1. 10 Jun, 2020 20 commits
    • x86/cpu: Add 'table' argument to cpu_matches() · 6682fe2f
      Mark Gross authored
      commit 93920f61 upstream
      
      To make cpu_matches() reusable for other matching tables, have it take a
      pointer to a x86_cpu_id table as an argument.
      
       [ bp: Flip arguments order. ]
      Signed-off-by: Mark Gross <mgross@linux.intel.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • x86/cpu: Add a steppings field to struct x86_cpu_id · 253b9e7a
      Mark Gross authored
      commit e9d71445 upstream
      
      Intel uses the same family/model for several CPUs. Sometimes the
      stepping must be checked to tell them apart.
      
      On x86 there can be at most 16 steppings. Add a steppings bitmask to
      x86_cpu_id and a X86_MATCH_VENDOR_FAMILY_MODEL_STEPPING_FEATURE macro
      and support for matching against family/model/stepping.
      
       [ bp: Massage.
         tglx: Lightweight variant for backporting ]
      Signed-off-by: Mark Gross <mgross@linux.intel.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Reviewed-by: Tony Luck <tony.luck@intel.com>
      Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • nvmem: qfprom: remove incorrect write support · f858a997
      Srinivas Kandagatla authored
      commit 8d9eb0d6 upstream.
      
      qfprom has different address spaces for read and write. Reads are
      always done from corrected address space, whereas writes are done
      on raw address space.
      Writing to corrected address space is invalid and ignored, so it
      does not make sense to have this support in the driver which only
      supports corrected address space regions at the moment.
      
      Fixes: 4ab11996 ("nvmem: qfprom: Add Qualcomm QFPROM support.")
      Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Reviewed-by: Douglas Anderson <dianders@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200522113341.7728-1-srinivas.kandagatla@linaro.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • CDC-ACM: heed quirk also in error handling · b7bf32f7
      Oliver Neukum authored
      commit 97fe8099 upstream.
      
      If buffers are iterated over in the error case, the lower limits
      for quirky devices must be heeded.
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Reported-by: Jean Rene Dawin <jdawin@math.uni-bielefeld.de>
      Fixes: a4e7279c ("cdc-acm: introduce a cool down")
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200526124420.22160-1-oneukum@suse.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK · 695fd932
      Pascal Terjan authored
      commit 15ea976a upstream.
      
      The value in shared headers was fixed 9 years ago in commit 8d661f1e
      ("ieee80211: correct IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK macro") and
      while looking at using shared headers for other duplicated constants
      I noticed this driver uses the old value.
      
      The macros are also defined twice in this file so I am deleting the
      second definition.
      Signed-off-by: Pascal Terjan <pterjan@google.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200523211247.23262-1-pterjan@google.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tty: hvc_console, fix crashes on parallel open/close · efe4feb8
      Jiri Slaby authored
      commit 24eb2377 upstream.
      
      hvc_open sets tty->driver_data to NULL when open fails at some point.
      Typically, the failure happens in hp->ops->notifier_add(). If there is
      a racing process which tries to open such mangled tty, which was not
      closed yet, the process will crash in hvc_open as tty->driver_data is
      NULL.
      
      All this happens because close wants to know whether open failed or not.
      But ->open should not NULL this and other tty fields for ->close to be
      happy. ->open should call tty_port_set_initialized(true) and close
      should check by tty_port_initialized() instead. So do this properly in
      this driver.
      
      So this patch removes these from ->open:
      * tty_port_tty_set(&hp->port, NULL). This happens on last close.
      * tty->driver_data = NULL. Ditto.
      * tty_port_put(&hp->port). This happens in shutdown and until now, this
        must have been causing a reference underflow, if I am not missing
        something.
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      Cc: stable <stable@vger.kernel.org>
      Reported-and-tested-by: Raghavendra <rananta@codeaurora.org>
      Link: https://lore.kernel.org/r/20200526145632.13879-1-jslaby@suse.cz
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • vt: keyboard: avoid signed integer overflow in k_ascii · 18059925
      Dmitry Torokhov authored
      commit b86dab05 upstream.
      
