1. 10 Nov, 2016 8 commits
    • David Howells's avatar
      KEYS: Fix short sprintf buffer in /proc/keys show function · 940d7ecb
      David Howells authored
      commit 03dab869 upstream.
      
      This fixes CVE-2016-7042.
      
      Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
      is turned on, this can cause a panic due to stack corruption.
      
      The problem is that xbuf[] is not big enough to hold a 64-bit timeout
      rendered as weeks:
      
      	(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
      	$2 = 30500568904943
      
      That's 14 chars plus NUL, not 11 chars plus NUL.
      
      Expand the buffer to 16 chars.
      
      I think the unpatched code apparently works if the stack-protector is not
      enabled because on a 32-bit machine the buffer won't be overflowed and on a
      64-bit machine there's a 64-bit aligned pointer at one side and an int that
      isn't checked again on the other side.
      
      The panic incurred looks something like:
      
      Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
      CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
      Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
       ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
       ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
      Call Trace:
       [<ffffffff813d941f>] dump_stack+0x63/0x84
       [<ffffffff811b2cb6>] panic+0xde/0x22a
       [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
       [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
       [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
       [<ffffffff81350410>] ? key_validate+0x50/0x50
       [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
       [<ffffffff8126b31c>] seq_read+0x2cc/0x390
       [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
       [<ffffffff81244fc7>] __vfs_read+0x37/0x150
       [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
       [<ffffffff81246156>] vfs_read+0x96/0x130
       [<ffffffff81247635>] SyS_read+0x55/0xc0
       [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
      Reported-by: default avatarOndrej Kozina <okozina@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarOndrej Kozina <okozina@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      940d7ecb
    • Johannes Weiner's avatar
      mm: memcontrol: do not recurse in direct reclaim · 29999129
      Johannes Weiner authored
      commit 89a28483 upstream.
      
      On 4.0, we saw a stack corruption from a page fault entering direct
      memory cgroup reclaim, calling into btrfs_releasepage(), which then
      tried to allocate an extent and recursed back into a kmem charge ad
      nauseam:
      
        [...]
        btrfs_releasepage+0x2c/0x30
        try_to_release_page+0x32/0x50
        shrink_page_list+0x6da/0x7a0
        shrink_inactive_list+0x1e5/0x510
        shrink_lruvec+0x605/0x7f0
        shrink_zone+0xee/0x320
        do_try_to_free_pages+0x174/0x440
        try_to_free_mem_cgroup_pages+0xa7/0x130
        try_charge+0x17b/0x830
        memcg_charge_kmem+0x40/0x80
        new_slab+0x2d9/0x5a0
        __slab_alloc+0x2fd/0x44f
        kmem_cache_alloc+0x193/0x1e0
        alloc_extent_state+0x21/0xc0
        __clear_extent_bit+0x2b5/0x400
        try_release_extent_mapping+0x1a3/0x220
        __btrfs_releasepage+0x31/0x70
        btrfs_releasepage+0x2c/0x30
        try_to_release_page+0x32/0x50
        shrink_page_list+0x6da/0x7a0
        shrink_inactive_list+0x1e5/0x510
        shrink_lruvec+0x605/0x7f0
        shrink_zone+0xee/0x320
        do_try_to_free_pages+0x174/0x440
        try_to_free_mem_cgroup_pages+0xa7/0x130
        try_charge+0x17b/0x830
        mem_cgroup_try_charge+0x65/0x1c0
        handle_mm_fault+0x117f/0x1510
        __do_page_fault+0x177/0x420
        do_page_fault+0xc/0x10
        page_fault+0x22/0x30
      
      On later kernels, kmem charging is opt-in rather than opt-out, and that
      particular kmem allocation in btrfs_releasepage() is no longer being
      charged and won't recurse and overrun the stack anymore.
      
      But it's not impossible for an accounted allocation to happen from the
      memcg direct reclaim context, and we needed to reproduce this crash many
      times before we even got a useful stack trace out of it.
      
      Like other direct reclaimers, mark tasks in memcg reclaim PF_MEMALLOC to
      avoid recursing into any other form of direct reclaim.  Then let
      recursive charges from PF_MEMALLOC contexts bypass the cgroup limit.
      
