1. 08 Apr, 2018 40 commits
    • Dennis Wassenberg's avatar
      Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list · dbc9a953
      Dennis Wassenberg authored
      commit b56af54a upstream.
      
      Reset i8042 before probing because of insufficient BIOS initialisation of
      the i8042 serial controller. This makes Synaptics touchpad detection
      possible. Without resetting the Synaptics touchpad is not detected because
      there are always NACK messages from AUX port.
      Signed-off-by: default avatarDennis Wassenberg <dennis.wassenberg@secunet.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dbc9a953
    • Frank Mori Hess's avatar
      staging: comedi: ni_mio_common: ack ai fifo error interrupts. · 5efa3b75
      Frank Mori Hess authored
      commit e1d9fc04 upstream.
      
      Ack ai fifo error interrupts in interrupt handler to clear interrupt
      after fifo overflow.  It should prevent lock-ups after the ai fifo
      overflows.
      
      Cc: <stable@vger.kernel.org> # v4.2+
      Signed-off-by: default avatarFrank Mori Hess <fmh6jj@gmail.com>
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5efa3b75
    • Andy Lutomirski's avatar
      fs/proc: Stop trying to report thread stacks · 96450e0f
      Andy Lutomirski authored
      commit b18cb64e upstream.
      
      This reverts more of:
      
        b7643757 ("procfs: mark thread stack correctly in proc/<pid>/maps")
      
      ... which was partially reverted by:
      
        65376df5 ("proc: revert /proc/<pid>/maps [stack:TID] annotation")
      
      Originally, /proc/PID/task/TID/maps was the same as /proc/TID/maps.
      
      In current kernels, /proc/PID/maps (or /proc/TID/maps even for
      threads) shows "[stack]" for VMAs in the mm's stack address range.
      
      In contrast, /proc/PID/task/TID/maps uses KSTK_ESP to guess the
      target thread's stack's VMA.  This is racy, probably returns garbage
      and, on arches with CONFIG_TASK_INFO_IN_THREAD=y, is also crash-prone:
      KSTK_ESP is not safe to use on tasks that aren't known to be running
      ordinary process-context kernel code.
      
      This patch removes the difference and just shows "[stack]" for VMAs
      in the mm's stack range.  This is IMO much more sensible -- the
      actual "stack" address really is treated specially by the VM code,
      and the current thread stack isn't even well-defined for programs
      that frequently switch stacks on their own.
      Reported-by: default avatarJann Horn <jann@thejh.net>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Linux API <linux-api@vger.kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Tycho Andersen <tycho.andersen@canonical.com>
      Link: http://lkml.kernel.org/r/3e678474ec14e0a0ec34c611016753eea2e1b8ba.1475257877.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      96450e0f
    • Eric Biggers's avatar
      crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one · 551bf1b7
      Eric Biggers authored
      commit 8f461b1e upstream.
      
      With ecb-cast5-avx, if a 128+ byte scatterlist element followed a
      shorter one, then the algorithm accidentally encrypted/decrypted only 8
      bytes instead of the expected 128 bytes.  Fix it by setting the
      encryption/decryption 'fn' correctly.
      
      Fixes: c12ab20b ("crypto: cast5/avx - avoid using temporary stack buffers")
      Cc: <stable@vger.kernel.org> # v3.8+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      551bf1b7
    • Herbert Xu's avatar
      crypto: ahash - Fix early termination in hash walk · 66a0fae0
      Herbert Xu authored
      commit 900a081f upstream.
      
      When we have an unaligned SG list entry where there is no leftover
      aligned data, the hash walk code will incorrectly return zero as if
      the entire SG list has been processed.
      
      This patch fixes it by moving onto the next page instead.
      Reported-by: default avatarEli Cooper <elicooper@gmx.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66a0fae0
    • Alexander Gerasiov's avatar
      parport_pc: Add support for WCH CH382L PCI-E single parallel port card. · 463aa3ad
      Alexander Gerasiov authored
      commit 823f7923 upstream.
      
      WCH CH382L is a PCI-E adapter with 1 parallel port. It is similair to CH382
      but serial ports are not soldered on board. Detected as
      Serial controller: Device 1c00:3050 (rev 10) (prog-if 05 [16850])
      Signed-off-by: default avatarAlexander Gerasiov <gq@redlab-i.ru>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      463aa3ad
    • Oliver Neukum's avatar
      media: usbtv: prevent double free in error case · 607a6b7b
      Oliver Neukum authored
      commit 50e70445 upstream.
      
      Quoting the original report:
      
      It looks like there is a double-free vulnerability in Linux usbtv driver
      on an error path of usbtv_probe function. When audio registration fails,
      usbtv_video_free function ends up freeing usbtv data structure, which
      gets freed the second time under usbtv_video_fail label.
      
      usbtv_audio_fail:
      
              usbtv_video_free(usbtv); =>
      
                 v4l2_device_put(&usbtv->v4l2_dev);
      
                    => v4l2_device_put
      
                        => kref_put
      
                            => v4l2_device_release
      
        => usbtv_release (CALLBACK)
      
                                   => kfree(usbtv) (1st time)
      
      usbtv_video_fail:
      
              usb_set_intfdata(intf, NULL);
      
              usb_put_dev(usbtv->udev);
      
              kfree(usbtv); (2nd time)
      
      So, as we have refcounting, use it
      Reported-by: default avatarYavuz, Tuba <tuba@ece.ufl.edu>
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      607a6b7b
    • Colin Ian King's avatar
      mei: remove dev_err message on an unsupported ioctl · 2c9a9254
      Colin Ian King authored
      commit bb0829a7 upstream.
      
      Currently the driver spams the kernel log on unsupported ioctls which is
      unnecessary as the ioctl returns -ENOIOCTLCMD to indicate this anyway.
      I suspect this was originally for debugging purposes but it really is not
      required so remove it.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c9a9254
    • Johan Hovold's avatar
      USB: serial: cp210x: add ELDAT Easywave RX09 id · b2dce196
      Johan Hovold authored
      commit 1f1e82f7 upstream.
      
      Add device id for ELDAT Easywave RX09 tranceiver.
      Reported-by: default avatarJan Jansen <nattelip@hotmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2dce196
    • Clemens Werther's avatar
      USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator · 38849aab
      Clemens Werther authored
      commit 6555ad13 upstream.
      
