- Linux-stable-mirror - lists.linaro.org

[git:media_tree/fixes] media: v4l: event: Prevent freeing event subscriptions while accessed

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: v4l: event: Prevent freeing event subscriptions while accessed Author: Sakari Ailus <sakari.ailus(a)linux.intel.com> Date: Tue Sep 11 05:32:37 2018 -0400 The event subscriptions are added to the subscribed event list while holding a spinlock, but that lock is subsequently released while still accessing the subscription object. This makes it possible to unsubscribe the event --- and freeing the subscription object's memory --- while the subscription object is simultaneously accessed. Prevent this by adding a mutex to serialise the event subscription and unsubscription. This also gives a guarantee to the callback ops that the add op has returned before the del op is called. This change also results in making the elems field less special: subscriptions are only added to the event list once they are fully initialised. Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Reviewed-by: Hans Verkuil <hans.verkuil(a)cisco.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Cc: stable(a)vger.kernel.org # for 4.14 and up Fixes: c3b5b0241f62 ("V4L/DVB: V4L: Events: Add backend") Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> drivers/media/v4l2-core/v4l2-event.c | 38 +++++++++++++++++++----------------- drivers/media/v4l2-core/v4l2-fh.c | 2 ++ include/media/v4l2-fh.h | 4 ++++ 3 files changed, 26 insertions(+), 18 deletions(-) --- diff --git a/drivers/media/v4l2-core/v4l2-event.c b/drivers/media/v4l2-core/v4l2-event.c index 127fe6eb91d9..a3ef1f50a4b3 100644 --- a/drivers/media/v4l2-core/v4l2-event.c +++ b/drivers/media/v4l2-core/v4l2-event.c @@ -115,14 +115,6 @@ static void __v4l2_event_queue_fh(struct v4l2_fh *fh, const struct v4l2_event *e if (sev == NULL) return; - /* - * If the event has been added to the fh->subscribed list, but its - * add op has not completed yet elems will be 0, treat this as - * not being subscribed. - */ - if (!sev->elems) - return; - /* Increase event sequence number on fh. */ fh->sequence++; @@ -208,6 +200,7 @@ int v4l2_event_subscribe(struct v4l2_fh *fh, struct v4l2_subscribed_event *sev, *found_ev; unsigned long flags; unsigned i; + int ret = 0; if (sub->type == V4L2_EVENT_ALL) return -EINVAL; @@ -225,31 +218,36 @@ int v4l2_event_subscribe(struct v4l2_fh *fh, sev->flags = sub->flags; sev->fh = fh; sev->ops = ops; + sev->elems = elems; + + mutex_lock(&fh->subscribe_lock); spin_lock_irqsave(&fh->vdev->fh_lock, flags); found_ev = v4l2_event_subscribed(fh, sub->type, sub->id); - if (!found_ev) - list_add(&sev->list, &fh->subscribed); spin_unlock_irqrestore(&fh->vdev->fh_lock, flags); if (found_ev) { + /* Already listening */ kvfree(sev); - return 0; /* Already listening */ + goto out_unlock; } if (sev->ops && sev->ops->add) { - int ret = sev->ops->add(sev, elems); + ret = sev->ops->add(sev, elems); if (ret) { - sev->ops = NULL; - v4l2_event_unsubscribe(fh, sub); - return ret; + kvfree(sev); + goto out_unlock; } } - /* Mark as ready for use */ - sev->elems = elems; + spin_lock_irqsave(&fh->vdev->fh_lock, flags); + list_add(&sev->list, &fh->subscribed); + spin_unlock_irqrestore(&fh->vdev->fh_lock, flags); - return 0; +out_unlock: + mutex_unlock(&fh->subscribe_lock); + + return ret; } EXPORT_SYMBOL_GPL(v4l2_event_subscribe); @@ -288,6 +286,8 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh, return 0; } + mutex_lock(&fh->subscribe_lock); + spin_lock_irqsave(&fh->vdev->fh_lock, flags); sev = v4l2_event_subscribed(fh, sub->type, sub->id); @@ -305,6 +305,8 @@ int v4l2_event_unsubscribe(struct v4l2_fh *fh, if (sev && sev->ops && sev->ops->del) sev->ops->del(sev); + mutex_unlock(&fh->subscribe_lock); + kvfree(sev); return 0; diff --git a/drivers/media/v4l2-core/v4l2-fh.c b/drivers/media/v4l2-core/v4l2-fh.c index 3895999bf880..c91a7bd3ecfc 100644 --- a/drivers/media/v4l2-core/v4l2-fh.c +++ b/drivers/media/v4l2-core/v4l2-fh.c @@ -45,6 +45,7 @@ void v4l2_fh_init(struct v4l2_fh *fh, struct video_device *vdev) INIT_LIST_HEAD(&fh->available); INIT_LIST_HEAD(&fh->subscribed); fh->sequence = -1; + mutex_init(&fh->subscribe_lock); } EXPORT_SYMBOL_GPL(v4l2_fh_init); @@ -90,6 +91,7 @@ void v4l2_fh_exit(struct v4l2_fh *fh) return; v4l_disable_media_source(fh->vdev); v4l2_event_unsubscribe_all(fh); + mutex_destroy(&fh->subscribe_lock); fh->vdev = NULL; } EXPORT_SYMBOL_GPL(v4l2_fh_exit); diff --git a/include/media/v4l2-fh.h b/include/media/v4l2-fh.h index ea73fef8bdc0..8586cfb49828 100644 --- a/include/media/v4l2-fh.h +++ b/include/media/v4l2-fh.h @@ -38,10 +38,13 @@ struct v4l2_ctrl_handler; * @prio: priority of the file handler, as defined by &enum v4l2_priority * * @wait: event' s wait queue + * @subscribe_lock: serialise changes to the subscribed list; guarantee that + * the add and del event callbacks are orderly called * @subscribed: list of subscribed events * @available: list of events waiting to be dequeued * @navailable: number of available events at @available list * @sequence: event sequence number + * * @m2m_ctx: pointer to &struct v4l2_m2m_ctx */ struct v4l2_fh { @@ -52,6 +55,7 @@ struct v4l2_fh { /* Events */ wait_queue_head_t wait; + struct mutex subscribe_lock; struct list_head subscribed; struct list_head available; unsigned int navailable;

