1. 14 Aug, 2018 40 commits
    • Julian Anastasov's avatar
      ipvs: fix buffer overflow with sync daemon and service · c109858a
      Julian Anastasov authored
      BugLink: https://bugs.launchpad.net/bugs/1784382
      
      [ Upstream commit 52f96757 ]
      
      syzkaller reports for buffer overflow for interface name
      when starting sync daemons [1]
      
      What we do is that we copy user structure into larger stack
      buffer but later we search NUL past the stack buffer.
      The same happens for sched_name when adding/editing virtual server.
      
      We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
      being used as size in include/uapi/linux/ip_vs.h, so they
      include the space for NUL.
      
      As using strlcpy is wrong for unsafe source, replace it with
      strscpy and add checks to return EINVAL if source string is not
      NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
      
      For the netlink interface reduce the len parameter for
      IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
      so that we get proper EINVAL.
      
      [1]
      kernel BUG at lib/string.c:1052!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
          (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
      RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
      RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
      RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
      RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
      R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
      R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
      FS:  00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        strlen include/linux/string.h:270 [inline]
        strlcpy include/linux/string.h:293 [inline]
        do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
        nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
        nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
        ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
        udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
        ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
        tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
        sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
        __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
        __do_sys_setsockopt net/socket.c:1914 [inline]
        __se_sys_setsockopt net/socket.c:1911 [inline]
        __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
        do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x447369
      RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
      RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
      R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
      R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
      Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
      de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
      90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
      RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
      
      Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
      Fixes: e4ff6751 ("ipvs: add sync_maxlen parameter for the sync daemon")
      Fixes: 4da62fc7 ("[IPVS]: Fix for overflows")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Acked-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      c109858a
    • Paolo Abeni's avatar
      netfilter: ebtables: handle string from userspace with care · f8fc846f
      Paolo Abeni authored
      BugLink: https://bugs.launchpad.net/bugs/1784382
      
      [ Upstream commit 94c752f9 ]
      
      strlcpy() can't be safely used on a user-space provided string,
      as it can try to read beyond the buffer's end, if the latter is
      not NULL terminated.
      
      Leveraging the above, syzbot has been able to trigger the following
      splat:
      
      BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
      [inline]
      BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
      net/bridge/netfilter/ebtables.c:1957 [inline]
      BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
      net/bridge/netfilter/ebtables.c:2059 [inline]
      BUG: KASAN: stack-out-of-bounds in size_entry_mwt
      net/bridge/netfilter/ebtables.c:2155 [inline]
      BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
      net/bridge/netfilter/ebtables.c:2194
      Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
      
      CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x1b9/0x294 lib/dump_stack.c:113
        print_address_description+0x6c/0x20b mm/kasan/report.c:256
        kasan_report_error mm/kasan/report.c:354 [inline]
        kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
        check_memory_region_inline mm/kasan/kasan.c:260 [inline]
        check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
        memcpy+0x37/0x50 mm/kasan/kasan.c:303
        strlcpy include/linux/string.h:300 [inline]
        compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
        ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
        size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
        compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
        compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
        compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
        compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
        compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
        compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
        inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
        compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
        compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
        __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
        __do_compat_sys_setsockopt net/compat.c:416 [inline]
        __se_compat_sys_setsockopt net/compat.c:413 [inline]
        __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
        do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
        do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
        entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7fb3cb9
      RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
      RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      The buggy address belongs to the page:
      page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x2fffc0000000000()
      raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Fix the issue replacing the unsafe function with strscpy() and
      taking care of possible errors.
      
      Fixes: 81e675c2 ("netfilter: ebtables: add CONFIG_COMPAT support")
      Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      f8fc846f
    • Eric Dumazet's avatar
      xfrm6: avoid potential infinite loop in _decode_session6() · 7d74f1f2
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1784382
      
      [ Upstream commit d9f92772 ]
      
      syzbot found a way to trigger an infinitie loop by overflowing
      @offset variable that has been forced to use u16 for some very
      obscure reason in the past.
      
      We probably want to look at NEXTHDR_FRAGMENT handling which looks
      wrong, in a separate patch.
      
      In net-next, we shall try to use skb_header_pointer() instead of
      pskb_may_pull().
      
      watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553]
      Modules linked in:
      irq event stamp: 13885653
      hardirqs last  enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
      hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
      softirqs last  enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline]
      softirqs last  enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825
      softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942
      CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
      RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101
      RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
      RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006
      RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277
      RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8
      R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f
      R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8
      FS:  0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150
       __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368
       xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
       icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372
       icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551
       icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
       ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
       dst_input include/net/dst.h:450 [inline]
       ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208
       __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
       __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
       netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
       napi_frags_finish net/core/dev.c:5226 [inline]
       napi_gro_frags+0x631/0xc40 net/core/dev.c:5299
       tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951
       tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996
       call_write_iter include/linux/fs.h:1784 [inline]
       do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680
       do_iter_write+0x185/0x5f0 fs/read_write.c:959
       vfs_writev+0x1c7/0x330 fs/read_write.c:1004
       do_writev+0x112/0x2f0 fs/read_write.c:1039
       __do_sys_writev fs/read_write.c:1112 [inline]
       __se_sys_writev fs/read_write.c:1109 [inline]
       __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      7d74f1f2
    • Alex Williamson's avatar
      vfio/pci: Hide broken INTx support from user · 317faecb
      Alex Williamson authored
      BugLink: http://bugs.launchpad.net/bugs/1779830
      
      INTx masking has two components, the first is that we need the ability
      to prevent the device from continuing to assert INTx.  This is
      provided via the DisINTx bit in the command register and is the only
      thing we can really probe for when testing if INTx masking is
      supported.  The second component is that the device needs to indicate
      if INTx is asserted via the interrupt status bit in the device status
      register.  With these two features we can generically determine if one
      of the devices we own is asserting INTx, signal the user, and mask the
      interrupt while the user services the device.
      
      Generally if one or both of these components is broken we resort to
      APIC level interrupt masking, which requires an exclusive interrupt
      since we have no way to determine the source of the interrupt in a
      shared configuration.  This often makes it difficult or impossible to
      configure the system for userspace use of the device, for an interrupt
      mode that the user may not need.
      
