- 20 Feb, 2019 23 commits
-
-
Daniel Axtens authored
commit 8914a595 upstream If a bnx2x card is passed a GSO packet with a gso_size larger than ~9700 bytes, it will cause a firmware error that will bring the card down: bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert! bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2 bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052 bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1 ... (dump of values continues) ... Detect when the mac length of a GSO packet is greater than the maximum packet size (9700 bytes) and disable GSO. Signed-off-by:
Daniel Axtens <dja@axtens.net> Reviewed-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> [jwang: cherry pick for CVE-2018-1000026] Signed-off-by:
Jack Wang <jinpu.wang@cloud.ionos.com> Signed-off-by:
Sasha Levin <sashal@kernel.org>
-
Daniel Axtens authored
commit 2b16f048 upstream If you take a GSO skb, and split it into packets, will the MAC length (L2 + L3 + L4 headers + payload) of those packets be small enough to fit within a given length? Move skb_gso_mac_seglen() to skbuff.h with other related functions like skb_gso_network_seglen() so we can use it, and then create skb_gso_validate_mac_len to do the full calculation. Signed-off-by:
-
Russell King authored
Commit d6951f58 upstream. The intention in the previous patch was to only place the processor tables in the .rodata section if big.Little was being built and we wanted the branch target hardening, but instead (due to the way it was tested) it ended up always placing the tables into the .rodata section. Although harmless, let's correct this anyway. Fixes: 3a4d0c21 ("ARM: ensure that processor vtables is not lost after boot") Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Tested-by:
-
Russell King authored
Commit 3a4d0c21 upstream. Marek Szyprowski reported problems with CPU hotplug in current kernels. This was tracked down to the processor vtables being located in an init section, and therefore discarded after kernel boot, despite being required after boot to properly initialise the non-boot CPUs. Arrange for these tables to end up in .rodata when required. Reported-by:
Marek Szyprowski <m.szyprowski@samsung.com> Tested-by:
Krzysztof Kozlowski <krzk@kernel.org> Fixes: 383fb3ee ("ARM: spectre-v2: per-CPU vtables to work around big.Little systems") Signed-off-by:
-
Russell King authored
Commit 383fb3ee upstream. In big.Little systems, some CPUs require the Spectre workarounds in paths such as the context switch, but other CPUs do not. In order to handle these differences, we need per-CPU vtables. We are unable to use the kernel's per-CPU variables to support this as per-CPU is not initialised at times when we need access to the vtables, so we have to use an array indexed by logical CPU number. We use an array-of-pointers to avoid having function pointers in the kernel's read/write .data section. Reviewed-by:
-
Russell King authored
Commit e209950f upstream. Allow the way we access members of the processor vtable to be changed at compile time. We will need to move to per-CPU vtables to fix the Spectre variant 2 issues on big.Little systems. However, we have a couple of calls that do not need the vtable treatment, and indeed cause a kernel warning due to the (later) use of smp_processor_id(), so also introduce the PROC_TABLE macro for these which always use CPU 0's function pointers. Reviewed-by:
-
Russell King authored
Commit 945aceb1 upstream. Call the per-processor type check_bugs() method in the same way as we do other per-processor functions - move the "processor." detail into proc-fns.h. Reviewed-by:
-
Russell King authored
Commit 65987a85 upstream. Split out the lookup of the processor type and associated error handling from the rest of setup_processor() - we will need to use this in the secondary CPU bringup path for big.Little Spectre variant 2 mitigation. Reviewed-by:
-
Russell King authored
Commit 899a42f8 upstream. Move lookup_processor_type() out of the __init section so it is callable from (eg) the secondary startup code during hotplug. Reviewed-by:
