1. 17 Jul, 2019 4 commits
    • Denis Efremov's avatar
      floppy: fix out-of-bounds read in copy_buffer · da99466a
      Denis Efremov authored
      This fixes a global out-of-bounds read access in the copy_buffer
      function of the floppy driver.
      
      The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
      and head fields (unsigned int) of the floppy_drive structure are used to
      compute the max_sector (int) in the make_raw_rw_request function.  It is
      possible to overflow the max_sector.  Next, max_sector is passed to the
      copy_buffer function and used in one of the memcpy calls.
      
      An unprivileged user could trigger the bug if the device is accessible,
      but requires a floppy disk to be inserted.
      
      The patch adds the check for the .sect * .head multiplication for not
      overflowing in the set_geometry function.
      
      The bug was found by syzkaller.
      Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
      Tested-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      da99466a
    • Denis Efremov's avatar
      floppy: fix invalid pointer dereference in drive_name · 9b04609b
      Denis Efremov authored
      This fixes the invalid pointer dereference in the drive_name function of
      the floppy driver.
      
      The native_format field of the struct floppy_drive_params is used as
      floppy_type array index in the drive_name function.  Thus, the field
      should be checked the same way as the autodetect field.
      
      To trigger the bug, one could use a value out of range and set the drive
      parameters with the FDSETDRVPRM ioctl.  Next, FDGETDRVTYP ioctl should
      be used to call the drive_name.  A floppy disk is not required to be
      inserted.
      
      CAP_SYS_ADMIN is required to call FDSETDRVPRM.
      
      The patch adds the check for a value of the native_format field to be in
      the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array
      indices.
      
      The bug was found by syzkaller.
      Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
      Tested-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9b04609b
    • Denis Efremov's avatar
      floppy: fix out-of-bounds read in next_valid_format · 5635f897
      Denis Efremov authored
      This fixes a global out-of-bounds read access in the next_valid_format
      function of the floppy driver.
      
      The values from autodetect field of the struct floppy_drive_params are
      used as indices for the floppy_type array in the next_valid_format
      function 'floppy_type[DP->autodetect[probed_format]].sect'.
      
      To trigger the bug, one could use a value out of range and set the drive
      parameters with the FDSETDRVPRM ioctl.  A floppy disk is not required to
      be inserted.
      
      CAP_SYS_ADMIN is required to call FDSETDRVPRM.
      
      The patch adds the check for values of the autodetect field to be in the
      '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices.
      
      The bug was found by syzkaller.
      Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
      Tested-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5635f897
    • Denis Efremov's avatar
      floppy: fix div-by-zero in setup_format_params · f3554aeb
      Denis Efremov authored
      This fixes a divide by zero error in the setup_format_params function of
      the floppy driver.
      
      Two consecutive ioctls can trigger the bug: The first one should set the
      drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
      to become zero.  Next, the floppy format operation should be called.
      
      A floppy disk is not required to be inserted.  An unprivileged user
      could trigger the bug if the device is accessible.
      
      The patch checks F_SECT_PER_TRACK for a non-zero value in the
      set_geometry function.  The proper check should involve a reasonable
      upper limit for the .sect and .rate fields, but it could change the
      UAPI.
      
      The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
      cancels the formatting operation in case of zero.
      
      The bug was found by syzkaller.
      Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
      Tested-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f3554aeb
  2. 07 Jul, 2019 1 commit
  3. 06 Jul, 2019 11 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190706' of git://git.kernel.dk/linux-block · 46713c3d
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Just a single fix for a patch from Greg KH, which reportedly break
        block debugfs locations for certain setups. Trivial enough that I
        think we should include it now, rather than wait and release 5.2 with
        it, since it's a regression in this series"
      
      * tag 'for-linus-20190706' of git://git.kernel.dk/linux-block:
        blk-mq: fix up placement of debugfs directory of queue files
      46713c3d
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · bcc0e65f
      Linus Torvalds authored
      Pull MIPS fixes from Paul Burton:
       "A few more MIPS fixes:
      
         - Fix a silly typo in virt_addr_valid which led to completely bogus
           behavior (that happened to stop tripping up hardened usercopy
           despite being broken).
      
         - Fix UART parity setup on AR933x systems.
      
         - A build fix for non-Linux build machines.
      
         - Have the 'all' make target build DTBs, primarily to fit in with the
           behavior of scripts/package/builddeb.
      
         - Handle an execution hazard in TLB exceptions that use KScratch
           registers, which could inadvertently clobber the $1 register on
           some generally higher-end out-of-order CPUs.
      
