1. 08 May, 2019 24 commits
    • Alan Stern's avatar
      USB: core: Fix bug caused by duplicate interface PM usage counter · 3c65c766
      Alan Stern authored
      commit c2b71462 upstream.
      
      The syzkaller fuzzer reported a bug in the USB hub driver which turned
      out to be caused by a negative runtime-PM usage counter.  This allowed
      a hub to be runtime suspended at a time when the driver did not expect
      it.  The symptom is a WARNING issued because the hub's status URB is
      submitted while it is already active:
      
      	URB 0000000031fb463e submitted while active
      	WARNING: CPU: 0 PID: 2917 at drivers/usb/core/urb.c:363
      
      The negative runtime-PM usage count was caused by an unfortunate
      design decision made when runtime PM was first implemented for USB.
      At that time, USB class drivers were allowed to unbind from their
      interfaces without balancing the usage counter (i.e., leaving it with
      a positive count).  The core code would take care of setting the
      counter back to 0 before allowing another driver to bind to the
      interface.
      
      Later on when runtime PM was implemented for the entire kernel, the
      opposite decision was made: Drivers were required to balance their
      runtime-PM get and put calls.  In order to maintain backward
      compatibility, however, the USB subsystem adapted to the new
      implementation by keeping an independent usage counter for each
      interface and using it to automatically adjust the normal usage
      counter back to 0 whenever a driver was unbound.
      
      This approach involves duplicating information, but what is worse, it
      doesn't work properly in cases where a USB class driver delays
      decrementing the usage counter until after the driver's disconnect()
      routine has returned and the counter has been adjusted back to 0.
      Doing so would cause the usage counter to become negative.  There's
      even a warning about this in the USB power management documentation!
      
      As it happens, this is exactly what the hub driver does.  The
      kick_hub_wq() routine increments the runtime-PM usage counter, and the
      corresponding decrement is carried out by hub_event() in the context
      of the hub_wq work-queue thread.  This work routine may sometimes run
      after the driver has been unbound from its interface, and when it does
      it causes the usage counter to go negative.
      
      It is not possible for hub_disconnect() to wait for a pending
      hub_event() call to finish, because hub_disconnect() is called with
      the device lock held and hub_event() acquires that lock.  The only
      feasible fix is to reverse the original design decision: remove the
      duplicate interface-specific usage counter and require USB drivers to
      balance their runtime PM gets and puts.  As far as I know, all
      existing drivers currently do this.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+7634edaea4d0b341c625@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c65c766
    • Alan Stern's avatar
      USB: core: Fix unterminated string returned by usb_string() · 7bbbb95a
      Alan Stern authored
      commit c01c348e upstream.
      
      Some drivers (such as the vub300 MMC driver) expect usb_string() to
      return a properly NUL-terminated string, even when an error occurs.
      (In fact, vub300's probe routine doesn't bother to check the return
      code from usb_string().)  When the driver goes on to use an
      unterminated string, it leads to kernel errors such as
      stack-out-of-bounds, as found by the syzkaller USB fuzzer.
      
      An out-of-range string index argument is not at all unlikely, given
      that some devices don't provide string descriptors and therefore list
      0 as the value for their string indexes.  This patch makes
      usb_string() return a properly terminated empty string along with the
      -EINVAL error code when an out-of-range index is encountered.
      
      And since a USB string index is a single-byte value, indexes >= 256
      are just as invalid as values of 0 or below.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: syzbot+b75b85111c10b8d680f1@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7bbbb95a
    • Malte Leip's avatar
      usb: usbip: fix isoc packet num validation in get_pipe · 616ba129
      Malte Leip authored
      commit c409ca3b upstream.
      
      Change the validation of number_of_packets in get_pipe to compare the
      number of packets to a fixed maximum number of packets allowed, set to
      be 1024. This number was chosen due to it being used by other drivers as
      well, for example drivers/usb/host/uhci-q.c
      
      Background/reason:
      The get_pipe function in stub_rx.c validates the number of packets in
      isochronous mode and aborts with an error if that number is too large,
      in order to prevent malicious input from possibly triggering large
      memory allocations. This was previously done by checking whether
      pdu->u.cmd_submit.number_of_packets is bigger than the number of packets
      that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes
      if all except possibly the last packet had maximum length, given by
      usb_endpoint_maxp(epd) *  usb_endpoint_maxp_mult(epd). This leads to an
      error if URBs with packets shorter than the maximum possible length are
      submitted, which is allowed according to
      Documentation/driver-api/usb/URB.rst and occurs for example with the
      snd-usb-audio driver.
      
