- Linux-stable-mirror - lists.linaro.org

Patch "kbuild: fix linker feature test macros when cross compiling with Clang" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled kbuild: fix linker feature test macros when cross compiling with Clang to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: kbuild-fix-linker-feature-test-macros-when-cross-compiling-with-clang.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 86a9df597cdd564d2d29c65897bcad42519e3678 Mon Sep 17 00:00:00 2001 From: Nick Desaulniers <ndesaulniers(a)google.com> Date: Mon, 6 Nov 2017 10:47:54 -0800 Subject: kbuild: fix linker feature test macros when cross compiling with Clang From: Nick Desaulniers <ndesaulniers(a)google.com> commit 86a9df597cdd564d2d29c65897bcad42519e3678 upstream. I was not seeing my linker flags getting added when using ld-option when cross compiling with Clang. Upon investigation, this seems to be due to a difference in how GCC vs Clang handle cross compilation. GCC is configured at build time to support one backend, that is implicit when compiling. Clang is explicit via the use of `-target <triple>` and ships with all supported backends by default. GNU Make feature test macros that compile then link will always fail when cross compiling with Clang unless Clang's triple is passed along to the compiler. For example: $ clang -x c /dev/null -c -o temp.o $ aarch64-linux-android/bin/ld -E temp.o aarch64-linux-android/bin/ld: unknown architecture of input file `temp.o' is incompatible with aarch64 output aarch64-linux-android/bin/ld: warning: cannot find entry symbol _start; defaulting to 0000000000400078 $ echo $? 1 $ clang -target aarch64-linux-android- -x c /dev/null -c -o temp.o $ aarch64-linux-android/bin/ld -E temp.o aarch64-linux-android/bin/ld: warning: cannot find entry symbol _start; defaulting to 00000000004002e4 $ echo $? 0 This causes conditional checks that invoke $(CC) without the target triple, then $(LD) on the result, to always fail. Suggested-by: Masahiro Yamada <yamada.masahiro(a)socionext.com> Signed-off-by: Nick Desaulniers <ndesaulniers(a)google.com> Reviewed-by: Matthias Kaehlcke <mka(a)chromium.org> Signed-off-by: Masahiro Yamada <yamada.masahiro(a)socionext.com> Signed-off-by: Greg Hackmann <ghackmann(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- scripts/Kbuild.include | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/scripts/Kbuild.include +++ b/scripts/Kbuild.include @@ -160,12 +160,13 @@ cc-if-fullversion = $(shell [ $(cc-fullv # cc-ldoption # Usage: ldflags += $(call cc-ldoption, -Wl$(comma)--hash-style=both) cc-ldoption = $(call try-run,\ - $(CC) $(1) -nostdlib -x c /dev/null -o "$$TMP",$(1),$(2)) + $(CC) $(1) $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -nostdlib -x c /dev/null -o "$$TMP",$(1),$(2)) # ld-option # Usage: LDFLAGS += $(call ld-option, -X) ld-option = $(call try-run,\ - $(CC) -x c /dev/null -c -o "$$TMPO" ; $(LD) $(1) "$$TMPO" -o "$$TMP",$(1),$(2)) + $(CC) $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -x c /dev/null -c -o "$$TMPO"; \ + $(LD) $(LDFLAGS) $(1) "$$TMPO" -o "$$TMP",$(1),$(2)) # ar-option # Usage: KBUILD_ARFLAGS := $(call ar-option,D) Patches currently in stable-queue which might be from ndesaulniers(a)google.com are queue-4.14/kbuild-fix-linker-feature-test-macros-when-cross-compiling-with-clang.patch

7 years, 8 months

1
0
0 0

Patch "usb: gadget: f_hid: fix: Move IN request allocation to set_alt()" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: gadget: f_hid: fix: Move IN request allocation to set_alt() to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-gadget-f_hid-fix-move-in-request-allocation-to-set_alt.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 749494b6bdbbaf0899aa1c62a1ad74cd747bce47 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak <kopasiak90(a)gmail.com> Date: Tue, 24 Jan 2017 03:27:24 +0100 Subject: usb: gadget: f_hid: fix: Move IN request allocation to set_alt() From: Krzysztof Opasiak <kopasiak90(a)gmail.com> commit 749494b6bdbbaf0899aa1c62a1ad74cd747bce47 upstream. Since commit: ba1582f22231 ("usb: gadget: f_hid: use alloc_ep_req()") we cannot allocate any requests in bind() as we check if we should align request buffer based on endpoint descriptor which is assigned in set_alt(). Allocating request in bind() function causes a NULL pointer dereference. This commit moves allocation of IN request from bind() to set_alt() to prevent this issue. Fixes: ba1582f22231 ("usb: gadget: f_hid: use alloc_ep_req()") Cc: stable(a)vger.kernel.org Tested-by: David Lechner <david(a)lechnology.com> Signed-off-by: Krzysztof Opasiak <k.opasiak(a)samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Cc: Bin Liu <b-liu(a)ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/gadget/function/f_hid.c | 89 +++++++++++++++++++++++++++--------- 1 file changed, 67 insertions(+), 22 deletions(-) --- a/drivers/usb/gadget/function/f_hid.c +++ b/drivers/usb/gadget/function/f_hid.c @@ -284,6 +284,7 @@ static ssize_t f_hidg_write(struct file size_t count, loff_t *offp) { struct f_hidg *hidg = file->private_data; + struct usb_request *req; unsigned long flags; ssize_t status = -ENOMEM; @@ -293,7 +294,7 @@ static ssize_t f_hidg_write(struct file spin_lock_irqsave(&hidg->write_spinlock, flags); #define WRITE_COND (!hidg->write_pending) - +try_again: /* write queue */ while (!WRITE_COND) { spin_unlock_irqrestore(&hidg->write_spinlock, flags); @@ -308,6 +309,7 @@ static ssize_t f_hidg_write(struct file } hidg->write_pending = 1; + req = hidg->req; count = min_t(unsigned, count, hidg->report_length); spin_unlock_irqrestore(&hidg->write_spinlock, flags); @@ -320,24 +322,38 @@ static ssize_t f_hidg_write(struct file goto release_write_pending; } - hidg->req->status = 0; - hidg->req->zero = 0; - hidg->req->length = count; - hidg->req->complete = f_hidg_req_complete; - hidg->req->context = hidg; + spin_lock_irqsave(&hidg->write_spinlock, flags); + + /* we our function has been disabled by host */ + if (!hidg->req) { + free_ep_req(hidg->in_ep, hidg->req); + /* + * TODO + * Should we fail with error here? + */ + goto try_again; + } + + req->status = 0; + req->zero = 0; + req->length = count; + req->complete = f_hidg_req_complete; + req->context = hidg; status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC); if (status < 0) { ERROR(hidg->func.config->cdev, "usb_ep_queue error on int endpoint %zd\n", status); - goto release_write_pending; + goto release_write_pending_unlocked; } else { status = count; } + spin_unlock_irqrestore(&hidg->write_spinlock, flags); return status; release_write_pending: spin_lock_irqsave(&hidg->write_spinlock, flags); +release_write_pending_unlocked: hidg->write_pending = 0; spin_unlock_irqrestore(&hidg->write_spinlock, flags); @@ -541,12 +557,23 @@ static void hidg_disable(struct usb_func kfree(list); } spin_unlock_irqrestore(&hidg->read_spinlock, flags); + + spin_lock_irqsave(&hidg->write_spinlock, flags); + if (!hidg->write_pending) { + free_ep_req(hidg->in_ep, hidg->req); + hidg->write_pending = 1; + } + + hidg->req = NULL; + spin_unlock_irqrestore(&hidg->write_spinlock, flags); } static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) { struct usb_composite_dev *cdev = f->config->cdev; struct f_hidg *hidg = func_to_hidg(f); + struct usb_request *req_in = NULL; + unsigned long flags; int i, status = 0; VDBG(cdev, "hidg_set_alt intf:%d alt:%d\n", intf, alt); @@ -567,6 +594,12 @@ static int hidg_set_alt(struct usb_funct goto fail; } hidg->in_ep->driver_data = hidg; + + req_in = hidg_alloc_ep_req(hidg->in_ep, hidg->report_length); + if (!req_in) { + status = -ENOMEM; + goto disable_ep_in; + } } @@ -578,12 +611,12 @@ static int hidg_set_alt(struct usb_funct hidg->out_ep); if (status) { ERROR(cdev, "config_ep_by_speed FAILED!\n"); - goto fail; + goto free_req_in; } status = usb_ep_enable(hidg->out_ep); if (status < 0) { ERROR(cdev, "Enable OUT endpoint FAILED!\n"); - goto fail; + goto free_req_in; } hidg->out_ep->driver_data = hidg; @@ -599,17 +632,37 @@ static int hidg_set_alt(struct usb_funct req->context = hidg; status = usb_ep_queue(hidg->out_ep, req, GFP_ATOMIC); - if (status) + if (status) { ERROR(cdev, "%s queue req --> %d\n", hidg->out_ep->name, status); + free_ep_req(hidg->out_ep, req); + } } else { - usb_ep_disable(hidg->out_ep); status = -ENOMEM; - goto fail; + goto disable_out_ep; } } } + if (hidg->in_ep != NULL) { + spin_lock_irqsave(&hidg->write_spinlock, flags); + hidg->req = req_in; + hidg->write_pending = 0; + spin_unlock_irqrestore(&hidg->write_spinlock, flags); + + wake_up(&hidg->write_queue); + } + return 0; +disable_out_ep: + usb_ep_disable(hidg->out_ep); +free_req_in: + if (req_in) + free_ep_req(hidg->in_ep, req_in); + +disable_ep_in: + if (hidg->in_ep) + usb_ep_disable(hidg->in_ep); + fail: return status; } @@ -658,12 +711,6 @@ static int hidg_bind(struct usb_configur goto fail; hidg->out_ep = ep; - /* preallocate request and buffer */ - status = -ENOMEM; - hidg->req = alloc_ep_req(hidg->in_ep, hidg->report_length); - if (!hidg->req) - goto fail; - /* set descriptor dynamic values */ hidg_interface_desc.bInterfaceSubClass = hidg->bInterfaceSubClass; hidg_interface_desc.bInterfaceProtocol = hidg->bInterfaceProtocol; @@ -690,6 +737,8 @@ static int hidg_bind(struct usb_configur goto fail; spin_lock_init(&hidg->write_spinlock); + hidg->write_pending = 1; + hidg->req = NULL; spin_lock_init(&hidg->read_spinlock); init_waitqueue_head(&hidg->write_queue); init_waitqueue_head(&hidg->read_queue); @@ -954,10 +1003,6 @@ static void hidg_unbind(struct usb_confi device_destroy(hidg_class, MKDEV(major, hidg->minor)); cdev_del(&hidg->cdev); - /* disable/free request and end point */ - usb_ep_disable(hidg->in_ep); - free_ep_req(hidg->in_ep, hidg->req); - usb_free_all_descriptors(f); } Patches currently in stable-queue which might be from kopasiak90(a)gmail.com are queue-4.9/usb-gadget-f_hid-fix-move-in-request-allocation-to-set_alt.patch

