1. 02 Aug, 2018 2 commits
    • Anton Vasilyev's avatar
      HID: intel_ish-hid: tx_buf memory leak on probe/remove · 50fa9259
      Anton Vasilyev authored
      ish_dev_init() allocates 512*176 bytes memory for tx_buf and stores it at
      &dev->wr_free_list_head.link list on ish_probe().
      But there is no deallocation of this memory in ish_remove() and in
      ish_probe() error path.
      So current intel-ish-ipc provides 88 KB memory leak for each
      probe/release.
      
      The patch replaces kzalloc allocation by devm_kzalloc and removes
      ishtp_device *dev deallocation by kfree.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAnton Vasilyev <vasilyev@ispras.ru>
      Acked-by: default avatarSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      50fa9259
    • Srinivas Pandruvada's avatar
      HID: intel-ish-hid: Prevent loading of driver on Mehlow · a1e9a9c0
      Srinivas Pandruvada authored
      On Mehlow Xeon-E workstation, ISH PCI device is enabled but without ISH
      firmware. Here the ISH device PCI device id was reused for some non Linux
      storage drivers. So this was not done for enabling ISH. But this has a
      undesirable side effect for Linux.
      
      Here the ISH driver will be loaded via PCI enumeration and will try to do
      reset sequence. But reset sequence will wait till timeout as there is no
      real ISH firmware is present to take action. This delay will add to boot
      time of Linux (This platform will still continue to boot after this
      timeout).
      
      To avoid this boot delay we need to prevent loading of ISH drivers on
      this platform. So we need to have hack to avoid treating this device as
      ISH on this platform. To identify this workstation, we need some runtime
      method. Luckily there are special PCI id on this workstation to
      distinguish from the client version of this platform. On client version,
      the ISH is supported using same PCI device id. So this change look for
      the presence of PCI device IDs A309 and A30A and exit.
      Signed-off-by: default avatarSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      a1e9a9c0
  2. 10 Jul, 2018 1 commit
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · 092150a2
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - spectrev1 pattern fix in hiddev from Gustavo A. R. Silva
      
       - bounds check fix for hid-debug from Daniel Rosenberg
      
       - regression fix for HID autobinding from Benjamin Tissoires
      
       - removal of excessive logging from i2c-hid driver from Jason Andryuk
      
       - fix specific to 2nd generation of Wacom Intuos devices from Jason
         Gerecke
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: hiddev: fix potential Spectre v1
        HID: i2c-hid: Fix "incomplete report" noise
        HID: wacom: Correct touch maximum XY of 2nd-gen Intuos
        HID: debug: check length before copy_to_user()
        HID: core: allow concurrent registration of drivers
      092150a2
  3. 09 Jul, 2018 3 commits
    • Russell King - ARM Linux's avatar
      Update TDA998x maintainer entry · bdf33113
      Russell King - ARM Linux authored
      Update my TDA998x HDMI encoder MAINTAINERS entry to include the
      dt-bindings header, and a keyword pattern to catch patches containing
      the DT compatible.  Also change the status to "maintained" rather than
      "supported".
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      bdf33113
    • Gustavo A. R. Silva's avatar
      HID: hiddev: fix potential Spectre v1 · 4f65245f
      Gustavo A. R. Silva authored
      uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be
      indirectly controlled by user-space, hence leading to a potential exploitation
      of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap)
      drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap)
      drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap)
      drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap)
      
      Fix this by sanitizing such structure fields before using them to index
      report->field, field->usage and hid->collection
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      4f65245f
    • Jason Andryuk's avatar
      HID: i2c-hid: Fix "incomplete report" noise · ef6eaf27
      Jason Andryuk authored
      Commit ac75a041 ("HID: i2c-hid: fix size check and type usage") started
      writing messages when the ret_size is <= 2 from i2c_master_recv.  However, my
      device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop
      moving the pointing stick or touchpad.  It varies, but you get ~50 messages
      each time which spams the log hard.
      
      [  95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2)
      
      This has also been observed with a i2c-ALP0017.
      