      Fixes: c6688ef9 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input")
      Signed-off-by: default avatarMalte Leip <malte@leip.net>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: default avatarShuah Khan <skhan@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      616ba129
    • Alan Stern's avatar
      USB: w1 ds2490: Fix bug caused by improper use of altsetting array · 6f6bbb66
      Alan Stern authored
      commit c114944d upstream.
      
      The syzkaller USB fuzzer spotted a slab-out-of-bounds bug in the
      ds2490 driver.  This bug is caused by improper use of the altsetting
      array in the usb_interface structure (the array's entries are not
      always stored in numerical order), combined with a naive assumption
      that all interfaces probed by the driver will have the expected number
      of altsettings.
      
      The bug can be fixed by replacing references to the possibly
      non-existent intf->altsetting[alt] entry with the guaranteed-to-exist
      intf->cur_altsetting entry.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+d65f673b847a1a96cdba@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f6bbb66
    • Alan Stern's avatar
      USB: yurex: Fix protection fault after device removal · 965cc840
      Alan Stern authored
      commit ef61eb43 upstream.
      
      The syzkaller USB fuzzer found a general-protection-fault bug in the
      yurex driver.  The fault occurs when a device has been unplugged; the
      driver's interrupt-URB handler logs an error message referring to the
      device by name, after the device has been unregistered and its name
      deallocated.
      
      This problem is caused by the fact that the interrupt URB isn't
      cancelled until the driver's private data structure is released, which
      can happen long after the device is gone.  The cure is to make sure
      that the interrupt URB is killed before yurex_disconnect() returns;
      this is exactly the sort of thing that usb_poison_urb() was meant for.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      965cc840
    • Arnd Bergmann's avatar
      caif: reduce stack size with KASAN · ff5ca554
      Arnd Bergmann authored
      commit ce628966 upstream.
      
      When CONFIG_KASAN is set, we can use relatively large amounts of kernel
      stack space:
      
      net/caif/cfctrl.c:555:1: warning: the frame size of 1600 bytes is larger than 1280 bytes [-Wframe-larger-than=]
      
      This adds convenience wrappers around cfpkt_extr_head(), which is responsible
      for most of the stack growth. With those wrapper functions, gcc apparently
      starts reusing the stack slots for each instance, thus avoiding the
      problem.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff5ca554
    • Kristina Martsenko's avatar
      arm64: mm: don't print out page table entries on EL0 faults · ee254b4d
      Kristina Martsenko authored
      commit bf396c09 upstream.
      
      When we take a fault from EL0 that can't be handled, we print out the
      page table entries associated with the faulting address. This allows
      userspace to print out any current page table entries, including kernel
      (TTBR1) entries. Exposing kernel mappings like this could pose a
      security risk, so don't print out page table information on EL0 faults.
      (But still print it out for EL1 faults.) This also follows the same
      behaviour as x86, printing out page table entries on kernel mode faults
      but not user mode faults.
      Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarKristina Martsenko <kristina.martsenko@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ee254b4d
    • Kristina Martsenko's avatar
      arm64: mm: print out correct page table entries · 9cec5be3
      Kristina Martsenko authored
      commit 67ce16ec upstream.
      
      When we take a fault that can't be handled, we print out the page table
      entries associated with the faulting address. In some cases we currently
      print out the wrong entries. For a faulting TTBR1 address, we sometimes
      print out TTBR0 table entries instead, and for a faulting TTBR0 address
      we sometimes print out TTBR1 table entries. Fix this by choosing the
      tables based on the faulting address.
      Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarKristina Martsenko <kristina.martsenko@arm.com>
      [will: zero-extend addrs to 64-bit, don't walk swapper w/ TTBR0 addr]
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9cec5be3
    • Andrey Konovalov's avatar
      kasan: prevent compiler from optimizing away memset in tests · 5d01a64d
      Andrey Konovalov authored
      commit 69ca372c upstream.
      
      A compiler can optimize away memset calls by replacing them with mov
      instructions.  There are KASAN tests that specifically test that KASAN
      correctly handles memset calls so we don't want this optimization to
      happen.
      
