1. 07 Jun, 2017 40 commits
    • Paul Burton's avatar
      MIPS: Calculate microMIPS ra properly when unwinding the stack · 8577fb6b
      Paul Burton authored
      commit bb9bc468 upstream.
      
      get_frame_info() calculates the offset of the return address within a
      stack frame simply by dividing a the bottom 16 bits of the instruction,
      treated as a signed integer, by the size of a long. Whilst this works
      for MIPS32 & MIPS64 ISAs where the sw or sd instructions are used, it's
      incorrect for microMIPS where encodings differ. The result is that we
      typically completely fail to unwind the stack on microMIPS.
      
      Fix this by adjusting is_ra_save_ins() to calculate the return address
      offset, and take into account the various different encodings there in
      the same place as we consider whether an instruction is storing the
      ra/$31 register.
      
      With this we are now able to unwind the stack for kernels targetting the
      microMIPS ISA, for example we can produce:
      
          Call Trace:
          [<80109e1f>] show_stack+0x63/0x7c
          [<8011ea17>] __warn+0x9b/0xac
          [<8011ea45>] warn_slowpath_fmt+0x1d/0x20
          [<8013fe53>] register_console+0x43/0x314
          [<8067c58d>] of_setup_earlycon+0x1dd/0x1ec
          [<8067f63f>] early_init_dt_scan_chosen_stdout+0xe7/0xf8
          [<8066c115>] do_early_param+0x75/0xac
          [<801302f9>] parse_args+0x1dd/0x308
          [<8066c459>] parse_early_options+0x25/0x28
          [<8066c48b>] parse_early_param+0x2f/0x38
          [<8066e8cf>] setup_arch+0x113/0x488
          [<8066c4f3>] start_kernel+0x57/0x328
          ---[ end trace 0000000000000000 ]---
      
      Whereas previously we only produced:
      
          Call Trace:
          [<80109e1f>] show_stack+0x63/0x7c
          ---[ end trace 0000000000000000 ]---
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14532/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      8577fb6b
    • Paul Burton's avatar
      MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions · a3e70c33
      Paul Burton authored
      commit 67c75057 upstream.
      
      is_jump_ins() checks 16b instruction fields without verifying that the
      instruction is indeed 16b, as is done by is_ra_save_ins() &
      is_sp_move_ins(). Add the appropriate check.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14531/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a3e70c33
    • Paul Burton's avatar
      MIPS: Fix get_frame_info() handling of microMIPS function size · 9c01ee59
      Paul Burton authored
      commit b6c7a324 upstream.
      
      get_frame_info() is meant to iterate over up to the first 128
      instructions within a function, but for microMIPS kernels it will not
      reach that many instructions unless the function is 512 bytes long since
      we calculate the maximum number of instructions to check by dividing the
      function length by the 4 byte size of a union mips_instruction. In
      microMIPS kernels this won't do since instructions are variable length.
      
      Fix this by instead checking whether the pointer to the current
      instruction has reached the end of the function, and use max_insns as a
      simple constant to check the number of iterations against.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14530/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9c01ee59
    • Paul Burton's avatar
      MIPS: Prevent unaligned accesses during stack unwinding · 15d2aa74
      Paul Burton authored
      commit a3552dac upstream.
      
      During stack unwinding we call a number of functions to determine what
      type of instruction we're looking at. The union mips_instruction pointer
      provided to them may be pointing at a 2 byte, but not 4 byte, aligned
      address & we thus cannot directly access the 4 byte wide members of the
      union mips_instruction. To avoid this is_ra_save_ins() copies the
      required half-words of the microMIPS instruction to a correctly aligned
      union mips_instruction on the stack, which it can then access safely.
      The is_jump_ins() & is_sp_move_ins() functions do not correctly perform
      this temporary copy, and instead attempt to directly dereference 4 byte
      fields which may be misaligned and lead to an address exception.
      
      Fix this by copying the instruction halfwords to a temporary union
      mips_instruction in get_frame_info() such that we can provide a 4 byte
      aligned union mips_instruction to the is_*_ins() functions and they do
      not need to deal with misalignment themselves.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14529/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      15d2aa74
    • Paul Burton's avatar
      MIPS: Clear ISA bit correctly in get_frame_info() · 1809a783
      Paul Burton authored
      commit ccaf7caf upstream.
      
      get_frame_info() can be called in microMIPS kernels with the ISA bit
      already clear. For example this happens when unwind_stack_by_address()
      is called because we begin with a PC that has the ISA bit set & subtract
      the (odd) offset from the preceding symbol (which does not have the ISA
      bit set). Since get_frame_info() unconditionally subtracts 1 from the PC
      in microMIPS kernels it incorrectly misaligns the address it then
      attempts to access code at, leading to an address error exception.
      
      Fix this by using msk_isa16_mode() to clear the ISA bit, which allows
      get_frame_info() to function regardless of whether it is provided with a
      PC that has the ISA bit set or not.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: 34c2f668 ("MIPS: microMIPS: Add unaligned access support.")
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14528/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      1809a783
    • James Cowgill's avatar
      MIPS: OCTEON: Fix copy_from_user fault handling for large buffers · e51712a8
      James Cowgill authored
      commit 884b4269 upstream.
      
      If copy_from_user is called with a large buffer (>= 128 bytes) and the
      userspace buffer refers partially to unreadable memory, then it is
      possible for Octeon's copy_from_user to report the wrong number of bytes
      have been copied. In the case where the buffer size is an exact multiple
      of 128 and the fault occurs in the last 64 bytes, copy_from_user will
      report that all the bytes were copied successfully but leave some
      garbage in the destination buffer.
      
      The bug is in the main __copy_user_common loop in octeon-memcpy.S where
      in the middle of the loop, src and dst are incremented by 128 bytes. The
      l_exc_copy fault handler is used after this but that assumes that
      "src < THREAD_BUADDR($28)". This is not the case if src has already been
      incremented.
      
