1. 21 Aug, 2020 40 commits
    • Peilin Ye's avatar
      Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() · aea77913
      Peilin Ye authored
      commit 51c19bf3 upstream.
      
      Check upon `num_rsp` is insufficient. A malformed event packet with a
      large `num_rsp` number makes hci_extended_inquiry_result_evt() go out
      of bounds. Fix it.
      
      This patch fixes the following syzbot bug:
      
          https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2
      
      Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPeilin Ye <yepeilin.cs@gmail.com>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aea77913
    • Takashi Iwai's avatar
      ALSA: seq: oss: Serialize ioctls · 5a48144e
      Takashi Iwai authored
      commit 80982c7e upstream.
      
      Some ioctls via OSS sequencer API may race and lead to UAF when the
      port create and delete are performed concurrently, as spotted by a
      couple of syzkaller cases.  This patch is an attempt to address it by
      serializing the ioctls with the existing register_mutex.
      
      Basically OSS sequencer API is an obsoleted interface and was designed
      without much consideration of the concurrency.  There are very few
      applications with it, and the concurrent performance isn't asked,
      hence this "big hammer" approach should be good enough.
      
      Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
      Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
      Suggested-by: default avatarHillf Danton <hdanton@sina.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a48144e
    • Roi Dayan's avatar
      net/mlx5e: Don't support phys switch id if not in switchdev mode · 0216f889
      Roi Dayan authored
      Support for phys switch id ndo added for representors and if
      we do not have representors there is no need to support it.
      Since each port return different switch id supporting this
      block support for creating bond over PFs and attaching to bridge
      in legacy mode.
      
      This bug doesn't exist upstream as the code got refactored and the
      netdev api is totally different.
      
      Fixes: cb67b832 ("net/mlx5e: Introduce SRIOV VF representors")
      Signed-off-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0216f889
    • Erik Ekman's avatar
      USB: serial: qcserial: add EM7305 QDL product ID · 487862fd
      Erik Ekman authored
      commit d2a4309c upstream.
      
      When running qmi-firmware-update on the Sierra Wireless EM7305 in a Toshiba
      laptop, it changed product ID to 0x9062 when entering QDL mode:
      
      usb 2-4: new high-speed USB device number 78 using xhci_hcd
      usb 2-4: New USB device found, idVendor=1199, idProduct=9062, bcdDevice= 0.00
      usb 2-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
      usb 2-4: Product: EM7305
      usb 2-4: Manufacturer: Sierra Wireless, Incorporated
      
      The upgrade could complete after running
       # echo 1199 9062 > /sys/bus/usb-serial/drivers/qcserial/new_id
      
      qcserial 2-4:1.0: Qualcomm USB modem converter detected
      usb 2-4: Qualcomm USB modem converter now attached to ttyUSB0
      Signed-off-by: default avatarErik Ekman <erik@kryo.se>
      Link: https://lore.kernel.org/r/20200717185118.3640219-1-erik@kryo.se
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      487862fd
    • Jiang Ying's avatar
      ext4: fix direct I/O read error · c8e44688
      Jiang Ying authored
      This patch is used to fix ext4 direct I/O read error when
      the read size is not aligned with block size.
      
      Then, I will use a test to explain the error.
      
      (1) Make a file that is not aligned with block size:
      	$dd if=/dev/zero of=./test.jar bs=1000 count=3
      
      (2) I wrote a source file named "direct_io_read_file.c" as following:
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <unistd.h>
      	#include <sys/file.h>
      	#include <sys/types.h>
      	#include <sys/stat.h>
      	#include <string.h>
      	#define BUF_SIZE 1024
      
      	int main()
      	{
      		int fd;
      		int ret;
      
      		unsigned char *buf;
      		ret = posix_memalign((void **)&buf, 512, BUF_SIZE);
      		if (ret) {
      			perror("posix_memalign failed");
      			exit(1);
      		}
      		fd = open("./test.jar", O_RDONLY | O_DIRECT, 0755);
      		if (fd < 0){
      			perror("open ./test.jar failed");
      			exit(1);
      		}
      
      		do {
      			ret = read(fd, buf, BUF_SIZE);
      			printf("ret=%d\n",ret);
      			if (ret < 0) {
      				perror("write test.jar failed");
      			}
      		} while (ret > 0);
      
      		free(buf);
      		close(fd);
      	}
      
      (3) Compile the source file:
      	$gcc direct_io_read_file.c -D_GNU_SOURCE
      
      (4) Run the test program:
      	$./a.out
      
      	The result is as following:
      	ret=1024
      	ret=1024
      	ret=952
      	ret=-1
      	write test.jar failed: Invalid argument.
      
      I have tested this program on XFS filesystem, XFS does not have
      this problem, because XFS use iomap_dio_rw() to do direct I/O
      read. And the comparing between read offset and file size is done
      in iomap_dio_rw(), the code is as following:
      
      	if (pos < size) {
      		retval = filemap_write_and_wait_range(mapping, pos,
      				pos + iov_length(iov, nr_segs) - 1);
      
      		if (!retval) {
      			retval = mapping->a_ops->direct_IO(READ, iocb,
      						iov, pos, nr_segs);
      		}
      		...
      	}
      
      ...only when "pos < size", direct I/O can be done, or 0 will be return.
      
      I have tested the fix patch on Ext4, it is up to the mustard of
      EINVAL in man2(read) as following:
      	#include <unistd.h>
      	ssize_t read(int fd, void *buf, size_t count);
      
      	EINVAL
      		fd is attached to an object which is unsuitable for reading;
      		or the file was opened with the O_DIRECT flag, and either the
      		address specified in buf, the value specified in count, or the
      		current file offset is not suitably aligned.
      
      So I think this patch can be applied to fix ext4 direct I/O error.
      
      However Ext4 introduces direct I/O read using iomap infrastructure
      on kernel 5.5, the patch is commit <b1b4705d>
      ("ext4: introduce direct I/O read using iomap infrastructure"),
      then Ext4 will be the same as XFS, they all use iomap_dio_rw() to do direct
      I/O read. So this problem does not exist on kernel 5.5 for Ext4.
      