      The solution is to add -fno-builtin flag to test_kasan.ko
      
      Link: http://lkml.kernel.org/r/105ec9a308b2abedb1a0d1fdced0c22d765e4732.1519924383.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Nick Terrell <terrelln@fb.com>
      Cc: Chris Mason <clm@fb.com>
      Cc: Yury Norov <ynorov@caviumnetworks.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
      Cc: Palmer Dabbelt <palmer@dabbelt.com>
      Cc: "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>
      Cc: Jeff Layton <jlayton@redhat.com>
      Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5d01a64d
    • Will Deacon's avatar
      arm64: proc: Set PTE_NG for table entries to avoid traversing them twice · df214256
      Will Deacon authored
      commit 2ce77f6d upstream.
      
      When KASAN is enabled, the swapper page table contains many identical
      mappings of the zero page, which can lead to a stall during boot whilst
      the G -> nG code continually walks the same page table entries looking
      for global mappings.
      
      This patch sets the nG bit (bit 11, which is IGNORED) in table entries
      after processing the subtree so we can easily skip them if we see them
      a second time.
      Tested-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df214256
    • Colin Ian King's avatar
      kasan: remove redundant initialization of variable 'real_size' · fe71230d
      Colin Ian King authored
      commit 48c23239 upstream.
      
      Variable real_size is initialized with a value that is never read, it is
      re-assigned a new value later on, hence the initialization is redundant
      and can be removed.
      
      Cleans up clang warning:
      
        lib/test_kasan.c:422:21: warning: Value stored to 'real_size' during its initialization is never read
      
      Link: http://lkml.kernel.org/r/20180206144950.32457-1-colin.king@canonical.comSigned-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fe71230d
    • Arnd Bergmann's avatar
      kasan: avoid -Wmaybe-uninitialized warning · 30ca85a5
      Arnd Bergmann authored
      commit e7701557 upstream.
      
      gcc-7 produces this warning:
      
        mm/kasan/report.c: In function 'kasan_report':
        mm/kasan/report.c:351:3: error: 'info.first_bad_addr' may be used uninitialized in this function [-Werror=maybe-uninitialized]
           print_shadow_for_address(info->first_bad_addr);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        mm/kasan/report.c:360:27: note: 'info.first_bad_addr' was declared here
      
      The code seems fine as we only print info.first_bad_addr when there is a
      shadow, and we always initialize it in that case, but this is relatively
      hard for gcc to figure out after the latest rework.
      
      Adding an intialization to the most likely value together with the other
      struct members shuts up that warning.
      
      Fixes: b235b9808664 ("kasan: unify report headers")
      Link: https://patchwork.kernel.org/patch/9641417/
      Link: http://lkml.kernel.org/r/20170725152739.4176967-1-arnd@arndb.deSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Suggested-by: default avatarAlexander Potapenko <glider@google.com>
      Suggested-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30ca85a5
    • Masami Hiramatsu's avatar
      kasan: add a prototype of task_struct to avoid warning · 51a27f03
      Masami Hiramatsu authored
      commit 5be9b730 upstream.
      
      Add a prototype of task_struct to fix below warning on arm64.
      
        In file included from arch/arm64/kernel/probes/kprobes.c:19:0:
        include/linux/kasan.h:81:132: error: 'struct task_struct' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
         static inline void kasan_unpoison_task_stack(struct task_struct *task) {}
      
      As same as other types (kmem_cache, page, and vm_struct) this adds a
      prototype of task_struct data structure on top of kasan.h.
      
      [arnd] A related warning was fixed before, but now appears in a
      different line in the same file in v4.11-rc2.  The patch from Masami
      Hiramatsu still seems appropriate, so let's take his version.
      
      Fixes: 71af2ed5 ("kasan, sched/headers: Remove <linux/sched.h> from <linux/kasan.h>")
      Link: https://patchwork.kernel.org/patch/9569839/
      Link: http://lkml.kernel.org/r/20170313141517.3397802-1-arnd@arndb.deSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Acked-by: default avatarAlexander Potapenko <glider@google.com>
      Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      51a27f03
    • Mark Rutland's avatar
      arm64: kasan: avoid bad virt_to_pfn() · b46a4c22
      Mark Rutland authored
      commit b0de0ccc upstream.
      