      Fix by adding an extra fault handler which rewinds the src and dst
      pointers 128 bytes before falling though to l_exc_copy.
      
      Thanks to the pwritev test from the strace test suite for originally
      highlighting this bug!
      
      Fixes: 5b3b1688 ("MIPS: Add Cavium OCTEON processor support ...")
      Signed-off-by: default avatarJames Cowgill <James.Cowgill@imgtec.com>
      Acked-by: default avatarDavid Daney <david.daney@cavium.com>
      Reviewed-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14978/Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e51712a8
    • Shmulik Ladkani's avatar
      net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames · beb27bf1
      Shmulik Ladkani authored
      commit d65f2fa6 upstream.
      
      META_COLLECTOR int_vlan_tag() assumes that if the accel tag (vlan_tci)
      is zero, then no vlan accel tag is present.
      
      This is incorrect for zero VID vlan accel packets, making the following
      match fail:
        tc filter add ... basic match 'meta(vlan mask 0xfff eq 0)' ...
      
      Apparently 'int_vlan_tag' was implemented prior VLAN_TAG_PRESENT was
      introduced in 05423b24 "vlan: allow null VLAN ID to be used"
      (and at time introduced, the 'vlan_tx_tag_get' call in em_meta was not
       adapted).
      
      Fix, testing skb_vlan_tag_present instead of testing skb_vlan_tag_get's
      value.
      
      Fixes: 05423b24 ("vlan: allow null VLAN ID to be used")
      Fixes: 1a31f204 ("netsched: Allow meta match on vlan tag on receive")
      Signed-off-by: default avatarShmulik Ladkani <shmulik.ladkani@gmail.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      beb27bf1
    • Steffen Klassert's avatar
      vti4: Don't count header length twice. · 37fdac58
      Steffen Klassert authored
      commit a3245236 upstream.
      
      We currently count the size of LL_MAX_HEADER and struct iphdr
      twice for vti4 devices, this leads to a wrong device mtu.
      The size of LL_MAX_HEADER and struct iphdr is already counted in
      ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init().
      
      Fixes: b9959fd3 ("vti: switch to new ip tunnel code")
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      37fdac58
    • Daniel Borkmann's avatar
      net: 6lowpan: fix lowpan_header_create non-compression memcpy call · 3ac993d4
      Daniel Borkmann authored
      commit 965801e1 upstream.
      
      In function lowpan_header_create(), we invoke the following code
      construct:
      
        struct ipv6hdr *hdr;
        ...
        hdr = ipv6_hdr(skb);
        ...
        if (...)
          memcpy(hc06_ptr + 1, &hdr->flow_lbl[1], 2);
        else
          memcpy(hc06_ptr, &hdr, 4);
      
      Where the else path of the condition, that is, non-compression
      path, calls memcpy() with a pointer to struct ipv6hdr *hdr as
      source, thus two levels of indirection. This cannot be correct,
      and likely only one level of pointer was intended as source
      buffer for memcpy() here.
      
      Fixes: 44331fe2 ("IEEE802.15.4: 6LoWPAN basic support")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>
      Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Cc: Werner Almesberger <werner@almesberger.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3ac993d4
    • Dan Carpenter's avatar
      drm/nv50/disp: min/max are reversed in nv50_crtc_gamma_set() · c4c175db
      Dan Carpenter authored
      commit bdefc8cb upstream.
      
      We should be taking the minimum here instead of the max.  It could lead
      to a buffer overflow.
      
      Fixes: 438d99e3 ('drm/nvd0/disp: initial crtc object implementation')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      
      a/drm/nv50_display.c b/drm/nv50_display.c
      index f8e66c08b11a..4e384a2f99c3 100644
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c4c175db
    • Dan Carpenter's avatar
      mfd: pm8921: Potential NULL dereference in pm8921_remove() · dad5635c
      Dan Carpenter authored
      commit d6daef95 upstream.
      
      We assume that "pmic" could be NULL and then dereference it two lines
      later.  I fix this by moving the dereference inside the NULL check.
      
      Fixes: c013f0a5 ('mfd: Add pm8xxx irq support')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      dad5635c
    • Ben Hutchings's avatar
      ocfs2: do not write error flag to user structure we cannot copy from/to · 511ae3b9
      Ben Hutchings authored
      commit 2b462638 upstream.
      
      If we failed to copy from the structure, writing back the flags leaks 31
      bits of kernel memory (the rest of the ir_flags field).
      
      In any case, if we cannot copy from/to the structure, why should we
      expect putting just the flags to work?
      
      Also make sure ocfs2_info_handle_freeinode() returns the right error
      code if the copy_to_user() fails.
      
      Fixes: ddee5cdb ('Ocfs2: Add new OCFS2_IOC_INFO ioctl for ocfs2 v8.')
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Joel Becker <jlbec@evilplan.org>
      Acked-by: default avatarMark Fasheh <mfasheh@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      511ae3b9
    • Thomas Gleixner's avatar
      goldfish: Sanitize the broken interrupt handler · 7fb0b447
      Thomas Gleixner authored
      commit 6cf18e69 upstream.
      
      This interrupt handler is broken in several ways:
      
        - It loops forever when the op code is not decodeable
      
        - It never returns IRQ_HANDLED because the only way to exit the loop
          returns IRQ_NONE unconditionally.
      
      The whole concept of this is broken. Creating devices in an interrupt
      handler is beyond any point of sanity.
      
      Make it at least behave halfways sane so accidental users do not have to
      deal with a hard to debug lockup.
      
