1. 26 Jun, 2018 6 commits
    • Ivan Bornyakov's avatar
      atm: zatm: fix memcmp casting · 5dbffe42
      Ivan Bornyakov authored
      [ Upstream commit f9c6442a ]
      
      memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One
      can lose significant bits and get 0 from non-0 value returned by the
      memcmp().
      Signed-off-by: default avatarIvan Bornyakov <brnkv.i1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5dbffe42
    • Hao Wei Tee's avatar
      iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs · 46bada0a
      Hao Wei Tee authored
      [ Upstream commit ab1068d6 ]
      
      When there are 16 or more logical CPUs, we request for
      `IWL_MAX_RX_HW_QUEUES` (16) IRQs only as we limit to that number of
      IRQs, but later on we compare the number of IRQs returned to
      nr_online_cpus+2 instead of max_irqs, the latter being what we
      actually asked for. This ends up setting num_rx_queues to 17 which
      causes lots of out-of-bounds array accesses later on.
      
      Compare to max_irqs instead, and also add an assertion in case
      num_rx_queues > IWM_MAX_RX_HW_QUEUES.
      
      This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199551
      
      Fixes: 2e5d4a8f ("iwlwifi: pcie: Add new configuration to enable MSIX")
      Signed-off-by: default avatarHao Wei Tee <angelsl@in04.sg>
      Tested-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46bada0a
    • Julian Anastasov's avatar
      ipvs: fix buffer overflow with sync daemon and service · 0063faaa
      Julian Anastasov authored
      [ Upstream commit 52f96757 ]
      
      syzkaller reports for buffer overflow for interface name
      when starting sync daemons [1]
      
      What we do is that we copy user structure into larger stack
      buffer but later we search NUL past the stack buffer.
      The same happens for sched_name when adding/editing virtual server.
      
      We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
      being used as size in include/uapi/linux/ip_vs.h, so they
      include the space for NUL.
      
      As using strlcpy is wrong for unsafe source, replace it with
      strscpy and add checks to return EINVAL if source string is not
      NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
      
      For the netlink interface reduce the len parameter for
      IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
      so that we get proper EINVAL.
      
      [1]
      kernel BUG at lib/string.c:1052!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
          (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
      RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
      RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
      RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
      RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
      R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
      R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
      FS:  00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        strlen include/linux/string.h:270 [inline]
        strlcpy include/linux/string.h:293 [inline]
        do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
        nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
        nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
        ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
        udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
        ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
        tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
        sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
        __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
        __do_sys_setsockopt net/socket.c:1914 [inline]
        __se_sys_setsockopt net/socket.c:1911 [inline]
        __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
        do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x447369
      RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
      RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
      R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
      R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
      Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
      de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
      90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
      RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
      
      Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
      Fixes: e4ff6751 ("ipvs: add sync_maxlen parameter for the sync daemon")
      Fixes: 4da62fc7 ("[IPVS]: Fix for overflows")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Acked-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0063faaa
    • Paolo Abeni's avatar
      netfilter: ebtables: handle string from userspace with care · 8268afc5
      Paolo Abeni authored
      [ Upstream commit 94c752f9 ]
      
      strlcpy() can't be safely used on a user-space provided string,
      as it can try to read beyond the buffer's end, if the latter is
      not NULL terminated.
      
      Leveraging the above, syzbot has been able to trigger the following
      splat:
      
      BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
      [inline]
      BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
      net/bridge/netfilter/ebtables.c:1957 [inline]
      BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
      net/bridge/netfilter/ebtables.c:2059 [inline]
      BUG: KASAN: stack-out-of-bounds in size_entry_mwt
      net/bridge/netfilter/ebtables.c:2155 [inline]
      BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
      net/bridge/netfilter/ebtables.c:2194
      Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
      
      CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x1b9/0x294 lib/dump_stack.c:113
        print_address_description+0x6c/0x20b mm/kasan/report.c:256
        kasan_report_error mm/kasan/report.c:354 [inline]
        kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
        check_memory_region_inline mm/kasan/kasan.c:260 [inline]
        check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
        memcpy+0x37/0x50 mm/kasan/kasan.c:303
        strlcpy include/linux/string.h:300 [inline]
        compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
        ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
        size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
        compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
        compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
        compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
        compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
        compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
        compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
        inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
        compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
        compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
        __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
        __do_compat_sys_setsockopt net/compat.c:416 [inline]
        __se_compat_sys_setsockopt net/compat.c:413 [inline]
        __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
        do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
        do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
        entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7fb3cb9
      RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
      RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      The buggy address belongs to the page:
      page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x2fffc0000000000()
      raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Fix the issue replacing the unsafe function with strscpy() and
      taking care of possible errors.
      
