This is the start of the stable review cycle for the 3.2.97 release. There are 94 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Mon Jan 1 17:00:00 UTC 2018. Anything received after that time might be too late.
All the patches have also been committed to the linux-3.2.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below.
Ben.
-------------
Al Viro (3): Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket [71bb99a02b32b4cc4265118e85f6035ca72923f0] Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket [96c26653ce65bf84f3212f8b00d4316c1efcbf4c] more bio_map_user_iov() leak fixes [2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058]
Alan Stern (8): USB: core: prevent malicious bNumInterfaces overflow [48a4ff1c7bb5a32d2e396b03132d20d552c0eca7] USB: dummy-hcd: Fix deadlock caused by disconnect detection [ab219221a5064abfff9f78c323c4a257b16cdb81] USB: dummy-hcd: Fix erroneous synchronization change [7dbd8f4cabd96db5a50513de9d83a8105a5ffc81] USB: dummy-hcd: fix infinite-loop resubmission bug [0173a68bfb0ad1c72a6ee39cc485aa2c97540b98] USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks [f16443a034c7aa359ddf6f0f9bc40d01ca31faea] USB: gadgetfs: Fix crash caused by inadequate synchronization [520b72fc64debf8a86c3853b8e486aa5982188f0] USB: gadgetfs: fix copy_to_user while holding spinlock [6e76c01e71551cb221c1f3deacb9dcd9a7346784] usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives [113f6eb6d50cfa5e2a1cdcf1678b12661fa272ab]
Andreas Engel (1): USB: serial: cp210x: add support for ELV TFD500 [c496ad835c31ad639b6865714270b3003df031f6]
Andreas Gruenbacher (1): vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets [fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8]
Andrew Honig (1): KVM: VMX: remove I/O port 0x80 bypass on Intel hosts [d59d51f088014f25c2562de59b9abff4f42a7468]
Andrey Konovalov (2): uwb: ensure that endpoint is interrupt [70e743e4cec3733dc13559f6184b35d358b9ef3f] uwb: properly check kthread_run return value [bbf26183b7a6236ba602f4d6a2f7cade35bba043]
Ashish Samant (1): ocfs2: fstrim: Fix start offset of first cluster group during fstrim [105ddc93f06ebe3e553f58563d11ed63dbcd59f0]
Baruch Siach (1): spi: uapi: spidev: add missing ioctl header [a2b4a79b88b24c49d98d45a06a014ffd22ada1a4]
Ben Hutchings (2): ipsec: Fix aborted xfrm policy dump crash [1137b5e2529a8f5ca8ee709288ecba3e68044df2] security: Fix mode test in selinux_ptrace_access_check() [69f594a38967f4540ce7a29b3fd214e68a8330bd]
Bin Liu (1): usb: gadget: fix spinlock dead lock in gadgetfs [d246dcb2331c5783743720e6510892eb1d2801d9]
Boqun Feng (2): kvm/x86: Avoid async PF preempting the kernel incorrectly [a2b7861bb33b2538420bb5d8554153484d3f961f] kvm/x86: Handle async PF in RCU read-side critical sections [b862789aa5186d5ea3a024b7cfe0f80c3a38b980]
Borislav Petkov (1): x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context [a743bbeef27b9176987ec0cb7f906ab0ab52d1da]
Casey Schaufler (1): lsm: fix smack_inode_removexattr and xattr_getsecurity memleak [57e7ba04d422c3d41c8426380303ec9b7533ded9]
Colin Ian King (1): staging: iio: ade7759: fix signed extension bug on shift of a u8 [13ffe9a26df4e156363579b25c904dd0b1e31bfb]
Craig Gallek (1): tun/tap: sanitize TUNSETSNDBUF input [93161922c658c714715686cd0cf69b090cb9bf1d]
Dan Carpenter (1): tile: array underflow in setup_maxnodemem() [637f23abca87d26e091e0d6647ec878d97d2c6cd]
David Herrmann (1): Bluetooth: hidp: verify l2cap sockets [b3916db32c4a3124eee9f3742a2f4723731d7602]
Dmitry Fleytman (1): usb: Increase quirk delay for USB devices [b2a542bbb3081dbd64acc8929c140d196664c406]
Dmitry Torokhov (1): Input: uinput - avoid FF flush when destroying device [e8b95728f724797f958912fd9b765a695595d3a6]
Eric Biggers (13): FS-Cache: fix dereference of NULL user_key_payload [d124b2c53c7bee6569d2a2d0b18b4a1afde00134] KEYS: add missing permission check for request_key() destination [4dca6ea1d9432052afb06baf2e3ae78188a4410b] KEYS: don't revoke uninstantiated key in request_key_auth_new() [f7b48cf08fa63a68b59c2894806ee478216d7f91] KEYS: encrypted: fix dereference of NULL user_key_payload [13923d0865ca96312197962522e88bc0aedccd74] KEYS: fix cred refcount leak in request_key_auth_new() [44d8143340a99b167c74365e844516b73523c087] KEYS: fix key refcount leak in keyctl_assume_authority() [884bee0215fcc239b30c062c37ca29077005e064] KEYS: fix key refcount leak in keyctl_read_key() [7fc0786d956d9e59b68d282be9b156179846ea3d] KEYS: prevent creating a different user's keyrings [237bbd29f7a049d310d907f4b2716a7feef9abf3] KEYS: trusted: fix writing past end of buffer in trusted_read() [a3c812f7cfd80cf51e8f5b7034f7418f6beb56c1] KEYS: trusted: sanitize all key material [ee618b4619b72527aaed765f0f0b74072b281159] crypto: hmac - require that the underlying hash algorithm is unkeyed [af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1] crypto: salsa20 - fix blkcipher_walk API usage [ecaaab5649781c5a0effdaf298a925063020500e] ecryptfs: fix dereference of NULL user_key_payload [f66665c09ab489a11ca490d6a82df57cfc1bea3e]
Eric Dumazet (1): tcp: fix tcp_mtu_probe() vs highest_sack [2b7cda9c35d3b940eb9ce74b30bbd5eb30db493d]
Ethan Zhao (1): sched/sysctl: Check user input value of sysctl_sched_time_avg [5ccba44ba118a5000cccc50076b0344632459779]
Felipe Balbi (1): usb: quirks: add quirk for WORLDE MINI MIDI keyboard [2811501e6d8f5747d08f8e25b9ecf472d0dc4c7d]
Geert Uytterhoeven (2): sh: sh7722: remove nonexistent GPIO_PTQ7 to fix pinctrl registration [b78412b8300a8453b78d2c1b0b925b66493bb011] sh: sh7757: remove nonexistent GPIO_PT[JLNQ]7_RESV to fix pinctrl registration [d8ce38f69843a56da044e56b6c16aecfbc3c6e39]
Gerald Schaefer (1): s390/mm: fix write access check in gup_huge_pmd() [ba385c0594e723d41790ecfb12c610e6f90c7785]
Gleb Natapov (1): KVM: Do not take reference to mm during async #PF [62c49cc976af84cb0ffcb5ec07ee88da1a94e222]
Guillaume Nault (6): l2tp: check ps->sock before running pppol2tp_session_ioctl() [5903f594935a3841137c86b9d5b75143a5b7121c] l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6 [8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09] l2tp: fix l2tp_eth module loading [9f775ead5e570e7e19015b9e4e2f3dd6e71a5935] l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() [a3c18422a4b4e108bcf6a2328f48867e1003fd95] l2tp: hold tunnel in pppol2tp_connect() [f9e56baf03f9d36043a78f16e3e8b2cfd211e09e] l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 [94d7ee0baa8b764cf64ad91ed69464c1a6a0066b]
Haozhong Zhang (1): KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit [8eb3f87d903168bdbd1222776a6b1e281f50513e]
Henryk Heisig (1): USB: serial: option: add support for TP-Link LTE module [837ddc4793a69b256ac5e781a5e729b448a8d983]
Herbert Xu (1): crypto: shash - Fix zero-length shash ahash digest crash [b61907bb42409adf9b3120f741af7c57dd7e3db2]
Jean Delvare (1): kernel/params.c: align add_sysfs_param documentation with code [630cc2b30a42c70628368a412beb4a5e5dd71abe]
Jeffrey Chu (1): USB: serial: ftdi_sio: add id for Cypress WICED dev board [a6c215e21b0dc5fe9416dce90f9acc2ea53c4502]
Jim Dickerson (1): usb: pci-quirks.c: Corrected timeout values used in handshake [114ec3a6f9096d211a4aff4277793ba969a62c73]
Joerg Roedel (1): iommu/amd: Finish TLB flush in amd_iommu_unmap() [ce76353f169a6471542d999baf3d29b121dce9c0]
Johannes Thumshirn (1): scsi: libiscsi: fix shifting of DID_REQUEUE host byte [eef9ffdf9cd39b2986367bc8395e2772bc1284ba]
Kazuya Mizuguchi (1): usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet [29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513]
Konstantin Khlebnikov (1): Smack: remove unneeded NULL-termination from securtity label [da1b63566c469bf3e2b24182114422e16b1aa34c]
LEROY Christophe (1): crypto: talitos - fix sha224 [afd62fa26343be6445479e75de9f07092a061459]
Maksim Salau (1): usb: cdc_acm: Add quirk for Elatec TWN3 [765fb2f181cad669f2beb87842a05d8071f2be85]
Mark Rutland (1): ARM: 8720/1: ensure dump_instr() checks addr_limit [b9dd05c7002ee0ca8b676428b2268c26399b5e31]
Martin K. Petersen (1): scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP [28a0bc4120d38a394499382ba21d6965a67a3703]
Mathias Nyman (1): xhci: fix finding correct bus_state structure for USB 3.1 hosts [5a838a13c9b4e5dd188b7a6eaeb894e9358ead0c]
Michael S. Tsirkin (1): macvtap: fix TUNSETSNDBUF values > 64k [3ea79249e81e5ed051f2e6480cbde896d99046e8]
Mohamed Ghannam (1): dccp: CVE-2017-8824: use-after-free in DCCP code [69c64866ce072dea1d1e59a0d61e0f66c0dffb76]
Nicolas Dichtel (1): net: enable interface alias removal via rtnl [2459b4c635858094df78abb9ca87d99f89fe8ca5]
Oleg Nesterov (1): ptrace: change __ptrace_unlink() to clear ->ptrace under ->siglock [1333ab03150478df8d6f5673a91df1e50dc6ab97]
Oswald Buddenhagen (1): MIPS: AR7: Ensure that serial ports are properly set up [b084116f8587b222a2c5ef6dcd846f40f24b9420]
Stefan Mätje (1): can: esd_usb2: Fix can_dlc value for received RTR, frames [72d92e865d1560723e1957ee3f393688c49ca5bf]
Stefano Brivio (1): scsi: lpfc: Don't return internal MBXERR_ERROR code from probe function [5c756065e47dc3e84b00577bd109f0a8e69903d7]
Steffen Maier (1): scsi: zfcp: fix erp_action use-before-initialize in REC action trace [ab31fd0ce65ec93828b617123792c1bb7c6dcc42]
Takashi Iwai (9): ALSA: caiaq: Fix stray URB at probe error path [99fee508245825765ff60155fed43f970ff83a8f] ALSA: seq: Avoid invalid lockdep class warning [3510c7aa069aa83a2de6dab2b41401a198317bdc] ALSA: seq: Fix OSS sysex delivery in OSS emulation [132d358b183ac6ad8b3fea32ad5e0663456d18d1] ALSA: seq: Fix copy_from_user() call inside lock [5803b023881857db32ffefa0d269c90280a67ee0] ALSA: seq: Fix nested rwsem annotation for lockdep splat [1f20f9ff57ca23b9f5502fca85ce3977e8496cb1] ALSA: timer: Add missing mutex lock for compat ioctls [79fb0518fec8c8b4ea7f1729f54f293724b3dbb0] ALSA: timer: Limit max instances per timer [9b7d869ee5a77ed4a462372bb89af622e705bfb8] ALSA: timer: Protect the whole snd_timer_close() with open race [9984d1b5835ca29fc7025186a891ee7398d21cc7] ALSA: usx2y: Suppress kernel warning at page allocation failures [7682e399485fe19622b6fd82510b1f4551e48a25]
Wanpeng Li (1): KVM: Fix stack-out-of-bounds read in write_mmio [e39d200fa5bf5b94a0948db0dae44c1b73b84a56]
Willem de Bruijn (1): packet: only test po->has_vnet_hdr once in packet_snd [da7c9561015e93d10fe6aab73e9288e0d09d65a6]
Xin Long (1): sctp: fix a type cast warnings that causes a_rwnd gets the wrong value [f6fc6bc0b8e0bb13a210bd7386ffdcb1a5f30ef1]
Yoshihiro Shimoda (2): usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe [6124607acc88fffeaadf3aacfeb3cc1304c87387] usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction [0a2ce62b61f2c76d0213edf4e37aaf54a8ddf295]
Makefile | 4 +- arch/arm/kernel/traps.c | 28 ++++++--- arch/mips/ar7/platform.c | 1 + arch/s390/mm/gup.c | 7 +-- arch/sh/include/cpu-sh4/cpu/sh7722.h | 2 +- arch/sh/include/cpu-sh4/cpu/sh7757.h | 8 +-- arch/tile/kernel/setup.c | 3 +- arch/x86/crypto/salsa20_glue.c | 7 --- arch/x86/include/asm/kvm_para.h | 4 +- arch/x86/kernel/kvm.c | 22 +++---- arch/x86/kvm/svm.c | 2 +- arch/x86/kvm/vmx.c | 7 +-- arch/x86/kvm/x86.c | 8 +-- arch/x86/oprofile/op_model_ppro.c | 4 +- crypto/hmac.c | 6 +- crypto/salsa20_generic.c | 7 --- crypto/shash.c | 13 ++-- drivers/crypto/talitos.c | 4 +- drivers/input/ff-core.c | 13 +++- drivers/input/misc/uinput.c | 18 ++++++ drivers/iommu/amd_iommu.c | 1 + drivers/net/can/usb/esd_usb2.c | 2 +- drivers/net/macvtap.c | 6 +- drivers/net/tun.c | 4 ++ drivers/s390/scsi/zfcp_aux.c | 5 ++ drivers/s390/scsi/zfcp_erp.c | 18 +++--- drivers/s390/scsi/zfcp_scsi.c | 5 ++ drivers/scsi/libiscsi.c | 2 +- drivers/scsi/lpfc/lpfc_init.c | 1 + drivers/scsi/scsi_scan.c | 3 + drivers/scsi/sd.c | 14 ++++- drivers/staging/iio/meter/ade7759.c | 2 +- drivers/usb/class/cdc-acm.c | 3 + drivers/usb/core/config.c | 6 +- drivers/usb/core/hub.c | 2 +- drivers/usb/core/quirks.c | 4 ++ drivers/usb/gadget/dummy_hcd.c | 56 +++++++++++++---- drivers/usb/gadget/inode.c | 72 ++++++++++++++++----- drivers/usb/host/pci-quirks.c | 8 +-- drivers/usb/host/xhci.h | 2 +- drivers/usb/renesas_usbhs/fifo.c | 23 +++++-- drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 7 +++ drivers/usb/serial/option.c | 2 + drivers/usb/storage/unusual_devs.h | 7 +++ drivers/uwb/hwa-rc.c | 2 + drivers/uwb/uwbd.c | 12 ++-- fs/bio.c | 14 +++-- fs/ecryptfs/ecryptfs_kernel.h | 25 +++++--- fs/ecryptfs/keystore.c | 9 ++- fs/fscache/object-list.c | 7 +++ fs/ocfs2/alloc.c | 24 +++++-- fs/read_write.c | 4 +- fs/xattr.c | 2 +- include/crypto/internal/hash.h | 8 +++ include/linux/input.h | 1 + include/linux/key.h | 2 + include/linux/spi/spidev.h | 1 + include/net/bluetooth/l2cap.h | 1 + include/net/tcp.h | 6 +- include/scsi/scsi_device.h | 1 + include/scsi/scsi_devinfo.h | 1 + include/sound/seq_kernel.h | 3 +- include/sound/seq_virmidi.h | 1 + include/sound/timer.h | 2 + include/trace/events/kvm.h | 7 ++- kernel/params.c | 2 +- kernel/ptrace.c | 3 +- kernel/sysctl.c | 3 +- net/bluetooth/bnep/core.c | 3 + net/bluetooth/cmtp/core.c | 3 + net/bluetooth/hidp/core.c | 2 + net/bluetooth/l2cap_sock.c | 6 ++ net/core/rtnetlink.c | 5 +- net/dccp/proto.c | 5 ++ net/ipv4/tcp_output.c | 3 +- net/l2tp/l2tp_eth.c | 51 +-------------- net/l2tp/l2tp_ip.c | 20 +++--- net/l2tp/l2tp_ppp.c | 10 ++- net/packet/af_packet.c | 4 +- net/sctp/sm_sideeffect.c | 4 +- net/xfrm/xfrm_user.c | 3 +- security/keys/encrypted-keys/encrypted.c | 7 +++ security/keys/internal.h | 2 +- security/keys/key.c | 2 + security/keys/keyctl.c | 8 +-- security/keys/keyring.c | 23 ++++--- security/keys/process_keys.c | 9 ++- security/keys/request_key.c | 46 +++++++++++--- security/keys/request_key_auth.c | 69 ++++++++++----------- security/keys/trusted.c | 71 ++++++++++----------- security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 57 ++++++++--------- sound/core/hrtimer.c | 1 + sound/core/seq/oss/seq_oss_midi.c | 4 +- sound/core/seq/oss/seq_oss_readq.c | 29 +++++++++ sound/core/seq/oss/seq_oss_readq.h | 2 + sound/core/seq/seq_clientmgr.c | 2 +- sound/core/seq/seq_virmidi.c | 27 +++++--- sound/core/timer.c | 103 +++++++++++++++++++++---------- sound/core/timer_compat.c | 17 ++++- sound/usb/caiaq/device.c | 12 +++- sound/usb/usx2y/usb_stream.c | 6 +- 104 files changed, 769 insertions(+), 416 deletions(-)
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wanpeng Li wanpeng.li@hotmail.com
commit e39d200fa5bf5b94a0948db0dae44c1b73b84a56 upstream.
Reported by syzkaller:
BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm] Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18 Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016 Call Trace: dump_stack+0xab/0xe1 print_address_description+0x6b/0x290 kasan_report+0x28a/0x370 write_mmio+0x11e/0x270 [kvm] emulator_read_write_onepage+0x311/0x600 [kvm] emulator_read_write+0xef/0x240 [kvm] emulator_fix_hypercall+0x105/0x150 [kvm] em_hypercall+0x2b/0x80 [kvm] x86_emulate_insn+0x2b1/0x1640 [kvm] x86_emulate_instruction+0x39a/0xb90 [kvm] handle_exception+0x1b4/0x4d0 [kvm_intel] vcpu_enter_guest+0x15a0/0x2640 [kvm] kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm] kvm_vcpu_ioctl+0x479/0x880 [kvm] do_vfs_ioctl+0x142/0x9a0 SyS_ioctl+0x74/0x80 entry_SYSCALL_64_fastpath+0x23/0x9a
The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall) to the guest memory, however, write_mmio tracepoint always prints 8 bytes through *(u64 *)val since kvm splits the mmio access into 8 bytes. This leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes it by just accessing the bytes which we operate on.
Before patch:
syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
After patch:
syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
Reported-by: Dmitry Vyukov dvyukov@google.com Reviewed-by: Darren Kenny darren.kenny@oracle.com Reviewed-by: Marc Zyngier marc.zyngier@arm.com Tested-by: Marc Zyngier marc.zyngier@arm.com Cc: Paolo Bonzini pbonzini@redhat.com Cc: Radim Krčmář rkrcmar@redhat.com Cc: Marc Zyngier marc.zyngier@arm.com Cc: Christoffer Dall christoffer.dall@linaro.org Signed-off-by: Wanpeng Li wanpeng.li@hotmail.com Signed-off-by: Paolo Bonzini pbonzini@redhat.com [bwh: Backported to 3.2: - Drop ARM changes - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -3920,7 +3920,7 @@ static int vcpu_mmio_read(struct kvm_vcp !kvm_iodevice_read(&vcpu->arch.apic->dev, addr, n, v)) && kvm_io_bus_read(vcpu->kvm, KVM_MMIO_BUS, addr, n, v)) break; - trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v); + trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v); handled += n; addr += n; len -= n; @@ -4152,7 +4152,7 @@ static int read_prepare(struct kvm_vcpu if (vcpu->mmio_read_completed) { memcpy(val, vcpu->mmio_data, bytes); trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes, - vcpu->mmio_phys_addr, *(u64 *)val); + vcpu->mmio_phys_addr, val); vcpu->mmio_read_completed = 0; return 1; } @@ -4174,14 +4174,14 @@ static int write_emulate(struct kvm_vcpu
static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val) { - trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val); + trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val); return vcpu_mmio_write(vcpu, gpa, bytes, val); }
static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, void *val, int bytes) { - trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0); + trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL); return X86EMUL_IO_NEEDED; }
--- a/include/trace/events/kvm.h +++ b/include/trace/events/kvm.h @@ -152,7 +152,7 @@ TRACE_EVENT(kvm_ack_irq, { KVM_TRACE_MMIO_WRITE, "write" }
TRACE_EVENT(kvm_mmio, - TP_PROTO(int type, int len, u64 gpa, u64 val), + TP_PROTO(int type, int len, u64 gpa, void *val), TP_ARGS(type, len, gpa, val),
TP_STRUCT__entry( @@ -166,7 +166,10 @@ TRACE_EVENT(kvm_mmio, __entry->type = type; __entry->len = len; __entry->gpa = gpa; - __entry->val = val; + __entry->val = 0; + if (val) + memcpy(&__entry->val, val, + min_t(u32, sizeof(__entry->val), len)); ),
TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov oleg@redhat.com
commit 1333ab03150478df8d6f5673a91df1e50dc6ab97 upstream.
This test-case (simplified version of generated by syzkaller)
#include <unistd.h> #include <sys/ptrace.h> #include <sys/wait.h>
void test(void) { for (;;) { if (fork()) { wait(NULL); continue; }
ptrace(PTRACE_SEIZE, getppid(), 0, 0); ptrace(PTRACE_INTERRUPT, getppid(), 0, 0); _exit(0); } }
int main(void) { int np;
for (np = 0; np < 8; ++np) if (!fork()) test();
while (wait(NULL) > 0) ; return 0; }
triggers the 2nd WARN_ON_ONCE(!signr) warning in do_jobctl_trap(). The problem is that __ptrace_unlink() clears task->jobctl under siglock but task->ptrace is cleared without this lock held; this fools the "else" branch which assumes that !PT_SEIZED means PT_PTRACED.
Note also that most of other PTRACE_SEIZE checks can race with detach from the exiting tracer too. Say, the callers of ptrace_trap_notify() assume that SEIZED can't go away after it was checked.
Signed-off-by: Oleg Nesterov oleg@redhat.com Reported-by: Dmitry Vyukov dvyukov@google.com Cc: Tejun Heo tj@kernel.org Cc: syzkaller syzkaller@googlegroups.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/ptrace.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -77,12 +77,11 @@ void __ptrace_unlink(struct task_struct { BUG_ON(!child->ptrace);
- child->ptrace = 0; child->parent = child->real_parent; list_del_init(&child->ptrace_entry);
spin_lock(&child->sighand->siglock); - + child->ptrace = 0; /* * Clear all pending traps and TRAPPING. TRAPPING should be * cleared regardless of JOBCTL_STOP_PENDING. Do it explicitly.
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern stern@rowland.harvard.edu
commit 520b72fc64debf8a86c3853b8e486aa5982188f0 upstream.
The gadgetfs driver (drivers/usb/gadget/legacy/inode.c) was written before the UDC and composite frameworks were adopted; it is a legacy driver. As such, it expects that once bound to a UDC controller, it will not be unbound until it unregisters itself.
However, the UDC framework does unbind function drivers while they are still registered. When this happens, it can cause the gadgetfs driver to misbehave or crash. For example, userspace can cause a crash by opening the device file and doing an ioctl call before setting up a configuration (found by Andrey Konovalov using the syzkaller fuzzer).
This patch adds checks and synchronization to prevent these bad behaviors. It adds a udc_usage counter that the driver increments at times when it is using a gadget interface without holding the private spinlock. The unbind routine waits for this counter to go to 0 before returning, thereby ensuring that the UDC is no longer in use.
The patch also adds a check in the dev_ioctl() routine to make sure the driver is bound to a UDC before dereferencing the gadget pointer, and it makes destroy_ep_files() synchronize with the endpoint I/O routines, to prevent the user from accessing an endpoint data structure after it has been removed.
Signed-off-by: Alan Stern stern@rowland.harvard.edu Reported-by: Andrey Konovalov andreyknvl@google.com Tested-by: Andrey Konovalov andreyknvl@google.com Acked-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.2: - Expand locked section in ep0_write() to match upstream - Adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c @@ -24,7 +24,7 @@ #include <linux/sched.h> #include <linux/slab.h> #include <linux/poll.h> - +#include <linux/delay.h> #include <linux/device.h> #include <linux/moduleparam.h>
@@ -112,6 +112,7 @@ enum ep0_state { struct dev_data { spinlock_t lock; atomic_t count; + int udc_usage; enum ep0_state state; /* P: lock */ struct usb_gadgetfs_event event [N_EVENT]; unsigned ev_next; @@ -608,9 +609,9 @@ static void ep_aio_complete(struct usb_e priv->actual = req->actual; kick_iocb(iocb); } - spin_unlock(&epdata->dev->lock);
usb_ep_free_request(ep, req); + spin_unlock(&epdata->dev->lock); put_ep(epdata); }
@@ -1010,9 +1011,11 @@ ep0_read (struct file *fd, char __user * struct usb_request *req = dev->req;
if ((retval = setup_req (ep, req, 0)) == 0) { + ++dev->udc_usage; spin_unlock_irq (&dev->lock); retval = usb_ep_queue (ep, req, GFP_KERNEL); spin_lock_irq (&dev->lock); + --dev->udc_usage; } dev->state = STATE_DEV_CONNECTED;
@@ -1207,6 +1210,7 @@ ep0_write (struct file *fd, const char _ retval = setup_req (dev->gadget->ep0, dev->req, len); if (retval == 0) { dev->state = STATE_DEV_CONNECTED; + ++dev->udc_usage; spin_unlock_irq (&dev->lock); if (copy_from_user (dev->req->buf, buf, len)) retval = -EFAULT; @@ -1217,12 +1221,13 @@ ep0_write (struct file *fd, const char _ dev->gadget->ep0, dev->req, GFP_KERNEL); } + spin_lock_irq(&dev->lock); + --dev->udc_usage; if (retval < 0) { - spin_lock_irq (&dev->lock); clean_req (dev->gadget->ep0, dev->req); - spin_unlock_irq (&dev->lock); } else retval = len; + spin_unlock_irq(&dev->lock);
return retval; } @@ -1314,9 +1319,21 @@ static long dev_ioctl (struct file *fd, struct usb_gadget *gadget = dev->gadget; long ret = -ENOTTY;
- if (gadget->ops->ioctl) + spin_lock_irq(&dev->lock); + if (dev->state == STATE_DEV_OPENED || + dev->state == STATE_DEV_UNBOUND) { + /* Not bound to a UDC */ + } else if (gadget->ops->ioctl) { + ++dev->udc_usage; + spin_unlock_irq(&dev->lock); + ret = gadget->ops->ioctl (gadget, code, value);
+ spin_lock_irq(&dev->lock); + --dev->udc_usage; + } + spin_unlock_irq(&dev->lock); + return ret; }
@@ -1551,10 +1568,12 @@ delegate: if (value < 0) break;
+ ++dev->udc_usage; spin_unlock (&dev->lock); value = usb_ep_queue (gadget->ep0, dev->req, GFP_KERNEL); spin_lock (&dev->lock); + --dev->udc_usage; if (value < 0) { clean_req (gadget->ep0, dev->req); break; @@ -1578,8 +1597,12 @@ delegate: req->length = value; req->zero = value < w_length;
+ ++dev->udc_usage; spin_unlock (&dev->lock); value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL); + spin_lock(&dev->lock); + --dev->udc_usage; + spin_unlock(&dev->lock); if (value < 0) { DBG (dev, "ep_queue --> %d\n", value); req->status = 0; @@ -1609,21 +1632,24 @@ restart: /* break link to FS */ ep = list_entry (entry, struct ep_data, epfiles); list_del_init (&ep->epfiles); + spin_unlock_irq (&dev->lock); + dentry = ep->dentry; ep->dentry = NULL; parent = dentry->d_parent->d_inode;
/* break link to controller */ + mutex_lock(&ep->lock); if (ep->state == STATE_EP_ENABLED) (void) usb_ep_disable (ep->ep); ep->state = STATE_EP_UNBOUND; usb_ep_free_request (ep->ep, ep->req); ep->ep = NULL; + mutex_unlock(&ep->lock); + wake_up (&ep->wait); put_ep (ep);
- spin_unlock_irq (&dev->lock); - /* break link to dcache */ mutex_lock (&parent->i_mutex); d_delete (dentry); @@ -1697,6 +1723,11 @@ gadgetfs_unbind (struct usb_gadget *gadg
spin_lock_irq (&dev->lock); dev->state = STATE_DEV_UNBOUND; + while (dev->udc_usage > 0) { + spin_unlock_irq(&dev->lock); + usleep_range(1000, 2000); + spin_lock_irq(&dev->lock); + } spin_unlock_irq (&dev->lock);
destroy_ep_files (dev);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Craig Gallek kraig@google.com
commit 93161922c658c714715686cd0cf69b090cb9bf1d upstream.