      >From above description, we can see this problem exists on all the kernel
      versions between kernel 3.14 and kernel 5.4. It will cause the Applications
      to fail to read. For example, when the search service downloads a new full
      index file, the search engine is loading the previous index file and is
      processing the search request, it can not use buffer io that may squeeze
      the previous index file in use from pagecache, so the serch service must
      use direct I/O read.
      
      Please apply this patch on these kernel versions, or please use the method
      on kernel 5.5 to fix this problem.
      
      Fixes: 9fe55eea ("Fix race when checking i_size on direct i/o read")
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarWang Long <wanglong19@meituan.com>
      Signed-off-by: default avatarJiang Ying <jiangying8582@126.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8e44688
    • Linus Torvalds's avatar
      random32: move the pseudo-random 32-bit definitions to prandom.h · 82461648
      Linus Torvalds authored
      commit c0842fbc upstream.
      
      The addition of percpu.h to the list of includes in random.h revealed
      some circular dependencies on arm64 and possibly other platforms.  This
      include was added solely for the pseudo-random definitions, which have
      nothing to do with the rest of the definitions in this file but are
      still there for legacy reasons.
      
      This patch moves the pseudo-random parts to linux/prandom.h and the
      percpu.h include with it, which is now guarded by _LINUX_PRANDOM_H and
      protected against recursive inclusion.
      
      A further cleanup step would be to remove this from <linux/random.h>
      entirely, and make people who use the prandom infrastructure include
      just the new header file.  That's a bit of a churn patch, but grepping
      for "prandom_" and "next_pseudo_random32" "struct rnd_state" should
      catch most users.
      
      But it turns out that that nice cleanup step is fairly painful, because
      a _lot_ of code currently seems to depend on the implicit include of
      <linux/random.h>, which can currently come in a lot of ways, including
      such fairly core headfers as <linux/net.h>.
      
      So the "nice cleanup" part may or may never happen.
      
      Fixes: 1c9df907 ("random: fix circular include dependency on arm64 after addition of percpu.h")
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Acked-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82461648
    • Linus Torvalds's avatar
      random32: remove net_rand_state from the latent entropy gcc plugin · 8ce7dd3f
      Linus Torvalds authored
      commit 83bdc727 upstream.
      
      It turns out that the plugin right now ends up being really unhappy
      about the change from 'static' to 'extern' storage that happened in
      commit f227e3ec ("random32: update the net random state on interrupt
      and activity").
      
      This is probably a trivial fix for the latent_entropy plugin, but for
      now, just remove net_rand_state from the list of things the plugin
      worries about.
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Cc: Emese Revfy <re.emese@gmail.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Willy Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8ce7dd3f
    • Willy Tarreau's avatar
      random: fix circular include dependency on arm64 after addition of percpu.h · 746fe496
      Willy Tarreau authored
      commit 1c9df907 upstream.
      
      Daniel Díaz and Kees Cook independently reported that commit
      f227e3ec ("random32: update the net random state on interrupt and
      activity") broke arm64 due to a circular dependency on include files
      since the addition of percpu.h in random.h.
      
      The correct fix would definitely be to move all the prandom32 stuff out
      of random.h but for backporting, a smaller solution is preferred.
      
      This one replaces linux/percpu.h with asm/percpu.h, and this fixes the
      problem on x86_64, arm64, arm, and mips.  Note that moving percpu.h
      around didn't change anything and that removing it entirely broke
      differently.  When backporting, such options might still be considered
      if this patch fails to help.
      
      [ It turns out that an alternate fix seems to be to just remove the
        troublesome <asm/pointer_auth.h> remove from the arm64 <asm/smp.h>
        that causes the circular dependency.
      
        But we might as well do the whole belt-and-suspenders thing, and
        minimize inclusion in <linux/random.h> too. Either will fix the
        problem, and both are good changes.   - Linus ]
      Reported-by: default avatarDaniel Díaz <daniel.diaz@linaro.org>
      Reported-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarMarc Zyngier <maz@kernel.org>
      Fixes: f227e3ec
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      746fe496
    • Grygorii Strashko's avatar
      ARM: percpu.h: fix build error · 473b095f
      Grygorii Strashko authored
      commit aa54ea90 upstream.
      
      Fix build error for the case:
        defined(CONFIG_SMP) && !defined(CONFIG_CPU_V6)
      
      config: keystone_defconfig
      
        CC      arch/arm/kernel/signal.o
        In file included from ../include/linux/random.h:14,
                          from ../arch/arm/kernel/signal.c:8:
        ../arch/arm/include/asm/percpu.h: In function ‘__my_cpu_offset’:
        ../arch/arm/include/asm/percpu.h:29:34: error: ‘current_stack_pointer’ undeclared (first use in this function); did you mean ‘user_stack_pointer’?
            : "Q" (*(const unsigned long *)current_stack_pointer));
                                           ^~~~~~~~~~~~~~~~~~~~~
                                           user_stack_pointer
      
      Fixes: f227e3ec ("random32: update the net random state on interrupt and activity")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      473b095f
    • Willy Tarreau's avatar
      random32: update the net random state on interrupt and activity · 5aa78397
      Willy Tarreau authored
      commit f227e3ec upstream.
      
      This modifies the first 32 bits out of the 128 bits of a random CPU's
      net_rand_state on interrupt or CPU activity to complicate remote
      observations that could lead to guessing the network RNG's internal
      state.
      
      Note that depending on some network devices' interrupt rate moderation
      or binding, this re-seeding might happen on every packet or even almost
      never.
      
      In addition, with NOHZ some CPUs might not even get timer interrupts,
      leaving their local state rarely updated, while they are running
      networked processes making use of the random state.  For this reason, we
      also perform this update in update_process_times() in order to at least
      update the state when there is user or system activity, since it's the
      only case we care about.
      Reported-by: default avatarAmit Klein <aksecurity@gmail.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5aa78397
    • Thomas Gleixner's avatar
      x86/i8259: Use printk_deferred() to prevent deadlock · dfd6b6e8
      Thomas Gleixner authored
      commit bdd65589 upstream.
      
