1. 16 Aug, 2016 17 commits
    • Dave Weinstein's avatar
      arm: oabi compat: add missing access checks · 0107ea0e
      Dave Weinstein authored
      commit 7de24996 upstream.
      
      Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
      This fixes CVE-2016-3857, a local privilege escalation under
      CONFIG_OABI_COMPAT.
      Reported-by: default avatarChiachih Wu <wuchiachih@gmail.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarNicolas Pitre <nico@linaro.org>
      Signed-off-by: default avatarDave Weinstein <olorin@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0107ea0e
    • Bjørn Mork's avatar
      cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind · 66e5d7b4
      Bjørn Mork authored
      commit 4d06dd53 upstream.
      
      usbnet_link_change will call schedule_work and should be
      avoided if bind is failing. Otherwise we will end up with
      scheduled work referring to a netdev which has gone away.
      
      Instead of making the call conditional, we can just defer
      it to usbnet_probe, using the driver_info flag made for
      this purpose.
      
      Fixes: 8a34b0ae ("usbnet: cdc_ncm: apply usbnet_link_change")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@gmail.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66e5d7b4
    • Mika Westerberg's avatar
      i2c: i801: Allow ACPI SystemIO OpRegion to conflict with PCI BAR · 3088903a
      Mika Westerberg authored
      commit a7ae8195 upstream.
      
      Many Intel systems the BIOS declares a SystemIO OpRegion below the SMBus
      PCI device as can be seen in ACPI DSDT table from Lenovo Yoga 900:
      
        Device (SBUS)
        {
            OperationRegion (SMBI, SystemIO, (SBAR << 0x05), 0x10)
            Field (SMBI, ByteAcc, NoLock, Preserve)
            {
                HSTS,   8,
                Offset (0x02),
                HCON,   8,
                HCOM,   8,
                TXSA,   8,
                DAT0,   8,
                DAT1,   8,
                HBDR,   8,
                PECR,   8,
                RXSA,   8,
                SDAT,   16
            }
      
      There are also bunch of AML methods that that the BIOS can use to access
      these fields. Most of the systems in question AML methods accessing the
      SMBI OpRegion are never used.
      
      Now, because of this SMBI OpRegion many systems fail to load the SMBus
      driver with an error looking like one below:
      
        ACPI Warning: SystemIO range 0x0000000000003040-0x000000000000305F
             conflicts with OpRegion 0x0000000000003040-0x000000000000304F
             (\_SB.PCI0.SBUS.SMBI) (20160108/utaddress-255)
        ACPI: If an ACPI driver is available for this device, you should use
             it instead of the native driver
      
      The reason is that this SMBI OpRegion conflicts with the PCI BAR used by
      the SMBus driver.
      
      It turns out that we can install a custom SystemIO address space handler
      for the SMBus device to intercept all accesses through that OpRegion. This
      allows us to share the PCI BAR with the AML code if it for some reason is
      using it. We do not expect that this OpRegion handler will ever be called
      but if it is we print a warning and prevent all access from the SMBus
      driver itself.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=110041Reported-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reported-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Suggested-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Acked-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Reviewed-by: default avatarJean Delvare <jdelvare@suse.de>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarJean Delvare <jdelvare@suse.de>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3088903a
    • Hector Marco-Gisbert's avatar
      x86/mm/32: Enable full randomization on i386 and X86_32 · 979a61a0
      Hector Marco-Gisbert authored
      commit 8b8addf8 upstream.
      
      Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
      the stack and the executable are randomized but not other mmapped files
      (libraries, vDSO, etc.). This patch enables randomization for the
      libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.
      
      By default on i386 there are 8 bits for the randomization of the libraries,
      vDSO and mmaps which only uses 1MB of VA.
      
      This patch preserves the original randomness, using 1MB of VA out of 3GB or
      4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.
      
      The first obvious security benefit is that all objects are randomized (not
      only the stack and the executable) in legacy mode which highly increases
      the ASLR effectiveness, otherwise the attackers may use these
      non-randomized areas. But also sensitive setuid/setgid applications are
      more secure because currently, attackers can disable the randomization of
      these applications by setting the ulimit stack to "unlimited". This is a
      very old and widely known trick to disable the ASLR in i386 which has been
      allowed for too long.
      
      Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
      personality flag, but fortunately this doesn't work on setuid/setgid
      applications because there is security checks which clear Security-relevant
      flags.
      
