From fb389a2fa5a057c3df9ee82bb4086d13f3892d7e Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 4 Jan 2021 15:28:01 +0100 Subject: [PATCH] 5.10-stable patches added patches: alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch bfs-don-t-use-warning-string-when-it-s-just-info.patch bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch ext4-check-for-invalid-block-size-early-when-mounting-a-file-system.patch f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch fbcon-disable-accelerated-scrolling.patch fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch io_uring-check-kthread-stopped-flag-when-sq-thread-is-unparked.patch media-gp8psk-initialize-stats-at-power-control-logic.patch misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch reiserfs-add-check-for-an-invalid-ih_entry_count.patch scsi-cxgb4i-fix-tls-dependency.patch zlib-move-export_symbol-and-module_license-out-of-dfltcc_syms.c.patch --- ...ess-runtime-avail-always-in-spinlock.patch | 153 ++++++++++++++ ...ool-for-snd_seq_queue-internal-flags.patch | 44 ++++ ...e-warning-string-when-it-s-just-info.patch | 42 ++++ ...erdev-device-and-free-hu-in-h5_close.patch | 42 ++++ ...n-parsing-multiple-source-parameters.patch | 49 +++++ ...ze-early-when-mounting-a-file-system.patch | 89 +++++++++ ...-of-bounds-in-sanity_check_raw_super.patch | 67 +++++++ .../fbcon-disable-accelerated-scrolling.patch | 188 ++++++++++++++++++ ...otential-deadlock-in-send_sig-io-urg.patch | 127 ++++++++++++ ...pped-flag-when-sq-thread-is-unparked.patch | 98 +++++++++ ...tialize-stats-at-power-control-logic.patch | 45 +++++ ...ells-in-vmci_ctx_get_chkpt_doorbells.patch | 34 ++++ ...-check-for-an-invalid-ih_entry_count.patch | 41 ++++ .../scsi-cxgb4i-fix-tls-dependency.patch | 45 +++++ queue-5.10/series | 15 ++ ...-module_license-out-of-dfltcc_syms.c.patch | 112 +++++++++++ 16 files changed, 1191 insertions(+) 
 create mode 100644 queue-5.10/alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch
 create mode 100644 queue-5.10/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
 create mode 100644 queue-5.10/bfs-don-t-use-warning-string-when-it-s-just-info.patch
 create mode 100644 queue-5.10/bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch
 create mode 100644 queue-5.10/cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch
 create mode 100644 queue-5.10/ext4-check-for-invalid-block-size-early-when-mounting-a-file-system.patch
 create mode 100644 queue-5.10/f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch
 create mode 100644 queue-5.10/fbcon-disable-accelerated-scrolling.patch
 create mode 100644 queue-5.10/fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch
 create mode 100644 queue-5.10/io_uring-check-kthread-stopped-flag-when-sq-thread-is-unparked.patch
 create mode 100644 queue-5.10/media-gp8psk-initialize-stats-at-power-control-logic.patch
 create mode 100644 queue-5.10/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
 create mode 100644 queue-5.10/reiserfs-add-check-for-an-invalid-ih_entry_count.patch
 create mode 100644 queue-5.10/scsi-cxgb4i-fix-tls-dependency.patch
 create mode 100644 queue-5.10/zlib-move-export_symbol-and-module_license-out-of-dfltcc_syms.c.patch
diff --git a/queue-5.10/alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch b/queue-5.10/alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch
new file mode 100644
index 00000000000..738d1032be9
--- /dev/null
+++ b/queue-5.10/alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch
@@ -0,0 +1,153 @@ +From 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 6 Dec 2020 09:35:27 +0100 +Subject: ALSA: rawmidi: Access runtime->avail always in spinlock + +From: Takashi Iwai + +commit 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 upstream. + +The runtime->avail field may be accessed concurrently while some +places refer to it without taking the runtime->lock spinlock, as +detected by KCSAN. Usually this isn't a big problem, but for +consistency and safety, we should take the spinlock at each place +referencing this field. + +Reported-by: syzbot+a23a6f1215c84756577c@syzkaller.appspotmail.com +Reported-by: syzbot+3d367d1df1d2b67f5c19@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20201206083527.21163-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/rawmidi.c | 49 +++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 35 insertions(+), 14 deletions(-) + +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -95,11 +95,21 @@ static inline unsigned short snd_rawmidi + } + } + +-static inline int snd_rawmidi_ready(struct snd_rawmidi_substream *substream) ++static inline bool __snd_rawmidi_ready(struct snd_rawmidi_runtime *runtime) ++{ ++ return runtime->avail >= runtime->avail_min; ++} ++ ++static bool snd_rawmidi_ready(struct snd_rawmidi_substream *substream) + { + struct snd_rawmidi_runtime *runtime = substream->runtime; ++ unsigned long flags; ++ bool ready; + +- return runtime->avail >= runtime->avail_min; ++ spin_lock_irqsave(&runtime->lock, flags); ++ ready = __snd_rawmidi_ready(runtime); ++ spin_unlock_irqrestore(&runtime->lock, flags); ++ return ready; + } + + static inline int snd_rawmidi_ready_append(struct snd_rawmidi_substream *substream, +@@ -1019,7 +1029,7 @@ int snd_rawmidi_receive(struct snd_rawmi + if (result > 0) { + if (runtime->event) + schedule_work(&runtime->event_work); +- else if (snd_rawmidi_ready(substream)) 
++ else if (__snd_rawmidi_ready(runtime)) + wake_up(&runtime->sleep); + } + spin_unlock_irqrestore(&runtime->lock, flags); +@@ -1098,7 +1108,7 @@ static ssize_t snd_rawmidi_read(struct f + result = 0; + while (count > 0) { + spin_lock_irq(&runtime->lock); +- while (!snd_rawmidi_ready(substream)) { ++ while (!__snd_rawmidi_ready(runtime)) { + wait_queue_entry_t wait; + + if ((file->f_flags & O_NONBLOCK) != 0 || result > 0) { +@@ -1115,9 +1125,11 @@ static ssize_t snd_rawmidi_read(struct f + return -ENODEV; + if (signal_pending(current)) + return result > 0 ? result : -ERESTARTSYS; +- if (!runtime->avail) +- return result > 0 ? result : -EIO; + spin_lock_irq(&runtime->lock); ++ if (!runtime->avail) { ++ spin_unlock_irq(&runtime->lock); ++ return result > 0 ? result : -EIO; ++ } + } + spin_unlock_irq(&runtime->lock); + count1 = snd_rawmidi_kernel_read1(substream, +@@ -1255,7 +1267,7 @@ int __snd_rawmidi_transmit_ack(struct sn + runtime->avail += count; + substream->bytes += count; + if (count > 0) { +- if (runtime->drain || snd_rawmidi_ready(substream)) ++ if (runtime->drain || __snd_rawmidi_ready(runtime)) + wake_up(&runtime->sleep); + } + return count; +@@ -1444,9 +1456,11 @@ static ssize_t snd_rawmidi_write(struct + return -ENODEV; + if (signal_pending(current)) + return result > 0 ? result : -ERESTARTSYS; +- if (!runtime->avail && !timeout) +- return result > 0 ? result : -EIO; + spin_lock_irq(&runtime->lock); ++ if (!runtime->avail && !timeout) { ++ spin_unlock_irq(&runtime->lock); ++ return result > 0 ? 
result : -EIO; ++ } + } + spin_unlock_irq(&runtime->lock); + count1 = snd_rawmidi_kernel_write1(substream, buf, NULL, count); +@@ -1526,6 +1540,7 @@ static void snd_rawmidi_proc_info_read(s + struct snd_rawmidi *rmidi; + struct snd_rawmidi_substream *substream; + struct snd_rawmidi_runtime *runtime; ++ unsigned long buffer_size, avail, xruns; + + rmidi = entry->private_data; + snd_iprintf(buffer, "%s\n\n", rmidi->name); +@@ -1544,13 +1559,16 @@ static void snd_rawmidi_proc_info_read(s + " Owner PID : %d\n", + pid_vnr(substream->pid)); + runtime = substream->runtime; ++ spin_lock_irq(&runtime->lock); ++ buffer_size = runtime->buffer_size; ++ avail = runtime->avail; ++ spin_unlock_irq(&runtime->lock); + snd_iprintf(buffer, + " Mode : %s\n" + " Buffer size : %lu\n" + " Avail : %lu\n", + runtime->oss ? "OSS compatible" : "native", +- (unsigned long) runtime->buffer_size, +- (unsigned long) runtime->avail); ++ buffer_size, avail); + } + } + } +@@ -1568,13 +1586,16 @@ static void snd_rawmidi_proc_info_read(s + " Owner PID : %d\n", + pid_vnr(substream->pid)); + runtime = substream->runtime; ++ spin_lock_irq(&runtime->lock); ++ buffer_size = runtime->buffer_size; ++ avail = runtime->avail; ++ xruns = runtime->xruns; ++ spin_unlock_irq(&runtime->lock); + snd_iprintf(buffer, + " Buffer size : %lu\n" + " Avail : %lu\n" + " Overruns : %lu\n", +- (unsigned long) runtime->buffer_size, +- (unsigned long) runtime->avail, +- (unsigned long) runtime->xruns); ++ buffer_size, avail, xruns); + } + } + } diff --git a/queue-5.10/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch b/queue-5.10/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch new file mode 100644 index 00000000000..eb845d9dbff --- /dev/null +++ b/queue-5.10/alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch 
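Review bot: `__snd_rawmidi_ready()` is the lockless variant and every new caller in this hunk (snd_rawmidi_receive, snd_rawmidi_read, __snd_rawmidi_transmit_ack) relies on already holding runtime->lock, but nothing enforces or documents that; add `lockdep_assert_held(&runtime->lock);` as its first statement, or at least `/* caller must hold runtime->lock */` above it. The `snd_rawmidi_ready_append()` helper that follows it is only visible as context here; if it also reads runtime->avail outside the lock it keeps the race this patch fixes, so that is worth confirming. In the proc reader, snapshotting buffer_size/avail/xruns under the lock is the right shape, though `runtime->oss` is still read outside it, presumably a stable per-open setting.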
@@ -0,0 +1,44 @@ +From 4ebd47037027c4beae99680bff3b20fdee5d7c1e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 6 Dec 2020 09:34:56 +0100 +Subject: ALSA: seq: Use bool for snd_seq_queue internal flags + +From: Takashi Iwai + +commit 4ebd47037027c4beae99680bff3b20fdee5d7c1e upstream. + +The snd_seq_queue struct contains various flags in the bit fields. +Those are categorized to two different use cases, both of which are +protected by different spinlocks. That implies that there are still +potential risks of the bad operations for bit fields by concurrent +accesses. + +For addressing the problem, this patch rearranges those flags to be +a standard bool instead of a bit field. + +Reported-by: syzbot+63cbe31877bb80ef58f5@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20201206083456.21110-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_queue.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/core/seq/seq_queue.h ++++ b/sound/core/seq/seq_queue.h +@@ -26,10 +26,10 @@ struct snd_seq_queue { + + struct snd_seq_timer *timer; /* time keeper for this queue */ + int owner; /* client that 'owns' the timer */ +- unsigned int locked:1, /* timer is only accesibble by owner if set */ +- klocked:1, /* kernel lock (after START) */ +- check_again:1, +- check_blocked:1; ++ bool locked; /* timer is only accesibble by owner if set */ ++ bool klocked; /* kernel lock (after START) */ ++ bool check_again; /* concurrent access happened during check */ ++ bool check_blocked; /* queue being checked */ + + unsigned int flags; /* status flags */ + unsigned int info_flags; /* info for sync */ diff --git a/queue-5.10/bfs-don-t-use-warning-string-when-it-s-just-info.patch b/queue-5.10/bfs-don-t-use-warning-string-when-it-s-just-info.patch new file mode 100644 index 00000000000..518d59debf0 --- /dev/null +++ b/queue-5.10/bfs-don-t-use-warning-string-when-it-s-just-info.patch 
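Review bot: The rewritten `locked` line carries the old typo over into its comment; since the line is replaced anyway, make it `bool locked; /* timer is only accessible by owner if set */`. Dropping the bit fields is what removes the shared-word read-modify-write between the two groups that the commit message says are protected by different spinlocks, so a one-line comment above the four bools naming the lock guarding each group would keep a later editor from re-packing them.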
@@ -0,0 +1,42 @@ +From dc889b8d4a8122549feabe99eead04e6b23b6513 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Tue, 15 Dec 2020 20:45:44 -0800 +Subject: bfs: don't use WARNING: string when it's just info. + +From: Randy Dunlap + +commit dc889b8d4a8122549feabe99eead04e6b23b6513 upstream. + +Make the printk() [bfs "printf" macro] seem less severe by changing +"WARNING:" to "NOTE:". + + warns us about using WARNING or BUG in a format string +other than in WARN() or BUG() family macros. bfs/inode.c is doing just +that in a normal printk() call, so change the "WARNING" string to be +"NOTE". + +Link: https://lkml.kernel.org/r/20201203212634.17278-1-rdunlap@infradead.org +Reported-by: syzbot+3fd34060f26e766536ff@syzkaller.appspotmail.com +Signed-off-by: Randy Dunlap +Cc: Dmitry Vyukov +Cc: Al Viro +Cc: "Tigran A. Aivazian" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/bfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/bfs/inode.c ++++ b/fs/bfs/inode.c +@@ -350,7 +350,7 @@ static int bfs_fill_super(struct super_b + + info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) / sizeof(struct bfs_inode) + BFS_ROOT_INO - 1; + if (info->si_lasti == BFS_MAX_LASTI) +- printf("WARNING: filesystem %s was created with 512 inodes, the real maximum is 511, mounting anyway\n", s->s_id); ++ printf("NOTE: filesystem %s was created with 512 inodes, the real maximum is 511, mounting anyway\n", s->s_id); + else if (info->si_lasti > BFS_MAX_LASTI) { + printf("Impossible last inode number %lu > %d on %s\n", info->si_lasti, BFS_MAX_LASTI, s->s_id); + goto out1; diff --git a/queue-5.10/bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch b/queue-5.10/bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch new file mode 100644 index 00000000000..77859d222c9 --- /dev/null +++ b/queue-5.10/bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch 
@@ -0,0 +1,42 @@ +From 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 Mon Sep 17 00:00:00 2001 +From: Anant Thazhemadam +Date: Wed, 30 Sep 2020 00:28:15 +0530 +Subject: Bluetooth: hci_h5: close serdev device and free hu in h5_close + +From: Anant Thazhemadam + +commit 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 upstream. + +When h5_close() gets called, the memory allocated for the hu gets +freed only if hu->serdev doesn't exist. This leads to a memory leak. +So when h5_close() is requested, close the serdev device instance and +free the memory allocated to the hu entirely instead. + +Fixes: https://syzkaller.appspot.com/bug?extid=6ce141c55b2f7aafd1c4 +Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com +Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_h5.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -251,8 +251,12 @@ static int h5_close(struct hci_uart *hu) + if (h5->vnd && h5->vnd->close) + h5->vnd->close(h5); + +- if (!hu->serdev) +- kfree(h5); ++ if (hu->serdev) ++ serdev_device_close(hu->serdev); ++ ++ kfree_skb(h5->rx_skb); ++ kfree(h5); ++ h5 = NULL; + + return 0; + } diff --git a/queue-5.10/cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch b/queue-5.10/cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch new file mode 100644 index 00000000000..88b8f16d0c8 --- /dev/null +++ b/queue-5.10/cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch 
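Review bot: The trailing `h5 = NULL;` assigns a local that goes out of scope on the next line, so it has no effect; if the intent is to stop a later use through the owning `hci_uart` (the field that holds it is not visible here), clear that pointer instead, otherwise drop the line. The previous code only freed `h5` when there was no serdev, which suggests the serdev probe path allocates it differently (for instance via a devm_ allocation); if so the now-unconditional `kfree(h5)` would become a double free at device removal, so the allocation site should be checked before taking this. Freeing `h5->rx_skb` here is fine as long as no receive work can still run after `serdev_device_close()`, which cannot be verified from this hunk.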
@@ -0,0 +1,49 @@ +From 2d18e54dd8662442ef5898c6bdadeaf90b3cebbc Mon Sep 17 00:00:00 2001 +From: Qinglang Miao +Date: Thu, 10 Dec 2020 09:29:43 +0800 +Subject: cgroup: Fix memory leak when parsing multiple source parameters + +From: Qinglang Miao + +commit 2d18e54dd8662442ef5898c6bdadeaf90b3cebbc upstream. + +A memory leak is found in cgroup1_parse_param() when multiple source +parameters overwrite fc->source in the fs_context struct without free. + +unreferenced object 0xffff888100d930e0 (size 16): + comm "mount", pid 520, jiffies 4303326831 (age 152.783s) + hex dump (first 16 bytes): + 74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00 testleak........ + backtrace: + [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0 + [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150 + [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0 + [<000000000f750198>] path_mount+0xee1/0x1820 + [<0000000004756de2>] do_mount+0xea/0x100 + [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0 + +Fix this bug by permitting a single source parameter and rejecting with +an error all subsequent ones. + +Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing") +Reported-by: Hulk Robot +Signed-off-by: Qinglang Miao +Reviewed-by: Zefan Li +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cgroup-v1.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -908,6 +908,8 @@ int cgroup1_parse_param(struct fs_contex + opt = fs_parse(fc, cgroup1_fs_parameters, param, &result); + if (opt == -ENOPARAM) { + if (strcmp(param->key, "source") == 0) { ++ if (fc->source) ++ return invalf(fc, "Multiple sources not supported"); + fc->source = param->string; + param->string = NULL; + return 0; 
diff --git a/queue-5.10/ext4-check-for-invalid-block-size-early-when-mounting-a-file-system.patch b/queue-5.10/ext4-check-for-invalid-block-size-early-when-mounting-a-file-system.patch
new file mode 100644
index 00000000000..f5b500b0a41
--- /dev/null
+++ b/queue-5.10/ext4-check-for-invalid-block-size-early-when-mounting-a-file-system.patch
@@ -0,0 +1,89 @@ +From c9200760da8a728eb9767ca41a956764b28c1310 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 9 Dec 2020 15:59:11 -0500 +Subject: ext4: check for invalid block size early when mounting a file system + +From: Theodore Ts'o + +commit c9200760da8a728eb9767ca41a956764b28c1310 upstream. + +Check for valid block size directly by validating s_log_block_size; we +were doing this in two places. First, by calculating blocksize via +BLOCK_SIZE << s_log_block_size, and then checking that the blocksize +was valid. And then secondly, by checking s_log_block_size directly. + +The first check is not reliable, and can trigger an UBSAN warning if +s_log_block_size on a maliciously corrupted superblock is greater than +22. This is harmless, since the second test will correctly reject the +maliciously fuzzed file system, but to make syzbot shut up, and +because the two checks are duplicative in any case, delete the +blocksize check, and move the s_log_block_size earlier in +ext4_fill_super(). 
+ +Signed-off-by: Theodore Ts'o +Reported-by: syzbot+345b75652b1d24227443@syzkaller.appspotmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 40 ++++++++++++++++------------------------ + 1 file changed, 16 insertions(+), 24 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4186,18 +4186,25 @@ static int ext4_fill_super(struct super_ + */ + sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT; + +- blocksize = BLOCK_SIZE << le32_to_cpu(es->s_log_block_size); +- +- if (blocksize == PAGE_SIZE) +- set_opt(sb, DIOREAD_NOLOCK); +- +- if (blocksize < EXT4_MIN_BLOCK_SIZE || +- blocksize > EXT4_MAX_BLOCK_SIZE) { ++ if (le32_to_cpu(es->s_log_block_size) > ++ (EXT4_MAX_BLOCK_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { + ext4_msg(sb, KERN_ERR, +- "Unsupported filesystem blocksize %d (%d log_block_size)", +- blocksize, le32_to_cpu(es->s_log_block_size)); ++ "Invalid log block size: %u", ++ le32_to_cpu(es->s_log_block_size)); + goto failed_mount; + } ++ if (le32_to_cpu(es->s_log_cluster_size) > ++ (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { ++ ext4_msg(sb, KERN_ERR, ++ "Invalid log cluster size: %u", ++ le32_to_cpu(es->s_log_cluster_size)); ++ goto failed_mount; ++ } ++ ++ blocksize = EXT4_MIN_BLOCK_SIZE << le32_to_cpu(es->s_log_block_size); ++ ++ if (blocksize == PAGE_SIZE) ++ set_opt(sb, DIOREAD_NOLOCK); + + if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV) { + sbi->s_inode_size = EXT4_GOOD_OLD_INODE_SIZE; +@@ -4416,21 +4423,6 @@ static int ext4_fill_super(struct super_ + if (!ext4_feature_set_ok(sb, (sb_rdonly(sb)))) + goto failed_mount; + +- if (le32_to_cpu(es->s_log_block_size) > +- (EXT4_MAX_BLOCK_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { +- ext4_msg(sb, KERN_ERR, +- "Invalid log block size: %u", +- le32_to_cpu(es->s_log_block_size)); +- goto failed_mount; +- } +- if (le32_to_cpu(es->s_log_cluster_size) > +- (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { +- ext4_msg(sb, KERN_ERR, +- "Invalid log cluster size: %u", +- 
le32_to_cpu(es->s_log_cluster_size)); +- goto failed_mount; +- } +- + if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) { + ext4_msg(sb, KERN_ERR, + "Number of reserved GDT blocks insanely large: %d", diff --git a/queue-5.10/f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch b/queue-5.10/f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch new file mode 100644 index 00000000000..cac77c7d79e --- /dev/null +++ b/queue-5.10/f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch 
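Review bot: `le32_to_cpu(es->s_log_block_size)` is now decoded three times in a row (the bound check, the message and the `blocksize` shift); a local such as `unsigned int log_block_size = le32_to_cpu(es->s_log_block_size);` ahead of the check reads better, and the same applies to `s_log_cluster_size`. Moving the range check ahead of the shift is what removes the out-of-range shift, so a comment on the check, `/* validate the log size before shifting with it */`, records why this ordering must be kept. The cluster-size check only bounds the upper value; whether it must also be consistent with the block size is presumably enforced later in ext4_fill_super, outside this hunk.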
@@ -0,0 +1,67 @@ +From e584bbe821229a3e7cc409eecd51df66f9268c21 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 9 Dec 2020 16:49:36 +0800 +Subject: f2fs: fix shift-out-of-bounds in sanity_check_raw_super() + +From: Chao Yu + +commit e584bbe821229a3e7cc409eecd51df66f9268c21 upstream. + +syzbot reported a bug which could cause shift-out-of-bounds issue, +fix it. + +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 + sanity_check_raw_super fs/f2fs/super.c:2812 [inline] + read_raw_super_block fs/f2fs/super.c:3267 [inline] + f2fs_fill_super.cold+0x16c9/0x16f6 fs/f2fs/super.c:3519 + mount_bdev+0x34d/0x410 fs/super.c:1366 + legacy_get_tree+0x105/0x220 fs/fs_context.c:592 + vfs_get_tree+0x89/0x2f0 fs/super.c:1496 + do_new_mount fs/namespace.c:2896 [inline] + path_mount+0x12ae/0x1e70 fs/namespace.c:3227 + do_mount fs/namespace.c:3240 [inline] + __do_sys_mount fs/namespace.c:3448 [inline] + __se_sys_mount fs/namespace.c:3425 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported-by: syzbot+ca9a785f8ac472085994@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/super.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2744,7 +2744,6 @@ static int sanity_check_raw_super(struct + block_t total_sections, blocks_per_seg; + struct f2fs_super_block *raw_super = (struct f2fs_super_block *) + (bh->b_data + F2FS_SUPER_OFFSET); +- unsigned int blocksize; + size_t crc_offset = 0; + __u32 crc = 0; + +@@ -2778,10 +2777,10 @@ static int sanity_check_raw_super(struct + } + + /* Currently, support only 4KB block size */ +- blocksize = 1 << 
le32_to_cpu(raw_super->log_blocksize); +- if (blocksize != F2FS_BLKSIZE) { +- f2fs_info(sbi, "Invalid blocksize (%u), supports only 4KB", +- blocksize); ++ if (le32_to_cpu(raw_super->log_blocksize) != F2FS_BLKSIZE_BITS) { ++ f2fs_info(sbi, "Invalid log_blocksize (%u), supports only %u", ++ le32_to_cpu(raw_super->log_blocksize), ++ F2FS_BLKSIZE_BITS); + return -EFSCORRUPTED; + } + diff --git a/queue-5.10/fbcon-disable-accelerated-scrolling.patch b/queue-5.10/fbcon-disable-accelerated-scrolling.patch new file mode 100644 index 00000000000..75cb2a40395 --- /dev/null +++ b/queue-5.10/fbcon-disable-accelerated-scrolling.patch 
@@ -0,0 +1,188 @@ +From 39aead8373b3c20bb5965c024dfb51a94e526151 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Thu, 29 Oct 2020 14:22:29 +0100 +Subject: fbcon: Disable accelerated scrolling + +From: Daniel Vetter + +commit 39aead8373b3c20bb5965c024dfb51a94e526151 upstream. + +So ever since syzbot discovered fbcon, we have solid proof that it's +full of bugs. And often the solution is to just delete code and remove +features, e.g. 50145474f6ef ("fbcon: remove soft scrollback code"). + +Now the problem is that most modern-ish drivers really only treat +fbcon as an dumb kernel console until userspace takes over, and Oops +printer for some emergencies. Looking at drm drivers and the basic +vesa/efi fbdev drivers shows that only 3 drivers support any kind of +acceleration: + +- nouveau, seems to be enabled by default +- omapdrm, when a DMM remapper exists using remapper rewriting for + y/xpanning +- gma500, but that is getting deleted now for the GTT remapper trick, + and the accelerated copyarea never set the FBINFO_HWACCEL_COPYAREA + flag, so unused (and could be deleted already I think). + +No other driver supportes accelerated fbcon. And fbcon is the only +user of this accel code (it's not exposed as uapi through ioctls), +which means we could garbage collect fairly enormous amounts of code +if we kill this. + +Plus because syzbot only runs on virtual hardware, and none of the +drivers for that have acceleration, we'd remove a huge gap in testing. +And there's no other even remotely comprehensive testing aside from +syzbot. + +This patch here just disables the acceleration code by always +redrawing when scrolling. The plan is that once this has been merged +for well over a year in released kernels, we can start to go around +and delete a lot of code. 
+ +v2: +- Drop a few more unused local variables, somehow I missed the +compiler warnings (Sam) +- Fix typo in comment (Jiri) +- add a todo entry for the cleanup (Thomas) + +v3: Remove more unused variables (0day) + +Reviewed-by: Tomi Valkeinen +Reviewed-by: Thomas Zimmermann +Reviewed-by: Greg Kroah-Hartman +Acked-by: Sam Ravnborg +Cc: Jiri Slaby +Cc: Bartlomiej Zolnierkiewicz +Cc: Greg Kroah-Hartman +Cc: Linus Torvalds +Cc: Ben Skeggs +Cc: nouveau@lists.freedesktop.org +Cc: Tomi Valkeinen +Cc: Daniel Vetter +Cc: Jiri Slaby +Cc: "Gustavo A. R. Silva" +Cc: Tetsuo Handa +Cc: Peilin Ye +Cc: George Kennedy +Cc: Nathan Chancellor +Cc: Peter Rosin +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20201029132229.4068359-1-daniel.vetter@ffwll.ch +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/gpu/todo.rst | 18 +++++++++++++++ + drivers/video/fbdev/core/fbcon.c | 45 ++++++--------------------------------- + 2 files changed, 26 insertions(+), 37 deletions(-) + +--- a/Documentation/gpu/todo.rst ++++ b/Documentation/gpu/todo.rst +@@ -273,6 +273,24 @@ Contact: Daniel Vetter, Noralf Tronnes + + Level: Advanced + ++Garbage collect fbdev scrolling acceleration ++-------------------------------------------- ++ ++Scroll acceleration is disabled in fbcon by hard-wiring p->scrollmode = ++SCROLL_REDRAW. There's a ton of code this will allow us to remove: ++- lots of code in fbcon.c ++- a bunch of the hooks in fbcon_ops, maybe the remaining hooks could be called ++ directly instead of the function table (with a switch on p->rotate) ++- fb_copyarea is unused after this, and can be deleted from all drivers ++ ++Note that not all acceleration code can be deleted, since clearing and cursor ++support is still accelerated, which might be good candidates for further ++deletion projects. 
++ ++Contact: Daniel Vetter ++ ++Level: Intermediate ++ + idr_init_base() + --------------- + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -1033,7 +1033,7 @@ static void fbcon_init(struct vc_data *v + struct vc_data *svc = *default_mode; + struct fbcon_display *t, *p = &fb_display[vc->vc_num]; + int logo = 1, new_rows, new_cols, rows, cols, charcnt = 256; +- int cap, ret; ++ int ret; + + if (WARN_ON(info_idx == -1)) + return; +@@ -1042,7 +1042,6 @@ static void fbcon_init(struct vc_data *v + con2fb_map[vc->vc_num] = info_idx; + + info = registered_fb[con2fb_map[vc->vc_num]]; +- cap = info->flags; + + if (logo_shown < 0 && console_loglevel <= CONSOLE_LOGLEVEL_QUIET) + logo_shown = FBCON_LOGO_DONTSHOW; +@@ -1147,11 +1146,13 @@ static void fbcon_init(struct vc_data *v + + ops->graphics = 0; + +- if ((cap & FBINFO_HWACCEL_COPYAREA) && +- !(cap & FBINFO_HWACCEL_DISABLED)) +- p->scrollmode = SCROLL_MOVE; +- else /* default to something safe */ +- p->scrollmode = SCROLL_REDRAW; ++ /* ++ * No more hw acceleration for fbcon. ++ * ++ * FIXME: Garbage collect all the now dead code after sufficient time ++ * has passed. 
++ */ ++ p->scrollmode = SCROLL_REDRAW; + + /* + * ++guenther: console.c:vc_allocate() relies on initializing +@@ -1961,45 +1962,15 @@ static void updatescrollmode(struct fbco + { + struct fbcon_ops *ops = info->fbcon_par; + int fh = vc->vc_font.height; +- int cap = info->flags; +- u16 t = 0; +- int ypan = FBCON_SWAP(ops->rotate, info->fix.ypanstep, +- info->fix.xpanstep); +- int ywrap = FBCON_SWAP(ops->rotate, info->fix.ywrapstep, t); + int yres = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres); + int vyres = FBCON_SWAP(ops->rotate, info->var.yres_virtual, + info->var.xres_virtual); +- int good_pan = (cap & FBINFO_HWACCEL_YPAN) && +- divides(ypan, vc->vc_font.height) && vyres > yres; +- int good_wrap = (cap & FBINFO_HWACCEL_YWRAP) && +- divides(ywrap, vc->vc_font.height) && +- divides(vc->vc_font.height, vyres) && +- divides(vc->vc_font.height, yres); +- int reading_fast = cap & FBINFO_READS_FAST; +- int fast_copyarea = (cap & FBINFO_HWACCEL_COPYAREA) && +- !(cap & FBINFO_HWACCEL_DISABLED); +- int fast_imageblit = (cap & FBINFO_HWACCEL_IMAGEBLIT) && +- !(cap & FBINFO_HWACCEL_DISABLED); + + p->vrows = vyres/fh; + if (yres > (fh * (vc->vc_rows + 1))) + p->vrows -= (yres - (fh * vc->vc_rows)) / fh; + if ((yres % fh) && (vyres % fh < yres % fh)) + p->vrows--; +- +- if (good_wrap || good_pan) { +- if (reading_fast || fast_copyarea) +- p->scrollmode = good_wrap ? +- SCROLL_WRAP_MOVE : SCROLL_PAN_MOVE; +- else +- p->scrollmode = good_wrap ? SCROLL_REDRAW : +- SCROLL_PAN_REDRAW; +- } else { +- if (reading_fast || (fast_copyarea && !fast_imageblit)) +- p->scrollmode = SCROLL_MOVE; +- else +- p->scrollmode = SCROLL_REDRAW; +- } + } + + #define PITCH(w) (((w) + 7) >> 3) diff --git a/queue-5.10/fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch b/queue-5.10/fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch new file mode 100644 index 00000000000..e236cec3d5e --- /dev/null +++ b/queue-5.10/fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch 
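Review bot: After this change `updatescrollmode()` no longer touches `p->scrollmode` at all — its body is reduced to computing `p->vrows` — so the name now misdescribes it and a reader will expect the mode to be recomputed there. Until the planned garbage collection happens, a comment above the function, e.g. `/* scrollmode is fixed to SCROLL_REDRAW in fbcon_init(); this only recomputes vrows */`, records that and matches the FIXME added in fbcon_init. The removal of `int cap = info->flags;` in both functions is consistent, and as far as the visible lines show nothing in the new side still reads the FBINFO_HWACCEL_* flags.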
@@ -0,0 +1,127 @@ +From 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c Mon Sep 17 00:00:00 2001 +From: Boqun Feng +Date: Thu, 5 Nov 2020 14:23:51 +0800 +Subject: fcntl: Fix potential deadlock in send_sig{io, urg}() + +From: Boqun Feng + +commit 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c upstream. + +Syzbot reports a potential deadlock found by the newly added recursive +read deadlock detection in lockdep: + +[...] ======================================================== +[...] WARNING: possible irq lock inversion dependency detected +[...] 5.9.0-rc2-syzkaller #0 Not tainted +[...] -------------------------------------------------------- +[...] syz-executor.1/10214 just changed the state of lock: +[...] ffff88811f506338 (&f->f_owner.lock){.+..}-{2:2}, at: send_sigurg+0x1d/0x200 +[...] but this lock was taken by another, HARDIRQ-safe lock in the past: +[...] (&dev->event_lock){-...}-{2:2} +[...] +[...] +[...] and interrupts could create inverse lock ordering between them. +[...] +[...] +[...] other info that might help us debug this: +[...] Chain exists of: +[...] &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock +[...] +[...] Possible interrupt unsafe locking scenario: +[...] +[...] CPU0 CPU1 +[...] ---- ---- +[...] lock(&f->f_owner.lock); +[...] local_irq_disable(); +[...] lock(&dev->event_lock); +[...] lock(&new->fa_lock); +[...] +[...] lock(&dev->event_lock); +[...] +[...] *** DEADLOCK *** + +The corresponding deadlock case is as followed: + + CPU 0 CPU 1 CPU 2 + read_lock(&fown->lock); + spin_lock_irqsave(&dev->event_lock, ...) 
+ write_lock_irq(&filp->f_owner.lock); // wait for the lock + read_lock(&fown-lock); // have to wait until the writer release + // due to the fairness + + spin_lock_irqsave(&dev->event_lock); // wait for the lock + +The lock dependency on CPU 1 happens if there exists a call sequence: + + input_inject_event(): + spin_lock_irqsave(&dev->event_lock,...); + input_handle_event(): + input_pass_values(): + input_to_handler(): + handler->event(): // evdev_event() + evdev_pass_values(): + spin_lock(&client->buffer_lock); + __pass_event(): + kill_fasync(): + kill_fasync_rcu(): + read_lock(&fa->fa_lock); + send_sigio(): + read_lock(&fown->lock); + +To fix this, make the reader in send_sigurg() and send_sigio() use +read_lock_irqsave() and read_lock_irqrestore(). + +Reported-by: syzbot+22e87cdf94021b984aa6@syzkaller.appspotmail.com +Reported-by: syzbot+c5e32344981ad9f33750@syzkaller.appspotmail.com +Signed-off-by: Boqun Feng +Signed-off-by: Jeff Layton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fcntl.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -781,9 +781,10 @@ void send_sigio(struct fown_struct *fown + { + struct task_struct *p; + enum pid_type type; ++ unsigned long flags; + struct pid *pid; + +- read_lock(&fown->lock); ++ read_lock_irqsave(&fown->lock, flags); + + type = fown->pid_type; + pid = fown->pid; +@@ -804,7 +805,7 @@ void send_sigio(struct fown_struct *fown + read_unlock(&tasklist_lock); + } + out_unlock_fown: +- read_unlock(&fown->lock); ++ read_unlock_irqrestore(&fown->lock, flags); + } + + static void send_sigurg_to_task(struct task_struct *p, +@@ -819,9 +820,10 @@ int send_sigurg(struct fown_struct *fown + struct task_struct *p; + enum pid_type type; + struct pid *pid; ++ unsigned long flags; + int ret = 0; + +- read_lock(&fown->lock); ++ read_lock_irqsave(&fown->lock, flags); + + type = fown->pid_type; + pid = fown->pid; +@@ -844,7 +846,7 @@ int send_sigurg(struct fown_struct *fown + 
read_unlock(&tasklist_lock); + } + out_unlock_fown: +- read_unlock(&fown->lock); ++ read_unlock_irqrestore(&fown->lock, flags); + return ret; + } + diff --git a/queue-5.10/io_uring-check-kthread-stopped-flag-when-sq-thread-is-unparked.patch b/queue-5.10/io_uring-check-kthread-stopped-flag-when-sq-thread-is-unparked.patch new file mode 100644 index 00000000000..8f48e936f97 --- /dev/null +++ b/queue-5.10/io_uring-check-kthread-stopped-flag-when-sq-thread-is-unparked.patch 
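Review bot: The new `unsigned long flags;` is placed differently in the two functions — between `type` and `pid` in send_sigio() but after `pid` in send_sigurg() — so pick one ordering for both. More useful than the placement is a comment on why a reader now disables interrupts, since `read_lock_irqsave()` on the read side looks odd out of context: `/* kill_fasync() can take fown->lock from IRQ context; a queued writer would block that nested reader, so readers must run with IRQs off */` above the first lock in each function. `read_lock(&tasklist_lock)` further down stays plain, which is fine because interrupts are already disabled at that point.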
@@ -0,0 +1,98 @@
+From 65b2b213484acd89a3c20dbb524e52a2f3793b78 Mon Sep 17 00:00:00 2001
+From: Xiaoguang Wang
+Date: Thu, 19 Nov 2020 17:44:46 +0800
+Subject: io_uring: check kthread stopped flag when sq thread is unparked
+
+From: Xiaoguang Wang
+
+commit 65b2b213484acd89a3c20dbb524e52a2f3793b78 upstream.
+
+syzbot reports following issue:
+INFO: task syz-executor.2:12399 can't die for more than 143 seconds.
+task:syz-executor.2 state:D stack:28744 pid:12399 ppid: 8504 flags:0x00004004
+Call Trace:
+ context_switch kernel/sched/core.c:3773 [inline]
+ __schedule+0x893/0x2170 kernel/sched/core.c:4522
+ schedule+0xcf/0x270 kernel/sched/core.c:4600
+ schedule_timeout+0x1d8/0x250 kernel/time/timer.c:1847
+ do_wait_for_common kernel/sched/completion.c:85 [inline]
+ __wait_for_common kernel/sched/completion.c:106 [inline]
+ wait_for_common kernel/sched/completion.c:117 [inline]
+ wait_for_completion+0x163/0x260 kernel/sched/completion.c:138
+ kthread_stop+0x17a/0x720 kernel/kthread.c:596
+ io_put_sq_data fs/io_uring.c:7193 [inline]
+ io_sq_thread_stop+0x452/0x570 fs/io_uring.c:7290
+ io_finish_async fs/io_uring.c:7297 [inline]
+ io_sq_offload_create fs/io_uring.c:8015 [inline]
+ io_uring_create fs/io_uring.c:9433 [inline]
+ io_uring_setup+0x19b7/0x3730 fs/io_uring.c:9507
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45deb9
+Code: Unable to access opcode bytes at RIP 0x45de8f.
+RSP: 002b:00007f174e51ac78 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
+RAX: ffffffffffffffda RBX: 0000000000008640 RCX: 000000000045deb9
+RDX: 0000000000000000 RSI: 0000000020000140 RDI: 00000000000050e5
+RBP: 000000000118bf58 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
+R13: 00007ffed9ca723f R14: 00007f174e51b9c0 R15: 000000000118bf2c
+INFO: task syz-executor.2:12399 blocked for more than 143 seconds.
+ Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+
+Currently we don't have a reproducer yet, but seems that there is a
+race in current codes:
+=> io_put_sq_data
+ ctx_list is empty now. |
+==> kthread_park(sqd->thread); |
+ | T1: sq thread is parked now.
+==> kthread_stop(sqd->thread); |
+ KTHREAD_SHOULD_STOP is set now.|
+===> kthread_unpark(k); |
+ | T2: sq thread is now unparkd, run again.
+ |
+ | T3: sq thread is now preempted out.
+ |
+===> wake_up_process(k); |
+ |
+ | T4: Since sqd ctx_list is empty, needs_sched will be true,
+ | then sq thread sets task state to TASK_INTERRUPTIBLE,
+ | and schedule, now sq thread will never be waken up.
+===> wait_for_completion |
+
+I have artificially used mdelay() to simulate above race, will get same
+stack like this syzbot report, but to be honest, I'm not sure this code
+race triggers syzbot report.
+
+To fix this possible code race, when sq thread is unparked, need to check
+whether sq thread has been stopped.
+
+Reported-by: syzbot+03beeb595f074db9cfd1@syzkaller.appspotmail.com
+Signed-off-by: Xiaoguang Wang
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/io_uring.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -6802,8 +6802,16 @@ static int io_sq_thread(void *data)
+ * kthread parking. This synchronizes the thread vs users,
+ * the users are synchronized on the sqd->ctx_lock.
+ */
+- if (kthread_should_park())
++ if (kthread_should_park()) {
+ kthread_parkme();
++ /*
++ * When sq thread is unparked, in case the previous park operation
++ * comes from io_put_sq_data(), which means that sq thread is going
++ * to be stopped, so here needs to have a check.
++ */
++ if (kthread_should_stop())
++ break;
++ }
+
+ if (unlikely(!list_empty(&sqd->ctx_new_list)))
+ io_sqd_init_new(sqd);
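Review bot: The new comment above `if (kthread_should_stop())` describes the mechanism only loosely ("so here needs to have a check"), while the commit message is precise about it: the park issued from io_put_sq_data() is immediately followed by kthread_stop(), and an unparked thread that finds ctx_list empty would otherwise sleep for good. The comment should carry that reasoning, e.g. `/* A park from io_put_sq_data() is followed by kthread_stop(); exit here rather than sleep on an empty ctx_list that will never be refilled. */`. The `break` relies on the teardown after the loop, which is outside the hunk, as is the head of io_sq_thread(); it is worth confirming that the post-loop path copes with leaving from this point before any work was picked up.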
diff --git a/queue-5.10/media-gp8psk-initialize-stats-at-power-control-logic.patch b/queue-5.10/media-gp8psk-initialize-stats-at-power-control-logic.patch
new file mode 100644
index 00000000000..96e8764d203
--- /dev/null
+++ b/queue-5.10/media-gp8psk-initialize-stats-at-power-control-logic.patch
@@ -0,0 +1,45 @@
+From d0ac1a26ed5943127cb0156148735f5f52a07075 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Fri, 27 Nov 2020 07:40:21 +0100
+Subject: media: gp8psk: initialize stats at power control logic
+
+From: Mauro Carvalho Chehab
+
+commit d0ac1a26ed5943127cb0156148735f5f52a07075 upstream.
+
+As reported on:
+ https://lore.kernel.org/linux-media/20190627222020.45909-1-willemdebruijn.kernel@gmail.com/
+
+if gp8psk_usb_in_op() returns an error, the status var is not
+initialized. Yet, this var is used later on, in order to
+identify:
+ - if the device was already started;
+ - if firmware has loaded;
+ - if the LNBf was powered on.
+
+Using status = 0 seems to ensure that everything will be
+properly powered up.
+
+So, instead of the proposed solution, let's just set
+status = 0.
+
+Reported-by: syzbot
+Reported-by: Willem de Bruijn
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/gp8psk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/gp8psk.c
++++ b/drivers/media/usb/dvb-usb/gp8psk.c
+@@ -182,7 +182,7 @@ out_rel_fw:
+
+ static int gp8psk_power_ctrl(struct dvb_usb_device *d, int onoff)
+ {
+- u8 status, buf;
++ u8 status = 0, buf;
+ int gp_product_id = le16_to_cpu(d->udev->descriptor.idProduct);
+
+ if (onoff) {
diff --git a/queue-5.10/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch b/queue-5.10/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
new file mode 100644
index 00000000000..19ce496921b
--- /dev/null
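Review bot: `u8 status = 0, buf;` makes a failed gp8psk_usb_in_op() read indistinguishable from "device not started, no firmware, LNBf off", and nothing in the hunk records that this is deliberate; a reader of the declaration alone will not know why the initializer is there. Split the declaration and say so: `u8 status = 0; /* stays 0 if gp8psk_usb_in_op() fails: treated as nothing powered up */` followed by `u8 buf;`, which also matches the one-declaration-per-line form used for gp_product_id. `buf` itself remains uninitialized; if it is also consumed after a failed read (the call site is outside the hunk, so this is inferred from the commit message), it has the same problem and should either be initialized or the return value checked. The body of gp8psk_power_ctrl() continues past the hunk.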
+++ b/queue-5.10/misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
@@ -0,0 +1,34 @@
+From 31dcb6c30a26d32650ce134820f27de3c675a45a Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam
+Date: Mon, 23 Nov 2020 04:15:34 +0530
+Subject: misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells()
+
+From: Anant Thazhemadam
+
+commit 31dcb6c30a26d32650ce134820f27de3c675a45a upstream.
+
+A kernel-infoleak was reported by syzbot, which was caused because
+dbells was left uninitialized.
+Using kzalloc() instead of kmalloc() fixes this issue.
+
+Reported-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Tested-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam
+Link: https://lore.kernel.org/r/20201122224534.333471-1-anant.thazhemadam@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -743,7 +743,7 @@ static int vmci_ctx_get_chkpt_doorbells(
+ return VMCI_ERROR_MORE_DATA;
+ }
+
+- dbells = kmalloc(data_size, GFP_ATOMIC);
++ dbells = kzalloc(data_size, GFP_ATOMIC);
+ if (!dbells)
+ return VMCI_ERROR_NO_MEM;
+
diff --git a/queue-5.10/reiserfs-add-check-for-an-invalid-ih_entry_count.patch b/queue-5.10/reiserfs-add-check-for-an-invalid-ih_entry_count.patch
new file mode 100644
index 00000000000..5c6e46ad098
--- /dev/null
+++ b/queue-5.10/reiserfs-add-check-for-an-invalid-ih_entry_count.patch
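Review bot: The kmalloc() to kzalloc() switch carries no comment explaining why zeroing is required, so a later "avoid the memset" change would silently reintroduce the leak the commit message describes. Add one above the call: `/* kzalloc: bytes of dbells not filled in below leave the kernel, so they must not carry stale memory */`. Zeroing is the complete fix only if the part of the buffer handed out is never larger than `data_size` itself, which the VMCI_ERROR_MORE_DATA check above suggests but the hunk does not show. vmci_ctx_get_chkpt_doorbells() starts and ends outside the hunk.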
@@ -0,0 +1,41 @@
+From d24396c5290ba8ab04ba505176874c4e04a2d53c Mon Sep 17 00:00:00 2001
+From: Rustam Kovhaev
+Date: Sun, 1 Nov 2020 06:09:58 -0800
+Subject: reiserfs: add check for an invalid ih_entry_count
+
+From: Rustam Kovhaev
+
+commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream.
+
+when directory item has an invalid value set for ih_entry_count it might
+trigger use-after-free or out-of-bounds read in bin_search_in_dir_item()
+
+ih_entry_count * IH_SIZE for directory item should not be larger than
+ih_item_len
+
+Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com
+Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7
+Signed-off-by: Rustam Kovhaev
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/reiserfs/stree.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -454,6 +454,12 @@ static int is_leaf(char *buf, int blocks
+ "(second one): %h", ih);
+ return 0;
+ }
++ if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
++ reiserfs_warning(NULL, "reiserfs-5093",
++ "item entry count seems wrong %h",
++ ih);
++ return 0;
++ }
+ prev_location = ih_location(ih);
+ }
+
diff --git a/queue-5.10/scsi-cxgb4i-fix-tls-dependency.patch b/queue-5.10/scsi-cxgb4i-fix-tls-dependency.patch
new file mode 100644
index 00000000000..fac868fd2fa
--- /dev/null
+++ b/queue-5.10/scsi-cxgb4i-fix-tls-dependency.patch
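Review bot: The new bound takes IH_SIZE, the size of an item head, as the minimum space per directory entry, but the entries that ih_entry_count() counts inside a directory item are described by struct reiserfs_de_head, whose size is DEH_SIZE; whether IH_SIZE is intended as a deliberately stricter bound or DEH_SIZE was meant should be confirmed and stated in a comment, e.g. `/* every entry needs at least one entry head inside the item */`. The product `ih_entry_count(ih) * IH_SIZE` is int arithmetic on a 16-bit on-disk count, so overflow is not a concern, but the condition line is well over 80 columns and should be wrapped the way the reiserfs_warning() arguments below it are. is_leaf() begins before the hunk and its loop over the items continues after it.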
@@ -0,0 +1,45 @@
+From cb5253198f10a4cd79b7523c581e6173c7d49ddb Mon Sep 17 00:00:00 2001
+From: Randy Dunlap
+Date: Tue, 8 Dec 2020 14:05:05 -0800
+Subject: scsi: cxgb4i: Fix TLS dependency
+
+From: Randy Dunlap
+
+commit cb5253198f10a4cd79b7523c581e6173c7d49ddb upstream.
+
+SCSI_CXGB4_ISCSI selects CHELSIO_T4. The latter depends on TLS || TLS=n, so
+since 'select' does not check dependencies of the selected symbol,
+SCSI_CXGB4_ISCSI should also depend on TLS || TLS=n.
+
+This prevents the following kconfig warning and restricts SCSI_CXGB4_ISCSI
+to 'm' whenever TLS=m.
+
+WARNING: unmet direct dependencies detected for CHELSIO_T4
+ Depends on [m]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_CHELSIO [=y] && PCI [=y] && (IPV6 [=y] || IPV6 [=y]=n) && (TLS [=m] || TLS [=m]=n)
+ Selected by [y]:
+ - SCSI_CXGB4_ISCSI [=y] && SCSI_LOWLEVEL [=y] && SCSI [=y] && PCI [=y] && INET [=y] && (IPV6 [=y] || IPV6 [=y]=n) && ETHERNET [=y]
+
+Link: https://lore.kernel.org/r/20201208220505.24488-1-rdunlap@infradead.org
+Fixes: 7b36b6e03b0d ("[SCSI] cxgb4i v5: iscsi driver")
+Cc: Karen Xie
+Cc: linux-scsi@vger.kernel.org
+Cc: "James E.J. Bottomley"
+Cc: "Martin K. Petersen"
+Signed-off-by: Randy Dunlap
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/cxgbi/cxgb4i/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/cxgbi/cxgb4i/Kconfig
++++ b/drivers/scsi/cxgbi/cxgb4i/Kconfig
+@@ -4,6 +4,7 @@ config SCSI_CXGB4_ISCSI
+ depends on PCI && INET && (IPV6 || IPV6=n)
+ depends on THERMAL || !THERMAL
+ depends on ETHERNET
++ depends on TLS || TLS=n
+ select NET_VENDOR_CHELSIO
+ select CHELSIO_T4
+ select CHELSIO_LIB
diff --git a/queue-5.10/series b/queue-5.10/series
index 4874cc9c28d..5bd7881658e 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -20,3 +20,18 @@ io_uring-fix-io_sqe_files_unregister-hangs.patch
 kernel-io_uring-cancel-io_uring-before-task-works.patch
 uapi-move-constants-from-linux-kernel.h-to-linux-const.h.patch
 tools-headers-uapi-sync-linux-const.h-with-the-kernel-headers.patch
+cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch
+zlib-move-export_symbol-and-module_license-out-of-dfltcc_syms.c.patch
+scsi-cxgb4i-fix-tls-dependency.patch
+bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch
+fbcon-disable-accelerated-scrolling.patch
+reiserfs-add-check-for-an-invalid-ih_entry_count.patch
+misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
+media-gp8psk-initialize-stats-at-power-control-logic.patch
+f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch
+alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
+alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch
+bfs-don-t-use-warning-string-when-it-s-just-info.patch
+ext4-check-for-invalid-block-size-early-when-mounting-a-file-system.patch
+fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch
+io_uring-check-kthread-stopped-flag-when-sq-thread-is-unparked.patch
diff --git a/queue-5.10/zlib-move-export_symbol-and-module_license-out-of-dfltcc_syms.c.patch b/queue-5.10/zlib-move-export_symbol-and-module_license-out-of-dfltcc_syms.c.patch
new file mode 100644
index 00000000000..e3fcc347495
--- /dev/null
+++ b/queue-5.10/zlib-move-export_symbol-and-module_license-out-of-dfltcc_syms.c.patch
@@ -0,0 +1,112 @@
+From 605cc30dea249edf1b659e7d0146a2cf13cbbf71 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap
+Date: Tue, 29 Dec 2020 15:15:04 -0800
+Subject: zlib: move EXPORT_SYMBOL() and MODULE_LICENSE() out of dfltcc_syms.c
+
+From: Randy Dunlap
+
+commit 605cc30dea249edf1b659e7d0146a2cf13cbbf71 upstream.
+
+In commit 11fb479ff5d9 ("zlib: export S390 symbols for zlib modules"), I
+added EXPORT_SYMBOL()s to dfltcc_inflate.c but then Mikhail said that
+these should probably be in dfltcc_syms.c with the other
+EXPORT_SYMBOL()s.
+
+However, that is contrary to the current kernel style, which places
+EXPORT_SYMBOL() immediately after the function that it applies to, so
+move all EXPORT_SYMBOL()s to their respective function locations and
+drop the dfltcc_syms.c file. Also move MODULE_LICENSE() from the
+deleted file to dfltcc.c.
+
+[rdunlap@infradead.org: remove dfltcc_syms.o from Makefile]
+ Link: https://lkml.kernel.org/r/20201227171837.15492-1-rdunlap@infradead.org
+
+Link: https://lkml.kernel.org/r/20201219052530.28461-1-rdunlap@infradead.org
+Fixes: 11fb479ff5d9 ("zlib: export S390 symbols for zlib modules")
+Signed-off-by: Randy Dunlap
+Cc: Acked-by: Ilya Leoshkevich
+Acked-by: Christian Borntraeger
+Cc: Zaslonko Mikhail
+Cc: Heiko Carstens
+Cc: Vasily Gorbik
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/zlib_dfltcc/Makefile | 2 +-
+ lib/zlib_dfltcc/dfltcc.c | 6 +++++-
+ lib/zlib_dfltcc/dfltcc_deflate.c | 3 +++
+ lib/zlib_dfltcc/dfltcc_syms.c | 17 -----------------
+ 4 files changed, 9 insertions(+), 19 deletions(-)
+
+--- a/lib/zlib_dfltcc/Makefile
++++ b/lib/zlib_dfltcc/Makefile
+@@ -8,4 +8,4 @@
+
+ obj-$(CONFIG_ZLIB_DFLTCC) += zlib_dfltcc.o
+
+-zlib_dfltcc-objs := dfltcc.o dfltcc_deflate.o dfltcc_inflate.o dfltcc_syms.o
++zlib_dfltcc-objs := dfltcc.o dfltcc_deflate.o dfltcc_inflate.o
+--- a/lib/zlib_dfltcc/dfltcc.c
++++ b/lib/zlib_dfltcc/dfltcc.c
+@@ -1,7 +1,8 @@
+ // SPDX-License-Identifier: 
Zlib
+ /* dfltcc.c - SystemZ DEFLATE CONVERSION CALL support. */
+
+-#include
++#include
++#include
+ #include "dfltcc_util.h"
+ #include "dfltcc.h"
+
+@@ -53,3 +54,6 @@ void dfltcc_reset(
+ dfltcc_state->dht_threshold = DFLTCC_DHT_MIN_SAMPLE_SIZE;
+ dfltcc_state->param.ribm = DFLTCC_RIBM;
+ }
++EXPORT_SYMBOL(dfltcc_reset);
++
++MODULE_LICENSE("GPL");
+--- a/lib/zlib_dfltcc/dfltcc_deflate.c
++++ b/lib/zlib_dfltcc/dfltcc_deflate.c
+@@ -4,6 +4,7 @@
+ #include "dfltcc_util.h"
+ #include "dfltcc.h"
+ #include
++#include
+ #include
+
+ /*
+@@ -34,6 +35,7 @@ int dfltcc_can_deflate(
+
+ return 1;
+ }
++EXPORT_SYMBOL(dfltcc_can_deflate);
+
+ static void dfltcc_gdht(
+ z_streamp strm
+@@ -277,3 +279,4 @@ again:
+ goto again; /* deflate() must use all input or all output */
+ return 1;
+ }
++EXPORT_SYMBOL(dfltcc_deflate);
+--- a/lib/zlib_dfltcc/dfltcc_syms.c
++++ /dev/null
+@@ -1,17 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0-only
+-/*
+- * linux/lib/zlib_dfltcc/dfltcc_syms.c
+- *
+- * Exported symbols for the s390 zlib dfltcc support.
+- *
+- */
+-
+-#include
+-#include
+-#include
+-#include "dfltcc.h"
+-
+-EXPORT_SYMBOL(dfltcc_can_deflate);
+-EXPORT_SYMBOL(dfltcc_deflate);
+-EXPORT_SYMBOL(dfltcc_reset);
+-MODULE_LICENSE("GPL");
-- 
2.47.3