1. 20 Dec, 2017 17 commits
    • Javier Martinez Canillas's avatar
      usb: phy: isp1301: Add OF device ID table · a1d72bc1
      Javier Martinez Canillas authored
      
      [ Upstream commit fd567653 ]
      
      The driver doesn't have a struct of_device_id table but supported devices
      are registered via Device Trees. This is working on the assumption that a
      I2C device registered via OF will always match a legacy I2C device ID and
      that the MODALIAS reported will always be of the form i2c:<device>.
      
      But this could change in the future so the correct approach is to have an
      OF device ID table if the devices are registered via OF.
      Signed-off-by: default avatarJavier Martinez Canillas <javier@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1d72bc1
    • Ilan peer's avatar
      mac80211: Fix addition of mesh configuration element · 75252bfe
      Ilan peer authored
      commit 57629915 upstream.
      
      The code was setting the capabilities byte to zero,
      after it was already properly set previously. Fix it.
      
      The bug was found while debugging hwsim mesh tests failures
      that happened since the commit mentioned below.
      
      Fixes: 76f43b4c ("mac80211: Remove invalid flag operations in mesh TSF synchronization")
      Signed-off-by: default avatarIlan Peer <ilan.peer@intel.com>
      Reviewed-by: default avatarMasashi Honma <masashi.honma@gmail.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Cc: Richard Schütz <rschuetz@uni-koblenz.de>
      Cc: Mathias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      75252bfe
    • Eric Biggers's avatar
      KEYS: add missing permission check for request_key() destination · 13e86efb
      Eric Biggers authored
      commit 4dca6ea1 upstream.
      
      When the request_key() syscall is not passed a destination keyring, it
      links the requested key (if constructed) into the "default" request-key
      keyring.  This should require Write permission to the keyring.  However,
      there is actually no permission check.
      
      This can be abused to add keys to any keyring to which only Search
      permission is granted.  This is because Search permission allows joining
      the keyring.  keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
      then will set the default request-key keyring to the session keyring.
      Then, request_key() can be used to add keys to the keyring.
      
      Both negatively and positively instantiated keys can be added using this
      method.  Adding negative keys is trivial.  Adding a positive key is a
      bit trickier.  It requires that either /sbin/request-key positively
      instantiates the key, or that another thread adds the key to the process
      keyring at just the right time, such that request_key() misses it
      initially but then finds it in construct_alloc_key().
      
      Fix this bug by checking for Write permission to the keyring in
      construct_get_dest_keyring() when the default keyring is being used.
      
      We don't do the permission check for non-default keyrings because that
      was already done by the earlier call to lookup_user_key().  Also,
      request_key_and_link() is currently passed a 'struct key *' rather than
      a key_ref_t, so the "possessed" bit is unavailable.
      
      We also don't do the permission check for the "requestor keyring", to
      continue to support the use case described by commit 8bbf4976
      ("KEYS: Alter use of key instantiation link-to-keyring argument") where
      /sbin/request-key recursively calls request_key() to add keys to the
      original requestor's destination keyring.  (I don't know of any users
      who actually do that, though...)
      
      Fixes: 3e30148c ("[PATCH] Keys: Make request-key create an authorisation key")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      13e86efb
    • Chandan Rajendra's avatar
      ext4: fix crash when a directory's i_size is too small · ef7ce82b
      Chandan Rajendra authored
      commit 9d5afec6 upstream.
      
      On a ppc64 machine, when mounting a fuzzed ext2 image (generated by
      fsfuzzer) the following call trace is seen,
      
      VFS: brelse: Trying to free free buffer
      WARNING: CPU: 1 PID: 6913 at /root/repos/linux/fs/buffer.c:1165 .__brelse.part.6+0x24/0x40
      .__brelse.part.6+0x20/0x40 (unreliable)
      .ext4_find_entry+0x384/0x4f0
      .ext4_lookup+0x84/0x250
      .lookup_slow+0xdc/0x230
      .walk_component+0x268/0x400
      .path_lookupat+0xec/0x2d0
      .filename_lookup+0x9c/0x1d0
      .vfs_statx+0x98/0x140
      .SyS_newfstatat+0x48/0x80
      system_call+0x58/0x6c
      
      This happens because the directory that ext4_find_entry() looks up has
      inode->i_size that is less than the block size of the filesystem. This
      causes 'nblocks' to have a value of zero. ext4_bread_batch() ends up not
      reading any of the directory file's blocks. This renders the entries in
      bh_use[] array to continue to have garbage data. buffer_uptodate() on
      bh_use[0] can then return a zero value upon which brelse() function is
      invoked.
      
      This commit fixes the bug by returning -ENOENT when the directory file
      has no associated blocks.
      Reported-by: default avatarAbdul Haleem <abdhalee@linux.vnet.ibm.com>
      Signed-off-by: default avatarChandan Rajendra <chandan@linux.vnet.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef7ce82b
    • Eryu Guan's avatar
      ext4: fix fdatasync(2) after fallocate(2) operation · 2c367eda
      Eryu Guan authored
      commit c894aa97 upstream.
      
      Currently, fallocate(2) with KEEP_SIZE followed by a fdatasync(2)
      then crash, we'll see wrong allocated block number (stat -c %b), the
      blocks allocated beyond EOF are all lost. fstests generic/468
      exposes this bug.
      
      Commit 67a7d5f5 ("ext4: fix fdatasync(2) after extent
      manipulation operations") fixed all the other extent manipulation
      operation paths such as hole punch, zero range, collapse range etc.,
      but forgot the fallocate case.
      
      So similarly, fix it by recording the correct journal tid in ext4
      inode in fallocate(2) path, so that ext4_sync_file() will wait for
      the right tid to be committed on fdatasync(2).
      