      Link: http://lkml.kernel.org/r/20161025141050.GA13019@cmpxchg.orgSigned-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
      Cc: Tejun Heo <tj@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29999129
    • Alexander Polakov's avatar
      mm/list_lru.c: avoid error-path NULL pointer deref · 9fa32e04
      Alexander Polakov authored
      commit 1bc11d70 upstream.
      
      As described in https://bugzilla.kernel.org/show_bug.cgi?id=177821:
      
      After some analysis it seems to be that the problem is in alloc_super().
      In case list_lru_init_memcg() fails it goes into destroy_super(), which
      calls list_lru_destroy().
      
      And in list_lru_init() we see that in case memcg_init_list_lru() fails,
      lru->node is freed, but not set NULL, which then leads list_lru_destroy()
      to believe it is initialized and call memcg_destroy_list_lru().
      memcg_destroy_list_lru() in turn can access lru->node[i].memcg_lrus,
      which is NULL.
      
      [akpm@linux-foundation.org: add comment]
      Signed-off-by: default avatarAlexander Polakov <apolyakov@beget.ru>
      Acked-by: default avatarVladimir Davydov <vdavydov.dev@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9fa32e04
    • Darrick J. Wong's avatar
      libxfs: clean up _calc_dquots_per_chunk · fd9e4cea
      Darrick J. Wong authored
      commit 58d78967 upstream.
      
      The function xfs_calc_dquots_per_chunk takes a parameter in units
      of basic blocks.  The kernel seems to get the units wrong, but
      userspace got 'fixed' by commenting out the unnecessary conversion.
      Fix both.
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarEric Sandeen <sandeen@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd9e4cea
    • Mark Rutland's avatar
      h8300: fix syscall restarting · 0daca12d
      Mark Rutland authored
      commit 21753583 upstream.
      
      Back in commit f56141e3 ("all arches, signal: move restart_block to
      struct task_struct"), all architectures and core code were changed to
      use task_struct::restart_block.  However, when h8300 support was
      subsequently restored in v4.2, it was not updated to account for this,
      and maintains thread_info::restart_block, which is not kept in sync.
      
      This patch drops the redundant restart_block from thread_info, and moves
      h8300 to the common one in task_struct, ensuring that syscall restarting
      always works as expected.
      
      Fixes: f56141e3 ("all arches, signal: move restart_block to struct task_struct")
      Link: http://lkml.kernel.org/r/1476714934-11635-1-git-send-email-mark.rutland@arm.comSigned-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Cc: uclinux-h8-devel@lists.sourceforge.jp
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0daca12d
    • Ville Syrjälä's avatar
      drm/dp/mst: Clear port->pdt when tearing down the i2c adapter · 44084f15
      Ville Syrjälä authored
      commit 36e3fa6a upstream.
      
      The i2c adapter is only relevant for some peer device types, so
      let's clear the pdt if it's still the same as the old_pdt when we
      tear down the i2c adapter.
      
      I don't really like this design pattern of updating port->whatever
      before doing the accompanying changes and passing around old_whatever
      to figure stuff out. Would make much more sense to me to the pass the
      new value around and only update the port->whatever when things are
      consistent. But let's try to work with what we have right now.
      
      Quoting a follow-up from Ville:
      
      "And naturally I forgot to amend the commit message w.r.t. this guy
      [the change in drm_dp_destroy_port].  We don't really need to do this
      here, but I figured I'd try to be a bit more consistent by having it,
      just to avoid accidental mistakes if/when someone changes this stuff
      again later."
      
      v2: Clear port->pdt in the caller, if needed (Daniel)
      
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: Carlos Santa <carlos.santa@intel.com>
      Cc: Kirill A. Shutemov <kirill@shutemov.name>
      Tested-by: default avatarCarlos Santa <carlos.santa@intel.com>
      Tested-by: default avatarKirill A. Shutemov <kirill@shutemov.name>
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97666Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/1477488633-16544-1-git-send-email-ville.syrjala@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44084f15
    • Vladimir Zapolskiy's avatar
      i2c: core: fix NULL pointer dereference under race condition · 4125fe7f
      Vladimir Zapolskiy authored
      commit 147b36d5 upstream.
      
      Race condition between registering an I2C device driver and
      deregistering an I2C adapter device which is assumed to manage that
      I2C device may lead to a NULL pointer dereference due to the
      uninitialized list head of driver clients.
      