7 years

1
0
0 0

Re: [Xen-devel] [PATCH] xen: remove size limit of privcmd-buf mapping interface

by Juergen Gross

On 02/11/2018 08:26, Jan Beulich wrote: >>>> On 01.11.18 at 17:27, <jgross(a)suse.com> wrote: >> On 01/11/2018 16:50, Jan Beulich wrote: >>>>>> Juergen Gross <jgross(a)suse.com> 11/01/18 3:23 PM >>> >>>> On 01/11/2018 15:18, Jan Beulich wrote: >>>>>>>> Juergen Gross <jgross(a)suse.com> 11/01/18 1:34 PM >>> >>>>>> Currently the size of hypercall buffers allocated via >>>>>> /dev/xen/hypercall is limited to a default of 64 memory pages. For live >>>>>> migration of guests this might be too small as the page dirty bitmask >>>>>> needs to be sized according to the size of the guest. This means >>>>>> migrating a 8GB sized guest is already exhausting the default buffer >>>>>> size for the dirty bitmap. >>>>>> >>>>>> There is no sensible way to set a sane limit, so just remove it >>>>>> completely. The device node's usage is limited to root anyway, so there >>>>>> is no additional DOS scenario added by allowing unlimited buffers. >>>>> >>>>> But is this setting of permissions what we want long term? What about a >>>>> de-privileged qemu, which still needs to be able to issue at least dm-op >>>>> hypercalls? >>>> >>>> Wouldn't that qemu have opened the node while still being privileged? >>> >>> Possibly, but how does this help? As soon as it's unprivileged it must not >>> be able to hog resources anymore. >>> >>> Anyway, with Andrew's reply my point may be irrelevant, but I have to >>> admit I'm not entirely sure. >> >> I guess we want Xen tools to close /dev/xen/hypercall (or more precise: >> don't dup2() it) when qemu is de-privileging itself. This will make it >> very clear that it can't hog memory via mmap(). >> >> When you are fine with that I'll send a Xen patch for this. > > If that doesn't prevent the process from making the hypercalls it > is permitted to do (I have to admit I don't recall if there are any > still needed besides the dmop ones), sure. Turns out that is already done: the restrict_all callback of libxencall will associate /dev/null with the file descriptor of /dev/xen/hypercall. Juergen

7 years

1
0
0 0

[PATCH AUTOSEL 4.4 01/25] xfrm: Validate address prefix lengths in the xfrm selector.

by Sasha Levin

From: Steffen Klassert <steffen.klassert(a)secunet.com> [ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ] We don't validate the address prefix lengths in the xfrm selector we got from userspace. This can lead to undefined behaviour in the address matching functions if the prefix is too big for the given address family. Fix this by checking the prefixes and refuse SA/policy insertation when a prefix is invalid. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Air Icy <icytxw(a)gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/xfrm/xfrm_user.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index a9b4491a3cc4..c2e98dcba9fe 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, err = -EINVAL; switch (p->family) { case AF_INET: + if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) + goto out; + break; case AF_INET6: #if IS_ENABLED(CONFIG_IPV6) + if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) + goto out; + break; #else err = -EAFNOSUPPORT; @@ -1312,10 +1318,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) switch (p->sel.family) { case AF_INET: + if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) + return -EINVAL; + break; case AF_INET6: #if IS_ENABLED(CONFIG_IPV6) + if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) + return -EINVAL; + break; #else return -EAFNOSUPPORT; -- 2.17.1

7 years

2
25
0 0

Re: Patch "bridge: do not add port to router list when receives query with source 0.0.0.0" has been added to the 4.18-stable tree

by Hangbin Liu

On Fri, Nov 02, 2018 at 06:13:17AM +0100, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > bridge: do not add port to router list when receives query with source 0.0.0.0 > > to the 4.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch > and it can be found in the queue-4.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Hi, Please also include patch commit 0fe5119e267f3e3d8ac206895f5922195ec55a8a Author: Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> Date: Sat Oct 27 12:07:47 2018 +0300 net: bridge: remove ipv6 zero address check in mcast queries which fixed the patch. Thanks Hangbin > > > From foo@baz Fri Nov 2 06:12:44 CET 2018 > From: Hangbin Liu <liuhangbin(a)gmail.com> > Date: Fri, 26 Oct 2018 10:28:43 +0800 > Subject: bridge: do not add port to router list when receives query with source 0.0.0.0 > > From: Hangbin Liu <liuhangbin(a)gmail.com> > > [ Upstream commit 5a2de63fd1a59c30c02526d427bc014b98adf508 ] > > Based on RFC 4541, 2.1.1. IGMP Forwarding Rules > > The switch supporting IGMP snooping must maintain a list of > multicast routers and the ports on which they are attached. This > list can be constructed in any combination of the following ways: > > a) This list should be built by the snooping switch sending > Multicast Router Solicitation messages as described in IGMP > Multicast Router Discovery [MRDISC]. It may also snoop > Multicast Router Advertisement messages sent by and to other > nodes. > > b) The arrival port for IGMP Queries (sent by multicast routers) > where the source address is not 0.0.0.0. > > We should not add the port to router list when receives query with source > 0.0.0.0. > > Reported-by: Ying Xu <yinxu(a)redhat.com> > Signed-off-by: Hangbin Liu <liuhangbin(a)gmail.com> > Acked-by: Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> > Acked-by: Roopa Prabhu <roopa(a)cumulusnetworks.com> > Signed-off-by: David S. Miller <davem(a)davemloft.net> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > net/bridge/br_multicast.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > --- a/net/bridge/br_multicast.c > +++ b/net/bridge/br_multicast.c > @@ -1420,7 +1420,15 @@ static void br_multicast_query_received( > return; > > br_multicast_update_query_timer(br, query, max_delay); > - br_multicast_mark_router(br, port); > + > + /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules, > + * the arrival port for IGMP Queries where the source address > + * is 0.0.0.0 should not be added to router port list. > + */ > + if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) || > + (saddr->proto == htons(ETH_P_IPV6) && > + !ipv6_addr_any(&saddr->u.ip6))) > + br_multicast_mark_router(br, port); > } > > static int br_ip4_multicast_query(struct net_bridge *br, > > > Patches currently in stable-queue which might be from liuhangbin(a)gmail.com are > > queue-4.18/bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch

7 years

3
2
0 0

Re: [Xen-devel] [PATCH] xen: remove size limit of privcmd-buf mapping interface

by Juergen Gross

On 01/11/2018 16:50, Jan Beulich wrote: >>>> Juergen Gross <jgross(a)suse.com> 11/01/18 3:23 PM >>> >> On 01/11/2018 15:18, Jan Beulich wrote: >>>>>> Juergen Gross <jgross(a)suse.com> 11/01/18 1:34 PM >>> >>>> Currently the size of hypercall buffers allocated via >>>> /dev/xen/hypercall is limited to a default of 64 memory pages. For live >>>> migration of guests this might be too small as the page dirty bitmask >>>> needs to be sized according to the size of the guest. This means >>>> migrating a 8GB sized guest is already exhausting the default buffer >>>> size for the dirty bitmap. >>>> >>>> There is no sensible way to set a sane limit, so just remove it >>>> completely. The device node's usage is limited to root anyway, so there >>>> is no additional DOS scenario added by allowing unlimited buffers. >>> >>> But is this setting of permissions what we want long term? What about a >>> de-privileged qemu, which still needs to be able to issue at least dm-op >>> hypercalls? >> >> Wouldn't that qemu have opened the node while still being privileged? > > Possibly, but how does this help? As soon as it's unprivileged it must not > be able to hog resources anymore. > > Anyway, with Andrew's reply my point may be irrelevant, but I have to > admit I'm not entirely sure. I guess we want Xen tools to close /dev/xen/hypercall (or more precise: don't dup2() it) when qemu is de-privileging itself. This will make it very clear that it can't hog memory via mmap(). When you are fine with that I'll send a Xen patch for this. Juergen

7 years

2
1
0 0

Re: Patch "bridge: do not add port to router list when receives query with source 0.0.0.0" has been added to the 4.19-stable tree

by Hangbin Liu

On Fri, Nov 02, 2018 at 06:16:13AM +0100, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > bridge: do not add port to router list when receives query with source 0.0.0.0 > > to the 4.19-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch > and it can be found in the queue-4.19 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Hi, Patch commit 0fe5119e267f3e3d8ac206895f5922195ec55a8a Author: Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> Date: Sat Oct 27 12:07:47 2018 +0300 net: bridge: remove ipv6 zero address check in mcast queries is also needed to fix this patch. Thanks Hangbin > > > From foo@baz Fri Nov 2 06:12:28 CET 2018 > From: Hangbin Liu <liuhangbin(a)gmail.com> > Date: Fri, 26 Oct 2018 10:28:43 +0800 > Subject: bridge: do not add port to router list when receives query with source 0.0.0.0 > > From: Hangbin Liu <liuhangbin(a)gmail.com> > > [ Upstream commit 5a2de63fd1a59c30c02526d427bc014b98adf508 ] > > Based on RFC 4541, 2.1.1. IGMP Forwarding Rules > > The switch supporting IGMP snooping must maintain a list of > multicast routers and the ports on which they are attached. This > list can be constructed in any combination of the following ways: > > a) This list should be built by the snooping switch sending > Multicast Router Solicitation messages as described in IGMP > Multicast Router Discovery [MRDISC]. It may also snoop > Multicast Router Advertisement messages sent by and to other > nodes. > > b) The arrival port for IGMP Queries (sent by multicast routers) > where the source address is not 0.0.0.0. > > We should not add the port to router list when receives query with source > 0.0.0.0. > > Reported-by: Ying Xu <yinxu(a)redhat.com> > Signed-off-by: Hangbin Liu <liuhangbin(a)gmail.com> > Acked-by: Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> > Acked-by: Roopa Prabhu <roopa(a)cumulusnetworks.com> > Signed-off-by: David S. Miller <davem(a)davemloft.net> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > net/bridge/br_multicast.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > --- a/net/bridge/br_multicast.c > +++ b/net/bridge/br_multicast.c > @@ -1420,7 +1420,15 @@ static void br_multicast_query_received( > return; > > br_multicast_update_query_timer(br, query, max_delay); > - br_multicast_mark_router(br, port); > + > + /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules, > + * the arrival port for IGMP Queries where the source address > + * is 0.0.0.0 should not be added to router port list. > + */ > + if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) || > + (saddr->proto == htons(ETH_P_IPV6) && > + !ipv6_addr_any(&saddr->u.ip6))) > + br_multicast_mark_router(br, port); > } > > static void br_ip4_multicast_query(struct net_bridge *br, > > > Patches currently in stable-queue which might be from liuhangbin(a)gmail.com are > > queue-4.19/bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch

7 years

2
1
0 0

[PATCHES] Sparc

by David Miller

Please queue up the following sparc bug fixes for v4.18 and v4.19 -stable, respectively. Thanks! >From dd6bdff3a6573eb93d5ea786ecb319aeb0134ef0 Mon Sep 17 00:00:00 2001 From: "David S. Miller" <davem(a)davemloft.net> Date: Fri, 26 Oct 2018 15:11:56 -0700 Subject: [PATCH 1/3] sparc64: Export __node_distance. [ Upstream commit 2b4792eaa9f553764047d157365ed8b7787751a3 ] Some drivers reference it via node_distance(), for example the NVME host driver core. ERROR: "__node_distance" [drivers/nvme/host/nvme-core.ko] undefined! make[1]: *** [scripts/Makefile.modpost:92: __modpost] Error 1 Signed-off-by: David S. Miller <davem(a)davemloft.net> --- arch/sparc/mm/init_64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c index f396048a0d68..39822f611c01 100644 --- a/arch/sparc/mm/init_64.c +++ b/arch/sparc/mm/init_64.c @@ -1383,6 +1383,7 @@ int __node_distance(int from, int to) } return numa_latency[from][to]; } +EXPORT_SYMBOL(__node_distance); static int __init find_best_numa_node_for_mlgroup(struct mdesc_mlgroup *grp) { -- 2.19.1 >From 2835fa1d7c211c2367f8ec488306a00c01b63472 Mon Sep 17 00:00:00 2001 From: David Miller <davem(a)redhat.com> Date: Thu, 25 Oct 2018 20:36:46 -0700 Subject: [PATCH 2/3] sparc64: Make corrupted user stacks more debuggable. [ Upstream commit 5b4fc3882a649c9411dd0dcad2ddb78e911d340e ] Right now if we get a corrupted user stack frame we do a do_exit(SIGILL) which is not helpful. If under a debugger, this behavior causes the inferior process to exit. So the register and other state cannot be examined at the time of the event. Instead, conditionally log a rate limited kernel log message and then force a SIGSEGV. With bits and ideas borrowed (as usual) from powerpc. Signed-off-by: David S. Miller <davem(a)davemloft.net> --- arch/sparc/include/asm/switch_to_64.h | 3 ++- arch/sparc/kernel/process_64.c | 25 +++++++++++++++++++------ arch/sparc/kernel/rtrap_64.S | 1 + arch/sparc/kernel/signal32.c | 12 ++++++++++-- arch/sparc/kernel/signal_64.c | 6 +++++- 5 files changed, 37 insertions(+), 10 deletions(-) diff --git a/arch/sparc/include/asm/switch_to_64.h b/arch/sparc/include/asm/switch_to_64.h index 4ff29b1406a9..b1d4e2e3210f 100644 --- a/arch/sparc/include/asm/switch_to_64.h +++ b/arch/sparc/include/asm/switch_to_64.h @@ -67,6 +67,7 @@ do { save_and_clear_fpu(); \ } while(0) void synchronize_user_stack(void); -void fault_in_user_windows(void); +struct pt_regs; +void fault_in_user_windows(struct pt_regs *); #endif /* __SPARC64_SWITCH_TO_64_H */ diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c index 6c086086ca8f..59eaf6227af1 100644 --- a/arch/sparc/kernel/process_64.c +++ b/arch/sparc/kernel/process_64.c @@ -36,6 +36,7 @@ #include <linux/sysrq.h> #include <linux/nmi.h> #include <linux/context_tracking.h> +#include <linux/signal.h> #include <linux/uaccess.h> #include <asm/page.h> @@ -521,7 +522,12 @@ static void stack_unaligned(unsigned long sp) force_sig_fault(SIGBUS, BUS_ADRALN, (void __user *) sp, 0, current); } -void fault_in_user_windows(void) +static const char uwfault32[] = KERN_INFO \ + "%s[%d]: bad register window fault: SP %08lx (orig_sp %08lx) TPC %08lx O7 %08lx\n"; +static const char uwfault64[] = KERN_INFO \ + "%s[%d]: bad register window fault: SP %016lx (orig_sp %016lx) TPC %08lx O7 %016lx\n"; + +void fault_in_user_windows(struct pt_regs *regs) { struct thread_info *t = current_thread_info(); unsigned long window; @@ -534,9 +540,9 @@ void fault_in_user_windows(void) do { struct reg_window *rwin = &t->reg_window[window]; int winsize = sizeof(struct reg_window); - unsigned long sp; + unsigned long sp, orig_sp; - sp = t->rwbuf_stkptrs[window]; + orig_sp = sp = t->rwbuf_stkptrs[window]; if (test_thread_64bit_stack(sp)) sp += STACK_BIAS; @@ -547,8 +553,16 @@ void fault_in_user_windows(void) stack_unaligned(sp); if (unlikely(copy_to_user((char __user *)sp, - rwin, winsize))) + rwin, winsize))) { + if (show_unhandled_signals) + printk_ratelimited(is_compat_task() ? + uwfault32 : uwfault64, + current->comm, current->pid, + sp, orig_sp, + regs->tpc, + regs->u_regs[UREG_I7]); goto barf; + } } while (window--); } set_thread_wsaved(0); @@ -556,8 +570,7 @@ void fault_in_user_windows(void) barf: set_thread_wsaved(window + 1); - user_exit(); - do_exit(SIGILL); + force_sig(SIGSEGV, current); } asmlinkage long sparc_do_fork(unsigned long clone_flags, diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S index 4073e2b87dd0..29aa34f11720 100644 --- a/arch/sparc/kernel/rtrap_64.S +++ b/arch/sparc/kernel/rtrap_64.S @@ -39,6 +39,7 @@ __handle_preemption: wrpr %g0, RTRAP_PSTATE_IRQOFF, %pstate __handle_user_windows: + add %sp, PTREGS_OFF, %o0 call fault_in_user_windows 661: wrpr %g0, RTRAP_PSTATE, %pstate /* If userspace is using ADI, it could potentially pass diff --git a/arch/sparc/kernel/signal32.c b/arch/sparc/kernel/signal32.c index 44d379db3f64..4c5b3fcbed94 100644 --- a/arch/sparc/kernel/signal32.c +++ b/arch/sparc/kernel/signal32.c @@ -371,7 +371,11 @@ static int setup_frame32(struct ksignal *ksig, struct pt_regs *regs, get_sigframe(ksig, regs, sigframe_size); if (invalid_frame_pointer(sf, sigframe_size)) { - do_exit(SIGILL); + if (show_unhandled_signals) + pr_info("%s[%d] bad frame in setup_frame32: %08lx TPC %08lx O7 %08lx\n", + current->comm, current->pid, (unsigned long)sf, + regs->tpc, regs->u_regs[UREG_I7]); + force_sigsegv(ksig->sig, current); return -EINVAL; } @@ -501,7 +505,11 @@ static int setup_rt_frame32(struct ksignal *ksig, struct pt_regs *regs, get_sigframe(ksig, regs, sigframe_size); if (invalid_frame_pointer(sf, sigframe_size)) { - do_exit(SIGILL); + if (show_unhandled_signals) + pr_info("%s[%d] bad frame in setup_rt_frame32: %08lx TPC %08lx O7 %08lx\n", + current->comm, current->pid, (unsigned long)sf, + regs->tpc, regs->u_regs[UREG_I7]); + force_sigsegv(ksig->sig, current); return -EINVAL; } diff --git a/arch/sparc/kernel/signal_64.c b/arch/sparc/kernel/signal_64.c index 48366e5eb5b2..e9de1803a22e 100644 --- a/arch/sparc/kernel/signal_64.c +++ b/arch/sparc/kernel/signal_64.c @@ -370,7 +370,11 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) get_sigframe(ksig, regs, sf_size); if (invalid_frame_pointer (sf)) { - do_exit(SIGILL); /* won't return, actually */ + if (show_unhandled_signals) + pr_info("%s[%d] bad frame in setup_rt_frame: %016lx TPC %016lx O7 %016lx\n", + current->comm, current->pid, (unsigned long)sf, + regs->tpc, regs->u_regs[UREG_I7]); + force_sigsegv(ksig->sig, current); return -EINVAL; } -- 2.19.1 >From 42dffdd95a8faacd7df0e369040b0f441594757b Mon Sep 17 00:00:00 2001 From: "David S. Miller" <davem(a)davemloft.net> Date: Wed, 31 Oct 2018 18:30:21 -0700 Subject: [PATCH 3/3] sparc64: Wire up compat getpeername and getsockname. [ Upstream commit 1f2b5b8e2df4591fbca430aff9c5a072dcc0f408 ] Fixes: 8b30ca73b7cc ("sparc: Add all necessary direct socket system calls.") Reported-by: Joseph Myers <joseph(a)codesourcery.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> --- arch/sparc/kernel/systbls_64.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/sparc/kernel/systbls_64.S b/arch/sparc/kernel/systbls_64.S index bb68c805b891..ff9389a1c9f3 100644 --- a/arch/sparc/kernel/systbls_64.S +++ b/arch/sparc/kernel/systbls_64.S @@ -47,9 +47,9 @@ sys_call_table32: .word sys_recvfrom, sys_setreuid16, sys_setregid16, sys_rename, compat_sys_truncate /*130*/ .word compat_sys_ftruncate, sys_flock, compat_sys_lstat64, sys_sendto, sys_shutdown .word sys_socketpair, sys_mkdir, sys_rmdir, compat_sys_utimes, compat_sys_stat64 -/*140*/ .word sys_sendfile64, sys_nis_syscall, compat_sys_futex, sys_gettid, compat_sys_getrlimit +/*140*/ .word sys_sendfile64, sys_getpeername, compat_sys_futex, sys_gettid, compat_sys_getrlimit .word compat_sys_setrlimit, sys_pivot_root, sys_prctl, sys_pciconfig_read, sys_pciconfig_write -/*150*/ .word sys_nis_syscall, sys_inotify_init, sys_inotify_add_watch, sys_poll, sys_getdents64 +/*150*/ .word sys_getsockname, sys_inotify_init, sys_inotify_add_watch, sys_poll, sys_getdents64 .word compat_sys_fcntl64, sys_inotify_rm_watch, compat_sys_statfs, compat_sys_fstatfs, sys_oldumount /*160*/ .word compat_sys_sched_setaffinity, compat_sys_sched_getaffinity, sys_getdomainname, sys_setdomainname, sys_nis_syscall .word sys_quotactl, sys_set_tid_address, compat_sys_mount, compat_sys_ustat, sys_setxattr -- 2.19.1