      This addresses the test failure in xfstests test generic/468.
      Signed-off-by: default avatarEryu Guan <eguan@redhat.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c367eda
    • Adam Wallis's avatar
      dmaengine: dmatest: move callback wait queue to thread context · 52425e04
      Adam Wallis authored
      commit 6f6a23a2 upstream.
      
      Commit adfa543e ("dmatest: don't use set_freezable_with_signal()")
      introduced a bug (that is in fact documented by the patch commit text)
      that leaves behind a dangling pointer. Since the done_wait structure is
      allocated on the stack, future invocations to the DMATEST can produce
      undesirable results (e.g., corrupted spinlocks).
      
      Commit a9df21e3 ("dmaengine: dmatest: warn user when dma test times
      out") attempted to WARN the user that the stack was likely corrupted but
      did not fix the actual issue.
      
      This patch fixes the issue by pushing the wait queue and callback
      structs into the the thread structure. If a failure occurs due to time,
      dmaengine_terminate_all will force the callback to safely call
      wake_up_all() without possibility of using a freed pointer.
      
      Bug: https://bugzilla.kernel.org/show_bug.cgi?id=197605
      Fixes: adfa543e ("dmatest: don't use set_freezable_with_signal()")
      Reviewed-by: default avatarSinan Kaya <okaya@codeaurora.org>
      Suggested-by: default avatarShunyong Yang <shunyong.yang@hxt-semitech.com>
      Signed-off-by: default avatarAdam Wallis <awallis@codeaurora.org>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52425e04
    • Steven Rostedt's avatar
      sched/rt: Do not pull from current CPU if only one CPU to pull · af36d95a
      Steven Rostedt authored
      commit f73c52a5 upstream.
      
      Daniel Wagner reported a crash on the BeagleBone Black SoC.
      
      This is a single CPU architecture, and does not have a functional
      arch_send_call_function_single_ipi() implementation which can crash
      the kernel if that is called.
      
      As it only has one CPU, it shouldn't be called, but if the kernel is
      compiled for SMP, the push/pull RT scheduling logic now calls it for
      irq_work if the one CPU is overloaded, it can use that function to call
      itself and crash the kernel.
      
      Ideally, we should disable the SCHED_FEAT(RT_PUSH_IPI) if the system
      only has a single CPU. But SCHED_FEAT is a constant if sched debugging
      is turned off. Another fix can also be used, and this should also help
      with normal SMP machines. That is, do not initiate the pull code if
      there's only one RT overloaded CPU, and that CPU happens to be the
      current CPU that is scheduling in a lower priority task.
      
      Even on a system with many CPUs, if there's many RT tasks waiting to
      run on a single CPU, and that CPU schedules in another RT task of lower
      priority, it will initiate the PULL logic in case there's a higher
      priority RT task on another CPU that is waiting to run. But if there is
      no other CPU with waiting RT tasks, it will initiate the RT pull logic
      on itself (as it still has RT tasks waiting to run). This is a wasted
      effort.
      
      Not only does this help with SMP code where the current CPU is the only
      one with RT overloaded tasks, it should also solve the issue that
      Daniel encountered, because it will prevent the PULL logic from
      executing, as there's only one CPU on the system, and the check added
      here will cause it to exit the RT pull code.
      Reported-by: default avatarDaniel Wagner <wagi@monom.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Acked-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-rt-users <linux-rt-users@vger.kernel.org>
      Fixes: 4bdced5c ("sched/rt: Simplify the IPI based RT balancing logic")
      Link: http://lkml.kernel.org/r/20171202130454.4cbbfe8d@vmware.local.homeSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af36d95a
    • Mathias Nyman's avatar
      xhci: Don't add a virt_dev to the devs array before it's fully allocated · f98ee9c0
      Mathias Nyman authored
      commit 5d9b70f7 upstream.
      
      Avoid null pointer dereference if some function is walking through the
      devs array accessing members of a new virt_dev that is mid allocation.
      
      Add the virt_dev to xhci->devs[i] _after_ the virt_device and all its
      members are properly allocated.
      
      issue found by KASAN: null-ptr-deref in xhci_find_slot_id_by_port
      
      "Quick analysis suggests that xhci_alloc_virt_device() is not mutex
      protected. If so, there is a time frame where xhci->devs[slot_id] is set
      but not fully initialized. Specifically, xhci->devs[i]->udev can be NULL."
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f98ee9c0
    • Sukumar Ghorai's avatar
      Bluetooth: btusb: driver to enable the usb-wakeup feature · ffc75657
      Sukumar Ghorai authored
      commit a0085f25 upstream.
      
      BT-Controller connected as platform non-root-hub device and
      usb-driver initialize such device with wakeup disabled,
      Ref. usb_new_device().
      
      At present wakeup-capability get enabled by hid-input device from usb
      function driver(e.g. BT HID device) at runtime. Again some functional
      driver does not set usb-wakeup capability(e.g LE HID device implement
      as HID-over-GATT), and can't wakeup the host on USB.
      
      Most of the device operation (such as mass storage) initiated from host
      (except HID) and USB wakeup aligned with host resume procedure. For BT
      device, usb-wakeup capability need to enable form btusc driver as a
      generic solution for multiple profile use case and required for USB remote
      wakeup (in-bus wakeup) while host is suspended. Also usb-wakeup feature
      need to enable/disable with HCI interface up and down.
      Signed-off-by: default avatarSukumar Ghorai <sukumar.ghorai@intel.com>
      Signed-off-by: default avatarAmit K Bag <amit.k.bag@intel.com>
      Acked-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: Matthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ffc75657
    • Yan, Zheng's avatar
      ceph: drop negative child dentries before try pruning inode's alias · 8c7c3d5b
      Yan, Zheng authored
      commit 040d7860 upstream.
      
