From bae1ae67d72bf376e8f750b8fe33ba64c27f8bd5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 12 May 2020 13:35:10 +0200 Subject: [PATCH] 4.19-stable patches added patches: arm64-hugetlb-avoid-potential-null-dereference.patch coredump-fix-crash-when-umh-is-disabled.patch mm-page_alloc-fix-watchdog-soft-lockups-during-set_zone_contiguous.patch staging-gasket-check-the-return-value-of-gasket_get_bar_index.patch --- ...tlb-avoid-potential-null-dereference.patch | 56 ++++++++ ...edump-fix-crash-when-umh-is-disabled.patch | 123 ++++++++++++++++++ ...t-lockups-during-set_zone_contiguous.patch | 62 +++++++++ queue-4.19/series | 4 + ...return-value-of-gasket_get_bar_index.patch | 39 ++++++ 5 files changed, 284 insertions(+) create mode 100644 queue-4.19/arm64-hugetlb-avoid-potential-null-dereference.patch create mode 100644 queue-4.19/coredump-fix-crash-when-umh-is-disabled.patch create mode 100644 queue-4.19/mm-page_alloc-fix-watchdog-soft-lockups-during-set_zone_contiguous.patch create mode 100644 queue-4.19/staging-gasket-check-the-return-value-of-gasket_get_bar_index.patch diff --git a/queue-4.19/arm64-hugetlb-avoid-potential-null-dereference.patch b/queue-4.19/arm64-hugetlb-avoid-potential-null-dereference.patch new file mode 100644 index 00000000000..c754f872df0 --- /dev/null +++ b/queue-4.19/arm64-hugetlb-avoid-potential-null-dereference.patch @@ -0,0 +1,56 @@ +From 027d0c7101f50cf03aeea9eebf484afd4920c8d3 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 5 May 2020 13:59:30 +0100 +Subject: arm64: hugetlb: avoid potential NULL dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mark Rutland + +commit 027d0c7101f50cf03aeea9eebf484afd4920c8d3 upstream. + +The static analyzer in GCC 10 spotted that in huge_pte_alloc() we may +pass a NULL pmdp into pte_alloc_map() when pmd_alloc() returns NULL: + +| CC arch/arm64/mm/pageattr.o +| CC arch/arm64/mm/hugetlbpage.o +| from arch/arm64/mm/hugetlbpage.c:10: +| arch/arm64/mm/hugetlbpage.c: In function ‘huge_pte_alloc’: +| ./arch/arm64/include/asm/pgtable-types.h:28:24: warning: dereference of NULL ‘pmdp’ [CWE-690] [-Wanalyzer-null-dereference] +| ./arch/arm64/include/asm/pgtable.h:436:26: note: in expansion of macro ‘pmd_val’ +| arch/arm64/mm/hugetlbpage.c:242:10: note: in expansion of macro ‘pte_alloc_map’ +| |arch/arm64/mm/hugetlbpage.c:232:10: +| |./arch/arm64/include/asm/pgtable-types.h:28:24: +| ./arch/arm64/include/asm/pgtable.h:436:26: note: in expansion of macro ‘pmd_val’ +| arch/arm64/mm/hugetlbpage.c:242:10: note: in expansion of macro ‘pte_alloc_map’ + +This can only occur when the kernel cannot allocate a page, and so is +unlikely to happen in practice before other systems start failing. + +We can avoid this by bailing out if pmd_alloc() fails, as we do earlier +in the function if pud_alloc() fails. + +Fixes: 66b3923a1a0f ("arm64: hugetlb: add support for PTE contiguous bit") +Signed-off-by: Mark Rutland +Reported-by: Kyrill Tkachov +Cc: # 4.5.x- +Cc: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/mm/hugetlbpage.