1. 18 Oct, 2018 1 commit
      dm ioctl: harden copy_params()'s copy_from_user() from malicious users · 800a7340
      Wenwen Wang authored
      In copy_params(), the struct 'dm_ioctl' is first copied from the user
      space buffer 'user' to 'param_kernel' and the field 'data_size' is
      checked against 'minimum_data_size' (size of 'struct dm_ioctl' payload
      up to its 'data' member).  If the check fails, an error code EINVAL will be
      returned.  Otherwise, param_kernel->data_size is used to do a second copy,
      which copies from the same user-space buffer to 'dmi'.  After the second
      copy, only 'dmi->data_size' is checked against 'param_kernel->data_size'.
      Given that the buffer 'user' resides in the user space, a malicious
      user-space process can race to change the content in the buffer between
      the two copies.  This way, the attacker can inject inconsistent data
      into 'dmi' (versus previously validated 'param_kernel').
      
      Fix redundant copying of 'minimum_data_size' from user-space buffer by
      using the first copy stored in 'param_kernel'.  Also remove the
      'data_size' check after the second copy because it is now unnecessary.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Wenwen Wang <wang6495@umn.edu>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
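
The double fetch described in the commit message above, reduced to a user-space C model. This is an added illustration, not the kernel's copy_params() or the patch itself: `struct hdr`, `fetch()`, `copy_params_model()` and `header_diverges()` are hypothetical names, and the buffer change after the first fetch is constructed to stand in for the race.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the fixed-size part of struct dm_ioctl (assumption). */
struct hdr { uint32_t data_size; uint32_t flags; };
#define MIN_SIZE sizeof(struct hdr)
/* Constructed "user" buffer: racer_flags lands in it right after the first fetch. */
struct user_buf { unsigned char mem[64]; uint32_t racer_flags; int fetches; };

static void fetch(void *dst, struct user_buf *u, size_t off, size_t n)
{
    memcpy(dst, u->mem + off, n);              /* models copy_from_user() */
    if (++u->fetches == 1)                     /* modelled concurrent writer, once */
        memcpy(u->mem + offsetof(struct hdr, flags), &u->racer_flags, 4);
}

static int copy_params_model(struct user_buf *u, int fixed,
                             struct hdr *validated, unsigned char *dmi)
{
    struct hdr again;
    fetch(validated, u, 0, MIN_SIZE);          /* first copy: the validated header */
    if (validated->data_size < MIN_SIZE || validated->data_size > sizeof u->mem)
        return -EINVAL;                        /* upper bound keeps this model in bounds */
    if (!fixed) {                              /* pre-fix: header fetched a second time */
        fetch(dmi, u, 0, validated->data_size);
        memcpy(&again, dmi, sizeof again);
        if (again.data_size != validated->data_size)
            return -EINVAL;                    /* only data_size is re-checked */
    } else {                                   /* post-fix: reuse the validated header */
        memcpy(dmi, validated, MIN_SIZE);
        fetch(dmi + MIN_SIZE, u, MIN_SIZE, validated->data_size - MIN_SIZE);
    }
    return 0;
}

/* 1 if the header in dmi differs from the validated one, 0 if not, -1 on error. */
static int header_diverges(int fixed)
{
    struct user_buf u = { .racer_flags = 0x8000 };
    struct hdr h = { .data_size = 16, .flags = 0 }, validated, final;
    unsigned char dmi[64];
    memcpy(u.mem, &h, sizeof h);
    if (copy_params_model(&u, fixed, &validated, dmi) != 0) return -1;
    memcpy(&final, dmi, sizeof final);
    return final.flags != validated.flags;
}
int main(void) { printf("%d %d\n", header_diverges(0), header_diverges(1)); return 0; }
```

In the pre-fix path the re-check on `data_size` passes while `flags` no longer matches the validated copy; in the post-fix path the header bytes never come from the user buffer a second time.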
  2. 16 Oct, 2018 3 commits
  3. 11 Oct, 2018 4 commits
  4. 10 Oct, 2018 1 commit
      dm linear: eliminate linear_end_io call if CONFIG_DM_ZONED disabled · beb9caac
      Mike Snitzer authored
      It is best to avoid any extra overhead associated with bio completion.
      DM core will indirectly call a DM target's .end_io if it is defined.
      In the case of DM linear, there is no need to do so (for every bio that
      completes) if CONFIG_DM_ZONED is not enabled.
      
      Avoiding an extra indirect call for every bio completion is very
      important for ensuring DM linear doesn't incur more overhead that
      further widens the performance gap between dm-linear and raw block
      devices.
      
      Fixes: 0be12c1c ("dm linear: add support for zoned block devices")
      Cc: stable@vger.kernel.org
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
  5. 09 Oct, 2018 2 commits
      dm: fix report zone remapping to account for partition offset · 9864cd5d
      Damien Le Moal authored
      If dm-linear or dm-flakey are layered on top of a partition of a zoned
      block device, remapping of the start sector and write pointer position
      of the zones reported by a report zones BIO must be modified to account
      for the target table entry mapping (start offset within the device and
      entry mapping with the dm device).  If the target's backing device is a
      partition of a whole disk, the start sector on the physical device of
      the partition must also be accounted for when modifying the zone
      information.  However, dm_remap_zone_report() was not considering this
      last case, resulting in incorrect zone information remapping with
      targets using disk partitions.
      
      Fix this by calculating the target backing device start sector using
      the position of the completed report zones BIO and the unchanged
      position and size of the original report zone BIO. With this value
      calculated, the start sector and write pointer position of the target
      zones can be correctly remapped.
      
      Fixes: 10999307 ("dm: introduce dm_remap_zone_report()")
      Cc: stable@vger.kernel.org
      Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      dm cache: destroy migration_cache if cache target registration failed · c7cd5550
      Shenghui Wang authored
      Commit 7e6358d2 ("dm: fix various targets to dm_register_target
      after module __init resources created") inadvertently introduced this
      bug when it moved dm_register_target() after the call to KMEM_CACHE().
      
      Fixes: 7e6358d2 ("dm: fix various targets to dm_register_target after module __init resources created")
      Cc: stable@vger.kernel.org
      Signed-off-by: Shenghui Wang <shhuiw@foxmail.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
  6. 07 Oct, 2018 7 commits
  7. 06 Oct, 2018 1 commit
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · c1d84a1b
      Greg Kroah-Hartman authored
      Dave writes:
        "Networking fixes:
      
        1) Fix truncation of 32-bit right shift in bpf, from Jann Horn.
      
        2) Fix memory leak in wireless wext compat, from Stefan Seyfried.
      
        3) Use after free in cfg80211's reg_process_hint(), from Yu Zhao.
      
        4) Need to cancel pending work when unbinding in smsc75xx otherwise
           we oops, also from Yu Zhao.
      
        5) Don't allow enslaving a team device to itself, from Ido Schimmel.
      
        6) Fix backwards compat with older userspace for rtnetlink FDB dumps.
           From Mauricio Faria.
      
        7) Add validation of tc policy netlink attributes, from David Ahern.
      
        8) Fix RCU locking in rawv6_send_hdrinc(), from Wei Wang."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (26 commits)
        net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
        ipv6: take rcu lock in rawv6_send_hdrinc()
        net: sched: Add policy validation for tc attributes
        rtnetlink: fix rtnl_fdb_dump() for ndmsg header
        yam: fix a missing-check bug
        net: bpfilter: Fix type cast and pointer warnings
        net: cxgb3_main: fix a missing-check bug
        bpf: 32-bit RSH verification must truncate input before the ALU op
        net: phy: phylink: fix SFP interface autodetection
        be2net: don't flip hw_features when VXLANs are added/deleted
        net/packet: fix packet drop as of virtio gso
        net: dsa: b53: Keep CPU port as tagged in all VLANs
        openvswitch: load NAT helper
        bnxt_en: get the reduced max_irqs by the ones used by RDMA
        bnxt_en: free hwrm resources, if driver probe fails.
        bnxt_en: Fix enables field in HWRM_QUEUE_COS2BW_CFG request
        bnxt_en: Fix VNIC reservations on the PF.
        team: Forbid enslaving team device to itself
        net/usb: cancel pending work when unbinding smsc75xx
        mlxsw: spectrum: Delete RIF when VLAN device is removed
        ...
  8. 05 Oct, 2018 21 commits