      0day reported a possible circular locking dependency:
      
      Chain exists of:
        &irq_desc_lock_class --> console_owner --> &port_lock_key
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&port_lock_key);
                                     lock(console_owner);
                                     lock(&port_lock_key);
        lock(&irq_desc_lock_class);
      
      The reason for this is a printk() in the i8259 interrupt chip driver
      which is invoked with the irq descriptor lock held, which reverses the
      lock operations vs. printk() from arbitrary contexts.
      
      Switch the printk() to printk_deferred() to avoid that.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/87365abt2v.fsf@nanos.tec.linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dfd6b6e8
    • Wanpeng Li's avatar
      KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled · 575350ea
      Wanpeng Li authored
      commit d2286ba7 upstream.
      
      Prevent setting the tscdeadline timer if the lapic is hw disabled.
      
      Fixes: bce87cce (KVM: x86: consolidate different ways to test for in-kernel LAPIC)
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarWanpeng Li <wanpengli@tencent.com>
      Message-Id: <1596165141-28874-1-git-send-email-wanpengli@tencent.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      575350ea
    • Andrea Righi's avatar
      xen-netfront: fix potential deadlock in xennet_remove() · 6015a692
      Andrea Righi authored
      [ Upstream commit c2c63310 ]
      
      There's a potential race in xennet_remove(); this is what the driver is
      doing upon unregistering a network device:
      
        1. state = read bus state
        2. if state is not "Closed":
        3.    request to set state to "Closing"
        4.    wait for state to be set to "Closing"
        5.    request to set state to "Closed"
        6.    wait for state to be set to "Closed"
      
      If the state changes to "Closed" immediately after step 1 we are stuck
      forever in step 4, because the state will never go back from "Closed" to
      "Closing".
      
      Make sure to check also for state == "Closed" in step 4 to prevent the
      deadlock.
      
      Also add a 5 sec timeout any time we wait for the bus state to change,
      to avoid getting stuck forever in wait_event().
      Signed-off-by: default avatarAndrea Righi <andrea.righi@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6015a692
    • Raviteja Narayanam's avatar
      Revert "i2c: cadence: Fix the hold bit setting" · 0102ed8c
      Raviteja Narayanam authored
      [ Upstream commit 0db9254d ]
      
      This reverts commit d358def7.
      
      There are two issues with "i2c: cadence: Fix the hold bit setting" commit.
      
      1. In case of combined message request from user space, when the HOLD
      bit is cleared in cdns_i2c_mrecv function, a STOP condition is sent
      on the bus even before the last message is started. This is because when
      the HOLD bit is cleared, the FIFOS are empty and there is no pending
      transfer. The STOP condition should occur only after the last message
      is completed.
      
      2. The code added by the commit is redundant. Driver is handling the
      setting/clearing of HOLD bit in right way before the commit.
      
      The setting of HOLD bit based on 'bus_hold_flag' is taken care in
      cdns_i2c_master_xfer function even before cdns_i2c_msend/cdns_i2c_recv
      functions.
      
      The clearing of HOLD bit is taken care at the end of cdns_i2c_msend and
      cdns_i2c_recv functions based on bus_hold_flag and byte count.
      Since clearing of HOLD bit is done after the slave address is written to
      the register (writing to address register triggers the message transfer),
      it is ensured that STOP condition occurs at the right time after
      completion of the pending transfer (last message).
      Signed-off-by: default avatarRaviteja Narayanam <raviteja.narayanam@xilinx.com>
      Acked-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: default avatarWolfram Sang <wsa@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0102ed8c
    • Yoshihiro Shimoda's avatar
      net: ethernet: ravb: exit if re-initialization fails in tx timeout · 94791d92
      Yoshihiro Shimoda authored
      [ Upstream commit 015c5d5e ]
      
      According to the report of [1], this driver is possible to cause
      the following error in ravb_tx_timeout_work().
      
      ravb e6800000.ethernet ethernet: failed to switch device to config mode
      
      This error means that the hardware could not change the state
      from "Operation" to "Configuration" while some tx and/or rx queue
      are operating. After that, ravb_config() in ravb_dmac_init() will fail,
      and then any descriptors will be not allocaled anymore so that NULL
      pointer dereference happens after that on ravb_start_xmit().
      
      To fix the issue, the ravb_tx_timeout_work() should check
      the return values of ravb_stop_dma() and ravb_dmac_init().
      If ravb_stop_dma() fails, ravb_tx_timeout_work() re-enables TX and RX
      and just exits. If ravb_dmac_init() fails, just exits.
      
      [1]
      https://lore.kernel.org/linux-renesas-soc/20200518045452.2390-1-dirk.behme@de.bosch.com/Reported-by: default avatarDirk Behme <dirk.behme@de.bosch.com>
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Reviewed-by: default avatarSergei Shtylyov <sergei.shtylyov@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      94791d92
    • Liam Beguin's avatar
      parisc: add support for cmpxchg on u8 pointers · 78c4268b
      Liam Beguin authored
      [ Upstream commit b344d6a8 ]
      
      The kernel test bot reported[1] that using set_mask_bits on a u8 causes
      the following issue on parisc:
      
      	hppa-linux-ld: drivers/phy/ti/phy-tusb1210.o: in function `tusb1210_probe':
      	>> (.text+0x2f4): undefined reference to `__cmpxchg_called_with_bad_pointer'
      	>> hppa-linux-ld: (.text+0x324): undefined reference to `__cmpxchg_called_with_bad_pointer'
      	hppa-linux-ld: (.text+0x354): undefined reference to `__cmpxchg_called_with_bad_pointer'
      
      Add support for cmpxchg on u8 pointers.
      