7 years, 8 months

1
0
0 0

[PATCH] usb: gadget: f_hid: fix: Move IN request allocation to set_alt()

by Bin Liu

From: Krzysztof Opasiak <kopasiak90(a)gmail.com> commit 749494b6bdbbaf0899aa1c62a1ad74cd747bce47 upstream. Since commit: ba1582f22231 ("usb: gadget: f_hid: use alloc_ep_req()") we cannot allocate any requests in bind() as we check if we should align request buffer based on endpoint descriptor which is assigned in set_alt(). Allocating request in bind() function causes a NULL pointer dereference. This commit moves allocation of IN request from bind() to set_alt() to prevent this issue. Fixes: ba1582f22231 ("usb: gadget: f_hid: use alloc_ep_req()") Tested-by: David Lechner <david(a)lechnology.com> Signed-off-by: Krzysztof Opasiak <k.opasiak(a)samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- This backport is for v4.9 only. drivers/usb/gadget/function/f_hid.c | 89 ++++++++++++++++++++++++++++--------- 1 file changed, 67 insertions(+), 22 deletions(-) diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c index b6d4b484c51a..5815120c0402 100644 --- a/drivers/usb/gadget/function/f_hid.c +++ b/drivers/usb/gadget/function/f_hid.c @@ -284,6 +284,7 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer, size_t count, loff_t *offp) { struct f_hidg *hidg = file->private_data; + struct usb_request *req; unsigned long flags; ssize_t status = -ENOMEM; @@ -293,7 +294,7 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer, spin_lock_irqsave(&hidg->write_spinlock, flags); #define WRITE_COND (!hidg->write_pending) - +try_again: /* write queue */ while (!WRITE_COND) { spin_unlock_irqrestore(&hidg->write_spinlock, flags); @@ -308,6 +309,7 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer, } hidg->write_pending = 1; + req = hidg->req; count = min_t(unsigned, count, hidg->report_length); spin_unlock_irqrestore(&hidg->write_spinlock, flags); @@ -320,24 +322,38 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer, goto release_write_pending; } - hidg->req->status = 0; - hidg->req->zero = 0; - hidg->req->length = count; - hidg->req->complete = f_hidg_req_complete; - hidg->req->context = hidg; + spin_lock_irqsave(&hidg->write_spinlock, flags); + + /* we our function has been disabled by host */ + if (!hidg->req) { + free_ep_req(hidg->in_ep, hidg->req); + /* + * TODO + * Should we fail with error here? + */ + goto try_again; + } + + req->status = 0; + req->zero = 0; + req->length = count; + req->complete = f_hidg_req_complete; + req->context = hidg; status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC); if (status < 0) { ERROR(hidg->func.config->cdev, "usb_ep_queue error on int endpoint %zd\n", status); - goto release_write_pending; + goto release_write_pending_unlocked; } else { status = count; } + spin_unlock_irqrestore(&hidg->write_spinlock, flags); return status; release_write_pending: spin_lock_irqsave(&hidg->write_spinlock, flags); +release_write_pending_unlocked: hidg->write_pending = 0; spin_unlock_irqrestore(&hidg->write_spinlock, flags); @@ -541,12 +557,23 @@ static void hidg_disable(struct usb_function *f) kfree(list); } spin_unlock_irqrestore(&hidg->read_spinlock, flags); + + spin_lock_irqsave(&hidg->write_spinlock, flags); + if (!hidg->write_pending) { + free_ep_req(hidg->in_ep, hidg->req); + hidg->write_pending = 1; + } + + hidg->req = NULL; + spin_unlock_irqrestore(&hidg->write_spinlock, flags); } static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) { struct usb_composite_dev *cdev = f->config->cdev; struct f_hidg *hidg = func_to_hidg(f); + struct usb_request *req_in = NULL; + unsigned long flags; int i, status = 0; VDBG(cdev, "hidg_set_alt intf:%d alt:%d\n", intf, alt); @@ -567,6 +594,12 @@ static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) goto fail; } hidg->in_ep->driver_data = hidg; + + req_in = hidg_alloc_ep_req(hidg->in_ep, hidg->report_length); + if (!req_in) { + status = -ENOMEM; + goto disable_ep_in; + } } @@ -578,12 +611,12 @@ static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) hidg->out_ep); if (status) { ERROR(cdev, "config_ep_by_speed FAILED!\n"); - goto fail; + goto free_req_in; } status = usb_ep_enable(hidg->out_ep); if (status < 0) { ERROR(cdev, "Enable OUT endpoint FAILED!\n"); - goto fail; + goto free_req_in; } hidg->out_ep->driver_data = hidg; @@ -599,17 +632,37 @@ static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) req->context = hidg; status = usb_ep_queue(hidg->out_ep, req, GFP_ATOMIC); - if (status) + if (status) { ERROR(cdev, "%s queue req --> %d\n", hidg->out_ep->name, status); + free_ep_req(hidg->out_ep, req); + } } else { - usb_ep_disable(hidg->out_ep); status = -ENOMEM; - goto fail; + goto disable_out_ep; } } } + if (hidg->in_ep != NULL) { + spin_lock_irqsave(&hidg->write_spinlock, flags); + hidg->req = req_in; + hidg->write_pending = 0; + spin_unlock_irqrestore(&hidg->write_spinlock, flags); + + wake_up(&hidg->write_queue); + } + return 0; +disable_out_ep: + usb_ep_disable(hidg->out_ep); +free_req_in: + if (req_in) + free_ep_req(hidg->in_ep, req_in); + +disable_ep_in: + if (hidg->in_ep) + usb_ep_disable(hidg->in_ep); + fail: return status; } @@ -658,12 +711,6 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f) goto fail; hidg->out_ep = ep; - /* preallocate request and buffer */ - status = -ENOMEM; - hidg->req = alloc_ep_req(hidg->in_ep, hidg->report_length); - if (!hidg->req) - goto fail; - /* set descriptor dynamic values */ hidg_interface_desc.bInterfaceSubClass = hidg->bInterfaceSubClass; hidg_interface_desc.bInterfaceProtocol = hidg->bInterfaceProtocol; @@ -690,6 +737,8 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f) goto fail; spin_lock_init(&hidg->write_spinlock); + hidg->write_pending = 1; + hidg->req = NULL; spin_lock_init(&hidg->read_spinlock); init_waitqueue_head(&hidg->write_queue); init_waitqueue_head(&hidg->read_queue); @@ -954,10 +1003,6 @@ static void hidg_unbind(struct usb_configuration *c, struct usb_function *f) device_destroy(hidg_class, MKDEV(major, hidg->minor)); cdev_del(&hidg->cdev); - /* disable/free request and end point */ - usb_ep_disable(hidg->in_ep); - free_ep_req(hidg->in_ep, hidg->req); - usb_free_all_descriptors(f); } -- 1.9.1

