1. 19 Feb, 2019 8 commits
  2. 18 Feb, 2019 2 commits
    • Colin Ian King's avatar
      net/mlx4_en: fix spelling mistake: "quiting" -> "quitting" · 21d2cb49
      Colin Ian King authored
      There is a spelling mistake in a en_err error message. Fix it.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21d2cb49
    • Mao Wenan's avatar
      net: crypto set sk to NULL when af_alg_release. · 9060cb71
      Mao Wenan authored
      KASAN has found use-after-free in sockfs_setattr.
      The existed commit 6d8c50dc ("socket: close race condition between sock_close()
      and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
      that crypto module forgets to set the sk to NULL after af_alg_release.
      
      KASAN report details as below:
      BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
      Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
      
      CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      1.10.2-1ubuntu1 04/01/2014
      Call Trace:
       dump_stack+0xca/0x13e
       print_address_description+0x79/0x330
       ? vprintk_func+0x5e/0xf0
       kasan_report+0x18a/0x2e0
       ? sockfs_setattr+0x120/0x150
       sockfs_setattr+0x120/0x150
       ? sock_register+0x2d0/0x2d0
       notify_change+0x90c/0xd40
       ? chown_common+0x2ef/0x510
       chown_common+0x2ef/0x510
       ? chmod_common+0x3b0/0x3b0
       ? __lock_is_held+0xbc/0x160
       ? __sb_start_write+0x13d/0x2b0
       ? __mnt_want_write+0x19a/0x250
       do_fchownat+0x15c/0x190
       ? __ia32_sys_chmod+0x80/0x80
       ? trace_hardirqs_on_thunk+0x1a/0x1c
       __x64_sys_fchownat+0xbf/0x160
       ? lockdep_hardirqs_on+0x39a/0x5e0
       do_syscall_64+0xc8/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462589
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
      f7 48 89 d6 48 89
      ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
      48 c7 c1 bc ff ff
      ff f7 d8 64 89 01 48
      RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
      RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
      RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
      RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
      R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
      
      Allocated by task 4185:
       kasan_kmalloc+0xa0/0xd0
       __kmalloc+0x14a/0x350
       sk_prot_alloc+0xf6/0x290
       sk_alloc+0x3d/0xc00
       af_alg_accept+0x9e/0x670
       hash_accept+0x4a3/0x650
       __sys_accept4+0x306/0x5c0
       __x64_sys_accept4+0x98/0x100
       do_syscall_64+0xc8/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 4184:
       __kasan_slab_free+0x12e/0x180
       kfree+0xeb/0x2f0
       __sk_destruct+0x4e6/0x6a0
       sk_destruct+0x48/0x70
       __sk_free+0xa9/0x270
       sk_free+0x2a/0x30
       af_alg_release+0x5c/0x70
       __sock_release+0xd3/0x280
       sock_close+0x1a/0x20
       __fput+0x27f/0x7f0
       task_work_run+0x136/0x1b0
       exit_to_usermode_loop+0x1a7/0x1d0
       do_syscall_64+0x461/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Syzkaller reproducer:
      r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
      0xffffffffffffffff, 0x0)
      r1 = socket$alg(0x26, 0x5, 0x0)
      getrusage(0x0, 0x0)
      bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
      'sha256-ssse3\x00'}, 0x80)
      r2 = accept(r1, 0x0, 0x0)
      r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
      r4 = dup3(r3, r0, 0x0)
      fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
      
      Fixes: 6d8c50dc ("socket: close race condition between sock_close() and sockfs_setattr()")
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9060cb71
  3. 17 Feb, 2019 12 commits
  4. 16 Feb, 2019 14 commits
  5. 15 Feb, 2019 4 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190215' of git://git.kernel.dk/linux-block · 24f0a487
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Ensure we insert into the hctx dispatch list, if a request is marked
         as DONTPREP (Jianchao)
      
       - NVMe pull request, single missing unlock on error fix (Keith)
      
       - MD pull request, single fix for a potentially data corrupting issue
         (Nate)
      
       - Floppy check_events regression fix (Yufen)
      
      * tag 'for-linus-20190215' of git://git.kernel.dk/linux-block:
        md/raid1: don't clear bitmap bits on interrupted recovery.
        floppy: check_events callback should not return a negative number
        nvme-pci: add missing unlock for reset error
        blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue
      24f0a487
    • Linus Torvalds's avatar
      Merge tag 'for-5.0/dm-fixes-3' of... · ae3fa8bd
      Linus Torvalds authored
      Merge tag 'for-5.0/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Fix bug in DM crypt's sizing of its block integrity tag space,
         resulting in less memory use when DM crypt layers on DM integrity.
      
       - Fix a long-standing DM thinp crash consistency bug that was due to
         improper handling of FUA. This issue is specific to writes that fill
         an entire thinp block which needs to be allocated.
      
      * tag 'for-5.0/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm thin: fix bug where bio that overwrites thin block ignores FUA
        dm crypt: don't overallocate the integrity tag space
      ae3fa8bd
    • Linus Torvalds's avatar
      Merge tag 'mmc-v5.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · dfeae337
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "A couple of MMC fixes intended for v5.0-rc7.
      
        MMC core:
         - Fix deadlock bug for block I/O requests
      
        MMC host:
         - sunxi: Disable broken HS-DDR mode for H5 by default
         - sunxi: Avoid unsupported speed modes declared via DT
         - meson-gx: Restore interrupt name"
      
      * tag 'mmc-v5.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: meson-gx: fix interrupt name
        mmc: block: handle complete_work on separate workqueue
        mmc: sunxi: Filter out unsupported modes declared in the device tree
        mmc: sunxi: Disable HS-DDR mode for H5 eMMC controller by default
      dfeae337
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-02-15-1' of git://anongit.freedesktop.org/drm/drm · 545aabcb
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Usual pull request, little larger than I'd like but nothing too
        strange in it. Willy found an bug in the lease ioctl calculations, but
        it's a drm master only ioctl which makes it harder to mess with.
      
       i915:
         - combo phy programming fix
         - opregion version check fix for VBT RVDA lookup
         - gem mmap ioctl race fix
         - fbdev hpd during suspend fix
         - array size bounds check fix in pmu
      
        amdgpu:
         - Vega20 psp fix
         - Add vrr range to debugfs for freesync debugging
      
        sched:
         - Scheduler race fix
      
        vkms:
         - license header fixups
      
        imx:
         - Fix CSI register offsets for i.MX51 and i.MX53.
         - Fix delayed page flip completion events on i.MX6QP due to
           unexpected behaviour of the PRE when issuing NOP buffer updates to
           the same buffer address.
         - Stop throwing errors for plane updates on disabled CRTCs when a
           userspace process is killed while a plane update is pending.
         - Add missing of_node_put cleanup in imx_ldb_bind"
      
      * tag 'drm-fixes-2019-02-15-1' of git://anongit.freedesktop.org/drm/drm:
        drm: Use array_size() when creating lease
        drm/amdgpu/psp11: TA firmware is optional (v3)
        drm/i915/opregion: rvda is relative from opregion base in opregion 2.1+
        drm/i915/opregion: fix version check
        drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
        drm/i915: Block fbdev HPD processing during suspend
        drm/i915/pmu: Fix enable count array size and bounds checking
        drm/i915/cnl: Fix CNL macros for Voltage Swing programming
        drm/i915/icl: combo port vswing programming changes per BSPEC
        drm/vkms: Fix license inconsistent
        drm/amd/display: Expose connector VRR range via debugfs
        drm/sched: Always trace the dependencies we wait on, to fix a race.
        gpu: ipu-v3: pre: don't trigger update if buffer address doesn't change
        gpu: ipu-v3: Fix CSI offsets for imx53
        drm/imx: imx-ldb: add missing of_node_puts
        gpu: ipu-v3: Fix i.MX51 CSI control registers offset
        drm/imx: ignore plane updates on disabled crtcs
      545aabcb