1. 29 Mar, 2017 9 commits
  2. 23 Mar, 2017 12 commits
  3. 10 Mar, 2017 2 commits
    • Alexander Potapenko's avatar
      selinux: check for address length in selinux_socket_bind() · e2f586bd
      Alexander Potapenko authored
      KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
      uninitialized memory in selinux_socket_bind():
      
      ==================================================================
      BUG: KMSAN: use of unitialized memory
      inter: 0
      CPU: 3 PID: 1074 Comm: packet2 Tainted: G    B           4.8.0-rc6+ #1916
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48
       ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550
       0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002
      Call Trace:
       [<     inline     >] __dump_stack lib/dump_stack.c:15
       [<ffffffff825759c8>] dump_stack+0x238/0x290 lib/dump_stack.c:51
       [<ffffffff818bdee6>] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008
       [<ffffffff818bf0fb>] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424
       [<ffffffff822dae71>] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288
       [<ffffffff8229357c>] security_socket_bind+0x1ec/0x240 security/security.c:1240
       [<ffffffff84265d98>] SYSC_bind+0x358/0x5f0 net/socket.c:1366
       [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
       [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
       [<ffffffff8518217c>] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:?
      chained origin: 00000000ba6009bb
       [<ffffffff810bb7a7>] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67
       [<     inline     >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
       [<     inline     >] kmsan_save_stack mm/kmsan/kmsan.c:337
       [<ffffffff818bd2b8>] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530
       [<ffffffff818bf033>] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380
       [<ffffffff84265b69>] SYSC_bind+0x129/0x5f0 net/socket.c:1356
       [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
       [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
       [<ffffffff8518217c>] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:?
      origin description: ----address@SYSC_bind (origin=00000000b8c00900)
      ==================================================================
      
      (the line numbers are relative to 4.8-rc6, but the bug persists upstream)
      
      , when I run the following program as root:
      
      =======================================================
        #include <string.h>
        #include <sys/socket.h>
        #include <netinet/in.h>
      
        int main(int argc, char *argv[]) {
          struct sockaddr addr;
          int size = 0;
          if (argc > 1) {
            size = atoi(argv[1]);
          }
          memset(&addr, 0, sizeof(addr));
          int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
          bind(fd, &addr, size);
          return 0;
        }
      =======================================================
      
      (for different values of |size| other error reports are printed).
      
      This happens because bind() unconditionally copies |size| bytes of
      |addr| to the kernel, leaving the rest uninitialized. Then
      security_socket_bind() reads the IP address bytes, including the
      uninitialized ones, to determine the port, or e.g. pass them further to
      sel_netnode_find(), which uses them to calculate a hash.
      Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      [PM: fixed some whitespace damage]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      e2f586bd
    • Nicolas Iooss's avatar
      selinux: include sys/socket.h in host programs to have PF_MAX · c017c71c
      Nicolas Iooss authored
      Compiling with clang and -Wundef makes the compiler report a usage of
      undefined PF_MAX macro in security/selinux/include/classmap.h:
      
          In file included from scripts/selinux/mdp/mdp.c:48:
          security/selinux/include/classmap.h:37:31: warning: no previous
          extern declaration for non-static variable 'secclass_map'
          [-Wmissing-variable-declarations]
          struct security_class_mapping secclass_map[] = {
                                        ^
          security/selinux/include/classmap.h:235:5: error: 'PF_MAX' is not
          defined, evaluates to 0 [-Werror,-Wundef]
          #if PF_MAX > 43
              ^
          In file included from scripts/selinux/genheaders/genheaders.c:17:
          security/selinux/include/classmap.h:37:31: warning: no previous
          extern declaration for non-static variable 'secclass_map'
          [-Wmissing-variable-declarations]
          struct security_class_mapping secclass_map[] = {
                                        ^
          security/selinux/include/classmap.h:235:5: error: 'PF_MAX' is not
          defined, evaluates to 0 [-Werror,-Wundef]
          #if PF_MAX > 43
              ^
      
      PF_MAX is defined in include/linux/socket.h but not in
      include/uapi/linux/socket.h. Therefore host programs have to rely on the
      definition from libc's /usr/include/bits/socket.h, included by
      <sys/socket.h>.
      
