From a4d27b3d3aacee02abbf8c0cb4f9d8064db44c49 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 1 Oct 2021 10:16:20 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...l-destroy-mutex-before-kobject_put-f.patch | 70 ++++++++++ ...l-use-kobject-release-method-to-free.patch | 131 ++++++++++++++++++ queue-4.19/series | 3 + ...of-bound-vmalloc-access-in-imageblit.patch | 71 ++++++++++ 4 files changed, 275 insertions(+) create mode 100644 queue-4.19/cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch create mode 100644 queue-4.19/cpufreq-schedutil-use-kobject-release-method-to-free.patch create mode 100644 queue-4.19/tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch diff --git a/queue-4.19/cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch b/queue-4.19/cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch new file mode 100644 index 00000000000..3cae9413f92 --- /dev/null +++ b/queue-4.19/cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch @@ -0,0 +1,70 @@ +From d5b5b4f5458f21a1be12209c9392f7d7bfd7be3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 16:56:23 +0000 +Subject: cpufreq: schedutil: Destroy mutex before kobject_put() frees the + memory + +From: James Morse + +[ Upstream commit cdef1196608892b9a46caa5f2b64095a7f0be60c ] + +Since commit e5c6b312ce3c ("cpufreq: schedutil: Use kobject release() +method to free sugov_tunables") kobject_put() has kfree()d the +attr_set before gov_attr_set_put() returns. + +kobject_put() isn't the last user of attr_set in gov_attr_set_put(), +the subsequent mutex_destroy() triggers a use-after-free: +| BUG: KASAN: use-after-free in mutex_is_locked+0x20/0x60 +| Read of size 8 at addr ffff000800ca4250 by task cpuhp/2/20 +| +| CPU: 2 PID: 20 Comm: cpuhp/2 Not tainted 5.15.0-rc1 #12369 +| Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development +| Platform, BIOS EDK II Jul 30 2018 +| Call trace: +| dump_backtrace+0x0/0x380 +| show_stack+0x1c/0x30 +| dump_stack_lvl+0x8c/0xb8 +| print_address_description.constprop.0+0x74/0x2b8 +| kasan_report+0x1f4/0x210 +| kasan_check_range+0xfc/0x1a4 +| __kasan_check_read+0x38/0x60 +| mutex_is_locked+0x20/0x60 +| mutex_destroy+0x80/0x100 +| gov_attr_set_put+0xfc/0x150 +| sugov_exit+0x78/0x190 +| cpufreq_offline.isra.0+0x2c0/0x660 +| cpuhp_cpufreq_offline+0x14/0x24 +| cpuhp_invoke_callback+0x430/0x6d0 +| cpuhp_thread_fun+0x1b0/0x624 +| smpboot_thread_fn+0x5e0/0xa6c +| kthread+0x3a0/0x450 +| ret_from_fork+0x10/0x20 + +Swap the order of the calls. + +Fixes: e5c6b312ce3c ("cpufreq: schedutil: Use kobject release() method to free sugov_tunables") +Cc: 4.7+ # 4.7+ +Signed-off-by: James Morse +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq_governor_attr_set.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/cpufreq_governor_attr_set.c b/drivers/cpufreq/cpufreq_governor_attr_set.c +index 52841f807a7e..45fdf30cade3 100644 +--- a/drivers/cpufreq/cpufreq_governor_attr_set.c ++++ b/drivers/cpufreq/cpufreq_governor_attr_set.c +@@ -77,8 +77,8 @@ unsigned int gov_attr_set_put(struct gov_attr_set *attr_set, struct list_head *l + if (count) + return count; + +- kobject_put(&attr_set->kobj); + mutex_destroy(&attr_set->update_lock); ++ kobject_put(&attr_set->kobj); + return 0; + } + EXPORT_SYMBOL_GPL(gov_attr_set_put); +-- +2.33.0 + diff --git a/queue-4.19/cpufreq-schedutil-use-kobject-release-method-to-free.patch b/queue-4.19/cpufreq-schedutil-use-kobject-release-method-to-free.patch new file mode 100644 index 00000000000..3db5f5412cf --- /dev/null +++ b/queue-4.19/cpufreq-schedutil-use-kobject-release-method-to-free.patch @@ -0,0 +1,131 @@ +From 77bbc2f4ea01d5c8a837a42af0c8ba494063e5bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Aug 2021 15:29:17 +0800 +Subject: cpufreq: schedutil: Use kobject release() method to free + sugov_tunables + +From: Kevin Hao + +[ Upstream commit