      The root cause of the issue is that the I2C bus may know about the
      registered device driver and thus it is matched by bus_for_each_drv(),
      but the list of clients is not initialized and commonly it is NULL,
      because I2C device drivers define struct i2c_driver as static and
      clients field is expected to be initialized by I2C core:
      
        i2c_register_driver()             i2c_del_adapter()
          driver_register()                 ...
            bus_add_driver()                ...
              ...                           bus_for_each_drv(..., __process_removed_adapter)
            ...                               i2c_do_del_adapter()
          ...                                   list_for_each_entry_safe(..., &driver->clients, ...)
          INIT_LIST_HEAD(&driver->clients);
      
      To solve the problem it is sufficient to do clients list head
      initialization before calling driver_register().
      
      The problem was found while using an I2C device driver with a sluggish
      registration routine on a bus provided by a physically detachable I2C
      master controller, but practically the oops may be reproduced under
      the race between arbitraty I2C device driver registration and managing
      I2C bus device removal e.g. by unbinding the latter over sysfs:
      
      % echo 21a4000.i2c > /sys/bus/platform/drivers/imx-i2c/unbind
        Unable to handle kernel NULL pointer dereference at virtual address 00000000
        Internal error: Oops: 17 [#1] SMP ARM
        CPU: 2 PID: 533 Comm: sh Not tainted 4.9.0-rc3+ #61
        Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
        task: e5ada400 task.stack: e4936000
        PC is at i2c_do_del_adapter+0x20/0xcc
        LR is at __process_removed_adapter+0x14/0x1c
        Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
        Control: 10c5387d  Table: 35bd004a  DAC: 00000051
        Process sh (pid: 533, stack limit = 0xe4936210)
        Stack: (0xe4937d28 to 0xe4938000)
        Backtrace:
        [<c0667be0>] (i2c_do_del_adapter) from [<c0667cc0>] (__process_removed_adapter+0x14/0x1c)
        [<c0667cac>] (__process_removed_adapter) from [<c0516998>] (bus_for_each_drv+0x6c/0xa0)
        [<c051692c>] (bus_for_each_drv) from [<c06685ec>] (i2c_del_adapter+0xbc/0x284)
        [<c0668530>] (i2c_del_adapter) from [<bf0110ec>] (i2c_imx_remove+0x44/0x164 [i2c_imx])
        [<bf0110a8>] (i2c_imx_remove [i2c_imx]) from [<c051a838>] (platform_drv_remove+0x2c/0x44)
        [<c051a80c>] (platform_drv_remove) from [<c05183d8>] (__device_release_driver+0x90/0x12c)
        [<c0518348>] (__device_release_driver) from [<c051849c>] (device_release_driver+0x28/0x34)
        [<c0518474>] (device_release_driver) from [<c0517150>] (unbind_store+0x80/0x104)
        [<c05170d0>] (unbind_store) from [<c0516520>] (drv_attr_store+0x28/0x34)
        [<c05164f8>] (drv_attr_store) from [<c0298acc>] (sysfs_kf_write+0x50/0x54)
        [<c0298a7c>] (sysfs_kf_write) from [<c029801c>] (kernfs_fop_write+0x100/0x214)
        [<c0297f1c>] (kernfs_fop_write) from [<c0220130>] (__vfs_write+0x34/0x120)
        [<c02200fc>] (__vfs_write) from [<c0221088>] (vfs_write+0xa8/0x170)
        [<c0220fe0>] (vfs_write) from [<c0221e74>] (SyS_write+0x4c/0xa8)
        [<c0221e28>] (SyS_write) from [<c0108a20>] (ret_fast_syscall+0x0/0x1c)
      Signed-off-by: default avatarVladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4125fe7f
    • Hoan Tran's avatar
      i2c: xgene: Avoid dma_buffer overrun · eeb1846d
      Hoan Tran authored
      commit 60361601 upstream.
      
      SMBus block command uses the first byte of buffer for the data length.
      The dma_buffer should be increased by 1 to avoid the overrun issue.
      Reported-by: default avatarPhil Endecott <phil_gjouf_endecott@chezphil.org>
      Signed-off-by: default avatarHoan Tran <hotran@apm.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eeb1846d
  2. 01 Nov, 2016 3 commits
  3. 31 Oct, 2016 29 commits