      [ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2)
      
      Only print the message when ret_size is totally invalid and less than 2 to cut
      down on the log spam.
      
      Fixes: ac75a041 ("HID: i2c-hid: fix size check and type usage")
      Reported-by: default avatarJohn Smith <john-s-84@gmx.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason Andryuk <jandryuk@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      ef6eaf27
  4. 08 Jul, 2018 13 commits
    • Linus Torvalds's avatar
      Linux 4.18-rc4 · 1e4b044d
      Linus Torvalds authored
      1e4b044d
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · ca04b3cc
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A small collection of fixes, sort of the usual at this point, all for
        i.MX or OMAP:
      
         - Enable ULPI drivers on i.MX to avoid a hang
      
         - Pinctrl fix for touchscreen on i.MX51 ZII RDU1
      
         - Fixes for ethernet clock references on am3517
      
         - mmc0 write protect detection fix for am335x
      
         - kzalloc->kcalloc conversion in an OMAP driver
      
         - USB metastability fix for USB on dra7
      
         - Fix touchscreen wakeup on am437x"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: imx_v4_v5_defconfig: Select ULPI support
        ARM: imx_v6_v7_defconfig: Select ULPI support
        ARM: dts: omap3: Fix am3517 mdio and emac clock references
        ARM: dts: am335x-bone-common: Fix mmc0 Write Protect
        bus: ti-sysc: Use 2-factor allocator arguments
        ARM: dts: dra7: Disable metastability workaround for USB2
        ARM: dts: imx51-zii-rdu1: fix touchscreen pinctrl
        ARM: dts: am437x: make edt-ft5x06 a wakeup source
      ca04b3cc
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 23adbe6f
      Linus Torvalds authored
      Pull x86/pti updates from Thomas Gleixner:
       "Two small fixes correcting the handling of SSB mitigations on AMD
        processors"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
        x86/bugs: Update when to check for the LS_CFG SSBD mitigation
      23adbe6f
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 6f27a640
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
      
       - Prevent an out-of-bounds access in mtrr_write()
      
       - Break a circular dependency in the new hyperv IPI acceleration code
      
       - Address the build breakage related to inline functions by enforcing
         gnu_inline and explicitly bringing native_save_fl() out of line,
         which also adds a set of _ARM_ARG macros which provide 32/64bit
         safety.
      
       - Initialize the shadow CR4 per cpu variable before using it.
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mtrr: Don't copy out-of-bounds data in mtrr_write
        x86/hyper-v: Fix the circular dependency in IPI enlightenment
        x86/paravirt: Make native_save_fl() extern inline
        x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h>
        compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations
        x86/mm/32: Initialize the CR4 shadow before __flush_tlb_all()
      6f27a640
    • Linus Torvalds's avatar
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 6fb2489d
      Linus Torvalds authored
      Pull scheduler fixes from Thomas Gleixner:
      
       - The hopefully final fix for the reported race problems in
         kthread_parkme(). The previous attempt still left a hole and was
         partially wrong.
      
       - Plug a race in the remote tick mechanism which triggers a warning
         about updates not being done correctly. That's a false positive if
         the race condition is hit as the remote CPU is idle. Plug it by
         checking the condition again when holding run queue lock.
      
       - Fix a bug in the utilization estimation of a run queue which causes
         the estimation to be 0 when a run queue is throttled.
      
       - Advance the global expiration of the period timer when the timer is
         restarted after a idle period. Otherwise the expiry time is stale and
         the timer fires prematurely.
      