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/mm/hugetlbpage.c ++++ b/arch/arm64/mm/hugetlbpage.c +@@ -218,6 +218,8 @@ pte_t *huge_pte_alloc(struct mm_struct * + ptep = (pte_t *)pudp; + } else if (sz == (PAGE_SIZE * CONT_PTES)) { + pmdp = pmd_alloc(mm, pudp, addr); ++ if (!pmdp) ++ return NULL; + + WARN_ON(addr & (sz - 1)); + /* diff --git a/queue-4.19/coredump-fix-crash-when-umh-is-disabled.patch b/queue-4.19/coredump-fix-crash-when-umh-is-disabled.patch new file mode 100644 index 00000000000..f2741e3a395 --- /dev/null +++ b/queue-4.19/coredump-fix-crash-when-umh-is-disabled.patch @@ -0,0 +1,123 @@ +From 3740d93e37902b31159a82da2d5c8812ed825404 Mon Sep 17 00:00:00 2001 +From: Luis Chamberlain +Date: Thu, 16 Apr 2020 16:28:59 +0000 +Subject: coredump: fix crash when umh is disabled + +From: Luis Chamberlain + +commit 3740d93e37902b31159a82da2d5c8812ed825404 upstream. + +Commit 64e90a8acb859 ("Introduce STATIC_USERMODEHELPER to mediate +call_usermodehelper()") added the optiont to disable all +call_usermodehelper() calls by setting STATIC_USERMODEHELPER_PATH to +an empty string. When this is done, and crashdump is triggered, it +will crash on null pointer dereference, since we make assumptions +over what call_usermodehelper_exec() did. + +This has been reported by Sergey when one triggers a a coredump +with the following configuration: + +``` +CONFIG_STATIC_USERMODEHELPER=y +CONFIG_STATIC_USERMODEHELPER_PATH="" +kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e +``` + +The way disabling the umh was designed was that call_usermodehelper_exec() +would just return early, without an error. But coredump assumes +certain variables are set up for us when this happens, and calls +ile_start_write(cprm.file) with a NULL file. + +[ 2.819676] BUG: kernel NULL pointer dereference, address: 0000000000000020 +[ 2.819859] #PF: supervisor read access in kernel mode +[ 2.820035] #PF: error_code(0x0000) - not-present page +[ 2.820188] PGD 0 P4D 0 +[ 2.820305] Oops: 0000 [#1] SMP PTI +[ 2.820436] CPU: 2 PID: 89 Comm: a Not tainted 5.7.0-rc1+ #7 +[ 2.820680] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190711_202441-buildvm-armv7-10.arm.fedoraproject.org-2.fc31 04/01/2014 +[ 2.821150] RIP: 0010:do_coredump+0xd80/0x1060 +[ 2.821385] Code: e8 95 11 ed ff 48 c7 c6 cc a7 b4 81 48 8d bd 28 ff +ff ff 89 c2 e8 70 f1 ff ff 41 89 c2 85 c0 0f 84 72 f7 ff ff e9 b4 fe ff +ff <48> 8b 57 20 0f b7 02 66 25 00 f0 66 3d 00 8 +0 0f 84 9c 01 00 00 44 +[ 2.822014] RSP: 0000:ffffc9000029bcb8 EFLAGS: 00010246 +[ 2.822339] RAX: 0000000000000000 RBX: ffff88803f860000 RCX: 000000000000000a +[ 2.822746] RDX: 0000000000000009 RSI: 0000000000000282 RDI: 0000000000000000 +[ 2.823141] RBP: ffffc9000029bde8 R08: 0000000000000000 R09: ffffc9000029bc00 +[ 2.823508] R10: 0000000000000001 R11: ffff88803dec90be R12: ffffffff81c39da0 +[ 2.823902] R13: ffff88803de84400 R14: 0000000000000000 R15: 0000000000000000 +[ 2.824285] FS: 00007fee08183540(0000) GS:ffff88803e480000(0000) knlGS:0000000000000000 +[ 2.824767] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2.825111] CR2: 0000000000000020 CR3: 000000003f856005 CR4: 0000000000060ea0 +[ 2.825479] Call Trace: +[ 2.825790] get_signal+0x11e/0x720 +[ 2.826087] do_signal+0x1d/0x670 +[ 2.826361] ? force_sig_info_to_task+0xc1/0xf0 +[ 2.826691] ? force_sig_fault+0x3c/0x40 +[ 2.826996] ? do_trap+0xc9/0x100 +[ 2.827179] exit_to_usermode_loop+0x49/0x90 +[ 2.827359] prepare_exit_to_usermode+0x77/0xb0 +[ 2.827559] ? invalid_op+0xa/0x30 +[ 2.827747] ret_from_intr+0x20/0x20 +[ 2.827921] RIP: 0033:0x55e2c76d2129 +[ 2.828107] Code: 2d ff ff ff e8 68 ff ff ff 5d c6 05 18 2f 00 00 