         - A MAINTAINERS update to fix the path to the NAND driver for Ingenic
           systems"
      
      * tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MAINTAINERS: Correct path to moved files
        MIPS: Add missing EHB in mtc0 -> mfc0 sequence.
        MIPS: have "plain" make calls build dtbs for selected platforms
        MIPS: fix build on non-linux hosts
        MIPS: ath79: fix ar933x uart parity mode
        MIPS: Fix bounds check virt_addr_valid
      bcc0e65f
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma · 2692982b
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
      
       - bam_dma fix for completed descriptor count
      
       - fix for imx-sdma remove BD_INTR for channel0 and use-after-free on
         probe error path
      
       - endian bug fix in jz4780 IRQ handler
      
      * tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: qcom: bam_dma: Fix completed descriptors count
        dmaengine: imx-sdma: remove BD_INTR for channel0
        dmaengine: imx-sdma: fix use-after-free on probe error path
        dmaengine: jz4780: Fix an endian bug in IRQ handler
      2692982b
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 4f8b4909
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Two iscsi fixes.
      
        One for an oops in the client which can be triggered by the server
        authentication protocol and the other in the target code which causes
        data corruption"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported
        scsi: target/iblock: Fix overrun in WRITE SAME emulation
      4f8b4909
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · ceacbc0e
      Linus Torvalds authored
      Pull vfs fixlet from Al Viro:
       "Fix bogus default y in Kconfig (VALIDATE_FS_PARSER)
      
        That thing should not be turned on by default, especially since it's
        not quiet in case it finds no problems. Geert has sent the obvious fix
        quite a few times, but it fell through the cracks"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fs: VALIDATE_FS_PARSER should default to n
      ceacbc0e
    • Greg Kroah-Hartman's avatar
      blk-mq: fix up placement of debugfs directory of queue files · 7e41c3c9
      Greg Kroah-Hartman authored
      When the blk-mq debugfs file creation logic was "cleaned up" it was
      cleaned up too much, causing the queue file to not be created in the
      correct location.  Turns out the check for the directory being present
      is needed as if that has not happened yet, the files should not be
      created, and the function will be called later on in the initialization
      code so that the files can be created in the correct location.
      
      Fixes: 6cfc0081 ("blk-mq: no need to check return value of debugfs_create functions")
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Cc: linux-block@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      7e41c3c9
    • Linus Torvalds's avatar
      Revert "mm: page cache: store only head pages in i_pages" · 69bf4b6b
      Linus Torvalds authored
      This reverts commit 5fd4ca2d.
      
      Mikhail Gavrilov reports that it causes the VM_BUG_ON_PAGE() in
      __delete_from_swap_cache() to trigger:
      
         page:ffffd6d34dff0000 refcount:1 mapcount:1 mapping:ffff97812323a689 index:0xfecec363
         anon
         flags: 0x17fffe00080034(uptodate|lru|active|swapbacked)
         raw: 0017fffe00080034 ffffd6d34c67c508 ffffd6d3504b8d48 ffff97812323a689
         raw: 00000000fecec363 0000000000000000 0000000100000000 ffff978433ace000
         page dumped because: VM_BUG_ON_PAGE(entry != page)
         page->mem_cgroup:ffff978433ace000
         ------------[ cut here ]------------
         kernel BUG at mm/swap_state.c:170!
         invalid opcode: 0000 [#1] SMP NOPTI
         CPU: 1 PID: 221 Comm: kswapd0 Not tainted 5.2.0-0.rc2.git0.1.fc31.x86_64 #1
         Hardware name: System manufacturer System Product Name/ROG STRIX X470-I GAMING, BIOS 2202 04/11/2019
         RIP: 0010:__delete_from_swap_cache+0x20d/0x240
         Code: 30 65 48 33 04 25 28 00 00 00 75 4a 48 83 c4 38 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c6 2f dc 0f 8a 48 89 c7 e8 93 1b fd ff <0f> 0b 48 c7 c6 a8 74 0f 8a e8 85 1b fd ff 0f 0b 48 c7 c6 a8 7d 0f
         RSP: 0018:ffffa982036e7980 EFLAGS: 00010046
         RAX: 0000000000000021 RBX: 0000000000000040 RCX: 0000000000000006
         RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffff97843d657900
         RBP: 0000000000000001 R08: ffffa982036e7835 R09: 0000000000000535
         R10: ffff97845e21a46c R11: ffffa982036e7835 R12: ffff978426387120
         R13: 0000000000000000 R14: ffffd6d34dff0040 R15: ffffd6d34dff0000
         FS:  0000000000000000(0000) GS:ffff97843d640000(0000) knlGS:0000000000000000
         CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
         CR2: 00002cba88ef5000 CR3: 000000078a97c000 CR4: 00000000003406e0
         Call Trace:
          delete_from_swap_cache+0x46/0xa0
          try_to_free_swap+0xbc/0x110
          swap_writepage+0x13/0x70
          pageout.isra.0+0x13c/0x350
          shrink_page_list+0xc14/0xdf0
          shrink_inactive_list+0x1e5/0x3c0
          shrink_node_memcg+0x202/0x760
          shrink_node+0xe0/0x470
          balance_pgdat+0x2d1/0x510
          kswapd+0x220/0x420
          kthread+0xfb/0x130
          ret_from_fork+0x22/0x40
      
      and it's not immediately obvious why it happens.  It's too late in the
      rc cycle to do anything but revert for now.
      
