- Linux-stable-mirror - lists.linaro.org

[PATCH v2 3/3] intel_th: msu: Fix an off-by-one in attribute store

by Alexander Shishkin

The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated list of window sizes, passed from userspace. However, there is a bug in the string parsing logic wherein it doesn't exclude the comma character from the range of characters as it consumes them. This leads to an out-of-bounds access given a sufficiently long list. For example: > # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages > ================================================================== > BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40 > Read of size 1 at addr ffff8803ffcebcd1 by task sh/825 > > CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+ > Call Trace: > dump_stack+0x7c/0xc0 > print_address_description+0x6c/0x23c > ? memchr+0x1e/0x40 > kasan_report.cold.5+0x241/0x308 > memchr+0x1e/0x40 > nr_pages_store+0x203/0xd00 [intel_th_msu] Fix this by accounting for the comma character. Signed-off-by: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver") Cc: stable(a)vger.kernel.org # v4.4+ --- drivers/hwtracing/intel_th/msu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c index d293e55553bd..ba7aaf421f36 100644 --- a/drivers/hwtracing/intel_th/msu.c +++ b/drivers/hwtracing/intel_th/msu.c @@ -1423,7 +1423,8 @@ nr_pages_store(struct device *dev, struct device_attribute *attr, if (!end) break; - len -= end - p; + /* consume the number and the following comma, hence +1 */ + len -= end - p + 1; p = end + 1; } while (len); -- 2.19.2

