September 2018 - Linux-stable-mirror

[PATCH 2/2] NFC: Fix the number of pipes

by Greg Kroah-Hartman

From: Suren Baghdasaryan <surenb(a)google.com> According to ETSI TS 102 622 specification chapter 4.4 pipe identifier is 7 bits long which allows for 128 unique pipe IDs. Because NFC_HCI_MAX_PIPES is used as the number of pipes supported and not as the max pipe ID, its value should be 128 instead of 127. nfc_hci_recv_from_llc extracts pipe ID from packet header using NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127. Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With pipes array having only 127 elements and pipe ID of 127 the OOB memory access will result. Cc: Samuel Ortiz <sameo(a)linux.intel.com> Cc: Allen Pais <allen.pais(a)oracle.com> Cc: "David S. Miller" <davem(a)davemloft.net> Suggested-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Reviewed-by: Kees Cook <keescook(a)chromium.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- include/net/nfc/hci.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/nfc/hci.h b/include/net/nfc/hci.h index 316694dafa5b..008f466d1da7 100644 --- a/include/net/nfc/hci.h +++ b/include/net/nfc/hci.h @@ -87,7 +87,7 @@ struct nfc_hci_pipe { * According to specification 102 622 chapter 4.4 Pipes, * the pipe identifier is 7 bits long. */ -#define NFC_HCI_MAX_PIPES 127 +#define NFC_HCI_MAX_PIPES 128 struct nfc_hci_init_data { u8 gate_count; struct nfc_hci_gate gates[NFC_HCI_MAX_CUSTOM_GATES]; -- 2.19.0

6 years, 3 months

1
0
0 0

[PATCH 1/2] NFC: Fix possible memory corruption when handling SHDLC I-Frame commands

by Greg Kroah-Hartman

From: Suren Baghdasaryan <surenb(a)google.com> When handling SHDLC I-Frame commands "pipe" field used for indexing into an array should be checked before usage. If left unchecked it might access memory outside of the array of size NFC_HCI_MAX_PIPES(127). Malformed NFC HCI frames could be injected by a malicious NFC device communicating with the device being attacked (remote attack vector), or even by an attacker with physical access to the I2C bus such that they could influence the data transfers on that bus (local attack vector). skb->data is controlled by the attacker and has only been sanitized in the most trivial ways (CRC check), therefore we can consider the create_info struct and all of its members to tainted. 'create_info->pipe' with max value of 255 (uint8) is used to take an offset of the hdev->pipes array of 127 elements which can lead to OOB write. Cc: Samuel Ortiz <sameo(a)linux.intel.com> Cc: Allen Pais <allen.pais(a)oracle.com> Cc: "David S. Miller" <davem(a)davemloft.net> Suggested-by: Kevin Deus <kdeus(a)google.com> Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Acked-by: Kees Cook <keescook(a)chromium.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/nfc/hci/core.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c index ac8030c4bcf8..19cb2e473ea6 100644 --- a/net/nfc/hci/core.c +++ b/net/nfc/hci/core.c @@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd, } create_info = (struct hci_create_pipe_resp *)skb->data; + if (create_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + /* Save the new created pipe and bind with local gate, * the description for skb->data[3] is destination gate id * but since we received this cmd from host controller, we @@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd, } delete_info = (struct hci_delete_pipe_noti *)skb->data; + if (delete_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE; hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST; break; -- 2.19.0

6 years, 3 months

1
0
0 0

[git:media_tree/master] media: tvp5150: avoid going past array on v4l2_querymenu()

