
+ }
+
diff --git a/queue-4.19/batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch b/queue-4.19/batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
new file mode 100644
index 00000000000..966ee18879d
--- /dev/null
+++ b/queue-4.19/batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
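Review bot: The new `else` arm in at76_mod_init() hangs off an `if` whose body is a `printk()` spread over two lines, with neither arm braced; that is valid C, but it is the shape the kernel coding style asks to brace, and it silently breaks the moment someone adds a second statement to either arm. I would brace both arms: `if (result < 0) {` … `} else {` … `}` around the existing statements. at76_mod_init() starts before the hunk, so the `usb_register()` call that sets `result` is not visible here; the unchanged `return result;` still propagates the failure either way.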
@@ -0,0 +1,111 @@
+From a3c7cd0cdf1107f891aff847ad481e34df727055 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?=
+Date: Wed, 24 Apr 2019 03:19:14 +0200
+Subject: batman-adv: mcast: fix multicast tt/tvlv worker locking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+commit a3c7cd0cdf1107f891aff847ad481e34df727055 upstream.
+
+Syzbot has reported some issues with the locking assumptions made for
+the multicast tt/tvlv worker: It was able to trigger the WARN_ON() in
+batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add().
+While hard/not reproduceable for us so far it seems that the
+delayed_work_pending() we use might not be quite safe from reordering.
+
+Therefore this patch adds an explicit, new spinlock to protect the
+update of the mla_list and flags in bat_priv and then removes the
+WARN_ON(delayed_work_pending()).
+
+Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com
+Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com
+Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com
+Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com
+Fixes: cbebd363b2e9 ("batman-adv: Use own timer for multicast TT and TVLV updates")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/main.c | 1 +
+ net/batman-adv/multicast.c | 11 +++--------
+ net/batman-adv/types.h | 5 +++++
+ 3 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/net/batman-adv/main.c
++++ b/net/batman-adv/main.c
+@@ -160,6 +160,7 @@ int batadv_mesh_init(struct net_device *
+ spin_lock_init(&bat_priv->tt.commit_lock);
+ spin_lock_init(&bat_priv->gw.list_lock);
+ #ifdef CONFIG_BATMAN_ADV_MCAST
++ spin_lock_init(&bat_priv->mcast.mla_lock);
+ spin_lock_init(&bat_priv->mcast.want_lists_lock);
+ #endif
+ spin_lock_init(&bat_priv->tvlv.container_list_lock);
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -325,8 +325,6 @@ static void batadv_mcast_mla_list_free(s
+ * translation table except the ones listed in the given mcast_list.
+ *
+ * If mcast_list is NULL then all are retracted.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+ */
+ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
+ struct hlist_head *mcast_list)
+@@ -334,8 +332,6 @@ static void batadv_mcast_mla_tt_retract(
+ struct batadv_hw_addr *mcast_entry;
+ struct hlist_node *tmp;
+
+- WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+ hlist_for_each_entry_safe(mcast_entry, tmp, &bat_priv->mcast.mla_list,
+ list) {
+ if (mcast_list &&
+@@ -359,8 +355,6 @@ static void batadv_mcast_mla_tt_retract(
+ *
+ * Adds multicast listener announcements from the given mcast_list to the
+ * translation table if they have not been added yet.
+- *
+- * Do not call outside of the mcast worker! (or cancel mcast worker first)
+ */
+ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv,
+ struct hlist_head *mcast_list)
+@@ -368,8 +362,6 @@ static void batadv_mcast_mla_tt_add(stru
+ struct batadv_hw_addr *mcast_entry;
+ struct hlist_node *tmp;
+
+- WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
+-
+ if (!mcast_list)
+ return;
+
+@@ -658,7 +650,10 @@ static void batadv_mcast_mla_update(stru
+ priv_mcast = container_of(delayed_work, struct batadv_priv_mcast, work);
+ bat_priv = container_of(priv_mcast, struct batadv_priv, mcast);
+
++ spin_lock(&bat_priv->mcast.mla_lock);
+ __batadv_mcast_mla_update(bat_priv);
++ spin_unlock(&bat_priv->mcast.mla_lock);
++
+ batadv_mcast_start_timer(bat_priv);
+ }
+
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1216,6 +1216,11 @@ struct batadv_priv_mcast {
+ unsigned char bridged:1;
+
+ /**
++ * @mla_lock: a lock protecting mla_list and mla_flags
++ */
++ spinlock_t mla_lock;
++
++ /**
+ * @num_want_all_unsnoopables: number of nodes wanting unsnoopable IP
+ * traffic
+ */
diff --git a/queue-4.19/bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch b/queue-4.19/bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
new file mode 100644
index 00000000000..9c3108d8711
--- /dev/null
+++ b/queue-4.19/bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
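Review bot: The kernel-doc of batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add() loses both the "Do not call outside of the mcast worker!" line and the WARN_ON() self-check, but gains no statement of the replacement rule, so the only reader-visible contract left is the `@mla_lock` field comment in types.h. I would put `* Caller must hold bat_priv->mcast.mla_lock.` where the removed line was, in both kernel-doc blocks, so the requirement is documented at the functions that walk mla_list. Only the batadv_mcast_mla_update() worker takes the new lock in this patch; any other path that touches mla_list (teardown, for instance) lies outside these hunks, and whether it also serializes against the worker is worth confirming before the backport is queued.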
@@ -0,0 +1,123 @@
+From 2baae3545327632167c0180e9ca1d467416f1919 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 13 May 2019 09:59:16 -0700
+Subject: bpf: devmap: fix use-after-free Read in __dev_map_entry_free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet
+
+commit 2baae3545327632167c0180e9ca1d467416f1919 upstream.
+
+synchronize_rcu() is fine when the rcu callbacks only need
+to free memory (kfree_rcu() or direct kfree() call rcu call backs)
+
+__dev_map_entry_free() is a bit more complex, so we need to make
+sure that call queued __dev_map_entry_free() callbacks have completed.
+
+sysbot report:
+
+BUG: KASAN: use-after-free in dev_map_flush_old kernel/bpf/devmap.c:365
+[inline]
+BUG: KASAN: use-after-free in __dev_map_entry_free+0x2a8/0x300
+kernel/bpf/devmap.c:379
+Read of size 8 at addr ffff8801b8da38c8 by task ksoftirqd/1/18
+
+CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.17.0+ #39
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
+ dev_map_flush_old kernel/bpf/devmap.c:365 [inline]
+ __dev_map_entry_free+0x2a8/0x300 kernel/bpf/devmap.c:379
+ __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2558 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline]
+ __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline]
+ rcu_process_callbacks+0xe9d/0x1760 kernel/rcu/tree.c:2802
+ __do_softirq+0x2e0/0xaf5 kernel/softirq.c:284
+ run_ksoftirqd+0x86/0x100 kernel/softirq.c:645
+ smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
+ kthread+0x345/0x410 kernel/kthread.c:240
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+Allocated by task 6675:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
+ kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
+ kmalloc include/linux/slab.h:513 [inline]
+ kzalloc include/linux/slab.h:706 [inline]
+ dev_map_alloc+0x208/0x7f0 kernel/bpf/devmap.c:102
+ find_and_alloc_map kernel/bpf/syscall.c:129 [inline]
+ map_create+0x393/0x1010 kernel/bpf/syscall.c:453
+ __do_sys_bpf kernel/bpf/syscall.c:2351 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:2328 [inline]
+ __x64_sys_bpf+0x303/0x510 kernel/bpf/syscall.c:2328
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 26:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kfree+0xd9/0x260 mm/slab.c:3813
+ dev_map_free+0x4fa/0x670 kernel/bpf/devmap.c:191
+ bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:262
+ process_one_work+0xc64/0x1b70 kernel/workqueue.c:2153
+ worker_thread+0x181/0x13a0 kernel/workqueue.c:2296
+ kthread+0x345/0x410 kernel/kthread.c:240
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+The buggy address belongs to the object at ffff8801b8da37c0
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 264 bytes inside of
+ 512-byte region [ffff8801b8da37c0, ffff8801b8da39c0)
+The buggy address belongs to the page:
+page:ffffea0006e368c0 count:1 mapcount:0 mapping:ffff8801da800940
+index:0xffff8801b8da3540
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffffea0007217b88 ffffea0006e30cc8 ffff8801da800940
+raw: ffff8801b8da3540 ffff8801b8da3040 0000000100000004 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801b8da3780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8801b8da3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+> ffff8801b8da3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8801b8da3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8801b8da3980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot+457d3e2ffbcf31aee5c0@syzkaller.appspotmail.com
+Acked-by: Toke Høiland-Jørgensen
+Acked-by: Jesper Dangaard Brouer
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/bpf/devmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -164,6 +164,9 @@ static void dev_map_free(struct bpf_map
+ bpf_clear_redirect_map(map);
+ synchronize_rcu();
+
++ /* Make sure prior __dev_map_entry_free() have completed. */
++ rcu_barrier();
++
+ /* To ensure all pending flush operations have completed wait for flush
+ * bitmap to indicate all flush_needed bits to be zero on _all_ cpus.
+ * Because the above synchronize_rcu() ensures the map is disconnected
diff --git a/queue-4.19/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch b/queue-4.19/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
new file mode 100644
index 00000000000..b7f5e919f6a
--- /dev/null
+++ b/queue-4.19/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
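Review bot: The new comment `/* Make sure prior __dev_map_entry_free() have completed. */` does not say why the `synchronize_rcu()` directly above it is not enough, and the pre-existing comment just below still credits synchronize_rcu() alone with disconnecting the map, so a reader sees two grace-period waits in a row and no reason for the second. I would let the comment carry the changelog's reasoning: `/* synchronize_rcu() only waits out readers; __dev_map_entry_free() callbacks already queued still touch the map, so wait for them too. */`. dev_map_free() continues past the hunk; the flush-bitmap wait that follows is unchanged here.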
@@ -0,0 +1,51 @@
+From 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f Mon Sep 17 00:00:00 2001
+From: Jiufei Xue
+Date: Thu, 11 Apr 2019 19:25:12 +0200
+Subject: fbdev: fix WARNING in __alloc_pages_nodemask bug
+
+From: Jiufei Xue
+
+commit 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f upstream.
+
+Syzkaller hit 'WARNING in __alloc_pages_nodemask' bug.
+
+WARNING: CPU: 1 PID: 1473 at mm/page_alloc.c:4377
+__alloc_pages_nodemask+0x4da/0x2130
+Kernel panic - not syncing: panic_on_warn set ...
+
+Call Trace:
+ alloc_pages_current+0xb1/0x1e0
+ kmalloc_order+0x1f/0x60
+ kmalloc_order_trace+0x1d/0x120
+ fb_alloc_cmap_gfp+0x85/0x2b0
+ fb_set_user_cmap+0xff/0x370
+ do_fb_ioctl+0x949/0xa20
+ fb_ioctl+0xdd/0x120
+ do_vfs_ioctl+0x186/0x1070
+ ksys_ioctl+0x89/0xa0
+ __x64_sys_ioctl+0x74/0xb0
+ do_syscall_64+0xc8/0x550
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is a warning about order >= MAX_ORDER and the order is from
+userspace ioctl. Add flag __NOWARN to silence this warning.
+
+Signed-off-by: Jiufei Xue
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/core/fbcmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -94,6 +94,8 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cm
+ int size = len * sizeof(u16);
+ int ret = -ENOMEM;
+
++ flags |= __GFP_NOWARN;
++
+ if (cmap->len != len) {
+ fb_dealloc_cmap(cmap);
+ if (!len)
diff --git a/queue-4.19/media-cpia2-fix-use-after-free-in-cpia2_exit.patch b/queue-4.19/media-cpia2-fix-use-after-free-in-cpia2_exit.patch
new file mode 100644
index 00000000000..1ba330f9af0
--- /dev/null
+++ b/queue-4.19/media-cpia2-fix-use-after-free-in-cpia2_exit.patch
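Review bot: `flags |= __GFP_NOWARN;` only silences the allocator's warning; the hunk's context line `int size = len * sizeof(u16);` still feeds a caller-supplied `len` (arriving from the fb ioctl path in the report's trace) into the allocation with no bound visible here, and for a large `len` the product is computed in `size_t` and then truncated into `int` before it is used. Unless the caller already bounds `len` — fb_alloc_cmap_gfp() begins before the hunk and its callers are not shown — an explicit upper limit on `len`, or a `size_t` computation with an overflow check that returns `-EINVAL`, would reject the oversized request instead of hiding its symptom. At minimum the new line deserves a why-comment so the flag is not later "cleaned up": `/* len is user-controlled; an absurd request just fails, don't WARN. */`.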
@@ -0,0 +1,124 @@
+From dea37a97265588da604c6ba80160a287b72c7bfd Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Wed, 6 Mar 2019 07:45:08 -0500
+Subject: media: cpia2: Fix use-after-free in cpia2_exit
+
+From: YueHaibing
+
+commit dea37a97265588da604c6ba80160a287b72c7bfd upstream.
+
+Syzkaller report this:
+
+BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363
+
+CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
+ usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
+ cpia2_exit+0xa/0x16 [cpia2]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc
+R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
+
+Allocated by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
+ driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
+ usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
+ slab_free_hook mm/slub.c:1430 [inline]
+ slab_free_freelist_hook mm/slub.c:1457 [inline]
+ slab_free mm/slub.c:3005 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3957
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881f59a6b40
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 48 bytes inside of
+ 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)
+The buggy address belongs to the page:
+page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
+flags: 0x2fffc0000000200(slab)
+raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
+>ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ^
+ ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+cpia2_init does not check return value of cpia2_init, if it failed
+in usb_register_driver, there is already cleanup using driver_unregister.
+No need call cpia2_usb_cleanup on module exit.
+
+Reported-by: Hulk Robot
+Signed-off-by: YueHaibing
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/cpia2/cpia2_v4l.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_v4l.c
++++ b/drivers/media/usb/cpia2/cpia2_v4l.c
+@@ -1244,8 +1244,7 @@ static int __init cpia2_init(void)
+ LOG("%s v%s\n",
+ ABOUT, CPIA_VERSION);
+ check_parameters();
+- cpia2_usb_init();
+- return 0;
++ return cpia2_usb_init();
+ }
+
+
diff --git a/queue-4.19/media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch b/queue-4.19/media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch
new file mode 100644
index 00000000000..82546a653cf
--- /dev/null
+++ b/queue-4.19/media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch
@@ -0,0 +1,140 @@
+From 56cd26b618855c9af48c8301aa6754ced8dd0beb Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Tue, 5 Mar 2019 00:40:26 -0500
+Subject: media: serial_ir: Fix use-after-free in serial_ir_init_module
+
+From: YueHaibing
+
+commit 56cd26b618855c9af48c8301aa6754ced8dd0beb upstream.
+
+Syzkaller report this:
+
+BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+Read of size 8 at addr ffff8881dc7ae030 by task syz-executor.0/6249
+
+CPU: 1 PID: 6249 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ ? 0xffffffffc1728000
+ sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ remove_bind_files drivers/base/bus.c:585 [inline]
+ bus_remove_driver+0x186/0x220 drivers/base/bus.c:725
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ serial_ir_init_module+0x169/0x1000 [serial_ir]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f9450132c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00007f9450132c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94501336bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+Allocated by task 6249:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
+ driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
+ serial_ir_init_module+0xe8/0x1000 [serial_ir]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 6249:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
+ slab_free_hook mm/slub.c:1430 [inline]
+ slab_free_freelist_hook mm/slub.c:1457 [inline]
+ slab_free mm/slub.c:3005 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3957
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ serial_ir_init_module+0x14c/0x1000 [serial_ir]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881dc7ae000
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 48 bytes inside of
+ 256-byte region [ffff8881dc7ae000, ffff8881dc7ae100)
+The buggy address belongs to the page:
+page:ffffea000771eb80 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
+flags: 0x2fffc0000000200(slab)
+raw: 02fffc0000000200 ffffea0007d14800 0000000400000002 ffff8881f6c02e00
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881dc7adf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881dc7adf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8881dc7ae000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8881dc7ae080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8881dc7ae100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+
+There are already cleanup handlings in serial_ir_init error path,
+no need to call serial_ir_exit do it again in serial_ir_init_module,
+otherwise will trigger a use-after-free issue.
+
+Fixes: fa5dc29c1fcc ("[media] lirc_serial: move out of staging and rename to serial_ir")
+
+Reported-by: Hulk Robot
+Signed-off-by: YueHaibing
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/rc/serial_ir.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/media/rc/serial_ir.c
++++ b/drivers/media/rc/serial_ir.c
+@@ -773,8 +773,6 @@ static void serial_ir_exit(void)
+
+ static int __init serial_ir_init_module(void)
+ {
+- int result;
+-
+ switch (type) {
+ case IR_HOMEBREW:
+ case IR_IRDEO:
+@@ -802,12 +800,7 @@ static int __init serial_ir_init_module(
+ if (sense != -1)
+ sense = !!sense;
+
+- result = serial_ir_init();
+- if (!result)
+- return 0;
+-
+- serial_ir_exit();
+- return result;
++ return serial_ir_init();
+ }
+
+ static void __exit serial_ir_exit_module(void)
diff --git a/queue-4.19/media-vb2-add-waiting_in_dqbuf-flag.patch b/queue-4.19/media-vb2-add-waiting_in_dqbuf-flag.patch
new file mode 100644
index 00000000000..0b898ed7324
--- /dev/null
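Review bot: `return serial_ir_init();` is only correct because serial_ir_init() unwinds its own partial registration when it fails, and nothing at this call site records that, so the deleted `serial_ir_exit()` fallback will look like an accidental omission to the next reader who lacks this changelog. I would add a comment above the new line: `/* serial_ir_init() cleans up after itself on failure; calling serial_ir_exit() here would unregister the driver a second time. */`. serial_ir_init_module() spans the two hunks (its switch body is elided between them), and serial_ir_exit() is presumably still used by serial_ir_exit_module(), whose signature is the last line of the hunk.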
+++ b/queue-4.19/media-vb2-add-waiting_in_dqbuf-flag.patch 
@@ -0,0 +1,113 @@
+From d65842f7126aa1a87fb44b7c9980c12630ed4f33 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Mon, 19 Nov 2018 06:09:00 -0500
+Subject: media: vb2: add waiting_in_dqbuf flag
+
+From: Hans Verkuil
+
+commit d65842f7126aa1a87fb44b7c9980c12630ed4f33 upstream.
+
+Calling VIDIOC_DQBUF can release the core serialization lock pointed to
+by vb2_queue->lock if it has to wait for a new buffer to arrive.
+
+However, if userspace dup()ped the video device filehandle, then it is
+possible to read or call DQBUF from two filehandles at the same time.
+
+It is also possible to call REQBUFS from one filehandle while the other
+is waiting for a buffer. This will remove all the buffers and reallocate
+new ones. Removing all the buffers isn't the problem here (that's already
+handled correctly by DQBUF), but the reallocating part is: DQBUF isn't
+aware that the buffers have changed.
+
+This is fixed by setting a flag whenever the lock is released while waiting
+for a buffer to arrive. And checking the flag where needed so we can return
+-EBUSY.
+
+Signed-off-by: Hans Verkuil
+Reported-by: Syzbot
+Reviewed-by: Tomasz Figa
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/common/videobuf2/videobuf2-core.c | 22 ++++++++++++++++++++++
+ include/media/videobuf2-core.h | 1 +
+ 2 files changed, 23 insertions(+)
+
+--- a/drivers/media/common/videobuf2/videobuf2-core.c
++++ b/drivers/media/common/videobuf2/videobuf2-core.c
+@@ -668,6 +668,11 @@ int vb2_core_reqbufs(struct vb2_queue *q
+ return -EBUSY;
+ }
+
++ if (q->waiting_in_dqbuf && *count) {
++ dprintk(1, "another dup()ped fd is waiting for a buffer\n");
++ return -EBUSY;
++ }
++
+ if (*count == 0 || q->num_buffers != 0 ||
+ (q->memory != VB2_MEMORY_UNKNOWN && q->memory != memory)) {
+ /*
+@@ -797,6 +802,10 @@ int vb2_core_create_bufs(struct vb2_queu
+ }
+
+ if (!q->num_buffers) {
++ if (q->waiting_in_dqbuf && *count) {
++ dprintk(1, "another dup()ped fd is waiting for a buffer\n");
++ return -EBUSY;
++ }
+ memset(q->alloc_devs, 0, sizeof(q->alloc_devs));
+ q->memory = memory;
+ q->waiting_for_buffers = !q->is_output;
+@@ -1466,6 +1475,11 @@ static int __vb2_wait_for_done_vb(struct
+ for (;;) {
+ int ret;
+
++ if (q->waiting_in_dqbuf) {
++ dprintk(1, "another dup()ped fd is waiting for a buffer\n");
++ return -EBUSY;
++ }
++
+ if (!q->streaming) {
+ dprintk(1, "streaming off, will not wait for buffers\n");
+ return -EINVAL;
+@@ -1493,6 +1507,7 @@ static int __vb2_wait_for_done_vb(struct
+ return -EAGAIN;
+ }
+
++ q->waiting_in_dqbuf = 1;
+ /*
+ * We are streaming and blocking, wait for another buffer to
+ * become ready or for streamoff. Driver's lock is released to
+@@ -1513,6 +1528,7 @@ static int __vb2_wait_for_done_vb(struct
+ * the locks or return an error if one occurred.
+ */
+ call_void_qop(q, wait_finish, q);
++ q->waiting_in_dqbuf = 0;
+ if (ret) {
+ dprintk(1, "sleep was interrupted\n");
+ return ret;
+@@ -2361,6 +2377,12 @@ static size_t __vb2_perform_fileio(struc
+ if (!data)
+ return -EINVAL;
+
++ if (q->waiting_in_dqbuf) {
++ dprintk(3, "another dup()ped fd is %s\n",
++ read ? "reading" : "writing");
++ return -EBUSY;
++ }
++
+ /*
+ * Initialize emulator on first call.
+ */
+--- a/include/media/videobuf2-core.h
++++ b/include/media/videobuf2-core.h
+@@ -551,6 +551,7 @@ struct vb2_queue {
+ unsigned int start_streaming_called:1;
+ unsigned int error:1;
+ unsigned int waiting_for_buffers:1;
++ unsigned int waiting_in_dqbuf:1;
+ unsigned int is_multiplanar:1;
+ unsigned int is_output:1;
+ unsigned int copy_timestamp:1;
diff --git a/queue-4.19/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch b/queue-4.19/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
new file mode 100644
index 00000000000..1c281af5920
--- /dev/null
+++ b/queue-4.19/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
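Review bot: The new `unsigned int waiting_in_dqbuf:1;` bit in include/media/videobuf2-core.h is undocumented, while the bits around it belong to a struct whose fields are, if this header follows its upstream form, described in a kernel-doc block above the definition (outside this hunk); that block should gain `@waiting_in_dqbuf: set while a DQBUF has dropped @lock to wait for a buffer; REQBUFS, CREATE_BUFS, a second DQBUF and the read/write emulator return -EBUSY while it is set`. The field is plain, non-atomic state: it is set at `q->waiting_in_dqbuf = 1;` just before the driver's lock is released and cleared right after `call_void_qop(q, wait_finish, q)` re-takes it, and the readers in vb2_core_reqbufs, vb2_core_create_bufs and __vb2_perform_fileio are presumably entered with that same lock held, so the comment should also state that the bit is only touched under @lock; the wait between set and clear lies outside the hunk. The __vb2_perform_fileio rejection logs at `dprintk(3, ...)` while the three sibling -EBUSY checks log at level 1, so unless the lower priority is intended, using level 1 there as well lets a single debug setting show all four refusals.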
@@ -0,0 +1,37 @@
+From dad7e270ba712ba1c99cd2d91018af6044447a06 Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko
+Date: Thu, 4 Apr 2019 10:56:46 -0400
+Subject: media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
+
+From: Alexander Potapenko
+
+commit dad7e270ba712ba1c99cd2d91018af6044447a06 upstream.
+
+syzkaller reported crashes on kfree() called from
+vivid_vid_cap_s_selection(). This looks like a simple typo, as
+dev->bitmap_cap is allocated with vzalloc() throughout the file.
+
+Fixes: ef834f7836ec0 ("[media] vivid: add the video capture and output
+parts")
+
+Signed-off-by: Alexander Potapenko
+Reported-by: Syzbot
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -992,7 +992,7 @@ int vivid_vid_cap_s_selection(struct fil
+ v4l2_rect_map_inside(&s->r, &dev->fmt_cap_rect);
+ if (dev->bitmap_cap && (compose->width != s->r.width ||
+ compose->height != s->r.height)) {
+- kfree(dev->bitmap_cap);
++ vfree(dev->bitmap_cap);
+ dev->bitmap_cap = NULL;
+ }
+ *compose = s->r;
diff --git a/queue-4.19/ovl-relax-warn_on-for-overlapping-layers-use-case.patch b/queue-4.19/ovl-relax-warn_on-for-overlapping-layers-use-case.patch
new file mode 100644
index 00000000000..24792bdaba8
--- /dev/null
+++ b/queue-4.19/ovl-relax-warn_on-for-overlapping-layers-use-case.patch
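Review bot: The fix changes the single `kfree(dev->bitmap_cap)` in vivid_vid_cap_s_selection, but the commit text says dev->bitmap_cap is vzalloc()ed throughout vivid-vid-cap.c, so every other place that releases that pointer has to use vfree() as well, and those sites are outside this hunk. Checking the remaining releases of `bitmap_cap` in the file before merging would confirm the fix is complete, and a comment at the allocation, `/* vzalloc()ed: always release with vfree() */`, would make the next mismatch visible at review time.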
@@ -0,0 +1,85 @@
+From acf3062a7e1ccf67c6f7e7c28671a6708fde63b0 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein
+Date: Thu, 28 Mar 2019 17:38:29 +0200
+Subject: ovl: relax WARN_ON() for overlapping layers use case
+
+From: Amir Goldstein
+
+commit acf3062a7e1ccf67c6f7e7c28671a6708fde63b0 upstream.
+
+This nasty little syzbot repro:
+https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000
+
+Creates overlay mounts where the same directory is both in upper and lower
+layers. Simplified example:
+
+ mkdir foo work
+ mount -t overlay none foo -o"lowerdir=.,upperdir=foo,workdir=work"
+
+The repro runs several threads in parallel that attempt to chdir into foo
+and attempt to symlink/rename/exec/mkdir the file bar.
+
+The repro hits a WARN_ON() I placed in ovl_instantiate(), which suggests
+that an overlay inode already exists in cache and is hashed by the pointer
+of the real upper dentry that ovl_create_real() has just created. At the
+point of the WARN_ON(), for overlay dir inode lock is held and upper dir
+inode lock, so at first, I did not see how this was possible.
+
+On a closer look, I see that after ovl_create_real(), because of the
+overlapping upper and lower layers, a lookup by another thread can find the
+file foo/bar that was just created in upper layer, at overlay path
+foo/foo/bar and hash the an overlay inode with the new real dentry as lower
+dentry. This is possible because the overlay directory foo/foo is not
+locked and the upper dentry foo/bar is in dcache, so ovl_lookup() can find
+it without taking upper dir inode shared lock.
+
+Overlapping layers is considered a wrong setup which would result in
+unexpected behavior, but it shouldn't crash the kernel and it shouldn't
+trigger WARN_ON() either, so relax this WARN_ON() and leave a pr_warn()
+instead to cover all cases of failure to get an overlay inode.
+
+The error returned from failure to insert new inode to cache with
+inode_insert5() was changed to -EEXIST, to distinguish from the error
+-ENOMEM returned on failure to get/allocate inode with iget5_locked().
+
+Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com
+Fixes: 01b39dcc9568 ("ovl: use inode_insert5() to hash a newly...")
+Signed-off-by: Amir Goldstein
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/dir.c | 2 +-
+ fs/overlayfs/inode.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -260,7 +260,7 @@ static int ovl_instantiate(struct dentry
+ * hashed directory inode aliases.
+ */
+ inode = ovl_get_inode(dentry->d_sb, &oip);
+- if (WARN_ON(IS_ERR(inode)))
++ if (IS_ERR(inode))
+ return PTR_ERR(inode);
+ } else {
+ WARN_ON(ovl_inode_real(inode) != d_inode(newdentry));
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -832,7 +832,7 @@ struct inode *ovl_get_inode(struct super
+ int fsid = bylower ? oip->lowerpath->layer->fsid : 0;
+ bool is_dir, metacopy = false;
+ unsigned long ino = 0;
+- int err = -ENOMEM;
++ int err = oip->newinode ? -EEXIST : -ENOMEM;
+
+ if (!realinode)
+ realinode = d_inode(lowerdentry);
+@@ -917,6 +917,7 @@ out:
+ return inode;
+
+ out_err:
++ pr_warn_ratelimited("overlayfs: failed to get inode (%i)\n", err);
+ inode = ERR_PTR(err);
+ goto out;
+ }
diff --git a/queue-4.19/series b/queue-4.19/series
index 7e7a9bea5e3..9f889aa3965 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
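Review bot: `int err = oip->newinode ? -EEXIST : -ENOMEM;` in ovl_get_inode ties the error code to a property of the input rather than to the failure that actually occurred, so any `goto out_err` taken later with `oip->newinode` set that does not assign `err` itself now reports -EEXIST even when the cause was something else; whether such a path exists cannot be seen here, as the function body between the two inode.c hunks is outside the diff. Assigning `err = -EEXIST;` at the inode_insert5() failure branch and keeping the plain -ENOMEM default would make each code self-explaining and survive later edits to the function. The new `pr_warn_ratelimited("overlayfs: failed to get inode (%i)\n", err);` at out_err fires for every failure, not only the overlapping-layers race the commit describes; a comment above it, `/* overlapping layers can race a concurrent lookup here; warn, do not WARN_ON() */`, would tell the next reader why ovl_instantiate no longer treats this as a kernel bug.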
@@ -29,3 +29,14 @@ brcmfmac-assure-ssid-length-from-firmware-is-limited.patch
 brcmfmac-add-subtype-check-for-event-handling-in-data-path.patch
 arm64-errata-add-workaround-for-cortex-a76-erratum-1463225.patch
 btrfs-honor-path-skip_locking-in-backref-code.patch
+ovl-relax-warn_on-for-overlapping-layers-use-case.patch
+fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch
+media-cpia2-fix-use-after-free-in-cpia2_exit.patch
+media-serial_ir-fix-use-after-free-in-serial_ir_init_module.patch
+media-vb2-add-waiting_in_dqbuf-flag.patch
+media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch
+ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
+bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
+batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
+at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
+acct_on-don-t-mess-with-freeze-protection.patch
diff --git a/queue-4.19/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch b/queue-4.19/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
new file mode 100644
index 00000000000..d90828f4ac7
--- /dev/null
+++ b/queue-4.19/ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
@@ -0,0 +1,94 @@
+From b2c01aab9646ed8ffb7c549afe55d5349c482425 Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Wed, 6 Mar 2019 19:56:58 +0800
+Subject: ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
+
+From: YueHaibing
+
+commit b2c01aab9646ed8ffb7c549afe55d5349c482425 upstream.
+
+Syzkaller report this:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+CPU: 0 PID: 4492 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:sysfs_remove_file_ns+0x27/0x70 fs/sysfs/file.c:468
+Code: 00 00 00 41 54 55 48 89 fd 53 49 89 d4 48 89 f3 e8 ee 76 9c ff 48 8d 7d 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 2d 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 8b 6d
+RSP: 0018:ffff8881e9d9fc00 EFLAGS: 00010206
+RAX: dffffc0000000000 RBX: ffffffff900367e0 RCX: ffffffff81a95952
+RDX: 0000000000000006 RSI: ffffc90001405000 RDI: 0000000000000030
+RBP: 0000000000000000 R08: fffffbfff1fa22ed R09: fffffbfff1fa22ed
+R10: 0000000000000001 R11: fffffbfff1fa22ec R12: 0000000000000000
+R13: ffffffffc1abdac0 R14: 1ffff1103d3b3f8b R15: 0000000000000000
+FS: 00007fe409dc1700(0000) GS:ffff8881f1200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b2d721000 CR3: 00000001e98b6005 CR4: 00000000007606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ pcmcia_remove_newid_file drivers/pcmcia/ds.c:163 [inline]
+ pcmcia_unregister_driver+0x7d/0x2b0 drivers/pcmcia/ds.c:209
+ ssb_modexit+0xa/0x1b [ssb]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe409dc0c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe409dc16bc
+R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
+Modules linked in: ssb(-) 3c59x nvme_core macvlan tap pata_hpt3x3 rt2x00pci null_blk tsc40 pm_notifier_error_inject notifier_error_inject mdio cdc_wdm nf_reject_ipv4 ath9k_common ath9k_hw ath pppox ppp_generic slhc ehci_platform wl12xx wlcore tps6507x_ts ioc4 nf_synproxy_core ide_gd_mod ax25 can_dev iwlwifi can_raw atm tm2_touchkey can_gw can sundance adp5588_keys rt2800mmio rt2800lib rt2x00mmio rt2x00lib eeprom_93cx6 pn533 lru_cache elants_i2c ip_set nfnetlink gameport tipc hampshire nhc_ipv6 nhc_hop nhc_udp nhc_fragment nhc_routing nhc_mobility nhc_dest 6lowpan silead brcmutil nfc mt76_usb mt76 mac80211 iptable_security iptable_raw iptable_mangle iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_gre sit hsr veth vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon vcan bridge stp llc ip6_gre ip6_tunnel tunnel6 tun joydev mousedev serio_raw ide_pci_generic piix floppy ide_core sch_fq_codel ip_tables x_tables ipv6
+ [last unloaded: 3c59x]
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+---[ end trace 3913cbf8011e1c05 ]---
+
+In ssb_modinit, it does not fail SSB init when ssb_host_pcmcia_init failed,
+however in ssb_modexit, ssb_host_pcmcia_exit calls pcmcia_unregister_driver
+unconditionally, which may tigger a NULL pointer dereference issue as above.
+
+Reported-by: Hulk Robot
+Fixes: 399500da18f7 ("ssb: pick PCMCIA host code support from b43 driver")
+Signed-off-by: YueHaibing
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ssb/bridge_pcmcia_80211.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/ssb/bridge_pcmcia_80211.c
++++ b/drivers/ssb/bridge_pcmcia_80211.c
+@@ -113,16 +113,21 @@ static struct pcmcia_driver ssb_host_pcm
+ .resume = ssb_host_pcmcia_resume,
+ };
+
++static int pcmcia_init_failed;
++
+ /*
+ * These are not module init/exit functions!
+ * The module_pcmcia_driver() helper cannot be used here.
+ */
+ int ssb_host_pcmcia_init(void)
+ {
+- return pcmcia_register_driver(&ssb_host_pcmcia_driver);
++ pcmcia_init_failed = pcmcia_register_driver(&ssb_host_pcmcia_driver);
++
++ return pcmcia_init_failed;
+ }
+
+ void ssb_host_pcmcia_exit(void)
+ {
+- pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
++ if (!pcmcia_init_failed)
++ pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
+ }
-- 2.39.5
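Review bot: `static int pcmcia_init_failed;` holds the raw return value of pcmcia_register_driver() but is named and tested as a boolean (`if (!pcmcia_init_failed)`), and because a file-scope int is zero before ssb_host_pcmcia_init() has ever run, an ssb_host_pcmcia_exit() reached without a preceding init would still call pcmcia_unregister_driver(); whether ssb_modinit/ssb_modexit can produce that ordering is not visible in this hunk. Tracking success instead of failure removes both ambiguities: `static bool pcmcia_registered;`, set with `pcmcia_registered = !ret;` after a local `int ret = pcmcia_register_driver(&ssb_host_pcmcia_driver);`, and `if (pcmcia_registered)` in the exit path. If the int is kept, a comment on the declaration, `/* errno from pcmcia_register_driver(); nonzero means exit must not unregister */`, states the contract the exit path relies on.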