From b32cb9cfd8cf872f40d76e118e3e00fd7c95f9e1 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 16 Jun 2020 13:19:45 +0200 Subject: [PATCH] 4.4-stable patches added patches: fat-don-t-allow-to-mount-if-the-fat-length-0.patch mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch --- ...t-allow-to-mount-if-the-fat-length-0.patch | 42 ++++++++++ ...-fix-a-memory-leak-in-sysfs_slab_add.patch | 77 +++++++++++++++++++ queue-4.4/series | 2 + 3 files changed, 121 insertions(+) create mode 100644 queue-4.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch create mode 100644 queue-4.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch diff --git a/queue-4.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch b/queue-4.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch new file mode 100644 index 00000000000..b9a428d159d --- /dev/null +++ b/queue-4.4/fat-don-t-allow-to-mount-if-the-fat-length-0.patch @@ -0,0 +1,42 @@ +From b1b65750b8db67834482f758fc385bfa7560d228 Mon Sep 17 00:00:00 2001 +From: OGAWA Hirofumi +Date: Thu, 4 Jun 2020 16:50:56 -0700 +Subject: fat: don't allow to mount if the FAT length == 0 + +From: OGAWA Hirofumi + +commit b1b65750b8db67834482f758fc385bfa7560d228 upstream. + +If FAT length == 0, the image doesn't have any data. And it can be the +cause of overlapping the root dir and FAT entries. + +Also Windows treats it as invalid format. + +Reported-by: syzbot+6f1624f937d9d6911e2d@syzkaller.appspotmail.com +Signed-off-by: OGAWA Hirofumi +Signed-off-by: Andrew Morton +Cc: Marco Elver +Cc: Dmitry Vyukov +Link: http://lkml.kernel.org/r/87r1wz8mrd.fsf@mail.parknet.co.jp +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fat/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -1422,6 +1422,12 @@ static int fat_read_bpb(struct super_blo + goto out; + } + ++ if (bpb->fat_fat_length == 0 && bpb->fat32_length == 0) { ++ if (!silent) ++ fat_msg(sb, KERN_ERR, "bogus number of FAT sectors"); ++ goto out; ++ } ++ + error = 0; + + out: diff --git a/queue-4.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch b/queue-4.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch new file mode 100644 index 00000000000..a794b12c69b --- /dev/null +++ b/queue-4.4/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch @@ -0,0 +1,77 @@ +From dde3c6b72a16c2db826f54b2d49bdea26c3534a2 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 3 Jun 2020 15:56:21 -0700 +Subject: mm/slub: fix a memory leak in sysfs_slab_add() + +From: Wang Hai + +commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2 upstream. + +syzkaller reports for memory leak when kobject_init_and_add() returns an +error in the function sysfs_slab_add() [1] + +When this happened, the function kobject_put() is not called for the +corresponding kobject, which potentially leads to memory leak. + +This patch fixes the issue by calling kobject_put() even if +kobject_init_and_add() fails. + +[1] + BUG: memory leak + unreferenced object 0xffff8880a6d4be88 (size 8): + comm "syz-executor.3", pid 946, jiffies 4295772514 (age 18.396s) + hex dump (first 8 bytes): + 70 69 64 5f 33 00 ff ff pid_3... + backtrace: + kstrdup+0x35/0x70 mm/util.c:60 + kstrdup_const+0x3d/0x50 mm/util.c:82 + kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 + kobject_set_name_vargs+0x55/0x130 lib/kobject.c:289 + kobject_add_varg lib/kobject.c:384 [inline] + kobject_init_and_add+0xd8/0x170 lib/kobject.c:473 + sysfs_slab_add+0x1d8/0x290 mm/slub.c:5811 + __kmem_cache_create+0x50a/0x570 mm/slub.c:4384 + create_cache+0x113/0x1e0 mm/slab_common.c:407 + kmem_cache_create_usercopy+0x1a1/0x260 mm/slab_common.c:505 + kmem_cache_create+0xd/0x10 mm/slab_common.c:564 + create_pid_cachep kernel/pid_namespace.c:54 [inline] + create_pid_namespace kernel/pid_namespace.c:96 [inline] + copy_pid_ns+0x77c/0x8f0 kernel/pid_namespace.c:148 + create_new_namespaces+0x26b/0xa30 kernel/nsproxy.c:95 + unshare_nsproxy_namespaces+0xa7/0x1e0 kernel/nsproxy.c:229 + ksys_unshare+0x3d2/0x770 kernel/fork.c:2969 + __do_sys_unshare kernel/fork.c:3037 [inline] + __se_sys_unshare kernel/fork.c:3035 [inline] + __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3035 + do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295 + +Fixes: 80da026a8e5d ("mm/slub: fix slab double-free in case of duplicate sysfs filename") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Andrew Morton +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Link: http://lkml.kernel.org/r/20200602115033.1054-1-wanghai38@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -5424,8 +5424,10 @@ static int sysfs_slab_add(struct kmem_ca + + s->kobj.kset = cache_kset(s); + err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name); +- if (err) ++ if (err) { ++ kobject_put(&s->kobj); + goto out; ++ } + + err = sysfs_create_group(&s->kobj, &slab_attr_group); + if (err) diff --git a/queue-4.4/series b/queue-4.4/series index a5755333811..9348abf0168 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -40,3 +40,5 @@ ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch smack-slab-out-of-bounds-in-vsscanf.patch +mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch +fat-don-t-allow-to-mount-if-the-fat-length-0.patch -- 2.47.3