1. 21 Sep, 2019 13 commits
    • Matt Delco's avatar
      KVM: coalesced_mmio: add bounds checking · 232a6462
      Matt Delco authored
      commit b60fe990 upstream.
      
      The first/last indexes are typically shared with a user app.
      The app can change the 'last' index that the kernel uses
      to store the next result.  This change sanity checks the index
      before using it for writing to a potentially arbitrary address.
      
      This fixes CVE-2019-14821.
      
      Cc: stable@vger.kernel.org
      Fixes: 5f94c174 ("KVM: Add coalesced MMIO support (common part)")
      Signed-off-by: default avatarMatt Delco <delco@chromium.org>
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
      [Use READ_ONCE. - Paolo]
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      232a6462
    • Cong Wang's avatar
      net_sched: let qdisc_put() accept NULL pointer · 7a1bad56
      Cong Wang authored
      [ Upstream commit 6efb971b ]
      
      When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL
      pointer which leads to a crash in sfb_destroy(). Similar for
      sch_dsmark.
      
      Instead of fixing each separately, Linus suggested to just accept
      NULL pointer in qdisc_put(), which would make callers easier.
      
      (For sch_dsmark, the bug probably exists long before commit
      6529eaba.)
      
      Fixes: 6529eaba ("net: sched: introduce tcf block infractructure")
      Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7a1bad56
    • Dongli Zhang's avatar
      xen-netfront: do not assume sk_buff_head list is empty in error handling · 47288968
      Dongli Zhang authored
      [ Upstream commit 00b36850 ]
      
      When skb_shinfo(skb) is not able to cache extra fragment (that is,
      skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS), xennet_fill_frags() assumes
      the sk_buff_head list is already empty. As a result, cons is increased only
      by 1 and returns to error handling path in xennet_poll().
      
      However, if the sk_buff_head list is not empty, queue->rx.rsp_cons may be
      set incorrectly. That is, queue->rx.rsp_cons would point to the rx ring
      buffer entries whose queue->rx_skbs[i] and queue->grant_rx_ref[i] are
      already cleared to NULL. This leads to NULL pointer access in the next
      iteration to process rx ring buffer entries.
      
      Below is how xennet_poll() does error handling. All remaining entries in
      tmpq are accounted to queue->rx.rsp_cons without assuming how many
      outstanding skbs are remained in the list.
      
       985 static int xennet_poll(struct napi_struct *napi, int budget)
      ... ...
      1032           if (unlikely(xennet_set_skb_gso(skb, gso))) {
      1033                   __skb_queue_head(&tmpq, skb);
      1034                   queue->rx.rsp_cons += skb_queue_len(&tmpq);
      1035                   goto err;
      1036           }
      
      It is better to always have the error handling in the same way.
      
      Fixes: ad4f15dc ("xen/netfront: don't bug in case of too many frags")
      Signed-off-by: default avatarDongli Zhang <dongli.zhang@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47288968
    • Willem de Bruijn's avatar
      udp: correct reuseport selection with connected sockets · fdd60d80
      Willem de Bruijn authored
      [ Upstream commit acdcecc6 ]
      
      UDP reuseport groups can hold a mix unconnected and connected sockets.
      Ensure that connections only receive all traffic to their 4-tuple.
      
      Fast reuseport returns on the first reuseport match on the assumption
      that all matches are equal. Only if connections are present, return to
      the previous behavior of scoring all sockets.
      
      Record if connections are present and if so (1) treat such connected
      sockets as an independent match from the group, (2) only return
      2-tuple matches from reuseport and (3) do not return on the first
      2-tuple reuseport match to allow for a higher scoring match later.
      
      New field has_conns is set without locks. No other fields in the
      bitmap are modified at runtime and the field is only ever set
      unconditionally, so an RMW cannot miss a change.
      