      This patch always randomizes the mmap_legacy_base address, removing the
      possibility to disable the ASLR by setting the stack to "unlimited".
      Signed-off-by: default avatarHector Marco-Gisbert <hecmargi@upv.es>
      Acked-by: default avatarIsmael Ripoll Ripoll <iripoll@upv.es>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarArjan van de Ven <arjan@linux.intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: akpm@linux-foundation.org
      Cc: kees Cook <keescook@chromium.org>
      Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.esSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Laura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      979a61a0
    • Benjamin Tissoires's avatar
      HID: sony: do not bail out when the sixaxis refuses the output report · 6e124249
      Benjamin Tissoires authored
      commit 19f4c2ba upstream.
      
      When setting the operational mode, some third party (Speedlink Strike-FX)
      gamepads refuse the output report. Failing here means we refuse to
      initialize the gamepad while this should be harmless.
      
      The weird part is that the initial commit that added this: a7de9b86
      ("HID: sony: Enable Gasia third-party PS3 controllers") mentions this
      very same controller as one requiring this output report.
      Anyway, it's broken for one user at least, so let's change it.
      We will report an error, but at least the controller should work.
      
      And no, these devices present themselves as legacy Sony controllers
      (VID:PID of 054C:0268, as in the official ones) so there are no ways
      of discriminating them from the official ones.
      
      https://bugzilla.redhat.com/show_bug.cgi?id=1255325Reported-and-tested-by: default avatarMax Fedotov <thesourcehim@gmail.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Cc: Laura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e124249
    • Christophe Le Roy's avatar
      PNP: Add Broadwell to Intel MCH size workaround · d71d4ace
      Christophe Le Roy authored
      commit a77060f0 upstream.
      
      Add device ID 0x1604 for Broadwell to commit cb171f7a ("PNP:
      Work around BIOS defects in Intel MCH area reporting").
      
      >From a Lenovo ThinkPad T550:
      
        system 00:01: [io  0x1800-0x189f] could not be reserved
        system 00:01: [io  0x0800-0x087f] has been reserved
        system 00:01: [io  0x0880-0x08ff] has been reserved
        system 00:01: [io  0x0900-0x097f] has been reserved
        system 00:01: [io  0x0980-0x09ff] has been reserved
        system 00:01: [io  0x0a00-0x0a7f] has been reserved
        system 00:01: [io  0x0a80-0x0aff] has been reserved
        system 00:01: [io  0x0b00-0x0b7f] has been reserved
        system 00:01: [io  0x0b80-0x0bff] has been reserved
        system 00:01: [io  0x15e0-0x15ef] has been reserved
        system 00:01: [io  0x1600-0x167f] has been reserved