7 years, 8 months

2
1
0 0

[PATCH 4.4 000/108] 4.4.116-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.116 release. There are 108 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Feb 17 15:11:36 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.116-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.116-rc1 Steven Rostedt (VMware) <rostedt(a)goodmis.org> ftrace: Remove incorrect setting of glob search field Eric W. Biederman <ebiederm(a)xmission.com> mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy Amir Goldstein <amir73il(a)gmail.com> ovl: fix failure to fsync lower dir Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> ACPI: sbshc: remove raw pointer from printk() message Keith Busch <keith.busch(a)intel.com> nvme: Fix managing degraded controllers Nikolay Borisov <nborisov(a)suse.com> btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker Bart Van Assche <bart.vanassche(a)wdc.com> pktcdvd: Fix pkt_setup_dev() error path James Hogan <jhogan(a)kernel.org> EDAC, octeon: Fix an uninitialized variable warning Max Filippov <jcmvbkbc(a)gmail.com> xtensa: fix futex_atomic_cmpxchg_inatomic Mikulas Patocka <mpatocka(a)redhat.com> alpha: fix reboot on Avanti platform Mikulas Patocka <mpatocka(a)redhat.com> alpha: fix crash if pthread_create races with signal delivery Eric W. Biederman <ebiederm(a)xmission.com> signal/sh: Ensure si_signo is initialized in do_divide_error Eric W. Biederman <ebiederm(a)xmission.com> signal/openrisc: Fix do_unaligned_access to send the proper signal Hans de Goede <hdegoede(a)redhat.com> Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version Kai-Heng Feng <kai.heng.feng(a)canonical.com> Revert "Bluetooth: btusb: fix QCA Rome suspend/resume" Hans de Goede <hdegoede(a)redhat.com> Bluetooth: btsdio: Do not bind to non-removable BCM43341 Hans de Goede <hdegoede(a)redhat.com> HID: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working Rasmus Villemoes <linux(a)rasmusvillemoes.dk> kernel/async.c: revert "async: simplify lowest_in_progress()" Mauro Carvalho Chehab <mchehab(a)osg.samsung.com> media: cxusb, dib0700: ignore XC2028_I2C_FLUSH Mauro Carvalho Chehab <mchehab(a)s-opensource.com> media: ts2020: avoid integer overflows on 32 bit machines Martin Kaiser <martin(a)kaiser.cx> watchdog: imx2_wdt: restore previous timeout after suspend+resume Liran Alon <liran.alon(a)oracle.com> KVM: nVMX: Fix races when sending nested PI while dest enters/leaves L2 Marc Zyngier <marc.zyngier(a)arm.com> arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls Horia Geantă <horia.geanta(a)nxp.com> crypto: caam - fix endless loop when DECO acquire fails Daniel Mentz <danielmentz(a)google.com> media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 Daniel Mentz <danielmentz(a)google.com> media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha Hans Verkuil <hansverk(a)cisco.com> media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-compat-ioctl32.c: avoid sizeof(type) Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-compat-ioctl32.c: fix the indentation Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF Ricardo Ribalda Delgado <ricardo.ribalda(a)gmail.com> vb2: V4L2_BUF_FLAG_DONE is set after DQBUF Hans Verkuil <hans.verkuil(a)cisco.com> media: v4l2-ioctl.c: don't copy back the result for -ENOTTY Cong Wang <xiyou.wangcong(a)gmail.com> nsfs: mark dentry with DCACHE_RCUACCESS Eric Biggers <ebiggers(a)google.com> crypto: poly1305 - remove ->setkey() method Eric Biggers <ebiggers(a)google.com> crypto: cryptd - pass through absence of ->setkey() Eric Biggers <ebiggers(a)google.com> crypto: hash - introduce crypto_hash_alg_has_setkey() Mika Westerberg <mika.westerberg(a)linux.intel.com> ahci: Add Intel Cannon Lake PCH-H PCI ID Hans de Goede <hdegoede(a)redhat.com> ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI Hans de Goede <hdegoede(a)redhat.com> ahci: Annotate PCI ids for mobile Intel chipsets as such Ivan Vecera <ivecera(a)redhat.com> kernfs: fix regression in kernfs_fop_write caused by wrong type Eric Biggers <ebiggers(a)google.com> NFS: reject request for id_legacy key without auxdata J. Bruce Fields <bfields(a)redhat.com> NFS: commit direct writes even if they fail partially Trond Myklebust <trond.myklebust(a)primarydata.com> NFS: Add a cond_resched() to nfs_commit_release_pages() Scott Mayhew <smayhew(a)redhat.com> nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds Bradley Bolen <bradleybolen(a)gmail.com> ubi: block: Fix locking for idr_alloc/idr_remove Miquel Raynal <miquel.raynal(a)free-electrons.com> mtd: nand: sunxi: Fix ECC strength choice Miquel Raynal <miquel.raynal(a)free-electrons.com> mtd: nand: Fix nand_do_read_oob() return value Kamal Dasu <kdasu.kdev(a)gmail.com> mtd: nand: brcmnand: Disable prefetch by default Arnd Bergmann <arnd(a)arndb.de> mtd: cfi: convert inline functions to macros Malcolm Priestley <tvboxspy(a)gmail.com> media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner Malcolm Priestley <tvboxspy(a)gmail.com> media: dvb-usb-v2: lmedm04: Improve logic checking of warm start Mohamed Ghannam <simo.ghannam(a)gmail.com> dccp: CVE-2017-8824: use-after-free in DCCP code Steven Rostedt (VMware) <rostedt(a)goodmis.org> sched/rt: Up the root domain ref count when passing it around via IPIs Steven Rostedt (VMware) <rostedt(a)goodmis.org> sched/rt: Use container_of() to get root domain in rto_push_irq_work_func() Petr Cvek <petr.cvek(a)tul.cz> usb: gadget: uvc: Missing files for configfs interface Thomas Gleixner <tglx(a)linutronix.de> posix-timer: Properly check sigevent->sigev_notify Eric W. Biederman <ebiederm(a)xmission.com> netfilter: nf_queue: Make the queue_handler pernet Hugh Dickins <hughd(a)google.com> kaiser: fix compile error without vsyscall Eric Biggers <ebiggers(a)google.com> x86/kaiser: fix build error with KASAN && !FUNCTION_GRAPH_TRACER Yang Shunyong <shunyong.yang(a)hxt-semitech.com> dmaengine: dmatest: fix container_of member in dmatest_callback Aurelien Aptel <aaptel(a)suse.com> CIFS: zero sensitive data when freeing Daniel N Pettersson <danielnp(a)axis.com> cifs: Fix autonegotiate security settings mismatch Matthew Wilcox <mawilcox(a)microsoft.com> cifs: Fix missing put_xid in cifs_file_strict_mmap Michal Suchanek <msuchanek(a)suse.de> powerpc/pseries: include linux/types.h in asm/hvcall.h Borislav Petkov <bp(a)suse.de> x86/microcode: Do the family check first Borislav Petkov <bp(a)suse.de> x86/microcode/AMD: Do not load when running on a hypervisor Robert Baronescu <robert.baronescu(a)nxp.com> crypto: tcrypt - fix S/G table for test_aead_speed() Al Viro <viro(a)zeniv.linux.org.uk> don't put symlink bodies in pagecache into highmem Eric Biggers <ebiggers(a)google.com> KEYS: encrypted: fix buffer overread in valid_master_desc() Jesse Chan <jc(a)linux.com> media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Jason Wang <jasowang(a)redhat.com> vhost_net: stop device during reset owner Li RongQing <lirongqing(a)baidu.com> tcp: release sk_frag.page in tcp_disconnect Chunhao Lin <hau(a)realtek.com> r8169: fix RTL8168EP take too long to complete driver initialization. Junxiao Bi <junxiao.bi(a)oracle.com> qlcnic: fix deadlock bug Eric Dumazet <edumazet(a)google.com> net: igmp: add a missing rcu locking section Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> ip6mr: fix stale iterator Josh Poimboeuf <jpoimboe(a)redhat.com> x86/asm: Fix inline asm call constraints for GCC 4.4 Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> drm: rcar-du: Fix race condition when disabling planes at CRTC stop Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> drm: rcar-du: Use the VBK interrupt for vblank events Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: avoid duplicate free_irq() Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: don't call free_irq() on Parent SSI Julian Scheel <julian(a)jusst.de> ASoC: simple-card: Fix misleading error message Matthias Hintzmann <matthias.dev(a)gmx.de> net: cdc_ncm: initialize drvflags before usage Shuah Khan <shuahkh(a)osg.samsung.com> usbip: fix 3eee23c3ec14 tcp_socket address still in the status file Shuah Khan <shuahkh(a)osg.samsung.com> usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit Jesse Chan <jc(a)linux.com> ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64s: Allow control of RFI flush via debugfs Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64s: Wire up cpu_show_meltdown() Oliver O'Halloran <oohall(a)gmail.com> powerpc/powernv: Check device-tree for RFI flush settings Michael Neuling <mikey(a)neuling.org> powerpc/pseries: Query hypervisor for RFI flush settings Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64s: Add support for RFI flush of L1-D cache Nicholas Piggin <npiggin(a)gmail.com> powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL Nicholas Piggin <npiggin(a)gmail.com> powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL Nicholas Piggin <npiggin(a)gmail.com> powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL Nicholas Piggin <npiggin(a)gmail.com> powerpc/64s: Simple RFI macro conversions Nicholas Piggin <npiggin(a)gmail.com> powerpc/64: Add macros for annotating the destination of rfid/hrfid Michael Neuling <mikey(a)neuling.org> powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper Alan Modra <amodra(a)gmail.com> powerpc: Simplify module TOC handling Benjamin Herrenschmidt <benh(a)kernel.crashing.org> powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC Oliver O'Halloran <oohall(a)gmail.com> powerpc/64: Fix flush_(d|i)cache_range() called from modules Naveen N. Rao <naveen.n.rao(a)linux.vnet.ibm.com> powerpc/bpf/jit: Disable classic BPF JIT on ppc64le ------------- Diffstat: Makefile | 4 +- arch/alpha/kernel/pci_impl.h | 3 +- arch/alpha/kernel/process.c | 3 +- arch/arm/kvm/handle_exit.c | 13 +- arch/mn10300/mm/misalignment.c | 2 +- arch/openrisc/kernel/traps.c | 10 +- arch/powerpc/Kconfig | 3 +- arch/powerpc/include/asm/exception-64e.h | 6 + arch/powerpc/include/asm/exception-64s.h | 55 +- arch/powerpc/include/asm/feature-fixups.h | 15 + arch/powerpc/include/asm/hvcall.h | 18 + arch/powerpc/include/asm/paca.h | 10 + arch/powerpc/include/asm/plpar_wrappers.h | 14 + arch/powerpc/include/asm/ppc_asm.h | 12 + arch/powerpc/include/asm/setup.h | 13 + arch/powerpc/kernel/asm-offsets.c | 4 + arch/powerpc/kernel/entry_64.S | 44 +- arch/powerpc/kernel/exceptions-64s.S | 126 ++- arch/powerpc/kernel/misc_64.S | 32 +- arch/powerpc/kernel/module_64.c | 12 +- arch/powerpc/kernel/process.c | 5 +- arch/powerpc/kernel/setup_64.c | 139 +++ arch/powerpc/kernel/vmlinux.lds.S | 9 + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 7 +- arch/powerpc/kvm/book3s_rmhandlers.S | 7 +- arch/powerpc/kvm/book3s_segment.S | 4 +- arch/powerpc/lib/feature-fixups.c | 42 + arch/powerpc/platforms/powernv/setup.c | 50 + arch/powerpc/platforms/pseries/setup.c | 37 +- arch/sh/kernel/traps_32.c | 3 +- arch/x86/crypto/poly1305_glue.c | 1 - arch/x86/include/asm/asm.h | 4 +- arch/x86/include/asm/vsyscall.h | 2 +- arch/x86/kernel/cpu/microcode/core.c | 47 +- arch/x86/kvm/vmx.c | 5 +- arch/x86/mm/kaiser.c | 2 +- arch/xtensa/include/asm/futex.h | 23 +- crypto/ahash.c | 11 + crypto/cryptd.c | 3 +- crypto/poly1305_generic.c | 17 +- crypto/tcrypt.c | 6 +- drivers/acpi/sbshc.c | 4 +- drivers/ata/ahci.c | 37 +- drivers/block/pktcdvd.c | 4 +- drivers/bluetooth/btsdio.c | 9 + drivers/bluetooth/btusb.c | 19 +- drivers/crypto/caam/ctrl.c | 8 +- drivers/dma/dmatest.c | 2 +- drivers/edac/octeon_edac-lmc.c | 1 + drivers/gpu/drm/rcar-du/rcar_du_crtc.c | 56 +- drivers/gpu/drm/rcar-du/rcar_du_crtc.h | 8 + drivers/hid/hid-core.c | 12 +- drivers/media/dvb-frontends/ts2020.c | 4 +- drivers/media/platform/soc_camera/soc_scale_crop.c | 4 + drivers/media/usb/dvb-usb-v2/lmedm04.c | 39 +- drivers/media/usb/dvb-usb/cxusb.c | 2 + drivers/media/usb/dvb-usb/dib0700_devices.c | 1 + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 1023 ++++++++++++-------- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/media/v4l2-core/videobuf2-v4l2.c | 6 + drivers/mtd/nand/brcmnand/brcmnand.c | 13 +- drivers/mtd/nand/nand_base.c | 5 +- drivers/mtd/nand/sunxi_nand.c | 8 +- drivers/mtd/ubi/block.c | 42 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 18 +- drivers/net/ethernet/realtek/r8169.c | 4 +- drivers/net/usb/cdc_ncm.c | 6 +- drivers/nvme/host/pci.c | 13 +- drivers/usb/gadget/function/uvc_configfs.c | 16 +- drivers/usb/usbip/vhci_hcd.c | 2 +- drivers/usb/usbip/vhci_sysfs.c | 7 +- drivers/vhost/net.c | 1 + drivers/watchdog/imx2_wdt.c | 20 +- fs/btrfs/inode.c | 10 +- fs/cifs/cifsencrypt.c | 3 +- fs/cifs/connect.c | 6 +- fs/cifs/file.c | 26 +- fs/cifs/misc.c | 14 +- fs/cifs/smb2pdu.c | 3 +- fs/ext4/inode.c | 1 + fs/ext4/namei.c | 1 + fs/ext4/symlink.c | 10 +- fs/f2fs/inode.c | 1 + fs/f2fs/namei.c | 5 +- fs/inode.c | 6 + fs/kernfs/file.c | 2 +- fs/nfs/direct.c | 4 +- fs/nfs/nfs4idmap.c | 6 +- fs/nfs/pnfs.c | 4 +- fs/nfs/write.c | 2 + fs/nsfs.c | 1 + fs/overlayfs/readdir.c | 6 +- include/crypto/internal/hash.h | 2 + include/crypto/poly1305.h | 2 - include/linux/fs.h | 1 + include/linux/mtd/map.h | 130 ++- include/net/netfilter/nf_queue.h | 4 +- include/net/netns/netfilter.h | 2 + kernel/async.c | 20 +- kernel/sched/core.c | 13 + kernel/sched/rt.c | 24 +- kernel/sched/sched.h | 2 + kernel/time/posix-timers.c | 34 +- kernel/trace/ftrace.c | 1 - net/dccp/proto.c | 5 + net/ipv4/igmp.c | 4 + net/ipv4/tcp.c | 6 + net/ipv6/ip6mr.c | 1 + net/netfilter/nf_queue.c | 17 +- net/netfilter/nfnetlink_queue.c | 18 +- scripts/mod/modpost.c | 3 +- security/keys/encrypted-keys/encrypted.c | 31 +- sound/soc/codecs/pcm512x-spi.c | 4 + sound/soc/generic/simple-card.c | 8 +- sound/soc/sh/rcar/rsnd.h | 2 + sound/soc/sh/rcar/ssi.c | 5 + 116 files changed, 1821 insertions(+), 851 deletions(-)

