1. 29 Mar, 2017 10 commits
  2. 28 Mar, 2017 1 commit
    • net: ipconfig: fix ic_close_devs() use-after-free · ffefb6f4
      Mark Rutland authored
      Our chosen ic_dev may be anywhere in our list of ic_devs, and we may
      free it before attempting to close others. When we compare d->dev and
      ic_dev->dev, we're potentially dereferencing memory returned to the
      allocator. This causes KASAN to scream for each subsequent ic_dev we
      check.
      
      As there's a 1-1 mapping between ic_devs and netdevs, we can instead
      compare d and ic_dev directly, which implicitly handles the !ic_dev
      case, and avoids the use-after-free. The ic_dev pointer may be stale,
      but we will not dereference it.
      
      Original splat:
      
      [    6.487446] ==================================================================
      [    6.494693] BUG: KASAN: use-after-free in ic_close_devs+0xc4/0x154 at addr ffff800367efa708
      [    6.503013] Read of size 8 by task swapper/0/1
      [    6.507452] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 4.11.0-rc3-00002-gda42158 #8
      [    6.514993] Hardware name: AppliedMicro Mustang/Mustang, BIOS 3.05.05-beta_rc Jan 27 2016
      [    6.523138] Call trace:
      [    6.525590] [<ffff200008094778>] dump_backtrace+0x0/0x570
      [    6.530976] [<ffff200008094d08>] show_stack+0x20/0x30
      [    6.536017] [<ffff200008bee928>] dump_stack+0x120/0x188
      [    6.541231] [<ffff20000856d5e4>] kasan_object_err+0x24/0xa0
      [    6.546790] [<ffff20000856d924>] kasan_report_error+0x244/0x738
      [    6.552695] [<ffff20000856dfec>] __asan_report_load8_noabort+0x54/0x80
      [    6.559204] [<ffff20000aae86ac>] ic_close_devs+0xc4/0x154
      [    6.564590] [<ffff20000aaedbac>] ip_auto_config+0x2ed4/0x2f1c
      [    6.570321] [<ffff200008084b04>] do_one_initcall+0xcc/0x370
      [    6.575882] [<ffff20000aa31de8>] kernel_init_freeable+0x5f8/0x6c4
      [    6.581959] [<ffff20000a16df00>] kernel_init+0x18/0x190
      [    6.587171] [<ffff200008084710>] ret_from_fork+0x10/0x40
      [    6.592468] Object at ffff800367efa700, in cache kmalloc-128 size: 128
      [    6.598969] Allocated:
      [    6.601324] PID = 1
      [    6.603427]  save_stack_trace_tsk+0x0/0x418
      [    6.607603]  save_stack_trace+0x20/0x30
      [    6.611430]  kasan_kmalloc+0xd8/0x188
      [    6.615087]  ip_auto_config+0x8c4/0x2f1c
      [    6.619002]  do_one_initcall+0xcc/0x370
      [    6.622832]  kernel_init_freeable+0x5f8/0x6c4
      [    6.627178]  kernel_init+0x18/0x190
      [    6.630660]  ret_from_fork+0x10/0x40
      [    6.634223] Freed:
      [    6.636233] PID = 1
      [    6.638334]  save_stack_trace_tsk+0x0/0x418
      [    6.642510]  save_stack_trace+0x20/0x30
      [    6.646337]  kasan_slab_free+0x88/0x178
      [    6.650167]  kfree+0xb8/0x478
      [    6.653131]  ic_close_devs+0x130/0x154
      [    6.656875]  ip_auto_config+0x2ed4/0x2f1c
      [    6.660875]  do_one_initcall+0xcc/0x370
      [    6.664705]  kernel_init_freeable+0x5f8/0x6c4
      [    6.669051]  kernel_init+0x18/0x190
      [    6.672534]  ret_from_fork+0x10/0x40
      [    6.676098] Memory state around the buggy address:
      [    6.680880]  ffff800367efa600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [    6.688078]  ffff800367efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [    6.695276] >ffff800367efa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    6.702469]                       ^
      [    6.705952]  ffff800367efa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [    6.713149]  ffff800367efa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    6.720343] ==================================================================
      [    6.727536] Disabling lock debugging due to kernel taint
      Signed-off-by: Mark Rutland <mark.rutland@arm.com>
      Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
      Cc: James Morris <jmorris@namei.org>
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: netdev@vger.kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
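The comparison change described in the ipconfig commit above, shown as an added userspace model that is not the kernel's code or part of the commit. Nodes are only marked as freed so that stale reads can be counted; `read_dev`, `model_free`, `run` and the `fixed` flag are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel source. Nodes are never really released:
 * model_free() only marks them, so stale reads can be counted safely. */
struct netdev { bool up; };
struct ic_device { struct ic_device *next; struct netdev *dev; bool freed; };
static int stale_reads; /* reads of nodes already handed back to the allocator */
static void model_free(struct ic_device *d) { d->freed = true; }

static struct netdev *read_dev(struct ic_device *d)
{
    stale_reads += d->freed; /* the access KASAN flags as use-after-free */
    return d->dev;
}

/* fixed=false: old check, dereferences ic_dev on every iteration.
 * fixed=true:  pointer identity only, which also covers ic_dev == NULL. */
static void close_devs(struct ic_device *d, struct ic_device *ic_dev, bool fixed)
{
    for (struct ic_device *next; d; model_free(d), d = next) {
        next = d->next;
        bool is_chosen = fixed ? d == ic_dev
                               : ic_dev && d->dev == read_dev(ic_dev);
        if (!is_chosen)
            d->dev->up = false; /* close every device except the chosen one */
    }
}

/* Three-entry list, chosen device at index `chosen`; returns the stale-read count. */
int run(bool fixed, int chosen, int *still_up)
{
    struct netdev nd[3] = { { true }, { true }, { true } };
    struct ic_device devs[3];
    for (int i = 0; i < 3; i++)
        devs[i] = (struct ic_device){ i < 2 ? &devs[i + 1] : NULL, &nd[i], false };
    stale_reads = 0;
    close_devs(&devs[0], &devs[chosen], fixed);
    *still_up = nd[0].up + nd[1].up + nd[2].up;
    return stale_reads;
}

int main(void)
{
    for (int c = 0, up; c < 3; c++)
        printf("chosen=%d old=%d new=%d\n", c, run(false, c, &up), run(true, c, &up));
    return 0;
}
```

With the old check, the stale-read count equals the number of list entries that follow the chosen one, which matches the commit's note that KASAN reports once per subsequent ic_dev.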
  3. 27 Mar, 2017 1 commit
  4. 26 Mar, 2017 3 commits
    • irda: vlsi_ir: fix check for DMA mapping errors · 6ac3b77a
      Alexey Khoroshilov authored
      vlsi_alloc_ring() checks for DMA mapping errors by comparing
      returned address with zero, while pci_dma_mapping_error() should be used.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: hns: avoid gcc-7.0.1 warning for uninitialized data · 834a61d4
      Arnd Bergmann authored
      hns_dsaf_set_mac_key() calls dsaf_set_field() on an uninitialized field,
      which will then change only a few of its bits, causing a warning with
      the latest gcc:
      
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_set_mac_uc_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
         (origin) &= (~(mask)); \
                  ^~
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_set_mac_mc_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_add_mac_mc_port':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_del_mac_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_rm_mac_addr':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_del_mac_mc_port':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_mac_uc_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_mac_mc_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      The code is actually correct since we always set all 16 bits of the
      port_vlan field, but gcc correctly points out that the first
      access does contain uninitialized data.
      
      This initializes the field to zero first before setting the
      individual bits.
      
      Fixes: 5483bfcb ("net: hns: modify tcam table and set mac key")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: hns: fix uninitialized data use · a17f1861
      Arnd Bergmann authored
      When dev_dbg() is enabled, we print uninitialized data, as gcc-7.0.1
      now points out:
      
      ethernet/hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_set_promisc_tcam':
      ethernet/hisilicon/hns/hns_dsaf_main.c:2947:75: error: 'tbl_tcam_data.low.val' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      ethernet/hisilicon/hns/hns_dsaf_main.c:2947:75: error: 'tbl_tcam_data.high.val' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      We also pass the data into hns_dsaf_tcam_mc_cfg(), which might later
      use it (not sure about that), so it seems safer to just always initialize
      the tbl_tcam_data structure.
      
      Fixes: 1f5fa2dd ("net: hns: fix for promisc mode in HNS driver")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 25 Mar, 2017 4 commits
  6. 24 Mar, 2017 18 commits
  7. 23 Mar, 2017 3 commits
    • Merge tag 'sound-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · d038e3dc
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This contains the collection of small fixes for 4.11 that were pending
        during my vacation:
      
         - a few HD-audio quirks (more Dell headset support, docking station
           support on HP laptops)
      
         - a regression fix for the previous ctxfi DMA mask fix
      
         - a correction of the new CONFIG_SND_X86 menu entry
      
         - a fix for the races in ALSA sequencer core spotted by syzkaller"
      
      * tag 'sound-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Adding a group of pin definition to fix headset problem
        ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
        ALSA: x86: Make CONFIG_SND_X86 bool
        ALSA: hda - add support for docking station for HP 840 G3
        ALSA: hda - add support for docking station for HP 820 G2
        ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
    • Merge branch 'for-linus-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 131fbf4f
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "Zygo tracked down a very old bug with inline compressed extents.
      
        I didn't tag this one for stable because I want to do individual
        tested backports. It's a little tricky and I'd rather do some extra
        testing on it along the way"
      
      * 'for-linus-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        btrfs: add missing memset while reading compressed inline extents
        Btrfs: fix regression in lock_delalloc_pages
        btrfs: remove btrfs_err_str function from uapi/linux/btrfs.h
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f341d9f0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Several netfilter fixes from Pablo and the crew:
            - Handle fragmented packets properly in netfilter conntrack, from
              Florian Westphal.
            - Fix SCTP ICMP packet handling, from Ying Xue.
            - Fix big-endian bug in nftables, from Liping Zhang.
            - Fix alignment of fake conntrack entry, from Steven Rostedt.
      
       2) Fix feature flags setting in fjes driver, from Taku Izumi.
      
       3) Openvswitch ipv6 tunnel source address not set properly, from Or
          Gerlitz.
      
       4) Fix jumbo MTU handling in amd-xgbe driver, from Thomas Lendacky.
      
       5) sk->sk_frag.page not released properly in some cases, from Eric
          Dumazet.
      
       6) Fix RTNL deadlocks in nl80211, from Johannes Berg.
      
       7) Fix erroneous RTNL lockdep splat in crypto, from Herbert Xu.
      
       8) Cure improper inflight handling during AF_UNIX GC, from Andrey
          Ulanov.
      
       9) sch_dsmark doesn't write to packet headers properly, from Eric
          Dumazet.
      
      10) Fix SCM_TIMESTAMPING_OPT_STATS handling in TCP, from Soheil Hassas
          Yeganeh.
      
      11) Add some IDs for Motorola qmi_wwan chips, from Tony Lindgren.
      
      12) Fix nametbl deadlock in tipc, from Ying Xue.
      
      13) GRO and LRO packets not counted correctly in mlx5 driver, from Gal
          Pressman.
      
      14) Fix reset of internal PHYs in bcmgenet, from Doug Berger.
      
      15) Fix hashmap allocation handling, from Alexei Starovoitov.
      
      16) nl_fib_input() needs stronger netlink message length checking, from
          Eric Dumazet.
      
      17) Fix double-free of sk->sk_filter during sock clone, from Daniel
          Borkmann.
      
      18) Fix RX checksum offloading in aquantia driver, from Pavel Belous.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (85 commits)
        net:ethernet:aquantia: Fix for RX checksum offload.
        amd-xgbe: Fix the ECC-related bit position definitions
        sfc: cleanup a condition in efx_udp_tunnel_del()
        Bluetooth: btqcomsmd: fix compile-test dependency
        inet: frag: release spinlock before calling icmp_send()
        tcp: initialize icsk_ack.lrcvtime at session start time
        genetlink: fix counting regression on ctrl_dumpfamily()
        socket, bpf: fix sk_filter use after free in sk_clone_lock
        ipv4: provide stronger user input validation in nl_fib_input()
        bpf: fix hashmap extra_elems logic
        enic: update enic maintainers
        net: bcmgenet: remove bcmgenet_internal_phy_setup()
        ipv6: make sure to initialize sockc.tsflags before first use
        fjes: Do not load fjes driver if extended socket device is not power on.
        fjes: Do not load fjes driver if system does not have extended socket device.
        net/mlx5e: Count LRO packets correctly
        net/mlx5e: Count GSO packets correctly
        net/mlx5: Increase number of max QPs in default profile
        net/mlx5e: Avoid supporting udp tunnel port ndo for VF reps
        net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
        ...