Syzkaller found several variants of the lockup below by setting negative values with the TUNSETSNDBUF ioctl. This patch adds a sanity check to both the tun and tap versions of this ioctl.
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [repro:2389] Modules linked in: irq event stamp: 329692056 hardirqs last enabled at (329692055): [<ffffffff824b8381>] _raw_spin_unlock_irqrestore+0x31/0x75 hardirqs last disabled at (329692056): [<ffffffff824b9e58>] apic_timer_interrupt+0x98/0xb0 softirqs last enabled at (35659740): [<ffffffff824bc958>] __do_softirq+0x328/0x48c softirqs last disabled at (35659731): [<ffffffff811c796c>] irq_exit+0xbc/0xd0 CPU: 0 PID: 2389 Comm: repro Not tainted 4.14.0-rc7 #23 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff880009452140 task.stack: ffff880006a20000 RIP: 0010:_raw_spin_lock_irqsave+0x11/0x80 RSP: 0018:ffff880006a27c50 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10 RAX: ffff880009ac68d0 RBX: ffff880006a27ce0 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffff880006a27ce0 RDI: ffff880009ac6900 RBP: ffff880006a27c60 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 000000000063ff00 R12: ffff880009ac6900 R13: ffff880006a27cf8 R14: 0000000000000001 R15: ffff880006a27cf8 FS: 00007f4be4838700(0000) GS:ffff88000cc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020101000 CR3: 0000000009616000 CR4: 00000000000006f0 Call Trace: prepare_to_wait+0x26/0xc0 sock_alloc_send_pskb+0x14e/0x270 ? remove_wait_queue+0x60/0x60 tun_get_user+0x2cc/0x19d0 ? __tun_get+0x60/0x1b0 tun_chr_write_iter+0x57/0x86 __vfs_write+0x156/0x1e0 vfs_write+0xf7/0x230 SyS_write+0x57/0xd0 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x7f4be4356df9 RSP: 002b:00007ffc18101c08 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4be4356df9 RDX: 0000000000000046 RSI: 0000000020101000 RDI: 0000000000000005 RBP: 00007ffc18101c40 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000293 R12: 0000559c75f64780 R13: 00007ffc18101d30 R14: 0000000000000000 R15: 0000000000000000
Fixes: 33dccbb050bb ("tun: Limit amount of queued packets per device") Fixes: 20d29d7a916a ("net: macvtap driver") Signed-off-by: Craig Gallek kraig@google.com Reviewed-by: Eric Dumazet edumazet@google.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/macvtap.c | 2 ++ drivers/net/tun.c | 4 ++++ 2 files changed, 6 insertions(+)
--- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c @@ -953,6 +953,8 @@ static long macvtap_ioctl(struct file *f case TUNSETSNDBUF: if (get_user(s, sp)) return -EFAULT; + if (s <= 0) + return -EINVAL;
q->sk.sk_sndbuf = s; return 0; --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1397,6 +1397,10 @@ static long __tun_chr_ioctl(struct file ret = -EFAULT; break; } + if (sndbuf <= 0) { + ret = -EINVAL; + break; + }
tun->socket.sk->sk_sndbuf = sndbuf; break;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Baruch Siach baruch@tkos.co.il
commit a2b4a79b88b24c49d98d45a06a014ffd22ada1a4 upstream.
The SPI_IOC_MESSAGE() macro references _IOC_SIZEBITS. Add linux/ioctl.h to make sure this macro is defined. This fixes the following build failure of lcdproc with the musl libc:
In file included from .../sysroot/usr/include/sys/ioctl.h:7:0, from hd44780-spi.c:31: hd44780-spi.c: In function 'spi_transfer': hd44780-spi.c:89:24: error: '_IOC_SIZEBITS' undeclared (first use in this function) status = ioctl(p->fd, SPI_IOC_MESSAGE(1), &xfer); ^
Signed-off-by: Baruch Siach baruch@tkos.co.il Signed-off-by: Mark Brown broonie@kernel.org [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/linux/spi/spidev.h | 1 + 1 file changed, 1 insertion(+)
--- a/include/linux/spi/spidev.h +++ b/include/linux/spi/spidev.h @@ -23,6 +23,7 @@ #define SPIDEV_H
#include <linux/types.h> +#include <linux/ioctl.h>
/* User space versions of kernel symbols for SPI clocking modes, * matching <linux/spi/spi.h>
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jean Delvare jdelvare@suse.de
commit 630cc2b30a42c70628368a412beb4a5e5dd71abe upstream.
This parameter is named kp, so the documentation should use that.
Fixes: 9b473de87209 ("param: Fix duplicate module prefixes") Link: http://lkml.kernel.org/r/20170919142656.64aea59e@endymion Signed-off-by: Jean Delvare jdelvare@suse.de Acked-by: Rusty Russell rusty@rustcorp.com.au Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/params.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/params.c +++ b/kernel/params.c @@ -578,7 +578,7 @@ EXPORT_SYMBOL(__kernel_param_unlock); /* * add_sysfs_param - add a parameter to sysfs * @mk: struct module_kobject - * @kparam: the actual parameter definition to add to sysfs + * @kp: the actual parameter definition to add to sysfs * @name: name of parameter * * Create a kobject if for a (per-module) parameter if mp NULL, and
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn jthumshirn@suse.de
commit eef9ffdf9cd39b2986367bc8395e2772bc1284ba upstream.
The SCSI host byte should be shifted left by 16 in order to have scsi_decide_disposition() do the right thing (.i.e. requeue the command).
Signed-off-by: Johannes Thumshirn jthumshirn@suse.de Fixes: 661134ad3765 ("[SCSI] libiscsi, bnx2i: make bound ep check common") Cc: Lee Duncan lduncan@suse.com Cc: Hannes Reinecke hare@suse.de Cc: Bart Van Assche Bart.VanAssche@sandisk.com Cc: Chris Leech cleech@redhat.com Acked-by: Lee Duncan lduncan@suse.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/scsi/libiscsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -1660,7 +1660,7 @@ int iscsi_queuecommand(struct Scsi_Host
if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) { reason = FAILURE_SESSION_IN_RECOVERY; - sc->result = DID_REQUEUE; + sc->result = DID_REQUEUE << 16; goto fault; }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern stern@rowland.harvard.edu
commit f16443a034c7aa359ddf6f0f9bc40d01ca31faea upstream.
Using the syzkaller kernel fuzzer, Andrey Konovalov generated the following error in gadgetfs:
BUG: KASAN: use-after-free in __lock_acquire+0x3069/0x3690 kernel/locking/lockdep.c:3246 Read of size 8 at addr ffff88003a2bdaf8 by task kworker/3:1/903
CPU: 3 PID: 903 Comm: kworker/3:1 Not tainted 4.12.0-rc4+ #35 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x292/0x395 lib/dump_stack.c:52 print_address_description+0x78/0x280 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x230/0x340 mm/kasan/report.c:408 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:429 __lock_acquire+0x3069/0x3690 kernel/locking/lockdep.c:3246 lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:299 [inline] gadgetfs_suspend+0x89/0x130 drivers/usb/gadget/legacy/inode.c:1682 set_link_state+0x88e/0xae0 drivers/usb/gadget/udc/dummy_hcd.c:455 dummy_hub_control+0xd7e/0x1fb0 drivers/usb/gadget/udc/dummy_hcd.c:2074 rh_call_control drivers/usb/core/hcd.c:689 [inline] rh_urb_enqueue drivers/usb/core/hcd.c:846 [inline] usb_hcd_submit_urb+0x92f/0x20b0 drivers/usb/core/hcd.c:1650 usb_submit_urb+0x8b2/0x12c0 drivers/usb/core/urb.c:542 usb_start_wait_urb+0x148/0x5b0 drivers/usb/core/message.c:56 usb_internal_control_msg drivers/usb/core/message.c:100 [inline] usb_control_msg+0x341/0x4d0 drivers/usb/core/message.c:151 usb_clear_port_feature+0x74/0xa0 drivers/usb/core/hub.c:412 hub_port_disable+0x123/0x510 drivers/usb/core/hub.c:4177 hub_port_init+0x1ed/0x2940 drivers/usb/core/hub.c:4648 hub_port_connect drivers/usb/core/hub.c:4826 [inline] hub_port_connect_change drivers/usb/core/hub.c:4999 [inline] port_event drivers/usb/core/hub.c:5105 [inline] hub_event+0x1ae1/0x3d40 drivers/usb/core/hub.c:5185 process_one_work+0xc08/0x1bd0 kernel/workqueue.c:2097 process_scheduled_works kernel/workqueue.c:2157 [inline] worker_thread+0xb2b/0x1860 kernel/workqueue.c:2233 kthread+0x363/0x440 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:424
Allocated by task 9958: save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:513 set_track mm/kasan/kasan.c:525 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:617 kmem_cache_alloc_trace+0x87/0x280 mm/slub.c:2745 kmalloc include/linux/slab.h:492 [inline] kzalloc include/linux/slab.h:665 [inline] dev_new drivers/usb/gadget/legacy/inode.c:170 [inline] gadgetfs_fill_super+0x24f/0x540 drivers/usb/gadget/legacy/inode.c:1993 mount_single+0xf6/0x160 fs/super.c:1192 gadgetfs_mount+0x31/0x40 drivers/usb/gadget/legacy/inode.c:2019 mount_fs+0x9c/0x2d0 fs/super.c:1223 vfs_kern_mount.part.25+0xcb/0x490 fs/namespace.c:976 vfs_kern_mount fs/namespace.c:2509 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x41b/0x2d90 fs/namespace.c:2834 SYSC_mount fs/namespace.c:3050 [inline] SyS_mount+0xb0/0x120 fs/namespace.c:3027 entry_SYSCALL_64_fastpath+0x1f/0xbe
Freed by task 9960: save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:513 set_track mm/kasan/kasan.c:525 [inline] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:590 slab_free_hook mm/slub.c:1357 [inline] slab_free_freelist_hook mm/slub.c:1379 [inline] slab_free mm/slub.c:2961 [inline] kfree+0xed/0x2b0 mm/slub.c:3882 put_dev+0x124/0x160 drivers/usb/gadget/legacy/inode.c:163 gadgetfs_kill_sb+0x33/0x60 drivers/usb/gadget/legacy/inode.c:2027 deactivate_locked_super+0x8d/0xd0 fs/super.c:309 deactivate_super+0x21e/0x310 fs/super.c:340 cleanup_mnt+0xb7/0x150 fs/namespace.c:1112 __cleanup_mnt+0x1b/0x20 fs/namespace.c:1119 task_work_run+0x1a0/0x280 kernel/task_work.c:116 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x18a8/0x2820 kernel/exit.c:878 do_group_exit+0x14e/0x420 kernel/exit.c:982 get_signal+0x784/0x1780 kernel/signal.c:2318 do_signal+0xd7/0x2130 arch/x86/kernel/signal.c:808 exit_to_usermode_loop+0x1ac/0x240 arch/x86/entry/common.c:157 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] syscall_return_slowpath+0x3ba/0x410 arch/x86/entry/common.c:263 entry_SYSCALL_64_fastpath+0xbc/0xbe
The buggy address belongs to the object at ffff88003a2bdae0 which belongs to the cache kmalloc-1024 of size 1024 The buggy address is located 24 bytes inside of 1024-byte region [ffff88003a2bdae0, ffff88003a2bdee0) The buggy address belongs to the page: page:ffffea0000e8ae00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x100000000008100(slab|head) raw: 0100000000008100 0000000000000000 0000000000000000 0000000100170017 raw: ffffea0000ed3020 ffffea0000f5f820 ffff88003e80efc0 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff88003a2bd980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88003a2bda00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88003a2bda80: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb
^
ffff88003a2bdb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88003a2bdb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
What this means is that the gadgetfs_suspend() routine was trying to access dev->lock after it had been deallocated. The root cause is a race in the dummy_hcd driver; the dummy_udc_stop() routine can race with the rest of the driver because it contains no locking. And even when proper locking is added, it can still race with the set_link_state() function because that function incorrectly drops the private spinlock before invoking any gadget driver callbacks.
The result of this race, as seen above, is that set_link_state() can invoke a callback in gadgetfs even after gadgetfs has been unbound from dummy_hcd's UDC and its private data structures have been deallocated.
include/linux/usb/gadget.h documents that the ->reset, ->disconnect, ->suspend, and ->resume callbacks may be invoked in interrupt context. In general this is necessary, to prevent races with gadget driver removal. This patch fixes dummy_hcd to retain the spinlock across these calls, and it adds a spinlock acquisition to dummy_udc_stop() to prevent the race.
The net2280 driver makes the same mistake of dropping the private spinlock for its ->disconnect and ->reset callback invocations. The patch fixes it too.
Lastly, since gadgetfs_suspend() may be invoked in interrupt context, it cannot assume that interrupts are enabled when it runs. It must use spin_lock_irqsave() instead of spin_lock_irq(). The patch fixes that bug as well.
Signed-off-by: Alan Stern stern@rowland.harvard.edu Reported-and-tested-by: Andrey Konovalov andreyknvl@google.com Acked-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.2: - Drop changes in net2280 - Adjust filenames, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c @@ -1804,9 +1804,10 @@ static void gadgetfs_suspend (struct usb_gadget *gadget) { struct dev_data *dev = get_gadget_data (gadget); + unsigned long flags;
INFO (dev, "suspended from state %d\n", dev->state); - spin_lock (&dev->lock); + spin_lock_irqsave(&dev->lock, flags); switch (dev->state) { case STATE_DEV_SETUP: // VERY odd... host died?? case STATE_DEV_CONNECTED: @@ -1817,7 +1818,7 @@ gadgetfs_suspend (struct usb_gadget *gad default: break; } - spin_unlock (&dev->lock); + spin_unlock_irqrestore(&dev->lock, flags); }
static struct usb_gadget_driver gadgetfs_driver = { --- a/drivers/usb/gadget/dummy_hcd.c +++ b/drivers/usb/gadget/dummy_hcd.c @@ -374,20 +374,13 @@ static void set_link_state(struct dummy_ (dum_hcd->old_status & USB_PORT_STAT_RESET) == 0 && dum->driver) { stop_activity(dum); - spin_unlock(&dum->lock); dum->driver->disconnect(&dum->gadget); - spin_lock(&dum->lock); } } else if (dum_hcd->active != dum_hcd->old_active) { - if (dum_hcd->old_active && dum->driver->suspend) { - spin_unlock(&dum->lock); + if (dum_hcd->old_active && dum->driver->suspend) dum->driver->suspend(&dum->gadget); - spin_lock(&dum->lock); - } else if (!dum_hcd->old_active && dum->driver->resume) { - spin_unlock(&dum->lock); + else if (!dum_hcd->old_active && dum->driver->resume) dum->driver->resume(&dum->gadget); - spin_lock(&dum->lock); - } }
dum_hcd->old_status = dum_hcd->port_status; @@ -925,7 +918,9 @@ static int dummy_udc_stop(struct usb_gad dev_dbg (udc_dev(dum), "unregister gadget driver '%s'\n", driver->driver.name);
+ spin_lock_irq(&dum->lock); dum->driver = NULL; + spin_unlock_irq(&dum->lock);
return 0; }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Mätje Stefan.Maetje@esd.eu
commit 72d92e865d1560723e1957ee3f393688c49ca5bf upstream.
The dlc member of the struct rx_msg contains also the ESD_RTR flag to mark received RTR frames. Without the fix the can_dlc value for received RTR frames would always be set to 8 by get_can_dlc() instead of the received value.
Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") Signed-off-by: Stefan Mätje stefan.maetje@esd.eu Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/can/usb/esd_usb2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/usb/esd_usb2.c +++ b/drivers/net/can/usb/esd_usb2.c @@ -332,7 +332,7 @@ static void esd_usb2_rx_can_msg(struct e }
cf->can_id = id & ESD_IDMASK; - cf->can_dlc = get_can_dlc(msg->msg.rx.dlc); + cf->can_dlc = get_can_dlc(msg->msg.rx.dlc & ~ESD_RTR);
if (id & ESD_EXTID) cf->can_id |= CAN_EFF_FLAG;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long lucien.xin@gmail.com
commit f6fc6bc0b8e0bb13a210bd7386ffdcb1a5f30ef1 upstream.
These warnings were found by running 'make C=2 M=net/sctp/'.
Commit d4d6fb5787a6 ("sctp: Try not to change a_rwnd when faking a SACK from SHUTDOWN.") expected to use the peers old rwnd and add our flight size to the a_rwnd. But with the wrong Endian, it may not work as well as expected.
So fix it by converting to the right value.
Fixes: d4d6fb5787a6 ("sctp: Try not to change a_rwnd when faking a SACK from SHUTDOWN.") Reported-by: Eric Dumazet edumazet@google.com Signed-off-by: Xin Long lucien.xin@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/sctp/sm_sideeffect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/sctp/sm_sideeffect.c +++ b/net/sctp/sm_sideeffect.c @@ -1598,8 +1598,8 @@ static int sctp_cmd_interpreter(sctp_eve case SCTP_CMD_PROCESS_CTSN: /* Dummy up a SACK for processing. */ sackh.cum_tsn_ack = cmd->obj.be32; - sackh.a_rwnd = asoc->peer.rwnd + - asoc->outqueue.outstanding_bytes; + sackh.a_rwnd = htonl(asoc->peer.rwnd + + asoc->outqueue.outstanding_bytes); sackh.num_gap_ack_blocks = 0; sackh.num_dup_tsns = 0; sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_SACK,
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" mst@redhat.com
commit 3ea79249e81e5ed051f2e6480cbde896d99046e8 upstream.
Upon TUNSETSNDBUF, macvtap reads the requested sndbuf size into a local variable u. commit 39ec7de7092b ("macvtap: fix uninitialized access on TUNSETIFF") changed its type to u16 (which is the right thing to do for all other macvtap ioctls), breaking all values > 64k.
The value of TUNSETSNDBUF is actually a signed 32 bit integer, so the right thing to do is to read it into an int.
Cc: David S. Miller davem@davemloft.net Fixes: 39ec7de7092b ("macvtap: fix uninitialized access on TUNSETIFF") Reported-by: Mark A. Peloquin Bisected-by: Matthew Rosato mjrosato@linux.vnet.ibm.com Reported-by: Christian Borntraeger borntraeger@de.ibm.com Signed-off-by: Michael S. Tsirkin mst@redhat.com Tested-by: Matthew Rosato mjrosato@linux.vnet.ibm.com Acked-by: Christian Borntraeger borntraeger@de.ibm.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/macvtap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c @@ -951,10 +951,10 @@ static long macvtap_ioctl(struct file *f return 0;
case TUNSETSNDBUF: - if (get_user(u, up)) + if (get_user(s, sp)) return -EFAULT;
- q->sk.sk_sndbuf = u; + q->sk.sk_sndbuf = s; return 0;
case TUNGETVNETHDRSZ:
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit 5903f594935a3841137c86b9d5b75143a5b7121c upstream.
When pppol2tp_session_ioctl() is called by pppol2tp_tunnel_ioctl(), the session may be unconnected. That is, it was created by pppol2tp_session_create() and hasn't been connected with pppol2tp_connect(). In this case, ps->sock is NULL, so we need to check for this case in order to avoid dereferencing a NULL pointer.
Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/l2tp/l2tp_ppp.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -997,6 +997,9 @@ static int pppol2tp_session_ioctl(struct session->name, cmd, arg);
sk = ps->sock; + if (!sk) + return -EBADR; + sock_hold(sk);
switch (cmd) {
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Engel anen-nospam@gmx.net
commit c496ad835c31ad639b6865714270b3003df031f6 upstream.
Add the USB device id for the ELV TFD500 data logger.
Signed-off-by: Andreas Engel anen-nospam@gmx.net Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/cp210x.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -176,6 +176,7 @@ static const struct usb_device_id id_tab { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */ { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ + { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman mathias.nyman@linux.intel.com
commit 5a838a13c9b4e5dd188b7a6eaeb894e9358ead0c upstream.
xhci driver keeps a bus_state structure for each hcd (usb2 and usb3)
The structure is picked based on hcd speed, but driver only compared for HCD_USB3 speed, returning the wrong bus_state for HCD_USB31 hosts.
This caused null pointer dereference errors in bus_resume function.
Signed-off-by: Mathias Nyman mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/host/xhci.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1375,7 +1375,7 @@ struct xhci_bus_state {
static inline unsigned int hcd_index(struct usb_hcd *hcd) { - if (hcd->speed == HCD_USB3) + if (hcd->speed >= HCD_USB3) return 0; else return 1;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 99fee508245825765ff60155fed43f970ff83a8f upstream.
caiaq driver doesn't kill the URB properly at its error path during the probe, which may lead to a use-after-free error later. This patch addresses it.
Reported-by: Johan Hovold johan@kernel.org Reviewed-by: Johan Hovold johan@kernel.org Signed-off-by: Takashi Iwai tiwai@suse.de [bwh: Backported to 3.2: s/cdev/dev/g] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/usb/caiaq/device.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
--- a/sound/usb/caiaq/device.c +++ b/sound/usb/caiaq/device.c @@ -440,10 +440,12 @@ static int __devinit init_card(struct sn
err = snd_usb_caiaq_send_command(dev, EP1_CMD_GET_DEVICE_INFO, NULL, 0); if (err) - return err; + goto err_kill_urb;
- if (!wait_event_timeout(dev->ep1_wait_queue, dev->spec_received, HZ)) - return -ENODEV; + if (!wait_event_timeout(dev->ep1_wait_queue, dev->spec_received, HZ)) { + err = -ENODEV; + goto err_kill_urb; + }
usb_string(usb_dev, usb_dev->descriptor.iManufacturer, dev->vendor_name, CAIAQ_USB_STR_LEN); @@ -479,6 +481,10 @@ static int __devinit init_card(struct sn
setup_card(dev); return 0; + + err_kill_urb: + usb_kill_urb(&dev->ep1_in_urb); + return err; }
static int __devinit snd_probe(struct usb_interface *intf,
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit a3c18422a4b4e108bcf6a2328f48867e1003fd95 upstream.
Socket must be held while under the protection of the l2tp lock; there is no guarantee that sk remains valid after the read_unlock_bh() call.
Same issue for l2tp_ip and l2tp_ip6.
Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.2: - Drop changes in l2tp_ip6.c - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/net/l2tp/l2tp_ip.c +++ b/net/l2tp/l2tp_ip.c @@ -197,14 +197,15 @@ pass_up:
read_lock_bh(&l2tp_ip_lock); sk = __l2tp_ip_bind_lookup(&init_net, iph->daddr, 0, tunnel_id); + if (!sk) { + read_unlock_bh(&l2tp_ip_lock); + goto discard; + } + + sock_hold(sk); read_unlock_bh(&l2tp_ip_lock); }
- if (sk == NULL) - goto discard; - - sock_hold(sk); - if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) goto discard_put;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jim Dickerson jim.dickerson@hpe.com
commit 114ec3a6f9096d211a4aff4277793ba969a62c73 upstream.
Servers were emitting failed handoff messages but were not waiting the full 1 second as designated in section 4.22.1 of the eXtensible Host Controller Interface specifications. The handshake was using wrong units so calls were made with milliseconds not microseconds. Comments referenced 5 seconds not 1 second as in specs.
The wrong units were also corrected in a second handshake call.
Signed-off-by: Jim Dickerson jim.dickerson@hpe.com Signed-off-by: Mathias Nyman mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/host/pci-quirks.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/usb/host/pci-quirks.c +++ b/drivers/usb/host/pci-quirks.c @@ -866,7 +866,7 @@ EXPORT_SYMBOL_GPL(usb_disable_xhci_ports * * Takes care of the handoff between the Pre-OS (i.e. BIOS) and the OS. * It signals to the BIOS that the OS wants control of the host controller, - * and then waits 5 seconds for the BIOS to hand over control. + * and then waits 1 second for the BIOS to hand over control. * If we timeout, assume the BIOS is broken and take control anyway. */ static void __devinit quirk_usb_handoff_xhci(struct pci_dev *pdev) @@ -912,9 +912,9 @@ static void __devinit quirk_usb_handoff_ if (val & XHCI_HC_BIOS_OWNED) { writel(val | XHCI_HC_OS_OWNED, base + ext_cap_offset);
- /* Wait for 5 seconds with 10 microsecond polling interval */ + /* Wait for 1 second with 10 microsecond polling interval */ timeout = handshake(base + ext_cap_offset, XHCI_HC_BIOS_OWNED, - 0, 5000, 10); + 0, 1000000, 10);
/* Assume a buggy BIOS and take HC ownership anyway */ if (timeout) { @@ -942,7 +942,7 @@ hc_init: * operational or runtime registers. Wait 5 seconds and no more. */ timeout = handshake(op_reg_base + XHCI_STS_OFFSET, XHCI_STS_CNR, 0, - 5000, 10); + 5000000, 10); /* Assume a buggy HC and start HC initialization anyway */ if (timeout) { val = readl(op_reg_base + XHCI_STS_OFFSET);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 upstream.
we need to take care of failure exit as well - pages already in bio should be dropped by analogue of bio_unmap_pages(), since their refcounts had been bumped only once per reference in bio.
Signed-off-by: Al Viro viro@zeniv.linux.org.uk [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/bio.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
--- a/fs/bio.c +++ b/fs/bio.c @@ -976,6 +976,7 @@ static struct bio *__bio_map_user_iov(st struct bio *bio; int cur_page = 0; int ret, offset; + struct bio_vec *bvec;
for (i = 0; i < iov_count; i++) { unsigned long uaddr = (unsigned long)iov[i].iov_base; @@ -1019,7 +1020,12 @@ static struct bio *__bio_map_user_iov(st
ret = get_user_pages_fast(uaddr, local_nr_pages, write_to_vm, &pages[cur_page]); - if (ret < local_nr_pages) { + if (unlikely(ret < local_nr_pages)) { + for (j = cur_page; j < page_limit; j++) { + if (!pages[j]) + break; + put_page(pages[j]); + } ret = -EFAULT; goto out_unmap; } @@ -1074,10 +1080,8 @@ static struct bio *__bio_map_user_iov(st return bio;
out_unmap: - for (i = 0; i < nr_pages; i++) { - if(!pages[i]) - break; - page_cache_release(pages[i]); + bio_for_each_segment_all(bvec, bio, j) { + put_page(bvec->bv_page); } out: kfree(pages);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit d8ce38f69843a56da044e56b6c16aecfbc3c6e39 upstream.
Commit 3810e96056ff ("sh: modify pinmux for SH7757 2nd cut") renamed GPIO_PT[JLNQ]7 to GPIO_PT[JLNQ]7_RESV, and removed the existing users from the pinmux_pins[] array.
However, pinmux_pins[] is initialized through PINMUX_GPIO(), using designated array initializers, where the GPIO_* enums serve as indices. Hence entries were not really removed, but replaced by (zero-filled) holes. Such entries are treated as pin zero, which was registered before, thus leading to pinctrl registration failures, as seen on sh7722:
sh-pfc pfc-sh7722: pin 0 already registered sh-pfc pfc-sh7722: error during pin registration sh-pfc pfc-sh7722: could not register: -22 sh-pfc: probe of pfc-sh7722 failed with error -22
Remove GPIO_PT[JLNQ]7_RESV from the enum to fix this.