6 years, 11 months

2
1
0 0

Linux 4.19.11

by Greg KH

I'm announcing the release of the 4.19.11 kernel. All users of the 4.19 kernel series must upgrade. The updated 4.19.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/bcm2837-rpi-3-b-plus.dts | 2 arch/arm/boot/dts/bcm2837-rpi-3-b.dts | 2 arch/arm/boot/dts/qcom-apq8064-arrow-sd-600eval.dts | 5 arch/arm/mach-mmp/cputype.h | 6 arch/arm64/mm/dma-mapping.c | 2 arch/powerpc/kernel/legacy_serial.c | 6 arch/powerpc/kernel/msi.c | 7 arch/x86/Makefile | 10 - block/bio.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 36 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 6 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h | 2 drivers/gpu/drm/amd/powerplay/smumgr/polaris10_smumgr.c | 6 drivers/gpu/drm/amd/powerplay/smumgr/smumgr.c | 3 drivers/gpu/drm/i915/gvt/fb_decoder.c | 2 drivers/gpu/drm/i915/intel_lrc.c | 7 drivers/gpu/drm/msm/disp/dpu1/dpu_dbg.c | 8 - drivers/gpu/drm/nouveau/dispnv50/disp.c | 30 ++- drivers/gpu/drm/rockchip/rockchip_drm_drv.c | 6 drivers/i2c/busses/i2c-aspeed.c | 4 drivers/md/dm-cache-metadata.c | 4 drivers/md/dm-thin.c | 68 ++++---- drivers/md/dm-zoned-target.c | 122 ++++------------ drivers/md/dm.c | 2 drivers/media/common/videobuf2/videobuf2-core.c | 4 drivers/mmc/core/block.c | 15 + drivers/mmc/host/omap.c | 11 + drivers/mmc/host/sdhci-omap.c | 12 + drivers/mmc/host/sdhci.c | 18 +- drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 2 drivers/scsi/raid_class.c | 4 drivers/slimbus/qcom-ngd-ctrl.c | 6 drivers/staging/olpc_dcon/Kconfig | 1 fs/aio.c | 2 fs/fuse/dir.c | 2 fs/fuse/file.c | 21 +- fs/fuse/fuse_i.h | 2 fs/iomap.c | 7 fs/overlayfs/dir.c | 14 + fs/overlayfs/export.c | 6 fs/userfaultfd.c | 3 init/Kconfig | 5 kernel/sched/core.c | 7 kernel/sched/fair.c | 2 kernel/sched/pelt.c | 2 kernel/sched/pelt.h | 2 kernel/sched/sched.h | 5 kernel/trace/ftrace.c | 1 kernel/trace/trace_events_filter.c | 5 kernel/trace/trace_events_trigger.c | 6 scripts/spdxcheck.py | 6 53 files changed, 310 insertions(+), 218 deletions(-) Aaro Koskinen (1): MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 Alek Du (1): mmc: sdhci: fix the timeout check window for clock and reset Alex Deucher (3): drm/amdkfd: add new vega10 pci ids drm/amdgpu: add some additional vega10 pci ids drm/amdgpu: update smu firmware images for VI variants (v2) Amir Goldstein (2): ovl: fix decode of dir file handle with multi lower layers ovl: fix missing override creds in link of a metacopy upper Andrea Arcangeli (1): userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered Arnd Bergmann (5): scsi: raid_attrs: fix unused variable warning slimbus: ngd: mark PM functions as __maybe_unused i2c: aspeed: fix build warning ARM: dts: qcom-apq8064-arrow-sd-600eval fix graph_endpoint warning drm/msm: fix address space warning Ben Skeggs (1): drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer Benjamin Herrenschmidt (1): powerpc: Look for "stdout-path" when setting up legacy consoles Brian Norris (1): Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" Chad Austin (1): fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS Chen-Yu Tsai (1): pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 Chris Wilson (1): drm/i915/execlists: Apply a full mb before execution for Braswell Damien Le Moal (1): dm zoned: Fix target BIO completion handling Faiz Abbas (1): mmc: sdhci-omap: Fix DCRC error handling during tuning Greg Kroah-Hartman (1): Linux 4.19.11 Hans Verkuil (1): media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed Jeff Moyer (1): aio: fix spectre gadget in lookup_ioctx Junwei Zhang (1): drm/amdgpu: update SMC firmware image for polaris10 variants Keith Busch (1): block/bio: Do not zero user pages Kenneth Feng (1): drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI Lubomir Rintel (2): staging: olpc_dcon: add a missing dependency ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt Lyude Paul (1): drm/nouveau/kms: Fix memory leak in nv50_mstm_del() Masahiro Yamada (1): x86/build: Fix compiler support check for CONFIG_RETPOLINE Mike Snitzer (3): dm thin: send event about thin-pool state change _after_ making it dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty() dm: call blk_queue_split() to impose device limits on bios Piotr Jaroszynski (1): fs/iomap.c: get/put the page in iomap_page_create/release() Radu Rendec (1): powerpc/msi: Fix NULL pointer access in teardown code Robin Murphy (1): arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing Stefan Wahren (1): ARM: dts: bcm2837: Fix polarity of wifi reset GPIOs Steven Rostedt (VMware) (3): tracing: Fix memory leak in create_filter() tracing: Fix memory leak in set_trigger_filter() tracing: Fix memory leak of instance function hash filters Thierry Reding (1): scripts/spdxcheck.py: always open files in binary mode Tina Zhang (1): drm/i915/gvt: Fix tiled memory decoding bug on BDW Vincent Guittot (1): sched/pelt: Fix warning and clean up IRQ PELT config Wolfram Sang (1): mmc: core: use mrq->sbc when sending CMD23 for RPMB