      [1] https://lore.kernel.org/patchwork/patch/1272617/#1468946Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarLiam Beguin <liambeguin@gmail.com>
      Tested-by: default avatarDave Anglin <dave.anglin@bell.net>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      78c4268b
    • Navid Emamdoost's avatar
      nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame · 8be68d5c
      Navid Emamdoost authored
      [ Upstream commit 1e8fd3a9 ]
      
      The implementation of s3fwrn5_recv_frame() is supposed to consume skb on
      all execution paths. Release skb before returning -ENODEV.
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8be68d5c
    • Laurence Oberman's avatar
      qed: Disable "MFW indication via attention" SPAM every 5 minutes · 357f6ddc
      Laurence Oberman authored
      [ Upstream commit 1d61e218 ]
      
      This is likely firmware causing this but its starting to annoy customers.
      Change the message level to verbose to prevent the spam.
      Note that this seems to only show up with ISCSI enabled on the HBA via the
      qedi driver.
      Signed-off-by: default avatarLaurence Oberman <loberman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      357f6ddc
    • Geert Uytterhoeven's avatar
      usb: hso: Fix debug compile warning on sparc32 · d9af6f8f
      Geert Uytterhoeven authored
      [ Upstream commit e0484010 ]
      
      On sparc32, tcflag_t is "unsigned long", unlike on all other
      architectures, where it is "unsigned int":
      
          drivers/net/usb/hso.c: In function ‘hso_serial_set_termios’:
          include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 4 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=]
          drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’
             hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n",
             ^~~~~~~
          include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 5 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=]
          drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’
             hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n",
             ^~~~~~~
      
      As "unsigned long" is 32-bit on sparc32, fix this by casting all tcflag_t
      parameters to "unsigned int".
      While at it, use "%u" to format unsigned numbers.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d9af6f8f
    • Robin Murphy's avatar
      arm64: csum: Fix handling of bad packets · 55402e17
      Robin Murphy authored
      [ Upstream commit 05fb3dbd ]
      
      Although iph is expected to point to at least 20 bytes of valid memory,
      ihl may be bogus, for example on reception of a corrupt packet. If it
      happens to be less than 5, we really don't want to run away and
      dereference 16GB worth of memory until it wraps back to exactly zero...
      
      Fixes: 0e455d8e ("arm64: Implement optimised IP checksum helpers")
      Reported-by: default avatarguodeqing <geffrey.guo@huawei.com>
      Signed-off-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      55402e17
    • Remi Pommarel's avatar
      mac80211: mesh: Free pending skb when destroying a mpath · 04c5d1c5
      Remi Pommarel authored
      [ Upstream commit 5e43540c ]
      
      A mpath object can hold reference on a list of skb that are waiting for
      mpath resolution to be sent. When destroying a mpath this skb list
      should be cleaned up in order to not leak memory.
      
      Fixing that kind of leak:
      
      unreferenced object 0xffff0000181c9300 (size 1088):
        comm "openvpn", pid 1782, jiffies 4295071698 (age 80.416s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 f9 80 36 00 00 00 00 00  ..........6.....
          02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
        backtrace:
          [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
          [<000000002caaef13>] sk_prot_alloc.isra.39+0x34/0x178
          [<00000000ceeaa916>] sk_alloc+0x34/0x228
          [<00000000ca1f1d04>] inet_create+0x198/0x518
          [<0000000035626b1c>] __sock_create+0x134/0x328
          [<00000000a12b3a87>] __sys_socket+0xb0/0x158
          [<00000000ff859f23>] __arm64_sys_socket+0x40/0x58
          [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
          [<0000000005b5157d>] el0_svc+0x8/0xc
      unreferenced object 0xffff000012973a40 (size 216):
        comm "openvpn", pid 1782, jiffies 4295082137 (age 38.660s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 c0 06 16 00 00 ff ff 00 93 1c 18 00 00 ff ff  ................
        backtrace:
          [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
          [<0000000023c8c8f9>] __alloc_skb+0xc0/0x2b8
          [<000000007ad950bb>] alloc_skb_with_frags+0x60/0x320
          [<00000000ef90023a>] sock_alloc_send_pskb+0x388/0x3c0
          [<00000000104fb1a3>] sock_alloc_send_skb+0x1c/0x28
          [<000000006919d2dd>] __ip_append_data+0xba4/0x11f0
          [<0000000083477587>] ip_make_skb+0x14c/0x1a8
          [<0000000024f3d592>] udp_sendmsg+0xaf0/0xcf0
          [<000000005aabe255>] inet_sendmsg+0x5c/0x80
          [<000000008651ea08>] __sys_sendto+0x15c/0x218
          [<000000003505c99b>] __arm64_sys_sendto+0x74/0x90
          [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
          [<0000000005b5157d>] el0_svc+0x8/0xc
      
      Fixes: 2bdaf386 (mac80211: mesh: move path tables into if_mesh)
      Signed-off-by: default avatarRemi Pommarel <repk@triplefau.lt>
      Link: https://lore.kernel.org/r/20200704135419.27703-1-repk@triplefau.ltSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      04c5d1c5
    • Remi Pommarel's avatar
      mac80211: mesh: Free ie data when leaving mesh · 3212d624
      Remi Pommarel authored
      [ Upstream commit 6a01afcf ]
      
      At ieee80211_join_mesh() some ie data could have been allocated (see
      copy_mesh_setup()) and need to be cleaned up when leaving the mesh.
      