Link: http://lkml.kernel.org/r/1505205657-18012-3-git-send-email-geert+renesas@gli... Fixes: 3810e96056ffddf6 ("sh: modify pinmux for SH7757 2nd cut") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com Cc: Jacopo Mondi jacopo+renesas@jmondi.org Cc: Magnus Damm magnus.damm@gmail.com Cc: Rich Felker dalias@libc.org Cc: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Cc: Yoshinori Sato ysato@users.sourceforge.jp Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/sh/include/cpu-sh4/cpu/sh7757.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/sh/include/cpu-sh4/cpu/sh7757.h +++ b/arch/sh/include/cpu-sh4/cpu/sh7757.h @@ -40,7 +40,7 @@ enum {
/* PTJ */ GPIO_PTJ0, GPIO_PTJ1, GPIO_PTJ2, GPIO_PTJ3, - GPIO_PTJ4, GPIO_PTJ5, GPIO_PTJ6, GPIO_PTJ7_RESV, + GPIO_PTJ4, GPIO_PTJ5, GPIO_PTJ6,
/* PTK */ GPIO_PTK0, GPIO_PTK1, GPIO_PTK2, GPIO_PTK3, @@ -48,7 +48,7 @@ enum {
/* PTL */ GPIO_PTL0, GPIO_PTL1, GPIO_PTL2, GPIO_PTL3, - GPIO_PTL4, GPIO_PTL5, GPIO_PTL6, GPIO_PTL7_RESV, + GPIO_PTL4, GPIO_PTL5, GPIO_PTL6,
/* PTM */ GPIO_PTM0, GPIO_PTM1, GPIO_PTM2, GPIO_PTM3, @@ -56,7 +56,7 @@ enum {
/* PTN */ GPIO_PTN0, GPIO_PTN1, GPIO_PTN2, GPIO_PTN3, - GPIO_PTN4, GPIO_PTN5, GPIO_PTN6, GPIO_PTN7_RESV, + GPIO_PTN4, GPIO_PTN5, GPIO_PTN6,
/* PTO */ GPIO_PTO0, GPIO_PTO1, GPIO_PTO2, GPIO_PTO3, @@ -68,7 +68,7 @@ enum {
/* PTQ */ GPIO_PTQ0, GPIO_PTQ1, GPIO_PTQ2, GPIO_PTQ3, - GPIO_PTQ4, GPIO_PTQ5, GPIO_PTQ6, GPIO_PTQ7_RESV, + GPIO_PTQ4, GPIO_PTQ5, GPIO_PTQ6,
/* PTR */ GPIO_PTR0, GPIO_PTR1, GPIO_PTR2, GPIO_PTR3,
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern stern@rowland.harvard.edu
commit 6e76c01e71551cb221c1f3deacb9dcd9a7346784 upstream.
The gadgetfs driver as a long-outstanding FIXME, regarding a call of copy_to_user() made while holding a spinlock. This patch fixes the issue by dropping the spinlock and using the dev->udc_usage mechanism introduced by another recent patch to guard against status changes while the lock isn't held.
Signed-off-by: Alan Stern stern@rowland.harvard.edu Reported-by: Andrey Konovalov andreyknvl@google.com Acked-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/gadget/inode.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c @@ -1054,11 +1054,14 @@ ep0_read (struct file *fd, char __user * retval = -EIO; else { len = min (len, (size_t)dev->req->actual); -// FIXME don't call this with the spinlock held ... + ++dev->udc_usage; + spin_unlock_irq(&dev->lock); if (copy_to_user (buf, dev->req->buf, len)) retval = -EFAULT; else retval = len; + spin_lock_irq(&dev->lock); + --dev->udc_usage; clean_req (dev->gadget->ep0, dev->req); /* NOTE userspace can't yet choose to stall */ }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oswald Buddenhagen oswald.buddenhagen@gmx.de
commit b084116f8587b222a2c5ef6dcd846f40f24b9420 upstream.
Without UPF_FIXED_TYPE, the data from the PORT_AR7 uart_config entry is never copied, resulting in a dead port.
Fixes: 154615d55459 ("MIPS: AR7: Use correct UART port type") Signed-off-by: Oswald Buddenhagen oswald.buddenhagen@gmx.de [jonas.gorski: add Fixes tag] Signed-off-by: Jonas Gorski jonas.gorski@gmail.com Reviewed-by: Florian Fainelli f.fainelli@gmail.com Cc: Ralf Baechle ralf@linux-mips.org Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Yoshihiro YUNOMAE yoshihiro.yunomae.ez@hitachi.com Cc: Nicolas Schichan nschichan@freebox.fr Cc: Oswald Buddenhagen oswald.buddenhagen@gmx.de Cc: linux-mips@linux-mips.org Cc: linux-serial@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/17543/ Signed-off-by: James Hogan jhogan@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/ar7/platform.c | 1 + 1 file changed, 1 insertion(+)
--- a/arch/mips/ar7/platform.c +++ b/arch/mips/ar7/platform.c @@ -541,6 +541,7 @@ static int __init ar7_register_uarts(voi uart_port.type = PORT_AR7; uart_port.uartclk = clk_get_rate(bus_clk) / 2; uart_port.iotype = UPIO_MEM32; + uart_port.flags = UPF_FIXED_TYPE; uart_port.regshift = 2;
uart_port.line = 0;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kazuya Mizuguchi kazuya.mizuguchi.ks@renesas.com
commit 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 upstream.
The DREQE bit of the DnFIFOSEL should be set to 1 after the DE bit of USB-DMAC on R-Car SoCs is set to 1 after the USB-DMAC received a zero-length packet. Otherwise, a transfer completion interruption of USB-DMAC doesn't happen. Even if the driver changes the sequence, normal operations (transmit/receive without zero-length packet) will not cause any side-effects. So, this patch fixes the sequence anyway.
Signed-off-by: Kazuya Mizuguchi kazuya.mizuguchi.ks@renesas.com [shimoda: revise the commit log] Fixes: e73a9891b3a1 ("usb: renesas_usbhs: add DMAEngine support") Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/renesas_usbhs/fifo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/renesas_usbhs/fifo.c +++ b/drivers/usb/renesas_usbhs/fifo.c @@ -817,8 +817,8 @@ static void usbhsf_dma_prepare_tasklet(u dev_dbg(dev, " %s %d (%d/ %d)\n", fifo->name, usbhs_pipe_number(pipe), pkt->length, pkt->zero);
- usbhsf_dma_start(pipe, fifo); dma_async_issue_pending(chan); + usbhsf_dma_start(pipe, fifo);
xfer_work_end: usbhs_unlock(priv, flags);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Gerald Schaefer gerald.schaefer@de.ibm.com
commit ba385c0594e723d41790ecfb12c610e6f90c7785 upstream.
The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the wrong way around. It must not be set for write==1, and not be checked for write==0. Fix this similar to how it was fixed for ptes long time ago in commit 25591b070336 ("[S390] fix get_user_pages_fast").
One impact of this bug would be unnecessarily using the gup slow path for write==0 on r/w mappings. A potentially more severe impact would be that gup_huge_pmd() will succeed for write==1 on r/o mappings.
Signed-off-by: Gerald Schaefer gerald.schaefer@de.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com [bwh: Backported to 3.2: - Segment flag names are different - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/s390/mm/gup.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
--- a/arch/s390/mm/gup.c +++ b/arch/s390/mm/gup.c @@ -51,13 +51,12 @@ static inline int gup_pte_range(pmd_t *p static inline int gup_huge_pmd(pmd_t *pmdp, pmd_t pmd, unsigned long addr, unsigned long end, int write, struct page **pages, int *nr) { - unsigned long mask, result; struct page *head, *page, *tail; + unsigned long mask; int refs;
- result = write ? 0 : _SEGMENT_ENTRY_RO; - mask = result | _SEGMENT_ENTRY_INV; - if ((pmd_val(pmd) & mask) != result) + mask = (write ? _SEGMENT_ENTRY_RO : 0) | _SEGMENT_ENTRY_INV; + if ((pmd_val(pmd) & mask) != 0) return 0; VM_BUG_ON(!pfn_valid(pmd_val(pmd) >> PAGE_SHIFT));
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Honig ahonig@google.com
commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream.
This fixes CVE-2017-1000407.
KVM allows guests to directly access I/O port 0x80 on Intel hosts. If the guest floods this port with writes it generates exceptions and instability in the host kernel, leading to a crash. With this change guest writes to port 0x80 on Intel will behave the same as they currently behave on AMD systems.
Prevent the flooding by removing the code that sets port 0x80 as a passthrough port. This is essentially the same as upstream patch 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was for AMD chipsets and this patch is for Intel.
Signed-off-by: Andrew Honig ahonig@google.com Signed-off-by: Jim Mattson jmattson@google.com Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs") Signed-off-by: Radim Krčmář rkrcmar@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/kvm/vmx.c | 5 ----- 1 file changed, 5 deletions(-)
--- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -7285,12 +7285,7 @@ static int __init vmx_init(void) goto out2; }
- /* - * Allow direct access to the PC debug port (it is often used for I/O - * delays, but the vmexits simply slow things down). - */ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE); - clear_bit(0x80, vmx_io_bitmap_a);
memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com
commit 0a2ce62b61f2c76d0213edf4e37aaf54a8ddf295 upstream.
This patch fixes an issue that the usbhsf_fifo_clear() is possible to cause 10 msec delay if the pipe is RX direction and empty because the FRDY bit will never be set to 1 in such case.
Fixes: e8d548d54968 ("usb: renesas_usbhs: fifo became independent from pipe.") Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/renesas_usbhs/fifo.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/usb/renesas_usbhs/fifo.c +++ b/drivers/usb/renesas_usbhs/fifo.c @@ -263,8 +263,17 @@ static void usbhsf_fifo_clear(struct usb struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); int ret = 0;
- if (!usbhs_pipe_is_dcp(pipe)) - ret = usbhsf_fifo_barrier(priv, fifo); + if (!usbhs_pipe_is_dcp(pipe)) { + /* + * This driver checks the pipe condition first to avoid -EBUSY + * from usbhsf_fifo_barrier() with about 10 msec delay in + * the interrupt handler if the pipe is RX direction and empty. + */ + if (usbhs_pipe_is_dir_in(pipe)) + ret = usbhs_pipe_is_accessible(pipe); + if (!ret) + ret = usbhsf_fifo_barrier(priv, fifo); + }
/* * if non-DCP pipe, this driver should set BCLR when
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 9984d1b5835ca29fc7025186a891ee7398d21cc7 upstream.
In order to make the open/close more robust, widen the register_mutex protection over the whole snd_timer_close() function. Also, the close procedure is slightly shuffled to be in the safer order, as well as a few code refactoring.
Signed-off-by: Takashi Iwai tiwai@suse.de [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/timer.c | 48 +++++++++++++++++++++--------------------------- 1 file changed, 21 insertions(+), 27 deletions(-)
--- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -326,25 +326,14 @@ int snd_timer_close(struct snd_timer_ins if (snd_BUG_ON(!timeri)) return -ENXIO;
+ mutex_lock(®ister_mutex); + list_del(&timeri->open_list); + /* force to stop the timer */ snd_timer_stop(timeri);
- if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) { - /* wait, until the active callback is finished */ - spin_lock_irq(&slave_active_lock); - while (timeri->flags & SNDRV_TIMER_IFLG_CALLBACK) { - spin_unlock_irq(&slave_active_lock); - udelay(10); - spin_lock_irq(&slave_active_lock); - } - spin_unlock_irq(&slave_active_lock); - mutex_lock(®ister_mutex); - list_del(&timeri->open_list); - mutex_unlock(®ister_mutex); - } else { - timer = timeri->timer; - if (snd_BUG_ON(!timer)) - goto out; + timer = timeri->timer; + if (timer) { /* wait, until the active callback is finished */ spin_lock_irq(&timer->lock); while (timeri->flags & SNDRV_TIMER_IFLG_CALLBACK) { @@ -353,11 +342,7 @@ int snd_timer_close(struct snd_timer_ins spin_lock_irq(&timer->lock); } spin_unlock_irq(&timer->lock); - mutex_lock(®ister_mutex); - list_del(&timeri->open_list); - if (list_empty(&timer->open_list_head) && - timer->hw.close) - timer->hw.close(timer); + /* remove slave links */ spin_lock_irq(&slave_active_lock); spin_lock(&timer->lock); @@ -371,15 +356,24 @@ int snd_timer_close(struct snd_timer_ins } spin_unlock(&timer->lock); spin_unlock_irq(&slave_active_lock); - mutex_unlock(®ister_mutex); + + /* slave doesn't need to release timer resources below */ + if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) + timer = NULL; } - out: + if (timeri->private_free) timeri->private_free(timeri); kfree(timeri->owner); kfree(timeri); - if (timer) + + if (timer) { + if (list_empty(&timer->open_list_head) && timer->hw.close) + timer->hw.close(timer); module_put(timer->module); + } + + mutex_unlock(®ister_mutex); return 0; }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 7fc0786d956d9e59b68d282be9b156179846ea3d upstream.
In keyctl_read_key(), if key_permission() were to return an error code other than EACCES, we would leak a the reference to the key. This can't actually happen currently because key_permission() can only return an error code other than EACCES if security_key_permission() does, only SELinux and Smack implement that hook, and neither can return an error code other than EACCES. But it should still be fixed, as it is a bug waiting to happen.
Fixes: 29db91906340 ("[PATCH] Keys: Add LSM hooks for key management [try #3]") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- security/keys/keyctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -684,7 +684,7 @@ long keyctl_read_key(key_serial_t keyid, if (ret == 0) goto can_read_key; if (ret != -EACCES) - goto error; + goto error2;
/* we can't; see if it's searchable from this process's keyrings * - we automatically take account of the fact that it may be
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit 13ffe9a26df4e156363579b25c904dd0b1e31bfb upstream.
The current shift of st->rx[2] left shifts a u8 24 bits left, promotes the integer to a an int and then to a unsigned u64. If the top bit of st->rx[2] is set then we end up with all the upper bits being set to 1. Fix this by casting st->rx[2] to a u64 before the 24 bit left shift.
Detected by CoverityScan CID#144940 ("Unintended sign extension")
Fixes: 2919fa54ef64 ("staging: iio: meter: new driver for ADE7759 devices") Signed-off-by: Colin Ian King colin.king@canonical.com Signed-off-by: Jonathan Cameron Jonathan.Cameron@huawei.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/iio/meter/ade7759.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/iio/meter/ade7759.c +++ b/drivers/staging/iio/meter/ade7759.c @@ -128,7 +128,7 @@ static int ade7759_spi_read_reg_40(struc reg_address); goto error_ret; } - *val = ((u64)st->rx[1] << 32) | (st->rx[2] << 24) | + *val = ((u64)st->rx[1] << 32) | ((u64)st->rx[2] << 24) | (st->rx[3] << 16) | (st->rx[4] << 8) | st->rx[5];
error_ret:
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit ecaaab5649781c5a0effdaf298a925063020500e upstream.
When asked to encrypt or decrypt 0 bytes, both the generic and x86 implementations of Salsa20 crash in blkcipher_walk_done(), either when doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)', because walk->buffer and walk->page have not been initialized.
The bug is that Salsa20 is calling blkcipher_walk_done() even when nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to be called when a nonzero number of bytes have been provided.
The broken code is part of an optimization that tries to make only one call to salsa20_encrypt_bytes() to process inputs that are not evenly divisible by 64 bytes. To fix the bug, just remove this "optimization" and use the blkcipher_walk API the same way all the other users do.
Reproducer:
#include <linux/if_alg.h> #include <sys/socket.h> #include <unistd.h>
int main() { int algfd, reqfd; struct sockaddr_alg addr = { .salg_type = "skcipher", .salg_name = "salsa20", }; char key[16] = { 0 };
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0); bind(algfd, (void *)&addr, sizeof(addr)); reqfd = accept(algfd, 0, 0); setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key)); read(reqfd, key, sizeof(key)); }
Reported-by: syzbot syzkaller@googlegroups.com Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/crypto/salsa20_glue.c | 7 ------- crypto/salsa20_generic.c | 7 ------- 2 files changed, 14 deletions(-)
--- a/arch/x86/crypto/salsa20_glue.c +++ b/arch/x86/crypto/salsa20_glue.c @@ -64,13 +64,6 @@ static int encrypt(struct blkcipher_desc
salsa20_ivsetup(ctx, walk.iv);
- if (likely(walk.nbytes == nbytes)) - { - salsa20_encrypt_bytes(ctx, walk.src.virt.addr, - walk.dst.virt.addr, nbytes); - return blkcipher_walk_done(desc, &walk, 0); - } - while (walk.nbytes >= 64) { salsa20_encrypt_bytes(ctx, walk.src.virt.addr, walk.dst.virt.addr, --- a/crypto/salsa20_generic.c +++ b/crypto/salsa20_generic.c @@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc
salsa20_ivsetup(ctx, walk.iv);
- if (likely(walk.nbytes == nbytes)) - { - salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, - walk.src.virt.addr, nbytes); - return blkcipher_walk_done(desc, &walk, 0); - } - while (walk.nbytes >= 64) { salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, walk.src.virt.addr,
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Konovalov andreyknvl@google.com
commit bbf26183b7a6236ba602f4d6a2f7cade35bba043 upstream.
uwbd_start() calls kthread_run() and checks that the return value is not NULL. But the return value is not NULL in case kthread_run() fails, it takes the form of ERR_PTR(-EINTR).
Use IS_ERR() instead.
Also add a check to uwbd_stop().
Signed-off-by: Andrey Konovalov andreyknvl@google.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/uwb/uwbd.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/uwb/uwbd.c +++ b/drivers/uwb/uwbd.c @@ -303,18 +303,22 @@ static int uwbd(void *param) /** Start the UWB daemon */ void uwbd_start(struct uwb_rc *rc) { - rc->uwbd.task = kthread_run(uwbd, rc, "uwbd"); - if (rc->uwbd.task == NULL) + struct task_struct *task = kthread_run(uwbd, rc, "uwbd"); + if (IS_ERR(task)) { + rc->uwbd.task = NULL; printk(KERN_ERR "UWB: Cannot start management daemon; " "UWB won't work\n"); - else + } else { + rc->uwbd.task = task; rc->uwbd.pid = rc->uwbd.task->pid; + } }
/* Stop the UWB daemon and free any unprocessed events */ void uwbd_stop(struct uwb_rc *rc) { - kthread_stop(rc->uwbd.task); + if (rc->uwbd.task) + kthread_stop(rc->uwbd.task); uwbd_flush(rc); }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Felipe Balbi felipe.balbi@linux.intel.com
commit 2811501e6d8f5747d08f8e25b9ecf472d0dc4c7d upstream.
This keyboard doesn't implement Get String descriptors properly even though string indexes are valid. What happens is that when requesting for the String descriptor, the device disconnects and reconnects. Without this quirk, this loop will continue forever.
Cc: Alan Stern stern@rowland.harvard.edu Reported-by: Владимир Мартьянов vilgeforce@gmail.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/core/quirks.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -205,6 +205,10 @@ static const struct usb_device_id usb_qu /* Corsair Strafe RGB */ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* MIDI keyboard WORLDE MINI */ + { USB_DEVICE(0x1c75, 0x0204), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, + { } /* terminating entry must be last */ };
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: LEROY Christophe christophe.leroy@c-s.fr
commit afd62fa26343be6445479e75de9f07092a061459 upstream.
Kernel crypto tests report the following error at startup
[ 2.752626] alg: hash: Test 4 failed for sha224-talitos [ 2.757907] 00000000: 30 e2 86 e2 e7 8a dd 0d d7 eb 9f d5 83 fe f1 b0 00000010: 2d 5a 6c a5 f9 55 ea fd 0e 72 05 22
This patch fixes it
Signed-off-by: Christophe Leroy christophe.leroy@c-s.fr Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/crypto/talitos.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/crypto/talitos.c +++ b/drivers/crypto/talitos.c @@ -1632,9 +1632,9 @@ static int common_nonsnoop_hash(struct t req_ctx->swinit = 0; } else { desc->ptr[1] = zero_entry; - /* Indicate next op is not the first. */ - req_ctx->first = 0; } + /* Indicate next op is not the first. */ + req_ctx->first = 0;
/* HMAC key */ if (ctx->keylen)
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit 96c26653ce65bf84f3212f8b00d4316c1efcbf4c upstream.
... rather than relying on ciptool(8) never passing it anything else. Give it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops, trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Marcel Holtmann marcel@holtmann.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/bluetooth/cmtp/core.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/net/bluetooth/cmtp/core.c +++ b/net/bluetooth/cmtp/core.c @@ -336,6 +336,9 @@ int cmtp_add_connection(struct cmtp_conn
BT_DBG("");
+ if (!l2cap_is_socket(sock)) + return -EBADFD; + session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL); if (!session) return -ENOMEM;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern stern@rowland.harvard.edu
commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.
A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.
This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.
Signed-off-by: Alan Stern stern@rowland.harvard.edu Reported-by: Andrey Konovalov andreyknvl@google.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/core/config.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -521,6 +521,9 @@ static int usb_parse_configuration(struc unsigned iad_num = 0;
memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); + nintf = nintf_orig = config->desc.bNumInterfaces; + config->desc.bNumInterfaces = 0; // Adjusted later + if (config->desc.bDescriptorType != USB_DT_CONFIG || config->desc.bLength < USB_DT_CONFIG_SIZE || config->desc.bLength > size) { @@ -534,7 +537,6 @@ static int usb_parse_configuration(struc buffer += config->desc.bLength; size -= config->desc.bLength;
- nintf = nintf_orig = config->desc.bNumInterfaces; if (nintf > USB_MAXINTERFACES) { dev_warn(ddev, "config %d has too many interfaces: %d, " "using maximum allowed: %d\n",
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit 8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09 upstream.
Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:
* It doesn't take a reference on the returned tunnel, which makes the call racy wrt. concurrent tunnel deletion.
* The lookup is only based on the tunnel identifier, so it can return a tunnel that doesn't match the packet's addresses or protocol.
For example, a packet sent to an L2TPv3 over IPv6 tunnel can be delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple cross-talk: when delivering the packet to an L2TP over UDP tunnel, the corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling sk_receive_skb() will then crash the kernel by trying to execute this callback.
And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup() properly checks the socket binding and connection settings. It was used as a fallback mechanism for finding tunnels that didn't have their data path registered yet. But it's not limited to this case and can be used to replace l2tp_tunnel_find() in the general case.
Fix l2tp_ip6 in the same way.
Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support") Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.2: - Always look up in init_net - Drop changes in l2tp_ip6.c - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/net/l2tp/l2tp_ip.c +++ b/net/l2tp/l2tp_ip.c @@ -127,6 +127,7 @@ static int l2tp_ip_recv(struct sk_buff * unsigned char *ptr, *optr; struct l2tp_session *session; struct l2tp_tunnel *tunnel = NULL; + struct iphdr *iph; int length; int offset;
@@ -189,23 +190,16 @@ pass_up: goto discard;
tunnel_id = ntohl(*(__be32 *) &skb->data[4]); - tunnel = l2tp_tunnel_find(&init_net, tunnel_id); - if (tunnel) { - sk = tunnel->sock; - sock_hold(sk); - } else { - struct iphdr *iph = (struct iphdr *) skb_network_header(skb); - - read_lock_bh(&l2tp_ip_lock); - sk = __l2tp_ip_bind_lookup(&init_net, iph->daddr, 0, tunnel_id); - if (!sk) { - read_unlock_bh(&l2tp_ip_lock); - goto discard; - } + iph = (struct iphdr *)skb_network_header(skb);
- sock_hold(sk); + read_lock_bh(&l2tp_ip_lock); + sk = __l2tp_ip_bind_lookup(&init_net, iph->daddr, 0, tunnel_id); + if (!sk) { read_unlock_bh(&l2tp_ip_lock); + goto discard; } + sock_hold(sk); + read_unlock_bh(&l2tp_ip_lock);
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) goto discard_put;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern stern@rowland.harvard.edu
commit ab219221a5064abfff9f78c323c4a257b16cdb81 upstream.
The dummy-hcd driver calls the gadget driver's disconnect callback under the wrong conditions. It should invoke the callback when Vbus power is turned off, but instead it does so when the D+ pullup is turned off.
This can cause a deadlock in the composite core when a gadget driver is unregistered:
[ 88.361471] ============================================ [ 88.362014] WARNING: possible recursive locking detected [ 88.362580] 4.14.0-rc2+ #9 Not tainted [ 88.363010] -------------------------------------------- [ 88.363561] v4l_id/526 is trying to acquire lock: [ 88.364062] (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547e03>] composite_disconnect+0x43/0x100 [libcomposite] [ 88.365051] [ 88.365051] but task is already holding lock: [ 88.365826] (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite] [ 88.366858] [ 88.366858] other info that might help us debug this: [ 88.368301] Possible unsafe locking scenario: [ 88.368301] [ 88.369304] CPU0 [ 88.369701] ---- [ 88.370101] lock(&(&cdev->lock)->rlock); [ 88.370623] lock(&(&cdev->lock)->rlock); [ 88.371145] [ 88.371145] *** DEADLOCK *** [ 88.371145] [ 88.372211] May be due to missing lock nesting notation [ 88.372211] [ 88.373191] 2 locks held by v4l_id/526: [ 88.373715] #0: (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite] [ 88.374814] #1: (&(&dum_hcd->dum->lock)->rlock){....}, at: [<ffffffffa05bd48d>] dummy_pullup+0x7d/0xf0 [dummy_hcd] [ 88.376289] [ 88.376289] stack backtrace: [ 88.377726] CPU: 0 PID: 526 Comm: v4l_id Not tainted 4.14.0-rc2+ #9 [ 88.378557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 [ 88.379504] Call Trace: [ 88.380019] dump_stack+0x86/0xc7 [ 88.380605] __lock_acquire+0x841/0x1120 [ 88.381252] lock_acquire+0xd5/0x1c0 [ 88.381865] ? composite_disconnect+0x43/0x100 [libcomposite] [ 88.382668] _raw_spin_lock_irqsave+0x40/0x54 [ 88.383357] ? composite_disconnect+0x43/0x100 [libcomposite] [ 88.384290] composite_disconnect+0x43/0x100 [libcomposite] [ 88.385490] set_link_state+0x2d4/0x3c0 [dummy_hcd] [ 88.386436] dummy_pullup+0xa7/0xf0 [dummy_hcd] [ 88.387195] usb_gadget_disconnect+0xd8/0x160 [udc_core] [ 88.387990] usb_gadget_deactivate+0xd3/0x160 [udc_core] [ 88.388793] usb_function_deactivate+0x64/0x80 [libcomposite] [ 88.389628] uvc_function_disconnect+0x1e/0x40 [usb_f_uvc]
This patch changes the code to test the port-power status bit rather than the port-connect status bit when deciding whether to isue the callback.
Signed-off-by: Alan Stern stern@rowland.harvard.edu Reported-by: David Tulloh david@tulloh.id.au Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/usb/gadget/dummy_hcd.c +++ b/drivers/usb/gadget/dummy_hcd.c @@ -350,6 +350,7 @@ static void set_link_state_by_speed(stru static void set_link_state(struct dummy_hcd *dum_hcd) { struct dummy *dum = dum_hcd->dum; + unsigned int power_bit;
dum_hcd->active = 0; if (dum->pullup) @@ -360,19 +361,21 @@ static void set_link_state(struct dummy_ return;
set_link_state_by_speed(dum_hcd); + power_bit = (dummy_hcd_to_hcd(dum_hcd)->speed == HCD_USB3 ? + USB_SS_PORT_STAT_POWER : USB_PORT_STAT_POWER);
if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) == 0 || dum_hcd->active) dum_hcd->resuming = 0;
/* if !connected or reset */ - if ((dum_hcd->port_status & USB_PORT_STAT_CONNECTION) == 0 || + if ((dum_hcd->port_status & power_bit) == 0 || (dum_hcd->port_status & USB_PORT_STAT_RESET) != 0) { /* * We're connected and not reset (reset occurred now), * and driver attached - disconnect! */ - if ((dum_hcd->old_status & USB_PORT_STAT_CONNECTION) != 0 && + if ((dum_hcd->old_status & power_bit) != 0 && (dum_hcd->old_status & USB_PORT_STAT_RESET) == 0 && dum->ints_enabled) { stop_activity(dum);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Boqun Feng boqun.feng@gmail.com
commit a2b7861bb33b2538420bb5d8554153484d3f961f upstream.
