August 2018 - Linux-stable-mirror

[PATCH for-4.9.y 0/5] net/sched: init failure fixes

by Amit Pundir

Hi Greg, Kindly consider/review following net/sched fixes for stable 4.9.y. This patchset is a follow-up of upstream fix 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") cherry-picked on stable 4.9.y. It fix null pointer dereferences due to uninitialized timer (qdisc watchdog) or double frees due to ->destroy cleaning up a second time. Here is the original submission https://www.mail-archive.com/netdev@vger.kernel.org/msg186003.html Cherry-picked and build tested on Linux 4.9.116 for ARCH=arm/arm64. These fixes are applicable for stable 4.4.y kernel as well, but one of the patches needed a minor rebasing, so I'm resending this series for 4.4.y in a separate thread to avoid any confusion. Regards, Amit Pundir Nikolay Aleksandrov (5): sch_htb: fix crash on init failure sch_multiq: fix double free on init failure sch_hhf: fix null pointer dereference on init failure sch_netem: avoid null pointer deref on init failure sch_tbf: fix two null pointer dereferences on init failure net/sched/sch_hhf.c | 3 +++ net/sched/sch_htb.c | 5 +++-- net/sched/sch_multiq.c | 7 +------ net/sched/sch_netem.c | 4 ++-- net/sched/sch_tbf.c | 5 +++-- 5 files changed, 12 insertions(+), 12 deletions(-) -- 2.7.4

6 years, 4 months

3
10
0 0

[PATCH v2] x86/entry/64: Remove %ebx handling from error_entry/exit

by Sarah Newman

commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream. This version applies to v4.9. >From Andy Lutomirski, original author: error_entry and error_exit communicate the user vs kernel status of the frame using %ebx. This is unnecessary -- the information is in regs->cs. Just use regs->cs. This makes error_entry simpler and makes error_exit more robust. It also fixes a nasty bug. Before all the Spectre nonsense, The xen_failsafe_callback entry point returned like this: ALLOC_PT_GPREGS_ON_STACK SAVE_C_REGS SAVE_EXTRA_REGS ENCODE_FRAME_POINTER jmp error_exit And it did not go through error_entry. This was bogus: RBX contained garbage, and error_exit expected a flag in RBX. Fortunately, it generally contained *nonzero* garbage, so the correct code path was used. As part of the Spectre fixes, code was added to clear RBX to mitigate certain speculation attacks. Now, depending on kernel configuration, RBX got zeroed and, when running some Wine workloads, the kernel crashes. This was introduced by: commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") With this patch applied, RBX is no longer needed as a flag, and the problem goes away. I suspect that malicious userspace could use this bug to crash the kernel even without the offending patch applied, though. [Historical note: I wrote this patch as a cleanup before I was aware of the bug it fixed.] [Note to stable maintainers: this should probably get applied to all kernels.] Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Dominik Brodowski <linux(a)dominikbrodowski.net> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Boris Ostrovsky <boris.ostrovsky(a)oracle.com> Cc: Juergen Gross <jgross(a)suse.com> Cc: xen-devel(a)lists.xenproject.org Cc: x86(a)kernel.org Cc: stable(a)vger.kernel.org Cc: Andy Lutomirski <luto(a)kernel.org> Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b(a)runbox.com> Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Sarah Newman <srn(a)prgmr.com> --- arch/x86/entry/entry_64.S | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index d58d8dc..76c1d85e 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -774,7 +774,7 @@ ENTRY(\sym) call \do_sym - jmp error_exit /* %ebx: no swapgs flag */ + jmp error_exit .endif END(\sym) .endm @@ -1043,7 +1043,6 @@ END(paranoid_exit) /* * Save all registers in pt_regs, and switch gs if needed. - * Return: EBX=0: came from user mode; EBX=1: otherwise */ ENTRY(error_entry) cld @@ -1056,7 +1055,6 @@ ENTRY(error_entry) * the kernel CR3 here. */ SWITCH_KERNEL_CR3 - xorl %ebx, %ebx testb $3, CS+8(%rsp) jz .Lerror_kernelspace @@ -1087,7 +1085,6 @@ ENTRY(error_entry) * for these here too. */ .Lerror_kernelspace: - incl %ebx leaq native_irq_return_iret(%rip), %rcx cmpq %rcx, RIP+8(%rsp) je .Lerror_bad_iret @@ -1119,28 +1116,19 @@ ENTRY(error_entry) /* * Pretend that the exception came from user mode: set up pt_regs - * as if we faulted immediately after IRET and clear EBX so that - * error_exit knows that we will be returning to user mode. + * as if we faulted immediately after IRET. */ mov %rsp, %rdi call fixup_bad_iret mov %rax, %rsp - decl %ebx jmp .Lerror_entry_from_usermode_after_swapgs END(error_entry) - -/* - * On entry, EBX is a "return to kernel mode" flag: - * 1: already in kernel mode, don't need SWAPGS - * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode - */ ENTRY(error_exit) - movl %ebx, %eax DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF - testl %eax, %eax - jnz retint_kernel + testb $3, CS(%rsp) + jz retint_kernel jmp retint_user END(error_exit) -- 1.9.1

