From bb6a8781591dd14f5ee5879848f226af5be37b6e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 4 Mar 2021 15:35:32 +0100 Subject: [PATCH] 5.11-stable patches added patches: erofs-fix-shift-out-of-bounds-of-blkszbits.patch jfs-more-checks-for-invalid-superblock.patch media-mceusb-sanity-check-for-prescaler-value.patch media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch media-zr364xx-fix-memory-leaks-in-probe.patch mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch mptcp-fix-spurious-retransmissions.patch nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch riscv-get-rid-of-max_early_mapping_size.patch sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch smackfs-restrict-bytes-count-in-smackfs-write-functions.patch tomoyo-ignore-data-race-while-checking-quota.patch udlfb-fix-memory-leak-in-dlfb_usb_probe.patch vfio-type1-use-follow_pte.patch xfs-fix-assert-failure-in-xfs_setattr_size.patch --- ...fix-shift-out-of-bounds-of-blkszbits.patch | 37 +++ ...s-more-checks-for-invalid-superblock.patch | 82 +++++++ ...usb-sanity-check-for-prescaler-value.patch | 42 ++++ ...-shift-out-of-bounds-in-std_validate.patch | 32 +++ ...ia-zr364xx-fix-memory-leaks-in-probe.patch | 181 +++++++++++++++ ...ary-address-expansion-of-pmd-sharing.patch | 83 +++++++ .../mptcp-fix-spurious-retransmissions.patch | 101 +++++++++ ...s-for-destroy_on_disconnect-properly.patch | 211 ++++++++++++++++++ ...ve-warn_once-on-malformed-rx-packets.patch | 57 +++++ ...-cloned-skb-in-skb_prepare_for_shift.patch | 54 +++++ ...cv-get-rid-of-max_early_mapping_size.patch | 98 ++++++++ ..._locked_down_task-with-irqs-disabled.patch | 61 +++++ queue-5.11/series | 17 ++ ...tes-count-in-smackfs-write-functions.patch | 108 +++++++++ ...gnore-data-race-while-checking-quota.patch | 177 +++++++++++++++ ...fb-fix-memory-leak-in-dlfb_usb_probe.patch | 59 +++++ queue-5.11/vfio-type1-use-follow_pte.patch | 65 ++++++ ...x-assert-failure-in-xfs_setattr_size.patch | 35 +++ 18 files changed, 1500 insertions(+) create mode 100644 queue-5.11/erofs-fix-shift-out-of-bounds-of-blkszbits.patch create mode 100644 queue-5.11/jfs-more-checks-for-invalid-superblock.patch create mode 100644 queue-5.11/media-mceusb-sanity-check-for-prescaler-value.patch create mode 100644 queue-5.11/media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch create mode 100644 queue-5.11/media-zr364xx-fix-memory-leaks-in-probe.patch create mode 100644 queue-5.11/mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch create mode 100644 queue-5.11/mptcp-fix-spurious-retransmissions.patch create mode 100644 queue-5.11/nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch create mode 100644 queue-5.11/net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch create mode 100644 queue-5.11/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch create mode 100644 queue-5.11/riscv-get-rid-of-max_early_mapping_size.patch create mode 100644 queue-5.11/sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch create mode 100644 queue-5.11/smackfs-restrict-bytes-count-in-smackfs-write-functions.patch create mode 100644 queue-5.11/tomoyo-ignore-data-race-while-checking-quota.patch create mode 100644 queue-5.11/udlfb-fix-memory-leak-in-dlfb_usb_probe.patch create mode 100644 queue-5.11/vfio-type1-use-follow_pte.patch create mode 100644 queue-5.11/xfs-fix-assert-failure-in-xfs_setattr_size.patch diff --git a/queue-5.11/erofs-fix-shift-out-of-bounds-of-blkszbits.patch b/queue-5.11/erofs-fix-shift-out-of-bounds-of-blkszbits.patch new file mode 100644 index 00000000000..059dd032a05 --- /dev/null +++ b/queue-5.11/erofs-fix-shift-out-of-bounds-of-blkszbits.patch @@ -0,0 +1,37 @@ +From bde545295b710bdd13a0fcd4b9fddd2383eeeb3a Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Wed, 20 Jan 2021 09:30:16 +0800 +Subject: erofs: fix shift-out-of-bounds of blkszbits + +From: Gao Xiang + +commit bde545295b710bdd13a0fcd4b9fddd2383eeeb3a upstream. + +syzbot generated a crafted bitszbits which can be shifted +out-of-bounds[1]. So directly print unsupported blkszbits +instead of blksize. + +[1] https://lore.kernel.org/r/000000000000c72ddd05b9444d2f@google.com + +Link: https://lore.kernel.org/r/20210120013016.14071-1-hsiangkao@aol.com +Reported-by: syzbot+c68f467cd7c45860e8d4@syzkaller.appspotmail.com +Reviewed-by: Chao Yu +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -158,8 +158,8 @@ static int erofs_read_superblock(struct + blkszbits = dsb->blkszbits; + /* 9(512 bytes) + LOG_SECTORS_PER_BLOCK == LOG_BLOCK_SIZE */ + if (blkszbits != LOG_BLOCK_SIZE) { +- erofs_err(sb, "blksize %u isn't supported on this platform", +- 1 << blkszbits); ++ erofs_err(sb, "blkszbits %u isn't supported on this platform", ++ blkszbits); + goto out; + } + diff --git a/queue-5.11/jfs-more-checks-for-invalid-superblock.patch b/queue-5.11/jfs-more-checks-for-invalid-superblock.patch new file mode 100644 index 00000000000..e9897508613 --- /dev/null +++ b/queue-5.11/jfs-more-checks-for-invalid-superblock.patch @@ -0,0 +1,82 @@ +From 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Fri, 18 Dec 2020 12:17:16 -0800 +Subject: JFS: more checks for invalid superblock + +From: Randy Dunlap + +commit 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 upstream. + +syzbot is feeding invalid superblock data to JFS for mount testing. +JFS does not check several of the fields -- just assumes that they +are good since the JFS_MAGIC and version fields are good. + +In this case (syzbot reproducer), we have s_l2bsize == 0xda0c, +pad == 0xf045, and s_state == 0x50, all of which are invalid IMO. +Having s_l2bsize == 0xda0c causes this UBSAN warning: + UBSAN: shift-out-of-bounds in fs/jfs/jfs_mount.c:373:25 + shift exponent -9716 is negative + +s_l2bsize can be tested for correctness. pad can be tested for non-0 +and punted. s_state can be tested for its valid values and punted. + +Do those 3 tests and if any of them fails, report the superblock as +invalid/corrupt and let fsck handle it. + +With this patch, chkSuper() says this when JFS_DEBUG is enabled: + jfs_mount: Mount Failure: superblock is corrupt! + Mount JFS Failure: -22 + jfs_mount failed w/return code = -22 + +The obvious problem with this method is that next week there could +be another syzbot test that uses different fields for invalid values, +this making this like a game of whack-a-mole. + +syzkaller link: https://syzkaller.appspot.com/bug?extid=36315852ece4132ec193 + +Reported-by: syzbot+36315852ece4132ec193@syzkaller.appspotmail.com +Reported-by: kernel test robot # v2 +Signed-off-by: Randy Dunlap +Signed-off-by: Dave Kleikamp +Cc: jfs-discussion@lists.sourceforge.net +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_filsys.h | 1 + + fs/jfs/jfs_mount.c | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +--- a/fs/jfs/jfs_filsys.h ++++ b/fs/jfs/jfs_filsys.h +@@ -268,5 +268,6 @@ + * fsck() must be run to repair + */ + #define FM_EXTENDFS 0x00000008 /* file system extendfs() in progress */ ++#define FM_STATE_MAX 0x0000000f /* max value of s_state */ + + #endif /* _H_JFS_FILSYS */ +--- a/fs/jfs/jfs_mount.c ++++ b/fs/jfs/jfs_mount.c +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + + #include "jfs_incore.h" + #include "jfs_filsys.h" +@@ -366,6 +367,15 @@ static int chkSuper(struct super_block * + sbi->bsize = bsize; + sbi->l2bsize = le16_to_cpu(j_sb->s_l2bsize); + ++ /* check some fields for possible corruption */ ++ if (sbi->l2bsize != ilog2((u32)bsize) || ++ j_sb->pad != 0 || ++ le32_to_cpu(j_sb->s_state) > FM_STATE_MAX) { ++ rc = -EINVAL; ++ jfs_err("jfs_mount: Mount Failure: superblock is corrupt!"); ++ goto out; ++ } ++ + /* + * For now, ignore s_pbsize, l2bfactor. All I/O going through buffer + * cache. diff --git a/queue-5.11/media-mceusb-sanity-check-for-prescaler-value.patch b/queue-5.11/media-mceusb-sanity-check-for-prescaler-value.patch new file mode 100644 index 00000000000..d4e312ba129 --- /dev/null +++ b/queue-5.11/media-mceusb-sanity-check-for-prescaler-value.patch @@ -0,0 +1,42 @@ +From 9dec0f48a75e0dadca498002d25ef4e143e60194 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Tue, 19 Jan 2021 14:53:50 +0100 +Subject: media: mceusb: sanity check for prescaler value + +From: Sean Young + +commit 9dec0f48a75e0dadca498002d25ef4e143e60194 upstream. + +prescaler larger than 8 would mean the carrier is at most 152Hz, +which does not make sense for IR carriers. + +Reported-by: syzbot+6d31bf169a8265204b8d@syzkaller.appspotmail.com +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/mceusb.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -701,11 +701,18 @@ static void mceusb_dev_printdata(struct + data[0], data[1]); + break; + case MCE_RSP_EQIRCFS: ++ if (!data[0] && !data[1]) { ++ dev_dbg(dev, "%s: no carrier", inout); ++ break; ++ } ++ // prescaler should make sense ++ if (data[0] > 8) ++ break; + period = DIV_ROUND_CLOSEST((1U << data[0] * 2) * + (data[1] + 1), 10); + if (!period) + break; +- carrier = (1000 * 1000) / period; ++ carrier = USEC_PER_SEC / period; + dev_dbg(dev, "%s carrier of %u Hz (period %uus)", + inout, carrier, period); + break; diff --git a/queue-5.11/media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch b/queue-5.11/media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch new file mode 100644 index 00000000000..0641925667b --- /dev/null +++ b/queue-5.11/media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch @@ -0,0 +1,32 @@ +From 048c96e28674f15c0403deba2104ffba64544a06 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 20 Jan 2021 09:28:02 +0100 +Subject: media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate + +From: Hans Verkuil + +commit 048c96e28674f15c0403deba2104ffba64544a06 upstream. + +If a menu has more than 64 items, then don't check menu_skip_mask +for items 65 and up. + +Signed-off-by: Hans Verkuil +Reported-by: syzbot+42d8c7c3d3e594b34346@syzkaller.appspotmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -2165,7 +2165,8 @@ static int std_validate(const struct v4l + case V4L2_CTRL_TYPE_INTEGER_MENU: + if (ptr.p_s32[idx] < ctrl->minimum || ptr.p_s32[idx] > ctrl->maximum) + return -ERANGE; +- if (ctrl->menu_skip_mask & (1ULL << ptr.p_s32[idx])) ++ if (ptr.p_s32[idx] < BITS_PER_LONG_LONG && ++ (ctrl->menu_skip_mask & BIT_ULL(ptr.p_s32[idx]))) + return -EINVAL; + if (ctrl->type == V4L2_CTRL_TYPE_MENU && + ctrl->qmenu[ptr.p_s32[idx]][0] == '\0') diff --git a/queue-5.11/media-zr364xx-fix-memory-leaks-in-probe.patch b/queue-5.11/media-zr364xx-fix-memory-leaks-in-probe.patch new file mode 100644 index 00000000000..93289781b00 --- /dev/null +++ b/queue-5.11/media-zr364xx-fix-memory-leaks-in-probe.patch @@ -0,0 +1,181 @@ +From ea354b6ddd6f09be29424f41fa75a3e637fea234 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 21 Jan 2021 07:44:00 +0100 +Subject: media: zr364xx: fix memory leaks in probe() + +From: Dan Carpenter + +commit ea354b6ddd6f09be29424f41fa75a3e637fea234 upstream. + +Syzbot discovered that the probe error handling doesn't clean up the +resources allocated in zr364xx_board_init(). There are several +related bugs in this code so I have re-written the error handling. + +1) Introduce a new function zr364xx_board_uninit() which cleans up + the resources in zr364xx_board_init(). +2) In zr364xx_board_init() if the call to zr364xx_start_readpipe() + fails then release the "cam->buffer.frame[i].lpvbits" memory + before returning. This way every function either allocates + everything successfully or it cleans up after itself. +3) Re-write the probe function so that each failure path goto frees + the most recent allocation. That way we don't free anything + before it has been allocated and we can also verify that + everything is freed. +4) Originally, in the probe function the "cam->v4l2_dev.release" + pointer was set to "zr364xx_release" near the start but I moved + that assignment to the end, after everything had succeeded. The + release function was never actually called during the probe cleanup + process, but with this change I wanted to make it clear that we + don't want to call zr364xx_release() until everything is + allocated successfully. + +Next I re-wrote the zr364xx_release() function. Ideally this would +have been a simple matter of copy and pasting the cleanup code from +probe and adding an additional call to video_unregister_device(). But +there are a couple quirks to note. + +1) The probe function does not call videobuf_mmap_free() and I don't + know where the videobuf_mmap is allocated. I left the code as-is to + avoid introducing a bug in code I don't understand. +2) The zr364xx_board_uninit() has a call to zr364xx_stop_readpipe() + which is a change from the original behavior with regards to + unloading the driver. Calling zr364xx_stop_readpipe() on a stopped + pipe is not a problem so this is safe and is potentially a bugfix. + +Reported-by: syzbot+b4d54814b339b5c6bbd4@syzkaller.appspotmail.com +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/zr364xx/zr364xx.c | 49 ++++++++++++++++++++++-------------- + 1 file changed, 31 insertions(+), 18 deletions(-) + +--- a/drivers/media/usb/zr364xx/zr364xx.c ++++ b/drivers/media/usb/zr364xx/zr364xx.c +@@ -1181,15 +1181,11 @@ out: + return err; + } + +-static void zr364xx_release(struct v4l2_device *v4l2_dev) ++static void zr364xx_board_uninit(struct zr364xx_camera *cam) + { +- struct zr364xx_camera *cam = +- container_of(v4l2_dev, struct zr364xx_camera, v4l2_dev); + unsigned long i; + +- v4l2_device_unregister(&cam->v4l2_dev); +- +- videobuf_mmap_free(&cam->vb_vidq); ++ zr364xx_stop_readpipe(cam); + + /* release sys buffers */ + for (i = 0; i < FRAMES; i++) { +@@ -1200,9 +1196,19 @@ static void zr364xx_release(struct v4l2_ + cam->buffer.frame[i].lpvbits = NULL; + } + +- v4l2_ctrl_handler_free(&cam->ctrl_handler); + /* release transfer buffer */ + kfree(cam->pipe->transfer_buffer); ++} ++ ++static void zr364xx_release(struct v4l2_device *v4l2_dev) ++{ ++ struct zr364xx_camera *cam = ++ container_of(v4l2_dev, struct zr364xx_camera, v4l2_dev); ++ ++ videobuf_mmap_free(&cam->vb_vidq); ++ v4l2_ctrl_handler_free(&cam->ctrl_handler); ++ zr364xx_board_uninit(cam); ++ v4l2_device_unregister(&cam->v4l2_dev); + kfree(cam); + } + +@@ -1376,11 +1382,14 @@ static int zr364xx_board_init(struct zr3 + /* start read pipe */ + err = zr364xx_start_readpipe(cam); + if (err) +- goto err_free; ++ goto err_free_frames; + + DBG(": board initialized\n"); + return 0; + ++err_free_frames: ++ for (i = 0; i < FRAMES; i++) ++ vfree(cam->buffer.frame[i].lpvbits); + err_free: + kfree(cam->pipe->transfer_buffer); + cam->pipe->transfer_buffer = NULL; +@@ -1409,12 +1418,10 @@ static int zr364xx_probe(struct usb_inte + if (!cam) + return -ENOMEM; + +- cam->v4l2_dev.release = zr364xx_release; + err = v4l2_device_register(&intf->dev, &cam->v4l2_dev); + if (err < 0) { + dev_err(&udev->dev, "couldn't register v4l2_device\n"); +- kfree(cam); +- return err; ++ goto free_cam; + } + hdl = &cam->ctrl_handler; + v4l2_ctrl_handler_init(hdl, 1); +@@ -1423,7 +1430,7 @@ static int zr364xx_probe(struct usb_inte + if (hdl->error) { + err = hdl->error; + dev_err(&udev->dev, "couldn't register control\n"); +- goto fail; ++ goto unregister; + } + /* save the init method used by this camera */ + cam->method = id->driver_info; +@@ -1496,7 +1503,7 @@ static int zr364xx_probe(struct usb_inte + if (!cam->read_endpoint) { + err = -ENOMEM; + dev_err(&intf->dev, "Could not find bulk-in endpoint\n"); +- goto fail; ++ goto unregister; + } + + /* v4l */ +@@ -1507,10 +1514,11 @@ static int zr364xx_probe(struct usb_inte + + /* load zr364xx board specific */ + err = zr364xx_board_init(cam); +- if (!err) +- err = v4l2_ctrl_handler_setup(hdl); + if (err) +- goto fail; ++ goto unregister; ++ err = v4l2_ctrl_handler_setup(hdl); ++ if (err) ++ goto board_uninit; + + spin_lock_init(&cam->slock); + +@@ -1525,16 +1533,21 @@ static int zr364xx_probe(struct usb_inte + err = video_register_device(&cam->vdev, VFL_TYPE_VIDEO, -1); + if (err) { + dev_err(&udev->dev, "video_register_device failed\n"); +- goto fail; ++ goto free_handler; + } ++ cam->v4l2_dev.release = zr364xx_release; + + dev_info(&udev->dev, DRIVER_DESC " controlling device %s\n", + video_device_node_name(&cam->vdev)); + return 0; + +-fail: ++free_handler: + v4l2_ctrl_handler_free(hdl); ++board_uninit: ++ zr364xx_board_uninit(cam); ++unregister: + v4l2_device_unregister(&cam->v4l2_dev); ++free_cam: + kfree(cam); + return err; + } diff --git a/queue-5.11/mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch b/queue-5.11/mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch new file mode 100644 index 00000000000..0136d34723b --- /dev/null +++ b/queue-5.11/mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch @@ -0,0 +1,83 @@ +From a1ba9da8f0f9a37d900ff7eff66482cf7de8015e Mon Sep 17 00:00:00 2001 +From: Li Xinhai +Date: Wed, 24 Feb 2021 12:06:54 -0800 +Subject: mm/hugetlb.c: fix unnecessary address expansion of pmd sharing + +From: Li Xinhai + +commit a1ba9da8f0f9a37d900ff7eff66482cf7de8015e upstream. + +The current code would unnecessarily expand the address range. Consider +one example, (start, end) = (1G-2M, 3G+2M), and (vm_start, vm_end) = +(1G-4M, 3G+4M), the expected adjustment should be keep (1G-2M, 3G+2M) +without expand. But the current result will be (1G-4M, 3G+4M). Actually, +the range (1G-4M, 1G) and (3G, 3G+4M) would never been involved in pmd +sharing. + +After this patch, we will check that the vma span at least one PUD aligned +size and the start,end range overlap the aligned range of vma. + +With above example, the aligned vma range is (1G, 3G), so if (start, end) +range is within (1G-4M, 1G), or within (3G, 3G+4M), then no adjustment to +both start and end. Otherwise, we will have chance to adjust start +downwards or end upwards without exceeding (vm_start, vm_end). + +Mike: + +: The 'adjusted range' is used for calls to mmu notifiers and cache(tlb) +: flushing. Since the current code unnecessarily expands the range in some +: cases, more entries than necessary would be flushed. This would/could +: result in performance degradation. However, this is highly dependent on +: the user runtime. Is there a combination of vma layout and calls to +: actually hit this issue? If the issue is hit, will those entries +: unnecessarily flushed be used again and need to be unnecessarily reloaded? + +Link: https://lkml.kernel.org/r/20210104081631.2921415-1-lixinhai.lxh@gmail.com +Fixes: 75802ca66354 ("mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible") +Signed-off-by: Li Xinhai +Suggested-by: Mike Kravetz +Reviewed-by: Mike Kravetz +Cc: Peter Xu +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -5304,21 +5304,23 @@ static bool vma_shareable(struct vm_area + void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma, + unsigned long *start, unsigned long *end) + { +- unsigned long a_start, a_end; ++ unsigned long v_start = ALIGN(vma->vm_start, PUD_SIZE), ++ v_end = ALIGN_DOWN(vma->vm_end, PUD_SIZE); + +- if (!(vma->vm_flags & VM_MAYSHARE)) ++ /* ++ * vma need span at least one aligned PUD size and the start,end range ++ * must at least partialy within it. ++ */ ++ if (!(vma->vm_flags & VM_MAYSHARE) || !(v_end > v_start) || ++ (*end <= v_start) || (*start >= v_end)) + return; + + /* Extend the range to be PUD aligned for a worst case scenario */ +- a_start = ALIGN_DOWN(*start, PUD_SIZE); +- a_end = ALIGN(*end, PUD_SIZE); ++ if (*start > v_start) ++ *start = ALIGN_DOWN(*start, PUD_SIZE); + +- /* +- * Intersect the range with the vma range, since pmd sharing won't be +- * across vma after all +- */ +- *start = max(vma->vm_start, a_start); +- *end = min(vma->vm_end, a_end); ++ if (*end < v_end) ++ *end = ALIGN(*end, PUD_SIZE); + } + + /* diff --git a/queue-5.11/mptcp-fix-spurious-retransmissions.patch b/queue-5.11/mptcp-fix-spurious-retransmissions.patch new file mode 100644 index 00000000000..c303a7d964e --- /dev/null +++ b/queue-5.11/mptcp-fix-spurious-retransmissions.patch @@ -0,0 +1,101 @@ +From 64b9cea7a0afe579dd2682f1f1c04f2e4e72fd25 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Thu, 11 Feb 2021 15:30:39 -0800 +Subject: mptcp: fix spurious retransmissions + +From: Paolo Abeni + +commit 64b9cea7a0afe579dd2682f1f1c04f2e4e72fd25 upstream. + +Syzkaller was able to trigger the following splat again: + +WARNING: CPU: 1 PID: 12512 at net/mptcp/protocol.c:761 mptcp_reset_timer+0x12a/0x160 net/mptcp/protocol.c:761 +Modules linked in: +CPU: 1 PID: 12512 Comm: kworker/1:6 Not tainted 5.10.0-rc6 #52 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Workqueue: events mptcp_worker +RIP: 0010:mptcp_reset_timer+0x12a/0x160 net/mptcp/protocol.c:761 +Code: e8 4b 0c ad ff e8 56 21 88 fe 48 b8 00 00 00 00 00 fc ff df 48 c7 04 03 00 00 00 00 48 83 c4 40 5b 5d 41 5c c3 e8 36 21 88 fe <0f> 0b 41 bc c8 00 00 00 eb 98 e8 e7 b1 af fe e9 30 ff ff ff 48 c7 +RSP: 0018:ffffc900018c7c68 EFLAGS: 00010293 +RAX: ffff888108cb1c80 RBX: 1ffff92000318f8d RCX: ffffffff82ad0307 +RDX: 0000000000000000 RSI: ffffffff82ad036a RDI: 0000000000000007 +RBP: ffff888113e2d000 R08: ffff888108cb1c80 R09: ffffed10227c5ab7 +R10: ffff888113e2d5b7 R11: ffffed10227c5ab6 R12: 0000000000000000 +R13: ffff88801f100000 R14: ffff888113e2d5b0 R15: 0000000000000001 +FS: 0000000000000000(0000) GS:ffff88811b500000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fd76a874ef8 CR3: 000000001689c005 CR4: 0000000000170ee0 +Call Trace: + mptcp_worker+0xaa4/0x1560 net/mptcp/protocol.c:2334 + process_one_work+0x8d3/0x1200 kernel/workqueue.c:2272 + worker_thread+0x9c/0x1090 kernel/workqueue.c:2418 + kthread+0x303/0x410 kernel/kthread.c:292 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 + +The mptcp_worker tries to update the MPTCP retransmission timer +even if such timer is not currently scheduled. + +The mptcp_rtx_head() return value is bogus: we can have enqueued +data not yet transmitted. The above may additionally cause