-
Julien Thierry authored
Commit 5df7a99b upstream. In vfp_preserve_user_clear_hwstate, ufp_exc->fpinst2 gets assigned to itself. It should actually be hwstate->fpinst2 that gets assigned to the ufp_exc field. Fixes commit 3aa2df6e ("ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state"). Reported-by:
David Binderman <dcb314@hotmail.com> Signed-off-by:
-
Julien Thierry authored
Commit a1d09e07 upstream. Sanitize user pointer given to __copy_to_user, both for standard version and memcopy version of the user accessor. Signed-off-by:
-
Julien Thierry authored
Commit afaf6838 upstream. Introduce C and asm helpers to sanitize user address, taking the address range they target into account. Use asm helper for existing sanitization in __copy_from_user(). Signed-off-by:
-
Julien Thierry authored
Commit e3aa6243 upstream. When Spectre mitigation is required, __put_user() needs to include check_uaccess. This is already the case for put_user(), so just make __put_user() an alias of put_user(). Signed-off-by:
-
Julien Thierry authored
Commit 621afc67 upstream. A mispredicted conditional call to set_fs could result in the wrong addr_limit being forwarded under speculation to a subsequent access_ok check, potentially forming part of a spectre-v1 attack using uaccess routines. This patch prevents this forwarding from taking place, but putting heavy barriers in set_fs after writing the addr_limit. Porting commit c2f0ad4f ("arm64: uaccess: Prevent speculative use of the current addr_limit"). Signed-off-by:
-
Julien Thierry authored
Commit 18ea66bd upstream. With Spectre-v1.1 mitigations, __put_user_error is pointless. In an attempt to remove it, replace its references in frame setups with __put_user. Signed-off-by:
-
Julien Thierry authored
Commit 31950890 upstream. Copy events to user using __copy_to_user() rather than copy members of individually with __put_user_error(). This has the benefit of disabling/enabling PAN once per event intead of once per event member. Signed-off-by:
-
Julien Thierry authored
Commit 3aa2df6e upstream. Use __copy_to_user() rather than __put_user_error() for individual members when saving VFP state. This has the benefit of disabling/enabling PAN once per copied struct intead of once per write. Signed-off-by:
-
Julien Thierry authored
Commit 73839798 upstream. When setting a dummy iwmmxt context, create a local instance and use __copy_to_user both cases whether iwmmxt is being used or not. This has the benefit of disabling/enabling PAN once for the whole copy intead of once per write. Signed-off-by:
-
Julien Thierry authored
Commit 5ca451cf upstream. When saving the ARM integer registers, use __copy_to_user() to copy them into user signal frame, rather than __put_user_error(). This has the benefit of disabling/enabling PAN once for the whole copy intead of once per write. Signed-off-by:
-
Hauke Mehrtens authored
commit 6926e041 upstream. Musl provides its own ethhdr struct definition. Add a guard to prevent its definition of the appropriate musl header has already been included. glibc does not implement this header, but when glibc will implement this they can just define __UAPI_DEF_ETHHDR 0 to make it work with the kernel. Signed-off-by:
Hauke Mehrtens <hauke@hauke-m.de> Signed-off-by:
Linus Walleij <linus.walleij@linaro.org> Signed-off-by:
-
Jianchao Wang authored
[ Upstream commit 85bd6e61 ] Florian reported a io hung issue when fsync(). It should be triggered by following race condition. data + post flush a flush blk_flush_complete_seq case REQ_FSEQ_DATA blk_flush_queue_rq issued to driver blk_mq_dispatch_rq_list try to issue a flush req failed due to NON-NCQ command .queue_rq return BLK_STS_DEV_RESOURCE request completion req->end_io // doesn't check RESTART mq_flush_data_end_io case REQ_FSEQ_POSTFLUSH blk_kick_flush do nothing because previous flush has not been completed blk_mq_run_hw_queue insert rq to hctx->dispatch due to RESTART is still set, do nothing To fix this, replace the blk_mq_run_hw_queue in mq_flush_data_end_io with blk_mq_sched_restart to check and clear the RESTART flag. Fixes: bd166ef1 (blk-mq-sched: add framework for MQ capable IO schedulers) Reported-by:
