1. 10 Oct, 2018 8 commits
  2. 29 Sep, 2018 29 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.159 · 9c6cd3f3
      Greg Kroah-Hartman authored
      9c6cd3f3
    • Steve Wise's avatar
      iw_cxgb4: only allow 1 flush on user qps · 82ea790a
      Steve Wise authored
      commit 308aa2b8 upstream.
      
      Once the qp has been flushed, it cannot be flushed again.  The user qp
      flush logic wasn't enforcing it however.  The bug can cause
      touch-after-free crashes like:
      
      Unable to handle kernel paging request for data at address 0x000001ec
      Faulting instruction address: 0xc008000016069100
      Oops: Kernel access of bad area, sig: 11 [#1]
      ...
      NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
      LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
      Call Trace:
      [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
      [c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
      [c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
      [c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
      [c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
      [c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
      [c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
      [c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
      [c000000000444da4] __fput+0xe4/0x2f0
      
      So fix flush_qp() to only flush the wq once.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSteve Wise <swise@opengridcomputing.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      82ea790a
    • Roderick Colenbrander's avatar
      HID: sony: Support DS4 dongle · 44c2e8a5
      Roderick Colenbrander authored
      commit de66a1a0 upstream.
      
      Add support for USB based DS4 dongle device, which allows connecting
      a DS4 through Bluetooth, but hides Bluetooth from the host system.
      Signed-off-by: default avatarRoderick Colenbrander <roderick.colenbrander@sony.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      44c2e8a5
    • Roderick Colenbrander's avatar
      HID: sony: Update device ids · ce144dbf
      Roderick Colenbrander authored
      commit cf1015d6 upstream.
      
      Support additional DS4 model.
      Signed-off-by: default avatarRoderick Colenbrander <roderick.colenbrander@sony.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce144dbf
    • Catalin Marinas's avatar
      arm64: Add trace_hardirqs_off annotation in ret_to_user · d2e646c7
      Catalin Marinas authored
      commit db3899a6 upstream.
      
      When a kernel is built with CONFIG_TRACE_IRQFLAGS the following warning
      is produced when entering userspace for the first time:
      
        WARNING: at /work/Linux/linux-2.6-aarch64/kernel/locking/lockdep.c:3519
        Modules linked in:
        CPU: 1 PID: 1 Comm: systemd Not tainted 4.4.0-rc3+ #639
        Hardware name: Juno (DT)
        task: ffffffc9768a0000 ti: ffffffc9768a8000 task.ti: ffffffc9768a8000
        PC is at check_flags.part.22+0x19c/0x1a8
        LR is at check_flags.part.22+0x19c/0x1a8
        pc : [<ffffffc0000fba6c>] lr : [<ffffffc0000fba6c>] pstate: 600001c5
        sp : ffffffc9768abe10
        x29: ffffffc9768abe10 x28: ffffffc9768a8000
        x27: 0000000000000000 x26: 0000000000000001
        x25: 00000000000000a6 x24: ffffffc00064be6c
        x23: ffffffc0009f249e x22: ffffffc9768a0000
        x21: ffffffc97fea5480 x20: 00000000000001c0
        x19: ffffffc00169a000 x18: 0000005558cc7b58
        x17: 0000007fb78e3180 x16: 0000005558d2e238
        x15: ffffffffffffffff x14: 0ffffffffffffffd
        x13: 0000000000000008 x12: 0101010101010101
        x11: 7f7f7f7f7f7f7f7f x10: fefefefefefeff63
        x9 : 7f7f7f7f7f7f7f7f x8 : 6e655f7371726964
        x7 : 0000000000000001 x6 : ffffffc0001079c4
        x5 : 0000000000000000 x4 : 0000000000000001
        x3 : ffffffc001698438 x2 : 0000000000000000
        x1 : ffffffc9768a0000 x0 : 000000000000002e
        Call trace:
        [<ffffffc0000fba6c>] check_flags.part.22+0x19c/0x1a8
        [<ffffffc0000fc440>] lock_is_held+0x80/0x98
        [<ffffffc00064bafc>] __schedule+0x404/0x730
        [<ffffffc00064be6c>] schedule+0x44/0xb8
        [<ffffffc000085bb0>] ret_to_user+0x0/0x24
        possible reason: unannotated irqs-off.
        irq event stamp: 502169
        hardirqs last  enabled at (502169): [<ffffffc000085a98>] el0_irq_naked+0x1c/0x24
        hardirqs last disabled at (502167): [<ffffffc0000bb3bc>] __do_softirq+0x17c/0x298
        softirqs last  enabled at (502168): [<ffffffc0000bb43c>] __do_softirq+0x1fc/0x298
        softirqs last disabled at (502143): [<ffffffc0000bb830>] irq_exit+0xa0/0xf0
      