      Fix the issue by using sys/socket.h in mdp and genheaders. When
      classmap.h is included by security/selinux/avc.c, it uses the kernel
      definition of PF_MAX, which makes the test consistent.
      Signed-off-by: default avatarNicolas Iooss <nicolas.iooss@m4x.org>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      c017c71c
  4. 06 Mar, 2017 3 commits
  5. 05 Mar, 2017 4 commits
    • Stephen Smalley's avatar
      selinux: fix kernel BUG on prlimit(..., NULL, NULL) · 84e6885e
      Stephen Smalley authored
      commit 79bcf325e6b32b3c ("prlimit,security,selinux: add a security hook
      for prlimit") introduced a security hook for prlimit() and implemented it
      for SELinux.  However, if prlimit() is called with NULL arguments for both
      the new limit and the old limit, then the hook is called with 0 for the
      read/write flags, since the prlimit() will neither read nor write the
      process' limits.  This would in turn lead to calling avc_has_perm() with 0
      for the requested permissions, which triggers a BUG_ON() in
      avc_has_perm_noaudit() since the kernel should never be invoking
      avc_has_perm() with no permissions.  Fix this in the SELinux hook by
      returning immediately if the flags are 0.  Arguably prlimit64() itself
      ought to return immediately if both old_rlim and new_rlim are NULL since
      it is effectively a no-op in that case.
      
      Reported by the lkp-robot based on trinity testing.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      84e6885e
    • Stephen Smalley's avatar
      prlimit,security,selinux: add a security hook for prlimit · 791ec491
      Stephen Smalley authored
      When SELinux was first added to the kernel, a process could only get
      and set its own resource limits via getrlimit(2) and setrlimit(2), so no
      MAC checks were required for those operations, and thus no security hooks
      were defined for them. Later, SELinux introduced a hook for setlimit(2)
      with a check if the hard limit was being changed in order to be able to
      rely on the hard limit value as a safe reset point upon context
      transitions.
      
      Later on, when prlimit(2) was added to the kernel with the ability to get
      or set resource limits (hard or soft) of another process, LSM/SELinux was
      not updated other than to pass the target process to the setrlimit hook.
      This resulted in incomplete control over both getting and setting the
      resource limits of another process.
      
      Add a new security_task_prlimit() hook to the check_prlimit_permission()
      function to provide complete mediation.  The hook is only called when
      acting on another task, and only if the existing DAC/capability checks
      would allow access.  Pass flags down to the hook to indicate whether the
      prlimit(2) call will read, write, or both read and write the resource
      limits of the target process.
      
      The existing security_task_setrlimit() hook is left alone; it continues
      to serve a purpose in supporting the ability to make decisions based on
      the old and/or new resource limit values when setting limits.  This
      is consistent with the DAC/capability logic, where
      check_prlimit_permission() performs generic DAC/capability checks for
      acting on another task, while do_prlimit() performs a capability check
      based on a comparison of the old and new resource limits.  Fix the
      inline documentation for the hook to match the code.
      
      Implement the new hook for SELinux.  For setting resource limits, we
      reuse the existing setrlimit permission.  Note that this does overload
      the setrlimit permission to mean the ability to set the resource limit
      (soft or hard) of another process or the ability to change one's own
      hard limit.  For getting resource limits, a new getrlimit permission
      is defined.  This was not originally defined since getrlimit(2) could
      only be used to obtain a process' own limits.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      791ec491
    • Linus Torvalds's avatar
      Linux 4.11-rc1 · c1ae3cfa
      Linus Torvalds authored
      c1ae3cfa
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8d70eeb8
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix double-free in batman-adv, from Sven Eckelmann.
      
       2) Fix packet stats for fast-RX path, from Joannes Berg.
      
       3) Netfilter's ip_route_me_harder() doesn't handle request sockets
          properly, fix from Florian Westphal.
      
       4) Fix sendmsg deadlock in rxrpc, from David Howells.
      
       5) Add missing RCU locking to transport hashtable scan, from Xin Long.
      
       6) Fix potential packet loss in mlxsw driver, from Ido Schimmel.
      
       7) Fix race in NAPI handling between poll handlers and busy polling,
          from Eric Dumazet.
      
       8) TX path in vxlan and geneve need proper RCU locking, from Jakub
          Kicinski.
      
       9) SYN processing in DCCP and TCP need to disable BH, from Eric
          Dumazet.
      
      10) Properly handle net_enable_timestamp() being invoked from IRQ
          context, also from Eric Dumazet.
      
      11) Fix crash on device-tree systems in xgene driver, from Alban Bedel.
      
      12) Do not call sk_free() on a locked socket, from Arnaldo Carvalho de
          Melo.
      
      13) Fix use-after-free in netvsc driver, from Dexuan Cui.
      
      14) Fix max MTU setting in bonding driver, from WANG Cong.
      
      15) xen-netback hash table can be allocated from softirq context, so use
          GFP_ATOMIC. From Anoob Soman.
      
      16) Fix MAC address change bug in bgmac driver, from Hari Vyas.
      
