1. 21 Oct, 2017 11 commits
  2. 18 Oct, 2017 29 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.93 · e1fe3813
      Greg Kroah-Hartman authored
      e1fe3813
    • Mathias Krause's avatar
      x86/alternatives: Fix alt_max_short macro to really be a max() · ad505a7b
      Mathias Krause authored
      commit 6b32c126 upstream.
      
      The alt_max_short() macro in asm/alternative.h does not work as
      intended, leading to nasty bugs. E.g. alt_max_short("1", "3")
      evaluates to 3, but alt_max_short("3", "1") evaluates to 1 -- not
      exactly the maximum of 1 and 3.
      
      In fact, I had to learn it the hard way by crashing my kernel in not
      so funny ways by attempting to make use of the ALTENATIVE_2 macro
      with alternatives where the first one was larger than the second
      one.
      
      According to [1] and commit dbe4058a ("x86/alternatives: Fix
      ALTERNATIVE_2 padding generation properly") the right handed side
      should read "-(-(a < b))" not "-(-(a - b))". Fix that, to make the
      macro work as intended.
      
      While at it, fix up the comments regarding the additional "-", too.
      It's not about gas' usage of s32 but brain dead logic of having a
      "true" value of -1 for the < operator ... *sigh*
      
      Btw., the one in asm/alternative-asm.h is correct. And, apparently,
      all current users of ALTERNATIVE_2() pass same sized alternatives,
      avoiding to hit the bug.
      
      [1] http://graphics.stanford.edu/~seander/bithacks.html#IntegerMinOrMaxReviewed-and-tested-by: default avatarBorislav Petkov <bp@suse.de>
      Fixes: dbe4058a ("x86/alternatives: Fix ALTERNATIVE_2 padding generation properly")
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Borislav Petkov <bp@suse.de>
      Link: https://lkml.kernel.org/r/1507228213-13095-1-git-send-email-minipli@googlemail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad505a7b
    • Johan Hovold's avatar
      USB: serial: console: fix use-after-free after failed setup · 20856345
      Johan Hovold authored
      commit 299d7572 upstream.
      
      Make sure to reset the USB-console port pointer when console setup fails
      in order to avoid having the struct usb_serial be prematurely freed by
      the console code when the device is later disconnected.
      
      Fixes: 73e487fd ("[PATCH] USB console: fix disconnection issues")
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20856345
    • Shrirang Bagul's avatar
      USB: serial: qcserial: add Dell DW5818, DW5819 · 6c14436b
      Shrirang Bagul authored
      commit f5d9644c upstream.
      
      Dell Wireless 5819/5818 devices are re-branded Sierra Wireless MC74
      series which will by default boot with vid 0x413c and pid's 0x81cf,
      0x81d0, 0x81d1, 0x81d2.
      Signed-off-by: default avatarShrirang Bagul <shrirang.bagul@canonical.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6c14436b
    • Henryk Heisig's avatar
      USB: serial: option: add support for TP-Link LTE module · 34592e06
      Henryk Heisig authored
      commit 837ddc47 upstream.
      
      This commit adds support for TP-Link LTE mPCIe module is used
      in in TP-Link MR200v1, MR6400v1 and v2 routers.
      Signed-off-by: default avatarHenryk Heisig <hyniu@o2.pl>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34592e06
    • Andreas Engel's avatar
      USB: serial: cp210x: add support for ELV TFD500 · ac22f49f
      Andreas Engel authored
      commit c496ad83 upstream.
      
      Add the USB device id for the ELV TFD500 data logger.
      Signed-off-by: default avatarAndreas Engel <anen-nospam@gmx.net>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac22f49f
    • Jeffrey Chu's avatar
      USB: serial: ftdi_sio: add id for Cypress WICED dev board · b1f5a269
      Jeffrey Chu authored
      commit a6c215e2 upstream.
      
