1. 14 Jul, 2019 11 commits
    • John Fastabend's avatar
      bpf: sockmap, fix use after free from sleep in psock backlog workqueue · 8badaded
      John Fastabend authored
      [ Upstream commit bd95e678 ]
      
      Backlog work for psock (sk_psock_backlog) might sleep while waiting
      for memory to free up when sending packets. However, while sleeping
      the socket may be closed and removed from the map by the user space
      side.
      
      This breaks an assumption in sk_stream_wait_memory, which expects the
      wait queue to be still there when it wakes up resulting in a
      use-after-free shown below. To fix his mark sendmsg as MSG_DONTWAIT
      to avoid the sleep altogether. We already set the flag for the
      sendpage case but we missed the case were sendmsg is used.
      Sockmap is currently the only user of skb_send_sock_locked() so only
      the sockmap paths should be impacted.
      
      ==================================================================
      BUG: KASAN: use-after-free in remove_wait_queue+0x31/0x70
      Write of size 8 at addr ffff888069a0c4e8 by task kworker/0:2/110
      
      CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3-dirty #14
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
      Workqueue: events sk_psock_backlog
      Call Trace:
       print_address_description+0x6e/0x2b0
       ? remove_wait_queue+0x31/0x70
       kasan_report+0xfd/0x177
       ? remove_wait_queue+0x31/0x70
       ? remove_wait_queue+0x31/0x70
       remove_wait_queue+0x31/0x70
       sk_stream_wait_memory+0x4dd/0x5f0
       ? sk_stream_wait_close+0x1b0/0x1b0
       ? wait_woken+0xc0/0xc0
       ? tcp_current_mss+0xc5/0x110
       tcp_sendmsg_locked+0x634/0x15d0
       ? tcp_set_state+0x2e0/0x2e0
       ? __kasan_slab_free+0x1d1/0x230
       ? kmem_cache_free+0x70/0x140
       ? sk_psock_backlog+0x40c/0x4b0
       ? process_one_work+0x40b/0x660
       ? worker_thread+0x82/0x680
       ? kthread+0x1b9/0x1e0
       ? ret_from_fork+0x1f/0x30
       ? check_preempt_curr+0xaf/0x130
       ? iov_iter_kvec+0x5f/0x70
       ? kernel_sendmsg_locked+0xa0/0xe0
       skb_send_sock_locked+0x273/0x3c0
       ? skb_splice_bits+0x180/0x180
       ? start_thread+0xe0/0xe0
       ? update_min_vruntime.constprop.27+0x88/0xc0
       sk_psock_backlog+0xb3/0x4b0
       ? strscpy+0xbf/0x1e0
       process_one_work+0x40b/0x660
       worker_thread+0x82/0x680
       ? process_one_work+0x660/0x660
       kthread+0x1b9/0x1e0
       ? __kthread_create_on_node+0x250/0x250
       ret_from_fork+0x1f/0x30
      
      Fixes: 20bf50de ("skbuff: Function to send an skbuf on a socket")
      Reported-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Tested-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8badaded
    • John Crispin's avatar
      mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he() · 234d92fc
      John Crispin authored
      [ Upstream commit 25d16d12 ]
      
      The reported rate is not scaled down correctly. After applying this patch,
      the function will behave just like the v/ht equivalents.
      Signed-off-by: default avatarShashidhar Lakkavalli <slakkavalli@datto.com>
      Signed-off-by: default avatarJohn Crispin <john@phrozen.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      234d92fc
    • Jakub Sitnicki's avatar
      bpf: sockmap, restore sk_write_space when psock gets dropped · 0579691b
      Jakub Sitnicki authored
      [ Upstream commit 186bcc3d ]
      
      Once psock gets unlinked from its sock (sk_psock_drop), user-space can
      still trigger a call to sk->sk_write_space by setting TCP_NOTSENT_LOWAT
      socket option. This causes a null-ptr-deref because we try to read
      psock->saved_write_space from sk_psock_write_space:
      
      ==================================================================
      BUG: KASAN: null-ptr-deref in sk_psock_write_space+0x69/0x80
      Read of size 8 at addr 00000000000001a0 by task sockmap-echo/131
      