      Negative child dentry holds reference on inode's alias, it makes
      d_prune_aliases() do nothing.
      Signed-off-by: default avatar"Yan, Zheng" <zyan@redhat.com>
      Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c7c3d5b
    • Shuah Khan's avatar
      usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer · 2862cfca
      Shuah Khan authored
      commit be6123df upstream.
      
      stub_send_ret_submit() handles urb with a potential null transfer_buffer,
      when it replays a packet with potential malicious data that could contain
      a null buffer. Add a check for the condition when actual_length > 0 and
      transfer_buffer is null.
      Reported-by: default avatarSecunia Research <vuln@secunia.com>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2862cfca
    • Alan Stern's avatar
      USB: core: prevent malicious bNumInterfaces overflow · dfdf5fa3
      Alan Stern authored
      commit 48a4ff1c upstream.
      
      A malicious USB device with crafted descriptors can cause the kernel
      to access unallocated memory by setting the bNumInterfaces value too
      high in a configuration descriptor.  Although the value is adjusted
      during parsing, this adjustment is skipped in one of the error return
      paths.
      
      This patch prevents the problem by setting bNumInterfaces to 0
      initially.  The existing code already sets it to the proper value
      after parsing is complete.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dfdf5fa3
    • David Kozub's avatar
      USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID · 05de6fa5
      David Kozub authored
      commit 62354454 upstream.
      
      There is another JMS567-based USB3 UAS enclosure (152d:0578) that fails
      with the following error:
      
      [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
      [sda] tag#0 Sense Key : Illegal Request [current]
      [sda] tag#0 Add. Sense: Invalid field in cdb
      
      The issue occurs both with UAS (occasionally) and mass storage
      (immediately after mounting a FS on a disk in the enclosure).
      
      Enabling US_FL_BROKEN_FUA quirk solves this issue.
      
      This patch adds an UNUSUAL_DEV with US_FL_BROKEN_FUA for the enclosure
      for both UAS and mass storage.
      Signed-off-by: default avatarDavid Kozub <zub@linux.fjfi.cvut.cz>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      05de6fa5
    • Changbin Du's avatar
      tracing: Allocate mask_str buffer dynamically · a34419b3
      Changbin Du authored
      commit 90e406f9 upstream.
      
      The default NR_CPUS can be very large, but actual possible nr_cpu_ids
      usually is very small. For my x86 distribution, the NR_CPUS is 8192 and
      nr_cpu_ids is 4. About 2 pages are wasted.
      
      Most machines don't have so many CPUs, so define a array with NR_CPUS
      just wastes memory. So let's allocate the buffer dynamically when need.
      
      With this change, the mutext tracing_cpumask_update_lock also can be
      removed now, which was used to protect mask_str.
      
      Link: http://lkml.kernel.org/r/1512013183-19107-1-git-send-email-changbin.du@intel.com
      
      Fixes: 36dfe925 ("ftrace: make use of tracing_cpumask")
      Signed-off-by: default avatarChangbin Du <changbin.du@intel.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a34419b3
    • NeilBrown's avatar
      autofs: fix careless error in recent commit · c60db4f6
      NeilBrown authored
      commit 302ec300 upstream.
      
      Commit ecc0c469 ("autofs: don't fail mount for transient error") was
      meant to replace an 'if' with a 'switch', but instead added the 'switch'
      leaving the case in place.
      
      Link: http://lkml.kernel.org/r/87zi6wstmw.fsf@notabene.neil.brown.name
      Fixes: ecc0c469 ("autofs: don't fail mount for transient error")
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Cc: Ian Kent <raven@themaw.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c60db4f6
    • Eric Biggers's avatar
      crypto: salsa20 - fix blkcipher_walk API usage · 8a311b04
      Eric Biggers authored
      commit ecaaab56 upstream.
      
      When asked to encrypt or decrypt 0 bytes, both the generic and x86
      implementations of Salsa20 crash in blkcipher_walk_done(), either when
      doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
      because walk->buffer and walk->page have not been initialized.
      
      The bug is that Salsa20 is calling blkcipher_walk_done() even when
      nothing is in 'walk.nbytes'.  But blkcipher_walk_done() is only meant to
      be called when a nonzero number of bytes have been provided.
      
      The broken code is part of an optimization that tries to make only one
      call to salsa20_encrypt_bytes() to process inputs that are not evenly
      divisible by 64 bytes.  To fix the bug, just remove this "optimization"
      and use the blkcipher_walk API the same way all the other users do.
      
      Reproducer:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          int main()
          {
                  int algfd, reqfd;
                  struct sockaddr_alg addr = {
                          .salg_type = "skcipher",
                          .salg_name = "salsa20",
                  };
                  char key[16] = { 0 };
      
                  algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  bind(algfd, (void *)&addr, sizeof(addr));
                  reqfd = accept(algfd, 0, 0);
                  setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
                  read(reqfd, key, sizeof(key));
          }
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: eb6f13eb ("[CRYPTO] salsa20_generic: Fix multi-page processing")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a311b04
    • Eric Biggers's avatar
      crypto: hmac - require that the underlying hash algorithm is unkeyed · 43cd7f38
      Eric Biggers authored
      commit af3ff804 upstream.
      
      Because the HMAC template didn't check that its underlying hash
      algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
      through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
      being used without having been keyed, resulting in sha3_update() being
      called without sha3_init(), causing a stack buffer overflow.
      