      Add CYPRESS_VID vid and CYPRESS_WICED_BT_USB and CYPRESS_WICED_WL_USB
      device IDs to ftdi_sio driver.
      Signed-off-by: default avatarJeffrey Chu <jeffrey.chu@cypress.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b1f5a269
    • Vitaly Mayatskikh's avatar
      fix unbalanced page refcounting in bio_map_user_iov · 399c4609
      Vitaly Mayatskikh authored
      commit 95d78c28 upstream.
      
      bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
      IO vector has small consecutive buffers belonging to the same page.
      bio_add_pc_page merges them into one, but the page reference is never
      dropped.
      Signed-off-by: default avatarVitaly Mayatskikh <v.mayatskih@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      399c4609
    • Andreas Gruenbacher's avatar
      direct-io: Prevent NULL pointer access in submit_page_section · f3b53849
      Andreas Gruenbacher authored
      commit 899f0429 upstream.
      
      In the code added to function submit_page_section by commit b1058b98,
      sdio->bio can currently be NULL when calling dio_bio_submit.  This then
      leads to a NULL pointer access in dio_bio_submit, so check for a NULL
      bio in submit_page_section before trying to submit it instead.
      
      Fixes xfstest generic/250 on gfs2.
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3b53849
    • Andrew Gabbasov's avatar
      usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options · ac94abbb
      Andrew Gabbasov authored
      commit aec17e1e upstream.
      
      KASAN enabled configuration reports an error
      
          BUG: KASAN: use-after-free in usb_composite_overwrite_options+...
                      [libcomposite] at addr ...
          Read of size 1 by task ...
      
      when some driver is un-bound and then bound again.
      For example, this happens with FunctionFS driver when "ffs-test"
      test application is run several times in a row.
      
      If the driver has empty manufacturer ID string in initial static data,
      it is then replaced with generated string. After driver unbinding
      the generated string is freed, but the driver data still keep that
      pointer. And if the driver is then bound again, that pointer
      is re-used for string emptiness check.
      
      The fix is to clean up the driver string data upon its unbinding
      to drop the pointer to freed memory.
      
      Fixes: cc2683c3 ("usb: gadget: Provide a default implementation of default manufacturer string")
      Signed-off-by: default avatarAndrew Gabbasov <andrew_gabbasov@mentor.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac94abbb
    • Takashi Iwai's avatar
      ALSA: line6: Fix leftover URB at error-path during probe · 16c1ef65
      Takashi Iwai authored
      commit c95072b3 upstream.
      
      While line6_probe() may kick off URB for a control MIDI endpoint, the
      function doesn't clean up it properly at its error path.  This results
      in a leftover URB action that is eventually triggered later and causes
      an Oops like:
        general protection fault: 0000 [#1] PREEMPT SMP KASAN
        CPU: 1 PID: 0 Comm: swapper/1 Not tainted
        RIP: 0010:usb_fill_bulk_urb ./include/linux/usb.h:1619
        RIP: 0010:line6_start_listen+0x3fe/0x9e0 sound/usb/line6/driver.c:76
        Call Trace:
         <IRQ>
         line6_data_received+0x1f7/0x470 sound/usb/line6/driver.c:326
         __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
         usb_hcd_giveback_urb+0x337/0x420 drivers/usb/core/hcd.c:1845
         dummy_timer+0xba9/0x39f0 drivers/usb/gadget/udc/dummy_hcd.c:1965
         call_timer_fn+0x2a2/0x940 kernel/time/timer.c:1281
         ....
      
      Since the whole clean-up procedure is done in line6_disconnect()
      callback, we can simply call it in the error path instead of
      open-coding the whole again.  It'll fix such an issue automagically.
      
      The bug was spotted by syzkaller.
      