      One possible configuration of broken INTx masking is that the DisINTx
      support is fully functional, but the interrupt status bit never
      signals interrupt assertion.  In this case we do have the ability to
      prevent the device from asserting INTx, but lack the ability to
      identify the interrupt source.  For this case we can simply pretend
      that the device lacks INTx support entirely, keeping DisINTx set on
      the physical device, virtualizing this bit for the user, and
      virtualizing the interrupt pin register to indicate no INTx support.
      We already support virtualization of the DisINTx bit and already
      virtualize the interrupt pin for platforms without INTx support.  By
      tying these components together, setting DisINTx on open and reset,
      and identifying devices broken in this particular way, we can provide
      support for them w/o the handicap of APIC level INTx masking.
      
      Intel i40e (XL710/X710) 10/20/40GbE NICs have been identified as being
      broken in this specific way.  We leave the vfio-pci.nointxmask option
      as a mechanism to bypass this support, enabling INTx on the device
      with all the requirements of APIC level masking.
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Cc: John Ronciak <john.ronciak@intel.com>
      Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
      (cherry picked from commit 45074405)
      Signed-off-by: default avatarJoseph Salisbury <joseph.salisbury@canonical.com>
      Acked-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      Acked-by: default avatarKleber Souza <kleber.souza@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      317faecb
    • Colin Ian King's avatar
      UBUNTU: SAUCE: (noup) zfs to 0.6.5.6-0ubuntu25 · dfbc4d40
      Colin Ian King authored
      BugLink: http://bugs.launchpad.net/bugs/1781364
      
      This is a sync of zfs 0.6.5.6-0ubuntu25 that fixes a mount/umount deadlock
      for upstream ZFS commit ac09630d8b0b ("Fix zpl_mount() deadlock")
      
      ZFS commit 93b43af inadvertently introduced the following scenario which
      can result in a deadlock.  This issue was most easily reproduced by
      LXD containers using a ZFS storage backend but should be reproducible
      under any workload which is frequently mounting and unmounting.
      
      -- THREAD A --
      spa_sync()
        spa_sync_upgrades()
          rrw_enter(&dp->dp_config_rwlock, RW_WRITER, FTAG); <- Waiting on B
      
      -- THREAD B --
      mount_fs()
        zpl_mount()
          zpl_mount_impl()
            dmu_objset_hold()
              dmu_objset_hold_flags()
                dsl_pool_hold()
                  dsl_pool_config_enter()
                    rrw_enter(&dp->dp_config_rwlock, RW_READER, tag);
          sget()
            sget_userns()
              grab_super()
                down_write(&s->s_umount); <- Waiting on C
      
      -- THREAD C --
      cleanup_mnt()
        deactivate_super()
          down_write(&s->s_umount);
          deactivate_locked_super()
            zpl_kill_sb()
              kill_anon_super()
                generic_shutdown_super()
                  sync_filesystem()
                    zpl_sync_fs()
                      zfs_sync()
                        zil_commit()
                          txg_wait_synced() <- Waiting on A
      Signed-off-by: default avatarBrian Behlendorf <behlendorf1@llnl.gov>
      (backport from ZFS upstream commit ac09630d8b0bf6c92084a30fdaefd03fd0adbdc1)
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Acked-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      dfbc4d40
    • Colin Ian King's avatar
      UBUNTU: SAUCE: Allow mounting datasets more than once (LP: #1759848) · 01d0aa14
      Colin Ian King authored
      BugLink: https://bugs.launchpad.net/bugs/1759848
      
      Currently mounting an already mounted zfs dataset results in an
      error, whereas it is typically allowed with other filesystems.
      This causes some bad interactions with mount namespaces. Take
      this sequence for example:
      
       - Create a dataset
       - Create a snapshot of the dataset
       - Create a clone of the snapshot
       - Create a new mount namespace
       - Rename the original dataset
      
      The rename results in unmounting and remounting the clone in the
      original mount namespace, however the remount fails because the
      dataset is still mounted in the new mount namespace. (Note that
      this means the mount in the new mount namespace is never being
      unmounted, so perhaps the unmount/remount of the clone isn't
      actually necessary.)
      
      The problem here is a result of the way mounting is implemented
      in the kernel module. Since it is not mounting block devices it
      uses mount_nodev() instead of the usual mount_bdev(). However,
      mount_nodev() is written for filesystems for which each mount is
      a new instance (i.e. a new super block), and zfs should be able
      to detect when a mount request can be satisfied using an existing
      super block.
      
      Change zpl_mount() to call sget() directly with it's own test
      callback. Passing the objset_t object as the fs data allows
      checking if a superblock already exists for the dataset, and in
      that case we just need to return a new reference for the sb's
      root dentry.
      
      [ Sync'd from zfsutils-linux, from a patch by Seth Forshee and
        backported to zfs 0.6.5.6. Note that this also contains
        some zfstutils changes between 0.6.5.6-0ubuntu20 and
        0.6.5.6-0ubuntu24 which go also sync'd into this fix, which
        is expected part of the zfs sync'ing ]
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      01d0aa14
    • Shankara Pailoor's avatar
      jfs: Fix inconsistency between memory allocation and ea_buf->max_size · bb6f99c1
      Shankara Pailoor authored
      CVE-2018-12233
      
      The code is assuming the buffer is max_size length, but we weren't
      allocating enough space for it.
      Signed-off-by: default avatarShankara Pailoor <shankarapailoor@gmail.com>
      Signed-off-by: default avatarDave Kleikamp <dave.kleikamp@oracle.com>
      (cherry picked from commit 92d34134)
      Signed-off-by: default avatarPaolo Pisati <paolo.pisati@canonical.com>
      Acked-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      bb6f99c1
    • Siva Rebbagondla's avatar
      UBUNTU: SAUCE: Redpine: improve cancel_hw_scan handling to fix kernel panic · 858395eb
      Siva Rebbagondla authored
      BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1773410
      BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1777850
      
      Kernel panic is observed when network manager is stopped or Interface is
      is DOWN, while system is entering into hibernation. The root cause of the
      issue is scan work function keeps running even after cancel_hw_scan() call.
      Issue is resolved by calling cancel_work_sync().
      