      This fixes the following kmemleak report:
      
      unreferenced object 0xffff0000116bc600 (size 128):
        comm "wpa_supplicant", pid 608, jiffies 4294898983 (age 293.484s)
        hex dump (first 32 bytes):
          30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00  0...............
          00 0f ac 08 00 00 00 00 c4 65 40 00 00 00 00 00  .........e@.....
        backtrace:
          [<00000000bebe439d>] __kmalloc_track_caller+0x1c0/0x330
          [<00000000a349dbe1>] kmemdup+0x28/0x50
          [<0000000075d69baa>] ieee80211_join_mesh+0x6c/0x3b8 [mac80211]
          [<00000000683bb98b>] __cfg80211_join_mesh+0x1e8/0x4f0 [cfg80211]
          [<0000000072cb507f>] nl80211_join_mesh+0x520/0x6b8 [cfg80211]
          [<0000000077e9bcf9>] genl_family_rcv_msg+0x374/0x680
          [<00000000b1bd936d>] genl_rcv_msg+0x78/0x108
          [<0000000022c53788>] netlink_rcv_skb+0xb0/0x1c0
          [<0000000011af8ec9>] genl_rcv+0x34/0x48
          [<0000000069e41f53>] netlink_unicast+0x268/0x2e8
          [<00000000a7517316>] netlink_sendmsg+0x320/0x4c0
          [<0000000069cba205>] ____sys_sendmsg+0x354/0x3a0
          [<00000000e06bab0f>] ___sys_sendmsg+0xd8/0x120
          [<0000000037340728>] __sys_sendmsg+0xa4/0xf8
          [<000000004fed9776>] __arm64_sys_sendmsg+0x44/0x58
          [<000000001c1e5647>] el0_svc_handler+0xd0/0x1a0
      
      Fixes: c80d545d (mac80211: Let userspace enable and configure vendor specific path selection.)
      Signed-off-by: default avatarRemi Pommarel <repk@triplefau.lt>
      Link: https://lore.kernel.org/r/20200704135007.27292-1-repk@triplefau.ltSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3212d624
    • Thomas Falcon's avatar
      ibmvnic: Fix IRQ mapping disposal in error path · 7be8343a
      Thomas Falcon authored
      [ Upstream commit 27a2145d ]
      
      RX queue IRQ mappings are disposed in both the TX IRQ and RX IRQ
      error paths. Fix this and dispose of TX IRQ mappings correctly in
      case of an error.
      
      Fixes: ea22d51a ("ibmvnic: simplify and improve driver probe function")
      Signed-off-by: default avatarThomas Falcon <tlfalcon@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7be8343a
    • Ido Schimmel's avatar
      mlxsw: core: Free EMAD transactions using kfree_rcu() · 38823915
      Ido Schimmel authored
      [ Upstream commit 3c8ce24b ]
      
      The lifetime of EMAD transactions (i.e., 'struct mlxsw_reg_trans') is
      managed using RCU. They are freed using kfree_rcu() once the transaction
      ends.
      
      However, in case the transaction failed it is freed immediately after being
      removed from the active transactions list. This is problematic because it is
      still possible for a different CPU to dereference the transaction from an RCU
      read-side critical section while traversing the active transaction list in
      mlxsw_emad_rx_listener_func(). In which case, a use-after-free is triggered
      [1].
      
      Fix this by freeing the transaction after a grace period by calling
      kfree_rcu().
      
      [1]
      BUG: KASAN: use-after-free in mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671
      Read of size 8 at addr ffff88800b7964e8 by task syz-executor.2/2881
      
      CPU: 0 PID: 2881 Comm: syz-executor.2 Not tainted 5.8.0-rc4+ #44
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xf6/0x16e lib/dump_stack.c:118
       print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
       __kasan_report mm/kasan/report.c:513 [inline]
       kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
       mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671
       mlxsw_core_skb_receive+0x571/0x700 drivers/net/ethernet/mellanox/mlxsw/core.c:2061
       mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline]
       mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651
       tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550
       __do_softirq+0x223/0x964 kernel/softirq.c:292
       asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711
       </IRQ>
       __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
       run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
       do_softirq_own_stack+0x109/0x140 arch/x86/kernel/irq_64.c:77
       invoke_softirq kernel/softirq.c:387 [inline]
       __irq_exit_rcu kernel/softirq.c:417 [inline]
       irq_exit_rcu+0x16f/0x1a0 kernel/softirq.c:429
       sysvec_apic_timer_interrupt+0x4e/0xd0 arch/x86/kernel/apic/apic.c:1091
       asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:587
      RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
      RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
      RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
      Code: e8 2a c3 f4 fc 48 89 ef e8 12 96 f5 fc f6 c7 02 75 11 53 9d e8 d6 db 11 fd 65 ff 0d 1f 21 b3 56 5b 5d c3 e8 a7 d7 11 fd 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 05 21 b3 56 ff 74 24 08 48 8d
      RSP: 0018:ffff8880446ffd80 EFLAGS: 00000286
      RAX: 0000000000000006 RBX: 0000000000000286 RCX: 0000000000000006
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffa94ecea9
      RBP: ffff888012934408 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000001 R11: fffffbfff57be301 R12: 1ffff110088dffc1
      R13: ffff888037b817c0 R14: ffff88802442415a R15: ffff888024424000
       __do_sys_perf_event_open+0x1b5d/0x2bd0 kernel/events/core.c:11874
       do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x473dbd
      Code: Bad RIP value.
      RSP: 002b:00007f21e5e9cc28 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
      RAX: ffffffffffffffda RBX: 000000000057bf00 RCX: 0000000000473dbd
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000040
      RBP: 000000000057bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000003 R11: 0000000000000246 R12: 000000000057bf0c
      R13: 00007ffd0493503f R14: 00000000004d0f46 R15: 00007f21e5e9cd80
      
      Allocated by task 871:
       save_stack+0x1b/0x40 mm/kasan/common.c:48
       set_track mm/kasan/common.c:56 [inline]
       __kasan_kmalloc mm/kasan/common.c:494 [inline]
       __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467
       kmalloc include/linux/slab.h:555 [inline]
       kzalloc include/linux/slab.h:669 [inline]
       mlxsw_core_reg_access_emad+0x70/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1812
       mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991
       mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130
       update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173
       process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
       worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
       kthread+0x355/0x470 kernel/kthread.c:291
       ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293
      