Currently, in PREEMPT_COUNT=n kernel, kvm_async_pf_task_wait() could call schedule() to reschedule in some cases. This could result in accidentally ending the current RCU read-side critical section early, causing random memory corruption in the guest, or otherwise preempting the currently running task inside between preempt_disable and preempt_enable.
The difficulty to handle this well is because we don't know whether an async PF delivered in a preemptible section or RCU read-side critical section for PREEMPT_COUNT=n, since preempt_disable()/enable() and rcu_read_lock/unlock() are both no-ops in that case.
To cure this, we treat any async PF interrupting a kernel context as one that cannot be preempted, preventing kvm_async_pf_task_wait() from choosing the schedule() path in that case.
To do so, a second parameter for kvm_async_pf_task_wait() is introduced, so that we know whether it's called from a context interrupting the kernel, and the parameter is set properly in all the callsites.
Cc: "Paul E. McKenney" paulmck@linux.vnet.ibm.com Cc: Peter Zijlstra peterz@infradead.org Cc: Wanpeng Li wanpeng.li@hotmail.com Signed-off-by: Boqun Feng boqun.feng@gmail.com Signed-off-by: Radim Krčmář rkrcmar@redhat.com [bwh: Backported to 3.2: - Use user_mode_vm() as equivalent to upstream user_mode() - Adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/include/asm/kvm_para.h | 4 ++-- arch/x86/kernel/kvm.c | 14 ++++++++++---- arch/x86/kvm/svm.c | 2 +- 3 files changed, 13 insertions(+), 7 deletions(-)
--- a/arch/x86/include/asm/kvm_para.h +++ b/arch/x86/include/asm/kvm_para.h @@ -195,13 +195,13 @@ static inline unsigned int kvm_arch_para
#ifdef CONFIG_KVM_GUEST void __init kvm_guest_init(void); -void kvm_async_pf_task_wait(u32 token); +void kvm_async_pf_task_wait(u32 token, int interrupt_kernel); void kvm_async_pf_task_wake(u32 token); u32 kvm_read_and_reset_pf_reason(void); extern void kvm_disable_steal_time(void); #else #define kvm_guest_init() do { } while (0) -#define kvm_async_pf_task_wait(T) do {} while(0) +#define kvm_async_pf_task_wait(T, I) do {} while(0) #define kvm_async_pf_task_wake(T) do {} while(0) static inline u32 kvm_read_and_reset_pf_reason(void) { --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -113,7 +113,11 @@ static struct kvm_task_sleep_node *_find return NULL; }
-void kvm_async_pf_task_wait(u32 token) +/* + * @interrupt_kernel: Is this called from a routine which interrupts the kernel + * (other than user space)? + */ +void kvm_async_pf_task_wait(u32 token, int interrupt_kernel) { u32 key = hash_32(token, KVM_TASK_SLEEP_HASHBITS); struct kvm_task_sleep_head *b = &async_pf_sleepers[key]; @@ -137,8 +141,10 @@ void kvm_async_pf_task_wait(u32 token)
n.token = token; n.cpu = smp_processor_id(); - n.halted = idle || preempt_count() > 1 || - rcu_preempt_depth(); + n.halted = idle || + (IS_ENABLED(CONFIG_PREEMPT_COUNT) + ? preempt_count() > 1 || rcu_preempt_depth() + : interrupt_kernel); init_waitqueue_head(&n.wq); hlist_add_head(&n.link, &b->list); spin_unlock(&b->lock); @@ -257,7 +263,7 @@ do_async_page_fault(struct pt_regs *regs break; case KVM_PV_REASON_PAGE_NOT_PRESENT: /* page is swapped out by the host. */ - kvm_async_pf_task_wait((u32)read_cr2()); + kvm_async_pf_task_wait((u32)read_cr2(), !user_mode_vm(regs)); break; case KVM_PV_REASON_PAGE_READY: kvm_async_pf_task_wake((u32)read_cr2()); --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -1620,7 +1620,7 @@ static int pf_interception(struct vcpu_s case KVM_PV_REASON_PAGE_NOT_PRESENT: svm->apf_reason = 0; local_irq_disable(); - kvm_async_pf_task_wait(fault_address); + kvm_async_pf_task_wait(fault_address, 0); local_irq_enable(); break; case KVM_PV_REASON_PAGE_READY:
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Zhao ethan.zhao@oracle.com
commit 5ccba44ba118a5000cccc50076b0344632459779 upstream.
System will hang if user set sysctl_sched_time_avg to 0:
[root@XXX ~]# sysctl kernel.sched_time_avg_ms=0
Stack traceback for pid 0 0xffff883f6406c600 0 0 1 3 R 0xffff883f6406cf50 *swapper/3 ffff883f7ccc3ae8 0000000000000018 ffffffff810c4dd0 0000000000000000 0000000000017800 ffff883f7ccc3d78 0000000000000003 ffff883f7ccc3bf8 ffffffff810c4fc9 ffff883f7ccc3c08 00000000810c5043 ffff883f7ccc3c08 Call Trace: <IRQ> [<ffffffff810c4dd0>] ? update_group_capacity+0x110/0x200 [<ffffffff810c4fc9>] ? update_sd_lb_stats+0x109/0x600 [<ffffffff810c5507>] ? find_busiest_group+0x47/0x530 [<ffffffff810c5b84>] ? load_balance+0x194/0x900 [<ffffffff810ad5ca>] ? update_rq_clock.part.83+0x1a/0xe0 [<ffffffff810c6d42>] ? rebalance_domains+0x152/0x290 [<ffffffff810c6f5c>] ? run_rebalance_domains+0xdc/0x1d0 [<ffffffff8108a75b>] ? __do_softirq+0xfb/0x320 [<ffffffff8108ac85>] ? irq_exit+0x125/0x130 [<ffffffff810b3a17>] ? scheduler_ipi+0x97/0x160 [<ffffffff81052709>] ? smp_reschedule_interrupt+0x29/0x30 [<ffffffff8173a1be>] ? reschedule_interrupt+0x6e/0x80 <EOI> [<ffffffff815bc83c>] ? cpuidle_enter_state+0xcc/0x230 [<ffffffff815bc80c>] ? cpuidle_enter_state+0x9c/0x230 [<ffffffff815bc9d7>] ? cpuidle_enter+0x17/0x20 [<ffffffff810cd6dc>] ? cpu_startup_entry+0x38c/0x420 [<ffffffff81053373>] ? start_secondary+0x173/0x1e0
Because divide-by-zero error happens in function:
update_group_capacity() update_cpu_capacity() scale_rt_capacity() { ... total = sched_avg_period() + delta; used = div_u64(avg, total); ... }
To fix this issue, check user input value of sysctl_sched_time_avg, keep it unchanged when hitting invalid input, and set the minimum limit of sysctl_sched_time_avg to 1 ms.
Reported-by: James Puthukattukaran james.puthukattukaran@oracle.com Signed-off-by: Ethan Zhao ethan.zhao@oracle.com Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Cc: efault@gmx.de Cc: ethan.kernel@gmail.com Cc: keescook@chromium.org Cc: mcgrof@kernel.org Link: http://lkml.kernel.org/r/1504504774-18253-1-git-send-email-ethan.zhao@oracle... Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/sysctl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -329,7 +329,8 @@ static struct ctl_table kern_table[] = { .data = &sysctl_sched_time_avg, .maxlen = sizeof(unsigned int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = &one, }, { .procname = "sched_shares_window",
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Boqun Feng boqun.feng@gmail.com
commit b862789aa5186d5ea3a024b7cfe0f80c3a38b980 upstream.
Sasha Levin reported a WARNING:
| WARNING: CPU: 0 PID: 6974 at kernel/rcu/tree_plugin.h:329 | rcu_preempt_note_context_switch kernel/rcu/tree_plugin.h:329 [inline] | WARNING: CPU: 0 PID: 6974 at kernel/rcu/tree_plugin.h:329 | rcu_note_context_switch+0x16c/0x2210 kernel/rcu/tree.c:458 ... | CPU: 0 PID: 6974 Comm: syz-fuzzer Not tainted 4.13.0-next-20170908+ #246 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS | 1.10.1-1ubuntu1 04/01/2014 | Call Trace: ... | RIP: 0010:rcu_preempt_note_context_switch kernel/rcu/tree_plugin.h:329 [inline] | RIP: 0010:rcu_note_context_switch+0x16c/0x2210 kernel/rcu/tree.c:458 | RSP: 0018:ffff88003b2debc8 EFLAGS: 00010002 | RAX: 0000000000000001 RBX: 1ffff1000765bd85 RCX: 0000000000000000 | RDX: 1ffff100075d7882 RSI: ffffffffb5c7da20 RDI: ffff88003aebc410 | RBP: ffff88003b2def30 R08: dffffc0000000000 R09: 0000000000000001 | R10: 0000000000000000 R11: 0000000000000000 R12: ffff88003b2def08 | R13: 0000000000000000 R14: ffff88003aebc040 R15: ffff88003aebc040 | __schedule+0x201/0x2240 kernel/sched/core.c:3292 | schedule+0x113/0x460 kernel/sched/core.c:3421 | kvm_async_pf_task_wait+0x43f/0x940 arch/x86/kernel/kvm.c:158 | do_async_page_fault+0x72/0x90 arch/x86/kernel/kvm.c:271 | async_page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1069 | RIP: 0010:format_decode+0x240/0x830 lib/vsprintf.c:1996 | RSP: 0018:ffff88003b2df520 EFLAGS: 00010283 | RAX: 000000000000003f RBX: ffffffffb5d1e141 RCX: ffff88003b2df670 | RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffb5d1e140 | RBP: ffff88003b2df560 R08: dffffc0000000000 R09: 0000000000000000 | R10: ffff88003b2df718 R11: 0000000000000000 R12: ffff88003b2df5d8 | R13: 0000000000000064 R14: ffffffffb5d1e140 R15: 0000000000000000 | vsnprintf+0x173/0x1700 lib/vsprintf.c:2136 | sprintf+0xbe/0xf0 lib/vsprintf.c:2386 | proc_self_get_link+0xfb/0x1c0 fs/proc/self.c:23 | get_link fs/namei.c:1047 [inline] | link_path_walk+0x1041/0x1490 fs/namei.c:2127 ...
This happened when the host hit a page fault, and delivered it as in an async page fault, while the guest was in an RCU read-side critical section. The guest then tries to reschedule in kvm_async_pf_task_wait(), but rcu_preempt_note_context_switch() would treat the reschedule as a sleep in RCU read-side critical section, which is not allowed (even in preemptible RCU). Thus the WARN.
To cure this, make kvm_async_pf_task_wait() go to the halt path if the PF happens in a RCU read-side critical section.
Reported-by: Sasha Levin levinsasha928@gmail.com Cc: "Paul E. McKenney" paulmck@linux.vnet.ibm.com Cc: Peter Zijlstra peterz@infradead.org Signed-off-by: Boqun Feng boqun.feng@gmail.com Signed-off-by: Paolo Bonzini pbonzini@redhat.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/kernel/kvm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -137,7 +137,8 @@ void kvm_async_pf_task_wait(u32 token)
n.token = token; n.cpu = smp_processor_id(); - n.halted = idle || preempt_count() > 1; + n.halted = idle || preempt_count() > 1 || + rcu_preempt_depth(); init_waitqueue_head(&n.wq); hlist_add_head(&n.link, &b->list); spin_unlock(&b->lock);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit ee618b4619b72527aaed765f0f0b74072b281159 upstream.
As the previous patch did for encrypted-keys, zero sensitive any potentially sensitive data related to the "trusted" key type before it is freed. Notably, we were not zeroing the tpm_buf structures in which the actual key is stored for TPM seal and unseal, nor were we zeroing the trusted_key_payload in certain error paths.
Cc: Mimi Zohar zohar@linux.vnet.ibm.com Cc: David Safford safford@us.ibm.com Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com Signed-off-by: James Morris james.l.morris@oracle.com [bwh: Backported to 3.2: - Also use kzfree() in my_get_random() - Drop one unapplicable change - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -69,7 +69,7 @@ static int TSS_sha1(const unsigned char }
ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest); - kfree(sdesc); + kzfree(sdesc); return ret; }
@@ -113,7 +113,7 @@ static int TSS_rawhmac(unsigned char *di if (!ret) ret = crypto_shash_final(&sdesc->shash, digest); out: - kfree(sdesc); + kzfree(sdesc); return ret; }
@@ -164,7 +164,7 @@ static int TSS_authhmac(unsigned char *d paramdigest, TPM_NONCE_SIZE, h1, TPM_NONCE_SIZE, h2, 1, &c, 0, 0); out: - kfree(sdesc); + kzfree(sdesc); return ret; }
@@ -245,7 +245,7 @@ static int TSS_checkhmac1(unsigned char if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: - kfree(sdesc); + kzfree(sdesc); return ret; }
@@ -346,7 +346,7 @@ static int TSS_checkhmac2(unsigned char if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: - kfree(sdesc); + kzfree(sdesc); return ret; }
@@ -396,7 +396,7 @@ static int my_get_random(unsigned char * return -ENOMEM; ret = tpm_get_random(tb, buf, len);
- kfree(tb); + kzfree(tb); return ret; }
@@ -595,7 +595,7 @@ static int tpm_seal(struct tpm_buf *tb, *bloblen = storedsize; } out: - kfree(td); + kzfree(td); return ret; }
@@ -709,7 +709,7 @@ static int key_seal(struct trusted_key_p if (ret < 0) pr_info("trusted_key: srkseal failed (%d)\n", ret);
- kfree(tb); + kzfree(tb); return ret; }
@@ -734,7 +734,7 @@ static int key_unseal(struct trusted_key /* pull migratable flag out of sealed key */ p->migratable = p->key[--p->key_len];
- kfree(tb); + kzfree(tb); return ret; }
@@ -990,12 +990,12 @@ static int trusted_instantiate(struct ke if (!ret && options->pcrlock) ret = pcrlock(options->pcrlock); out: - kfree(datablob); - kfree(options); + kzfree(datablob); + kzfree(options); if (!ret) rcu_assign_pointer(key->payload.data, payload); else - kfree(payload); + kzfree(payload); return ret; }
@@ -1004,8 +1004,7 @@ static void trusted_rcu_free(struct rcu_ struct trusted_key_payload *p;
p = container_of(rcu, struct trusted_key_payload, rcu); - memset(p->key, 0, p->key_len); - kfree(p); + kzfree(p); }
/* @@ -1043,7 +1042,7 @@ static int trusted_update(struct key *ke ret = datablob_parse(datablob, new_p, new_o); if (ret != Opt_update) { ret = -EINVAL; - kfree(new_p); + kzfree(new_p); goto out; } /* copy old key values, and reseal with new pcrs */ @@ -1056,22 +1055,22 @@ static int trusted_update(struct key *ke ret = key_seal(new_p, new_o); if (ret < 0) { pr_info("trusted_key: key_seal failed (%d)\n", ret); - kfree(new_p); + kzfree(new_p); goto out; } if (new_o->pcrlock) { ret = pcrlock(new_o->pcrlock); if (ret < 0) { pr_info("trusted_key: pcrlock failed (%d)\n", ret); - kfree(new_p); + kzfree(new_p); goto out; } } rcu_assign_pointer(key->payload.data, new_p); call_rcu(&p->rcu, trusted_rcu_free); out: - kfree(datablob); - kfree(new_o); + kzfree(datablob); + kzfree(new_o); return ret; }
@@ -1100,24 +1099,19 @@ static long trusted_read(const struct ke for (i = 0; i < p->blob_len; i++) bufp = hex_byte_pack(bufp, p->blob[i]); if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) { - kfree(ascii_buf); + kzfree(ascii_buf); return -EFAULT; } - kfree(ascii_buf); + kzfree(ascii_buf); return 2 * p->blob_len; }
/* - * trusted_destroy - before freeing the key, clear the decrypted data + * trusted_destroy - clear and free the key's payload */ static void trusted_destroy(struct key *key) { - struct trusted_key_payload *p = key->payload.data; - - if (!p) - return; - memset(p->key, 0, p->key_len); - kfree(key->payload.data); + kzfree(key->payload.data); }
struct key_type key_type_trusted = {
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bin Liu b-liu@ti.com
commit d246dcb2331c5783743720e6510892eb1d2801d9 upstream.
[ 40.467381] ============================================= [ 40.473013] [ INFO: possible recursive locking detected ] [ 40.478651] 4.6.0-08691-g7f3db9a #37 Not tainted [ 40.483466] --------------------------------------------- [ 40.489098] usb/733 is trying to acquire lock: [ 40.493734] (&(&dev->lock)->rlock){-.....}, at: [<bf129288>] ep0_complete+0x18/0xdc [gadgetfs] [ 40.502882] [ 40.502882] but task is already holding lock: [ 40.508967] (&(&dev->lock)->rlock){-.....}, at: [<bf12a420>] ep0_read+0x20/0x5e0 [gadgetfs] [ 40.517811] [ 40.517811] other info that might help us debug this: [ 40.524623] Possible unsafe locking scenario: [ 40.524623] [ 40.530798] CPU0 [ 40.533346] ---- [ 40.535894] lock(&(&dev->lock)->rlock); [ 40.540088] lock(&(&dev->lock)->rlock); [ 40.544284] [ 40.544284] *** DEADLOCK *** [ 40.544284] [ 40.550461] May be due to missing lock nesting notation [ 40.550461] [ 40.557544] 2 locks held by usb/733: [ 40.561271] #0: (&f->f_pos_lock){+.+.+.}, at: [<c02a6114>] __fdget_pos+0x40/0x48 [ 40.569219] #1: (&(&dev->lock)->rlock){-.....}, at: [<bf12a420>] ep0_read+0x20/0x5e0 [gadgetfs] [ 40.578523] [ 40.578523] stack backtrace: [ 40.583075] CPU: 0 PID: 733 Comm: usb Not tainted 4.6.0-08691-g7f3db9a #37 [ 40.590246] Hardware name: Generic AM33XX (Flattened Device Tree) [ 40.596625] [<c010ffbc>] (unwind_backtrace) from [<c010c1bc>] (show_stack+0x10/0x14) [ 40.604718] [<c010c1bc>] (show_stack) from [<c04207fc>] (dump_stack+0xb0/0xe4) [ 40.612267] [<c04207fc>] (dump_stack) from [<c01886ec>] (__lock_acquire+0xf68/0x1994) [ 40.620440] [<c01886ec>] (__lock_acquire) from [<c0189528>] (lock_acquire+0xd8/0x238) [ 40.628621] [<c0189528>] (lock_acquire) from [<c06ad6b4>] (_raw_spin_lock_irqsave+0x38/0x4c) [ 40.637440] [<c06ad6b4>] (_raw_spin_lock_irqsave) from [<bf129288>] (ep0_complete+0x18/0xdc [gadgetfs]) [ 40.647339] [<bf129288>] (ep0_complete [gadgetfs]) from [<bf10a728>] (musb_g_giveback+0x118/0x1b0 [musb_hdrc]) [ 40.657842] [<bf10a728>] (musb_g_giveback [musb_hdrc]) from [<bf108768>] (musb_g_ep0_queue+0x16c/0x188 [musb_hdrc]) [ 40.668772] [<bf108768>] (musb_g_ep0_queue [musb_hdrc]) from [<bf12a944>] (ep0_read+0x544/0x5e0 [gadgetfs]) [ 40.678963] [<bf12a944>] (ep0_read [gadgetfs]) from [<c0284470>] (__vfs_read+0x20/0x110) [ 40.687414] [<c0284470>] (__vfs_read) from [<c0285324>] (vfs_read+0x88/0x114) [ 40.694864] [<c0285324>] (vfs_read) from [<c0286150>] (SyS_read+0x44/0x9c) [ 40.702051] [<c0286150>] (SyS_read) from [<c0107820>] (ret_fast_syscall+0x0/0x1c)
This is caused by the spinlock bug in ep0_read(). Fix the two other deadlock sources in gadgetfs_setup() too.
Signed-off-by: Bin Liu b-liu@ti.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/gadget/inode.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)
--- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c @@ -1009,8 +1009,11 @@ ep0_read (struct file *fd, char __user * struct usb_ep *ep = dev->gadget->ep0; struct usb_request *req = dev->req;
- if ((retval = setup_req (ep, req, 0)) == 0) - retval = usb_ep_queue (ep, req, GFP_ATOMIC); + if ((retval = setup_req (ep, req, 0)) == 0) { + spin_unlock_irq (&dev->lock); + retval = usb_ep_queue (ep, req, GFP_KERNEL); + spin_lock_irq (&dev->lock); + } dev->state = STATE_DEV_CONNECTED;
/* assume that was SET_CONFIGURATION */ @@ -1544,8 +1547,11 @@ delegate: w_length); if (value < 0) break; + + spin_unlock (&dev->lock); value = usb_ep_queue (gadget->ep0, dev->req, - GFP_ATOMIC); + GFP_KERNEL); + spin_lock (&dev->lock); if (value < 0) { clean_req (gadget->ep0, dev->req); break; @@ -1568,11 +1574,14 @@ delegate: if (value >= 0 && dev->state != STATE_DEV_SETUP) { req->length = value; req->zero = value < w_length; - value = usb_ep_queue (gadget->ep0, req, GFP_ATOMIC); + + spin_unlock (&dev->lock); + value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL); if (value < 0) { DBG (dev, "ep_queue --> %d\n", value); req->status = 0; } + return value; }
/* device stalls when value < 0 */
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov dmitry.torokhov@gmail.com
commit e8b95728f724797f958912fd9b765a695595d3a6 upstream.
Normally, when input device supporting force feedback effects is being destroyed, we try to "flush" currently playing effects, so that the physical device does not continue vibrating (or executing other effects). Unfortunately this does not work well for uinput as flushing of the effects deadlocks with the destroy action:
- if device is being destroyed because the file descriptor is being closed, then there is noone to even service FF requests;
- if device is being destroyed because userspace sent UI_DEV_DESTROY, while theoretically it could be possible to service FF requests, userspace is unlikely to do so (they'd need to make sure FF handling happens on a separate thread) even if kernel solves the issue with FF ioctls deadlocking with UI_DEV_DESTROY ioctl on udev->mutex.
To avoid lockups like the one below, let's install a custom input device flush handler, and avoid trying to flush force feedback effects when we destroying the device, and instead rely on uinput to shut off the device properly.
NMI watchdog: Watchdog detected hard LOCKUP on cpu 3 ... <<EOE>> [<ffffffff817a0307>] _raw_spin_lock_irqsave+0x37/0x40 [<ffffffff810e633d>] complete+0x1d/0x50 [<ffffffffa00ba08c>] uinput_request_done+0x3c/0x40 [uinput] [<ffffffffa00ba587>] uinput_request_submit.part.7+0x47/0xb0 [uinput] [<ffffffffa00bb62b>] uinput_dev_erase_effect+0x5b/0x76 [uinput] [<ffffffff815d91ad>] erase_effect+0xad/0xf0 [<ffffffff815d929d>] flush_effects+0x4d/0x90 [<ffffffff815d4cc0>] input_flush_device+0x40/0x60 [<ffffffff815daf1c>] evdev_cleanup+0xac/0xc0 [<ffffffff815daf5b>] evdev_disconnect+0x2b/0x60 [<ffffffff815d74ac>] __input_unregister_device+0xac/0x150 [<ffffffff815d75f7>] input_unregister_device+0x47/0x70 [<ffffffffa00bac45>] uinput_destroy_device+0xb5/0xc0 [uinput] [<ffffffffa00bb2de>] uinput_ioctl_handler.isra.9+0x65e/0x740 [uinput] [<ffffffff811231ab>] ? do_futex+0x12b/0xad0 [<ffffffffa00bb3f8>] uinput_ioctl+0x18/0x20 [uinput] [<ffffffff81241248>] do_vfs_ioctl+0x298/0x480 [<ffffffff81337553>] ? security_file_ioctl+0x43/0x60 [<ffffffff812414a9>] SyS_ioctl+0x79/0x90 [<ffffffff817a04ee>] entry_SYSCALL_64_fastpath+0x12/0x71
Reported-by: Rodrigo Rivas Costa rodrigorivascosta@gmail.com Reported-by: Clément VUCHENER clement.vuchener@gmail.com Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=193741 Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/input/ff-core.c | 13 ++++++++++--- drivers/input/misc/uinput.c | 18 ++++++++++++++++++ include/linux/input.h | 1 + 3 files changed, 29 insertions(+), 3 deletions(-)
--- a/drivers/input/ff-core.c +++ b/drivers/input/ff-core.c @@ -239,9 +239,15 @@ int input_ff_erase(struct input_dev *dev EXPORT_SYMBOL_GPL(input_ff_erase);
/* - * flush_effects - erase all effects owned by a file handle + * input_ff_flush - erase all effects owned by a file handle + * @dev: input device to erase effect from + * @file: purported owner of the effects + * + * This function erases all force-feedback effects associated with + * the given owner from specified device. Note that @file may be %NULL, + * in which case all effects will be erased. */ -static int flush_effects(struct input_dev *dev, struct file *file) +int input_ff_flush(struct input_dev *dev, struct file *file) { struct ff_device *ff = dev->ff; int i; @@ -257,6 +263,7 @@ static int flush_effects(struct input_de
return 0; } +EXPORT_SYMBOL_GPL(input_ff_flush);
/** * input_ff_event() - generic handler for force-feedback events @@ -340,7 +347,7 @@ int input_ff_create(struct input_dev *de mutex_init(&ff->mutex);
dev->ff = ff; - dev->flush = flush_effects; + dev->flush = input_ff_flush; dev->event = input_ff_event; __set_bit(EV_FF, dev->evbit);
--- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c @@ -218,6 +218,18 @@ static int uinput_dev_erase_effect(struc return retval; }
+static int uinput_dev_flush(struct input_dev *dev, struct file *file) +{ + /* + * If we are called with file == NULL that means we are tearing + * down the device, and therefore we can not handle FF erase + * requests: either we are handling UI_DEV_DESTROY (and holding + * the udev->mutex), or the file descriptor is closed and there is + * nobody on the other side anymore. + */ + return file ? input_ff_flush(dev, file) : 0; +} + static void uinput_destroy_device(struct uinput_device *udev) { const char *name, *phys; @@ -261,6 +273,12 @@ static int uinput_create_device(struct u dev->ff->playback = uinput_dev_playback; dev->ff->set_gain = uinput_dev_set_gain; dev->ff->set_autocenter = uinput_dev_set_autocenter; + /* + * The standard input_ff_flush() implementation does + * not quite work for uinput as we can't reasonably + * handle FF requests during device teardown. + */ + dev->flush = uinput_dev_flush; }
error = input_register_device(udev->dev); --- a/include/linux/input.h +++ b/include/linux/input.h @@ -1618,6 +1618,7 @@ int input_ff_event(struct input_dev *dev
int input_ff_upload(struct input_dev *dev, struct ff_effect *effect, struct file *file); int input_ff_erase(struct input_dev *dev, int effect_id, struct file *file); +int input_ff_flush(struct input_dev *dev, struct file *file);
int input_ff_create_memless(struct input_dev *dev, void *data, int (*play_effect)(struct input_dev *, void *, struct ff_effect *));
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit f7b48cf08fa63a68b59c2894806ee478216d7f91 upstream.
If key_instantiate_and_link() were to fail (which fortunately isn't possible currently), the call to key_revoke(authkey) would crash with a NULL pointer dereference in request_key_auth_revoke() because the key has not yet been instantiated.
Fix this by removing the call to key_revoke(). key_put() is sufficient, as it's not possible for an uninstantiated authkey to have been used for anything yet.
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- security/keys/request_key_auth.c | 1 - 1 file changed, 1 deletion(-)
--- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c @@ -206,7 +206,6 @@ struct key *request_key_auth_new(struct return authkey;
error_put_authkey: - key_revoke(authkey); key_put(authkey); error_free_rka: free_request_key_auth(rka);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit 2b7cda9c35d3b940eb9ce74b30bbd5eb30db493d upstream.
Based on SNMP values provided by Roman, Yuchung made the observation that some crashes in tcp_sacktag_walk() might be caused by MTU probing.
Looking at tcp_mtu_probe(), I found that when a new skb was placed in front of the write queue, we were not updating tcp highest sack.