      This is a very old bug, but it seems to have only started causing real
      problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
      because the innermost hash's state is ->import()ed from a zeroed buffer,
      and it just so happens that other hash algorithms are fine with that,
      but SHA-3 is not.  However, there could be arch or hardware-dependent
      hash algorithms also affected; I couldn't test everything.
      
      Fix the bug by introducing a function crypto_shash_alg_has_setkey()
      which tests whether a shash algorithm is keyed.  Then update the HMAC
      template to require that its underlying hash algorithm is unkeyed.
      
      Here is a reproducer:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
      
          int main()
          {
              int algfd;
              struct sockaddr_alg addr = {
                  .salg_type = "hash",
                  .salg_name = "hmac(hmac(sha3-512-generic))",
              };
              char key[4096] = { 0 };
      
              algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
              bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
              setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
          }
      
      Here was the KASAN report from syzbot:
      
          BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341  [inline]
          BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0  crypto/sha3_generic.c:161
          Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
      
          CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
          Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  Google 01/01/2011
          Call Trace:
            __dump_stack lib/dump_stack.c:17 [inline]
            dump_stack+0x194/0x257 lib/dump_stack.c:53
            print_address_description+0x73/0x250 mm/kasan/report.c:252
            kasan_report_error mm/kasan/report.c:351 [inline]
            kasan_report+0x25b/0x340 mm/kasan/report.c:409
            check_memory_region_inline mm/kasan/kasan.c:260 [inline]
            check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
            memcpy+0x37/0x50 mm/kasan/kasan.c:303
            memcpy include/linux/string.h:341 [inline]
            sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
            crypto_shash_update+0xcb/0x220 crypto/shash.c:109
            shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
            crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
            hmac_finup+0x182/0x330 crypto/hmac.c:152
            crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
            shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
            crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
            hmac_setkey+0x36a/0x690 crypto/hmac.c:66
            crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
            shash_async_setkey+0x47/0x60 crypto/shash.c:207
            crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
            hash_setkey+0x40/0x90 crypto/algif_hash.c:446
            alg_setkey crypto/af_alg.c:221 [inline]
            alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
            SYSC_setsockopt net/socket.c:1851 [inline]
            SyS_setsockopt+0x189/0x360 net/socket.c:1830
            entry_SYSCALL_64_fastpath+0x1f/0x96
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      43cd7f38
  2. 16 Dec, 2017 23 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.106 · 4231b6a9
      Greg Kroah-Hartman authored
      4231b6a9
    • Vincent Pelletier's avatar
      usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping · 5c6db4af
      Vincent Pelletier authored
      commit 30bf90cc upstream.
      
      Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation:
      
      [  100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421
      [  100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python
      [  100.867954] 2 locks held by python/1880:
      [  100.867961]  #0:  (&epfile->mutex){....}, at: [<f8188627>] ffs_mutex_lock+0x27/0x30 [usb_f_fs]
      [  100.868020]  #1:  (&(&ffs->eps_lock)->rlock){....}, at: [<f818ad4b>] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs]
      [  100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118
      [  100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48
      [  100.868093] Call Trace:
      [  100.868122]  dump_stack+0x47/0x62
      [  100.868156]  ___might_sleep+0xfd/0x110
      [  100.868182]  __might_sleep+0x68/0x70
      [  100.868217]  kmem_cache_alloc_trace+0x4b/0x200
      [  100.868248]  ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
      [  100.868302]  dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3]
      [  100.868343]  usb_ep_alloc_request+0x16/0xc0 [udc_core]
      [  100.868386]  ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs]
      [  100.868424]  ? _raw_spin_unlock_irqrestore+0x27/0x40
      [  100.868457]  ? kiocb_set_cancel_fn+0x57/0x60
      [  100.868477]  ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs]
      [  100.868512]  ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs]
      [  100.868551]  ? security_file_permission+0x9c/0xd0
      [  100.868587]  ? rw_verify_area+0xac/0x120
      [  100.868633]  aio_read+0x9d/0x100
      [  100.868692]  ? __fget+0xa2/0xd0
      [  100.868727]  ? __might_sleep+0x68/0x70
      [  100.868763]  SyS_io_submit+0x471/0x680
      [  100.868878]  do_int80_syscall_32+0x4e/0xd0
      [  100.868921]  entry_INT80_32+0x2a/0x2a
      [  100.868932] EIP: 0xb7fbb676
      [  100.868941] EFLAGS: 00000292 CPU: 1
      [  100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368
      [  100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638
      [  100.868973]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
      Signed-off-by: default avatarVincent Pelletier <plr.vincent@gmail.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSiqi Lin <siqilin@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c6db4af
    • Marc Zyngier's avatar
      arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one · a5fa9efe
      Marc Zyngier authored
      commit 5553b142 upstream.
      
      VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
      VTTBR address. It seems to currently be off by one, thereby only
      allowing up to 39-bit addresses (instead of 40-bit) and also
      insufficiently checking the alignment. This patch fixes it.
      
      This patch is the 32bit pendent of Kristina's arm64 fix, and
      she deserves the actual kudos for pinpointing that one.
      
      Fixes: f7ed45be ("KVM: ARM: World-switch implementation")
      Cc: <stable@vger.kernel.org> # 3.9
      Reported-by: default avatarKristina Martsenko <kristina.martsenko@arm.com>
      Reviewed-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a5fa9efe
    • Greg Kroah-Hartman's avatar
      Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers" · 9f5a8d61
      Greg Kroah-Hartman authored
      This reverts commit 87e2bd89 which is
      commit edc3b912 upstream.
      