      Freed by task 871:
       save_stack+0x1b/0x40 mm/kasan/common.c:48
       set_track mm/kasan/common.c:56 [inline]
       kasan_set_free_info mm/kasan/common.c:316 [inline]
       __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455
       slab_free_hook mm/slub.c:1474 [inline]
       slab_free_freelist_hook mm/slub.c:1507 [inline]
       slab_free mm/slub.c:3072 [inline]
       kfree+0xe6/0x320 mm/slub.c:4052
       mlxsw_core_reg_access_emad+0xd45/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1819
       mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991
       mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130
       update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173
       process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
       worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
       kthread+0x355/0x470 kernel/kthread.c:291
       ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293
      
      The buggy address belongs to the object at ffff88800b796400
       which belongs to the cache kmalloc-512 of size 512
      The buggy address is located 232 bytes inside of
       512-byte region [ffff88800b796400, ffff88800b796600)
      The buggy address belongs to the page:
      page:ffffea00002de500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00002de500 order:2 compound_mapcount:0 compound_pincount:0
      flags: 0x100000000010200(slab|head)
      raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c402500
      raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88800b796380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff88800b796400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff88800b796480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
       ffff88800b796500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff88800b796580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: caf7297e ("mlxsw: core: Introduce support for asynchronous EMAD register access")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      38823915
    • Ido Schimmel's avatar
      mlxsw: core: Increase scope of RCU read-side critical section · 26ac4d0d
      Ido Schimmel authored
      [ Upstream commit 7d8e8f34 ]
      
      The lifetime of the Rx listener item ('rxl_item') is managed using RCU,
      but is dereferenced outside of RCU read-side critical section, which can
      lead to a use-after-free.
      
      Fix this by increasing the scope of the RCU read-side critical section.
      
      Fixes: 93c1edb2 ("mlxsw: Introduce Mellanox switch driver core")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      26ac4d0d
    • Jakub Kicinski's avatar
      mlx4: disable device on shutdown · 7a23750f
      Jakub Kicinski authored
      [ Upstream commit 3cab8c65 ]
      
      It appears that not disabling a PCI device on .shutdown may lead to
      a Hardware Error with particular (perhaps buggy) BIOS versions:
      
          mlx4_en: eth0: Close port called
          mlx4_en 0000:04:00.0: removed PHC
          reboot: Restarting system
          {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
          {1}[Hardware Error]: event severity: fatal
          {1}[Hardware Error]:  Error 0, type: fatal
          {1}[Hardware Error]:   section_type: PCIe error
          {1}[Hardware Error]:   port_type: 4, root port
          {1}[Hardware Error]:   version: 1.16
          {1}[Hardware Error]:   command: 0x4010, status: 0x0143
          {1}[Hardware Error]:   device_id: 0000:00:02.2
          {1}[Hardware Error]:   slot: 0
          {1}[Hardware Error]:   secondary_bus: 0x04
          {1}[Hardware Error]:   vendor_id: 0x8086, device_id: 0x2f06
          {1}[Hardware Error]:   class_code: 000604
          {1}[Hardware Error]:   bridge: secondary_status: 0x2000, control: 0x0003
          {1}[Hardware Error]:   aer_uncor_status: 0x00100000, aer_uncor_mask: 0x00000000
          {1}[Hardware Error]:   aer_uncor_severity: 0x00062030
          {1}[Hardware Error]:   TLP Header: 40000018 040000ff 791f4080 00000000
      [hw error repeats]
          Kernel panic - not syncing: Fatal hardware error!
          CPU: 0 PID: 2189 Comm: reboot Kdump: loaded Not tainted 5.6.x-blabla #1
          Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 05/05/2017
      
      Fix the mlx4 driver.
      
      This is a very similar problem to what had been fixed in:
      commit 0d98ba8d ("scsi: hpsa: disable device during shutdown")
      to address https://bugzilla.kernel.org/show_bug.cgi?id=199779.
      
      Fixes: 2ba5fbd6 ("net/mlx4_core: Handle AER flow properly")
      Reported-by: default avatarJake Lawrence <lawja@fb.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7a23750f
    • Johan Hovold's avatar
      net: lan78xx: fix transfer-buffer memory leak · 1c7c7eb7
      Johan Hovold authored
      [ Upstream commit 63634aa6 ]
      
      The interrupt URB transfer-buffer was never freed on disconnect or after
      probe errors.
      
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
      Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1c7c7eb7
    • Johan Hovold's avatar
      net: lan78xx: add missing endpoint sanity check · 0e87ce58
      Johan Hovold authored
      [ Upstream commit 8d8e95fd ]
      
      Add the missing endpoint sanity check to prevent a NULL-pointer
      dereference should a malicious device lack the expected endpoints.
      
      Note that the driver has a broken endpoint-lookup helper,
      lan78xx_get_endpoints(), which can end up accepting interfaces in an
      altsetting without endpoints as long as *some* altsetting has a bulk-in
      and a bulk-out endpoint.
      
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
      Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0e87ce58
    • Michael Karcher's avatar
      sh: Fix validation of system call number · 795a4314
      Michael Karcher authored
      [ Upstream commit 04a8a3d0 ]
      
      The slow path for traced system call entries accessed a wrong memory
      location to get the number of the maximum allowed system call number.
      Renumber the numbered "local" label for the correct location to avoid
      collisions with actual local labels.
      Signed-off-by: default avatarMichael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
      Tested-by: default avatarJohn Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
      Fixes: f3a83088 ("sh: Add a few missing irqflags tracing markers.")
      Signed-off-by: default avatarRich Felker <dalias@libc.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      795a4314
    • YueHaibing's avatar
      net/x25: Fix null-ptr-deref in x25_disconnect · 10ceab64
      YueHaibing authored
      commit 8999dc89 upstream.
      