      When k_ascii is invoked several times in a row there is a potential for
      signed integer overflow:
      
      UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow:
      10 * 1111111111 cannot be represented in type 'int'
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xce/0x128 lib/dump_stack.c:118
       ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
       handle_overflow+0xdc/0xf0 lib/ubsan.c:184
       __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
       k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
       kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
       kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
      
      While it can be worked around by using check_mul_overflow()/
      check_add_overflow(), it is better to introduce a separate flag to
      signal that number pad is being used to compose a symbol, and
      change type of the accumulator from signed to unsigned, thus
      avoiding undefined behavior when it overflows.
      Reported-by: Kyungtae Kim <kt0755@gmail.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-ws
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: musb: Fix runtime PM imbalance on error · fa742576
      Dinghao Liu authored
      commit e4befc12 upstream.
      
      When copy_from_user() returns an error code, there
      is a runtime PM usage counter imbalance.
      
      Fix this by moving copy_from_user() to the beginning
      of this function.
      
      Fixes: 7b6c1b4c ("usb: musb: fix runtime PM in debugfs")
      Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
      Cc: stable@vger.kernel.org
      Signed-off-by: Bin Liu <b-liu@ti.com>
      Link: https://lore.kernel.org/r/20200525025049.3400-7-b-liu@ti.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: musb: start session in resume for host port · 996e9ab3
      Bin Liu authored
      commit 7f88a5ac upstream.
      
      Commit 17539f2f ("usb: musb: fix enumeration after resume") replaced
      musb_start() in musb_resume() to not override softconnect bit, but it
      doesn't restart the session for host port which was done in musb_start().
      The session could be disabled in musb_suspend(), which leads to the host
      port not staying in host mode.
      
      So let's start the session specifically for host port in musb_resume().
      
      Fixes: 17539f2f ("usb: musb: fix enumeration after resume")
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Bin Liu <b-liu@ti.com>
      Link: https://lore.kernel.org/r/20200525025049.3400-3-b-liu@ti.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • iio: vcnl4000: Fix i2c swapped word reading. · 3fd6c6a9
      Mathieu Othacehe authored
      commit 18dfb532 upstream.
      
      The bytes returned by the i2c reading need to be swapped
      unconditionally. Otherwise, on be16 platforms, an incorrect value will be
      returned.
      
      Taking the slow path via next merge window as it's been around a while
      and we have a patch set dependent on this which would be held up.
      
      Fixes: 62a1efb9 ("iio: add vcnl4000 combined ALS and proximity sensor")
      Signed-off-by: Mathieu Othacehe <m.othacehe@gmail.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: serial: option: add Telit LE910C1-EUX compositions · 7a2ad9f3
      Daniele Palmas authored
      commit 399ad947 upstream.
      
      Add Telit LE910C1-EUX compositions:
      
      	0x1031: tty, tty, tty, rmnet
      	0x1033: tty, tty, tty, ecm
      Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
      Link: https://lore.kernel.org/r/20200525211106.27338-1-dnlplm@gmail.com
      Cc: stable@vger.kernel.org
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: serial: usb_wwan: do not resubmit rx urb on fatal errors · d55b643c
      Bin Liu authored
      commit 986c1748 upstream.
      
      usb_wwan_indat_callback() shouldn't resubmit rx urb if the previous urb
      status is a fatal error. Otherwise the usb controller would keep processing
      the new urbs, then run into an interrupt storm, and have no chance to recover.
      
      Fixes: 6c1ee66a ("USB-Serial: Fix error handling of usb_wwan")
      Cc: stable@vger.kernel.org
      Signed-off-by: Bin Liu <b-liu@ti.com>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • USB: serial: qcserial: add DW5816e QDL support · 2c6ab361
      Matt Jolly authored
      commit 3429444a upstream.
      