        system 00:01: [io  0x1640-0x165f] has been reserved
        system 00:01: [mem 0xf8000000-0xfbffffff] could not be reserved
        system 00:01: [mem 0xfed1c000-0xfed1ffff] has been reserved
        system 00:01: [mem 0xfed10000-0xfed13fff] has been reserved
        system 00:01: [mem 0xfed18000-0xfed18fff] has been reserved
        system 00:01: [mem 0xfed19000-0xfed19fff] has been reserved
        system 00:01: [mem 0xfed45000-0xfed4bfff] has been reserved
        system 00:01: Plug and Play ACPI device, IDs PNP0c02 (active)
        [...]
        resource sanity check: requesting [mem 0xfed10000-0xfed15fff], which spans more than pnp 00:01 [mem 0xfed10000-0xfed13fff]
        ------------[ cut here ]------------
        WARNING: CPU: 2 PID: 1 at /build/linux-CrHvZ_/linux-4.2.6/arch/x86/mm/ioremap.c:198 __ioremap_caller+0x2ee/0x360()
        Info: mapping multiple BARs. Your kernel is fine.
        Modules linked in:
        CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.2.0-1-amd64 #1 Debian 4.2.6-1
        Hardware name: LENOVO 20CKCTO1WW/20CKCTO1WW, BIOS N11ET34W (1.10 ) 08/20/2015
         0000000000000000 ffffffff817e6868 ffffffff8154e2f6 ffff8802241efbf8
         ffffffff8106e5b1 ffffc90000e98000 0000000000006000 ffffc90000e98000
         0000000000006000 0000000000000000 ffffffff8106e62a ffffffff817e68c8
        Call Trace:
         [<ffffffff8154e2f6>] ? dump_stack+0x40/0x50
         [<ffffffff8106e5b1>] ? warn_slowpath_common+0x81/0xb0
         [<ffffffff8106e62a>] ? warn_slowpath_fmt+0x4a/0x50
         [<ffffffff810742a3>] ? iomem_map_sanity_check+0xb3/0xc0
         [<ffffffff8105dade>] ? __ioremap_caller+0x2ee/0x360
         [<ffffffff81036ae6>] ? snb_uncore_imc_init_box+0x66/0x90
         [<ffffffff810351a8>] ? uncore_pci_probe+0xc8/0x1a0
         [<ffffffff81302d7f>] ? local_pci_probe+0x3f/0xa0
         [<ffffffff81303ea4>] ? pci_device_probe+0xc4/0x110
         [<ffffffff813d9b1e>] ? driver_probe_device+0x1ee/0x450
         [<ffffffff813d9dfb>] ? __driver_attach+0x7b/0x80
         [<ffffffff813d9d80>] ? driver_probe_device+0x450/0x450
         [<ffffffff813d796a>] ? bus_for_each_dev+0x5a/0x90
         [<ffffffff813d9091>] ? bus_add_driver+0x1f1/0x290
         [<ffffffff81b37fa8>] ? uncore_cpu_setup+0xc/0xc
         [<ffffffff813da73f>] ? driver_register+0x5f/0xe0
         [<ffffffff81b38074>] ? intel_uncore_init+0xcc/0x2b0
         [<ffffffff81b37fa8>] ? uncore_cpu_setup+0xc/0xc
         [<ffffffff8100213e>] ? do_one_initcall+0xce/0x200
         [<ffffffff8108a100>] ? parse_args+0x140/0x4e0
         [<ffffffff81b2b0cb>] ? kernel_init_freeable+0x162/0x1e8
         [<ffffffff815443f0>] ? rest_init+0x80/0x80
         [<ffffffff815443fe>] ? kernel_init+0xe/0xf0
         [<ffffffff81553e5f>] ? ret_from_fork+0x3f/0x70
         [<ffffffff815443f0>] ? rest_init+0x80/0x80
        ---[ end trace 472e7959536abf12 ]---
      