      We should check null before do x25_neigh_put in x25_disconnect,
      otherwise may cause null-ptr-deref like this:
      
       #include <sys/socket.h>
       #include <linux/x25.h>
      
       int main() {
          int sck_x25;
          sck_x25 = socket(AF_X25, SOCK_SEQPACKET, 0);
          close(sck_x25);
          return 0;
       }
      
      BUG: kernel NULL pointer dereference, address: 00000000000000d8
      CPU: 0 PID: 4817 Comm: t2 Not tainted 5.7.0-rc3+ #159
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-
      RIP: 0010:x25_disconnect+0x91/0xe0
      Call Trace:
       x25_release+0x18a/0x1b0
       __sock_release+0x3d/0xc0
       sock_close+0x13/0x20
       __fput+0x107/0x270
       ____fput+0x9/0x10
       task_work_run+0x6d/0xb0
       exit_to_usermode_loop+0x102/0x110
       do_syscall_64+0x23c/0x260
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Reported-by: syzbot+6db548b615e5aeefdce2@syzkaller.appspotmail.com
      Fixes: 4becb7ee ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      10ceab64
    • Xiyu Yang's avatar
      net/x25: Fix x25_neigh refcnt leak when x25 disconnect · 08560e93
      Xiyu Yang authored
      commit 4becb7ee upstream.
      
      x25_connect() invokes x25_get_neigh(), which returns a reference of the
      specified x25_neigh object to "x25->neighbour" with increased refcnt.
      
      When x25 connect success and returns, the reference still be hold by
      "x25->neighbour", so the refcount should be decreased in
      x25_disconnect() to keep refcount balanced.
      
      The reference counting issue happens in x25_disconnect(), which forgets
      to decrease the refcnt increased by x25_get_neigh() in x25_connect(),
      causing a refcnt leak.
      
      Fix this issue by calling x25_neigh_put() before x25_disconnect()
      returns.
      Signed-off-by: default avatarXiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: default avatarXin Tan <tanxin.ctf@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08560e93
    • Rolf Eike Beer's avatar
      install several missing uapi headers · d472b7e2
      Rolf Eike Beer authored
      Commit fcc8487d ("uapi: export all headers
      under uapi directories") changed the default to install all headers not marked
      to be conditional. This takes the list of headers listed in the commit message
      and manually adds an export for those that are already present in this kernel
      version.
      
      Found during an attempt to build mtd-utils 2.1.2 as it wants hash_info.h, which
      exists since 3.13 but has not been installed until the above mentioned commit,
      which ended up in 4.12.
      Signed-off-by: default avatarRolf Eike Beer <eb@emlix.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d472b7e2
    • Nicolas Dichtel's avatar
      uapi: includes linux/types.h before exporting files · 5a41bdbb
      Nicolas Dichtel authored
      commit 9078b4ee upstream.
      
      Some files will be exported after a following patch. 0-day tests report the
      following warning/error:
      ./usr/include/linux/bcache.h:8: include of <linux/types.h> is preferred over <asm/types.h>
      ./usr/include/linux/bcache.h:11: found __[us]{8,16,32,64} type without #include <linux/types.h>
      ./usr/include/linux/qrtr.h:8: found __[us]{8,16,32,64} type without #include <linux/types.h>
      ./usr/include/linux/cryptouser.h:39: found __[us]{8,16,32,64} type without #include <linux/types.h>
      ./usr/include/linux/pr.h:14: found __[us]{8,16,32,64} type without #include <linux/types.h>
      ./usr/include/linux/btrfs_tree.h:337: found __[us]{8,16,32,64} type without #include <linux/types.h>
      ./usr/include/rdma/bnxt_re-abi.h:45: found __[us]{8,16,32,64} type without #include <linux/types.h>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      reb: left out include/uapi/rdma/bnxt_re-abi.h as it's not in this kernel version
      Signed-off-by: default avatarRolf Eike Beer <eb@emlix.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a41bdbb
    • Rik van Riel's avatar
      xfs: fix missed wakeup on l_flush_wait · b1835045
      Rik van Riel authored
      commit cdea5459 upstream.
      
      The code in xlog_wait uses the spinlock to make adding the task to
      the wait queue, and setting the task state to UNINTERRUPTIBLE atomic
      with respect to the waker.
      
      Doing the wakeup after releasing the spinlock opens up the following
      race condition:
      
      Task 1					task 2
      add task to wait queue
      					wake up task
      set task state to UNINTERRUPTIBLE
      
      This issue was found through code inspection as a result of kworkers
      being observed stuck in UNINTERRUPTIBLE state with an empty
      wait queue. It is rare and largely unreproducable.
      
      Simply moving the spin_unlock to after the wake_up_all results
      in the waker not being able to see a task on the waitqueue before
      it has set its state to UNINTERRUPTIBLE.
      
      This bug dates back to the conversion of this code to generic
      waitqueue infrastructure from a counting semaphore back in 2008
      which didn't place the wakeups consistently w.r.t. to the relevant
      spin locks.
      
      [dchinner: Also fix a similar issue in the shutdown path on
      xc_commit_wait. Update commit log with more details of the issue.]
      
      Fixes: d748c623 ("[XFS] Convert l_flushsema to a sv_t")
      Reported-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarRik van Riel <riel@surriel.com>
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Cc: stable@vger.kernel.org # 4.9.x-4.19.x
      [modified for contextual change near xlog_state_do_callback()]
      Signed-off-by: default avatarSamuel Mendoza-Jonas <samjonas@amazon.com>
      Reviewed-by: default avatarFrank van der Linden <fllinden@amazon.com>
      Reviewed-by: default avatarSuraj Jitindar Singh <surajjs@amazon.com>
      Reviewed-by: default avatarBenjamin Herrenschmidt <benh@amazon.com>
      Reviewed-by: default avatarAnchal Agarwal <anchalag@amazon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b1835045
    • Peilin Ye's avatar
      rds: Prevent kernel-infoleak in rds_notify_queue_get() · 2b9c45b6
      Peilin Ye authored
      commit bbc8a99e upstream.
      
      rds_notify_queue_get() is potentially copying uninitialized kernel stack
      memory to userspace since the compiler may leave a 4-byte hole at the end
      of `cmsg`.
      
      In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which
      unfortunately does not always initialize that 4-byte hole. Fix it by using
      memset() instead.
      
