1. 15 Nov, 2017 8 commits
  2. 10 Nov, 2017 2 commits
  3. 09 Nov, 2017 4 commits
  4. 07 Nov, 2017 1 commit
  5. 19 Oct, 2017 3 commits
  6. 17 Oct, 2017 7 commits
  7. 12 Oct, 2017 3 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · be7484ac
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fix for potential out-of-bounds memory access (found by fuzzing,
         likely requires specially crafted device to trigger) by Jaejoong Kim
      
       - two new device IDs for elecom driver from Alex Manoussakis
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: hid-elecom: extend to fix descriptor for HUGE trackball
        HID: usbhid: fix out-of-bounds bug
      be7484ac
    • Linus Torvalds's avatar
      Merge tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 7702f476
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "It's been a busy week for defending the attacks from fuzzer people.
      
        This contains various USB-audio driver fixes and sequencer core fixes
        spotted by syzkaller and other fuzzer, as well as one quirk for a
        Plantronics USB audio device"
      
      * tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: caiaq: Fix stray URB at probe error path
        ALSA: seq: Fix use-after-free at creating a port
        ALSA: usb-audio: Kill stray URB at exiting
        ALSA: line6: Fix leftover URB at error-path during probe
        ALSA: line6: Fix NULL dereference at podhd_disconnect()
        ALSA: line6: Fix missing initialization before error path
        ALSA: seq: Fix copy_from_user() call inside lock
        ALSA: usb-audio: Add sample rate quirk for Plantronics P610
      7702f476
    • Linus Torvalds's avatar
      Merge branch 'waitid-fix' · 467251c6
      Linus Torvalds authored
      Merge waitid() fix from Kees Cook.
      
      I'd have hoped that the unsafe_{get|put}_user() naming would have
      avoided these kinds of stupid bugs, but no such luck.
      
      * waitid-fix:
        waitid(): Add missing access_ok() checks
      467251c6
  8. 11 Oct, 2017 12 commits
    • Linus Torvalds's avatar
      Merge tag 'rpmsg-v4.14-fixes' of git://github.com/andersson/remoteproc · ff5abbe7
      Linus Torvalds authored
      Pull rpmsg fixes from Bjorn Andersson:
       "This corrects two mistakes in the Qualcomm GLINK SMEM driver"
      
      * tag 'rpmsg-v4.14-fixes' of git://github.com/andersson/remoteproc:
        rpmsg: glink: Fix memory leak in qcom_glink_alloc_intent()
        rpmsg: glink: Unlock on error in qcom_glink_request_intent()
      ff5abbe7
    • Linus Torvalds's avatar
      Merge tag 'rproc-v4.14-fixes' of git://github.com/andersson/remoteproc · 9add7e3e
      Linus Torvalds authored
      Pull remoteproc fixes from Bjorn Andersson:
       "This fixes a couple of issues in the imx_rproc driver and corrects the
        Kconfig dependencies of the Qualcomm remoteproc drivers"
      
      * tag 'rproc-v4.14-fixes' of git://github.com/andersson/remoteproc:
        remoteproc: imx_rproc: fix return value check in imx_rproc_addr_init()
        remoteproc: qcom: fix RPMSG_QCOM_GLINK_SMEM dependencies
        remoteproc: imx_rproc: fix a couple off by one bugs
      9add7e3e
    • Wei Yongjun's avatar
      remoteproc: imx_rproc: fix return value check in imx_rproc_addr_init() · 68a39a3e
      Wei Yongjun authored
      In case of error, the function devm_ioremap() returns NULL pointer
      not ERR_PTR(). The IS_ERR() test in the return value check should
      be replaced with NULL test.
      Reviewed-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      68a39a3e
    • Alexander Levin's avatar
      9p: set page uptodate when required in write_end() · 56ae414e
      Alexander Levin authored
      Commit 77469c3f prevented setting the page as uptodate when we wrote
      the right amount of data, fix that.
      
      Fixes: 77469c3f ("9p: saner ->write_end() on failing copy into non-uptodate page")
      Reviewed-by: default avatarJan Kara <jack@suse.com>
      Signed-off-by: default avatarAlexander Levin <alexander.levin@verizon.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      56ae414e
    • Linus Torvalds's avatar
      Merge tag 'gpio-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · a0db2890
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "Here are some smallish GPIO fixes for v4.14. Like with pin control:
        some build/Kconfig noise and one serious bug in a specific driver.
      
         - Three Kconfig/build warning fixes
      
         - A fix for lost edge IRQs in the OMAP driver"
      
      * tag 'gpio-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: omap: Fix lost edge interrupts
        gpio: omap: omap_gpio_show_rev is not __init
        gpio: acpi: work around false-positive -Wstring-overflow warning
        gpio: thunderx: select IRQ_DOMAIN_HIERARCHY instead of depends on
      a0db2890
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v4.14-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · cc74613b
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Two small things and a slightly larger thing in the Intel Cherryview.
      
         - Fix two build problems
      
         - Fix a regression on the Intel Cherryview interrupt path"
      
      * tag 'pinctrl-v4.14-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: cherryview: fix issues caused by dynamic gpio irqs mapping
        pinctrl/amd: Fix build dependency on pinmux code
        pinctrl: bcm2835: fix build warning in bcm2835_gpio_irq_handle_bank
      cc74613b
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · ce386181
      Linus Torvalds authored
      Pull vfs fixes from Al Viro:
       "Fairly old DIO bug caught by Andreas (3.10+) and several slightly
        younger blk_rq_map_user_iov() bugs, both on map and copy codepaths
        (Vitaly and me)"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        bio_copy_user_iov(): don't ignore ->iov_offset
        more bio_map_user_iov() leak fixes
        fix unbalanced page refcounting in bio_map_user_iov
        direct-io: Prevent NULL pointer access in submit_page_section
      ce386181
    • Takashi Iwai's avatar
      ALSA: caiaq: Fix stray URB at probe error path · 99fee508
      Takashi Iwai authored
      caiaq driver doesn't kill the URB properly at its error path during
      the probe, which may lead to a use-after-free error later.  This patch
      addresses it.
      Reported-by: default avatarJohan Hovold <johan@kernel.org>
      Reviewed-by: default avatarJohan Hovold <johan@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      99fee508
    • Alex Manoussakis's avatar
      HID: hid-elecom: extend to fix descriptor for HUGE trackball · a0933a45
      Alex Manoussakis authored
      In addition to DEFT, Elecom introduced a larger trackball called HUGE, in
      both wired (M-HT1URBK) and wireless (M-HT1DRBK) versions. It has the same
      buttons and behavior as the DEFT. This patch adds the two relevant USB IDs
      to enable operation of the three Fn buttons on the top of the device.
      
      Cc: Diego Elio Petteno <flameeyes@flameeyes.eu>
      Signed-off-by: default avatarAlex Manoussakis <amanou@gnu.org>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      a0933a45
    • Jaejoong Kim's avatar
      HID: usbhid: fix out-of-bounds bug · f043bfc9
      Jaejoong Kim authored
      The hid descriptor identifies the length and type of subordinate
      descriptors for a device. If the received hid descriptor is smaller than
      the size of the struct hid_descriptor, it is possible to cause
      out-of-bounds.
      
      In addition, if bNumDescriptors of the hid descriptor have an incorrect
      value, this can also cause out-of-bounds while approaching hdesc->desc[n].
      
      So check the size of hid descriptor and bNumDescriptors.
      
      	BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
      	Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
      
      	CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
      	4.14.0-rc1-42251-gebb2c243 #169
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      	Workqueue: usb_hub_wq hub_event
      	Call Trace:
      	__dump_stack lib/dump_stack.c:16
      	dump_stack+0x292/0x395 lib/dump_stack.c:52
      	print_address_description+0x78/0x280 mm/kasan/report.c:252
      	kasan_report_error mm/kasan/report.c:351
      	kasan_report+0x22f/0x340 mm/kasan/report.c:409
      	__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
      	usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
      	hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
      	usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
      	usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
      	generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
      	usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
      	hub_port_connect drivers/usb/core/hub.c:4903
      	hub_port_connect_change drivers/usb/core/hub.c:5009
      	port_event drivers/usb/core/hub.c:5115
      	hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
      	process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
      	worker_thread+0x221/0x1850 kernel/workqueue.c:2253
      	kthread+0x3a1/0x470 kernel/kthread.c:231
      	ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarJaejoong Kim <climbbb.kim@gmail.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      f043bfc9
    • Takashi Iwai's avatar
      ALSA: seq: Fix use-after-free at creating a port · 71105998
      Takashi Iwai authored
      There is a potential race window opened at creating and deleting a
      port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
      a port object and returns its pointer, but it doesn't take the
      refcount, thus it can be deleted immediately by another thread.
      Meanwhile, snd_seq_ioctl_create_port() still calls the function
      snd_seq_system_client_ev_port_start() with the created port object
      that is being deleted, and this triggers use-after-free like:
      
       BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
       =============================================================================
       BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
       -----------------------------------------------------------------------------
       INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
       	___slab_alloc+0x425/0x460
       	__slab_alloc+0x20/0x40
        	kmem_cache_alloc_trace+0x150/0x190
      	snd_seq_create_port+0x94/0x9b0 [snd_seq]
      	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
       	__slab_free+0x204/0x310
       	kfree+0x15f/0x180
       	port_delete+0x136/0x1a0 [snd_seq]
       	snd_seq_delete_port+0x235/0x350 [snd_seq]
       	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       Call Trace:
        [<ffffffff81b03781>] dump_stack+0x63/0x82
        [<ffffffff81531b3b>] print_trailer+0xfb/0x160
        [<ffffffff81536db4>] object_err+0x34/0x40
        [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
        [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
        [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
        [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
        [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
        [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
        [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
        [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
        .....
      
      We may fix this in a few different ways, and in this patch, it's fixed
      simply by taking the refcount properly at snd_seq_create_port() and
      letting the caller unref the object after use.  Also, there is another
      potential use-after-free by sprintf() call in snd_seq_create_port(),
      and this is moved inside the lock.
      
      This fix covers CVE-2017-15265.
      Reported-and-tested-by: default avatarMichael23 Yu <ycqzsy@gmail.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      71105998
    • Al Viro's avatar
      bio_copy_user_iov(): don't ignore ->iov_offset · 1cfd0ddd
      Al Viro authored
      Since "block: support large requests in blk_rq_map_user_iov" we
      started to call it with partially drained iter; that works fine
      on the write side, but reads create a copy of iter for completion
      time.  And that needs to take the possibility of ->iov_iter != 0
      into account...
      
      Cc: stable@vger.kernel.org #v4.5+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      1cfd0ddd