      CPU: 0 PID: 131 Comm: sockmap-echo Not tainted 5.2.0-rc1-00094-gf49aa1de #81
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
      Call Trace:
       ? sk_psock_write_space+0x69/0x80
       __kasan_report.cold.2+0x5/0x3f
       ? sk_psock_write_space+0x69/0x80
       kasan_report+0xe/0x20
       sk_psock_write_space+0x69/0x80
       tcp_setsockopt+0x69a/0xfc0
       ? tcp_shutdown+0x70/0x70
       ? fsnotify+0x5b0/0x5f0
       ? remove_wait_queue+0x90/0x90
       ? __fget_light+0xa5/0xf0
       __sys_setsockopt+0xe6/0x180
       ? sockfd_lookup_light+0xb0/0xb0
       ? vfs_write+0x195/0x210
       ? ksys_write+0xc9/0x150
       ? __x64_sys_read+0x50/0x50
       ? __bpf_trace_x86_fpu+0x10/0x10
       __x64_sys_setsockopt+0x61/0x70
       do_syscall_64+0xc5/0x520
       ? vmacache_find+0xc0/0x110
       ? syscall_return_slowpath+0x110/0x110
       ? handle_mm_fault+0xb4/0x110
       ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
       ? trace_hardirqs_off_caller+0x4b/0x120
       ? trace_hardirqs_off_thunk+0x1a/0x3a
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f2e5e7cdcce
      Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b1 66 2e 0f 1f 84 00 00 00 00 00
      0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 01 f0 ff
      ff 73 01 c3 48 8b 0d 8a 11 0c 00 f7 d8 64 89 01 48
      RSP: 002b:00007ffed011b778 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2e5e7cdcce
      RDX: 0000000000000019 RSI: 0000000000000006 RDI: 0000000000000007
      RBP: 00007ffed011b790 R08: 0000000000000004 R09: 00007f2e5e84ee80
      R10: 00007ffed011b788 R11: 0000000000000206 R12: 00007ffed011b78c
      R13: 00007ffed011b788 R14: 0000000000000007 R15: 0000000000000068
      ==================================================================
      
      Restore the saved sk_write_space callback when psock is being dropped to
      fix the crash.
      Signed-off-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0579691b
    • Björn Töpel's avatar
      bpf, riscv: clear target register high 32-bits for and/or/xor on ALU32 · a1dbf728
      Björn Töpel authored
      [ Upstream commit fe121ee5 ]
      
      When using 32-bit subregisters (ALU32), the RISC-V JIT would not clear
      the high 32-bits of the target register and therefore generate
      incorrect code.
      
      E.g., in the following code:
      
        $ cat test.c
        unsigned int f(unsigned long long a,
        	       unsigned int b)
        {
        	return (unsigned int)a & b;
        }
      
        $ clang-9 -target bpf -O2 -emit-llvm -S test.c -o - | \
        	llc-9 -mattr=+alu32 -mcpu=v3
        	.text
        	.file	"test.c"
        	.globl	f
        	.p2align	3
        	.type	f,@function
        f:
        	r0 = r1
        	w0 &= w2
        	exit
        .Lfunc_end0:
        	.size	f, .Lfunc_end0-f
      
      The JIT would not clear the high 32-bits of r0 after the
      and-operation, which in this case might give an incorrect return
      value.
      
      After this patch, that is not the case, and the upper 32-bits are
      cleared.
      Reported-by: default avatarJiong Wang <jiong.wang@netronome.com>
      Fixes: 2353ecc6 ("bpf, riscv: add BPF JIT for RV64G")
      Signed-off-by: default avatarBjörn Töpel <bjorn.topel@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a1dbf728
    • Matteo Croce's avatar
      samples, bpf: suppress compiler warning · 3ab0e4bc
      Matteo Croce authored
      [ Upstream commit a195ceff ]
      
