From patchwork Tue Jun 8 18:26:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 455782 Delivered-To: patch@linaro.org Received: by 2002:a02:735a:0:0:0:0:0 with SMTP id a26csp3993487jae; Tue, 8 Jun 2021 11:29:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzIwHs+/YaHcxVsXhImlpyfrewwHQGtvoqNoo2uSWIpjbwfD48RXZjggls92XfA/kfCFhxW X-Received: by 2002:a17:906:1806:: with SMTP id v6mr24731194eje.454.1623176964166; Tue, 08 Jun 2021 11:29:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623176964; cv=none; d=google.com; s=arc-20160816; b=j3MGSf+YYEqon0XYTduwk7uaqdDOU+emmsX14aetgJqUgSrRM4qoXUBZrSwrpQWDw/ clHJQiboDm4iIrgY5RPMnWgZ7XxiClxah6cQKDfCMoNUm2ykMktWmsNB3U2YUwPjDIL8 Gdm2usOSMiz4duJNIAEseyYzpPSRhYWHTT1SgsPUjWCu62hdT4JnP1awIvdZ2xhxScMN DKAYYEDEUZWnf+YL9oOfKXiVtvJsfyj/JpsTwMnZIIYLSuVNAMwsuDQ4QNC1BMXSfcnt Hb0wc4TQfT/cunVBOhwFB9jsQ5JLEphfkoSFrFrwM6IIMOU5DytFnM9rkH5mmhZzcILi O67w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Eo5x9aHvGUcjKY+0L75qI3vcxRLg/b5ErQCsSYYxjZM=; b=Zid6LyMaSVCDbhIdNGdY2EaS0mV8meFHWFTycpsAXjlJRXNTYAZl8Ooar6RMfLVs+N r7VCR7cd26axs4oVsfTrXwwEPPMXjXvZiV5+fSXwMMGWWOi3psKuD1L+j4fMvmq9Tqs7 NQhZTRI3zHJJrn4sQAZle4HT4cidTpeJLgvVVEtmt6G7p+ERWDMUveXAOgH+J/dFLw22 aZaqrlGMyWp7MJpZzqu+HSy7ttbrqAzboeB6zJ38vKWcp7sYicARO5NEU/elKUUmqlWK n62pnoUx4+Hk/3H129E+Jxh7JC3JRJsZ0bMzWL0J91UZqTeZtGmlZQ9YfsxcXVh+WrMD g0KA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=kap+4WyI; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b13si387135ejl.150.2021.06.08.11.29.23; Tue, 08 Jun 2021 11:29:24 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=kap+4WyI; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233498AbhFHSam (ORCPT + 12 others); Tue, 8 Jun 2021 14:30:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:55022 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233355AbhFHSal (ORCPT ); Tue, 8 Jun 2021 14:30:41 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id F336261352; Tue, 8 Jun 2021 18:28:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176914; bh=Ue9lbIDJj0P2m0BfjmqXGYFaocepRpggYF4jKEqrpKY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kap+4WyI+Cco9tXD1Ni2MR9p3Pq1bV8jruJsEYeeO+w2MHXjShf27pyv4JeaJyigl 3KtW8LwvVy2ASyRHNo9DhMkI5Kx7QjXW8NvhnohvUKPI45s2oRUwWkLaBkwbySgeUw 66wNbOWRO1j0jCnVlnJWPsaLpSebIDLw+afgROdk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Zhen Lei , Max Gurtovoy , Alex Williamson , Sasha Levin Subject: [PATCH 4.4 02/23] vfio/pci: Fix error return code in vfio_ecap_init() Date: Tue, 8 Jun 2021 20:26:54 +0200 Message-Id: <20210608175926.609575454@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Zhen Lei [ Upstream commit d1ce2c79156d3baf0830990ab06d296477b93c26 ] The error code returned from vfio_ext_cap_len() is stored in 'len', not in 'ret'. Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Reviewed-by: Max Gurtovoy Message-Id: <20210515020458.6771-1-thunder.leizhen@huawei.com> Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin --- drivers/vfio/pci/vfio_pci_config.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.30.2 diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c index 666b234acca0..9891001244ea 100644 --- a/drivers/vfio/pci/vfio_pci_config.c +++ b/drivers/vfio/pci/vfio_pci_config.c @@ -1488,7 +1488,7 @@ static int vfio_ecap_init(struct vfio_pci_device *vdev) if (len == 0xFF) { len = vfio_ext_cap_len(vdev, ecap, epos); if (len < 0) - return ret; + return len; } } From patchwork Tue Jun 8 18:26:55 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 456767 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A9102C4743D for ; Tue, 8 Jun 2021 18:29:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8C140613B9 for ; Tue, 8 Jun 2021 18:29:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233937AbhFHSax (ORCPT ); Tue, 8 Jun 2021 14:30:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:55612 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233920AbhFHSav (ORCPT ); Tue, 8 Jun 2021 14:30:51 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3ECB2613AE; Tue, 8 Jun 2021 18:28:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176938; bh=GvBZEAFzs/JsSVxO5y+ZXjEC47o0qYUnu9msmDXAorQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iUNv3wrYFIrCQbDs1PkPaQHosRtCBjglk2wYNH60CI9NIFbDUB5nkoJD68oS5JIFp AM5ajrKOw6KE5/BPvnIMJR1wYE7uxHdR46doFKNL1jCdYxkutZ92eQZxY3tuggYHhV Jl7pH06ida3tXZWgtAx2Li7UrD3Vrhk1iwbaSIJk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Max Gurtovoy , Alex Williamson , Sasha Levin Subject: [PATCH 4.4 03/23] vfio/platform: fix module_put call in error flow Date: Tue, 8 Jun 2021 20:26:55 +0200 Message-Id: <20210608175926.649210183@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Max Gurtovoy [ Upstream commit dc51ff91cf2d1e9a2d941da483602f71d4a51472 ] The ->parent_module is the one that use in try_module_get. It should also be the one the we use in module_put during vfio_platform_open(). Fixes: 32a2d71c4e80 ("vfio: platform: introduce vfio-platform-base module") Signed-off-by: Max Gurtovoy Message-Id: <20210518192133.59195-1-mgurtovoy@nvidia.com> Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin --- drivers/vfio/platform/vfio_platform_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c index e65b142d3422..9b170ce16011 100644 --- a/drivers/vfio/platform/vfio_platform_common.c +++ b/drivers/vfio/platform/vfio_platform_common.c @@ -192,7 +192,7 @@ err_irq: vfio_platform_regions_cleanup(vdev); err_reg: mutex_unlock(&driver_lock); - module_put(THIS_MODULE); + module_put(vdev->parent_module); return ret; } From patchwork Tue Jun 8 18:26:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457787 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 967EFC4743F for ; Tue, 8 Jun 2021 18:29:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8135C613B9 for ; Tue, 8 Jun 2021 18:29:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233966AbhFHSay (ORCPT ); Tue, 8 Jun 2021 14:30:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:55612 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233935AbhFHSay (ORCPT ); Tue, 8 Jun 2021 14:30:54 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 6FD4C61352; Tue, 8 Jun 2021 18:29:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176941; bh=paxo7YgeC40g60lJVnEgmyjUda1w8zrswA5EkUy2Um0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=v8P7wZcE5xwkhihikz8C9k1tw6SVtP+0S3om9DefIAjCPMID9v8F498Q+TVU/12rM Jle+bGXbLE1bQhaLUBesfFCgPDaOInonwai7WAiR+293Pn6QgDesFCUGv+YedeQgOC Ue2usgoGtNRMzDrEhkVl/oyxyU0szS3zB+/eeD6k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Julian Anastasov , Simon Horman , Pablo Neira Ayuso , Sasha Levin , syzbot+e562383183e4b1766930@syzkaller.appspotmail.com Subject: [PATCH 4.4 04/23] ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service Date: Tue, 8 Jun 2021 20:26:56 +0200 Message-Id: <20210608175926.688787741@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Julian Anastasov [ Upstream commit 56e4ee82e850026d71223262c07df7d6af3bd872 ] syzbot reported memory leak [1] when adding service with HASHED flag. We should ignore this flag both from sockopt and netlink provided data, otherwise the service is not hashed and not visible while releasing resources. [1] BUG: memory leak unreferenced object 0xffff888115227800 (size 512): comm "syz-executor263", pid 8658, jiffies 4294951882 (age 12.560s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc include/linux/slab.h:556 [inline] [] kzalloc include/linux/slab.h:686 [inline] [] ip_vs_add_service+0x598/0x7c0 net/netfilter/ipvs/ip_vs_ctl.c:1343 [] do_ip_vs_set_ctl+0x810/0xa40 net/netfilter/ipvs/ip_vs_ctl.c:2570 [] nf_setsockopt+0x68/0xa0 net/netfilter/nf_sockopt.c:101 [] ip_setsockopt+0x259/0x1ff0 net/ipv4/ip_sockglue.c:1435 [] raw_setsockopt+0x18c/0x1b0 net/ipv4/raw.c:857 [] __sys_setsockopt+0x1b0/0x360 net/socket.c:2117 [] __do_sys_setsockopt net/socket.c:2128 [inline] [] __se_sys_setsockopt net/socket.c:2125 [inline] [] __x64_sys_setsockopt+0x22/0x30 net/socket.c:2125 [] do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 [] entry_SYSCALL_64_after_hwframe+0x44/0xae Reported-and-tested-by: syzbot+e562383183e4b1766930@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Julian Anastasov Reviewed-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/ipvs/ip_vs_ctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index c7ee962a547b..1adbcdda2158 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -1226,7 +1226,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, ip_vs_addr_copy(svc->af, &svc->addr, &u->addr); svc->port = u->port; svc->fwmark = u->fwmark; - svc->flags = u->flags; + svc->flags = u->flags & ~IP_VS_SVC_F_HASHED; svc->timeout = u->timeout * HZ; svc->netmask = u->netmask; svc->ipvs = ipvs; From patchwork Tue Jun 8 18:26:57 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 455783 Delivered-To: patch@linaro.org Received: by 2002:a02:735a:0:0:0:0:0 with SMTP id a26csp3994165jae; Tue, 8 Jun 2021 11:30:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwKC899V35gYiQiHTyQjzDaFzB6Dss9bo75PxZyUlTS/9rCEYPCstJEvinrxyttmpUbMnIP X-Received: by 2002:aa7:c3ce:: with SMTP id l14mr26890617edr.99.1623177016115; Tue, 08 Jun 2021 11:30:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623177016; cv=none; d=google.com; s=arc-20160816; b=DksG05Zx4Jre7oYuqzXTfSwYguo5iDfltkU9Z/QerLACJrf5TnEzGfKgGXvc1alGER /AiTd5WKQ57AJgbrNkfsqVp5KoCEv20Lcczia946yl6KQ4ncR1KWy89mEzjaaz4EbT8P /ieyh9Y4T0Ef91zM3PpmesAph18qLONe0QbrX013jdr0HpMtraQRNldWDSniljwEkqrn GhDsGU7YkCKXqcwqogLucPXTafVghVHNr+3S/aYZ65OryoVzukhBAkZcjtOT9w4GVs5X 8GZbFVr1MH/gjR5vgCLMbQi686UHSF06jZ2/yFwncrHDahS6Gb4j1aaezP/nIMiCe8UJ fmRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=J7UZByMJSOAY6reM4//XCQ6dn1xKG/ywPwyWwiZHH0M=; b=IbFwqM+rUhVyeTrMZbi/S978WjOYhNrDpixCMNivNbvYlxjAJp5Ahn60jMHHzCKsGp 69OT0ICv+ZLNQwUn+Az89L1wl1KPM4+5cLS8HS2UGQt2Ui0l8FCpMzQOh79P6ARitsMb fbDum5HTwJHo3G5QFli7ahN+nuwuEfwDF3vzG2bcJB4w9FFQxKtYB1/UfpKpTktSO/6m j5EvuE2Q3l99jir5/4TBKyVym1HxwsO1dTSRGnplawINOBc0OMkeZOhVJ4xtV3O8JPH8 mNZq33r6oXyQlxri6N9sITU6hcl7UNeFcOwprPiHN43sLOlmrMoPlerUmzEVTiRUrmqH 6rvg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=C5gouUi8; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e17si416787ejm.271.2021.06.08.11.30.15; Tue, 08 Jun 2021 11:30:16 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=C5gouUi8; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234008AbhFHSa5 (ORCPT + 12 others); Tue, 8 Jun 2021 14:30:57 -0400 Received: from mail.kernel.org ([198.145.29.99]:55748 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233801AbhFHSa4 (ORCPT ); Tue, 8 Jun 2021 14:30:56 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C07BC613AC; Tue, 8 Jun 2021 18:29:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176943; bh=lKpCVtXD3B8w7NgXNJYxyJ62U+u4UoNXBhi14EH6Lao=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=C5gouUi8IevNdoJ5L3gsSrIxH2VQJpJMEeYflVoj3H9/eM+U5HshC/pKO+ojjZc1r 9x7h5c18UOBft6r6DdkuS8sgIO9AJkUfLzYlakwOPAPbsuTEe6A89AQQwt3wbY3xxf K1sz13LFfG1G6NXL30zddy8zxgKD/qBqSZyJrdSc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Zhen Lei , Jiri Kosina , Sasha Levin Subject: [PATCH 4.4 05/23] HID: pidff: fix error return code in hid_pidff_init() Date: Tue, 8 Jun 2021 20:26:57 +0200 Message-Id: <20210608175926.720537449@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Zhen Lei [ Upstream commit 3dd653c077efda8152f4dd395359617d577a54cd ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 224ee88fe395 ("Input: add force feedback driver for PID devices") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin --- drivers/hid/usbhid/hid-pidff.c | 1 + 1 file changed, 1 insertion(+) -- 2.30.2 diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c index 08174d341f4a..bc75f1efa0f4 100644 --- a/drivers/hid/usbhid/hid-pidff.c +++ b/drivers/hid/usbhid/hid-pidff.c @@ -1304,6 +1304,7 @@ int hid_pidff_init(struct hid_device *hid) if (pidff->pool[PID_DEVICE_MANAGED_POOL].value && pidff->pool[PID_DEVICE_MANAGED_POOL].value[0] == 0) { + error = -EPERM; hid_notice(hid, "device does not support device managed pool\n"); goto fail; From patchwork Tue Jun 8 18:26:58 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457784 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D19AAC4743D for ; Tue, 8 Jun 2021 18:29:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B49C9613B9 for ; Tue, 8 Jun 2021 18:29:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234183AbhFHSbc (ORCPT ); Tue, 8 Jun 2021 14:31:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:55748 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234153AbhFHSbO (ORCPT ); Tue, 8 Jun 2021 14:31:14 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 049C9613B9; Tue, 8 Jun 2021 18:29:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176945; bh=OkZwXrHpxEFAEoYWsY/fBqlUlzOVkf3DGeAuhfwiJ0k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=efZ41uaVB9PnsUZ6J+RtrHfAodXYmTe/FzHuhTf/3a/O+0hCUTyO8gKSsKeNasLpg FoaipKNCNb9vRTXOwX5iB97etSjTJF1Bu/vJ8zN++5y59Z8RDieD6wzd4moZ2M5FMq pYp1S+fU6wFYvzOagmsXKUjBZRYk3NrSLUTHcndY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.4 06/23] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Date: Tue, 8 Jun 2021 20:26:58 +0200 Message-Id: <20210608175926.752384937@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Pablo Neira Ayuso [ Upstream commit 8971ee8b087750a23f3cd4dc55bff2d0303fd267 ] The private helper data size cannot be updated. However, updates that contain NFCTH_PRIV_DATA_LEN might bogusly hit EBUSY even if the size is the same. Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nfnetlink_cthelper.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c index 8c1733869343..63a9d5fd00c0 100644 --- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -355,10 +355,14 @@ static int nfnl_cthelper_update(const struct nlattr * const tb[], struct nf_conntrack_helper *helper) { + u32 size; int ret; - if (tb[NFCTH_PRIV_DATA_LEN]) - return -EBUSY; + if (tb[NFCTH_PRIV_DATA_LEN]) { + size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN])); + if (size != helper->data_len) + return -EBUSY; + } if (tb[NFCTH_POLICY]) { ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]); From patchwork Tue Jun 8 18:26:59 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 455784 Delivered-To: patch@linaro.org Received: by 2002:a02:735a:0:0:0:0:0 with SMTP id a26csp3994250jae; Tue, 8 Jun 2021 11:30:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxx00PQYoLNM/dcdJH8l37Krz8RJdPknI02Tj8zI0BDKH85lwYgry2qXEYSl5bDXl8wdbsj X-Received: by 2002:aa7:d64f:: with SMTP id v15mr26486339edr.255.1623177019494; Tue, 08 Jun 2021 11:30:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623177019; cv=none; d=google.com; s=arc-20160816; b=UMf2SHmGHdJrV1jNB8+Pk2JRUpC3ULU2dZ19WeVgDEAZ/HaY4VJ1FvVaSDbl1CJ2qa 1bg5M6ICPms3YKGgVi/8bLujsgUSOh1cXFrQ3Bs4o/noGfsox5a0qzu1qKwk2V4YQ72d fBX3jlVQ5X7I/UF8ksV6ZbFVKJ6QZfgR45tTAiunT3f7F3MWn+FbrylY2amGU5J3JrUJ LWqrWLZbiVESWAi2noPHiz4l6XLQAF2aVygAs4r6kMtfdunmxWoONCbHg0SNow6X3WRY zbvj57BmcRrntwiqcpNCnaxPEPC8vOpw642Lday2As8vz0w8NaqpwHk6F7taDEePr5SQ 2PoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=fQlo6ak4GDGJ0MEacg3BDQ2NACjQKOPvwxbcAQUOB3E=; b=jH+8gO5xZDRsWOekC5pAePYBac4b11yrFzSBluDc7UehZFskYrquyuyq2QRVhczu/v aHqPkSzwKF+KeKwkfM1Ll94JQtB2nbpsNGhaBQqDUgFgetiMycgJlnQt1PbvE/JrC15X 9+uG01YpwQ5p9QQ/I6kLIHRQnufapjtKUDPkaClTmGdzSqBQnIF7dFFQYx4/nvq9Xu8Z 8sd5Uoc3e7h+33ElqQEYb4gCCGOEQkSYtHG65QjPuW3/H3LG576PKo33Vfl7+LFV0SHz JuYh+9X17mWjHHpcu6ZbwJcD8VMR7rKCCyfKUILK36m2pmx9psAaUcBReWo9ucJOc1vl JXdQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Vp7BR5AT; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e17si416787ejm.271.2021.06.08.11.30.19; Tue, 08 Jun 2021 11:30:19 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Vp7BR5AT; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234079AbhFHSbE (ORCPT + 12 others); Tue, 8 Jun 2021 14:31:04 -0400 Received: from mail.kernel.org ([198.145.29.99]:55882 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234047AbhFHSbA (ORCPT ); Tue, 8 Jun 2021 14:31:00 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3D63961380; Tue, 8 Jun 2021 18:29:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176947; bh=cq+BDAlz6yVWbPDX5SFSPBUVhukvOyz3I7Ra/jMwicA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Vp7BR5ATi7ASXlvAm6lGReEU36zKnbGK/Gz+gQWdwIzBl4nGkBmisG/j9FoKnR4qh S8JgT+DYVzzVBV8EohGkM5kNxeeSy1+ZWC27D/7twIQ1ok0r6irAr7bE8d6b2/BLQD 0+8LPlXSewAkn06nmcWhz0BWIgYzojtDQ9euRmP4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Zhen Lei , Stefan Schmidt , Sasha Levin Subject: [PATCH 4.4 07/23] ieee802154: fix error return code in ieee802154_add_iface() Date: Tue, 8 Jun 2021 20:26:59 +0200 Message-Id: <20210608175926.783295651@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Zhen Lei [ Upstream commit 79c6b8ed30e54b401c873dbad2511f2a1c525fd5 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: be51da0f3e34 ("ieee802154: Stop using NLA_PUT*().") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210508062517.2574-1-thunder.leizhen@huawei.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin --- net/ieee802154/nl-phy.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -- 2.30.2 diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c index 77d73014bde3..11f53dc0c1c0 100644 --- a/net/ieee802154/nl-phy.c +++ b/net/ieee802154/nl-phy.c @@ -249,8 +249,10 @@ int ieee802154_add_iface(struct sk_buff *skb, struct genl_info *info) } if (nla_put_string(msg, IEEE802154_ATTR_PHY_NAME, wpan_phy_name(phy)) || - nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) + nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) { + rc = -EMSGSIZE; goto nla_put_failure; + } dev_put(dev); wpan_phy_put(phy); From patchwork Tue Jun 8 18:27:00 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457785 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C7540C47082 for ; Tue, 8 Jun 2021 18:29:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B230C613C0 for ; Tue, 8 Jun 2021 18:29:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234152AbhFHSbN (ORCPT ); Tue, 8 Jun 2021 14:31:13 -0400 Received: from mail.kernel.org ([198.145.29.99]:55402 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234073AbhFHSbD (ORCPT ); Tue, 8 Jun 2021 14:31:03 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 7398461352; Tue, 8 Jun 2021 18:29:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176949; bh=x7LfzFnqzNmc4if07anFqfnShHWM0T/wNz8qDWSCL9k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=I3B6S8aGjH8yLIxZ6tGIu2jX4ZHWUKPJ5XVNNFj6N9eiYWn4ly2zLUmDCVQtDyKS1 7w726r7oIouT6HMAFb7naDIQ4frko/Hugcwiv51H/A0wBbS8Gp5O6kInuBnsUZHgl2 kPTjsmdPUXKPx5J9PafYiWgHQL0Ex+3OUcqYJC9o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Wei Yongjun , Stefan Schmidt , Sasha Levin Subject: [PATCH 4.4 08/23] ieee802154: fix error return code in ieee802154_llsec_getparams() Date: Tue, 8 Jun 2021 20:27:00 +0200 Message-Id: <20210608175926.812165445@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Wei Yongjun [ Upstream commit 373e864cf52403b0974c2f23ca8faf9104234555 ] Fix to return negative error code -ENOBUFS from the error handling case instead of 0, as done elsewhere in this function. Fixes: 3e9c156e2c21 ("ieee802154: add netlink interfaces for llsec") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Link: https://lore.kernel.org/r/20210519141614.3040055-1-weiyongjun1@huawei.com Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin --- net/ieee802154/nl-mac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ieee802154/nl-mac.c b/net/ieee802154/nl-mac.c index 76691a07a2e0..fe31df8dc804 100644 --- a/net/ieee802154/nl-mac.c +++ b/net/ieee802154/nl-mac.c @@ -685,8 +685,10 @@ int ieee802154_llsec_getparams(struct sk_buff *skb, struct genl_info *info) nla_put_u8(msg, IEEE802154_ATTR_LLSEC_SECLEVEL, params.out_level) || nla_put_u32(msg, IEEE802154_ATTR_LLSEC_FRAME_COUNTER, be32_to_cpu(params.frame_counter)) || - ieee802154_llsec_fill_key_id(msg, ¶ms.out_key)) + ieee802154_llsec_fill_key_id(msg, ¶ms.out_key)) { + rc = -ENOBUFS; goto out_free; + } dev_put(dev); From patchwork Tue Jun 8 18:27:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 456763 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2B248C47082 for ; Tue, 8 Jun 2021 18:29:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0E4E5613C8 for ; Tue, 8 Jun 2021 18:29:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234203AbhFHSbm (ORCPT ); Tue, 8 Jun 2021 14:31:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:56008 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234164AbhFHSbS (ORCPT ); Tue, 8 Jun 2021 14:31:18 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id AF6BA613AC; Tue, 8 Jun 2021 18:29:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176952; bh=/1mCeOgaUwamvf5jGFid4iJx7VUU0RlW3DOilkc3oGY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fPeX+qDMkP4X0J2CdfSBeAamGUK7kJaPCeDc/EQCufi2wwQMdzoJb+0CL8ESSBBbe cXliuweT/QkkYSbMdnuqSnyc/U06v02kA40dG0foWOh05lvOBJYO/NKFdWN1m0vtn4 HUWqqNzhWmEirz2722frBz9vu9Fh/jTCaeIlvFDs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , "David S. Miller" , Jakub Kicinski , linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, Lin Ma , Hao Xiong Subject: [PATCH 4.4 09/23] Bluetooth: fix the erroneous flush_work() order Date: Tue, 8 Jun 2021 20:27:01 +0200 Message-Id: <20210608175926.842991911@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Lin Ma commit 6a137caec23aeb9e036cdfd8a46dd8a366460e5d upstream. In the cleanup routine for failed initialization of HCI device, the flush_work(&hdev->rx_work) need to be finished before the flush_work(&hdev->cmd_work). Otherwise, the hci_rx_work() can possibly invoke new cmd_work and cause a bug, like double free, in late processings. This was assigned CVE-2021-3564. This patch reorder the flush_work() to fix this bug. Cc: Marcel Holtmann Cc: Johan Hedberg Cc: Luiz Augusto von Dentz Cc: "David S. Miller" Cc: Jakub Kicinski Cc: linux-bluetooth@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Lin Ma Signed-off-by: Hao Xiong Cc: stable Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -1555,8 +1555,13 @@ static int hci_dev_do_open(struct hci_de } else { /* Init failed, cleanup */ flush_work(&hdev->tx_work); - flush_work(&hdev->cmd_work); + + /* Since hci_rx_work() is possible to awake new cmd_work + * it should be flushed first to avoid unexpected call of + * hci_cmd_work() + */ flush_work(&hdev->rx_work); + flush_work(&hdev->cmd_work); skb_queue_purge(&hdev->cmd_q); skb_queue_purge(&hdev->rx_q); From patchwork Tue Jun 8 18:27:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 456764 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 96C15C47082 for ; Tue, 8 Jun 2021 18:29:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 76F74613BC for ; Tue, 8 Jun 2021 18:29:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234185AbhFHSbg (ORCPT ); Tue, 8 Jun 2021 14:31:36 -0400 Received: from mail.kernel.org ([198.145.29.99]:56050 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234080AbhFHSbQ (ORCPT ); Tue, 8 Jun 2021 14:31:16 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id A64F361376; Tue, 8 Jun 2021 18:29:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176955; bh=A+DZCjXPfi97Jinuv2jEb/Uori/2GdOrM4dRbAtzaKA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QRWizZq18BQUky/UbcvsVF8CG14iiWGnxZ96VDKgBiNQKsXOzsqVfiohHLash4kZv b3jXP9o6OBKkWt01WuB2qlXPbYqny6n6W5h0mG5sFlq3PYkSqxRVGRyP46LZUjkqDw RFADpZI93+D83WHh+nNcbU/ULN4FNG10sIoNPg2M= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lin Ma , Marcel Holtmann Subject: [PATCH 4.4 10/23] Bluetooth: use correct lock to prevent UAF of hdev object Date: Tue, 8 Jun 2021 20:27:02 +0200 Message-Id: <20210608175926.875027457@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Lin Ma commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream. The hci_sock_dev_event() function will cleanup the hdev object for sockets even if this object may still be in used within the hci_sock_bound_ioctl() function, result in UAF vulnerability. This patch replace the BH context lock to serialize these affairs and prevent the race condition. Signed-off-by: Lin Ma Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_sock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -483,7 +483,7 @@ void hci_sock_dev_event(struct hci_dev * /* Detach sockets from device */ read_lock(&hci_sk_list.lock); sk_for_each(sk, &hci_sk_list.head) { - bh_lock_sock_nested(sk); + lock_sock(sk); if (hci_pi(sk)->hdev == hdev) { hci_pi(sk)->hdev = NULL; sk->sk_err = EPIPE; @@ -492,7 +492,7 @@ void hci_sock_dev_event(struct hci_dev * hci_dev_put(hdev); } - bh_unlock_sock(sk); + release_sock(sk); } read_unlock(&hci_sk_list.lock); } From patchwork Tue Jun 8 18:27:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457790 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EAA5EC47082 for ; Tue, 8 Jun 2021 18:28:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D3CA4613AE for ; Tue, 8 Jun 2021 18:28:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233625AbhFHSan (ORCPT ); Tue, 8 Jun 2021 14:30:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:55062 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233372AbhFHSam (ORCPT ); Tue, 8 Jun 2021 14:30:42 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 9163C61380; Tue, 8 Jun 2021 18:28:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176917; bh=rsED8s3r44/lFHHL2PzzG5LOJomieDVl4CR1CyvZD0c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mGi/fFnk6q055ZrQk8zJlVMiyl8djwLrYnLJJ4vXnP+i13dPPD4LKUHtwpuJLpx+P yV8eVILLXELtTrCKsB73SKbJ5+ZfRvCN5IcEofKcGKD8SIAx6HjesbKgGS+A0I+jp9 Ug9Ac6yG/Tts/Esy3JtiFoAydJCoUl8m59Qphe4E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , "David S. Miller" Subject: [PATCH 4.4 11/23] net: caif: added cfserl_release function Date: Tue, 8 Jun 2021 20:27:03 +0200 Message-Id: <20210608175926.905795153@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Pavel Skripkin commit bce130e7f392ddde8cfcb09927808ebd5f9c8669 upstream. Added cfserl_release() function. Cc: stable@vger.kernel.org Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- include/net/caif/cfserl.h | 1 + net/caif/cfserl.c | 5 +++++ 2 files changed, 6 insertions(+) --- a/include/net/caif/cfserl.h +++ b/include/net/caif/cfserl.h @@ -9,4 +9,5 @@ #include struct cflayer *cfserl_create(int instance, bool use_stx); +void cfserl_release(struct cflayer *layer); #endif --- a/net/caif/cfserl.c +++ b/net/caif/cfserl.c @@ -31,6 +31,11 @@ static int cfserl_transmit(struct cflaye static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl, int phyid); +void cfserl_release(struct cflayer *layer) +{ + kfree(layer); +} + struct cflayer *cfserl_create(int instance, bool use_stx) { struct cfserl *this = kzalloc(sizeof(struct cfserl), GFP_ATOMIC); From patchwork Tue Jun 8 18:27:04 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 456768 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C95B6C4743E for ; Tue, 8 Jun 2021 18:28:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B239C613B9 for ; Tue, 8 Jun 2021 18:28:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233770AbhFHSat (ORCPT ); Tue, 8 Jun 2021 14:30:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:55088 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233801AbhFHSas (ORCPT ); Tue, 8 Jun 2021 14:30:48 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 38175613AC; Tue, 8 Jun 2021 18:28:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176919; bh=dOmcRJm6Y37kvcI1vAX4/vWOo7WEzddVyjrsNS8JqB4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zYsly73oRz6dIcIniWEK8BU7556j+W4yjwBzPM0I5uP9ChA2TYeMcZDLrJdl0R4l4 1bxAIBhey9ryAD4RTbubLzTxmPcni92iIh94f6MWOyV5gA70V52ChNDIU+dlyukpqc 9rASPXZbOigBrJwAPxqDil5NkjXEwPcKHyaW7pBI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , "David S. Miller" Subject: [PATCH 4.4 12/23] net: caif: add proper error handling Date: Tue, 8 Jun 2021 20:27:04 +0200 Message-Id: <20210608175926.937231084@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Pavel Skripkin commit a2805dca5107d5603f4bbc027e81e20d93476e96 upstream. caif_enroll_dev() can fail in some cases. Ingnoring these cases can lead to memory leak due to not assigning link_support pointer to anywhere. Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll") Cc: stable@vger.kernel.org Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- include/net/caif/caif_dev.h | 2 +- include/net/caif/cfcnfg.h | 2 +- net/caif/caif_dev.c | 8 +++++--- net/caif/cfcnfg.c | 16 +++++++++++----- 4 files changed, 18 insertions(+), 10 deletions(-) --- a/include/net/caif/caif_dev.h +++ b/include/net/caif/caif_dev.h @@ -119,7 +119,7 @@ void caif_free_client(struct cflayer *ad * The link_support layer is used to add any Link Layer specific * framing. */ -void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, +int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, struct cflayer *link_support, int head_room, struct cflayer **layer, int (**rcv_func)( struct sk_buff *, struct net_device *, --- a/include/net/caif/cfcnfg.h +++ b/include/net/caif/cfcnfg.h @@ -62,7 +62,7 @@ void cfcnfg_remove(struct cfcnfg *cfg); * @fcs: Specify if checksum is used in CAIF Framing Layer. * @head_room: Head space needed by link specific protocol. */ -void +int cfcnfg_add_phy_layer(struct cfcnfg *cnfg, struct net_device *dev, struct cflayer *phy_layer, enum cfcnfg_phy_preference pref, --- a/net/caif/caif_dev.c +++ b/net/caif/caif_dev.c @@ -303,7 +303,7 @@ static void dev_flowctrl(struct net_devi caifd_put(caifd); } -void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, +int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, struct cflayer *link_support, int head_room, struct cflayer **layer, int (**rcv_func)(struct sk_buff *, struct net_device *, @@ -314,11 +314,12 @@ void caif_enroll_dev(struct net_device * enum cfcnfg_phy_preference pref; struct cfcnfg *cfg = get_cfcnfg(dev_net(dev)); struct caif_device_entry_list *caifdevs; + int res; caifdevs = caif_device_list(dev_net(dev)); caifd = caif_device_alloc(dev); if (!caifd) - return; + return -ENOMEM; *layer = &caifd->layer; spin_lock_init(&caifd->flow_lock); @@ -340,7 +341,7 @@ void caif_enroll_dev(struct net_device * sizeof(caifd->layer.name) - 1); caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0; caifd->layer.transmit = transmit; - cfcnfg_add_phy_layer(cfg, + res = cfcnfg_add_phy_layer(cfg, dev, &caifd->layer, pref, @@ -350,6 +351,7 @@ void caif_enroll_dev(struct net_device * mutex_unlock(&caifdevs->lock); if (rcv_func) *rcv_func = receive; + return res; } EXPORT_SYMBOL(caif_enroll_dev); --- a/net/caif/cfcnfg.c +++ b/net/caif/cfcnfg.c @@ -455,7 +455,7 @@ unlock: rcu_read_unlock(); } -void +int cfcnfg_add_phy_layer(struct cfcnfg *cnfg, struct net_device *dev, struct cflayer *phy_layer, enum cfcnfg_phy_preference pref, @@ -464,7 +464,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg { struct cflayer *frml; struct cfcnfg_phyinfo *phyinfo = NULL; - int i; + int i, res = 0; u8 phyid; mutex_lock(&cnfg->lock); @@ -478,12 +478,15 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg goto got_phyid; } pr_warn("Too many CAIF Link Layers (max 6)\n"); + res = -EEXIST; goto out; got_phyid: phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC); - if (!phyinfo) + if (!phyinfo) { + res = -ENOMEM; goto out_err; + } phy_layer->id = phyid; phyinfo->pref = pref; @@ -497,8 +500,10 @@ got_phyid: frml = cffrml_create(phyid, fcs); - if (!frml) + if (!frml) { + res = -ENOMEM; goto out_err; + } phyinfo->frm_layer = frml; layer_set_up(frml, cnfg->mux); @@ -516,11 +521,12 @@ got_phyid: list_add_rcu(&phyinfo->node, &cnfg->phys); out: mutex_unlock(&cnfg->lock); - return; + return res; out_err: kfree(phyinfo); mutex_unlock(&cnfg->lock); + return res; } EXPORT_SYMBOL(cfcnfg_add_phy_layer); From patchwork Tue Jun 8 18:27:05 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457792 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CDA99C47082 for ; Tue, 8 Jun 2021 18:28:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B438C613B9 for ; Tue, 8 Jun 2021 18:28:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232997AbhFHSag (ORCPT ); Tue, 8 Jun 2021 14:30:36 -0400 Received: from mail.kernel.org ([198.145.29.99]:55110 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232946AbhFHSaf (ORCPT ); Tue, 8 Jun 2021 14:30:35 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 7360C613B9; Tue, 8 Jun 2021 18:28:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176922; bh=3HOKnaVi71YUI+jEO9hylFIiLEbQbbKztLrOt1LrGG4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=q5DvVggoWdzREflohutcENbmvO6qoNHMPuM75V0eqleiVu1pDTI0T20K0bJqwtlHg +u30q3e9PVF73Dl6n/jkghZVpSJHXgKRWlfl/rfNu7QCkAmngu52OKa/v4e6zdB75V vKVebnxbEe4OK7l+XisXgv8cxNa+FAJEwiVXPdEo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , "David S. Miller" , syzbot+7ec324747ce876a29db6@syzkaller.appspotmail.com Subject: [PATCH 4.4 13/23] net: caif: fix memory leak in caif_device_notify Date: Tue, 8 Jun 2021 20:27:05 +0200 Message-Id: <20210608175926.969843464@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Pavel Skripkin commit b53558a950a89824938e9811eddfc8efcd94e1bb upstream. In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll") Cc: stable@vger.kernel.org Reported-and-tested-by: syzbot+7ec324747ce876a29db6@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/caif/caif_dev.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/net/caif/caif_dev.c +++ b/net/caif/caif_dev.c @@ -366,6 +366,7 @@ static int caif_device_notify(struct not struct cflayer *layer, *link_support; int head_room = 0; struct caif_device_entry_list *caifdevs; + int res; cfg = get_cfcnfg(dev_net(dev)); caifdevs = caif_device_list(dev_net(dev)); @@ -391,8 +392,10 @@ static int caif_device_notify(struct not break; } } - caif_enroll_dev(dev, caifdev, link_support, head_room, + res = caif_enroll_dev(dev, caifdev, link_support, head_room, &layer, NULL); + if (res) + cfserl_release(link_support); caifdev->flowctrl = dev_flowctrl; break; From patchwork Tue Jun 8 18:27:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 456771 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1359CC4743D for ; Tue, 8 Jun 2021 18:28:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EA799613B9 for ; Tue, 8 Jun 2021 18:28:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233090AbhFHSai (ORCPT ); Tue, 8 Jun 2021 14:30:38 -0400 Received: from mail.kernel.org ([198.145.29.99]:55134 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232746AbhFHSah (ORCPT ); Tue, 8 Jun 2021 14:30:37 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E8B49613AE; Tue, 8 Jun 2021 18:28:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176924; bh=u/YoHiPNvaOjM6DSUbtCv9cuDvMIjhzS/H0FsmXQYhk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=F5/LnCkLpEHweH/O60HG8Qe1oeFbHrfmTCLAL6IuKzzCrWiOc+DKhI/MguXARH/dz j2ujYOkn126XzU+ghhl5cdJvwTF9DKfrRq9hOyXbOaCzWKJ+sy8amkJvBb0K0cS5Qb Jumsw1QV+grUjpbyvZPh4BCYSx8OdOqY2hOR2pZ0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , "David S. Miller" Subject: [PATCH 4.4 14/23] net: caif: fix memory leak in cfusbl_device_notify Date: Tue, 8 Jun 2021 20:27:06 +0200 Message-Id: <20210608175926.999530831@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Pavel Skripkin commit 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb upstream. In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error. Fixes: 7ad65bf68d70 ("caif: Add support for CAIF over CDC NCM USB interface") Cc: stable@vger.kernel.org Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/caif/caif_usb.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) --- a/net/caif/caif_usb.c +++ b/net/caif/caif_usb.c @@ -116,6 +116,11 @@ static struct cflayer *cfusbl_create(int return (struct cflayer *) this; } +static void cfusbl_release(struct cflayer *layer) +{ + kfree(layer); +} + static struct packet_type caif_usb_type __read_mostly = { .type = cpu_to_be16(ETH_P_802_EX1), }; @@ -128,6 +133,7 @@ static int cfusbl_device_notify(struct n struct cflayer *layer, *link_support; struct usbnet *usbnet; struct usb_device *usbdev; + int res; /* Check whether we have a NCM device, and find its VID/PID. */ if (!(dev->dev.parent && dev->dev.parent->driver && @@ -170,8 +176,11 @@ static int cfusbl_device_notify(struct n if (dev->num_tx_queues > 1) pr_warn("USB device uses more than one tx queue\n"); - caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN, + res = caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN, &layer, &caif_usb_type.func); + if (res) + goto err; + if (!pack_added) dev_add_pack(&caif_usb_type); pack_added = true; @@ -181,6 +190,9 @@ static int cfusbl_device_notify(struct n layer->name[sizeof(layer->name) - 1] = 0; return 0; +err: + cfusbl_release(link_support); + return res; } static struct notifier_block caif_device_notifier = { From patchwork Tue Jun 8 18:27:07 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457791 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37F90C4743E for ; Tue, 8 Jun 2021 18:28:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1ADD6613AE for ; Tue, 8 Jun 2021 18:28:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233337AbhFHSal (ORCPT ); Tue, 8 Jun 2021 14:30:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:55218 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233235AbhFHSaj (ORCPT ); Tue, 8 Jun 2021 14:30:39 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 39B42613BC; Tue, 8 Jun 2021 18:28:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176926; bh=skfRBhuDqDwhe9k4MPq5LuK1GjND8gtF8MVXYQX9T6k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dAKVOaJ6t4LbNtcKLDt4UzZXeYl/tWNRWeSnS0ME903Gv0RKKweWsjVbNHhRK0B38 iMigfKR/IR6NAtluxsqrA1hSLxS5JBi6BddeTbTqfjoAfi88NXUvQ2w0+0fGMDVvt0 Y+QH2rkFAreKq4OqcrwA9n/4vxGyie3hwgnaCoNM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+d102fa5b35335a7e544e@syzkaller.appspotmail.com, Jaroslav Kysela , Takashi Iwai Subject: [PATCH 4.4 15/23] ALSA: timer: Fix master timer notification Date: Tue, 8 Jun 2021 20:27:07 +0200 Message-Id: <20210608175927.029876951@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai commit 9c1fe96bded935369f8340c2ac2e9e189f697d5d upstream. snd_timer_notify1() calls the notification to each slave for a master event, but it passes a wrong event number. It should be +10 offset, corresponding to SNDRV_TIMER_EVENT_MXXX, but it's incorrectly with +100 offset. Casually this was spotted by UBSAN check via syzkaller. Reported-by: syzbot+d102fa5b35335a7e544e@syzkaller.appspotmail.com Reviewed-by: Jaroslav Kysela Cc: Link: https://lore.kernel.org/r/000000000000e5560e05c3bd1d63@google.com Link: https://lore.kernel.org/r/20210602113823.23777-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/timer.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -432,9 +432,10 @@ static void snd_timer_notify1(struct snd return; if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE) return; + event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */ list_for_each_entry(ts, &ti->slave_active_head, active_list) if (ts->ccallback) - ts->ccallback(ts, event + 100, &tstamp, resolution); + ts->ccallback(ts, event, &tstamp, resolution); } /* start/continue a master timer */ From patchwork Tue Jun 8 18:27:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 456769 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E89EC48BCD for ; Tue, 8 Jun 2021 18:28:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 09AA261376 for ; Tue, 8 Jun 2021 18:28:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233570AbhFHSan (ORCPT ); Tue, 8 Jun 2021 14:30:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:55316 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233401AbhFHSam (ORCPT ); Tue, 8 Jun 2021 14:30:42 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id A6210613B9; Tue, 8 Jun 2021 18:28:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176929; bh=Im+tgIBQb4d+XfJ3CKyIfesWZruWc9MkSsKkJ8tJOw0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Aj82g7T9BwE4to7arbJt0js/2tsrf8YcOGLtDtNArEAklDBVSSaEiH1CUVuc8v4ho k0wFHfwqOU5RA2GV4PUh39SWO8q1wpbRH9ZsOnf2yOBRj1FbC8eqjTGsvPFMBIlP/B HmUNv6oFEDknc3o6GTcHtBqpBBCGUp7wLblyNMjo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable@kernel.org, Ye Bin , Jan Kara , Theodore Tso Subject: [PATCH 4.4 16/23] ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed Date: Tue, 8 Jun 2021 20:27:08 +0200 Message-Id: <20210608175927.062615220@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Ye Bin commit 082cd4ec240b8734a82a89ffb890216ac98fec68 upstream. We got follow bug_on when run fsstress with injecting IO fault: [130747.323114] kernel BUG at fs/ext4/extents_status.c:762! [130747.323117] Internal error: Oops - BUG: 0 [#1] SMP ...... [130747.334329] Call trace: [130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4] [130747.334975] ext4_cache_extents+0x64/0xe8 [ext4] [130747.335368] ext4_find_extent+0x300/0x330 [ext4] [130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4] [130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4] [130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4] [130747.336995] ext4_readpage+0x54/0x100 [ext4] [130747.337359] generic_file_buffered_read+0x410/0xae8 [130747.337767] generic_file_read_iter+0x114/0x190 [130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4] [130747.338556] __vfs_read+0x11c/0x188 [130747.338851] vfs_read+0x94/0x150 [130747.339110] ksys_read+0x74/0xf0 This patch's modification is according to Jan Kara's suggestion in: https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/ "I see. Now I understand your patch. Honestly, seeing how fragile is trying to fix extent tree after split has failed in the middle, I would probably go even further and make sure we fix the tree properly in case of ENOSPC and EDQUOT (those are easily user triggerable). Anything else indicates a HW problem or fs corruption so I'd rather leave the extent tree as is and don't try to fix it (which also means we will not create overlapping extents)." Cc: stable@kernel.org Signed-off-by: Ye Bin Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20210506141042.3298679-1-yebin10@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman --- fs/ext4/extents.c | 43 +++++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 20 deletions(-) --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3268,7 +3268,10 @@ static int ext4_split_extent_at(handle_t ext4_ext_mark_unwritten(ex2); err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags); - if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) { + if (err != -ENOSPC && err != -EDQUOT) + goto out; + + if (EXT4_EXT_MAY_ZEROOUT & split_flag) { if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { if (split_flag & EXT4_EXT_DATA_VALID1) { err = ext4_ext_zeroout(inode, ex2); @@ -3294,30 +3297,30 @@ static int ext4_split_extent_at(handle_t ext4_ext_pblock(&orig_ex)); } - if (err) - goto fix_extent_len; - /* update the extent length and mark as initialized */ - ex->ee_len = cpu_to_le16(ee_len); - ext4_ext_try_to_merge(handle, inode, path, ex); - err = ext4_ext_dirty(handle, inode, path + path->p_depth); - if (err) - goto fix_extent_len; - - /* update extent status tree */ - err = ext4_zeroout_es(inode, &zero_ex); - - goto out; - } else if (err) - goto fix_extent_len; - -out: - ext4_ext_show_leaf(inode, path); - return err; + if (!err) { + /* update the extent length and mark as initialized */ + ex->ee_len = cpu_to_le16(ee_len); + ext4_ext_try_to_merge(handle, inode, path, ex); + err = ext4_ext_dirty(handle, inode, path + path->p_depth); + if (!err) + /* update extent status tree */ + err = ext4_zeroout_es(inode, &zero_ex); + /* If we failed at this point, we don't know in which + * state the extent tree exactly is so don't try to fix + * length of the original extent as it may do even more + * damage. + */ + goto out; + } + } fix_extent_len: ex->ee_len = orig_ex.ee_len; ext4_ext_dirty(handle, inode, path + path->p_depth); return err; +out: + ext4_ext_show_leaf(inode, path); + return err; } /* From patchwork Tue Jun 8 18:27:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 455785 Delivered-To: patch@linaro.org Received: by 2002:a02:735a:0:0:0:0:0 with SMTP id a26csp3994225jae; Tue, 8 Jun 2021 11:30:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxbxdRklbTujdXUNweGwMQljJjtYkXC8+017gTum6gYx8pMIr1j9LH9SiVW1ztE0qB7nzC0 X-Received: by 2002:a17:906:f0a:: with SMTP id z10mr25465356eji.115.1623177018069; Tue, 08 Jun 2021 11:30:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623177018; cv=none; d=google.com; s=arc-20160816; b=l2CBvz5b6kHIwrnWuA6valVrm8yIo8501tymazCADlbiShAAAjGzuYd6WWOndkZkqN 9epT2BsePXgTmVmoEOYqm0O1MKuzfNEopAuBUgkPlUKIttzv6CP4QudVbKc+NT3QW13u zj/76M0rEV3m1HnUq455L0SKf0jW2CWhwRElz+BNo129s/FdiWLj2L3D4cPVOr8eoP/n tZJvhMix1gMmpdjRwM3evjdbEZDYGYjhrIEDzWVoL7hkP/MKQpwzkjHTYBd3lhsVCoYt oVSTu18Fs4OZLsj2/ZqtrnA6rpNAu/LlsknlDuf25eUvLYmVFVJERF00SNdsD49fpOcm YLKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=d/BEheMCsp6tJvvkj+v6SByswLS1bXNcE/OQrqGx5q0=; b=E127aQfdmlm0Ljew2O/2ShYPHqs6vVr97qAJJG9Xt5rexntCLQtAjkmNTF0wyJaP01 pG4Z09bFDpIo2a86oR8xoH2H9qPou5WNBHQUleMm2eCnddCpyqf/BPgQX9XPrAxvG40L p7WlaXTGfe24RzvCXqd4Eouu15RpJ83T6IUkStB/ZSEk+5teJQ6GIjML01aLg+P4jMT2 9Wcmq4XODGzp1VbR5euEUHyb96BhR1bAweG2R0Li61u7xh3HFoggTtHR31CxcES1ZAw6 DAUX43CgpXIESMJC+KkZyeFLR1zrbDS5QyKWeTAJEAjY4n63wH1w3btRFXmBJkrV1Rhh aWAA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=w1Gd6+tu; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e17si416787ejm.271.2021.06.08.11.30.17; Tue, 08 Jun 2021 11:30:18 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=w1Gd6+tu; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234069AbhFHSbC (ORCPT + 12 others); Tue, 8 Jun 2021 14:31:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:55402 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234043AbhFHSbA (ORCPT ); Tue, 8 Jun 2021 14:31:00 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C6168613BD; Tue, 8 Jun 2021 18:28:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176931; bh=hv6Cx92D1GhxtqEGoD/jG1K/qYa0/KEHnH+Wp3T4aHA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=w1Gd6+tuCk/YQkkGwJubxh1knH/beaRQmeaTV0fTGSFiGp3dr4mGF4hTmG/EjqmvN 1ex562SpfhmmRoFgg/LiViA3WhMRg3Qlcyf4wrjxYLgz/8bNHUTS6UBH3wDfuiWBD8 DJLUOQfXu9+NiAirJF36uZRGZ6/mt3Sy+TAr7WYs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mark Rutland , Christian Brauner , Cedric Le Goater , Christian Brauner , "Eric W. Biederman" , Martin Schwidefsky , Paul Mackerras , Andrew Morton , Linus Torvalds Subject: [PATCH 4.4 17/23] pid: take a reference when initializing `cad_pid` Date: Tue, 8 Jun 2021 20:27:09 +0200 Message-Id: <20210608175927.095013842@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Mark Rutland commit 0711f0d7050b9e07c44bc159bbc64ac0a1022c7f upstream. During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`. Full KASAN splat below. ================================================================== BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline] BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273 CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1 Hardware name: linux,dummy-virt (DT) Call trace: ns_of_pid include/linux/pid.h:153 [inline] task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 do_notify_parent+0x308/0xe60 kernel/signal.c:1950 exit_notify kernel/exit.c:682 [inline] do_exit+0x2334/0x2bd0 kernel/exit.c:845 do_group_exit+0x108/0x2c8 kernel/exit.c:922 get_signal+0x4e4/0x2a88 kernel/signal.c:2781 do_signal arch/arm64/kernel/signal.c:882 [inline] do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936 work_pending+0xc/0x2dc Allocated by task 0: slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920 alloc_pid+0xdc/0xc00 kernel/pid.c:180 copy_process+0x2794/0x5e18 kernel/fork.c:2129 kernel_clone+0x194/0x13c8 kernel/fork.c:2500 kernel_thread+0xd4/0x110 kernel/fork.c:2552 rest_init+0x44/0x4a0 init/main.c:687 arch_call_rest_init+0x1c/0x28 start_kernel+0x520/0x554 init/main.c:1064 0x0 Freed by task 270: slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kmem_cache_free+0x224/0x8e0 mm/slub.c:3177 put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114 put_pid+0x30/0x48 kernel/pid.c:109 proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401 proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591 proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x3ac/0x510 fs/read_write.c:518 vfs_write fs/read_write.c:605 [inline] vfs_write+0x9c4/0x1018 fs/read_write.c:585 ksys_write+0x124/0x240 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __arm64_sys_write+0x78/0xb0 fs/read_write.c:667 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168 el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432 el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701 The buggy address belongs to the object at ffff23794dda0000 which belongs to the cache pid of size 224 The buggy address is located 4 bytes inside of 224-byte region [ffff23794dda0000, ffff23794dda00e0) The buggy address belongs to the page: page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4dda0 head:(____ptrval____) order:1 compound_mapcount:0 flags: 0x3fffc0000010200(slab|head) raw: 03fffc0000010200 dead000000000100 dead000000000122 ffff23794d40d080 raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff23794dd9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff23794dd9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff23794dda0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff23794dda0080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff23794dda0100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ================================================================== Link: https://lkml.kernel.org/r/20210524172230.38715-1-mark.rutland@arm.com Fixes: 9ec52099e4b8678a ("[PATCH] replace cad_pid by a struct pid") Signed-off-by: Mark Rutland Acked-by: Christian Brauner Cc: Cedric Le Goater Cc: Christian Brauner Cc: Eric W. Biederman Cc: Kees Cook Cc: Paul Mackerras Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- init/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/init/main.c +++ b/init/main.c @@ -997,7 +997,7 @@ static noinline void __init kernel_init_ */ set_cpus_allowed_ptr(current, cpu_all_mask); - cad_pid = task_pid(current); + cad_pid = get_pid(task_pid(current)); smp_prepare_cpus(setup_max_cpus); From patchwork Tue Jun 8 18:27:10 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457789 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 71887C4743D for ; Tue, 8 Jun 2021 18:28:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5CBAC613BF for ; Tue, 8 Jun 2021 18:28:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233355AbhFHSar (ORCPT ); Tue, 8 Jun 2021 14:30:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:55444 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233642AbhFHSar (ORCPT ); Tue, 8 Jun 2021 14:30:47 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 0D78961380; Tue, 8 Jun 2021 18:28:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176933; bh=Baws95ltPI1dAH6Mq25BiK4aXjq113FeFOTIO0ZzuyM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=v5Kgs89DrdhzpG3s4+dHIQq5K+anJymhmIILEMmH8MLpUVGB4YJAFhj0jzU0XpEdZ GHFa3TDTrldX0N42ycGU/aFj8kDqowNRzl3XmNLjiRviiD/jtN62mRjfFX5TiPYdAF ET7kfV6UpVSTxblH8svvFGrtoBnTmyjpNEIBOh34= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Junxiao Bi , Joseph Qi , Jan Kara , Mark Fasheh , Joel Becker , Changwei Ge , Gang He , Jun Piao , Andrew Morton , Linus Torvalds Subject: [PATCH 4.4 18/23] ocfs2: fix data corruption by fallocate Date: Tue, 8 Jun 2021 20:27:10 +0200 Message-Id: <20210608175927.125657530@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Junxiao Bi commit 6bba4471f0cc1296fe3c2089b9e52442d3074b2e upstream. When fallocate punches holes out of inode size, if original isize is in the middle of last cluster, then the part from isize to the end of the cluster will be zeroed with buffer write, at that time isize is not yet updated to match the new size, if writeback is kicked in, it will invoke ocfs2_writepage()->block_write_full_page() where the pages out of inode size will be dropped. That will cause file corruption. Fix this by zero out eof blocks when extending the inode size. Running the following command with qemu-image 4.2.1 can get a corrupted coverted image file easily. qemu-img convert -p -t none -T none -f qcow2 $qcow_image \ -O qcow2 -o compat=1.1 $qcow_image.conv The usage of fallocate in qemu is like this, it first punches holes out of inode size, then extend the inode size. fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0 fallocate(11, 0, 2276196352, 65536) = 0 v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/ Link: https://lkml.kernel.org/r/20210528210648.9124-1-junxiao.bi@oracle.com Signed-off-by: Junxiao Bi Reviewed-by: Joseph Qi Cc: Jan Kara Cc: Mark Fasheh Cc: Joel Becker Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/ocfs2/file.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 50 insertions(+), 5 deletions(-) --- a/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c @@ -1860,6 +1860,45 @@ out: } /* + * zero out partial blocks of one cluster. + * + * start: file offset where zero starts, will be made upper block aligned. + * len: it will be trimmed to the end of current cluster if "start + len" + * is bigger than it. + */ +static int ocfs2_zeroout_partial_cluster(struct inode *inode, + u64 start, u64 len) +{ + int ret; + u64 start_block, end_block, nr_blocks; + u64 p_block, offset; + u32 cluster, p_cluster, nr_clusters; + struct super_block *sb = inode->i_sb; + u64 end = ocfs2_align_bytes_to_clusters(sb, start); + + if (start + len < end) + end = start + len; + + start_block = ocfs2_blocks_for_bytes(sb, start); + end_block = ocfs2_blocks_for_bytes(sb, end); + nr_blocks = end_block - start_block; + if (!nr_blocks) + return 0; + + cluster = ocfs2_bytes_to_clusters(sb, start); + ret = ocfs2_get_clusters(inode, cluster, &p_cluster, + &nr_clusters, NULL); + if (ret) + return ret; + if (!p_cluster) + return 0; + + offset = start_block - ocfs2_clusters_to_blocks(sb, cluster); + p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset; + return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS); +} + +/* * Parts of this function taken from xfs_change_file_space() */ static int __ocfs2_change_file_space(struct file *file, struct inode *inode, @@ -1869,7 +1908,7 @@ static int __ocfs2_change_file_space(str { int ret; s64 llen; - loff_t size; + loff_t size, orig_isize; struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); struct buffer_head *di_bh = NULL; handle_t *handle; @@ -1900,6 +1939,7 @@ static int __ocfs2_change_file_space(str goto out_inode_unlock; } + orig_isize = i_size_read(inode); switch (sr->l_whence) { case 0: /*SEEK_SET*/ break; @@ -1907,7 +1947,7 @@ static int __ocfs2_change_file_space(str sr->l_start += f_pos; break; case 2: /*SEEK_END*/ - sr->l_start += i_size_read(inode); + sr->l_start += orig_isize; break; default: ret = -EINVAL; @@ -1961,6 +2001,14 @@ static int __ocfs2_change_file_space(str default: ret = -EINVAL; } + + /* zeroout eof blocks in the cluster. */ + if (!ret && change_size && orig_isize < size) { + ret = ocfs2_zeroout_partial_cluster(inode, orig_isize, + size - orig_isize); + if (!ret) + i_size_write(inode, size); + } up_write(&OCFS2_I(inode)->ip_alloc_sem); if (ret) { mlog_errno(ret); @@ -1977,9 +2025,6 @@ static int __ocfs2_change_file_space(str goto out_inode_unlock; } - if (change_size && i_size_read(inode) < size) - i_size_write(inode, size); - inode->i_ctime = inode->i_mtime = CURRENT_TIME; ret = ocfs2_mark_inode_dirty(handle, inode, di_bh); if (ret < 0) From patchwork Tue Jun 8 18:27:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457788 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1B4BDC4743F for ; Tue, 8 Jun 2021 18:28:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0080D613D2 for ; Tue, 8 Jun 2021 18:28:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233847AbhFHSau (ORCPT ); Tue, 8 Jun 2021 14:30:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:55528 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233823AbhFHSat (ORCPT ); Tue, 8 Jun 2021 14:30:49 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id BFC2D613B9; Tue, 8 Jun 2021 18:28:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176936; bh=BjwMVZV29dd47sjI8xClz0qNUCf6RXp1w1uXhyzZKOU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UjK/iCUDPFQDLqStDVM8KencZGvDz+fUy/CyF0KT09PywTHX5dBRlNhD+wcba22l9 eHrCVonHxjkqnT+7iWGtqxt2LJb1ehPEtaq8JarMuSTesyS2c+nZJP/LBCDfMPYUyI VBJF5NhpP5F/ZJk6MHJCQBeg1yVW3QyI1fSxWUTQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+80fb126e7f7d8b1a5914@syzkaller.appspotmail.com, butt3rflyh4ck , Krzysztof Kozlowski , Jakub Kicinski Subject: [PATCH 4.4 19/23] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect Date: Tue, 8 Jun 2021 20:27:11 +0200 Message-Id: <20210608175927.156677615@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Krzysztof Kozlowski commit 4ac06a1e013cf5fdd963317ffd3b968560f33bba upstream. It's possible to trigger NULL pointer dereference by local unprivileged user, when calling getsockname() after failed bind() (e.g. the bind fails because LLCP_SAP_MAX used as SAP): BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 1 PID: 426 Comm: llcp_sock_getna Not tainted 5.13.0-rc2-next-20210521+ #9 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014 Call Trace: llcp_sock_getname+0xb1/0xe0 __sys_getpeername+0x95/0xc0 ? lockdep_hardirqs_on_prepare+0xd5/0x180 ? syscall_enter_from_user_mode+0x1c/0x40 __x64_sys_getpeername+0x11/0x20 do_syscall_64+0x36/0x70 entry_SYSCALL_64_after_hwframe+0x44/0xae This can be reproduced with Syzkaller C repro (bind followed by getpeername): https://syzkaller.appspot.com/x/repro.c?x=14def446e00000 Cc: Fixes: d646960f7986 ("NFC: Initial LLCP support") Reported-by: syzbot+80fb126e7f7d8b1a5914@syzkaller.appspotmail.com Reported-by: butt3rflyh4ck Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210531072138.5219-1-krzysztof.kozlowski@canonical.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/nfc/llcp_sock.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -121,6 +121,7 @@ static int llcp_sock_bind(struct socket if (!llcp_sock->service_name) { nfc_llcp_local_put(llcp_sock->local); llcp_sock->local = NULL; + llcp_sock->dev = NULL; ret = -ENOMEM; goto put_dev; } @@ -130,6 +131,7 @@ static int llcp_sock_bind(struct socket llcp_sock->local = NULL; kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; + llcp_sock->dev = NULL; ret = -EADDRINUSE; goto put_dev; } From patchwork Tue Jun 8 18:27:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457780 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id ED0BEC4743F for ; Tue, 8 Jun 2021 18:30:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D6BA4613CA for ; Tue, 8 Jun 2021 18:30:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234313AbhFHScB (ORCPT ); Tue, 8 Jun 2021 14:32:01 -0400 Received: from mail.kernel.org ([198.145.29.99]:56318 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234155AbhFHSbe (ORCPT ); Tue, 8 Jun 2021 14:31:34 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C5924613C5; Tue, 8 Jun 2021 18:29:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176967; bh=uP5csr2qifp5imC+lku80earoP3BQ3lVsLP9LVzkjw8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yQXrtd97Jvi/c5ClUA9qcEvbv0TzVx4SuV9ef1QPFZlL1a4SuBeXAiWwahQYN8Whl 1gAHuMaAun/Zk2w6RLmRbiXnIeMf2bO9MTgggDe2Otn+RJhZzsxkvcoX+6cBfr6pSn ACVk52NafUWwTtv6MX3G5oxl/52Wdv5t+i/4z5u8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Josef Bacik , David Sterba Subject: [PATCH 4.4 20/23] btrfs: fixup error handling in fixup_inode_link_counts Date: Tue, 8 Jun 2021 20:27:12 +0200 Message-Id: <20210608175927.187390732@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Josef Bacik commit 011b28acf940eb61c000059dd9e2cfcbf52ed96b upstream. This function has the following pattern while (1) { ret = whatever(); if (ret) goto out; } ret = 0 out: return ret; However several places in this while loop we simply break; when there's a problem, thus clearing the return value, and in one case we do a return -EIO, and leak the memory for the path. Fix this by re-arranging the loop to deal with ret == 1 coming from btrfs_search_slot, and then simply delete the ret = 0; out: bit so everybody can break if there is an error, which will allow for proper error handling to occur. CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/tree-log.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -1511,6 +1511,7 @@ static noinline int fixup_inode_link_cou break; if (ret == 1) { + ret = 0; if (path->slots[0] == 0) break; path->slots[0]--; @@ -1523,17 +1524,19 @@ static noinline int fixup_inode_link_cou ret = btrfs_del_item(trans, root, path); if (ret) - goto out; + break; btrfs_release_path(path); inode = read_one_inode(root, key.offset); - if (!inode) - return -EIO; + if (!inode) { + ret = -EIO; + break; + } ret = fixup_inode_link_count(trans, root, inode); iput(inode); if (ret) - goto out; + break; /* * fixup on a directory may create new entries, @@ -1542,8 +1545,6 @@ static noinline int fixup_inode_link_cou */ key.offset = (u64)-1; } - ret = 0; -out: btrfs_release_path(path); return ret; } From patchwork Tue Jun 8 18:27:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457782 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DFB75C47082 for ; Tue, 8 Jun 2021 18:29:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C5FBF613C8 for ; Tue, 8 Jun 2021 18:29:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234225AbhFHSbs (ORCPT ); Tue, 8 Jun 2021 14:31:48 -0400 Received: from mail.kernel.org ([198.145.29.99]:56134 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234131AbhFHSb0 (ORCPT ); Tue, 8 Jun 2021 14:31:26 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 