7 years, 8 months

9
124
0 0

Patch "RDMA/ucma: Fix access to non-initialized CM_ID object" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled RDMA/ucma: Fix access to non-initialized CM_ID object to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 7688f2c3bbf55e52388e37ac5d63ca471a7712e1 Mon Sep 17 00:00:00 2001 From: Leon Romanovsky <leonro(a)mellanox.com> Date: Tue, 13 Mar 2018 11:43:23 +0200 Subject: RDMA/ucma: Fix access to non-initialized CM_ID object From: Leon Romanovsky <leonro(a)mellanox.com> commit 7688f2c3bbf55e52388e37ac5d63ca471a7712e1 upstream. The attempt to join multicast group without ensuring that CMA device exists will lead to the following crash reported by syzkaller. [ 64.076794] BUG: KASAN: null-ptr-deref in rdma_join_multicast+0x26e/0x12c0 [ 64.076797] Read of size 8 at addr 00000000000000b0 by task join/691 [ 64.076797] [ 64.076800] CPU: 1 PID: 691 Comm: join Not tainted 4.16.0-rc1-00219-gb97853b65b93 #23 [ 64.076802] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4 [ 64.076803] Call Trace: [ 64.076809] dump_stack+0x5c/0x77 [ 64.076817] kasan_report+0x163/0x380 [ 64.085859] ? rdma_join_multicast+0x26e/0x12c0 [ 64.086634] rdma_join_multicast+0x26e/0x12c0 [ 64.087370] ? rdma_disconnect+0xf0/0xf0 [ 64.088579] ? __radix_tree_replace+0xc3/0x110 [ 64.089132] ? node_tag_clear+0x81/0xb0 [ 64.089606] ? idr_alloc_u32+0x12e/0x1a0 [ 64.090517] ? __fprop_inc_percpu_max+0x150/0x150 [ 64.091768] ? tracing_record_taskinfo+0x10/0xc0 [ 64.092340] ? idr_alloc+0x76/0xc0 [ 64.092951] ? idr_alloc_u32+0x1a0/0x1a0 [ 64.093632] ? ucma_process_join+0x23d/0x460 [ 64.094510] ucma_process_join+0x23d/0x460 [ 64.095199] ? ucma_migrate_id+0x440/0x440 [ 64.095696] ? futex_wake+0x10b/0x2a0 [ 64.096159] ucma_join_multicast+0x88/0xe0 [ 64.096660] ? ucma_process_join+0x460/0x460 [ 64.097540] ? _copy_from_user+0x5e/0x90 [ 64.098017] ucma_write+0x174/0x1f0 [ 64.098640] ? ucma_resolve_route+0xf0/0xf0 [ 64.099343] ? rb_erase_cached+0x6c7/0x7f0 [ 64.099839] __vfs_write+0xc4/0x350 [ 64.100622] ? perf_syscall_enter+0xe4/0x5f0 [ 64.101335] ? kernel_read+0xa0/0xa0 [ 64.103525] ? perf_sched_cb_inc+0xc0/0xc0 [ 64.105510] ? syscall_exit_register+0x2a0/0x2a0 [ 64.107359] ? __switch_to+0x351/0x640 [ 64.109285] ? fsnotify+0x899/0x8f0 [ 64.111610] ? fsnotify_unmount_inodes+0x170/0x170 [ 64.113876] ? __fsnotify_update_child_dentry_flags+0x30/0x30 [ 64.115813] ? ring_buffer_record_is_on+0xd/0x20 [ 64.117824] ? __fget+0xa8/0xf0 [ 64.119869] vfs_write+0xf7/0x280 [ 64.122001] SyS_write+0xa1/0x120 [ 64.124213] ? SyS_read+0x120/0x120 [ 64.126644] ? SyS_read+0x120/0x120 [ 64.128563] do_syscall_64+0xeb/0x250 [ 64.130732] entry_SYSCALL_64_after_hwframe+0x21/0x86 [ 64.132984] RIP: 0033:0x7f5c994ade99 [ 64.135699] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 64.138740] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99 [ 64.141056] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015 [ 64.143536] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000 [ 64.146017] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0 [ 64.148608] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0 [ 64.151060] [ 64.153703] Disabling lock debugging due to kernel taint [ 64.156032] BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0 [ 64.159066] IP: rdma_join_multicast+0x26e/0x12c0 [ 64.161451] PGD 80000001d0298067 P4D 80000001d0298067 PUD 1dea39067 PMD 0 [ 64.164442] Oops: 0000 [#1] SMP KASAN PTI [ 64.166817] CPU: 1 PID: 691 Comm: join Tainted: G B 4.16.0-rc1-00219-gb97853b65b93 #23 [ 64.170004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4 [ 64.174985] RIP: 0010:rdma_join_multicast+0x26e/0x12c0 [ 64.177246] RSP: 0018:ffff8801c8207860 EFLAGS: 00010282 [ 64.179901] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff94789522 [ 64.183344] RDX: 1ffffffff2d50fa5 RSI: 0000000000000297 RDI: 0000000000000297 [ 64.186237] RBP: ffff8801c8207a50 R08: 0000000000000000 R09: ffffed0039040ea7 [ 64.189328] R10: 0000000000000001 R11: ffffed0039040ea6 R12: 0000000000000000 [ 64.192634] R13: 0000000000000000 R14: ffff8801e2022800 R15: ffff8801d4ac2400 [ 64.196105] FS: 00007f5c99b98700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000 [ 64.199211] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 64.202046] CR2: 00000000000000b0 CR3: 00000001d1c48004 CR4: 00000000003606a0 [ 64.205032] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 64.208221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 64.211554] Call Trace: [ 64.213464] ? rdma_disconnect+0xf0/0xf0 [ 64.216124] ? __radix_tree_replace+0xc3/0x110 [ 64.219337] ? node_tag_clear+0x81/0xb0 [ 64.222140] ? idr_alloc_u32+0x12e/0x1a0 [ 64.224422] ? __fprop_inc_percpu_max+0x150/0x150 [ 64.226588] ? tracing_record_taskinfo+0x10/0xc0 [ 64.229763] ? idr_alloc+0x76/0xc0 [ 64.232186] ? idr_alloc_u32+0x1a0/0x1a0 [ 64.234505] ? ucma_process_join+0x23d/0x460 [ 64.237024] ucma_process_join+0x23d/0x460 [ 64.240076] ? ucma_migrate_id+0x440/0x440 [ 64.243284] ? futex_wake+0x10b/0x2a0 [ 64.245302] ucma_join_multicast+0x88/0xe0 [ 64.247783] ? ucma_process_join+0x460/0x460 [ 64.250841] ? _copy_from_user+0x5e/0x90 [ 64.253878] ucma_write+0x174/0x1f0 [ 64.257008] ? ucma_resolve_route+0xf0/0xf0 [ 64.259877] ? rb_erase_cached+0x6c7/0x7f0 [ 64.262746] __vfs_write+0xc4/0x350 [ 64.265537] ? perf_syscall_enter+0xe4/0x5f0 [ 64.267792] ? kernel_read+0xa0/0xa0 [ 64.270358] ? perf_sched_cb_inc+0xc0/0xc0 [ 64.272575] ? syscall_exit_register+0x2a0/0x2a0 [ 64.275367] ? __switch_to+0x351/0x640 [ 64.277700] ? fsnotify+0x899/0x8f0 [ 64.280530] ? fsnotify_unmount_inodes+0x170/0x170 [ 64.283156] ? __fsnotify_update_child_dentry_flags+0x30/0x30 [ 64.286182] ? ring_buffer_record_is_on+0xd/0x20 [ 64.288749] ? __fget+0xa8/0xf0 [ 64.291136] vfs_write+0xf7/0x280 [ 64.292972] SyS_write+0xa1/0x120 [ 64.294965] ? SyS_read+0x120/0x120 [ 64.297474] ? SyS_read+0x120/0x120 [ 64.299751] do_syscall_64+0xeb/0x250 [ 64.301826] entry_SYSCALL_64_after_hwframe+0x21/0x86 [ 64.304352] RIP: 0033:0x7f5c994ade99 [ 64.306711] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 64.309577] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99 [ 64.312334] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015 [ 64.315783] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000 [ 64.318365] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0 [ 64.320980] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0 [ 64.323515] Code: e8 e8 79 08 ff 4c 89 ff 45 0f b6 a7 b8 01 00 00 e8 68 7c 08 ff 49 8b 1f 4d 89 e5 49 c1 e4 04 48 8 [ 64.330753] RIP: rdma_join_multicast+0x26e/0x12c0 RSP: ffff8801c8207860 [ 64.332979] CR2: 00000000000000b0 [ 64.335550] ---[ end trace 0c00c17a408849c1 ]--- Reported-by: <syzbot+e6aba77967bd72cbc9d6(a)syzkaller.appspotmail.com> Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support") Signed-off-by: Leon Romanovsky <leonro(a)mellanox.com> Reviewed-by: Sean Hefty <sean.hefty(a)intel.com> Signed-off-by: Doug Ledford <dledford(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/infiniband/core/cma.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -4039,6 +4039,9 @@ int rdma_join_multicast(struct rdma_cm_i struct cma_multicast *mc; int ret; + if (!id->device) + return -EINVAL; + id_priv = container_of(id, struct rdma_id_private, id); if (!cma_comp(id_priv, RDMA_CM_ADDR_BOUND) && !cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED)) Patches currently in stable-queue which might be from leonro(a)mellanox.com are queue-4.9/rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch queue-4.9/rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch queue-4.9/ib-rdmavt-restore-irqs-on-error-path-in-rvt_create_ah.patch