      Booting a v4.11-rc1 kernel with DEBUG_VIRTUAL and KASAN enabled produces
      the following splat (trimmed for brevity):
      
      [    0.000000] virt_to_phys used for non-linear address: ffff200008080000 (0xffff200008080000)
      [    0.000000] WARNING: CPU: 0 PID: 0 at arch/arm64/mm/physaddr.c:14 __virt_to_phys+0x48/0x70
      [    0.000000] PC is at __virt_to_phys+0x48/0x70
      [    0.000000] LR is at __virt_to_phys+0x48/0x70
      [    0.000000] Call trace:
      [    0.000000] [<ffff2000080b1ac0>] __virt_to_phys+0x48/0x70
      [    0.000000] [<ffff20000a03b86c>] kasan_init+0x1c0/0x498
      [    0.000000] [<ffff20000a034018>] setup_arch+0x2fc/0x948
      [    0.000000] [<ffff20000a030c68>] start_kernel+0xb8/0x570
      [    0.000000] [<ffff20000a0301e8>] __primary_switched+0x6c/0x74
      
      This is because we use virt_to_pfn() on a kernel image address when
      trying to figure out its nid, so that we can allocate its shadow from
      the same node.
      
      As with other recent changes, this patch uses lm_alias() to solve this.
      
      We could instead use NUMA_NO_NODE, as x86 does for all shadow
      allocations, though we'll likely want the "real" memory shadow to be
      backed from its corresponding nid anyway, so we may as well be
      consistent and find the nid for the image shadow.
      
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Acked-by: default avatarLaura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b46a4c22
    • Josh Poimboeuf's avatar
      x86/unwind: Disable KASAN checks for non-current tasks · c0143f6a
      Josh Poimboeuf authored
      commit 84936118 upstream.
      
      There are a handful of callers to save_stack_trace_tsk() and
      show_stack() which try to unwind the stack of a task other than current.
      In such cases, it's remotely possible that the task is running on one
      CPU while the unwinder is reading its stack from another CPU, causing
      the unwinder to see stack corruption.
      
      These cases seem to be mostly harmless.  The unwinder has checks which
      prevent it from following bad pointers beyond the bounds of the stack.
      So it's not really a bug as long as the caller understands that
      unwinding another task will not always succeed.
      
      In such cases, it's possible that the unwinder may read a KASAN-poisoned
      region of the stack.  Account for that by using READ_ONCE_NOCHECK() when
      reading the stack of another task.
      
      Use READ_ONCE() when reading the stack of the current task, since KASAN
      warnings can still be useful for finding bugs in that case.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Jones <davej@codemonkey.org.uk>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Miroslav Benes <mbenes@suse.cz>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/4c575eb288ba9f73d498dfe0acde2f58674598f1.1483978430.git.jpoimboe@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0143f6a
    • Laura Abbott's avatar
      mm/kasan: Switch to using __pa_symbol and lm_alias · c6fc6221
      Laura Abbott authored
      commit 5c6a84a3 upstream.
      
      __pa_symbol is the correct API to find the physical address of symbols.
      Switch to it to allow for debugging APIs to work correctly. Other
      functions such as p*d_populate may call __pa internally. Ensure that the
      address passed is in the linear region by calling lm_alias.
      Reviewed-by: default avatarMark Rutland <mark.rutland@arm.com>
      Tested-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarLaura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c6fc6221
    • Josh Poimboeuf's avatar
      x86/suspend: fix false positive KASAN warning on suspend/resume · a67f81c8
      Josh Poimboeuf authored
      commit b53f40db upstream.
      
      Resuming from a suspend operation is showing a KASAN false positive
      warning:
      
        BUG: KASAN: stack-out-of-bounds in unwind_get_return_address+0x11d/0x130 at addr ffff8803867d7878
        Read of size 8 by task pm-suspend/7774
        page:ffffea000e19f5c0 count:0 mapcount:0 mapping:          (null) index:0x0
        flags: 0x2ffff0000000000()
        page dumped because: kasan: bad access detected
        CPU: 0 PID: 7774 Comm: pm-suspend Tainted: G    B           4.9.0-rc7+ #8
        Hardware name: Gigabyte Technology Co., Ltd. Z170X-UD5/Z170X-UD5-CF, BIOS F5 03/07/2016
        Call Trace:
          dump_stack+0x63/0x82
          kasan_report_error+0x4b4/0x4e0
          ? acpi_hw_read_port+0xd0/0x1ea
          ? kfree_const+0x22/0x30
          ? acpi_hw_validate_io_request+0x1a6/0x1a6
          __asan_report_load8_noabort+0x61/0x70
          ? unwind_get_return_address+0x11d/0x130
          unwind_get_return_address+0x11d/0x130
          ? unwind_next_frame+0x97/0xf0
          __save_stack_trace+0x92/0x100
          save_stack_trace+0x1b/0x20
          save_stack+0x46/0xd0
          ? save_stack_trace+0x1b/0x20
          ? save_stack+0x46/0xd0
          ? kasan_kmalloc+0xad/0xe0
          ? kasan_slab_alloc+0x12/0x20
          ? acpi_hw_read+0x2b6/0x3aa
          ? acpi_hw_validate_register+0x20b/0x20b
          ? acpi_hw_write_port+0x72/0xc7
          ? acpi_hw_write+0x11f/0x15f
          ? acpi_hw_read_multiple+0x19f/0x19f
          ? memcpy+0x45/0x50
          ? acpi_hw_write_port+0x72/0xc7
          ? acpi_hw_write+0x11f/0x15f
          ? acpi_hw_read_multiple+0x19f/0x19f
          ? kasan_unpoison_shadow+0x36/0x50
          kasan_kmalloc+0xad/0xe0
          kasan_slab_alloc+0x12/0x20
          kmem_cache_alloc_trace+0xbc/0x1e0
          ? acpi_get_sleep_type_data+0x9a/0x578
          acpi_get_sleep_type_data+0x9a/0x578
          acpi_hw_legacy_wake_prep+0x88/0x22c
          ? acpi_hw_legacy_sleep+0x3c7/0x3c7
          ? acpi_write_bit_register+0x28d/0x2d3
          ? acpi_read_bit_register+0x19b/0x19b
          acpi_hw_sleep_dispatch+0xb5/0xba
          acpi_leave_sleep_state_prep+0x17/0x19
          acpi_suspend_enter+0x154/0x1e0
          ? trace_suspend_resume+0xe8/0xe8
          suspend_devices_and_enter+0xb09/0xdb0
          ? printk+0xa8/0xd8
          ? arch_suspend_enable_irqs+0x20/0x20
          ? try_to_freeze_tasks+0x295/0x600
          pm_suspend+0x6c9/0x780
          ? finish_wait+0x1f0/0x1f0
          ? suspend_devices_and_enter+0xdb0/0xdb0
          state_store+0xa2/0x120
          ? kobj_attr_show+0x60/0x60
          kobj_attr_store+0x36/0x70
          sysfs_kf_write+0x131/0x200
          kernfs_fop_write+0x295/0x3f0
          __vfs_write+0xef/0x760
          ? handle_mm_fault+0x1346/0x35e0
          ? do_iter_readv_writev+0x660/0x660
          ? __pmd_alloc+0x310/0x310
          ? do_lock_file_wait+0x1e0/0x1e0
          ? apparmor_file_permission+0x18/0x20
          ? security_file_permission+0x73/0x1c0
          ? rw_verify_area+0xbd/0x2b0
          vfs_write+0x149/0x4a0
          SyS_write+0xd9/0x1c0
          ? SyS_read+0x1c0/0x1c0
          entry_SYSCALL_64_fastpath+0x1e/0xad
        Memory state around the buggy address:
         ffff8803867d7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         ffff8803867d7780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        >ffff8803867d7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4
                                                                        ^
         ffff8803867d7880: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
         ffff8803867d7900: 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f3 f3 f3 f3 00
      
      KASAN instrumentation poisons the stack when entering a function and
      unpoisons it when exiting the function.  However, in the suspend path,
      some functions never return, so their stack never gets unpoisoned,
      resulting in stale KASAN shadow data which can cause later false
      positive warnings like the one above.
      Reported-by: default avatarScott Bauer <scott.bauer@intel.com>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Acked-by: default avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a67f81c8
    • Andrew Lunn's avatar
      net: phy: marvell: Fix buffer overrun with stats counters · d0558dfc
      Andrew Lunn authored
      [ Upstream commit fdfdf867 ]
      
      marvell_get_sset_count() returns how many statistics counters there
      are. If the PHY supports fibre, there are 3, otherwise two.
      
      marvell_get_strings() does not make this distinction, and always
      returns 3 strings. This then often results in writing past the end
      of the buffer for the strings.
      
      Fixes: 2170fef7 ("Marvell phy: add field to get errors from fiber link.")
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d0558dfc
    • Michael Chan's avatar
      bnxt_en: Improve multicast address setup logic. · 4c3215b5
      Michael Chan authored
      [ Upstream commit b4e30e8e ]
      
      The driver builds a list of multicast addresses and sends it to the
      firmware when the driver's ndo_set_rx_mode() is called.  In rare
      cases, the firmware can fail this call if internal resources to
      add multicast addresses are exhausted.  In that case, we should
      try the call again by setting the ALL_MCAST flag which is more
      guaranteed to succeed.
      
      Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c3215b5
    • Willem de Bruijn's avatar
      packet: validate msg_namelen in send directly · 71061f1a
      Willem de Bruijn authored
      [ Upstream commit 486efdc8 ]
      
      Packet sockets in datagram mode take a destination address. Verify its
      length before passing to dev_hard_header.
      
      Prior to 2.6.14-rc3, the send code ignored sll_halen. This is
      established behavior. Directly compare msg_namelen to dev->addr_len.
      
      Change v1->v2: initialize addr in all paths
      
      Fixes: 6b8d95f1 ("packet: validate address length if non-zero")
      Suggested-by: default avatarDavid Laight <David.Laight@aculab.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71061f1a
    • Willem de Bruijn's avatar
      ipv6: invert flowlabel sharing check in process and user mode · 493cbb3e
      Willem de Bruijn authored
      [ Upstream commit 95c16925 ]
      
      A request for a flowlabel fails in process or user exclusive mode must
      fail if the caller pid or uid does not match. Invert the test.
      
      Previously, the test was unsafe wrt PID recycling, but indeed tested
      for inequality: fl1->owner != fl->owner
      
      Fixes: 4f82f457 ("net ip6 flowlabel: Make owner a union of struct pid* and kuid_t")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      493cbb3e
    • Eric Dumazet's avatar
      ipv6/flowlabel: wait rcu grace period before put_pid() · bf533f48
      Eric Dumazet authored
      [ Upstream commit 6c0afef5 ]
      
      syzbot was able to catch a use-after-free read in pid_nr_ns() [1]
      
      ip6fl_seq_show() seems to use RCU protection, dereferencing fl->owner.pid
      but fl_free() releases fl->owner.pid before rcu grace period is started.
      
      [1]
      
      BUG: KASAN: use-after-free in pid_nr_ns+0x128/0x140 kernel/pid.c:407
      Read of size 4 at addr ffff888094012a04 by task syz-executor.0/18087
      
      CPU: 0 PID: 18087 Comm: syz-executor.0 Not tainted 5.1.0-rc6+ #89
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
       kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
       __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
       pid_nr_ns+0x128/0x140 kernel/pid.c:407
       ip6fl_seq_show+0x2f8/0x4f0 net/ipv6/ip6_flowlabel.c:794
       seq_read+0xad3/0x1130 fs/seq_file.c:268
       proc_reg_read+0x1fe/0x2c0 fs/proc/inode.c:227
       do_loop_readv_writev fs/read_write.c:701 [inline]
       do_loop_readv_writev fs/read_write.c:688 [inline]
       do_iter_read+0x4a9/0x660 fs/read_write.c:922
       vfs_readv+0xf0/0x160 fs/read_write.c:984
       kernel_readv fs/splice.c:358 [inline]
       default_file_splice_read+0x475/0x890 fs/splice.c:413
       do_splice_to+0x12a/0x190 fs/splice.c:876
       splice_direct_to_actor+0x2d2/0x970 fs/splice.c:953
       do_splice_direct+0x1da/0x2a0 fs/splice.c:1062
       do_sendfile+0x597/0xd00 fs/read_write.c:1443
       __do_sys_sendfile64 fs/read_write.c:1498 [inline]
       __se_sys_sendfile64 fs/read_write.c:1490 [inline]
       __x64_sys_sendfile64+0x15a/0x220 fs/read_write.c:1490
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x458da9
      Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f300d24bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
      RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458da9
      RDX: 00000000200000c0 RSI: 0000000000000008 RDI: 0000000000000007
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 000000000000005a R11: 0000000000000246 R12: 00007f300d24c6d4
      R13: 00000000004c5fa3 R14: 00000000004da748 R15: 00000000ffffffff
      