spurious, +unneeded MPTCP-level retransmissions. + +Fix the issue adding an explicit clearing of the rtx queue before +trying to retransmit and checking for unacked data. +Additionally drop an unneeded timer stop call and the unused +mptcp_rtx_tail() helper. + +Reported-by: Christoph Paasch +Fixes: 6e628cd3a8f7 ("mptcp: use mptcp release_cb for delayed tasks") +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 3 +-- + net/mptcp/protocol.h | 11 ++--------- + 2 files changed, 3 insertions(+), 11 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -364,8 +364,6 @@ static void mptcp_check_data_fin_ack(str + + /* Look for an acknowledged DATA_FIN */ + if (mptcp_pending_data_fin_ack(sk)) { +- mptcp_stop_timer(sk); +- + WRITE_ONCE(msk->snd_data_fin_enable, 0); + + switch (sk->sk_state) { +@@ -2299,6 +2297,7 @@ static void mptcp_worker(struct work_str + if (!test_and_clear_bit(MPTCP_WORK_RTX, &msk->flags)) + goto unlock; + ++ __mptcp_clean_una(sk); + dfrag = mptcp_rtx_head(sk); + if (!dfrag) + goto unlock; +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -325,20 +325,13 @@ static inline struct mptcp_data_frag *mp + return list_last_entry(&msk->rtx_queue, struct mptcp_data_frag, list); + } + +-static inline struct mptcp_data_frag *mptcp_rtx_tail(const struct sock *sk) ++static inline struct mptcp_data_frag *mptcp_rtx_head(const struct sock *sk) + { + struct mptcp_sock *msk = mptcp_sk(sk); + +- if (!before64(msk->snd_nxt, READ_ONCE(msk->snd_una))) ++ if (msk->snd_una == READ_ONCE(msk->snd_nxt)) + return NULL; + +- return list_last_entry(&msk->rtx_queue, struct mptcp_data_frag, list); +-} +- +-static inline struct mptcp_data_frag *mptcp_rtx_head(const struct sock *sk) +-{ +- struct mptcp_sock *msk = mptcp_sk(sk); +- + return list_first_entry_or_null(&msk->rtx_queue, struct mptcp_data_frag, list); + } + diff --git a/queue-5.11/nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch b/queue-5.11/nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch new file mode 100644 index 00000000000..b16a6089c9c --- /dev/null +++ b/queue-5.11/nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch @@ -0,0 +1,211 @@ +From c9a2f90f4d6b9d42b9912f7aaf68e8d748acfffd Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Mon, 22 Feb 2021 15:09:53 -0500 +Subject: nbd: handle device refs for DESTROY_ON_DISCONNECT properly + +From: Josef Bacik + +commit c9a2f90f4d6b9d42b9912f7aaf68e8d748acfffd upstream. + +There exists a race where we can be attempting to create a new nbd +configuration while a previous configuration is going down, both +configured with DESTROY_ON_DISCONNECT. Normally devices all have a +reference of 1, as they won't be cleaned up until the module is torn +down. However with DESTROY_ON_DISCONNECT we'll make sure that there is +only 1 reference (generally) on the device for the config itself, and +then once the config is dropped, the device is torn down. + +The race that exists looks like this + +TASK1 TASK2 +nbd_genl_connect() + idr_find() + refcount_inc_not_zero(nbd) + * count is 2 here ^^ + nbd_config_put() + nbd_put(nbd) (count is 1) + setup new config + check DESTROY_ON_DISCONNECT + put_dev = true + if (put_dev) nbd_put(nbd) + * free'd here ^^ + +In nbd_genl_connect() we assume that the nbd ref count will be 2, +however clearly that won't be true if the nbd device had been setup as +DESTROY_ON_DISCONNECT with its prior configuration. Fix this by getting +rid of the runtime flag to check if we need to mess with the nbd device +refcount, and use the device NBD_DESTROY_ON_DISCONNECT flag to check if +we need to adjust the ref counts. This was reported by syzkaller with +the following kasan dump + +BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline] +BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] +BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1e0 lib/refcount.c:76 +Read of size 4 at addr ffff888143bf71a0 by task systemd-udevd/8451 + +CPU: 0 PID: 8451 Comm: systemd-udevd Not tainted 5.11.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230 + __kasan_report mm/kasan/report.c:396 [inline] + kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413 + check_memory_region_inline mm/kasan/generic.c:179 [inline] + check_memory_region+0x13d/0x180 mm/kasan/generic.c:185 + instrument_atomic_read include/linux/instrumented.h:71 [inline] + atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] + refcount_dec_not_one+0x71/0x1e0 lib/refcount.c:76 + refcount_dec_and_mutex_lock+0x19/0x140 lib/refcount.c:115 + nbd_put drivers/block/nbd.c:248 [inline] + nbd_release+0x116/0x190 drivers/block/nbd.c:1508 + __blkdev_put+0x548/0x800 fs/block_dev.c:1579 + blkdev_put+0x92/0x570 fs/block_dev.c:1632 + blkdev_close+0x8c/0xb0 fs/block_dev.c:1640 + __fput+0x283/0x920 fs/file_table.c:280 + task_work_run+0xdd/0x190 kernel/task_work.c:140 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:174 [inline] + exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201 + __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] + syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fc1e92b5270 +Code: 73 01 c3 48 8b 0d 38 7d 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c1 20 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24 +RSP: 002b:00007ffe8beb2d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 +RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1e92b5270 +RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007 +RBP: 00007fc1ea16f710 R08: 000000000000004a R09: 0000000000000008 +R10: 0000562f8cb0b2a8 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000562f8cb0afd0 R14: 0000000000000003 R15: 000000000000000e + +Allocated by task 1: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:46 [inline] + set_alloc_info mm/kasan/common.c:401 [inline] + ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429 + kmalloc include/linux/slab.h:552 [inline] + kzalloc include/linux/slab.h:682 [inline] + nbd_dev_add+0x44/0x8e0 drivers/block/nbd.c:1673 + nbd_init+0x250/0x271 drivers/block/nbd.c:2394 + do_one_initcall+0x103/0x650 init/main.c:1223 + do_initcall_level init/main.c:1296 [inline] + do_initcalls init/main.c:1312 [inline] + do_basic_setup init/main.c:1332 [inline] + kernel_init_freeable+0x605/0x689 init/main.c:1533 + kernel_init+0xd/0x1b8 init/main.c:1421 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 + +Freed by task 8451: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 + kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 + kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356 + ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362 + kasan_slab_free include/linux/kasan.h:192 [inline] + slab_free_hook mm/slub.c:1547 [inline] + slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580 + slab_free mm/slub.c:3143 [inline] + kfree+0xdb/0x3b0 mm/slub.c:4139 + nbd_dev_remove drivers/block/nbd.c:243 [inline] + nbd_put.part.0+0x180/0x1d0 drivers/block/nbd.c:251 + nbd_put drivers/block/nbd.c:295 [inline] + nbd_config_put+0x6dd/0x8c0 drivers/block/nbd.c:1242 + nbd_release+0x103/0x190 drivers/block/nbd.c:1507 + __blkdev_put+0x548/0x800 fs/block_dev.c:1579 + blkdev_put+0x92/0x570 fs/block_dev.c:1632 + blkdev_close+0x8c/0xb0 fs/block_dev.c:1640 + __fput+0x283/0x920 fs/file_table.c:280 + task_work_run+0xdd/0x190 kernel/task_work.c:140 