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: tvp5150: avoid going past array on v4l2_querymenu() Author: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> Date: Thu Sep 13 16:49:51 2018 -0400 The parameters of v4l2_ctrl_new_std_menu_items() are tricky: instead of the number of possible values, it requires the number of the maximum value. In other words, the ARRAY_SIZE() value should be decremented, otherwise it will go past the array bounds, as warned by KASAN: [ 279.839688] BUG: KASAN: global-out-of-bounds in v4l2_querymenu+0x10d/0x180 [videodev] [ 279.839709] Read of size 8 at addr ffffffffc10a4cb0 by task v4l2-compliance/16676 [ 279.839736] CPU: 1 PID: 16676 Comm: v4l2-compliance Not tainted 4.18.0-rc2+ #120 [ 279.839741] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 [ 279.839743] Call Trace: [ 279.839758] dump_stack+0x71/0xab [ 279.839807] ? v4l2_querymenu+0x10d/0x180 [videodev] [ 279.839817] print_address_description+0x1c9/0x270 [ 279.839863] ? v4l2_querymenu+0x10d/0x180 [videodev] [ 279.839871] kasan_report+0x237/0x360 [ 279.839918] v4l2_querymenu+0x10d/0x180 [videodev] [ 279.839964] __video_do_ioctl+0x2c8/0x590 [videodev] [ 279.840011] ? copy_overflow+0x20/0x20 [videodev] [ 279.840020] ? avc_ss_reset+0xa0/0xa0 [ 279.840028] ? check_stack_object+0x21/0x60 [ 279.840036] ? __check_object_size+0xe7/0x240 [ 279.840080] video_usercopy+0xed/0x730 [videodev] [ 279.840123] ? copy_overflow+0x20/0x20 [videodev] [ 279.840167] ? v4l_enumstd+0x40/0x40 [videodev] [ 279.840177] ? __handle_mm_fault+0x9f9/0x1ba0 [ 279.840186] ? __pmd_alloc+0x2c0/0x2c0 [ 279.840193] ? __vfs_write+0xb6/0x350 [ 279.840200] ? kernel_read+0xa0/0xa0 [ 279.840244] ? video_usercopy+0x730/0x730 [videodev] [ 279.840284] v4l2_ioctl+0xa1/0xb0 [videodev] [ 279.840295] do_vfs_ioctl+0x117/0x8a0 [ 279.840303] ? selinux_file_ioctl+0x211/0x2f0 [ 279.840313] ? ioctl_preallocate+0x120/0x120 [ 279.840319] ? selinux_capable+0x20/0x20 [ 279.840332] ksys_ioctl+0x70/0x80 [ 279.840342] __x64_sys_ioctl+0x3d/0x50 [ 279.840351] do_syscall_64+0x6d/0x1c0 [ 279.840361] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 279.840367] RIP: 0033:0x7fdfb46275d7 [ 279.840369] Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48 [ 279.840474] RSP: 002b:00007ffee1179038 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 [ 279.840483] RAX: ffffffffffffffda RBX: 00007ffee1179180 RCX: 00007fdfb46275d7 [ 279.840488] RDX: 00007ffee11790c0 RSI: 00000000c02c5625 RDI: 0000000000000003 [ 279.840493] RBP: 0000000000000002 R08: 0000000000000020 R09: 00000000009f0902 [ 279.840497] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffee117a5a0 [ 279.840501] R13: 00007ffee11790c0 R14: 0000000000000002 R15: 0000000000000000 [ 279.840515] The buggy address belongs to the variable: [ 279.840535] tvp5150_test_patterns+0x10/0xffffffffffffe360 [tvp5150] Fixes: c43875f66140 ("[media] tvp5150: replace MEDIA_ENT_F_CONN_TEST by a control") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> drivers/media/i2c/tvp5150.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- diff --git a/drivers/media/i2c/tvp5150.c b/drivers/media/i2c/tvp5150.c index f337e523821b..57b2102586bc 100644 --- a/drivers/media/i2c/tvp5150.c +++ b/drivers/media/i2c/tvp5150.c @@ -1534,7 +1534,7 @@ static int tvp5150_probe(struct i2c_client *c, 27000000, 1, 27000000); v4l2_ctrl_new_std_menu_items(&core->hdl, &tvp5150_ctrl_ops, V4L2_CID_TEST_PATTERN, - ARRAY_SIZE(tvp5150_test_patterns), + ARRAY_SIZE(tvp5150_test_patterns) - 1, 0, 0, tvp5150_test_patterns); sd->ctrl_handler = &core->hdl; if (core->hdl.error) {

6 years, 3 months

1
0
0 0

[PATCH] mtd: rawnand: marvell: prevent harmless warnings

by Miquel Raynal

Since the addition of WARN_ON() in nand_subop_get_data/addr_len() helpers, this driver will produce harmless warnings (mostly at probe) just because it always called the *_data_len() helper in the parsing function (even on non-data instructions, where this value is meaningless and unneeded. Fix these warnings by deriving the length only when it is relevant. Fixes: 760c435e0f85 ("mtd: rawnand: make subop helpers return unsigned values") Cc: stable(a)vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- drivers/mtd/nand/raw/marvell_nand.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c index 7af4d6213ee5..bc2ef5209783 100644 --- a/drivers/mtd/nand/raw/marvell_nand.c +++ b/drivers/mtd/nand/raw/marvell_nand.c @@ -1547,7 +1547,7 @@ static void marvell_nfc_parse_instructions(struct nand_chip *chip, for (op_id = 0; op_id < subop->ninstrs; op_id++) { unsigned int offset, naddrs; const u8 *addrs; - int len = nand_subop_get_data_len(subop, op_id); + int len; instr = &subop->instrs[op_id]; @@ -1593,6 +1593,7 @@ static void marvell_nfc_parse_instructions(struct nand_chip *chip, nfc_op->ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_MONOLITHIC_RW) | NDCB0_LEN_OVRD; + len = nand_subop_get_data_len(subop, op_id); nfc_op->ndcb[3] |= round_up(len, FIFO_DEPTH); } nfc_op->data_delay_ns = instr->delay_ns; @@ -1606,6 +1607,7 @@ static void marvell_nfc_parse_instructions(struct nand_chip *chip, nfc_op->ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_MONOLITHIC_RW) | NDCB0_LEN_OVRD; + len = nand_subop_get_data_len(subop, op_id); nfc_op->ndcb[3] |= round_up(len, FIFO_DEPTH); } nfc_op->data_delay_ns = instr->delay_ns; -- 2.17.1

6 years, 3 months

2
3
0 0

[PATCH] x86/mm/pat: Fix L1TF stable backport for CPA

by Andi Kleen

From: Andi Kleen <ak(a)linux.intel.com> Patch for stable only to fix boot resets caused by the L1TF patches. Stable trees reverted the following patch Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers" This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream. but the L1TF patch backported here x86/mm/pat: Make set_memory_np() L1TF safe commit 958f79b9ee55dfaf00c8106ed1c22a2919e0028b upstream set_memory_np() is used to mark kernel mappings not present, but it has it's own open coded mechanism which does not have the L1TF protection of inverting the address bits. assumed that cpa->pfn contains a PFN. With the above patch reverted it does not, which causes the PMD to be set to an incorrect address shifted by 12 bits, which can cause early boot reset on some systems, like an Apollo Lake embedded system. Convert the address to a PFN before passing it to pmd_pfn() Thanks to Bernhard for bisecting and testing. Cc: stable(a)vger.kernel.org # 4.4 and 4.9 Reported-by: Bernhard Kaindl <bernhard.kaindl(a)thalesgroup.com> Tested-by: Bernhard Kaindl <bernhard.kaindl(a)thalesgroup.com> Signed-off-by: Andi Kleen <ak(a)linux.intel.com> --- arch/x86/mm/pageattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c index 27610c2d1821..1007fa80f5a6 100644 --- a/arch/x86/mm/pageattr.c +++ b/arch/x86/mm/pageattr.c @@ -1006,7 +1006,7 @@ static int populate_pmd(struct cpa_data *cpa, pmd = pmd_offset(pud, start); - set_pmd(pmd, pmd_mkhuge(pfn_pmd(cpa->pfn, + set_pmd(pmd, pmd_mkhuge(pfn_pmd(cpa->pfn >> PAGE_SHIFT, canon_pgprot(pmd_pgprot)))); start += PMD_SIZE; -- 2.17.1

6 years, 3 months

6
11
0 0

[STABLE 4.4] x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+

by Andi Kleen

From: Andi Kleen <ak(a)linux.intel.com> [upstream cc51e5428ea54f575d49cfcede1d4cb3a72b4ec4 for 4.4. Note there might be still a trivial conflict with the backport for b0a182f875689647b014bc01d36b340217792852, but should be easy to resolve] On Nehalem and newer core CPUs the CPU cache internally uses 44 bits physical address space. The L1TF workaround is limited by this internal cache address width, and needs to have one bit free there for the mitigation to work. Older client systems report only 36bit physical address space so the range check decides that L1TF is not mitigated for a 36bit phys/32GB system with some memory holes. But since these actually have the larger internal cache width this warning is bogus because it would only really be needed if the system had more than 43bits of memory. Add a new internal x86_cache_bits field. Normally it is the same as the physical bits field reported by CPUID, but for Nehalem and newerforce it to be at least 44bits. Change the L1TF memory size warning to use the new cache_bits field to avoid bogus warnings and remove the bogus comment about memory size. Fixes: 17dbca119312 ("x86/speculation/l1tf: Add sysfs reporting for l1tf") Reported-by: George Anchev <studio(a)anchev.net> Reported-by: Christopher Snowhill <kode54(a)gmail.com> Signed-off-by: Andi Kleen <ak(a)linux.intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: x86(a)kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: Michael Hocko <mhocko(a)suse.com> Cc: vbabka(a)suse.cz Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20180824170351.34874-1-andi@firstfloor.org --- arch/x86/include/asm/processor.h | 4 ++- arch/x86/kernel/cpu/bugs.c | 47 ++++++++++++++++++++++++++++---- arch/x86/kernel/cpu/common.c | 2 ++ 3 files changed, 47 insertions(+), 6 deletions(-) diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h index a3a53955f01c..cb07d3f618ca 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -104,6 +104,8 @@ struct cpuinfo_x86 { __u8 x86_phys_bits; /* CPUID returned core id bits: */ __u8 x86_coreid_bits; + + __u8 x86_cache_bits; /* Max extended CPUID function supported: */ __u32 extended_cpuid_level; /* Maximum supported CPUID level, -1=no CPUID: */ @@ -174,7 +176,7 @@ extern void cpu_detect(struct cpuinfo_x86 *c); static inline unsigned long l1tf_pfn_limit(void) { - return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1; + return BIT_ULL(boot_cpu_data.x86_cache_bits - 1 - PAGE_SHIFT); } extern void early_cpu_init(void); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 34e4aaaf03d2..2a41a86aa5c2 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -634,6 +634,46 @@ void x86_spec_ctrl_setup_ap(void) #undef pr_fmt #define pr_fmt(fmt) "L1TF: " fmt + +/* + * These CPUs all support 44bits physical address space internally in the + * cache but CPUID can report a smaller number of physical address bits. + * + * The L1TF mitigation uses the top most address bit for the inversion of + * non present PTEs. When the installed memory reaches into the top most + * address bit due to memory holes, which has been observed on machines + * which report 36bits physical address bits and have 32G RAM installed, + * then the mitigation range check in l1tf_select_mitigation() triggers. + * This is a false positive because the mitigation is still possible due to + * the fact that the cache uses 44bit internally. Use the cache bits + * instead of the reported physical bits and adjust them on the affected + * machines to 44bit if the reported bits are less than 44. + */ +static void override_cache_bits(struct cpuinfo_x86 *c) +{ + if (c->x86 != 6) + return; + + switch (c->x86_model) { + case INTEL_FAM6_NEHALEM: + case INTEL_FAM6_WESTMERE: + case INTEL_FAM6_SANDYBRIDGE: + case INTEL_FAM6_IVYBRIDGE: + case INTEL_FAM6_HASWELL_CORE: + case INTEL_FAM6_HASWELL_ULT: + case INTEL_FAM6_HASWELL_GT3E: + case INTEL_FAM6_BROADWELL_CORE: + case INTEL_FAM6_BROADWELL_GT3E: + case INTEL_FAM6_SKYLAKE_MOBILE: + case INTEL_FAM6_SKYLAKE_DESKTOP: + case INTEL_FAM6_KABYLAKE_MOBILE: + case INTEL_FAM6_KABYLAKE_DESKTOP: + if (c->x86_cache_bits < 44) + c->x86_cache_bits = 44; + break; + } +} + static void __init l1tf_select_mitigation(void) { u64 half_pa; @@ -641,16 +681,13 @@ static void __init l1tf_select_mitigation(void) if (!boot_cpu_has_bug(X86_BUG_L1TF)) return; + override_cache_bits(&boot_cpu_data); + #if CONFIG_PGTABLE_LEVELS == 2 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n"); return; #endif - /* - * This is extremely unlikely to happen because almost all - * systems have far more MAX_PA/2 than RAM can be fit into - * DIMM slots. - */ half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT; if (e820_any_mapped(half_pa, ULLONG_MAX - half_pa, E820_RAM)) { pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n"); diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 4d3fa79c0f09..b12c0287d6cf 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -798,6 +798,8 @@ void get_cpu_cap(struct cpuinfo_x86 *c) c->x86_phys_bits = 36; #endif + c->x86_cache_bits = c->x86_phys_bits; + if (c->extended_cpuid_level >= 0x8000000a) c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a); -- 2.17.1

6 years, 3 months

2
1
0 0

[PATCH v4.14.y] autofs: fix autofs_sbi() does not check super block type

by Zubin Mithra

From: Ian Kent <raven(a)themaw.net> commit 0633da48f0793aeba27f82d30605624416723a91 upstream. autofs_sbi() does not check the superblock magic number to verify it has been given an autofs super block. Backport Note: autofs4 has been renamed to autofs upstream. As a result the upstream patch does not apply cleanly onto 4.14.y. Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto… Reported-by: <syzbot+87c3c541582e56943277(a)syzkaller.appspotmail.com> Signed-off-by: Ian Kent <raven(a)themaw.net> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Zubin Mithra <zsm(a)chromium.org> --- fs/autofs4/autofs_i.h | 4 +++- fs/autofs4/inode.c | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/autofs4/autofs_i.h b/fs/autofs4/autofs_i.h index 4737615f0eaa..ce696d6c4641 100644 --- a/fs/autofs4/autofs_i.h +++ b/fs/autofs4/autofs_i.h @@ -26,6 +26,7 @@ #include <linux/list.h> #include <linux/completion.h> #include <asm/current.h> +#include <linux/magic.h> /* This is the range of ioctl() numbers we claim as ours */ #define AUTOFS_IOC_FIRST AUTOFS_IOC_READY @@ -124,7 +125,8 @@ struct autofs_sb_info { static inline struct autofs_sb_info *autofs4_sbi(struct super_block *sb) { - return (struct autofs_sb_info *)(sb->s_fs_info); + return sb->s_magic != AUTOFS_SUPER_MAGIC ? + NULL : (struct autofs_sb_info *)(sb->s_fs_info); } static inline struct autofs_info *autofs4_dentry_ino(struct dentry *dentry) diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c index 09e7d68dff02..3c7e727612fa 100644 --- a/fs/autofs4/inode.c +++ b/fs/autofs4/inode.c @@ -14,7 +14,6 @@ #include <linux/pagemap.h> #include <linux/parser.h> #include <linux/bitops.h> -#include <linux/magic.h> #include "autofs_i.h" #include <linux/module.h> -- 2.19.0.rc0.228.g281dcd1b4d0-goog

6 years, 3 months

4
3
0 0

[PATCH v4.14.y 1/2] tun: fix use after free for ptr_ring

by Zubin Mithra

From: Jason Wang <jasowang(a)redhat.com> commit b196d88aba8ac72b775137854121097f4c4c6862 upstream. We used to initialize ptr_ring during TUNSETIFF, this is because its size depends on the tx_queue_len of netdevice. And we try to clean it up when socket were detached from netdevice. A race were spotted when trying to do uninit during a read which will lead a use after free for pointer ring. Solving this by always initialize a zero size ptr_ring in open() and do resizing during TUNSETIFF, and then we can safely do cleanup during close(). With this, there's no need for the workaround that was introduced by commit 4df0bfc79904 ("tun: fix a memory leak for tfile->tx_array"). Backport Note :- Comparison with the upstream patch: [1] A "semantic revert" of the changes made in 4df0bfc799("tun: fix a memory leak for tfile->tx_array"). 4df0bfc799 was applied upstream, and then skb array was changed to use ptr_ring. The upstream patch then removes the changes introduced by 4df0bfc799. This backport does the same; "revert" the changes made by 4df0bfc799. [2] xdp_rxq_info_unreg() being called in relevant locations As xdp_rxq_info related patches are not present in 4.14, these changes are not needed in the backport. [3] An instance of ptr_ring_init needs to be replaced by skb_array_init Inside tun_attach() [4] ptr_ring_cleanup needs to be replaced by skb_array_cleanup Inside tun_chr_close() Note that the backport for 7063efd33b ("tuntap: fix use after free during release") needs to be applied on top of this patch. Reported-by: syzbot+e8b902c3c3fadf0a9dba(a)syzkaller.appspotmail.com Cc: Eric Dumazet <eric.dumazet(a)gmail.com> Cc: Cong Wang <xiyou.wangcong(a)gmail.com> Cc: Michael S. Tsirkin <mst(a)redhat.com> Fixes: 1576d9860599 ("tun: switch to use skb array for tx") Signed-off-by: Jason Wang <jasowang(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Zubin Mithra <zsm(a)chromium.org> --- drivers/net/tun.c | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index cb17ffadfc30..87a989be1cef 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -534,14 +534,6 @@ static void tun_queue_purge(struct tun_file *tfile) skb_queue_purge(&tfile->sk.sk_error_queue); } -static void tun_cleanup_tx_array(struct tun_file *tfile) -{ - if (tfile->tx_array.ring.queue) { - skb_array_cleanup(&tfile->tx_array); - memset(&tfile->tx_array, 0, sizeof(tfile->tx_array)); - } -} - static void __tun_detach(struct tun_file *tfile, bool clean) { struct tun_file *ntfile; @@ -583,7 +575,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean) tun->dev->reg_state == NETREG_REGISTERED) unregister_netdevice(tun->dev); } - tun_cleanup_tx_array(tfile); sock_put(&tfile->sk); } } @@ -623,13 +614,11 @@ static void tun_detach_all(struct net_device *dev) /* Drop read queue */ tun_queue_purge(tfile); sock_put(&tfile->sk); - tun_cleanup_tx_array(tfile); } list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) { tun_enable_queue(tfile); tun_queue_purge(tfile); sock_put(&tfile->sk); - tun_cleanup_tx_array(tfile); } BUG_ON(tun->numdisabled != 0); @@ -675,7 +664,7 @@ static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filte } if (!tfile->detached && - skb_array_init(&tfile->tx_array, dev->tx_queue_len, GFP_KERNEL)) { + skb_array_resize(&tfile->tx_array, dev->tx_queue_len, GFP_KERNEL)) { err = -ENOMEM; goto out; } @@ -2624,6 +2613,11 @@ static int tun_chr_open(struct inode *inode, struct file * file) &tun_proto, 0); if (!tfile) return -ENOMEM; + if (skb_array_init(&tfile->tx_array, 0, GFP_KERNEL)) { + sk_free(&tfile->sk); + return -ENOMEM; + } + RCU_INIT_POINTER(tfile->tun, NULL); tfile->flags = 0; tfile->ifindex = 0; @@ -2644,8 +2638,6 @@ static int tun_chr_open(struct inode *inode, struct file * file) sock_set_flag(&tfile->sk, SOCK_ZEROCOPY); - memset(&tfile->tx_array, 0, sizeof(tfile->tx_array)); - return 0; } @@ -2654,6 +2646,7 @@ static int tun_chr_close(struct inode *inode, struct file *file) struct tun_file *tfile = file->private_data; tun_detach(tfile, true); + skb_array_cleanup(&tfile->tx_array); return 0; } -- 2.19.0.rc1.350.ge57e33dbd1-goog

6 years, 3 months

2
2
0 0

[PATCH 4.4 000/107] 4.4.144-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.144 release. There are 107 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Jul 25 12:23:53 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.144-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.144-rc1 Sascha Hauer <s.hauer(a)pengutronix.de> ubi: fastmap: Erase outdated anchor PEBs during attach Richard Weinberger <richard(a)nod.at> ubi: Fix Fastmap's update_vol() Richard Weinberger <richard(a)nod.at> ubi: Fix races around ubi_refill_pools() Richard Weinberger <richard(a)nod.at> ubi: Be more paranoid while seaching for the most recent Fastmap Richard Weinberger <richard(a)nod.at> ubi: Rework Fastmap attach base code Richard Weinberger <richard(a)nod.at> ubi: Introduce vol_ignored() Lucas Stach <dev(a)lynxeye.de> clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 Alan Jenkins <alan.christopher.jenkins(a)gmail.com> block: do not use interruptible wait anywhere Andy Lutomirski <luto(a)kernel.org> x86/cpu: Re-apply forced caps every time CPU caps are re-read Juergen Gross <jgross(a)suse.com> x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Rename SSBD_NO to SSB_NO Thomas Gleixner <tglx(a)linutronix.de> x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG Thomas Gleixner <tglx(a)linutronix.de> x86/bugs: Rework spec_ctrl base and mask logic Thomas Gleixner <tglx(a)linutronix.de> x86/bugs: Remove x86_spec_ctrl_set() Thomas Gleixner <tglx(a)linutronix.de> x86/bugs: Expose x86_spec_ctrl_base directly Borislav Petkov <bp(a)suse.de> x86/bugs: Unify x86_spec_ctrl_{set_guest, restore_host} Thomas Gleixner <tglx(a)linutronix.de> x86/speculation: Rework speculative_store_bypass_update() Tom Lendacky <thomas.lendacky(a)amd.com> x86/speculation: Add virtualized speculative store bypass disable support Thomas Gleixner <tglx(a)linutronix.de> x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL Thomas Gleixner <tglx(a)linutronix.de> x86/speculation: Handle HT correctly on AMD Thomas Gleixner <tglx(a)linutronix.de> x86/cpufeatures: Add FEATURE_ZEN Borislav Petkov <bp(a)suse.de> x86/cpu/AMD: Fix erratum 1076 (CPB bit) Thomas Gleixner <tglx(a)linutronix.de> x86/cpufeatures: Disentangle SSBD enumeration Thomas Gleixner <tglx(a)linutronix.de> x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS Borislav Petkov <bp(a)suse.de> x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP Jim Mattson <jmattson(a)google.com> x86/cpu: Make alternative_msr_write work for 32-bit code Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Fix the parameters alignment and missing void Jiri Kosina <jkosina(a)suse.cz> x86/bugs: Make cpu_show_common() static Jiri Kosina <jkosina(a)suse.cz> x86/bugs: Fix __ssb_select_mitigation() return type Borislav Petkov <bp(a)suse.de> Documentation/spec_ctrl: Do some minor cleanups Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> proc: Use underscores for SSBD in 'status' Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Rename _RDS to _SSBD Kees Cook <keescook(a)chromium.org> x86/speculation: Make "seccomp" the default mode for Speculative Store Bypass Thomas Gleixner <tglx(a)linutronix.de> seccomp: Move speculation migitation control to arch code Kees Cook <keescook(a)chromium.org> seccomp: Add filter flag to opt-out of SSB mitigation Thomas Gleixner <tglx(a)linutronix.de> seccomp: Use PR_SPEC_FORCE_DISABLE Thomas Gleixner <tglx(a)linutronix.de> prctl: Add force disable speculation Kees Cook <keescook(a)chromium.org> seccomp: Enable speculation flaw mitigations Kees Cook <keescook(a)chromium.org> proc: Provide details on speculation flaw mitigations Kees Cook <keescook(a)chromium.org> nospec: Allow getting/setting on non-current task Thomas Gleixner <tglx(a)linutronix.de> x86/speculation: Add prctl for Speculative Store Bypass mitigation Thomas Gleixner <tglx(a)linutronix.de> x86/process: Allow runtime control of Speculative Store Bypass Thomas Gleixner <tglx(a)linutronix.de> x86/process: Optimize TIF_NOTSC switch Kyle Huey <me(a)kylehuey.com> x86/process: Correct and optimize TIF_BLOCKSTEP switch Kyle Huey <me(a)kylehuey.com> x86/process: Optimize TIF checks in __switch_to_xtra() Thomas Gleixner <tglx(a)linutronix.de> prctl: Add speculation control prctls Thomas Gleixner <tglx(a)linutronix.de> x86/speculation: Create spec-ctrl.h to avoid include hell David Woodhouse <dwmw(a)amazon.co.uk> x86/bugs/AMD: Add support to disable RDS on Fam[15, 16, 17]h if requested Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Whitelist allowed SPEC_CTRL MSR values Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs/intel: Set proper CPU features and setup RDS Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/cpufeatures: Add X86_FEATURE_RDS Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Expose /sys/../spec_store_bypass Piotr Luc <piotr.luc(a)intel.com> x86/cpu/intel: Add Knights Mill to Intel family Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> x86/cpu: Rename Merrifield2 to Moorefield Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs, KVM: Support the combination of guest and host IBRS Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Concentrate bug reporting into a separate function Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Concentrate bug detection into a separate function Linus Torvalds <torvalds(a)linux-foundation.org> x86/nospec: Simplify alternative_msr_write() David Woodhouse <dwmw(a)amazon.co.uk> x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS when running under Xen Juergen Gross <jgross(a)suse.com> xen: set cpu capabilities from xen_start_kernel() Mickaël Salaün <mic(a)digikod.net> selftest/seccomp: Fix the seccomp(2) signature Mickaël Salaün <mic(a)digikod.net> selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC Alexander Sergeyev <sergeev917(a)gmail.com> x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist Ingo Molnar <mingo(a)kernel.org> x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP David Woodhouse <dwmw(a)amazon.co.uk> x86/speculation: Use IBRS if available before calling into firmware Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/spectre_v2: Don't check microcode versions when running under hypervisors Tim Chen <tim.c.chen(a)linux.intel.com> x86/speculation: Use Indirect Branch Prediction Barrier in context switch Andy Lutomirski <luto(a)kernel.org> x86/mm: Give each mm TLB flush generation a unique ID Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Factor out LDT init from context init Juergen Gross <jgross(a)suse.com> x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend Peter Zijlstra <peterz(a)infradead.org> x86/speculation: Add <asm/msr-index.h> dependency Dan Williams <dan.j.williams(a)intel.com> x86/speculation: Fix up array_index_nospec_mask() asm constraint Ingo Molnar <mingo(a)kernel.org> x86/speculation: Clean up various Spectre related details David Woodhouse <dwmw(a)amazon.co.uk> x86/speculation: Correct Speculation Control microcode blacklist again David Woodhouse <dwmw(a)amazon.co.uk> x86/speculation: Update Speculation Control microcode blacklist Dan Williams <dan.j.williams(a)intel.com> x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface Denys Vlasenko <dvlasenk(a)redhat.com> x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs Arnd Bergmann <arnd(a)arndb.de> x86/pti: Mark constant arrays as __initconst David Woodhouse <dwmw(a)amazon.co.uk> x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Clean up Spectre v2 related CPUID flags David Woodhouse <dwmw(a)amazon.co.uk> x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes David Woodhouse <dwmw(a)amazon.co.uk> x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown David Woodhouse <dwmw(a)amazon.co.uk> x86/msr: Add definitions for new speculation control MSRs David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Add AMD feature bits for Speculation Control David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Add Intel feature bits for Speculation Control David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Add CPUID_7_EDX CPUID leaf Nick Desaulniers <ndesaulniers(a)google.com> x86/paravirt: Make native_save_fl() extern inline Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix perceived dead host due to runtime suspend race with event handler Stefano Brivio <sbrivio(a)redhat.com> skbuff: Unconditionally copy pfmemalloc in __skb_clone() Stefano Brivio <sbrivio(a)redhat.com> net: Don't copy pfmemalloc flag in __copy_skb_header() Sanjeev Bansal <sanjeevb.bansal(a)broadcom.com> tg3: Add higher cpu clock for 5762. Gustavo A. R. Silva <gustavo(a)embeddedor.com> ptp: fix missing break in switch Heiner Kallweit <hkallweit1(a)gmail.com> net: phy: fix flag masking in __set_phy_supported David Ahern <dsahern(a)gmail.com> net/ipv4: Set oif in fib_compute_spec_dst Davidlohr Bueso <dave(a)stgolabs.net> lib/rhashtable: consider param->min_size when setting initial table size Colin Ian King <colin.king(a)canonical.com> ipv6: fix useless rol32 call on hash Tyler Hicks <tyhicks(a)canonical.com> ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns Jing Xia <jing.xia.mail(a)gmail.com> mm: memcg: fix use after free in mem_cgroup_iter() Vineet Gupta <vgupta(a)synopsys.com> ARC: mm: allow mprotect to make stack mappings executable Alexey Brodkin <abrodkin(a)synopsys.com> ARC: Fix CONFIG_SWAP Takashi Iwai <tiwai(a)suse.de> ALSA: rawmidi: Change resized buffers atomically OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix memory allocation failure handling of match_strdup() Dewet Thibaut <thibaut.dewet(a)nokia.com> x86/MCE: Remove min interval polling limitation Lan Tianyu <tianyu.lan(a)intel.com> KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel. ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/kernel-parameters.txt | 45 +++ Documentation/spec_ctrl.txt | 94 +++++ Makefile | 4 +- arch/arc/include/asm/page.h | 2 +- arch/arc/include/asm/pgtable.h | 2 +- arch/x86/entry/entry_64_compat.S | 75 ++-- arch/x86/include/asm/apm.h | 6 + arch/x86/include/asm/barrier.h | 2 +- arch/x86/include/asm/cpufeature.h | 7 +- arch/x86/include/asm/cpufeatures.h | 37 +- arch/x86/include/asm/disabled-features.h | 3 +- arch/x86/include/asm/efi.h | 7 + arch/x86/include/asm/intel-family.h | 10 +- arch/x86/include/asm/irqflags.h | 2 +- arch/x86/include/asm/mmu.h | 15 +- arch/x86/include/asm/mmu_context.h | 25 +- arch/x86/include/asm/msr-index.h | 22 ++ arch/x86/include/asm/nospec-branch.h | 54 +++ arch/x86/include/asm/required-features.h | 3 +- arch/x86/include/asm/spec-ctrl.h | 80 ++++ arch/x86/include/asm/thread_info.h | 6 +- arch/x86/include/asm/tlbflush.h | 12 + arch/x86/kernel/Makefile | 1 + arch/x86/kernel/cpu/amd.c | 38 +- arch/x86/kernel/cpu/bugs.c | 427 +++++++++++++++++++-- arch/x86/kernel/cpu/common.c | 121 +++++- arch/x86/kernel/cpu/cpu.h | 3 + arch/x86/kernel/cpu/intel.c | 73 ++++ arch/x86/kernel/cpu/mcheck/mce.c | 3 - arch/x86/kernel/irqflags.S | 26 ++ arch/x86/kernel/ldt.c | 4 +- arch/x86/kernel/process.c | 224 +++++++++-- arch/x86/kernel/smpboot.c | 5 + arch/x86/kvm/svm.c | 2 +- arch/x86/kvm/vmx.c | 2 +- arch/x86/mm/tlb.c | 33 ++ arch/x86/platform/efi/efi_64.c | 3 + arch/x86/xen/enlighten.c | 16 +- arch/x86/xen/smp.c | 5 + arch/x86/xen/suspend.c | 16 + block/blk-core.c | 10 +- drivers/base/cpu.c | 8 + drivers/clk/tegra/clk-tegra30.c | 11 +- drivers/mtd/ubi/attach.c | 139 +++++-- drivers/mtd/ubi/eba.c | 4 +- drivers/mtd/ubi/fastmap-wl.c | 6 +- drivers/mtd/ubi/fastmap.c | 51 ++- drivers/mtd/ubi/ubi.h | 46 ++- drivers/mtd/ubi/wl.c | 114 ++++-- drivers/net/ethernet/broadcom/tg3.c | 9 + drivers/net/phy/phy_device.c | 7 +- drivers/ptp/ptp_chardev.c | 1 + drivers/usb/host/xhci.c | 40 +- drivers/usb/host/xhci.h | 4 + fs/fat/inode.c | 20 +- fs/proc/array.c | 26 ++ include/linux/cpu.h | 2 + include/linux/nospec.h | 10 + include/linux/sched.h | 9 + include/linux/seccomp.h | 3 +- include/linux/skbuff.h | 12 +- include/net/ipv6.h | 2 +- include/uapi/linux/prctl.h | 12 + include/uapi/linux/seccomp.h | 4 +- kernel/seccomp.c | 21 +- kernel/sys.c | 21 + lib/rhashtable.c | 17 +- mm/memcontrol.c | 2 +- net/core/skbuff.c | 1 + net/ipv4/fib_frontend.c | 1 + net/ipv4/sysctl_net_ipv4.c | 5 +- sound/core/rawmidi.c | 20 +- tools/testing/selftests/seccomp/seccomp_bpf.c | 98 ++++- virt/kvm/eventfd.c | 6 +- 75 files changed, 1982 insertions(+), 276 deletions(-)

6 years, 3 months

6
110
0 0

Requests for inclusion on linux-4.14.y

by Eduardo Valentin

Hello Greg, Can you please consider including the following two patches in the stable linux-4.14.y branch? This is to avoid page faults in do_swap_page() on PV guests, usually seen on __radix_tree_lookup() [1]. f7c90c2aa400 ("x86/xen: don't write ptes directly in 32-bit PV guests") b2d7a075a1cc ("x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear") Thanks, [1] - more details on https://bugzilla.kernel.org/show_bug.cgi?id=198497 -- All the best, Eduardo Valentin

6 years, 3 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2018