      Fixes: e809c22b ("goldfish: add the goldfish virtual bus")
      Reported-by: default avatarGabriel C <nix.or.die@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      7fb0b447
    • Thomas Gleixner's avatar
      x86/platform/goldfish: Prevent unconditional loading · d3926e19
      Thomas Gleixner authored
      commit 47512cfd upstream.
      
      The goldfish platform code registers the platform device unconditionally
      which causes havoc in several ways if the goldfish_pdev_bus driver is
      enabled:
      
       - Access to the hardcoded physical memory region, which is either not
         available or contains stuff which is completely unrelated.
      
       - Prevents that the interrupt of the serial port can be requested
      
       - In case of a spurious interrupt it goes into a infinite loop in the
         interrupt handler of the pdev_bus driver (which needs to be fixed
         seperately).
      
      Add a 'goldfish' command line option to make the registration opt-in when
      the platform is compiled in.
      
      I'm seriously grumpy about this engineering trainwreck, which has seven
      SOBs from Intel developers for 50 lines of code. And none of them figured
      out that this is broken. Impressive fail!
      
      Fixes: ddd70cf9 ("goldfish: platform device for x86")
      Reported-by: default avatarGabriel C <nix.or.die@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      d3926e19
    • Johan Hovold's avatar
      USB: serial: ark3116: fix register-accessor error handling · 9ce78b1e
      Johan Hovold authored
      commit 9fef37d7 upstream.
      
      The current implementation failed to detect short transfers, something
      which could lead to bits of the uninitialised heap transfer buffer
      leaking to user space.
      
      Fixes: 149fc791 ("USB: ark3116: Setup some basic infrastructure for new ark3116 driver.")
      Fixes: f4c1e8d5 ("USB: ark3116: Make existing functions 16450-aware and add close and release functions.")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9ce78b1e
    • Johan Hovold's avatar
      USB: serial: opticon: fix CTS retrieval at open · 1110205c
      Johan Hovold authored
      commit 2eee0502 upstream.
      
      The opticon driver used a control request at open to trigger a CTS
      status notification to be sent over the bulk-in pipe. When the driver
      was converted to using the generic read implementation, an inverted test
      prevented this request from being sent, something which could lead to
      TIOCMGET reporting an incorrect CTS state.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 7a6ee2b0 ("USB: opticon: switch to generic read implementation")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      1110205c
    • Johan Hovold's avatar
      USB: serial: spcp8x5: fix modem-status handling · 3e642b83
      Johan Hovold authored
      commit 5ed8d410 upstream.
      
      Make sure to detect short control transfers and return zero on success
      when retrieving the modem status.
      
      This fixes the TIOCMGET implementation which since e1ed212d ("USB:
      spcp8x5: add proper modem-status support") has returned TIOCM_LE on
      successful retrieval, and avoids leaking bits from the stack on short
      transfers.
      
      This also fixes the carrier-detect implementation which since the above
      mentioned commit unconditionally has returned true.
      
      Fixes: e1ed212d ("USB: spcp8x5: add proper modem-status support")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3e642b83
    • Johan Hovold's avatar
      USB: serial: ftdi_sio: fix line-status over-reporting · c1514183
      Johan Hovold authored
      commit a6bb1e17 upstream.
      
      FTDI devices use a receive latency timer to periodically empty the
      receive buffer and report modem and line status (also when the buffer is
      empty).
      
      When a break or error condition is detected the corresponding status
      flags will be set on a packet with nonzero data payload and the flags
      are not updated until the break is over or further characters are
      received.
      
      In order to avoid over-reporting break and error conditions, these flags
      must therefore only be processed for packets with payload.
      
      This specifically fixes the case where after an overrun, the error
      condition is continuously reported and NULL-characters inserted until
      further data is received.
      Reported-by: default avatarMichael Walle <michael@walle.cc>
      Fixes: 72fda3ca ("USB: serial: ftd_sio: implement sysrq handling on
      break")
      Fixes: 166ceb69 ("USB: ftdi_sio: clean up line-status handling")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c1514183
    • Johan Hovold's avatar
      USB: serial: ftdi_sio: fix extreme low-latency setting · af1f7fb6
      Johan Hovold authored
      commit c6dce262 upstream.
      
      Since commit 557aaa7f ("ft232: support the ASYNC_LOW_LATENCY
      flag") the FTDI driver has been using a receive latency-timer value of
      1 ms instead of the device default of 16 ms.
      
      The latency timer is used to periodically empty a non-full receive
      buffer, but a status header is always sent when the timer expires
      including when the buffer is empty. This means that a two-byte bulk
      message is received every millisecond also for an otherwise idle port as
      long as it is open.
      
      Let's restore the pre-2009 behaviour which reduces the rate of the
      status messages to 1/16th (e.g. interrupt frequency drops from 1 kHz to
      62.5 Hz) by not setting ASYNC_LOW_LATENCY by default.
      
      Anyone willing to pay the price for the minimum-latency behaviour should
      set the flag explicitly instead using the TIOCSSERIAL ioctl or a tool
      such as setserial (e.g. setserial /dev/ttyUSB0 low_latency).
      
      Note that since commit 0cbd81a9 ("USB: ftdi_sio: remove
      tty->low_latency") the ASYNC_LOW_LATENCY flag has no other effects but
      to set a minimal latency timer.
      Reported-by: default avatarAntoine Aubert <a.aubert@overkiz.com>
      Fixes: 557aaa7f ("ft232: support the ASYNC_LOW_LATENCY flag")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      af1f7fb6
    • Johan Hovold's avatar
      USB: serial: ftdi_sio: fix modem-status error handling · aa814edb
      Johan Hovold authored
      commit 427c3a95 upstream.
      
      Make sure to detect short responses when fetching the modem status in
      order to avoid parsing uninitialised buffer data and having bits of it
      leak to user space.
      