      ...skipping...
      [ 1171.913244] BUG: unable to handle page request at 00000000001067e38
      [ 1171.913248] IP: cfg80211_scan_done+0xb0/0xc0 [cfg80211]
      [ 1171.913554] Hardware name: Dell Inc. Edge Gateway 3003/      , BIOS 01.00.06 01/22/2018
      [ 1171.913668] Workqueue: phy1 ieee80211_scan_work [mac80211]
      [ 1171.913773] RIP: 0010:cfg80211_scan_done+0xb0/0xc0 [cfg80211]
      [ 1171.913780] RSP: 0018:ffffc1fe41b47dc8 EFLAGS: 00010286
      [ 1171.913789] RAX: 0000000000000001 RBX: ffffffffc0e60120 RCX: 0000000100080006
      [ 1171.913794] RDX: ffff9eeab7e3bc58 RSI: ffff9eeab0c69080 RDI: ffff9eeab7e3bc00
      [ 1171.913799] RBP: ffff9eeab7e3bc00 R08: 00000000b7e3b201 R09: 0000000100080006
      [ 1171.913805] R10: ffffc1fe41b47d20 R11: 0000000000000000 R12: ffff9eeab0c69080
      [ 1171.913810] R13: 0000000000000022 R14: ffff9eeab0c68760 R15: ffff9eeab7af3c00
      [ 1171.913817] FS:  0000000000000000(0000) GS:ffff9eeab0000000(0000) knlGS:0000000000000000
      [ 1171.913823] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1171.913828] CR2: 00007f76c73ac190 CR3: 000000006e20a000 CR4: 00000000001006f0
      [ 1171.913833] Call Trace:
      [ 1171.913864]  ? rsi_mac80211_sta_remove+0x260/0x260 [rsi_91x]
      [ 1171.913971]  __ieee80211_scan_completed+0xb1/0x390 [mac80211]
      [ 1171.914078]  ieee80211_scan_work+0x7e/0x480 [mac80211]
      [ 1171.914098]  process_one_work+0x142/0x3d0
      [ 1171.914111]  worker_thread+0x229/0x440
      [ 1171.914122]  kthread+0xf5/0x130
      [ 1171.914132]  ? process_one_work+0x3d0/0x3d0
      [ 1171.914140]  ? kthread_associate_blkcg+0x90/0x90
      [ 1171.914152]  ret_from_fork+0x35/0x40
      Signed-off-by: default avatarSiva Rebbagondla <siva.rebbagondla@redpinesignals.com>
      Acked-by: default avatarAnthony Wong <anthony.wong@canonical.com>
      Acked-by: default avatarShrirang Bagul <shrirang.bagul@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      858395eb
    • Shrirang Bagul's avatar
      UBUNTU: SAUCE: (no-up) upgrade IXXAT USB SocketCAN driver · 190dd881
      Shrirang Bagul authored
      BugLink: http://bugs.launchpad.net/bugs/1783241
      
      The support for IXXAT USB SocketCAN devices was introduced in:
      cddf5820 UBUNTU: SAUCE: (no-up) Support IXXAT USB SocketCAN device
      
      This patch upgrades the driver with following changes:
      - support adapters for CL1 (Communication Layer for legacy devices) and
        CL2 (current devices)
      - removed CAN-IDM100 support (Microchip Rev A microcontroller)
      - add CAN-IDM101 support (Microchip Rev B microcontroller)
      - add Error-Passive recognition
      - move CAN message handling to the core module
      - use ktime API for timestamps
      - fixes Linux kernel coding style issues
      
      Changes from HMS/Dell's original driver dump "arev-2018-07-04":
      - driver name retained from "beta-2018-05-07" for debain packaging
        compatibility
        IXXAT_USB_DRIVER_NAME "ixxat_usb2can" ->"ixx_usb"
      - source files renamed to retain the old names SRU'ed for "beta-2018-05-07"
        renamed: ixxat_usb_cl1.c -> ixx_usb_cl1.c
        renamed: ixxat_usb_cl2.c -> ixx_usb_cl2.c
        renamed: ixxat_usb_core.c -> ixx_usb_core.c
        renamed: ixxat_usb_core.h -> ixx_usb_core.h
        deleted: ixx_usb_fd.c
        deleted: ixx_usb_v2.c
      Signed-off-by: default avatarShrirang Bagul <shrirang.bagul@canonical.com>
      Acked-by: default avatarAnthony Wong <anthony.wong@canonical.com>
      Acked-by: default avatarWen-chien Jesse Sung <jesse.sung@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      190dd881
    • Eric Sandeen's avatar
      xfs: don't call xfs_da_shrink_inode with NULL bp · 7525ab47
      Eric Sandeen authored
      CVE-2018-13094
      
      xfs_attr3_leaf_create may have errored out before instantiating a buffer,
      for example if the blkno is out of range.  In that case there is no work
      to do to remove it, and in fact xfs_da_shrink_inode will lead to an oops
      if we try.
      
      This also seems to fix a flaw where the original error from
      xfs_attr3_leaf_create gets overwritten in the cleanup case, and it
      removes a pointless assignment to bp which isn't used after this.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199969Reported-by: default avatarXu, Wen <wen.xu@gatech.edu>
      Tested-by: default avatarXu, Wen <wen.xu@gatech.edu>
      Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
      Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      (cherry picked from commit bb3d48dc)
      Signed-off-by: default avatarPo-Hsu Lin <po-hsu.lin@canonical.com>
      Acked-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarAaron Ma <aaron.ma@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      7525ab47
    • Linus Torvalds's avatar
      Fix up non-directory creation in SGID directories · d97ac6b8
      Linus Torvalds authored
      BugLink: https://launchpad.net/bugs/1779923
      CVE-2018-13405
      
      sgid directories have special semantics, making newly created files in
      the directory belong to the group of the directory, and newly created
      subdirectories will also become sgid.  This is historically used for
      group-shared directories.
      