7 years, 8 months

1
0
0 0

Patch "RDMA/ucma: Don't allow join attempts for unsupported AF family" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled RDMA/ucma: Don't allow join attempts for unsupported AF family to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 0c81ffc60d5280991773d17e84bda605387148b1 Mon Sep 17 00:00:00 2001 From: Leon Romanovsky <leonro(a)mellanox.com> Date: Tue, 13 Mar 2018 18:37:27 +0200 Subject: RDMA/ucma: Don't allow join attempts for unsupported AF family From: Leon Romanovsky <leonro(a)mellanox.com> commit 0c81ffc60d5280991773d17e84bda605387148b1 upstream. Users can provide garbage while calling to ucma_join_ip_multicast(), it will indirectly cause to rdma_addr_size() return 0, making the call to ucma_process_join(), which had the right checks, but it is better to check the input as early as possible. The following crash from syzkaller revealed it. kernel BUG at lib/string.c:1052! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 4113 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #261 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051 RSP: 0018:ffff8801ca81f8f0 EFLAGS: 00010286 RAX: 0000000000000022 RBX: 1ffff10039503f23 RCX: 0000000000000000 RDX: 0000000000000022 RSI: 1ffff10039503ed3 RDI: ffffed0039503f12 RBP: ffff8801ca81f8f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000006 R11: 0000000000000000 R12: ffff8801ca81f998 R13: ffff8801ca81f938 R14: ffff8801ca81fa58 R15: 000000000000fa00 FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000a12a900 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000008138024 CR3: 00000001cbb58004 CR4: 00000000001606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: memcpy include/linux/string.h:344 [inline] ucma_join_ip_multicast+0x36b/0x3b0 drivers/infiniband/core/ucma.c:1421 ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1633 __vfs_write+0xef/0x970 fs/read_write.c:480 vfs_write+0x189/0x510 fs/read_write.c:544 SYSC_write fs/read_write.c:589 [inline] SyS_write+0xef/0x220 fs/read_write.c:581 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7f9ec99 RSP: 002b:00000000ff8172cc EFLAGS: 00000282 ORIG_RAX: 0000000000000004 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000100 RDX: 0000000000000063 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 42 2c e3 fb eb de 55 48 89 fe 48 c7 c7 80 75 98 86 48 89 e5 e8 85 95 94 fb <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56 RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801ca81f8f0 Fixes: 5bc2b7b397b0 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast") Reported-by: <syzbot+2287ac532caa81900a4e(a)syzkaller.appspotmail.com> Signed-off-by: Leon Romanovsky <leonro(a)mellanox.com> Reviewed-by: Sean Hefty <sean.hefty(a)intel.com> Signed-off-by: Doug Ledford <dledford(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/infiniband/core/ucma.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1330,7 +1330,7 @@ static ssize_t ucma_process_join(struct return -ENOSPC; addr = (struct sockaddr *) &cmd->addr; - if (!cmd->addr_size || (cmd->addr_size != rdma_addr_size(addr))) + if (cmd->addr_size != rdma_addr_size(addr)) return -EINVAL; if (cmd->join_flags == RDMA_MC_JOIN_FLAG_FULLMEMBER) @@ -1398,6 +1398,9 @@ static ssize_t ucma_join_ip_multicast(st join_cmd.uid = cmd.uid; join_cmd.id = cmd.id; join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr); + if (!join_cmd.addr_size) + return -EINVAL; + join_cmd.join_flags = RDMA_MC_JOIN_FLAG_FULLMEMBER; memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size); @@ -1413,6 +1416,9 @@ static ssize_t ucma_join_multicast(struc if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT; + if (!rdma_addr_size((struct sockaddr *)&cmd.addr)) + return -EINVAL; + return ucma_process_join(file, &cmd, out_len); } Patches currently in stable-queue which might be from leonro(a)mellanox.com are queue-4.9/rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch queue-4.9/rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch queue-4.9/ib-rdmavt-restore-irqs-on-error-path-in-rvt_create_ah.patch