       - Cure the drift between the bandwidth timer and the runqueue
         accounting, which leads to bogus throttling of runqueues
      
       - Place the call to cpufreq_update_util() correctly so the function
         will observe the correct number of running RT tasks and not a stale
         one.
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        kthread, sched/core: Fix kthread_parkme() (again...)
        sched/util_est: Fix util_est_dequeue() for throttled cfs_rq
        sched/fair: Advance global expiration when period timer is restarted
        sched/fair: Fix bandwidth timer clock drift condition
        sched/rt: Fix call to cpufreq_update_util()
        sched/nohz: Skip remote tick on idle task entirely
      6fb2489d
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f5c926b9
      Linus Torvalds authored
      Pull objtool fix from Thomas Gleixner:
       "A single fix for objtool to address a bug in handling the cold
        subfunction detection for aliased functions which was added recently.
        The bug causes objtool to enter an infinite loop"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Support GCC 8 '-fnoreorder-functions'
      f5c926b9
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 124b99fb
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
      
       - add missing RETs in x86 aegis/morus
      
       - fix build error in arm speck
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: x86 - Add missing RETs
        crypto: arm/speck - fix building in Thumb2 mode
      124b99fb
    • Linus Torvalds's avatar
      Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 70a2dc6a
      Linus Torvalds authored
      Pull ext4 bugfixes from Ted Ts'o:
       "Bug fixes for ext4; most of which relate to vulnerabilities where a
        maliciously crafted file system image can result in a kernel OOPS or
        hang.
      
        At least one fix addresses an inline data bug could be triggered by
        userspace without the need of a crafted file system (although it does
        require that the inline data feature be enabled)"
      
      * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: check superblock mapped prior to committing
        ext4: add more mount time checks of the superblock
        ext4: add more inode number paranoia checks
        ext4: avoid running out of journal credits when appending to an inline file
        jbd2: don't mark block as modified if the handle is out of credits
        ext4: never move the system.data xattr out of the inode body
        ext4: clear i_data in ext4_inode_info when removing inline data
        ext4: include the illegal physical block in the bad map ext4_error msg
        ext4: verify the depth of extent tree in ext4_find_extent()
        ext4: only look at the bg_flags field if it is valid
        ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
        ext4: always check block group bounds in ext4_init_block_bitmap()
        ext4: always verify the magic number in xattr blocks
        ext4: add corruption check in ext4_xattr_set_entry()
        ext4: add warn_on_error mount option
      70a2dc6a
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 8979319f
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - Fix a use-after-free in the endpoint code (Dan Carpenter)
      
       - Stop defaulting CONFIG_PCIE_DW_PLAT_HOST to yes (Geert Uytterhoeven)
      
       - Fix an nfp regression caused by a change in how we limit the number
         of VFs we can enable (Jakub Kicinski)
      
       - Fix failure path cleanup issues in the new R-Car gen3 PHY support
         (Marek Vasut)
      
       - Fix leaks of OF nodes in faraday, xilinx-nwl, xilinx (Nicholas Mc
         Guire)
      
      * tag 'pci-v4.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        nfp: stop limiting VFs to 0
        PCI/IOV: Reset total_VFs limit after detaching PF driver
        PCI: faraday: Add missing of_node_put()
        PCI: xilinx-nwl: Add missing of_node_put()
        PCI: xilinx: Add missing of_node_put()
        PCI: endpoint: Use after free in pci_epf_unregister_driver()
        PCI: controller: dwc: Do not let PCIE_DW_PLAT_HOST default to yes
        PCI: rcar: Clean up PHY init on failure
        PCI: rcar: Shut the PHY down in failpath
      8979319f
    • Linus Torvalds's avatar
      Merge tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6 · b2d44d14
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Five smb3/cifs fixes for stable (including for some leaks and memory
        overwrites) and also a few fixes for recent regressions in packet
        signing.
      
        Additional testing at the recent SMB3 test event, and some good work
        by Paulo and others spotted the issues fixed here. In addition to my
        xfstest runs on these, Aurelien and Stefano did additional test runs
        to verify this set"
      
      * tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
        cifs: Fix infinite loop when using hard mount option
        cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
        cifs: Fix memory leak in smb2_set_ea()
        cifs: fix SMB1 breakage
        cifs: Fix validation of signed data in smb2
        cifs: Fix validation of signed data in smb3+
        cifs: Fix use after free of a mid_q_entry
      b2d44d14
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-4.18-3' of git://git.infradead.org/users/hch/dma-mapping · 4f572efd
      Linus Torvalds authored
      Pull dma-mapping fix from Christoph Hellwig:
       "Revert an incorrect dma-mapping commit for 4.18-rc"
      