e5c6b312ce3cc97e90ea159446e6bfa06645364d ] + +The struct sugov_tunables is protected by the kobject, so we can't free +it directly. Otherwise we would get a call trace like this: + ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30 + WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100 + Modules linked in: + CPU: 3 PID: 720 Comm: a.sh Tainted: G W 5.14.0-rc1-next-20210715-yocto-standard+ #507 + Hardware name: Marvell OcteonTX CN96XX board (DT) + pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--) + pc : debug_print_object+0xb8/0x100 + lr : debug_print_object+0xb8/0x100 + sp : ffff80001ecaf910 + x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80 + x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000 + x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20 + x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010 + x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365 + x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69 + x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0 + x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001 + x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000 + x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000 + Call trace: + debug_print_object+0xb8/0x100 + __debug_check_no_obj_freed+0x1c0/0x230 + debug_check_no_obj_freed+0x20/0x88 + slab_free_freelist_hook+0x154/0x1c8 + kfree+0x114/0x5d0 + sugov_exit+0xbc/0xc0 + cpufreq_exit_governor+0x44/0x90 + cpufreq_set_policy+0x268/0x4a8 + store_scaling_governor+0xe0/0x128 + store+0xc0/0xf0 + sysfs_kf_write+0x54/0x80 + kernfs_fop_write_iter+0x128/0x1c0 + new_sync_write+0xf0/0x190 + vfs_write+0x2d4/0x478 + ksys_write+0x74/0x100 + __arm64_sys_write+0x24/0x30 + invoke_syscall.constprop.0+0x54/0xe0 + do_el0_svc+0x64/0x158 + el0_svc+0x2c/0xb0 + el0t_64_sync_handler+0xb0/0xb8 + el0t_64_sync+0x198/0x19c + irq event stamp: 5518 + hardirqs last enabled at (5517): [] console_unlock+0x554/0x6c8 + hardirqs last disabled at (5518): [] el1_dbg+0x28/0xa0 + softirqs last enabled at (5504): [] __do_softirq+0x4d0/0x6c0 + softirqs last disabled at (5483): [] irq_exit+0x1b0/0x1b8 + +So split the original sugov_tunables_free() into two functions, +sugov_clear_global_tunables() is just used to clear the global_tunables +and the new sugov_tunables_free() is used as kobj_type::release to +release the sugov_tunables safely. + +Fixes: 9bdcb44e391d ("cpufreq: schedutil: New governor based on scheduler utilization data") +Cc: 4.7+ # 4.7+ +Signed-off-by: Kevin Hao +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/sched/cpufreq_schedutil.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c +index 1b7ec822dc75..60f0e0e048f0 100644 +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -591,9 +591,17 @@ static struct attribute *sugov_attributes[] = { + NULL + }; + ++static void sugov_tunables_free(struct kobject *kobj) ++{ ++ struct gov_attr_set *attr_set = container_of(kobj, struct gov_attr_set, kobj); ++ ++ kfree(to_sugov_tunables(attr_set)); ++} ++ + static struct kobj_type sugov_tunables_ktype = { + .default_attrs = sugov_attributes, + .sysfs_ops = &governor_sysfs_ops, ++ .release = &sugov_tunables_free, + }; + + /********************** cpufreq governor interface *********************/ +@@ -693,12 +701,10 @@ static struct sugov_tunables *sugov_tunables_alloc(struct sugov_policy *sg_polic + return tunables; + } + +-static void sugov_tunables_free(struct sugov_tunables *tunables) ++static void sugov_clear_global_tunables(void) + { + if (!have_governor_per_policy()) + global_tunables = NULL; +- +- kfree(tunables); + } + + static int sugov_init(struct cpufreq_policy *policy) +@@ -761,7 +767,7 @@ out: + fail: + kobject_put(&tunables->attr_set.kobj); + policy->governor_data = NULL; +- sugov_tunables_free(tunables); ++ sugov_clear_global_tunables(); + + stop_kthread: + sugov_kthread_stop(sg_policy); +@@ -788,7 +794,7 @@ static void sugov_exit(struct cpufreq_policy *policy) + count = gov_attr_set_put(&tunables->attr_set, &sg_policy->tunables_hook); + policy->governor_data = NULL; + if (!count) +- sugov_tunables_free(tunables); ++ sugov_clear_global_tunables(); + + mutex_unlock(&global_tunables_lock); + +-- +2.33.