      Add support for Dell Wireless 5816e Download Mode (AKA boot & hold mode /
      QDL download mode) to drivers/usb/serial/qcserial.c
      
      This is required to update device firmware.
      Signed-off-by: Matt Jolly <Kangie@footclan.ninja>
      Cc: stable@vger.kernel.org
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: check untrusted gso_size at kernel entry · 8920e8ae
      Willem de Bruijn authored
      [ Upstream commit 6dd912f8 ]
      
      Syzkaller again found a path to a kernel crash through bad gso input:
      a packet with gso size exceeding len.
      
      These packets are dropped in tcp_gso_segment and udp[46]_ufo_fragment.
      But they may affect gso size calculations earlier in the path.
      
      Now that we have thlen as of commit 9274124f ("net: stricter
      validation of untrusted gso packets"), check gso_size at entry too.
      
      Fixes: bfd5f4a3 ("packet: Add GSO/csum offload support.")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • vsock: fix timeout in vsock_accept() · 630be67a
      Stefano Garzarella authored
      [ Upstream commit 7e0afbdf ]
      
      The accept(2) is an "input" socket interface, so we should use
      SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
      
      So this patch replaces sock_sndtimeo() with sock_rcvtimeo() to
      use the right timeout in vsock_accept().
      
      Fixes: d021c344 ("VSOCK: Introduce VM Sockets")
      Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
      Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • NFC: st21nfca: add missed kfree_skb() in an error path · c6f79b7b
      Chuhong Yuan authored
      [ Upstream commit 3decabdc ]
      
      st21nfca_tm_send_atr_res() fails to call kfree_skb() in an error path.
      Add the missed function call to fix it.
      
      Fixes: 1892bf84 ("NFC: st21nfca: Adding P2P support to st21nfca in Initiator & Target mode")
      Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: usb: qmi_wwan: add Telit LE910C1-EUX composition · ed9ab2c2
      Daniele Palmas authored
      [ Upstream commit 591612aa ]
      
      Add support for Telit LE910C1-EUX composition
      
      0x1031: tty, tty, tty, rmnet
      Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
      Acked-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • l2tp: do not use inet_hash()/inet_unhash() · 825c2522
      Eric Dumazet authored
      [ Upstream commit 02c71b14 ]
      
      syzbot recently found a way to crash the kernel [1]
      
      Issue here is that inet_hash() & inet_unhash() are currently
      only meant to be used by TCP & DCCP, since only these protocols
      provide the needed hashinfo pointer.
      
      L2TP uses a single list (instead of a hash table)
      
      This old bug became an issue after commit 61023658
      ("bpf: Add new cgroup attach type to enable sock modifications")
      since after this commit, sk_common_release() can be called
      while the L2TP socket is still considered 'hashed'.
      
      general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
      CPU: 0 PID: 7063 Comm: syz-executor654 Not tainted 5.7.0-rc6-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
      Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
      RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
      RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
      RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
      R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
      R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
      FS:  0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       sk_common_release+0xba/0x370 net/core/sock.c:3210
       inet_create net/ipv4/af_inet.c:390 [inline]
       inet_create+0x966/0xe00 net/ipv4/af_inet.c:248
       __sock_create+0x3cb/0x730 net/socket.c:1428
       sock_create net/socket.c:1479 [inline]
       __sys_socket+0xef/0x200 net/socket.c:1521
       __do_sys_socket net/socket.c:1530 [inline]
       __se_sys_socket net/socket.c:1528 [inline]
       __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
       do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      RIP: 0033:0x441e29
      Code: e8 fc b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffdce184148 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441e29
      RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 0000000000402c30 R14: 0000000000000000 R15: 0000000000000000
      Modules linked in:
      ---[ end trace 23b6578228ce553e ]---
      RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
      Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
      RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
      RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
      RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
      R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
      R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
      FS:  0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      
      Fixes: 0d76751f ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: James Chapman <jchapman@katalix.com>
      Cc: Andrii Nakryiko <andriin@fb.com>
      Reported-by: syzbot+3610d489778b57cc8031@syzkaller.appspotmail.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • l2tp: add sk_family checks to l2tp_validate_socket · 04d588fe
      Eric Dumazet authored
      [ Upstream commit d9a81a22 ]
      
      syzbot was able to trigger a crash after using an ISDN socket
      and fool l2tp.
      