If one skb is freed because all its content was copied to the new skb (for MTU probing), then tp->highest_sack could point to a now freed skb.
Bad things would then happen, including infinite loops.
This patch renames tcp_highest_sack_combine() and uses it from tcp_mtu_probe() to fix the bug.
Note that I also removed one test against tp->sacked_out, since we want to replace tp->highest_sack regardless of whatever condition, since keeping a stale pointer to freed skb is a recipe for disaster.
Fixes: a47e5a988a57 ("[TCP]: Convert highest_sack to sk_buff to allow direct access") Signed-off-by: Eric Dumazet edumazet@google.com Reported-by: Alexei Starovoitov alexei.starovoitov@gmail.com Reported-by: Roman Gushchin guro@fb.com Reported-by: Oleksandr Natalenko oleksandr@natalenko.name Acked-by: Alexei Starovoitov ast@kernel.org Acked-by: Neal Cardwell ncardwell@google.com Acked-by: Yuchung Cheng ycheng@google.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/net/tcp.h | 6 +++--- net/ipv4/tcp_output.c | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-)
--- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1394,12 +1394,12 @@ static inline void tcp_highest_sack_rese tcp_sk(sk)->highest_sack = tcp_write_queue_head(sk); }
-/* Called when old skb is about to be deleted (to be combined with new skb) */ -static inline void tcp_highest_sack_combine(struct sock *sk, +/* Called when old skb is about to be deleted and replaced by new skb */ +static inline void tcp_highest_sack_replace(struct sock *sk, struct sk_buff *old, struct sk_buff *new) { - if (tcp_sk(sk)->sacked_out && (old == tcp_sk(sk)->highest_sack)) + if (old == tcp_highest_sack(sk)) tcp_sk(sk)->highest_sack = new; }
--- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1676,6 +1676,7 @@ static int tcp_mtu_probe(struct sock *sk nskb->ip_summed = skb->ip_summed;
tcp_insert_write_queue_before(nskb, skb, sk); + tcp_highest_sack_replace(sk, skb, nskb);
len = 0; tcp_for_write_queue_from_safe(skb, next, sk) { @@ -1987,7 +1988,7 @@ static void tcp_collapse_retrans(struct
BUG_ON(tcp_skb_pcount(skb) != 1 || tcp_skb_pcount(next_skb) != 1);
- tcp_highest_sack_combine(sk, next_skb, skb); + tcp_highest_sack_replace(sk, next_skb, skb);
tcp_unlink_write_queue(next_skb, sk);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit 9f775ead5e570e7e19015b9e4e2f3dd6e71a5935 upstream.
The l2tp_eth module crashes if its netlink callbacks are run when the pernet data aren't initialised.
We should normally register_pernet_device() before the genl callbacks. However, the pernet data only maintain a list of l2tpeth interfaces, and this list is never used. So let's just drop pernet handling instead.
Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/l2tp/l2tp_eth.c | 51 ++------------------------------------------------- 1 file changed, 2 insertions(+), 49 deletions(-)
--- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -39,7 +39,6 @@ struct l2tp_eth { struct net_device *dev; struct sock *tunnel_sock; struct l2tp_session *session; - struct list_head list; };
/* via l2tp_session_priv() */ @@ -47,17 +46,6 @@ struct l2tp_eth_sess { struct net_device *dev; };
-/* per-net private data for this module */ -static unsigned int l2tp_eth_net_id; -struct l2tp_eth_net { - struct list_head l2tp_eth_dev_list; - spinlock_t l2tp_eth_lock; -}; - -static inline struct l2tp_eth_net *l2tp_eth_pernet(struct net *net) -{ - return net_generic(net, l2tp_eth_net_id); -}
static int l2tp_eth_dev_init(struct net_device *dev) { @@ -72,12 +60,6 @@ static int l2tp_eth_dev_init(struct net_
static void l2tp_eth_dev_uninit(struct net_device *dev) { - struct l2tp_eth *priv = netdev_priv(dev); - struct l2tp_eth_net *pn = l2tp_eth_pernet(dev_net(dev)); - - spin_lock(&pn->l2tp_eth_lock); - list_del_init(&priv->list); - spin_unlock(&pn->l2tp_eth_lock); dev_put(dev); }
@@ -193,7 +175,6 @@ static int l2tp_eth_create(struct net *n struct l2tp_eth *priv; struct l2tp_eth_sess *spriv; int rc; - struct l2tp_eth_net *pn;
if (cfg->ifname) { dev = dev_get_by_name(net, cfg->ifname); @@ -228,7 +209,6 @@ static int l2tp_eth_create(struct net *n priv = netdev_priv(dev); priv->dev = dev; priv->session = session; - INIT_LIST_HEAD(&priv->list);
priv->tunnel_sock = tunnel->sock; session->recv_skb = l2tp_eth_dev_recv; @@ -249,10 +229,6 @@ static int l2tp_eth_create(struct net *n strlcpy(session->ifname, dev->name, IFNAMSIZ);
dev_hold(dev); - pn = l2tp_eth_pernet(dev_net(dev)); - spin_lock(&pn->l2tp_eth_lock); - list_add(&priv->list, &pn->l2tp_eth_dev_list); - spin_unlock(&pn->l2tp_eth_lock);
return 0;
@@ -265,22 +241,6 @@ out: return rc; }
-static __net_init int l2tp_eth_init_net(struct net *net) -{ - struct l2tp_eth_net *pn = net_generic(net, l2tp_eth_net_id); - - INIT_LIST_HEAD(&pn->l2tp_eth_dev_list); - spin_lock_init(&pn->l2tp_eth_lock); - - return 0; -} - -static struct pernet_operations l2tp_eth_net_ops = { - .init = l2tp_eth_init_net, - .id = &l2tp_eth_net_id, - .size = sizeof(struct l2tp_eth_net), -}; -
static const struct l2tp_nl_cmd_ops l2tp_eth_nl_cmd_ops = { .session_create = l2tp_eth_create, @@ -294,25 +254,18 @@ static int __init l2tp_eth_init(void)
err = l2tp_nl_register_ops(L2TP_PWTYPE_ETH, &l2tp_eth_nl_cmd_ops); if (err) - goto out; - - err = register_pernet_device(&l2tp_eth_net_ops); - if (err) - goto out_unreg; + goto err;
printk(KERN_INFO "L2TP ethernet pseudowire support (L2TPv3)\n");
return 0;
-out_unreg: - l2tp_nl_unregister_ops(L2TP_PWTYPE_ETH); -out: +err: return err; }
static void __exit l2tp_eth_exit(void) { - unregister_pernet_device(&l2tp_eth_net_ops); l2tp_nl_unregister_ops(L2TP_PWTYPE_ETH); }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ashish Samant ashish.samant@oracle.com
commit 105ddc93f06ebe3e553f58563d11ed63dbcd59f0 upstream.
The first cluster group descriptor is not stored at the start of the group but at an offset from the start. We need to take this into account while doing fstrim on the first cluster group. Otherwise we will wrongly start fstrim a few blocks after the desired start block and the range can cross over into the next cluster group and zero out the group descriptor there. This can cause filesytem corruption that cannot be fixed by fsck.
Link: http://lkml.kernel.org/r/1507835579-7308-1-git-send-email-ashish.samant@orac... Signed-off-by: Ashish Samant ashish.samant@oracle.com Reviewed-by: Junxiao Bi junxiao.bi@oracle.com Reviewed-by: Joseph Qi jiangqi903@gmail.com Cc: Mark Fasheh mfasheh@versity.com Cc: Joel Becker jlbec@evilplan.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/ocfs2/alloc.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-)
--- a/fs/ocfs2/alloc.c +++ b/fs/ocfs2/alloc.c @@ -7188,13 +7188,24 @@ out:
static int ocfs2_trim_extent(struct super_block *sb, struct ocfs2_group_desc *gd, - u32 start, u32 count) + u64 group, u32 start, u32 count) { u64 discard, bcount; + struct ocfs2_super *osb = OCFS2_SB(sb);
bcount = ocfs2_clusters_to_blocks(sb, count); - discard = le64_to_cpu(gd->bg_blkno) + - ocfs2_clusters_to_blocks(sb, start); + discard = ocfs2_clusters_to_blocks(sb, start); + + /* + * For the first cluster group, the gd->bg_blkno is not at the start + * of the group, but at an offset from the start. If we add it while + * calculating discard for first group, we will wrongly start fstrim a + * few blocks after the desried start block and the range can cross + * over into the next cluster group. So, add it only if this is not + * the first cluster group. + */ + if (group != osb->first_cluster_group_blkno) + discard += le64_to_cpu(gd->bg_blkno);
trace_ocfs2_trim_extent(sb, (unsigned long long)discard, bcount);
@@ -7202,7 +7213,7 @@ static int ocfs2_trim_extent(struct supe }
static int ocfs2_trim_group(struct super_block *sb, - struct ocfs2_group_desc *gd, + struct ocfs2_group_desc *gd, u64 group, u32 start, u32 max, u32 minbits) { int ret = 0, count = 0, next; @@ -7221,7 +7232,7 @@ static int ocfs2_trim_group(struct super next = ocfs2_find_next_bit(bitmap, max, start);
if ((next - start) >= minbits) { - ret = ocfs2_trim_extent(sb, gd, + ret = ocfs2_trim_extent(sb, gd, group, start, next - start); if (ret < 0) { mlog_errno(ret); @@ -7323,7 +7334,8 @@ int ocfs2_trim_fs(struct super_block *sb }
gd = (struct ocfs2_group_desc *)gd_bh->b_data; - cnt = ocfs2_trim_group(sb, gd, first_bit, last_bit, minlen); + cnt = ocfs2_trim_group(sb, gd, group, + first_bit, last_bit, minlen); brelse(gd_bh); gd_bh = NULL; if (cnt < 0) {
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit b78412b8300a8453b78d2c1b0b925b66493bb011 upstream.
Patch series "sh: sh7722/sh7757i/sh7264/sh7269: Fix pinctrl registration", v2.
Magnus Damm reported that on sh7722/Migo-R, pinctrl registration fails with:
sh-pfc pfc-sh7722: pin 0 already registered sh-pfc pfc-sh7722: error during pin registration sh-pfc pfc-sh7722: could not register: -22 sh-pfc: probe of pfc-sh7722 failed with error -22
pinmux_pins[] is initialized through PINMUX_GPIO(), using designated array initializers, where the GPIO_* enums serve as indices. Apparently GPIO_PTQ7 was defined in the enum, but never used. If enum values are defined, but never used, pinmux_pins[] contains (zero-filled) holes. Hence such entries are treated as pin zero, which was registered before, and pinctrl registration fails.
I can't see how this ever worked, as at the time of commit f5e25ae52fef ("sh-pfc: Add sh7722 pinmux support"), pinmux_gpios[] in drivers/pinctrl/sh-pfc/pfc-sh7722.c already had the hole, and drivers/pinctrl/core.c already had the check.
Some scripting revealed a few more broken drivers: - sh7757 has four holes, due to nonexistent GPIO_PT[JLNQ]7_RESV. - sh7264 and sh7269 define GPIO_PH[0-7], but don't use it with PINMUX_GPIO().
Patch 1 fixes the issue on sh7722, and was tested. Patches 3-4 should fix the issue on the other 3 SoCs, but was untested due to lack of hardware.
This patch (of 4):
On sh7722/Migo-R, pinctrl registration fails with:
sh-pfc pfc-sh7722: pin 0 already registered sh-pfc pfc-sh7722: error during pin registration sh-pfc pfc-sh7722: could not register: -22 sh-pfc: probe of pfc-sh7722 failed with error -22
pinmux_pins[] is initialized through PINMUX_GPIO(), using designated array initializers, where the GPIO_* enums serve as indices. As GPIO_PTQ7 is defined in the enum, but never used, pinmux_pins[] contains a (zero-filled) hole. Hence this entry is treated as pin zero, which was registered before, and pinctrl registration fails.
According to the datasheet, port PTQ7 does not exist. Hence remove GPIO_PTQ7 from the enum to fix this.
Link: http://lkml.kernel.org/r/1505205657-18012-2-git-send-email-geert+renesas@gli... Fixes: 8d7b5b0af7e070b9 ("sh: Add sh7722 pinmux code") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Reported-by: Magnus Damm magnus.damm@gmail.com Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com Tested-by: Jacopo Mondi jacopo+renesas@jmondi.org Cc: Rich Felker dalias@libc.org Cc: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Cc: Yoshinori Sato ysato@users.sourceforge.jp Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/sh/include/cpu-sh4/cpu/sh7722.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/sh/include/cpu-sh4/cpu/sh7722.h +++ b/arch/sh/include/cpu-sh4/cpu/sh7722.h @@ -67,7 +67,7 @@ enum { GPIO_PTN3, GPIO_PTN2, GPIO_PTN1, GPIO_PTN0,
/* PTQ */ - GPIO_PTQ7, GPIO_PTQ6, GPIO_PTQ5, GPIO_PTQ4, + GPIO_PTQ6, GPIO_PTQ5, GPIO_PTQ4, GPIO_PTQ3, GPIO_PTQ2, GPIO_PTQ1, GPIO_PTQ0,
/* PTR */
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern stern@rowland.harvard.edu
commit 0173a68bfb0ad1c72a6ee39cc485aa2c97540b98 upstream.
The dummy-hcd HCD/UDC emulator tries not to do too much work during each timer interrupt. But it doesn't try very hard; currently all it does is limit the total amount of bulk data transferred. Other transfer types aren't limited, and URBs that transfer no data (because of an error, perhaps) don't count toward the limit, even though on a real USB bus they would consume at least a minimum overhead.
This means it's possible to get the driver stuck in an infinite loop, for example, if the host class driver resubmits an URB every time it completes (which is common for interrupt URBs). Each time the URB is resubmitted it gets added to the end of the pending-URBs list, and dummy-hcd doesn't stop until that list is empty. Andrey Konovalov was able to trigger this failure mode using the syzkaller fuzzer.
This patch fixes the infinite-loop problem by restricting the URBs handled during each timer interrupt to those that were already on the pending list when the interrupt routine started. Newly added URBs won't be processed until the next timer interrupt. The problem of properly accounting for non-bulk bandwidth (as well as packet and transaction overhead) is not addressed here.
Signed-off-by: Alan Stern stern@rowland.harvard.edu Reported-by: Andrey Konovalov andreyknvl@google.com Tested-by: Andrey Konovalov andreyknvl@google.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/usb/gadget/dummy_hcd.c +++ b/drivers/usb/gadget/dummy_hcd.c @@ -167,6 +167,7 @@ struct dummy_hcd {
struct usb_device *udev; struct list_head urbp_list; + struct urbp *next_frame_urbp;
unsigned active:1; unsigned old_active:1; @@ -1108,6 +1109,8 @@ static int dummy_urb_enqueue (
list_add_tail(&urbp->urbp_list, &dum_hcd->urbp_list); urb->hcpriv = urbp; + if (!dum_hcd->next_frame_urbp) + dum_hcd->next_frame_urbp = urbp; if (usb_pipetype (urb->pipe) == PIPE_CONTROL) urb->error_count = 1; /* mark as a new urb */
@@ -1544,6 +1547,7 @@ static void dummy_timer(unsigned long _d spin_unlock_irqrestore (&dum->lock, flags); return; } + dum_hcd->next_frame_urbp = NULL;
for (i = 0; i < DUMMY_ENDPOINTS; i++) { if (!ep_name [i]) @@ -1560,6 +1564,10 @@ restart: int type; int status = -EINPROGRESS;
+ /* stop when we reach URBs queued after the timer interrupt */ + if (urbp == dum_hcd->next_frame_urbp) + break; + urb = urbp->urb; if (urb->unlinked) goto return_urb;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Casey Schaufler casey@schaufler-ca.com
commit 57e7ba04d422c3d41c8426380303ec9b7533ded9 upstream.
security_inode_getsecurity() provides the text string value of a security attribute. It does not provide a "secctx". The code in xattr_getsecurity() that calls security_inode_getsecurity() and then calls security_release_secctx() happened to work because SElinux and Smack treat the attribute and the secctx the same way. It fails for cap_inode_getsecurity(), because that module has no secctx that ever needs releasing. It turns out that Smack is the one that's doing things wrong by not allocating memory when instructed to do so by the "alloc" parameter.
The fix is simple enough. Change the security_release_secctx() to kfree() because it isn't a secctx being returned by security_inode_getsecurity(). Change Smack to allocate the string when told to do so.
Note: this also fixes memory leaks for LSMs which implement inode_getsecurity but not release_secctx, such as capabilities.
Signed-off-by: Casey Schaufler casey@schaufler-ca.com Reported-by: Konstantin Khlebnikov khlebnikov@yandex-team.ru Signed-off-by: James Morris james.l.morris@oracle.com [bwh: Backported to 3.2: - s/isp->smk_known/isp/ - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/xattr.c | 2 +- security/smack/smack_lsm.c | 55 +++++++++++++++++++++------------------------- 2 files changed, 26 insertions(+), 31 deletions(-)
--- a/fs/xattr.c +++ b/fs/xattr.c @@ -161,7 +161,7 @@ xattr_getsecurity(struct inode *inode, c } memcpy(value, buffer, len); out: - security_release_secctx(buffer, len); + kfree(buffer); out_noalloc: return len; } --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -940,7 +940,7 @@ static int smack_inode_removexattr(struc * @inode: the object * @name: attribute name * @buffer: where to put the result - * @alloc: unused + * @alloc: duplicate memory * * Returns the size of the attribute or an error code */ @@ -953,43 +953,38 @@ static int smack_inode_getsecurity(const struct super_block *sbp; struct inode *ip = (struct inode *)inode; char *isp; - int ilen; - int rc = 0;
- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { + if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) isp = smk_of_inode(inode); - ilen = strlen(isp); - *buffer = isp; - return ilen; + else { + /* + * The rest of the Smack xattrs are only on sockets. + */ + sbp = ip->i_sb; + if (sbp->s_magic != SOCKFS_MAGIC) + return -EOPNOTSUPP; + + sock = SOCKET_I(ip); + if (sock == NULL || sock->sk == NULL) + return -EOPNOTSUPP; + + ssp = sock->sk->sk_security; + + if (strcmp(name, XATTR_SMACK_IPIN) == 0) + isp = ssp->smk_in; + else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) + isp = ssp->smk_out; + else + return -EOPNOTSUPP; }
- /* - * The rest of the Smack xattrs are only on sockets. - */ - sbp = ip->i_sb; - if (sbp->s_magic != SOCKFS_MAGIC) - return -EOPNOTSUPP; - - sock = SOCKET_I(ip); - if (sock == NULL || sock->sk == NULL) - return -EOPNOTSUPP; - - ssp = sock->sk->sk_security; - - if (strcmp(name, XATTR_SMACK_IPIN) == 0) - isp = ssp->smk_in; - else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) - isp = ssp->smk_out; - else - return -EOPNOTSUPP; - - ilen = strlen(isp); - if (rc == 0) { - *buffer = isp; - rc = ilen; + if (alloc) { + *buffer = kstrdup(isp, GFP_KERNEL); + if (*buffer == NULL) + return -ENOMEM; }
- return rc; + return strlen(isp); }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Martin K. Petersen" martin.petersen@oracle.com
commit 28a0bc4120d38a394499382ba21d6965a67a3703 upstream.
SBC-4 states:
"A MAXIMUM UNMAP LBA COUNT field set to a non-zero value indicates the maximum number of LBAs that may be unmapped by an UNMAP command"
"A MAXIMUM WRITE SAME LENGTH field set to a non-zero value indicates the maximum number of contiguous logical blocks that the device server allows to be unmapped or written in a single WRITE SAME command."
Despite the spec being clear on the topic, some devices incorrectly expect WRITE SAME commands with the UNMAP bit set to be limited to the value reported in MAXIMUM UNMAP LBA COUNT in the Block Limits VPD.
Implement a blacklist option that can be used to accommodate devices with this behavior.
Reported-by: Bill Kuzeja William.Kuzeja@stratus.com Reported-by: Ewan D. Milne emilne@redhat.com Reviewed-by: Ewan D. Milne emilne@redhat.com Tested-by: Laurence Oberman loberman@redhat.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com [bwh: Backported to 3.2: - Keep using literals for SD_MAX_WS{16,10}_BLOCKS - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/scsi/scsi_scan.c | 3 +++ drivers/scsi/sd.c | 16 ++++++++++++---- include/scsi/scsi_device.h | 1 + include/scsi/scsi_devinfo.h | 1 + 4 files changed, 17 insertions(+), 4 deletions(-)
--- a/drivers/scsi/scsi_scan.c +++ b/drivers/scsi/scsi_scan.c @@ -957,6 +957,9 @@ static int scsi_add_lun(struct scsi_devi if (*bflags & BLIST_RETRY_HWERROR) sdev->retry_hwerror = 1;
+ if (*bflags & BLIST_UNMAP_LIMIT_WS) + sdev->unmap_limit_for_ws = 1; + transport_configure_device(&sdev->sdev_gendev);
if (sdev->host->hostt->slave_configure) { --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -523,11 +523,21 @@ static void sd_config_discard(struct scs break;
case SD_LBP_WS16: - max_blocks = min_not_zero(sdkp->max_ws_blocks, 0xffffffff); + if (sdkp->device->unmap_limit_for_ws) + max_blocks = sdkp->max_unmap_blocks; + else + max_blocks = sdkp->max_ws_blocks; + + max_blocks = min_not_zero(max_blocks, 0xffffffff); break;
case SD_LBP_WS10: - max_blocks = min_not_zero(sdkp->max_ws_blocks, (u32)0xffff); + if (sdkp->device->unmap_limit_for_ws) + max_blocks = sdkp->max_unmap_blocks; + else + max_blocks = sdkp->max_ws_blocks; + + max_blocks = min_not_zero(max_blocks, (u32)0xffff); break;
case SD_LBP_ZERO: --- a/include/scsi/scsi_device.h +++ b/include/scsi/scsi_device.h @@ -152,6 +152,7 @@ struct scsi_device { unsigned no_read_capacity_16:1; /* Avoid READ_CAPACITY_16 cmds */ unsigned is_visible:1; /* is the device visible in sysfs */ unsigned broken_fua:1; /* Don't set FUA bit */ + unsigned unmap_limit_for_ws:1; /* Use the UNMAP limit for WRITE SAME */
DECLARE_BITMAP(supported_events, SDEV_EVT_MAXBITS); /* supported events */ struct list_head event_list; /* asserted events */ --- a/include/scsi/scsi_devinfo.h +++ b/include/scsi/scsi_devinfo.h @@ -30,4 +30,5 @@ #define BLIST_RETRY_HWERROR 0x400000 /* retry HARDWARE_ERROR */ #define BLIST_MAX_512 0x800000 /* maximum 512 sector cdb length */ #define BLIST_ATTACH_PQ3 0x1000000 /* Scan: Attach to PQ3 devices */ +#define BLIST_UNMAP_LIMIT_WS 0x80000000 /* Use UNMAP limit for WRITE SAME */ #endif
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Maksim Salau msalau@iotecha.com
commit 765fb2f181cad669f2beb87842a05d8071f2be85 upstream.
Elatec TWN3 has the union descriptor on data interface. This results in failure to bind the device to the driver with the following log: usb 1-1.2: new full speed USB device using streamplug-ehci and address 4 usb 1-1.2: New USB device found, idVendor=09d8, idProduct=0320 usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 usb 1-1.2: Product: RFID Device (COM) usb 1-1.2: Manufacturer: OEM cdc_acm 1-1.2:1.0: Zero length descriptor references cdc_acm: probe of 1-1.2:1.0 failed with error -22
Adding the NO_UNION_NORMAL quirk for the device fixes the issue.
`lsusb -v` of the device:
Bus 001 Device 003: ID 09d8:0320 Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 2 Communications bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 32 idVendor 0x09d8 idProduct 0x0320 bcdDevice 3.00 iManufacturer 1 OEM iProduct 2 RFID Device (COM) iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 67 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 250mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 2 Communications bInterfaceSubClass 2 Abstract (modem) bInterfaceProtocol 1 AT-commands (v.25ter) iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x83 EP 3 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 2 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 10 CDC Data bInterfaceSubClass 0 Unused bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 0 CDC Header: bcdCDC 1.10 CDC Call Management: bmCapabilities 0x03 call management use DataInterface bDataInterface 1 CDC ACM: bmCapabilities 0x06 sends break line coding and serial state CDC Union: bMasterInterface 0 bSlaveInterface 1 Device Status: 0x0000 (Bus Powered)
Signed-off-by: Maksim Salau msalau@iotecha.com Acked-by: Oliver Neukum oneukum@suse.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/class/cdc-acm.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -1595,6 +1595,9 @@ static const struct usb_device_id acm_id { USB_DEVICE(0xfff0, 0x0100), /* DATECS FP-2000 */ .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */ }, + { USB_DEVICE(0x09d8, 0x0320), /* Elatec GmbH TWN3 */ + .driver_info = NO_UNION_NORMAL, /* has misplaced union descriptor */ + },
{ USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */ .driver_info = CLEAR_HALT_CONDITIONS,
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.
It was possible for an unprivileged user to create the user and user session keyrings for another user. For example:
sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u keyctl add keyring _uid_ses.4000 "" @u sleep 15' & sleep 1 sudo -u '#4000' keyctl describe @u sudo -u '#4000' keyctl describe @us
This is problematic because these "fake" keyrings won't have the right permissions. In particular, the user who created them first will own them and will have full access to them via the possessor permissions, which can be used to compromise the security of a user's keys:
-4: alswrv-----v------------ 3000 0 keyring: _uid.4000 -5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000
Fix it by marking user and user session keyrings with a flag KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session keyring by name, skip all keyrings that don't have the flag set.
Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings unless they're accessed") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/include/linux/key.h +++ b/include/linux/key.h @@ -155,6 +155,7 @@ struct key { #define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */ #define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */ #define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ +#define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session keyring */
/* the description string * - this is used to match a key against search criteria @@ -196,6 +197,7 @@ extern struct key *key_alloc(struct key_ #define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */ #define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */ #define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */ +#define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */
extern void key_revoke(struct key *key); extern void key_put(struct key *key); --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -124,7 +124,7 @@ extern key_ref_t search_process_keyrings key_match_func_t match, const struct cred *cred);
-extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check); +extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
extern int install_user_keyrings(void); extern int install_thread_keyring_to_cred(struct cred *); --- a/security/keys/key.c +++ b/security/keys/key.c @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *t
if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) key->flags |= 1 << KEY_FLAG_IN_QUOTA; + if (flags & KEY_ALLOC_UID_KEYRING) + key->flags |= 1 << KEY_FLAG_UID_KEYRING;
memset(&key->type_data, 0, sizeof(key->type_data));
--- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -550,15 +550,15 @@ found: /* * Find a keyring with the specified name. * - * All named keyrings in the current user namespace are searched, provided they - * grant Search permission directly to the caller (unless this check is - * skipped). Keyrings whose usage points have reached zero or who have been - * revoked are skipped. + * Only keyrings that have nonzero refcount, are not revoked, and are owned by a + * user in the current user namespace are considered. If @uid_keyring is %true, + * the keyring additionally must have been allocated as a user or user session + * keyring; otherwise, it must grant Search permission directly to the caller. * * Returns a pointer to the keyring with the keyring's refcount having being * incremented on success. -ENOKEY is returned if a key could not be found. */ -struct key *find_keyring_by_name(const char *name, bool skip_perm_check) +struct key *find_keyring_by_name(const char *name, bool uid_keyring) { struct key *keyring; int bucket; @@ -586,10 +586,15 @@ struct key *find_keyring_by_name(const c if (strcmp(keyring->description, name) != 0) continue;
- if (!skip_perm_check && - key_permission(make_key_ref(keyring, 0), - KEY_SEARCH) < 0) - continue; + if (uid_keyring) { + if (!test_bit(KEY_FLAG_UID_KEYRING, + &keyring->flags)) + continue; + } else { + if (key_permission(make_key_ref(keyring, 0), + KEY_SEARCH) < 0) + continue; + }
/* we've got a match but we might end up racing with * key_cleanup() if the keyring is currently 'dead' --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c @@ -72,7 +72,9 @@ int install_user_keyrings(void) uid_keyring = find_keyring_by_name(buf, true); if (IS_ERR(uid_keyring)) { uid_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, - cred, KEY_ALLOC_IN_QUOTA, + cred, + KEY_ALLOC_UID_KEYRING | + KEY_ALLOC_IN_QUOTA, NULL); if (IS_ERR(uid_keyring)) { ret = PTR_ERR(uid_keyring); @@ -88,7 +90,10 @@ int install_user_keyrings(void) if (IS_ERR(session_keyring)) { session_keyring = keyring_alloc(buf, user->uid, (gid_t) -1, - cred, KEY_ALLOC_IN_QUOTA, NULL); + cred, + KEY_ALLOC_UID_KEYRING | + KEY_ALLOC_IN_QUOTA, + NULL); if (IS_ERR(session_keyring)) { ret = PTR_ERR(session_keyring); goto error_release;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 upstream.