      Turns there was too many other issues with this patch to make it viable
      for the stable tree.
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Jones <davej@codemonkey.org.uk>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Toshi Kani <toshi.kani@hp.com>
      Cc: linux-efi@vger.kernel.org
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: "Ghannam, Yazen" <Yazen.Ghannam@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f5a8d61
    • Greg Kroah-Hartman's avatar
      Revert "x86/efi: Hoist page table switching code into efi_call_virt()" · 34933c2c
      Greg Kroah-Hartman authored
      This reverts commit b73adb60 which is
      commit c9f2a9a6 upstream.
      
      Turns there was too many other issues with this patch to make it viable
      for the stable tree.
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Jones <davej@codemonkey.org.uk>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Toshi Kani <toshi.kani@hp.com>
      Cc: linux-efi@vger.kernel.org
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: "Ghannam, Yazen" <Yazen.Ghannam@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34933c2c
    • Greg Kroah-Hartman's avatar
      Revert "x86/efi: Build our own page table structures" · 1dfe268d
      Greg Kroah-Hartman authored
      This reverts commit 36e0f05a which is
      commit 67a9108e upstream.
      
      Turns there was too many other issues with this patch to make it viable
      for the stable tree.
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Jones <davej@codemonkey.org.uk>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Toshi Kani <toshi.kani@hp.com>
      Cc: linux-efi@vger.kernel.org
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: "Ghannam, Yazen" <Yazen.Ghannam@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1dfe268d
    • Eric Dumazet's avatar
      net/packet: fix a race in packet_bind() and packet_notifier() · b90f87c6
      Eric Dumazet authored
      
      [ Upstream commit 15fe076e ]
      
      syzbot reported crashes [1] and provided a C repro easing bug hunting.
      
      When/if packet_do_bind() calls __unregister_prot_hook() and releases
      po->bind_lock, another thread can run packet_notifier() and process an
      NETDEV_UP event.
      
      This calls register_prot_hook() and hooks again the socket right before
      first thread is able to grab again po->bind_lock.
      
      Fixes this issue by temporarily setting po->num to 0, as suggested by
      David Miller.
      
      [1]
      dev_remove_pack: ffff8801bf16fa80 not found
      ------------[ cut here ]------------
      kernel BUG at net/core/dev.c:7945!  ( BUG_ON(!list_empty(&dev->ptype_all)); )
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      device syz0 entered promiscuous mode
      CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      task: ffff8801cc57a500 task.stack: ffff8801cc588000
      RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945
      RSP: 0018:ffff8801cc58f598 EFLAGS: 00010293
      RAX: ffff8801cc57a500 RBX: dffffc0000000000 RCX: ffffffff841f75b2
      RDX: 0000000000000000 RSI: 1ffff100398b1ede RDI: ffff8801bf1f8810
      device syz0 entered promiscuous mode
      RBP: ffff8801cc58f898 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bf1f8cd8
      R13: ffff8801cc58f870 R14: ffff8801bf1f8780 R15: ffff8801cc58f7f0
      FS:  0000000001716880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020b13000 CR3: 0000000005e25000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106
       tun_detach drivers/net/tun.c:670 [inline]
       tun_chr_close+0x49/0x60 drivers/net/tun.c:2845
       __fput+0x333/0x7f0 fs/file_table.c:210
       ____fput+0x15/0x20 fs/file_table.c:244
       task_work_run+0x199/0x270 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x9bb/0x1ae0 kernel/exit.c:865
       do_group_exit+0x149/0x400 kernel/exit.c:968
       SYSC_exit_group kernel/exit.c:979 [inline]
       SyS_exit_group+0x1d/0x20 kernel/exit.c:977
       entry_SYSCALL_64_fastpath+0x1f/0x96
      RIP: 0033:0x44ad19
      
      Fixes: 30f7ea1c ("packet: race condition in packet_bind")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Francesco Ruggeri <fruggeri@aristanetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b90f87c6
    • Mike Maloney's avatar
      packet: fix crash in fanout_demux_rollover() · f50e9c87
      Mike Maloney authored
      
      syzkaller found a race condition fanout_demux_rollover() while removing
      a packet socket from a fanout group.
      
      po->rollover is read and operated on during packet_rcv_fanout(), via
      fanout_demux_rollover(), but the pointer is currently cleared before the
      synchronization in packet_release().   It is safer to delay the cleanup
      until after synchronize_net() has been called, ensuring all calls to
      packet_rcv_fanout() for this socket have finished.
      
      To further simplify synchronization around the rollover structure, set
      po->rollover in fanout_add() only if there are no errors.  This removes
      the need for rcu in the struct and in the call to
      packet_getsockopt(..., PACKET_ROLLOVER_STATS, ...).
      
      Crashing stack trace:
       fanout_demux_rollover+0xb6/0x4d0 net/packet/af_packet.c:1392
       packet_rcv_fanout+0x649/0x7c8 net/packet/af_packet.c:1487
       dev_queue_xmit_nit+0x835/0xc10 net/core/dev.c:1953
       xmit_one net/core/dev.c:2975 [inline]
       dev_hard_start_xmit+0x16b/0xac0 net/core/dev.c:2995
       __dev_queue_xmit+0x17a4/0x2050 net/core/dev.c:3476
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3509
       neigh_connected_output+0x489/0x720 net/core/neighbour.c:1379
       neigh_output include/net/neighbour.h:482 [inline]
       ip6_finish_output2+0xad1/0x22a0 net/ipv6/ip6_output.c:120
       ip6_finish_output+0x2f9/0x920 net/ipv6/ip6_output.c:146
       NF_HOOK_COND include/linux/netfilter.h:239 [inline]
       ip6_output+0x1f4/0x850 net/ipv6/ip6_output.c:163
       dst_output include/net/dst.h:459 [inline]
       NF_HOOK.constprop.35+0xff/0x630 include/linux/netfilter.h:250
       mld_sendpack+0x6a8/0xcc0 net/ipv6/mcast.c:1660
       mld_send_initial_cr.part.24+0x103/0x150 net/ipv6/mcast.c:2072
       mld_send_initial_cr net/ipv6/mcast.c:2056 [inline]
       ipv6_mc_dad_complete+0x99/0x130 net/ipv6/mcast.c:2079
       addrconf_dad_completed+0x595/0x970 net/ipv6/addrconf.c:4039
       addrconf_dad_work+0xac9/0x1160 net/ipv6/addrconf.c:3971
       process_one_work+0xbf0/0x1bc0 kernel/workqueue.c:2113
       worker_thread+0x223/0x1990 kernel/workqueue.c:2247
       kthread+0x35e/0x430 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432
      
      Fixes: 0648ab70 ("packet: rollover prepare: per-socket state")
      Fixes: 509c7a1e ("packet: avoid panic in packet_getsockopt()")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarMike Maloney <maloney@google.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f50e9c87
    • Hangbin Liu's avatar
      sit: update frag_off info · d6189fa4
      Hangbin Liu authored
      
      [ Upstream commit f859b4af ]
      
      After parsing the sit netlink change info, we forget to update frag_off in
      ipip6_tunnel_update(). Fix it by assigning frag_off with new value.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6189fa4
    • Håkon Bugge's avatar
      rds: Fix NULL pointer dereference in __rds_rdma_map · 6c154d53
      Håkon Bugge authored
      
      [ Upstream commit f3069c6d ]
      
      This is a fix for syzkaller719569, where memory registration was
      attempted without any underlying transport being loaded.
      
      Analysis of the case reveals that it is the setsockopt() RDS_GET_MR
      (2) and RDS_GET_MR_FOR_DEST (7) that are vulnerable.
      
      Here is an example stack trace when the bug is hit:
      
      BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0
      IP: __rds_rdma_map+0x36/0x440 [rds]
      PGD 2f93d03067 P4D 2f93d03067 PUD 2f93d02067 PMD 0
      Oops: 0000 [#1] SMP
      Modules linked in: bridge stp llc tun rpcsec_gss_krb5 nfsv4
      dns_resolver nfs fscache rds binfmt_misc sb_edac intel_powerclamp
      coretemp kvm_intel kvm irqbypass crct10dif_pclmul c rc32_pclmul
      ghash_clmulni_intel pcbc aesni_intel crypto_simd glue_helper cryptd
      iTCO_wdt mei_me sg iTCO_vendor_support ipmi_si mei ipmi_devintf nfsd
      shpchp pcspkr i2c_i801 ioatd ma ipmi_msghandler wmi lpc_ich mfd_core
      auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2
      mgag200 i2c_algo_bit drm_kms_helper ixgbe syscopyarea ahci sysfillrect
      sysimgblt libahci mdio fb_sys_fops ttm ptp libata sd_mod mlx4_core drm
      crc32c_intel pps_core megaraid_sas i2c_core dca dm_mirror
      dm_region_hash dm_log dm_mod
      CPU: 48 PID: 45787 Comm: repro_set2 Not tainted 4.14.2-3.el7uek.x86_64 #2
      Hardware name: Oracle Corporation ORACLE SERVER X5-2L/ASM,MOBO TRAY,2U, BIOS 31110000 03/03/2017
      task: ffff882f9190db00 task.stack: ffffc9002b994000
      RIP: 0010:__rds_rdma_map+0x36/0x440 [rds]
      RSP: 0018:ffffc9002b997df0 EFLAGS: 00010202
      RAX: 0000000000000000 RBX: ffff882fa2182580 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffffc9002b997e40 RDI: ffff882fa2182580
      RBP: ffffc9002b997e30 R08: 0000000000000000 R09: 0000000000000002
      R10: ffff885fb29e3838 R11: 0000000000000000 R12: ffff882fa2182580
      R13: ffff882fa2182580 R14: 0000000000000002 R15: 0000000020000ffc
      FS:  00007fbffa20b700(0000) GS:ffff882fbfb80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000000000c0 CR3: 0000002f98a66006 CR4: 00000000001606e0
      Call Trace:
       rds_get_mr+0x56/0x80 [rds]
       rds_setsockopt+0x172/0x340 [rds]
       ? __fget_light+0x25/0x60
       ? __fdget+0x13/0x20
       SyS_setsockopt+0x80/0xe0
       do_syscall_64+0x67/0x1b0
       entry_SYSCALL64_slow_path+0x25/0x25
      RIP: 0033:0x7fbff9b117f9
      RSP: 002b:00007fbffa20aed8 EFLAGS: 00000293 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00000000000c84a4 RCX: 00007fbff9b117f9
      RDX: 0000000000000002 RSI: 0000400000000114 RDI: 000000000000109b
      RBP: 00007fbffa20af10 R08: 0000000000000020 R09: 00007fbff9dd7860
      R10: 0000000020000ffc R11: 0000000000000293 R12: 0000000000000000
      R13: 00007fbffa20b9c0 R14: 00007fbffa20b700 R15: 0000000000000021
      
      Code: 41 56 41 55 49 89 fd 41 54 53 48 83 ec 18 8b 87 f0 02 00 00 48
      89 55 d0 48 89 4d c8 85 c0 0f 84 2d 03 00 00 48 8b 87 00 03 00 00 <48>
      83 b8 c0 00 00 00 00 0f 84 25 03 00 0 0 48 8b 06 48 8b 56 08
      
      The fix is to check the existence of an underlying transport in
      __rds_rdma_map().
      Signed-off-by: default avatarHåkon Bugge <haakon.bugge@oracle.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6c154d53
    • Jon Maloy's avatar
      tipc: fix memory leak in tipc_accept_from_sock() · 827fd89b
      Jon Maloy authored
      
      [ Upstream commit a7d5f107 ]
      
      When the function tipc_accept_from_sock() fails to create an instance of
      struct tipc_subscriber it omits to free the already created instance of
      struct tipc_conn instance before it returns.
      
      We fix that with this commit.
      Reported-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      827fd89b
    • Al Viro's avatar
      more bio_map_user_iov() leak fixes · 047a7bb1
      Al Viro authored
      commit 2b04e8f6 upstream.
      
      we need to take care of failure exit as well - pages already
      in bio should be dropped by analogue of bio_unmap_pages(),
      since their refcounts had been bumped only once per reference
      in bio.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      047a7bb1
    • Heiko Carstens's avatar
      s390: always save and restore all registers on context switch · 3a620404
      Heiko Carstens authored
      commit fbbd7f1a upstream.
      
      The switch_to() macro has an optimization to avoid saving and
      restoring register contents that aren't needed for kernel threads.
      
      There is however the possibility that a kernel thread execve's a user
      space program. In such a case the execve'd process can partially see
      the contents of the previous process, which shouldn't be allowed.
      
      To avoid this, simply always save and restore register contents on
      context switch.
      
      Cc: <stable@vger.kernel.org> # v2.6.37+
      Fixes: fdb6d070 ("switch_to: dont restore/save access & fpu regs for kernel threads")
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a620404
    • Masamitsu Yamazaki's avatar
      ipmi: Stop timers before cleaning up the module · 99962aff
      Masamitsu Yamazaki authored
      commit 4f7f5551 upstream.
      
      System may crash after unloading ipmi_si.ko module
      because a timer may remain and fire after the module cleaned up resources.
      
      cleanup_one_si() contains the following processing.
      
              /*
               * Make sure that interrupts, the timer and the thread are
               * stopped and will not run again.
               */
              if (to_clean->irq_cleanup)
                      to_clean->irq_cleanup(to_clean);
              wait_for_timer_and_thread(to_clean);
      
              /*
               * Timeouts are stopped, now make sure the interrupts are off
               * in the BMC.  Note that timers and CPU interrupts are off,
               * so no need for locks.
               */
              while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) {
                      poll(to_clean);
                      schedule_timeout_uninterruptible(1);
              }
      
      si_state changes as following in the while loop calling poll(to_clean).
      
        SI_GETTING_MESSAGES
          => SI_CHECKING_ENABLES
           => SI_SETTING_ENABLES
            => SI_GETTING_EVENTS
             => SI_NORMAL
      
      As written in the code comments above,
      timers are expected to stop before the polling loop and not to run again.
      But the timer is set again in the following process
      when si_state becomes SI_SETTING_ENABLES.
      
        => poll
           => smi_event_handler
             => handle_transaction_done
                // smi_info->si_state == SI_SETTING_ENABLES
               => start_getting_events
                 => start_new_msg
                  => smi_mod_timer
                    => mod_timer
      
      As a result, before the timer set in start_new_msg() expires,
      the polling loop may see si_state becoming SI_NORMAL
      and the module clean-up finishes.
      
      For example, hard LOCKUP and panic occurred as following.
      smi_timeout was called after smi_event_handler,
      kcs_event and hangs at port_inb()
      trying to access I/O port after release.
      
          [exception RIP: port_inb+19]
          RIP: ffffffffc0473053  RSP: ffff88069fdc3d80  RFLAGS: 00000006
          RAX: ffff8806800f8e00  RBX: ffff880682bd9400  RCX: 0000000000000000
          RDX: 0000000000000ca3  RSI: 0000000000000ca3  RDI: ffff8806800f8e40
          RBP: ffff88069fdc3d80   R8: ffffffff81d86dfc   R9: ffffffff81e36426
          R10: 00000000000509f0  R11: 0000000000100000  R12: 0000000000]:000000
          R13: 0000000000000000  R14: 0000000000000246  R15: ffff8806800f8e00
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
       --- <NMI exception stack> ---
      
      To fix the problem I defined a flag, timer_can_start,
      as member of struct smi_info.
      The flag is enabled immediately after initializing the timer
      and disabled immediately before waiting for timer deletion.
      
      Fixes: 0cfec916 ("ipmi: Start the timer and thread on internal msgs")
      Signed-off-by: default avatarYamazaki Masamitsu <m-yamazaki@ah.jp.nec.com>
      [Adjusted for recent changes in the driver.]
      [Some fairly major changes went into the IPMI driver in 4.15, so this
       required a backport as the code had changed and moved to a different
       file.  The 4.14 version of this patch moved some code under an
       if statement and there was an API change causing it to not apply to
       4.4-4.6.]
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99962aff
    • Paul Moore's avatar
      audit: ensure that 'audit=1' actually enables audit for PID 1 · b3495712
      Paul Moore authored
      
      [ Upstream commit 173743dd ]
      
      Prior to this patch we enabled audit in audit_init(), which is too
      late for PID 1 as the standard initcalls are run after the PID 1 task
      is forked.  This means that we never allocate an audit_context (see
      audit_alloc()) for PID 1 and therefore miss a lot of audit events
      generated by PID 1.
      
