1. 22 Jun, 2020 14 commits
    • Su Kang Yin's avatar
      crypto: talitos - fix ECB and CBC algs ivsize · e3780a26
      Su Kang Yin authored
      commit e1de42fd ("crypto: talitos - fix ECB algs ivsize")
      wrongly modified CBC algs ivsize instead of ECB aggs ivsize.
      
      This restore the CBC algs original ivsize of removes ECB's ones.
      
      Fixes: e1de42fd ("crypto: talitos - fix ECB algs ivsize")
      Signed-off-by: default avatarSu Kang Yin <cantona@cantona.net>
      Reviewed-by: default avatarChristophe Leroy <christophe.leroy@csgroup.eu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e3780a26
    • Qu Wenruo's avatar
      btrfs: Detect unbalanced tree with empty leaf before crashing btree operations · 227af79e
      Qu Wenruo authored
      commit 62fdaa52 upstream.
      
      [BUG]
      With crafted image, btrfs will panic at btree operations:
      
        kernel BUG at fs/btrfs/ctree.c:3894!
        invalid opcode: 0000 [#1] SMP PTI
        CPU: 0 PID: 1138 Comm: btrfs-transacti Not tainted 5.0.0-rc8+ #9
        RIP: 0010:__push_leaf_left+0x6b6/0x6e0
        RSP: 0018:ffffc0bd4128b990 EFLAGS: 00010246
        RAX: 0000000000000000 RBX: ffffa0a4ab8f0e38 RCX: 0000000000000000
        RDX: ffffa0a280000000 RSI: 0000000000000000 RDI: ffffa0a4b3814000
        RBP: ffffc0bd4128ba38 R08: 0000000000001000 R09: ffffc0bd4128b948
        R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000240
        R13: ffffa0a4b556fb60 R14: ffffa0a4ab8f0af0 R15: ffffa0a4ab8f0af0
        FS: 0000000000000000(0000) GS:ffffa0a4b7a00000(0000) knlGS:0000000000000000
        CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007f2461c80020 CR3: 000000022b32a006 CR4: 00000000000206f0
        Call Trace:
        ? _cond_resched+0x1a/0x50
        push_leaf_left+0x179/0x190
        btrfs_del_items+0x316/0x470
        btrfs_del_csums+0x215/0x3a0
        __btrfs_free_extent.isra.72+0x5a7/0xbe0
        __btrfs_run_delayed_refs+0x539/0x1120
        btrfs_run_delayed_refs+0xdb/0x1b0
        btrfs_commit_transaction+0x52/0x950
        ? start_transaction+0x94/0x450
        transaction_kthread+0x163/0x190
        kthread+0x105/0x140
        ? btrfs_cleanup_transaction+0x560/0x560
        ? kthread_destroy_worker+0x50/0x50
        ret_from_fork+0x35/0x40
        Modules linked in:
        ---[ end trace c2425e6e89b5558f ]---
      
      [CAUSE]
      The offending csum tree looks like this:
      
        checksum tree key (CSUM_TREE ROOT_ITEM 0)
        node 29741056 level 1 items 14 free 107 generation 19 owner CSUM_TREE
      	  ...
      	  key (EXTENT_CSUM EXTENT_CSUM 85975040) block 29630464 gen 17
      	  key (EXTENT_CSUM EXTENT_CSUM 89911296) block 29642752 gen 17 <<<
      	  key (EXTENT_CSUM EXTENT_CSUM 92274688) block 29646848 gen 17
      	  ...
      
        leaf 29630464 items 6 free space 1 generation 17 owner CSUM_TREE
      	  item 0 key (EXTENT_CSUM EXTENT_CSUM 85975040) itemoff 3987 itemsize 8
      		  range start 85975040 end 85983232 length 8192
      	  ...
        leaf 29642752 items 0 free space 3995 generation 17 owner 0
      		      ^ empty leaf            invalid owner ^
      
        leaf 29646848 items 1 free space 602 generation 17 owner CSUM_TREE
      	  item 0 key (EXTENT_CSUM EXTENT_CSUM 92274688) itemoff 627 itemsize 3368
      		  range start 92274688 end 95723520 length 3448832
      
      So we have a corrupted csum tree where one tree leaf is completely
      empty, causing unbalanced btree, thus leading to unexpected btree
      balance error.
      
      [FIX]
      For this particular case, we handle it in two directions to catch it:
      - Check if the tree block is empty through btrfs_verify_level_key()
        So that invalid tree blocks won't be read out through
        btrfs_search_slot() and its variants.
      
      - Check 0 tree owner in tree checker
        NO tree is using 0 as its tree owner, detect it and reject at tree
        block read time.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202821Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarVikash Bansal <bvikas@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      227af79e
    • Anand Jain's avatar
      btrfs: merge btrfs_find_device and find_device · 8cb9b069
      Anand Jain authored
      commit 09ba3bc9 upstream.
      
      Both btrfs_find_device() and find_device() does the same thing except
      that the latter does not take the seed device onto account in the device
      scanning context. We can merge them.
      Signed-off-by: default avatarAnand Jain <anand.jain@oracle.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      [4.19.y backport notes:
      Vikash : - To apply this patch, a portion of commit e4319cd9
                 was used to change the first argument of function
                 "btrfs_find_device" from "struct btrfs_fs_info" to
                 "struct btrfs_fs_devices".
      Signed-off-by: default avatarVikash Bansal <bvikas@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8cb9b069
    • Christophe Leroy's avatar
      lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() · e18590b3
      Christophe Leroy authored
      commit ab10ae1c upstream.
      
      The range passed to user_access_begin() by strncpy_from_user() and
      strnlen_user() starts at 'src' and goes up to the limit of userspace
      although reads will be limited by the 'count' param.
      
      On 32 bits powerpc (book3s/32) access has to be granted for each
      256Mbytes segment and the cost increases with the number of segments to
      unlock.
      
      Limit the range with 'count' param.
      
      Fixes: 594cc251 ("make 'user_access_begin()' do 'access_ok()'")
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarMiles Chen <miles.chen@mediatek.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e18590b3
    • Will Deacon's avatar
      x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() · b46395f4
      Will Deacon authored
      commit 6e693b3f upstream.
      
      Commit 594cc251 ("make 'user_access_begin()' do 'access_ok()'")
      makes the access_ok() check part of the user_access_begin() preceding a
      series of 'unsafe' accesses.  This has the desirable effect of ensuring
      that all 'unsafe' accesses have been range-checked, without having to
      pick through all of the callsites to verify whether the appropriate
      checking has been made.
      
      However, the consolidated range check does not inhibit speculation, so
      it is still up to the caller to ensure that they are not susceptible to
      any speculative side-channel attacks for user addresses that ultimately
      fail the access_ok() check.
      
      This is an oversight, so use __uaccess_begin_nospec() to ensure that
      speculation is inhibited until the access_ok() check has passed.
      Reported-by: default avatarJulien Thierry <julien.thierry@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Miles Chen <miles.chen@mediatek.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b46395f4
    • Stafford Horne's avatar
      arch/openrisc: Fix issues with access_ok() · e8236726
      Stafford Horne authored
      commit 9cb2feb4 upstream.
      
      The commit 594cc251 ("make 'user_access_begin()' do 'access_ok()'")
      exposed incorrect implementations of access_ok() macro in several
      architectures.  This change fixes 2 issues found in OpenRISC.
      
      OpenRISC was not properly using parenthesis for arguments and also using
      arguments twice.  This patch fixes those 2 issues.
      
      I test booted this patch with v5.0-rc1 on qemu and it's working fine.
      
      Cc: Guenter Roeck <linux@roeck-us.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarStafford Horne <shorne@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarMiles Chen <miles.chen@mediatek.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8236726
    • Linus Torvalds's avatar
      Fix 'acccess_ok()' on alpha and SH · 3b051f17
      Linus Torvalds authored
      commit 94bd8a05 upstream.
      
      Commit 594cc251 ("make 'user_access_begin()' do 'access_ok()'")
      broke both alpha and SH booting in qemu, as noticed by Guenter Roeck.
      
      It turns out that the bug wasn't actually in that commit itself (which
      would have been surprising: it was mostly a no-op), but in how the
      addition of access_ok() to the strncpy_from_user() and strnlen_user()
      functions now triggered the case where those functions would test the
      access of the very last byte of the user address space.
      
      The string functions actually did that user range test before too, but
      they did it manually by just comparing against user_addr_max().  But
      with user_access_begin() doing the check (using "access_ok()"), it now
      exposed problems in the architecture implementations of that function.
      
      For example, on alpha, the access_ok() helper macro looked like this:
      
        #define __access_ok(addr, size) \
              ((get_fs().seg & (addr | size | (addr+size))) == 0)
      
      and what it basically tests is of any of the high bits get set (the
      USER_DS masking value is 0xfffffc0000000000).
      
      And that's completely wrong for the "addr+size" check.  Because it's
      off-by-one for the case where we check to the very end of the user
      address space, which is exactly what the strn*_user() functions do.
      
      Why? Because "addr+size" will be exactly the size of the address space,
      so trying to access the last byte of the user address space will fail
      the __access_ok() check, even though it shouldn't.  As a result, the
      user string accessor functions failed consistently - because they
      literally don't know how long the string is going to be, and the max
      access is going to be that last byte of the user address space.
      
      Side note: that alpha macro is buggy for another reason too - it re-uses
      the arguments twice.
      
      And SH has another version of almost the exact same bug:
      
        #define __addr_ok(addr) \
              ((unsigned long __force)(addr) < current_thread_info()->addr_limit.seg)
      
      so far so good: yes, a user address must be below the limit.  But then:
      
        #define __access_ok(addr, size)         \
              (__addr_ok((addr) + (size)))
      
      is wrong with the exact same off-by-one case: the case when "addr+size"
      is exactly _equal_ to the limit is actually perfectly fine (think "one
      byte access at the last address of the user address space")
      
      The SH version is actually seriously buggy in another way: it doesn't
      actually check for overflow, even though it did copy the _comment_ that
      talks about overflow.
      
      So it turns out that both SH and alpha actually have completely buggy
      implementations of access_ok(), but they happened to work in practice
      (although the SH overflow one is a serious serious security bug, not
      that anybody likely cares about SH security).
      
      This fixes the problems by using a similar macro on both alpha and SH.
      It isn't trying to be clever, the end address is based on this logic:
      
              unsigned long __ao_end = __ao_a + __ao_b - !!__ao_b;
      
      which basically says "add start and length, and then subtract one unless
      the length was zero".  We can't subtract one for a zero length, or we'd
      just hit an underflow instead.
      
      For a lot of access_ok() users the length is a constant, so this isn't
      actually as expensive as it initially looks.
      Reported-and-tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Cc: Matt Turner <mattst88@gmail.com>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarMiles Chen <miles.chen@mediatek.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3b051f17
    • Linus Torvalds's avatar
      make 'user_access_begin()' do 'access_ok()' · 216284c4
      Linus Torvalds authored
      commit 594cc251 upstream.
      
      Originally, the rule used to be that you'd have to do access_ok()
      separately, and then user_access_begin() before actually doing the
      direct (optimized) user access.
      
      But experience has shown that people then decide not to do access_ok()
      at all, and instead rely on it being implied by other operations or
      similar.  Which makes it very hard to verify that the access has
      actually been range-checked.
      
      If you use the unsafe direct user accesses, hardware features (either
      SMAP - Supervisor Mode Access Protection - on x86, or PAN - Privileged
      Access Never - on ARM) do force you to use user_access_begin().  But
      nothing really forces the range check.
      
      By putting the range check into user_access_begin(), we actually force
      people to do the right thing (tm), and the range check vill be visible
      near the actual accesses.  We have way too long a history of people
      trying to avoid them.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarMiles Chen <miles.chen@mediatek.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      216284c4
    • Lorenz Bauer's avatar
      selftests: bpf: fix use of undeclared RET_IF macro · 6f89ad2e
      Lorenz Bauer authored
      commit 634efb75 ("selftests: bpf: Reset global state between
      reuseport test runs") uses a macro RET_IF which doesn't exist in
      the v4.19 tree. It is defined as follows:
      
              #define RET_IF(condition, tag, format...) ({
                      if (CHECK_FAIL(condition)) {
                              printf(tag " " format);
                              return;
                      }
              })
      
      CHECK_FAIL in turn is defined as:
      
              #define CHECK_FAIL(condition) ({
                      int __ret = !!(condition);
                      int __save_errno = errno;
                      if (__ret) {
                              test__fail();
                              fprintf(stdout, "%s:FAIL:%d\n", __func__, __LINE__);
                      }
                      errno = __save_errno;
                      __ret;
              })
      
      Replace occurences of RET_IF with CHECK. This will abort the test binary
      if clearing the intermediate state fails.
      
      Fixes: 634efb75 ("selftests: bpf: Reset global state between reuseport test runs")
      Reported-by: default avatarkernel test robot <rong.a.chen@intel.com>
      Signed-off-by: default avatarLorenz Bauer <lmb@cloudflare.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f89ad2e
    • Willem de Bruijn's avatar
      tun: correct header offsets in napi frags mode · 75e36c19
      Willem de Bruijn authored
      [ Upstream commit 96aa1b22 ]
      
      Tun in IFF_NAPI_FRAGS mode calls napi_gro_frags. Unlike netif_rx and
      netif_gro_receive, this expects skb->data to point to the mac layer.
      
      But skb_probe_transport_header, __skb_get_hash_symmetric, and
      xdp_do_generic in tun_get_user need skb->data to point to the network
      header. Flow dissection also needs skb->protocol set, so
      eth_type_trans has to be called.
      
      Ensure the link layer header lies in linear as eth_type_trans pulls
      ETH_HLEN. Then take the same code paths for frags as for not frags.
      Push the link layer header back just before calling napi_gro_frags.
      
      By pulling up to ETH_HLEN from frag0 into linear, this disables the
      frag0 optimization in the special case when IFF_NAPI_FRAGS is used
      with zero length iov[0] (and thus empty skb->linear).
      
      Fixes: 90e33d45 ("tun: enable napi_gro_frags() for TUN/TAP driver")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarPetar Penkov <ppenkov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      75e36c19
    • Ido Schimmel's avatar
      vxlan: Avoid infinite loop when suppressing NS messages with invalid options · dbe7cfbf
      Ido Schimmel authored
      [ Upstream commit 8066e6b4 ]
      
      When proxy mode is enabled the vxlan device might reply to Neighbor
      Solicitation (NS) messages on behalf of remote hosts.
      
      In case the NS message includes the "Source link-layer address" option
      [1], the vxlan device will use the specified address as the link-layer
      destination address in its reply.
      
      To avoid an infinite loop, break out of the options parsing loop when
      encountering an option with length zero and disregard the NS message.
      
      This is consistent with the IPv6 ndisc code and RFC 4886 which states
      that "Nodes MUST silently discard an ND packet that contains an option
      with length zero" [2].
      
      [1] https://tools.ietf.org/html/rfc4861#section-4.3
      [2] https://tools.ietf.org/html/rfc4861#section-4.6
      
      Fixes: 4b29dba9 ("vxlan: fix nonfunctional neigh_reduce()")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dbe7cfbf
    • Ido Schimmel's avatar
      bridge: Avoid infinite loop when suppressing NS messages with invalid options · 1e74500f
      Ido Schimmel authored
      [ Upstream commit 53fc6852 ]
      
      When neighbor suppression is enabled the bridge device might reply to
      Neighbor Solicitation (NS) messages on behalf of remote hosts.
      
      In case the NS message includes the "Source link-layer address" option
      [1], the bridge device will use the specified address as the link-layer
      destination address in its reply.
      
      To avoid an infinite loop, break out of the options parsing loop when
      encountering an option with length zero and disregard the NS message.
      
      This is consistent with the IPv6 ndisc code and RFC 4886 which states
      that "Nodes MUST silently discard an ND packet that contains an option
      with length zero" [2].
      
      [1] https://tools.ietf.org/html/rfc4861#section-4.3
      [2] https://tools.ietf.org/html/rfc4861#section-4.6
      
      Fixes: ed842fae ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reported-by: default avatarAlla Segal <allas@mellanox.com>
      Tested-by: default avatarAlla Segal <allas@mellanox.com>
      Acked-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e74500f
    • Vasily Averin's avatar
      net_failover: fixed rollback in net_failover_open() · 8e62792a
      Vasily Averin authored
      [ Upstream commit e8224bfe ]
      
      found by smatch:
      drivers/net/net_failover.c:65 net_failover_open() error:
       we previously assumed 'primary_dev' could be null (see line 43)
      
      Fixes: cfc80d9a ("net: Introduce net_failover driver")
      Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e62792a
    • Hangbin Liu's avatar
      ipv6: fix IPV6_ADDRFORM operation logic · 470e709f
      Hangbin Liu authored
      [ Upstream commit 79a1f0cc ]
      
      Socket option IPV6_ADDRFORM supports UDP/UDPLITE and TCP at present.
      Previously the checking logic looks like:
      if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
      	do_some_check;
      else if (sk->sk_protocol != IPPROTO_TCP)
      	break;
      
      After commit b6f61189 ("ipv6: restrict IPV6_ADDRFORM operation"), TCP
      was blocked as the logic changed to:
      if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
      	do_some_check;
      else if (sk->sk_protocol == IPPROTO_TCP)
      	do_some_check;
      	break;
      else
      	break;
      
      Then after commit 82c9ae44 ("ipv6: fix restrict IPV6_ADDRFORM operation")
      UDP/UDPLITE were blocked as the logic changed to:
      if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
      	do_some_check;
      if (sk->sk_protocol == IPPROTO_TCP)
      	do_some_check;
      
      if (sk->sk_protocol != IPPROTO_TCP)
      	break;
      
      Fix it by using Eric's code and simply remove the break in TCP check, which
      looks like:
      if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
      	do_some_check;
      else if (sk->sk_protocol == IPPROTO_TCP)
      	do_some_check;
      else
      	break;
      
      Fixes: 82c9ae44 ("ipv6: fix restrict IPV6_ADDRFORM operation")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      470e709f
  2. 10 Jun, 2020 26 commits