      Fixes: e32ea7e7 ("soreuseport: fast reuseport UDP socket selection")
      Link: http://lkml.kernel.org/r/CA+FuTSfRP09aJNYRt04SS6qj22ViiOEWaWmLAwX0psk8-PGNxw@mail.gmail.comSigned-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarCraig Gallek <kraig@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fdd60d80
    • Xin Long's avatar
      ip6_gre: fix a dst leak in ip6erspan_tunnel_xmit · 97b5f8c9
      Xin Long authored
      [ Upstream commit 28e48603 ]
      
      In ip6erspan_tunnel_xmit(), if the skb will not be sent out, it has to
      be freed on the tx_err path. Otherwise when deleting a netns, it would
      cause dst/dev to leak, and dmesg shows:
      
        unregister_netdevice: waiting for lo to become free. Usage count = 1
      
      Fixes: ef7baf5e ("ip6_gre: add ip6 erspan collect_md mode")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarWilliam Tu <u9012063@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97b5f8c9
    • Yoshihiro Shimoda's avatar
      phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current · 4fb95f29
      Yoshihiro Shimoda authored
      commit e6839c31 upstream.
      
      The hardware manual should be revised, but the initial value of
      VBCTRL.OCCLREN is set to 1 actually. If the bit is set, the hardware
      clears VBCTRL.VBOUT and ADPCTRL.DRVVBUS registers automatically
      when the hardware detects over-current signal from a USB power switch.
      However, since the hardware doesn't have any registers which
      indicates over-current, the driver cannot handle it at all. So, if
      "is_otg_channel" hardware detects over-current, since ADPCTRL.DRVVBUS
      register is cleared automatically, the channel cannot be used after
      that.
      
      To resolve this behavior, this patch sets the VBCTRL.OCCLREN to 0
      to keep ADPCTRL.DRVVBUS even if the "is_otg_channel" hardware
      detects over-current. (We assume a USB power switch itself protects
      over-current and turns the VBUS off.)
      
      This patch is inspired by a BSP patch from Kazuya Mizuguchi.
      
      Fixes: 1114e2d3 ("phy: rcar-gen3-usb2: change the mode to OTG on the combined channel")
      Cc: <stable@vger.kernel.org> # v4.5+
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4fb95f29
    • Sean Young's avatar
      media: tm6000: double free if usb disconnect while streaming · abf389e0
      Sean Young authored
      commit 699bf941 upstream.
      
      The usb_bulk_urb will kfree'd on disconnect, so ensure the pointer is set
      to NULL after each free.
      
      stop stream
      urb killing
      urb buffer free
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start stream request tm6000_start_stream
      tm6000: pipe reset
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: IR URB failure: status: -71, length 0
      xhci_hcd 0000:00:14.0: ERROR unknown event type 37
      xhci_hcd 0000:00:14.0: ERROR unknown event type 37
      tm6000:  error tm6000_urb_received
      usb 1-2: USB disconnect, device number 5
      tm6000: disconnecting tm6000 #0
      ==================================================================
      BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb]
      Read of size 8 at addr ffff888241044060 by task kworker/2:0/22
      
      CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G        W         5.3.0-rc4+ #1
      Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       dump_stack+0x9a/0xf0
       print_address_description.cold+0xae/0x34f
       __kasan_report.cold+0x75/0x93
       ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa]
       ? dvb_fini+0x75/0x140 [tm6000_dvb]
       kasan_report+0xe/0x12
       dvb_fini+0x75/0x140 [tm6000_dvb]
       tm6000_close_extension+0x51/0x80 [tm6000]
       tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000]
       usb_unbind_interface+0xe4/0x390
       device_release_driver_internal+0x121/0x250
       bus_remove_device+0x197/0x260
       device_del+0x268/0x550
       ? __device_links_no_driver+0xd0/0xd0
       ? usb_remove_ep_devs+0x30/0x3b
       usb_disable_device+0x122/0x400
       usb_disconnect+0x153/0x430
       hub_event+0x800/0x1e40
       ? trace_hardirqs_on_thunk+0x1a/0x20
       ? hub_port_debounce+0x1f0/0x1f0
       ? retint_kernel+0x10/0x10
       ? lock_is_held_type+0xf1/0x130
       ? hub_port_debounce+0x1f0/0x1f0
       ? process_one_work+0x4ae/0xa00
       process_one_work+0x4ba/0xa00
       ? pwq_dec_nr_in_flight+0x160/0x160
       ? do_raw_spin_lock+0x10a/0x1d0
       worker_thread+0x7a/0x5c0
       ? process_one_work+0xa00/0xa00
       kthread+0x1d5/0x200
       ? kthread_create_worker_on_cpu+0xd0/0xd0
       ret_from_fork+0x3a/0x50
      
      Allocated by task 2682:
       save_stack+0x1b/0x80
       __kasan_kmalloc.constprop.0+0xc2/0xd0
       usb_alloc_urb+0x28/0x60
       tm6000_start_feed+0x10a/0x300 [tm6000_dvb]
       dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core]
       dvb_dmxdev_start_feed+0x121/0x180 [dvb_core]
       dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core]
       dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core]
       dvb_usercopy+0x97/0x1f0 [dvb_core]
       dvb_demux_ioctl+0x11/0x20 [dvb_core]
       do_vfs_ioctl+0x5d8/0x9d0
       ksys_ioctl+0x5e/0x90
       __x64_sys_ioctl+0x3d/0x50
       do_syscall_64+0x74/0xe0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 22:
       save_stack+0x1b/0x80
       __kasan_slab_free+0x12c/0x170
       kfree+0xfd/0x3a0
       xhci_giveback_urb_in_irq+0xfe/0x230
       xhci_td_cleanup+0x276/0x340
       xhci_irq+0x1129/0x3720
       __handle_irq_event_percpu+0x6e/0x420
       handle_irq_event_percpu+0x6f/0x100
       handle_irq_event+0x55/0x84
       handle_edge_irq+0x108/0x3b0
       handle_irq+0x2e/0x40
       do_IRQ+0x83/0x1a0
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      abf389e0
    • Alan Stern's avatar
      USB: usbcore: Fix slab-out-of-bounds bug during device reset · 77d4e2a0
      Alan Stern authored
      commit 3dd550a2 upstream.
      
      The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:
      
      BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
      Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746
      
      CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x6a/0x32c mm/kasan/report.c:351
        __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
        kasan_report+0xe/0x12 mm/kasan/common.c:612
        memcmp+0xa6/0xb0 lib/string.c:904
        memcmp include/linux/string.h:400 [inline]
        descriptors_changed drivers/usb/core/hub.c:5579 [inline]
        usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729
        usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
        rt2x00usb_probe+0x53/0x7af
      drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806
      
      The error occurs when the descriptors_changed() routine (called during
      a device reset) attempts to compare the old and new BOS and capability
      descriptors.  The length it uses for the comparison is the
      wTotalLength value stored in BOS descriptor, but this value is not
      necessarily the same as the length actually allocated for the
      descriptors.  If it is larger the routine will call memcmp() with a
      length that is too big, thus reading beyond the end of the allocated
      region and leading to this fault.
      
      The kernel reads the BOS descriptor twice: first to get the total
      length of all the capability descriptors, and second to read it along
      with all those other descriptors.  A malicious (or very faulty) device
      may send different values for the BOS descriptor fields each time.
      The memory area will be allocated using the wTotalLength value read
      the first time, but stored within it will be the value read the second
      time.
      
      To prevent this possibility from causing any errors, this patch
      modifies the BOS descriptor after it has been read the second time:
      It sets the wTotalLength field to the actual length of the descriptors
      that were read in and validated.  Then the memcpy() call, or any other
      code using these descriptors, will be able to rely on wTotalLength
      being valid.
      
      Reported-and-tested-by: syzbot+35f4d916c623118d576e@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      CC: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1909041154260.1722-100000@iolanthe.rowland.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      77d4e2a0
    • Aneesh Kumar K.V's avatar
      powerpc/mm/radix: Use the right page size for vmemmap mapping · b01b1eb2
      Aneesh Kumar K.V authored
      commit 89a3496e upstream.
      
      We use mmu_vmemmap_psize to find the page size for mapping the vmmemap area.
      With radix translation, we are suboptimally setting this value to PAGE_SIZE.
      
      We do check for 2M page size support and update mmu_vmemap_psize to use
      hugepage size but we suboptimally reset the value to PAGE_SIZE in
      radix__early_init_mmu(). This resulted in always mapping vmemmap area with
      64K page size.
      
      Fixes: 2bfd65e4 ("powerpc/mm/radix: Add radix callbacks for early init routines")
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b01b1eb2
    • Benjamin Tissoires's avatar
      Input: elan_i2c - remove Lenovo Legion Y7000 PnpID · 289f3c82
      Benjamin Tissoires authored
      commit 0c043d70 upstream.
      
      Looks like the Bios of the Lenovo Legion Y7000 is using ELAN061B
      when the actual device is supposed to be used with hid-multitouch.
      
      Remove it from the list of the supported device, hoping that
      no one will complain about the loss in functionality.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=203467
      Fixes: 738c06d0 ("Input: elan_i2c - add hardware ID for multiple Lenovo laptops")
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      289f3c82
    • Leon Romanovsky's avatar
      RDMA/restrack: Release task struct which was hold by CM_ID object · 305c3b49
      Leon Romanovsky authored
      commit ed7a01fd upstream.
      
      Tracking CM_ID resource is performed in two stages: creation of cm_id
      and connecting it to the cma_dev. It is needed because rdma-cm protocol
      exports two separate user-visible calls rdma_create_id and rdma_accept.
      
      At the time of CM_ID creation, the real owner of that object is unknown
      yet and we need to grab task_struct. This task_struct is released or
      reassigned in attach phase later on. but call to rdma_destroy_id left
      this task_struct unreleased.
      
      Such separation is unique to CM_ID and other restrack objects initialize
      in one shot. It means that it is safe to use "res->valid" check to catch
      unfinished CM_ID flow and release task_struct for that object.
      
      Fixes: 00313983 ("RDMA/nldev: provide detailed CM_ID information")
      Reported-by: default avatarArtemy Kovalyov <artemyko@mellanox.com>
      Reviewed-by: default avatarArtemy Kovalyov <artemyko@mellanox.com>
      Reviewed-by: default avatarYossi Itigin <yosefe@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarSteve Wise <swise@opengridcomputing.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Cc: Håkon Bugge <haakon.bugge@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      305c3b49
    • Aaron Armstrong Skomra's avatar
      HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report · 8993c673
      Aaron Armstrong Skomra authored
      commit 184eccd4 upstream.
      
      In the generic code path, HID_DG_CONTACTMAX was previously
      only read from the second byte of report 0x23.
      
      Another report (0x82) has the HID_DG_CONTACTMAX in the
      higher nibble of the third byte. We should support reading the
      value of HID_DG_CONTACTMAX no matter what report we are reading
      or which position that value is in.
      
      To do this we submit the feature report as a event report
      using hid_report_raw_event(). Our modified finger event path
      records the value of HID_DG_CONTACTMAX when it sees that usage.
      
      Fixes: 8ffffd52 ("HID: wacom: fix timeout on probe for some wacoms")
      Signed-off-by: default avatarAaron Armstrong Skomra <aaron.skomra@wacom.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8993c673
    • Pablo Neira Ayuso's avatar
      netfilter: nf_flow_table: set default timeout after successful insertion · 2a0aa8a0
      Pablo Neira Ayuso authored
      commit 110e4872 upstream.
      
      Set up the default timeout for this new entry otherwise the garbage
      collector might quickly remove it right after the flowtable insertion.
      
      Fixes: ac2a6666 ("netfilter: add generic flow table infrastructure")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a0aa8a0
  2. 19 Sep, 2019 27 commits