      But group directories writable by non-group members should not imply
      that such non-group members can magically join the group, so make sure
      to clear the sgid bit on non-directories for non-members (but remember
      that sgid without group execute means "mandatory locking", just to
      confuse things even more).
      Reported-by: default avatarJann Horn <jannh@google.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      (cherry picked from commit 0fa3ecd8)
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Acked-by: default avatarPo-Hsu Lin <po-hsu.lin@canonical.com>
      Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      d97ac6b8
    • Paolo Pisati's avatar
      UBUNTU: snapcraft.yaml: copy retpoline-extract-one to scripts before build · c34ccc6d
      Paolo Pisati authored
      BugLink: http://bugs.launchpad.net/bugs/1782116
      
      The Ubuntu kernel source code depends on the presence of the
      retpoline-extract-one file in the script directory during build (see
      scripts/Makefile.build::cmd_ubuntu_retpoline) - such a file lives in the debian
      directory and is copied to scripts during the 'debian/rules clean' phase.
      
      Snapcraft is oblivious to the debian details, and the clean target is never
      invoked, breaking the normal kernel build (make defconfig; make ...).
      
      To workaround that, before starting the build, make snapcraft do the copy and
      fix the build.
      Signed-off-by: default avatarPaolo Pisati <paolo.pisati@canonical.com>
      Acked-by: default avatarKleber Souza <kleber.souza@canonical.com>
      Acked-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      c34ccc6d
    • Bert Kenward's avatar
    • Bert Kenward's avatar
      sfc: make TSO version a per-queue parameter · 4a76ed31
      Bert Kenward authored
      BugLink: https://bugs.launchpad.net/bugs/1783152
      
      The Solarflare 8000 series NIC will use a new TSO scheme. The current
      driver refuses to load if the current TSO scheme is not found. Remove
      that check and instead make the TSO version a per-queue parameter.
      Signed-off-by: default avatarBert Kenward <bkenward@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      (cherry picked from commit 93171b14)
      Signed-off-by: default avatarMauricio Faria de Oliveira <mauricio.oliveira@canonical.com>
      Acked-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      Acked-by: default avatarKleber Souza <kleber.souza@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      4a76ed31
    • Siva Rebbagondla's avatar
      UBUNTU: SAUCE: Redpine: improve kernel thread handling to fix kernel panic · 38d3d4d7
      Siva Rebbagondla authored
      BugLink: https://bugs.launchpad.net/bugs/1777858
      
      While running regressions, observed below kernel panic when sdio disconnect
      called. The root cause of this issue is, kthread_stop() is taking care of
      wait_for_completion() by default. Hence, removing wait_for_completion()
      from rsi_disconnect().
      
      ... skipping ...
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff810a63df>] exit_creds+0x1f/0x50
      PGD 0
      Oops: 0002 [#1] SMP
      CPU: 0 PID: 6502 Comm: rmmod Tainted: G           OE   4.4.0-128-generic #154-Ubuntu
      Hardware name: Dell Inc. Edge Gateway 3003/      , BIOS 01.00.00 04/17/2017
      Stack:
      ffff88007392e600 ffff880075847dc0 ffffffff8108160a 0000000000000000
      ffff88007392e600 ffff880075847de8 ffffffff810a484b ffff880076127000
      ffff88003cd3a800 ffff880074f12a00 ffff880075847e28 ffffffffc09bed15
      Call Trace:
      [<ffffffff8108160a>] __put_task_struct+0x5a/0x140
      [<ffffffff810a484b>] kthread_stop+0x10b/0x110
      [<ffffffffc09bed15>] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
      [<ffffffff81578bcb>] ? __pm_runtime_resume+0x5b/0x80
      [<ffffffff816f0918>] sdio_bus_remove+0x38/0x100
      [<ffffffff8156cc64>] __device_release_driver+0xa4/0x150
      [<ffffffff8156d7a5>] driver_detach+0xb5/0xc0
      [<ffffffff8156c6c5>] bus_remove_driver+0x55/0xd0
      [<ffffffff8156dfbc>] driver_unregister+0x2c/0x50
      [<ffffffff816f0b8a>] sdio_unregister_driver+0x1a/0x20
      [<ffffffffc09bf0f5>] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
      [<ffffffff8110cad8>] SyS_delete_module+0x1b8/0x210
      [<ffffffff81851dc8>] entry_SYSCALL_64_fastpath+0x1c/0xbb
      Signed-off-by: default avatarSiva Rebbagondla <siva.rebbagondla@redpinesignals.com>
      Acked-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      Acked-by: default avatarShrirang Bagul <shrirang.bagul@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      [klebers: fixed Buglink]
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      38d3d4d7
    • Greg Kroah-Hartman's avatar
    • Michael Ellerman's avatar
      crypto: vmx - Remove overly verbose printk from AES init routines · e7baced3
      Michael Ellerman authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit 1411b521 upstream.
      
      In the vmx AES init routines we do a printk(KERN_INFO ...) to report
      the fallback implementation we're using.
      
      However with a slow console this can significantly affect the speed of
      crypto operations. Using 'cryptsetup benchmark' the removal of the
      printk() leads to a ~5x speedup for aes-cbc decryption.
      
      So remove them.
      
      Fixes: 8676590a ("crypto: vmx - Adding AES routines for VMX module")
      Fixes: 8c755ace ("crypto: vmx - Adding CBC routines for VMX module")
      Fixes: 4f7f60d3 ("crypto: vmx - Adding CTR routines for VMX module")
      Fixes: cc333cd6 ("crypto: vmx - Adding GHASH routines for VMX module")
      Cc: stable@vger.kernel.org # v4.1+
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      e7baced3
    • Ethan Lee's avatar
      Input: goodix - add new ACPI id for GPD Win 2 touch screen · 038be6e6
      Ethan Lee authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit 5ca4d1ae upstream.
      
      GPD Win 2 Website: http://www.gpd.hk/gpdwin2.asp
      
      Tested on a unit from the first production run sent to Indiegogo backers
      Signed-off-by: default avatarEthan Lee <flibitijibibo@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      038be6e6
    • Gil Kupfer's avatar
      vmw_balloon: fixing double free when batching mode is off · 401b9f88
      Gil Kupfer authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit b23220fe upstream.
      
      The balloon.page field is used for two different purposes if batching is
      on or off. If batching is on, the field point to the page which is used
      to communicate with with the hypervisor. If it is off, balloon.page
      points to the page that is about to be (un)locked.
      
