1. 20 Feb, 2019 18 commits
  2. 19 Feb, 2019 14 commits
  3. 18 Feb, 2019 8 commits
    • Colin Ian King's avatar
      net/mlx4_en: fix spelling mistake: "quiting" -> "quitting" · 21d2cb49
      Colin Ian King authored
      There is a spelling mistake in a en_err error message. Fix it.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      21d2cb49
    • Mao Wenan's avatar
      net: crypto set sk to NULL when af_alg_release. · 9060cb71
      Mao Wenan authored
      KASAN has found use-after-free in sockfs_setattr.
      The existed commit 6d8c50dc ("socket: close race condition between sock_close()
      and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
      that crypto module forgets to set the sk to NULL after af_alg_release.
      
      KASAN report details as below:
      BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
      Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
      
      CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      1.10.2-1ubuntu1 04/01/2014
      Call Trace:
       dump_stack+0xca/0x13e
       print_address_description+0x79/0x330
       ? vprintk_func+0x5e/0xf0
       kasan_report+0x18a/0x2e0
       ? sockfs_setattr+0x120/0x150
       sockfs_setattr+0x120/0x150
       ? sock_register+0x2d0/0x2d0
       notify_change+0x90c/0xd40
       ? chown_common+0x2ef/0x510
       chown_common+0x2ef/0x510
       ? chmod_common+0x3b0/0x3b0
       ? __lock_is_held+0xbc/0x160
       ? __sb_start_write+0x13d/0x2b0
       ? __mnt_want_write+0x19a/0x250
       do_fchownat+0x15c/0x190
       ? __ia32_sys_chmod+0x80/0x80
       ? trace_hardirqs_on_thunk+0x1a/0x1c
       __x64_sys_fchownat+0xbf/0x160
       ? lockdep_hardirqs_on+0x39a/0x5e0
       do_syscall_64+0xc8/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462589
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
      f7 48 89 d6 48 89
      ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
      48 c7 c1 bc ff ff
      ff f7 d8 64 89 01 48
      RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
      RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
      RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
      RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
      R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
      
      Allocated by task 4185:
       kasan_kmalloc+0xa0/0xd0
       __kmalloc+0x14a/0x350
       sk_prot_alloc+0xf6/0x290
       sk_alloc+0x3d/0xc00
       af_alg_accept+0x9e/0x670
       hash_accept+0x4a3/0x650
       __sys_accept4+0x306/0x5c0
       __x64_sys_accept4+0x98/0x100
       do_syscall_64+0xc8/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 4184:
       __kasan_slab_free+0x12e/0x180
       kfree+0xeb/0x2f0
       __sk_destruct+0x4e6/0x6a0
       sk_destruct+0x48/0x70
       __sk_free+0xa9/0x270
       sk_free+0x2a/0x30
       af_alg_release+0x5c/0x70
       __sock_release+0xd3/0x280
       sock_close+0x1a/0x20
       __fput+0x27f/0x7f0
       task_work_run+0x136/0x1b0
       exit_to_usermode_loop+0x1a7/0x1d0
       do_syscall_64+0x461/0x580
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Syzkaller reproducer:
      r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
      0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
      0xffffffffffffffff, 0x0)
      r1 = socket$alg(0x26, 0x5, 0x0)
      getrusage(0x0, 0x0)
      bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
      'sha256-ssse3\x00'}, 0x80)
      r2 = accept(r1, 0x0, 0x0)
      r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
      r4 = dup3(r3, r0, 0x0)
      fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
      
      Fixes: 6d8c50dc ("socket: close race condition between sock_close() and sockfs_setattr()")
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9060cb71
    • Kuninori Morimoto's avatar
      ASoC: simple-card: fixup refcount_t underflow · 19dd0777
      Kuninori Morimoto authored
      commit da215354 ("ASoC: simple-card: merge simple-scu-card")
      merged simple-card and simple-scu-card. Then it had refcount
      underflow bug. This patch fixup it.
      We will get below error without this patch.
      
      	OF: ERROR: Bad of_node_put() on /sound
      	CPU: 3 PID: 237 Comm: kworker/3:1 Not tainted 5.0.0-rc6+ #1514
      	Hardware name: Renesas H3ULCB Kingfisher board based on r8a7795 ES2.0+ (DT)
      	Workqueue: events deferred_probe_work_func
      	Call trace:
      	 dump_backtrace+0x0/0x150
      	 show_stack+0x24/0x30
      	 dump_stack+0xb0/0xec
      	 of_node_release+0xd0/0xd8
      	 kobject_put+0x74/0xe8
      	 of_node_put+0x24/0x30
      	 __of_get_next_child+0x50/0x70
      	 of_get_next_child+0x40/0x68
      	 asoc_simple_card_probe+0x604/0x730
      	 platform_drv_probe+0x58/0xa8
      	 ...
      Reported-by: default avatarVicente Bergas <vicencb@gmail.com>
      Signed-off-by: default avatarKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      19dd0777
    • Bard liao's avatar
      ASoC: topology: free created components in tplg load error · 304017d3
      Bard liao authored
      Topology resources are no longer needed if any element failed to load.
      Signed-off-by: default avatarBard liao <yung-chuan.liao@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      304017d3
    • Linus Torvalds's avatar
      Merge tag 'mailbox-fixes-v5.0-rc7' of... · 301e3610
      Linus Torvalds authored
      Merge tag 'mailbox-fixes-v5.0-rc7' of git://git.linaro.org/landing-teams/working/fujitsu/integration
      
      Pull mailbox fixes from Jassi Brar:
      
       - API: Fix build breakge by exporting the function mbox_flush
      
       - BRCM: Fix FlexRM ring flush timeout issue
      
      * tag 'mailbox-fixes-v5.0-rc7' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
        mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue
        mailbox: Export mbox_flush()
      301e3610
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · 3ddc14e2
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "A few ARM fixes:
      
         - Dietmar Eggemann noticed an issue with IRQ migration during CPU
           hotplug stress testing.
      
         - Mathieu Desnoyers noticed that a previous fix broke optimised
           kprobes.
      
         - Robin Murphy noticed a case where we were not clearing the dma_ops"
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8835/1: dma-mapping: Clear DMA ops on teardown
        ARM: 8834/1: Fix: kprobes: optimized kprobes illegal instruction
        ARM: 8824/1: fix a migrating irq bug when hotplug cpu
      3ddc14e2
    • Linus Torvalds's avatar
      Merge tag 'trace-v5.0-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 10f49021
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Two more tracing fixes
      
         - Have kprobes not use copy_from_user() to access kernel addresses,
           because kprobes can legitimately poke at bad kernel memory, which
           will fault. Copy from user code should never fault in kernel space.
           Using probe_mem_read() can handle kernel address space faulting.
      
         - Put back the entries counter in the tracing output that was
           accidentally removed"
      
      * tag 'trace-v5.0-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix number of entries in trace header
        kprobe: Do not use uaccess functions to access kernel memory that can fault
      10f49021
    • Rayagonda Kokatanur's avatar
      mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue · d7bf31a0
      Rayagonda Kokatanur authored
      RING_CONTROL reg was not written due to wrong address, hence all
      the subsequent ring flush was timing out.
      
      Fixes: a371c10e ("mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush sequence")
      Signed-off-by: default avatarRayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
      Signed-off-by: default avatarRay Jui <ray.jui@broadcom.com>
      Reviewed-by: default avatarScott Branden <scott.branden@broadcom.com>
      Signed-off-by: default avatarJassi Brar <jaswinder.singh@linaro.org>
      d7bf31a0