6 years, 4 months

3
2
0 0

Linux 4.4.151

by Greg KH

I'm announcing the release of the 4.4.151 kernel. All users of the 4.4 kernel series must upgrade. The updated 4.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- arch/x86/include/asm/pgtable.h | 13 ++++++++----- drivers/acpi/sleep.c | 27 +++++++++++++++++++++++++++ drivers/isdn/i4l/isdn_common.c | 8 +------- drivers/tty/serial/8250/8250_dw.c | 2 +- drivers/usb/serial/option.c | 4 ++++ drivers/usb/serial/sierra.c | 4 ++-- include/net/af_vsock.h | 4 ++-- include/net/llc.h | 5 +++++ net/bluetooth/sco.c | 3 ++- net/dccp/ccids/ccid2.c | 6 ++++-- net/l2tp/l2tp_core.c | 2 +- net/llc/llc_core.c | 4 ++-- net/sched/cls_tcindex.c | 8 +++----- net/vmw_vsock/af_vsock.c | 15 ++++++++------- net/vmw_vsock/vmci_transport.c | 3 +-- sound/core/memalloc.c | 8 ++------ sound/core/seq/seq_virmidi.c | 10 ++++++++++ sound/pci/cs5535audio/cs5535audio.h | 6 +++--- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 ++-- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_conexant.c | 4 +++- sound/pci/vx222/vx222_ops.c | 8 ++++---- sound/pcmcia/vx/vxp_ops.c | 10 +++++----- 24 files changed, 102 insertions(+), 60 deletions(-) Aleksander Morgado (1): USB: option: add support for DW5821e Alexey Kodanev (1): dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() Chen Hu (1): serial: 8250_dw: always set baud rate in dw8250_set_termios Cong Wang (2): llc: use refcount_inc_not_zero() for llc_sap_find() vsock: split dwork to avoid reinitializations Greg Kroah-Hartman (1): Linux 4.4.151 Hangbin Liu (2): net_sched: Fix missing res info when create new tc_index filter net_sched: fix NULL pointer dereference when delete tcindex filter Hans de Goede (1): ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry John Ogness (1): USB: serial: sierra: fix potential deadlock at close Kees Cook (1): isdn: Disable IIOCDBGVAR Park Ju Hyung (2): ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs ALSA: hda - Turn CX8200 into D3 as well upon reboot Sudip Mukherjee (1): Bluetooth: avoid killing an already killed socket Takashi Iwai (5): ALSA: vx222: Fix invalid endian conversions ALSA: virmidi: Fix too long output trigger loop ALSA: cs5535audio: Fix invalid endian conversion ALSA: memalloc: Don't exceed over the requested size ALSA: vxpocket: Fix invalid endian conversions Tom Lendacky (1): x86/mm: Simplify p[g4um]d_page() macros Wei Wang (1): l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Willy Tarreau (1): ACPI / PM: save NVS memory for ASUS 1025C laptop Zhang Rui (1): ACPI: save NVS memory for Lenovo G50-45

6 years, 4 months

1
1
0 0

Linux 4.9.123

by Greg KH

I'm announcing the release of the 4.9.123 kernel. All users of the 4.9 kernel series must upgrade. The updated 4.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- arch/x86/include/asm/pgtable.h | 13 ++++++++----- drivers/acpi/sleep.c | 8 ++++++++ drivers/isdn/i4l/isdn_common.c | 8 +------- drivers/tty/serial/8250/8250_dw.c | 3 ++- drivers/tty/serial/8250/8250_port.c | 3 +-- drivers/usb/serial/option.c | 4 ++++ drivers/usb/serial/sierra.c | 4 ++-- include/net/af_vsock.h | 4 ++-- include/net/llc.h | 5 +++++ net/bluetooth/sco.c | 3 ++- net/dccp/ccids/ccid2.c | 6 ++++-- net/ipv6/ip6_tunnel.c | 8 ++------ net/l2tp/l2tp_core.c | 2 +- net/llc/llc_core.c | 4 ++-- net/sched/cls_matchall.c | 2 ++ net/sched/cls_tcindex.c | 8 +++----- net/vmw_vsock/af_vsock.c | 15 ++++++++------- net/vmw_vsock/vmci_transport.c | 3 +-- sound/core/memalloc.c | 8 ++------ sound/core/seq/seq_virmidi.c | 10 ++++++++++ sound/pci/cs5535audio/cs5535audio.h | 6 +++--- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 ++-- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_conexant.c | 4 +++- sound/pci/vx222/vx222_ops.c | 8 ++++---- sound/pcmcia/vx/vxp_ops.c | 10 +++++----- 27 files changed, 89 insertions(+), 68 deletions(-) Aleksander Morgado (1): USB: option: add support for DW5821e Alexey Kodanev (1): dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() Chen Hu (1): serial: 8250_dw: always set baud rate in dw8250_set_termios Cong Wang (2): llc: use refcount_inc_not_zero() for llc_sap_find() vsock: split dwork to avoid reinitializations Greg Kroah-Hartman (1): Linux 4.9.123 Hangbin Liu (3): net_sched: Fix missing res info when create new tc_index filter net_sched: fix NULL pointer dereference when delete tcindex filter cls_matchall: fix tcf_unbind_filter missing Hans de Goede (1): ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry John Ogness (1): USB: serial: sierra: fix potential deadlock at close Kees Cook (1): isdn: Disable IIOCDBGVAR Mark (1): tty: serial: 8250: Revert NXP SC16C2552 workaround Park Ju Hyung (2): ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs ALSA: hda - Turn CX8200 into D3 as well upon reboot Srinath Mannam (1): serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Sudip Mukherjee (1): Bluetooth: avoid killing an already killed socket Takashi Iwai (5): ALSA: vx222: Fix invalid endian conversions ALSA: virmidi: Fix too long output trigger loop ALSA: cs5535audio: Fix invalid endian conversion ALSA: memalloc: Don't exceed over the requested size ALSA: vxpocket: Fix invalid endian conversions Tom Lendacky (1): x86/mm: Simplify p[g4um]d_page() macros Wei Wang (1): l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Willy Tarreau (1): ACPI / PM: save NVS memory for ASUS 1025C laptop Xin Long (1): ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit

6 years, 4 months

1
1
0 0

Linux 4.14.66

by Greg KH

I'm announcing the release of the 4.14.66 kernel. All users of the 4.14 kernel series must upgrade. The updated 4.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.14.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 - drivers/acpi/sleep.c | 8 +++++++ drivers/isdn/i4l/isdn_common.c | 8 ------- drivers/misc/sram.c | 9 +++++++- drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 2 - drivers/tty/serial/8250/8250_dw.c | 3 +- drivers/tty/serial/8250/8250_exar.c | 6 ++++- drivers/tty/serial/8250/8250_port.c | 3 -- drivers/usb/serial/option.c | 4 +++ drivers/usb/serial/pl2303.c | 2 + drivers/usb/serial/pl2303.h | 1 drivers/usb/serial/sierra.c | 4 +-- drivers/vhost/vhost.c | 9 +++++--- include/net/af_vsock.h | 4 +-- include/net/llc.h | 5 ++++ net/bluetooth/sco.c | 3 +- net/dccp/ccids/ccid2.c | 6 +++-- net/ipv6/ip6_tunnel.c | 8 +------ net/l2tp/l2tp_core.c | 2 - net/llc/llc_core.c | 4 +-- net/sched/cls_matchall.c | 2 + net/sched/cls_tcindex.c | 8 ++----- net/vmw_vsock/af_vsock.c | 15 +++++++------- net/vmw_vsock/vmci_transport.c | 3 -- sound/core/memalloc.c | 8 +------ sound/core/seq/seq_virmidi.c | 10 +++++++++ sound/pci/cs5535audio/cs5535audio.h | 6 ++--- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 +-- sound/pci/hda/hda_intel.c | 2 - sound/pci/hda/patch_conexant.c | 4 ++- sound/pci/vx222/vx222_ops.c | 8 +++---- sound/pcmcia/vx/vxp_ops.c | 10 ++++----- 32 files changed, 104 insertions(+), 69 deletions(-) Aaron Sierra (1): serial: 8250_exar: Read INT0 from slave device, too Aleksander Morgado (1): USB: option: add support for DW5821e Alexey Kodanev (1): dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() Chen Hu (1): serial: 8250_dw: always set baud rate in dw8250_set_termios Cong Wang (2): llc: use refcount_inc_not_zero() for llc_sap_find() vsock: split dwork to avoid reinitializations Dmitry Bogdanov (1): net: aquantia: Fix IFF_ALLMULTI flag functionality Greg Kroah-Hartman (1): Linux 4.14.66 Hangbin Liu (3): net_sched: fix NULL pointer dereference when delete tcindex filter net_sched: Fix missing res info when create new tc_index filter cls_matchall: fix tcf_unbind_filter missing Hans de Goede (1): ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Jason Wang (1): vhost: reset metadata cache when initializing new IOTLB Johan Hovold (1): misc: sram: fix resource leaks in probe error path John Ogness (1): USB: serial: sierra: fix potential deadlock at close Kees Cook (1): isdn: Disable IIOCDBGVAR Mark (1): tty: serial: 8250: Revert NXP SC16C2552 workaround Movie Song (1): USB: serial: pl2303: add a new device id for ATEN Park Ju Hyung (2): ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs ALSA: hda - Turn CX8200 into D3 as well upon reboot Srinath Mannam (1): serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Sudip Mukherjee (1): Bluetooth: avoid killing an already killed socket Takashi Iwai (5): ALSA: vx222: Fix invalid endian conversions ALSA: virmidi: Fix too long output trigger loop ALSA: cs5535audio: Fix invalid endian conversion ALSA: memalloc: Don't exceed over the requested size ALSA: vxpocket: Fix invalid endian conversions Wei Wang (1): l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Willy Tarreau (1): ACPI / PM: save NVS memory for ASUS 1025C laptop Xin Long (1): ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit

6 years, 4 months

1
1
0 0

Linux 4.17.18

by Greg KH

I'm announcing the release of the 4.17.18 kernel. All users of the 4.17 kernel series must upgrade. The updated 4.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.17.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 drivers/acpi/sleep.c | 8 drivers/isdn/i4l/isdn_common.c | 8 drivers/misc/sram.c | 9 drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 2 drivers/net/ethernet/marvell/mvneta.c | 53 ++-- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 8 drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c | 51 ++- drivers/net/ethernet/realtek/r8169.c | 12 drivers/tty/serial/8250/8250_dw.c | 3 drivers/tty/serial/8250/8250_exar.c | 6 drivers/tty/serial/8250/8250_port.c | 3 drivers/usb/serial/option.c | 4 drivers/usb/serial/pl2303.c | 2 drivers/usb/serial/pl2303.h | 1 drivers/usb/serial/sierra.c | 4 drivers/vhost/vhost.c | 9 include/net/af_vsock.h | 4 include/net/llc.h | 5 net/bluetooth/sco.c | 3 net/core/sock_diag.c | 2 net/dccp/ccids/ccid2.c | 6 net/ipv4/ip_vti.c | 3 net/ipv6/ip6_tunnel.c | 8 net/l2tp/l2tp_core.c | 2 net/llc/llc_core.c | 4 net/rxrpc/ar-internal.h | 8 net/rxrpc/conn_event.c | 4 net/rxrpc/net_ns.c | 6 net/rxrpc/output.c | 12 net/rxrpc/peer_event.c | 156 ++++++------ net/rxrpc/peer_object.c | 8 net/rxrpc/rxkad.c | 4 net/sched/cls_matchall.c | 2 net/sched/cls_tcindex.c | 8 net/socket.c | 3 net/vmw_vsock/af_vsock.c | 15 - net/vmw_vsock/vmci_transport.c | 3 sound/core/memalloc.c | 8 sound/core/seq/oss/seq_oss.c | 2 sound/core/seq/seq_clientmgr.c | 2 sound/core/seq/seq_virmidi.c | 10 sound/pci/cs5535audio/cs5535audio.h | 6 sound/pci/cs5535audio/cs5535audio_pcm.c | 4 sound/pci/hda/hda_intel.c | 2 sound/pci/hda/patch_conexant.c | 4 sound/pci/vx222/vx222_ops.c | 8 sound/pcmcia/vx/vxp_ops.c | 10 48 files changed, 295 insertions(+), 212 deletions(-) Aaron Sierra (1): serial: 8250_exar: Read INT0 from slave device, too Aleksander Morgado (1): USB: option: add support for DW5821e Alexey Kodanev (1): dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() Andrew Lunn (1): net: ethernet: mvneta: Fix napi structure mixup on armada 3700 Chen Hu (1): serial: 8250_dw: always set baud rate in dw8250_set_termios Cong Wang (2): llc: use refcount_inc_not_zero() for llc_sap_find() vsock: split dwork to avoid reinitializations David Howells (1): rxrpc: Fix the keepalive generator [ver #2] Dmitry Bogdanov (1): net: aquantia: Fix IFF_ALLMULTI flag functionality Greg Kroah-Hartman (1): Linux 4.17.18 Haishuang Yan (1): ip_vti: fix a null pointer deferrence when create vti fallback tunnel Hangbin Liu (3): net_sched: fix NULL pointer dereference when delete tcindex filter net_sched: Fix missing res info when create new tc_index filter cls_matchall: fix tcf_unbind_filter missing Hans de Goede (1): ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Heiner Kallweit (1): r8169: don't use MSI-X on RTL8168g Jason Wang (1): vhost: reset metadata cache when initializing new IOTLB Jeremy Cline (1): net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() Jian-Hong Pan (1): r8169: don't use MSI-X on RTL8106e Jisheng Zhang (1): net: mvneta: fix mvneta_config_rss on armada 3700 Johan Hovold (1): misc: sram: fix resource leaks in probe error path John Ogness (1): USB: serial: sierra: fix potential deadlock at close Kees Cook (1): isdn: Disable IIOCDBGVAR Mark (1): tty: serial: 8250: Revert NXP SC16C2552 workaround Movie Song (1): USB: serial: pl2303: add a new device id for ATEN Nir Dotan (4): mlxsw: core_acl_flex_actions: Return error for conflicting actions mlxsw: core_acl_flex_actions: Remove redundant resource destruction mlxsw: core_acl_flex_actions: Remove redundant counter destruction mlxsw: core_acl_flex_actions: Remove redundant mirror resource destruction Or Gerlitz (1): net/mlx5e: Properly check if hairpin is possible between two functions Park Ju Hyung (2): ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs ALSA: hda - Turn CX8200 into D3 as well upon reboot Srinath Mannam (1): serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Sudip Mukherjee (1): Bluetooth: avoid killing an already killed socket Takashi Iwai (6): ALSA: vx222: Fix invalid endian conversions ALSA: virmidi: Fix too long output trigger loop ALSA: cs5535audio: Fix invalid endian conversion ALSA: memalloc: Don't exceed over the requested size ALSA: vxpocket: Fix invalid endian conversions ALSA: seq: Fix poll() error return Wei Wang (1): l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Willy Tarreau (1): ACPI / PM: save NVS memory for ASUS 1025C laptop Xin Long (1): ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit

6 years, 4 months

1
1
0 0

Linux 4.18.4

by Greg KH

I'm announcing the release of the 4.18.4 kernel. All users of the 4.18 kernel series must upgrade. The updated 4.18.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.18.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 - drivers/acpi/sleep.c | 8 ++++ drivers/isdn/i4l/isdn_common.c | 8 ---- drivers/media/usb/dvb-usb-v2/gl861.c | 21 ++++++------ drivers/misc/sram.c | 9 ++++- drivers/net/ethernet/marvell/mvneta.c | 53 +++++++++++++++++++------------- drivers/net/ethernet/realtek/r8169.c | 12 ++++++- drivers/net/hyperv/rndis_filter.c | 2 - drivers/tty/serial/8250/8250_dw.c | 3 + drivers/tty/serial/8250/8250_exar.c | 6 +++ drivers/tty/serial/8250/8250_port.c | 3 - drivers/uio/uio.c | 10 +----- drivers/usb/serial/option.c | 4 ++ drivers/usb/serial/pl2303.c | 2 + drivers/usb/serial/pl2303.h | 1 drivers/usb/serial/sierra.c | 4 +- net/bluetooth/sco.c | 3 + net/core/sock_diag.c | 2 + net/ipv4/ip_vti.c | 3 + net/l2tp/l2tp_core.c | 2 - net/sched/cls_matchall.c | 2 + net/sched/cls_tcindex.c | 8 +--- net/socket.c | 3 - sound/core/memalloc.c | 8 +--- sound/core/seq/oss/seq_oss.c | 2 - sound/core/seq/seq_clientmgr.c | 2 - sound/core/seq/seq_virmidi.c | 10 ++++++ sound/firewire/dice/dice-alesis.c | 2 - sound/pci/cs5535audio/cs5535audio.h | 6 +-- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 +- sound/pci/hda/hda_intel.c | 2 - sound/pci/hda/patch_conexant.c | 4 +- sound/pci/vx222/vx222_ops.c | 8 ++-- sound/pcmcia/vx/vxp_ops.c | 10 +++--- 34 files changed, 137 insertions(+), 92 deletions(-) Aaron Sierra (1): serial: 8250_exar: Read INT0 from slave device, too Aleksander Morgado (1): USB: option: add support for DW5821e Andrew Lunn (1): net: ethernet: mvneta: Fix napi structure mixup on armada 3700 Chen Hu (1): serial: 8250_dw: always set baud rate in dw8250_set_termios Greg Kroah-Hartman (1): Linux 4.18.4 Hailong Liu (1): uio: fix wrong return value from uio_mmap() Haishuang Yan (1): ip_vti: fix a null pointer deferrence when create vti fallback tunnel Hangbin Liu (3): net_sched: fix NULL pointer dereference when delete tcindex filter net_sched: Fix missing res info when create new tc_index filter cls_matchall: fix tcf_unbind_filter missing Hans de Goede (1): ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Heiner Kallweit (1): r8169: don't use MSI-X on RTL8168g Jeremy Cline (1): net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() Jian-Hong Pan (1): r8169: don't use MSI-X on RTL8106e Jisheng Zhang (1): net: mvneta: fix mvneta_config_rss on armada 3700 Johan Hovold (1): misc: sram: fix resource leaks in probe error path John Ogness (1): USB: serial: sierra: fix potential deadlock at close Kees Cook (1): isdn: Disable IIOCDBGVAR Mark (1): tty: serial: 8250: Revert NXP SC16C2552 workaround Mika Båtsman (1): media: gl861: fix probe of dvb_usb_gl861 Movie Song (1): USB: serial: pl2303: add a new device id for ATEN Park Ju Hyung (2): ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs ALSA: hda - Turn CX8200 into D3 as well upon reboot Srinath Mannam (1): serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Sudip Mukherjee (1): Bluetooth: avoid killing an already killed socket Takashi Iwai (7): ALSA: vx222: Fix invalid endian conversions ALSA: virmidi: Fix too long output trigger loop ALSA: cs5535audio: Fix invalid endian conversion ALSA: memalloc: Don't exceed over the requested size ALSA: vxpocket: Fix invalid endian conversions ALSA: seq: Fix poll() error return hv/netvsc: Fix NULL dereference at single queue mode fallback Takashi Sakamoto (1): ALSA: dice: fix wrong copy to rx parameters for Alesis iO26 Wei Wang (1): l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Willy Tarreau (1): ACPI / PM: save NVS memory for ASUS 1025C laptop Xiubo Li (1): Revert "uio: use request_threaded_irq instead"

6 years, 4 months

1
1
0 0

Re: [PATCH] crypto: vmx - Fix sleep-in-atomic bugs

by Marcelo Henrique Cerri

On Tue, Aug 21, 2018 at 05:24:45PM +0200, Ondrej Mosnáček wrote: > CC: Paulo Flabiano Smorigo <pfsmorigo(a)linux.vnet.ibm.com>, > linuxppc-dev(a)lists.ozlabs.org > > (Sorry, sent this before reading new e-mails in the thread...) > > ut 21. 8. 2018 o 17:18 Ondrej Mosnacek <omosnace(a)redhat.com> napísal(a): > > > > This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX > > implementations. The problem is that the blkcipher_* functions should > > not be called in atomic context. > > > > The bugs can be reproduced via the AF_ALG interface by trying to > > encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the > > VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then > > trigger BUG in crypto_yield(): > > > > [ 891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424 > > [ 891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc > > [ 891.864739] 1 lock held by kcapi-enc/12347: > > [ 891.864811] #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530 > > [ 891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1 > > [ 891.865251] Call Trace: > > [ 891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable) > > [ 891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310 > > [ 891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0 > > [ 891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto] > > [ 891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80 > > [ 891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530 > > [ 891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0 > > [ 891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0 > > [ 891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0 > > [ 891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70 > > > > Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module") > > Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") > > Cc: stable(a)vger.kernel.org > > Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com> > > --- > > This patch should fix the issue, but I didn't test it. (I'll see if I > > can find some time tomorrow to try and recompile the kernel on a PPC > > machine... in the meantime please review :) > > > > drivers/crypto/vmx/aes_cbc.c | 30 ++++++++++++++---------------- > > drivers/crypto/vmx/aes_xts.c | 19 ++++++++++++------- > > 2 files changed, 26 insertions(+), 23 deletions(-) > > > > diff --git a/drivers/crypto/vmx/aes_cbc.c b/drivers/crypto/vmx/aes_cbc.c > > index 5285ece4f33a..b71895871be3 100644 > > --- a/drivers/crypto/vmx/aes_cbc.c > > +++ b/drivers/crypto/vmx/aes_cbc.c > > @@ -107,24 +107,23 @@ static int p8_aes_cbc_encrypt(struct blkcipher_desc *desc, > > ret = crypto_skcipher_encrypt(req); > > skcipher_request_zero(req); > > } else { > > - preempt_disable(); > > - pagefault_disable(); > > - enable_kernel_vsx(); > > - > > blkcipher_walk_init(&walk, dst, src, nbytes); > > ret = blkcipher_walk_virt(desc, &walk); > > while ((nbytes = walk.nbytes)) { > > + preempt_disable(); > > + pagefault_disable(); > > + enable_kernel_vsx(); > > aes_p8_cbc_encrypt(walk.src.virt.addr, > > walk.dst.virt.addr, > > nbytes & AES_BLOCK_MASK, > > &ctx->enc_key, walk.iv, 1); > > + disable_kernel_vsx(); > > + pagefault_enable(); > > + preempt_enable(); > > + > > nbytes &= AES_BLOCK_SIZE - 1; > > ret = blkcipher_walk_done(desc, &walk, nbytes); > > } > > - > > - disable_kernel_vsx(); > > - pagefault_enable(); > > - preempt_enable(); > > } > > > > return ret; > > @@ -147,24 +146,23 @@ static int p8_aes_cbc_decrypt(struct blkcipher_desc *desc, > > ret = crypto_skcipher_decrypt(req); > > skcipher_request_zero(req); > > } else { > > - preempt_disable(); > > - pagefault_disable(); > > - enable_kernel_vsx(); > > - > > blkcipher_walk_init(&walk, dst, src, nbytes); > > ret = blkcipher_walk_virt(desc, &walk); > > while ((nbytes = walk.nbytes)) { > > + preempt_disable(); > > + pagefault_disable(); > > + enable_kernel_vsx(); > > aes_p8_cbc_encrypt(walk.src.virt.addr, > > walk.dst.virt.addr, > > nbytes & AES_BLOCK_MASK, > > &ctx->dec_key, walk.iv, 0); > > + disable_kernel_vsx(); > > + pagefault_enable(); > > + preempt_enable(); > > + > > nbytes &= AES_BLOCK_SIZE - 1; > > ret = blkcipher_walk_done(desc, &walk, nbytes); > > } > > - > > - disable_kernel_vsx(); > > - pagefault_enable(); > > - preempt_enable(); > > } > > > > return ret; > > diff --git a/drivers/crypto/vmx/aes_xts.c b/drivers/crypto/vmx/aes_xts.c > > index 8bd9aff0f55f..016ef52390c9 100644 > > --- a/drivers/crypto/vmx/aes_xts.c > > +++ b/drivers/crypto/vmx/aes_xts.c > > @@ -116,13 +116,14 @@ static int p8_aes_xts_crypt(struct blkcipher_desc *desc, > > ret = enc? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req); > > skcipher_request_zero(req); > > } else { > > + blkcipher_walk_init(&walk, dst, src, nbytes); > > + > > + ret = blkcipher_walk_virt(desc, &walk); > > + > > preempt_disable(); > > pagefault_disable(); > > enable_kernel_vsx(); > > > > - blkcipher_walk_init(&walk, dst, src, nbytes); > > - > > - ret = blkcipher_walk_virt(desc, &walk); > > iv = walk.iv; > > memset(tweak, 0, AES_BLOCK_SIZE); > > aes_p8_encrypt(iv, tweak, &ctx->tweak_key); > > @@ -135,13 +136,17 @@ static int p8_aes_xts_crypt(struct blkcipher_desc *desc, > > aes_p8_xts_decrypt(walk.src.virt.addr, walk.dst.virt.addr, > > nbytes & AES_BLOCK_MASK, &ctx->dec_key, NULL, tweak); > > > > + disable_kernel_vsx(); > > + pagefault_enable(); > > + preempt_enable(); > > + > > nbytes &= AES_BLOCK_SIZE - 1; > > ret = blkcipher_walk_done(desc, &walk, nbytes); > > - } > > > > - disable_kernel_vsx(); > > - pagefault_enable(); > > - preempt_enable(); > > + preempt_disable(); > > + pagefault_disable(); > > + enable_kernel_vsx(); > > + } That doesn't seem right. It would leave preemption disabled when leaving the function. > > } > > return ret; > > } > > -- > > 2.17.1 > > -- Regards, Marcelo

6 years, 4 months

2
1
0 0

[patch 129/167] reiserfs: fix broken xattr handling (heap corruption, bad retval)

by akpm＠linux-foundation.org

From: Jann Horn <jannh(a)google.com> Subject: reiserfs: fix broken xattr handling (heap corruption, bad retval) This fixes the following issues: - When a buffer size is supplied to reiserfs_listxattr() such that each individual name fits, but the concatenation of all names doesn't fit, reiserfs_listxattr() overflows the supplied buffer. This leads to a kernel heap overflow (verified using KASAN) followed by an out-of-bounds usercopy and is therefore a security bug. - When a buffer size is supplied to reiserfs_listxattr() such that a name doesn't fit, -ERANGE should be returned. But reiserfs instead just truncates the list of names; I have verified that if the only xattr on a file has a longer name than the supplied buffer length, listxattr() incorrectly returns zero. With my patch applied, -ERANGE is returned in both cases and the memory corruption doesn't happen anymore. Credit for making me clean this code up a bit goes to Al Viro, who pointed out that the ->actor calling convention is suboptimal and should be changed. Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers") Signed-off-by: Jann Horn <jannh(a)google.com> Acked-by: Jeff Mahoney <jeffm(a)suse.com> Cc: Eric Biggers <ebiggers(a)google.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/reiserfs/xattr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/fs/reiserfs/xattr.c~reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval +++ a/fs/reiserfs/xattr.c @@ -792,8 +792,10 @@ static int listxattr_filler(struct dir_c return 0; size = namelen + 1; if (b->buf) { - if (size > b->size) + if (b->pos + size > b->size) { + b->pos = -ERANGE; return -ERANGE; + } memcpy(b->buf + b->pos, name, namelen); b->buf[b->pos + namelen] = 0; } _

6 years, 4 months

1
0
0 0

[patch 037/167] drivers/block/zram/zram_drv.c: fix bug storing backing_dev

by akpm＠linux-foundation.org

From: Peter Kalauskas <peskal(a)google.com> Subject: drivers/block/zram/zram_drv.c: fix bug storing backing_dev The call to strlcpy in backing_dev_store is incorrect. It should take the size of the destination buffer instead of the size of the source buffer. Additionally, ignore the newline character (\n) when reading the new file_name buffer. This makes it possible to set the backing_dev as follows: echo /dev/sdX > /sys/block/zram0/backing_dev The reason it worked before was the fact that strlcpy() copies 'len - 1' bytes, which is strlen(buf) - 1 in our case, so it accidentally didn't copy the trailing new line symbol. Which also means that "echo -n /dev/sdX" most likely was broken. Signed-off-by: Peter Kalauskas <peskal(a)google.com> Link: http://lkml.kernel.org/r/20180813061623.GC64836@rodete-desktop-imager.corp.… Acked-by: Minchan Kim <minchan(a)kernel.org> Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Cc: <stable(a)vger.kernel.org> [4.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/block/zram/zram_drv.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/drivers/block/zram/zram_drv.c~zram-fix-bug-storing-backing_dev +++ a/drivers/block/zram/zram_drv.c @@ -337,6 +337,7 @@ static ssize_t backing_dev_store(struct struct device_attribute *attr, const char *buf, size_t len) { char *file_name; + size_t sz; struct file *backing_dev = NULL; struct inode *inode; struct address_space *mapping; @@ -357,7 +358,11 @@ static ssize_t backing_dev_store(struct goto out; } - strlcpy(file_name, buf, len); + strlcpy(file_name, buf, PATH_MAX); + /* ignore trailing newline */ + sz = strlen(file_name); + if (sz > 0 && file_name[sz - 1] == '\n') + file_name[sz - 1] = 0x00; backing_dev = filp_open(file_name, O_RDWR|O_LARGEFILE, 0); if (IS_ERR(backing_dev)) { _

6 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror August 2018