Because the HMAC template didn't check that its underlying hash algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))" through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC being used without having been keyed, resulting in sha3_update() being called without sha3_init(), causing a stack buffer overflow.
This is a very old bug, but it seems to have only started causing real problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3) because the innermost hash's state is ->import()ed from a zeroed buffer, and it just so happens that other hash algorithms are fine with that, but SHA-3 is not. However, there could be arch or hardware-dependent hash algorithms also affected; I couldn't test everything.
Fix the bug by introducing a function crypto_shash_alg_has_setkey() which tests whether a shash algorithm is keyed. Then update the HMAC template to require that its underlying hash algorithm is unkeyed.
Here is a reproducer:
#include <linux/if_alg.h> #include <sys/socket.h>
int main() { int algfd; struct sockaddr_alg addr = { .salg_type = "hash", .salg_name = "hmac(hmac(sha3-512-generic))", }; char key[4096] = { 0 };
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0); bind(algfd, (const struct sockaddr *)&addr, sizeof(addr)); setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key)); }
Here was the KASAN report from syzbot:
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline] BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161 Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x25b/0x340 mm/kasan/report.c:409 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x137/0x190 mm/kasan/kasan.c:267 memcpy+0x37/0x50 mm/kasan/kasan.c:303 memcpy include/linux/string.h:341 [inline] sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161 crypto_shash_update+0xcb/0x220 crypto/shash.c:109 shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151 crypto_shash_finup+0xc4/0x120 crypto/shash.c:165 hmac_finup+0x182/0x330 crypto/hmac.c:152 crypto_shash_finup+0xc4/0x120 crypto/shash.c:165 shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172 crypto_shash_digest+0xc4/0x120 crypto/shash.c:186 hmac_setkey+0x36a/0x690 crypto/hmac.c:66 crypto_shash_setkey+0xad/0x190 crypto/shash.c:64 shash_async_setkey+0x47/0x60 crypto/shash.c:207 crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200 hash_setkey+0x40/0x90 crypto/algif_hash.c:446 alg_setkey crypto/af_alg.c:221 [inline] alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254 SYSC_setsockopt net/socket.c:1851 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1830 entry_SYSCALL_64_fastpath+0x1f/0x96
Reported-by: syzbot syzkaller@googlegroups.com Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- crypto/hmac.c | 6 +++++- crypto/shash.c | 5 +++-- include/crypto/internal/hash.h | 8 ++++++++ 3 files changed, 16 insertions(+), 3 deletions(-)
--- a/crypto/hmac.c +++ b/crypto/hmac.c @@ -197,11 +197,15 @@ static int hmac_create(struct crypto_tem salg = shash_attr_alg(tb[1], 0, 0); if (IS_ERR(salg)) return PTR_ERR(salg); + alg = &salg->base;
+ /* The underlying hash algorithm must be unkeyed */ err = -EINVAL; + if (crypto_shash_alg_has_setkey(salg)) + goto out_put_alg; + ds = salg->digestsize; ss = salg->statesize; - alg = &salg->base; if (ds > alg->cra_blocksize || ss < alg->cra_blocksize) goto out_put_alg; --- a/crypto/shash.c +++ b/crypto/shash.c @@ -24,11 +24,12 @@
static const struct crypto_type crypto_shash_type;
-static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, - unsigned int keylen) +int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, + unsigned int keylen) { return -ENOSYS; } +EXPORT_SYMBOL_GPL(shash_no_setkey);
static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key, unsigned int keylen) --- a/include/crypto/internal/hash.h +++ b/include/crypto/internal/hash.h @@ -70,6 +70,14 @@ int ahash_register_instance(struct crypt struct ahash_instance *inst); void ahash_free_instance(struct crypto_instance *inst);
+int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, + unsigned int keylen); + +static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg) +{ + return alg->setkey != shash_no_setkey; +} + int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn, struct hash_alg_common *alg, struct crypto_instance *inst);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 132d358b183ac6ad8b3fea32ad5e0663456d18d1 upstream.
The SYSEX event delivery in OSS sequencer emulation assumed that the event is encoded in the variable-length data with the straight buffering. This was the normal behavior in the past, but during the development, the chained buffers were introduced for carrying more data, while the OSS code was left intact. As a result, when a SYSEX event with the chained buffer data is passed to OSS sequencer port, it may end up with the wrong memory access, as if it were having a too large buffer.
This patch addresses the bug, by applying the buffer data expansion by the generic snd_seq_dump_var_event() helper function.
Reported-by: syzbot syzkaller@googlegroups.com Reported-by: Mark Salyzyn salyzyn@android.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/seq/oss/seq_oss_midi.c | 4 +--- sound/core/seq/oss/seq_oss_readq.c | 29 +++++++++++++++++++++++++++++ sound/core/seq/oss/seq_oss_readq.h | 2 ++ 3 files changed, 32 insertions(+), 3 deletions(-)
--- a/sound/core/seq/oss/seq_oss_midi.c +++ b/sound/core/seq/oss/seq_oss_midi.c @@ -618,9 +618,7 @@ send_midi_event(struct seq_oss_devinfo * if (!dp->timer->running) len = snd_seq_oss_timer_start(dp->timer); if (ev->type == SNDRV_SEQ_EVENT_SYSEX) { - if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) == SNDRV_SEQ_EVENT_LENGTH_VARIABLE) - snd_seq_oss_readq_puts(dp->readq, mdev->seq_device, - ev->data.ext.ptr, ev->data.ext.len); + snd_seq_oss_readq_sysex(dp->readq, mdev->seq_device, ev); } else { len = snd_midi_event_decode(mdev->coder, msg, sizeof(msg), ev); if (len > 0) --- a/sound/core/seq/oss/seq_oss_readq.c +++ b/sound/core/seq/oss/seq_oss_readq.c @@ -120,6 +120,35 @@ snd_seq_oss_readq_puts(struct seq_oss_re }
/* + * put MIDI sysex bytes; the event buffer may be chained, thus it has + * to be expanded via snd_seq_dump_var_event(). + */ +struct readq_sysex_ctx { + struct seq_oss_readq *readq; + int dev; +}; + +static int readq_dump_sysex(void *ptr, void *buf, int count) +{ + struct readq_sysex_ctx *ctx = ptr; + + return snd_seq_oss_readq_puts(ctx->readq, ctx->dev, buf, count); +} + +int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev, + struct snd_seq_event *ev) +{ + struct readq_sysex_ctx ctx = { + .readq = q, + .dev = dev + }; + + if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE) + return 0; + return snd_seq_dump_var_event(ev, readq_dump_sysex, &ctx); +} + +/* * copy an event to input queue: * return zero if enqueued */ --- a/sound/core/seq/oss/seq_oss_readq.h +++ b/sound/core/seq/oss/seq_oss_readq.h @@ -44,6 +44,8 @@ void snd_seq_oss_readq_delete(struct seq void snd_seq_oss_readq_clear(struct seq_oss_readq *readq); unsigned int snd_seq_oss_readq_poll(struct seq_oss_readq *readq, struct file *file, poll_table *wait); int snd_seq_oss_readq_puts(struct seq_oss_readq *readq, int dev, unsigned char *data, int len); +int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev, + struct snd_seq_event *ev); int snd_seq_oss_readq_put_event(struct seq_oss_readq *readq, union evrec *ev); int snd_seq_oss_readq_put_timestamp(struct seq_oss_readq *readq, unsigned long curt, int seq_mode); int snd_seq_oss_readq_pick(struct seq_oss_readq *q, union evrec *rec);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Steffen Maier maier@linux.vnet.ibm.com
commit ab31fd0ce65ec93828b617123792c1bb7c6dcc42 upstream.
v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery") extended accessing parent pointer fields of struct zfcp_erp_action for tracing. If an erp_action has never been enqueued before, these parent pointer fields are uninitialized and NULL. Examples are zfcp objects freshly added to the parent object's children list, before enqueueing their first recovery subsequently. In zfcp_erp_try_rport_unblock(), we iterate such list. Accessing erp_action fields can cause a NULL pointer dereference. Since the kernel can read from lowcore on s390, it does not immediately cause a kernel page fault. Instead it can cause hangs on trying to acquire the wrong erp_action->adapter->dbf->rec_lock in zfcp_dbf_rec_action_lvl() ^bogus^ while holding already other locks with IRQs disabled.
Real life example from attaching lots of LUNs in parallel on many CPUs:
crash> bt 17723 PID: 17723 TASK: ... CPU: 25 COMMAND: "zfcperp0.0.1800" LOWCORE INFO: -psw : 0x0404300180000000 0x000000000038e424 -function : _raw_spin_lock_wait_flags at 38e424 ... #0 [fdde8fc90] zfcp_dbf_rec_action_lvl at 3e0004e9862 [zfcp] #1 [fdde8fce8] zfcp_erp_try_rport_unblock at 3e0004dfddc [zfcp] #2 [fdde8fd38] zfcp_erp_strategy at 3e0004e0234 [zfcp] #3 [fdde8fda8] zfcp_erp_thread at 3e0004e0a12 [zfcp] #4 [fdde8fe60] kthread at 173550 #5 [fdde8feb8] kernel_thread_starter at 10add2
zfcp_adapter zfcp_port zfcp_unit <address>, 0x404040d600000000 scsi_device NULL, returning early! zfcp_scsi_dev.status = 0x40000000 0x40000000 ZFCP_STATUS_COMMON_RUNNING
crash> zfcp_unit <address> struct zfcp_unit { erp_action = { adapter = 0x0, port = 0x0, unit = 0x0, }, }
zfcp_erp_action is always fully embedded into its container object. Such container object is never moved in its object tree (only add or delete). Hence, erp_action parent pointers can never change.
To fix the issue, initialize the erp_action parent pointers before adding the erp_action container to any list and thus before it becomes accessible from outside of its initializing function.
In order to also close the time window between zfcp_erp_setup_act() memsetting the entire erp_action to zero and setting the parent pointers again, drop the memset and instead explicitly initialize individually all erp_action fields except for parent pointers. To be extra careful not to introduce any other unintended side effect, even keep zeroing the erp_action fields for list and timer. Also double-check with WARN_ON_ONCE that erp_action parent pointers never change, so we get to know when we would deviate from previous behavior.
Signed-off-by: Steffen Maier maier@linux.vnet.ibm.com Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery") Reviewed-by: Benjamin Block bblock@linux.vnet.ibm.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/scsi/zfcp_aux.c | 5 +++++ drivers/s390/scsi/zfcp_erp.c | 18 +++++++++++------- drivers/s390/scsi/zfcp_scsi.c | 5 +++++ 3 files changed, 21 insertions(+), 7 deletions(-)
--- a/drivers/s390/scsi/zfcp_aux.c +++ b/drivers/s390/scsi/zfcp_aux.c @@ -366,6 +366,8 @@ struct zfcp_adapter *zfcp_adapter_enqueu INIT_WORK(&adapter->scan_work, zfcp_fc_scan_ports); INIT_WORK(&adapter->ns_up_work, zfcp_fc_sym_name_update);
+ adapter->erp_action.adapter = adapter; + if (zfcp_qdio_setup(adapter)) goto failed;
@@ -535,6 +537,9 @@ struct zfcp_port *zfcp_port_enqueue(stru port->dev.parent = &adapter->ccw_device->dev; port->dev.release = zfcp_port_release;
+ port->erp_action.adapter = adapter; + port->erp_action.port = port; + if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) { kfree(port); goto err_out; --- a/drivers/s390/scsi/zfcp_erp.c +++ b/drivers/s390/scsi/zfcp_erp.c @@ -193,9 +193,8 @@ static struct zfcp_erp_action *zfcp_erp_ atomic_set_mask(ZFCP_STATUS_COMMON_ERP_INUSE, &zfcp_sdev->status); erp_action = &zfcp_sdev->erp_action; - memset(erp_action, 0, sizeof(struct zfcp_erp_action)); - erp_action->port = port; - erp_action->sdev = sdev; + WARN_ON_ONCE(erp_action->port != port); + WARN_ON_ONCE(erp_action->sdev != sdev); if (!(atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_RUNNING)) act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY; @@ -208,8 +207,8 @@ static struct zfcp_erp_action *zfcp_erp_ zfcp_erp_action_dismiss_port(port); atomic_set_mask(ZFCP_STATUS_COMMON_ERP_INUSE, &port->status); erp_action = &port->erp_action; - memset(erp_action, 0, sizeof(struct zfcp_erp_action)); - erp_action->port = port; + WARN_ON_ONCE(erp_action->port != port); + WARN_ON_ONCE(erp_action->sdev != NULL); if (!(atomic_read(&port->status) & ZFCP_STATUS_COMMON_RUNNING)) act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY; break; @@ -219,7 +218,8 @@ static struct zfcp_erp_action *zfcp_erp_ zfcp_erp_action_dismiss_adapter(adapter); atomic_set_mask(ZFCP_STATUS_COMMON_ERP_INUSE, &adapter->status); erp_action = &adapter->erp_action; - memset(erp_action, 0, sizeof(struct zfcp_erp_action)); + WARN_ON_ONCE(erp_action->port != NULL); + WARN_ON_ONCE(erp_action->sdev != NULL); if (!(atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_RUNNING)) act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY; @@ -229,7 +229,11 @@ static struct zfcp_erp_action *zfcp_erp_ return NULL; }
- erp_action->adapter = adapter; + WARN_ON_ONCE(erp_action->adapter != adapter); + memset(&erp_action->list, 0, sizeof(erp_action->list)); + memset(&erp_action->timer, 0, sizeof(erp_action->timer)); + erp_action->step = ZFCP_ERP_STEP_UNINITIALIZED; + erp_action->fsf_req_id = 0; erp_action->action = need; erp_action->status = act_status;
--- a/drivers/s390/scsi/zfcp_scsi.c +++ b/drivers/s390/scsi/zfcp_scsi.c @@ -136,10 +136,15 @@ static int zfcp_scsi_slave_alloc(struct struct zfcp_unit *unit; int npiv = adapter->connection_features & FSF_FEATURE_NPIV_MODE;
+ zfcp_sdev->erp_action.adapter = adapter; + zfcp_sdev->erp_action.sdev = sdev; + port = zfcp_get_port_by_wwpn(adapter, rport->port_name); if (!port) return -ENXIO;
+ zfcp_sdev->erp_action.port = port; + unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev)); if (unit) put_device(&unit->dev);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit f66665c09ab489a11ca490d6a82df57cfc1bea3e upstream.
In eCryptfs, we failed to verify that the authentication token keys are not revoked before dereferencing their payloads, which is problematic because the payload of a revoked key is NULL. request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire the key semaphore.
Fix it by updating ecryptfs_get_key_payload_data() to return -EKEYREVOKED if the key payload is NULL. For completeness we check this for "encrypted" keys as well as "user" keys, although encrypted keys cannot be revoked currently.
Alternatively we could use key_validate(), but since we'll also need to fix ecryptfs_get_key_payload_data() to validate the payload length, it seems appropriate to just check the payload pointer.
Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig") Reviewed-by: James Morris james.l.morris@oracle.com Cc: Michael Halcrow mhalcrow@google.com Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com [bwh: Backported to 3.2: user key payload is key->payload.data, not key->payload.data[0]] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/ecryptfs/ecryptfs_kernel.h +++ b/fs/ecryptfs/ecryptfs_kernel.h @@ -83,11 +83,16 @@ struct ecryptfs_page_crypt_context { static inline struct ecryptfs_auth_tok * ecryptfs_get_encrypted_key_payload_data(struct key *key) { - if (key->type == &key_type_encrypted) - return (struct ecryptfs_auth_tok *) - (&((struct encrypted_key_payload *)key->payload.data)->payload_data); - else + struct encrypted_key_payload *payload; + + if (key->type != &key_type_encrypted) return NULL; + + payload = key->payload.data; + if (!payload) + return ERR_PTR(-EKEYREVOKED); + + return (struct ecryptfs_auth_tok *)payload->payload_data; }
static inline struct key *ecryptfs_get_encrypted_key(char *sig) @@ -113,13 +118,17 @@ static inline struct ecryptfs_auth_tok * ecryptfs_get_key_payload_data(struct key *key) { struct ecryptfs_auth_tok *auth_tok; + struct user_key_payload *ukp;
auth_tok = ecryptfs_get_encrypted_key_payload_data(key); - if (!auth_tok) - return (struct ecryptfs_auth_tok *) - (((struct user_key_payload *)key->payload.data)->data); - else + if (auth_tok) return auth_tok; + + ukp = key->payload.data; + if (!ukp) + return ERR_PTR(-EKEYREVOKED); + + return (struct ecryptfs_auth_tok *)ukp->data; }
#define ECRYPTFS_MAX_KEYSET_SIZE 1024 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c @@ -458,7 +458,8 @@ out: * @auth_tok_key: key containing the authentication token * @auth_tok: authentication token * - * Returns zero on valid auth tok; -EINVAL otherwise + * Returns zero on valid auth tok; -EINVAL if the payload is invalid; or + * -EKEYREVOKED if the key was revoked before we acquired its semaphore. */ static int ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key, @@ -467,6 +468,12 @@ ecryptfs_verify_auth_tok_from_key(struct int rc = 0;
(*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key); + if (IS_ERR(*auth_tok)) { + rc = PTR_ERR(*auth_tok); + *auth_tok = NULL; + goto out; + } + if (ecryptfs_verify_version((*auth_tok)->version)) { printk(KERN_ERR "Data structure version mismatch. Userspace " "tools must match eCryptfs kernel module with major "
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Konovalov andreyknvl@google.com
commit 70e743e4cec3733dc13559f6184b35d358b9ef3f upstream.
hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no check for that, which results in a WARNING in USB core code, when a bad USB descriptor is provided from a device:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0 Modules linked in: CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event task: ffff88006bdc1a00 task.stack: ffff88006bde8000 RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448 RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282 RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000 RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90 FS: 0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0 Call Trace: hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710 uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361 hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858 usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:385 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 __device_attach+0x269/0x3c0 drivers/base/dd.c:682 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 device_add+0xcf9/0x1640 drivers/base/core.c:1703 usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 really_probe drivers/base/dd.c:385 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 __device_attach+0x269/0x3c0 drivers/base/dd.c:682 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 device_add+0xcf9/0x1640 drivers/base/core.c:1703 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 hub_port_connect drivers/usb/core/hub.c:4890 hub_port_connect_change drivers/usb/core/hub.c:4996 port_event drivers/usb/core/hub.c:5102 hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182 process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097 worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231 kthread+0x324/0x3f0 kernel/kthread.c:231 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425 Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89 e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f> ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6 ---[ end trace 55d741234124cfc3 ]---
Check that endpoint is interrupt.
Found by syzkaller.
Signed-off-by: Andrey Konovalov andreyknvl@google.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/uwb/hwa-rc.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/drivers/uwb/hwa-rc.c +++ b/drivers/uwb/hwa-rc.c @@ -813,6 +813,8 @@ static int hwarc_probe(struct usb_interf
if (iface->cur_altsetting->desc.bNumEndpoints < 1) return -ENODEV; + if (!usb_endpoint_xfer_int(&iface->cur_altsetting->endpoint[0].desc)) + return -ENODEV;
result = -ENOMEM; uwb_rc = uwb_rc_alloc();
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit 71bb99a02b32b4cc4265118e85f6035ca72923f0 upstream.
same story as cmtp
Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Marcel Holtmann marcel@holtmann.org [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/bluetooth/bnep/core.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/net/bluetooth/bnep/core.c +++ b/net/bluetooth/bnep/core.c @@ -560,6 +560,9 @@ int bnep_add_connection(struct bnep_conn
BT_DBG("");
+ if (!l2cap_is_socket(sock)) + return -EBADFD; + baswap((void *) dst, &bt_sk(sock->sk)->dst); baswap((void *) src, &bt_sk(sock->sk)->src);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 9b7d869ee5a77ed4a462372bb89af622e705bfb8 upstream.
Currently we allow unlimited number of timer instances, and it may bring the system hogging way too much CPU when too many timer instances are opened and processed concurrently. This may end up with a soft-lockup report as triggered by syzkaller, especially when hrtimer backend is deployed.
Since such insane number of instances aren't demanded by the normal use case of ALSA sequencer and it merely opens a risk only for abuse, this patch introduces the upper limit for the number of instances per timer backend. As default, it's set to 1000, but for the fine-grained timer like hrtimer, it's set to 100.
Reported-by: syzbot Tested-by: Jérôme Glisse jglisse@redhat.com Signed-off-by: Takashi Iwai tiwai@suse.de [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/sound/timer.h | 2 ++ sound/core/hrtimer.c | 1 + sound/core/timer.c | 67 +++++++++++++++++++++++++++++++++++++++++---------- 3 files changed, 57 insertions(+), 13 deletions(-)
--- a/include/sound/timer.h +++ b/include/sound/timer.h @@ -90,6 +90,8 @@ struct snd_timer { struct list_head ack_list_head; struct list_head sack_list_head; /* slow ack list head */ struct tasklet_struct task_queue; + int max_instances; /* upper limit of timer instances */ + int num_instances; /* current number of timer instances */ };
struct snd_timer_instance { --- a/sound/core/hrtimer.c +++ b/sound/core/hrtimer.c @@ -145,6 +145,7 @@ static int __init snd_hrtimer_init(void) timer->hw = hrtimer_hw; timer->hw.resolution = resolution; timer->hw.ticks = NANO_SEC / resolution; + timer->max_instances = 100; /* lower the limit */
err = snd_timer_global_register(timer); if (err < 0) { --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -179,7 +179,7 @@ static void snd_timer_request(struct snd * * call this with register_mutex down. */ -static void snd_timer_check_slave(struct snd_timer_instance *slave) +static int snd_timer_check_slave(struct snd_timer_instance *slave) { struct snd_timer *timer; struct snd_timer_instance *master; @@ -189,16 +189,21 @@ static void snd_timer_check_slave(struct list_for_each_entry(master, &timer->open_list_head, open_list) { if (slave->slave_class == master->slave_class && slave->slave_id == master->slave_id) { + if (master->timer->num_instances >= + master->timer->max_instances) + return -EBUSY; list_move_tail(&slave->open_list, &master->slave_list_head); + master->timer->num_instances++; spin_lock_irq(&slave_active_lock); slave->master = master; slave->timer = master->timer; spin_unlock_irq(&slave_active_lock); - return; + return 0; } } } + return 0; }
/* @@ -207,7 +212,7 @@ static void snd_timer_check_slave(struct * * call this with register_mutex down. */ -static void snd_timer_check_master(struct snd_timer_instance *master) +static int snd_timer_check_master(struct snd_timer_instance *master) { struct snd_timer_instance *slave, *tmp;
@@ -215,7 +220,11 @@ static void snd_timer_check_master(struc list_for_each_entry_safe(slave, tmp, &snd_timer_slave_list, open_list) { if (slave->slave_class == master->slave_class && slave->slave_id == master->slave_id) { + if (master->timer->num_instances >= + master->timer->max_instances) + return -EBUSY; list_move_tail(&slave->open_list, &master->slave_list_head); + master->timer->num_instances++; spin_lock_irq(&slave_active_lock); spin_lock(&master->timer->lock); slave->master = master; @@ -227,8 +236,11 @@ static void snd_timer_check_master(struc spin_unlock_irq(&slave_active_lock); } } + return 0; }
+static int snd_timer_close_locked(struct snd_timer_instance *timeri); + /* * open a timer instance * when opening a master, the slave id must be here given. @@ -239,6 +251,7 @@ int snd_timer_open(struct snd_timer_inst { struct snd_timer *timer; struct snd_timer_instance *timeri = NULL; + int err;
if (tid->dev_class == SNDRV_TIMER_CLASS_SLAVE) { /* open a slave instance */ @@ -257,10 +270,14 @@ int snd_timer_open(struct snd_timer_inst timeri->slave_id = tid->device; timeri->flags |= SNDRV_TIMER_IFLG_SLAVE; list_add_tail(&timeri->open_list, &snd_timer_slave_list); - snd_timer_check_slave(timeri); + err = snd_timer_check_slave(timeri); + if (err < 0) { + snd_timer_close_locked(timeri); + timeri = NULL; + } mutex_unlock(®ister_mutex); *ti = timeri; - return 0; + return err; }
/* open a master instance */ @@ -286,6 +303,10 @@ int snd_timer_open(struct snd_timer_inst return -EBUSY; } } + if (timer->num_instances >= timer->max_instances) { + mutex_unlock(®ister_mutex); + return -EBUSY; + } timeri = snd_timer_instance_new(owner, timer); if (!timeri) { mutex_unlock(®ister_mutex); @@ -307,26 +328,28 @@ int snd_timer_open(struct snd_timer_inst }
list_add_tail(&timeri->open_list, &timer->open_list_head); - snd_timer_check_master(timeri); + timer->num_instances++; + err = snd_timer_check_master(timeri); + if (err < 0) { + snd_timer_close_locked(timeri); + timeri = NULL; + } mutex_unlock(®ister_mutex); *ti = timeri; - return 0; + return err; }
static int _snd_timer_stop(struct snd_timer_instance *timeri, int event);
/* * close a timer instance + * call this with register_mutex down. */ -int snd_timer_close(struct snd_timer_instance *timeri) +static int snd_timer_close_locked(struct snd_timer_instance *timeri) { struct snd_timer *timer = NULL; struct snd_timer_instance *slave, *tmp;
- if (snd_BUG_ON(!timeri)) - return -ENXIO; - - mutex_lock(®ister_mutex); list_del(&timeri->open_list);
/* force to stop the timer */ @@ -334,6 +357,7 @@ int snd_timer_close(struct snd_timer_ins
timer = timeri->timer; if (timer) { + timer->num_instances--; /* wait, until the active callback is finished */ spin_lock_irq(&timer->lock); while (timeri->flags & SNDRV_TIMER_IFLG_CALLBACK) { @@ -349,6 +373,7 @@ int snd_timer_close(struct snd_timer_ins list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head, open_list) { list_move_tail(&slave->open_list, &snd_timer_slave_list); + timer->num_instances--; slave->master = NULL; slave->timer = NULL; list_del_init(&slave->ack_list); @@ -373,10 +398,25 @@ int snd_timer_close(struct snd_timer_ins module_put(timer->module); }
- mutex_unlock(®ister_mutex); return 0; }
+/* + * close a timer instance + */ +int snd_timer_close(struct snd_timer_instance *timeri) +{ + int err; + + if (snd_BUG_ON(!timeri)) + return -ENXIO; + + mutex_lock(®ister_mutex); + err = snd_timer_close_locked(timeri); + mutex_unlock(®ister_mutex); + return err; +} + unsigned long snd_timer_resolution(struct snd_timer_instance *timeri) { struct snd_timer * timer; @@ -841,6 +881,7 @@ int snd_timer_new(struct snd_card *card, spin_lock_init(&timer->lock); tasklet_init(&timer->task_queue, snd_timer_tasklet, (unsigned long)timer); + timer->max_instances = 1000; /* default limit per timer */ if (card != NULL) { timer->module = card->module; err = snd_device_new(card, SNDRV_DEV_TIMER, timer, &ops);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.
When the request_key() syscall is not passed a destination keyring, it links the requested key (if constructed) into the "default" request-key keyring. This should require Write permission to the keyring. However, there is actually no permission check.
This can be abused to add keys to any keyring to which only Search permission is granted. This is because Search permission allows joining the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING) then will set the default request-key keyring to the session keyring. Then, request_key() can be used to add keys to the keyring.
Both negatively and positively instantiated keys can be added using this method. Adding negative keys is trivial. Adding a positive key is a bit trickier. It requires that either /sbin/request-key positively instantiates the key, or that another thread adds the key to the process keyring at just the right time, such that request_key() misses it initially but then finds it in construct_alloc_key().
Fix this bug by checking for Write permission to the keyring in construct_get_dest_keyring() when the default keyring is being used.
