10 Jun, 2013 (40 commits)
      jbd: Delay discarding buffers in journal_unmap_buffer · 0b48676f
      Jan Kara authored
      Delay discarding buffers in journal_unmap_buffer until
      we know that the "add to orphan" operation has definitely been
      committed, otherwise the log space of the committing transaction
      may be freed and reused before truncate gets committed, and updates
      may get lost if a crash happens.
      
      This patch is a backport of JBD2 fix by dingdinghua <dingdinghua@nrchpc.ac.cn>.
      Signed-off-by: Jan Kara <jack@suse.cz>
      (cherry picked from commit 86963918)
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      tmpfs: fix use-after-free of mempolicy object · 1e3e8106
      Greg Thelen authored
      commit 5f00110f upstream.
      
      The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
      option is not specified in the remount request.  A new policy can be
      specified if mpol=M is given.
      
      Before this patch remounting an mpol bound tmpfs without specifying
      mpol= mount option in the remount request would set the filesystem's
      mempolicy object to a freed mempolicy object.
      
      To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
          # mkdir /tmp/x
      
          # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
      
          # grep /tmp/x /proc/mounts
          nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
      
          # mount -o remount,size=200M nodev /tmp/x
      
          # grep /tmp/x /proc/mounts
          nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
              # note ? garbage in mpol=... output above
      
          # dd if=/dev/zero of=/tmp/x/f count=1
              # panic here
      
      Panic:
          BUG: unable to handle kernel NULL pointer dereference at           (null)
          IP: [<          (null)>]           (null)
          [...]
          Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
          Call Trace:
            mpol_shared_policy_init+0xa5/0x160
            shmem_get_inode+0x209/0x270
            shmem_mknod+0x3e/0xf0
            shmem_create+0x18/0x20
            vfs_create+0xb5/0x130
            do_last+0x9a1/0xea0
            path_openat+0xb3/0x4d0
            do_filp_open+0x42/0xa0
            do_sys_open+0xfe/0x1e0
            compat_sys_open+0x1b/0x20
            cstar_dispatch+0x7/0x1f
      
      Non-debug kernels will not crash immediately because referencing the
      dangling mpol will not cause a fault.  Instead the filesystem will
      reference a freed mempolicy object, which will cause unpredictable
      behavior.
      
      The problem boils down to a dropped mpol reference below if
      shmem_parse_options() does not allocate a new mpol:
      
          config = *sbinfo
          shmem_parse_options(data, &config, true)
          mpol_put(sbinfo->mpol)
          sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */
      
      This patch avoids the crash by not releasing the mempolicy if
      shmem_parse_options() doesn't create a new mpol.
      
      How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
      not look back further.
      Signed-off-by: Greg Thelen <gthelen@google.com>
      Acked-by: Hugh Dickins <hughd@google.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
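      The dropped-reference sequence quoted in the commit message, modelled as an added example (not the kernel's code) with a toy refcounted policy object. The struct, function and option names are hypothetical; the fixed variant follows the approach the message describes, releasing the old policy only when the option parser created a new one.

```c
/* Added example, not the kernel's code: a toy refcounted "mempolicy" that
 * reproduces the dropped-reference sequence quoted in the commit message and
 * the fix of only releasing the old policy when a new one was parsed.
 * All names (mpol_t, sbinfo_t, parse_options, remount_*) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct mpol {
    int refcount;
    int freed;          /* set when the last reference is dropped (stands in for kfree) */
    const char *mode;
} mpol_t;

typedef struct sbinfo {
    unsigned long max_bytes;
    mpol_t *mpol;       /* filesystem-wide policy; owns exactly one reference */
} sbinfo_t;

static mpol_t *mpol_new(const char *mode)
{
    mpol_t *p = calloc(1, sizeof *p);
    p->refcount = 1;
    p->mode = mode;
    return p;
}

/* Drop a reference; mark the object freed at zero. The memory is kept so the
 * dangling pointer can be observed instead of crashing. */
static void mpol_put(mpol_t *p)
{
    if (p && --p->refcount == 0)
        p->freed = 1;
}

/* shmem_parse_options() analogue: "mpol=" allocates a fresh policy, otherwise
 * config->mpol is left exactly as the caller passed it (no new reference). */
static void parse_options(const char *opts, sbinfo_t *config)
{
    const char *m = strstr(opts, "mpol=");
    const char *s = strstr(opts, "size=");
    if (m)
        config->mpol = mpol_new(m + 5);
    if (s)
        config->max_bytes = strtoul(s + 5, NULL, 10);
}

/* Before the fix: config starts as a copy of sbinfo, so when no mpol= option is
 * given config.mpol is the old pointer, which has just been put. */
static void remount_buggy(sbinfo_t *sbinfo, const char *opts)
{
    sbinfo_t config = *sbinfo;
    parse_options(opts, &config);
    mpol_put(sbinfo->mpol);
    sbinfo->mpol = config.mpol;         /* BUG: saves unreferenced mpol */
    sbinfo->max_bytes = config.max_bytes;
}

/* After the fix: a NULL config.mpol means "no new policy", and the old one is
 * released only when a new one replaces it. */
static void remount_fixed(sbinfo_t *sbinfo, const char *opts)
{
    sbinfo_t config = *sbinfo;
    config.mpol = NULL;
    parse_options(opts, &config);
    if (config.mpol) {
        mpol_put(sbinfo->mpol);
        sbinfo->mpol = config.mpol;
    }
    sbinfo->max_bytes = config.max_bytes;
}

/* Mount with mpol=interleave, remount with the given options and report whether
 * the filesystem is left pointing at a freed policy (1) or not (0). */
static int remount_leaves_dangling_mpol(int use_fix, const char *opts)
{
    sbinfo_t sb = { .max_bytes = 100, .mpol = mpol_new("interleave") };
    mpol_t *orig = sb.mpol;
    int dangling;

    if (use_fix)
        remount_fixed(&sb, opts);
    else
        remount_buggy(&sb, opts);

    dangling = sb.mpol != NULL && sb.mpol->freed;
    if (sb.mpol != orig)
        free(sb.mpol);
    free(orig);
    return dangling;
}

int main(void)
{
    printf("buggy remount, size only : dangling=%d\n",
           remount_leaves_dangling_mpol(0, "size=200M"));
    printf("fixed remount, size only : dangling=%d\n",
           remount_leaves_dangling_mpol(1, "size=200M"));
    printf("fixed remount, new mpol  : dangling=%d\n",
           remount_leaves_dangling_mpol(1, "size=200M,mpol=bind"));
    return 0;
}
```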
      sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat() · 59deaa36
      Geert Uytterhoeven authored
      commit 66081a72 upstream.
      
      The warning check for duplicate sysfs entries can cause a buffer overflow
      when printing the warning, as strcat() doesn't check buffer sizes.
      Use strlcat() instead.
      
      Since strlcat() doesn't return a pointer to the passed buffer, unlike
      strcat(), I had to convert the nested concatenation in sysfs_add_one() to
      an admittedly more obscure comma operator construct, to avoid emitting code
      for the concatenation if CONFIG_BUG is disabled.
      Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      fs/fscache/stats.c: fix memory leak · 4495d600
      Anurup m authored
      commit ec686c92 upstream.
      
      There is a kernel memory leak observed when the proc file
      /proc/fs/fscache/stats is read.
      
      The reason is that in fscache_stats_open, single_open is called and the
      respective release function is not called during release.  Hence fix
      with correct release function - single_release().
      
      Addresses https://bugzilla.kernel.org/show_bug.cgi?id=57101
      Signed-off-by: Anurup m <anurup.m@huawei.com>
      Cc: shyju pv <shyju.pv@huawei.com>
      Cc: Sanil kumar <sanil.kumar@huawei.com>
      Cc: Nataraj m <nataraj.m@huawei.com>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check · e5a2fb56
      Kees Cook authored
      commit 12176503 upstream.
      
      The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check
      while converting ioctl arguments.  This could lead to leaking kernel
      stack contents into userspace.
      
      Patch extracted from existing fix in grsecurity.
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Cc: David Miller <davem@davemloft.net>
      Cc: Brad Spengler <spender@grsecurity.net>
      Cc: PaX Team <pageexec@freemail.hu>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      epoll: prevent missed events on EPOLL_CTL_MOD · 1c137a47
      Eric Wong authored
      commit 128dd175 upstream.
      
      EPOLL_CTL_MOD sets the interest mask before calling f_op->poll() to
      ensure events are not missed.  Since the modifications to the interest
      mask are not protected by the same lock as ep_poll_callback, we need to
      ensure the change is visible to other CPUs calling ep_poll_callback.
      
      We also need to ensure f_op->poll() has an up-to-date view of past
      events which occurred before we modified the interest mask.  So this
      barrier also pairs with the barrier in wq_has_sleeper().
      
      This should guarantee either ep_poll_callback or f_op->poll() (or both)
      will notice the readiness of a recently-ready/modified item.
      
      This issue was encountered by Andreas Voellmy and Junchang(Jason) Wang in:
      http://thread.gmane.org/gmane.linux.kernel/1408782/
      Signed-off-by: Eric Wong <normalperson@yhbt.net>
      Cc: Hans Verkuil <hans.verkuil@cisco.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Davide Libenzi <davidel@xmailserver.org>
      Cc: Hans de Goede <hdegoede@redhat.com>
      Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
      Cc: David Miller <davem@davemloft.net>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andreas Voellmy <andreas.voellmy@yale.edu>
      Tested-by: "Junchang(Jason) Wang" <junchang.wang@yale.edu>
      Cc: netdev@vger.kernel.org
      Cc: linux-fsdevel@vger.kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: ftdi_sio: Quiet sparse noise about using plain integer as NULL pointer · b7924161
      Ying Xue authored
      commit a816e311 upstream.
      
      Pointers should not be compared to plain integers.
      Quiets the sparse warning:
      warning: Using plain integer as NULL pointer
      Signed-off-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Suggested-by: Lotfi Manseur <lotfi.manseur@imag.fr>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: serial: ftdi_sio: Handle the old_termios == 0 case e.g. uart_resume_port() · d62e0441
      Andrew Worsley authored
      commit c515598e upstream.
      
      Handle null old_termios in ftdi_set_termios() calls from uart_resume_port().
      Signed-off-by: Andrew Worsley <amworsley@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
      Suggested-by: Lotfi Manseur <lotfi.manseur@imag.fr>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: cdc-wdm: fix buffer overflow · e3c81f65
      Oliver Neukum authored
      commit c0f5ecee upstream.
      
      The buffer for responses must not overflow.
      If this would happen, set a flag, drop the data and return
      an error after user space has read all remaining data.
      Signed-off-by: Oliver Neukum <oliver@neukum.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 2.6.32: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: io_ti: Fix NULL dereference in chase_port() · 09b1d9f2
      Wolfgang Frisch authored
      commit 1ee0a224 upstream
      
      The tty is NULL when the port is hanging up.
      chase_port() needs to check for this.
      
      This patch is intended for stable series.
      The behavior was observed and tested in Linux 3.2 and 3.7.1.
      
      Johan Hovold submitted a more elaborate patch for the mainline kernel.
      
      [   56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
      [   56.278811] usb 1-1: USB disconnect, device number 3
      [   56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
      [   56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
      [   56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
      [   56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
      [   56.282085] Oops: 0002 [#1] SMP
      [   56.282744] Modules linked in:
      [   56.283512] CPU 1
      [   56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
      [   56.283512] RIP: 0010:[<ffffffff8144e62a>]  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
      [   56.283512] Call Trace:
      [   56.283512]  [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
      [   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
      [   56.283512]  [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
      [   56.283512]  [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
      [   56.283512]  [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
      [   56.283512]  [<ffffffff81300171>] ? edge_close+0x64/0x129
      [   56.283512]  [<ffffffff810612f7>] ? __wake_up+0x35/0x46
      [   56.283512]  [<ffffffff8106135b>] ? should_resched+0x5/0x23
      [   56.283512]  [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
      [   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
      [   56.283512]  [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
      [   56.283512]  [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
      [   56.283512]  [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
      [   56.283512]  [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
      [   56.283512]  [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
      [   56.283512]  [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
      [   56.283512]  [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
      [   56.283512]  [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
      [   56.283512]  [<ffffffff8128b7a3>] ? device_del+0x119/0x167
      [   56.283512]  [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
      [   56.283512]  [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
      [   56.283512]  [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
      [   56.283512]  [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
      [   56.283512]  [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
      [   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
      [   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
      [   56.283512]  [<ffffffff810570b4>] ? kthread+0x81/0x89
      [   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
      [   56.283512]  [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
      [   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
      Signed-off-by: Wolfgang Frisch <wfpub@roembden.net>
      Cc: Johan Hovold <jhovold@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: garmin_gps: fix memory leak on disconnect · f9477f69
      Johan Hovold authored
      commit 618aa106 upstream.
      
      Remove bogus disconnect test introduced by 95bef012 ("USB: more serial
      drivers writing after disconnect") which prevented queued data from
      being freed on disconnect.
      
      The possible IO it was supposed to prevent is long gone.
      Signed-off-by: Johan Hovold <jhovold@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: mos7840: fix port-device leak in error path · 22045d49
      Johan Hovold authored
      commit 3eb55cc4 upstream.
      
      The driver set the usb-serial port pointers to NULL on errors in attach,
      effectively preventing usb-serial core from decrementing the port ref
      counters and releasing the port devices and associated data.
      Signed-off-by: Johan Hovold <jhovold@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: mos7840: fix urb leak at release · 451820e7
      Johan Hovold authored
      commit 65a4cdbb upstream.
      
      Make sure control urb is freed at release.
      Signed-off-by: Johan Hovold <jhovold@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: serial: Fix memory leak in sierra_release() · 70c15a31
      Lennart Sorensen authored
      commit f7bc5051 upstream.
      
      I found a memory leak in sierra_release() (well sierra_probe() I guess)
      that loses 8 bytes each time the driver releases a device.
      Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
      Acked-by: Johan Hovold <jhovold@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: whiteheat: fix memory leak in error path · 3fe1b642
      Johan Hovold authored
      commit c129197c upstream.
      
      Make sure command buffer is deallocated in case of errors during attach.
      Signed-off-by: Johan Hovold <jhovold@gmail.com>
      Cc: <support@connecttech.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      USB: EHCI: go back to using the system clock for QH unlinks · 4b4963a9
      Alan Stern authored
      commit 004c1968 upstream
      
      This patch (as1477) fixes a problem affecting a few types of EHCI
      controller.  Contrary to what one might expect, these controllers
      automatically stop their internal frame counter when no ports are
      enabled.  Since ehci-hcd currently relies on the frame counter for
      determining when it should unlink QHs from the async schedule, those
      controllers run into trouble: The frame counter stops and the QHs
      never get unlinked.
      
      Some systems have also experienced other problems traced back to
      commit b9638011 (USB: ehci-hcd unlink
      speedups), which made the original switch from using the system clock
      to using the frame counter.  It never became clear what the reason was
      for these problems, but evidently it is related to use of the frame
      counter.
      
      To fix all these problems, this patch more or less reverts that commit
      and goes back to using the system clock.  But this can't be done
      cleanly because other changes have since been made to the scan_async()
      subroutine.  One of these changes involved the tricky logic that tries
      to avoid rescanning QHs that have already been seen when the scanning
      loop is restarted, which happens whenever an URB is given back.
      Switching back to clock-based unlinks would make this logic even more
      complicated.
      
      Therefore the new code doesn't rescan the entire async list whenever a
      giveback occurs.  Instead it rescans only the current QH and continues
      on from there.  This requires the use of a separate pointer to keep
      track of the next QH to scan, since the current QH may be unlinked
      while the scanning is in progress.  That new pointer must be global,
      so that it can be adjusted forward whenever the _next_ QH gets
      unlinked.  (uhci-hcd uses this same trick.)
      
      Simplification of the scanning loop removes a level of indentation,
      which accounts for the size of the patch.  The amount of code changed
      is relatively small, and it isn't exactly a reversion of the
      b9638011 commit.
      
      This fixes Bugzilla #32432.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      CC: <stable@kernel.org>
      Tested-by: Matej Kenda <matejken@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: Thomas Bork <tom@eisfair.net>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      xhci: Make handover code more robust · 1238778a
      Matthew Garrett authored
      commit e955a1cd upstream.
      
      My test platform (Intel DX79SI) boots reliably under BIOS, but frequently
      crashes when booting via UEFI. I finally tracked this down to the xhci
      handoff code. It seems that reads from the device occasionally just return
      0xff, resulting in xhci_find_next_cap_offset generating a value that's
      larger than the resource region. We then oops when attempting to read the
      value. Sanity checking that value lets us avoid the crash.
      
      I've no idea what's causing the underlying problem, and xhci still doesn't
      actually *work* even with this, but the machine at least boots which will
      probably make further debugging easier.
      
      This should be backported to kernels as old as 2.6.31, that contain the
      commit 66d4eadd "USB: xhci: BIOS handoff
      and HW initialization."
      Signed-off-by: Matthew Garrett <mjg@redhat.com>
      Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      Bluetooth: fix possible info leak in bt_sock_recvmsg() · e55f3e43
      Mathias Krause authored
      commit 4683f42f upstream.
      
      In case the socket is already shutting down, bt_sock_recvmsg() returns
      with 0 without updating msg_namelen leading to net/socket.c leaking the
      local, uninitialized sockaddr_storage variable to userland -- 128 bytes
      of kernel stack memory.
      
      Fix this by moving the msg_namelen assignment in front of the shutdown
      test.
      
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Gustavo Padovan <gustavo@padovan.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [dannf: adjusted to apply to Debian's 2.6.32]
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      Bluetooth: L2CAP - Fix info leak via getsockname() · cb15ea45
      Mathias Krause authored
      commit 792039c7 upstream.
      
      The L2CAP code fails to initialize the l2_bdaddr_type member of struct
      sockaddr_l2 and the padding byte added for alignment. It therefore leaks
      two bytes of kernel stack via the getsockname() syscall. Add an explicit
      memset(0) before filling the structure to avoid the info leak.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Gustavo Padovan <gustavo@padovan.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [bwh: Backported to 2.6.32: adjust filename]
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg() · 78ded8d6
      Mathias Krause authored
      [ Upstream commit e11e0455 ]
      
      If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
      early with 0 without updating the possibly set msg_namelen member. This,
      in turn, leads to a 128 byte kernel stack leak in net/socket.c.
      
      Fix this by updating msg_namelen in this case. For all other cases it
      will be handled in bt_sock_stream_recvmsg().
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Gustavo Padovan <gustavo@padovan.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      Bluetooth: RFCOMM - Fix info leak via getsockname() · 473f13e1
      Mathias Krause authored
      [ Upstream commit 9344a972 ]
      
      The RFCOMM code fails to initialize the trailing padding byte of struct
      sockaddr_rc added for alignment. It therefore leaks one byte of kernel stack
      via the getsockname() syscall. Add an explicit memset(0) before filling
      the structure to avoid the info leak.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Gustavo Padovan <gustavo@padovan.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER) · c47abf3b
      Mathias Krause authored
      [ Upstream commit e15ca9a0 ]
      
      The HCI code fails to initialize the two padding bytes of struct
      hci_ufilter before copying it to userland -- thereby leaking two
      bytes of kernel stack. Add an explicit memset(0) before filling the
      structure to avoid the info leak.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Gustavo Padovan <gustavo@padovan.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
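      The padding-byte leaks described in the L2CAP, RFCOMM and HCI fixes above, shown with an added example that is not kernel code: a struct laid out as the RFCOMM getsockname() message describes (16-bit family, 6-byte address, 8-bit channel, one trailing alignment byte) is filled once without and once with the memset(0). Struct and function names are hypothetical, and the byte 0xA5 stands in for stale stack contents.

```c
/* Added example, not kernel code: a struct laid out like the sockaddr_rc the
 * RFCOMM fix describes (16-bit family, 6-byte address, 8-bit channel, one
 * trailing alignment padding byte) shows why assigning the named members is not
 * enough and what the memset(0) added by these Bluetooth fixes changes.
 * Struct and function names are hypothetical; 0xA5 stands in for stale stack. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t b[6]; } bdaddr_t;

struct sockaddr_rc_like {
    uint16_t rc_family;
    bdaddr_t rc_bdaddr;
    uint8_t  rc_channel;
    /* the compiler pads here so sizeof is a multiple of the uint16_t alignment */
};

#define STALE 0xA5

/* Bytes of the struct no named member covers: what is copied out unfilled. */
static size_t padding_bytes(void)
{
    return sizeof(struct sockaddr_rc_like)
         - (sizeof(uint16_t) + sizeof(bdaddr_t) + sizeof(uint8_t));
}

/* getsockname()-style fill before the fix: members set, padding untouched. */
static void fill_unsafe(struct sockaddr_rc_like *sa, const bdaddr_t *addr, uint8_t channel)
{
    sa->rc_family  = 31;        /* AF_BLUETOOTH */
    sa->rc_bdaddr  = *addr;
    sa->rc_channel = channel;
}

/* After the fix: zero the whole object first, then set the members. */
static void fill_safe(struct sockaddr_rc_like *sa, const bdaddr_t *addr, uint8_t channel)
{
    memset(sa, 0, sizeof *sa);
    sa->rc_family  = 31;
    sa->rc_bdaddr  = *addr;
    sa->rc_channel = channel;
}

/* Pre-fill the struct's storage with a stale pattern (standing in for whatever
 * the kernel stack held), run one of the fills, and count the bytes that would
 * reach user space still carrying the pattern. */
static size_t leaked_bytes(int use_fix)
{
    union {
        struct sockaddr_rc_like sa;
        unsigned char raw[sizeof(struct sockaddr_rc_like)];
    } u;
    const bdaddr_t addr = { { 0xf0, 0xaf, 0xf0, 0xaf, 0xf0, 0xaf } }; /* constructed */
    size_t leaked = 0;

    memset(u.raw, STALE, sizeof u.raw);
    if (use_fix)
        fill_safe(&u.sa, &addr, 3);
    else
        fill_unsafe(&u.sa, &addr, 3);

    for (size_t i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("sizeof = %zu, padding bytes = %zu\n",
           sizeof(struct sockaddr_rc_like), padding_bytes());
    printf("without memset: %zu stale byte(s) copied out\n", leaked_bytes(0));
    printf("with memset   : %zu stale byte(s) copied out\n", leaked_bytes(1));
    return 0;
}
```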
      Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() · 326af266
      Anderson Lizardo authored
      commit 0a9ab9bd upstream
      
      The length parameter should be sizeof(req->name) - 1 because there is no
      guarantee that string provided by userspace will contain the trailing
      '\0'.
      
      Can be easily reproduced by manually setting req->name to 128 non-zero
      bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on
      input subsystem:
      
      $ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name
      AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af
      
      ("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys"
      field in struct hid_device due to overflow.)
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
      Acked-by: Marcel Holtmann <marcel@holtmann.org>
      Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
      
      [backported to 2.6.32 jmm]
      Signed-off-by: Willy Tarreau <w@1wt.eu>
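      The missing-terminator behaviour the commit message reproduces through sysfs, as an added example that is not kernel code: a struct with a 128-byte name followed by a "phys" string holding the address is filled from a constructed all-'A' request, once with sizeof(name) and once with sizeof(name) - 1, and the length a string reader would observe is measured. Struct and function names are hypothetical.

```c
/* Added example, not kernel code: reproduces the missing NUL terminator the
 * hidp_setup_hid() fix describes. A struct with a 128-byte name followed by the
 * "phys" string (holding the Bluetooth address, as in the sysfs output quoted
 * above) is filled from a constructed all-'A' request name; the reader then sees
 * the address appended to the name. Struct and function names are hypothetical. */
#include <stdio.h>
#include <string.h>

struct hid_like {
    char name[128];     /* offset 0, the string a reader of sysfs "name" sees */
    char phys[64];      /* the next field in memory, e.g. "f0:af:f0:af:f0:af" */
};

#define REQ_NAME_LEN 128

/* Before the fix: sizeof(name) bytes are copied, so a request whose 128 bytes are
 * all non-zero leaves no terminating '\0' in name. */
static void setup_name_buggy(struct hid_like *hid, const char req_name[REQ_NAME_LEN])
{
    strncpy(hid->name, req_name, sizeof(hid->name));
}

/* After the fix: at most sizeof(name) - 1 bytes are copied; the final byte keeps
 * the zero the (zeroed) allocation started with. */
static void setup_name_fixed(struct hid_like *hid, const char req_name[REQ_NAME_LEN])
{
    strncpy(hid->name, req_name, sizeof(hid->name) - 1);
}

/* Walk the object byte by byte from name[0], as a string reader would, and
 * return how many bytes it consumes before finding a NUL. Stops at the end of
 * the struct so the demo itself never reads out of bounds. */
static size_t observed_name_length(int use_fix)
{
    struct hid_like hid;
    char req_name[REQ_NAME_LEN];
    const unsigned char *p = (const unsigned char *)&hid;
    size_t n = 0;

    memset(&hid, 0, sizeof hid);                 /* as a zeroed allocation would be */
    strcpy(hid.phys, "f0:af:f0:af:f0:af");       /* constructed address */
    memset(req_name, 'A', sizeof req_name);      /* constructed: no trailing NUL */

    if (use_fix)
        setup_name_fixed(&hid, req_name);
    else
        setup_name_buggy(&hid, req_name);

    while (n < sizeof hid && p[n] != '\0')
        n++;
    return n;
}

int main(void)
{
    printf("buggy: reader sees %zu bytes of name (128 were available)\n",
           observed_name_length(0));
    printf("fixed: reader sees %zu bytes of name\n", observed_name_length(1));
    return 0;
}
```

      With the buggy copy the 128 'A' bytes run straight into the 17-byte address string, matching the "AAAA...f0:af:f0:af:f0:af" output the message shows; the fixed copy stops at 127.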
      telephony: ixj: buffer overflow in ixj_write_cid() · 7664ec67
      Dan Carpenter authored
      [Not needed in 3.8 or newer as this driver is removed there. - gregkh]
      
      We get this from user space and nothing has been done to ensure that
      these strings are NUL terminated.
      Reported-by: Chen Gang <gang.chen@asianux.com>
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      IPoIB: Fix use-after-free of multicast object · dd70f87c
      Patrick McHardy authored
      commit bea1e22d upstream.
      
      Fix a crash in ipoib_mcast_join_task().  (with help from Or Gerlitz)
      
      Commit c8c2afe3 ("IPoIB: Use rtnl lock/unlock when changing device
      flags") added a call to rtnl_lock() in ipoib_mcast_join_task(), which
      is run from the ipoib_workqueue, and hence the workqueue can't be
      flushed from the context of ipoib_stop().
      
      In the current code, ipoib_stop() (which doesn't flush the workqueue)
      calls ipoib_mcast_dev_flush(), which goes and deletes all the
      multicast entries.  This takes place without any synchronization with
      a possible running instance of ipoib_mcast_join_task() for the same
      ipoib device, leading to a crash due to NULL pointer dereference.
      
      Fix this by making sure that the workqueue is flushed before
      ipoib_mcast_dev_flush() is called.  To make that possible, we move the
      RTNL-lock wrapped code to ipoib_mcast_join_finish().
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Roland Dreier <roland@purestorage.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode · e6d11ed5
      Nithin Nayak Sujir authored
      [ Upstream commit 9c13cb8b ]
      
      When netconsole is enabled, logging messages generated during tg3_open
      can result in a null pointer dereference for the uninitialized tg3
      status block. Use the irq_sync flag to disable polling in the early
      stages. irq_sync is cleared when the driver is enabling interrupts after
      all initialization is completed.
      Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
      Signed-off-by: Michael Chan <mchan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      b43legacy: Fix crash on unload when firmware not available · 28c684ce
      Larry Finger authored
      commit 2d838bb6 upstream.
      
      When b43legacy is loaded without the firmware being available, a following
      unload generates a kernel NULL pointer dereference BUG as follows:
      
      [  214.330789] BUG: unable to handle kernel NULL pointer dereference at 0000004c
      [  214.330997] IP: [<c104c395>] drain_workqueue+0x15/0x170
      [  214.331179] *pde = 00000000
      [  214.331311] Oops: 0000 [#1] SMP
      [  214.331471] Modules linked in: b43legacy(-) ssb pcmcia mac80211 cfg80211 af_packet mperf arc4 ppdev sr_mod cdrom sg shpchp yenta_socket pcmcia_rsrc pci_hotplug pcmcia_core battery parport_pc parport floppy container ac button edd autofs4 ohci_hcd ehci_hcd usbcore usb_common thermal processor scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_dh fan thermal_sys hwmon ata_generic pata_ali libata [last unloaded: cfg80211]
      [  214.333421] Pid: 3639, comm: modprobe Not tainted 3.6.0-rc6-wl+ #163 Source Technology VIC 9921/ALI Based Notebook
      [  214.333580] EIP: 0060:[<c104c395>] EFLAGS: 00010246 CPU: 0
      [  214.333687] EIP is at drain_workqueue+0x15/0x170
      [  214.333788] EAX: c162ac40 EBX: cdfb8360 ECX: 0000002a EDX: 00002a2a
      [  214.333890] ESI: 00000000 EDI: 00000000 EBP: cd767e7c ESP: cd767e5c
      [  214.333957]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      [  214.333957] CR0: 8005003b CR2: 0000004c CR3: 0c96a000 CR4: 00000090
      [  214.333957] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [  214.333957] DR6: ffff0ff0 DR7: 00000400
      [  214.333957] Process modprobe (pid: 3639, ti=cd766000 task=cf802e90 task.ti=cd766000)
      [  214.333957] Stack:
      [  214.333957]  00000292 cd767e74 c12c5e09 00000296 00000296 cdfb8360 cdfb9220 00000000
      [  214.333957]  cd767e90 c104c4fd cdfb8360 cdfb9220 cd682800 cd767ea4 d0c10184 cd682800
      [  214.333957]  cd767ea4 cba31064 cd767eb8 d0867908 cba31064 d087e09c cd96f034 cd767ec4
      [  214.333957] Call Trace:
      [  214.333957]  [<c12c5e09>] ? skb_dequeue+0x49/0x60
      [  214.333957]  [<c104c4fd>] destroy_workqueue+0xd/0x150
      [  214.333957]  [<d0c10184>] ieee80211_unregister_hw+0xc4/0x100 [mac80211]
      [  214.333957]  [<d0867908>] b43legacy_remove+0x78/0x80 [b43legacy]
      [  214.333957]  [<d083654d>] ssb_device_remove+0x1d/0x30 [ssb]
      [  214.333957]  [<c126f15a>] __device_release_driver+0x5a/0xb0
      [  214.333957]  [<c126fb07>] driver_detach+0x87/0x90
      [  214.333957]  [<c126ef4c>] bus_remove_driver+0x6c/0xe0
      [  214.333957]  [<c1270120>] driver_unregister+0x40/0x70
      [  214.333957]  [<d083686b>] ssb_driver_unregister+0xb/0x10 [ssb]
      [  214.333957]  [<d087c488>] b43legacy_exit+0xd/0xf [b43legacy]
      [  214.333957]  [<c1089dde>] sys_delete_module+0x14e/0x2b0
      [  214.333957]  [<c110a4a7>] ? vfs_write+0xf7/0x150
      [  214.333957]  [<c1240050>] ? tty_write_lock+0x50/0x50
      [  214.333957]  [<c110a6f8>] ? sys_write+0x38/0x70
      [  214.333957]  [<c1397c55>] syscall_call+0x7/0xb
      [  214.333957] Code: bc 27 00 00 00 00 a1 74 61 56 c1 55 89 e5 e8 a3 fc ff ff 5d c3 90 55 89 e5 57 56 89 c6 53 b8 40 ac 62 c1 83 ec 14 e8 bb b7 34 00 <8b> 46 4c 8d 50 01 85 c0 89 56 4c 75 03 83 0e 40 80 05 40 ac 62
      [  214.333957] EIP: [<c104c395>] drain_workqueue+0x15/0x170 SS:ESP 0068:cd767e5c
      [  214.333957] CR2: 000000000000004c
      [  214.341110] ---[ end trace c7e90ec026d875a6 ]---Index: wireless-testing/drivers/net/wireless/b43legacy/main.c
      
      The problem is fixed by making certain that the ucode pointer is not NULL
      before deregistering the driver in mac80211.
      Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      28c684ce
    • Francois Romieu's avatar
      r8169: incorrect identifier for a 8168dp · 5d977bde
      Francois Romieu authored
      Merge error.
      
      See CFG_METHOD_8 (0x3c800000 + 0x00300000) since version 8.002.00
      of Realtek's driver.
      Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
      Cc: Hayes <hayeswang@realtek.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      (cherry picked from commit 17c99297)
      Cc: Thomas Bork <tom@eisfair.net>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      5d977bde
    • Lennart Sorensen's avatar
      r8169: Add support for D-Link 530T rev C1 (Kernel Bug 38862) · fa9652ba
      Lennart Sorensen authored
      [ Upstream commit 93a3aa25 ]
      
      The D-Link DGE-530T rev C1 is a re-badged Realtek 8169 named DLG10028C,
      unlike the previous revisions which were skge based.  It is probably
      the same as the discontinued DGE-528T (0x4300) other than the PCI ID.
      
      The PCI ID is 0x1186:0x4302.
      
      Adding it to r8169.c where 0x1186:0x4300 is already found makes the card
      be detected and work.
      
      This fixes https://bugzilla.kernel.org/show_bug.cgi?id=38862
      Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
      (cherry picked from commit 7106159f)
      Cc: Thomas Bork <tom@eisfair.net>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      fa9652ba
    • Timo Teräs's avatar
      r8169: remove the obsolete and incorrect AMD workaround · a0a6cfcd
      Timo Teräs authored
      [ Upstream commit 5d0feaff ]
      
      This was introduced in commit 6dccd16b "r8169: merge with version
      6.001.00 of Realtek's r8169 driver". I did not find the version
      6.001.00 online, but in 6.002.00 or any later r8169 from Realtek
      this hunk is no longer present.
      
      Also commit 05af2142 "r8169: fix Ethernet Hangup for RTL8110SC
      rev d" claims to have fixed this issue otherwise.
      
      The magic compare mask of 0xfffe000 is dubious as it masks
      parts of the Reserved part, and parts of the VLAN tag. But this
      does not make much sense as the VLAN tag parts are perfectly
      valid there. In matter of fact this seems to be triggered with
      any VLAN tagged packet as RxVlanTag bit is matched. I would
      suspect 0xfffe0000 was intended to test reserved part only.
      
      Finally, this hunk is evil as it can cause more packets to be
      handled than what was NAPI quota causing net/core/dev.c:
      net_rx_action(): WARN_ON_ONCE(work > weight) to trigger, and
      mess up the NAPI state causing device to hang.
      
      As result, any system using VLANs and having high receive
      traffic (so that NAPI poll budget limits rtl_rx) would result
      in device hang.
      Signed-off-by: Timo Teräs <timo.teras@iki.fi>
      Acked-by: Francois Romieu <romieu@fr.zoreil.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      (cherry picked from commit 3a42cce9)
      Cc: Thomas Bork <tom@eisfair.net>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      a0a6cfcd
    • Hayes Wang's avatar
      r8169: correct settings of rtl8102e. · 3e472a9a
      Hayes Wang authored
      Adjust and remove certain settings of RTL8102E which are for previous chips.
      Signed-off-by: Hayes Wang <hayeswang@realtek.com>
      Acked-off-by: Francois Romieu <romieu@fr.zoreil.com>
      (cherry picked from commit d24e9aaf)
      Cc: Thomas Bork <tom@eisfair.net>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      3e472a9a
    • Mathias Krause's avatar
      xfrm_user: return error pointer instead of NULL #2 · 95f86856
      Mathias Krause authored
      commit c2546372 upstream.
      
      When dump_one_policy() returns an error, e.g. because of a too small
      buffer to dump the whole xfrm policy, xfrm_policy_netlink() returns
      NULL instead of an error pointer. But its caller expects an error
      pointer and therefore continues to operate on a NULL skbuff.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      95f86856
    • Mathias Krause's avatar
      xfrm_user: return error pointer instead of NULL · 30d5e9d8
      Mathias Krause authored
      commit 864745d2 upstream.
      
      When dump_one_state() returns an error, e.g. because of a too small
      buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
      instead of an error pointer. But its callers expect an error pointer
      and therefore continue to operate on a NULL skbuff.
      
      This could lead to a privilege escalation (execution of user code in
      kernel context) if the attacker has CAP_NET_ADMIN and is able to map
      address 0.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      30d5e9d8
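The NULL-versus-error-pointer mistake described in the two xfrm_user commits above, as an added user-space model that is not code from the commits: ERR_PTR/IS_ERR/PTR_ERR are re-implemented here with the kernel's encoding, and the skb, dump_one_state and *_netlink names are hypothetical stand-ins for the real functions.

```c
/* Added example, not from the xfrm_user commits. Models why a callee that
 * collapses its error to NULL, while its callers only test IS_ERR(), hands
 * those callers a NULL skbuff to operate on. All names are stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ERRNO 4095
/* Same encoding the kernel uses: error values live in the top page of addresses. */
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct skb { char data[16]; size_t len; };   /* toy stand-in for sk_buff */

/* Stand-in for dump_one_state(): fails with -EMSGSIZE when the buffer is too small. */
static int dump_one_state(struct skb *skb, size_t needed)
{
    if (needed > sizeof skb->data)
        return -EMSGSIZE;
    memset(skb->data, 'S', needed);
    skb->len = needed;
    return 0;
}

/* Pre-fix shape: the errno from dump_one_state() is thrown away and NULL returned. */
static struct skb *state_netlink_buggy(struct skb *skb, size_t needed)
{
    if (dump_one_state(skb, needed) < 0)
        return NULL;
    return skb;
}

/* Post-fix shape: the errno is propagated as an error pointer. */
static struct skb *state_netlink_fixed(struct skb *skb, size_t needed)
{
    int err = dump_one_state(skb, needed);
    if (err < 0)
        return ERR_PTR(err);
    return skb;
}

/* A caller written the way xfrm_user's callers are: IS_ERR() only, then use the skb.
 * Returns the length it would send, or a negative errno. Where the kernel would
 * dereference the NULL and oops, this model returns -EFAULT so the outcome is visible. */
static long caller(struct skb *(*fn)(struct skb *, size_t), size_t needed)
{
    struct skb buf;
    struct skb *resp = fn(&buf, needed);
    if (IS_ERR(resp))
        return PTR_ERR(resp);        /* the only error path the caller knows about */
    if (resp == NULL)
        return -EFAULT;              /* NULL is not an error pointer: IS_ERR() missed it */
    return (long)resp->len;
}
```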
    • Mathias Krause's avatar
      xfrm_user: fix info leak in copy_to_user_tmpl() · 89cee197
      Mathias Krause authored
      [ Upstream commit 1f86840f ]
      
      The memory used for the template copy is a local stack variable. As
      struct xfrm_user_tmpl contains multiple holes added by the compiler for
      alignment, not initializing the memory will lead to leaking stack bytes
      to userland. Add an explicit memset(0) to avoid the info leak.
      
      Initial version of the patch by Brad Spengler.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Cc: Brad Spengler <spender@grsecurity.net>
      Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      89cee197
    • Mathias Krause's avatar
      xfrm_user: fix info leak in copy_to_user_policy() · ab7dec14
      Mathias Krause authored
      [ Upstream commit 7b789836 ]
      
      The memory reserved to dump the xfrm policy includes multiple padding
      bytes added by the compiler for alignment (padding bytes in struct
      xfrm_selector and struct xfrm_userpolicy_info). Add an explicit
      memset(0) before filling the buffer to avoid the heap info leak.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      ab7dec14
    • Mathias Krause's avatar
      xfrm_user: fix info leak in copy_to_user_state() · d6927c1e
      Mathias Krause authored
      [ Upstream commit f778a636 ]
      
      The memory reserved to dump the xfrm state includes the padding bytes of
      struct xfrm_usersa_info added by the compiler for alignment (7 for
      amd64, 3 for i386). Add an explicit memset(0) before filling the buffer
      to avoid the info leak.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      d6927c1e
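The padding leak that the three copy_to_user_tmpl/policy/state commits above fix with memset(0), as an added user-space model that is not code from the commits: struct sa_info is a hypothetical, simplified stand-in for struct xfrm_usersa_info, and the 0xAA fill stands in for stale kernel stack or heap bytes.

```c
/* Added example, not from the xfrm_user commits. Shows that filling a struct
 * member by member leaves the compiler's alignment holes untouched, so whatever
 * the message buffer held before is copied to userland unless the buffer is
 * zeroed first. struct sa_info and the 0xAA pattern are constructed stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct sa_info {
    uint32_t spi;       /* offset 0 */
    uint8_t  proto;     /* offset 4, followed by padding up to the next 4-byte member */
    uint32_t seq;
    uint8_t  mode;      /* followed by padding up to the 8-byte member */
    uint64_t lifetime;
};

#define FIELD_BYTES (sizeof(uint32_t) + sizeof(uint8_t) + sizeof(uint32_t) + \
                     sizeof(uint8_t) + sizeof(uint64_t))
/* Bytes of the struct that no field covers: exactly the leak surface. */
#define PADDING_BYTES (sizeof(struct sa_info) - FIELD_BYTES)
#define STALE 0xAA

/* Writes each field into buf at its real offset and touches nothing else. This
 * models member-by-member assignment (p->spi = ...), which leaves padding as it was. */
static void write_fields(unsigned char *buf)
{
    uint32_t spi = 0x01020304, seq = 7;     /* constructed sample values */
    uint8_t proto = 50, mode = 1;
    uint64_t lifetime = 3600;
    memcpy(buf + offsetof(struct sa_info, spi), &spi, sizeof spi);
    memcpy(buf + offsetof(struct sa_info, proto), &proto, sizeof proto);
    memcpy(buf + offsetof(struct sa_info, seq), &seq, sizeof seq);
    memcpy(buf + offsetof(struct sa_info, mode), &mode, sizeof mode);
    memcpy(buf + offsetof(struct sa_info, lifetime), &lifetime, sizeof lifetime);
}

/* Pre-fix shape: the message buffer keeps whatever it held before. */
static void copy_to_user_state_leaky(unsigned char *buf)
{
    write_fields(buf);
}

/* Post-fix shape: memset(0) before filling, as the commits do. */
static void copy_to_user_state_fixed(unsigned char *buf)
{
    memset(buf, 0, sizeof(struct sa_info));
    write_fields(buf);
}

/* Fills a message buffer with the STALE pattern, runs the given copy routine over
 * it, and returns how many bytes of the finished message still carry that pattern. */
static size_t stale_bytes_after(void (*copy)(unsigned char *))
{
    unsigned char buf[sizeof(struct sa_info)];
    size_t i, n = 0;
    memset(buf, STALE, sizeof buf);
    copy(buf);
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] == STALE)
            n++;
    return n;
}
```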
    • Jussi Kivilinna's avatar
      crypto: cryptd - disable softirqs in cryptd_queue_worker to prevent data corruption · e760d49b
      Jussi Kivilinna authored
      commit 9efade1b upstream.
      
      cryptd_queue_worker attempts to prevent simultaneous accesses to crypto
      workqueue by cryptd_enqueue_request using preempt_disable/preempt_enable.
      However cryptd_enqueue_request might be called from softirq context,
      so add local_bh_disable/local_bh_enable to prevent data corruption and
      panics.
      
      Bug report at http://marc.info/?l=linux-crypto-vger&m=134858649616319&w=2
      
      v2:
       - Disable software interrupts instead of hardware interrupts
      Reported-by: Gurucharan Shetty <gurucharan.shetty@gmail.com>
      Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      e760d49b
    • David Howells's avatar
      keys: fix race with concurrent install_user_keyrings() · 554da46d
      David Howells authored
      commit 0da9dfdd upstream.
      
      This fixes CVE-2013-1792.
      
      There is a race in install_user_keyrings() that can cause a NULL pointer
      dereference when called concurrently for the same user if the uid and
      uid-session keyrings are not yet created.  It might be possible for an
      unprivileged user to trigger this by calling keyctl() from userspace in
      parallel immediately after logging in.
      
      Assume that we have two threads both executing lookup_user_key(), both
      looking for KEY_SPEC_USER_SESSION_KEYRING.
      
      	THREAD A			THREAD B
      	===============================	===============================
      					==>call install_user_keyrings();
      	if (!cred->user->session_keyring)
      	==>call install_user_keyrings()
      					...
      					user->uid_keyring = uid_keyring;
      	if (user->uid_keyring)
      		return 0;
      	<==
      	key = cred->user->session_keyring [== NULL]
      					user->session_keyring = session_keyring;
      	atomic_inc(&key->usage); [oops]
      
      At the point thread A dereferences cred->user->session_keyring, thread B
      hasn't updated user->session_keyring yet, but thread A assumes it is
      populated because install_user_keyrings() returned ok.
      
      The race window is really small but can be exploited if, for example,
      thread B is interrupted or preempted after initializing uid_keyring, but
      before doing setting session_keyring.
      
      This couldn't be reproduced on a stock kernel.  However, after placing
      systemtap probe on 'user->session_keyring = session_keyring;' that
      introduced some delay, the kernel could be crashed reliably.
      
      Fix this by checking both pointers before deciding whether to return.
      Alternatively, the test could be done away with entirely as it is checked
      inside the mutex - but since the mutex is global, that may not be the best
      way.
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reported-by: Mateusz Guzik <mguzik@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      554da46d
    • Eddie Wai's avatar
      SCSI: bnx2i: Fixed NULL ptr deference for 1G bnx2 Linux iSCSI offload · 4d9de348
      Eddie Wai authored
      commit d6532207 upstream.
      
      This patch fixes the following kernel panic invoked by uninitialized fields
      in the chip initialization for the 1G bnx2 iSCSI offload.
      
      One of the bits in the chip initialization is being used by the latest
      firmware to control overflow packets.  When this control bit gets enabled
      erroneously, it would ultimately result in a bad packet placement which would
      cause the bnx2 driver to dereference a NULL ptr in the placement handler.
      
      This can happen under certain stress I/O environment under the Linux
      iSCSI offload operation.
      
      This change only affects Broadcom's 5709 chipset.
      
      Unable to handle kernel NULL pointer dereference at 0000000000000008 RIP:
       [<ffffffff881f0e7d>] :bnx2:bnx2_poll_work+0xd0d/0x13c5
      Pid: 0, comm: swapper Tainted: G     ---- 2.6.18-333.el5debug #2
      RIP: 0010:[<ffffffff881f0e7d>]  [<ffffffff881f0e7d>] :bnx2:bnx2_poll_work+0xd0d/0x13c5
      RSP: 0018:ffff8101b575bd50  EFLAGS: 00010216
      RAX: 0000000000000005 RBX: ffff81007c5fb180 RCX: 0000000000000000
      RDX: 0000000000000ffc RSI: 00000000817e8000 RDI: 0000000000000220
      RBP: ffff81015bbd7ec0 R08: ffff8100817e9000 R09: 0000000000000000
      R10: ffff81007c5fb180 R11: 00000000000000c8 R12: 000000007a25a010
      R13: 0000000000000000 R14: 0000000000000005 R15: ffff810159f80558
      FS:  0000000000000000(0000) GS:ffff8101afebc240(0000) knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 0000000000000008 CR3: 0000000000201000 CR4: 00000000000006a0
      Process swapper (pid: 0, threadinfo ffff8101b5754000, task ffff8101afebd820)
      Stack:  000000000000000b ffff810159f80000 0000000000000040 ffff810159f80520
       ffff810159f80500 00cf00cf8008e84b ffffc200100939e0 ffff810009035b20
       0000502900000000 000000be00000001 ffff8100817e7810 00d08101b575bea8
      Call Trace:
       <IRQ>  [<ffffffff8008e0d0>] show_schedstat+0x1c2/0x25b
       [<ffffffff881f1886>] :bnx2:bnx2_poll+0xf6/0x231
       [<ffffffff8000c9b9>] net_rx_action+0xac/0x1b1
       [<ffffffff800125a0>] __do_softirq+0x89/0x133
       [<ffffffff8005e30c>] call_softirq+0x1c/0x28
       [<ffffffff8006d5de>] do_softirq+0x2c/0x7d
       [<ffffffff8006d46e>] do_IRQ+0xee/0xf7
       [<ffffffff8005d625>] ret_from_intr+0x0/0xa
       <EOI>  [<ffffffff801a5780>] acpi_processor_idle_simple+0x1c5/0x341
       [<ffffffff801a573d>] acpi_processor_idle_simple+0x182/0x341
       [<ffffffff801a55bb>] acpi_processor_idle_simple+0x0/0x341
       [<ffffffff80049560>] cpu_idle+0x95/0xb8
       [<ffffffff80078b1c>] start_secondary+0x479/0x488
      Signed-off-by: Eddie Wai <eddie.wai@broadcom.com>
      Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: James Bottomley <JBottomley@Parallels.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      4d9de348
    • James Bottomley's avatar
      fix crash in scsi_dispatch_cmd() · 34cee3a5
      James Bottomley authored
      USB surprise removal of sr is triggering an oops in
      scsi_dispatch_command().  What seems to be happening is that USB is
      hanging on to a queue reference until the last close of the upper
      device, so the crash is caused by surprise remove of a mounted CD
      followed by attempted unmount.
      
      The problem is that USB doesn't issue its final commands as part of
      the SCSI teardown path, but on last close when the block queue is long
      gone.  The long term fix is probably to make sr do the teardown in the
      same way as sd (so remove all the lower bits on ejection, but keep the
      upper disk alive until last close of user space).  However, the
      current oops can be simply fixed by not allowing any commands to be
      sent to a dead queue.
      
      Cc: stable@kernel.org
      Signed-off-by: James Bottomley <JBottomley@Parallels.com>
      (cherry picked from commit bfe159a5)
      Cc: Thomas Bork <tom@eisfair.net>
      Signed-off-by: Willy Tarreau <w@1wt.eu>
      34cee3a5