      Fixes: eedd0e95 ("ALSA: line6: Don't forget to call driver's destructor at error path")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16c1ef65
    • Takashi Iwai's avatar
      ALSA: caiaq: Fix stray URB at probe error path · 5b01343a
      Takashi Iwai authored
      commit 99fee508 upstream.
      
      caiaq driver doesn't kill the URB properly at its error path during
      the probe, which may lead to a use-after-free error later.  This patch
      addresses it.
      Reported-by: default avatarJohan Hovold <johan@kernel.org>
      Reviewed-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b01343a
    • Takashi Iwai's avatar
      ALSA: seq: Fix copy_from_user() call inside lock · ca2523c9
      Takashi Iwai authored
      commit 5803b023 upstream.
      
      The event handler in the virmidi sequencer code takes a read-lock for
      the linked list traverse, while it's calling snd_seq_dump_var_event()
      in the loop.  The latter function may expand the user-space data
      depending on the event type.  It eventually invokes copy_from_user(),
      which might be a potential dead-lock.
      
      The sequencer core guarantees that the user-space data is passed only
      with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it
      and always takes read-lock().  For avoiding the problem above, this
      patch introduces rwsem for non-atomic case, while keeping rwlock for
      atomic case.
      
      Also while we're at it: the superfluous irq flags is dropped in
      snd_virmidi_input_open().
      Reported-by: default avatarJia-Ju Bai <baijiaju1990@163.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca2523c9
    • Takashi Iwai's avatar
      ALSA: seq: Fix use-after-free at creating a port · 23709ae9
      Takashi Iwai authored
      commit 71105998 upstream.
      
      There is a potential race window opened at creating and deleting a
      port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
      a port object and returns its pointer, but it doesn't take the
      refcount, thus it can be deleted immediately by another thread.
      Meanwhile, snd_seq_ioctl_create_port() still calls the function
      snd_seq_system_client_ev_port_start() with the created port object
      that is being deleted, and this triggers use-after-free like:
      
       BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
       =============================================================================
       BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
       -----------------------------------------------------------------------------
       INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
       	___slab_alloc+0x425/0x460
       	__slab_alloc+0x20/0x40
        	kmem_cache_alloc_trace+0x150/0x190
      	snd_seq_create_port+0x94/0x9b0 [snd_seq]
      	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
       	__slab_free+0x204/0x310
       	kfree+0x15f/0x180
       	port_delete+0x136/0x1a0 [snd_seq]
       	snd_seq_delete_port+0x235/0x350 [snd_seq]
       	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       Call Trace:
        [<ffffffff81b03781>] dump_stack+0x63/0x82
        [<ffffffff81531b3b>] print_trailer+0xfb/0x160
        [<ffffffff81536db4>] object_err+0x34/0x40
        [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
        [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
        [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
        [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
        [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
        [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
        [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
        [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
        .....
      
      We may fix this in a few different ways, and in this patch, it's fixed
      simply by taking the refcount properly at snd_seq_create_port() and
      letting the caller unref the object after use.  Also, there is another
      potential use-after-free by sprintf() call in snd_seq_create_port(),
      and this is moved inside the lock.
      
      This fix covers CVE-2017-15265.
      Reported-and-tested-by: default avatarMichael23 Yu <ycqzsy@gmail.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      23709ae9
    • Takashi Iwai's avatar
      ALSA: usb-audio: Kill stray URB at exiting · dc7c3bd0
      Takashi Iwai authored
      commit 124751d5 upstream.
      
      USB-audio driver may leave a stray URB for the mixer interrupt when it
      exits by some error during probe.  This leads to a use-after-free
      error as spotted by syzkaller like:
        ==================================================================
        BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
        Call Trace:
         <IRQ>
         __dump_stack lib/dump_stack.c:16
         dump_stack+0x292/0x395 lib/dump_stack.c:52
         print_address_description+0x78/0x280 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351
         kasan_report+0x23d/0x350 mm/kasan/report.c:409
         __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
         snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
         __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
         ....
      
        Allocated by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
         kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
         kmalloc ./include/linux/slab.h:493
         kzalloc ./include/linux/slab.h:666
         snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
         create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
         snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
         usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
         ....
      