      This happens because we disable interrupts in ret_to_user before calling
      schedule() in work_resched. This patch adds the necessary
      trace_hardirqs_off annotation.
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Reported-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      d2e646c7
    • Li Dongyang's avatar
      ext4: don't mark mmp buffer head dirty · e77dd99d
      Li Dongyang authored
      commit fe18d649 upstream.
      
      Marking mmp bh dirty before writing it will make writeback
      pick up mmp block later and submit a write, we don't want the
      duplicate write as kmmpd thread should have full control of
      reading and writing the mmp block.
      Another reason is we will also have random I/O error on
      the writeback request when blk integrity is enabled, because
      kmmpd could modify the content of the mmp block(e.g. setting
      new seq and time) while the mmp block is under I/O requested
      by writeback.
      Signed-off-by: default avatarLi Dongyang <dongyangli@ddn.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e77dd99d
    • Theodore Ts'o's avatar
      ext4: fix online resizing for bigalloc file systems with a 1k block size · 47af9976
      Theodore Ts'o authored
      commit 5f8c1093 upstream.
      
      An online resize of a file system with the bigalloc feature enabled
      and a 1k block size would be refused since ext4_resize_begin() did not
      understand s_first_data_block is 0 for all bigalloc file systems, even
      when the block size is 1k.
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47af9976
    • Theodore Ts'o's avatar
      ext4: fix online resize's handling of a too-small final block group · 70083af5
      Theodore Ts'o authored
      commit f0a459de upstream.
      
      Avoid growing the file system to an extent so that the last block
      group is too small to hold all of the metadata that must be stored in
      the block group.
      
      This problem can be triggered with the following reproducer:
      
      umount /mnt
      mke2fs -F -m0 -b 4096 -t ext4 -O resize_inode,^has_journal \
      	-E resize=1073741824 /tmp/foo.img 128M
      mount /tmp/foo.img /mnt
      truncate --size 1708M /tmp/foo.img
      resize2fs /dev/loop0 295400
      umount /mnt
      e2fsck -fy /tmp/foo.img
      Reported-by: default avatarTorsten Hilbrich <torsten.hilbrich@secunet.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      70083af5
    • Theodore Ts'o's avatar
      ext4: recalucate superblock checksum after updating free blocks/inodes · 66671ee8
      Theodore Ts'o authored
      commit 4274f516 upstream.
      
      When mounting the superblock, ext4_fill_super() calculates the free
      blocks and free inodes and stores them in the superblock.  It's not
      strictly necessary, since we don't use them any more, but it's nice to
      keep them roughly aligned to reality.
      
      Since it's not critical for file system correctness, the code doesn't
      call ext4_commit_super().  The problem is that it's in
      ext4_commit_super() that we recalculate the superblock checksum.  So
      if we're not going to call ext4_commit_super(), we need to call
      ext4_superblock_csum_set() to make sure the superblock checksum is
      consistent.
      
      Most of the time, this doesn't matter, since we end up calling
      ext4_commit_super() very soon thereafter, and definitely by the time
      the file system is unmounted.  However, it doesn't work in this
      sequence:
      
      mke2fs -Fq -t ext4 /dev/vdc 128M
      mount /dev/vdc /vdc
      cp xfstests/git-versions /vdc
      godown /vdc
      umount /vdc
      mount /dev/vdc
      tune2fs -l /dev/vdc
      
      With this commit, the "tune2fs -l" no longer fails.
      Reported-by: default avatarChengguang Xu <cgxu519@gmx.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66671ee8
    • Theodore Ts'o's avatar
      ext4: avoid divide by zero fault when deleting corrupted inline directories · 7619c7f6
      Theodore Ts'o authored
      commit 4d982e25 upstream.
      
      A specially crafted file system can trick empty_inline_dir() into
      reading past the last valid entry in a inline directory, and then run
      into the end of xattr marker. This will trigger a divide by zero
      fault.  Fix this by using the size of the inline directory instead of
      dir->i_size.
      