      Note that we still allow for short 1-byte responses.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      aa814edb
    • Johan Hovold's avatar
      USB: serial: mos7840: fix another NULL-deref at open · c8c6bd83
      Johan Hovold authored
      commit 5182c2cf upstream.
      
      Fix another NULL-pointer dereference at open should a malicious device
      lack an interrupt-in endpoint.
      
      Note that the driver has a broken check for an interrupt-in endpoint
      which means that an interrupt URB has never even been submitted.
      
      Fixes: 3f542974 ("USB: Moschip 7840 USB-Serial Driver")
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c8c6bd83
    • Maxime Jayat's avatar
      net: socket: fix recvmmsg not returning error from sock_error · 0b5240c4
      Maxime Jayat authored
      commit e623a9e9 upstream.
      
      Commit 34b88a68 ("net: Fix use after free in the recvmmsg exit path"),
      changed the exit path of recvmmsg to always return the datagrams
      variable and modified the error paths to set the variable to the error
      code returned by recvmsg if necessary.
      
      However in the case sock_error returned an error, the error code was
      then ignored, and recvmmsg returned 0.
      
      Change the error path of recvmmsg to correctly return the error code
      of sock_error.
      
      The bug was triggered by using recvmmsg on a CAN interface which was
      not up. Linux 4.6 and later return 0 in this case while earlier
      releases returned -ENETDOWN.
      
      Fixes: 34b88a68 ("net: Fix use after free in the recvmmsg exit path")
      Signed-off-by: default avatarMaxime Jayat <maxime.jayat@mobile-devices.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      0b5240c4
    • Anoob Soman's avatar
      packet: Do not call fanout_release from atomic contexts · 9aab3592
      Anoob Soman authored
      commit 2bd624b4 upstream.
      
      Commit 66644982 ("packet: call fanout_release, while UNREGISTERING a
      netdev"), unfortunately, introduced the following issues.
      
      1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside
      rcu_read-side critical section. rcu_read_lock disables preemption, most often,
      which prohibits calling sleeping functions.
      
      [  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
      [  ]
      [  ] rcu_scheduler_active = 1, debug_locks = 0
      [  ] 4 locks held by ovs-vswitchd/1969:
      [  ]  #0:  (cb_lock){++++++}, at: [<ffffffff8158a6c9>] genl_rcv+0x19/0x40
      [  ]  #1:  (ovs_mutex){+.+.+.}, at: [<ffffffffa04878ca>] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
      [  ]  #2:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81564157>] rtnl_lock+0x17/0x20
      [  ]  #3:  (rcu_read_lock){......}, at: [<ffffffff81614165>] packet_notifier+0x5/0x3f0
      [  ]
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff810c9077>] lockdep_rcu_suspicious+0x107/0x110
      [  ]  [<ffffffff810a2da7>] ___might_sleep+0x57/0x210
      [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
      [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
      [  ]  [<ffffffff810de93f>] ? vprintk_default+0x1f/0x30
      [  ]  [<ffffffff81186e88>] ? printk+0x4d/0x4f
      [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock).
      "sleeping function called from invalid context"
      
      [  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
      [  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
      [  ] INFO: lockdep is turned off.
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff810a2f52>] ___might_sleep+0x202/0x210
      [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
      [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
      [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      3. calling dev_remove_pack(&fanout->prot_hook), from inside
      spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack()
      -> synchronize_net(), which might sleep.
      
      [  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
      [  ] INFO: lockdep is turned off.
      [  ] Call Trace:
      [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
      [  ]  [<ffffffff81186274>] __schedule_bug+0x64/0x73
      [  ]  [<ffffffff8162b8cb>] __schedule+0x6b/0xd10
      [  ]  [<ffffffff8162c5db>] schedule+0x6b/0x80
      [  ]  [<ffffffff81630b1d>] schedule_timeout+0x38d/0x410
      [  ]  [<ffffffff810ea3fd>] synchronize_sched_expedited+0x53d/0x810
      [  ]  [<ffffffff810ea6de>] synchronize_rcu_expedited+0xe/0x10
      [  ]  [<ffffffff8154eab5>] synchronize_net+0x35/0x50
      [  ]  [<ffffffff8154eae3>] dev_remove_pack+0x13/0x20
      [  ]  [<ffffffff8161077e>] fanout_release+0xbe/0xe0
      [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
      
      4. fanout_release() races with calls from different CPU.
      
      To fix the above problems, remove the call to fanout_release() under
      rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and
      netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order
      to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
      __fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
      fanout->prot_hook is removed as well.
      
      [js] no rollover in 3.12
      
      Fixes: 66644982 ("packet: call fanout_release, while UNREGISTERING a netdev")
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarAnoob Soman <anoob.soman@citrix.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9aab3592
    • Eric Dumazet's avatar
      packet: fix races in fanout_add() · 2a272abc
      Eric Dumazet authored
      commit d199fab6 upstream.
      
      Multiple threads can call fanout_add() at the same time.
      
      We need to grab fanout_mutex earlier to avoid races that could
      lead to one thread freeing po->rollover that was set by another thread.
      
      Do the same in fanout_release(), for peace of mind, and to help us
      finding lockdep issues earlier.
      
      [js] no rollover in 3.12
      
      Fixes: dc99f600 ("packet: Add fanout support.")
      Fixes: 0648ab70 ("packet: rollover prepare: per-socket state")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      2a272abc
    • Eric Dumazet's avatar
      l2tp: do not use udp_ioctl() · 3d753377
      Eric Dumazet authored
      commit 72fb96e7 upstream.
      
      udp_ioctl(), as its name suggests, is used by UDP protocols,
      but is also used by L2TP :(
      
      L2TP should use its own handler, because it really does not
      look the same.
      
      SIOCINQ for instance should not assume UDP checksum or headers.
      
      Thanks to Andrey and syzkaller team for providing the report
      and a nice reproducer.
      