5C4BD61352; Tue, 8 Jun 2021 18:29:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176960; bh=Dqzs51n09CBzyeBLLoDNn/q8ALuPLbQcOST6ertR6kQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vT866J9fe9VqdtkBtyJGwliPQYKPUWbsf1FEUco/AsICDyr37wFT59UDrPOc+ihhc eE0tgo5DVrRtOYUspPOluC5uoStHIg4E1tdYN8uogPWeAPF/YirCD+Va+lSBPgZJuo 3tQS1dOvAKPFaOH9peEnfXuk8SjvrJl3E/jiXYco= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sean Christopherson , Paolo Bonzini , Sudip Mukherjee Subject: [PATCH 4.4 21/23] KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode Date: Tue, 8 Jun 2021 20:27:13 +0200 Message-Id: <20210608175927.219476997@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Sean Christopherson commit 0884335a2e653b8a045083aa1d57ce74269ac81d upstream. Drop bits 63:32 on loads/stores to/from DRs and CRs when the vCPU is not in 64-bit mode. The APM states bits 63:32 are dropped for both DRs and CRs: In 64-bit mode, the operand size is fixed at 64 bits without the need for a REX prefix. In non-64-bit mode, the operand size is fixed at 32 bits and the upper 32 bits of the destination are forced to 0. Fixes: 7ff76d58a9dc ("KVM: SVM: enhance MOV CR intercept handler") Fixes: cae3797a4639 ("KVM: SVM: enhance mov DR intercept handler") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20210422022128.3464144-4-seanjc@google.com> Signed-off-by: Paolo Bonzini [sudip: manual backport to old file] Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/svm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -2927,7 +2927,7 @@ static int cr_interception(struct vcpu_s err = 0; if (cr >= 16) { /* mov to cr */ cr -= 16; - val = kvm_register_read(&svm->vcpu, reg); + val = kvm_register_readl(&svm->vcpu, reg); switch (cr) { case 0: if (!check_selective_cr0_intercepted(svm, val)) @@ -2972,7 +2972,7 @@ static int cr_interception(struct vcpu_s kvm_queue_exception(&svm->vcpu, UD_VECTOR); return 1; } - kvm_register_write(&svm->vcpu, reg, val); + kvm_register_writel(&svm->vcpu, reg, val); } kvm_complete_insn_gp(&svm->vcpu, err); @@ -3004,13 +3004,13 @@ static int dr_interception(struct vcpu_s if (dr >= 16) { /* mov to DRn */ if (!kvm_require_dr(&svm->vcpu, dr - 16)) return 1; - val = kvm_register_read(&svm->vcpu, reg); + val = kvm_register_readl(&svm->vcpu, reg); kvm_set_dr(&svm->vcpu, dr - 16, val); } else { if (!kvm_require_dr(&svm->vcpu, dr)) return 1; kvm_get_dr(&svm->vcpu, dr, &val); - kvm_register_write(&svm->vcpu, reg, val); + kvm_register_writel(&svm->vcpu, reg, val); } skip_emulated_instruction(&svm->vcpu); From patchwork Tue Jun 8 18:27:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 456762 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2B957C47082 for ; Tue, 8 Jun 2021 18:29:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1702A61352 for ; Tue, 8 Jun 2021 18:29:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234107AbhFHSbp (ORCPT ); Tue, 8 Jun 2021 14:31:45 -0400 Received: from mail.kernel.org ([198.145.29.99]:56162 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234106AbhFHSbX (ORCPT ); Tue, 8 Jun 2021 14:31:23 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C1203613BD; Tue, 8 Jun 2021 18:29:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176962; bh=GjZLYadtShdseGMv6xryN9ZrYJlOObDaAjWxe9xYudU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jhlzSwzQR/0U6vakIR4nSlvZTKniZ1uVdsU5Zq/ZeXiuo26mtnUK6DcnFHf3W47mr usmMMkQeIiJr5JJfv44GsVLhAj0Z3rrgT0HXE7iYppyVBZttvu/REVFzpeZhJQaZ2c 0uM81NRtm5/zCH5JB8mgmmbKbTefBPiAu00atPg8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Will Deacon , Michael Weiser , Arnd Bergmann Subject: [PATCH 4.4 22/23] arm64: Remove unimplemented syscall log message Date: Tue, 8 Jun 2021 20:27:14 +0200 Message-Id: <20210608175927.252349365@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Michael Weiser commit 1962682d2b2fbe6cfa995a85c53c069fadda473e upstream. Stop printing a (ratelimited) kernel message for each instance of an unimplemented syscall being called. Userland making an unimplemented syscall is not necessarily misbehaviour and to be expected with a current userland running on an older kernel. Also, the current message looks scary to users but does not actually indicate a real problem nor help them narrow down the cause. Just rely on sys_ni_syscall() to return -ENOSYS. Cc: Acked-by: Will Deacon Signed-off-by: Michael Weiser Signed-off-by: Will Deacon Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman --- arch/arm64/kernel/traps.c | 8 -------- 1 file changed, 8 deletions(-) --- a/arch/arm64/kernel/traps.c +++ b/arch/arm64/kernel/traps.c @@ -381,14 +381,6 @@ asmlinkage long do_ni_syscall(struct pt_ } #endif - if (show_unhandled_signals_ratelimited()) { - pr_info("%s[%d]: syscall %d\n", current->comm, - task_pid_nr(current), (int)regs->syscallno); - dump_instr("", regs); - if (user_mode(regs)) - __show_regs(regs); - } - return sys_ni_syscall(); } From patchwork Tue Jun 8 18:27:15 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 457783 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04170C4743D for ; Tue, 8 Jun 2021 18:29:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E2F8B613CA for ; Tue, 8 Jun 2021 18:29:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234189AbhFHSbh (ORCPT ); Tue, 8 Jun 2021 14:31:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:56244 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234052AbhFHSbR (ORCPT ); Tue, 8 Jun 2021 14:31:17 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 1F37A613BE; Tue, 8 Jun 2021 18:29:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623176964; bh=xVMsWp26lw0ReF/0QrK6B1Ds64/IDcKJGNXPTJopo9E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uvWv+Bd6N2xTOhOw3xhrX2sAMnErmzLmGiDXnWzKQ73NGtJAwr51kMYsZG/izGqoA vBlks+LtgDBBIetgsZCkJcLTaLP8KbOErYlR8vmCqoWtOk1E9epUBTlLgYikoQ4Rsy VCWCPJJUFYLOZeJSalACBP3s3Qw5TpGtEz5Evkh8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jan Beulich , Boris Ostrovsky , Juergen Gross Subject: [PATCH 4.4 23/23] xen-pciback: redo VF placement in the virtual topology Date: Tue, 8 Jun 2021 20:27:15 +0200 Message-Id: <20210608175927.282744265@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175926.524658689@linuxfoundation.org> References: <20210608175926.524658689@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Jan Beulich The commit referenced below was incomplete: It merely affected what would get written to the vdev- xenstore node. The guest would still find the function at the original function number as long as __xen_pcibk_get_pci_dev() wouldn't be in sync. The same goes for AER wrt __xen_pcibk_get_pcifront_dev(). Undo overriding the function to zero and instead make sure that VFs at function zero remain alone in their slot. This has the added benefit of improving overall capacity, considering that there's only a total of 32 slots available right now (PCI segment and bus can both only ever be zero at present). This is upstream commit 4ba50e7c423c29639878c00573288869aa627068. Fixes: 8a5248fe10b1 ("xen PV passthru: assign SR-IOV virtual functions to separate virtual slots") Signed-off-by: Jan Beulich Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/8def783b-404c-3452-196d-3f3fd4d72c9e@suse.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman --- drivers/xen/xen-pciback/vpci.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) --- a/drivers/xen/xen-pciback/vpci.c +++ b/drivers/xen/xen-pciback/vpci.c @@ -68,7 +68,7 @@ static int __xen_pcibk_add_pci_dev(struc struct pci_dev *dev, int devid, publish_pci_dev_cb publish_cb) { - int err = 0, slot, func = -1; + int err = 0, slot, func = PCI_FUNC(dev->devfn); struct pci_dev_entry *t, *dev_entry; struct vpci_dev_data *vpci_dev = pdev->pci_dev_data; @@ -93,23 +93,26 @@ static int __xen_pcibk_add_pci_dev(struc /* * Keep multi-function devices together on the virtual PCI bus, except - * virtual functions. + * that we want to keep virtual functions at func 0 on their own. They + * aren't multi-function devices and hence their presence at func 0 + * may cause guests to not scan the other functions. */ - if (!dev->is_virtfn) { + if (!dev->is_virtfn || func) { for (slot = 0; slot < PCI_SLOT_MAX; slot++) { if (list_empty(&vpci_dev->dev_list[slot])) continue; t = list_entry(list_first(&vpci_dev->dev_list[slot]), struct pci_dev_entry, list); + if (t->dev->is_virtfn && !PCI_FUNC(t->dev->devfn)) + continue; if (match_slot(dev, t->dev)) { pr_info("vpci: %s: assign to virtual slot %d func %d\n", pci_name(dev), slot, - PCI_FUNC(dev->devfn)); + func); list_add_tail(&dev_entry->list, &vpci_dev->dev_list[slot]); - func = PCI_FUNC(dev->devfn); goto unlock; } } @@ -122,7 +125,6 @@ static int __xen_pcibk_add_pci_dev(struc pci_name(dev), slot); list_add_tail(&dev_entry->list, &vpci_dev->dev_list[slot]); - func = dev->is_virtfn ? 0 : PCI_FUNC(dev->devfn); goto unlock; } }