1. 09 Sep, 2018 33 commits
  2. 05 Sep, 2018 7 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.154 · 4d9339a1
      Greg Kroah-Hartman authored
      4d9339a1
    • Scott Bauer's avatar
      cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status · eb08a285
      Scott Bauer authored
      commit 8f3fafc9 upstream.
      
      Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()"
      
      There is another cast from unsigned long to int which causes
      a bounds check to fail with specially crafted input. The value is
      then used as an index in the slot array in cdrom_slot_status().
      Signed-off-by: default avatarScott Bauer <scott.bauer@intel.com>
      Signed-off-by: default avatarScott Bauer <sbauer@plzdonthack.me>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb08a285
    • Mike Christie's avatar
      iscsi target: fix session creation failure handling · aba1ba97
      Mike Christie authored
      commit 26abc916 upstream.
      
      The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in
      iscsi_login_set_conn_values. If the function fails later like when we
      alloc the idr it does kfree(sess) and leaves the conn->sess pointer set.
      iscsi_login_zero_tsih_s1 then returns -Exyz and we then call
      iscsi_target_login_sess_out and access the freed memory.
      
      This patch has iscsi_login_zero_tsih_s1 either completely setup the
      session or completely tear it down, so later in
      iscsi_target_login_sess_out we can just check for it being set to the
      connection.
      
      Cc: stable@vger.kernel.org
      Fixes: 0957627a ("iscsi-target: Fix sess allocation leak in...")
      Signed-off-by: default avatarMike Christie <mchristi@redhat.com>
      Acked-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarMatthew Wilcox <willy@infradead.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aba1ba97
    • Bart Van Assche's avatar
      scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock · a49097fb
      Bart Van Assche authored
      commit 0ee223b2 upstream.
      
      A long time ago the unfortunate decision was taken to add a self-deletion
      attribute to the sysfs SCSI device directory. That decision was unfortunate
      because self-deletion is really tricky. We can't drop that attribute
      because widely used user space software depends on it, namely the
      rescan-scsi-bus.sh script. Hence this patch that avoids that writing into
      that attribute triggers a deadlock. See also commit 7973cbd9 ("[PATCH]
      add sysfs attributes to scan and delete scsi_devices").
      
      This patch avoids that self-removal triggers the following deadlock:
      
      ======================================================
      WARNING: possible circular locking dependency detected
      4.18.0-rc2-dbg+ #5 Not tainted
      ------------------------------------------------------
      modprobe/6539 is trying to acquire lock:
      000000008323c4cd (kn->count#202){++++}, at: kernfs_remove_by_name_ns+0x45/0x90
      
      but task is already holding lock:
      00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&shost->scan_mutex){+.+.}:
             __mutex_lock+0xfe/0xc70
             mutex_lock_nested+0x1b/0x20
             scsi_remove_device+0x26/0x40 [scsi_mod]
             sdev_store_delete+0x27/0x30 [scsi_mod]
             dev_attr_store+0x3e/0x50
             sysfs_kf_write+0x87/0xa0
             kernfs_fop_write+0x190/0x230
             __vfs_write+0xd2/0x3b0
             vfs_write+0x101/0x270
             ksys_write+0xab/0x120
             __x64_sys_write+0x43/0x50
             do_syscall_64+0x77/0x230
             entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      -> #0 (kn->count#202){++++}:
             lock_acquire+0xd2/0x260
             __kernfs_remove+0x424/0x4a0
             kernfs_remove_by_name_ns+0x45/0x90
             remove_files.isra.1+0x3a/0x90
             sysfs_remove_group+0x5c/0xc0
             sysfs_remove_groups+0x39/0x60
             device_remove_attrs+0x82/0xb0
             device_del+0x251/0x580
             __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
             scsi_forget_host+0x37/0xb0 [scsi_mod]
             scsi_remove_host+0x9b/0x150 [scsi_mod]
             sdebug_driver_remove+0x4b/0x150 [scsi_debug]
             device_release_driver_internal+0x241/0x360
             device_release_driver+0x12/0x20
             bus_remove_device+0x1bc/0x290
             device_del+0x259/0x580
             device_unregister+0x1a/0x70
             sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
             scsi_debug_exit+0x76/0xe8 [scsi_debug]
             __x64_sys_delete_module+0x1c1/0x280
             do_syscall_64+0x77/0x230
             entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&shost->scan_mutex);
                                     lock(kn->count#202);
                                     lock(&shost->scan_mutex);
        lock(kn->count#202);
      