      While crashes only happen on recent kernels (after commit
      7c13f97f ("udp: do fwd memory scheduling on dequeue")), this
      probably needs to be backported to older kernels.
      
      Fixes: 7c13f97f ("udp: do fwd memory scheduling on dequeue")
      Fixes: 85584672 ("udp: Fix udp_poll() and ioctl()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3d753377
    • WANG Cong's avatar
      ping: fix a null pointer dereference · c6dfb877
      WANG Cong authored
      commit 73d2c667 upstream.
      
      Andrey reported a kernel crash:
      
        general protection fault: 0000 [#1] SMP KASAN
        Dumping ftrace buffer:
           (ftrace buffer empty)
        Modules linked in:
        CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        task: ffff880060048040 task.stack: ffff880069be8000
        RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
        RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
        RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
        RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
        RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
        RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
        R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
        R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
        FS:  00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
        Call Trace:
         inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
         sock_sendmsg_nosec net/socket.c:635 [inline]
         sock_sendmsg+0xca/0x110 net/socket.c:645
         SYSC_sendto+0x660/0x810 net/socket.c:1687
         SyS_sendto+0x40/0x50 net/socket.c:1655
         entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      This is because we miss a check for NULL pointer for skb_peek() when
      the queue is empty. Other places already have the same check.
      
      Fixes: c319b4d7 ("net: ipv4: add IPPROTO_ICMP socket kind")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c6dfb877
    • Eric Dumazet's avatar
      ip6_gre: fix ip6gre_err() invalid reads · a05c8e39
      Eric Dumazet authored
      commit 7892032c upstream.
      
      Andrey Konovalov reported out of bound accesses in ip6gre_err()
      
      If GRE flags contains GRE_KEY, the following expression
      *(((__be32 *)p) + (grehlen / 4) - 1)
      
      accesses data ~40 bytes after the expected point, since
      grehlen includes the size of IPv6 headers.
      
      Let's use a "struct gre_base_hdr *greh" pointer to make this
      code more readable.
      
      p[1] becomes greh->protocol.
      grhlen is the GRE header length.
      
      Fixes: c12b395a ("gre: Support GRE over IPv6")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a05c8e39
    • Eric Dumazet's avatar
      netlabel: out of bound access in cipso_v4_validate() · 96296cdd
      Eric Dumazet authored
      commit d71b7896 upstream.
      
      syzkaller found another out of bound access in ip_options_compile(),
      or more exactly in cipso_v4_validate()
      
      Fixes: 20e2a864 ("cipso: handle CIPSO options correctly when NetLabel is disabled")
      Fixes: 446fda4f ("[NetLabel]: CIPSOv4 engine")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarDmitry Vyukov  <dvyukov@google.com>
      Cc: Paul Moore <paul@paul-moore.com>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      96296cdd
    • Eric Dumazet's avatar
      ipv4: keep skb->dst around in presence of IP options · 050c3097
      Eric Dumazet authored
      commit 34b2cef2 upstream.
      
      Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
      is accessed.
      
      ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
      are present.
      
      We could refine the test to the presence of ts_needtime or srr,
      but IP options are not often used, so let's be conservative.
      
      Thanks to syzkaller team for finding this bug.
      
      Fixes: d826eb14 ("ipv4: PKTINFO doesnt need dst reference")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      050c3097
    • Eric Dumazet's avatar
      net: use a work queue to defer net_disable_timestamp() work · efca6f52
      Eric Dumazet authored
      commit 5fa8bbda upstream.
      
      Dmitry reported a warning [1] showing that we were calling
      net_disable_timestamp() -> static_key_slow_dec() from a non
      process context.
      
      Grabbing a mutex while holding a spinlock or rcu_read_lock()
      is not allowed.
      
      As Cong suggested, we now use a work queue.
      
      It is possible netstamp_clear() exits while netstamp_needed_deferred
      is not zero, but it is probably not worth trying to do better than that.
      
      netstamp_needed_deferred atomic tracks the exact number of deferred
      decrements.
      
      [1]
      [ INFO: suspicious RCU usage. ]
      4.10.0-rc5+ #192 Not tainted
      -------------------------------
      ./include/linux/rcupdate.h:561 Illegal context switch in RCU read-side
      critical section!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 0
      2 locks held by syz-executor14/23111:
       #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff83a35c35>] lock_sock
      include/net/sock.h:1454 [inline]
       #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff83a35c35>]
      rawv6_sendmsg+0x1e65/0x3ec0 net/ipv6/raw.c:919
       #1:  (rcu_read_lock){......}, at: [<ffffffff83ae2678>] nf_hook
      include/linux/netfilter.h:201 [inline]
       #1:  (rcu_read_lock){......}, at: [<ffffffff83ae2678>]
      __ip6_local_out+0x258/0x840 net/ipv6/output_core.c:160
      