      * tag 'dma-mapping-4.18-3' of git://git.infradead.org/users/hch/dma-mapping:
        Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and clean up intel_{alloc,free}_coherent()"
      4f572efd
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-4.18-rc4' of git://git.infradead.org/users/vkoul/slave-dma · 89ac2233
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "We have few odd driver fixes and one email update change for you this
        time:
      
         - Driver fixes for k3dma (off by one), pl330 (burst residue
           granularity) and omap-dma (incorrect residue_granularity)
      
         - Sinan's email update"
      
      * tag 'dmaengine-fix-4.18-rc4' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
        dmaengine: pl330: report BURST residue granularity
        MAINTAINERS: Update email-id of Sinan Kaya
        dmaengine: ti: omap-dma: Fix OMAP1510 incorrect residue_granularity
      89ac2233
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.18-2' of git://github.com/cminyard/linux-ipmi · ea9561cf
      Linus Torvalds authored
      Pull IPMI fixes from Corey Minyard:
       "A couple of small fixes: one to the BMC side of things that fixes an
        interrupt issue, and one oops fix if init fails in a certain way on
        the client driver"
      
      * tag 'for-linus-4.18-2' of git://github.com/cminyard/linux-ipmi:
        ipmi: kcs_bmc: fix IRQ exception if the channel is not open
        ipmi: Cleanup oops on initialization failure
      ea9561cf
  5. 07 Jul, 2018 4 commits
  6. 06 Jul, 2018 10 commits
  7. 05 Jul, 2018 7 commits
    • Olof Johansson's avatar
      Merge tag 'omap-for-v4.18/fixes-signed' of... · f0463f36
      Olof Johansson authored
      Merge tag 'omap-for-v4.18/fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes
      
      Fixes for omap for v4.18-rc cycle
      
      Few dts fixes for regressions for various SoCs and
      devices for touchscreen wake, dra7 USB quirk, pinmux
      for beaglebone mmc, and emac clock.
      
      Also included is a change for ti-sysc to use kcalloc
      that Kees wanted to get into v4.18 as that's the last
      one he wanted to fix for improved defense against
      allocation overflows.
      
      * tag 'omap-for-v4.18/fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
        ARM: dts: omap3: Fix am3517 mdio and emac clock references
        ARM: dts: am335x-bone-common: Fix mmc0 Write Protect
        bus: ti-sysc: Use 2-factor allocator arguments
        ARM: dts: dra7: Disable metastability workaround for USB2
        ARM: dts: am437x: make edt-ft5x06 a wakeup source
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      f0463f36
    • Linus Torvalds's avatar
      Fix up non-directory creation in SGID directories · 0fa3ecd8
      Linus Torvalds authored
      sgid directories have special semantics, making newly created files in
      the directory belong to the group of the directory, and newly created
      subdirectories will also become sgid.  This is historically used for
      group-shared directories.
      
      But group directories writable by non-group members should not imply
      that such non-group members can magically join the group, so make sure
      to clear the sgid bit on non-directories for non-members (but remember
      that sgid without group execute means "mandatory locking", just to
      confuse things even more).
      Reported-by: default avatarJann Horn <jannh@google.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0fa3ecd8
    • Christoph Hellwig's avatar
      Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and clean up... · 7ec916f8
      Christoph Hellwig authored
      Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and clean up intel_{alloc,free}_coherent()"
      
      This commit may cause a less than required dma mask to be used for
      some allocations, which apparently leads to module load failures for
      iwlwifi sometimes.
      
      This reverts commit d657c5c7.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarFabio Coatti <fabio.coatti@gmail.com>
      Tested-by: default avatarFabio Coatti <fabio.coatti@gmail.com>
      7ec916f8
    • Stefano Brivio's avatar
      cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() · 729c0c9d
      Stefano Brivio authored
      smb{2,3}_create_lease_buf() store a lease key in the lease
      context for later usage on a lease break.
      