      Add device id for Harman FirmwareHubEmulator to make the device
      auto-detectable by the driver.
      Signed-off-by: default avatarClemens Werther <clemens.werther@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38849aab
    • Major Hayden's avatar
      USB: serial: ftdi_sio: add RT Systems VX-8 cable · eb1e79ea
      Major Hayden authored
      commit 9608e5c0 upstream.
      
      This patch adds a device ID for the RT Systems cable used to
      program Yaesu VX-8R/VX-8DR handheld radios. It uses the main
      FTDI VID instead of the common RT Systems VID.
      Signed-off-by: default avatarMajor Hayden <major@mhtx.net>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb1e79ea
    • John Stultz's avatar
      usb: dwc2: Improve gadget state disconnection handling · da15e8c6
      John Stultz authored
      commit d2471d4a upstream.
      
      In the earlier commit dad3f793 ("usb: dwc2: Make sure we
      disconnect the gadget state"), I was trying to fix up the
      fact that we somehow weren't disconnecting the gadget state,
      so that when the OTG port was plugged in the second time we
      would get warnings about the state tracking being wrong.
      
      (This seems to be due to a quirk of the HiKey board where
      we do not ever get any otg interrupts, particularly the session
      end detected signal. Instead we only see status change
      interrupt.)
      
      The fix there was somewhat simple, as it just made sure to
      call dwc2_hsotg_disconnect() before we connected things up
      in OTG mode, ensuring the state handling didn't throw errors.
      
      But in looking at a different issue I was seeing with UDC
      state handling, I realized that it would be much better
      to call dwc2_hsotg_disconnect when we get the state change
      signal moving to host mode.
      
      Thus, this patch removes the earlier disconnect call I added
      and moves it (and the needed locking) to the host mode
      transition.
      
      Cc: Wei Xu <xuwei5@hisilicon.com>
      Cc: Guodong Xu <guodong.xu@linaro.org>
      Cc: Amit Pundir <amit.pundir@linaro.org>
      Cc: YongQin Liu <yongqin.liu@linaro.org>
      Cc: John Youn <johnyoun@synopsys.com>
      Cc: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
      Cc: Douglas Anderson <dianders@chromium.org>
      Cc: Chen Yu <chenyu56@huawei.com>
      Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: linux-usb@vger.kernel.org
      Acked-by: default avatarMinas Harutyunyan <hminas@synopsys.com>
      Tested-by: default avatarMinas Harutyunyan <hminas@synopsys.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da15e8c6
    • Paolo Bonzini's avatar
      scsi: virtio_scsi: always read VPD pages for multiqueue too · 68b9cb3a
      Paolo Bonzini authored
      commit a680f1d4 upstream.
      
      Multi-queue virtio-scsi uses a different scsi_host_template struct.  Add
      the .device_alloc field there, too.
      
      Fixes: 25d1d50e
      Cc: stable@vger.kernel.org
      Cc: David Gibson <david@gibson.dropbear.id.au>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Reviewed-by: default avatarFam Zheng <famz@redhat.com>
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      68b9cb3a
    • Alexander Potapenko's avatar
      llist: clang: introduce member_address_is_nonnull() · 1b94a87c
      Alexander Potapenko authored
      commit beaec533 upstream.
      
      Currently llist_for_each_entry() and llist_for_each_entry_safe() iterate
      until &pos->member != NULL.  But when building the kernel with Clang,
      the compiler assumes &pos->member cannot be NULL if the member's offset
      is greater than 0 (which would be equivalent to the object being
      non-contiguous in memory).  Therefore the loop condition is always true,
      and the loops become infinite.
      
      To work around this, introduce the member_address_is_nonnull() macro,
      which casts object pointer to uintptr_t, thus letting the member pointer
      to be NULL.
      Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
      Tested-by: default avatarSodagudi Prasad <psodagud@codeaurora.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b94a87c
    • Szymon Janc's avatar
      Bluetooth: Fix missing encryption refresh on Security Request · 3d3df56e
      Szymon Janc authored
      commit 64e759f5 upstream.
      
      If Security Request is received on connection that is already encrypted
      with sufficient security master should perform encryption key refresh
      procedure instead of just ignoring Slave Security Request
      (Core Spec 5.0 Vol 3 Part H 2.4.6).
      
      > ACL Data RX: Handle 3585 flags 0x02 dlen 6
            SMP: Security Request (0x0b) len 1
              Authentication requirement: Bonding, No MITM, SC, No Keypresses (0x09)
      < HCI Command: LE Start Encryption (0x08|0x0019) plen 28
              Handle: 3585
              Random number: 0x0000000000000000
              Encrypted diversifier: 0x0000
              Long term key: 44264272a5c426a9e868f034cf0e69f3
      > HCI Event: Command Status (0x0f) plen 4
            LE Start Encryption (0x08|0x0019) ncmd 1
              Status: Success (0x00)
      > HCI Event: Encryption Key Refresh Complete (0x30) plen 3
              Status: Success (0x00)
              Handle: 3585
      Signed-off-by: default avatarSzymon Janc <szymon.janc@codecoup.pl>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d3df56e
    • Florian Westphal's avatar
      netfilter: x_tables: add and use xt_check_proc_name · 9aaaa409
      Florian Westphal authored
      commit b1d0a5d0 upstream.
      
      recent and hashlimit both create /proc files, but only check that
      name is 0 terminated.
      
      This can trigger WARN() from procfs when name is "" or "/".
      Add helper for this and then use it for both.
      
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Reported-by: <syzbot+0502b00edac2a0680b61@syzkaller.appspotmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9aaaa409
    • Florian Westphal's avatar
      netfilter: bridge: ebt_among: add more missing match size checks · eaa0e4e1
      Florian Westphal authored
      commit c8d70a70 upstream.
      
      ebt_among is special, it has a dynamic match size and is exempt
      from the central size checks.
      
      commit c4585a28 ("bridge: ebt_among: add missing match size checks")
      added validation for pool size, but missed fact that the macros
      ebt_among_wh_src/dst can already return out-of-bound result because
      they do not check value of wh_src/dst_ofs (an offset) vs. the size
      of the match that userspace gave to us.
      
      v2:
      check that offset has correct alignment.
      Paolo Abeni points out that we should also check that src/dst
      wormhash arrays do not overlap, and src + length lines up with
      start of dst (or vice versa).
      v3: compact wormhash_sizes_valid() part
      
      NB: Fixes tag is intentionally wrong, this bug exists from day
      one when match was added for 2.6 kernel. Tag is there so stable
      maintainers will notice this one too.
      
      Tested with same rules from the earlier patch.
      
      Fixes: c4585a28 ("bridge: ebt_among: add missing match size checks")
      Reported-by: <syzbot+bdabab6f1983a03fc009@syzkaller.appspotmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eaa0e4e1
    • Steffen Klassert's avatar
      xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems · d92ab7b1
      Steffen Klassert authored
      commit 19d7df69 upstream.
      
      We don't have a compat layer for xfrm, so userspace and kernel
      structures have different sizes in this case. This results in
      a broken configuration, so refuse to configure socket policies
      when trying to insert from 32 bit userspace as we do it already
      with policies inserted via netlink.
      
      Reported-and-tested-by: syzbot+e1a1577ca8bcb47b769a@syzkaller.appspotmail.com
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      [use is_compat_task() - gregkh]
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d92ab7b1
    • Greg Hackmann's avatar
      net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() · 503d43a9
      Greg Hackmann authored
      commit 0dcd7876 upstream.
      
      f7c83bcb ("net: xfrm: use __this_cpu_read per-cpu helper") added a
      __this_cpu_read() call inside ipcomp_alloc_tfms().
      
      At the time, __this_cpu_read() required the caller to either not care
      about races or to handle preemption/interrupt issues.  3.15 tightened
      the rules around some per-cpu operations, and now __this_cpu_read()
      should never be used in a preemptible context.  On 3.15 and later, we
      need to use this_cpu_read() instead.
      
      syzkaller reported this leading to the following kernel BUG while
      fuzzing sendmsg:
      
      BUG: using __this_cpu_read() in preemptible [00000000] code: repro/3101
      caller is ipcomp_init_state+0x185/0x990
      CPU: 3 PID: 3101 Comm: repro Not tainted 4.16.0-rc4-00123-g86f84779 #154
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      Call Trace:
       dump_stack+0xb9/0x115
       check_preemption_disabled+0x1cb/0x1f0
       ipcomp_init_state+0x185/0x990
       ? __xfrm_init_state+0x876/0xc20
       ? lock_downgrade+0x5e0/0x5e0
       ipcomp4_init_state+0xaa/0x7c0
       __xfrm_init_state+0x3eb/0xc20
       xfrm_init_state+0x19/0x60
       pfkey_add+0x20df/0x36f0
       ? pfkey_broadcast+0x3dd/0x600
       ? pfkey_sock_destruct+0x340/0x340
       ? pfkey_seq_stop+0x80/0x80
       ? __skb_clone+0x236/0x750
       ? kmem_cache_alloc+0x1f6/0x260
       ? pfkey_sock_destruct+0x340/0x340
       ? pfkey_process+0x62a/0x6f0
       pfkey_process+0x62a/0x6f0
       ? pfkey_send_new_mapping+0x11c0/0x11c0
       ? mutex_lock_io_nested+0x1390/0x1390
       pfkey_sendmsg+0x383/0x750
       ? dump_sp+0x430/0x430
       sock_sendmsg+0xc0/0x100
       ___sys_sendmsg+0x6c8/0x8b0
       ? copy_msghdr_from_user+0x3b0/0x3b0
       ? pagevec_lru_move_fn+0x144/0x1f0
       ? find_held_lock+0x32/0x1c0
       ? do_huge_pmd_anonymous_page+0xc43/0x11e0
       ? lock_downgrade+0x5e0/0x5e0
       ? get_kernel_page+0xb0/0xb0
       ? _raw_spin_unlock+0x29/0x40
       ? do_huge_pmd_anonymous_page+0x400/0x11e0
       ? __handle_mm_fault+0x553/0x2460
       ? __fget_light+0x163/0x1f0
       ? __sys_sendmsg+0xc7/0x170
       __sys_sendmsg+0xc7/0x170
       ? SyS_shutdown+0x1a0/0x1a0
       ? __do_page_fault+0x5a0/0xca0
       ? lock_downgrade+0x5e0/0x5e0
       SyS_sendmsg+0x27/0x40
       ? __sys_sendmsg+0x170/0x170
       do_syscall_64+0x19f/0x640
       entry_SYSCALL_64_after_hwframe+0x42/0xb7
      RIP: 0033:0x7f0ee73dfb79
      RSP: 002b:00007ffe14fc15a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0ee73dfb79
      RDX: 0000000000000000 RSI: 00000000208befc8 RDI: 0000000000000004
      RBP: 00007ffe14fc15b0 R08: 00007ffe14fc15c0 R09: 00007ffe14fc15c0
      R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000400440
      R13: 00007ffe14fc16b0 R14: 0000000000000000 R15: 0000000000000000
      Signed-off-by: default avatarGreg Hackmann <ghackmann@google.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      503d43a9
    • Roland Dreier's avatar
      RDMA/ucma: Introduce safer rdma_addr_size() variants · f9105c23
      Roland Dreier authored
      commit 84652aef upstream.
      
      There are several places in the ucma ABI where userspace can pass in a
      sockaddr but set the address family to AF_IB.  When that happens,
      rdma_addr_size() will return a size bigger than sizeof struct sockaddr_in6,
      and the ucma kernel code might end up copying past the end of a buffer
      not sized for a struct sockaddr_ib.
      
      Fix this by introducing new variants
      
          int rdma_addr_size_in6(struct sockaddr_in6 *addr);
          int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);
      
      that are type-safe for the types used in the ucma ABI and return 0 if the
      size computed is bigger than the size of the type passed in.  We can use
      these new variants to check what size userspace has passed in before
      copying any addresses.
      
      Reported-by: <syzbot+6800425d54ed3ed8135d@syzkaller.appspotmail.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9105c23
    • Leon Romanovsky's avatar
      RDMA/ucma: Don't allow join attempts for unsupported AF family · 71ac483e
      Leon Romanovsky authored
      commit 0c81ffc6 upstream.
      
      Users can provide garbage while calling to ucma_join_ip_multicast(),
      it will indirectly cause to rdma_addr_size() return 0, making the
      call to ucma_process_join(), which had the right checks, but it is
      better to check the input as early as possible.
      
      The following crash from syzkaller revealed it.
      
      kernel BUG at lib/string.c:1052!
      invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 4113 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #261
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
      RSP: 0018:ffff8801ca81f8f0 EFLAGS: 00010286
      RAX: 0000000000000022 RBX: 1ffff10039503f23 RCX: 0000000000000000
      RDX: 0000000000000022 RSI: 1ffff10039503ed3 RDI: ffffed0039503f12
      RBP: ffff8801ca81f8f0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000006 R11: 0000000000000000 R12: ffff8801ca81f998
      R13: ffff8801ca81f938 R14: ffff8801ca81fa58 R15: 000000000000fa00
      FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000a12a900
      CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
      CR2: 0000000008138024 CR3: 00000001cbb58004 CR4: 00000000001606f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       memcpy include/linux/string.h:344 [inline]
       ucma_join_ip_multicast+0x36b/0x3b0 drivers/infiniband/core/ucma.c:1421
       ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1633
       __vfs_write+0xef/0x970 fs/read_write.c:480
       vfs_write+0x189/0x510 fs/read_write.c:544
       SYSC_write fs/read_write.c:589 [inline]
       SyS_write+0xef/0x220 fs/read_write.c:581
       do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
       do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7f9ec99
      RSP: 002b:00000000ff8172cc EFLAGS: 00000282 ORIG_RAX: 0000000000000004
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000100
      RDX: 0000000000000063 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 42 2c e3 fb eb de
      55 48 89 fe 48 c7 c7 80 75 98 86 48 89 e5 e8 85 95 94 fb <0f> 0b 90 90 90 90
      90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
      RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801ca81f8f0
      
      Fixes: 5bc2b7b3 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast")
      Reported-by: <syzbot+2287ac532caa81900a4e@syzkaller.appspotmail.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarSean Hefty <sean.hefty@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71ac483e
    • Leon Romanovsky's avatar
      RDMA/ucma: Check that device exists prior to accessing it · d25946f6
      Leon Romanovsky authored
      commit c8d3bcbf upstream.
      
      Ensure that device exists prior to accessing its properties.
      
      Reported-by: <syzbot+71655d44855ac3e76366@syzkaller.appspotmail.com>
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d25946f6
    • Leon Romanovsky's avatar
      RDMA/ucma: Check that device is connected prior to access it · 3197b8c7
      Leon Romanovsky authored
      commit 4b658d1b upstream.
      
      Add missing check that device is connected prior to access it.
      
      [   55.358652] BUG: KASAN: null-ptr-deref in rdma_init_qp_attr+0x4a/0x2c0
      [   55.359389] Read of size 8 at addr 00000000000000b0 by task qp/618
      [   55.360255]
      [   55.360432] CPU: 1 PID: 618 Comm: qp Not tainted 4.16.0-rc1-00071-gcaf61b1b #91
      [   55.361693] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      [   55.363264] Call Trace:
      [   55.363833]  dump_stack+0x5c/0x77
      [   55.364215]  kasan_report+0x163/0x380
      [   55.364610]  ? rdma_init_qp_attr+0x4a/0x2c0
      [   55.365238]  rdma_init_qp_attr+0x4a/0x2c0
      [   55.366410]  ucma_init_qp_attr+0x111/0x200
      [   55.366846]  ? ucma_notify+0xf0/0xf0
      [   55.367405]  ? _get_random_bytes+0xea/0x1b0
      [   55.367846]  ? urandom_read+0x2f0/0x2f0
      [   55.368436]  ? kmem_cache_alloc_trace+0xd2/0x1e0
      [   55.369104]  ? refcount_inc_not_zero+0x9/0x60
      [   55.369583]  ? refcount_inc+0x5/0x30
      [   55.370155]  ? rdma_create_id+0x215/0x240
      [   55.370937]  ? _copy_to_user+0x4f/0x60
      [   55.371620]  ? mem_cgroup_commit_charge+0x1f5/0x290
      [   55.372127]  ? _copy_from_user+0x5e/0x90
      [   55.372720]  ucma_write+0x174/0x1f0
      [   55.373090]  ? ucma_close_id+0x40/0x40
      [   55.373805]  ? __lru_cache_add+0xa8/0xd0
      [   55.374403]  __vfs_write+0xc4/0x350
      [   55.374774]  ? kernel_read+0xa0/0xa0
      [   55.375173]  ? fsnotify+0x899/0x8f0
      [   55.375544]  ? fsnotify_unmount_inodes+0x170/0x170
      [   55.376689]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
      [   55.377522]  ? handle_mm_fault+0x174/0x320
      [   55.378169]  vfs_write+0xf7/0x280
      [   55.378864]  SyS_write+0xa1/0x120
      [   55.379270]  ? SyS_read+0x120/0x120
      [   55.379643]  ? mm_fault_error+0x180/0x180
      [   55.380071]  ? task_work_run+0x7d/0xd0
      [   55.380910]  ? __task_pid_nr_ns+0x120/0x140
      [   55.381366]  ? SyS_read+0x120/0x120
      [   55.381739]  do_syscall_64+0xeb/0x250
      [   55.382143]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   55.382841] RIP: 0033:0x7fc2ef803e99
      [   55.383227] RSP: 002b:00007fffcc5f3be8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
      [   55.384173] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc2ef803e99
      [   55.386145] RDX: 0000000000000057 RSI: 0000000020000080 RDI: 0000000000000003
      [   55.388418] RBP: 00007fffcc5f3c00 R08: 0000000000000000 R09: 0000000000000000
      [   55.390542] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000400480
      [   55.392916] R13: 00007fffcc5f3cf0 R14: 0000000000000000 R15: 0000000000000000
      [   55.521088] Code: e5 4d 1e ff 48 89 df 44 0f b6 b3 b8 01 00 00 e8 65 50 1e ff 4c 8b 2b 49
      8d bd b0 00 00 00 e8 56 50 1e ff 41 0f b6 c6 48 c1 e0 04 <49> 03 85 b0 00 00 00 48 8d 78 08
      48 89 04 24 e8 3a 4f 1e ff 48
      [   55.525980] RIP: rdma_init_qp_attr+0x52/0x2c0 RSP: ffff8801e2c2f9d8
      [   55.532648] CR2: 00000000000000b0
      [   55.534396] ---[ end trace 70cee64090251c0b ]---
      
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Fixes: d541e455 ("IB/core: Convert ah_attr from OPA to IB when copying to user")
      Reported-by: <syzbot+7b62c837c2516f8f38c8@syzkaller.appspotmail.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3197b8c7
    • Leon Romanovsky's avatar
      RDMA/ucma: Ensure that CM_ID exists prior to access it · d4fee2fe
      Leon Romanovsky authored
      commit e8980d67 upstream.
      
      Prior to access UCMA commands, the context should be initialized
      and connected to CM_ID with ucma_create_id(). In case user skips
      this step, he can provide non-valid ctx without CM_ID and cause
      to multiple NULL dereferences.
      
      Also there are situations where the create_id can be raced with
      other user access, ensure that the context is only shared to
      other threads once it is fully initialized to avoid the races.
      
      [  109.088108] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      [  109.090315] IP: ucma_connect+0x138/0x1d0
      [  109.092595] PGD 80000001dc02d067 P4D 80000001dc02d067 PUD 1da9ef067 PMD 0
      [  109.095384] Oops: 0000 [#1] SMP KASAN PTI
      [  109.097834] CPU: 0 PID: 663 Comm: uclose Tainted: G    B 4.16.0-rc1-00062-g2975d5de #45
      [  109.100816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      [  109.105943] RIP: 0010:ucma_connect+0x138/0x1d0
      [  109.108850] RSP: 0018:ffff8801c8567a80 EFLAGS: 00010246
      [  109.111484] RAX: 0000000000000000 RBX: 1ffff100390acf50 RCX: ffffffff9d7812e2
      [  109.114496] RDX: 1ffffffff3f507a5 RSI: 0000000000000297 RDI: 0000000000000297
      [  109.117490] RBP: ffff8801daa15600 R08: 0000000000000000 R09: ffffed00390aceeb
      [  109.120429] R10: 0000000000000001 R11: ffffed00390aceea R12: 0000000000000000
      [  109.123318] R13: 0000000000000120 R14: ffff8801de6459c0 R15: 0000000000000118
      [  109.126221] FS:  00007fabb68d6700(0000) GS:ffff8801e5c00000(0000) knlGS:0000000000000000
      [  109.129468] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  109.132523] CR2: 0000000000000020 CR3: 00000001d45d8003 CR4: 00000000003606b0
      [  109.135573] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  109.138716] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  109.142057] Call Trace:
      [  109.144160]  ? ucma_listen+0x110/0x110
      [  109.146386]  ? wake_up_q+0x59/0x90
      [  109.148853]  ? futex_wake+0x10b/0x2a0
      [  109.151297]  ? save_stack+0x89/0xb0
      [  109.153489]  ? _copy_from_user+0x5e/0x90
      [  109.155500]  ucma_write+0x174/0x1f0
      [  109.157933]  ? ucma_resolve_route+0xf0/0xf0
      [  109.160389]  ? __mod_node_page_state+0x1d/0x80
      [  109.162706]  __vfs_write+0xc4/0x350
      [  109.164911]  ? kernel_read+0xa0/0xa0
      [  109.167121]  ? path_openat+0x1b10/0x1b10
      [  109.169355]  ? fsnotify+0x899/0x8f0
      [  109.171567]  ? fsnotify_unmount_inodes+0x170/0x170
      [  109.174145]  ? __fget+0xa8/0xf0
      [  109.177110]  vfs_write+0xf7/0x280
      [  109.179532]  SyS_write+0xa1/0x120
      [  109.181885]  ? SyS_read+0x120/0x120
      [  109.184482]  ? compat_start_thread+0x60/0x60
      [  109.187124]  ? SyS_read+0x120/0x120
      [  109.189548]  do_syscall_64+0xeb/0x250
      [  109.192178]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [  109.194725] RIP: 0033:0x7fabb61ebe99
      [  109.197040] RSP: 002b:00007fabb68d5e98 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
      [  109.200294] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fabb61ebe99
      [  109.203399] RDX: 0000000000000120 RSI: 00000000200001c0 RDI: 0000000000000004
      [  109.206548] RBP: 00007fabb68d5ec0 R08: 0000000000000000 R09: 0000000000000000
      [  109.209902] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fabb68d5fc0
      [  109.213327] R13: 0000000000000000 R14: 00007fff40ab2430 R15: 00007fabb68d69c0
      [  109.216613] Code: 88 44 24 2c 0f b6 84 24 6e 01 00 00 88 44 24 2d 0f
      b6 84 24 69 01 00 00 88 44 24 2e 8b 44 24 60 89 44 24 30 e8 da f6 06 ff
      31 c0 <66> 41 83 7c 24 20 1b 75 04 8b 44 24 64 48 8d 74 24 20 4c 89 e7
      [  109.223602] RIP: ucma_connect+0x138/0x1d0 RSP: ffff8801c8567a80
      [  109.226256] CR2: 0000000000000020
      
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Reported-by: <syzbot+36712f50b0552615bf59@syzkaller.appspotmail.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d4fee2fe
    • Leon Romanovsky's avatar
      RDMA/ucma: Fix use-after-free access in ucma_close · 7b22ab5f
      Leon Romanovsky authored
      commit ed65a4dc upstream.
      
      The error in ucma_create_id() left ctx in the list of contexts belong
      to ucma file descriptor. The attempt to close this file descriptor causes
      to use-after-free accesses while iterating over such list.
      
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Reported-by: <syzbot+dcfd344365a56fbebd0f@syzkaller.appspotmail.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarSean Hefty <sean.hefty@intel.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7b22ab5f
    • Leon Romanovsky's avatar
      RDMA/ucma: Check AF family prior resolving address · c5f3efad
      Leon Romanovsky authored
      commit 2975d5de upstream.
      
      Garbage supplied by user will cause to UCMA module provide zero
      memory size for memcpy(), because it wasn't checked, it will
      produce unpredictable results in rdma_resolve_addr().
      
      [   42.873814] BUG: KASAN: null-ptr-deref in rdma_resolve_addr+0xc8/0xfb0
      [   42.874816] Write of size 28 at addr 00000000000000a0 by task resaddr/1044
      [   42.876765]
      [   42.876960] CPU: 1 PID: 1044 Comm: resaddr Not tainted 4.16.0-rc1-00057-gaa56a5293d7e #34
      [   42.877840] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      [   42.879691] Call Trace:
      [   42.880236]  dump_stack+0x5c/0x77
      [   42.880664]  kasan_report+0x163/0x380
      [   42.881354]  ? rdma_resolve_addr+0xc8/0xfb0
      [   42.881864]  memcpy+0x34/0x50
      [   42.882692]  rdma_resolve_addr+0xc8/0xfb0
      [   42.883366]  ? deref_stack_reg+0x88/0xd0
      [   42.883856]  ? vsnprintf+0x31a/0x770
      [   42.884686]  ? rdma_bind_addr+0xc40/0xc40
      [   42.885327]  ? num_to_str+0x130/0x130
      [   42.885773]  ? deref_stack_reg+0x88/0xd0
      [   42.886217]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
      [   42.887698]  ? unwind_get_return_address_ptr+0x50/0x50
      [   42.888302]  ? replace_slot+0x147/0x170
      [   42.889176]  ? delete_node+0x12c/0x340
      [   42.890223]  ? __radix_tree_lookup+0xa9/0x160
      [   42.891196]  ? ucma_resolve_ip+0xb7/0x110
      [   42.891917]  ucma_resolve_ip+0xb7/0x110
      [   42.893003]  ? ucma_resolve_addr+0x190/0x190
      [   42.893531]  ? _copy_from_user+0x5e/0x90
      [   42.894204]  ucma_write+0x174/0x1f0
      [   42.895162]  ? ucma_resolve_route+0xf0/0xf0
      [   42.896309]  ? dequeue_task_fair+0x67e/0xd90
      [   42.897192]  ? put_prev_entity+0x7d/0x170
      [   42.897870]  ? ring_buffer_record_is_on+0xd/0x20
      [   42.898439]  ? tracing_record_taskinfo_skip+0x20/0x50
      [   42.899686]  __vfs_write+0xc4/0x350
      [   42.900142]  ? kernel_read+0xa0/0xa0
      [   42.900602]  ? firmware_map_remove+0xdf/0xdf
      [   42.901135]  ? do_task_dead+0x5d/0x60
      [   42.901598]  ? do_exit+0xcc6/0x1220
      [   42.902789]  ? __fget+0xa8/0xf0
      [   42.903190]  vfs_write+0xf7/0x280
      [   42.903600]  SyS_write+0xa1/0x120
      [   42.904206]  ? SyS_read+0x120/0x120
      [   42.905710]  ? compat_start_thread+0x60/0x60
      [   42.906423]  ? SyS_read+0x120/0x120
      [   42.908716]  do_syscall_64+0xeb/0x250
      [   42.910760]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   42.912735] RIP: 0033:0x7f138b0afe99
      [   42.914734] RSP: 002b:00007f138b799e98 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
      [   42.917134] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f138b0afe99
      [   42.919487] RDX: 000000000000002e RSI: 0000000020000c40 RDI: 0000000000000004
      [   42.922393] RBP: 00007f138b799ec0 R08: 00007f138b79a700 R09: 0000000000000000
      [   42.925266] R10: 00007f138b79a700 R11: 0000000000000287 R12: 00007f138b799fc0
      [   42.927570] R13: 0000000000000000 R14: 00007ffdbae757c0 R15: 00007f138b79a9c0
      [   42.930047]
      [   42.932681] Disabling lock debugging due to kernel taint
      [   42.934795] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
      [   42.936939] IP: memcpy_erms+0x6/0x10
      [   42.938864] PGD 80000001bea92067 P4D 80000001bea92067 PUD 1bea96067 PMD 0
      [   42.941576] Oops: 0002 [#1] SMP KASAN PTI
      [   42.943952] CPU: 1 PID: 1044 Comm: resaddr Tainted: G    B 4.16.0-rc1-00057-gaa56a5293d7e #34
      [   42.946964] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      [   42.952336] RIP: 0010:memcpy_erms+0x6/0x10
      [   42.954707] RSP: 0018:ffff8801c8b479c8 EFLAGS: 00010286
      [   42.957227] RAX: 00000000000000a0 RBX: ffff8801c8b47ba0 RCX: 000000000000001c
      [   42.960543] RDX: 000000000000001c RSI: ffff8801c8b47bbc RDI: 00000000000000a0
      [   42.963867] RBP: ffff8801c8b47b60 R08: 0000000000000000 R09: ffffed0039168ed1
      [   42.967303] R10: 0000000000000001 R11: ffffed0039168ed0 R12: ffff8801c8b47bbc
      [   42.970685] R13: 00000000000000a0 R14: 1ffff10039168f4a R15: 0000000000000000
      [   42.973631] FS:  00007f138b79a700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000
      [   42.976831] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   42.979239] CR2: 00000000000000a0 CR3: 00000001be908002 CR4: 00000000003606a0
      [   42.982060] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   42.984877] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   42.988033] Call Trace:
      [   42.990487]  rdma_resolve_addr+0xc8/0xfb0
      [   42.993202]  ? deref_stack_reg+0x88/0xd0
      [   42.996055]  ? vsnprintf+0x31a/0x770
      [   42.998707]  ? rdma_bind_addr+0xc40/0xc40
      [   43.000985]  ? num_to_str+0x130/0x130
      [   43.003410]  ? deref_stack_reg+0x88/0xd0
      [   43.006302]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
      [   43.008780]  ? unwind_get_return_address_ptr+0x50/0x50
      [   43.011178]  ? replace_slot+0x147/0x170
      [   43.013517]  ? delete_node+0x12c/0x340
      [   43.016019]  ? __radix_tree_lookup+0xa9/0x160
      [   43.018755]  ? ucma_resolve_ip+0xb7/0x110
      [   43.021270]  ucma_resolve_ip+0xb7/0x110
      [   43.023968]  ? ucma_resolve_addr+0x190/0x190
      [   43.026312]  ? _copy_from_user+0x5e/0x90
      [   43.029384]  ucma_write+0x174/0x1f0
      [   43.031861]  ? ucma_resolve_route+0xf0/0xf0
      [   43.034782]  ? dequeue_task_fair+0x67e/0xd90
      [   43.037483]  ? put_prev_entity+0x7d/0x170
      [   43.040215]  ? ring_buffer_record_is_on+0xd/0x20
      [   43.042990]  ? tracing_record_taskinfo_skip+0x20/0x50
      [   43.045595]  __vfs_write+0xc4/0x350
      [   43.048624]  ? kernel_read+0xa0/0xa0
      [   43.051604]  ? firmware_map_remove+0xdf/0xdf
      [   43.055379]  ? do_task_dead+0x5d/0x60
      [   43.058000]  ? do_exit+0xcc6/0x1220
      [   43.060783]  ? __fget+0xa8/0xf0
      [   43.063133]  vfs_write+0xf7/0x280
      [   43.065677]  SyS_write+0xa1/0x120
      [   43.068647]  ? SyS_read+0x120/0x120
      [   43.071179]  ? compat_start_thread+0x60/0x60
      [   43.074025]  ? SyS_read+0x120/0x120
      [   43.076705]  do_syscall_64+0xeb/0x250
      [   43.079006]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   43.081606] RIP: 0033:0x7f138b0afe99
      [   43.083679] RSP: 002b:00007f138b799e98 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
      [   43.086802] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f138b0afe99
      [   43.089989] RDX: 000000000000002e RSI: 0000000020000c40 RDI: 0000000000000004
      [   43.092866] RBP: 00007f138b799ec0 R08: 00007f138b79a700 R09: 0000000000000000
      [   43.096233] R10: 00007f138b79a700 R11: 0000000000000287 R12: 00007f138b799fc0
      [   43.098913] R13: 0000000000000000 R14: 00007ffdbae757c0 R15: 00007f138b79a9c0
      [   43.101809] Code: 90 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
      c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48
      89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
      [   43.107950] RIP: memcpy_erms+0x6/0x10 RSP: ffff8801c8b479c8
      
      Reported-by: <syzbot+1d8c43206853b369d00c@syzkaller.appspotmail.com>
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarSean Hefty <sean.hefty@intel.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5f3efad
    • Florian Westphal's avatar
      xfrm_user: uncoditionally validate esn replay attribute struct · 83ee89c6
      Florian Westphal authored
      commit d97ca5d7 upstream.
      
      The sanity test added in ecd79187 can be bypassed, validation
      only occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care
      and just checks if the attribute itself is present.
      
      So always validate.  Alternative is to reject if we have the attribute
      without the flag but that would change abi.
      
      Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
      Cc: Mathias Krause <minipli@googlemail.com>
      Fixes: ecd79187 ("xfrm_user: ensure user supplied esn replay window is valid")
      Fixes: d8647b79 ("xfrm: Add user interface for esn and big anti-replay windows")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      83ee89c6
    • Nick Desaulniers's avatar
      arm64: avoid overflow in VA_START and PAGE_OFFSET · 28dae08f
      Nick Desaulniers authored
      commit 82cd5880 upstream.
      
      The bitmask used to define these values produces overflow, as seen by
      this compiler warning:
      
      arch/arm64/kernel/head.S:47:8: warning:
            integer overflow in preprocessor expression
        #elif (PAGE_OFFSET & 0x1fffff) != 0
               ^~~~~~~~~~~
      arch/arm64/include/asm/memory.h:52:46: note:
            expanded from macro 'PAGE_OFFSET'
        #define PAGE_OFFSET             (UL(0xffffffffffffffff) << (VA_BITS -
      1))
                                            ~~~~~~~~~~~~~~~~~~  ^
      
      It would be preferrable to use GENMASK_ULL() instead, but it's not set
      up to be used from assembly (the UL() macro token pastes UL suffixes
      when not included in assembly sources).
      Suggested-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Suggested-by: default avatarYury Norov <ynorov@caviumnetworks.com>
      Suggested-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      [natechancellor: KIMAGE_VADDR doesn't exist]
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28dae08f
    • Matthias Kaehlcke's avatar
      selinux: Remove redundant check for unknown labeling behavior · eca9e0af
      Matthias Kaehlcke authored
      commit 270e8573 upstream.
      
      The check is already performed in ocontext_read() when the policy is
      loaded. Removing the array also fixes the following warning when
      building with clang:
      
      security/selinux/hooks.c:338:20: error: variable 'labeling_behaviors'
          is not needed and will not be emitted
          [-Werror,-Wunneeded-internal-declaration]
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      [natechancellor: inode_doinit_with_dentry still present]
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eca9e0af
    • Matthias Kaehlcke's avatar
      netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch · 46e7cb4d
      Matthias Kaehlcke authored
      commit a2b7cbdd upstream.
      
      Not all parameters passed to ctnetlink_parse_tuple() and
      ctnetlink_exp_dump_tuple() match the enum type in the signatures of these
      functions. Since this is intended change the argument type of to be an
      unsigned integer value.
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      [natechancellor: ctnetlink_exp_dump_tuple is still inline]
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46e7cb4d
    • Arnd Bergmann's avatar
      tty: provide tty_name() even without CONFIG_TTY · d04166f3
      Arnd Bergmann authored
      commit 188e3c5c upstream.
      
      The audit subsystem just started printing the name of the tty,
      but that causes a build failure when CONFIG_TTY is disabled:
      
      kernel/built-in.o: In function `audit_log_task_info':
      memremap.c:(.text+0x5e34c): undefined reference to `tty_name'
      kernel/built-in.o: In function `audit_set_loginuid':
      memremap.c:(.text+0x63b34): undefined reference to `tty_name'
      
      This adds tty_name() to the list of functions that are provided
      as trivial stubs in that configuration.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: db0a6fb5 ("audit: add tty field to LOGIN event")
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      [natechancellor: tty_paranoia_check still exists]
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d04166f3
    • Richard Guy Briggs's avatar
      audit: add tty field to LOGIN event · 54585370
      Richard Guy Briggs authored
      commit db0a6fb5 upstream.
      
      The tty field was missing from AUDIT_LOGIN events.
      
      Refactor code to create a new function audit_get_tty(), using it to
      replace the call in audit_log_task_info() and to add it to
      audit_log_set_loginuid().  Lock and bump the kref to protect it, adding
      audit_put_tty() alias to decrement it.
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54585370
    • Matthias Kaehlcke's avatar
      frv: declare jiffies to be located in the .data section · 1b15e77f
      Matthias Kaehlcke authored
      commit 60b0a8c3 upstream.
      
      Commit 7c30f352 ("jiffies.h: declare jiffies and jiffies_64 with
      ____cacheline_aligned_in_smp") removed a section specification from the
      jiffies declaration that caused conflicts on some platforms.
      
      Unfortunately this change broke the build for frv:
      
        kernel/built-in.o: In function `__do_softirq': (.text+0x6460): relocation truncated to fit: R_FRV_GPREL12 against symbol
            `jiffies' defined in *ABS* section in .tmp_vmlinux1
        kernel/built-in.o: In function `__do_softirq': (.text+0x6574): relocation truncated to fit: R_FRV_GPREL12 against symbol
            `jiffies' defined in *ABS* section in .tmp_vmlinux1
        kernel/built-in.o: In function `pwq_activate_delayed_work': workqueue.c:(.text+0x15b9c): relocation truncated to fit: R_FRV_GPREL12 against
            symbol `jiffies' defined in *ABS* section in .tmp_vmlinux1
        ...
      
      Add __jiffy_arch_data to the declaration of jiffies and use it on frv to
      include the section specification.  For all other platforms
      __jiffy_arch_data (currently) has no effect.
      
      Fixes: 7c30f352 ("jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp")
      Link: http://lkml.kernel.org/r/20170516221333.177280-1-mka@chromium.orgSigned-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: default avatarDavid Howells <dhowells@redhat.com>
      Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b15e77f
    • Matthias Kaehlcke's avatar
      jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp · 16d18bf7
      Matthias Kaehlcke authored
      commit 7c30f352 upstream.
      
      jiffies_64 is defined in kernel/time/timer.c with
      ____cacheline_aligned_in_smp, however this macro is not part of the
      declaration of jiffies and jiffies_64 in jiffies.h.
      
      As a result clang generates the following warning:
      
        kernel/time/timer.c:57:26: error: section does not match previous declaration [-Werror,-Wsection]
        __visible u64 jiffies_64 __cacheline_aligned_in_smp = INITIAL_JIFFIES;
                                 ^
        include/linux/cache.h:39:36: note: expanded from macro '__cacheline_aligned_in_smp'
                                           ^
        include/linux/cache.h:34:4: note: expanded from macro '__cacheline_aligned'
                         __section__(".data..cacheline_aligned")))
                         ^
        include/linux/jiffies.h:77:12: note: previous attribute is here
        extern u64 __jiffy_data jiffies_64;
                   ^
        include/linux/jiffies.h:70:38: note: expanded from macro '__jiffy_data'
      
      Link: http://lkml.kernel.org/r/20170403190200.70273-1-mka@chromium.orgSigned-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>
      Cc: Grant Grundler <grundler@chromium.org>
      Cc: Michael Davidson <md@google.com>
      Cc: Greg Hackmann <ghackmann@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16d18bf7
    • Mark Charlebois's avatar
      fs: compat: Remove warning from COMPATIBLE_IOCTL · 00732963
      Mark Charlebois authored
      commit 9280cdd6 upstream.
      
      cmd in COMPATIBLE_IOCTL is always a u32, so cast it so there isn't a
      warning about an overflow in XFORM.
      
      From: Mark Charlebois <charlebm@gmail.com>
      Signed-off-by: default avatarMark Charlebois <charlebm@gmail.com>
      Signed-off-by: default avatarBehan Webster <behanw@converseincode.com>
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      00732963
    • Matthias Kaehlcke's avatar
      selinux: Remove unnecessary check of array base in selinux_set_mapping() · 76fa23e7
      Matthias Kaehlcke authored
      commit 342e9157 upstream.
      
      'perms' will never be NULL since it isn't a plain pointer but an array
      of u32 values.
      
      This fixes the following warning when building with clang:
      
      security/selinux/ss/services.c:158:16: error: address of array
      'p_in->perms' will always evaluate to 'true'
      [-Werror,-Wpointer-bool-conversion]
                      while (p_in->perms && p_in->perms[k]) {
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Cc: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      76fa23e7
    • Matthias Kaehlcke's avatar
      cpumask: Add helper cpumask_available() · 2abc2436
      Matthias Kaehlcke authored
      commit f7e30f01 upstream.
      
      With CONFIG_CPUMASK_OFFSTACK=y cpumask_var_t is a struct cpumask
      pointer, otherwise a struct cpumask array with a single element.
      
      Some code dealing with cpumasks needs to validate that a cpumask_var_t
      is not a NULL pointer when CONFIG_CPUMASK_OFFSTACK=y. This is typically
      done by performing the check always, regardless of the underlying type
      of cpumask_var_t. This works in both cases, however clang raises a
      warning like this when CONFIG_CPUMASK_OFFSTACK=n:
      
      kernel/irq/manage.c:839:28: error: address of array
      'desc->irq_common_data.affinity' will always evaluate to 'true'
      [-Werror,-Wpointer-bool-conversion]
      
      Add the inline helper cpumask_available() which only performs the
      pointer check if CONFIG_CPUMASK_OFFSTACK=y.
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Cc: Grant Grundler <grundler@chromium.org>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Greg Hackmann <ghackmann@google.com>
      Cc: Michael Davidson <md@google.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Link: http://lkml.kernel.org/r/20170412182030.83657-1-mka@chromium.orgSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2abc2436
    • Matthias Kaehlcke's avatar
      genirq: Use cpumask_available() for check of cpumask variable · ce4f4ffc
      Matthias Kaehlcke authored
      commit d170fe7d upstream.
      
      This fixes the following clang warning when CONFIG_CPUMASK_OFFSTACK=n:
      
      kernel/irq/manage.c:839:28: error: address of array
      'desc->irq_common_data.affinity' will always evaluate to 'true'
      [-Werror,-Wpointer-bool-conversion]
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Cc: Grant Grundler <grundler@chromium.org>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Greg Hackmann <ghackmann@google.com>
      Cc: Michael Davidson <md@google.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Link: http://lkml.kernel.org/r/20170412182030.83657-2-mka@chromium.orgSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce4f4ffc
    • Nick Desaulniers's avatar
      netfilter: nf_nat_h323: fix logical-not-parentheses warning · a8f9bab6
      Nick Desaulniers authored
      commit eee6ebba upstream.
      
      Clang produces the following warning:
      
      net/ipv4/netfilter/nf_nat_h323.c:553:6: error:
      logical not is only applied to the left hand side of this comparison
        [-Werror,-Wlogical-not-parentheses]
      if (!set_h225_addr(skb, protoff, data, dataoff, taddr,
          ^
      add parentheses after the '!' to evaluate the comparison first
      add parentheses around left hand side expression to silence this warning
      
      There's not necessarily a bug here, but it's cleaner to return early,
      ex:
      
      if (x)
        return
      ...
      
      rather than:
      
      if (x == 0)
        ...
      else
        return
      
      Also added a return code check that seemed to be missing in one
      instance.
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Cc: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a8f9bab6
    • Nick Desaulniers's avatar
      Input: mousedev - fix implicit conversion warning · 1a4106d6
      Nick Desaulniers authored
      commit dae1a432 upstream.
      
      Clang warns:
      
      drivers/input/mousedev.c:653:63: error: implicit conversion from 'int'
      to 'signed char' changes value from 200 to -56
      [-Wconstant-conversion]
        client->ps2[1] = 0x60; client->ps2[2] = 3; client->ps2[3] = 200;
                                                                  ~ ^~~
      As the PS2 data is really a stream of bytes, let's switch to using u8 type
      for it, which silences this warning.
      Signed-off-by: default avatarNick Desaulniers <nick.desaulniers@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1a4106d6