      Unfortunately, this dual-purpose of the field introduced a bug: when the
      balloon is popped (e.g., when the machine is reset or the balloon driver
      is explicitly removed), the balloon driver frees, unconditionally, the
      page that is held in balloon.page.  As a result, if batching is
      disabled, this leads to double freeing the last page that is sent to the
      hypervisor.
      
      The following error occurs during rmmod when kernel checkers are on, and
      the balloon is not empty:
      
      [   42.307653] ------------[ cut here ]------------
      [   42.307657] Kernel BUG at ffffffffba1e4b28 [verbose debug info unavailable]
      [   42.307720] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
      [   42.312512] Modules linked in: vmw_vsock_vmci_transport vsock ppdev joydev vmw_balloon(-) input_leds serio_raw vmw_vmci parport_pc shpchp parport i2c_piix4 nfit mac_hid autofs4 vmwgfx drm_kms_helper hid_generic syscopyarea sysfillrect usbhid sysimgblt fb_sys_fops hid ttm mptspi scsi_transport_spi ahci mptscsih drm psmouse vmxnet3 libahci mptbase pata_acpi
      [   42.312766] CPU: 10 PID: 1527 Comm: rmmod Not tainted 4.12.0+ #5
      [   42.312803] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2016
      [   42.313042] task: ffff9bf9680f8000 task.stack: ffffbfefc1638000
      [   42.313290] RIP: 0010:__free_pages+0x38/0x40
      [   42.313510] RSP: 0018:ffffbfefc163be98 EFLAGS: 00010246
      [   42.313731] RAX: 000000000000003e RBX: ffffffffc02b9720 RCX: 0000000000000006
      [   42.313972] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9bf97e08e0a0
      [   42.314201] RBP: ffffbfefc163be98 R08: 0000000000000000 R09: 0000000000000000
      [   42.314435] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc02b97e4
      [   42.314505] R13: ffffffffc02b9748 R14: ffffffffc02b9728 R15: 0000000000000200
      [   42.314550] FS:  00007f3af5fec700(0000) GS:ffff9bf97e080000(0000) knlGS:0000000000000000
      [   42.314599] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   42.314635] CR2: 00007f44f6f4ab24 CR3: 00000003a7d12000 CR4: 00000000000006e0
      [   42.314864] Call Trace:
      [   42.315774]  vmballoon_pop+0x102/0x130 [vmw_balloon]
      [   42.315816]  vmballoon_exit+0x42/0xd64 [vmw_balloon]
      [   42.315853]  SyS_delete_module+0x1e2/0x250
      [   42.315891]  entry_SYSCALL_64_fastpath+0x23/0xc2
      [   42.315924] RIP: 0033:0x7f3af5b0e8e7
      [   42.315949] RSP: 002b:00007fffe6ce0148 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [   42.315996] RAX: ffffffffffffffda RBX: 000055be676401e0 RCX: 00007f3af5b0e8e7
      [   42.316951] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055be67640248
      [   42.317887] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
      [   42.318845] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fffe6cdf130
      [   42.319755] R13: 0000000000000000 R14: 0000000000000000 R15: 000055be676401e0
      [   42.320606] Code: c0 74 1c f0 ff 4f 1c 74 02 5d c3 85 f6 74 07 e8 0f d8 ff ff 5d c3 31 f6 e8 c6 fb ff ff 5d c3 48 c7 c6 c8 0f c5 ba e8 58 be 02 00 <0f> 0b 66 0f 1f 44 00 00 66 66 66 66 90 48 85 ff 75 01 c3 55 48
      [   42.323462] RIP: __free_pages+0x38/0x40 RSP: ffffbfefc163be98
      [   42.325735] ---[ end trace 872e008e33f81508 ]---
      
      To solve the bug, we eliminate the dual purpose of balloon.page.
      
      Fixes: f220a80f ("VMware balloon: add batching to the vmw_balloon.")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarOleksandr Natalenko <onatalen@redhat.com>
      Signed-off-by: default avatarGil Kupfer <gilkup@gmail.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Reviewed-by: default avatarXavier Deguillard <xdeguillard@vmware.com>
      Tested-by: default avatarOleksandr Natalenko <oleksandr@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      401b9f88
    • Marek Szyprowski's avatar
      serial: samsung: fix maxburst parameter for DMA transactions · c0a45817
      Marek Szyprowski authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit aa2f80e7 upstream.
      
      The best granularity of residue that DMA engine can report is in the BURST
      units, so the serial driver must use MAXBURST = 1 and DMA_SLAVE_BUSWIDTH_1_BYTE
      if it relies on exact number of bytes transferred by DMA engine.
      
      Fixes: 62c37eed ("serial: samsung: add dma reqest/release functions")
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Acked-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      c0a45817
    • Linus Torvalds's avatar
      Clarify (and fix) MAX_LFS_FILESIZE macros · ff367c3c
      Linus Torvalds authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit 0cc3b0ec upstream.
      
      We have a MAX_LFS_FILESIZE macro that is meant to be filled in by
      filesystems (and other IO targets) that know they are 64-bit clean and
      don't have any 32-bit limits in their IO path.
      
      It turns out that our 32-bit value for that limit was bogus.  On 32-bit,
      the VM layer is limited by the page cache to only 32-bit index values,
      but our logic for that was confusing and actually wrong.  We used to
      define that value to
      
      	(((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
      
      which is actually odd in several ways: it limits the index to 31 bits,
      and then it limits files so that they can't have data in that last byte
      of a page that has the highest 31-bit index (ie page index 0x7fffffff).
      
      Neither of those limitations make sense.  The index is actually the full
      32 bit unsigned value, and we can use that whole full page.  So the
      maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG".
      
      However, we do wan tto avoid the maximum index, because we have code
      that iterates over the page indexes, and we don't want that code to
      overflow.  So the maximum size of a file on a 32-bit host should
      actually be one page less than the full 32-bit index.
      
      So the actual limit is ULONG_MAX << PAGE_SHIFT.  That means that we will
      not actually be using the page of that last index (ULONG_MAX), but we
      can grow a file up to that limit.
      
      The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug
      Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5
      volume.  It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one
      byte less), but the actual true VM limit is one page less than 16TiB.
      