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 1d9c3384ca2..11bcb6b716d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -53,3 +53,6 @@ tcp-create-a-helper-to-model-exponential-backoff.patch tcp-adjust-rto_base-in-retransmits_timed_out.patch xen-balloon-fix-balloon-kthread-freezing.patch qnx4-work-around-gcc-false-positive-warning-bug.patch +tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch +cpufreq-schedutil-use-kobject-release-method-to-free.patch +cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch diff --git a/queue-4.19/tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch b/queue-4.19/tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch new file mode 100644 index 00000000000..b535dafe21a --- /dev/null +++ b/queue-4.19/tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch @@ -0,0 +1,71 @@ +From 6857ba2c75ae6993d897b44b501933e92a927ace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 10:45:09 -0300 +Subject: tty: Fix out-of-bound vmalloc access in imageblit + +From: Igor Matheus Andrade Torrente + +[ Upstream commit 3b0c406124719b625b1aba431659f5cdc24a982c ] + +This issue happens when a userspace program does an ioctl +FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct +containing only the fields xres, yres, and bits_per_pixel +with values. + +If this struct is the same as the previous ioctl, the +vc_resize() detects it and doesn't call the resize_screen(), +leaving the fb_var_screeninfo incomplete. And this leads to +the updatescrollmode() calculates a wrong value to +fbcon_display->vrows, which makes the real_y() return a +wrong value of y, and that value, eventually, causes +the imageblit to access an out-of-bound address value. + +To solve this issue I made the resize_screen() be called +even if the screen does not need any resizing, so it will +"fix and fill" the fb_var_screeninfo independently. + +Cc: stable # after 5.15-rc2 is out, give it time to bake +Reported-and-tested-by: syzbot+858dc7a2f7ef07c2c219@syzkaller.appspotmail.com +Signed-off-by: Igor Matheus Andrade Torrente +Link: https://lore.kernel.org/r/20210628134509.15895-1-igormtorrente@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index b2b5f19fb2fb..72e3989dffa6 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1218,8 +1218,25 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, + new_row_size = new_cols << 1; + new_screen_size = new_row_size * new_rows; + +- if (new_cols == vc->vc_cols && new_rows == vc->vc_rows) +- return 0; ++ if (new_cols == vc->vc_cols && new_rows == vc->vc_rows) { ++ /* ++ * This function is being called here to cover the case ++ * where the userspace calls the FBIOPUT_VSCREENINFO twice, ++ * passing the same fb_var_screeninfo containing the fields ++ * yres/xres equal to a number non-multiple of vc_font.height ++ * and yres_virtual/xres_virtual equal to number lesser than the ++ * vc_font.height and yres/xres. ++ * In the second call, the struct fb_var_screeninfo isn't ++ * being modified by the underlying driver because of the ++ * if above, and this causes the fbcon_display->vrows to become ++ * negative and it eventually leads to out-of-bound ++ * access by the imageblit function. ++ * To give the correct values to the struct and to not have ++ * to deal with possible errors from the code below, we call ++ * the resize_screen here as well. ++ */ ++ return resize_screen(vc, new_cols, new_rows, user); ++ } + + if (new_screen_size > KMALLOC_MAX_SIZE || !new_screen_size) + return -EINVAL; +-- +2.33.0 + -- 2.47.3