1. 28 Oct, 2017 13 commits
  2. 27 Oct, 2017 2 commits
  3. 26 Oct, 2017 12 commits
  4. 25 Oct, 2017 13 commits
    • Michael J. Ruhl's avatar
      RDMA/netlink: OOPs in rdma_nl_rcv_msg() from misinterpreted flag · b4d91aeb
      Michael J. Ruhl authored
      rdma_nl_rcv_msg() checks to see if it should use the .dump() callback
      or the .doit() callback.  The check is done with this check:
      
      if (flags & NLM_F_DUMP) ...
      
      The NLM_F_DUMP flag is two bits (NLM_F_ROOT | NLM_F_MATCH).
      
      When an RDMA_NL_LS message (response) is received, the bit used for
      indicating an error is the same bit as NLM_F_ROOT.
      
      NLM_F_ROOT == (0x100) == RDMA_NL_LS_F_ERR.
      
      ibacm sends a response with the RDMA_NL_LS_F_ERR bit set if an error
      occurs in the service.  The current code then misinterprets the
      NLM_F_DUMP bit and trys to call the .dump() callback.
      
      If the .dump() callback for the specified request is not available
      (which is true for the RDMA_NL_LS messages) the following Oops occurs:
      
      [ 4555.960256] BUG: unable to handle kernel NULL pointer dereference at
         (null)
      [ 4555.969046] IP:           (null)
      [ 4555.972664] PGD 10543f1067 P4D 10543f1067 PUD 1033f93067 PMD 0
      [ 4555.979287] Oops: 0010 [#1] SMP
      [ 4555.982809] Modules linked in: rpcrdma ib_isert iscsi_target_mod
      target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_ucm ib_ucm
      ib_uverbs ib_umad rdma_cm ib_cm iw_cm dm_mirror dm_region_hash dm_log dm_mod
      dax sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm irqbypass
      crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel crypto_simd
      glue_helper cryptd hfi1 rdmavt iTCO_wdt iTCO_vendor_support ib_core mei_me
      lpc_ich pcspkr mei ioatdma sg shpchp i2c_i801 mfd_core wmi ipmi_si ipmi_devintf
      ipmi_msghandler acpi_power_meter acpi_pad nfsd auth_rpcgss nfs_acl lockd grace
      sunrpc ip_tables ext4 mbcache jbd2 sd_mod mgag200 drm_kms_helper syscopyarea
      sysfillrect sysimgblt fb_sys_fops ttm igb ahci crc32c_intel ptp libahci
      pps_core drm dca libata i2c_algo_bit i2c_core
      [ 4556.061190] CPU: 54 PID: 9841 Comm: ibacm Tainted: G          I
      4.14.0-rc2+ #6
      [ 4556.069667] Hardware name: Intel Corporation S2600WT2/S2600WT2, BIOS
      SE5C610.86B.01.01.0008.021120151325 02/11/2015
      [ 4556.081339] task: ffff880855f42d00 task.stack: ffffc900246b4000
      [ 4556.087967] RIP: 0010:          (null)
      [ 4556.092166] RSP: 0018:ffffc900246b7bc8 EFLAGS: 00010246
      [ 4556.098018] RAX: ffffffff81dbe9e0 RBX: ffff881058bb1000 RCX:
      0000000000000000
      [ 4556.105997] RDX: 0000000000001100 RSI: ffff881058bb1320 RDI:
      ffff881056362000
      [ 4556.113984] RBP: ffffc900246b7bf8 R08: 0000000000000ec0 R09:
      0000000000001100
      [ 4556.121971] R10: ffff8810573a5000 R11: 0000000000000000 R12:
      ffff881056362000
      [ 4556.129957] R13: 0000000000000ec0 R14: ffff881058bb1320 R15:
      0000000000000ec0
      [ 4556.137945] FS:  00007fe0ba5a38c0(0000) GS:ffff88105f080000(0000)
      knlGS:0000000000000000
      [ 4556.147000] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 4556.153433] CR2: 0000000000000000 CR3: 0000001056f5d003 CR4:
      00000000001606e0
      [ 4556.161419] Call Trace:
      [ 4556.164167]  ? netlink_dump+0x12c/0x290
      [ 4556.168468]  __netlink_dump_start+0x186/0x1f0
      [ 4556.173357]  rdma_nl_rcv_msg+0x193/0x1b0 [ib_core]
      [ 4556.178724]  rdma_nl_rcv+0xdc/0x130 [ib_core]
      [ 4556.183604]  netlink_unicast+0x181/0x240
      [ 4556.187998]  netlink_sendmsg+0x2c2/0x3b0
      [ 4556.192392]  sock_sendmsg+0x38/0x50
      [ 4556.196299]  SYSC_sendto+0x102/0x190
      [ 4556.200308]  ? __audit_syscall_entry+0xaf/0x100
      [ 4556.205387]  ? syscall_trace_enter+0x1d0/0x2b0
      [ 4556.210366]  ? __audit_syscall_exit+0x209/0x290
      [ 4556.215442]  SyS_sendto+0xe/0x10
      [ 4556.219060]  do_syscall_64+0x67/0x1b0
      [ 4556.223165]  entry_SYSCALL64_slow_path+0x25/0x25
      [ 4556.228328] RIP: 0033:0x7fe0b9db2a63
      [ 4556.232333] RSP: 002b:00007ffc55edc260 EFLAGS: 00000293 ORIG_RAX:
      000000000000002c
      [ 4556.240808] RAX: ffffffffffffffda RBX: 0000000000000010 RCX:
      00007fe0b9db2a63
      [ 4556.248796] RDX: 0000000000000010 RSI: 00007ffc55edc280 RDI:
      000000000000000d
      [ 4556.256782] RBP: 00007ffc55edc670 R08: 00007ffc55edc270 R09:
      000000000000000c
      [ 4556.265321] R10: 0000000000000000 R11: 0000000000000293 R12:
      00007ffc55edc280
      [ 4556.273846] R13: 000000000260b400 R14: 000000000000000d R15:
      0000000000000001
      [ 4556.282368] Code:  Bad RIP value.
      [ 4556.286629] RIP:           (null) RSP: ffffc900246b7bc8
      [ 4556.293013] CR2: 0000000000000000
      [ 4556.297292] ---[ end trace 8d67abcfd10ec209 ]---
      [ 4556.305465] Kernel panic - not syncing: Fatal exception
      [ 4556.313786] Kernel Offset: disabled
      [ 4556.321563] ---[ end Kernel panic - not syncing: Fatal exception
      [ 4556.328960] ------------[ cut here ]------------
      