      This was invisible until commit c2a9737f ("vfs,mm: fix a dead loop
      in truncate_inode_pages_range()"), which started applying that
      MAX_LFS_FILESIZE limit to block devices too.
      
      NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is
      actually just the offset type itself (loff_t), which is signed.  But for
      clarity, on 64-bit, just use the maximum signed value, and don't make
      people have to count the number of 'f' characters in the hex constant.
      
      So just use LLONG_MAX for the 64-bit case.  That was what the value had
      been before too, just written out as a hex constant.
      
      Fixes: c2a9737f ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
      Reported-and-tested-by: default avatarDoug Nazar <nazard@nazar.ca>
      Cc: Andreas Dilger <adilger@dilger.ca>
      Cc: Mark Fasheh <mfasheh@versity.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Dave Kleikamp <shaggy@kernel.org>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Rafael Tinoco <rafael.tinoco@linaro.org>
      [backported to 4.4.y due to requests of failed LTP tests - gregkh]
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      ff367c3c
    • Linus Walleij's avatar
      gpio: No NULL owner · a85d35d2
      Linus Walleij authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit 7d18f0a1 upstream.
      
      Sometimes a GPIO is fetched with NULL as parent device, and
      that is just fine. So under these circumstances, avoid using
      dev_name() to provide a name for the GPIO line.
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Cc: Daniel Rosenberg <drosen@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      a85d35d2
    • Andy Lutomirski's avatar
      x86/crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the crc32c code · 130d3b38
      Andy Lutomirski authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit 02f39b23 upstream.
      
      The crypto code was checking both use_eager_fpu() and
      defined(X86_FEATURE_EAGER_FPU).  The latter was nonsensical, so
      remove it.  This will avoid breakage when we remove
      X86_FEATURE_EAGER_FPU.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarRik van Riel <riel@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: pbonzini@redhat.com
      Link: http://lkml.kernel.org/r/1475627678-20788-2-git-send-email-riel@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      130d3b38
    • Kevin Easton's avatar
      af_key: Always verify length of provided sadb_key · 8e5289f7
      Kevin Easton authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit 4b66af2d upstream.
      
      Key extensions (struct sadb_key) include a user-specified number of key
      bits.  The kernel uses that number to determine how much key data to copy
      out of the message in pfkey_msg2xfrm_state().
      
      The length of the sadb_key message must be verified to be long enough,
      even in the case of SADB_X_AALG_NULL.  Furthermore, the sadb_key_len value
      must be long enough to include both the key data and the struct sadb_key
      itself.
      
      Introduce a helper function verify_key_len(), and call it from
      parse_exthdrs() where other exthdr types are similarly checked for
      correctness.
      Signed-off-by: default avatarKevin Easton <kevin@guarana.org>
      Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Cc: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      8e5289f7
    • Andy Lutomirski's avatar
      x86/fpu: Hard-disable lazy FPU mode · c4b27d30
      Andy Lutomirski authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit ca6938a1 upstream.
      
      Since commit:
      
        58122bf1 ("x86/fpu: Default eagerfpu=on on all CPUs")
      
      ... in Linux 4.6, eager FPU mode has been the default on all x86
      systems, and no one has reported any regressions.
      
      This patch removes the ability to enable lazy mode: use_eager_fpu()
      becomes "return true" and all of the FPU mode selection machinery is
      removed.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarRik van Riel <riel@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: pbonzini@redhat.com
      Link: http://lkml.kernel.org/r/1475627678-20788-3-git-send-email-riel@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      c4b27d30
    • Yu-cheng Yu's avatar
      x86/fpu: Revert ("x86/fpu: Disable AVX when eagerfpu is off") · 057994ed
      Yu-cheng Yu authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit a65050c6 upstream.
      
      Leonid Shatz noticed that the SDM interpretation of the following
      recent commit:
      
        394db20c ("x86/fpu: Disable AVX when eagerfpu is off")
      
      ... is incorrect and that the original behavior of the FPU code was correct.
      
      Because AVX is not stated in CR0 TS bit description, it was mistakenly
      believed to be not supported for lazy context switch. This turns out
      to be false:
      
        Intel Software Developer's Manual Vol. 3A, Sec. 2.5 Control Registers:
      
         'TS Task Switched bit (bit 3 of CR0) -- Allows the saving of the x87 FPU/
          MMX/SSE/SSE2/SSE3/SSSE3/SSE4 context on a task switch to be delayed until
          an x87 FPU/MMX/SSE/SSE2/SSE3/SSSE3/SSE4 instruction is actually executed
          by the new task.'
      
        Intel Software Developer's Manual Vol. 2A, Sec. 2.4 Instruction Exception
        Specification:
      
         'AVX instructions refer to exceptions by classes that include #NM
          "Device Not Available" exception for lazy context switch.'
      
      So revert the commit.
      Reported-by: default avatarLeonid Shatz <leonid.shatz@ravellosystems.com>
      Signed-off-by: default avatarYu-cheng Yu <yu-cheng.yu@intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ravi V. Shankar <ravi.v.shankar@intel.com>
      Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1457569734-3785-1-git-send-email-yu-cheng.yu@intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      057994ed
    • yu-cheng yu's avatar
      x86/fpu: Disable AVX when eagerfpu is off · 3db9ce10
      yu-cheng yu authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit 394db20c upstream.
      
      When "eagerfpu=off" is given as a command-line input, the kernel
      should disable AVX support.
      
      The Task Switched bit used for lazy context switching does not
      support AVX. If AVX is enabled without eagerfpu context
      switching, one task's AVX state could become corrupted or leak
      to other tasks. This is a bug and has bad security implications.
      
      This only affects systems that have AVX/AVX2/AVX512 and this
      issue will be found only when one actually uses AVX/AVX2/AVX512
      _AND_ does eagerfpu=off.
      
      Reference: Intel Software Developer's Manual Vol. 3A
      
      Sec. 2.5 Control Registers:
      TS Task Switched bit (bit 3 of CR0) -- Allows the saving of the
      x87 FPU/ MMX/SSE/SSE2/SSE3/SSSE3/SSE4 context on a task switch
      to be delayed until an x87 FPU/MMX/SSE/SSE2/SSE3/SSSE3/SSE4
      instruction is actually executed by the new task.
      