        Freed by task 1484:
         save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
         save_stack+0x43/0xd0 mm/kasan/kasan.c:447
         set_track mm/kasan/kasan.c:459
         kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
         slab_free_hook mm/slub.c:1390
         slab_free_freelist_hook mm/slub.c:1412
         slab_free mm/slub.c:2988
         kfree+0xf6/0x2f0 mm/slub.c:3919
         snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
         snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
         __snd_device_free+0x1ff/0x380 sound/core/device.c:91
         snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
         snd_card_do_free sound/core/init.c:461
         release_card_device+0x47/0x170 sound/core/init.c:181
         device_release+0x13f/0x210 drivers/base/core.c:814
         ....
      
      Actually such a URB is killed properly at disconnection when the
      device gets probed successfully, and what we need is to apply it for
      the error-path, too.
      
      In this patch, we apply snd_usb_mixer_disconnect() at releasing.
      Also introduce a new flag, disconnected, to struct usb_mixer_interface
      for not performing the disconnection procedure twice.
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dc7c3bd0
    • Joerg Roedel's avatar
      iommu/amd: Finish TLB flush in amd_iommu_unmap() · 050c4bbc
      Joerg Roedel authored
      commit ce76353f upstream.
      
      The function only sends the flush command to the IOMMU(s),
      but does not wait for its completion when it returns. Fix
      that.
      
      Fixes: 601367d7 ('x86/amd-iommu: Remove iommu_flush_domain function')
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      050c4bbc
    • Kazuya Mizuguchi's avatar
      usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet · eb7f3167
      Kazuya Mizuguchi authored
      commit 29c7f3e6 upstream.
      
      The DREQE bit of the DnFIFOSEL should be set to 1 after the DE bit of
      USB-DMAC on R-Car SoCs is set to 1 after the USB-DMAC received a
      zero-length packet. Otherwise, a transfer completion interruption
      of USB-DMAC doesn't happen. Even if the driver changes the sequence,
      normal operations (transmit/receive without zero-length packet) will
      not cause any side-effects. So, this patch fixes the sequence anyway.
      Signed-off-by: default avatarKazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
      [shimoda: revise the commit log]
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb7f3167
    • Haozhong Zhang's avatar
      KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit · 6a92b999
      Haozhong Zhang authored
      commit 8eb3f87d upstream.
      
      When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
      guest CR4. Before this CR4 loading, the guest CR4 refers to L2
      CR4. Because these two CR4's are in different levels of guest, we
      should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
      is used to handle guest writes to its CR4, checks the guest change to
      CR4 and may fail if the change is invalid.
      
      The failure may cause trouble. Consider we start
        a L1 guest with non-zero L1 PCID in use,
           (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
      and
        a L2 guest with L2 PCID disabled,
           (i.e. L2 CR4.PCIDE == 0)
      and following events may happen:
      
      1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
         into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because
         of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
         vcpu->arch.cr4) is left to the value of L2 CR4.
      
      2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit,
         kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
         because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
         CR3.PCID != 0, L0 KVM will inject GP to L1 guest.
      
      Fixes: 4704d0be ("KVM: nVMX: Exiting from L2 to L1")
      Cc: qemu-stable@nongnu.org
      Signed-off-by: default avatarHaozhong Zhang <haozhong.zhang@intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a92b999
    • Herbert Xu's avatar
      crypto: shash - Fix zero-length shash ahash digest crash · 03bd90fc
      Herbert Xu authored
      commit b61907bb upstream.
      
      The shash ahash digest adaptor function may crash if given a
      zero-length input together with a null SG list.  This is because
      it tries to read the SG list before looking at the length.
      
      This patch fixes it by checking the length first.
      
      Reported-by: Stephan Müller<smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Tested-by: default avatarStephan Müller <smueller@chronox.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      03bd90fc
    • Jaejoong Kim's avatar
      HID: usbhid: fix out-of-bounds bug · 2929cb99
      Jaejoong Kim authored
      commit f043bfc9 upstream.
      