01 +c3 0f 1f 80 00 00 00 00 c3 0f 1f 80 00 00 00 00 e9 7b ff ff ff 55 48 89 +e5 <0f> 0b b8 00 00 00 00 5d c3 66 2e 0f 1f 84 0 +0 00 00 00 00 0f 1f 40 +[ 2.828603] RSP: 002b:00007fffeba5e080 EFLAGS: 00010246 +[ 2.828801] RAX: 000055e2c76d2125 RBX: 0000000000000000 RCX: 00007fee0817c718 +[ 2.829034] RDX: 00007fffeba5e188 RSI: 00007fffeba5e178 RDI: 0000000000000001 +[ 2.829257] RBP: 00007fffeba5e080 R08: 0000000000000000 R09: 00007fee08193c00 +[ 2.829482] R10: 0000000000000009 R11: 0000000000000000 R12: 000055e2c76d2040 +[ 2.829727] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 2.829964] CR2: 0000000000000020 +[ 2.830149] ---[ end trace ceed83d8c68a1bf1 ]--- +``` + +Cc: # v4.11+ +Fixes: 64e90a8acb85 ("Introduce STATIC_USERMODEHELPER to mediate call_usermodehelper()") +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199795 +Reported-by: Tony Vroon +Reported-by: Sergey Kvachonok +Tested-by: Sergei Trofimovich +Signed-off-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20200416162859.26518-1-mcgrof@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + fs/coredump.c | 8 ++++++++ + kernel/umh.c | 5 +++++ + 2 files changed, 13 insertions(+) + +--- a/fs/coredump.c ++++ b/fs/coredump.c +@@ -753,6 +753,14 @@ void do_coredump(const siginfo_t *siginf + if (displaced) + put_files_struct(displaced); + if (!dump_interrupted()) { ++ /* ++ * umh disabled with CONFIG_STATIC_USERMODEHELPER_PATH="" would ++ * have this set to NULL. ++ */ ++ if (!cprm.file) { ++ pr_info("Core dump to |%s disabled\n", cn.corename); ++ goto close_fail; ++ } + file_start_write(cprm.file); + core_dumped = binfmt->core_dump(&cprm); + file_end_write(cprm.file); +--- a/kernel/umh.c ++++ b/kernel/umh.c +@@ -522,6 +522,11 @@ EXPORT_SYMBOL_GPL(fork_usermode_blob); + * Runs a user-space application. The application is started + * asynchronously if wait is not set, and runs as a child of system workqueues. + * (ie. it runs with full root capabilities and optimized affinity). ++ * ++ * Note: successful return value does not guarantee the helper was called at ++ * all. You can't rely on sub_info->{init,cleanup} being called even for ++ * UMH_WAIT_* wait modes as STATIC_USERMODEHELPER_PATH="" turns all helpers ++ * into a successful no-op. + */ + int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait) + { diff --git a/queue-4.19/mm-page_alloc-fix-watchdog-soft-lockups-during-set_zone_contiguous.patch b/queue-4.19/mm-page_alloc-fix-watchdog-soft-lockups-during-set_zone_contiguous.patch new file mode 100644 index 00000000000..6d738f9c637 --- /dev/null +++ b/queue-4.19/mm-page_alloc-fix-watchdog-soft-lockups-during-set_zone_contiguous.patch @@ -0,0 +1,62 @@ +From e84fe99b68ce353c37ceeecc95dce9696c976556 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 7 May 2020 18:35:46 -0700 +Subject: mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() + +From: David Hildenbrand + +commit e84fe99b68ce353c37ceeecc95dce9696c976556 upstream. + +Without CONFIG_PREEMPT, it can happen that we get soft lockups detected, +e.g., while booting up. + + watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [swapper/0:1] + CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.6.0-next-20200331+ #4 + Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 + RIP: __pageblock_pfn_to_page+0x134/0x1c0 + Call Trace: + set_zone_contiguous+0x56/0x70 + page_alloc_init_late+0x166/0x176 + kernel_init_freeable+0xfa/0x255 + kernel_init+0xa/0x106 + ret_from_fork+0x35/0x40 + +The issue becomes visible when having a lot of memory (e.g., 4TB) +assigned to a single NUMA node - a system that can easily be created +using QEMU. Inside VMs on a hypervisor with quite some memory +overcommit, this is fairly easy to trigger. + +Signed-off-by: David Hildenbrand +Signed-off-by: Andrew Morton +Reviewed-by: Pavel Tatashin +Reviewed-by: Pankaj Gupta +Reviewed-by: Baoquan He +Reviewed-by: Shile Zhang +Acked-by: Michal Hocko +Cc: Kirill Tkhai +Cc: Shile Zhang +Cc: Pavel Tatashin +Cc: Daniel Jordan +Cc: Michal Hocko +Cc: Alexander Duyck +Cc: Baoquan He +Cc: Oscar Salvador +Cc: +Link: http://lkml.kernel.org/r/20200416073417.5003-1-david@redhat.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1422,6 +1422,7 @@ void set_zone_contiguous(struct zone *zo + if (!__pageblock_pfn_to_page(block_start_pfn, + block_end_pfn, zone)) + return; ++ cond_resched(); + } + + /* We confirm that there is no hole */ diff --git a/queue-4.19/series b/queue-4.19/series index cf92c2dd181..213f2bad32f 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -24,3 +24,7 @@ usb-serial-garmin_gps-add-sanity-checking-for-data-length.patch tracing-add-a-vmalloc_sync_mappings-for-safe-measure.patch kvm-arm-vgic-fix-limit-condition-when-writing-to-gicd_iactiver.patch kvm-arm64-fix-32bit-pc-wrap-around.patch +arm64-hugetlb-avoid-potential-null-dereference.patch +mm-page_alloc-fix-watchdog-soft-lockups-during-set_zone_contiguous.patch +staging-gasket-check-the-return-value-of-gasket_get_bar_index.patch +coredump-fix-crash-when-umh-is-disabled.patch diff --git a/queue-4.19/staging-gasket-check-the-return-value-of-gasket_get_bar_index.patch b/queue-4.19/staging-gasket-check-the-return-value-of-gasket_get_bar_index.patch new file mode 100644 index 00000000000..4e6d4bde656 --- /dev/null +++ b/queue-4.19/staging-gasket-check-the-return-value-of-gasket_get_bar_index.patch @@ -0,0 +1,39 @@ +From 769acc3656d93aaacada814939743361d284fd87 Mon Sep 17 00:00:00 2001 +From: Oscar Carter +Date: Fri, 1 May 2020 17:51:18 +0200 +Subject: staging: gasket: Check the return value of gasket_get_bar_index() + +From: Oscar Carter + +commit 769acc3656d93aaacada814939743361d284fd87 upstream. + +Check the return value of gasket_get_bar_index function as it can return +a negative one (-EINVAL). If this happens, a negative index is used in +the "gasket_dev->bar_data" array. + +Addresses-Coverity-ID: 1438542 ("Negative array index read") +Fixes: 9a69f5087ccc2 ("drivers/staging: Gasket driver framework + Apex driver") +Signed-off-by: Oscar Carter +Cc: stable +Reviewed-by: Richard Yeh +Link: https://lore.kernel.org/r/20200501155118.13380-1-oscar.carter@gmx.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/gasket/gasket_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/staging/gasket/gasket_core.c ++++ b/drivers/staging/gasket/gasket_core.c +@@ -933,6 +933,10 @@ do_map_region(const struct gasket_dev *g + gasket_get_bar_index(gasket_dev, + (vma->vm_pgoff << PAGE_SHIFT) + + driver_desc->legacy_mmap_address_offset); ++ ++ if (bar_index < 0) ++ return DO_MAP_REGION_INVALID; ++ + phys_base = gasket_dev->bar_data[bar_index].phys_base + phys_offset; + while (mapped_bytes < map_length) { + /* -- 2.47.3