      Cc: stable@vger.kernel.org
      Fixes: f037590f ("rds: fix a leak of kernel memory")
      Fixes: bdbe6fbc ("RDS: recv.c")
      Suggested-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarPeilin Ye <yepeilin.cs@gmail.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b9c45b6
    • Tetsuo Handa's avatar
      fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins. · 1231b93e
      Tetsuo Handa authored
      [ Upstream commit 033724d6 ]
      
      syzbot is reporting general protection fault in bitfill_aligned() [1]
      caused by integer underflow in bit_clear_margins(). The cause of this
      problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.
      
      If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
      is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
      bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
      info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
      try to overrun the __iomem region and causes general protection fault.
      
      Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to
      
        new_cols = (cols ? cols : vc->vc_cols);
        new_rows = (lines ? lines : vc->vc_rows);
      
      exception. Since cols and lines are calculated as
      
        cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
        rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
        cols /= vc->vc_font.width;
        rows /= vc->vc_font.height;
        vc_resize(vc, cols, rows);
      
      in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
      and var.yres < vc->vc_font.height makes rows = 0. This means that
      
        const int fd = open("/dev/fb0", O_ACCMODE);
        struct fb_var_screeninfo var = { };
        ioctl(fd, FBIOGET_VSCREENINFO, &var);
        var.xres = var.yres = 1;
        ioctl(fd, FBIOPUT_VSCREENINFO, &var);
      
      easily reproduces integer underflow bug explained above.
      
      Of course, callers of vc_resize() are not handling vc_do_resize() failure
      is bad. But we can't avoid vc_resize(vc, 0, 0) which returns 0. Therefore,
      as a band-aid workaround, this patch checks integer underflow in
      "struct fbcon_ops"->clear_margins call, assuming that
      vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.heigh do not
      cause integer overflow.
      
      [1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6Reported-and-tested-by: default avatarsyzbot <syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Acked-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jpSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1231b93e
    • Joerg Roedel's avatar
      x86, vmlinux.lds: Page-align end of ..page_aligned sections · ce93e016
      Joerg Roedel authored
      [ Upstream commit de2b41be ]
      
      On x86-32 the idt_table with 256 entries needs only 2048 bytes. It is
      page-aligned, but the end of the .bss..page_aligned section is not
      guaranteed to be page-aligned.
      
      As a result, objects from other .bss sections may end up on the same 4k
      page as the idt_table, and will accidentially get mapped read-only during
      boot, causing unexpected page-faults when the kernel writes to them.
      
      This could be worked around by making the objects in the page aligned
      sections page sized, but that's wrong.
      
      Explicit sections which store only page aligned objects have an implicit
      guarantee that the object is alone in the page in which it is placed. That
      works for all objects except the last one. That's inconsistent.
      
      Enforcing page sized objects for these sections would wreckage memory
      sanitizers, because the object becomes artificially larger than it should
      be and out of bound access becomes legit.
      
      Align the end of the .bss..page_aligned and .data..page_aligned section on
      page-size so all objects places in these sections are guaranteed to have
      their own page.
      
      [ tglx: Amended changelog ]
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20200721093448.10417-1-joro@8bytes.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      ce93e016
    • Sami Tolvanen's avatar
      x86/build/lto: Fix truncated .bss with -fdata-sections · 70061298
      Sami Tolvanen authored
      [ Upstream commit 6a03469a ]
      
      With CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y, we compile the kernel with
      -fdata-sections, which also splits the .bss section.
      
      The new section, with a new .bss.* name, which pattern gets missed by the
      main x86 linker script which only expects the '.bss' name. This results
      in the discarding of the second part and a too small, truncated .bss
      section and an unhappy, non-working kernel.
      
      Use the common BSS_MAIN macro in the linker script to properly capture
      and merge all the generated BSS sections.
      Signed-off-by: default avatarSami Tolvanen <samitolvanen@google.com>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20190415164956.124067-1-samitolvanen@google.com
      [ Extended the changelog. ]
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      70061298
    • Wang Hai's avatar
      9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work · 294711f9
      Wang Hai authored
      [ Upstream commit 74d6a5d5 ]
      
      p9_read_work and p9_fd_cancelled may be called concurrently.
      In some cases, req->req_list may be deleted by both p9_read_work
      and p9_fd_cancelled.
      
      We can fix it by ignoring replies associated with a cancelled
      request and ignoring cancelled request if message has been received
      before lock.
      
      Link: http://lkml.kernel.org/r/20200612090833.36149-1-wanghai38@huawei.com
      Fixes: 60ff779c ("9p: client: remove unused code and any reference to "cancelled" function")
      Cc: <stable@vger.kernel.org> # v3.12+
      Reported-by: syzbot+77a25acfa0382e06ab23@syzkaller.appspotmail.com
      Signed-off-by: default avatarWang Hai <wanghai38@huawei.com>
      Signed-off-by: default avatarDominique Martinet <asmadeus@codewreck.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      294711f9
    • Dominique Martinet's avatar
      9p/trans_fd: abort p9_read_work if req status changed · e73153ef
      Dominique Martinet authored
      [ Upstream commit e4ca13f7 ]
      
      p9_read_work would try to handle an errored req even if it got put to
      error state by another thread between the lookup (that worked) and the
      time it had been fully read.
      The request itself is safe to use because we hold a ref to it from the
      lookup (for m->rreq, so it was safe to read into the request data buffer
      until this point), but the req_list has been deleted at the same time
      status changed, and client_cb already has been called as well, so we
      should not do either.
      
      Link: http://lkml.kernel.org/r/1539057956-23741-1-git-send-email-asmadeus@codewreck.orgSigned-off-by: default avatarDominique Martinet <dominique.martinet@cea.fr>
      Reported-by: syzbot+2222c34dc40b515f30dc@syzkaller.appspotmail.com
      Cc: Eric Van Hensbergen <ericvh@gmail.com>
      Cc: Latchesar Ionkov <lucho@ionkov.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e73153ef