      Fix this by making sure the UDP socket is of the proper family.
      
      BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
      Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018
      
      CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x188/0x20d lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
       __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
       kasan_report+0x33/0x50 mm/kasan/common.c:625
       setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
       l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523
       l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249
       genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline]
       genl_family_rcv_msg net/netlink/genetlink.c:718 [inline]
       genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735
       netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
       genl_rcv+0x24/0x40 net/netlink/genetlink.c:746
       netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
       netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
       netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0xcf/0x120 net/socket.c:672
       ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352
       ___sys_sendmsg+0x100/0x170 net/socket.c:2406
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
       do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      RIP: 0033:0x45ca29
      Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29
      RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
      RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4
      
      Allocated by task 3018:
       save_stack+0x1b/0x40 mm/kasan/common.c:49
       set_track mm/kasan/common.c:57 [inline]
       __kasan_kmalloc mm/kasan/common.c:495 [inline]
       __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
       __do_kmalloc mm/slab.c:3656 [inline]
       __kmalloc+0x161/0x7a0 mm/slab.c:3665
       kmalloc include/linux/slab.h:560 [inline]
       sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612
       sk_alloc+0x36/0x1100 net/core/sock.c:1666
       data_sock_create drivers/isdn/mISDN/socket.c:600 [inline]
       mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796
       __sock_create+0x3cb/0x730 net/socket.c:1428
       sock_create net/socket.c:1479 [inline]
       __sys_socket+0xef/0x200 net/socket.c:1521
       __do_sys_socket net/socket.c:1530 [inline]
       __se_sys_socket net/socket.c:1528 [inline]
       __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
       do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      Freed by task 2484:
       save_stack+0x1b/0x40 mm/kasan/common.c:49
       set_track mm/kasan/common.c:57 [inline]
       kasan_set_free_info mm/kasan/common.c:317 [inline]
       __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
       __cache_free mm/slab.c:3426 [inline]
       kfree+0x109/0x2b0 mm/slab.c:3757
       kvfree+0x42/0x50 mm/util.c:603
       __free_fdtable+0x2d/0x70 fs/file.c:31
       put_files_struct fs/file.c:420 [inline]
       put_files_struct+0x248/0x2e0 fs/file.c:413
       exit_files+0x7e/0xa0 fs/file.c:445
       do_exit+0xb04/0x2dd0 kernel/exit.c:791
       do_group_exit+0x125/0x340 kernel/exit.c:894
       get_signal+0x47b/0x24e0 kernel/signal.c:2739
       do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784
       exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161
       prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
       do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      The buggy address belongs to the object at ffff88808ed0c000
       which belongs to the cache kmalloc-2k of size 2048
      The buggy address is located 1424 bytes inside of
       2048-byte region [ffff88808ed0c000, ffff88808ed0c800)
      The buggy address belongs to the page:
      page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0xfffe0000000200(slab)
      raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00
      raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
       ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: 6b9f3423 ("l2tp: fix races in tunnel creation")
      Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: James Chapman <jchapman@katalix.com>
      Cc: Guillaume Nault <gnault@redhat.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Acked-by: Guillaume Nault <gnault@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • devinet: fix memleak in inetdev_init() · be233b75
      Yang Yingliang authored
      [ Upstream commit 1b49cd71 ]
      
      When devinet_sysctl_register() failed, the memory allocated
      in neigh_parms_alloc() should be freed.
      
      Fixes: 20e61da7 ("ipv4: fail early when creating netdev named all or default")
      Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
      Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 07 Jun, 2020 20 commits