From babee0bbaba0f6760c055996b3efc709b4a655d7 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 6 Oct 2019 18:40:33 +0200 Subject: [PATCH] 5.2-stable patches added patches: 9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch kexec-bail-out-upon-sigkill-when-allocating-memory.patch kvm-hyperv-fix-direct-synthetic-timers-assert-an-interrupt-w-o-lapic_in_kernel.patch nfc-fix-attrs-checks-in-netlink-interface.patch vfs-set-fs_context-user_ns-for-reconfigure.patch --- ...eak-in-v9fs_cache_session_get_cookie.patch | 44 ++++++++++ ...-upon-sigkill-when-allocating-memory.patch | 41 ++++++++++ ...ert-an-interrupt-w-o-lapic_in_kernel.patch | 76 +++++++++++++++++ ...ix-attrs-checks-in-netlink-interface.patch | 49 +++++++++++ queue-5.2/series | 5 ++ ...t-fs_context-user_ns-for-reconfigure.patch | 82 +++++++++++++++++++ 6 files changed, 297 insertions(+) create mode 100644 queue-5.2/9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch create mode 100644 queue-5.2/kexec-bail-out-upon-sigkill-when-allocating-memory.patch create mode 100644 queue-5.2/kvm-hyperv-fix-direct-synthetic-timers-assert-an-interrupt-w-o-lapic_in_kernel.patch create mode 100644 queue-5.2/nfc-fix-attrs-checks-in-netlink-interface.patch create mode 100644 queue-5.2/vfs-set-fs_context-user_ns-for-reconfigure.patch diff --git a/queue-5.2/9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch b/queue-5.2/9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch new file mode 100644 index 00000000000..b624f50f490 --- /dev/null +++ b/queue-5.2/9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch @@ -0,0 +1,44 @@ +From 962a991c5de18452d6c429d99f3039387cf5cbb0 Mon Sep 17 00:00:00 2001 +From: Bharath Vedartham +Date: Thu, 23 May 2019 01:15:19 +0530 +Subject: 9p/cache.c: Fix memory leak in v9fs_cache_session_get_cookie + +From: Bharath Vedartham + +commit 962a991c5de18452d6c429d99f3039387cf5cbb0 upstream. + +v9fs_cache_session_get_cookie assigns a random cachetag to v9ses->cachetag, +if the cachetag is not assigned previously. + +v9fs_random_cachetag allocates memory to v9ses->cachetag with kmalloc and uses +scnprintf to fill it up with a cachetag. + +But if scnprintf fails, v9ses->cachetag is not freed in the current +code causing a memory leak. + +Fix this by freeing v9ses->cachetag it v9fs_random_cachetag fails. + +This was reported by syzbot, the link to the report is below: +https://syzkaller.appspot.com/bug?id=f012bdf297a7a4c860c38a88b44fbee43fd9bbf3 + +Link: http://lkml.kernel.org/r/20190522194519.GA5313@bharath12345-Inspiron-5559 +Reported-by: syzbot+3a030a73b6c1e9833815@syzkaller.appspotmail.com +Signed-off-by: Bharath Vedartham +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + fs/9p/cache.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/9p/cache.c ++++ b/fs/9p/cache.c +@@ -51,6 +51,8 @@ void v9fs_cache_session_get_cookie(struc + if (!v9ses->cachetag) { + if (v9fs_random_cachetag(v9ses) < 0) { + v9ses->fscache = NULL; ++ kfree(v9ses->cachetag); ++ v9ses->cachetag = NULL; + return; + } + } diff --git a/queue-5.2/kexec-bail-out-upon-sigkill-when-allocating-memory.patch b/queue-5.2/kexec-bail-out-upon-sigkill-when-allocating-memory.patch new file mode 100644 index 00000000000..761e780abef --- /dev/null +++ b/queue-5.2/kexec-bail-out-upon-sigkill-when-allocating-memory.patch @@ -0,0 +1,41 @@ +From 7c3a6aedcd6aae0a32a527e68669f7dd667492d1 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 25 Sep 2019 16:47:33 -0700 +Subject: kexec: bail out upon SIGKILL when allocating memory. + +From: Tetsuo Handa + +commit 7c3a6aedcd6aae0a32a527e68669f7dd667492d1 upstream. + +syzbot found that a thread can stall for minutes inside kexec_load() after +that thread was killed by SIGKILL [1]. It turned out that the reproducer +was trying to allocate 2408MB of memory using kimage_alloc_page() from +kimage_load_normal_segment(). Let's check for SIGKILL before doing memory +allocation. + +[1] https://syzkaller.appspot.com/bug?id=a0e3436829698d5824231251fad9d8e998f94f5e + +Link: http://lkml.kernel.org/r/993c9185-d324-2640-d061-bed2dd18b1f7@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Cc: Eric Biederman +Reviewed-by: Andrew Morton +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kexec_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/kexec_core.c ++++ b/kernel/kexec_core.c +@@ -300,6 +300,8 @@ static struct page *kimage_alloc_pages(g + { + struct page *pages; + ++ if (fatal_signal_pending(current)) ++ return NULL; + pages = alloc_pages(gfp_mask & ~__GFP_ZERO, order); + if (pages) { + unsigned int count, i; diff --git a/queue-5.2/kvm-hyperv-fix-direct-synthetic-timers-assert-an-interrupt-w-o-lapic_in_kernel.patch b/queue-5.2/kvm-hyperv-fix-direct-synthetic-timers-assert-an-interrupt-w-o-lapic_in_kernel.patch new file mode 100644 index 00000000000..690d208e758 --- /dev/null +++ b/queue-5.2/kvm-hyperv-fix-direct-synthetic-timers-assert-an-interrupt-w-o-lapic_in_kernel.patch @@ -0,0 +1,76 @@ +From a073d7e3ad687a7ef32b65affe80faa7ce89bf92 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 16 Sep 2019 15:42:32 +0800 +Subject: KVM: hyperv: Fix Direct Synthetic timers assert an interrupt w/o lapic_in_kernel +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit a073d7e3ad687a7ef32b65affe80faa7ce89bf92 upstream. + +Reported by syzkaller: + + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] PREEMPT SMP KASAN + RIP: 0010:__apic_accept_irq+0x46/0x740 arch/x86/kvm/lapic.c:1029 + Call Trace: + kvm_apic_set_irq+0xb4/0x140 arch/x86/kvm/lapic.c:558 + stimer_notify_direct arch/x86/kvm/hyperv.c:648 [inline] + stimer_expiration arch/x86/kvm/hyperv.c:659 [inline] + kvm_hv_process_stimers+0x594/0x1650 arch/x86/kvm/hyperv.c:686 + vcpu_enter_guest+0x2b2a/0x54b0 arch/x86/kvm/x86.c:7896 + vcpu_run+0x393/0xd40 arch/x86/kvm/x86.c:8152 + kvm_arch_vcpu_ioctl_run+0x636/0x900 arch/x86/kvm/x86.c:8360 + kvm_vcpu_ioctl+0x6cf/0xaf0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2765 + +The testcase programs HV_X64_MSR_STIMERn_CONFIG/HV_X64_MSR_STIMERn_COUNT, +in addition, there is no lapic in the kernel, the counters value are small +enough in order that kvm_hv_process_stimers() inject this already-expired +timer interrupt into the guest through lapic in the kernel which triggers +the NULL deferencing. This patch fixes it by don't advertise direct mode +synthetic timers and discarding the inject when lapic is not in kernel. + +syzkaller source: https://syzkaller.appspot.com/x/repro.c?x=1752fe0a600000 + +Reported-by: syzbot+dff25ee91f0c7d5c1695@syzkaller.appspotmail.com +Cc: Paolo Bonzini +Cc: Radim Krčmář +Signed-off-by: Wanpeng Li +Reviewed-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/hyperv.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -645,7 +645,9 @@ static int stimer_notify_direct(struct k + .vector = stimer->config.apic_vector + }; + +- return !kvm_apic_set_irq(vcpu, &irq, NULL); ++ if (lapic_in_kernel(vcpu)) ++ return !kvm_apic_set_irq(vcpu, &irq, NULL); ++ return 0; + } + + static void stimer_expiration(struct kvm_vcpu_hv_stimer *stimer) +@@ -1854,7 +1856,13 @@ int kvm_vcpu_ioctl_get_hv_cpuid(struct k + + ent->edx |= HV_FEATURE_FREQUENCY_MSRS_AVAILABLE; + ent->edx |= HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE; +- ent->edx |= HV_STIMER_DIRECT_MODE_AVAILABLE; ++ ++ /* ++ * Direct Synthetic timers only make sense with in-kernel ++ * LAPIC ++ */ ++ if (lapic_in_kernel(vcpu)) ++ ent->edx |= HV_STIMER_DIRECT_MODE_AVAILABLE; + + break; + diff --git a/queue-5.2/nfc-fix-attrs-checks-in-netlink-interface.patch b/queue-5.2/nfc-fix-attrs-checks-in-netlink-interface.patch new file mode 100644 index 00000000000..256925f3322 --- /dev/null +++ b/queue-5.2/nfc-fix-attrs-checks-in-netlink-interface.patch @@ -0,0 +1,49 @@ +From 18917d51472fe3b126a3a8f756c6b18085eb8130 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Mon, 29 Jul 2019 16:35:01 +0300 +Subject: NFC: fix attrs checks in netlink interface + +From: Andrey Konovalov + +commit 18917d51472fe3b126a3a8f756c6b18085eb8130 upstream. + +nfc_genl_deactivate_target() relies on the NFC_ATTR_TARGET_INDEX +attribute being present, but doesn't check whether it is actually +provided by the user. Same goes for nfc_genl_fw_download() and +NFC_ATTR_FIRMWARE_NAME. + +This patch adds appropriate checks. + +Found with syzkaller. + +Signed-off-by: Andrey Konovalov +Signed-off-by: Andy Shevchenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/netlink.