      stack backtrace:
      CPU: 2 PID: 23111 Comm: syz-executor14 Not tainted 4.10.0-rc5+ #192
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
      01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:15 [inline]
       dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
       lockdep_rcu_suspicious+0x139/0x180 kernel/locking/lockdep.c:4452
       rcu_preempt_sleep_check include/linux/rcupdate.h:560 [inline]
       ___might_sleep+0x560/0x650 kernel/sched/core.c:7748
       __might_sleep+0x95/0x1a0 kernel/sched/core.c:7739
       mutex_lock_nested+0x24f/0x1730 kernel/locking/mutex.c:752
       atomic_dec_and_mutex_lock+0x119/0x160 kernel/locking/mutex.c:1060
       __static_key_slow_dec+0x7a/0x1e0 kernel/jump_label.c:149
       static_key_slow_dec+0x51/0x90 kernel/jump_label.c:174
       net_disable_timestamp+0x3b/0x50 net/core/dev.c:1728
       sock_disable_timestamp+0x98/0xc0 net/core/sock.c:403
       __sk_destruct+0x27d/0x6b0 net/core/sock.c:1441
       sk_destruct+0x47/0x80 net/core/sock.c:1460
       __sk_free+0x57/0x230 net/core/sock.c:1468
       sock_wfree+0xae/0x120 net/core/sock.c:1645
       skb_release_head_state+0xfc/0x200 net/core/skbuff.c:655
       skb_release_all+0x15/0x60 net/core/skbuff.c:668
       __kfree_skb+0x15/0x20 net/core/skbuff.c:684
       kfree_skb+0x16e/0x4c0 net/core/skbuff.c:705
       inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304
       inet_frag_put include/net/inet_frag.h:133 [inline]
       nf_ct_frag6_gather+0x1106/0x3840
      net/ipv6/netfilter/nf_conntrack_reasm.c:617
       ipv6_defrag+0x1be/0x2b0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
       nf_hook_entry_hookfn include/linux/netfilter.h:102 [inline]
       nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310
       nf_hook include/linux/netfilter.h:212 [inline]
       __ip6_local_out+0x489/0x840 net/ipv6/output_core.c:160
       ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170
       ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722
       ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742
       rawv6_push_pending_frames net/ipv6/raw.c:613 [inline]
       rawv6_sendmsg+0x2d1a/0x3ec0 net/ipv6/raw.c:927
       inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
       sock_sendmsg_nosec net/socket.c:635 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:645
       sock_write_iter+0x326/0x600 net/socket.c:848
       do_iter_readv_writev+0x2e3/0x5b0 fs/read_write.c:695
       do_readv_writev+0x42c/0x9b0 fs/read_write.c:872
       vfs_writev+0x87/0xc0 fs/read_write.c:911
       do_writev+0x110/0x2c0 fs/read_write.c:944
       SYSC_writev fs/read_write.c:1017 [inline]
       SyS_writev+0x27/0x30 fs/read_write.c:1014
       entry_SYSCALL_64_fastpath+0x1f/0xc2
      RIP: 0033:0x445559
      RSP: 002b:00007f6f46fceb58 EFLAGS: 00000292 ORIG_RAX: 0000000000000014
      RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000445559
      RDX: 0000000000000001 RSI: 0000000020f1eff0 RDI: 0000000000000005
      RBP: 00000000006e19c0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000700000
      R13: 0000000020f59000 R14: 0000000000000015 R15: 0000000000020400
      BUG: sleeping function called from invalid context at
      kernel/locking/mutex.c:752
      in_atomic(): 1, irqs_disabled(): 0, pid: 23111, name: syz-executor14
      INFO: lockdep is turned off.
      CPU: 2 PID: 23111 Comm: syz-executor14 Not tainted 4.10.0-rc5+ #192
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
      01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:15 [inline]
       dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
       ___might_sleep+0x47e/0x650 kernel/sched/core.c:7780
       __might_sleep+0x95/0x1a0 kernel/sched/core.c:7739
       mutex_lock_nested+0x24f/0x1730 kernel/locking/mutex.c:752
       atomic_dec_and_mutex_lock+0x119/0x160 kernel/locking/mutex.c:1060
       __static_key_slow_dec+0x7a/0x1e0 kernel/jump_label.c:149
       static_key_slow_dec+0x51/0x90 kernel/jump_label.c:174
       net_disable_timestamp+0x3b/0x50 net/core/dev.c:1728
       sock_disable_timestamp+0x98/0xc0 net/core/sock.c:403
       __sk_destruct+0x27d/0x6b0 net/core/sock.c:1441
       sk_destruct+0x47/0x80 net/core/sock.c:1460
       __sk_free+0x57/0x230 net/core/sock.c:1468
       sock_wfree+0xae/0x120 net/core/sock.c:1645
       skb_release_head_state+0xfc/0x200 net/core/skbuff.c:655
       skb_release_all+0x15/0x60 net/core/skbuff.c:668
       __kfree_skb+0x15/0x20 net/core/skbuff.c:684
       kfree_skb+0x16e/0x4c0 net/core/skbuff.c:705
       inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304
       inet_frag_put include/net/inet_frag.h:133 [inline]
       nf_ct_frag6_gather+0x1106/0x3840
      net/ipv6/netfilter/nf_conntrack_reasm.c:617
       ipv6_defrag+0x1be/0x2b0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
       nf_hook_entry_hookfn include/linux/netfilter.h:102 [inline]
       nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310
       nf_hook include/linux/netfilter.h:212 [inline]
       __ip6_local_out+0x489/0x840 net/ipv6/output_core.c:160
       ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170
       ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722
       ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742
       rawv6_push_pending_frames net/ipv6/raw.c:613 [inline]
       rawv6_sendmsg+0x2d1a/0x3ec0 net/ipv6/raw.c:927
       inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
       sock_sendmsg_nosec net/socket.c:635 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:645
       sock_write_iter+0x326/0x600 net/socket.c:848
       do_iter_readv_writev+0x2e3/0x5b0 fs/read_write.c:695
       do_readv_writev+0x42c/0x9b0 fs/read_write.c:872
       vfs_writev+0x87/0xc0 fs/read_write.c:911
       do_writev+0x110/0x2c0 fs/read_write.c:944
       SYSC_writev fs/read_write.c:1017 [inline]
       SyS_writev+0x27/0x30 fs/read_write.c:1014
       entry_SYSCALL_64_fastpath+0x1f/0xc2
      RIP: 0033:0x445559
      
      Fixes: b90e5794 ("net: dont call jump_label_dec from irq context")
      Suggested-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      efca6f52
    • Andrey Ryabinin's avatar
      drm/i915: fix use-after-free in page_flip_completed() · 5c9d55e1
      Andrey Ryabinin authored
      commit 5351fbb1 upstream.
      