      Special case RDMA_NL_LS response messages to call the appropriate
      callback.
      
      Additionally, make sure that the .dump() callback is not NULL
      before calling it.
      
      Fixes: 647c75ac ("RDMA/netlink: Convert LS to doit callback")
      Reviewed-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Reviewed-by: default avatarKaike Wan <kaike.wan@intel.com>
      Reviewed-by: default avatarAlex Estrin <alex.estrin@intel.com>
      Signed-off-by: default avatarMichael J. Ruhl <michael.j.ruhl@intel.com>
      Reviewed-by: default avatarShiraz Saleem <shiraz.saleem@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      b4d91aeb
    • David Disseldorp's avatar
      SMB: fix validate negotiate info uninitialised memory use · a2d9daad
      David Disseldorp authored
      An undersize validate negotiate info server response causes the client
      to use uninitialised memory for struct validate_negotiate_info_rsp
      comparisons of Dialect, SecurityMode and/or Capabilities members.
      
      Link: https://bugzilla.samba.org/show_bug.cgi?id=13092
      Fixes: 7db0a6ef ("SMB3: Work around mount failure when using SMB3 dialect to Macs")
      Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      a2d9daad
    • David Disseldorp's avatar
      SMB: fix leak of validate negotiate info response buffer · fe83bebc
      David Disseldorp authored
      Fixes: ff1c038a ("Check SMB3 dialects against downgrade attacks")
      Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      fe83bebc
    • Aurélien Aptel's avatar
      CIFS: Fix NULL pointer deref on SMB2_tcon() failure · db3b5474
      Aurélien Aptel authored
      If SendReceive2() fails rsp is set to NULL but is dereferenced in the
      error handling code.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAurelien Aptel <aaptel@suse.com>
      Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      db3b5474
    • Aurelien Aptel's avatar
      CIFS: do not send invalid input buffer on QUERY_INFO requests · 48923d2a
      Aurelien Aptel authored
      query_info() doesn't use the InputBuffer field of the QUERY_INFO
      request, therefore according to [MS-SMB2] it must:
      
      a) set the InputBufferOffset to 0
      b) send a zero-length InputBuffer
      
      Doing a) is trivial but b) is a bit more tricky.
      
      The packet is allocated according to it's StructureSize, which takes
      into account an extra 1 byte buffer which we don't need
      here. StructureSize fields must have constant values no matter the
      actual length of the whole packet so we can't just edit that constant.
      
      Both the NetBIOS-over-TCP message length ("rfc1002 length") L and the
      iovec length L' have to be updated. Since L' is computed from L we
      just update L by decrementing it by one.
      Signed-off-by: default avatarAurelien Aptel <aaptel@suse.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      48923d2a
    • Benjamin Gilbert's avatar
      cifs: Select all required crypto modules · 5b454a64
      Benjamin Gilbert authored
      Some dependencies were lost when CIFS_SMB2 was merged into CIFS.
      
      Fixes: 2a38e120 ("[SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred")
      Signed-off-by: default avatarBenjamin Gilbert <benjamin.gilbert@coreos.com>
      Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      5b454a64
    • Juergen Gross's avatar
      xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() · 298d275d
      Juergen Gross authored
      In case gntdev_mmap() succeeds only partially in mapping grant pages
      it will leave some vital information uninitialized needed later for
      cleanup. This will lead to an out of bounds array access when unmapping
      the already mapped pages.
      
      So just initialize the data needed for unmapping the pages a little bit
      earlier.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarArthur Borsboom <arthurborsboom@gmail.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      298d275d
    • Miklos Szeredi's avatar
      fuse: fix READDIRPLUS skipping an entry · c6cdd514
      Miklos Szeredi authored
      Marios Titas running a Haskell program noticed a problem with fuse's
      readdirplus: when it is interrupted by a signal, it skips one directory
      entry.
      
      The reason is that fuse erronously updates ctx->pos after a failed
      dir_emit().
      
      The issue originates from the patch adding readdirplus support.
      Reported-by: default avatarJakob Unterwurzacher <jakobunt@gmail.com>
      Tested-by: Marios Titas <redneb@gmx.com> 
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Fixes: 0b05b183 ("fuse: implement NFS-like readdirplus support")
      Cc: <stable@vger.kernel.org> # v3.9
      c6cdd514
    • Mark Brown's avatar
      Merge remote-tracking branches 'spi/fix/armada', 'spi/fix/idr',... · 7555aa76
      Mark Brown authored
      Merge remote-tracking branches 'spi/fix/armada', 'spi/fix/idr', 'spi/fix/qspi', 'spi/fix/stm32' and 'spi/fix/uapi' into spi-linus
      7555aa76
    • Ard Biesheuvel's avatar
      efi/libstub/arm: Don't randomize runtime regions when CONFIG_HIBERNATION=y · 38fb6652
      Ard Biesheuvel authored
      Commit:
      
        e69176d6 ("ef/libstub/arm/arm64: Randomize the base of the UEFI rt services region")
      
      implemented randomization of the virtual mapping that the OS chooses for
      the UEFI runtime services. This was motivated by the fact that UEFI usually
      does not bother to specify any permission restrictions for those regions,
      making them prime real estate for exploitation now that the OS is getting
      more and more careful not to leave any R+W+X mapped regions lying around.
      
      However, this randomization breaks assumptions in the resume from
      hibernation code, which expects all memory regions populated by UEFI to
      remain in the same place, including their virtual mapping into the OS
      memory space. While this assumption may not be entirely reasonable in the
      first place, breaking it deliberately does not make a lot of sense either.
      So let's refrain from this randomization pass if CONFIG_HIBERNATION=y.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: James Morse <james.morse@arm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Link: http://lkml.kernel.org/r/20171025100448.26056-3-ard.biesheuvel@linaro.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      38fb6652
    • Dan Carpenter's avatar
      efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps() · 092e72c9
      Dan Carpenter authored
      If "qcaps.capsule_count" is ULONG_MAX then "qcaps.capsule_count + 1"
      will overflow to zero and kcalloc() will return the ZERO_SIZE_PTR.  We
      try to dereference it inside the loop and crash.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMatt Fleming <matt@codeblueprint.co.uk>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: default avatarIvan Hu <ivan.hu@canonical.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Fixes: ff6301da ("efi: Add efi_test driver for exporting UEFI runtime service interfaces")
      Link: http://lkml.kernel.org/r/20171025100448.26056-2-ard.biesheuvel@linaro.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      092e72c9
    • Jeff Layton's avatar
      ceph: unlock dangling spinlock in try_flush_caps() · 6c2838fb
      Jeff Layton authored
      sparse warns:
      
        fs/ceph/caps.c:2042:9: warning: context imbalance in 'try_flush_caps' - wrong count at exit
      
      We need to exit this function with the lock unlocked, but a couple of
      cases leave it locked.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Reviewed-by: default avatar"Yan, Zheng" <zyan@redhat.com>
      Reviewed-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      6c2838fb
    • Martin Schwidefsky's avatar
      s390/kvm: fix detection of guest machine checks · 0a5e2ec2
      Martin Schwidefsky authored
      The new detection code for guest machine checks added a check based
      on %r11 to .Lcleanup_sie to distinguish between normal asynchronous
      interrupts and machine checks. But the funtion is called from the
      program check handler as well with an undefined value in %r11.
      
      The effect is that all program exceptions pointing to the SIE instruction
      will set the CIF_MCCK_GUEST bit. The bit stays set for the CPU until the
       next machine check comes in which will incorrectly be interpreted as a
      guest machine check.
      
      The simplest fix is to stop using .Lcleanup_sie in the program check
      handler and duplicate a few instructions.
      
      Fixes: c929500d ("s390/nmi: s390: New low level handling for machine check happening in guest")
      Cc: <stable@vger.kernel.org> # v4.13+
      Reviewed-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      0a5e2ec2