1. 27 Jan, 2017 40 commits
    • Robert Doebbelin's avatar
      fuse: do not use iocb after it may have been freed · 77eed176
      Robert Doebbelin authored
      commit 7cabc61e upstream.
      
      There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an
      iocb that could have been freed if async io has already completed.  The fix
      in this case is simple and obvious: cache the result before starting io.
      
      It was discovered by KASan:
      
      Kernel: ==================================================================
      Kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390
      Signed-off-by: Robert Doebbelin <robert@quobyte.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
      Fixes: bcba24cc ("fuse: enable asynchronous processing direct IO")
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      77eed176
    • Calvin Owens's avatar
      sg: Fix double-free when drives detach during SG_IO · 96954119
      Calvin Owens authored
      commit f3951a37 upstream.
      
      In sg_common_write(), we free the block request and return -ENODEV if
      the device is detached in the middle of the SG_IO ioctl().
      
      Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
      end up freeing rq->cmd in the already free rq object, and then free
      the object itself out from under the current user.
      
      This ends up corrupting random memory via the list_head on the rq
      object. The most common crash trace I saw is this:
      
        ------------[ cut here ]------------
        kernel BUG at block/blk-core.c:1420!
        Call Trace:
        [<ffffffff81281eab>] blk_put_request+0x5b/0x80
        [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
        [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
        [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
        [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
        [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
        [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
        [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
        [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
        [<ffffffff81602afb>] tracesys+0xdd/0xe2
          RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
      
      The solution is straightforward: just set srp->rq to NULL in the
      failure branch so that sg_finish_rem_req() doesn't attempt to re-free
      it.
      
      Additionally, since sg_rq_end_io() will never be called on the object
      when this happens, we need to free memory backing ->cmd if it isn't
      embedded in the object itself.
      
      KASAN was extremely helpful in finding the root cause of this bug.
      Signed-off-by: Calvin Owens <calvinowens@fb.com>
      Acked-by: Douglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      96954119
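      As an added example, not code from drivers/scsi/sg.c or from this patch: a userspace model of the ownership bug the commit message describes. The struct layouts and the function names are a hypothetical sketch of the objects the message names (the sg request owning a block request, whose command buffer is either embedded or allocated separately), and a tiny tracking allocator stands in for KASAN, refusing a free of a pointer that is not live and counting it instead of corrupting the heap. The buggy branch ends the request and then lets the shared cleanup free it again; the fixed branch releases the out-of-line command buffer, ends the request and clears srp->rq so the cleanup finds nothing to free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Tracking allocator: knows which pointers are live, refuses to free one
 * that is not, and counts the attempt (a stand-in for the KASAN report). */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int double_frees;

static void *talloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;            /* calloc failed or table full */
}

static void tfree(void *p)
{
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;         /* not live: freed before, or never allocated */
}

int live_allocations(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += live[i] != NULL;
    return n;
}

/* Hypothetical model of the objects named in the commit message. */
struct request { unsigned char *cmd; unsigned char cmd_inline[16]; };
struct sg_request { struct request *rq; };

static struct request *get_request(size_t cmd_len)
{
    struct request *rq = talloc(sizeof *rq);
    if (!rq) return NULL;
    if (cmd_len <= sizeof rq->cmd_inline) {
        rq->cmd = rq->cmd_inline;           /* short command: embedded */
    } else if (!(rq->cmd = talloc(cmd_len))) {
        tfree(rq);
        return NULL;
    }
    return rq;
}

/* Stand-ins for blk_end_request_all() / blk_put_request(): both release the
 * request object; neither frees an out-of-line cmd buffer, which the
 * completion handler (sg_rq_end_io) normally does. */
static void end_request_all(struct request *rq) { tfree(rq); }
static void put_request(struct request *rq)     { tfree(rq); }

/* Shared cleanup; it already skips a NULL rq, which the fix relies on. */
static void sg_finish_rem_req(struct sg_request *srp)
{
    if (srp->rq) { put_request(srp->rq); srp->rq = NULL; }
}

/* Detach branch as the message describes the bug: the request is ended
 * here, srp->rq still points at it, and the cleanup frees it again. */
static int common_write_buggy(struct sg_request *srp)
{
    end_request_all(srp->rq);
    sg_finish_rem_req(srp);
    return -19;             /* -ENODEV */
}

/* Fixed branch: free the out-of-line cmd (the completion handler will never
 * run for this request), end the request, and clear the pointer so the
 * shared cleanup does not free it a second time. */
static int common_write_fixed(struct sg_request *srp)
{
    struct request *rq = srp->rq;
    if (rq->cmd != rq->cmd_inline) tfree(rq->cmd);
    end_request_all(rq);
    srp->rq = NULL;
    sg_finish_rem_req(srp);
    return -19;
}

/* Run one "drive detached during SG_IO" scenario; returns the number of
 * double frees it caused. live_allocations() afterwards reports leaks. */
int run_detach_scenario(int fixed, size_t cmd_len)
{
    struct sg_request srp = { get_request(cmd_len) };
    if (!srp.rq) return -1;
    double_frees = 0;
    (fixed ? common_write_fixed : common_write_buggy)(&srp);
    return double_frees;
}

int main(void)
{
    printf("buggy: %d double free(s)\n", run_detach_scenario(0, 32));
    printf("fixed: %d double free(s), %d leaked\n",
           run_detach_scenario(1, 32), live_allocations());
    return 0;
}
```

      With a command longer than the embedded buffer, the buggy branch also leaks that buffer, which is the second half of the fix the message mentions.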
    • Takashi Iwai's avatar
      xc2028: Fix use-after-free bug properly · f093600f
      Takashi Iwai authored
      commit 22a1e778 upstream.
      
      The commit 8dfbcc43 ("[media] xc2028: avoid use after free") tried
      to address the reported use-after-free by clearing the reference.
      
      However, it's clearing the wrong pointer; it sets NULL to
      priv->ctrl.fname, but it's anyway overwritten by the next line
      memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).
      
      OTOH, the actual code accessing the freed string is the strcmp() call
      with priv->fname:
      	if (!firmware_name[0] && p->fname &&
      	    priv->fname && strcmp(p->fname, priv->fname))
      		free_firmware(priv);
      
      where priv->fname points to the previous file name, and this was
      already freed by kfree().
      
      For fixing the bug properly, this patch does the following:
      
      - Keep the copy of firmware file name in only priv->fname,
        priv->ctrl.fname isn't changed;
      - The allocation is done only when the firmware gets loaded;
      - The kfree() is called in free_firmware() commonly
      
      Fixes: commit 8dfbcc43 ('[media] xc2028: avoid use after free')
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      f093600f
    • Omar Sandoval's avatar
      block: fix use-after-free in sys_ioprio_get() · 075030bd
      Omar Sandoval authored
      commit 8ba86821 upstream.
      
      get_task_ioprio() accesses the task->io_context without holding the task
      lock and thus can race with exit_io_context(), leading to a
      use-after-free. The reproducer below hits this within a few seconds on
      my 4-core QEMU VM:
      
      /* headers the posted reproducer relies on */
      #include <assert.h>
      #include <sys/syscall.h>
      #include <sys/wait.h>
      #include <unistd.h>
      
      int main(int argc, char **argv)
      {
      	pid_t pid, child;
      	long nproc, i;
      
      	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
      	syscall(SYS_ioprio_set, 1, 0, 0x6000);
      
      	nproc = sysconf(_SC_NPROCESSORS_ONLN);
      
      	for (i = 0; i < nproc; i++) {
      		/* one child per CPU that forks and reaps grandchildren in a loop,
      		 * so io_contexts are constantly created and freed */
      		pid = fork();
      		assert(pid != -1);
      		if (pid == 0) {
      			for (;;) {
      				pid = fork();
      				assert(pid != -1);
      				if (pid == 0) {
      					_exit(0);
      				} else {
      					child = wait(NULL);
      					assert(child == pid);
      				}
      			}
      		}
      
      		/* one child per CPU that queries the process group's ioprio in a loop */
      		pid = fork();
      		assert(pid != -1);
      		if (pid == 0) {
      			for (;;) {
      				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
      				syscall(SYS_ioprio_get, 2, 0);
      			}
      		}
      	}
      
      	for (;;) {
      		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
      		syscall(SYS_ioprio_get, 2, 0);
      	}
      
      	return 0;
      }
      
      This gets us KASAN dumps like this:
      
      [   35.526914] ==================================================================
      [   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
      [   35.530009] Read of size 2 by task ioprio-gpf/363
      [   35.530009] =============================================================================
      [   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
      [   35.530009] -----------------------------------------------------------------------------
      
      [   35.530009] Disabling lock debugging due to kernel taint
      [   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
      [   35.530009] 	___slab_alloc+0x55d/0x5a0
      [   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
      [   35.530009] 	kmem_cache_alloc_node+0x84/0x200
      [   35.530009] 	create_task_io_context+0x2b/0x370
      [   35.530009] 	get_task_io_context+0x92/0xb0
      [   35.530009] 	copy_process.part.8+0x5029/0x5660
      [   35.530009] 	_do_fork+0x155/0x7e0
      [   35.530009] 	SyS_clone+0x19/0x20
      [   35.530009] 	do_syscall_64+0x195/0x3a0
      [   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
      [   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
      [   35.530009] 	__slab_free+0x27b/0x3d0
      [   35.530009] 	kmem_cache_free+0x1fb/0x220
      [   35.530009] 	put_io_context+0xe7/0x120
      [   35.530009] 	put_io_context_active+0x238/0x380
      [   35.530009] 	exit_io_context+0x66/0x80
      [   35.530009] 	do_exit+0x158e/0x2b90
      [   35.530009] 	do_group_exit+0xe5/0x2b0
      [   35.530009] 	SyS_exit_group+0x1d/0x20
      [   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
      [   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
      [   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
      [   35.530009] ==================================================================
      
      Fix it by grabbing the task lock while we poke at the io_context.
      Reported-by: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: Omar Sandoval <osandov@fb.com>
      Signed-off-by: Jens Axboe <axboe@fb.com>
      Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      075030bd
    • Dan Carpenter's avatar
      [media] xc2028: unlock on error in xc2028_set_config() · 6f9247bc
      Dan Carpenter authored
      commit 210bd104 upstream.
      
      We have to unlock before returning -ENOMEM.
      
      Fixes: 8dfbcc43 ('[media] xc2028: avoid use after free')
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      6f9247bc
    • Mauro Carvalho Chehab's avatar
      [media] xc2028: avoid use after free · 74e3d04c
      Mauro Carvalho Chehab authored
      commit 8dfbcc43 upstream.
      
      If struct xc2028_config is passed without a firmware name,
      the following trouble may happen:
      
      [11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
      [11009.907491] ==================================================================
      [11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
      [11009.907992] Read of size 1 by task modprobe/28992
      [11009.907994] =============================================================================
      [11009.907997] BUG kmalloc-16 (Tainted: G        W      ): kasan: bad access detected
      [11009.907999] -----------------------------------------------------------------------------
      
      [11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
      [11009.908012] 	___slab_alloc+0x581/0x5b0
      [11009.908014] 	__slab_alloc+0x51/0x90
      [11009.908017] 	__kmalloc+0x27b/0x350
      [11009.908022] 	xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
      [11009.908026] 	usb_hcd_submit_urb+0x1e8/0x1c60
      [11009.908029] 	usb_submit_urb+0xb0e/0x1200
      [11009.908032] 	usb_serial_generic_write_start+0xb6/0x4c0
      [11009.908035] 	usb_serial_generic_write+0x92/0xc0
      [11009.908039] 	usb_console_write+0x38a/0x560
      [11009.908045] 	call_console_drivers.constprop.14+0x1ee/0x2c0
      [11009.908051] 	console_unlock+0x40d/0x900
      [11009.908056] 	vprintk_emit+0x4b4/0x830
      [11009.908061] 	vprintk_default+0x1f/0x30
      [11009.908064] 	printk+0x99/0xb5
      [11009.908067] 	kasan_report_error+0x10a/0x550
      [11009.908070] 	__asan_report_load1_noabort+0x43/0x50
      [11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
      [11009.908077] 	__slab_free+0x2ec/0x460
      [11009.908080] 	kfree+0x266/0x280
      [11009.908083] 	xc2028_set_config+0x90/0x630 [tuner_xc2028]
      [11009.908086] 	xc2028_attach+0x310/0x8a0 [tuner_xc2028]
      [11009.908090] 	em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
      [11009.908094] 	em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
      [11009.908098] 	em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
      [11009.908101] 	em28xx_register_extension+0xd9/0x190 [em28xx]
      [11009.908105] 	em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
      [11009.908108] 	do_one_initcall+0x141/0x300
      [11009.908111] 	do_init_module+0x1d0/0x5ad
      [11009.908114] 	load_module+0x6666/0x9ba0
      [11009.908117] 	SyS_finit_module+0x108/0x130
      [11009.908120] 	entry_SYSCALL_64_fastpath+0x16/0x76
      [11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x          (null) flags=0x2ffff8000004080
      [11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001
      
      [11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00  ....*....(......
      [11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff  ...........j....
      [11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G    B   W       4.5.0-rc1+ #43
      [11009.908140] Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
      [11009.908142]  ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
      [11009.908148]  ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
      [11009.908153]  ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
      [11009.908158] Call Trace:
      [11009.908162]  [<ffffffff81932007>] dump_stack+0x4b/0x64
      [11009.908165]  [<ffffffff81556759>] print_trailer+0xf9/0x150
      [11009.908168]  [<ffffffff8155ccb4>] object_err+0x34/0x40
      [11009.908171]  [<ffffffff8155f260>] kasan_report_error+0x230/0x550
      [11009.908175]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
      [11009.908179]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
      [11009.908182]  [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
      [11009.908185]  [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
      [11009.908189]  [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
      [11009.908192]  [<ffffffff8194cea6>] strcmp+0x96/0xb0
      [11009.908196]  [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
      [11009.908200]  [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
      [11009.908203]  [<ffffffff8155ea78>] ? memset+0x28/0x30
      [11009.908206]  [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
      [11009.908211]  [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
      [11009.908215]  [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
      [11009.908219]  [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
      [11009.908222]  [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
      [11009.908226]  [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
      [11009.908230]  [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
      [11009.908233]  [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
      [11009.908238]  [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
      [11009.908242]  [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
      [11009.908245]  [<ffffffff8195222d>] ? string+0x14d/0x1f0
      [11009.908249]  [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
      [11009.908253]  [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
      [11009.908257]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
      [11009.908260]  [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
      [11009.908264]  [<ffffffff812e9846>] ? __module_address+0xb6/0x360
      [11009.908268]  [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
      [11009.908271]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
      [11009.908275]  [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
      [11009.908278]  [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
      [11009.908282]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
      [11009.908285]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
      [11009.908289]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
      [11009.908292]  [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
      [11009.908296]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
      [11009.908299]  [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
      [11009.908302]  [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
      [11009.908306]  [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
      [11009.908309]  [<ffffffff8159e708>] ? put_object+0x48/0x70
      [11009.908314]  [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
      [11009.908317]  [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
      [11009.908320]  [<ffffffffa0150000>] ? 0xffffffffa0150000
      [11009.908324]  [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
      [11009.908327]  [<ffffffff810021b1>] do_one_initcall+0x141/0x300
      [11009.908330]  [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
      [11009.908333]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
      [11009.908337]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
      [11009.908340]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
      [11009.908343]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
      [11009.908346]  [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
      [11009.908350]  [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
      [11009.908353]  [<ffffffff812f2626>] load_module+0x6666/0x9ba0
      [11009.908356]  [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
      [11009.908361]  [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
      [11009.908366]  [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
      [11009.908369]  [<ffffffff815bc940>] ? open_exec+0x50/0x50
      [11009.908374]  [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
      [11009.908377]  [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
      [11009.908379]  [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
      [11009.908383]  [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
      [11009.908394]  [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
      [11009.908396] Memory state around the buggy address:
      [11009.908398]  ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [11009.908401]  ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
      [11009.908405]                                            ^
      [11009.908407]  ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [11009.908409]  ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [11009.908411] ==================================================================
      
      In order to avoid it, let's set the cached value of the firmware
      name to NULL after freeing it. While here, return an error if
      the memory allocation fails.
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      74e3d04c
    • Benjamin Poirier's avatar
      bna: Add synchronization for tx ring. · 32dacf49
      Benjamin Poirier authored
      commit d667f785 upstream.
      
      We received two reports of BUG_ON in bnad_txcmpl_process() where
      hw_consumer_index appeared to be ahead of producer_index. Out of order
      write/read of these variables could explain these reports.
      
      bnad_start_xmit(), as a producer of tx descriptors, has a few memory
      barriers sprinkled around writes to producer_index and the device's
      doorbell but they're not paired with anything in bnad_txcmpl_process(), a
      consumer.
      
      Since we are synchronizing with a device, we must use mandatory barriers,
      not smp_*. Also, I didn't see the purpose of the last smp_mb() in
      bnad_start_xmit().
      Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      32dacf49
    • Vlad Tsyrklevich's avatar
      vfio/pci: Fix integer overflows, bitmask check · e4f13c5f
      Vlad Tsyrklevich authored
      commit 05692d70 upstream.
      
      The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
      user-supplied integers, potentially allowing memory corruption. This
      patch adds appropriate integer overflow checks, checks the range bounds
      for VFIO_IRQ_SET_DATA_NONE, and also verifies that only a single element
      in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
      VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
      vfio_pci_set_irqs_ioctl().
      
      Furthermore, a kzalloc is changed to a kcalloc because the use of a
      kzalloc with an integer multiplication allowed an integer overflow
      condition to be reached without this patch. kcalloc checks for overflow
      and should prevent a similar occurrence.
      Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
      Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      e4f13c5f
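      As an added example, not the vfio driver's code or this patch: a userspace model of the four checks the commit message lists (an argsz that cannot underflow, a start/count range that cannot wrap, a payload size computed without 32-bit overflow, and exactly one data-type bit in the mask), plus a kcalloc-style allocation that rejects a multiplication that would overflow. The header layout, the flag names and values, and the element sizes are assumptions for illustration; they are not the kernel's uapi definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical flag layout: a data-type bit field and an action bit field
 * share one u32, as the commit message describes (values are assumptions). */
#define DATA_NONE        (1u << 0)
#define DATA_BOOL        (1u << 1)
#define DATA_EVENTFD     (1u << 2)
#define DATA_TYPE_MASK   (DATA_NONE | DATA_BOOL | DATA_EVENTFD)
#define ACTION_TRIGGER   (1u << 3)
#define ACTION_TYPE_MASK (7u << 3)

struct irq_set_hdr {
    uint32_t argsz;   /* size of the whole user buffer, header included */
    uint32_t flags;
    uint32_t index;
    uint32_t start;   /* first interrupt the request touches */
    uint32_t count;   /* number of interrupts, one data element each */
};

/* Bytes of per-interrupt payload for the selected data type. */
static size_t data_elem_size(uint32_t dtype)
{
    if (dtype == DATA_BOOL)    return sizeof(uint8_t);
    if (dtype == DATA_EVENTFD) return sizeof(int32_t);
    return 0;                  /* DATA_NONE carries no payload */
}

/* Sanitize a user-supplied header against the device's interrupt count.
 * Returns 0 if every field is in range, -1 otherwise. Each comparison is
 * arranged so that no intermediate value can wrap. */
int validate_irq_set(const struct irq_set_hdr *hdr, uint32_t max_irqs)
{
    const uint32_t minsz = sizeof(*hdr);
    uint32_t dtype = hdr->flags & DATA_TYPE_MASK;

    if (hdr->flags & ~(DATA_TYPE_MASK | ACTION_TYPE_MASK))
        return -1;                          /* unknown flag bits */
    if (dtype == 0 || (dtype & (dtype - 1)) != 0)
        return -1;                          /* exactly one data-type bit */
    if (hdr->argsz < minsz)
        return -1;                          /* argsz - minsz would wrap */
    /* range check that cannot wrap: never compute start + count */
    if (hdr->start >= max_irqs || hdr->count > max_irqs - hdr->start)
        return -1;                          /* applies to DATA_NONE too */
    /* payload size in 64 bits, so count * elem_size cannot wrap at 32 */
    if ((uint64_t)hdr->count * data_elem_size(dtype) > hdr->argsz - minsz)
        return -1;
    return 0;
}

/* One-line wrapper so each scenario reads as a single call. */
int check(uint32_t argsz, uint32_t flags, uint32_t start, uint32_t count,
          uint32_t max_irqs)
{
    struct irq_set_hdr hdr = { argsz, flags, 0, start, count };
    return validate_irq_set(&hdr, max_irqs);
}

/* kcalloc-style allocation: refuse a count * size that would overflow
 * instead of silently handing back a too-small buffer. */
void *alloc_array_checked(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;
    return calloc(count, size);
}

int main(void)
{
    uint32_t hdrsz = sizeof(struct irq_set_hdr);
    printf("sane request:       %d\n", check(hdrsz + 4, DATA_BOOL | ACTION_TRIGGER, 0, 4, 8));
    printf("start+count wraps:  %d\n", check(hdrsz + 4, DATA_BOOL | ACTION_TRIGGER, 4, 0xFFFFFFFFu, 8));
    printf("count*size wraps:   %d\n", check(hdrsz + 4, DATA_EVENTFD | ACTION_TRIGGER, 0, 0x40000001u, 0xFFFFFFFFu));
    printf("two data types:     %d\n", check(hdrsz + 4, DATA_BOOL | DATA_EVENTFD, 0, 1, 8));
    return 0;
}
```

      The third scenario is the one a 32-bit multiplication misses: 0x40000001 * 4 wraps to 4, which fits in the 4 spare bytes of argsz, so the copy that follows would read far past the user buffer's declared size.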
    • Heinrich Schuchardt's avatar
      apparmor: do not expose kernel stack · c0b039ec
      Heinrich Schuchardt authored
      commit f4ee2def upstream.
      
      Do not copy uninitialized fields th.td_hilen, th.td_data.
      Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      c0b039ec
    • John Johansen's avatar
      apparmor: fix module parameters can be changed after policy is locked · a5d852b9
      John Johansen authored
      commit 58acf9d9 upstream.
      
      The policy_lock parameter is a one-way switch that prevents policy
      from being further modified. Unfortunately some of the module parameters
      can effectively modify policy by turning off enforcement.
      
      Split policy_admin_capable into a view check and a full admin check,
      and update the admin check to test the policy_lock parameter.
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      a5d852b9
    • John Johansen's avatar
      apparmor: fix oops in profile_unpack() when policy_db is not present · d035c957
      John Johansen authored
      commit 5f20fdfe upstream.
      
      BugLink: http://bugs.launchpad.net/bugs/1592547
      
      If unpack_dfa() returns NULL due to the dfa not being present,
      profile_unpack() is not checking if the dfa is not present (NULL).
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d035c957
    • John Johansen's avatar
      66bffcb5
    • John Johansen's avatar
      1e612988
    • John Johansen's avatar
      apparmor: fix refcount race when finding a child profile · 7a203ea2
      John Johansen authored
      commit de7c4cc9 upstream.
      
      When finding a child profile via an rcu critical section, the profile
      may be put and scheduled for deletion after the child is found but
      before its refcount is incremented.
      
      Protect against this by repeating the lookup if the profile's refcount
      is 0 and it is on its way to deletion.
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      7a203ea2
    • John Johansen's avatar
      c49d78b4
    • John Johansen's avatar
      apparmor: ensure the target profile name is always audited · 15021f31
      John Johansen authored
      commit f7da2de0 upstream.
      
      The target profile name was not being correctly audited in a few
      cases because the target variable was not being set and gotos
      passed the code to set it at apply:
      
      Since it is always based on new_profile just drop the target var
      and conditionally report based on new_profile.
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      Acked-by: Jeff Mahoney <jeffm@suse.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      15021f31
    • John Johansen's avatar
      apparmor: fix audit full profile hname on successful load · 26805d78
      John Johansen authored
      commit 7ee6da25 upstream.
      
      Currently logging of a successful profile load only logs the basename
      of the profile. This can result in confusion when a child profile has
      the same name as another profile in the set. Logging the hname
      will ensure there is no confusion.
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      26805d78
    • John Johansen's avatar
      apparmor: fix log failures for all profiles in a set · 0762dc3a
      John Johansen authored
      commit bf15cf0c upstream.
      
      Currently only the profile that is causing the failure is logged. This
      makes it more confusing than necessary about which profiles loaded
      and which didn't. So make sure to log success and failure messages for
      all profiles in the set being loaded.
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      0762dc3a
    • John Johansen's avatar
    • John Johansen's avatar
      apparmor: internal paths should be treated as disconnected · d310760c
      John Johansen authored
      commit bd35db8b upstream.
      
      Internal mounts are not mounted anywhere and as such should be treated
      as disconnected paths.
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d310760c
    • John Johansen's avatar
      apparmor: fix disconnected bind mnts reconnection · 393776e0
      John Johansen authored
      commit f2e561d1 upstream.
      
      Bind mounts can fail to be properly reconnected when PATH_CONNECT is
      specified. Ensure that when PATH_CONNECT is specified the path has
      a root.
      
      BugLink: http://bugs.launchpad.net/bugs/1319984
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      393776e0
    • John Johansen's avatar
    • John Johansen's avatar
      apparmor: exec should not be returning ENOENT when it denies · 2ee5e7af
      John Johansen authored
      commit 9049a792 upstream.
      
      The current behavior is confusing as it causes exec failures to report
      the executable is missing instead of identifying that apparmor
      caused the failure.
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      2ee5e7af
    • John Johansen's avatar
      apparmor: fix uninitialized lsm_audit member · 087e1f32
      John Johansen authored
      commit b6b1b81b upstream.
      
      BugLink: http://bugs.launchpad.net/bugs/1268727
      
      The task field in the lsm_audit struct needs to be initialized if
      a change_hat fails, otherwise the following oops will occur
      
      BUG: unable to handle kernel paging request at 0000002fbead7d08
      IP: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
      PGD 1e3f35067 PUD 0
      Oops: 0002 [#1] SMP
      Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
      CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF          O 3.13.0-7-generic #25-Ubuntu
      Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
      task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
      RIP: 0010:[<ffffffff8171153e>]  [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
      RSP: 0018:ffff880212987b68  EFLAGS: 00010006
      RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
      RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
      RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
      R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
      R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
      FS:  00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
      Stack:
       ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
       0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
       0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
      Call Trace:
       [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80
       [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
       [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80
       [<ffffffff81075fee>] send_sig_info+0x1e/0x30
       [<ffffffff8130242d>] aa_audit+0x13d/0x190
       [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130
       [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
       [<ffffffff81304cc2>] aa_change_hat+0x202/0x530
       [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0
       [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300
       [<ffffffff812cee56>] security_setprocattr+0x16/0x20
       [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130
       [<ffffffff811b7604>] vfs_write+0xb4/0x1f0
       [<ffffffff811b8039>] SyS_write+0x49/0xa0
       [<ffffffff8171a1bf>] tracesys+0xe1/0xe6
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      Acked-by: Jeff Mahoney <jeffm@suse.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      087e1f32
    • John Johansen's avatar
      apparmor: fix replacement bug that adds new child to old parent · 401f89b9
      John Johansen authored
      commit ec34fa24 upstream.
      
      When set atomic replacement is used and the parent is updated before the
      child, and the child did not exist in the old parent so there is no
      direct replacement then the new child is incorrectly added to the old
      parent. This results in the new parent not having the child(ren) that
      it should and the old parent when being destroyed asserting the
      following error.
      
      AppArmor: policy_destroy: internal error, policy '<profile/name>' still
      contains profiles
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      401f89b9
    • John Johansen's avatar
      6265dbd4
    • Sachin Prabhu's avatar
      Fix regression which breaks DFS mounting · f75bde09
      Sachin Prabhu authored
      commit d171356f upstream.
      
      Patch a6b5058f results in the -EREMOTE returned by is_path_accessible() in
      cifs_mount() being ignored, which breaks DFS mounting.
      Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
      Reviewed-by: Aurelien Aptel <aaptel@suse.com>
      Signed-off-by: Steve French <smfrench@gmail.com>
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      f75bde09
    • Sachin Prabhu's avatar
      a6802847
    • Sachin Prabhu's avatar
      Compare prepaths when comparing superblocks · a0ebbc68
      Sachin Prabhu authored
      commit c1d8b24d upstream.
      
      The patch
      Fs/cifs: make share unaccessible at root level mountable
      makes use of prepaths when any component of the underlying path is
      inaccessible.
      
When mounting 2 separate shares having different prepaths but otherwise
similar in other respects, we end up sharing superblocks when we
shouldn't be doing so.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      a0ebbc68
    • Sachin Prabhu's avatar
      Fix memory leaks in cifs_do_mount() · d912360d
      Sachin Prabhu authored
      commit 4214ebf4 upstream.
      
      Fix memory leaks introduced by the patch
      Fs/cifs: make share unaccessible at root level mountable
      
      Also move allocation of cifs_sb->prepath to cifs_setup_cifs_sb().
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      d912360d
    • Aurelien Aptel's avatar
      fs/cifs: make share unaccessible at root level mountable · 4cc7ad85
      Aurelien Aptel authored
      commit a6b5058f upstream.
      
If, when mounting //HOST/share/sub/dir/foo we can query /sub/dir/foo but
not any of the path components above:
      
      - store the /sub/dir/foo prefix in the cifs super_block info
      - in the superblock, set root dentry to the subpath dentry (instead of
        the share root)
      - set a flag in the superblock to remember it
      - use prefixpath when building path from a dentry
      
      fixes bso#8950
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Pavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      4cc7ad85
    • Benjamin Poirier's avatar
      vmxnet3: Wake queue from reset work · 669b0c45
      Benjamin Poirier authored
      commit 277964e1 upstream.
      
      vmxnet3_reset_work() expects tx queues to be stopped (via
      vmxnet3_quiesce_dev -> netif_tx_disable). However, this races with the
      netif_wake_queue() call in netif_tx_timeout() such that the driver's
      start_xmit routine may be called unexpectedly, triggering one of the BUG_ON
      in vmxnet3_map_pkt with a stack trace like this:
      
      RIP: 0010:[<ffffffffa00cf4bc>] vmxnet3_map_pkt+0x3ac/0x4c0 [vmxnet3]
       [<ffffffffa00cf7e0>] vmxnet3_tq_xmit+0x210/0x4e0 [vmxnet3]
       [<ffffffff813ab144>] dev_hard_start_xmit+0x2e4/0x4c0
       [<ffffffff813c956e>] sch_direct_xmit+0x17e/0x1e0
       [<ffffffff813c96a7>] __qdisc_run+0xd7/0x130
       [<ffffffff813a6a7a>] net_tx_action+0x10a/0x200
       [<ffffffff810691df>] __do_softirq+0x11f/0x260
       [<ffffffff81472fdc>] call_softirq+0x1c/0x30
       [<ffffffff81004695>] do_softirq+0x65/0xa0
       [<ffffffff81069b89>] local_bh_enable_ip+0x99/0xa0
       [<ffffffffa031ff36>] destroy_conntrack+0x96/0x110 [nf_conntrack]
       [<ffffffff813d65e2>] nf_conntrack_destroy+0x12/0x20
       [<ffffffff8139c6d5>] skb_release_head_state+0xb5/0xf0
       [<ffffffff8139d299>] skb_release_all+0x9/0x20
       [<ffffffff8139cfe9>] __kfree_skb+0x9/0x90
       [<ffffffffa00d0069>] vmxnet3_quiesce_dev+0x209/0x340 [vmxnet3]
       [<ffffffffa00d020a>] vmxnet3_reset_work+0x6a/0xa0 [vmxnet3]
       [<ffffffff8107d7cc>] process_one_work+0x16c/0x350
       [<ffffffff810804fa>] worker_thread+0x17a/0x410
       [<ffffffff810848c6>] kthread+0x96/0xa0
       [<ffffffff81472ee4>] kernel_thread_helper+0x4/0x10
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      669b0c45
    • Trond Myklebust's avatar
      NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT · dfdab4c4
      Trond Myklebust authored
      commit 809fd143 upstream.
      
      If the OPEN rpc call to the server fails with an ENOENT call, nfs_atomic_open
      will create a negative dentry for that file, however it currently fails
      to call nfs_set_verifier(), thus causing the dentry to be immediately
      revalidated on the next call to nfs_lookup_revalidate() instead of following
      the usual lookup caching rules.
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      dfdab4c4
    • Jan Kara's avatar
      posix_acl: Clear SGID bit when setting file permissions · a88a2be3
      Jan Kara authored
      commit 07393101 upstream.
      
      When file permissions are modified via chmod(2) and the user is not in
      the owning group or capable of CAP_FSETID, the setgid bit is cleared in
      inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
      permissions as well as the new ACL, but doesn't clear the setgid bit in
      a similar way; this allows to bypass the check in chmod(2).  Fix that.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      a88a2be3
    • Nicolas Iooss's avatar
      ite-cir: initialize use_demodulator before using it · 1c4d4c69
      Nicolas Iooss authored
      commit 7ec03e60 upstream.
      
      Function ite_set_carrier_params() uses variable use_demodulator after
      having initialized it to false in some if branches, but this variable is
      never set to true otherwise.
      
      This bug has been found using clang -Wsometimes-uninitialized warning
      flag.
      
      Fixes: 620a32bb ("[media] rc: New rc-based ite-cir driver for
      several ITE CIRs")
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      1c4d4c69
    • Arnd Bergmann's avatar
      ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation · cfa2ba99
      Arnd Bergmann authored
      commit f0e8faa7 upstream.
      
      This function clearly never worked and always returns true,
      as pointed out by gcc-7:
      
      arch/arm/mach-ux500/pm.c: In function 'prcmu_is_cpu_in_wfi':
      arch/arm/mach-ux500/pm.c:137:212: error: ?:
      using integer constants in boolean context, the expression
      will always evaluate to 'true' [-Werror=int-in-bool-context]
      
      With the added braces, the condition actually makes sense.
      
      Fixes: 34fe6f10 ("mfd : Check if the other db8500 core is in WFI")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      cfa2ba99
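Added example, not the page's or the kernel's code: the operator-precedence pitfall behind the gcc-7 diagnostic quoted above, reproduced on plain integers. It assumes the original expression had the shape `status & cpu ? BIT1 : BIT0`, which is what "using integer constants in boolean context" implies, and the WFI_STATUS_* bit positions are invented placeholders rather than the real PRCM register layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bit layout of a two-core "in WFI" status register (placeholder
 * values, not the real PRCM_ARM_WFI_STANDBY_WFIn definitions). */
#define WFI_STATUS_CPU0  (1u << 0)
#define WFI_STATUS_CPU1  (1u << 1)

/* Pre-fix shape.  '&' binds tighter than '?:', so this parses as
 *     (status & cpu) ? WFI_STATUS_CPU1 : WFI_STATUS_CPU0
 * Both arms are non-zero constants, so in a bool context the result is
 * always true: that is exactly what -Wint-in-bool-context reports.
 * The warning is silenced here only so the deliberately wrong form builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wint-in-bool-context"
bool cpu_in_wfi_buggy(uint32_t status, int cpu)
{
    return status & cpu ? WFI_STATUS_CPU1 : WFI_STATUS_CPU0;
}
#pragma GCC diagnostic pop

/* With parentheses the intended meaning appears: pick the bit that belongs
 * to this cpu, then test it against the register value. */
bool cpu_in_wfi_fixed(uint32_t status, int cpu)
{
    return status & (cpu ? WFI_STATUS_CPU1 : WFI_STATUS_CPU0);
}

/* Sweep every (status, cpu) combination and count where the two versions
 * disagree.  Out of 8 cases the buggy version is wrong in 4: whenever the
 * selected cpu is actually not in WFI. */
int count_disagreements(void)
{
    int n = 0;
    for (uint32_t status = 0; status < 4; status++)
        for (int cpu = 0; cpu < 2; cpu++)
            if (cpu_in_wfi_buggy(status, cpu) != cpu_in_wfi_fixed(status, cpu))
                n++;
    return n;
}

int main(void)
{
    for (uint32_t status = 0; status < 4; status++)
        for (int cpu = 0; cpu < 2; cpu++)
            printf("status=%u cpu=%d buggy=%d fixed=%d\n", status, cpu,
                   cpu_in_wfi_buggy(status, cpu), cpu_in_wfi_fixed(status, cpu));
    printf("disagreements: %d\n", count_disagreements());
    return 0;
}
```

A function that "always returns true" is a liveness check that never fails, which is why the fix matters even though the code compiled silently for years before gcc-7 learned to flag it.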
    • Dave Martin's avatar
      arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields · f38a504f
      Dave Martin authored
      commit ad9e202a upstream.
      
      We cannot preserve partial fields for hardware breakpoints, because
      the values written by userspace to the hardware breakpoint
      registers can't subsequently be recovered intact from the hardware.
      
      So, just reject attempts to write incomplete fields with -EINVAL.
      
      Fixes: 478fcb2c ("arm64: Debugging support")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      f38a504f
    • Dave Martin's avatar
      arm64/ptrace: Avoid uninitialised struct padding in fpr_set() · 4949014b
      Dave Martin authored
      commit aeb1f39d upstream.
      
      This patch adds an explicit __reserved[] field to user_fpsimd_state
      to replace what was previously unnamed padding.
      
      This ensures that data in this region are propagated across
      assignment rather than being left possibly uninitialised at the
      destination.
      
      Fixes: 60ffc30d ("arm64: Exception handling")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      4949014b
    • Dave Martin's avatar
      arm64/ptrace: Preserve previous registers for short regset write · e4b2d082
      Dave Martin authored
      commit 9a17b876 upstream.
      
      Ensure that if userspace supplies insufficient data to
      PTRACE_SETREGSET to fill all the registers, the thread's old
      registers are preserved.
      
      Fixes: 478fcb2c ("arm64: Debugging support")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      e4b2d082
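Added example, not from the commits above or from the kernel, modelling the two short-write policies of the arm64/ptrace fixes on this page: rejecting a PTRACE_SETREGSET write that stops inside a hardware breakpoint field (f38a504f) and preserving the thread's old registers when a general register write is short (e4b2d082). The struct regs and hwbp_slot layouts, the 8/4/4-byte field sizes, the function names and the register values in the demo functions are all assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS 4
struct regs { uint64_t r[NREGS]; };   /* toy stand-in for a general regset */

/* Post-fix behaviour: seed the temporary from the thread's current registers
 * and overlay only the bytes userspace supplied, so a short write leaves the
 * remaining registers exactly as they were. */
int regset_set_preserving(struct regs *thread, const void *ubuf, size_t count)
{
    struct regs newregs = *thread;
    if (count > sizeof(newregs))
        return -EINVAL;
    memcpy(&newregs, ubuf, count);
    *thread = newregs;
    return 0;
}

/* Pre-fix behaviour as the commit describes it: the temporary is not seeded
 * from the old state (zero-filled here; on a real stack it would be whatever
 * was left there), so every register past 'count' is clobbered. */
int regset_set_clobbering(struct regs *thread, const void *ubuf, size_t count)
{
    struct regs newregs;
    memset(&newregs, 0, sizeof(newregs));
    if (count > sizeof(newregs))
        return -EINVAL;
    memcpy(&newregs, ubuf, count);
    *thread = newregs;
    return 0;
}

/* A hardware breakpoint slot as exposed through a regset: address and control
 * fields plus padding (sizes assumed).  The hardware cannot hand back a
 * half-written field, so a write that ends inside a field cannot be merged
 * with the old value and has to be rejected outright. */
struct hwbp_slot { uint64_t addr; uint32_t ctrl; uint32_t pad; };
static const size_t hwbp_field_sizes[] = { 8, 4, 4 };

/* 1 if 'count' bytes end exactly on a field boundary within 'nslots' slots. */
int hwbp_write_is_complete(size_t count, size_t nslots)
{
    size_t off = 0;
    if (count > nslots * sizeof(struct hwbp_slot))
        return 0;
    while (off < count) {
        for (size_t i = 0; i < 3 && off < count; i++) {
            if (count < off + hwbp_field_sizes[i])
                return 0;                  /* write stops inside this field */
            off += hwbp_field_sizes[i];
        }
    }
    return 1;
}

int hwbp_set(struct hwbp_slot *slots, size_t nslots, const void *ubuf, size_t count)
{
    if (!hwbp_write_is_complete(count, nslots))
        return -EINVAL;
    memcpy(slots, ubuf, count);            /* whole fields only; rest untouched */
    return 0;
}

/* Constructed scenario: thread has r = {1,2,3,4}; userspace writes two
 * registers {9,9} (16 bytes).  Returns register 'idx' afterwards. */
uint64_t demo_short_write(int preserving, int idx)
{
    struct regs thread = {{ 1, 2, 3, 4 }};
    uint64_t user[2] = { 9, 9 };
    int err = preserving ? regset_set_preserving(&thread, user, sizeof(user))
                         : regset_set_clobbering(&thread, user, sizeof(user));
    return err ? (uint64_t)-1 : thread.r[idx];
}

/* Constructed scenario: a 10-byte write into a one-slot breakpoint regset,
 * i.e. 2 bytes into 'ctrl'.  Returns hwbp_set()'s result (-EINVAL). */
int demo_hwbp_partial_write(void)
{
    struct hwbp_slot slot = { 0, 0, 0 };
    uint8_t buf[10] = { 0 };
    return hwbp_set(&slot, 1, buf, sizeof(buf));
}

int main(void)
{
    printf("preserving: r3 after short write = %llu\n",
           (unsigned long long)demo_short_write(1, 3));
    printf("clobbering: r3 after short write = %llu\n",
           (unsigned long long)demo_short_write(0, 3));
    printf("partial hwbp field write -> %d\n", demo_hwbp_partial_write());
    return 0;
}
```

The two policies differ because of what the hardware can do: general registers can be read back and merged, so the kernel preserves; breakpoint fields cannot be recovered intact once partially written, so the kernel refuses with -EINVAL rather than leave a debugger with silently truncated state.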
    • Fabien Parent's avatar
      ARM: dts: da850-evm: fix read access to SPI flash · 983a8a1c
      Fabien Parent authored
      commit 43849785 upstream.
      
Read accesses to the SPI flash are broken on da850-evm, i.e. the data
read is not what is actually programmed on the flash.
      According to the datasheet for the M25P64 part present on the da850-evm,
      if the SPI frequency is higher than 20MHz then the READ command is not
      usable anymore and only the FAST_READ command can be used to read data.
      
      This commit specifies in the DTS that we should use FAST_READ command
      instead of the READ command.
Tested-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Fabien Parent <fparent@baylibre.com>
[nsekhar@ti.com: subject line adjustment]
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Olof Johansson <olof@lixom.net>
      983a8a1c