6 years, 11 months

1
1
0 0

[PATCH 4.19 00/44] 4.19.11-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.19.11 release. There are 44 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Dec 20 16:39:02 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.11-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.19.11-rc1 Masahiro Yamada <yamada.masahiro(a)socionext.com> x86/build: Fix compiler support check for CONFIG_RETPOLINE Damien Le Moal <damien.lemoal(a)wdc.com> dm zoned: Fix target BIO completion handling Junwei Zhang <Jerry.Zhang(a)amd.com> drm/amdgpu: update SMC firmware image for polaris10 variants Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: update smu firmware images for VI variants (v2) Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add some additional vega10 pci ids Alex Deucher <alexander.deucher(a)amd.com> drm/amdkfd: add new vega10 pci ids Kenneth Feng <kenneth.feng(a)amd.com> drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI Chris Wilson <chris(a)chris-wilson.co.uk> drm/i915/execlists: Apply a full mb before execution for Braswell Tina Zhang <tina.zhang(a)intel.com> drm/i915/gvt: Fix tiled memory decoding bug on BDW Brian Norris <briannorris(a)chromium.org> Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" Ben Skeggs <bskeggs(a)redhat.com> drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer Lyude Paul <lyude(a)redhat.com> drm/nouveau/kms: Fix memory leak in nv50_mstm_del() Benjamin Herrenschmidt <benh(a)kernel.crashing.org> powerpc: Look for "stdout-path" when setting up legacy consoles Radu Rendec <radu.rendec(a)gmail.com> powerpc/msi: Fix NULL pointer access in teardown code Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix memory leak of instance function hash filters Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix memory leak in set_trigger_filter() Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix memory leak in create_filter() Mike Snitzer <snitzer(a)redhat.com> dm: call blk_queue_split() to impose device limits on bios Mike Snitzer <snitzer(a)redhat.com> dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty() Mike Snitzer <snitzer(a)redhat.com> dm thin: send event about thin-pool state change _after_ making it Stefan Wahren <stefan.wahren(a)i2se.com> ARM: dts: bcm2837: Fix polarity of wifi reset GPIOs Lubomir Rintel <lkundrak(a)v3.sk> ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt Chad Austin <chadaustin(a)fb.com> fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS Alek Du <alek.du(a)intel.com> mmc: sdhci: fix the timeout check window for clock and reset Faiz Abbas <faiz_abbas(a)ti.com> mmc: sdhci-omap: Fix DCRC error handling during tuning Wolfram Sang <wsa+renesas(a)sang-engineering.com> mmc: core: use mrq->sbc when sending CMD23 for RPMB Aaro Koskinen <aaro.koskinen(a)iki.fi> MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 Amir Goldstein <amir73il(a)gmail.com> ovl: fix missing override creds in link of a metacopy upper Amir Goldstein <amir73il(a)gmail.com> ovl: fix decode of dir file handle with multi lower layers Keith Busch <keith.busch(a)intel.com> block/bio: Do not zero user pages Robin Murphy <robin.murphy(a)arm.com> arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing Andrea Arcangeli <aarcange(a)redhat.com> userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered Piotr Jaroszynski <pjaroszynski(a)nvidia.com> fs/iomap.c: get/put the page in iomap_page_create/release() Thierry Reding <treding(a)nvidia.com> scripts/spdxcheck.py: always open files in binary mode Jeff Moyer <jmoyer(a)redhat.com> aio: fix spectre gadget in lookup_ioctx Chen-Yu Tsai <wens(a)csie.org> pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 Arnd Bergmann <arnd(a)arndb.de> drm/msm: fix address space warning Arnd Bergmann <arnd(a)arndb.de> ARM: dts: qcom-apq8064-arrow-sd-600eval fix graph_endpoint warning Arnd Bergmann <arnd(a)arndb.de> i2c: aspeed: fix build warning Arnd Bergmann <arnd(a)arndb.de> slimbus: ngd: mark PM functions as __maybe_unused Lubomir Rintel <lkundrak(a)v3.sk> staging: olpc_dcon: add a missing dependency Arnd Bergmann <arnd(a)arndb.de> scsi: raid_attrs: fix unused variable warning Vincent Guittot <vincent.guittot(a)linaro.org> sched/pelt: Fix warning and clean up IRQ PELT config ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/bcm2837-rpi-3-b-plus.dts | 2 +- arch/arm/boot/dts/bcm2837-rpi-3-b.dts | 2 +- .../arm/boot/dts/qcom-apq8064-arrow-sd-600eval.dts | 5 + arch/arm/mach-mmp/cputype.h | 6 +- arch/arm64/mm/dma-mapping.c | 2 +- arch/powerpc/kernel/legacy_serial.c | 6 +- arch/powerpc/kernel/msi.c | 7 +- arch/x86/Makefile | 10 +- block/bio.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 36 +++++- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 6 + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 + drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h | 2 + .../drm/amd/powerplay/smumgr/polaris10_smumgr.c | 6 + drivers/gpu/drm/amd/powerplay/smumgr/smumgr.c | 3 + drivers/gpu/drm/i915/gvt/fb_decoder.c | 2 +- drivers/gpu/drm/i915/intel_lrc.c | 7 +- drivers/gpu/drm/msm/disp/dpu1/dpu_dbg.c | 8 +- drivers/gpu/drm/nouveau/dispnv50/disp.c | 30 +++-- drivers/gpu/drm/rockchip/rockchip_drm_drv.c | 6 - drivers/i2c/busses/i2c-aspeed.c | 4 +- drivers/md/dm-cache-metadata.c | 4 + drivers/md/dm-thin.c | 68 ++++++------ drivers/md/dm-zoned-target.c | 122 +++++++-------------- drivers/md/dm.c | 2 + drivers/media/common/videobuf2/videobuf2-core.c | 4 +- drivers/mmc/core/block.c | 15 ++- drivers/mmc/host/omap.c | 11 +- drivers/mmc/host/sdhci-omap.c | 12 +- drivers/mmc/host/sdhci.c | 18 ++- drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 2 +- drivers/scsi/raid_class.c | 4 +- drivers/slimbus/qcom-ngd-ctrl.c | 6 +- drivers/staging/olpc_dcon/Kconfig | 1 + fs/aio.c | 2 + fs/fuse/dir.c | 2 +- fs/fuse/file.c | 21 ++-- fs/fuse/fuse_i.h | 2 +- fs/iomap.c | 7 ++ fs/overlayfs/dir.c | 14 ++- fs/overlayfs/export.c | 6 +- fs/userfaultfd.c | 3 +- init/Kconfig | 5 + kernel/sched/core.c | 7 +- kernel/sched/fair.c | 2 +- kernel/sched/pelt.c | 2 +- kernel/sched/pelt.h | 2 +- kernel/sched/sched.h | 5 +- kernel/trace/ftrace.c | 1 + kernel/trace/trace_events_filter.c | 5 +- kernel/trace/trace_events_trigger.c | 6 +- scripts/spdxcheck.py | 6 +- 53 files changed, 311 insertions(+), 219 deletions(-)

