1. 12 Sep, 2018 11 commits
      firmware: Fix security issue with request_firmware_into_buf() · 422b3db2
      Rishabh Bhatnagar authored
      When calling request_firmware_into_buf() with the FW_OPT_NOCACHE flag
      it is expected that firmware is loaded into buffer from memory.
      But inside alloc_lookup_fw_priv every new firmware that is loaded is
      added to the firmware cache (fwc) list head. So if any driver requests
      a firmware that is already loaded the code iterates over the above
      mentioned list and it can end up giving a pointer to other device driver's
      firmware buffer.
      Also the existing copy may either be modified by drivers, remote processors
      or even freed. This causes a potential security issue with batched requests
      when using request_firmware_into_buf.
      
      Fix alloc_lookup_fw_priv to not add to the fwc head list if FW_OPT_NOCACHE
      is set, and also don't do the lookup in the list.
      
      Fixes: 0e742e92 ("firmware: provide infrastructure to make fw caching optional")
      [mcgrof: broken since feature introduction on v4.8]
      
      Cc: stable@vger.kernel.org # v4.8+
      Signed-off-by: Vikram Mulukutla <markivx@codeaurora.org>
      Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org>
      Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
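      The commit above describes a shared-cache lookup that ignored the caller's FW_OPT_NOCACHE intent. The following user-space model, added here as an example and not code from the kernel or the commit, reproduces the shape of the defect and of the fix: a shared list of loaded images, a buggy lookup that always consults and populates it, and a fixed lookup that bypasses the list entirely when FW_OPT_NOCACHE is set. The structures, the flag value and the scenario function are constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed flag value for this model; the kernel defines the real
 * FW_OPT_NOCACHE in its firmware loader headers. */
#define FW_OPT_NOCACHE (1u << 0)

/* Minimal stand-ins for the kernel's fw_priv / firmware_cache objects. */
struct fw_priv {
    char fw_name[64];
    void *data;            /* buffer the firmware image lives in */
    struct fw_priv *next;  /* link on the shared cache list (fwc->head) */
};

struct firmware_cache {
    struct fw_priv *head;  /* one list shared by every requester */
};

static struct fw_priv *fw_priv_new(const char *name, void *buf)
{
    struct fw_priv *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    strncpy(p->fw_name, name, sizeof(p->fw_name) - 1);
    p->data = buf;
    return p;
}

static struct fw_priv *fwc_lookup(struct firmware_cache *fwc, const char *name)
{
    for (struct fw_priv *p = fwc->head; p; p = p->next)
        if (strcmp(p->fw_name, name) == 0)
            return p;
    return NULL;
}

/* Pre-fix shape: every request consults and populates the shared list, so a
 * NOCACHE request for a name another driver already loaded is handed that
 * driver's buffer instead of its own. */
struct fw_priv *alloc_lookup_fw_priv_buggy(struct firmware_cache *fwc,
                                           const char *name, void *dbuf,
                                           unsigned int opt_flags)
{
    (void)opt_flags;  /* the flag is never consulted: this is the defect */
    struct fw_priv *p = fwc_lookup(fwc, name);
    if (p)
        return p;
    p = fw_priv_new(name, dbuf);
    if (!p)
        return NULL;
    p->next = fwc->head;
    fwc->head = p;
    return p;
}

/* Post-fix shape: with FW_OPT_NOCACHE the request neither searches nor joins
 * the shared list, so the caller always gets an entry bound to its buffer. */
struct fw_priv *alloc_lookup_fw_priv_fixed(struct firmware_cache *fwc,
                                           const char *name, void *dbuf,
                                           unsigned int opt_flags)
{
    int cacheable = !(opt_flags & FW_OPT_NOCACHE);
    if (cacheable) {
        struct fw_priv *hit = fwc_lookup(fwc, name);
        if (hit)
            return hit;
    }
    struct fw_priv *p = fw_priv_new(name, dbuf);
    if (!p)
        return NULL;
    if (cacheable) {
        p->next = fwc->head;
        fwc->head = p;
    }
    return p;
}

/* Constructed scenario: driver A loads "fw.bin" through the cache, then driver
 * B requests the same name with FW_OPT_NOCACHE into its own buffer. Returns 1
 * if B was handed A's buffer (the bug), 0 if B kept its own. */
int nocache_request_shares_buffer(struct fw_priv *(*alloc_lookup)(
        struct firmware_cache *, const char *, void *, unsigned int))
{
    struct firmware_cache fwc = { .head = NULL };
    char buf_a[16], buf_b[16];  /* stand-ins for two drivers' buffers */
    struct fw_priv *a = alloc_lookup(&fwc, "fw.bin", buf_a, 0);
    struct fw_priv *b = alloc_lookup(&fwc, "fw.bin", buf_b, FW_OPT_NOCACHE);
    int shared = (a && b && b->data == buf_a);
    if (b && b != a)
        free(b);  /* a private (unlisted) entry is owned by its requester */
    while (fwc.head) {
        struct fw_priv *n = fwc.head->next;
        free(fwc.head);
        fwc.head = n;
    }
    return shared;
}
```

      The scenario function is what a regression test for this class of bug looks like: the observable property is not "the request succeeded" but "the entry I got back points at the buffer I supplied", which is exactly what the buggy lookup violates.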
      vmbus: don't return values for uninitialized channels · 6712cc9c
      Stephen Hemminger authored
      For unsupported device types, the vmbus channel ringbuffer is never
      initialized, and therefore reading the sysfs files will return garbage
      or cause a kernel OOPS.
      
      Fixes: c2e5df61 ("vmbus: add per-channel sysfs info")
      Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
      Cc: <stable@vger.kernel.org> # 4.15
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      fpga: dfl: fme: fix return value check in pr_mgmt_init() · 029d727b
      Wei Yongjun authored
      In case of error, the function dfl_fme_create_region() returns ERR_PTR()
      and never returns NULL. The NULL test in the return value check should
      be replaced with IS_ERR().
      
      Fixes: 29de7624 ("fpga: dfl: fme: add partial reconfiguration sub feature support")
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Acked-by: Moritz Fischer <mdf@kernel.org>
      Acked-by: Alan Tull <atull@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      misc: hmc6352: fix potential Spectre v1 · de916736
      Gustavo A. R. Silva authored
      val is indirectly controlled by user-space, hence leading to a
      potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/misc/hmc6352.c:54 compass_store() warn: potential spectre issue
      'map' [r]
      
      Fix this by sanitizing val before using it to index map
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
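      The Spectre v1 pattern in the commit above is a user-influenced index that is bounds-checked and then used to load from a table; the kernel's remedy is to mask the index so that even a mispredicted load stays inside the array. The block below is an added example, not the driver's code or the kernel's array_index_nospec() macro: it reimplements the same branchless mask in user space, then shows a constructed lookup table in its flagged and hardened forms. The table contents, function names and the inline-asm barrier are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Branchless bounds mask in the spirit of the kernel's
 * array_index_mask_nospec(): ~0 when idx < size, 0 otherwise. All arithmetic
 * is unsigned, so it is defined for every input; when idx >= size the term
 * (size - 1 - idx) wraps and sets the top bit, and so does idx itself when it
 * is huge. User-space reimplementation for this example, not the kernel macro. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
#if defined(__GNUC__)
    /* Keep the compiler from proving idx in-bounds and dropping the mask; it
     * cannot reason about the value idx holds under speculation. */
    __asm__ __volatile__("" : "+r"(idx));
#endif
    size_t out_of_bounds = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return out_of_bounds - 1;  /* 0 - 1 == ~0 in unsigned arithmetic */
}

/* Clamp: returns idx when idx < size, otherwise 0 (an in-bounds slot). */
static inline size_t array_index_nospec_user(size_t idx, size_t size)
{
    return idx & index_mask_nospec(idx, size);
}

/* Constructed stand-in for a small driver lookup table indexed by a value
 * parsed from a sysfs write (the kind of 'map' the Smatch warning refers to). */
static const char *const mode_map[] = { "standby", "query", "continuous" };
#define MODE_COUNT (sizeof(mode_map) / sizeof(mode_map[0]))

/* The shape Smatch flags: the check is correct architecturally, but while the
 * branch is mispredicted the CPU can still issue the load mode_map[val] for an
 * out-of-range val and leave a cache footprint that depends on it. */
const char *mode_lookup_unsafe(unsigned long val)
{
    if (val >= MODE_COUNT)
        return NULL;
    return mode_map[val];
}

/* Hardened shape: sanitize val after the check so the speculative load, not
 * just the architectural one, stays inside the array. */
const char *mode_lookup_nospec(unsigned long val)
{
    if (val >= MODE_COUNT)
        return NULL;
    val = array_index_nospec_user(val, MODE_COUNT);
    return mode_map[val];
}
```

      The mask is applied to the first load from the user-controlled index, matching the policy the commit cites: speculation is cut at the first dependent access rather than at every later one.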
      Tools: hv: Fix a bug in the key delete code · 86503bd3
      K. Y. Srinivasan authored
      Fix a bug in the key delete code - the num_records range
      from 0 to num_records-1.
      Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
      Reported-by: David Binderman <dcb314@hotmail.com>
      Cc: <stable@vger.kernel.org>
      Reviewed-by: Michael Kelley <mikelley@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
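      The one-line commit above boils down to an index-range rule: a table with num_records entries has valid indexes 0 to num_records-1, and the delete path must neither search nor shift past that. The block below is an added example, not the hv tools code: a constructed fixed-size key/value pool with an insert, a lookup and a delete that searches only the valid range, shifts the tail down, and clears the slot that just became dead. The record layout, sizes and scenario are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define KEY_SIZE    32
#define MAX_RECORDS 8

/* Constructed stand-in for a daemon's in-memory key/value table. */
struct kv_record {
    char key[KEY_SIZE];
    char value[KEY_SIZE];
};

struct kv_pool {
    struct kv_record records[MAX_RECORDS];
    size_t num_records;  /* valid entries occupy indexes 0 .. num_records-1 */
};

int kv_insert(struct kv_pool *pool, const char *key, const char *value)
{
    if (pool->num_records >= MAX_RECORDS)
        return -1;
    struct kv_record *r = &pool->records[pool->num_records];
    strncpy(r->key, key, KEY_SIZE - 1);
    r->key[KEY_SIZE - 1] = '\0';
    strncpy(r->value, value, KEY_SIZE - 1);
    r->value[KEY_SIZE - 1] = '\0';
    pool->num_records++;
    return 0;
}

const char *kv_get(const struct kv_pool *pool, const char *key)
{
    for (size_t i = 0; i < pool->num_records; i++)
        if (strcmp(pool->records[i].key, key) == 0)
            return pool->records[i].value;
    return NULL;
}

/* Delete by key: search only indexes 0..num_records-1 and shift the tail down
 * by one. Returns 0 on success, 1 if the key was not present. */
int kv_delete(struct kv_pool *pool, const char *key)
{
    size_t i;
    for (i = 0; i < pool->num_records; i++)
        if (strcmp(pool->records[i].key, key) == 0)
            break;
    if (i == pool->num_records)
        return 1;  /* not found; records[num_records] is never touched */
    /* Entries after i move down one slot; when i is the last valid index the
     * move length is zero, which is the edge the range rule has to get right. */
    memmove(&pool->records[i], &pool->records[i + 1],
            (pool->num_records - i - 1) * sizeof(pool->records[0]));
    pool->num_records--;
    memset(&pool->records[pool->num_records], 0, sizeof(pool->records[0]));
    return 0;
}

/* Constructed scenario exercising middle, last, missing and empty-table
 * deletes. Returns 0 when every step behaves, else the failing step number. */
int kv_delete_scenario(void)
{
    struct kv_pool pool = { .num_records = 0 };
    kv_insert(&pool, "a", "1");
    kv_insert(&pool, "b", "2");
    kv_insert(&pool, "c", "3");
    if (kv_delete(&pool, "b") != 0 || pool.num_records != 2) return 1;
    if (!kv_get(&pool, "c") || strcmp(kv_get(&pool, "c"), "3") != 0) return 2;
    if (kv_get(&pool, "b") != NULL) return 3;
    if (kv_delete(&pool, "c") != 0 || pool.num_records != 1) return 4;  /* last index */
    if (kv_delete(&pool, "zz") != 1 || pool.num_records != 1) return 5;
    if (kv_delete(&pool, "a") != 0 || pool.num_records != 0) return 6;
    if (kv_delete(&pool, "a") != 1) return 7;  /* empty table */
    return 0;
}
```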
      misc: ibmvsm: Fix wrong assignment of return code · c55e9318
      Bryant G. Ly authored
      Currently the assignment is flipped and rc is always 0.
      Signed-off-by: Bryant G. Ly <bryantly@linux.ibm.com>
      Fixes: 0eca353e ("misc: IBM Virtual Management Channel Driver (VMC)")
      Reviewed-by: Bradley Warrum <bwarrum@us.ibm.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      android: binder: fix the race mmap and alloc_new_buf_locked · da1b9564
      Minchan Kim authored
      There is RaceFuzzer report like below because we have no lock to close
      below the race between binder_mmap and binder_alloc_new_buf_locked.
      To close the race, let's use memory barrier so that if someone see
      alloc->vma is not NULL, alloc->vma_vm_mm should be never NULL.
      
      (I didn't add stable mark intentionally because standard android
      userspace libraries that interact with binder (libbinder & libhwbinder)
      prevent the mmap/ioctl race. - from Todd)
      
      "
      Thread interleaving:
      CPU0 (binder_alloc_mmap_handler)              CPU1 (binder_alloc_new_buf_locked)
      =====                                         =====
      // drivers/android/binder_alloc.c
      // #L718 (v4.18-rc3)
      alloc->vma = vma;
                                                    // drivers/android/binder_alloc.c
                                                    // #L346 (v4.18-rc3)
                                                    if (alloc->vma == NULL) {
                                                        ...
                                                        // alloc->vma is not NULL at this point
                                                        return ERR_PTR(-ESRCH);
                                                    }
                                                    ...
                                                    // #L438
                                                    binder_update_page_range(alloc, 0,
                                                            (void *)PAGE_ALIGN((uintptr_t)buffer->data),
                                                            end_page_addr);
      
                                                    // In binder_update_page_range() #L218
                                                    // But still alloc->vma_vm_mm is NULL here
                                                    if (need_mm && mmget_not_zero(alloc->vma_vm_mm))
      alloc->vma_vm_mm = vma->vm_mm;
      
      Crash Log:
      ==================================================================
      BUG: KASAN: null-ptr-deref in __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
      BUG: KASAN: null-ptr-deref in atomic_add_unless include/linux/atomic.h:533 [inline]
      BUG: KASAN: null-ptr-deref in mmget_not_zero include/linux/sched/mm.h:75 [inline]
      BUG: KASAN: null-ptr-deref in binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
      Write of size 4 at addr 0000000000000058 by task syz-executor0/11184
      
      CPU: 1 PID: 11184 Comm: syz-executor0 Not tainted 4.18.0-rc3 #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x16e/0x22c lib/dump_stack.c:113
       kasan_report_error mm/kasan/report.c:352 [inline]
       kasan_report+0x163/0x380 mm/kasan/report.c:412
       check_memory_region_inline mm/kasan/kasan.c:260 [inline]
       check_memory_region+0x140/0x1a0 mm/kasan/kasan.c:267
       kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
       __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline]
       atomic_add_unless include/linux/atomic.h:533 [inline]
       mmget_not_zero include/linux/sched/mm.h:75 [inline]
       binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218
       binder_alloc_new_buf_locked drivers/android/binder_alloc.c:443 [inline]
       binder_alloc_new_buf+0x467/0xc30 drivers/android/binder_alloc.c:513
       binder_transaction+0x125b/0x4fb0 drivers/android/binder.c:2957
       binder_thread_write+0xc08/0x2770 drivers/android/binder.c:3528
       binder_ioctl_write_read.isra.39+0x24f/0x8e0 drivers/android/binder.c:4456
       binder_ioctl+0xa86/0xf34 drivers/android/binder.c:4596
       vfs_ioctl fs/ioctl.c:46 [inline]
       do_vfs_ioctl+0x154/0xd40 fs/ioctl.c:686
       ksys_ioctl+0x94/0xb0 fs/ioctl.c:701
       __do_sys_ioctl fs/ioctl.c:708 [inline]
       __se_sys_ioctl fs/ioctl.c:706 [inline]
       __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:706
       do_syscall_64+0x167/0x4b0 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      "
      Signed-off-by: Todd Kjos <tkjos@google.com>
      Signed-off-by: Minchan Kim <minchan@kernel.org>
      Reviewed-by: Martijn Coenen <maco@android.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      mei: bus: need to unlink client before freeing · 34f1166a
      Tomas Winkler authored
      In case a client fails to connect in mei_cldev_enable(), the
      caller won't call mei_cldev_disable(), leaving the client
      in a linked state. Upon driver unload the client structure
      will be freed in mei_cl_bus_dev_release(), leaving a stale pointer
      on a fail_list. This will eventually end up in a crash
      during the power down flow in mei_cl_set_disconnected().
      
      RIP:  mei_cl_set_disconnected+0x5/0x260[mei]
      Call trace:
      mei_cl_all_disconnect+0x22/0x30
      mei_reset+0x194/0x250
      __synchronize_hardirq+0x43/0x50
      _cond_resched+0x15/0x30
      mei_me_intr_clear+0x20/0x100
      mei_stop+0x76/0xb0
      mei_me_shutdown+0x3f/0x80
      pci_device_shutdown+0x34/0x60
      kernel_restart+0x0e/0x30
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455
      Fixes: c110cdb1 ("mei: bus: make a client pointer always available")
      Cc: <stable@vger.kernel.org> 4.10+
      Tested-by: Georg Müller <georgmueller@gmx.net>
      Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      mei: bus: fix hw module get/put balance · 69bf5313
      Tomas Winkler authored
      In case the device is not connected it doesn't 'get'
      hw module and hence should not 'put' it on disable.
      
      Cc: <stable@vger.kernel.org> 4.16+
      Fixes: 257355a4 ("mei: make module referencing local to the bus.c")
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455
      Tested-by: Georg Müller <georgmueller@gmx.net>
      Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      mei: fix use-after-free in mei_cl_write · c1a214ad
      John Hubbard authored
      KASAN reports a use-after-free during startup, in mei_cl_write:
      
          BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
             (drivers/misc/mei/client.c:1770)
      
      This is caused by commit 98e70866 ("mei: add support for variable
      length mei headers."), which changed the return value from len to
      buf->size. That ends up using a stale buf pointer because, in a blocking
      call, the cb (callback) is deleted in the me_cl_complete() function.
      
      However, fortunately, len remains unchanged throughout the function
      (and I don't see anything else that would require re-reading buf->size
      either), so the fix is to simply revert the change, and return len, as
      before.
      
      Fixes: 98e70866 ("mei: add support for variable length mei headers.")
      CC: Arnd Bergmann <arnd@arndb.de>
      CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: John Hubbard <jhubbard@nvidia.com>
      Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      mei: ignore not found client in the enumeration · 8d2d8935
      Alexander Usyskin authored
      Some of the ME clients are available only for BIOS operation and are
      removed during hand off to an OS. However the removal is not instant.
      A client may be visible on the client list when the mei driver requests
      for enumeration, while the subsequent request for properties will be
      answered with client not found error value. The default behavior
      for an error is to perform client reset while this error is harmless and
      the link reset should be prevented. This issue started to be visible due to
      suspend/resume timing changes. Currently reported only on the Haswell
      based system.
      
      Fixes:
      [33.564957] mei_me 0000:00:16.0: hbm: properties response: wrong status = 1 CLIENT_NOT_FOUND
      [33.564978] mei_me 0000:00:16.0: mei_irq_read_handler ret = -71.
      [33.565270] mei_me 0000:00:16.0: unexpected reset: dev_state = INIT_CLIENTS fw status = 1E000255 60002306 00000200 00004401 00000000 00000010
      
      Cc: <stable@vger.kernel.org>
      Reported-by: Heiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
      Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 10 Sep, 2018 1 commit
  3. 09 Sep, 2018 7 commits
  4. 08 Sep, 2018 6 commits
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · f8f65382
      Linus Torvalds authored
      Pull KVM fixes from Radim Krčmář:
       "ARM:
         - Fix a VFP corruption in 32-bit guest
         - Add missing cache invalidation for CoW pages
         - Two small cleanups
      
        s390:
         - Fallout from the hugetlbfs support: pfmf interpretation and locking
         - VSIE: fix keywrapping for nested guests
      
        PPC:
         - Fix a bug where pages might not get marked dirty, causing guest
           memory corruption on migration
         - Fix a bug causing reads from guest memory to use the wrong guest
           real address for very large HPT guests (>256G of memory), leading
           to failures in instruction emulation.
      
        x86:
         - Fix out of bound access from malicious pv ipi hypercalls
           (introduced in rc1)
         - Fix delivery of pending interrupts when entering a nested guest,
           preventing arbitrarily late injection
         - Sanitize kvm_stat output after destroying a guest
         - Fix infinite loop when emulating a nested guest page fault and
           improve the surrounding emulation code
         - Two minor cleanups"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (28 commits)
        KVM: LAPIC: Fix pv ipis out-of-bounds access
        KVM: nVMX: Fix loss of pending IRQ/NMI before entering L2
        arm64: KVM: Remove pgd_lock
        KVM: Remove obsolete kvm_unmap_hva notifier backend
        arm64: KVM: Only force FPEXC32_EL2.EN if trapping FPSIMD
        KVM: arm/arm64: Clean dcache to PoC when changing PTE due to CoW
        KVM: s390: Properly lock mm context allow_gmap_hpage_1m setting
        KVM: s390: vsie: copy wrapping keys to right place
        KVM: s390: Fix pfmf and conditional skey emulation
        tools/kvm_stat: re-animate display of dead guests
        tools/kvm_stat: indicate dead guests as such
        tools/kvm_stat: handle guest removals more gracefully
        tools/kvm_stat: don't reset stats when setting PID filter for debugfs
        tools/kvm_stat: fix updates for dead guests
        tools/kvm_stat: fix handling of invalid paths in debugfs provider
        tools/kvm_stat: fix python3 issues
        KVM: x86: Unexport x86_emulate_instruction()
        KVM: x86: Rename emulate_instruction() to kvm_emulate_instruction()
        KVM: x86: Do not re-{try,execute} after failed emulation in L2
        KVM: x86: Default to not allowing emulation retry in kvm_mmu_page_fault
        ...
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 0f3aa48a
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A few more fixes that have trickled in:
      
         - MMC bus width fixup for some Allwinner platforms
      
         - Fix for NULL deref in ti-aemif when no platform data is passed in
      
         - Fix div by 0 in SCMI code
      
         - Add a missing module alias in a new RPi driver"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        memory: ti-aemif: fix a potential NULL-pointer dereference
        firmware: arm_scmi: fix divide by zero when sustained_perf_level is zero
        hwmon: rpi: add module alias to raspberrypi-hwmon
        arm64: allwinner: dts: h6: fix Pine H64 MMC bus width
      Merge tag 'sunxi-fixes-for-4.19' of... · a132bb90
      Olof Johansson authored
      Merge tag 'sunxi-fixes-for-4.19' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into fixes
      
      Allwinner fixes for 4.19
      
      Just one fix for H6 mmc on the Pine H64: the mmc bus width was missing
      from the device tree. This was added in 4.19-rc1.
      
      * tag 'sunxi-fixes-for-4.19' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux:
        arm64: allwinner: dts: h6: fix Pine H64 MMC bus width
      Signed-off-by: Olof Johansson <olof@lixom.net>
      x86/mm: Use WRITE_ONCE() when setting PTEs · 9bc4f28a
      Nadav Amit authored
      When page-table entries are set, the compiler might optimize their
      assignment by using multiple instructions to set the PTE. This might
      turn into a security hazard if the user somehow manages to use the
      interim PTE. L1TF does not make our lives easier, making even an interim
      non-present PTE a security hazard.
      
      Using WRITE_ONCE() to set PTEs and friends should prevent this potential
      security hazard.
      
      I skimmed the differences in the binary with and without this patch. The
      differences are (obviously) greater when CONFIG_PARAVIRT=n as more
      code optimizations are possible. For better and worse, the impact on the
      binary with this patch is pretty small. Skimming the code did not cause
      anything to jump out as a security hazard, but it seems that at least
      move_soft_dirty_pte() caused set_pte_at() to use multiple writes.
      Signed-off-by: Nadav Amit <namit@vmware.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Sean Christopherson <sean.j.christopherson@intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180902181451.80520-1-namit@vmware.com
      x86/apic/vector: Make error return value negative · 47b7360c
      Thomas Gleixner authored
      activate_managed() returns EINVAL instead of -EINVAL in case of
      error. While this is unlikely to happen, the positive return value would
      cause further malfunction at the call site.
      
      Fixes: 2db1f959 ("x86/vector: Handle managed interrupts proper")
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · d7b686eb
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
      
       - bugfixes for uniphier, i801, and xiic drivers
      
       - ID removal (never produced) for imx
      
       - one MAINTAINER addition
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: xiic: Record xilinx i2c with Zynq fragment
        i2c: xiic: Make the start and the byte count write atomic
        i2c: i801: fix DNV's SMBCTRL register offset
        i2c: imx-lpi2c: Remove mx8dv compatible entry
        dt-bindings: imx-lpi2c: Remove mx8dv compatible entry
        i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
        i2c: uniphier: issue STOP only for last message or I2C_M_STOP
  5. 07 Sep, 2018 15 commits