7 years

2
1
0 0

[PATCHES] Networking

by David Miller

Please queue up the following networking bug fixes for v4.18 and v4.19 -stable, respectively.

7 years

2
1
0 0

[PATCH 4.4 00/92] 4.4.133-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.133 release. There are 92 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat May 26 09:31:28 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.133-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.133-rc1 Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> x86/kexec: Avoid double free_page() upon do_kexec_load() failure Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> hfsplus: stop workqueue when fill_super() failed Johannes Berg <johannes.berg(a)intel.com> cfg80211: limit wiphy names to 128 bytes Geert Uytterhoeven <geert+renesas(a)glider.be> gpio: rcar: Add Runtime PM handling for interrupts John Stultz <john.stultz(a)linaro.org> time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting Vinod Koul <vinod.koul(a)intel.com> dmaengine: ensure dmaengine helpers check valid callback Jens Remus <jremus(a)linux.ibm.com> scsi: zfcp: fix infinite iteration on ERP ready list Alexander Potapenko <glider(a)google.com> scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() Jason Yan <yanaijie(a)huawei.com> scsi: libsas: defer ata device eh commands to libata Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: use expoline thunks in the BPF JIT Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: extend expoline to BC instructions Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: move spectre sysfs attribute code Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390/kernel: use expoline for indirect branches Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390/ftrace: use expoline for indirect branches Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390/lib: use expoline for indirect branches Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: move expoline assembler macros to a header Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: add assembler macros for CPU alternatives Al Viro <viro(a)zeniv.linux.org.uk> ext2: fix a block leak Eric Dumazet <edumazet(a)google.com> tcp: purge write queue in tcp_connect_init() Eric Dumazet <edumazet(a)google.com> sock_diag: fix use-after-free read in __sk_free Willem de Bruijn <willemb(a)google.com> packet: in packet_snd start writing at link layer allocation Willem de Bruijn <willemb(a)google.com> net: test tailroom before appending to linear skb Liu Bo <bo.liu(a)linux.alibaba.com> btrfs: fix reading stale metadata blocks after degraded raid1 mounts Anand Jain <anand.jain(a)oracle.com> btrfs: fix crash when trying to resume balance without the resume flag Filipe Manana <fdmanana(a)suse.com> Btrfs: fix xattr loss after power failure Masami Hiramatsu <mhiramat(a)kernel.org> ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions Masami Hiramatsu <mhiramat(a)kernel.org> ARM: 8770/1: kprobes: Prohibit probing on optimized_callback Masami Hiramatsu <mhiramat(a)kernel.org> ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed Dexuan Cui <decui(a)microsoft.com> tick/broadcast: Use for_each_cpu() specially on UP kernels Masami Hiramatsu <mhiramat(a)kernel.org> ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr Ard Biesheuvel <ard.biesheuvel(a)linaro.org> efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: remove indirect branch from do_softirq_own_stack Julian Wiedmann <jwi(a)linux.ibm.com> s390/qdio: don't release memory in qdio_setup_irq() Hendrik Brueckner <brueckner(a)linux.ibm.com> s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero Julian Wiedmann <jwi(a)linux.ibm.com> s390/qdio: fix access to uninitialized qdio_q fields Pavel Tatashin <pasha.tatashin(a)oracle.com> mm: don't allow deferred pages with NEED_PER_CPU_KM Nicholas Piggin <npiggin(a)gmail.com> powerpc/powernv: Fix NVRAM sleep in invalid context when crashing Janis Danisevskis <jdanis(a)google.com> procfs: fix pthread cross-thread naming if !PR_DUMPABLE Mateusz Guzik <mguzik(a)redhat.com> proc read mm's {arg,env}_{start,end} with mmap semaphore taken. Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all} Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Enable HWP by default Waiman Long <Waiman.Long(a)hpe.com> signals: avoid unnecessary taking of sighand->siglock Mel Gorman <mgorman(a)techsingularity.net> mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to complete during a read Mel Gorman <mgorman(a)techsingularity.net> mm: filemap: remove redundant code in do_read_cache_page Johannes Weiner <hannes(a)cmpxchg.org> proc: meminfo: estimate available memory more conservatively Vladimir Davydov <vdavydov(a)virtuozzo.com> vmscan: do not force-scan file lru if its absolute size is small Benjamin Herrenschmidt <benh(a)kernel.crashing.org> powerpc: Don't preempt_disable() in show_cpuinfo() Anders Roxell <anders.roxell(a)linaro.org> cpuidle: coupled: remove unused define cpuidle_coupled_lock Stewart Smith <stewart(a)linux.vnet.ibm.com> powerpc/powernv: remove FW_FEATURE_OPALv3 and just use FW_FEATURE_OPAL Stewart Smith <stewart(a)linux.vnet.ibm.com> powerpc/powernv: Remove OPALv2 firmware define and references Stewart Smith <stewart(a)linux.vnet.ibm.com> powerpc/powernv: panic() on OPAL < V3 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: pxa2xx: Allow 64-bit DMA Wenwen Wang <wang6495(a)umn.edu> ALSA: control: fix a redundant-copy issue Hans de Goede <hdegoede(a)redhat.com> ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist Federico Cuello <fedux(a)fedux.com.ar> ALSA: usb: mixer: volume quirk for CM102-A+/102S+ Shuah Khan (Samsung OSG) <shuah(a)kernel.org> usbip: usbip_host: fix bad unlock balance during stub_probe() Shuah Khan (Samsung OSG) <shuah(a)kernel.org> usbip: usbip_host: fix NULL-ptr deref and use-after-free errors Shuah Khan (Samsung OSG) <shuah(a)kernel.org> usbip: usbip_host: run rebind from exit when module is removed Shuah Khan (Samsung OSG) <shuah(a)kernel.org> usbip: usbip_host: delete device from busid_table after rebind Shuah Khan <shuahkh(a)osg.samsung.com> usbip: usbip_host: refine probe and disconnect debug msgs to be useful zhongjiang <zhongjiang(a)huawei.com> kernel/exit.c: avoid undefined behaviour when calling wait4() Jiri Slaby <jslaby(a)suse.cz> futex: futex_wake_op, fix sign_extend32 sign bits Michael Kerrisk (man-pages) <mtk.manpages(a)gmail.com> pipe: cap initial pipe capacity according to pipe-max-size limit James Chapman <jchapman(a)katalix.com> l2tp: revert "l2tp: fix missing print session offset info" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap" Vasily Averin <vvs(a)virtuozzo.com> lockd: lost rollback of set_grace_period() in lockd_down_net() Antony Antony <antony(a)phenome.org> xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) Jiri Slaby <jslaby(a)suse.cz> futex: Remove duplicated code and fix undefined behaviour