05 Sep, 2018: 29 commits
24 Aug, 2018: 11 commits
    • Linux 4.9.124 · e8d49e42
      Greg Kroah-Hartman authored
    • reiserfs: fix broken xattr handling (heap corruption, bad retval) · 696d906b
      Jann Horn authored
      commit a13f085d upstream.
      
      This fixes the following issues:
      
      - When a buffer size is supplied to reiserfs_listxattr() such that each
        individual name fits, but the concatenation of all names doesn't fit,
        reiserfs_listxattr() overflows the supplied buffer.  This leads to a
        kernel heap overflow (verified using KASAN) followed by an out-of-bounds
        usercopy and is therefore a security bug.
      
      - When a buffer size is supplied to reiserfs_listxattr() such that a
        name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
        truncates the list of names; I have verified that if the only xattr on a
        file has a longer name than the supplied buffer length, listxattr()
        incorrectly returns zero.
      
      With my patch applied, -ERANGE is returned in both cases and the memory
      corruption doesn't happen anymore.
      
      Credit for making me clean this code up a bit goes to Al Viro, who pointed
      out that the ->actor calling convention is suboptimal and should be
      changed.
      
      Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
      Fixes: 48b32a35 ("reiserfs: use generic xattr handlers")
      Signed-off-by: Jann Horn <jannh@google.com>
      Acked-by: Jeff Mahoney <jeffm@suse.com>
      Cc: Eric Biggers <ebiggers@google.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
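As an added illustration of the buffer-size contract the commit above describes (example code written for this page, not reiserfs or kernel code): a listxattr(2)-style name list builder whose per-name actor checks the space remaining after earlier names rather than the whole buffer, returns the required size when called with no buffer, and returns -ERANGE instead of silently truncating. The names `listxattr_names`, `list_one_name`, the two check predicates and the sample attribute names are all constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed example, not reiserfs code: a listxattr(2)-style name list
 * builder that honours the caller-supplied buffer size.
 *
 * Contract (mirrors the listxattr(2) interface):
 *   - buf == NULL or size == 0: return the total bytes needed for all
 *     NUL-terminated names concatenated, write nothing;
 *   - otherwise copy the names and return the bytes written, or -ERANGE
 *     if the concatenation does not fit. Nothing is ever written past
 *     buf + size.
 */
struct xattr_name_list {
    const char *const *names;   /* NUL-terminated attribute names */
    size_t count;
};

/* The flawed comparison: each name is checked against the whole buffer,
 * ignoring what earlier names already consumed. Expressed as a predicate
 * only, so it performs no write. */
int flawed_check_accepts(size_t size, size_t used, size_t len)
{
    (void)used;
    return len <= size;
}

/* The correct comparison: check against the space that is still free. */
int correct_check_accepts(size_t size, size_t used, size_t len)
{
    return len <= size - used;
}

/* One actor call per name. Returns bytes consumed, or -ERANGE. */
static ssize_t list_one_name(char *buf, size_t size, size_t used,
                             const char *name)
{
    size_t len = strlen(name) + 1;      /* include the terminating NUL */

    if (buf == NULL || size == 0)
        return (ssize_t)len;            /* size query: count only */
    if (!correct_check_accepts(size, used, len))
        return -ERANGE;                 /* do not truncate, report it */
    memcpy(buf + used, name, len);
    return (ssize_t)len;
}

ssize_t listxattr_names(const struct xattr_name_list *list,
                        char *buf, size_t size)
{
    size_t used = 0;

    for (size_t i = 0; i < list->count; i++) {
        ssize_t n = list_one_name(buf, size, used, list->names[i]);
        if (n < 0)
            return n;
        used += (size_t)n;
    }
    return (ssize_t)used;
}

/* Constructed sample: "user.a" (7 bytes with NUL) + "user.bb" (8) = 15. */
static const char *const sample_names[] = { "user.a", "user.bb" };
static const struct xattr_name_list sample = { sample_names, 2 };

ssize_t demo_size_query(void)           /* 15: bytes needed */
{
    return listxattr_names(&sample, NULL, 0);
}

ssize_t demo_exact_fit(void)            /* 15: both names copied */
{
    char buf[15];
    return listxattr_names(&sample, buf, sizeof buf);
}

ssize_t demo_concat_too_long(void)      /* -ERANGE: each name fits alone */
{
    char buf[10];                       /* 7 fits, then 8 > 10 - 7 */
    return listxattr_names(&sample, buf, sizeof buf);
}

ssize_t demo_single_too_long(void)      /* -ERANGE, not 0 */
{
    static const char *const one[] = { "user.a" };
    const struct xattr_name_list single = { one, 1 };
    char buf[4];
    return listxattr_names(&single, buf, sizeof buf);
}

int main(void)
{
    printf("size query:      %zd\n", demo_size_query());
    printf("exact fit:       %zd\n", demo_exact_fit());
    printf("concat too long: %zd (-ERANGE is %d)\n",
           demo_concat_too_long(), -ERANGE);
    printf("single too long: %zd\n", demo_single_too_long());
    return 0;
}
```

The flawed predicate is kept as a predicate on purpose: with a 10-byte buffer and 7 bytes already used, it still accepts an 8-byte name, which is exactly the case where a writer that trusts it overruns the buffer; the correct predicate rejects it and the caller gets -ERANGE.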
    • i2c: imx: Fix race condition in dma read · 44745bd1
      Esben Haabendal authored
      commit bed4ff1e upstream.
      
      This fixes a race condition, where the DMAEN bit ends up being set after
      I2C slave has transmitted a byte following the dummy read.  When that
      happens, an interrupt is generated instead, and no DMA request is generated
      to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).
      
      Fixed by setting the DMAEN bit before the dummy read.
      
      Signed-off-by: Esben Haabendal <eha@deif.com>
      Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
      Cc: stable@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: pciehp: Fix unprotected list iteration in IRQ handler · 86a3d597
      Lukas Wunner authored
      commit 1204e35b upstream.
      
      Commit b440bde7 ("PCI: Add pci_ignore_hotplug() to ignore hotplug
      events for a device") iterates over the devices on a hotplug port's
      subordinate bus in pciehp's IRQ handler without acquiring pci_bus_sem.
      It is thus possible for a user to cause a crash by concurrently
      manipulating the device list, e.g. by disabling slot power via sysfs
      on a different CPU or by initiating a remove/rescan via sysfs.
      
      This can't be fixed by acquiring pci_bus_sem because it may sleep.
      The simplest fix is to avoid the list iteration altogether and just
      check the ignore_hotplug flag on the port itself.  This works because
      pci_ignore_hotplug() sets the flag both on the device as well as on its
      parent bridge.
      
      We do lose the ability to print the name of the device blocking hotplug
      in the debug message, but that's probably bearable.
      
      Fixes: b440bde7 ("PCI: Add pci_ignore_hotplug() to ignore hotplug events for a device")
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: pciehp: Fix use-after-free on unplug · 3fcdcdd5
      Lukas Wunner authored
      commit 281e878e upstream.
      
      When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
      hotplug_slot struct is deregistered and thus freed before freeing the
      IRQ.  The IRQ handler and the work items it schedules print the slot
      name referenced from the freed structure in various informational and
      debug log messages, each time resulting in a quadruple dereference of
      freed pointers (hotplug_slot -> pci_slot -> kobject -> name).
      
      At best the slot name is logged as "(null)", at worst kernel memory is
      exposed in logs or the driver crashes:
      
        pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present
      
      An attacker may provoke the bug by unplugging multiple devices on a
      Thunderbolt daisy chain at once.  Unplugging can also be simulated by
      powering down slots via sysfs.  The bug is particularly easy to trigger
      in poll mode.
      
      It has been present since the driver's introduction in 2004:
      https://git.kernel.org/tglx/history/c/c16b4b14d980
      
      Fix by rearranging teardown such that the IRQ is freed first.  Run the
      work items queued by the IRQ handler to completion before freeing the
      hotplug_slot struct by draining the work queue from the ->release_slot
      callback which is invoked by pci_hp_deregister().
      
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org # v2.6.4
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: Skip MPS logic for Virtual Functions (VFs) · 73aae596
      Myron Stowe authored
      commit 3dbe97ef upstream.
      
      PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
      Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
      VFs.  Just prior to the table it states:
      
        "PF and VF functionality is defined in Section 7.5.3.4 except where
         noted in Table 9-16.  For VF fields marked 'RsvdP', the PF setting
         applies to the VF."
      
      All of which implies that with respect to Max_Payload_Size Supported
      (MPSS), MPS, and MRRS values, we should not be paying any attention to the
      VF's fields, but rather only to the PF's.  Only looking at the PF's fields
      also logically makes sense as it's the sole physical interface to the PCIe
      bus.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
      Fixes: 27d868b5 ("PCI: Set MPS to match upstream bridge")
      Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org # 4.3+
      Cc: Keith Busch <keith.busch@intel.com>
      Cc: Sinan Kaya <okaya@kernel.org>
      Cc: Dongdong Liu <liudongdong3@huawei.com>
      Cc: Jon Mason <jdmason@kudzu.us>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: hotplug: Don't leak pci_slot on registration failure · f2842452
      Lukas Wunner authored
      commit 4ce64358 upstream.
      
      If addition of sysfs files fails on registration of a hotplug slot, the
      struct pci_slot as well as the entry in the slot_list is leaked.  The
      issue has been present since the hotplug core was introduced in 2002:
      https://git.kernel.org/tglx/history/c/a8a2069f432c
      
      Perhaps the idea was that even though sysfs addition fails, the slot
      should still be usable.  But that's not how drivers use the interface,
      they abort probe if a non-zero value is returned.
      
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org # v2.4.15+
      Cc: Greg Kroah-Hartman <greg@kroah.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • parisc: Remove unnecessary barriers from spinlock.h · eba0611e
      John David Anglin authored
      commit 3b885ac1 upstream.
      
      Now that mb() is an instruction barrier, it will slow performance if we issue
      unnecessary barriers.
      
      The spinlock defines have a number of unnecessary barriers.  The __ldcw()
      define is both a hardware and compiler barrier.  The mb() barriers in the
      routines using __ldcw() serve no purpose.
      
      The only barrier needed is the one in arch_spin_unlock().  We need to ensure
      all accesses are complete prior to releasing the lock.
      
      Signed-off-by: John David Anglin <dave.anglin@bell.net>
      Cc: stable@vger.kernel.org # 4.0+
      Signed-off-by: Helge Deller <deller@gmx.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • packet: refine ring v3 block size test to hold one frame · 59629848
      Willem de Bruijn authored
      commit 4576cd46 upstream.
      
      TPACKET_V3 stores variable length frames in fixed length blocks.
      Blocks must be able to store a block header, optional private space
      and at least one minimum sized frame.
      
      Frames, even for a zero snaplen packet, store metadata headers and
      optional reserved space.
      
      In the block size bounds check, ensure that the frame of the
      chosen configuration fits. This includes sockaddr_ll and optional
      tp_reserve.
      
      Syzbot was able to construct a ring with insufficient room for the
      sockaddr_ll in the header of a zero-length frame, triggering an
      out-of-bounds write in dev_parse_header.
      
      Convert the comparison to less than, as zero is a valid snap len.
      This matches the test for minimum tp_frame_size immediately below.
      
      Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.")
      Fixes: eb73190f ("net/packet: refine check for priv area size")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state · f29eb8ee
      Florian Westphal authored
      commit 6613b617 upstream.
      
      When the first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
      that has an un-initialized timeout value, i.e. such an entry could be
      reaped at any time.
      
      Mark them as INVALID and only ignore SYNC/SYNCACK when the connection had
      an old state.
      
      Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • xfrm_user: prevent leaking 2 bytes of kernel memory · 2038a9e1
      Eric Dumazet authored
      commit 45c180bc upstream.
      
      struct xfrm_userpolicy_type has two holes, so we should not
      use C99 style initializer.
      
      KMSAN report:
      
      BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
      BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
      CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
       kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
       kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
       copyout lib/iov_iter.c:140 [inline]
       _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
       copy_to_iter include/linux/uio.h:106 [inline]
       skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
       skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
       netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
       sock_recvmsg_nosec net/socket.c:802 [inline]
       sock_recvmsg+0x1d6/0x230 net/socket.c:809
       ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
       __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
       do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
       __do_sys_recvmmsg net/socket.c:2485 [inline]
       __se_sys_recvmmsg net/socket.c:2481 [inline]
       __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
       do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x446ce9
      RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
      RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
      RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
      RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
      R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
      R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
       kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
       __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
       __nla_put lib/nlattr.c:569 [inline]
       nla_put+0x276/0x340 lib/nlattr.c:627
       copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
       dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
       xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
       xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
       netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
       __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
       netlink_dump_start include/linux/netlink.h:214 [inline]
       xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
       netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
       xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Local variable description: ----upt.i@dump_one_policy
      Variable was created at:
       dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
       xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
      
      Byte 130 of 137 is uninitialized
      Memory access starts at ffff88019550407f
      
      Fixes: c0144bea ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
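As an added example written for this page (not kernel code, and not the struct from the commit above): a constructed structure whose field alignment leaves padding holes, a check that walks the object byte by byte and flags any padding byte that is non-zero, and the two initialisation patterns side by side, the designated initializer the commit replaces and the memset-then-assign form it introduces. The struct layout and the names `policy_type`, `padding_bytes`, `padding_is_zero`, `init_with_initializer` and `init_with_memset` are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the kernel's struct: natural alignment of the
 * uint16_t leaves a hole at offset 1, and the trailing uint8_t leaves a
 * byte of tail padding at offset 5, so two padding bytes in a 6-byte
 * object on common ABIs. Field names are assumed for the example. */
struct policy_type {
    uint8_t  type;      /* offset 0; padding hole at offset 1 */
    uint16_t reserved;  /* offset 2 */
    uint8_t  flags;     /* offset 4; padding hole at offset 5 */
};

/* Bytes of the object that belong to no field: what a whole-struct copy
 * to user space (or into a netlink attribute) exposes if they are never
 * written. */
size_t padding_bytes(void)
{
    return sizeof(struct policy_type)
         - sizeof(((struct policy_type *)0)->type)
         - sizeof(((struct policy_type *)0)->reserved)
         - sizeof(((struct policy_type *)0)->flags);
}

/* True if byte `off` lies in [start, start + len). The unsigned
 * subtraction wraps for off < start, which makes the test false. */
static int in_range(size_t off, size_t start, size_t len)
{
    return off - start < len;
}

/* Is byte `off` of the object inside a named field? */
static int in_field(size_t off)
{
    return in_range(off, offsetof(struct policy_type, type), sizeof(uint8_t))
        || in_range(off, offsetof(struct policy_type, reserved), sizeof(uint16_t))
        || in_range(off, offsetof(struct policy_type, flags), sizeof(uint8_t));
}

/* Returns 1 if every padding byte of *p is zero, 0 otherwise. */
int padding_is_zero(const struct policy_type *p)
{
    const unsigned char *raw = (const unsigned char *)p;

    for (size_t off = 0; off < sizeof *p; off++)
        if (!in_field(off) && raw[off] != 0)
            return 0;
    return 1;
}

/* The pattern the commit replaces: a designated initializer. C11 6.7.9
 * leaves the padding bytes unspecified, so they may hold whatever the
 * stack slot contained before. */
void init_with_initializer(struct policy_type *out, uint8_t type)
{
    struct policy_type upt = { .type = type };
    memcpy(out, &upt, sizeof upt);      /* byte copy, padding included */
}

/* The hardened pattern: zero the whole object first, then set fields, so
 * every byte is defined before the copy. */
void init_with_memset(struct policy_type *out, uint8_t type)
{
    struct policy_type upt;
    memset(&upt, 0, sizeof upt);
    upt.type = type;
    memcpy(out, &upt, sizeof upt);
}

/* Demo: prefill the destination with a recognisable pattern so padding
 * that the copy leaves untouched would show up as non-zero. */
int demo_memset_clears_padding(void)
{
    struct policy_type dst;

    memset(&dst, 0xAA, sizeof dst);
    init_with_memset(&dst, 1);
    return padding_is_zero(&dst) && dst.type == 1 && dst.reserved == 0
        && dst.flags == 0;
}

int main(void)
{
    struct policy_type a, b;

    printf("sizeof = %zu, padding bytes = %zu\n",
           sizeof(struct policy_type), padding_bytes());
    init_with_initializer(&a, 1);
    init_with_memset(&b, 1);
    printf("initializer path padding zero: %d (compiler-dependent)\n",
           padding_is_zero(&a));
    printf("memset path padding zero:      %d\n", padding_is_zero(&b));
    return 0;
}
```

Whether `init_with_initializer` leaves the padding zero depends on the compiler and on what previously occupied the stack slot; the standard does not require padding to be initialised, which is why only the memset path is asserted on. A copy of the whole object, as `nla_put()` performs in the report above, carries those bytes along regardless of the field values, so zeroing the object before filling it is the dependable fix.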