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:174 [inline] + exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201 + __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] + syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff888143bf7000 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 416 bytes inside of + 1024-byte region [ffff888143bf7000, ffff888143bf7400) +The buggy address belongs to the page: +page:000000005238f4ce refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143bf0 +head:000000005238f4ce order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x57ff00000010200(slab|head) +raw: 057ff00000010200 ffffea00004b1400 0000000300000003 ffff888010c41140 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888143bf7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888143bf7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888143bf7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888143bf7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Reported-and-tested-by: syzbot+429d3f82d757c211bff3@syzkaller.appspotmail.com +Signed-off-by: Josef Bacik +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/nbd.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -78,8 +78,7 @@ struct link_dead_args { + #define NBD_RT_HAS_PID_FILE 3 + #define NBD_RT_HAS_CONFIG_REF 4 + #define NBD_RT_BOUND 5 +-#define NBD_RT_DESTROY_ON_DISCONNECT 6 +-#define NBD_RT_DISCONNECT_ON_CLOSE 7 ++#define NBD_RT_DISCONNECT_ON_CLOSE 6 + + #define NBD_DESTROY_ON_DISCONNECT 0 + #define NBD_DISCONNECT_REQUESTED 1 +@@ -1924,12 +1923,21 @@ again: + if (info->attrs[NBD_ATTR_CLIENT_FLAGS]) { + u64 flags = nla_get_u64(info->attrs[NBD_ATTR_CLIENT_FLAGS]); + if (flags & NBD_CFLAG_DESTROY_ON_DISCONNECT) { +- set_bit(NBD_RT_DESTROY_ON_DISCONNECT, +- &config->runtime_flags); +- set_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags); +- put_dev = true; ++ /* ++ * We have 1 ref to keep the device around, and then 1 ++ * ref for our current operation here, which will be ++ * inherited by the config. If we already have ++ * DESTROY_ON_DISCONNECT set then we know we don't have ++ * that extra ref already held so we don't need the ++ * put_dev. ++ */ ++ if (!test_and_set_bit(NBD_DESTROY_ON_DISCONNECT, ++ &nbd->flags)) ++ put_dev = true; + } else { +- clear_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags); ++ if (test_and_clear_bit(NBD_DESTROY_ON_DISCONNECT, ++ &nbd->flags)) ++ refcount_inc(&nbd->refs); + } + if (flags & NBD_CFLAG_DISCONNECT_ON_CLOSE) { + set_bit(NBD_RT_DISCONNECT_ON_CLOSE, +@@ -2100,15 +2108,13 @@ static int nbd_genl_reconfigure(struct s + if (info->attrs[NBD_ATTR_CLIENT_FLAGS]) { + u64 flags = nla_get_u64(info->attrs[NBD_ATTR_CLIENT_FLAGS]); + if (flags & NBD_CFLAG_DESTROY_ON_DISCONNECT) { +- if (!test_and_set_bit(NBD_RT_DESTROY_ON_DISCONNECT, +- &config->runtime_flags)) ++ if (!test_and_set_bit(NBD_DESTROY_ON_DISCONNECT, ++ &nbd->flags)) + put_dev = true; +- set_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags); + } else { +- if (test_and_clear_bit(NBD_RT_DESTROY_ON_DISCONNECT, +- &config->runtime_flags)) ++ if (test_and_clear_bit(NBD_DESTROY_ON_DISCONNECT, ++ &nbd->flags)) + refcount_inc(&nbd->refs); +- clear_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags); + } + + if (flags & NBD_CFLAG_DISCONNECT_ON_CLOSE) { diff --git a/queue-5.11/net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch b/queue-5.11/net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch new file mode 100644 index 00000000000..7b3e1babff5 --- /dev/null +++ b/queue-5.11/net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch @@ -0,0 +1,57 @@ +From 27e9c1de529919d8dd7d072415d3bcae77709300 Mon Sep 17 00:00:00 2001 +From: Alexander Egorenkov +Date: Thu, 28 Jan 2021 12:41:04 +0100 +Subject: net/af_iucv: remove WARN_ONCE on malformed RX packets + +From: Alexander Egorenkov + +commit 27e9c1de529919d8dd7d072415d3bcae77709300 upstream. + +syzbot reported the following finding: + +AF_IUCV failed to receive skb, len=0 +WARNING: CPU: 0 PID: 522 at net/iucv/af_iucv.c:2039 afiucv_hs_rcv+0x174/0x190 net/iucv/af_iucv.c:2039 +CPU: 0 PID: 522 Comm: syz-executor091 Not tainted 5.10.0-rc1-syzkaller-07082-g55027a88ec9f #0 +Hardware name: IBM 3906 M04 701 (KVM/Linux) +Call Trace: + [<00000000b87ea538>] afiucv_hs_rcv+0x178/0x190 net/iucv/af_iucv.c:2039 +([<00000000b87ea534>] afiucv_hs_rcv+0x174/0x190 net/iucv/af_iucv.c:2039) + [<00000000b796533e>] __netif_receive_skb_one_core+0x13e/0x188 net/core/dev.c:5315 + [<00000000b79653ce>] __netif_receive_skb+0x46/0x1c0 net/core/dev.c:5429 + [<00000000b79655fe>] netif_receive_skb_internal+0xb6/0x220 net/core/dev.c:5534 + [<00000000b796ac3a>] netif_receive_skb+0x42/0x318 net/core/dev.c:5593 + [<00000000b6fd45f4>] tun_rx_batched.isra.0+0x6fc/0x860 drivers/net/tun.c:1485 + [<00000000b6fddc4e>] tun_get_user+0x1c26/0x27f0 drivers/net/tun.c:1939 + [<00000000b6fe0f00>] tun_chr_write_iter+0x158/0x248 drivers/net/tun.c:1968 + [<00000000b4f22bfa>] call_write_iter include/linux/fs.h:1887 [inline] + [<00000000b4f22bfa>] new_sync_write+0x442/0x648 fs/read_write.c:518 + [<00000000b4f238fe>] vfs_write.part.0+0x36e/0x5d8 fs/read_write.c:605 + [<00000000b4f2984e>] vfs_write+0x10e/0x148 fs/read_write.c:615 + [<00000000b4f29d0e>] ksys_write+0x166/0x290 fs/read_write.c:658 + [<00000000b8dc4ab4>] system_call+0xe0/0x28c arch/s390/kernel/entry.S:415 +Last Breaking-Event-Address: + [<00000000b8dc64d4>] __s390_indirect_jump_r14+0x0/0xc + +Malformed RX packets shouldn't generate any warnings because +debugging info already flows to dropmon via the kfree_skb(). + +Signed-off-by: Alexander Egorenkov +Reviewed-by: Julian Wiedmann +Signed-off-by: Julian Wiedmann +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/iucv/af_iucv.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -2036,7 +2036,6 @@ static int afiucv_hs_rcv(struct sk_buff + char nullstring[8]; + + if (!pskb_may_pull(skb, sizeof(*trans_hdr))) { +- WARN_ONCE(1, "AF_IUCV failed to receive skb, len=%u", skb->len); + kfree_skb(skb); + return NET_RX_SUCCESS; + } diff --git a/queue-5.11/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch b/queue-5.11/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch new file mode 100644 index 00000000000..affabc2092c --- /dev/null +++ b/queue-5.11/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch @@ -0,0 +1,54 @@ +From 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 Mon Sep 17 00:00:00 2001 +From: Marco Elver +Date: Mon, 1 Feb 2021 17:04:20 +0100 +Subject: net: fix up truesize of cloned skb in skb_prepare_for_shift() + +From: Marco Elver + +commit 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 upstream. + +Avoid the assumption that ksize(kmalloc(S)) == ksize(kmalloc(S)): when +cloning an skb, save and restore truesize after pskb_expand_head(). This +can occur if the allocator decides to service an allocation of the same +size differently (e.g. use a different size class, or pass the +allocation on to KFENCE). + +Because truesize is used for bookkeeping (such as sk_wmem_queued), a +modified truesize of a cloned skb may result in corrupt bookkeeping and +relevant warnings (such as in sk_stream_kill_queues()). + +Link: https://lkml.kernel.org/r/X9JR/J6dMMOy1obu@elver.google.com +Reported-by: syzbot+7b99aafdcc2eedea6178@syzkaller.appspotmail.com +Suggested-by: Eric Dumazet +Signed-off-by: Marco Elver +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20210201160420.2826895-1-elver@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3292,7 +3292,19 @@ EXPORT_SYMBOL(skb_split); + */ + static int skb_prepare_for_shift(struct sk_buff *skb) + { +- return skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC); ++ int ret = 0; ++ ++ if (skb_cloned(skb)) { ++ /* Save and restore truesize: pskb_expand_head() may reallocate ++ * memory where ksize(kmalloc(S)) != ksize(kmalloc(S)), but we ++ * cannot change truesize at this point. ++ */ ++ unsigned int save_truesize = skb->truesize; ++ ++ ret = pskb_expand_head(skb, 0, 0, GFP_ATOMIC); ++ skb->truesize = save_truesize; ++ } ++ return ret; + } + + /** diff --git a/queue-5.11/riscv-get-rid-of-max_early_mapping_size.patch b/queue-5.11/riscv-get-rid-of-max_early_mapping_size.patch new file mode 100644 index 00000000000..fcaf5a47038 --- /dev/null +++ b/queue-5.11/riscv-get-rid-of-max_early_mapping_size.patch @@ -0,0 +1,98 @@ +From 0f02de4481da684aad6589aed0ea47bd1ab391c9 Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Sun, 21 Feb 2021 09:22:33 -0500 +Subject: riscv: Get rid of MAX_EARLY_MAPPING_SIZE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexandre Ghiti + +commit 0f02de4481da684aad6589aed0ea47bd1ab391c9 upstream. + +At early boot stage, we have a whole PGDIR to map the kernel, so there +is no need to restrict the early mapping size to 128MB. Removing this +define also allows us to simplify some compile time logic. + +This fixes large kernel mappings with a size greater than 128MB, as it +is the case for syzbot kernels whose size was just ~130MB. + +Note that on rv64, for now, we are then limited to PGDIR size for early +mapping as we can't use PGD mappings (see [1]). That should be enough +given the relative small size of syzbot kernels compared to PGDIR_SIZE +which is 1GB. + +[1] https://lore.kernel.org/lkml/20200603153608.30056-1-alex@ghiti.fr/ + +Reported-by: Dmitry Vyukov +Signed-off-by: Alexandre Ghiti +Tested-by: Dmitry Vyukov +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/mm/init.c | 21 +++++---------------- + 1 file changed, 5 insertions(+), 16 deletions(-) + +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -226,8 +226,6 @@ pgd_t swapper_pg_dir[PTRS_PER_PGD] __pag + pgd_t trampoline_pg_dir[PTRS_PER_PGD] __page_aligned_bss; + pte_t fixmap_pte[PTRS_PER_PTE] __page_aligned_bss; + +-#define MAX_EARLY_MAPPING_SIZE SZ_128M +- + pgd_t early_pg_dir[PTRS_PER_PGD] __initdata __aligned(PAGE_SIZE); + + void __set_fixmap(enum fixed_addresses idx, phys_addr_t phys, pgprot_t prot) +@@ -302,13 +300,7 @@ static void __init create_pte_mapping(pt + + pmd_t trampoline_pmd[PTRS_PER_PMD] __page_aligned_bss; + pmd_t fixmap_pmd[PTRS_PER_PMD] __page_aligned_bss; +- +-#if MAX_EARLY_MAPPING_SIZE < PGDIR_SIZE +-#define NUM_EARLY_PMDS 1UL +-#else +-#define NUM_EARLY_PMDS (1UL + MAX_EARLY_MAPPING_SIZE / PGDIR_SIZE) +-#endif +-pmd_t early_pmd[PTRS_PER_PMD * NUM_EARLY_PMDS] __initdata __aligned(PAGE_SIZE); ++pmd_t early_pmd[PTRS_PER_PMD] __initdata __aligned(PAGE_SIZE); + pmd_t early_dtb_pmd[PTRS_PER_PMD] __initdata __aligned(PAGE_SIZE); + + static pmd_t *__init get_pmd_virt_early(phys_addr_t pa) +@@ -330,11 +322,9 @@ static pmd_t *get_pmd_virt_late(phys_add + + static phys_addr_t __init alloc_pmd_early(uintptr_t va) + { +- uintptr_t pmd_num; ++ BUG_ON((va - PAGE_OFFSET) >> PGDIR_SHIFT); + +- pmd_num = (va - PAGE_OFFSET) >> PGDIR_SHIFT; +- BUG_ON(pmd_num >= NUM_EARLY_PMDS); +- return (uintptr_t)&early_pmd[pmd_num * PTRS_PER_PMD]; ++ return (uintptr_t)early_pmd; + } + + static phys_addr_t __init alloc_pmd_fixmap(uintptr_t va) +@@ -452,7 +442,7 @@ asmlinkage void __init setup_vm(uintptr_ + uintptr_t va, pa, end_va; + uintptr_t load_pa = (uintptr_t)(&_start); + uintptr_t load_sz = (uintptr_t)(&_end) - load_pa; +- uintptr_t map_size = best_map_size(load_pa, MAX_EARLY_MAPPING_SIZE); ++ uintptr_t map_size; + #ifndef __PAGETABLE_PMD_FOLDED + pmd_t fix_bmap_spmd, fix_bmap_epmd; + #endif +@@ -464,12 +454,11 @@ asmlinkage void __init setup_vm(uintptr_ + * Enforce boot alignment requirements of RV32 and + * RV64 by only allowing PMD or PGD mappings. + */ +- BUG_ON(map_size == PAGE_SIZE); ++ map_size = PMD_SIZE; + + /* Sanity check alignment and size */ + BUG_ON((PAGE_OFFSET % PGDIR_SIZE) != 0); + BUG_ON((load_pa % map_size) != 0); +- BUG_ON(load_sz > MAX_EARLY_MAPPING_SIZE); + + pt_ops.alloc_pte = alloc_pte_early; + pt_ops.get_pte_virt = get_pte_virt_early; diff --git a/queue-5.11/sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch b/queue-5.11/sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch new file mode 100644 index 00000000000..59005066b38 --- /dev/null +++ b/queue-5.11/sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch @@ -0,0 +1,61 @@ +From 1b7af295541d75535374325fd617944534853919 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Sat, 29 Aug 2020 10:22:24 -0700 +Subject: sched/core: Allow try_invoke_on_locked_down_task() with irqs disabled + +From: Peter Zijlstra + +commit 1b7af295541d75535374325fd617944534853919 upstream. + +The try_invoke_on_locked_down_task() function currently requires +that interrupts be enabled, but it is called with interrupts +disabled from rcu_print_task_stall(), resulting in an "IRQs not +enabled as expected" diagnostic. This commit therefore updates +try_invoke_on_locked_down_task() to use raw_spin_lock_irqsave() instead +of raw_spin_lock_irq(), thus allowing use from either context. + +Link: https://lore.kernel.org/lkml/000000000000903d5805ab908fc4@google.com/ +Link: https://lore.kernel.org/lkml/20200928075729.GC2611@hirez.programming.kicks-ass.net/ +Reported-by: syzbot+cb3b69ae80afd6535b0e@syzkaller.appspotmail.com +Signed-off-by: Peter Zijlstra +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -3478,7 +3478,7 @@ out: + + /** + * try_invoke_on_locked_down_task - Invoke a function on task in fixed state +- * @p: Process for which the function is to be invoked. ++ * @p: Process for which the function is to be invoked, can be @current. + * @func: Function to invoke. + * @arg: Argument to function. + * +@@ -3496,12 +3496,11 @@ out: + */ + bool try_invoke_on_locked_down_task(struct task_struct *p, bool (*func)(struct task_struct *t, void *arg), void *arg) + { +- bool ret = false; + struct rq_flags rf; ++ bool ret = false; + struct rq *rq; + +- lockdep_assert_irqs_enabled(); +- raw_spin_lock_irq(&p->pi_lock); ++ raw_spin_lock_irqsave(&p->pi_lock, rf.flags); + if (p->on_rq) { + rq = __task_rq_lock(p, &rf); + if (task_rq(p) == rq) +@@ -3518,7 +3517,7 @@ bool try_invoke_on_locked_down_task(stru + ret = func(p, arg); + } + } +- raw_spin_unlock_irq(&p->pi_lock); ++ raw_spin_unlock_irqrestore(&p->pi_lock, rf.flags); + return ret; + } + diff --git a/queue-5.11/series b/queue-5.11/series index a90fa65921f..6f18c002092 100644 --- a/queue-5.11/series +++ b/queue-5.11/series @@ -1,3 +1,20 @@ net-usb-qmi_wwan-support-zte-p685m-modem.patch iwlwifi-add-new-cards-for-so-and-qu-family.patch x86-build-treat-r_386_plt32-relocation-as-r_386_pc32.patch +jfs-more-checks-for-invalid-superblock.patch +sched-core-allow-try_invoke_on_locked_down_task-with-irqs-disabled.patch +udlfb-fix-memory-leak-in-dlfb_usb_probe.patch +media-mceusb-sanity-check-for-prescaler-value.patch +erofs-fix-shift-out-of-bounds-of-blkszbits.patch +media-v4l2-ctrls.c-fix-shift-out-of-bounds-in-std_validate.patch +media-zr364xx-fix-memory-leaks-in-probe.patch +xfs-fix-assert-failure-in-xfs_setattr_size.patch +net-af_iucv-remove-warn_once-on-malformed-rx-packets.patch +smackfs-restrict-bytes-count-in-smackfs-write-functions.patch +tomoyo-ignore-data-race-while-checking-quota.patch +net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch +mptcp-fix-spurious-retransmissions.patch +riscv-get-rid-of-max_early_mapping_size.patch +nbd-handle-device-refs-for-destroy_on_disconnect-properly.patch +mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch +vfio-type1-use-follow_pte.patch diff --git a/queue-5.11/smackfs-restrict-bytes-count-in-smackfs-write-functions.patch b/queue-5.11/smackfs-restrict-bytes-count-in-smackfs-write-functions.patch new file mode 100644 index 00000000000..f17dda7400a --- /dev/null +++ b/queue-5.11/smackfs-restrict-bytes-count-in-smackfs-write-functions.patch @@ -0,0 +1,108 @@ +From 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 Mon Sep 17 00:00:00 2001 +From: Sabyrzhan Tasbolatov +Date: Thu, 28 Jan 2021 17:58:01 +0600 +Subject: smackfs: restrict bytes count in smackfs write functions + +From: Sabyrzhan Tasbolatov + +commit 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 upstream. + +syzbot found WARNINGs in several smackfs write operations where +bytes count is passed to memdup_user_nul which exceeds +GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE. + +Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO, +smk_write_net6addr accepts any label or -DELETE. I couldn't find +any general rule for other label lengths except SMK_LABELLEN, +SMK_LONGLABEL, SMK_CIPSOMAX which are documented. + +Let's constrain, in general, smackfs label lengths for PAGE_SIZE. +Although fuzzer crashes write to smackfs/netlabel on 0x400000 length. + +Here is a quick way to reproduce the WARNING: +python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel + +Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com +Signed-off-by: Sabyrzhan Tasbolatov +Signed-off-by: Casey Schaufler +Signed-off-by: Greg Kroah-Hartman +--- + security/smack/smackfs.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -1167,7 +1167,7 @@ static ssize_t smk_write_net4addr(struct + return -EPERM; + if (*ppos != 0) + return -EINVAL; +- if (count < SMK_NETLBLADDRMIN) ++ if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) + return -EINVAL; + + data = memdup_user_nul(buf, count); +@@ -1427,7 +1427,7 @@ static ssize_t smk_write_net6addr(struct + return -EPERM; + if (*ppos != 0) + return -EINVAL; +- if (count < SMK_NETLBLADDRMIN) ++ if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) + return -EINVAL; + + data = memdup_user_nul(buf, count); +@@ -1834,6 +1834,10 @@ static ssize_t smk_write_ambient(struct + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ /* Enough data must be present */ ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2005,6 +2009,9 @@ static ssize_t smk_write_onlycap(struct + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ if (count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2092,6 +2099,9 @@ static ssize_t smk_write_unconfined(stru + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ if (count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2648,6 +2658,10 @@ static ssize_t smk_write_syslog(struct f + if (!smack_privileged(CAP_MAC_ADMIN)) + return -EPERM; + ++ /* Enough data must be present */ ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; ++ + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) + return PTR_ERR(data); +@@ -2740,10 +2754,13 @@ static ssize_t smk_write_relabel_self(st + return -EPERM; + + /* ++ * No partial write. + * Enough data must be present. + */ + if (*ppos != 0) + return -EINVAL; ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; + + data = memdup_user_nul(buf, count); + if (IS_ERR(data)) diff --git a/queue-5.11/tomoyo-ignore-data-race-while-checking-quota.patch b/queue-5.11/tomoyo-ignore-data-race-while-checking-quota.patch new file mode 100644 index 00000000000..6932eea0a89 --- /dev/null +++ b/queue-5.11/tomoyo-ignore-data-race-while-checking-quota.patch @@ -0,0 +1,177 @@ +From 5797e861e402fff2bedce4ec8b7c89f4248b6073 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 1 Feb 2021 11:52:11 +0900 +Subject: tomoyo: ignore data race while checking quota + +From: Tetsuo Handa + +commit 5797e861e402fff2bedce4ec8b7c89f4248b6073 upstream. + +syzbot is reporting that tomoyo's quota check is racy [1]. But this check +is tolerant of some degree of inaccuracy. Thus, teach KCSAN to ignore +this data race. + +[1] https://syzkaller.appspot.com/bug?id=999533deec7ba6337f8aa25d8bd1a4d5f7e50476 + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Greg Kroah-Hartman +--- + security/tomoyo/file.c | 16 ++++++++-------- + security/tomoyo/network.c | 8 ++++---- + security/tomoyo/util.c | 24 ++++++++++++------------ + 3 files changed, 24 insertions(+), 24 deletions(-) + +--- a/security/tomoyo/file.c ++++ b/security/tomoyo/file.c +@@ -362,14 +362,14 @@ static bool tomoyo_merge_path_acl(struct + { + u16 * const a_perm = &container_of(a, struct tomoyo_path_acl, head) + ->perm; +- u16 perm = *a_perm; ++ u16 perm = READ_ONCE(*a_perm); + const u16 b_perm = container_of(b, struct tomoyo_path_acl, head)->perm; + + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +@@ -437,7 +437,7 @@ static bool tomoyo_merge_mkdev_acl(struc + { + u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl, + head)->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_mkdev_acl, head) + ->perm; + +@@ -445,7 +445,7 @@ static bool tomoyo_merge_mkdev_acl(struc + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +@@ -517,14 +517,14 @@ static bool tomoyo_merge_path2_acl(struc + { + u8 * const a_perm = &container_of(a, struct tomoyo_path2_acl, head) + ->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_path2_acl, head)->perm; + + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +@@ -655,7 +655,7 @@ static bool tomoyo_merge_path_number_acl + { + u8 * const a_perm = &container_of(a, struct tomoyo_path_number_acl, + head)->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_path_number_acl, head) + ->perm; + +@@ -663,7 +663,7 @@ static bool tomoyo_merge_path_number_acl + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +--- a/security/tomoyo/network.c ++++ b/security/tomoyo/network.c +@@ -233,14 +233,14 @@ static bool tomoyo_merge_inet_acl(struct + { + u8 * const a_perm = + &container_of(a, struct tomoyo_inet_acl, head)->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_inet_acl, head)->perm; + + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +@@ -259,14 +259,14 @@ static bool tomoyo_merge_unix_acl(struct + { + u8 * const a_perm = + &container_of(a, struct tomoyo_unix_acl, head)->perm; +- u8 perm = *a_perm; ++ u8 perm = READ_ONCE(*a_perm); + const u8 b_perm = container_of(b, struct tomoyo_unix_acl, head)->perm; + + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; +- *a_perm = perm; ++ WRITE_ONCE(*a_perm, perm); + return !perm; + } + +--- a/security/tomoyo/util.c ++++ b/security/tomoyo/util.c +@@ -1058,30 +1058,30 @@ bool tomoyo_domain_quota_is_ok(struct to + + if (ptr->is_deleted) + continue; ++ /* ++ * Reading perm bitmap might race with tomoyo_merge_*() because ++ * caller does not hold tomoyo_policy_lock mutex. But exceeding ++ * max_learning_entry parameter by a few entries does not harm. ++ */ + switch (ptr->type) { + case TOMOYO_TYPE_PATH_ACL: +- perm = container_of(ptr, struct tomoyo_path_acl, head) +- ->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_path_acl, head)->perm); + break; + case TOMOYO_TYPE_PATH2_ACL: +- perm = container_of(ptr, struct tomoyo_path2_acl, head) +- ->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_path2_acl, head)->perm); + break; + case TOMOYO_TYPE_PATH_NUMBER_ACL: +- perm = container_of(ptr, struct tomoyo_path_number_acl, +- head)->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_path_number_acl, head) ++ ->perm); + break; + case TOMOYO_TYPE_MKDEV_ACL: +- perm = container_of(ptr, struct tomoyo_mkdev_acl, +- head)->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_mkdev_acl, head)->perm); + break; + case TOMOYO_TYPE_INET_ACL: +- perm = container_of(ptr, struct tomoyo_inet_acl, +- head)->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_inet_acl, head)->perm); + break; + case TOMOYO_TYPE_UNIX_ACL: +- perm = container_of(ptr, struct tomoyo_unix_acl, +- head)->perm; ++ data_race(perm = container_of(ptr, struct tomoyo_unix_acl, head)->perm); + break; + case TOMOYO_TYPE_MANUAL_TASK_ACL: + perm = 0; diff --git a/queue-5.11/udlfb-fix-memory-leak-in-dlfb_usb_probe.patch b/queue-5.11/udlfb-fix-memory-leak-in-dlfb_usb_probe.patch new file mode 100644 index 00000000000..c3fa16b2388 --- /dev/null +++ b/queue-5.11/udlfb-fix-memory-leak-in-dlfb_usb_probe.patch @@ -0,0 +1,59 @@ +From 5c0e4110f751934e748a66887c61f8e73805f0f9 Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Tue, 15 Dec 2020 14:30:22 +0800 +Subject: udlfb: Fix memory leak in dlfb_usb_probe + +From: Zqiang + +commit 5c0e4110f751934e748a66887c61f8e73805f0f9 upstream. + +The dlfb_alloc_urb_list function is called in dlfb_usb_probe function, +after that if an error occurs, the dlfb_free_urb_list function need to +be called. + +BUG: memory leak +unreferenced object 0xffff88810adde100 (size 32): + comm "kworker/1:0", pid 17, jiffies 4294947788 (age 19.520s) + hex dump (first 32 bytes): + 10 30 c3 0d 81 88 ff ff c0 fa 63 12 81 88 ff ff .0........c..... + 00 30 c3 0d 81 88 ff ff 80 d1 3a 08 81 88 ff ff .0........:..... + backtrace: + [<0000000019512953>] kmalloc include/linux/slab.h:552 [inline] + [<0000000019512953>] kzalloc include/linux/slab.h:664 [inline] + [<0000000019512953>] dlfb_alloc_urb_list drivers/video/fbdev/udlfb.c:1892 [inline] + [<0000000019512953>] dlfb_usb_probe.cold+0x289/0x988 drivers/video/fbdev/udlfb.c:1704 + [<0000000072160152>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 + [<00000000a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554 + [<00000000c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738 + [<00000000e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844 + [<00000000de0a5a5c>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431 + [<00000000463fbcb4>] __device_attach+0x122/0x250 drivers/base/dd.c:912 + [<00000000b881a711>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491 + [<00000000364bbda5>] device_add+0x5ac/0xc30 drivers/base/core.c:2936 + [<00000000eecca418>] usb_set_configuration+0x9de/0xb90 drivers/usb/core/message.c:2159 + [<00000000edfeca2d>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 + [<000000001830872b>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 + [<00000000a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554 + [<00000000c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738 + [<00000000e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844 + [<00000000de0a5a5c>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431 + +Reported-by: syzbot+c9e365d7f450e8aa615d@syzkaller.appspotmail.com +Signed-off-by: Zqiang +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20201215063022.16746-1-qiang.zhang@windriver.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/udlfb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1017,6 +1017,7 @@ static void dlfb_ops_destroy(struct fb_i + } + vfree(dlfb->backing_buffer); + kfree(dlfb->edid); ++ dlfb_free_urb_list(dlfb); + usb_put_dev(dlfb->udev); + kfree(dlfb); + diff --git a/queue-5.11/vfio-type1-use-follow_pte.patch b/queue-5.11/vfio-type1-use-follow_pte.patch new file mode 100644 index 00000000000..196e2c7d001 --- /dev/null +++ b/queue-5.11/vfio-type1-use-follow_pte.patch @@ -0,0 +1,65 @@ +From 07956b6269d3ed05d854233d5bb776dca91751dd Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Tue, 16 Feb 2021 15:49:34 -0700 +Subject: vfio/type1: Use follow_pte() + +From: Alex Williamson + +commit 07956b6269d3ed05d854233d5bb776dca91751dd upstream. + +follow_pfn() doesn't make sure that we're using the correct page +protections, get the pte with follow_pte() so that we can test +protections and get the pfn from the pte. + +Fixes: 5cbf3264bc71 ("vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn()") +Reviewed-by: Jason Gunthorpe +Reviewed-by: Cornelia Huck +Reviewed-by: Peter Xu +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/vfio_iommu_type1.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -431,9 +432,11 @@ static int follow_fault_pfn(struct vm_ar + unsigned long vaddr, unsigned long *pfn, + bool write_fault) + { ++ pte_t *ptep; ++ spinlock_t *ptl; + int ret; + +- ret = follow_pfn(vma, vaddr, pfn); ++ ret = follow_pte(vma->vm_mm, vaddr, &ptep, &ptl); + if (ret) { + bool unlocked = false; + +@@ -447,9 +450,17 @@ static int follow_fault_pfn(struct vm_ar + if (ret) + return ret; + +- ret = follow_pfn(vma, vaddr, pfn); ++ ret = follow_pte(vma->vm_mm, vaddr, &ptep, &ptl); ++ if (ret) ++ return ret; + } + ++ if (write_fault && !pte_write(*ptep)) ++ ret = -EFAULT; ++ else ++ *pfn = pte_pfn(*ptep); ++ ++ pte_unmap_unlock(ptep, ptl); + return ret; + } + diff --git a/queue-5.11/xfs-fix-assert-failure-in-xfs_setattr_size.patch b/queue-5.11/xfs-fix-assert-failure-in-xfs_setattr_size.patch new file mode 100644 index 00000000000..2a84c81e61c --- /dev/null +++ b/queue-5.11/xfs-fix-assert-failure-in-xfs_setattr_size.patch @@ -0,0 +1,35 @@ +From 88a9e03beef22cc5fabea344f54b9a0dfe63de08 Mon Sep 17 00:00:00 2001 +From: Yumei Huang +Date: Fri, 22 Jan 2021 16:48:19 -0800 +Subject: xfs: Fix assert failure in xfs_setattr_size() + +From: Yumei Huang + +commit 88a9e03beef22cc5fabea344f54b9a0dfe63de08 upstream. + +An assert failure is triggered by syzkaller test due to +ATTR_KILL_PRIV is not cleared before xfs_setattr_size. +As ATTR_KILL_PRIV is not checked/used by xfs_setattr_size, +just remove it from the assert. + +Signed-off-by: Yumei Huang +Reviewed-by: Brian Foster +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_iops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xfs/xfs_iops.c ++++ b/fs/xfs/xfs_iops.c +@@ -846,7 +846,7 @@ xfs_setattr_size( + ASSERT(xfs_isilocked(ip, XFS_MMAPLOCK_EXCL)); + ASSERT(S_ISREG(inode->i_mode)); + ASSERT((iattr->ia_valid & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| +- ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); ++ ATTR_MTIME_SET|ATTR_TIMES_SET)) == 0); + + oldsize = inode->i_size; + newsize = iattr->ia_size; -- 2.47.3