       *** DEADLOCK ***
      
      2 locks held by modprobe/6539:
       #0: 00000000efaf9298 (&dev->mutex){....}, at: device_release_driver_internal+0x68/0x360
       #1: 00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]
      
      stack backtrace:
      CPU: 10 PID: 6539 Comm: modprobe Not tainted 4.18.0-rc2-dbg+ #5
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Call Trace:
       dump_stack+0xa4/0xf5
       print_circular_bug.isra.34+0x213/0x221
       __lock_acquire+0x1a7e/0x1b50
       lock_acquire+0xd2/0x260
       __kernfs_remove+0x424/0x4a0
       kernfs_remove_by_name_ns+0x45/0x90
       remove_files.isra.1+0x3a/0x90
       sysfs_remove_group+0x5c/0xc0
       sysfs_remove_groups+0x39/0x60
       device_remove_attrs+0x82/0xb0
       device_del+0x251/0x580
       __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
       scsi_forget_host+0x37/0xb0 [scsi_mod]
       scsi_remove_host+0x9b/0x150 [scsi_mod]
       sdebug_driver_remove+0x4b/0x150 [scsi_debug]
       device_release_driver_internal+0x241/0x360
       device_release_driver+0x12/0x20
       bus_remove_device+0x1bc/0x290
       device_del+0x259/0x580
       device_unregister+0x1a/0x70
       sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
       scsi_debug_exit+0x76/0xe8 [scsi_debug]
       __x64_sys_delete_module+0x1c1/0x280
       do_syscall_64+0x77/0x230
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      See also https://www.mail-archive.com/linux-scsi@vger.kernel.org/msg54525.html.
      
      Fixes: ac0ece91 ("scsi: use device_remove_file_self() instead of device_schedule_callback()")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Johannes Thumshirn <jthumshirn@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      a49097fb
    • Bart Van Assche's avatar
      scsi: sysfs: Introduce sysfs_{un,}break_active_protection() · 461a6385
      Bart Van Assche authored
      commit 2afc9166 upstream.
      
      Introduce these two functions and export them such that the next patch
      can add calls to these functions from the SCSI core.
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      461a6385
    • Paul Burton's avatar
      MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 · bb190ace
      Paul Burton authored
      commit 690d9163 upstream.
      
      Some versions of GCC suboptimally generate calls to the __multi3()
      intrinsic for MIPS64r6 builds, resulting in link failures due to the
      missing function:
      
          LD      vmlinux.o
          MODPOST vmlinux.o
        kernel/bpf/verifier.o: In function `kmalloc_array':
        include/linux/slab.h:631: undefined reference to `__multi3'
        fs/select.o: In function `kmalloc_array':
        include/linux/slab.h:631: undefined reference to `__multi3'
        ...
      
      We already have a workaround for this in which we provide the
      instrinsic, but we do so selectively for GCC 7 only. Unfortunately the
      issue occurs with older GCC versions too - it has been observed with
      both GCC 5.4.0 & GCC 6.4.0.
      
      MIPSr6 support was introduced in GCC 5, so all major GCC versions prior
      to GCC 8 are affected and we extend our workaround accordingly to all
      MIPS64r6 builds using GCC versions older than GCC 8.
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Reported-by: default avatarVladimir Kondratiev <vladimir.kondratiev@intel.com>
      Fixes: ebabcf17 ("MIPS: Implement __multi3 for GCC7 MIPS64r6 builds")
      Patchwork: https://patchwork.linux-mips.org/patch/20297/
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 4.15+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bb190ace
    • Maciej W. Rozycki's avatar
      MIPS: Correct the 64-bit DSP accumulator register size · 79ffdc48
      Maciej W. Rozycki authored
      commit f5958b4c upstream.
      
      Use the `unsigned long' rather than `__u32' type for DSP accumulator
      registers, like with the regular MIPS multiply/divide accumulator and
      general-purpose registers, as all are 64-bit in 64-bit implementations
      and using a 32-bit data type leads to contents truncation on context
      saving.
      
      Update `arch_ptrace' and `compat_arch_ptrace' accordingly, removing
      casts that are similarly not used with multiply/divide accumulator or
      general-purpose register accesses.
      Signed-off-by: default avatarMaciej W. Rozycki <macro@mips.com>
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Fixes: e50c0a8f ("Support the MIPS32 / MIPS64 DSP ASE.")
      Patchwork: https://patchwork.linux-mips.org/patch/19329/
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-fsdevel@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Cc: stable@vger.kernel.org # 2.6.15+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      79ffdc48