      Link: https://lore.kernel.org/lkml/CABXGCsN9mYmBD-4GaaeW_NrDu+FDXLzr_6x+XNxfmFV6QkYCDg@mail.gmail.com/Reported-and-bisected-by: default avatarMikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
      Suggested-by: default avatarJan Kara <jack@suse.cz>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Kirill Shutemov <kirill@shutemov.name>
      Cc: William Kucharski <william.kucharski@oracle.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      69bf4b6b
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 9fdb86c8
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "x86 bugfix patches and one compilation fix for ARM"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: arm64/sve: Fix vq_present() macro to yield a bool
        KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC
        KVM: nVMX: Change KVM_STATE_NESTED_EVMCS to signal vmcs12 is copied from eVMCS
        KVM: nVMX: Allow restore nested-state to enable eVMCS when vCPU in SMM
        KVM: x86: degrade WARN to pr_warn_ratelimited
      9fdb86c8
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 0e63665a
      Linus Torvalds authored
      Pull mtf fixes from Miquel Raynal:
      
       - Fix the memory organization structure of a Macronix SPI-NAND chip.
      
       - Fix a build dependency wrongly described.
      
       - Fix the sunxi NAND driver for A23/A33 SoCs by (a) reverting the
         faulty commit introducing broken DMA support and (b) applying another
         commit bringing working DMA support.
      
      * tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: rawnand: sunxi: Add A23/A33 DMA support with extra MBUS configuration
        Revert "mtd: rawnand: sunxi: Add A23/A33 DMA support"
        mtd: rawnand: ingenic: Fix ingenic_ecc dependency
        mtd: spinand: Fix max_bad_eraseblocks_per_lun info in memorg
      0e63665a
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 881ed91f
      Linus Torvalds authored
      Pull i2c fixlet from Wolfram Sang:
       "I2C has a MAINTAINERS update which will be benfitial for developers,
        so let's add it right away"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: tegra: Add Dmitry as a reviewer
      881ed91f
    • Linus Torvalds's avatar
      Merge tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux · a8f46b5a
      Linus Torvalds authored
      Pull nfsd fixes from Bruce Fields:
       "Two more quick bugfixes for nfsd: fixing a regression causing mount
        failures on high-memory machines and fixing the DRC over RDMA"
      
      * tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux:
        nfsd: Fix overflow causing non-working mounts on 1 TB machines
        svcrdma: Ignore source port when computing DRC hash
      a8f46b5a
  4. 05 Jul, 2019 21 commits
  5. 04 Jul, 2019 3 commits
    • Linus Torvalds's avatar
      Merge tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · c212ddae
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Here are a collection of small fixes for:
      
         - A race with ASoC HD-audio registration
      
         - LINE6 usb-audio memory overwrite by malformed descriptor
      
         - FireWire MIDI handling
      
         - Missing cast for bit shifts in a few USB-audio quirks
      
         - The wrong function calls in minor OSS sequencer code paths
      
         - A couple of HD-audio quirks"
      
      * tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: line6: Fix write on zero-sized buffer
        ALSA: hda: Fix widget_mutex incomplete protection
        ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
        ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
        ALSA: hda/realtek - Change front mic location for Lenovo M710q
        ALSA: usb-audio: fix sign unintended sign extension on left shifts
        ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
      c212ddae
    • Jann Horn's avatar
      ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME · 6994eefb
      Jann Horn authored
      Fix two issues:
      
      When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
      reference to the parent's objective credentials, then give that pointer
      to get_cred().  However, the object lifetime rules for things like
      struct cred do not permit unconditionally turning an RCU reference into
      a stable reference.
      
      PTRACE_TRACEME records the parent's credentials as if the parent was
      acting as the subject, but that's not the case.  If a malicious
      unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
      at a later point, the parent process becomes attacker-controlled
      (because it drops privileges and calls execve()), the attacker ends up
      with control over two processes with a privileged ptrace relationship,
      which can be abused to ptrace a suid binary and obtain root privileges.
      
      Fix both of these by always recording the credentials of the process
      that is requesting the creation of the ptrace relationship:
      current_cred() can't change under us, and current is the proper subject
      for access control.
      
      This change is theoretically userspace-visible, but I am not aware of
      any code that it will actually break.
      
      Fixes: 64b875f7 ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6994eefb
    • Robert Beckett's avatar
      drm/imx: only send event on crtc disable if kept disabled · 5aeab2bf
      Robert Beckett authored
      The event will be sent as part of the vblank enable during the modeset
      if the crtc is not being kept disabled.
      
      Fixes: 5f2f9115 ("drm/imx: atomic phase 3 step 1: Use atomic configuration")
      Signed-off-by: default avatarRobert Beckett <bob.beckett@collabora.com>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      5aeab2bf