Florian Stecker <m19@florianstecker.de> Tested-by:
Jianchao Wang <jianchao.w.wang@oracle.com> Signed-off-by:
Jens Axboe <axboe@kernel.dk> Signed-off-by:
-
Adrian Bunk authored
commit 37cf28d3 upstream. Works with ST M24M02. Signed-off-by:
Adrian Bunk <bunk@kernel.org> Signed-off-by:
Bartosz Golaszewski <brgl@bgdev.pl> Signed-off-by:
-
Adrian Bunk authored
commit 6c0c5dc3 upstream. Add new compatible to the device tree bindings. Signed-off-by:
Rob Herring <robh@kernel.org> Signed-off-by:
-
- 15 Feb, 2019 17 commits
-
-
Greg Kroah-Hartman authored
-
Linus Torvalds authored
commit cb5b020a upstream. This reverts commit 8099b047. It turns out that people do actually depend on the shebang string being truncated, and on the fact that an interpreter (like perl) will often just re-interpret it entirely to get the full argument list. Reported-by:
Samuel Dionne-Riel <samuel@dionne-riel.com> Acked-by:
Kees Cook <keescook@chromium.org> Cc: Oleg Nesterov <oleg@redhat.com> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Greg Kroah-Hartman authored
-
Xiubo Li authored
commit 3d27c4de upstream. Since mutex lock in irq hanler is useless currently, here will remove it together with it. This reverts commit 9421e45f. Reported-by: james.r.harris@intel.com CC: Ahsan Atta <ahsan.atta@intel.com> Signed-off-by:
Xiubo Li <xiubli@redhat.com> Signed-off-by:
Tommi Rantala <tommi.t.rantala@nokia.com> Signed-off-by:
-
Xiubo Li authored
commit b34e9a15 upstream. The call trace: XXX/1910 is trying to acquire lock: (&mm->mmap_sem){++++++}, at: [<ffffffff97008c87>] might_fault+0x57/0xb0 but task is already holding lock: (&idev->info_lock){+.+...}, at: [<ffffffffc0638a06>] uio_write+0x46/0x130 [uio] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&idev->info_lock){+.+...}: [<ffffffff96f31fc9>] lock_acquire+0x99/0x1e0 [<ffffffff975edad3>] mutex_lock_nested+0x93/0x410 [<ffffffffc063873d>] uio_mmap+0x2d/0x170 [uio] [<ffffffff97016b58>] mmap_region+0x428/0x650 [<ffffffff97017138>] do_mmap+0x3b8/0x4e0 [<ffffffff96ffaba3>] vm_mmap_pgoff+0xd3/0x120 [<ffffffff97015261>] SyS_mmap_pgoff+0x1f1/0x270 [<ffffffff96e387c2>] SyS_mmap+0x22/0x30 [<ffffffff975ff315>] system_call_fastpath+0x1c/0x21 -> #0 (&mm->mmap_sem){++++++}: [<ffffffff96f30e9c>] __lock_acquire+0xdac/0x15f0 [<ffffffff96f31fc9>] lock_acquire+0x99/0x1e0 [<ffffffff97008cb4>] might_fault+0x84/0xb0 [<ffffffffc0638a74>] uio_write+0xb4/0x130 [uio] [<ffffffff9706ffa3>] vfs_write+0xc3/0x1f0 [<ffffffff97070e2a>] SyS_write+0x8a/0x100 [<ffffffff975ff315>] system_call_fastpath+0x1c/0x21 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&idev->info_lock); lock(&mm->mmap_sem); lock(&idev->info_lock); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by XXX/1910: #0: (&idev->info_lock){+.+...}, at: [<ffffffffc0638a06>] uio_write+0x46/0x130 [uio] stack backtrace: CPU: 0 PID: 1910 Comm: XXX Kdump: loaded Not tainted #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 Call Trace: [<ffffffff975e9211>] dump_stack+0x19/0x1b [<ffffffff975e260a>] print_circular_bug+0x1f9/0x207 [<ffffffff96f2f6a7>] check_prevs_add+0x957/0x960 [<ffffffff96f30e9c>] __lock_acquire+0xdac/0x15f0 [<ffffffff96f2fb19>] ? mark_held_locks+0xb9/0x140 [<ffffffff96f31fc9>] lock_acquire+0x99/0x1e0 [<ffffffff97008c87>] ? might_fault+0x57/0xb0 [<ffffffff97008cb4>] might_fault+0x84/0xb0 [<ffffffff97008c87>] ? might_fault+0x57/0xb0 [<ffffffffc0638a74>] uio_write+0xb4/0x130 [uio] [<ffffffff9706ffa3>] vfs_write+0xc3/0x1f0 [<ffffffff9709349c>] ? fget_light+0xfc/0x510 [<ffffffff97070e2a>] SyS_write+0x8a/0x100 [<ffffffff975ff315>] system_call_fastpath+0x1c/0x21 Signed-off-by:
-
Hailong Liu authored
commit e7de2590 upstream. uio_mmap has multiple fail paths to set return value to nonzero then goto out. However, it always returns *0* from the *out* at end, and this will mislead callers who check the return value of this function. Fixes: 57c5f4df ("uio: fix crash after the device is unregistered") CC: Xiubo Li <xiubli@redhat.com> Signed-off-by:
Hailong Liu <liu.hailong6@zte.com.cn> Cc: stable <stable@vger.kernel.org> Signed-off-by:
Jiang Biao <jiang.biao2@zte.com.cn> Signed-off-by:
-
Xiubo Li authored
commit 57c5f4df upstream. For the target_core_user use case, after the device is unregistered it maybe still opened in user space, then the kernel will crash, like: [ 251.163692] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 [ 251.163820] IP: [<ffffffffc0736213>] show_name+0x23/0x40 [uio] [ 251.163965] PGD 8000000062694067 PUD 62696067 PMD 0 [ 251.164097] Oops: 0000 [#1] SMP ... [ 251.165605] e1000 mptscsih mptbase drm_panel_orientation_quirks dm_mirror dm_region_hash dm_log dm_mod [ 251.166014] CPU: 0 PID: 13380 Comm: tcmu-runner Kdump: loaded Not tainted 3.10.0-916.el7.test.x86_64 #1 [ 251.166381] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 [ 251.166747] task: ffff971eb91db0c0 ti: ffff971e9e384000 task.ti: ffff971e9e384000 [ 251.167137] RIP: 0010:[<ffffffffc0736213>] [<ffffffffc0736213>] show_name+0x23/0x40 [uio] [ 251.167563] RSP: 0018:ffff971e9e387dc8 EFLAGS: 00010282 [ 251.167978] RAX: 0000000000000000 RBX: ffff971e9e3f8000 RCX: ffff971eb8368d98 [ 251.168408] RDX: ffff971e9e3f8000 RSI: ffffffffc0738084 RDI: ffff971e9e3f8000 [ 251.168856] RBP: ffff971e9e387dd0 R08: ffff971eb8bc0018 R09: 0000000000000000 [ 251.169296] R10: 0000000000001000 R11: ffffffffa09d444d R12: ffffffffa1076e80 [ 251.169750] R13: ffff971e9e387f18 R14: 0000000000000001 R15: ffff971e9cfb1c80 [ 251.170213] FS: 00007ff37d175880(0000) GS:ffff971ebb600000(0000) knlGS:0000000000000000 [ 251.170693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 251.171248] CR2: 0000000000000008 CR3: 00000000001f6000 CR4: 00000000003607f0 [ 251.172071] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 251.172640] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 251.173236] Call Trace: [ 251.173789] [<ffffffffa0c9b2d3>] dev_attr_show+0x23/0x60 [ 251.174356] [<ffffffffa0f561b2>] ? mutex_lock+0x12/0x2f [ 251.174892] [<ffffffffa0ac6d9f>] sysfs_kf_seq_show+0xcf/0x1f0 [ 251.175433] [<ffffffffa0ac54e6>] kernfs_seq_show+0x26/0x30 [ 251.175981] [<ffffffffa0a63be0>] seq_read+0x110/0x3f0 [ 251.176609] [<ffffffffa0ac5d45>] kernfs_fop_read+0xf5/0x160 [ 251.177158] [<ffffffffa0a3d3af>] vfs_read+0x9f/0x170 [ 251.177707] [<ffffffffa0a3e27f>] SyS_read+0x7f/0xf0 [ 251.178268] [<ffffffffa0f648af>] system_call_fastpath+0x1c/0x21 [ 251.178823] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 53 48 89 d3 e8 7e 96 56 e0 48 8b 80 d8 02 00 00 48 89 df 48 c7 c6 84 80 73 c0 <48> 8b 50 08 31 c0 e8 e2 67 44 e0 5b 48 98 5d c3 0f 1f 00 66 2e [ 251.180115] RIP [<ffffffffc0736213>] show_name+0x23/0x40 [uio] [ 251.180820] RSP <ffff971e9e387dc8> [ 251.181473] CR2: 0000000000000008 CC: Hamish Martin <hamish.martin@alliedtelesis.co.nz> CC: Mike Christie <mchristi@redhat.com> Reviewed-by:
Hamish Martin <hamish.martin@alliedtelesis.co.nz> Signed-off-by:
-
Xiubo Li authored
commit 543af586 upstream. We are hitting a regression with the following commit: commit a93e7b33 Author: Hamish Martin <hamish.martin@alliedtelesis.co.nz> Date: Mon May 14 13:32:23 2018 +1200 uio: Prevent device destruction while fds are open The problem is the addition of spin_lock_irqsave in uio_write. This leads to hitting uio_write -> copy_from_user -> _copy_from_user -> might_fault and the logs filling up with sleeping warnings. I also noticed some uio drivers allocate memory, sleep, grab mutexes from callouts like open() and release and uio is now doing spin_lock_irqsave while calling them. Reported-by:
Mike Christie <mchristi@redhat.com> CC: Hamish Martin <hamish.martin@alliedtelesis.co.nz> Reviewed-by:
-
Xiubo Li authored
commit 9421e45f upstream. Prepraing for changing to use mutex lock. Signed-off-by:
-
Hamish Martin authored
commit a93e7b33 upstream. Prevent destruction of a uio_device while user space apps hold open file descriptors to that device. Further, access to the 'info' member of the struct uio_device is protected by spinlock. This is to ensure stale pointers to data not under control of the UIO subsystem are not dereferenced. Signed-off-by:
Chris Packham <chris.packham@alliedtelesis.co.nz> Signed-off-by:
-
Hamish Martin authored
commit 81daa406 upstream. Drive all return paths for uio_write() through a single block at the end of the function. Signed-off-by:
-
Jiri Olsa authored
commit 692f5a22 upstream. Otherwise we fail on virtual machines with no support for specific HW events. Signed-off-by:
Jiri Olsa <jolsa@kernel.org> Cc: David Ahern <dsahern@gmail.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Link: http://lkml.kernel.org/r/20171009130712.14747-1-jolsa@kernel.orgSigned-off-by:
Arnaldo Carvalho de Melo <acme@redhat.com> Cc: "Rantala, Tommi T. (Nokia - FI/Espoo)" <tommi.t.rantala@nokia.com> Signed-off-by:
-
Jiri Olsa authored
commit f6a9820d upstream. We started to use group read whenever it's possible: 82bf311e perf stat: Use group read for event groups That breaks some of attr tests, this change adds the new possible read_format value. Signed-off-by:
-
Jiri Olsa authored
commit 10836d9f upstream. The perf_event_attr::task is 1 by default for first (tracking) event in the session. Setting task=1 as default and adding task=0 for cases that need it. Signed-off-by:
-
Sven Eckelmann authored
commit 9114daa8 upstream. The caller of ndo_start_xmit may not already have called skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr therefore can be in the wrong position and even outside the current skbuff. This for example happens when the user binds to the device using a PF_PACKET-SOCK_RAW with enabled qdisc-bypass: int opt = 4; setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt)); Since eth_hdr is used all over the codebase, the batadv_interface_tx function must always take care of resetting it. Fixes: c6c8fea2 ("net: Add batman-adv meshing protocol") Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com Signed-off-by:
Sven Eckelmann <sven@narfation.org> Signed-off-by:
Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by:
-
Sven Eckelmann authored
commit 955d3411 upstream. It is not allowed to use WARN* helpers on potential incorrect input from the user or transient problems because systems configured as panic_on_warn will reboot due to such a problem. A NULL return value of __dev_get_by_index can be caused by various problems which can either be related to the system configuration or problems (incorrectly returned network namespaces) in other (virtual) net_device drivers. batman-adv should not cause a (harmful) WARN in this situation and instead only report it via a simple message. Fixes: b7eddd0b ("batman-adv: prevent using any virtual device created on batman-adv as hard-interface") Reported-by: syzbot+c764de0fcfadca9a8595@syzkaller.appspotmail.com Reported-by:
Dmitry Vyukov <dvyukov@google.com> Signed-off-by:
-
Florian Westphal authored
commit 35e61038 upstream. The check assumes that in transport mode, the first templates family must match the address family of the policy selector. Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION, with ipv4-in-ipv6 chain, leading to following splat: BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854 Read of size 4 at addr ffff888063e57aa0 by task a.out/2050 xfrm_state_find+0x1db/0x1854 xfrm_tmpl_resolve+0x100/0x1d0 xfrm_resolve_and_create_bundle+0x108/0x1000 [..] Problem is that addresses point into flowi4 struct, but xfrm_state_find treats them as being ipv6 because it uses templ->encap_family is used (AF_INET6 in case of reproducer) rather than family (AF_INET). This patch inverts the logic: Enforce 'template family must match selector' EXCEPT for tunnel and BEET mode. In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local address pointers changed to point at the addresses found in the template, rather than the flowi ones, so no oob read will occur. Reported-by: 3ntr0py1337@gmail.com Reported-by:
Daniel Borkmann <daniel@iogearbox.net> Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by:
-