      Also clean up error reporting in __ext4_check_dir_entry so that the
      message is clearer and more understandable --- and avoids the division
      by zero trap if the size passed in is zero.  (I'm not sure why we
      coded it that way in the first place; printing offset % size is
      actually more confusing and less useful.)
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200933Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7619c7f6
    • Gustavo A. R. Silva's avatar
      tty: vt_ioctl: fix potential Spectre v1 · 1aa698b6
      Gustavo A. R. Silva authored
      commit e97267cb upstream.
      
      vsa.console is indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/tty/vt/vt_ioctl.c:711 vt_ioctl() warn: potential spectre issue
      'vc_cons' [r]
      
      Fix this by sanitizing vsa.console before using it to index vc_cons
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: default avatarAlan Cox <alan@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1aa698b6
    • Lyude Paul's avatar
      drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect() · 64436716
      Lyude Paul authored
      commit 6833fb1e upstream.
      
      It's true we can't resume the device from poll workers in
      nouveau_connector_detect(). We can however, prevent the autosuspend
      timer from elapsing immediately if it hasn't already without risking any
      sort of deadlock with the runtime suspend/resume operations. So do that
      instead of entirely avoiding grabbing a power reference.
      Signed-off-by: default avatarLyude Paul <lyude@redhat.com>
      Reviewed-by: default avatarKarol Herbst <kherbst@redhat.com>
      Acked-by: default avatarDaniel Vetter <daniel@ffwll.ch>
      Cc: stable@vger.kernel.org
      Cc: Lukas Wunner <lukas@wunner.de>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64436716
    • Junxiao Bi's avatar
      ocfs2: fix ocfs2 read block panic · 98e14c52
      Junxiao Bi authored
      commit 234b69e3 upstream.
      
      While reading block, it is possible that io error return due to underlying
      storage issue, in this case, BH_NeedsValidate was left in the buffer head.
      Then when reading the very block next time, if it was already linked into
      journal, that will trigger the following panic.
      