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -970,7 +970,8 @@ static int nfc_genl_dep_link_down(struct + int rc; + u32 idx; + +- if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) ++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || ++ !info->attrs[NFC_ATTR_TARGET_INDEX]) + return -EINVAL; + + idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); +@@ -1018,7 +1019,8 @@ static int nfc_genl_llc_get_params(struc + struct sk_buff *msg = NULL; + u32 idx; + +- if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) ++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || ++ !info->attrs[NFC_ATTR_FIRMWARE_NAME]) + return -EINVAL; + + idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); diff --git a/queue-5.2/series b/queue-5.2/series index 603075e7ded..403507f16b3 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -130,3 +130,8 @@ soundwire-fix-regmap-dependencies-and-align-with-oth.patch smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch dm-raid-fix-updating-of-max_discard_sectors-limit.patch +nfc-fix-attrs-checks-in-netlink-interface.patch +kexec-bail-out-upon-sigkill-when-allocating-memory.patch +kvm-hyperv-fix-direct-synthetic-timers-assert-an-interrupt-w-o-lapic_in_kernel.patch +9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch +vfs-set-fs_context-user_ns-for-reconfigure.patch diff --git a/queue-5.2/vfs-set-fs_context-user_ns-for-reconfigure.patch b/queue-5.2/vfs-set-fs_context-user_ns-for-reconfigure.patch new file mode 100644 index 00000000000..d3eeac5bf6e --- /dev/null +++ b/queue-5.2/vfs-set-fs_context-user_ns-for-reconfigure.patch @@ -0,0 +1,82 @@ +From 1dd9bc08cf1420d466dd8dcfcc233777e61ca5d2 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 21 Aug 2019 22:16:33 -0700 +Subject: vfs: set fs_context::user_ns for reconfigure + +From: Eric Biggers + +commit 1dd9bc08cf1420d466dd8dcfcc233777e61ca5d2 upstream. + +fs_context::user_ns is used by fuse_parse_param(), even during remount, +so it needs to be set to the existing value for reconfigure. + +Reproducer: + + #include + #include + + int main() + { + char opts[128]; + int fd = open("/dev/fuse", O_RDWR); + + sprintf(opts, "fd=%d,rootmode=040000,user_id=0,group_id=0", fd); + mkdir("mnt", 0777); + mount("foo", "mnt", "fuse.foo", 0, opts); + mount("foo", "mnt", "fuse.foo", MS_REMOUNT, opts); + } + +Crash: + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP + CPU: 0 PID: 129 Comm: syz_make_kuid Not tainted 5.3.0-rc5-next-20190821 #3 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014 + RIP: 0010:map_id_range_down+0xb/0xc0 kernel/user_namespace.c:291 + [...] + Call Trace: + map_id_down kernel/user_namespace.c:312 [inline] + make_kuid+0xe/0x10 kernel/user_namespace.c:389 + fuse_parse_param+0x116/0x210 fs/fuse/inode.c:523 + vfs_parse_fs_param+0xdb/0x1b0 fs/fs_context.c:145 + vfs_parse_fs_string+0x6a/0xa0 fs/fs_context.c:188 + generic_parse_monolithic+0x85/0xc0 fs/fs_context.c:228 + parse_monolithic_mount_data+0x1b/0x20 fs/fs_context.c:708 + do_remount fs/namespace.c:2525 [inline] + do_mount+0x39a/0xa60 fs/namespace.c:3107 + ksys_mount+0x7d/0xd0 fs/namespace.c:3325 + __do_sys_mount fs/namespace.c:3339 [inline] + __se_sys_mount fs/namespace.c:3336 [inline] + __x64_sys_mount+0x20/0x30 fs/namespace.c:3336 + do_syscall_64+0x4a/0x1a0 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Reported-by: syzbot+7d6a57304857423318a5@syzkaller.appspotmail.com +Fixes: 408cbe695350 ("vfs: Convert fuse to use the new mount API") +Cc: David Howells +Cc: Miklos Szeredi +Signed-off-by: Eric Biggers +Reviewed-by: David Howells +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fs_context.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/fs_context.c ++++ b/fs/fs_context.c +@@ -279,10 +279,8 @@ static struct fs_context *alloc_fs_conte + fc->user_ns = get_user_ns(reference->d_sb->s_user_ns); + break; + case FS_CONTEXT_FOR_RECONFIGURE: +- /* We don't pin any namespaces as the superblock's +- * subscriptions cannot be changed at this point. +- */ + atomic_inc(&reference->d_sb->s_active); ++ fc->user_ns = get_user_ns(reference->d_sb->s_user_ns); + fc->root = dget(reference); + break; + } -- 2.47.2