From 14d4a023145bafc7581b101805c3b696eac5f805 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 15 Jun 2019 18:11:04 +0200 Subject: [PATCH] 4.4-stable patches added patches: asoc-cs42xx8-add-regcache-mask-dirty.patch bcache-fix-stack-corruption-by-preceding_key.patch cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch i2c-acorn-fix-i2c-warning.patch mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch ptrace-restore-smp_rmb-in-__ptrace_may_access.patch signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch --- ...asoc-cs42xx8-add-regcache-mask-dirty.patch | 34 +++++ ...ix-stack-corruption-by-preceding_key.patch | 127 ++++++++++++++++++ ...of-css_tryget_online-in-task_get_css.patch | 88 ++++++++++++ ...fix-race-in-ocfs2_dentry_attach_lock.patch | 97 +++++++++++++ queue-4.4/i2c-acorn-fix-i2c-warning.patch | 33 +++++ ...y-leak-in-__memcg_init_list_lru_node.patch | 71 ++++++++++ ...store-smp_rmb-in-__ptrace_may_access.patch | 63 +++++++++ queue-4.4/series | 8 ++ ...rnel-memory-with-ptrace_peek_siginfo.patch | 72 ++++++++++ 9 files changed, 593 insertions(+) create mode 100644 queue-4.4/asoc-cs42xx8-add-regcache-mask-dirty.patch create mode 100644 queue-4.4/bcache-fix-stack-corruption-by-preceding_key.patch create mode 100644 queue-4.4/cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch create mode 100644 queue-4.4/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch create mode 100644 queue-4.4/i2c-acorn-fix-i2c-warning.patch create mode 100644 queue-4.4/mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch create mode 100644 queue-4.4/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch create mode 100644 queue-4.4/signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch 
diff --git a/queue-4.4/asoc-cs42xx8-add-regcache-mask-dirty.patch b/queue-4.4/asoc-cs42xx8-add-regcache-mask-dirty.patch
new file mode 100644
index 0000000000..01ea15450d
--- /dev/null
+++ b/queue-4.4/asoc-cs42xx8-add-regcache-mask-dirty.patch
@@ -0,0 +1,34 @@
+From ad6eecbfc01c987e0253371f274c3872042e4350 Mon Sep 17 00:00:00 2001
+From: "S.j. Wang"
+Date: Thu, 16 May 2019 06:04:29 +0000
+Subject: ASoC: cs42xx8: Add regcache mask dirty
+
+From: S.j. Wang
+
+commit ad6eecbfc01c987e0253371f274c3872042e4350 upstream.
+
+Add regcache_mark_dirty before regcache_sync for power
+of codec may be lost at suspend, then all the register
+need to be reconfigured.
+
+Fixes: 0c516b4ff85c ("ASoC: cs42xx8: Add codec driver
+support for CS42448/CS42888")
+Cc:
+Signed-off-by: Shengjiu Wang
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/cs42xx8.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/codecs/cs42xx8.c
++++ b/sound/soc/codecs/cs42xx8.c
+@@ -561,6 +561,7 @@ static int cs42xx8_runtime_resume(struct
+ msleep(5);
+
+ regcache_cache_only(cs42xx8->regmap, false);
++ regcache_mark_dirty(cs42xx8->regmap);
+
+ ret = regcache_sync(cs42xx8->regmap);
+ if (ret) {
diff --git a/queue-4.4/bcache-fix-stack-corruption-by-preceding_key.patch b/queue-4.4/bcache-fix-stack-corruption-by-preceding_key.patch
new file mode 100644
index 0000000000..21f3beb42d
--- /dev/null
+++ b/queue-4.4/bcache-fix-stack-corruption-by-preceding_key.patch
@@ -0,0 +1,127 @@
+From 31b90956b124240aa8c63250243ae1a53585c5e2 Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Mon, 10 Jun 2019 06:13:34 +0800
+Subject: bcache: fix stack corruption by PRECEDING_KEY()
+
+From: Coly Li
+
+commit 31b90956b124240aa8c63250243ae1a53585c5e2 upstream.
+
+Recently people report bcache code compiled with gcc9 is broken, one of
+the buggy behavior I observe is that two adjacent 4KB I/Os should merge
+into one but they don't. Finally it turns out to be a stack corruption
+caused by macro PRECEDING_KEY().
+
+See how PRECEDING_KEY() is defined in bset.h,
+437 #define PRECEDING_KEY(_k) \
+438 ({ \
+439 struct bkey *_ret = NULL; \
+440 \
+441 if (KEY_INODE(_k) || KEY_OFFSET(_k)) { \
+442 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0); \
+443 \
+444 if (!_ret->low) \
+445 _ret->high--; \
+446 _ret->low--; \
+447 } \
+448 \
+449 _ret; \
+450 })
+
+At line 442, _ret points to address of a on-stack variable combined by
+KEY(), the life range of this on-stack variable is in line 442-446,
+once _ret is returned to bch_btree_insert_key(), the returned address
+points to an invalid stack address and this address is overwritten in
+the following called bch_btree_iter_init(). Then argument 'search' of
+bch_btree_iter_init() points to some address inside stackframe of
+bch_btree_iter_init(), exact address depends on how the compiler
+allocates stack space. Now the stack is corrupted.
+
+Fixes: 0eacac22034c ("bcache: PRECEDING_KEY()")
+Signed-off-by: Coly Li
+Reviewed-by: Rolf Fokkens
+Reviewed-by: Pierre JUHEN
+Tested-by: Shenghui Wang
+Tested-by: Pierre JUHEN
+Cc: Kent Overstreet
+Cc: Nix
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/bset.c | 16 +++++++++++++---
+ drivers/md/bcache/bset.h | 34 ++++++++++++++++++++--------------
+ 2 files changed, 33 insertions(+), 17 deletions(-)
+
+--- a/drivers/md/bcache/bset.c
++++ b/drivers/md/bcache/bset.c
+@@ -823,12 +823,22 @@ unsigned bch_btree_insert_key(struct btr
+ struct bset *i = bset_tree_last(b)->data;
+ struct bkey *m, *prev = NULL;
+ struct btree_iter iter;
++ struct bkey preceding_key_on_stack = ZERO_KEY;
++ struct bkey *preceding_key_p = &preceding_key_on_stack;
+
+ BUG_ON(b->ops->is_extents && !KEY_SIZE(k));
+
+- m = bch_btree_iter_init(b, &iter, b->ops->is_extents
+- ? PRECEDING_KEY(&START_KEY(k))
+- : PRECEDING_KEY(k));
++ /*
++ * If k has preceding key, preceding_key_p will be set to address
++ * of k's preceding key; otherwise preceding_key_p will be set
++ * to NULL inside preceding_key().
++ */
++ if (b->ops->is_extents)
++ preceding_key(&START_KEY(k), &preceding_key_p);
++ else
++ preceding_key(k, &preceding_key_p);
++
++ m = bch_btree_iter_init(b, &iter, preceding_key_p);
+
+ if (b->ops->insert_fixup(b, k, &iter, replace_key))
+ return status;
+--- a/drivers/md/bcache/bset.h
++++ b/drivers/md/bcache/bset.h
+@@ -417,20 +417,26 @@ static inline bool bch_cut_back(const st
+ return __bch_cut_back(where, k);
+ }
+
+-#define PRECEDING_KEY(_k) \
+-({ \
+- struct bkey *_ret = NULL; \
+- \
+- if (KEY_INODE(_k) || KEY_OFFSET(_k)) { \
+- _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0); \
+- \
+- if (!_ret->low) \
+- _ret->high--; \
+- _ret->low--; \
+- } \
+- \
+- _ret; \
+-})
++/*
++ * Pointer '*preceding_key_p' points to a memory object to store preceding
++ * key of k. If the preceding key does not exist, set '*preceding_key_p' to
++ * NULL. So the caller of preceding_key() needs to take care of memory
++ * which '*preceding_key_p' pointed to before calling preceding_key().
++ * Currently the only caller of preceding_key() is bch_btree_insert_key(),
++ * and it points to an on-stack variable, so the memory release is handled
++ * by stackframe itself.
++ */
++static inline void preceding_key(struct bkey *k, struct bkey **preceding_key_p)
++{
++ if (KEY_INODE(k) || KEY_OFFSET(k)) {
++ (**preceding_key_p) = KEY(KEY_INODE(k), KEY_OFFSET(k), 0);
++ if (!(*preceding_key_p)->low)
++ (*preceding_key_p)->high--;
++ (*preceding_key_p)->low--;
++ } else {
++ (*preceding_key_p) = NULL;
++ }
++}
+
+ static inline bool bch_ptr_invalid(struct btree_keys *b, const struct bkey *k)
+ {
diff --git a/queue-4.4/cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch b/queue-4.4/cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch
new file mode 100644
index 0000000000..9ff1cd857c
--- /dev/null
+++ b/queue-4.4/cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch
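Review bot: In the new preceding_key() in bset.h, `k` is only read through KEY_INODE()/KEY_OFFSET() and could be declared `const struct bkey *k`, matching bch_ptr_invalid() directly below, which already takes `const struct bkey *k`; both call sites in bch_btree_insert_key() (`&START_KEY(k)` and `k`) would still compile, assuming those accessors accept a const pointer. The double-pointer out-parameter does two jobs at once, naming the caller's storage and being overwritten with NULL to mean "no preceding key", which is why the long comment above it is needed; a `struct bkey *preceding_key(const struct bkey *k, struct bkey *buf)` returning `buf` or NULL would put that contract in the signature and drop the `(**preceding_key_p)` / `(*preceding_key_p)->` repetition. bch_btree_insert_key() begins before its hunk.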
@@ -0,0 +1,88 @@
+From 18fa84a2db0e15b02baa5d94bdb5bd509175d2f6 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Wed, 29 May 2019 13:46:25 -0700
+Subject: cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
+
+From: Tejun Heo
+
+commit 18fa84a2db0e15b02baa5d94bdb5bd509175d2f6 upstream.
+
+A PF_EXITING task can stay associated with an offline css. If such
+task calls task_get_css(), it can get stuck indefinitely. This can be
+triggered by BSD process accounting which writes to a file with
+PF_EXITING set when racing against memcg disable as in the backtrace
+at the end.
+
+After this change, task_get_css() may return a css which was already
+offline when the function was called. None of the existing users are
+affected by this change.
+
+ INFO: rcu_sched self-detected stall on CPU
+ INFO: rcu_sched detected stalls on CPUs/tasks:
+ ...
+ NMI backtrace for cpu 0
+ ...
+ Call Trace:
+
+ dump_stack+0x46/0x68
+ nmi_cpu_backtrace.cold.2+0x13/0x57
+ nmi_trigger_cpumask_backtrace+0xba/0xca
+ rcu_dump_cpu_stacks+0x9e/0xce
+ rcu_check_callbacks.cold.74+0x2af/0x433
+ update_process_times+0x28/0x60
+ tick_sched_timer+0x34/0x70
+ __hrtimer_run_queues+0xee/0x250
+ hrtimer_interrupt+0xf4/0x210
+ smp_apic_timer_interrupt+0x56/0x110
+ apic_timer_interrupt+0xf/0x20
+
+ RIP: 0010:balance_dirty_pages_ratelimited+0x28f/0x3d0
+ ...
+ btrfs_file_write_iter+0x31b/0x563
+ __vfs_write+0xfa/0x140
+ __kernel_write+0x4f/0x100
+ do_acct_process+0x495/0x580
+ acct_process+0xb9/0xdb
+ do_exit+0x748/0xa00
+ do_group_exit+0x3a/0xa0
+ get_signal+0x254/0x560
+ do_signal+0x23/0x5c0
+ exit_to_usermode_loop+0x5d/0xa0
+ prepare_exit_to_usermode+0x53/0x80
+ retint_user+0x8/0x8
+
+Signed-off-by: Tejun Heo
+Cc: stable@vger.kernel.org # v4.2+
+Fixes: ec438699a9ae ("cgroup, block: implement task_get_css() and use it in bio_associate_current()")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/cgroup.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/include/linux/cgroup.h
++++ b/include/linux/cgroup.h
+@@ -453,7 +453,7 @@ static inline struct cgroup_subsys_state
+ *
+ * Find the css for the (@task, @subsys_id) combination, increment a
+ * reference on and return it. This function is guaranteed to return a
+- * valid css.
++ * valid css. The returned css may already have been offlined.
+ */
+ static inline struct cgroup_subsys_state *
+ task_get_css(struct task_struct *task, int subsys_id)
+@@ -463,7 +463,13 @@ task_get_css(struct task_struct *task, i
+ rcu_read_lock();
+ while (true) {
+ css = task_css(task, subsys_id);
+- if (likely(css_tryget_online(css)))
++ /*
++ * Can't use css_tryget_online() here. A task which has
++ * PF_EXITING set may stay associated with an offline css.
++ * If such task calls this function, css_tryget_online()
++ * will keep failing.
++ */
++ if (likely(css_tryget(css)))
+ break;
+ cpu_relax();
+ }
diff --git a/queue-4.4/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch b/queue-4.4/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
new file mode 100644
index 0000000000..0ca2264a7e
--- /dev/null
+++ b/queue-4.4/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
@@ -0,0 +1,97 @@
+From be99ca2716972a712cde46092c54dee5e6192bf8 Mon Sep 17 00:00:00 2001
+From: Wengang Wang
+Date: Thu, 13 Jun 2019 15:56:01 -0700
+Subject: fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
+
+From: Wengang Wang
+
+commit be99ca2716972a712cde46092c54dee5e6192bf8 upstream.
+
+ocfs2_dentry_attach_lock() can be executed in parallel threads against the
+same dentry. Make that race safe. The race is like this:
+
+ thread A thread B
+
+(A1) enter ocfs2_dentry_attach_lock,
+seeing dentry->d_fsdata is NULL,
+and no alias found by
+ocfs2_find_local_alias, so kmalloc
+a new ocfs2_dentry_lock structure
+to local variable "dl", dl1
+
+ .....
+
+ (B1) enter ocfs2_dentry_attach_lock,
+ seeing dentry->d_fsdata is NULL,
+ and no alias found by
+ ocfs2_find_local_alias so kmalloc
+ a new ocfs2_dentry_lock structure
+ to local variable "dl", dl2.
+
+ ......
+
+(A2) set dentry->d_fsdata with dl1,
+call ocfs2_dentry_lock() and increase
+dl1->dl_lockres.l_ro_holders to 1 on
+success.
+ ......
+
+ (B2) set dentry->d_fsdata with dl2
+ call ocfs2_dentry_lock() and increase
+ dl2->dl_lockres.l_ro_holders to 1 on
+ success.
+
+ ......
+
+(A3) call ocfs2_dentry_unlock()
+and decrease
+dl2->dl_lockres.l_ro_holders to 0
+on success.
+ ....
+
+ (B3) call ocfs2_dentry_unlock(),
+ decreasing
+ dl2->dl_lockres.l_ro_holders, but
+ see it's zero now, panic
+
+Link: http://lkml.kernel.org/r/20190529174636.22364-1-wen.gang.wang@oracle.com
+Signed-off-by: Wengang Wang
+Reported-by: Daniel Sobe
+Tested-by: Daniel Sobe
+Reviewed-by: Changwei Ge
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Gang He
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/dcache.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ocfs2/dcache.c
++++ b/fs/ocfs2/dcache.c
+@@ -310,6 +310,18 @@ int ocfs2_dentry_attach_lock(struct dent
+
+ out_attach:
+ spin_lock(&dentry_attach_lock);
++ if (unlikely(dentry->d_fsdata && !alias)) {
++ /* d_fsdata is set by a racing thread which is doing
++ * the same thing as this thread is doing. Leave the racing
++ * thread going ahead and we return here.
++ */
++ spin_unlock(&dentry_attach_lock);
++ iput(dl->dl_inode);
++ ocfs2_lock_res_free(&dl->dl_lockres);
++ kfree(dl);
++ return 0;
++ }
++
+ dentry->d_fsdata = dl;
+ dl->dl_count++;
+ spin_unlock(&dentry_attach_lock);
diff --git a/queue-4.4/i2c-acorn-fix-i2c-warning.patch b/queue-4.4/i2c-acorn-fix-i2c-warning.patch
new file mode 100644
index 0000000000..7d73487c06
--- /dev/null
+++ b/queue-4.4/i2c-acorn-fix-i2c-warning.patch
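Review bot: The new guard at out_attach only fires for `!alias`, so when two threads race and both picked up the same `dl` from ocfs2_find_local_alias(), both still fall through to `dentry->d_fsdata = dl; dl->dl_count++;` under the lock, leaving one dentry holding two dl_count references. Whether that interleaving is reachable depends on the d_fsdata check and alias lookup earlier in ocfs2_dentry_attach_lock(), which lie outside the hunk, but if it is, the alias case needs the same `dentry->d_fsdata` test with only `spin_unlock(&dentry_attach_lock); return 0;` (nothing allocated in this call to release), separate from the iput/ocfs2_lock_res_free/kfree sequence that is correct only for a freshly allocated dl. The comment should also say that the early `return 0` reports success on the strength of the racing thread's attach, whose own ocfs2_dentry_lock() outcome this thread never observes.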
@@ -0,0 +1,33 @@
+From ca21f851cc9643af049226d57fabc3c883ea648e Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Tue, 11 Jun 2019 17:48:18 +0100
+Subject: i2c: acorn: fix i2c warning
+
+From: Russell King
+
+commit ca21f851cc9643af049226d57fabc3c883ea648e upstream.
+
+The Acorn i2c driver (for RiscPC) triggers the "i2c adapter has no name"
+warning in the I2C core driver, resulting in the RTC being inaccessible.
+Fix this.
+
+Fixes: 2236baa75f70 ("i2c: Sanity checks on adapter registration")
+Signed-off-by: Russell King
+Signed-off-by: Wolfram Sang
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-acorn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i2c/busses/i2c-acorn.c
++++ b/drivers/i2c/busses/i2c-acorn.c
+@@ -83,6 +83,7 @@ static struct i2c_algo_bit_data ioc_data
+
+ static struct i2c_adapter ioc_ops = {
+ .nr = 0,
++ .name = "ioc",
+ .algo_data = &ioc_data,
+ };
+
diff --git a/queue-4.4/mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch b/queue-4.4/mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch
new file mode 100644
index 0000000000..5132b6cd87
--- /dev/null
+++ b/queue-4.4/mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch
@@ -0,0 +1,71 @@
+From 3510955b327176fd4cbab5baa75b449f077722a2 Mon Sep 17 00:00:00 2001
+From: Shakeel Butt
+Date: Thu, 13 Jun 2019 15:55:49 -0700
+Subject: mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
+
+From: Shakeel Butt
+
+commit 3510955b327176fd4cbab5baa75b449f077722a2 upstream.
+
+Syzbot reported following memory leak:
+
+ffffffffda RBX: 0000000000000003 RCX: 0000000000441f79
+BUG: memory leak
+unreferenced object 0xffff888114f26040 (size 32):
+ comm "syz-executor626", pid 7056, jiffies 4294948701 (age 39.410s)
+ hex dump (first 32 bytes):
+ 40 60 f2 14 81 88 ff ff 40 60 f2 14 81 88 ff ff @`......@`......
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ slab_post_alloc_hook mm/slab.h:439 [inline]
+ slab_alloc mm/slab.c:3326 [inline]
+ kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
+ kmalloc include/linux/slab.h:547 [inline]
+ __memcg_init_list_lru_node+0x58/0xf0 mm/list_lru.c:352
+ memcg_init_list_lru_node mm/list_lru.c:375 [inline]
+ memcg_init_list_lru mm/list_lru.c:459 [inline]
+ __list_lru_init+0x193/0x2a0 mm/list_lru.c:626
+ alloc_super+0x2e0/0x310 fs/super.c:269
+ sget_userns+0x94/0x2a0 fs/super.c:609
+ sget+0x8d/0xb0 fs/super.c:660
+ mount_nodev+0x31/0xb0 fs/super.c:1387
+ fuse_mount+0x2d/0x40 fs/fuse/inode.c:1236
+ legacy_get_tree+0x27/0x80 fs/fs_context.c:661
+ vfs_get_tree+0x2e/0x120 fs/super.c:1476
+ do_new_mount fs/namespace.c:2790 [inline]
+ do_mount+0x932/0xc50 fs/namespace.c:3110
+ ksys_mount+0xab/0x120 fs/namespace.c:3319
+ __do_sys_mount fs/namespace.c:3333 [inline]
+ __se_sys_mount fs/namespace.c:3330 [inline]
+ __x64_sys_mount+0x26/0x30 fs/namespace.c:3330
+ do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+This is a simple off by one bug on the error path.
+
+Link: http://lkml.kernel.org/r/20190528043202.99980-1-shakeelb@google.com
+Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists")
+Reported-by: syzbot+f90a420dfe2b1b03cb2c@syzkaller.appspotmail.com
+Signed-off-by: Shakeel Butt
+Acked-by: Michal Hocko
+Reviewed-by: Kirill Tkhai
+Cc: [4.0+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/list_lru.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/list_lru.c
++++ b/mm/list_lru.c
+@@ -313,7 +313,7 @@ static int __memcg_init_list_lru_node(st
+ }
+ return 0;
+ fail:
+- __memcg_destroy_list_lru_node(memcg_lrus, begin, i - 1);
++ __memcg_destroy_list_lru_node(memcg_lrus, begin, i);
+ return -ENOMEM;
+ }
+
diff --git a/queue-4.4/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch b/queue-4.4/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
new file mode 100644
index 0000000000..7aa8ebd8e1
--- /dev/null
+++ b/queue-4.4/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
@@ -0,0 +1,63 @@
+From f6581f5b55141a95657ef5742cf6a6bfa20a109f Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 29 May 2019 13:31:57 +0200
+Subject: ptrace: restore smp_rmb() in __ptrace_may_access()
+
+From: Jann Horn
+
+commit f6581f5b55141a95657ef5742cf6a6bfa20a109f upstream.
+
+Restore the read memory barrier in __ptrace_may_access() that was deleted
+a couple years ago. Also add comments on this barrier and the one it pairs
+with to explain why they're there (as far as I understand).
+
+Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks")
+Cc: stable@vger.kernel.org
+Acked-by: Kees Cook
+Acked-by: Oleg Nesterov
+Signed-off-by: Jann Horn
+Signed-off-by: Eric W. Biederman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/cred.c | 9 +++++++++
+ kernel/ptrace.c | 10 ++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -447,6 +447,15 @@ int commit_creds(struct cred *new)
+ if (task->mm)
+ set_dumpable(task->mm, suid_dumpable);
+ task->pdeath_signal = 0;
++ /*
++ * If a task drops privileges and becomes nondumpable,
++ * the dumpability change must become visible before
++ * the credential change; otherwise, a __ptrace_may_access()
++ * racing with this change may be able to attach to a task it
++ * shouldn't be able to attach to (as if the task had dropped
++ * privileges without becoming nondumpable).
++ * Pairs with a read barrier in __ptrace_may_access().
++ */
+ smp_wmb();
+ }
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -292,6 +292,16 @@ static int __ptrace_may_access(struct ta
+ return -EPERM;
+ ok:
+ rcu_read_unlock();
++ /*
++ * If a task drops privileges and becomes nondumpable (through a syscall
++ * like setresuid()) while we are trying to access it, we must ensure
++ * that the dumpability is read after the credentials; otherwise,
++ * we may be able to attach to a task that we shouldn't be able to
++ * attach to (as if the task had dropped privileges without becoming
++ * nondumpable).
++ * Pairs with a write barrier in commit_creds().
++ */
++ smp_rmb();
+ mm = task->mm;
+ if (mm &&
+ ((get_dumpable(mm) != SUID_DUMP_USER) &&
diff --git a/queue-4.4/series b/queue-4.4/series
index 56c3f3d0ce..739822b847 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -40,3 +40,11 @@ futex-fix-futex-lock-the-wrong-page.patch
 revert-bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
 alsa-seq-cover-unsubscribe_port-in-list_mutex.patch
 libata-extend-quirks-for-the-st1000lm024-drives-with-nolpm-quirk.patch
+mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch
+fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
+signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch
+ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
+i2c-acorn-fix-i2c-warning.patch
+bcache-fix-stack-corruption-by-preceding_key.patch
+cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch
+asoc-cs42xx8-add-regcache-mask-dirty.patch
diff --git a/queue-4.4/signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch b/queue-4.4/signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch
new file mode 100644
index 0000000000..c6caad27f0
--- /dev/null
+++ b/queue-4.4/signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch
@@ -0,0 +1,72 @@
+From f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Tue, 28 May 2019 18:46:37 -0500
+Subject: signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
+
+From: Eric W. Biederman
+
+commit f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 upstream.
+
+Recently syzbot in conjunction with KMSAN reported that
+ptrace_peek_siginfo can copy an uninitialized siginfo to userspace.
+Inspecting ptrace_peek_siginfo confirms this.
+
+The problem is that off when initialized from args.off can be
+initialized to a negaive value. At which point the "if (off >= 0)"
+test to see if off became negative fails because off started off
+negative.
+
+Prevent the core problem by adding a variable found that is only true
+if a siginfo is found and copied to a temporary in preparation for
+being copied to userspace.
+
+Prevent args.off from being truncated when being assigned to off by
+testing that off is <= the maximum possible value of off. Convert off
+to an unsigned long so that we should not have to truncate args.off,
+we have well defined overflow behavior so if we add another check we
+won't risk fighting undefined compiler behavior, and so that we have a
+type whose maximum value is easy to test for.
+
+Cc: Andrei Vagin
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
+Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/ptrace.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -673,6 +673,10 @@ static int ptrace_peek_siginfo(struct ta
+ if (arg.nr < 0)
+ return -EINVAL;
+
++ /* Ensure arg.off fits in an unsigned long */
++ if (arg.off > ULONG_MAX)
++ return 0;
++
+ if (arg.flags & PTRACE_PEEKSIGINFO_SHARED)
+ pending = &child->signal->shared_pending;
+ else
+@@ -680,7 +684,8 @@ static int ptrace_peek_siginfo(struct ta
+
+ for (i = 0; i < arg.nr; ) {
+ siginfo_t info;
+- s32 off = arg.off + i;
++ unsigned long off = arg.off + i;
++ bool found = false;
+
+ spin_lock_irq(&child->sighand->siglock);
+ list_for_each_entry(q, &pending->list, list) {
+@@ -691,7 +696,7 @@ static int ptrace_peek_siginfo(struct ta
+ }
+ spin_unlock_irq(&child->sighand->siglock);
+
+- if (off >= 0) /* beyond the end of the list */
++ if (!found) /* beyond the end of the list */
+ break;
+
+ #ifdef CONFIG_COMPAT
-- 
2.39.2
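Review bot: `found` is declared `false` in the second kernel/ptrace.c hunk and the third hunk breaks out of the loop on `if (!found)`, but nothing in this patch ever sets it to true: the hunk headers (`+684,8` followed by `+696,7`) leave the four loop-body lines between them untouched, and the diffstat's 7 insertions are fully accounted for by the added lines that are visible. As backported, every PTRACE_PEEKSIGINFO request would stop on its first iteration and report zero entries, so the uninitialized-copy problem is closed by disabling the interface rather than by fixing it. The upstream commit sets the flag inside the `list_for_each_entry()` body at the point where the matching queue entry is copied into `info`; that body lies between the second and third hunks here and needs the same one-line addition, `found = true;`, before the copy. The body of ptrace_peek_siginfo() begins before the first hunk and continues after the last.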