      [203748.702517] kernel BUG at fs/ocfs2/buffer_head_io.c:342!
      [203748.702533] invalid opcode: 0000 [#1] SMP
      [203748.702561] Modules linked in: ocfs2 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs sunrpc dm_switch dm_queue_length dm_multipath bonding be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i iw_cxgb4 cxgb4 cxgb3i libcxgbi iw_cxgb3 cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_devintf iTCO_wdt iTCO_vendor_support dcdbas ipmi_ssif i2c_core ipmi_si ipmi_msghandler acpi_pad pcspkr sb_edac edac_core lpc_ich mfd_core shpchp sg tg3 ptp pps_core ext4 jbd2 mbcache2 sr_mod cdrom sd_mod ahci libahci megaraid_sas wmi dm_mirror dm_region_hash dm_log dm_mod
      [203748.703024] CPU: 7 PID: 38369 Comm: touch Not tainted 4.1.12-124.18.6.el6uek.x86_64 #2
      [203748.703045] Hardware name: Dell Inc. PowerEdge R620/0PXXHP, BIOS 2.5.2 01/28/2015
      [203748.703067] task: ffff880768139c00 ti: ffff88006ff48000 task.ti: ffff88006ff48000
      [203748.703088] RIP: 0010:[<ffffffffa05e9f09>]  [<ffffffffa05e9f09>] ocfs2_read_blocks+0x669/0x7f0 [ocfs2]
      [203748.703130] RSP: 0018:ffff88006ff4b818  EFLAGS: 00010206
      [203748.703389] RAX: 0000000008620029 RBX: ffff88006ff4b910 RCX: 0000000000000000
      [203748.703885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000023079fe
      [203748.704382] RBP: ffff88006ff4b8d8 R08: 0000000000000000 R09: ffff8807578c25b0
      [203748.704877] R10: 000000000f637376 R11: 000000003030322e R12: 0000000000000000
      [203748.705373] R13: ffff88006ff4b910 R14: ffff880732fe38f0 R15: 0000000000000000
      [203748.705871] FS:  00007f401992c700(0000) GS:ffff880bfebc0000(0000) knlGS:0000000000000000
      [203748.706370] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [203748.706627] CR2: 00007f4019252440 CR3: 00000000a621e000 CR4: 0000000000060670
      [203748.707124] Stack:
      [203748.707371]  ffff88006ff4b828 ffffffffa0609f52 ffff88006ff4b838 0000000000000001
      [203748.707885]  0000000000000000 0000000000000000 ffff880bf67c3800 ffffffffa05eca00
      [203748.708399]  00000000023079ff ffffffff81c58b80 0000000000000000 0000000000000000
      [203748.708915] Call Trace:
      [203748.709175]  [<ffffffffa0609f52>] ? ocfs2_inode_cache_io_unlock+0x12/0x20 [ocfs2]
      [203748.709680]  [<ffffffffa05eca00>] ? ocfs2_empty_dir_filldir+0x80/0x80 [ocfs2]
      [203748.710185]  [<ffffffffa05ec0cb>] ocfs2_read_dir_block_direct+0x3b/0x200 [ocfs2]
      [203748.710691]  [<ffffffffa05f0fbf>] ocfs2_prepare_dx_dir_for_insert.isra.57+0x19f/0xf60 [ocfs2]
      [203748.711204]  [<ffffffffa065660f>] ? ocfs2_metadata_cache_io_unlock+0x1f/0x30 [ocfs2]
      [203748.711716]  [<ffffffffa05f4f3a>] ocfs2_prepare_dir_for_insert+0x13a/0x890 [ocfs2]
      [203748.712227]  [<ffffffffa05f442e>] ? ocfs2_check_dir_for_entry+0x8e/0x140 [ocfs2]
      [203748.712737]  [<ffffffffa061b2f2>] ocfs2_mknod+0x4b2/0x1370 [ocfs2]
      [203748.713003]  [<ffffffffa061c385>] ocfs2_create+0x65/0x170 [ocfs2]
      [203748.713263]  [<ffffffff8121714b>] vfs_create+0xdb/0x150
      [203748.713518]  [<ffffffff8121b225>] do_last+0x815/0x1210
      [203748.713772]  [<ffffffff812192e9>] ? path_init+0xb9/0x450
      [203748.714123]  [<ffffffff8121bca0>] path_openat+0x80/0x600
      [203748.714378]  [<ffffffff811bcd45>] ? handle_pte_fault+0xd15/0x1620
      [203748.714634]  [<ffffffff8121d7ba>] do_filp_open+0x3a/0xb0
      [203748.714888]  [<ffffffff8122a767>] ? __alloc_fd+0xa7/0x130
      [203748.715143]  [<ffffffff81209ffc>] do_sys_open+0x12c/0x220
      [203748.715403]  [<ffffffff81026ddb>] ? syscall_trace_enter_phase1+0x11b/0x180
      [203748.715668]  [<ffffffff816f0c9f>] ? system_call_after_swapgs+0xe9/0x190
      [203748.715928]  [<ffffffff8120a10e>] SyS_open+0x1e/0x20
      [203748.716184]  [<ffffffff816f0d5e>] system_call_fastpath+0x18/0xd7
      [203748.716440] Code: 00 00 48 8b 7b 08 48 83 c3 10 45 89 f8 44 89 e1 44 89 f2 4c 89 ee e8 07 06 11 e1 48 8b 03 48 85 c0 75 df 8b 5d c8 e9 4d fa ff ff <0f> 0b 48 8b 7d a0 e8 dc c6 06 00 48 b8 00 00 00 00 00 00 00 10
      [203748.717505] RIP  [<ffffffffa05e9f09>] ocfs2_read_blocks+0x669/0x7f0 [ocfs2]
      [203748.717775]  RSP <ffff88006ff4b818>
      
      Joesph ever reported a similar panic.
      Link: https://oss.oracle.com/pipermail/ocfs2-devel/2013-May/008931.html
      
      Link: http://lkml.kernel.org/r/20180912063207.29484-1-junxiao.bi@oracle.comSigned-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Cc: Joseph Qi <jiangqi903@gmail.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Changwei Ge <ge.changwei@h3c.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98e14c52
    • Vincent Pelletier's avatar
      scsi: target: iscsi: Use hex2bin instead of a re-implementation · afba6121
      Vincent Pelletier authored
      commit 18164943 upstream.
      
      This change has the following effects, in order of descreasing importance:
      
      1) Prevent a stack buffer overflow
      
      2) Do not append an unnecessary NULL to an anyway binary buffer, which
         is writing one byte past client_digest when caller is:
         chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
      
      The latter was found by KASAN (see below) when input value hes expected size
      (32 hex chars), and further analysis revealed a stack buffer overflow can
      happen when network-received value is longer, allowing an unauthenticated
      remote attacker to smash up to 17 bytes after destination buffer (16 bytes
      attacker-controlled and one null).  As switching to hex2bin requires
      specifying destination buffer length, and does not internally append any null,
      it solves both issues.
      
      This addresses CVE-2018-14633.
      
      Beyond this:
      
      - Validate received value length and check hex2bin accepted the input, to log
        this rejection reason instead of just failing authentication.
      
      - Only log received CHAP_R and CHAP_C values once they passed sanity checks.
      
      ==================================================================
      BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
      Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
      
      CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G           O      4.17.8kasan.sess.connops+ #2
      Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
      Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
      Call Trace:
       dump_stack+0x71/0xac
       print_address_description+0x65/0x22e
       ? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
       kasan_report.cold.6+0x241/0x2fd
       chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
       chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
       ? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
       ? ftrace_caller_op_ptr+0xe/0xe
       ? __orc_find+0x6f/0xc0
       ? unwind_next_frame+0x231/0x850
       ? kthread+0x1a0/0x1c0
       ? ret_from_fork+0x35/0x40
       ? ret_from_fork+0x35/0x40
       ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
       ? deref_stack_reg+0xd0/0xd0
       ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
       ? is_module_text_address+0xa/0x11
       ? kernel_text_address+0x4c/0x110
       ? __save_stack_trace+0x82/0x100
       ? ret_from_fork+0x35/0x40
       ? save_stack+0x8c/0xb0
       ? 0xffffffffc1660000
       ? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
       ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
       ? process_one_work+0x35c/0x640
       ? worker_thread+0x66/0x5d0
       ? kthread+0x1a0/0x1c0
       ? ret_from_fork+0x35/0x40
       ? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
       ? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
       chap_main_loop+0x172/0x570 [iscsi_target_mod]
       ? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
       ? rx_data+0xd6/0x120 [iscsi_target_mod]
       ? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
       ? cyc2ns_read_begin.part.2+0x90/0x90
       ? _raw_spin_lock_irqsave+0x25/0x50
       ? memcmp+0x45/0x70
       iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
       ? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
       ? del_timer+0xe0/0xe0
       ? memset+0x1f/0x40
       ? flush_sigqueue+0x29/0xd0
       iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
       ? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
       ? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
       process_one_work+0x35c/0x640
       worker_thread+0x66/0x5d0
       ? flush_rcu_work+0x40/0x40
       kthread+0x1a0/0x1c0
       ? kthread_bind+0x30/0x30
       ret_from_fork+0x35/0x40
      
      The buggy address belongs to the page:
      page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x17fffc000000000()
      raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
       ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
      >ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
                                                    ^
       ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
       ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
      ==================================================================
      Signed-off-by: default avatarVincent Pelletier <plr.vincent@gmail.com>
      Reviewed-by: default avatarMike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      afba6121
    • Vasily Khoruzhick's avatar
      neighbour: confirm neigh entries when ARP packet is received · c6e38642
      Vasily Khoruzhick authored
      [ Upstream commit f0e0d044 ]
      
      Update 'confirmed' timestamp when ARP packet is received. It shouldn't
      affect locktime logic and anyway entry can be confirmed by any higher-layer
      protocol. Thus it makes sense to confirm it when ARP packet is received.
      
      Fixes: 77d71233 ("neighbour: update neigh timestamps iff update is effective")
      Signed-off-by: default avatarVasily Khoruzhick <vasilykh@arista.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c6e38642
    • Colin Ian King's avatar
      net: hp100: fix always-true check for link up state · b8214c55
      Colin Ian King authored
      [ Upstream commit a7f38002 ]
      
      The operation ~(p100_inb(VG_LAN_CFG_1) & HP100_LINK_UP) returns a value
      that is always non-zero and hence the wait for the link to drop always
      terminates prematurely.  Fix this by using a logical not operator instead
      of a bitwise complement.  This issue has been in the driver since
      pre-2.6.12-rc2.
      
      Detected by CoverityScan, CID#114157 ("Logical vs. bitwise operator")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b8214c55
    • Willy Tarreau's avatar
      net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT · fee0d234
      Willy Tarreau authored
      [ Upstream commit 9824dfae ]
      
      Fields ->dev and ->next of struct ipddp_route may be copied to
      userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible
      to CAP_NET_ADMIN though. Let's manually copy the relevant fields
      instead of using memcpy().
      
      BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
      Cc: Jann Horn <jannh@google.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fee0d234
    • Eric Dumazet's avatar
      ipv6: fix possible use-after-free in ip6_xmit() · 2ec3b47a
      Eric Dumazet authored
      [ Upstream commit bbd6528d ]
      
      In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
      we need to call skb_set_owner_w() before consuming original skb,
      otherwise we risk a use-after-free.
      
      Bring IPv6 in line with what we do in IPv4 to fix this.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ec3b47a
    • Toke Høiland-Jørgensen's avatar
      gso_segment: Reset skb->mac_len after modifying network header · cb66016b
      Toke Høiland-Jørgensen authored
      [ Upstream commit c56cae23 ]
      
      When splitting a GSO segment that consists of encapsulated packets, the
      skb->mac_len of the segments can end up being set wrong, causing packet
      drops in particular when using act_mirred and ifb interfaces in
      combination with a qdisc that splits GSO packets.
      
      This happens because at the time skb_segment() is called, network_header
      will point to the inner header, throwing off the calculation in
      skb_reset_mac_len(). The network_header is subsequently adjust by the
      outer IP gso_segment handlers, but they don't set the mac_len.
      
      Fix this by adding skb_reset_mac_len() calls to both the IPv4 and IPv6
      gso_segment handlers, after they modify the network_header.
      
      Many thanks to Eric Dumazet for his help in identifying the cause of
      the bug.
      Acked-by: default avatarDave Taht <dave.taht@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarToke Høiland-Jørgensen <toke@toke.dk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb66016b
    • Joel Fernandes (Google)'s avatar
      mm: shmem.c: Correctly annotate new inodes for lockdep · 4da7f35b
      Joel Fernandes (Google) authored
      commit b45d71fb upstream.
      
      Directories and inodes don't necessarily need to be in the same lockdep
      class.  For ex, hugetlbfs splits them out too to prevent false positives
      in lockdep.  Annotate correctly after new inode creation.  If its a
      directory inode, it will be put into a different class.
      
      This should fix a lockdep splat reported by syzbot:
      
      > ======================================================
      > WARNING: possible circular locking dependency detected
      > 4.18.0-rc8-next-20180810+ #36 Not tainted
      > ------------------------------------------------------
      > syz-executor900/4483 is trying to acquire lock:
      > 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at: inode_lock
      > include/linux/fs.h:765 [inline]
      > 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at:
      > shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
      >
      > but task is already holding lock:
      > 0000000025208078 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630
      > drivers/staging/android/ashmem.c:448
      >
      > which lock already depends on the new lock.
      >
      > -> #2 (ashmem_mutex){+.+.}:
      >        __mutex_lock_common kernel/locking/mutex.c:925 [inline]
      >        __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073
      >        mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088
      >        ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361
      >        call_mmap include/linux/fs.h:1844 [inline]
      >        mmap_region+0xf27/0x1c50 mm/mmap.c:1762
      >        do_mmap+0xa10/0x1220 mm/mmap.c:1535
      >        do_mmap_pgoff include/linux/mm.h:2298 [inline]
      >        vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357
      >        ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585
      >        __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
      >        __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
      >        __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
      >        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
      >        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      >
      > -> #1 (&mm->mmap_sem){++++}:
      >        __might_fault+0x155/0x1e0 mm/memory.c:4568
      >        _copy_to_user+0x30/0x110 lib/usercopy.c:25
      >        copy_to_user include/linux/uaccess.h:155 [inline]
      >        filldir+0x1ea/0x3a0 fs/readdir.c:196
      >        dir_emit_dot include/linux/fs.h:3464 [inline]
      >        dir_emit_dots include/linux/fs.h:3475 [inline]
      >        dcache_readdir+0x13a/0x620 fs/libfs.c:193
      >        iterate_dir+0x48b/0x5d0 fs/readdir.c:51
      >        __do_sys_getdents fs/readdir.c:231 [inline]
      >        __se_sys_getdents fs/readdir.c:212 [inline]
      >        __x64_sys_getdents+0x29f/0x510 fs/readdir.c:212
      >        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
      >        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      >
      > -> #0 (&sb->s_type->i_mutex_key#9){++++}:
      >        lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
      >        down_write+0x8f/0x130 kernel/locking/rwsem.c:70
      >        inode_lock include/linux/fs.h:765 [inline]
      >        shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
      >        ashmem_shrink_scan+0x236/0x630 drivers/staging/android/ashmem.c:455
      >        ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797
      >        vfs_ioctl fs/ioctl.c:46 [inline]
      >        file_ioctl fs/ioctl.c:501 [inline]
      >        do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
      >        ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
      >        __do_sys_ioctl fs/ioctl.c:709 [inline]
      >        __se_sys_ioctl fs/ioctl.c:707 [inline]
      >        __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
      >        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
      >        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      >
      > other info that might help us debug this:
      >
      > Chain exists of:
      >   &sb->s_type->i_mutex_key#9 --> &mm->mmap_sem --> ashmem_mutex
      >
      >  Possible unsafe locking scenario:
      >
      >        CPU0                    CPU1
      >        ----                    ----
      >   lock(ashmem_mutex);
      >                                lock(&mm->mmap_sem);
      >                                lock(ashmem_mutex);
      >   lock(&sb->s_type->i_mutex_key#9);
      >
      >  *** DEADLOCK ***
      >
      > 1 lock held by syz-executor900/4483:
      >  #0: 0000000025208078 (ashmem_mutex){+.+.}, at:
      > ashmem_shrink_scan+0xb4/0x630 drivers/staging/android/ashmem.c:448
      