Mel Gorman <mgorman(a)suse.de> futex: Remove unnecessary warning from get_futex_key Suzuki K Poulose <suzuki.poulose(a)arm.com> arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Ard Biesheuvel <ard.biesheuvel(a)linaro.org> arm64: introduce mov_q macro to move a constant into a 64-bit register Richard Guy Briggs <rgb(a)redhat.com> audit: move calcs after alloc and check when logging set loginuid Takashi Iwai <tiwai(a)suse.de> ALSA: timer: Call notifier in the same spinlock Xin Long <lucien.xin(a)gmail.com> sctp: delay the authentication for the duplicated cookie-echo chunk Xin Long <lucien.xin(a)gmail.com> sctp: fix the issue that the cookie-ack with auth can't get processed Yuchung Cheng <ycheng(a)google.com> tcp: ignore Fast Open on repair mode Debabrata Banerjee <dbanerje(a)akamai.com> bonding: do not allow rlb updates to invalid mac Michael Chan <michael.chan(a)broadcom.com> tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). Xin Long <lucien.xin(a)gmail.com> sctp: use the old asoc when making the cookie-ack chunk in dupcook_d Xin Long <lucien.xin(a)gmail.com> sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix powering up RTL8168h Bjørn Mork <bjorn(a)mork.no> qmi_wwan: do not steal interfaces from class drivers Stefano Brivio <sbrivio(a)redhat.com> openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found Lance Richardson <lance.richardson.net(a)gmail.com> net: support compat 64-bit time in {s,g}etsockopt Eric Dumazet <edumazet(a)google.com> net_sched: fq: take care of throttled flows before reuse Moshe Shemesh <moshe(a)mellanox.com> net/mlx4_en: Verify coalescing parameters are in range Rob Taglang <rob(a)taglang.io> net: ethernet: sun: niu set correct packet size in skb Eric Dumazet <edumazet(a)google.com> llc: better deal with too small mtu Andrey Ignatov <rdna(a)fb.com> ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Eric Dumazet <edumazet(a)google.com> dccp: fix tasklet usage Hangbin Liu <liuhangbin(a)gmail.com> bridge: check iface upper dev when setting master via ioctl Ingo Molnar <mingo(a)elte.hu> 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() ------------- Diffstat: Makefile | 4 +- arch/alpha/include/asm/futex.h | 26 +-- arch/arc/include/asm/futex.h | 40 +---- arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 - arch/arm/include/asm/assembler.h | 10 ++ arch/arm/include/asm/futex.h | 26 +-- arch/arm/kernel/traps.c | 5 +- arch/arm/lib/getuser.S | 10 ++ arch/arm/probes/kprobes/opt-arm.c | 4 +- arch/arm64/Kconfig | 14 ++ arch/arm64/include/asm/assembler.h | 60 +++++++ arch/arm64/include/asm/cputype.h | 11 ++ arch/arm64/include/asm/futex.h | 26 +-- arch/arm64/mm/proc.S | 5 + arch/frv/include/asm/futex.h | 3 +- arch/frv/kernel/futex.c | 27 +-- arch/hexagon/include/asm/futex.h | 38 +--- arch/ia64/include/asm/futex.h | 25 +-- arch/microblaze/include/asm/futex.h | 38 +--- arch/mips/include/asm/futex.h | 25 +-- arch/parisc/include/asm/futex.h | 25 +-- arch/powerpc/include/asm/firmware.h | 5 +- arch/powerpc/include/asm/futex.h | 26 +-- arch/powerpc/kernel/setup-common.c | 11 -- arch/powerpc/platforms/powernv/eeh-powernv.c | 4 +- arch/powerpc/platforms/powernv/idle.c | 2 +- arch/powerpc/platforms/powernv/opal-nvram.c | 14 +- arch/powerpc/platforms/powernv/opal-xscom.c | 2 +- arch/powerpc/platforms/powernv/opal.c | 36 ++-- arch/powerpc/platforms/powernv/pci-ioda.c | 2 +- arch/powerpc/platforms/powernv/setup.c | 12 +- arch/powerpc/platforms/powernv/smp.c | 74 ++++---- arch/s390/include/asm/alternative-asm.h | 108 ++++++++++++ arch/s390/include/asm/futex.h | 23 +-- arch/s390/include/asm/nospec-insn.h | 193 +++++++++++++++++++++ arch/s390/kernel/Makefile | 1 + arch/s390/kernel/asm-offsets.c | 1 + arch/s390/kernel/base.S | 24 +-- arch/s390/kernel/entry.S | 105 +++-------- arch/s390/kernel/irq.c | 5 +- arch/s390/kernel/mcount.S | 14 +- arch/s390/kernel/nospec-branch.c | 43 +++-- arch/s390/kernel/nospec-sysfs.c | 21 +++ arch/s390/kernel/perf_cpum_sf.c | 4 + arch/s390/kernel/reipl.S | 5 +- arch/s390/kernel/swsusp.S | 10 +- arch/s390/lib/mem.S | 9 +- arch/s390/net/bpf_jit.S | 16 +- arch/s390/net/bpf_jit_comp.c | 63 ++++++- arch/sh/include/asm/futex.h | 26 +-- arch/sparc/include/asm/futex_64.h | 26 +-- arch/tile/include/asm/futex.h | 40 +---- arch/x86/boot/compressed/eboot.c | 6 +- arch/x86/include/asm/futex.h | 40 +---- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/machine_kexec_64.c | 4 +- arch/x86/xen/mmu.c | 4 - arch/xtensa/include/asm/futex.h | 27 +-- drivers/cpufreq/intel_pstate.c | 34 ++-- drivers/cpufreq/powernv-cpufreq.c | 2 +- drivers/cpuidle/coupled.c | 1 - drivers/cpuidle/cpuidle-powernv.c | 2 +- drivers/gpio/gpio-rcar.c | 46 +++++ drivers/net/bonding/bond_alb.c | 2 +- drivers/net/ethernet/broadcom/tg3.c | 9 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 ++ drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 +- drivers/net/ethernet/realtek/8139too.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 3 + drivers/net/ethernet/sun/niu.c | 5 +- drivers/net/usb/qmi_wwan.c | 12 ++ drivers/s390/cio/qdio_setup.c | 12 +- drivers/s390/scsi/zfcp_dbf.c | 23 ++- drivers/s390/scsi/zfcp_ext.h | 5 +- drivers/s390/scsi/zfcp_scsi.c | 14 +- drivers/scsi/libsas/sas_scsi_host.c | 33 ++-- drivers/scsi/sg.c | 2 +- drivers/spi/spi-pxa2xx.h | 2 +- drivers/usb/usbip/stub.h | 2 + drivers/usb/usbip/stub_dev.c | 43 +++-- drivers/usb/usbip/stub_main.c | 105 +++++++++-- fs/btrfs/ctree.c | 6 +- fs/btrfs/tree-log.c | 7 + fs/btrfs/volumes.c | 9 + fs/ext2/inode.c | 10 -- fs/hfsplus/super.c | 1 + fs/lockd/svc.c | 2 + fs/pipe.c | 3 + fs/proc/base.c | 55 +++++- fs/proc/meminfo.c | 5 +- include/asm-generic/futex.h | 50 +----- include/linux/dmaengine.h | 20 ++- include/linux/efi.h | 8 +- include/linux/signal.h | 17 ++ include/linux/timekeeper_internal.h | 4 +- include/trace/events/xen.h | 16 -- include/uapi/linux/nl80211.h | 2 + kernel/auditsc.c | 7 +- kernel/exit.c | 4 + kernel/futex.c | 44 ++++- kernel/signal.c | 7 + kernel/time/tick-broadcast.c | 8 + kernel/time/timekeeping.c | 20 +-- mm/Kconfig | 1 + mm/filemap.c | 90 ++++++---- mm/util.c | 16 +- mm/vmscan.c | 12 +- net/bridge/br_if.c | 4 +- net/compat.c | 6 +- net/core/sock.c | 2 +- net/dccp/ccids/ccid2.c | 14 +- net/dccp/timer.c | 2 +- net/ipv4/ip_output.c | 3 +- net/ipv4/ping.c | 7 +- net/ipv4/tcp.c | 2 +- net/ipv4/tcp_output.c | 7 +- net/ipv4/udp.c | 7 +- net/ipv6/ip6_output.c | 3 +- net/l2tp/l2tp_netlink.c | 2 - net/llc/af_llc.c | 3 + net/openvswitch/flow_netlink.c | 9 +- net/packet/af_packet.c | 4 +- net/sched/sch_fq.c | 37 ++-- net/sctp/associola.c | 30 +++- net/sctp/inqueue.c | 2 +- net/sctp/ipv6.c | 3 + net/sctp/sm_statefuns.c | 89 +++++----- net/wireless/core.c | 3 + net/xfrm/xfrm_state.c | 1 + sound/core/control_compat.c | 3 +- sound/core/timer.c | 220 +++++++++++------------- sound/pci/hda/hda_intel.c | 2 + sound/usb/mixer.c | 8 + 133 files changed, 1605 insertions(+), 1109 deletions(-)