      17) strparser needs to destroy strp_wq on module exit, from WANG Cong.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (69 commits)
        strparser: destroy workqueue on module exit
        sfc: fix IPID endianness in TSOv2
        sfc: avoid max() in array size
        rds: remove unnecessary returned value check
        rxrpc: Fix potential NULL-pointer exception
        nfp: correct DMA direction in XDP DMA sync
        nfp: don't tell FW about the reserved buffer space
        net: ethernet: bgmac: mac address change bug
        net: ethernet: bgmac: init sequence bug
        xen-netback: don't vfree() queues under spinlock
        xen-netback: keep a local pointer for vif in backend_disconnect()
        netfilter: nf_tables: don't call nfnetlink_set_err() if nfnetlink_send() fails
        netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups
        netfilter: nf_conntrack_sip: fix wrong memory initialisation
        can: flexcan: fix typo in comment
        can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
        can: gs_usb: fix coding style
        can: gs_usb: Don't use stack memory for USB transfers
        ixgbe: Limit use of 2K buffers on architectures with 256B or larger cache lines
        ixgbe: update the rss key on h/w, when ethtool ask for it
        ...
      8d70eeb8
  6. 04 Mar, 2017 10 commits
    • Linus Torvalds's avatar
      Merge tag 'kvm-4.11-2' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 2d62e076
      Linus Torvalds authored
      Pull more KVM updates from Radim Krčmář:
       "Second batch of KVM changes for the 4.11 merge window:
      
        PPC:
         - correct assumption about ASDR on POWER9
         - fix MMIO emulation on POWER9
      
        x86:
         - add a simple test for ioperm
         - cleanup TSS (going through KVM tree as the whole undertaking was
           caused by VMX's use of TSS)
         - fix nVMX interrupt delivery
         - fix some performance counters in the guest
      
        ... and two cleanup patches"
      
      * tag 'kvm-4.11-2' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: nVMX: Fix pending events injection
        x86/kvm/vmx: remove unused variable in segment_base()
        selftests/x86: Add a basic selftest for ioperm
        x86/asm: Tidy up TSS limit code
        kvm: convert kvm.users_count from atomic_t to refcount_t
        KVM: x86: never specify a sample period for virtualized in_tx_cp counters
        KVM: PPC: Book3S HV: Don't use ASDR for real-mode HPT faults on POWER9
        KVM: PPC: Book3S HV: Fix software walk of guest process page tables
      2d62e076
    • Linus Torvalds's avatar
      Merge tag 'docs-4.11-fixes' of git://git.lwn.net/linux · be834aaf
      Linus Torvalds authored
      Pull documentation fixes from Jonathan Corbet:
       "A few fixes for the docs tree, including one for a 4.11 build
        regression"
      
      * tag 'docs-4.11-fixes' of git://git.lwn.net/linux:
        Documentation/sphinx: fix primary_domain configuration
        docs: Fix htmldocs build failure
        doc/ko_KR/memory-barriers: Update control-dependencies section
        pcieaer doc: update the link
        Documentation: Update path to sysrq.txt
      be834aaf
    • Linus Torvalds's avatar
      Merge tag 'staging-4.11-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 91aff98b
      Linus Torvalds authored
      Pull staging/IIO driver fixes from Greg KH:
       "Here are a few small staging and IIO driver fixes for issues that
        showed up after the big set if changes you merged last week.
      
        Nothing major, just small bugs resolved in some IIO drivers, a lustre
        allocation fix, and some RaspberryPi driver fixes for reported
        problems, as well as a MAINTAINERS entry update.
      
        All of these have been in linux-next for a week with no reported
        issues"
      
      * tag 'staging-4.11-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: fsl-mc: fix warning in DT ranges parser
        MAINTAINERS: Remove Noralf Trønnes as fbtft maintainer
        staging: vchiq_2835_arm: Make cache-line-size a required DT property
        staging: bcm2835/mmal-vchiq: unlock on error in buffer_from_host()
        staging/lustre/lnet: Fix allocation size for sv_cpt_data
        iio: adc: xilinx: Fix error handling
        iio: 104-quad-8: Fix off-by-one error when addressing flag register
        iio: adc: handle unknow of_device_id data
      91aff98b
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 33a8b3e9
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
      
       - vmalloc stack regression in CCM
      
       - Build problem in CRC32 on ARM
      
       - Memory leak in cavium
      
       - Missing Kconfig dependencies in atmel and mediatek
      
       - XTS Regression on some platforms (s390 and ppc)
      
