1. 01 Aug, 2018 3 commits
      squashfs metadata 2: electric boogaloo · cdbb65c4
      Linus Torvalds authored
      Anatoly continues to find issues with fuzzed squashfs images.
      
      This time, corrupt, missing, or undersized data for the page filling
      wasn't checked for, because the squashfs_{copy,read}_cache() functions
      did the squashfs_copy_data() call without checking the resulting data
      size.
      
      Which could result in the page cache pages being incompletely filled in,
      and no error indication to the user space reading garbage data.
      
      So make a helper function for the "fill in pages" case, because the
      exact same incomplete sequence existed in two places.
      
      [ I should have made a squashfs branch for these things, but I didn't
        intend to start doing them in the first place.
      
        My historical connection through cramfs is why I got into looking at
        these issues at all, and every time I (continue to) think it's a
        one-off.
      
        Because _this_ time is always the last time. Right?   - Linus ]
      Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Tested-by: Willy Tarreau <w@1wt.eu>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Phillip Lougher <phillip@squashfs.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
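A user-space model of the size check this commit describes, added here as an illustration and not the kernel's own code: copy_data() stands in for squashfs_copy_data() (it returns a short count on a truncated block rather than an error), fill_pages_unchecked() mirrors the pre-fix pattern of calling it without looking at the result, and fill_pages_checked() is a hypothetical version of the shared "fill in pages" helper that compares copied bytes with the expected size. The struct layout, function names and the 5000-byte truncated input are constructed assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096

/* Model of one decompressed squashfs data block (constructed for this example).
 * 'len' is how much data actually came out of the decompressor; a corrupt or
 * truncated block yields fewer bytes than the inode claims. */
struct block {
    const unsigned char *data;
    size_t len;
};

/* Stand-in for squashfs_copy_data(): copies up to 'want' bytes from 'offset'
 * and returns the number of bytes actually copied.  A short block gives a
 * short copy; it never signals an error on its own. */
static size_t copy_data(unsigned char *dst, const struct block *b,
                        size_t offset, size_t want)
{
    if (offset >= b->len)
        return 0;
    size_t avail = b->len - offset;
    if (want > avail)
        want = avail;
    memcpy(dst, b->data + offset, want);
    return want;
}

/* "Before": fill nr_pages pages and ignore the returned sizes.  A short block
 * leaves the tail of the pages holding whatever was there before, and the
 * caller reports success, so a reader sees stale page contents. */
static int fill_pages_unchecked(unsigned char *pages, int nr_pages,
                                const struct block *b)
{
    for (int i = 0; i < nr_pages; i++)
        copy_data(pages + (size_t)i * PAGE_SIZE, b,
                  (size_t)i * PAGE_SIZE, PAGE_SIZE);
    return 0;
}

/* "After": one helper for the fill-in-pages case that compares what was
 * copied with what was expected.  On a short copy it wipes the pages and
 * returns -EIO so the read fails instead of exposing partial data. */
static int fill_pages_checked(unsigned char *pages, int nr_pages,
                              size_t expected, const struct block *b)
{
    size_t done = 0;
    for (int i = 0; i < nr_pages && done < expected; i++) {
        size_t want = expected - done;
        if (want > PAGE_SIZE)
            want = PAGE_SIZE;
        size_t got = copy_data(pages + (size_t)i * PAGE_SIZE, b, done, want);
        if (got != want) {
            memset(pages, 0, (size_t)nr_pages * PAGE_SIZE);
            return -EIO;
        }
        done += got;
    }
    return done == expected ? 0 : -EIO;
}

struct fill_result {
    int ret;        /* return code of the fill routine */
    size_t stale;   /* bytes of pre-existing page content left visible */
};

/* Constructed scenario: the inode claims 8192 bytes (two pages) but the
 * decompressed block is only 5000 bytes long. */
static struct fill_result run_truncated(int use_checked)
{
    static unsigned char raw[5000];
    static unsigned char pages[2 * PAGE_SIZE];
    memset(raw, 'A', sizeof raw);
    memset(pages, 0xCC, sizeof pages);   /* 0xCC marks stale page content */
    struct block b = { raw, sizeof raw };

    struct fill_result r;
    r.ret = use_checked ? fill_pages_checked(pages, 2, sizeof pages, &b)
                        : fill_pages_unchecked(pages, 2, &b);
    r.stale = 0;
    for (size_t i = 0; i < sizeof pages; i++)
        if (pages[i] == 0xCC)
            r.stale++;
    return r;
}

static int truncated_ret(int use_checked) { return run_truncated(use_checked).ret; }
static size_t truncated_stale(int use_checked) { return run_truncated(use_checked).stale; }

/* Constructed control case: a block of the full 8192 bytes passes the check. */
static int full_block_ret(void)
{
    static unsigned char raw[2 * PAGE_SIZE];
    static unsigned char pages[2 * PAGE_SIZE];
    memset(raw, 'B', sizeof raw);
    struct block b = { raw, sizeof raw };
    return fill_pages_checked(pages, 2, sizeof pages, &b);
}

int main(void)
{
    printf("unchecked: ret=%d stale=%zu\n", truncated_ret(0), truncated_stale(0));
    printf("checked:   ret=%d stale=%zu\n", truncated_ret(1), truncated_stale(1));
    printf("full block: ret=%d\n", full_block_ret());
    return 0;
}
```

With the truncated input the unchecked path returns 0 while 3192 bytes of the second page are still the pre-existing filler; the checked helper returns -EIO and leaves no stale bytes, which is the behaviour a reader of a fuzzed image should get instead of garbage.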
      staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages · 44960f2a
      John Stultz authored
      Amit Pundir and Youling in parallel reported crashes with recent
      mainline kernels running Android:
      
        F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        F DEBUG   : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key
        F DEBUG   : Revision: '0'
        F DEBUG   : ABI: 'arm'
        F DEBUG   : pid: 2261, tid: 2261, name: zygote  >>> zygote <<<
        F DEBUG   : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008
        ... <snip> ...
        F DEBUG   : backtrace:
        F DEBUG   :     #00 pc 00001c04  /system/lib/libc.so (memset+48)
        F DEBUG   :     #01 pc 0010c513  /system/lib/libart.so (create_mspace_with_base+82)
        F DEBUG   :     #02 pc 0015c601  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40)
        F DEBUG   :     #03 pc 0015c3ed  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36)
        ...
      
      This was bisected back to commit bfd40eaf ("mm: fix
      vma_is_anonymous() false-positives").
      
      create_mspace_with_base() in the trace above, utilizes ashmem, and with
      ashmem, for shared mappings we use shmem_zero_setup(), which sets the
      vma->vm_ops to &shmem_vm_ops.  But for private ashmem mappings nothing
      sets the vma->vm_ops.
      
      Looking at the problematic patch, it seems to add a requirement that one
      call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be
      used.  Using the dummy_vm_ops seems to trigger SIGBUS when traversing
      unmapped pages.
      
      Thus, this patch adds a call to vma_set_anonymous() for ashmem private
      mappings and seems to avoid the reported problem.
      
      Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Joel Fernandes <joelaf@google.com>
      Cc: Colin Cross <ccross@google.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Reported-by: Amit Pundir <amit.pundir@linaro.org>
      Reported-by: Youling 257 <youling257@gmail.com>
      Signed-off-by: John Stultz <john.stultz@linaro.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      ia64: mark special ia64 memory areas anonymous · ebad825c
      Linus Torvalds authored
      Commit bfd40eaf ("mm: fix vma_is_anonymous() false-positives") made
      newly allocated vma's have a dummy vm_ops field so that they wouldn't be
      mistaken for anonymous mappings, and if you wanted an anonymous vma you
      had to explicitly say so by calling "vma_set_anonymous()" on it.
      
      However, it missed the two special vmas that ia64 processes have: the
      register backing store and the NaT page.  So they wouldn't actually act
      like anonymous ranges, and page faults on them caused a SIGBUS rather
      than the creation of a new anon page in them.
      
      That obviously will make any ia64 binary very unhappy indeed, and the
      boot fails early.
      
      Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
      Reported-by: Tony Luck <tony.luck@intel.com>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  2. 31 Jul, 2018 8 commits
      Merge tag 'audit-pr-20180731' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit · 37b71411
      Linus Torvalds authored
      Pull audit fix from Paul Moore:
       "A single small audit fix to guard against memory allocation failures
        when logging information about a kernel module load.
      
        It's small, easy to understand, and self-contained; while nothing is
        zero risk, this should be pretty low"
      
      * tag 'audit-pr-20180731' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
        audit: fix potential null dereference 'context->module.name'
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · c1d61e7f
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Nine fixes, five in the qla2xxx driver, the most serious of which is
        the uninitialized list head crash which can be observed in most
        systems under a sufficiently loaded low memory environment.
      
        The two sg fixes are minor but obvious and two target ones which seem
        reasonable but not high impact"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla2xxx: Return error when TMF returns
        scsi: qla2xxx: Fix ISP recovery on unload
        scsi: qla2xxx: Fix driver unload by shutting down chip
        scsi: qla2xxx: Fix NPIV deletion by calling wait_for_sess_deletion
        scsi: qla2xxx: Fix unintialized List head crash
        scsi: sg: update comment for blk_get_request()
        scsi: sg: fix minor memory leak in error path
        scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
        scsi: target: iscsi: cxgbit: fix max iso npdu calculation
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 095c3633
      Linus Torvalds authored
      Pull virtio fixes from Michael Tsirkin:
       "Some bugfixes that seem important and safe enough to merge at the last
        minute"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        virtio_balloon: fix another race between migration and ballooning
        tools/virtio: add kmalloc_array stub
        tools/virtio: add dma barrier stubs
      Merge tag 'acpi-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · c786e405
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix a recent ACPICA regression affecting control method
        execution at the table level and an earlier hibernation regression in
        the ACPI driver for Intel SoCs (LPSS) that was missed by a previous
        fix in this cycle.
      
        Specifics:
      
         - Fix a recent ACPICA regression introduced by a previous fix that
           caused control method execution at the table level to be mishandled
           by mistake (Erik Schmauss).
      
         - Fix a hibernation regression from the 4.15 cycle in the ACPI driver
           for Intel SoCs (LPSS) that caused the platform firmware to be
           confused during resume from hibernation by the driver's PM quirks
           which was fixed for system-wide suspend/resume (ACPI S3) earlier in
           this cycle, but that previous fix missed the hibernation (ACPI S4)
           case (Rafael Wysocki)"
      
      * tag 'acpi-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPICA: AML Parser: ignore control method status in module-level code
        ACPI / LPSS: Avoid PM quirks on suspend and resume from hibernation
      Merge branch 'acpi-soc' · 5f95d39b
      Rafael J. Wysocki authored
      Merge a fix for hibernation regression in the ACPI driver for Intel
      SoCs (LPSS).
      
      * acpi-soc:
        ACPI / LPSS: Avoid PM quirks on suspend and resume from hibernation
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f67077de
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Several smallish fixes, I don't think any of this requires another -rc
        but I'll leave that up to you:
      
         1) Don't leak uninitialized bytes to userspace in xfrm_user, from Eric
            Dumazet.
      
         2) Route leak in xfrm_lookup_route(), from Tommi Rantala.
      
         3) Premature poll() returns in AF_XDP, from Björn Töpel.
      
         4) devlink leak in netdevsim, from Jakub Kicinski.
      
         5) Don't BUG_ON in fib_compute_spec_dst, the condition can
            legitimately happen. From Lorenzo Bianconi.
      
         6) Fix some spectre v1 gadgets in generic socket code, from Jeremy
            Cline.
      
         7) Don't allow user to bind to out of range multicast groups, from
            Dmitry Safonov with a follow-up by Dmitry Safonov.
      
         8) Fix metrics leak in fib6_drop_pcpu_from(), from Sabrina Dubroca"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
        netlink: Don't shift with UB on nlk->ngroups
        net/ipv6: fix metrics leak
        xen-netfront: wait xenbus state change when load module manually
        can: ems_usb: Fix memory leak on ems_usb_disconnect()
        openvswitch: meter: Fix setting meter id for new entries
        netlink: Do not subscribe to non-existent groups
        NET: stmmac: align DMA stuff to largest cache line length
        tcp_bbr: fix bw probing to raise in-flight data for very small BDPs
        net: socket: Fix potential spectre v1 gadget in sock_is_registered
        net: socket: fix potential spectre v1 gadget in socketcall
        net: mdio-mux: bcm-iproc: fix wrong getter and setter pair
        ipv4: remove BUG_ON() from fib_compute_spec_dst
        enic: handle mtu change for vf properly
        net: lan78xx: fix rx handling before first packet is send
        nfp: flower: fix port metadata conversion bug
        bpf: use GFP_ATOMIC instead of GFP_KERNEL in bpf_parse_prog()
        bpf: fix bpf_skb_load_bytes_relative pkt length check
        perf build: Build error in libbpf missing initialization
        net: ena: Fix use of uninitialized DMA address bits field
        bpf: btf: Use exact btf value_size match in map_check_btf()
        ...
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 5723b4a3
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "Some small __init annotation and build fixes from Stephen Rostedt and
        Thomas Petazzoni"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: use asm-generic version of msi.h
        sparc: move MSI related definitions to where they are used
        sparc/time: Add missing __init to init_tick_ops()
      squashfs: more metadata hardening · d5125847
      Linus Torvalds authored
      Anatoly reports another squashfs fuzzing issue, where the decompression
      parameters themselves are in a compressed block.
      
      This causes squashfs_read_data() to be called in order to read the
      decompression options before the decompression stream having been set
      up, making squashfs go sideways.
      Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  3. 30 Jul, 2018 15 commits
  4. 29 Jul, 2018 14 commits