      The hid descriptor identifies the length and type of subordinate
      descriptors for a device. If the received hid descriptor is smaller than
      the size of the struct hid_descriptor, it is possible to cause
      out-of-bounds.
      
      In addition, if bNumDescriptors of the hid descriptor have an incorrect
      value, this can also cause out-of-bounds while approaching hdesc->desc[n].
      
      So check the size of hid descriptor and bNumDescriptors.
      
      	BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
      	Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
      
      	CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
      	4.14.0-rc1-42251-gebb2c243 #169
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      	Workqueue: usb_hub_wq hub_event
      	Call Trace:
      	__dump_stack lib/dump_stack.c:16
      	dump_stack+0x292/0x395 lib/dump_stack.c:52
      	print_address_description+0x78/0x280 mm/kasan/report.c:252
      	kasan_report_error mm/kasan/report.c:351
      	kasan_report+0x22f/0x340 mm/kasan/report.c:409
      	__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
      	usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
      	hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
      	usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
      	usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
      	generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
      	usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
      	hub_port_connect drivers/usb/core/hub.c:4903
      	hub_port_connect_change drivers/usb/core/hub.c:5009
      	port_event drivers/usb/core/hub.c:5115
      	hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
      	process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
      	worker_thread+0x221/0x1850 kernel/workqueue.c:2253
      	kthread+0x3a1/0x470 kernel/kthread.c:231
      	ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarJaejoong Kim <climbbb.kim@gmail.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2929cb99
    • Peter Ujfalusi's avatar
      dmaengine: edma: Align the memcpy acnt array size with the transfer · e7485f0f
      Peter Ujfalusi authored
      commit 87a2f622 upstream.
      
      Memory to Memory transfers does not have any special alignment needs
      regarding to acnt array size, but if one of the areas are in memory mapped
      regions (like PCIe memory), we need to make sure that the acnt array size
      is aligned with the mem copy parameters.
      
      Before "dmaengine: edma: Optimize memcpy operation" change the memcpy was set
      up in a different way: acnt == number of bytes in a word based on
      __ffs((src | dest | len), bcnt and ccnt for looping the necessary number of
      words to comlete the trasnfer.
      
      Instead of reverting the commit we can fix it to make sure that the ACNT size
      is aligned to the traswnfer.
      
      Fixes: df6694f8 (dmaengine: edma: Optimize memcpy operation)
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7485f0f
    • Paul Burton's avatar
      MIPS: math-emu: Remove pr_err() calls from fpu_emu() · 29b202eb
      Paul Burton authored
      commit ca8eb05b upstream.
      
      The FPU emulator includes 2 calls to pr_err() which are triggered by
      invalid instruction encodings for MIPSr6 cmp.cond.fmt instructions.
      These cases are not kernel errors, merely invalid instructions which are
      already handled by delivering a SIGILL which will provide notification
      that something failed in cases where that makes sense.
      
      In cases where that SIGILL is somewhat expected & being handled, for
      example when crashme happens to generate one of the affected bad
      encodings, the message is printed with no useful context about what
      triggered it & spams the kernel log for no good reason.
      
      Remove the pr_err() calls to make crashme run silently & treat the bad
      encodings the same way we do others, with a SIGILL & no further kernel
      log output.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: f8c3c671 ("MIPS: math-emu: Add support for the CMP.condn.fmt R6 instruction")
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/17253/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29b202eb
    • Alan Stern's avatar
      USB: dummy-hcd: Fix deadlock caused by disconnect detection · 2fff3c5c
      Alan Stern authored
      commit ab219221 upstream.
      
      The dummy-hcd driver calls the gadget driver's disconnect callback
      under the wrong conditions.  It should invoke the callback when Vbus
      power is turned off, but instead it does so when the D+ pullup is
      turned off.
      
      This can cause a deadlock in the composite core when a gadget driver
      is unregistered:
      
      [   88.361471] ============================================
      [   88.362014] WARNING: possible recursive locking detected
      [   88.362580] 4.14.0-rc2+ #9 Not tainted
      [   88.363010] --------------------------------------------
      [   88.363561] v4l_id/526 is trying to acquire lock:
      [   88.364062]  (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547e03>] composite_disconnect+0x43/0x100 [libcomposite]
      [   88.365051]
      [   88.365051] but task is already holding lock:
      [   88.365826]  (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
      [   88.366858]
      [   88.366858] other info that might help us debug this:
      [   88.368301]  Possible unsafe locking scenario:
      [   88.368301]
      [   88.369304]        CPU0
      [   88.369701]        ----
      [   88.370101]   lock(&(&cdev->lock)->rlock);
      [   88.370623]   lock(&(&cdev->lock)->rlock);
      [   88.371145]
      [   88.371145]  *** DEADLOCK ***
      [   88.371145]
      [   88.372211]  May be due to missing lock nesting notation
      [   88.372211]
      [   88.373191] 2 locks held by v4l_id/526:
      [   88.373715]  #0:  (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
      [   88.374814]  #1:  (&(&dum_hcd->dum->lock)->rlock){....}, at: [<ffffffffa05bd48d>] dummy_pullup+0x7d/0xf0 [dummy_hcd]
      [   88.376289]
      [   88.376289] stack backtrace:
      [   88.377726] CPU: 0 PID: 526 Comm: v4l_id Not tainted 4.14.0-rc2+ #9
      [   88.378557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      [   88.379504] Call Trace:
      [   88.380019]  dump_stack+0x86/0xc7
      [   88.380605]  __lock_acquire+0x841/0x1120
      [   88.381252]  lock_acquire+0xd5/0x1c0
      [   88.381865]  ? composite_disconnect+0x43/0x100 [libcomposite]
      [   88.382668]  _raw_spin_lock_irqsave+0x40/0x54
      [   88.383357]  ? composite_disconnect+0x43/0x100 [libcomposite]
      [   88.384290]  composite_disconnect+0x43/0x100 [libcomposite]
      [   88.385490]  set_link_state+0x2d4/0x3c0 [dummy_hcd]
      [   88.386436]  dummy_pullup+0xa7/0xf0 [dummy_hcd]
      [   88.387195]  usb_gadget_disconnect+0xd8/0x160 [udc_core]
      [   88.387990]  usb_gadget_deactivate+0xd3/0x160 [udc_core]
      [   88.388793]  usb_function_deactivate+0x64/0x80 [libcomposite]
      [   88.389628]  uvc_function_disconnect+0x1e/0x40 [usb_f_uvc]
      
      This patch changes the code to test the port-power status bit rather
      than the port-connect status bit when deciding whether to isue the
      callback.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarDavid Tulloh <david@tulloh.id.au>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2fff3c5c
    • Paul E. McKenney's avatar
      rcu: Allow for page faults in NMI handlers · 5fd45516
      Paul E. McKenney authored
      commit 28585a83 upstream.
      
      A number of architecture invoke rcu_irq_enter() on exception entry in
      order to allow RCU read-side critical sections in the exception handler
      when the exception is from an idle or nohz_full CPU.  This works, at
      least unless the exception happens in an NMI handler.  In that case,
      rcu_nmi_enter() would already have exited the extended quiescent state,
      which would mean that rcu_irq_enter() would (incorrectly) cause RCU
      to think that it is again in an extended quiescent state.  This will
      in turn result in lockdep splats in response to later RCU read-side
      critical sections.
      
      This commit therefore causes rcu_irq_enter() and rcu_irq_exit() to
      take no action if there is an rcu_nmi_enter() in effect, thus avoiding
      the unscheduled return to RCU quiescent state.  This in turn should
      make the kernel safe for on-demand RCU voyeurism.
      
      Link: http://lkml.kernel.org/r/20170922211022.GA18084@linux.vnet.ibm.com
      
      Cc: stable@vger.kernel.org
      Fixes: 0be964be ("module: Sanitize RCU usage and locking")
      Reported-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5fd45516
    • Luca Coelho's avatar
      iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD · 45bd4e40
      Luca Coelho authored
      commit 97bce57b upstream.
      
      The MCAST_FILTER_CMD can get quite large when we have many mcast
      addresses to set (we support up to 255).  So the command should be
      send as NOCOPY to prevent a warning caused by too-long commands:
      
      WARNING: CPU: 0 PID: 9700 at /root/iwlwifi/stack-dev/drivers/net/wireless/intel/iwlwifi/pcie/tx.c:1550 iwl_pcie_enqueue_hcmd+0x8c7/0xb40 [iwlwifi]
      Command MCAST_FILTER_CMD (0x1d0) is too large (328 bytes)
      
      This fixes: https://bugzilla.kernel.org/show_bug.cgi?id=196743Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      45bd4e40
    • Peng Xu's avatar
      nl80211: Define policy for packet pattern attributes · 6a6c61d8
      Peng Xu authored
      commit ad670233 upstream.
      
      Define a policy for packet pattern attributes in order to fix a
      potential read over the end of the buffer during nla_get_u32()
      of the NL80211_PKTPAT_OFFSET attribute.
      
      Note that the data there can always be read due to SKB allocation
      (with alignment and struct skb_shared_info at the end), but the
      data might be uninitialized. This could be used to leak some data
      from uninitialized vmalloc() memory, but most drivers don't allow
      an offset (so you'd just get -EINVAL if the data is non-zero) or
      just allow it with a fixed value - 100 or 128 bytes, so anything
      above that would get -EINVAL. With brcmfmac the limit is 1500 so
      (at least) one byte could be obtained.
      
      Cc: stable@kernel.org
      Signed-off-by: default avatarPeng Xu <pxu@qti.qualcomm.com>
      Signed-off-by: default avatarJouni Malinen <jouni@qca.qualcomm.com>
      [rewrite description based on SKB allocation knowledge]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a6c61d8
    • Pavel Shilovsky's avatar
      CIFS: Reconnect expired SMB sessions · f2bb4bcc
      Pavel Shilovsky authored
      commit 511c54a2 upstream.
      
      According to the MS-SMB2 spec (3.2.5.1.6) once the client receives
      STATUS_NETWORK_SESSION_EXPIRED error code from a server it should
      reconnect the current SMB session. Currently the client doesn't do
      that. This can result in subsequent client requests failing by
      the server. The patch adds an additional logic to the demultiplex
      thread to identify expired sessions and reconnect them.
      Signed-off-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2bb4bcc
    • Darrick J. Wong's avatar
      ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets · bd368269
      Darrick J. Wong authored
      commit 1bd8d6cd upstream.
      
      In the ext4 implementations of SEEK_HOLE and SEEK_DATA, make sure we
      return -ENXIO for negative offsets instead of banging around inside
      the extent code and returning -EFSCORRUPTED.
      Reported-by: default avatarMateusz S <muttdini@gmail.com>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bd368269
    • Arend Van Spriel's avatar
      brcmfmac: add length check in brcmf_cfg80211_escan_handler() · 6721969c
      Arend Van Spriel authored
      commit 17df6453 upstream.
      
      Upon handling the firmware notification for scans the length was
      checked properly and may result in corrupting kernel heap memory
      due to buffer overruns. This fix addresses CVE-2017-0786.
      
      Cc: Kevin Cernekee <cernekee@chromium.org>
      Reviewed-by: default avatarHante Meuleman <hante.meuleman@broadcom.com>
      Reviewed-by: default avatarPieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
      Reviewed-by: default avatarFranky Lin <franky.lin@broadcom.com>
      Signed-off-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6721969c