      Sec. 13.4.1 Using the TS Flag to Control the Saving of the X87
      FPU and SSE State
      When the TS flag is set, the processor monitors the instruction
      stream for x87 FPU, MMX, SSE instructions. When the processor
      detects one of these instructions, it raises a
      device-not-available exeception (#NM) prior to executing the
      instruction.
      Signed-off-by: default avatarYu-cheng Yu <yu-cheng.yu@intel.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Ravi V. Shankar <ravi.v.shankar@intel.com>
      Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: yu-cheng yu <yu-cheng.yu@intel.com>
      Link: http://lkml.kernel.org/r/1452119094-7252-5-git-send-email-yu-cheng.yu@intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      3db9ce10
    • Borislav Petkov's avatar
      x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros · b02a765f
      Borislav Petkov authored
      BugLink: https://bugs.launchpad.net/bugs/1777389
      
      commit 362f924b upstream.
      
      Those are stupid and code should use static_cpu_has_safe() or
      boot_cpu_has() instead. Kill the least used and unused ones.
      
      The remaining ones need more careful inspection before a conversion can
      happen. On the TODO.
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: http://lkml.kernel.org/r/1449481182-27541-4-git-send-email-bp@alien8.de
      Cc: David Sterba <dsterba@suse.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Matt Mackall <mpm@selenic.com>
      Cc: Chris Mason <clm@fb.com>
      Cc: Josef Bacik <jbacik@fb.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      b02a765f
    • Juergen Gross's avatar
    • Sanjay Kumar Konduri's avatar
      UBUNTU: SAUCE: Redpine: fix soft-ap invisible issue · 72ef9e76
      Sanjay Kumar Konduri authored
      BugLink: http://bugs.launchpad.net/bugs/1773400
      
      Observed third party station is unable to scan redpine AP, when soft-ap
      wizard invoked. This is because power save is not disabled for soft-ap
      mode. Hence, disabling power save for soft-ap mode.
      Signed-off-by: default avatarSanjay Kumar Konduri <sanjay.konduri@redpinesignals.com>
      Signed-off-by: default avatarSiva Rebbagondla <siva.rebbagondla@redpinesignals.com>
      Acked-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      72ef9e76
    • Greg Kroah-Hartman's avatar
    • Eric Dumazet's avatar
      net: metrics: add proper netlink validation · 71a5a413
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1777063
      
      [ Upstream commit 5b5e7a0d ]
      
      Before using nla_get_u32(), better make sure the attribute
      is of the proper size.
      
      Code recently was changed, but bug has been there from beginning
      of git.
      
      BUG: KMSAN: uninit-value in rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
      CPU: 1 PID: 14139 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #103
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
       __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
       rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
       fib_dump_info+0xc42/0x2190 net/ipv4/fib_semantics.c:1361
       rtmsg_fib+0x65f/0x8c0 net/ipv4/fib_semantics.c:419
       fib_table_insert+0x2314/0x2b50 net/ipv4/fib_trie.c:1287
       inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
       rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
       netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x455a09
      RSP: 002b:00007faae5fd8c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007faae5fd96d4 RCX: 0000000000455a09
      RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000013
      RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
       __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:529
       fib_convert_metrics net/ipv4/fib_semantics.c:1056 [inline]
       fib_create_info+0x2d46/0x9dc0 net/ipv4/fib_semantics.c:1150
       fib_table_insert+0x3e4/0x2b50 net/ipv4/fib_trie.c:1146
       inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
       rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
       netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
       kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2753 [inline]
       __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:988 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
       netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: a919525a ("net: Move fib_convert_metrics to metrics file")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: David Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      71a5a413
    • Florian Fainelli's avatar
      net: phy: broadcom: Fix bcm_write_exp() · 44c1a154
      Florian Fainelli authored
      BugLink: https://bugs.launchpad.net/bugs/1777063
      
      [ Upstream commit 79fb218d ]
      
      On newer PHYs, we need to select the expansion register to write with
      setting bits [11:8] to 0xf. This was done correctly by bcm7xxx.c prior
      to being migrated to generic code under bcm-phy-lib.c which
      unfortunately used the older implementation from the BCM54xx days.
      
      Fix this by creating an inline stub: bcm_write_exp_sel() which adds the
      correct value (MII_BCM54XX_EXP_SEL_ER) and update both the Cygnus PHY
      and BCM7xxx PHY drivers which require setting these bits.
      
      broadcom.c is unchanged because some PHYs even use a different selector
      method, so let them specify it directly (e.g: SerDes secondary selector).
      
      Fixes: a1cba561 ("net: phy: Add Broadcom phy library for common interfaces")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      44c1a154
    • Eric Dumazet's avatar
      rtnetlink: validate attributes in do_setlink() · d7cfff5e
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1777063
      
      [ Upstream commit 644c7eeb ]
      
      It seems that rtnl_group_changelink() can call do_setlink
      while a prior call to validate_linkmsg(dev = NULL, ...) could
      not validate IFLA_ADDRESS / IFLA_BROADCAST
      
      Make sure do_setlink() calls validate_linkmsg() instead
      of letting its callers having this responsibility.
      
      With help from Dmitry Vyukov, thanks a lot !
      
      BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
      BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
      BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
      CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
       __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
       is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
       eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
       eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
       dev_set_mac_address+0x261/0x530 net/core/dev.c:7157
       do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317
       rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
       rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
       rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
       netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x455a09
      RSP: 002b:00007fc07480ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007fc07480f6d4 RCX: 0000000000455a09
      RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000014
      RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
       kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
       __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478
       do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315
       rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
       rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
       rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
       netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
       kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2753 [inline]
       __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:988 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
       netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: e7ed828f ("netlink: support setting devgroup parameters")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      d7cfff5e
    • Dan Carpenter's avatar
      team: use netdev_features_t instead of u32 · 8c9f3c48
      Dan Carpenter authored
      BugLink: https://bugs.launchpad.net/bugs/1777063
      
      [ Upstream commit 25ea6654 ]
      
      This code was introduced in 2011 around the same time that we made
      netdev_features_t a u64 type.  These days a u32 is not big enough to
      hold all the potential features.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      8c9f3c48
    • Jack Morgenstein's avatar
      net/mlx4: Fix irq-unsafe spinlock usage · f638d584
      Jack Morgenstein authored
      BugLink: https://bugs.launchpad.net/bugs/1777063
      
      [ Upstream commit d546b67c ]
      
      spin_lock/unlock was used instead of spin_un/lock_irq
      in a procedure used in process space, on a spinlock
      which can be grabbed in an interrupt.
      