6 years, 11 months

5
52
0 0

patch "usb: r8a66597: Fix a possible concurrency use-after-free bug in" added to usb-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: r8a66597: Fix a possible concurrency use-after-free bug in to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From c85400f886e3d41e69966470879f635a2b50084c Mon Sep 17 00:00:00 2001 From: Jia-Ju Bai <baijiaju1990(a)gmail.com> Date: Tue, 18 Dec 2018 20:04:25 +0800 Subject: usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may be concurrently executed. The two functions both access a possible shared variable "hep->hcpriv". This shared variable is freed by r8a66597_endpoint_disable() via the call path: r8a66597_endpoint_disable kfree(hep->hcpriv) (line 1995 in Linux-4.19) This variable is read by r8a66597_urb_enqueue() via the call path: r8a66597_urb_enqueue spin_lock_irqsave(&r8a66597->lock) init_pipe_info enable_r8a66597_pipe pipe = hep->hcpriv (line 802 in Linux-4.19) The read operation is protected by a spinlock, but the free operation is not protected by this spinlock, thus a concurrency use-after-free bug may occur. To fix this bug, the spin-lock and spin-unlock function calls in r8a66597_endpoint_disable() are moved to protect the free operation. Signed-off-by: Jia-Ju Bai <baijiaju1990(a)gmail.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/r8a66597-hcd.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c index 984892dd72f5..42668aeca57c 100644 --- a/drivers/usb/host/r8a66597-hcd.c +++ b/drivers/usb/host/r8a66597-hcd.c @@ -1979,6 +1979,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, static void r8a66597_endpoint_disable(struct usb_hcd *hcd, struct usb_host_endpoint *hep) +__acquires(r8a66597->lock) +__releases(r8a66597->lock) { struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd); struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv; @@ -1991,13 +1993,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd, return; pipenum = pipe->info.pipenum; + spin_lock_irqsave(&r8a66597->lock, flags); if (pipenum == 0) { kfree(hep->hcpriv); hep->hcpriv = NULL; + spin_unlock_irqrestore(&r8a66597->lock, flags); return; } - spin_lock_irqsave(&r8a66597->lock, flags); pipe_stop(r8a66597, pipe); pipe_irq_disable(r8a66597, pipenum); disable_irq_empty(r8a66597, pipenum); -- 2.20.1

6 years, 11 months

1
0
0 0

patch "driver core: Add missing dev->bus->need_parent_lock checks" added to driver-core-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled driver core: Add missing dev->bus->need_parent_lock checks to my driver-core git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git in the driver-core-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From e121a833745b4708b660e3fe6776129c2956b041 Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> Date: Thu, 13 Dec 2018 19:27:47 +0100 Subject: driver core: Add missing dev->bus->need_parent_lock checks __device_release_driver() has to check dev->bus->need_parent_lock before dropping the parent lock and acquiring it again as it may attempt to drop a lock that hasn't been acquired or lock a device that shouldn't be locked and create a lock imbalance. Fixes: 8c97a46af04b (driver core: hold dev's parent lock when needed) Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Cc: stable <stable(a)vger.kernel.org> Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/base/dd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/base/dd.c b/drivers/base/dd.c index 88713f182086..8ac10af17c00 100644 --- a/drivers/base/dd.c +++ b/drivers/base/dd.c @@ -933,11 +933,11 @@ static void __device_release_driver(struct device *dev, struct device *parent) if (drv) { while (device_links_busy(dev)) { device_unlock(dev); - if (parent) + if (parent && dev->bus->need_parent_lock) device_unlock(parent); device_links_unbind_consumers(dev); - if (parent) + if (parent && dev->bus->need_parent_lock) device_lock(parent); device_lock(dev); -- 2.20.1

6 years, 11 months

1
0
0 0

[WRONG] KVM: arm/arm64: vgic: fix off-by-one bug in vgic_get_irq()

by Gustavo A. R. Silva

Hi Marc, This is wrong: commit 6022fcc0e87a0eb5e9a72b15ed70dd29ebcb7343 The above is not my original patch and it should not be tagged for stable, as it introduces the same kind of bug I intended to fix: array_index_nospec() can now return kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS and this is not what you want. So, in this case the following line of code is just fine as it is: intid = array_index_nospec(intid, kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS); As the commit log says, my patch fixes: commit 41b87599c74300027f305d7b34368ec558978ff2 not both: commit 41b87599c74300027f305d7b34368ec558978ff2 and commit bea2ef803ade3359026d5d357348842bca9edcf1 If you want to apply the fix on top of bea2ef803ade3359026d5d357348842bca9edcf1 then you should apply this instead: diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c index bb1a83345741..e607547c7bb0 100644 --- a/virt/kvm/arm/vgic/vgic.c +++ b/virt/kvm/arm/vgic/vgic.c @@ -103,7 +103,7 @@ struct vgic_irq *vgic_get_irq(struct kvm *kvm, struct kvm_vcpu *vcpu, { /* SGIs and PPIs */ if (intid <= VGIC_MAX_PRIVATE) { - intid = array_index_nospec(intid, VGIC_MAX_PRIVATE); + intid = array_index_nospec(intid, VGIC_MAX_PRIVATE + 1); return &vcpu->arch.vgic_cpu.private_irqs[intid]; } The commit log should remain the same. Thanks -- Gustavo

6 years, 11 months

2
1
0 0

[ANNOUNCE] Linux kernel CVE tracker

by Ben Hutchings

As part of my work for the Civil Infrastructure Platform, I've been tracking security issues in the kernel and trying to ensure that the fixes are applied to stable branches as necessary. The "kernel-sec" repository at <https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec> contains information about known issues and scripts to aid in maintaining and viewing that information. Issues are identified by CVE ID and their status is recorded for mainline and all live stable branches. I import most of the information from distribution security trackers, and from upstream commit references in stable branch commit messages. Manual editing is needed mostly to correct errors in these sources, or where the commits fixing an issue in a stable branch don't correspond exactly to the commits fixing it in mainline. I recently added a local web application that allows browsing the status of all branches and issues, complete with links to references and related commits. There is also a simple reporting script that lists open issues for each branch. If you're interested in security support for stable branches, please take a look at this. I would welcome merge requests to add to the issue data or to improve the scripts. Ben. -- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom

6 years, 11 months

1
0
0 0

patch "binder: fix use-after-free due to ksys_close() during fdget()" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled binder: fix use-after-free due to ksys_close() during fdget() to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 80cd795630d6526ba729a089a435bf74a57af927 Mon Sep 17 00:00:00 2001 From: Todd Kjos <tkjos(a)android.com> Date: Fri, 14 Dec 2018 15:58:21 -0800 Subject: binder: fix use-after-free due to ksys_close() during fdget() 44d8047f1d8 ("binder: use standard functions to allocate fds") exposed a pre-existing issue in the binder driver. fdget() is used in ksys_ioctl() as a performance optimization. One of the rules associated with fdget() is that ksys_close() must not be called between the fdget() and the fdput(). There is a case where this requirement is not met in the binder driver which results in the reference count dropping to 0 when the device is still in use. This can result in use-after-free or other issues. If userpace has passed a file-descriptor for the binder driver using a BINDER_TYPE_FDA object, then kys_close() is called on it when handling a binder_ioctl(BC_FREE_BUFFER) command. This violates the assumptions for using fdget(). The problem is fixed by deferring the close using task_work_add(). A new variant of __close_fd() was created that returns a struct file with a reference. The fput() is deferred instead of using ksys_close(). Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Todd Kjos <tkjos(a)google.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/android/binder.c | 63 ++++++++++++++++++++++++++++++++++++++-- fs/file.c | 29 ++++++++++++++++++ include/linux/fdtable.h | 1 + 3 files changed, 91 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index d653e8a474fc..210940bd0457 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -72,6 +72,7 @@ #include <linux/spinlock.h> #include <linux/ratelimit.h> #include <linux/syscalls.h> +#include <linux/task_work.h> #include <uapi/linux/android/binder.h> @@ -2170,6 +2171,64 @@ static bool binder_validate_fixup(struct binder_buffer *b, return (fixup_offset >= last_min_offset); } +/** + * struct binder_task_work_cb - for deferred close + * + * @twork: callback_head for task work + * @fd: fd to close + * + * Structure to pass task work to be handled after + * returning from binder_ioctl() via task_work_add(). + */ +struct binder_task_work_cb { + struct callback_head twork; + struct file *file; +}; + +/** + * binder_do_fd_close() - close list of file descriptors + * @twork: callback head for task work + * + * It is not safe to call ksys_close() during the binder_ioctl() + * function if there is a chance that binder's own file descriptor + * might be closed. This is to meet the requirements for using + * fdget() (see comments for __fget_light()). Therefore use + * task_work_add() to schedule the close operation once we have + * returned from binder_ioctl(). This function is a callback + * for that mechanism and does the actual ksys_close() on the + * given file descriptor. + */ +static void binder_do_fd_close(struct callback_head *twork) +{ + struct binder_task_work_cb *twcb = container_of(twork, + struct binder_task_work_cb, twork); + + fput(twcb->file); + kfree(twcb); +} + +/** + * binder_deferred_fd_close() - schedule a close for the given file-descriptor + * @fd: file-descriptor to close + * + * See comments in binder_do_fd_close(). This function is used to schedule + * a file-descriptor to be closed after returning from binder_ioctl(). + */ +static void binder_deferred_fd_close(int fd) +{ + struct binder_task_work_cb *twcb; + + twcb = kzalloc(sizeof(*twcb), GFP_KERNEL); + if (!twcb) + return; + init_task_work(&twcb->twork, binder_do_fd_close); + __close_fd_get_file(fd, &twcb->file); + if (twcb->file) + task_work_add(current, &twcb->twork, true); + else + kfree(twcb); +} + static void binder_transaction_buffer_release(struct binder_proc *proc, struct binder_buffer *buffer, binder_size_t *failed_at) @@ -2309,7 +2368,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, } fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset); for (fd_index = 0; fd_index < fda->num_fds; fd_index++) - ksys_close(fd_array[fd_index]); + binder_deferred_fd_close(fd_array[fd_index]); } break; default: pr_err("transaction release %d bad object type %x\n", @@ -3928,7 +3987,7 @@ static int binder_apply_fd_fixups(struct binder_transaction *t) } else if (ret) { u32 *fdp = (u32 *)(t->buffer->data + fixup->offset); - ksys_close(*fdp); + binder_deferred_fd_close(*fdp); } list_del(&fixup->fixup_entry); kfree(fixup); diff --git a/fs/file.c b/fs/file.c index 7ffd6e9d103d..8d059d8973e9 100644 --- a/fs/file.c +++ b/fs/file.c @@ -640,6 +640,35 @@ int __close_fd(struct files_struct *files, unsigned fd) } EXPORT_SYMBOL(__close_fd); /* for ksys_close() */ +/* + * variant of __close_fd that gets a ref on the file for later fput + */ +int __close_fd_get_file(unsigned int fd, struct file **res) +{ + struct files_struct *files = current->files; + struct file *file; + struct fdtable *fdt; + + spin_lock(&files->file_lock); + fdt = files_fdtable(files); + if (fd >= fdt->max_fds) + goto out_unlock; + file = fdt->fd[fd]; + if (!file) + goto out_unlock; + rcu_assign_pointer(fdt->fd[fd], NULL); + __put_unused_fd(files, fd); + spin_unlock(&files->file_lock); + get_file(file); + *res = file; + return filp_close(file, files); + +out_unlock: + spin_unlock(&files->file_lock); + *res = NULL; + return -ENOENT; +} + void do_close_on_exec(struct files_struct *files) { unsigned i; diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h index 41615f38bcff..f07c55ea0c22 100644 --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -121,6 +121,7 @@ extern void __fd_install(struct files_struct *files, unsigned int fd, struct file *file); extern int __close_fd(struct files_struct *files, unsigned int fd); +extern int __close_fd_get_file(unsigned int fd, struct file **res); extern struct kmem_cache *files_cachep; -- 2.20.1

6 years, 11 months

1
0
0 0

Re: [PATCH 2/2] efi: efi_guid_t must be 64-bit aligned

by Ard Biesheuvel

On Tue, 18 Dec 2018 at 21:41, Sasha Levin <sashal(a)kernel.org> wrote: > > Hi, > > [This is an automated email] > > This commit has been processed because it contains a -stable tag. > The stable tag indicates that it's relevant for the following trees: all > > The bot has tested the following trees: v4.19.10, v4.14.89, v4.9.146, v4.4.168, v3.18.130, > Please disregard this patch for -stable until we decide how we are going to fix the 32-bit array packing issue. > v4.19.10: Build OK! > v4.14.89: Build OK! > v4.9.146: Failed to apply! Possible dependencies: > 2f74f09bce4f ("efi: parse ARM processor error") > 5b53696a30d5 ("ACPI / APEI: Switch to use new generic UUID API") > bbcc2e7b642e ("ras: acpi/apei: cper: add support for generic data v3 structure") > c0020756315e ("efi: switch to use new generic UUID API") > > v4.4.168: Failed to apply! Possible dependencies: > 2c23b73c2d02 ("x86/efi: Prepare GOP handling code for reuse as generic code") > 2f74f09bce4f ("efi: parse ARM processor error") > 5b53696a30d5 ("ACPI / APEI: Switch to use new generic UUID API") > ba7e34b1bbd2 ("include/linux/efi.h: redefine type, constant, macro from generic code") > bbcc2e7b642e ("ras: acpi/apei: cper: add support for generic data v3 structure") > c0020756315e ("efi: switch to use new generic UUID API") > > v3.18.130: Failed to apply! Possible dependencies: > 1bd0abb0c924 ("arm64/efi: set EFI_ALLOC_ALIGN to 64 KB") > 23a0d4e8fa6d ("efi: Disable interrupts around EFI calls, not in the epilog/prolog calls") > 2c23b73c2d02 ("x86/efi: Prepare GOP handling code for reuse as generic code") > 2f74f09bce4f ("efi: parse ARM processor error") > 4c62360d7562 ("efi: Handle memory error structures produced based on old versions of standard") > 4ee20980812b ("arm64: fix data type for physical address") > 5b53696a30d5 ("ACPI / APEI: Switch to use new generic UUID API") > 60305db98845 ("arm64/efi: move virtmap init to early initcall") > 744937b0b12a ("efi: Clean up the efi_call_phys_[prolog|epilog]() save/restore interaction") > 790a2ee24278 ("Merge tag 'efi-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into core/efi") > 8a53554e12e9 ("x86/efi: Fix multiple GOP device support") > 8ce837cee8f5 ("arm64/mm: add create_pgd_mapping() to create private page tables") > 9679be103108 ("arm64/efi: remove idmap manipulations from UEFI code") > a352ea3e197b ("arm64/efi: set PE/COFF file alignment to 512 bytes") > b05b9f5f9dcf ("x86, mirror: x86 enabling - find mirrored memory ranges") > ba7e34b1bbd2 ("include/linux/efi.h: redefine type, constant, macro from generic code") > bbcc2e7b642e ("ras: acpi/apei: cper: add support for generic data v3 structure") > c0020756315e ("efi: switch to use new generic UUID API") > d1ae8c005792 ("arm64: dmi: Add SMBIOS/DMI support") > da141706aea5 ("arm64: add better page protections to arm64") > e1e1fddae74b ("arm64/mm: add explicit struct_mm argument to __create_mapping()") > ea6bc80d1819 ("arm64/efi: set PE/COFF section alignment to 4 KB") > f3cdfd239da5 ("arm64/efi: move SetVirtualAddressMap() to UEFI stub") > > > How should we proceed with this patch? > > -- > Thanks, > Sasha

6 years, 11 months

2
1
0 0

[PATCH AUTOSEL 4.19 01/73] mac80211_hwsim: fix module init error paths for netlink

by Sasha Levin

From: Alexey Khoroshilov <khoroshilov(a)ispras.ru> [ Upstream commit 05cc09de4c017663a217630682041066f2f9a5cd ] There is no unregister netlink notifier and family on error paths in init_mac80211_hwsim(). Also there is an error path where hwsim_class is not destroyed. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Fixes: 62759361eb49 ("mac80211-hwsim: Provide multicast event for HWSIM_CMD_NEW_RADIO") Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/mac80211_hwsim.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 07442ada6dd0..6532cb25a333 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -3712,16 +3712,16 @@ static int __init init_mac80211_hwsim(void) if (err) goto out_unregister_pernet; + err = hwsim_init_netlink(); + if (err) + goto out_unregister_driver; + hwsim_class = class_create(THIS_MODULE, "mac80211_hwsim"); if (IS_ERR(hwsim_class)) { err = PTR_ERR(hwsim_class); - goto out_unregister_driver; + goto out_exit_netlink; } - err = hwsim_init_netlink(); - if (err < 0) - goto out_unregister_driver; - for (i = 0; i < radios; i++) { struct hwsim_new_radio_params param = { 0 }; @@ -3827,6 +3827,8 @@ static int __init init_mac80211_hwsim(void) free_netdev(hwsim_mon); out_free_radios: mac80211_hwsim_free(); +out_exit_netlink: + hwsim_exit_netlink(); out_unregister_driver: platform_driver_unregister(&mac80211_hwsim_driver); out_unregister_pernet: -- 2.19.1

6 years, 11 months

4
78
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror