1. 15 Jul, 2017 4 commits
    • Malcolm Priestley's avatar
      staging: vt6556: vnt_start Fix missing call to vnt_key_init_table. · ed53d437
      Malcolm Priestley authored
      commit dc32190f upstream.
      
      The key table is not intialized correctly without this call.
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed53d437
    • Kirill Tkhai's avatar
      locking/rwsem-spinlock: Fix EINTR branch in __down_write_common() · 3350230a
      Kirill Tkhai authored
      commit a0c4acd2 upstream.
      
      If a writer could been woken up, the above branch
      
      	if (sem->count == 0)
      		break;
      
      would have moved us to taking the sem. So, it's
      not the time to wake a writer now, and only readers
      are allowed now. Thus, 0 must be passed to __rwsem_do_wake().
      
      Next, __rwsem_do_wake() wakes readers unconditionally.
      But we mustn't do that if the sem is owned by writer
      in the moment. Otherwise, writer and reader own the sem
      the same time, which leads to memory corruption in
      callers.
      
      rwsem-xadd.c does not need that, as:
      
        1) the similar check is made lockless there,
        2) in __rwsem_mark_wake::try_reader_grant we test,
      
      that sem is not owned by writer.
      Signed-off-by: default avatarKirill Tkhai <ktkhai@virtuozzo.com>
      Acked-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Niklas Cassel <niklas.cassel@axis.com>
      Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 17fcbd59 "locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y"
      Link: http://lkml.kernel.org/r/149762063282.19811.9129615532201147826.stgit@localhost.localdomainSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3350230a
    • Eric W. Biederman's avatar
      proc: Fix proc_sys_prune_dcache to hold a sb reference · 43fac435
      Eric W. Biederman authored
      commit 2fd1d2c4 upstream.
      
      Andrei Vagin writes:
      FYI: This bug has been reproduced on 4.11.7
      > BUG: Dentry ffff895a3dd01240{i=4e7c09a,n=lo}  still in use (1) [unmount of proc proc]
      > ------------[ cut here ]------------
      > WARNING: CPU: 1 PID: 13588 at fs/dcache.c:1445 umount_check+0x6e/0x80
      > CPU: 1 PID: 13588 Comm: kworker/1:1 Not tainted 4.11.7-200.fc25.x86_64 #1
      > Hardware name: CompuLab sbc-flt1/fitlet, BIOS SBCFLT_0.08.04 06/27/2015
      > Workqueue: events proc_cleanup_work
      > Call Trace:
      >  dump_stack+0x63/0x86
      >  __warn+0xcb/0xf0
      >  warn_slowpath_null+0x1d/0x20
      >  umount_check+0x6e/0x80
      >  d_walk+0xc6/0x270
      >  ? dentry_free+0x80/0x80
      >  do_one_tree+0x26/0x40
      >  shrink_dcache_for_umount+0x2d/0x90
      >  generic_shutdown_super+0x1f/0xf0
      >  kill_anon_super+0x12/0x20
      >  proc_kill_sb+0x40/0x50
      >  deactivate_locked_super+0x43/0x70
      >  deactivate_super+0x5a/0x60
      >  cleanup_mnt+0x3f/0x90
      >  mntput_no_expire+0x13b/0x190
      >  kern_unmount+0x3e/0x50
      >  pid_ns_release_proc+0x15/0x20
      >  proc_cleanup_work+0x15/0x20
      >  process_one_work+0x197/0x450
      >  worker_thread+0x4e/0x4a0
      >  kthread+0x109/0x140
      >  ? process_one_work+0x450/0x450
      >  ? kthread_park+0x90/0x90
      >  ret_from_fork+0x2c/0x40
      > ---[ end trace e1c109611e5d0b41 ]---
      > VFS: Busy inodes after unmount of proc. Self-destruct in 5 seconds.  Have a nice day...
      > BUG: unable to handle kernel NULL pointer dereference at           (null)
      > IP: _raw_spin_lock+0xc/0x30
      > PGD 0
      
      Fix this by taking a reference to the super block in proc_sys_prune_dcache.
      
      The superblock reference is the core of the fix however the sysctl_inodes
      list is converted to a hlist so that hlist_del_init_rcu may be used.  This
      allows proc_sys_prune_dache to remove inodes the sysctl_inodes list, while
      not causing problems for proc_sys_evict_inode when if it later choses to
      remove the inode from the sysctl_inodes list.  Removing inodes from the
      sysctl_inodes list allows proc_sys_prune_dcache to have a progress
      guarantee, while still being able to drop all locks.  The fact that
      head->unregistering is set in start_unregistering ensures that no more
      inodes will be added to the the sysctl_inodes list.
      
      Previously the code did a dance where it delayed calling iput until the
      next entry in the list was being considered to ensure the inode remained on
      the sysctl_inodes list until the next entry was walked to.  The structure
      of the loop in this patch does not need that so is much easier to
      understand and maintain.
      Reported-by: default avatarAndrei Vagin <avagin@gmail.com>
      Tested-by: default avatarAndrei Vagin <avagin@openvz.org>
      Fixes: ace0c791 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
      Fixes: d6cffbbe ("proc/sysctl: prune stale dentries during unregistering")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      43fac435
    • Cong Wang's avatar
      mqueue: fix a use-after-free in sys_mq_notify() · c353aee3
      Cong Wang authored
      commit f991af3d upstream.
      
      The retry logic for netlink_attachskb() inside sys_mq_notify()
      is nasty and vulnerable:
      
      1) The sock refcnt is already released when retry is needed
      2) The fd is controllable by user-space because we already
         release the file refcnt
      
      so we when retry but the fd has been just closed by user-space
      during this small window, we end up calling netlink_detachskb()
      on the error path which releases the sock again, later when
      the user-space closes this socket a use-after-free could be
      triggered.
      
      Setting 'sock' to NULL here should be sufficient to fix it.
      Reported-by: default avatarGeneBlue <geneblue.mail@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c353aee3
  2. 12 Jul, 2017 36 commits