        00:00.0 Host bridge: Intel Corporation Broadwell-U Host Bridge -OPI (rev 09)
                Subsystem: Lenovo Device 2223
                Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
                Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR- <PERR- INTx-
                Latency: 0
                Capabilities: [e0] Vendor Specific Information: Len=0c <?>
                Kernel driver in use: bdw_uncore
        00: 86 80 04 16 06 00 90 20 09 00 00 06 00 00 00 00
        10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        20: 00 00 00 00 00 00 00 00 00 00 00 00 aa 17 23 22
        30: 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00
      Signed-off-by: default avatarChristophe Le Roy <christophe.fish@gmail.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Laura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d71d4ace
    • Josh Boyer's avatar
      PNP: Add Haswell-ULT to Intel MCH size workaround · 02170f4a
      Josh Boyer authored
      commit ed1f0eee upstream.
      
      Add device ID 0x0a04 for Haswell-ULT to the list of devices with MCH
      problems.
      
      From a Lenovo ThinkPad T440S:
      [    0.188604] pnp: PnP ACPI init
      [    0.189044] system 00:00: [mem 0x00000000-0x0009ffff] could not be reserved
      [    0.189048] system 00:00: [mem 0x000c0000-0x000c3fff] could not be reserved
      [    0.189050] system 00:00: [mem 0x000c4000-0x000c7fff] could not be reserved
      [    0.189052] system 00:00: [mem 0x000c8000-0x000cbfff] could not be reserved
      [    0.189054] system 00:00: [mem 0x000cc000-0x000cffff] could not be reserved
      [    0.189056] system 00:00: [mem 0x000d0000-0x000d3fff] has been reserved
      [    0.189058] system 00:00: [mem 0x000d4000-0x000d7fff] has been reserved
      [    0.189060] system 00:00: [mem 0x000d8000-0x000dbfff] has been reserved
      [    0.189061] system 00:00: [mem 0x000dc000-0x000dffff] has been reserved
      [    0.189063] system 00:00: [mem 0x000e0000-0x000e3fff] could not be reserved
      [    0.189065] system 00:00: [mem 0x000e4000-0x000e7fff] could not be reserved
      [    0.189067] system 00:00: [mem 0x000e8000-0x000ebfff] could not be reserved
      [    0.189069] system 00:00: [mem 0x000ec000-0x000effff] could not be reserved
      [    0.189071] system 00:00: [mem 0x000f0000-0x000fffff] could not be reserved
      [    0.189073] system 00:00: [mem 0x00100000-0xdf9fffff] could not be reserved
      [    0.189075] system 00:00: [mem 0xfec00000-0xfed3ffff] could not be reserved
      [    0.189078] system 00:00: [mem 0xfed4c000-0xffffffff] could not be reserved
      [    0.189082] system 00:00: Plug and Play ACPI device, IDs PNP0c01 (active)
      [    0.189216] system 00:01: [io  0x1800-0x189f] could not be reserved
      [    0.189220] system 00:01: [io  0x0800-0x087f] has been reserved
      [    0.189222] system 00:01: [io  0x0880-0x08ff] has been reserved
      [    0.189224] system 00:01: [io  0x0900-0x097f] has been reserved
      [    0.189226] system 00:01: [io  0x0980-0x09ff] has been reserved
      [    0.189229] system 00:01: [io  0x0a00-0x0a7f] has been reserved
      [    0.189231] system 00:01: [io  0x0a80-0x0aff] has been reserved
      [    0.189233] system 00:01: [io  0x0b00-0x0b7f] has been reserved
      [    0.189235] system 00:01: [io  0x0b80-0x0bff] has been reserved
      [    0.189238] system 00:01: [io  0x15e0-0x15ef] has been reserved
      [    0.189240] system 00:01: [io  0x1600-0x167f] has been reserved
      [    0.189242] system 00:01: [io  0x1640-0x165f] has been reserved
      [    0.189246] system 00:01: [mem 0xf8000000-0xfbffffff] could not be reserved
      [    0.189249] system 00:01: [mem 0x00000000-0x00000fff] could not be reserved
      [    0.189251] system 00:01: [mem 0xfed1c000-0xfed1ffff] has been reserved
      [    0.189254] system 00:01: [mem 0xfed10000-0xfed13fff] has been reserved
      [    0.189256] system 00:01: [mem 0xfed18000-0xfed18fff] has been reserved
      [    0.189258] system 00:01: [mem 0xfed19000-0xfed19fff] has been reserved
      [    0.189261] system 00:01: [mem 0xfed45000-0xfed4bfff] has been reserved
      [    0.189264] system 00:01: Plug and Play ACPI device, IDs PNP0c02 (active)
      [....]
      [    0.583653] resource sanity check: requesting [mem 0xfed10000-0xfed15fff], which spans more than pnp 00:01 [mem 0xfed10000-0xfed13fff]
      [    0.583654] ------------[ cut here ]------------
      [    0.583660] WARNING: CPU: 0 PID: 1 at arch/x86/mm/ioremap.c:198 __ioremap_caller+0x2c5/0x380()
      [    0.583661] Info: mapping multiple BARs. Your kernel is fine.
      [    0.583662] Modules linked in:
      