      page_flip_completed() dereferences 'work' variable after executing
      queue_work(). This is not safe as the 'work' item might be already freed
      by queued work:
      
          BUG: KASAN: use-after-free in page_flip_completed+0x3ff/0x490 at addr ffff8803dc010f90
          Call Trace:
           __asan_report_load8_noabort+0x59/0x80
           page_flip_completed+0x3ff/0x490
           intel_finish_page_flip_mmio+0xe3/0x130
           intel_pipe_handle_vblank+0x2d/0x40
           gen8_irq_handler+0x4a7/0xed0
           __handle_irq_event_percpu+0xf6/0x860
           handle_irq_event_percpu+0x6b/0x160
           handle_irq_event+0xc7/0x1b0
           handle_edge_irq+0x1f4/0xa50
           handle_irq+0x41/0x70
           do_IRQ+0x9a/0x200
           common_interrupt+0x89/0x89
      
          Freed:
           kfree+0x113/0x4d0
           intel_unpin_work_fn+0x29a/0x3b0
           process_one_work+0x79e/0x1b70
           worker_thread+0x611/0x1460
           kthread+0x241/0x3a0
           ret_from_fork+0x27/0x40
      
      Move queue_work() after	trace_i915_flip_complete() to fix this.
      
      Fixes: e5510fac ("drm/i915: add tracepoints for flip requests & completions")
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170126143211.24013-1-aryabinin@virtuozzo.comSigned-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5c9d55e1
    • Steffen Maier's avatar
      scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send · 01e26ca6
      Steffen Maier authored
      commit 2dfa6688 upstream.
      
      Dan Carpenter kindly reported:
      <quote>
      The patch d27a7cb9: "zfcp: trace on request for open and close of
      WKA port" from Aug 10, 2016, leads to the following static checker
      warning:
      
      	drivers/s390/scsi/zfcp_fsf.c:1615 zfcp_fsf_open_wka_port()
      	warn: 'req' was already freed.
      
      drivers/s390/scsi/zfcp_fsf.c
        1609          zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
        1610          retval = zfcp_fsf_req_send(req);
        1611          if (retval)
        1612                  zfcp_fsf_req_free(req);
                                                ^^^
      Freed.
      
        1613  out:
        1614          spin_unlock_irq(&qdio->req_q_lock);
        1615          if (req && !IS_ERR(req))
        1616                  zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
                                                                        ^^^^^^^^^^^
      Use after free.
      
        1617          return retval;
        1618  }
      
      Same thing for zfcp_fsf_close_wka_port() as well.
      </quote>
      
      Rather than relying on req being NULL (or ERR_PTR) for all cases where
      we don't want to trace or should not trace,
      simply check retval which is unconditionally initialized with -EIO != 0
      and it can only become 0 on successful retval = zfcp_fsf_req_send(req).
      With that we can also remove the then again unnecessary unconditional
      initialization of req which was introduced with that earlier commit.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Suggested-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: d27a7cb9 ("zfcp: trace on request for open and close of WKA port")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarJens Remus <jremus@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      01e26ca6
    • Thorsten Horstmann's avatar
      mac80211: Fix adding of mesh vendor IEs · 22ae324e
      Thorsten Horstmann authored
      commit da7061c8 upstream.
      
      The function ieee80211_ie_split_vendor doesn't return 0 on errors. Instead
      it returns any offset < ielen when WLAN_EID_VENDOR_SPECIFIC is found. The
      return value in mesh_add_vendor_ies must therefore be checked against
      ifmsh->ie_len and not 0. Otherwise all ifmsh->ie starting with
      WLAN_EID_VENDOR_SPECIFIC will be rejected.
      
      Fixes: 082ebb0c ("mac80211: fix mesh beacon format")
      Signed-off-by: default avatarThorsten Horstmann <thorsten@defutech.de>
      Signed-off-by: default avatarMathias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      [sven@narfation.org: Add commit message]
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      22ae324e
    • Dave Martin's avatar
      ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write · fcd0b441
      Dave Martin authored
      commit 228dbbfb upstream.
      
      Ensure that if userspace supplies insufficient data to
      PTRACE_SETREGSET to fill all the registers, the thread's old
      registers are preserved.
      
      Fixes: 5be6f62b ("ARM: 6883/1: ptrace: Migrate to regsets framework")
      Signed-off-by: default avatarDave Martin <Dave.Martin@arm.com>
      Acked-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      fcd0b441
    • J. Bruce Fields's avatar
      svcrpc: fix oops in absence of krb5 module · dd105cf0
      J. Bruce Fields authored
      commit 034dd34f upstream.
      
      Olga Kornievskaia says: "I ran into this oops in the nfsd (below)
      (4.10-rc3 kernel). To trigger this I had a client (unsuccessfully) try
      to mount the server with krb5 where the server doesn't have the
      rpcsec_gss_krb5 module built."
      
      The problem is that rsci.cred is copied from a svc_cred structure that
      gss_proxy didn't properly initialize.  Fix that.
      