       - Memory overrun in CCM test vector
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: vmx - Use skcipher for xts fallback
        crypto: vmx - Use skcipher for cbc fallback
        crypto: testmgr - Pad aes_ccm_enc_tv_template vector
        crypto: arm/crc32 - add build time test for CRC instruction support
        crypto: arm/crc32 - fix build error with outdated binutils
        crypto: ccm - move cbcmac input off the stack
        crypto: xts - Propagate NEED_FALLBACK bit
        crypto: api - Add crypto_requires_off helper
        crypto: atmel - CRYPTO_DEV_MEDIATEK should depend on HAS_DMA
        crypto: atmel - CRYPTO_DEV_ATMEL_TDES and CRYPTO_DEV_ATMEL_SHA should depend on HAS_DMA
        crypto: cavium - fix leak on curr if curr->head fails to be allocated
        crypto: cavium - Fix couple of static checker errors
      33a8b3e9
    • Linus Torvalds's avatar
      Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 0710f3ff
      Linus Torvalds authored
      Pull misc final vfs updates from Al Viro:
       "A few unrelated patches that got beating in -next.
      
        Everything else will have to go into the next window ;-/"
      
      * 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        hfs: fix hfs_readdir()
        selftest for default_file_splice_read() infoleak
        9p: constify ->d_name handling
      0710f3ff
    • Linus Torvalds's avatar
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · a3b4924b
      Linus Torvalds authored
      Pull more SCSI updates from James Bottomley:
       "This is the set of stuff that didn't quite make the initial pull and a
        set of fixes for stuff which did.
      
        The new stuff is basically lpfc (nvme), qedi and aacraid. The fixes
        cover a lot of previously submitted stuff, the most important of which
        probably covers some of the failing irq vectors allocation and other
        fallout from having the SCSI command allocated as part of the block
        allocation functions"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (59 commits)
        scsi: qedi: Fix memory leak in tmf response processing.
        scsi: aacraid: remove redundant zero check on ret
        scsi: lpfc: use proper format string for dma_addr_t
        scsi: lpfc: use div_u64 for 64-bit division
        scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m
        scsi: cciss: correct check map error.
        scsi: qla2xxx: fix spelling mistake: "seperator" -> "separator"
        scsi: aacraid: Fixed expander hotplug for SMART family
        scsi: mpt3sas: switch to pci_alloc_irq_vectors
        scsi: qedf: fixup compilation warning about atomic_t usage
        scsi: remove scsi_execute_req_flags
        scsi: merge __scsi_execute into scsi_execute
        scsi: simplify scsi_execute_req_flags
        scsi: make the sense header argument to scsi_test_unit_ready mandatory
        scsi: sd: improve TUR handling in sd_check_events
        scsi: always zero sshdr in scsi_normalize_sense
        scsi: scsi_dh_emc: return success in clariion_std_inquiry()
        scsi: fix memory leak of sdpk on when gd fails to allocate
        scsi: sd: make sd_devt_release() static
        scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.
        ...
      a3b4924b
    • WANG Cong's avatar
      strparser: destroy workqueue on module exit · f78ef7cd
      WANG Cong authored
      Fixes: 43a0c675 ("strparser: Stream parser for messages")
      Cc: Tom Herbert <tom@herbertland.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f78ef7cd
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 20b83643
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are:
      
      1) Missing check for full sock in ip_route_me_harder(), from
         Florian Westphal.
      
      2) Incorrect sip helper structure initilization that breaks it when
         several ports are used, from Christophe Leroy.
      
      3) Fix incorrect assumption when looking up for matching with adjacent
         intervals in the nft_set_rbtree.
      
      4) Fix broken netlink event error reporting in nf_tables that results
         in misleading ESRCH errors propagated to userspace listeners.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20b83643
    • Linus Torvalds's avatar
      Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 0b94da8d
      Linus Torvalds authored
      Pull libnvdimm fixes from Dan Williams:
       "A fix and regression test case for nvdimm namespace label
        compatibility.
      
        Details:
      
         - An "nvdimm namespace label" is metadata on an nvdimm that
           provisions dimm capacity into a "namespace" that can host a block
           device / dax-filesytem, or a device-dax character device.
      
           A namespace is an object that other operating environment and
           platform firmware needs to comprehend for capabilities like booting
           from an nvdimm.
      
           The label metadata contains a checksum that Linux was not
           calculating correctly leading to other environments rejecting the
           Linux label.
      
         These have received a build success notification from the kbuild
         robot, and a positive test result from Nick who reported the problem"
      
      * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        nfit, libnvdimm: fix interleave set cookie calculation
        tools/testing/nvdimm: make iset cookie predictable
      0b94da8d
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.11-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · e27fd02d
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - fix NULL pointer dereferences in many DesignWare-based drivers due to
         refactoring error
      
       - fix Altera config write breakage due to my refactoring error
      
      * tag 'pci-v4.11-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: altera: Fix TLP_CFG_DW0 for TLP write
        PCI: dwc: Fix crashes seen due to missing assignments
      e27fd02d