      Allocated by task 17543:
       save_stack+0x45/0xd0 mm/kasan/common.c:75
       set_track mm/kasan/common.c:87 [inline]
       __kasan_kmalloc mm/kasan/common.c:497 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
       kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
       slab_post_alloc_hook mm/slab.h:437 [inline]
       slab_alloc mm/slab.c:3393 [inline]
       kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3555
       alloc_pid+0x55/0x8f0 kernel/pid.c:168
       copy_process.part.0+0x3b08/0x7980 kernel/fork.c:1932
       copy_process kernel/fork.c:1709 [inline]
       _do_fork+0x257/0xfd0 kernel/fork.c:2226
       __do_sys_clone kernel/fork.c:2333 [inline]
       __se_sys_clone kernel/fork.c:2327 [inline]
       __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 7789:
       save_stack+0x45/0xd0 mm/kasan/common.c:75
       set_track mm/kasan/common.c:87 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
       __cache_free mm/slab.c:3499 [inline]
       kmem_cache_free+0x86/0x260 mm/slab.c:3765
       put_pid.part.0+0x111/0x150 kernel/pid.c:111
       put_pid+0x20/0x30 kernel/pid.c:105
       fl_free+0xbe/0xe0 net/ipv6/ip6_flowlabel.c:102
       ip6_fl_gc+0x295/0x3e0 net/ipv6/ip6_flowlabel.c:152
       call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
       expire_timers kernel/time/timer.c:1362 [inline]
       __run_timers kernel/time/timer.c:1681 [inline]
       __run_timers kernel/time/timer.c:1649 [inline]
       run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
       __do_softirq+0x266/0x95a kernel/softirq.c:293
      
      The buggy address belongs to the object at ffff888094012a00
       which belongs to the cache pid_2 of size 88
      The buggy address is located 4 bytes inside of
       88-byte region [ffff888094012a00, ffff888094012a58)
      The buggy address belongs to the page:
      page:ffffea0002500480 count:1 mapcount:0 mapping:ffff88809a483080 index:0xffff888094012980
      flags: 0x1fffc0000000200(slab)
      raw: 01fffc0000000200 ffffea00018a3508 ffffea0002524a88 ffff88809a483080
      raw: ffff888094012980 ffff888094012000 000000010000001b 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff888094012900: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
       ffff888094012980: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
      >ffff888094012a00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
                         ^
       ffff888094012a80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
       ffff888094012b00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
      
      Fixes: 4f82f457 ("net ip6 flowlabel: Make owner a union of struct pid * and kuid_t")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bf533f48
    • Shmulik Ladkani's avatar
      ipv4: ip_do_fragment: Preserve skb_iif during fragmentation · bcb37e6d
      Shmulik Ladkani authored
      [ Upstream commit d2f0c961 ]
      
      Previously, during fragmentation after forwarding, skb->skb_iif isn't
      preserved, i.e. 'ip_copy_metadata' does not copy skb_iif from given
      'from' skb.
      
      As a result, ip_do_fragment's creates fragments with zero skb_iif,
      leading to inconsistent behavior.
      
      Assume for example an eBPF program attached at tc egress (post
      forwarding) that examines __sk_buff->ingress_ifindex:
       - the correct iif is observed if forwarding path does not involve
         fragmentation/refragmentation
       - a bogus iif is observed if forwarding path involves
         fragmentation/refragmentatiom
      
      Fix, by preserving skb_iif during 'ip_copy_metadata'.
      Signed-off-by: default avatarShmulik Ladkani <shmulik.ladkani@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bcb37e6d
    • Greg Kroah-Hartman's avatar
      ALSA: line6: use dynamic buffers · b9daeb29
      Greg Kroah-Hartman authored
      commit e5c812e8 upstream.
      
      The line6 driver uses a lot of USB buffers off of the stack, which is
      not allowed on many systems, causing the driver to crash on some of
      them.  Fix this up by dynamically allocating the buffers with kmalloc()
      which allows for proper DMA-able memory.
      Reported-by: default avatarChristo Gouws <gouws.christo@gmail.com>
      Reported-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Tested-by: default avatarChristo Gouws <gouws.christo@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9daeb29
  2. 04 May, 2019 16 commits