      This patch enables audit as early as possible to help ensure that when
      PID 1 is forked it can allocate an audit_context if required.
      Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b3495712
    • Keefe Liu's avatar
      ipvlan: fix ipv6 outbound device · 1b9baf30
      Keefe Liu authored
      
      [ Upstream commit ca29fd7c ]
      
      When process the outbound packet of ipv6, we should assign the master
      device to output device other than input device.
      Signed-off-by: default avatarKeefe Liu <liuqifa@huawei.com>
      Acked-by: default avatarMahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b9baf30
    • David Howells's avatar
      afs: Connect up the CB.ProbeUuid · cdfe2d0a
      David Howells authored
      
      [ Upstream commit f4b3526d ]
      
      The handler for the CB.ProbeUuid operation in the cache manager is
      implemented, but isn't listed in the switch-statement of operation
      selection, so won't be used.  Fix this by adding it.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cdfe2d0a
    • Majd Dibbiny's avatar
      IB/mlx5: Assign send CQ and recv CQ of UMR QP · 452ae091
      Majd Dibbiny authored
      
      [ Upstream commit 31fde034 ]
      
      The UMR's QP is created by calling mlx5_ib_create_qp directly, and
      therefore the send CQ and the recv CQ on the ibqp weren't assigned.
      
      Assign them right after calling the mlx5_ib_create_qp to assure
      that any access to those pointers will work as expected and won't
      crash the system as might happen as part of reset flow.
      
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Signed-off-by: default avatarMajd Dibbiny <majd@mellanox.com>
      Reviewed-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      452ae091
    • Mark Bloch's avatar
      IB/mlx4: Increase maximal message size under UD QP · 3d1d4642
      Mark Bloch authored
      
      [ Upstream commit 5f22a1d8 ]
      
      Maximal message should be used as a limit to the max message payload allowed,
      without the headers. The ConnectX-3 check is done against this value includes
      the headers. When the payload is 4K this will cause the NIC to drop packets.
      
      Increase maximal message to 8K as workaround, this shouldn't change current
      behaviour because we continue to set the MTU to 4k.
      
      To reproduce;
      set MTU to 4296 on the corresponding interface, for example:
      ifconfig eth0 mtu 4296 (both server and client)
      
      On server:
      ib_send_bw -c UD -d mlx4_0 -s 4096 -n 1000000 -i1 -m 4096
      
      On client:
      ib_send_bw -d mlx4_0 -c UD <server_ip> -s 4096 -n 1000000 -i 1 -m 4096
      
      Fixes: 6e0d733d ("IB/mlx4: Allow 4K messages for UD QPs")
      Signed-off-by: default avatarMark Bloch <markb@mellanox.com>
      Reviewed-by: default avatarMajd Dibbiny <majd@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d1d4642
    • Herbert Xu's avatar
      xfrm: Copy policy family in clone_policy · 8bfafc97
      Herbert Xu authored
      
      [ Upstream commit 0e74aa1d ]
      
      The syzbot found an ancient bug in the IPsec code.  When we cloned
      a socket policy (for example, for a child TCP socket derived from a
      listening socket), we did not copy the family field.  This results
      in a live policy with a zero family field.  This triggers a BUG_ON
      check in the af_key code when the cloned policy is retrieved.
      
      This patch fixes it by copying the family field over.
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8bfafc97
    • Jason Baron's avatar
      jump_label: Invoke jump_label_test() via early_initcall() · 5c15c5c8
      Jason Baron authored
      
      [ Upstream commit 92ee46ef ]
      
      Fengguang Wu reported that running the rcuperf test during boot can cause
      the jump_label_test() to hit a WARN_ON(). The issue is that the core jump
      label code relies on kernel_text_address() to detect when it can no longer
      update branches that may be contained in __init sections. The
      kernel_text_address() in turn assumes that if the system_state variable is
      greter than or equal to SYSTEM_RUNNING then __init sections are no longer
      valid (since the assumption is that they have been freed). However, when
      rcuperf is setup to run in early boot it can call kernel_power_off() which
      sets the system_state to SYSTEM_POWER_OFF.
      
      Since rcuperf initialization is invoked via a module_init(), we can make
      the dependency of jump_label_test() needing to complete before rcuperf
      explicit by calling it via early_initcall().
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarJason Baron <jbaron@akamai.com>
      Acked-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1510609727-2238-1-git-send-email-jbaron@akamai.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c15c5c8
    • Arvind Yadav's avatar
      atm: horizon: Fix irq release error · 1b85cd5d
      Arvind Yadav authored
      
      [ Upstream commit bde533f2 ]
      
      atm_dev_register() can fail here and passed parameters to free irq
      which is not initialised. Initialization of 'dev->irq' happened after
      the 'goto out_free_irq'. So using 'irq' insted of 'dev->irq' in
      free_irq().
      Signed-off-by: default avatarArvind Yadav <arvind.yadav.cs@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b85cd5d
    • Xin Long's avatar
      sctp: use the right sk after waking up from wait_buf sleep · dde5bbd5
      Xin Long authored
      
      [ Upstream commit cea0cc80 ]
      
      Commit dfcb9f4f ("sctp: deny peeloff operation on asocs with threads
      sleeping on it") fixed the race between peeloff and wait sndbuf by
      checking waitqueue_active(&asoc->wait) in sctp_do_peeloff().
      
      But it actually doesn't work, as even if waitqueue_active returns false
      the waiting sndbuf thread may still not yet hold sk lock. After asoc is
      peeled off, sk is not asoc->base.sk any more, then to hold the old sk
      lock couldn't make assoc safe to access.
      
      This patch is to fix this by changing to hold the new sk lock if sk is
      not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the
      new sk.
      
      With this fix, there is no more race between peeloff and waitbuf, the
      check 'waitqueue_active' in sctp_do_peeloff can be removed.
      
      Thanks Marcelo and Neil for making this clear.
      
      v1->v2:
        fix it by changing to lock the new sock instead of adding a flag in asoc.
      Suggested-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dde5bbd5