      This caused the stack trace below to be displayed (on kernel
      4.17.0-rc1 compiled with Lock Debugging enabled):
      
      [  154.661474] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
      [  154.668909] 4.17.0-rc1-rdma_rc_mlx+ #3 Tainted: G          I
      [  154.675856] -----------------------------------------------------
      [  154.682706] modprobe/10159 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
      [  154.690254] 00000000f3b0e495 (&(&qp_table->lock)->rlock){+.+.}, at: mlx4_qp_remove+0x20/0x50 [mlx4_core]
      [  154.700927]
      and this task is already holding:
      [  154.707461] 0000000094373b5d (&(&cq->lock)->rlock/1){....}, at: destroy_qp_common+0x111/0x560 [mlx4_ib]
      [  154.718028] which would create a new lock dependency:
      [  154.723705]  (&(&cq->lock)->rlock/1){....} -> (&(&qp_table->lock)->rlock){+.+.}
      [  154.731922]
      but this new dependency connects a SOFTIRQ-irq-safe lock:
      [  154.740798]  (&(&cq->lock)->rlock){..-.}
      [  154.740800]
      ... which became SOFTIRQ-irq-safe at:
      [  154.752163]   _raw_spin_lock_irqsave+0x3e/0x50
      [  154.757163]   mlx4_ib_poll_cq+0x36/0x900 [mlx4_ib]
      [  154.762554]   ipoib_tx_poll+0x4a/0xf0 [ib_ipoib]
      ...
      to a SOFTIRQ-irq-unsafe lock:
      [  154.815603]  (&(&qp_table->lock)->rlock){+.+.}
      [  154.815604]
      ... which became SOFTIRQ-irq-unsafe at:
      [  154.827718] ...
      [  154.827720]   _raw_spin_lock+0x35/0x50
      [  154.833912]   mlx4_qp_lookup+0x1e/0x50 [mlx4_core]
      [  154.839302]   mlx4_flow_attach+0x3f/0x3d0 [mlx4_core]
      
      Since mlx4_qp_lookup() is called only in process space, we can
      simply replace the spin_un/lock calls with spin_un/lock_irq calls.
      
      Fixes: 6dc06c08 ("net/mlx4: Fix the check in attaching steering rules")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      f638d584
    • Shahed Shaikh's avatar
      qed: Fix mask for physical address in ILT entry · c565b27b
      Shahed Shaikh authored
      BugLink: https://bugs.launchpad.net/bugs/1777063
      
      [ Upstream commit fdd13dd3 ]
      
      ILT entry requires 12 bit right shifted physical address.
      Existing mask for ILT entry of physical address i.e.
      ILT_ENTRY_PHY_ADDR_MASK is not sufficient to handle 64bit
      address because upper 8 bits of 64 bit address were getting
      masked which resulted in completer abort error on
      PCIe bus due to invalid address.
      
      Fix that mask to handle 64bit physical address.
      
      Fixes: fe56b9e6 ("qed: Add module with basic common support")
      Signed-off-by: default avatarShahed Shaikh <shahed.shaikh@cavium.com>
      Signed-off-by: default avatarAriel Elior <ariel.elior@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      c565b27b
    • Willem de Bruijn's avatar
      packet: fix reserve calculation · 9f8c53fd
      Willem de Bruijn authored
      BugLink: https://bugs.launchpad.net/bugs/1777063
      
      [ Upstream commit 9aad13b0 ]
      
      Commit b84bbaf7 ("packet: in packet_snd start writing at link
      layer allocation") ensures that packet_snd always starts writing
      the link layer header in reserved headroom allocated for this
      purpose.
      
      This is needed because packets may be shorter than hard_header_len,
      in which case the space up to hard_header_len may be zeroed. But
      that necessary padding is not accounted for in skb->len.
      
      The fix, however, is buggy. It calls skb_push, which grows skb->len
      when moving skb->data back. But in this case packet length should not
      change.
      
      Instead, call skb_reserve, which moves both skb->data and skb->tail
      back, without changing length.
      
      Fixes: b84bbaf7 ("packet: in packet_snd start writing at link layer allocation")
      Reported-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      9f8c53fd
    • Daniele Palmas's avatar
      net: usb: cdc_mbim: add flag FLAG_SEND_ZLP · 32abb33a
      Daniele Palmas authored
      BugLink: https://bugs.launchpad.net/bugs/1777063
      
      [ Upstream commit 9f7c7283 ]
      
      Testing Telit LM940 with ICMP packets > 14552 bytes revealed that
      the modem needs FLAG_SEND_ZLP to properly work, otherwise the cdc
      mbim data interface won't be anymore responsive.
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      32abb33a
    • Eric Dumazet's avatar
      net/packet: refine check for priv area size · 44bb7ef9
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1777063
      
      [ Upstream commit eb73190f ]
      
      syzbot was able to trick af_packet again [1]
      
      Various commits tried to address the problem in the past,
      but failed to take into account V3 header size.
      
      [1]
      
      tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
      BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
      BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
      Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106
      
      CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: ipv6_addrconf addrconf_dad_work
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1b9/0x294 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
       __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
       prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
       prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
       __packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
       packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
       tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
       dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
       xmit_one net/core/dev.c:3049 [inline]
       dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
       __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
       dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
       neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
       neigh_output include/net/neighbour.h:482 [inline]
       ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
       ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
       NF_HOOK_COND include/linux/netfilter.h:277 [inline]
       ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
       dst_output include/net/dst.h:444 [inline]
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
       ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
       addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
       process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
       worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
       kthread+0x345/0x410 kernel/kthread.c:240
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
      
      The buggy address belongs to the page:
      page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80
      flags: 0x2fffc0000000000()
      raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80
      raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
       ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      
      Fixes: 2b6867c2 ("net/packet: fix overflow in check for priv area size")
      Fixes: dc808110 ("packet: handle too big packets for PACKET_V3")
      Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      44bb7ef9