      GCC 9 fails to calculate the size of local constant strings and produces a
      false positive:
      
      samples/bpf/task_fd_query_user.c: In function ‘test_debug_fs_uprobe’:
      samples/bpf/task_fd_query_user.c:242:67: warning: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 215 [-Wformat-truncation=]
        242 |  snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/events/%ss/%s/id",
            |                                                                   ^~
        243 |    event_type, event_alias);
            |                ~~~~~~~~~~~
      samples/bpf/task_fd_query_user.c:242:2: note: ‘snprintf’ output between 45 and 300 bytes into a destination of size 256
        242 |  snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/events/%ss/%s/id",
            |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        243 |    event_type, event_alias);
            |    ~~~~~~~~~~~~~~~~~~~~~~~~
      
      Workaround this by lowering the buffer size to a reasonable value.
      Related GCC Bugzilla: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83431Signed-off-by: default avatarMatteo Croce <mcroce@redhat.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3ab0e4bc
    • Chang-Hsien Tsai's avatar
      samples, bpf: fix to change the buffer size for read() · a5755141
      Chang-Hsien Tsai authored
      [ Upstream commit f7c2d64b ]
      
      If the trace for read is larger than 4096, the return
      value sz will be 4096. This results in off-by-one error
      on buf:
      
          static char buf[4096];
          ssize_t sz;
      
          sz = read(trace_fd, buf, sizeof(buf));
          if (sz > 0) {
              buf[sz] = 0;
              puts(buf);
          }
      Signed-off-by: default avatarChang-Hsien Tsai <luke.tw@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a5755141
    • Aaron Ma's avatar
      Input: elantech - enable middle button support on 2 ThinkPads · e87dee8d
      Aaron Ma authored
      [ Upstream commit aa440de3 ]
      
      Adding 2 new touchpad PNPIDs to enable middle button support.
      Signed-off-by: default avatarAaron Ma <aaron.ma@canonical.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e87dee8d
    • Florian Fainelli's avatar
      soc: bcm: brcmstb: biuctrl: Register writes require a barrier · fc1c8cfd
      Florian Fainelli authored
      [ Upstream commit 6b23af07 ]
      
      The BIUCTRL register writes require that a data barrier be inserted
      after comitting the write to the register for the block to latch in the
      recently written values. Reads have no such requirement and are not
      changed.
      
      Fixes: 34642650 ("soc: Move brcmstb to bcm/brcmstb")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fc1c8cfd
    • Florian Fainelli's avatar
      soc: brcmstb: Fix error path for unsupported CPUs · 113e03c5
      Florian Fainelli authored
      [ Upstream commit 490cad5a ]
      
      In case setup_hifcpubiuctrl_regs() returns an error, because of e.g:
      an unsupported CPU type, just catch that error and return instead of
      blindly continuing with the initialization. This fixes a NULL pointer
      de-reference with the code continuing without having a proper array of
      registers to use.
      
      Fixes: 22f7a911 ("soc: brcmstb: Correct CPU_CREDIT_REG offset for Brahma-B53 CPUs")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      113e03c5
    • Christophe Leroy's avatar
      crypto: talitos - rename alternative AEAD algos. · 9009b798
      Christophe Leroy authored
      commit a1a42f84 upstream.
      
      The talitos driver has two ways to perform AEAD depending on the
      HW capability. Some HW support both. It is needed to give them
      different names to distingish which one it is for instance when
      a test fails.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Fixes: 7405c8d7 ("crypto: talitos - templates for AEAD using HMAC_SNOOP_NO_AFEU")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9009b798
    • Eric Biggers's avatar
      crypto: lrw - use correct alignmask · 043b0ea7
      Eric Biggers authored
      commit 20a0f976 upstream.
      
      Commit c778f96b ("crypto: lrw - Optimize tweak computation")
      incorrectly reduced the alignmask of LRW instances from
      '__alignof__(u64) - 1' to '__alignof__(__be32) - 1'.
      
      However, xor_tweak() and setkey() assume that the data and key,
      respectively, are aligned to 'be128', which has u64 alignment.
      
      Fix the alignmask to be at least '__alignof__(be128) - 1'.
      
      Fixes: c778f96b ("crypto: lrw - Optimize tweak computation")
      Cc: <stable@vger.kernel.org> # v4.20+
      Cc: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      043b0ea7
  2. 10 Jul, 2019 29 commits