      Fixes: 81e675c2 ("netfilter: ebtables: add CONFIG_COMPAT support")
      Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8268afc5
    • Eric Dumazet's avatar
      xfrm6: avoid potential infinite loop in _decode_session6() · c8197f96
      Eric Dumazet authored
      [ Upstream commit d9f92772 ]
      
      syzbot found a way to trigger an infinitie loop by overflowing
      @offset variable that has been forced to use u16 for some very
      obscure reason in the past.
      
      We probably want to look at NEXTHDR_FRAGMENT handling which looks
      wrong, in a separate patch.
      
      In net-next, we shall try to use skb_header_pointer() instead of
      pskb_may_pull().
      
      watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553]
      Modules linked in:
      irq event stamp: 13885653
      hardirqs last  enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
      hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
      softirqs last  enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline]
      softirqs last  enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825
      softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942
      CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
      RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101
      RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
      RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006
      RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277
      RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8
      R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f
      R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8
      FS:  0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150
       __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368
       xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
       icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372
       icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551
       icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
       ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
       dst_input include/net/dst.h:450 [inline]
       ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208
       __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
       __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
       netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
       napi_frags_finish net/core/dev.c:5226 [inline]
       napi_gro_frags+0x631/0xc40 net/core/dev.c:5299
       tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951
       tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996
       call_write_iter include/linux/fs.h:1784 [inline]
       do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680
       do_iter_write+0x185/0x5f0 fs/read_write.c:959
       vfs_writev+0x1c7/0x330 fs/read_write.c:1004
       do_writev+0x112/0x2f0 fs/read_write.c:1039
       __do_sys_writev fs/read_write.c:1112 [inline]
       __se_sys_writev fs/read_write.c:1109 [inline]
       __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8197f96
    • Greg Kroah-Hartman's avatar
      objtool: update .gitignore file · ccd19d3a
      Greg Kroah-Hartman authored
      With the recent sync with objtool from 4.14.y, the objtool .gitignore
      file was forgotten.  Fix that up now to properly handle the change in
      where the autogenerated files live.
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ccd19d3a
  2. 16 Jun, 2018 31 commits
  3. 13 Jun, 2018 3 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.9.108 · 4f42dc62
      Greg Kroah-Hartman authored
      4f42dc62
    • Philip Müller's avatar
      complete e390f9a9 port for v4.9.106 · cd4f9f23
      Philip Müller authored
      objtool ports introduced in v4.9.106 were not totally complete. Therefore
      they resulted in issues like:
      
        module: overflow in relocation type 10 val XXXXXXXXXXX
        ‘usbcore’ likely not compiled with -mcmodel=kernel
        module: overflow in relocation type 10 val XXXXXXXXXXX
        ‘scsi_mod’ likely not compiled with -mcmodel=kernel
      
      Missing part was the complete backport of commit e390f9a9.
      
      Original notes by Josh Poimboeuf:
      
      The '__unreachable' and '__func_stack_frame_non_standard' sections are
      only used at compile time.  They're discarded for vmlinux but they
      should also be discarded for modules.
      
      Since this is a recurring pattern, prefix the section names with
      ".discard.".  It's a nice convention and vmlinux.lds.h already discards
      such sections.
      
      Also remove the 'a' (allocatable) flag from the __unreachable section
      since it doesn't make sense for a discarded section.
      Signed-off-by: default avatarPhilip Müller <philm@manjaro.org>
      Fixes: d1091c7f ("objtool: Improve detection of BUG() and other dead ends")
      Link: https://gitlab.manjaro.org/packages/core/linux49/issues/2Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd4f9f23
    • Josh Poimboeuf's avatar
      objtool: Fix gcov check for older versions of GCC · 23873aed
      Josh Poimboeuf authored
      commit 867ac9d7 upstream.
      
      Objtool tries to silence 'unreachable instruction' warnings when it
      detects gcov is enabled, because gcov produces a lot of unreachable
      instructions and they don't really matter.
      
      However, the 0-day bot is still reporting some unreachable instruction
      warnings with CONFIG_GCOV_KERNEL=y on GCC 4.6.4.
      
      As it turns out, objtool's gcov detection doesn't work with older
      versions of GCC because they don't create a bunch of symbols with the
      'gcov.' prefix like newer versions of GCC do.
      
      Move the gcov check out of objtool and instead just create a new
      '--no-unreachable' flag which can be passed in by the kernel Makefile
      when CONFIG_GCOV_KERNEL is defined.
      
      Also rename the 'nofp' variable to 'no_fp' for consistency with the new
      'no_unreachable' variable.
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 9cfffb11 ("objtool: Skip all "unreachable instruction" warnings for gcov kernels")
      Link: http://lkml.kernel.org/r/c243dc78eb2ffdabb6e927844dea39b6033cd395.1500939244.git.jpoimboe@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [just Makefile.build as the other parts of this patch already applied - gregkh]
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      23873aed