      In most paths, the key is currently sourced from data that
      happens to be on the stack near local variables for oplock in
      SMB2_open() callers, e.g. from open_shroot(), whereas
      smb2_open_file() properly allocates space on its stack for it.
      
      The address of those local variables holding the oplock is then
      passed to create_lease_buf handlers via SMB2_open(), and 16
      bytes near oplock are used. This causes a stack out-of-bounds
      access as reported by KASAN on SMB2.1 and SMB3 mounts (first
      out-of-bounds access is shown here):
      
      [  111.528823] BUG: KASAN: stack-out-of-bounds in smb3_create_lease_buf+0x399/0x3b0 [cifs]
      [  111.530815] Read of size 8 at addr ffff88010829f249 by task mount.cifs/985
      [  111.532838] CPU: 3 PID: 985 Comm: mount.cifs Not tainted 4.18.0-rc3+ #91
      [  111.534656] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      [  111.536838] Call Trace:
      [  111.537528]  dump_stack+0xc2/0x16b
      [  111.540890]  print_address_description+0x6a/0x270
      [  111.542185]  kasan_report+0x258/0x380
      [  111.544701]  smb3_create_lease_buf+0x399/0x3b0 [cifs]
      [  111.546134]  SMB2_open+0x1ef8/0x4b70 [cifs]
      [  111.575883]  open_shroot+0x339/0x550 [cifs]
      [  111.591969]  smb3_qfs_tcon+0x32c/0x1e60 [cifs]
      [  111.617405]  cifs_mount+0x4f3/0x2fc0 [cifs]
      [  111.674332]  cifs_smb3_do_mount+0x263/0xf10 [cifs]
      [  111.677915]  mount_fs+0x55/0x2b0
      [  111.679504]  vfs_kern_mount.part.22+0xaa/0x430
      [  111.684511]  do_mount+0xc40/0x2660
      [  111.698301]  ksys_mount+0x80/0xd0
      [  111.701541]  do_syscall_64+0x14e/0x4b0
      [  111.711807]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  111.713665] RIP: 0033:0x7f372385b5fa
      [  111.715311] Code: 48 8b 0d 99 78 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 66 78 2c 00 f7 d8 64 89 01 48
      [  111.720330] RSP: 002b:00007ffff27049d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  111.722601] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f372385b5fa
      [  111.724842] RDX: 000055c2ecdc73b2 RSI: 000055c2ecdc73f9 RDI: 00007ffff270580f
      [  111.727083] RBP: 00007ffff2705804 R08: 000055c2ee976060 R09: 0000000000001000
      [  111.729319] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f3723f4d000
      [  111.731615] R13: 000055c2ee976060 R14: 00007f3723f4f90f R15: 0000000000000000
      
      [  111.735448] The buggy address belongs to the page:
      [  111.737420] page:ffffea000420a7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  111.739890] flags: 0x17ffffc0000000()
      [  111.741750] raw: 0017ffffc0000000 0000000000000000 dead000000000200 0000000000000000
      [  111.744216] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  111.746679] page dumped because: kasan: bad access detected
      
      [  111.750482] Memory state around the buggy address:
      [  111.752562]  ffff88010829f100: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
      [  111.754991]  ffff88010829f180: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      [  111.757401] >ffff88010829f200: 00 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2
      [  111.759801]                                               ^
      [  111.762034]  ffff88010829f280: f2 02 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
      [  111.764486]  ffff88010829f300: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  111.766913] ==================================================================
      
      Lease keys are however already generated and stored in fid data
      on open and create paths: pass them down to the lease context
      creation handlers and use them.
      Suggested-by: default avatarAurélien Aptel <aaptel@suse.com>
      Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
      Fixes: b8c32dbb ("CIFS: Request SMB2.1 leases")
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      729c0c9d
    • Paulo Alcantara's avatar
      cifs: Fix infinite loop when using hard mount option · 7ffbe655
      Paulo Alcantara authored
      For every request we send, whether it is SMB1 or SMB2+, we attempt to
      reconnect tcon (cifs_reconnect_tcon or smb2_reconnect) before carrying
      out the request.
      
      So, while server->tcpStatus != CifsNeedReconnect, we wait for the
      reconnection to succeed on wait_event_interruptible_timeout(). If it
      returns, that means that either the condition was evaluated to true, or
      timeout elapsed, or it was interrupted by a signal.
      
      Since we're not handling the case where the process woke up due to a
      received signal (-ERESTARTSYS), the next call to
      wait_event_interruptible_timeout() will _always_ fail and we end up
      looping forever inside either cifs_reconnect_tcon() or smb2_reconnect().
      
      Here's an example of how to trigger that:
      
      $ mount.cifs //foo/share /mnt/test -o
      username=foo,password=foo,vers=1.0,hard
      
      (break connection to server before executing bellow cmd)
      $ stat -f /mnt/test & sleep 140
      [1] 2511
      
      $ ps -aux -q 2511
      USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
      root      2511  0.0  0.0  12892  1008 pts/0    S    12:24   0:00 stat -f
      /mnt/test
      
      $ kill -9 2511
      
      (wait for a while; process is stuck in the kernel)
      $ ps -aux -q 2511
      USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
      root      2511 83.2  0.0  12892  1008 pts/0    R    12:24  30:01 stat -f
      /mnt/test
      
      By using 'hard' mount point means that cifs.ko will keep retrying
      indefinitely, however we must allow the process to be killed otherwise
      it would hang the system.
      Signed-off-by: default avatarPaulo Alcantara <palcantara@suse.de>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      7ffbe655
    • Stefano Brivio's avatar
      cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting · f46ecbd9
      Stefano Brivio authored
      A "small" CIFS buffer is not big enough in general to hold a
      setacl request for SMB2, and we end up overflowing the buffer in
      send_set_info(). For instance:
      
       # mount.cifs //127.0.0.1/test /mnt/test -o username=test,password=test,nounix,cifsacl
       # touch /mnt/test/acltest
       # getcifsacl /mnt/test/acltest
       REVISION:0x1
       CONTROL:0x9004
       OWNER:S-1-5-21-2926364953-924364008-418108241-1000
       GROUP:S-1-22-2-1001
       ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
       ACL:S-1-22-2-1001:ALLOWED/0x0/R
       ACL:S-1-22-2-1001:ALLOWED/0x0/R
       ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
       ACL:S-1-1-0:ALLOWED/0x0/R
       # setcifsacl -a "ACL:S-1-22-2-1004:ALLOWED/0x0/R" /mnt/test/acltest
      
      this setacl will cause the following KASAN splat:
      
      [  330.777927] BUG: KASAN: slab-out-of-bounds in send_set_info+0x4dd/0xc20 [cifs]
      [  330.779696] Write of size 696 at addr ffff88010d5e2860 by task setcifsacl/1012
      
      [  330.781882] CPU: 1 PID: 1012 Comm: setcifsacl Not tainted 4.18.0-rc2+ #2
      [  330.783140] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      [  330.784395] Call Trace:
      [  330.784789]  dump_stack+0xc2/0x16b
      [  330.786777]  print_address_description+0x6a/0x270
      [  330.787520]  kasan_report+0x258/0x380
      [  330.788845]  memcpy+0x34/0x50
      [  330.789369]  send_set_info+0x4dd/0xc20 [cifs]
      [  330.799511]  SMB2_set_acl+0x76/0xa0 [cifs]
      [  330.801395]  set_smb2_acl+0x7ac/0xf30 [cifs]
      [  330.830888]  cifs_xattr_set+0x963/0xe40 [cifs]
      [  330.840367]  __vfs_setxattr+0x84/0xb0
      [  330.842060]  __vfs_setxattr_noperm+0xe6/0x370
      [  330.843848]  vfs_setxattr+0xc2/0xd0
      [  330.845519]  setxattr+0x258/0x320
      [  330.859211]  path_setxattr+0x15b/0x1b0
      [  330.864392]  __x64_sys_setxattr+0xc0/0x160
      [  330.866133]  do_syscall_64+0x14e/0x4b0
      [  330.876631]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  330.878503] RIP: 0033:0x7ff2e507db0a
      [  330.880151] Code: 48 8b 0d 89 93 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 93 2c 00 f7 d8 64 89 01 48
      [  330.885358] RSP: 002b:00007ffdc4903c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
      [  330.887733] RAX: ffffffffffffffda RBX: 000055d1170de140 RCX: 00007ff2e507db0a
      [  330.890067] RDX: 000055d1170de7d0 RSI: 000055d115b39184 RDI: 00007ffdc4904818
      [  330.892410] RBP: 0000000000000001 R08: 0000000000000000 R09: 000055d1170de7e4
      [  330.894785] R10: 00000000000002b8 R11: 0000000000000246 R12: 0000000000000007
      [  330.897148] R13: 000055d1170de0c0 R14: 0000000000000008 R15: 000055d1170de550
      
      [  330.901057] Allocated by task 1012:
      [  330.902888]  kasan_kmalloc+0xa0/0xd0
      [  330.904714]  kmem_cache_alloc+0xc8/0x1d0
      [  330.906615]  mempool_alloc+0x11e/0x380
      [  330.908496]  cifs_small_buf_get+0x35/0x60 [cifs]
      [  330.910510]  smb2_plain_req_init+0x4a/0xd60 [cifs]
      [  330.912551]  send_set_info+0x198/0xc20 [cifs]
      [  330.914535]  SMB2_set_acl+0x76/0xa0 [cifs]
      [  330.916465]  set_smb2_acl+0x7ac/0xf30 [cifs]
      [  330.918453]  cifs_xattr_set+0x963/0xe40 [cifs]
      [  330.920426]  __vfs_setxattr+0x84/0xb0
      [  330.922284]  __vfs_setxattr_noperm+0xe6/0x370
      [  330.924213]  vfs_setxattr+0xc2/0xd0
      [  330.926008]  setxattr+0x258/0x320
      [  330.927762]  path_setxattr+0x15b/0x1b0
      [  330.929592]  __x64_sys_setxattr+0xc0/0x160
      [  330.931459]  do_syscall_64+0x14e/0x4b0
      [  330.933314]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  330.936843] Freed by task 0:
      [  330.938588] (stack is not available)
      
      [  330.941886] The buggy address belongs to the object at ffff88010d5e2800
       which belongs to the cache cifs_small_rq of size 448
      [  330.946362] The buggy address is located 96 bytes inside of
       448-byte region [ffff88010d5e2800, ffff88010d5e29c0)
      [  330.950722] The buggy address belongs to the page:
      [  330.952789] page:ffffea0004357880 count:1 mapcount:0 mapping:ffff880108fdca80 index:0x0 compound_mapcount: 0
      [  330.955665] flags: 0x17ffffc0008100(slab|head)
      [  330.957760] raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff880108fdca80
      [  330.960356] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      [  330.963005] page dumped because: kasan: bad access detected
      
      [  330.967039] Memory state around the buggy address:
      [  330.969255]  ffff88010d5e2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  330.971833]  ffff88010d5e2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  330.974397] >ffff88010d5e2980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
      [  330.976956]                                            ^
      [  330.979226]  ffff88010d5e2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  330.981755]  ffff88010d5e2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  330.984225] ==================================================================
      
      Fix this by allocating a regular CIFS buffer in
      smb2_plain_req_init() if the request command is SMB2_SET_INFO.
      Reported-by: default avatarJianhong Yin <jiyin@redhat.com>
      Fixes: 366ed846 ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function")
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Reviewed-and-tested-by: default avatarAurelien Aptel <aaptel@suse.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      f46ecbd9
    • Paulo Alcantara's avatar
      cifs: Fix memory leak in smb2_set_ea() · 6aa0c114
      Paulo Alcantara authored
      This patch fixes a memory leak when doing a setxattr(2) in SMB2+.
      Signed-off-by: default avatarPaulo Alcantara <palcantara@suse.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
      6aa0c114