      [120408.542387] general protection fault: 0000 [#1] SMP
      ...
      [120408.565724] CPU: 0 PID: 3601 Comm: nfsd Not tainted 4.10.0-rc3+ #16
      [120408.567037] Hardware name: VMware, Inc. VMware Virtual =
      Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
      [120408.569225] task: ffff8800776f95c0 task.stack: ffffc90003d58000
      [120408.570483] RIP: 0010:gss_mech_put+0xb/0x20 [auth_rpcgss]
      ...
      [120408.584946]  ? rsc_free+0x55/0x90 [auth_rpcgss]
      [120408.585901]  gss_proxy_save_rsc+0xb2/0x2a0 [auth_rpcgss]
      [120408.587017]  svcauth_gss_proxy_init+0x3cc/0x520 [auth_rpcgss]
      [120408.588257]  ? __enqueue_entity+0x6c/0x70
      [120408.589101]  svcauth_gss_accept+0x391/0xb90 [auth_rpcgss]
      [120408.590212]  ? try_to_wake_up+0x4a/0x360
      [120408.591036]  ? wake_up_process+0x15/0x20
      [120408.592093]  ? svc_xprt_do_enqueue+0x12e/0x2d0 [sunrpc]
      [120408.593177]  svc_authenticate+0xe1/0x100 [sunrpc]
      [120408.594168]  svc_process_common+0x203/0x710 [sunrpc]
      [120408.595220]  svc_process+0x105/0x1c0 [sunrpc]
      [120408.596278]  nfsd+0xe9/0x160 [nfsd]
      [120408.597060]  kthread+0x101/0x140
      [120408.597734]  ? nfsd_destroy+0x60/0x60 [nfsd]
      [120408.598626]  ? kthread_park+0x90/0x90
      [120408.599448]  ret_from_fork+0x22/0x30
      
      Fixes: 1d658336 "SUNRPC: Add RPC based upcall mechanism for RPCGSS auth"
      Cc: Simo Sorce <simo@redhat.com>
      Reported-by: default avatarOlga Kornievskaia <kolga@netapp.com>
      Tested-by: default avatarOlga Kornievskaia <kolga@netapp.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      dd105cf0
    • Alexey Kodanev's avatar
      tcp: initialize max window for a new fastopen socket · 5bcc3fac
      Alexey Kodanev authored
      commit 0dbd7ff3 upstream.
      
      Found that if we run LTP netstress test with large MSS (65K),
      the first attempt from server to send data comparable to this
      MSS on fastopen connection will be delayed by the probe timer.
      
      Here is an example:
      
           < S  seq 0:0 win 43690 options [mss 65495 wscale 7 tfo cookie] length 32
           > S. seq 0:0 ack 1 win 43690 options [mss 65495 wscale 7] length 0
           < .  ack 1 win 342 length 0
      
      Inside tcp_sendmsg(), tcp_send_mss() returns max MSS in 'mss_now',
      as well as in 'size_goal'. This results the segment not queued for
      transmition until all the data copied from user buffer. Then, inside
      __tcp_push_pending_frames(), it breaks on send window test and
      continues with the check probe timer.
      
      Fragmentation occurs in tcp_write_wakeup()...
      
      +0.2 > P. seq 1:43777 ack 1 win 342 length 43776
           < .  ack 43777, win 1365 length 0
           > P. seq 43777:65001 ack 1 win 342 options [...] length 21224
           ...
      
      This also contradicts with the fact that we should bound to the half
      of the window if it is large.
      
      Fix this flaw by correctly initializing max_window. Before that, it
      could have large values that affect further calculations of 'size_goal'.
      
      [js] the code is in tcp_ipv4.c in 3.12 yet
      
      Fixes: 168a8f58 ("tcp: TCP Fast Open Server - main code path")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5bcc3fac
    • Eric Dumazet's avatar
      net: fix harmonize_features() vs NETIF_F_HIGHDMA · 48decd9a
      Eric Dumazet authored
      commit 7be2c82c upstream.
      
      Ashizuka reported a highmem oddity and sent a patch for freescale
      fec driver.
      
      But the problem root cause is that core networking stack
      must ensure no skb with highmem fragment is ever sent through
      a device that does not assert NETIF_F_HIGHDMA in its features.
      
      We need to call illegal_highdma() from harmonize_features()
      regardless of CSUM checks.
      
      Fixes: ec5f0615 ("net: Kill link between CSUM and SG features.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Pravin Shelar <pshelar@ovn.org>
      Reported-by: default avatar"Ashizuka, Yuusuke" <ashiduka@jp.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      48decd9a
    • Andy Shevchenko's avatar
      platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT · b2c6a97c
      Andy Shevchenko authored
      commit 5a00b6c2 upstream.
      
      The commit 1c6c6952 ("genirq: Reject bogus threaded irq requests")
      starts refusing misconfigured interrupt handlers. This makes
      intel_mid_powerbtn not working anymore.
      
      Add a mandatory flag to a threaded IRQ request in the driver.
      
      Fixes: 1c6c6952 ("genirq: Reject bogus threaded irq requests")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      b2c6a97c
    • Arnd Bergmann's avatar
      s5k4ecgx: select CRC32 helper · a632ba43
      Arnd Bergmann authored
      commit c739c0a7 upstream.
      
      A rare randconfig build failure shows up in this driver when
      the CRC32 helper is not there:
      
      drivers/media/built-in.o: In function `s5k4ecgx_s_power':
      s5k4ecgx.c:(.text+0x9eb4): undefined reference to `crc32_le'
      
      This adds the 'select' that all other users of this function have.
      
      Fixes: 8b99312b ("[media] Add v4l2 subdev driver for S5K4ECGX sensor")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a632ba43
    • Ander Conselvan de Oliveira's avatar
      drm/i915: Don't leak edid in intel_crt_detect_ddc() · 784e4e9f
      Ander Conselvan de Oliveira authored
      commit c34f0786 upstream.
      
      In the path where intel_crt_detect_ddc() detects a CRT, if would return
      true without freeing the edid.
      
      Fixes: a2bd1f54 ("drm/i915: check whether we actually received an edid in detect_ddc")
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Daniel Vetter <daniel.vetter@intel.com>
      Cc: Jani Nikula <jani.nikula@linux.intel.com>
      Cc: intel-gfx@lists.freedesktop.org
      Signed-off-by: default avatarAnder Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Reviewed-by: default avatarJani Nikula <jani.nikula@intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/1484922525-6131-1-git-send-email-ander.conselvan.de.oliveira@intel.comSigned-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      784e4e9f