      [    0.583666] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.3.3-303.fc23.x86_64 #1
      [    0.583668] Hardware name: LENOVO 20AR001GXS/20AR001GXS, BIOS GJET86WW (2.36 ) 12/04/2015
      [    0.583670]  0000000000000000 0000000014cf7e59 ffff880214a1baf8 ffffffff813a625f
      [    0.583673]  ffff880214a1bb40 ffff880214a1bb30 ffffffff810a07c2 00000000fed10000
      [    0.583675]  ffffc90000cb8000 0000000000006000 0000000000000000 ffff8800d6381040
      [    0.583678] Call Trace:
      [    0.583683]  [<ffffffff813a625f>] dump_stack+0x44/0x55
      [    0.583686]  [<ffffffff810a07c2>] warn_slowpath_common+0x82/0xc0
      [    0.583688]  [<ffffffff810a085c>] warn_slowpath_fmt+0x5c/0x80
      [    0.583692]  [<ffffffff810a6fba>] ? iomem_map_sanity_check+0xba/0xd0
      [    0.583695]  [<ffffffff81065835>] __ioremap_caller+0x2c5/0x380
      [    0.583698]  [<ffffffff81065907>] ioremap_nocache+0x17/0x20
      [    0.583701]  [<ffffffff8103a119>] snb_uncore_imc_init_box+0x79/0xb0
      [    0.583705]  [<ffffffff81038900>] uncore_pci_probe+0xd0/0x1b0
      [    0.583707]  [<ffffffff813efda5>] local_pci_probe+0x45/0xa0
      [    0.583710]  [<ffffffff813f118d>] pci_device_probe+0xfd/0x140
      [    0.583713]  [<ffffffff814d9b52>] driver_probe_device+0x222/0x480
      [    0.583715]  [<ffffffff814d9e34>] __driver_attach+0x84/0x90
      [    0.583717]  [<ffffffff814d9db0>] ? driver_probe_device+0x480/0x480
      [    0.583720]  [<ffffffff814d762c>] bus_for_each_dev+0x6c/0xc0
      [    0.583722]  [<ffffffff814d930e>] driver_attach+0x1e/0x20
      [    0.583724]  [<ffffffff814d8e4b>] bus_add_driver+0x1eb/0x280
      [    0.583727]  [<ffffffff81d6af1a>] ? uncore_cpu_setup+0x12/0x12
      [    0.583729]  [<ffffffff814da680>] driver_register+0x60/0xe0
      [    0.583733]  [<ffffffff813ef78c>] __pci_register_driver+0x4c/0x50
      [    0.583736]  [<ffffffff81d6affc>] intel_uncore_init+0xe2/0x2e6
      [    0.583738]  [<ffffffff81d6af1a>] ? uncore_cpu_setup+0x12/0x12
      [    0.583741]  [<ffffffff81002123>] do_one_initcall+0xb3/0x200
      [    0.583745]  [<ffffffff810be500>] ? parse_args+0x1a0/0x4a0
      [    0.583749]  [<ffffffff81d5c1c8>] kernel_init_freeable+0x189/0x223
      [    0.583752]  [<ffffffff81775c40>] ? rest_init+0x80/0x80
      [    0.583754]  [<ffffffff81775c4e>] kernel_init+0xe/0xe0
      [    0.583758]  [<ffffffff81781adf>] ret_from_fork+0x3f/0x70
      [    0.583760]  [<ffffffff81775c40>] ? rest_init+0x80/0x80
      [    0.583765] ---[ end trace 077c426a39e018aa ]---
      
      00:00.0 Host bridge [0600]: Intel Corporation Haswell-ULT DRAM Controller [8086:0a04] (rev 0b)
      	Subsystem: Lenovo Device [17aa:220c]
      	Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
      	Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR- <PERR- INTx-
      	Latency: 0
      	Capabilities: <access denied>
      	Kernel driver in use: hsw_uncore
      
      Link: https://bugzilla.redhat.com/show_bug.cgi?id=1300955
      Tested-by: <robo@tcp.sk>
      Signed-off-by: default avatarJosh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Laura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      02170f4a
    • Hannes Reinecke's avatar
      scsi: ignore errors from scsi_dh_add_device() · 5a6f9d06
      Hannes Reinecke authored
      commit 221255ae upstream.
      
      device handler initialisation might fail due to a number of
      reasons. But as device_handlers are optional this shouldn't
      cause us to disable the device entirely.
      So just ignore errors from scsi_dh_add_device().
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Cc: Laura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a6f9d06
    • Ben Hutchings's avatar
      ipath: Restrict use of the write() interface · 694dfd0e
      Ben Hutchings authored
      Commit e6bd18f5 ("IB/security: Restrict use of the write()
      interface") fixed a security problem with various write()
      implementations in the Infiniband subsystem.  In older kernel versions
      the ipath_write() function has the same problem and needs the same
      restriction.  (The ipath driver has been completely removed upstream.)
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      694dfd0e
    • Soheil Hassas Yeganeh's avatar
      tcp: consider recv buf for the initial window scale · 9c946c93
      Soheil Hassas Yeganeh authored
      [ Upstream commit f626300a ]
      
      tcp_select_initial_window() intends to advertise a window
      scaling for the maximum possible window size. To do so,
      it considers the maximum of net.ipv4.tcp_rmem[2] and
      net.core.rmem_max as the only possible upper-bounds.
      However, users with CAP_NET_ADMIN can use SO_RCVBUFFORCE
      to set the socket's receive buffer size to values
      larger than net.ipv4.tcp_rmem[2] and net.core.rmem_max.
      Thus, SO_RCVBUFFORCE is effectively ignored by
      tcp_select_initial_window().
      
      To fix this, consider the maximum of net.ipv4.tcp_rmem[2],
      net.core.rmem_max and socket's initial buffer space.
      
      Fixes: b0573dea ("[NET]: Introduce SO_{SND,RCV}BUFFORCE socket options")
      Signed-off-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Suggested-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9c946c93
    • Manish Chopra's avatar
      qed: Fix setting/clearing bit in completion bitmap · e23696bc
      Manish Chopra authored
      [ Upstream commit 59d3f1ce ]
      
      Slowpath completion handling is incorrectly changing
      SPQ_RING_SIZE bits instead of a single one.
      
      Fixes: 76a9a364 ("qed: fix handling of concurrent ramrods")
      Signed-off-by: default avatarManish Chopra <manish.chopra@qlogic.com>
      Signed-off-by: default avatarYuval Mintz <Yuval.Mintz@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e23696bc
    • Vegard Nossum's avatar
      net/irda: fix NULL pointer dereference on memory allocation failure · fc9b7c08
      Vegard Nossum authored
      [ Upstream commit d3e6952c ]
      
      I ran into this:
      
          kasan: CONFIG_KASAN_INLINE enabled
          kasan: GPF could be caused by NULL-ptr deref or user memory access
          general protection fault: 0000 [#1] PREEMPT SMP KASAN
          CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
          task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000
          RIP: 0010:[<ffffffff82bbf066>]  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
          RSP: 0018:ffff880111747bb8  EFLAGS: 00010286
          RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358
          RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048
          RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000
          R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000
          R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000
          FS:  00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0
          Stack:
           0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220
           ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232
           ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000
          Call Trace:
           [<ffffffff82bca542>] irda_connect+0x562/0x1190
           [<ffffffff825ae582>] SYSC_connect+0x202/0x2a0
           [<ffffffff825b4489>] SyS_connect+0x9/0x10
           [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
           [<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
          Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
          RIP  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
           RSP <ffff880111747bb8>
          ---[ end trace 4cda2588bc055b30 ]---
      
      The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
      and then irttp_connect_request() almost immediately dereferences it.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fc9b7c08
    • Florian Fainelli's avatar
      net: bgmac: Fix infinite loop in bgmac_dma_tx_add() · 863c8bb8
      Florian Fainelli authored
      [ Upstream commit e86663c4 ]
      
      Nothing is decrementing the index "i" while we are cleaning up the
      fragments we could not successful transmit.
      
      Fixes: 9cde9450 ("bgmac: implement scatter/gather support")
      Reported-by: coverity (CID 1352048)
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      863c8bb8
    • Beniamino Galvani's avatar
      bonding: set carrier off for devices created through netlink · 0020fa53
      Beniamino Galvani authored
      [ Upstream commit 005db31d ]
      
      Commit e826eafa ("bonding: Call netif_carrier_off after
      register_netdevice") moved netif_carrier_off() from bond_init() to
      bond_create(), but the latter is called only for initial default
      devices and ones created through sysfs:
      
       $ modprobe bonding
       $ echo +bond1 > /sys/class/net/bonding_masters
       $ ip link add bond2 type bond
       $ grep "MII Status" /proc/net/bonding/*
       /proc/net/bonding/bond0:MII Status: down
       /proc/net/bonding/bond1:MII Status: down
       /proc/net/bonding/bond2:MII Status: up
      
      Ensure that carrier is initially off also for devices created through
      netlink.
      Signed-off-by: default avatarBeniamino Galvani <bgalvani@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0020fa53
    • Julian Anastasov's avatar
      ipv4: reject RTNH_F_DEAD and RTNH_F_LINKDOWN from user space · a9c22185
      Julian Anastasov authored
      [ Upstream commit 80610229 ]
      
      Vegard Nossum is reporting for a crash in fib_dump_info
      when nh_dev = NULL and fib_nhs == 1:
      
      Pid: 50, comm: netlink.exe Not tainted 4.7.0-rc5+
      RIP: 0033:[<00000000602b3d18>]
      RSP: 0000000062623890  EFLAGS: 00010202
      RAX: 0000000000000000 RBX: 000000006261b800 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000024 RDI: 000000006245ba00
      RBP: 00000000626238f0 R08: 000000000000029c R09: 0000000000000000
      R10: 0000000062468038 R11: 000000006245ba00 R12: 000000006245ba00
      R13: 00000000625f96c0 R14: 00000000601e16f0 R15: 0000000000000000
      Kernel panic - not syncing: Kernel mode fault at addr 0x2e0, ip 0x602b3d18
      CPU: 0 PID: 50 Comm: netlink.exe Not tainted 4.7.0-rc5+ #581
      Stack:
       626238f0 960226a02 00000400 000000fe
       62623910 600afca7 62623970 62623a48
       62468038 00000018 00000000 00000000
      Call Trace:
       [<602b3e93>] rtmsg_fib+0xd3/0x190
       [<602b6680>] fib_table_insert+0x260/0x500
       [<602b0e5d>] inet_rtm_newroute+0x4d/0x60
       [<60250def>] rtnetlink_rcv_msg+0x8f/0x270
       [<60267079>] netlink_rcv_skb+0xc9/0xe0
       [<60250d4b>] rtnetlink_rcv+0x3b/0x50
       [<60265400>] netlink_unicast+0x1a0/0x2c0
       [<60265e47>] netlink_sendmsg+0x3f7/0x470
       [<6021dc9a>] sock_sendmsg+0x3a/0x90
       [<6021e0d0>] ___sys_sendmsg+0x300/0x360
       [<6021fa64>] __sys_sendmsg+0x54/0xa0
       [<6021fac0>] SyS_sendmsg+0x10/0x20
       [<6001ea68>] handle_syscall+0x88/0x90
       [<600295fd>] userspace+0x3fd/0x500
       [<6001ac55>] fork_handler+0x85/0x90
      
      $ addr2line -e vmlinux -i 0x602b3d18
      include/linux/inetdevice.h:222
      net/ipv4/fib_semantics.c:1264
      
      Problem happens when RTNH_F_LINKDOWN is provided from user space
      when creating routes that do not use the flag, catched with
      netlink fuzzer.
      
      Currently, the kernel allows user space to set both flags
      to nh_flags and fib_flags but this is not intentional, the
      assumption was that they are not set. Fix this by rejecting
      both flags with EINVAL.
      Reported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Fixes: 0eeb075f ("net: ipv4 sysctl option to ignore routes when nexthop link is down")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
      Cc: Dinesh Dutt <ddutt@cumulusnetworks.com>
      Cc: Scott Feldman <sfeldma@gmail.com>
      Reviewed-by: default avatarAndy Gospodarek <gospo@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9c22185
    • Jason Baron's avatar
      tcp: enable per-socket rate limiting of all 'challenge acks' · 5413f1a5
      Jason Baron authored
      [ Upstream commit 083ae308 ]
      
      The per-socket rate limit for 'challenge acks' was introduced in the
      context of limiting ack loops:
      
      commit f2b2c582 ("tcp: mitigate ACK loops for connections as tcp_sock")
      
      And I think it can be extended to rate limit all 'challenge acks' on a
      per-socket basis.
      
      Since we have the global tcp_challenge_ack_limit, this patch allows for
      tcp_challenge_ack_limit to be set to a large value and effectively rely on
      the per-socket limit, or set tcp_challenge_ack_limit to a lower value and
      still prevents a single connections from consuming the entire challenge ack
      quota.
      
      It further moves in the direction of eliminating the global limit at some
      point, as Eric Dumazet has suggested. This a follow-up to:
      Subject: tcp: make challenge acks less predictable
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Neal Cardwell <ncardwell@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Yue Cao <ycao009@ucr.edu>
      Signed-off-by: default avatarJason Baron <jbaron@akamai.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5413f1a5
    • Eric Dumazet's avatar
      tcp: make challenge acks less predictable · 72c2d3bc
      Eric Dumazet authored
      [ Upstream commit 75ff39cc ]
      
      Yue Cao claims that current host rate limiting of challenge ACKS
      (RFC 5961) could leak enough information to allow a patient attacker
      to hijack TCP sessions. He will soon provide details in an academic
      paper.
      
      This patch increases the default limit from 100 to 1000, and adds
      some randomization so that the attacker can no longer hijack
      sessions without spending a considerable amount of probes.
      
      Based on initial analysis and patch from Linus.
      
      Note that we also have per socket rate limiting, so it is tempting
      to remove the host limit in the future.
      
      v2: randomize the count of challenge acks per second, not the period.
      
      Fixes: 282f23c6 ("tcp: implement RFC 5961 3.2")
      Reported-by: default avatarYue Cao <ycao009@ucr.edu>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72c2d3bc
  2. 10 Aug, 2016 23 commits