We don't do the permission check for non-default keyrings because that was already done by the earlier call to lookup_user_key(). Also, request_key_and_link() is currently passed a 'struct key *' rather than a key_ref_t, so the "possessed" bit is unavailable.
We also don't do the permission check for the "requestor keyring", to continue to support the use case described by commit 8bbf4976b59f ("KEYS: Alter use of key instantiation link-to-keyring argument") where /sbin/request-key recursively calls request_key() to add keys to the original requestor's destination keyring. (I don't know of any users who actually do that, though...)
Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com [bwh: Backported to 3.2: - s/KEY_NEED_WRITE/KEY_WRITE/ - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- security/keys/request_key.c | 46 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-)
--- a/security/keys/request_key.c +++ b/security/keys/request_key.c @@ -267,11 +267,12 @@ static int construct_key(struct key *key * The keyring selected is returned with an extra reference upon it which the * caller must release. */ -static void construct_get_dest_keyring(struct key **_dest_keyring) +static int construct_get_dest_keyring(struct key **_dest_keyring) { struct request_key_auth *rka; const struct cred *cred = current_cred(); struct key *dest_keyring = *_dest_keyring, *authkey; + int ret;
kenter("%p", dest_keyring);
@@ -280,6 +281,8 @@ static void construct_get_dest_keyring(s /* the caller supplied one */ key_get(dest_keyring); } else { + bool do_perm_check = true; + /* use a default keyring; falling through the cases until we * find one that we actually have */ switch (cred->jit_keyring) { @@ -294,8 +297,10 @@ static void construct_get_dest_keyring(s dest_keyring = key_get(rka->dest_keyring); up_read(&authkey->sem); - if (dest_keyring) + if (dest_keyring) { + do_perm_check = false; break; + } }
case KEY_REQKEY_DEFL_THREAD_KEYRING: @@ -330,11 +335,29 @@ static void construct_get_dest_keyring(s default: BUG(); } + + /* + * Require Write permission on the keyring. This is essential + * because the default keyring may be the session keyring, and + * joining a keyring only requires Search permission. + * + * However, this check is skipped for the "requestor keyring" so + * that /sbin/request-key can itself use request_key() to add + * keys to the original requestor's destination keyring. + */ + if (dest_keyring && do_perm_check) { + ret = key_permission(make_key_ref(dest_keyring, 1), + KEY_WRITE); + if (ret) { + key_put(dest_keyring); + return ret; + } + } }
*_dest_keyring = dest_keyring; kleave(" [dk %d]", key_serial(dest_keyring)); - return; + return 0; }
/* @@ -449,11 +472,15 @@ static struct key *construct_key_and_lin
kenter("");
- user = key_user_lookup(current_fsuid(), current_user_ns()); - if (!user) - return ERR_PTR(-ENOMEM); + ret = construct_get_dest_keyring(&dest_keyring); + if (ret) + goto error;
- construct_get_dest_keyring(&dest_keyring); + user = key_user_lookup(current_fsuid(), current_user_ns()); + if (!user) { + ret = -ENOMEM; + goto error_put_dest_keyring; + }
ret = construct_alloc_key(type, description, dest_keyring, flags, user, &key); @@ -469,7 +496,7 @@ static struct key *construct_key_and_lin } else if (ret == -EINPROGRESS) { ret = 0; } else { - goto couldnt_alloc_key; + goto error_put_dest_keyring; }
key_put(dest_keyring); @@ -479,8 +506,9 @@ static struct key *construct_key_and_lin construction_failed: key_negate_and_link(key, key_negative_timeout, NULL, NULL); key_put(key); -couldnt_alloc_key: +error_put_dest_keyring: key_put(dest_keyring); +error: kleave(" = %d", ret); return ERR_PTR(ret); }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 44d8143340a99b167c74365e844516b73523c087 upstream.
In request_key_auth_new(), if key_alloc() or key_instantiate_and_link() were to fail, we would leak a reference to the 'struct cred'. Currently this can only happen if key_alloc() fails to allocate memory. But it still should be fixed, as it is a more severe bug waiting to happen.
Fix it by cleaning things up to use a helper function which frees a 'struct request_key_auth' correctly.
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- security/keys/request_key_auth.c | 68 ++++++++++++++++++---------------------- 1 file changed, 31 insertions(+), 37 deletions(-)
--- a/security/keys/request_key_auth.c +++ b/security/keys/request_key_auth.c @@ -106,6 +106,18 @@ static void request_key_auth_revoke(stru } }
+static void free_request_key_auth(struct request_key_auth *rka) +{ + if (!rka) + return; + key_put(rka->target_key); + key_put(rka->dest_keyring); + if (rka->cred) + put_cred(rka->cred); + kfree(rka->callout_info); + kfree(rka); +} + /* * Destroy an instantiation authorisation token key. */ @@ -115,15 +127,7 @@ static void request_key_auth_destroy(str
kenter("{%d}", key->serial);
- if (rka->cred) { - put_cred(rka->cred); - rka->cred = NULL; - } - - key_put(rka->target_key); - key_put(rka->dest_keyring); - kfree(rka->callout_info); - kfree(rka); + free_request_key_auth(rka); }
/* @@ -137,22 +141,17 @@ struct key *request_key_auth_new(struct const struct cred *cred = current->cred; struct key *authkey = NULL; char desc[20]; - int ret; + int ret = -ENOMEM;
kenter("%d,", target->serial);
/* allocate a auth record */ - rka = kmalloc(sizeof(*rka), GFP_KERNEL); - if (!rka) { - kleave(" = -ENOMEM"); - return ERR_PTR(-ENOMEM); - } + rka = kzalloc(sizeof(*rka), GFP_KERNEL); + if (!rka) + goto error; rka->callout_info = kmalloc(callout_len, GFP_KERNEL); - if (!rka->callout_info) { - kleave(" = -ENOMEM"); - kfree(rka); - return ERR_PTR(-ENOMEM); - } + if (!rka->callout_info) + goto error_free_rka;
/* see if the calling process is already servicing the key request of * another process */ @@ -162,8 +161,12 @@ struct key *request_key_auth_new(struct
/* if the auth key has been revoked, then the key we're * servicing is already instantiated */ - if (test_bit(KEY_FLAG_REVOKED, &cred->request_key_auth->flags)) - goto auth_key_revoked; + if (test_bit(KEY_FLAG_REVOKED, + &cred->request_key_auth->flags)) { + up_read(&cred->request_key_auth->sem); + ret = -EKEYREVOKED; + goto error_free_rka; + }
irka = cred->request_key_auth->payload.data; rka->cred = get_cred(irka->cred); @@ -191,32 +194,23 @@ struct key *request_key_auth_new(struct KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA); if (IS_ERR(authkey)) { ret = PTR_ERR(authkey); - goto error_alloc; + goto error_free_rka; }
/* construct the auth key */ ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL); if (ret < 0) - goto error_inst; + goto error_put_authkey;
kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage)); return authkey;
-auth_key_revoked: - up_read(&cred->request_key_auth->sem); - kfree(rka->callout_info); - kfree(rka); - kleave("= -EKEYREVOKED"); - return ERR_PTR(-EKEYREVOKED); - -error_inst: +error_put_authkey: key_revoke(authkey); key_put(authkey); -error_alloc: - key_put(rka->target_key); - key_put(rka->dest_keyring); - kfree(rka->callout_info); - kfree(rka); +error_free_rka: + free_request_key_auth(rka); +error: kleave("= %d", ret); return ERR_PTR(ret); }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 5803b023881857db32ffefa0d269c90280a67ee0 upstream.
The event handler in the virmidi sequencer code takes a read-lock for the linked list traverse, while it's calling snd_seq_dump_var_event() in the loop. The latter function may expand the user-space data depending on the event type. It eventually invokes copy_from_user(), which might be a potential dead-lock.
The sequencer core guarantees that the user-space data is passed only with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it and always takes read-lock(). For avoiding the problem above, this patch introduces rwsem for non-atomic case, while keeping rwlock for atomic case.
Also while we're at it: the superfluous irq flags is dropped in snd_virmidi_input_open().
Reported-by: Jia-Ju Bai baijiaju1990@163.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/sound/seq_virmidi.h | 1 + sound/core/seq/seq_virmidi.c | 27 +++++++++++++++++++-------- 2 files changed, 20 insertions(+), 8 deletions(-)
--- a/include/sound/seq_virmidi.h +++ b/include/sound/seq_virmidi.h @@ -60,6 +60,7 @@ struct snd_virmidi_dev { int port; /* created/attached port */ unsigned int flags; /* SNDRV_VIRMIDI_* */ rwlock_t filelist_lock; + struct rw_semaphore filelist_sem; struct list_head filelist; };
--- a/sound/core/seq/seq_virmidi.c +++ b/sound/core/seq/seq_virmidi.c @@ -77,13 +77,17 @@ static void snd_virmidi_init_event(struc * decode input event and put to read buffer of each opened file */ static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev, - struct snd_seq_event *ev) + struct snd_seq_event *ev, + bool atomic) { struct snd_virmidi *vmidi; unsigned char msg[4]; int len;
- read_lock(&rdev->filelist_lock); + if (atomic) + read_lock(&rdev->filelist_lock); + else + down_read(&rdev->filelist_sem); list_for_each_entry(vmidi, &rdev->filelist, list) { if (!vmidi->trigger) continue; @@ -97,7 +101,10 @@ static int snd_virmidi_dev_receive_event snd_rawmidi_receive(vmidi->substream, msg, len); } } - read_unlock(&rdev->filelist_lock); + if (atomic) + read_unlock(&rdev->filelist_lock); + else + up_read(&rdev->filelist_sem);
return 0; } @@ -115,7 +122,7 @@ int snd_virmidi_receive(struct snd_rawmi struct snd_virmidi_dev *rdev;
rdev = rmidi->private_data; - return snd_virmidi_dev_receive_event(rdev, ev); + return snd_virmidi_dev_receive_event(rdev, ev, true); } #endif /* 0 */
@@ -130,7 +137,7 @@ static int snd_virmidi_event_input(struc rdev = private_data; if (!(rdev->flags & SNDRV_VIRMIDI_USE)) return 0; /* ignored */ - return snd_virmidi_dev_receive_event(rdev, ev); + return snd_virmidi_dev_receive_event(rdev, ev, atomic); }
/* @@ -209,7 +216,6 @@ static int snd_virmidi_input_open(struct struct snd_virmidi_dev *rdev = substream->rmidi->private_data; struct snd_rawmidi_runtime *runtime = substream->runtime; struct snd_virmidi *vmidi; - unsigned long flags;
vmidi = kzalloc(sizeof(*vmidi), GFP_KERNEL); if (vmidi == NULL) @@ -223,9 +229,11 @@ static int snd_virmidi_input_open(struct vmidi->client = rdev->client; vmidi->port = rdev->port; runtime->private_data = vmidi; - write_lock_irqsave(&rdev->filelist_lock, flags); + down_write(&rdev->filelist_sem); + write_lock_irq(&rdev->filelist_lock); list_add_tail(&vmidi->list, &rdev->filelist); - write_unlock_irqrestore(&rdev->filelist_lock, flags); + write_unlock_irq(&rdev->filelist_lock); + up_write(&rdev->filelist_sem); vmidi->rdev = rdev; return 0; } @@ -264,9 +272,11 @@ static int snd_virmidi_input_close(struc struct snd_virmidi_dev *rdev = substream->rmidi->private_data; struct snd_virmidi *vmidi = substream->runtime->private_data;
+ down_write(&rdev->filelist_sem); write_lock_irq(&rdev->filelist_lock); list_del(&vmidi->list); write_unlock_irq(&rdev->filelist_lock); + up_write(&rdev->filelist_sem); snd_midi_event_free(vmidi->parser); substream->runtime->private_data = NULL; kfree(vmidi); @@ -520,6 +530,7 @@ int snd_virmidi_new(struct snd_card *car rdev->rmidi = rmidi; rdev->device = device; rdev->client = -1; + init_rwsem(&rdev->filelist_sem); rwlock_init(&rdev->filelist_lock); INIT_LIST_HEAD(&rdev->filelist); rdev->seq_mode = SNDRV_VIRMIDI_SEQ_DISPATCH;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern stern@rowland.harvard.edu
commit 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 upstream.
A recent change to the synchronization in dummy-hcd was incorrect. The issue was that dummy_udc_stop() contained no locking and therefore could race with various gadget driver callbacks, and the fix was to add locking and issue the callbacks with the private spinlock held.
UDC drivers aren't supposed to do this. Gadget driver callback routines are allowed to invoke functions in the UDC driver, and these functions will generally try to acquire the private spinlock. This would deadlock the driver.
The correct solution is to drop the spinlock before issuing callbacks, and avoid races by emulating the synchronize_irq() call that all real UDC drivers must perform in their ->udc_stop() routines after disabling interrupts. This involves adding a flag to dummy-hcd's private structure to keep track of whether interrupts are supposed to be enabled, and adding a counter to keep track of ongoing callbacks so that dummy_udc_stop() can wait for them all to finish.
A real UDC driver won't receive disconnect, reset, suspend, resume, or setup events once it has disabled interrupts. dummy-hcd will receive them but won't try to issue any gadget driver callbacks, which should be just as good.
Signed-off-by: Alan Stern stern@rowland.harvard.edu Fixes: f16443a034c7 ("USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks") Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/gadget/dummy_hcd.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/dummy_hcd.c +++ b/drivers/usb/gadget/dummy_hcd.c @@ -182,11 +182,13 @@ struct dummy { */ struct dummy_ep ep [DUMMY_ENDPOINTS]; int address; + int callback_usage; struct usb_gadget gadget; struct usb_gadget_driver *driver; struct dummy_request fifo_req; u8 fifo_buf [FIFO_SIZE]; u16 devstatus; + unsigned ints_enabled:1; unsigned udc_suspended:1; unsigned pullup:1;
@@ -372,15 +374,24 @@ static void set_link_state(struct dummy_ */ if ((dum_hcd->old_status & USB_PORT_STAT_CONNECTION) != 0 && (dum_hcd->old_status & USB_PORT_STAT_RESET) == 0 && - dum->driver) { + dum->ints_enabled) { stop_activity(dum); + ++dum->callback_usage; + spin_unlock(&dum->lock); dum->driver->disconnect(&dum->gadget); + spin_lock(&dum->lock); + --dum->callback_usage; } - } else if (dum_hcd->active != dum_hcd->old_active) { + } else if (dum_hcd->active != dum_hcd->old_active && + dum->ints_enabled) { + ++dum->callback_usage; + spin_unlock(&dum->lock); if (dum_hcd->old_active && dum->driver->suspend) dum->driver->suspend(&dum->gadget); else if (!dum_hcd->old_active && dum->driver->resume) dum->driver->resume(&dum->gadget); + spin_lock(&dum->lock); + --dum->callback_usage; }
dum_hcd->old_status = dum_hcd->port_status; @@ -901,9 +912,12 @@ static int dummy_udc_start(struct usb_ga * can't enumerate without help from the driver we're binding. */
+ spin_lock_irq(&dum->lock); dum->devstatus = 0;
dum->driver = driver; + dum->ints_enabled = 1; + spin_unlock_irq(&dum->lock); dev_dbg (udc_dev(dum), "binding gadget driver '%s'\n", driver->driver.name); return 0; @@ -919,6 +933,16 @@ static int dummy_udc_stop(struct usb_gad driver->driver.name);
spin_lock_irq(&dum->lock); + dum->ints_enabled = 0; + stop_activity(dum); + + /* emulate synchronize_irq(): wait for callbacks to finish */ + while (dum->callback_usage > 0) { + spin_unlock_irq(&dum->lock); + usleep_range(1000, 2000); + spin_lock_irq(&dum->lock); + } + dum->driver = NULL; spin_unlock_irq(&dum->lock);
@@ -1301,6 +1325,8 @@ static struct dummy_ep *find_endpoint (s if (!is_active((dum->gadget.speed == USB_SPEED_SUPER ? dum->ss_hcd : dum->hs_hcd))) return NULL; + if (!dum->ints_enabled) + return NULL; if ((address & ~USB_DIR_IN) == 0) return &dum->ep [0]; for (i = 1; i < DUMMY_ENDPOINTS; i++) { @@ -1642,10 +1668,12 @@ restart: * until setup() returns; no reentrancy issues etc. */ if (value > 0) { + ++dum->callback_usage; spin_unlock (&dum->lock); value = dum->driver->setup (&dum->gadget, &setup); spin_lock (&dum->lock); + --dum->callback_usage;
if (value >= 0) { /* no delays (max 64KB data stage) */
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mohamed Ghannam simo.ghannam@gmail.com
commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 upstream.
Whenever the sock object is in DCCP_CLOSED state, dccp_disconnect() must free dccps_hc_tx_ccid and dccps_hc_rx_ccid and set to NULL.
Signed-off-by: Mohamed Ghannam simo.ghannam@gmail.com Reviewed-by: Eric Dumazet edumazet@google.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/dccp/proto.c | 5 +++++ 1 file changed, 5 insertions(+)
--- a/net/dccp/proto.c +++ b/net/dccp/proto.c @@ -252,6 +252,7 @@ int dccp_disconnect(struct sock *sk, int { struct inet_connection_sock *icsk = inet_csk(sk); struct inet_sock *inet = inet_sk(sk); + struct dccp_sock *dp = dccp_sk(sk); int err = 0; const int old_state = sk->sk_state;
@@ -271,6 +272,10 @@ int dccp_disconnect(struct sock *sk, int sk->sk_err = ECONNRESET;
dccp_clear_xmit_timers(sk); + ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); + ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); + dp->dccps_hc_rx_ccid = NULL; + dp->dccps_hc_tx_ccid = NULL;
__skb_queue_purge(&sk->sk_receive_queue); __skb_queue_purge(&sk->sk_write_queue);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn willemb@google.com
commit da7c9561015e93d10fe6aab73e9288e0d09d65a6 upstream.
Packet socket option po->has_vnet_hdr can be updated concurrently with other operations if no ring is attached.
Do not test the option twice in packet_snd, as the value may change in between calls. A race on setsockopt disable may cause a packet > mtu to be sent without having GSO options set.
Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.") Signed-off-by: Willem de Bruijn willemb@google.com Reviewed-by: Eric Dumazet edumazet@google.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/packet/af_packet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2231,6 +2231,7 @@ static int packet_snd(struct socket *soc int offset = 0; int vnet_hdr_len; struct packet_sock *po = pkt_sk(sk); + bool has_vnet_hdr = false; unsigned short gso_type = 0;
/* @@ -2263,6 +2264,7 @@ static int packet_snd(struct socket *soc reserve = dev->hard_header_len; if (po->has_vnet_hdr) { vnet_hdr_len = sizeof(vnet_hdr); + has_vnet_hdr = true;
err = -EINVAL; if (len < vnet_hdr_len) @@ -2354,7 +2356,7 @@ static int packet_snd(struct socket *soc skb->priority = sk->sk_priority; skb->mark = sk->sk_mark;
- if (po->has_vnet_hdr) { + if (has_vnet_hdr) { if (vnet_hdr.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) { if (!skb_partial_csum_set(skb, vnet_hdr.csum_start, vnet_hdr.csum_offset)) {
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dichtel nicolas.dichtel@6wind.com
commit 2459b4c635858094df78abb9ca87d99f89fe8ca5 upstream.
IFLA_IFALIAS is defined as NLA_STRING. It means that the minimal length of the attribute is 1 ("\0"). However, to remove an alias, the attribute length must be 0 (see dev_set_alias()).
Let's define the type to NLA_BINARY to allow 0-length string, so that the alias can be removed.
Example: $ ip l s dummy0 alias foo $ ip l l dev dummy0 5: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether ae:20:30:4f:a7:f3 brd ff:ff:ff:ff:ff:ff alias foo
Before the patch: $ ip l s dummy0 alias "" RTNETLINK answers: Numerical result out of range
After the patch: $ ip l s dummy0 alias "" $ ip l l dev dummy0 5: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether ae:20:30:4f:a7:f3 brd ff:ff:ff:ff:ff:ff
CC: Oliver Hartkopp oliver@hartkopp.net CC: Stephen Hemminger stephen@networkplumber.org Fixes: 96ca4a2cc145 ("net: remove ifalias on empty given alias") Reported-by: Julien FLoret julien.floret@6wind.com Signed-off-by: Nicolas Dichtel nicolas.dichtel@6wind.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/core/rtnetlink.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1137,7 +1137,10 @@ const struct nla_policy ifla_policy[IFLA [IFLA_LINKINFO] = { .type = NLA_NESTED }, [IFLA_NET_NS_PID] = { .type = NLA_U32 }, [IFLA_NET_NS_FD] = { .type = NLA_U32 }, - [IFLA_IFALIAS] = { .type = NLA_STRING, .len = IFALIASZ-1 }, + /* IFLA_IFALIAS is a string, but policy is set to NLA_BINARY to + * allow 0-length string (needed to remove an alias). + */ + [IFLA_IFALIAS] = { .type = NLA_BINARY, .len = IFALIASZ - 1 }, [IFLA_VFINFO_LIST] = {. type = NLA_NESTED }, [IFLA_VF_PORTS] = { .type = NLA_NESTED }, [IFLA_PORT_SELF] = { .type = NLA_NESTED },
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 13923d0865ca96312197962522e88bc0aedccd74 upstream.
A key of type "encrypted" references a "master key" which is used to encrypt and decrypt the encrypted key's payload. However, when we accessed the master key's payload, we failed to handle the case where the master key has been revoked, which sets the payload pointer to NULL. Note that request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire its semaphore.
Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested.
This was an issue for master keys of type "user" only. Master keys can also be of type "trusted", but those cannot be revoked.
Fixes: 7e70cb497850 ("keys: add new key-type encrypted") Reviewed-by: James Morris james.l.morris@oracle.com Cc: Mimi Zohar zohar@linux.vnet.ibm.com Cc: David Safford safford@us.ibm.com Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- security/keys/encrypted-keys/encrypted.c | 7 +++++++ 1 file changed, 7 insertions(+)
--- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -315,6 +315,13 @@ static struct key *request_user_key(cons
down_read(&ukey->sem); upayload = rcu_dereference(ukey->payload.data); + if (!upayload) { + /* key was revoked before we acquired its semaphore */ + up_read(&ukey->sem); + key_put(ukey); + ukey = ERR_PTR(-EKEYREVOKED); + goto error; + } *master_key = upayload->data; *master_keylen = upayload->datalen; error:
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter dan.carpenter@oracle.com
commit 637f23abca87d26e091e0d6647ec878d97d2c6cd upstream.
My static checker correctly complains that we should have a lower bound on "node" to prevent an array underflow.
Fixes: 867e359b97c9 ("arch/tile: core support for Tilera 32-bit chips.") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Chris Metcalf cmetcalf@mellanox.com [bwh: Backported to 3.2: keep maxnodemem_mb as long] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/tile/kernel/setup.c +++ b/arch/tile/kernel/setup.c @@ -119,7 +119,8 @@ early_param("maxmem", setup_maxmem); static int __init setup_maxnodemem(char *str) { char *endp; - long maxnodemem_mb, node; + long maxnodemem_mb; + unsigned long node;
node = str ? simple_strtoul(str, &endp, 0) : INT_MAX; if (node >= MAX_NUMNODES || *endp != ':' ||
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu herbert@gondor.apana.org.au
commit b61907bb42409adf9b3120f741af7c57dd7e3db2 upstream.
The shash ahash digest adaptor function may crash if given a zero-length input together with a null SG list. This is because it tries to read the SG list before looking at the length.
This patch fixes it by checking the length first.
Reported-by: Stephan Müllersmueller@chronox.de Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Tested-by: Stephan Müller smueller@chronox.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- crypto/shash.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
--- a/crypto/shash.c +++ b/crypto/shash.c @@ -273,12 +273,14 @@ static int shash_async_finup(struct ahas
int shash_ahash_digest(struct ahash_request *req, struct shash_desc *desc) { - struct scatterlist *sg = req->src; - unsigned int offset = sg->offset; unsigned int nbytes = req->nbytes; + struct scatterlist *sg; + unsigned int offset; int err;
- if (nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset)) { + if (nbytes && + (sg = req->src, offset = sg->offset, + nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset))) { void *data;
data = crypto_kmap(sg_page(sg), 0);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern stern@rowland.harvard.edu
commit 113f6eb6d50cfa5e2a1cdcf1678b12661fa272ab upstream.
Kris Lindgren reports that without the NO_WP_DETECT flag, his Seagate external disk drive fails all write accesses. This regresssion dates back approximately to the start of the 4.x kernel releases.
Signed-off-by: Alan Stern stern@rowland.harvard.edu Reported-by: Kris Lindgren kris.lindgren@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/storage/unusual_devs.h | 7 +++++++ 1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -1346,6 +1346,13 @@ UNUSUAL_DEV( 0x0bc2, 0x3010, 0x0000, 0x0 USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_SANE_SENSE ),
+/* Reported by Kris Lindgren kris.lindgren@gmail.com */ +UNUSUAL_DEV( 0x0bc2, 0x3332, 0x0000, 0x9999, + "Seagate", + "External", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NO_WP_DETECT ), + UNUSUAL_DEV( 0x0d49, 0x7310, 0x0000, 0x9999, "Maxtor", "USB to SATA",
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com
commit 6124607acc88fffeaadf3aacfeb3cc1304c87387 upstream.
This patch fixes an issue that the driver sets the BCLR bit of {C,Dn}FIFOCTR register to 1 even when it's non-DCP pipe and the FRDY bit of {C,Dn}FIFOCTR register is set to 1.
Fixes: e8d548d54968 ("usb: renesas_usbhs: fifo became independent from pipe.") Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/renesas_usbhs/fifo.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/usb/renesas_usbhs/fifo.c +++ b/drivers/usb/renesas_usbhs/fifo.c @@ -261,11 +261,17 @@ static void usbhsf_fifo_clear(struct usb struct usbhs_fifo *fifo) { struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); + int ret = 0;
if (!usbhs_pipe_is_dcp(pipe)) - usbhsf_fifo_barrier(priv, fifo); + ret = usbhsf_fifo_barrier(priv, fifo);
- usbhs_write(priv, fifo->ctr, BCLR); + /* + * if non-DCP pipe, this driver should set BCLR when + * usbhsf_fifo_barrier() returns 0. + */ + if (!ret) + usbhs_write(priv, fifo->ctr, BCLR); }
static int usbhsf_fifo_rcv_len(struct usbhs_priv *priv,
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Henryk Heisig hyniu@o2.pl
commit 837ddc4793a69b256ac5e781a5e729b448a8d983 upstream.
This commit adds support for TP-Link LTE mPCIe module is used in in TP-Link MR200v1, MR6400v1 and v2 routers.
Signed-off-by: Henryk Heisig hyniu@o2.pl Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/option.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -508,6 +508,7 @@ static void option_instat_callback(struc
/* TP-LINK Incorporated products */ #define TPLINK_VENDOR_ID 0x2357 +#define TPLINK_PRODUCT_LTE 0x000D #define TPLINK_PRODUCT_MA180 0x0201
/* Changhong products */ @@ -1959,6 +1960,7 @@ static const struct usb_device_id option { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) }, { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) }, { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) }, + { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) }, /* TP-Link LTE Module */ { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180), .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, { USB_DEVICE(TPLINK_VENDOR_ID, 0x9000), /* TP-Link MA260 */
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 7682e399485fe19622b6fd82510b1f4551e48a25 upstream.
The usx2y driver allocates the stream read/write buffers in continuous pages depending on the stream setup, and this may spew the kernel warning messages with a stack trace like: WARNING: CPU: 1 PID: 1846 at mm/page_alloc.c:3883 __alloc_pages_slowpath+0x1ef2/0x2d70 Modules linked in: CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted ....
It may confuse user as if it were any serious error, although this is no fatal error and the driver handles the error case gracefully. Since the driver has already some sanity check of the given size (128 and 256 pages), it can't pass any crazy value. So it's merely page fragmentation.
This patch adds __GFP_NOWARN to each caller for suppressing such kernel warnings. The original issue was spotted by syzkaller.
Reported-by: Andrey Konovalov andreyknvl@google.com Tested-by: Andrey Konovalov andreyknvl@google.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/usb/usx2y/usb_stream.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/sound/usb/usx2y/usb_stream.c +++ b/sound/usb/usx2y/usb_stream.c @@ -192,7 +192,8 @@ struct usb_stream *usb_stream_new(struct }
pg = get_order(read_size); - sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg); + sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO| + __GFP_NOWARN, pg); if (!sk->s) { snd_printk(KERN_WARNING "couldn't __get_free_pages()\n"); goto out; @@ -212,7 +213,8 @@ struct usb_stream *usb_stream_new(struct pg = get_order(write_size);
sk->write_page = - (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg); + (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO| + __GFP_NOWARN, pg); if (!sk->write_page) { snd_printk(KERN_WARNING "couldn't __get_free_pages()\n"); usb_stream_free(sk);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov bp@suse.de
commit a743bbeef27b9176987ec0cb7f906ab0ab52d1da upstream.
The warning below says it all:
BUG: using __this_cpu_read() in preemptible [00000000] code: swapper/0/1 caller is __this_cpu_preempt_check CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.0-rc8 #4 Call Trace: dump_stack check_preemption_disabled ? do_early_param __this_cpu_preempt_check arch_perfmon_init op_nmi_init ? alloc_pci_root_info oprofile_arch_init oprofile_init do_one_initcall ...
These accessors should not have been used in the first place: it is PPro so no mixed silicon revisions and thus it can simply use boot_cpu_data.
Reported-by: Fengguang Wu fengguang.wu@intel.com Tested-by: Fengguang Wu fengguang.wu@intel.com Fix-creation-mandated-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Borislav Petkov bp@suse.de Signed-off-by: Thomas Gleixner tglx@linutronix.de Cc: Robert Richter rric@kernel.org Cc: x86@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/oprofile/op_model_ppro.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/oprofile/op_model_ppro.c +++ b/arch/x86/oprofile/op_model_ppro.c @@ -212,8 +212,8 @@ static void arch_perfmon_setup_counters( eax.full = cpuid_eax(0xa);
/* Workaround for BIOS bugs in 6/15. Taken from perfmon2 */ - if (eax.split.version_id == 0 && __this_cpu_read(cpu_info.x86) == 6 && - __this_cpu_read(cpu_info.x86_model) == 15) { + if (eax.split.version_id == 0 && boot_cpu_data.x86 == 6 && + boot_cpu_data.x86_model == 15) { eax.split.version_id = 2; eax.split.num_counters = 2; eax.split.bit_width = 40;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jeffrey Chu jeffrey.chu@cypress.com
commit a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 upstream.
Add CYPRESS_VID vid and CYPRESS_WICED_BT_USB and CYPRESS_WICED_WL_USB device IDs to ftdi_sio driver.
Signed-off-by: Jeffrey Chu jeffrey.chu@cypress.com Signed-off-by: Johan Hovold johan@kernel.org [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/ftdi_sio.c | 2 ++ drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++ 2 files changed, 9 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -1035,6 +1035,8 @@ static struct usb_device_id id_table_com { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) }, { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID), .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) }, + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) }, { }, /* Optional parameter entry */ { } /* Terminating entry */ }; --- a/drivers/usb/serial/ftdi_sio_ids.h +++ b/drivers/usb/serial/ftdi_sio_ids.h @@ -610,6 +610,13 @@ #define ADI_GNICEPLUS_PID 0xF001
/* + * Cypress WICED USB UART + */ +#define CYPRESS_VID 0x04B4 +#define CYPRESS_WICED_BT_USB_PID 0x009B +#define CYPRESS_WICED_WL_USB_PID 0xF900 + +/* * Microchip Technology, Inc. * * MICROCHIP_VID (0x04D8) and MICROCHIP_USB_BOARD_PID (0x000A) are
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Joerg Roedel jroedel@suse.de
commit ce76353f169a6471542d999baf3d29b121dce9c0 upstream.
The function only sends the flush command to the IOMMU(s), but does not wait for its completion when it returns. Fix that.
Fixes: 601367d76bd1 ('x86/amd-iommu: Remove iommu_flush_domain function') Signed-off-by: Joerg Roedel jroedel@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/iommu/amd_iommu.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/iommu/amd_iommu.c +++ b/drivers/iommu/amd_iommu.c @@ -2772,6 +2772,7 @@ static int amd_iommu_unmap(struct iommu_ mutex_unlock(&domain->api_lock);
domain_flush_tlb_pde(domain); + domain_flush_complete(domain);
return get_order(unmap_size); }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Brivio sbrivio@redhat.com
commit 5c756065e47dc3e84b00577bd109f0a8e69903d7 upstream.
Internal error codes happen to be positive, thus the PCI driver core won't treat them as failure, but we do. This would cause a crash later on as lpfc_pci_remove_one() is called (e.g. as shutdown function).
Fixes: 6d368e532168 ("[SCSI] lpfc 8.3.24: Add resource extent support") Signed-off-by: Stefano Brivio sbrivio@redhat.com Reviewed-by: Johannes Thumshirn jthumshirn@suse.de Acked-by: Dick Kennedy dick.kennedy@broadcom.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com [bwh: Backported to 3.2: adjust context, indentation] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/scsi/lpfc/lpfc_init.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/scsi/lpfc/lpfc_init.c +++ b/drivers/scsi/lpfc/lpfc_init.c @@ -4490,6 +4490,7 @@ lpfc_sli4_driver_resource_setup(struct l lpfc_printf_log(phba, KERN_ERR, LOG_INIT, "2999 Unsupported SLI4 Parameters " "Extents and RPI headers enabled.\n"); + rc = -EIO; goto out_free_bsmbx; } }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Herrmann dh.herrmann@gmail.com
commit b3916db32c4a3124eee9f3742a2f4723731d7602 upstream.
We need to verify that the given sockets actually are l2cap sockets. If they aren't, we are not supposed to access bt_sk(sock) and we shouldn't start the session if the offsets turn out to be valid local BT addresses.
That is, if someone passes a TCP socket to HIDCONNADD, then we access some random offset in the TCP socket (which isn't even guaranteed to be valid).
Fix this by checking that the socket is an l2cap socket.
Signed-off-by: David Herrmann dh.herrmann@gmail.com Acked-by: Marcel Holtmann marcel@holtmann.org Signed-off-by: Gustavo Padovan gustavo.padovan@collabora.co.uk Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/net/bluetooth/l2cap.h | 1 + net/bluetooth/hidp/core.c | 2 ++ net/bluetooth/l2cap_sock.c | 6 ++++++ 3 files changed, 9 insertions(+)
--- a/include/net/bluetooth/l2cap.h +++ b/include/net/bluetooth/l2cap.h @@ -496,6 +496,7 @@ extern int disable_ertm;
int l2cap_init_sockets(void); void l2cap_cleanup_sockets(void); +bool l2cap_is_socket(struct socket *sock);
void __l2cap_connect_rsp_defer(struct l2cap_chan *chan); int __l2cap_wait_ack(struct sock *sk); --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -972,6 +972,8 @@ int hidp_add_connection(struct hidp_conn
BT_DBG("");
+ if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock)) + return -EINVAL; if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) || bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst)) return -ENOTUNIQ; --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -38,6 +38,12 @@ static const struct proto_ops l2cap_sock static void l2cap_sock_init(struct sock *sk, struct sock *parent); static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio);
+bool l2cap_is_socket(struct socket *sock) +{ + return sock && sock->ops == &l2cap_sock_ops; +} +EXPORT_SYMBOL(l2cap_is_socket); + static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) { struct sock *sk = sock->sk;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 3510c7aa069aa83a2de6dab2b41401a198317bdc upstream.
The recent fix for adding rwsem nesting annotation was using the given "hop" argument as the lock subclass key. Although the idea itself works, it may trigger a kernel warning like: BUG: looking up invalid subclass: 8 .... since the lockdep has a smaller number of subclasses (8) than we currently allow for the hops there (10).
The current definition is merely a sanity check for avoiding the too deep delivery paths, and the 8 hops are already enough. So, as a quick fix, just follow the max hops as same as the max lockdep subclasses.
Fixes: 1f20f9ff57ca ("ALSA: seq: Fix nested rwsem annotation for lockdep splat") Reported-by: syzbot syzkaller@googlegroups.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/sound/seq_kernel.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/include/sound/seq_kernel.h +++ b/include/sound/seq_kernel.h @@ -55,7 +55,8 @@ typedef union snd_seq_timestamp snd_seq_ #define SNDRV_SEQ_DEFAULT_CLIENT_EVENTS 200
/* max delivery path length */ -#define SNDRV_SEQ_MAX_HOPS 10 +/* NOTE: this shouldn't be greater than MAX_LOCKDEP_SUBCLASSES */ +#define SNDRV_SEQ_MAX_HOPS 8
/* max size of event size */ #define SNDRV_SEQ_MAX_EVENT_LEN 0x3fffffff
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Haozhong Zhang haozhong.zhang@intel.com
commit 8eb3f87d903168bdbd1222776a6b1e281f50513e upstream.
When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the guest CR4. Before this CR4 loading, the guest CR4 refers to L2 CR4. Because these two CR4's are in different levels of guest, we should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which is used to handle guest writes to its CR4, checks the guest change to CR4 and may fail if the change is invalid.
The failure may cause trouble. Consider we start a L1 guest with non-zero L1 PCID in use, (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0) and a L2 guest with L2 PCID disabled, (i.e. L2 CR4.PCIDE == 0) and following events may happen:
1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4 into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e. vcpu->arch.cr4) is left to the value of L2 CR4.
2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit, kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID, because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1 CR3.PCID != 0, L0 KVM will inject GP to L1 guest.
Fixes: 4704d0befb072 ("KVM: nVMX: Exiting from L2 to L1") Cc: qemu-stable@nongnu.org Signed-off-by: Haozhong Zhang haozhong.zhang@intel.com Signed-off-by: Paolo Bonzini pbonzini@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/kvm/vmx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -7055,7 +7055,7 @@ void load_vmcs12_host_state(struct kvm_v * (KVM doesn't change it)- no reason to call set_cr4_guest_host_mask(); */ vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK); - kvm_set_cr4(vcpu, vmcs12->host_cr4); + vmx_set_cr4(vcpu, vmcs12->host_cr4);
/* shadow page tables on either EPT or shadow page tables */ kvm_set_cr3(vcpu, vmcs12->host_cr3);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Khlebnikov k.khlebnikov@samsung.com
commit da1b63566c469bf3e2b24182114422e16b1aa34c upstream.
Values of extended attributes are stored as binary blobs. NULL-termination of them isn't required. It just wastes disk space and confuses command-line tools like getfattr because they have to print that zero byte at the end.
This patch removes terminating zero byte from initial security label in smack_inode_init_security and cuts it out in function smack_inode_getsecurity which is used by syscall getxattr. This change seems completely safe, because function smk_parse_smack ignores everything after first zero byte.
Signed-off-by: Konstantin Khlebnikov k.khlebnikov@samsung.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- security/smack/smack_lsm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -583,7 +583,7 @@ static int smack_inode_init_security(str }
if (len) - *len = strlen(isp) + 1; + *len = strlen(isp);
return 0; } @@ -958,7 +958,7 @@ static int smack_inode_getsecurity(const
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { isp = smk_of_inode(inode); - ilen = strlen(isp) + 1; + ilen = strlen(isp); *buffer = isp; return ilen; } @@ -983,7 +983,7 @@ static int smack_inode_getsecurity(const else return -EOPNOTSUPP;
- ilen = strlen(isp) + 1; + ilen = strlen(isp); if (rc == 0) { *buffer = isp; rc = ilen;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 884bee0215fcc239b30c062c37ca29077005e064 upstream.
In keyctl_assume_authority(), if keyctl_change_reqkey_auth() were to fail, we would leak the reference to the 'authkey'. Currently this can only happen if prepare_creds() fails to allocate memory. But it still should be fixed, as it is a more severe bug waiting to happen.
This patch also moves the read of 'authkey->serial' to before the reference to the authkey is dropped. Doing the read after dropping the reference is very fragile because it assumes we still hold another reference to the key. (Which we do, in current->cred->request_key_auth, but there's no reason not to write it in the "obviously correct" way.)
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- security/keys/keyctl.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)
--- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1345,11 +1345,9 @@ long keyctl_assume_authority(key_serial_ }
ret = keyctl_change_reqkey_auth(authkey); - if (ret < 0) - goto error; + if (ret == 0) + ret = authkey->serial; key_put(authkey); - - ret = authkey->serial; error: return ret; }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit f9e56baf03f9d36043a78f16e3e8b2cfd211e09e upstream.
Use l2tp_tunnel_get() in pppol2tp_connect() to ensure the tunnel isn't going to disappear while processing the rest of the function.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/l2tp/l2tp_ppp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -642,6 +642,7 @@ static int pppol2tp_connect(struct socke u32 tunnel_id, peer_tunnel_id; u32 session_id, peer_session_id; bool drop_refcnt = false; + bool drop_tunnel = false; int ver = 2; int fd;
@@ -685,7 +686,9 @@ static int pppol2tp_connect(struct socke if (tunnel_id == 0) goto end;
- tunnel = l2tp_tunnel_find(sock_net(sk), tunnel_id); + tunnel = l2tp_tunnel_get(sock_net(sk), tunnel_id); + if (tunnel) + drop_tunnel = true;
/* Special case: create tunnel context if session_id and * peer_session_id is 0. Otherwise look up tunnel using supplied @@ -818,6 +821,8 @@ out_no_ppp: end: if (drop_refcnt) l2tp_session_dec_refcount(session); + if (drop_tunnel) + l2tp_tunnel_dec_refcount(tunnel); release_sock(sk);
return error;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher agruenba@redhat.com
commit fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 upstream.
In generic_file_llseek_size, return -ENXIO for negative offsets as well as offsets beyond EOF. This affects filesystems which don't implement SEEK_HOLE / SEEK_DATA internally, possibly because they don't support holes.
Fixes xfstest generic/448.
Signed-off-by: Andreas Gruenbacher agruenba@redhat.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org [bwh: Backported to 3.2: s/eof/i_size_read(inode)/] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/read_write.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/read_write.c +++ b/fs/read_write.c @@ -99,7 +99,7 @@ generic_file_llseek_size(struct file *fi * In the generic case the entire file is data, so as long as * offset isn't at the end of the file then the offset is data. */ - if (offset >= i_size_read(inode)) + if ((unsigned long long)offset >= i_size_read(inode)) return -ENXIO; break; case SEEK_HOLE: @@ -107,7 +107,7 @@ generic_file_llseek_size(struct file *fi * There is a virtual hole at the end of the file, so as long as * offset isn't i_size or larger, return i_size. */ - if (offset >= i_size_read(inode)) + if ((unsigned long long)offset >= i_size_read(inode)) return -ENXIO; offset = i_size_read(inode); break;
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Fleytman dmitry@daynix.com
commit b2a542bbb3081dbd64acc8929c140d196664c406 upstream.
Commit e0429362ab15 ("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e") introduced quirk to workaround an issue with some Logitech webcams.
The workaround is introducing delay for some USB operations.
According to our testing, delay introduced by original commit is not long enough and in rare cases we still see issues described by the aforementioned commit.
This patch increases delays introduced by original commit. Having this patch applied we do not see those problems anymore.
Signed-off-by: Dmitry Fleytman dmitry@daynix.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/core/config.c | 2 +- drivers/usb/core/hub.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -830,7 +830,7 @@ int usb_get_configuration(struct usb_dev }
if (dev->quirks & USB_QUIRK_DELAY_INIT) - msleep(100); + msleep(200);
result = usb_get_descriptor(dev, USB_DT_CONFIG, cfgno, bigbuffer, length); --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -3552,7 +3552,7 @@ static void hub_port_connect_change(stru
usb_detect_quirks(udev); if (udev->quirks & USB_QUIRK_DELAY_INIT) - msleep(1000); + msleep(2000);
/* consecutive bus-powered hubs aren't reliable; they can * violate the voltage drop budget. if the new child has
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Gleb Natapov gleb@redhat.com
commit 62c49cc976af84cb0ffcb5ec07ee88da1a94e222 upstream.
It turned to be totally unneeded. The reason the code was introduced is so that KVM can prefault swapped in page, but prefault can fail even if mm is pinned since page table can change anyway. KVM handles this situation correctly though and does not inject spurious page faults.
Fixes: "INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected" warning while running LTP inside a KVM guest using the recent -next kernel.
Reported-by: Sasha Levin levinsasha928@gmail.com Signed-off-by: Gleb Natapov gleb@redhat.com Signed-off-by: Avi Kivity avi@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/kernel/kvm.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-)
--- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -91,7 +91,6 @@ struct kvm_task_sleep_node { u32 token; int cpu; bool halted; - struct mm_struct *mm; };
static struct kvm_task_sleep_head { @@ -138,9 +137,7 @@ void kvm_async_pf_task_wait(u32 token)
n.token = token; n.cpu = smp_processor_id(); - n.mm = current->active_mm; n.halted = idle || preempt_count() > 1; - atomic_inc(&n.mm->mm_count); init_waitqueue_head(&n.wq); hlist_add_head(&n.link, &b->list); spin_unlock(&b->lock); @@ -173,9 +170,6 @@ EXPORT_SYMBOL_GPL(kvm_async_pf_task_wait static void apf_task_wake_one(struct kvm_task_sleep_node *n) { hlist_del_init(&n->link); - if (!n->mm) - return; - mmdrop(n->mm); if (n->halted) smp_send_reschedule(n->cpu); else if (waitqueue_active(&n->wq)) @@ -219,7 +213,7 @@ again: * async PF was not yet handled. * Add dummy entry for the token. */ - n = kmalloc(sizeof(*n), GFP_ATOMIC); + n = kzalloc(sizeof(*n), GFP_ATOMIC); if (!n) { /* * Allocation failed! Busy wait while other cpu @@ -231,7 +225,6 @@ again: } n->token = token; n->cpu = smp_processor_id(); - n->mm = NULL; init_waitqueue_head(&n->wq); hlist_add_head(&n->link, &b->list); } else
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit 94d7ee0baa8b764cf64ad91ed69464c1a6a0066b upstream.
The code following l2tp_tunnel_find() expects that a new reference is held on sk. Either sk_receive_skb() or the discard_put error path will drop a reference from the tunnel's socket.
This issue exists in both l2tp_ip and l2tp_ip6.
Fixes: a3c18422a4b4 ("l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.2: - Drop changes to l2tp_ip6.c - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/net/l2tp/l2tp_ip.c +++ b/net/l2tp/l2tp_ip.c @@ -190,9 +190,10 @@ pass_up:
tunnel_id = ntohl(*(__be32 *) &skb->data[4]); tunnel = l2tp_tunnel_find(&init_net, tunnel_id); - if (tunnel != NULL) + if (tunnel) { sk = tunnel->sock; - else { + sock_hold(sk); + } else { struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
read_lock_bh(&l2tp_ip_lock);
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 1f20f9ff57ca23b9f5502fca85ce3977e8496cb1 upstream.
syzkaller reported the lockdep splat due to the possible deadlock of grp->list_mutex of each sequencer client object. Actually this is rather a false-positive report due to the missing nested lock annotations. The sequencer client may deliver the event directly to another client which takes another own lock.
For addressing this issue, this patch replaces the simple down_read() with down_read_nested(). As a lock subclass, the already existing "hop" can be re-used, which indicates the depth of the call.
Reference: http://lkml.kernel.org/r/089e082686ac9b482e055c832617@google.com Reported-by: syzbot bot+7feb8de6b4d6bf810cf098bef942cc387e79d0ad@syzkaller.appspotmail.com Reported-by: Dmitry Vyukov dvyukov@google.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/seq/seq_clientmgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -676,7 +676,7 @@ static int deliver_to_subscribers(struct if (atomic) read_lock(&grp->list_lock); else - down_read(&grp->list_mutex); + down_read_nested(&grp->list_mutex, hop); list_for_each_entry(subs, &grp->list_head, src_list) { /* both ports ready? */ if (atomic_read(&subs->ref_count) != 2)
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland mark.rutland@arm.com
commit b9dd05c7002ee0ca8b676428b2268c26399b5e31 upstream.
When CONFIG_DEBUG_USER is enabled, it's possible for a user to deliberately trigger dump_instr() with a chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory.
So that we can use the same code to dump user instructions and kernel instructions, the common dumping code is factored out to __dump_instr(), with the fs manipulated appropriately in dump_instr() around calls to this.
Signed-off-by: Mark Rutland mark.rutland@arm.com Signed-off-by: Russell King rmk+kernel@armlinux.org.uk Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm/kernel/traps.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-)
--- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c @@ -130,30 +130,26 @@ static void dump_mem(const char *lvl, co set_fs(fs); }
-static void dump_instr(const char *lvl, struct pt_regs *regs) +static void __dump_instr(const char *lvl, struct pt_regs *regs) { unsigned long addr = instruction_pointer(regs); const int thumb = thumb_mode(regs); const int width = thumb ? 4 : 8; - mm_segment_t fs; char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; int i;
/* - * We need to switch to kernel mode so that we can use __get_user - * to safely read from kernel space. Note that we now dump the - * code first, just in case the backtrace kills us. + * Note that we now dump the code first, just in case the backtrace + * kills us. */ - fs = get_fs(); - set_fs(KERNEL_DS);
for (i = -4; i < 1 + !!thumb; i++) { unsigned int val, bad;
if (thumb) - bad = __get_user(val, &((u16 *)addr)[i]); + bad = get_user(val, &((u16 *)addr)[i]); else - bad = __get_user(val, &((u32 *)addr)[i]); + bad = get_user(val, &((u32 *)addr)[i]);
if (!bad) p += sprintf(p, i == 0 ? "(%0*x) " : "%0*x ", @@ -164,8 +160,20 @@ static void dump_instr(const char *lvl, } } printk("%sCode: %s\n", lvl, str); +}
- set_fs(fs); +static void dump_instr(const char *lvl, struct pt_regs *regs) +{ + mm_segment_t fs; + + if (!user_mode(regs)) { + fs = get_fs(); + set_fs(KERNEL_DS); + __dump_instr(lvl, regs); + set_fs(fs); + } else { + __dump_instr(lvl, regs); + } }
#ifdef CONFIG_ARM_UNWIND
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit d124b2c53c7bee6569d2a2d0b18b4a1afde00134 upstream.
When the file /proc/fs/fscache/objects (available with CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with description "fscache:objlist", then access its payload. However, a revoked key has a NULL payload, and we failed to check for this. request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we access its payload.
Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested.
Fixes: 4fbf4291aa15 ("FS-Cache: Allow the current state of all objects to be dumped") Reviewed-by: James Morris james.l.morris@oracle.com Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/fscache/object-list.c | 7 +++++++ 1 file changed, 7 insertions(+)
--- a/fs/fscache/object-list.c +++ b/fs/fscache/object-list.c @@ -338,6 +338,13 @@ static void fscache_objlist_config(struc rcu_read_lock();
confkey = key->payload.data; + if (!confkey) { + /* key was revoked */ + rcu_read_unlock(); + key_put(key); + goto no_config; + } + buf = confkey->data;
for (len = confkey->datalen - 1; len >= 0; len--) {
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 79fb0518fec8c8b4ea7f1729f54f293724b3dbb0 upstream.
The races among ioctl and other operations were protected by the commit af368027a49a ("ALSA: timer: Fix race among timer ioctls") and later fixes, but one code path was forgotten in the scenario: the 32bit compat ioctl. As syzkaller recently spotted, a very similar use-after-free may happen with the combination of compat ioctls.
The fix is simply to apply the same ioctl_lock to the compat_ioctl callback, too.
Fixes: af368027a49a ("ALSA: timer: Fix race among timer ioctls") Reference: http://lkml.kernel.org/r/089e082686ac9b482e055c832617@google.com Reported-by: syzbot bot+e5f3c9783e7048a74233054febbe9f1bdf54b6da@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai tiwai@suse.de [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/timer_compat.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-)
--- a/sound/core/timer_compat.c +++ b/sound/core/timer_compat.c @@ -97,7 +97,8 @@ enum { SNDRV_TIMER_IOCTL_STATUS32 = _IOW('T', 0x14, struct snd_timer_status32), };
-static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg) +static long __snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, + unsigned long arg) { void __user *argp = compat_ptr(arg);
@@ -118,7 +119,7 @@ static long snd_timer_user_ioctl_compat( case SNDRV_TIMER_IOCTL_PAUSE: case SNDRV_TIMER_IOCTL_PAUSE_OLD: case SNDRV_TIMER_IOCTL_NEXT_DEVICE: - return snd_timer_user_ioctl(file, cmd, (unsigned long)argp); + return __snd_timer_user_ioctl(file, cmd, (unsigned long)argp); case SNDRV_TIMER_IOCTL_INFO32: return snd_timer_user_info_compat(file, argp); case SNDRV_TIMER_IOCTL_STATUS32: @@ -126,3 +127,15 @@ static long snd_timer_user_ioctl_compat( } return -ENOIOCTLCMD; } + +static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, + unsigned long arg) +{ + struct snd_timer_user *tu = file->private_data; + long ret; + + mutex_lock(&tu->ioctl_lock); + ret = __snd_timer_user_ioctl_compat(file, cmd, arg); + mutex_unlock(&tu->ioctl_lock); + return ret; +}
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings ben@decadent.org.uk
commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream.
This is a fix for CVE-2017-16939 suitable for older stable branches. The upstream fix is commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2, from which the following explanation is taken:
An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full.
It was not possible to define a 'start' callback for netlink dumps until Linux 4.5, so instead add a check for the initialisation flag in the 'done' callback.
Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1530,7 +1530,8 @@ static int xfrm_dump_policy_done(struct { struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
- xfrm_policy_walk_done(walk); + if (cb->args[0]) + xfrm_policy_walk_done(walk); return 0; }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit a3c812f7cfd80cf51e8f5b7034f7418f6beb56c1 upstream.
When calling keyctl_read() on a key of type "trusted", if the user-supplied buffer was too small, the kernel ignored the buffer length and just wrote past the end of the buffer, potentially corrupting userspace memory. Fix it by instead returning the size required, as per the documentation for keyctl_read().
We also don't even fill the buffer at all in this case, as this is slightly easier to implement than doing a short read, and either behavior appears to be permitted. It also makes it match the behavior of the "encrypted" key type.
Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") Reported-by: Ben Hutchings ben@decadent.org.uk Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: David Howells dhowells@redhat.com Reviewed-by: Mimi Zohar zohar@linux.vnet.ibm.com Reviewed-by: James Morris james.l.morris@oracle.com Signed-off-by: James Morris james.l.morris@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- security/keys/trusted.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-)
--- a/security/keys/trusted.c +++ b/security/keys/trusted.c @@ -1089,20 +1089,21 @@ static long trusted_read(const struct ke p = rcu_dereference_key(key); if (!p) return -EINVAL; - if (!buffer || buflen <= 0) - return 2 * p->blob_len; - ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL); - if (!ascii_buf) - return -ENOMEM;
- bufp = ascii_buf; - for (i = 0; i < p->blob_len; i++) - bufp = hex_byte_pack(bufp, p->blob[i]); - if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) { + if (buffer && buflen >= 2 * p->blob_len) { + ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL); + if (!ascii_buf) + return -ENOMEM; + + bufp = ascii_buf; + for (i = 0; i < p->blob_len; i++) + bufp = hex_byte_pack(bufp, p->blob[i]); + if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) { + kzfree(ascii_buf); + return -EFAULT; + } kzfree(ascii_buf); - return -EFAULT; } - kzfree(ascii_buf); return 2 * p->blob_len; }
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings ben@decadent.org.uk
Commit 1c8d42255f4c "ptrace: use fsuid, fsgid, effective creds for fs access checks" added flags to the ptrace mode which need to be ignored here.
This change was made upstream in 3.3 as part of commit 69f594a38967 "ptrace: do not audit capability check when outputing /proc/pid/stat", but that's probably not suitable for stable due to its dependencies.
Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1845,7 +1845,7 @@ static int selinux_ptrace_access_check(s if (rc) return rc;
- if (mode == PTRACE_MODE_READ) { + if (mode & PTRACE_MODE_READ) { u32 sid = current_sid(); u32 csid = task_sid(child); return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
On 12/28/2017 08:59 AM, Ben Hutchings wrote:
This is the start of the stable review cycle for the 3.2.97 release. There are 94 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Mon Jan 1 17:00:00 UTC 2018. Anything received after that time might be too late.
Build results: total: 86 pass: 86 fail: 0 Qemu test results: total: 69 pass: 69 fail: 0
Details are available at http://kerneltests.org/builders.
Guenter
linux-stable-mirror@lists.linaro.org