7 years

15
123
0 0

[PATCH stable 4.14] bpf: fix partial copy of map_ptr when dst is scalar

by Daniel Borkmann

commit 0962590e553331db2cc0aef2dc35c57f6300dbbe upstream. ALU operations on pointers such as scalar_reg += map_value_ptr are handled in adjust_ptr_min_max_vals(). Problem is however that map_ptr and range in the register state share a union, so transferring state through dst_reg->range = ptr_reg->range is just buggy as any new map_ptr in the dst_reg is then truncated (or null) for subsequent checks. Fix this by adding a raw member and use it for copying state over to dst_reg. Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Cc: Edward Cree <ecree(a)solarflare.com> Acked-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Acked-by: Edward Cree <ecree(a)solarflare.com> --- include/linux/bpf_verifier.h | 3 +++ kernel/bpf/verifier.c | 10 ++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 73bec75..a333300 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -50,6 +50,9 @@ struct bpf_reg_state { * PTR_TO_MAP_VALUE_OR_NULL */ struct bpf_map *map_ptr; + + /* Max size from any of the above. */ + unsigned long raw; }; /* Fixed part of pointer offset, pointer types only */ s32 off; diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index a0ffc62..013b0cd 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1935,7 +1935,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst_reg->umax_value = umax_ptr; dst_reg->var_off = ptr_reg->var_off; dst_reg->off = ptr_reg->off + smin_val; - dst_reg->range = ptr_reg->range; + dst_reg->raw = ptr_reg->raw; break; } /* A new variable offset is created. Note that off_reg->off @@ -1965,10 +1965,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, } dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off); dst_reg->off = ptr_reg->off; + dst_reg->raw = ptr_reg->raw; if (ptr_reg->type == PTR_TO_PACKET) { dst_reg->id = ++env->id_gen; /* something was added to pkt_ptr, set range to zero */ - dst_reg->range = 0; + dst_reg->raw = 0; } break; case BPF_SUB: @@ -1999,7 +2000,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst_reg->var_off = ptr_reg->var_off; dst_reg->id = ptr_reg->id; dst_reg->off = ptr_reg->off - smin_val; - dst_reg->range = ptr_reg->range; + dst_reg->raw = ptr_reg->raw; break; } /* A new variable offset is created. If the subtrahend is known @@ -2025,11 +2026,12 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, } dst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off); dst_reg->off = ptr_reg->off; + dst_reg->raw = ptr_reg->raw; if (ptr_reg->type == PTR_TO_PACKET) { dst_reg->id = ++env->id_gen; /* something was added to pkt_ptr, set range to zero */ if (smin_val < 0) - dst_reg->range = 0; + dst_reg->raw = 0; } break; case BPF_AND: -- 2.9.5

7 years

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror