From edd77f41b6e777d89800f89b54c2a80089bbd85c Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Tue, 23 Jun 2020 15:34:15 +0200 Subject: [PATCH] Drop "kernel/relay.c: handle alloc_percpu returning NULL in relay_open" --- debian/changelog | 1 - ...andle-alloc_percpu-returning-NULL-in.patch | 71 ------------------- debian/patches/series | 1 - 3 files changed, 73 deletions(-) delete mode 100644 debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch diff --git a/debian/changelog b/debian/changelog index 268d78b3c..79efde8f3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -448,7 +448,6 @@ linux (4.19.127-1) UNRELEASED; urgency=medium - HID: sony: Fix for broken buttons on DS3 USB dongles - HID: i2c-hid: add Schneider SCL142ALM to descriptor override - p54usb: add AirVasT USB stick device-id - - kernel/relay.c: handle alloc_percpu returning NULL in relay_open - mmc: fix compilation of user API - scsi: ufs: Release clock if DMA map fails - net: dsa: mt7530: set CPU port to fallback mode diff --git a/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch b/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch deleted file mode 100644 index 0772ccfbe..000000000 --- a/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch +++ /dev/null @@ -1,71 +0,0 @@ -From: Daniel Axtens -Date: Thu, 4 Jun 2020 16:51:27 -0700 -Subject: kernel/relay.c: handle alloc_percpu returning NULL in relay_open -Origin: https://git.kernel.org/linus/54e200ab40fc14c863bcc80a51e20b7906608fce -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19462 - -alloc_percpu() may return NULL, which means chan->buf may be set to NULL. -In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an -invalid pointer: - - BUG: Unable to handle kernel data access at 0x7dae0000 - Faulting instruction address: 0xc0000000003f3fec - ... - NIP relay_open+0x29c/0x600 - LR relay_open+0x270/0x600 - Call Trace: - relay_open+0x264/0x600 (unreliable) - __blk_trace_setup+0x254/0x600 - blk_trace_setup+0x68/0xa0 - sg_ioctl+0x7bc/0x2e80 - do_vfs_ioctl+0x13c/0x1300 - ksys_ioctl+0x94/0x130 - sys_ioctl+0x48/0xb0 - system_call+0x5c/0x68 - -Check if alloc_percpu returns NULL. - -This was found by syzkaller both on x86 and powerpc, and the reproducer -it found on powerpc is capable of hitting the issue as an unprivileged -user. - -Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers") -Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com -Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com -Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com -Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com -Signed-off-by: Daniel Axtens -Signed-off-by: Andrew Morton -Reviewed-by: Michael Ellerman -Reviewed-by: Andrew Donnellan -Acked-by: David Rientjes -Cc: Akash Goel -Cc: Andrew Donnellan -Cc: Guenter Roeck -Cc: Salvatore Bonaccorso -Cc: [4.10+] -Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net -Signed-off-by: Linus Torvalds ---- - kernel/relay.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/kernel/relay.c b/kernel/relay.c -index 90c7a002436d..dc82705e1cff 100644 ---- a/kernel/relay.c -+++ b/kernel/relay.c -@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *base_filename, - return NULL; - - chan->buf = alloc_percpu(struct rchan_buf *); -+ if (!chan->buf) { -+ kfree(chan); -+ return NULL; -+ } -+ - chan->version = RELAYFS_CHANNEL_VERSION; - chan->n_subbufs = n_subbufs; - chan->subbuf_size = subbuf_size; --- -2.27.0.rc0 - diff --git a/debian/patches/series b/debian/patches/series index 7c1319b05..7b2fed92e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -296,7 +296,6 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch -bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch bugfix/all/mm-Fix-mremap-not-considering-huge-pmd-devmap.patch bugfix/x86/srbds/0001-x86-cpu-Add-a-steppings-field-to-struct-x86_cpu_id.patch bugfix/x86/srbds/0002-x86-cpu-Add-table-argument-to-cpu_matches.patch