7 years, 8 months

1
0
0 0

Patch "IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 2c292dbb398ee46fc1343daf6c3cf9715a75688e Mon Sep 17 00:00:00 2001 From: Boris Pismenny <borisp(a)mellanox.com> Date: Thu, 8 Mar 2018 15:51:40 +0200 Subject: IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq From: Boris Pismenny <borisp(a)mellanox.com> commit 2c292dbb398ee46fc1343daf6c3cf9715a75688e upstream. Add a check for the length of the qpin structure to prevent out-of-bounds reads BUG: KASAN: slab-out-of-bounds in create_raw_packet_qp+0x114c/0x15e2 Read of size 8192 at addr ffff880066b99290 by task syz-executor3/549 CPU: 3 PID: 549 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #27 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 Call Trace: dump_stack+0x8d/0xd4 print_address_description+0x73/0x290 kasan_report+0x25c/0x370 ? create_raw_packet_qp+0x114c/0x15e2 memcpy+0x1f/0x50 create_raw_packet_qp+0x114c/0x15e2 ? create_raw_packet_qp_tis.isra.28+0x13d/0x13d ? lock_acquire+0x370/0x370 create_qp_common+0x2245/0x3b50 ? destroy_qp_user.isra.47+0x100/0x100 ? kasan_kmalloc+0x13d/0x170 ? sched_clock_cpu+0x18/0x180 ? fs_reclaim_acquire.part.15+0x5/0x30 ? __lock_acquire+0xa11/0x1da0 ? sched_clock_cpu+0x18/0x180 ? kmem_cache_alloc_trace+0x17e/0x310 ? mlx5_ib_create_qp+0x30e/0x17b0 mlx5_ib_create_qp+0x33d/0x17b0 ? sched_clock_cpu+0x18/0x180 ? create_qp_common+0x3b50/0x3b50 ? lock_acquire+0x370/0x370 ? __radix_tree_lookup+0x180/0x220 ? uverbs_try_lock_object+0x68/0xc0 ? rdma_lookup_get_uobject+0x114/0x240 create_qp.isra.5+0xce4/0x1e20 ? ib_uverbs_ex_create_cq_cb+0xa0/0xa0 ? copy_ah_attr_from_uverbs.isra.2+0xa00/0xa00 ? ib_uverbs_cq_event_handler+0x160/0x160 ? __might_fault+0x17c/0x1c0 ib_uverbs_create_qp+0x21b/0x2a0 ? ib_uverbs_destroy_cq+0x2e0/0x2e0 ib_uverbs_write+0x55a/0xad0 ? ib_uverbs_destroy_cq+0x2e0/0x2e0 ? ib_uverbs_destroy_cq+0x2e0/0x2e0 ? ib_uverbs_open+0x760/0x760 ? futex_wake+0x147/0x410 ? check_prev_add+0x1680/0x1680 ? do_futex+0x3d3/0xa60 ? sched_clock_cpu+0x18/0x180 __vfs_write+0xf7/0x5c0 ? ib_uverbs_open+0x760/0x760 ? kernel_read+0x110/0x110 ? lock_acquire+0x370/0x370 ? __fget+0x264/0x3b0 vfs_write+0x18a/0x460 SyS_write+0xc7/0x1a0 ? SyS_read+0x1a0/0x1a0 ? trace_hardirqs_on_thunk+0x1a/0x1c entry_SYSCALL_64_fastpath+0x18/0x85 RIP: 0033:0x4477b9 RSP: 002b:00007f1822cadc18 EFLAGS: 00000292 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004477b9 RDX: 0000000000000070 RSI: 000000002000a000 RDI: 0000000000000005 RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000292 R12: 00000000ffffffff R13: 0000000000005d70 R14: 00000000006e6e30 R15: 0000000020010ff0 Allocated by task 549: __kmalloc+0x15e/0x340 kvmalloc_node+0xa1/0xd0 create_user_qp.isra.46+0xd42/0x1610 create_qp_common+0x2e63/0x3b50 mlx5_ib_create_qp+0x33d/0x17b0 create_qp.isra.5+0xce4/0x1e20 ib_uverbs_create_qp+0x21b/0x2a0 ib_uverbs_write+0x55a/0xad0 __vfs_write+0xf7/0x5c0 vfs_write+0x18a/0x460 SyS_write+0xc7/0x1a0 entry_SYSCALL_64_fastpath+0x18/0x85 Freed by task 368: kfree+0xeb/0x2f0 kernfs_fop_release+0x140/0x180 __fput+0x266/0x700 task_work_run+0x104/0x180 exit_to_usermode_loop+0xf7/0x110 syscall_return_slowpath+0x298/0x370 entry_SYSCALL_64_fastpath+0x83/0x85 The buggy address belongs to the object at ffff880066b99180 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 272 bytes inside of 512-byte region [ffff880066b99180, ffff880066b99380) The buggy address belongs to the page: page:000000006040eedd count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x4000000000008100(slab|head) raw: 4000000000008100 0000000000000000 0000000000000000 0000000180190019 raw: ffffea00019a7500 0000000b0000000b ffff88006c403080 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff880066b99180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff880066b99200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff880066b99280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff880066b99300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff880066b99380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Cc: syzkaller <syzkaller(a)googlegroups.com> Fixes: 0fb2ed66a14c ("IB/mlx5: Add create and destroy functionality for Raw Packet QP") Signed-off-by: Boris Pismenny <borisp(a)mellanox.com> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Doug Ledford <dledford(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/infiniband/hw/mlx5/qp.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -1130,7 +1130,7 @@ static void destroy_raw_packet_qp_sq(str ib_umem_release(sq->ubuffer.umem); } -static int get_rq_pas_size(void *qpc) +static size_t get_rq_pas_size(void *qpc) { u32 log_page_size = MLX5_GET(qpc, qpc, log_page_size) + 12; u32 log_rq_stride = MLX5_GET(qpc, qpc, log_rq_stride); @@ -1146,7 +1146,8 @@ static int get_rq_pas_size(void *qpc) } static int create_raw_packet_qp_rq(struct mlx5_ib_dev *dev, - struct mlx5_ib_rq *rq, void *qpin) + struct mlx5_ib_rq *rq, void *qpin, + size_t qpinlen) { struct mlx5_ib_qp *mqp = rq->base.container_mibqp; __be64 *pas; @@ -1155,9 +1156,12 @@ static int create_raw_packet_qp_rq(struc void *rqc; void *wq; void *qpc = MLX5_ADDR_OF(create_qp_in, qpin, qpc); - int inlen; + size_t rq_pas_size = get_rq_pas_size(qpc); + size_t inlen; int err; - u32 rq_pas_size = get_rq_pas_size(qpc); + + if (qpinlen < rq_pas_size + MLX5_BYTE_OFF(create_qp_in, pas)) + return -EINVAL; inlen = MLX5_ST_SZ_BYTES(create_rq_in) + rq_pas_size; in = mlx5_vzalloc(inlen); @@ -1235,7 +1239,7 @@ static void destroy_raw_packet_qp_tir(st } static int create_raw_packet_qp(struct mlx5_ib_dev *dev, struct mlx5_ib_qp *qp, - u32 *in, + u32 *in, size_t inlen, struct ib_pd *pd) { struct mlx5_ib_raw_packet_qp *raw_packet_qp = &qp->raw_packet_qp; @@ -1262,7 +1266,7 @@ static int create_raw_packet_qp(struct m if (qp->rq.wqe_cnt) { rq->base.container_mibqp = qp; - err = create_raw_packet_qp_rq(dev, rq, in); + err = create_raw_packet_qp_rq(dev, rq, in, inlen); if (err) goto err_destroy_sq; @@ -1753,10 +1757,15 @@ static int create_qp_common(struct mlx5_ qp->flags |= MLX5_IB_QP_LSO; } + if (inlen < 0) { + err = -EINVAL; + goto err; + } + if (init_attr->qp_type == IB_QPT_RAW_PACKET) { qp->raw_packet_qp.sq.ubuffer.buf_addr = ucmd.sq_buf_addr; raw_packet_qp_copy_info(qp, &qp->raw_packet_qp); - err = create_raw_packet_qp(dev, qp, in, pd); + err = create_raw_packet_qp(dev, qp, in, inlen, pd); } else { err = mlx5_core_create_qp(dev->mdev, &base->mqp, in, inlen); } Patches currently in stable-queue which might be from borisp(a)mellanox.com are queue-4.9/ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch queue-4.9/ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch

7 years, 8 months

1
0
0 0

Patch "IB/mlx5: Fix integer overflows in mlx5_ib_create_srq" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled IB/mlx5: Fix integer overflows in mlx5_ib_create_srq to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From c2b37f76485f073f020e60b5954b6dc4e55f693c Mon Sep 17 00:00:00 2001 From: Boris Pismenny <borisp(a)mellanox.com> Date: Thu, 8 Mar 2018 15:51:41 +0200 Subject: IB/mlx5: Fix integer overflows in mlx5_ib_create_srq From: Boris Pismenny <borisp(a)mellanox.com> commit c2b37f76485f073f020e60b5954b6dc4e55f693c upstream. This patch validates user provided input to prevent integer overflow due to integer manipulation in the mlx5_ib_create_srq function. Cc: syzkaller <syzkaller(a)googlegroups.com> Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Boris Pismenny <borisp(a)mellanox.com> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Doug Ledford <dledford(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/infiniband/hw/mlx5/srq.c | 15 +++++++++------ include/linux/mlx5/driver.h | 4 ++-- 2 files changed, 11 insertions(+), 8 deletions(-) --- a/drivers/infiniband/hw/mlx5/srq.c +++ b/drivers/infiniband/hw/mlx5/srq.c @@ -243,8 +243,8 @@ struct ib_srq *mlx5_ib_create_srq(struct { struct mlx5_ib_dev *dev = to_mdev(pd->device); struct mlx5_ib_srq *srq; - int desc_size; - int buf_size; + size_t desc_size; + size_t buf_size; int err; struct mlx5_srq_attr in = {0}; __u32 max_srq_wqes = 1 << MLX5_CAP_GEN(dev->mdev, log_max_srq_sz); @@ -268,15 +268,18 @@ struct ib_srq *mlx5_ib_create_srq(struct desc_size = sizeof(struct mlx5_wqe_srq_next_seg) + srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg); + if (desc_size == 0 || srq->msrq.max_gs > desc_size) + return ERR_PTR(-EINVAL); desc_size = roundup_pow_of_two(desc_size); - desc_size = max_t(int, 32, desc_size); + desc_size = max_t(size_t, 32, desc_size); + if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg)) + return ERR_PTR(-EINVAL); srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) / sizeof(struct mlx5_wqe_data_seg); srq->msrq.wqe_shift = ilog2(desc_size); buf_size = srq->msrq.max * desc_size; - mlx5_ib_dbg(dev, "desc_size 0x%x, req wr 0x%x, srq size 0x%x, max_gs 0x%x, max_avail_gather 0x%x\n", - desc_size, init_attr->attr.max_wr, srq->msrq.max, srq->msrq.max_gs, - srq->msrq.max_avail_gather); + if (buf_size < desc_size) + return ERR_PTR(-EINVAL); in.type = init_attr->srq_type; if (pd->uobject) --- a/include/linux/mlx5/driver.h +++ b/include/linux/mlx5/driver.h @@ -380,8 +380,8 @@ struct mlx5_core_srq { struct mlx5_core_rsc_common common; /* must be first */ u32 srqn; int max; - int max_gs; - int max_avail_gather; + size_t max_gs; + size_t max_avail_gather; int wqe_shift; void (*event) (struct mlx5_core_srq *, enum mlx5_event); Patches currently in stable-queue which might be from borisp(a)mellanox.com are queue-4.9/ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch queue-4.9/ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch

7 years, 8 months

1
0
0 0

[PATCH v4] serial: mvebu-uart: fix tx lost characters

by Gabriel Matni

From: Gabriel Matni <gabriel.matni(a)exfo.com> Fixes missing characters on kernel console at low baud rates (i.e.9600). The driver should poll TX_RDY or TX_FIFO_EMP instead of TX_EMP to ensure that the transmitter holding register (THR) is ready to receive a new byte. TX_EMP tells us when it is possible to send a break sequence via SND_BRK_SEQ. While this also indicates that both the THR and the TSR are empty, it does not guarantee that a new byte can be written just yet. Fixes: 30530791a7a0 ("serial: mvebu-uart: initial support for Armada-3700 serial port") Reviewed-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Acked-by: Gregory CLEMENT <gregory.clement(a)bootlin.com> Signed-off-by: Gabriel Matni <gabriel.matni(a)exfo.com> --- Changes since v3: - mail the patch in a clean email - fix the subject line accordingly (no Re:) Changes since v2: - use one line for the "Fixes" entry - removed trailing space between Signed-off-by entry and --- - start using versioning, previous fixes in v1 Changes since v1: - patch was corrupt, could not be applied - fixed line indent --- drivers/tty/serial/mvebu-uart.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c index a100e98259d7..f0df0640208e 100644 --- a/drivers/tty/serial/mvebu-uart.c +++ b/drivers/tty/serial/mvebu-uart.c @@ -618,7 +618,7 @@ static void wait_for_xmitr(struct uart_port *port) u32 val; readl_poll_timeout_atomic(port->membase + UART_STAT, val, - (val & STAT_TX_EMP), 1, 10000); + (val & STAT_TX_RDY(port)), 1, 10000); } static void mvebu_uart_console_putchar(struct uart_port *port, int ch) -- 2.7.4

7 years, 8 months

1
0
0 0

Re: [Linux-stable-mirror] [PATCH 4.13 28/43] SMB3: Validate negotiate request must always be signed

