From dcc67a4c2cee4935a23f05a86569671ec9cd9132 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 16 Jun 2020 13:21:10 +0200 Subject: [PATCH] 5.7-stable patches added patches: drm-vkms-hold-gem-object-while-still-in-use.patch fat-don-t-allow-to-mount-if-the-fat-length-0.patch mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch perf-add-cond_resched-to-task_function_call.patch --- ...s-hold-gem-object-while-still-in-use.patch | 78 +++++++++++++++++++ ...t-allow-to-mount-if-the-fat-length-0.patch | 42 ++++++++++ ...-fix-a-memory-leak-in-sysfs_slab_add.patch | 77 ++++++++++++++++++ ...d-cond_resched-to-task_function_call.patch | 68 ++++++++++++++++ queue-5.7/series | 4 + 5 files changed, 269 insertions(+) create mode 100644 queue-5.7/drm-vkms-hold-gem-object-while-still-in-use.patch create mode 100644 queue-5.7/fat-don-t-allow-to-mount-if-the-fat-length-0.patch create mode 100644 queue-5.7/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch create mode 100644 queue-5.7/perf-add-cond_resched-to-task_function_call.patch diff --git a/queue-5.7/drm-vkms-hold-gem-object-while-still-in-use.patch b/queue-5.7/drm-vkms-hold-gem-object-while-still-in-use.patch new file mode 100644 index 00000000000..e011b4d2db3 --- /dev/null +++ b/queue-5.7/drm-vkms-hold-gem-object-while-still-in-use.patch @@ -0,0 +1,78 @@ +From 0ea2ea42b31abc1141f2fd3911f952a97d401fcb Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Mon, 27 Apr 2020 18:44:05 -0300 +Subject: drm/vkms: Hold gem object while still in-use + +From: Ezequiel Garcia + +commit 0ea2ea42b31abc1141f2fd3911f952a97d401fcb upstream. + +We need to keep the reference to the drm_gem_object +until the last access by vkms_dumb_create. + +Therefore, the put the object after it is used. + +This fixes a use-after-free issue reported by syzbot. + +While here, change vkms_gem_create() symbol to static. + +Reported-and-tested-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com +Signed-off-by: Ezequiel Garcia +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Rodrigo Siqueira +Link: https://patchwork.freedesktop.org/patch/msgid/20200427214405.13069-1-ezequiel@collabora.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vkms/vkms_drv.h | 5 ----- + drivers/gpu/drm/vkms/vkms_gem.c | 11 ++++++----- + 2 files changed, 6 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/vkms/vkms_drv.h ++++ b/drivers/gpu/drm/vkms/vkms_drv.h +@@ -117,11 +117,6 @@ struct drm_plane *vkms_plane_init(struct + enum drm_plane_type type, int index); + + /* Gem stuff */ +-struct drm_gem_object *vkms_gem_create(struct drm_device *dev, +- struct drm_file *file, +- u32 *handle, +- u64 size); +- + vm_fault_t vkms_gem_fault(struct vm_fault *vmf); + + int vkms_dumb_create(struct drm_file *file, struct drm_device *dev, +--- a/drivers/gpu/drm/vkms/vkms_gem.c ++++ b/drivers/gpu/drm/vkms/vkms_gem.c +@@ -97,10 +97,10 @@ vm_fault_t vkms_gem_fault(struct vm_faul + return ret; + } + +-struct drm_gem_object *vkms_gem_create(struct drm_device *dev, +- struct drm_file *file, +- u32 *handle, +- u64 size) ++static struct drm_gem_object *vkms_gem_create(struct drm_device *dev, ++ struct drm_file *file, ++ u32 *handle, ++ u64 size) + { + struct vkms_gem_object *obj; + int ret; +@@ -113,7 +113,6 @@ struct drm_gem_object *vkms_gem_create(s + return ERR_CAST(obj); + + ret = drm_gem_handle_create(file, &obj->gem, handle); +- drm_gem_object_put_unlocked(&obj->gem); + if (ret) + return ERR_PTR(ret); + +@@ -142,6 +141,8 @@ int vkms_dumb_create(struct drm_file *fi + args->size = gem_obj->size; + args->pitch = pitch; + ++ drm_gem_object_put_unlocked(gem_obj); ++ + DRM_DEBUG_DRIVER("Created object of size %lld\n", size); + + return 0; diff --git a/queue-5.7/fat-don-t-allow-to-mount-if-the-fat-length-0.patch b/queue-5.7/fat-don-t-allow-to-mount-if-the-fat-length-0.patch new file mode 100644 index 00000000000..f72928282ee --- /dev/null +++ b/queue-5.7/fat-don-t-allow-to-mount-if-the-fat-length-0.patch @@ -0,0 +1,42 @@ +From b1b65750b8db67834482f758fc385bfa7560d228 Mon Sep 17 00:00:00 2001 +From: OGAWA Hirofumi +Date: Thu, 4 Jun 2020 16:50:56 -0700 +Subject: fat: don't allow to mount if the FAT length == 0 + +From: OGAWA Hirofumi + +commit b1b65750b8db67834482f758fc385bfa7560d228 upstream. + +If FAT length == 0, the image doesn't have any data. And it can be the +cause of overlapping the root dir and FAT entries. + +Also Windows treats it as invalid format. + +Reported-by: syzbot+6f1624f937d9d6911e2d@syzkaller.appspotmail.com +Signed-off-by: OGAWA Hirofumi +Signed-off-by: Andrew Morton +Cc: Marco Elver +Cc: Dmitry Vyukov +Link: http://lkml.kernel.org/r/87r1wz8mrd.fsf@mail.parknet.co.jp +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fat/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -1520,6 +1520,12 @@ static int fat_read_bpb(struct super_blo + goto out; + } + ++ if (bpb->fat_fat_length == 0 && bpb->fat32_length == 0) { ++ if (!silent) ++ fat_msg(sb, KERN_ERR, "bogus number of FAT sectors"); ++ goto out; ++ } ++ + error = 0; + + out: diff --git a/queue-5.7/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch b/queue-5.7/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch new file mode 100644 index 00000000000..4ca10f339b3 --- /dev/null +++ b/queue-5.7/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch @@ -0,0 +1,77 @@ +From dde3c6b72a16c2db826f54b2d49bdea26c3534a2 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 3 Jun 2020 15:56:21 -0700 +Subject: mm/slub: fix a memory leak in sysfs_slab_add() + +From: Wang Hai + +commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2 upstream. + +syzkaller reports for memory leak when kobject_init_and_add() returns an +error in the function sysfs_slab_add() [1] + +When this happened, the function kobject_put() is not called for the +corresponding kobject, which potentially leads to memory leak. + +This patch fixes the issue by calling kobject_put() even if +kobject_init_and_add() fails. + +[1] + BUG: memory leak + unreferenced object 0xffff8880a6d4be88 (size 8): + comm "syz-executor.3", pid 946, jiffies 4295772514 (age 18.396s) + hex dump (first 8 bytes): + 70 69 64 5f 33 00 ff ff pid_3... + backtrace: + kstrdup+0x35/0x70 mm/util.c:60 + kstrdup_const+0x3d/0x50 mm/util.c:82 + kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 + kobject_set_name_vargs+0x55/0x130 lib/kobject.c:289 + kobject_add_varg lib/kobject.c:384 [inline] + kobject_init_and_add+0xd8/0x170 lib/kobject.c:473 + sysfs_slab_add+0x1d8/0x290 mm/slub.c:5811 + __kmem_cache_create+0x50a/0x570 mm/slub.c:4384 + create_cache+0x113/0x1e0 mm/slab_common.c:407 + kmem_cache_create_usercopy+0x1a1/0x260 mm/slab_common.c:505 + kmem_cache_create+0xd/0x10 mm/slab_common.c:564 + create_pid_cachep kernel/pid_namespace.c:54 [inline] + create_pid_namespace kernel/pid_namespace.c:96 [inline] + copy_pid_ns+0x77c/0x8f0 kernel/pid_namespace.c:148 + create_new_namespaces+0x26b/0xa30 kernel/nsproxy.c:95 + unshare_nsproxy_namespaces+0xa7/0x1e0 kernel/nsproxy.c:229 + ksys_unshare+0x3d2/0x770 kernel/fork.c:2969 + __do_sys_unshare kernel/fork.c:3037 [inline] + __se_sys_unshare kernel/fork.c:3035 [inline] + __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3035 + do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295 + +Fixes: 80da026a8e5d ("mm/slub: fix slab double-free in case of duplicate sysfs filename") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Andrew Morton +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Link: http://lkml.kernel.org/r/20200602115033.1054-1-wanghai38@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -5809,8 +5809,10 @@ static int sysfs_slab_add(struct kmem_ca + + s->kobj.kset = kset; + err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name); +- if (err) ++ if (err) { ++ kobject_put(&s->kobj); + goto out; ++ } + + err = sysfs_create_group(&s->kobj, &slab_attr_group); + if (err) diff --git a/queue-5.7/perf-add-cond_resched-to-task_function_call.patch b/queue-5.7/perf-add-cond_resched-to-task_function_call.patch new file mode 100644 index 00000000000..adc4440b6bc --- /dev/null +++ b/queue-5.7/perf-add-cond_resched-to-task_function_call.patch @@ -0,0 +1,68 @@ +From 2ed6edd33a214bca02bd2b45e3fc3038a059436b Mon Sep 17 00:00:00 2001 +From: Barret Rhoden +Date: Tue, 14 Apr 2020 18:29:20 -0400 +Subject: perf: Add cond_resched() to task_function_call() + +From: Barret Rhoden + +commit 2ed6edd33a214bca02bd2b45e3fc3038a059436b upstream. + +Under rare circumstances, task_function_call() can repeatedly fail and +cause a soft lockup. + +There is a slight race where the process is no longer running on the cpu +we targeted by the time remote_function() runs. The code will simply +try again. If we are very unlucky, this will continue to fail, until a +watchdog fires. This can happen in a heavily loaded, multi-core virtual +machine. + +Reported-by: syzbot+bb4935a5c09b5ff79940@syzkaller.appspotmail.com +Signed-off-by: Barret Rhoden +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200414222920.121401-1-brho@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -95,11 +95,11 @@ static void remote_function(void *data) + * @info: the function call argument + * + * Calls the function @func when the task is currently running. This might +- * be on the current CPU, which just calls the function directly ++ * be on the current CPU, which just calls the function directly. This will ++ * retry due to any failures in smp_call_function_single(), such as if the ++ * task_cpu() goes offline concurrently. + * +- * returns: @func return value, or +- * -ESRCH - when the process isn't running +- * -EAGAIN - when the process moved away ++ * returns @func return value or -ESRCH when the process isn't running + */ + static int + task_function_call(struct task_struct *p, remote_function_f func, void *info) +@@ -112,11 +112,16 @@ task_function_call(struct task_struct *p + }; + int ret; + +- do { +- ret = smp_call_function_single(task_cpu(p), remote_function, &data, 1); +- if (!ret) +- ret = data.ret; +- } while (ret == -EAGAIN); ++ for (;;) { ++ ret = smp_call_function_single(task_cpu(p), remote_function, ++ &data, 1); ++ ret = !ret ? data.ret : -EAGAIN; ++ ++ if (ret != -EAGAIN) ++ break; ++ ++ cond_resched(); ++ } + + return ret; + } diff --git a/queue-5.7/series b/queue-5.7/series index 7a55c545ee1..cfa6330ca96 100644 --- a/queue-5.7/series +++ b/queue-5.7/series @@ -142,3 +142,7 @@ ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch smack-slab-out-of-bounds-in-vsscanf.patch +drm-vkms-hold-gem-object-while-still-in-use.patch +mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch +fat-don-t-allow-to-mount-if-the-fat-length-0.patch +perf-add-cond_resched-to-task_function_call.patch -- 2.47.3