      Link: http://lkml.kernel.org/r/20180821231835.166639-1-joel@joelfernandes.orgSigned-off-by: default avatarJoel Fernandes (Google) <joel@joelfernandes.org>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reviewed-by: default avatarNeilBrown <neilb@suse.com>
      Suggested-by: default avatarNeilBrown <neilb@suse.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4da7f35b
    • Vaibhav Nagarnaik's avatar
      ring-buffer: Allow for rescheduling when removing pages · fed4d566
      Vaibhav Nagarnaik authored
      commit 83f36555 upstream.
      
      When reducing ring buffer size, pages are removed by scheduling a work
      item on each CPU for the corresponding CPU ring buffer. After the pages
      are removed from ring buffer linked list, the pages are free()d in a
      tight loop. The loop does not give up CPU until all pages are removed.
      In a worst case behavior, when lot of pages are to be freed, it can
      cause system stall.
      
      After the pages are removed from the list, the free() can happen while
      the work is rescheduled. Call cond_resched() in the loop to prevent the
      system hangup.
      
      Link: http://lkml.kernel.org/r/20180907223129.71994-1-vnagarnaik@google.com
      
      Cc: stable@vger.kernel.org
      Fixes: 83f40318 ("ring-buffer: Make removal of ring buffer pages atomic")
      Reported-by: default avatarJason Behmer <jbehmer@google.com>
      Signed-off-by: default avatarVaibhav Nagarnaik <vnagarnaik@google.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fed4d566
    • Boris Ostrovsky's avatar
      xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code · 28ca9ed1
      Boris Ostrovsky authored
      commit 70513d58 upstream.
      
      Otherwise we may leak kernel stack for events that sample user
      registers.
      Reported-by: default avatarMark Rutland <mark.rutland@arm.com>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28ca9ed1
    • Juergen Gross's avatar
      xen/netfront: don't bug in case of too many frags · bd146804
      Juergen Gross authored
      commit ad4f15dc upstream.
      
      Commit 57f230ab ("xen/netfront: raise max number of slots in
      xennet_get_responses()") raised the max number of allowed slots by one.
      This seems to be problematic in some configurations with netback using
      a larger MAX_SKB_FRAGS value (e.g. old Linux kernel with MAX_SKB_FRAGS
      defined as 18 instead of nowadays 17).
      
      Instead of BUG_ON() in this case just fall back to retransmission.
      
      Fixes: 57f230ab ("xen/netfront: raise max number of slots in xennet_get_responses()")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bd146804
    • Mario Limonciello's avatar
      platform/x86: alienware-wmi: Correct a memory leak · 39b38432
      Mario Limonciello authored
      commit ff0e9f26 upstream.
      
      An ACPI buffer that was allocated was not being freed after use.
      Signed-off-by: default avatarMario Limonciello <mario.limonciello@dell.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDarren Hart (VMware) <dvhart@infradead.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39b38432
    • Willy Tarreau's avatar
      ALSA: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO · 66d1019a
      Willy Tarreau authored
      commit 49434c6c upstream.
      
      snd_emu10k1_fx8010_ioctl(SNDRV_EMU10K1_IOCTL_INFO) allocates
      memory using kmalloc() and partially fills it by calling
      snd_emu10k1_fx8010_info() before returning the resulting
      structure to userspace, leaving uninitialized holes. Let's
      just use kzalloc() here.
      
      BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.htmlSigned-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Cc: Jann Horn <jannh@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66d1019a
    • Takashi Sakamoto's avatar
      ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping · 1da7fa63
      Takashi Sakamoto authored
      commit 493626f2 upstream.
      
      When executing 'fw_run_transaction()' with 'TCODE_WRITE_BLOCK_REQUEST',
      an address of 'payload' argument is used for streaming DMA mapping by
      'firewire_ohci' module if 'size' argument is larger than 8 byte.
      Although in this case the address should not be on kernel stack, current
      implementation of ALSA bebob driver uses data in kernel stack for a cue
      to boot M-Audio devices. This often brings unexpected result, especially
      for a case of CONFIG_VMAP_STACK=y.
      
      This commit fixes the bug.
      
      Reference: https://bugzilla.kernel.org/show_bug.cgi?id=201021
      Reference: https://forum.manjaro.org/t/firewire-m-audio-410-driver-wont-load-firmware/51165
      Fixes: a2b2a779('ALSA: bebob: Send a cue to load firmware for M-Audio Firewire series')
      Cc: <stable@vger.kernel.org> # v3.16+
      Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1da7fa63
    • Sébastien Szymanski's avatar
      ASoC: cs4265: fix MMTLR Data switch control · 68d542be
      Sébastien Szymanski authored
      commit 90a3b7f8 upstream.
      
      The MMTLR bit is in the CS4265_SPDIF_CTL2 register at address 0x12 bit 0
      and not at address 0x0 bit 1. Fix this.
      Signed-off-by: default avatarSébastien Szymanski <sebastien.szymanski@armadeus.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      68d542be
    • Suren Baghdasaryan's avatar
      NFC: Fix the number of pipes · b413ee04
      Suren Baghdasaryan authored
      commit e285d5bf upstream.
      
      According to ETSI TS 102 622 specification chapter 4.4 pipe identifier
      is 7 bits long which allows for 128 unique pipe IDs. Because
      NFC_HCI_MAX_PIPES is used as the number of pipes supported and not
      as the max pipe ID, its value should be 128 instead of 127.
      
      nfc_hci_recv_from_llc extracts pipe ID from packet header using
      NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127.
      Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With
      pipes array having only 127 elements and pipe ID of 127 the OOB memory
      access will result.
      
      Cc: Samuel Ortiz <sameo@linux.intel.com>
      Cc: Allen Pais <allen.pais@oracle.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Suggested-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarSuren Baghdasaryan <surenb@google.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b413ee04
    • Suren Baghdasaryan's avatar
      NFC: Fix possible memory corruption when handling SHDLC I-Frame commands · ec56e98f
      Suren Baghdasaryan authored
      commit 674d9de0 upstream.
      
      When handling SHDLC I-Frame commands "pipe" field used for indexing
      into an array should be checked before usage. If left unchecked it
      might access memory outside of the array of size NFC_HCI_MAX_PIPES(127).
      
      Malformed NFC HCI frames could be injected by a malicious NFC device
      communicating with the device being attacked (remote attack vector),
      or even by an attacker with physical access to the I2C bus such that
      they could influence the data transfers on that bus (local attack vector).
      skb->data is controlled by the attacker and has only been sanitized in
      the most trivial ways (CRC check), therefore we can consider the
      create_info struct and all of its members to tainted. 'create_info->pipe'
      with max value of 255 (uint8) is used to take an offset of the
      hdev->pipes array of 127 elements which can lead to OOB write.
      
      Cc: Samuel Ortiz <sameo@linux.intel.com>
      Cc: Allen Pais <allen.pais@oracle.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Suggested-by: default avatarKevin Deus <kdeus@google.com>
      Signed-off-by: default avatarSuren Baghdasaryan <surenb@google.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec56e98f
  3. 26 Sep, 2018 3 commits