by Srivatsa S. Bhat

On 11/1/17 8:18 AM, Greg Kroah-Hartman wrote: > On Tue, Oct 31, 2017 at 03:02:11PM +0200, Thomas Backlund wrote: >> Den 31.10.2017 kl. 11:55, skrev Greg Kroah-Hartman: >>> 4.13-stable review patch. If anyone has any objections, please let me know. >>> >>> ------------------ >>> >>> From: Steve French <smfrench(a)gmail.com> >>> >>> commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream. >>> >>> According to MS-SMB2 3.2.55 validate_negotiate request must >>> always be signed. Some Windows can fail the request if you send it unsigned >>> >>> See kernel bugzilla bug 197311 >>> >>> Acked-by: Ronnie Sahlberg <lsahlber.redhat.com> >>> Signed-off-by: Steve French <smfrench(a)gmail.com> >>> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> >>> >>> --- >>> fs/cifs/smb2pdu.c | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> --- a/fs/cifs/smb2pdu.c >>> +++ b/fs/cifs/smb2pdu.c >>> @@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc >>> } else >>> iov[0].iov_len = get_rfc1002_length(req) + 4; >>> + /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */ >>> + if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) >>> + req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED; >>> rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov); >>> cifs_small_buf_release(req); >>> >>> >>> >> >> This one needs to be backported to all stable kernels as the commit that >> introduced the regression: >> ' >> 0603c96f3af50e2f9299fa410c224ab1d465e0f9 >> SMB: Validate negotiate (to protect against downgrade) even if signing off >> >> is backported in stable trees as of: 4.9.53, 4.4.90, 3.18.73 > > Oh wait, it breaks the builds on older kernels, that's why I didn't > apply it :) > > Can you provide me with a working backport? > Hi Steve, Is there a version of this fix available for stable kernels? I tried applying this patch to 4.4.109 (and a similar one for 4.9.74), but it didn't fix the problem. Instead, I actually got a NULL pointer dereference when I tried to mount an SMB3 share. Here is the patch I tried on 4.4.109: diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index f2ff60e..3963bd2 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -1559,6 +1559,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, } else iov[0].iov_len = get_rfc1002_length(req) + 4; + /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */ + if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) + req->hdr.Flags |= SMB2_FLAGS_SIGNED; rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0); rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base; This results in the following NULL pointer dereference when I try mounting: # mount -vvv -t cifs -o vers=3.0,credentials=.smbcred //<ip_addr>/TestSMB/ testdir [ 53.073057] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050 [ 53.073511] IP: [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0 [ 53.073973] PGD 0 [ 53.074427] Oops: 0000 [#1] SMP [ 53.074946] Modules linked in: arc4(E) ecb(E) md4(E) cifs(E) dns_resolver(E) vmw_vsock_vmci_transport(E) vsock(E) hid_generic(E) usbhid(E) hid(E) xt_conntrack(E) mousedev(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) iptable_filter(E) ip_tables(E) crc32c_intel(E) xt_LOG(E) nf_conntrack(E) jitterentropy_rng(E) hmac(E) sha256_ssse3(E) sha256_generic(E) drbg(E) vmw_balloon(E) ansi_cprng(E) aesni_intel(E) aes_x86_64(E) glue_helper(E) lrw(E) gf128mul(E) ablk_helper(E) cryptd(E) psmouse(E) evdev(E) uhci_hcd(E) ehci_pci(E) ehci_hcd(E) usbcore(E) intel_agp(E) usb_common(E) vmw_vmci(E) i2c_piix4(E) intel_gtt(E) nfit(E) battery(E) tpm_tis(E) tpm(E) ac(E) button(E) sch_fq_codel(E) autofs4(E) [ 53.079435] CPU: 3 PID: 829 Comm: mount.cifs Tainted: G E 4.4.109-possible-fix1+ #21 [ 53.079983] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 53.081086] task: ffff8800b4f41940 ti: ffff8800b92ac000 task.ti: ffff8800b92ac000 [ 53.081667] RIP: 0010:[<ffffffff8138ee9a>] [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0 [ 53.082247] RSP: 0018:ffff8800b92af9a8 EFLAGS: 00010282 [ 53.082604] systemd-journald[284]: Compressed data object 721 -> 468 using XZ [ 53.083419] RAX: ffff8800af5943c0 RBX: ffff8800b484a800 RCX: 00000000ffff0ec7 [ 53.084001] RDX: 0000000000000010 RSI: ffff8800b900af18 RDI: 0000000000000000 [ 53.084602] RBP: ffff8800b92af9e0 R08: ffff8800b92afb64 R09: 0000000000000000 [ 53.085184] R10: 3031322e3030312e R11: 00000000000007f5 R12: 0000000000000002 [ 53.085755] R13: 0000000000000000 R14: ffff8800b900af18 R15: 0000000000000010 [ 53.086333] FS: 00007fb659b45740(0000) GS:ffff88013fcc0000(0000) knlGS:0000000000000000 [ 53.086907] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 53.087480] CR2: 0000000000000050 CR3: 00000000b7970000 CR4: 00000000001606e0 [ 53.088107] Stack: [ 53.088681] ffff8800bba5d8c0 ffff8800b92afa08 ffff8800b484a800 0000000000000002 [ 53.089281] ffff8800b92afac8 000008012400007d ffff8800b484a800 ffff8800b92afa50 [ 53.089871] ffffffffa02194a6 ffff8800b92afb70 ffff8800af5943c0 ffff8800b7a2f800 [ 53.090457] Call Trace: [ 53.091054] [<ffffffffa02194a6>] smb3_calc_signature+0xb6/0x290 [cifs] [ 53.091650] [<ffffffffa0218b5b>] smb2_sign_rqst+0x2b/0x40 [cifs] [ 53.092244] [<ffffffffa0219981>] smb2_setup_request+0xd1/0x170 [cifs] [ 53.092838] [<ffffffffa02082a7>] SendReceive2+0xc7/0x450 [cifs] [ 53.093435] [<ffffffffa02057d5>] ? cifs_small_buf_get+0x15/0x30 [cifs] [ 53.094030] [<ffffffffa021b83f>] ? small_smb2_init+0xdf/0x200 [cifs] [ 53.094616] [<ffffffffa021d6d7>] SMB2_ioctl+0x147/0x310 [cifs] [ 53.095203] [<ffffffffa021d99e>] smb3_validate_negotiate+0xfe/0x2d0 [cifs] [ 53.095792] [<ffffffffa021b196>] SMB2_tcon+0x296/0x500 [cifs] [ 53.096362] [<ffffffff817d7b49>] ? _raw_spin_unlock_irqrestore+0x9/0x10 [ 53.096930] [<ffffffffa01efe0b>] cifs_get_tcon+0x1bb/0x560 [cifs] [ 53.097486] [<ffffffffa01f2b10>] cifs_mount+0x690/0xde0 [cifs] [ 53.098032] [<ffffffff817d7b49>] ? _raw_spin_unlock_irqrestore+0x9/0x10 [ 53.098570] [<ffffffffa01de6eb>] cifs_do_mount+0xcb/0x5a0 [cifs] [ 53.099089] [<ffffffff81193ef7>] ? alloc_pages_current+0x87/0x110 [ 53.099598] [<ffffffff811b7b03>] mount_fs+0x33/0x160 [ 53.100091] [<ffffffff811d1b62>] vfs_kern_mount+0x62/0x100 [ 53.100574] [<ffffffff811d3f1b>] do_mount+0x21b/0xd30 [ 53.101050] [<ffffffff81193ef7>] ? alloc_pages_current+0x87/0x110 [ 53.101511] [<ffffffff811d4d47>] SyS_mount+0x87/0xd0 [ 53.101959] [<ffffffff817d806e>] entry_SYSCALL_64_fastpath+0x12/0x71 [ 53.102400] Code: 89 e5 8b 12 e8 78 d2 04 00 31 c0 5d c3 0f 1f 40 00 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fd 53 49 89 f6 41 89 d7 48 83 ec 10 <4c> 8b 67 50 41 8b 5c 24 2c 48 85 de 75 14 41 ff 54 24 e8 48 83 [ 53.103820] RIP [<ffffffff8138ee9a>] crypto_shash_setkey+0x1a/0xc0 [ 53.104288] RSP <ffff8800b92af9a8> [ 53.104745] CR2: 0000000000000050 [ 53.105225] ---[ end trace fc2de0ad7f229314 ]--- The CIFS config options enabled are: CONFIG_CIFS=m CONFIG_CIFS_STATS=y CONFIG_CIFS_STATS2=y CONFIG_CIFS_WEAK_PW_HASH=y CONFIG_CIFS_UPCALL=y CONFIG_CIFS_XATTR=y CONFIG_CIFS_POSIX=y CONFIG_CIFS_ACL=y CONFIG_CIFS_DEBUG=y CONFIG_CIFS_DEBUG2=y CONFIG_CIFS_DFS_UPCALL=y CONFIG_CIFS_SMB2=y # CONFIG_CIFS_SMB311 is not set # CONFIG_CIFS_FSCACHE is not set The problem seems to be that crypto_shash_setkey() is called without calling smb3_crypto_shash_allocate() first. So I looked up how mainline avoids this issue, and it looks like the following commit makes a call to generate_signingkey() even when server->sign == false, and this path eventually calls smb3_crytpto_shash_allocate()), thus avoiding the NULL pointer dereference. cabfb3680f78 (CIFS: Enable encryption during session setup phase) So, I adopted this change, and now my resulting patch looks like this: diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index f2ff60e..19cc92c 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -833,7 +833,7 @@ ssetup_exit: if (!rc) { mutex_lock(&server->srv_mutex); - if (server->sign && server->ops->generate_signingkey) { + if (server->ops->generate_signingkey) { rc = server->ops->generate_signingkey(ses); kfree(ses->auth_key.response); ses->auth_key.response = NULL; @@ -1559,6 +1559,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, } else iov[0].iov_len = get_rfc1002_length(req) + 4; + /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */ + if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) + req->hdr.Flags |= SMB2_FLAGS_SIGNED; rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0); rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base; This fixes the NULL pointer dereference, but the mount still fails, but this time for a different reason -- due to STATUS_ACCESS_DENIED: # mount -vvv -t cifs -o vers=3.0,credentials=.smbcred //<ip_addr>/TestSMB/ testdir mount.cifs kernel mount options: ip=<ip_addr>,unc=\\<ip_addr>\TestSMB,vers=3.0,user=srivatsa,pass=******** mount error(5): Input/output error Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) Here is the dmesg output: [ 48.192141] fs/cifs/cifsfs.c: Devname: //<ip_addr>/TestSMB/ flags: 0 [ 48.192178] address conversion returned 1 for <ip_addr> [ 48.192205] fs/cifs/connect.c: Username: srivatsa [ 48.192222] fs/cifs/connect.c: file mode: 0x1ed dir mode: 0x1ed [ 48.192280] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 0 with uid: 0 [ 48.192302] fs/cifs/connect.c: UNC: \\<ip_addr>\TestSMB [ 48.192335] fs/cifs/connect.c: Socket created [ 48.192349] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x6d6 [ 48.193453] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 1 with uid: 0 [ 48.193462] fs/cifs/connect.c: Demultiplex PID: 829 [ 48.193492] fs/cifs/connect.c: Existing smb sess not found [ 48.193510] fs/cifs/smb2pdu.c: Negotiate protocol [ 48.193531] fs/cifs/transport.c: Sending smb: smb_len=102 [ 48.194301] fs/cifs/connect.c: RFC1002 header 0xaa [ 48.194321] fs/cifs/smb2misc.c: smb2_check_message length: 0xae, smb_buf_length: 0xaa [ 48.194349] fs/cifs/smb2misc.c: SMB2 data length 42 offset 128 [ 48.194367] fs/cifs/smb2misc.c: SMB2 len 174 [ 48.194393] fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4 [ 48.194415] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release [ 48.194436] fs/cifs/smb2pdu.c: mode 0x1 [ 48.194448] fs/cifs/smb2pdu.c: negotiated smb3.0 dialect [ 48.194466] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1 [ 48.194484] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1 [ 48.194502] fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x300007 TimeAdjust: 0 [ 48.194525] fs/cifs/smb2pdu.c: Session Setup [ 48.194539] fs/cifs/transport.c: Sending smb: smb_len=120 [ 48.194817] fs/cifs/connect.c: RFC1002 header 0x136 [ 48.194836] fs/cifs/smb2misc.c: smb2_check_message length: 0x13a, smb_buf_length: 0x136 [ 48.194859] fs/cifs/smb2misc.c: SMB2 data length 238 offset 72 [ 48.195306] fs/cifs/smb2misc.c: SMB2 len 314 [ 48.195740] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=1 state=4 [ 48.196174] Status code returned 0xc0000016 STATUS_MORE_PROCESSING_REQUIRED [ 48.196605] fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741802 to POSIX err -5 [ 48.197043] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release [ 48.210008] fs/cifs/transport.c: Sending smb: smb_len=412 [ 48.211625] fs/cifs/connect.c: RFC1002 header 0x48 [ 48.212060] fs/cifs/smb2misc.c: smb2_check_message length: 0x4c, smb_buf_length: 0x48 [ 48.212494] fs/cifs/smb2misc.c: SMB2 data length 0 offset 72 [ 48.212919] fs/cifs/smb2misc.c: SMB2 len 77 [ 48.213364] fs/cifs/smb2misc.c: Calculated size 77 length 76 mismatch mid 2 [ 48.213807] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=2 state=4 [ 48.214242] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release [ 48.219385] fs/cifs/smb2pdu.c: SMB2/3 session established successfully [ 48.219831] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 1) rc = 0 [ 48.220276] fs/cifs/connect.c: CIFS VFS: in cifs_get_tcon as Xid: 2 with uid: 0 [ 48.220724] fs/cifs/smb2pdu.c: TCON [ 48.221182] fs/cifs/transport.c: Sending smb: smb_len=122 [ 48.221830] fs/cifs/connect.c: RFC1002 header 0x50 [ 48.222280] fs/cifs/smb2misc.c: smb2_check_message length: 0x54, smb_buf_length: 0x50 [ 48.222734] fs/cifs/smb2misc.c: SMB2 len 84 [ 48.223199] fs/cifs/transport.c: cifs_sync_mid_result: cmd=3 mid=3 state=4 [ 48.223656] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release [ 48.224107] fs/cifs/smb2pdu.c: connection to disk share [ 48.224560] fs/cifs/smb2pdu.c: validate negotiate [ 48.225015] fs/cifs/smb2pdu.c: SMB2 IOCTL [ 48.225456] fs/cifs/transport.c: Sending smb: smb_len=146 [ 48.226049] fs/cifs/connect.c: RFC1002 header 0x49 [ 48.226498] fs/cifs/smb2misc.c: smb2_check_message length: 0x4d, smb_buf_length: 0x49 [ 48.226951] fs/cifs/smb2misc.c: SMB2 data length 0 offset 0 [ 48.227408] fs/cifs/smb2misc.c: SMB2 len 77 [ 48.227863] fs/cifs/transport.c: cifs_sync_mid_result: cmd=11 mid=4 state=4 [ 48.228318] Status code returned 0xc0000022 STATUS_ACCESS_DENIED [ 48.228780] fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741790 to POSIX err -13 [ 48.229265] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release [ 48.229732] CIFS VFS: validate protocol negotiate failed: -13 [ 48.230197] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_tcon (xid = 2) rc = -5 [ 48.230681] fs/cifs/connect.c: Tcon rc = -5 [ 48.231150] fs/cifs/connect.c: build_unc_path_to_root: full_path=\\<ip_addr>\TestSMB [ 48.231634] fs/cifs/connect.c: cifs_put_smb_ses: ses_count=1 [ 48.232101] fs/cifs/connect.c: CIFS VFS: in cifs_put_smb_ses as Xid: 3 with uid: 0 [ 48.232569] fs/cifs/smb2pdu.c: disconnect session ffff8800b9189e00 [ 48.233053] fs/cifs/transport.c: Sending smb: smb_len=68 [ 48.233651] fs/cifs/connect.c: RFC1002 header 0x44 [ 48.234116] fs/cifs/smb2misc.c: smb2_check_message length: 0x48, smb_buf_length: 0x44 [ 48.234585] fs/cifs/smb2misc.c: SMB2 len 72 [ 48.235063] fs/cifs/transport.c: cifs_sync_mid_result: cmd=2 mid=5 state=4 [ 48.235541] SendRcvNoRsp flags 64 rc 0 [ 48.236075] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 0) rc = -5 [ 48.236556] CIFS VFS: cifs_mount failed w/return code = -5 Any thoughts on what is the right fix for stable kernels? Mounting SMB3 shares works great on mainline (v4.15-rc5). It also works on 4.4.109 if I pass the sec=ntlmsspi option to the mount command (as opposed to the default: sec=ntlmssp). Please let me know if you need any other info. Thank you! Regards, Srivatsa

7 years, 8 months

5
21
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror