Skip to content
Snippets Groups Projects
  1. Sep 09, 2020
    • Will Deacon's avatar
      media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors · 4240339a
      Will Deacon authored
      commit 68035c80 upstream.
      
      Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked
      up the following WARNING from the UVC chain scanning code:
      
        | list_add double add: new=ffff880069084010, prev=ffff880069084010,
        | next=ffff880067d22298.
        | ------------[ cut here ]------------
        | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
        | Modules linked in:
        | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
        | 4.14.0-rc2-42613-g1488251d1a98 #238
        | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        | Workqueue: usb_hub_wq hub_event
        | task: ffff88006b01ca40 task.stack: ffff880064358000
        | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
        | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286
        | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000
        | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac
        | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000
        | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010
        | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0
        | FS:  0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
        | CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0
        | Call Trace:
        |  __list_add ./include/linux/list.h:59
        |  list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
        |  uvc_scan_chain_forward.isra.8+0x373/0x416
        | drivers/media/usb/uvc/uvc_driver.c:1471
        |  uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
        |  uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
        |  uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
      
      Looking into the output from usbmon, the interesting part is the
      following data packet:
      
        ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080
        00090403 00000e01 00000924 03000103 7c003328 010204db
      
      If we drop the lead configuration and interface descriptors, we're left
      with an output terminal descriptor describing a generic display:
      
        /* Output terminal descriptor */
        buf[0]	09
        buf[1]	24
        buf[2]	03	/* UVC_VC_OUTPUT_TERMINAL */
        buf[3]	00	/* ID */
        buf[4]	01	/* type == 0x0301 (UVC_OTT_DISPLAY) */
        buf[5]	03
        buf[6]	7c
        buf[7]	00	/* source ID refers to self! */
        buf[8]	33
      
      The problem with this descriptor is that it is self-referential: the
      source ID of 0 matches itself! This causes the 'struct uvc_entity'
      representing the display to be added to its chain list twice during
      'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is
      processed directly from the 'dev->entities' list and then again
      immediately afterwards when trying to follow the source ID in
      'uvc_scan_chain_forward()'
      
      Add a check before adding an entity to a chain list to ensure that the
      entity is not already part of a chain.
      
      Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/
      
      
      
      Cc: <stable@vger.kernel.org>
      Fixes: c0efd232 ("V4L/DVB (8145a): USB Video Class driver")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2 tags
      4240339a
  2. Aug 05, 2020
  3. Jul 06, 2020
  4. Jun 05, 2020
    • Jiri Slaby's avatar
      vt: selection, push sel_lock up · 5ace0772
      Jiri Slaby authored
      
      commit e8c75a30 upstream.
      
      sel_lock cannot nest in the console lock. Thanks to syzkaller, the
      kernel states firmly:
      
      > WARNING: possible circular locking dependency detected
      > 5.6.0-rc3-syzkaller #0 Not tainted
      > ------------------------------------------------------
      > syz-executor.4/20336 is trying to acquire lock:
      > ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
      >
      > but task is already holding lock:
      > ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374
      >
      > which lock already depends on the new lock.
      >
      > the existing dependency chain (in reverse order) is:
      >
      > -> #2 (sel_lock){+.+.}:
      >        mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118
      >        set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217
      >        set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181
      >        tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050
      >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364
      
      This is ioctl(TIOCL_SETSEL).
      Locks held on the path: console_lock -> sel_lock
      
      > -> #1 (console_lock){+.+.}:
      >        console_lock+0x46/0x70 kernel/printk/printk.c:2289
      >        con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223
      >        n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350
      >        do_tty_write drivers/tty/tty_io.c:962 [inline]
      >        tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046
      
      This is write().
      Locks held on the path: termios_rwsem -> console_lock
      
      > -> #0 (&tty->termios_rwsem){++++}:
      >        down_write+0x57/0x140 kernel/locking/rwsem.c:1534
      >        tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
      >        mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902
      >        tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465
      >        paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389
      >        tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055
      >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364
      
      This is ioctl(TIOCL_PASTESEL).
      Locks held on the path: sel_lock -> termios_rwsem
      
      > other info that might help us debug this:
      >
      > Chain exists of:
      >   &tty->termios_rwsem --> console_lock --> sel_lock
      
      Clearly. From the above, we have:
       console_lock -> sel_lock
       sel_lock -> termios_rwsem
       termios_rwsem -> console_lock
      
      Fix this by reversing the console_lock -> sel_lock dependency in
      ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock.
      
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Reported-by: default avatar <syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com>
      Fixes: 07e6124a ("vt: selection, close sel_buffer race")
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz
      
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Al Viro's avatar
      do_last(): fetch directory ->i_mode and ->i_uid before it's too late · 7a9cfc0c
      Al Viro authored
      
      commit d0cb5018 upstream.
      
      may_create_in_sticky() call is done when we already have dropped the
      reference to dir.
      
      Fixes: 30aba665 (namei: allow restricted O_CREAT of FIFOs and regular files)
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7a9cfc0c
    • Jiri Slaby's avatar
      vt: selection, push console lock down · 121855e1
      Jiri Slaby authored
      
      commit 4b70dd57 upstream.
      
      We need to nest the console lock in sel_lock, so we have to push it down
      a bit. Fortunately, the callers of set_selection_* just lock the console
      lock around the function call. So moving it down is easy.
      
      In the next patch, we switch the order.
      
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Fixes: 07e6124a ("vt: selection, close sel_buffer race")
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200228115406.5735-1-jslaby@suse.cz
      
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      121855e1
    • Jiri Slaby's avatar
      vt: selection, close sel_buffer race · ea474d24
      Jiri Slaby authored
      
      commit 07e6124a upstream.
      
      syzkaller reported this UAF:
      BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
      Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184
      
      CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
      Call Trace:
      ...
       kasan_report+0xe/0x20 mm/kasan/common.c:634
       n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
       tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461
       paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372
       tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044
       vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364
       tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657
       vfs_ioctl fs/ioctl.c:47 [inline]
      
      It is due to a race between parallel paste_selection (TIOCL_PASTESEL)
      and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer,
      while the other frees it and reallocates a new one for another
      selection. Add a mutex to close this race.
      
      The mutex takes care properly of sel_buffer and sel_buffer_lth only. The
      other selection global variables (like sel_start, sel_end, and sel_cons)
      are protected only in set_selection_user. The other functions need quite
      some more work to close the races of the variables there. This is going
      to happen later.
      
      This likely fixes (I am unsure as there is no reproducer provided) bug
      206361 too. It was marked as CVE-2020-8648.
      
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Reported-by: default avatar <syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com>
      References: https://bugzilla.kernel.org/show_bug.cgi?id=206361
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz
      
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ea474d24
    • Zhang Xiaoxu's avatar
      vgacon: Fix a UAF in vgacon_invert_region · 20c6501c
      Zhang Xiaoxu authored
      
      commit 513dc792 upstream.
      
      When syzkaller tests, there is a UAF:
        BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
          ffff880000100000
        Read of size 2 by task syz-executor.1/16489
        page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
        index:0x0
        page flags: 0xfffff00000000()
        page dumped because: kasan: bad access detected
        CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
        Call Trace:
          [<ffffffffb119f309>] dump_stack+0x1e/0x20
          [<ffffffffb04af957>] kasan_report+0x577/0x950
          [<ffffffffb04ae652>] __asan_load2+0x62/0x80
          [<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
          [<ffffffffb0a39d95>] invert_screen+0xe5/0x470
          [<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
          [<ffffffffb0a3bfae>] tioclinux+0xee/0x490
          [<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
          [<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
          [<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
          [<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
          [<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
          Memory state around the buggy address:
           ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           00 00
           ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
           00 00 00
          >ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
           ff ff ff
      
      It can be reproduce in the linux mainline by the program:
        #include <stdio.h>
        #include <stdlib.h>
        #include <unistd.h>
        #include <fcntl.h>
        #include <sys/types.h>
        #include <sys/stat.h>
        #include <sys/ioctl.h>
        #include <linux/vt.h>
      
        struct tiocl_selection {
          unsigned short xs;      /* X start */
          unsigned short ys;      /* Y start */
          unsigned short xe;      /* X end */
          unsigned short ye;      /* Y end */
          unsigned short sel_mode; /* selection mode */
        };
      
        #define TIOCL_SETSEL    2
        struct tiocl {
          unsigned char type;
          unsigned char pad;
          struct tiocl_selection sel;
        };
      
        int main()
        {
          int fd = 0;
          const char *dev = "/dev/char/4:1";
      
          struct vt_consize v = {0};
          struct tiocl tioc = {0};
      
          fd = open(dev, O_RDWR, 0);
      
          v.v_rows = 3346;
          ioctl(fd, VT_RESIZEX, &v);
      
          tioc.type = TIOCL_SETSEL;
          ioctl(fd, TIOCLINUX, &tioc);
      
          return 0;
        }
      
      When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
      but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
      for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
      smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
      the offset, it maybe larger than the vga_vram_size in vgacon driver, then
      bad access.
      Also, if set an larger screenbuf firstly, then set an more larger
      screenbuf, when copy old_origin to new_origin, a bad access may happen.
      
      So, If the screen size larger than vga_vram, resize screen should be
      failed. This alse fix CVE-2020-8649 and CVE-2020-8647.
      
      Linus pointed out that overflow checking seems absent. We're saved by
      the existing bounds checks in vc_do_resize() with rather strict
      limits:
      
      	if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
      		return -EINVAL;
      
      Fixes: 0aec4867 ("[PATCH] SVGATextMode fix")
      Reference: CVE-2020-8647 and CVE-2020-8649
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarZhang Xiaoxu <zhangxiaoxu5@huawei.com>
      [danvet: augment commit message to point out overflow safety]
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
      
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20c6501c
    • Eric Dumazet's avatar
      net/flow_dissector: switch to siphash · 4f7bd8bf
      Eric Dumazet authored
      
      commit 55667441 upstream.
      
      UDP IPv6 packets auto flowlabels are using a 32bit secret
      (static u32 hashrnd in net/core/flow_dissector.c) and
      apply jhash() over fields known by the receivers.
      
      Attackers can easily infer the 32bit secret and use this information
      to identify a device and/or user, since this 32bit secret is only
      set at boot time.
      
      Really, using jhash() to generate cookies sent on the wire
      is a serious security concern.
      
      Trying to change the rol32(hash, 16) in ip6_make_flowlabel() would be
      a dead end. Trying to periodically change the secret (like in sch_sfq.c)
      could change paths taken in the network for long lived flows.
      
      Let's switch to siphash, as we did in commit df453700
      ("inet: switch IP ID generator to siphash")
      
      Using a cryptographically strong pseudo random function will solve this
      privacy issue and more generally remove other weak points in the stack.
      
      Packet schedulers using skb_get_hash_perturb() benefit from this change.
      
      Fixes: b5677416 ("ipv6: Enable auto flow labels by default")
      Fixes: 42240901 ("ipv6: Implement different admin modes for automatic flow labels")
      Fixes: 67800f9b ("ipv6: Call skb_get_hash_flowi6 to get skb->hash in ip6_make_flowlabel")
      Fixes: cb1ce2ef ("ipv6: Implement automatic flow label generation on transmit")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarJonathan Berger <jonathann1@walla.com>
      Reported-by: default avatarAmit Klein <aksecurity@gmail.com>
      Reported-by: default avatarBenny Pinkas <benny@pinkas.net>
      Cc: Tom Herbert <tom@herbertland.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      4f7bd8bf
  5. May 01, 2020
  6. Apr 06, 2020
  7. Mar 04, 2020
  8. Dec 14, 2019
  9. Sep 06, 2019
    • Greg Kroah-Hartman's avatar
      Merge 4.14.142 into android-4.14-q · f3b9aac7
      Greg Kroah-Hartman authored
      
      Changes in 4.14.142
      	dmaengine: ste_dma40: fix unneeded variable warning
      	auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach
      	iommu/dma: Handle SG length overflow better
      	usb: gadget: composite: Clear "suspended" on reset/disconnect
      	usb: gadget: mass_storage: Fix races between fsg_disable and fsg_set_alt
      	xen/blkback: fix memory leaks
      	i2c: rcar: avoid race when unregistering slave client
      	i2c: emev2: avoid race when unregistering slave client
      	drm/ast: Fixed reboot test may cause system hanged
      	usb: host: fotg2: restart hcd after port reset
      	tools: hv: fix KVP and VSS daemons exit code
      	watchdog: bcm2835_wdt: Fix module autoload
      	drm/bridge: tfp410: fix memleak in get_modes()
      	scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value
      	drm/tilcdc: Register cpufreq notifier after we have initialized crtc
      	tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue
      	ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
      	ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
      	net/smc: make sure EPOLLOUT is raised
      	tcp: make sure EPOLLOUT wont be missed
      	mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n
      	ALSA: line6: Fix memory leak at line6_init_pcm() error path
      	ALSA: seq: Fix potential concurrent access to the deleted pool
      	kvm: x86: skip populating logical dest map if apic is not sw enabled
      	KVM: x86: Don't update RIP or do single-step on faulting emulation
      	x86/apic: Do not initialize LDR and DFR for bigsmp
      	x86/apic: Include the LDR when clearing out APIC registers
      	ftrace: Fix NULL pointer dereference in t_probe_next()
      	ftrace: Check for successful allocation of hash
      	ftrace: Check for empty hash and comment the race with registering probes
      	usb-storage: Add new JMS567 revision to unusual_devs
      	USB: cdc-wdm: fix race between write and disconnect due to flag abuse
      	usb: chipidea: udc: don't do hardware access if gadget has stopped
      	usb: host: ohci: fix a race condition between shutdown and irq
      	usb: host: xhci: rcar: Fix typo in compatible string matching
      	USB: storage: ums-realtek: Update module parameter description for auto_delink_en
      	USB: storage: ums-realtek: Whitelist auto-delink support
      	uprobes/x86: Fix detection of 32-bit user mode
      	mmc: sdhci-of-at91: add quirk for broken HS200
      	mmc: core: Fix init of SD cards reporting an invalid VDD range
      	stm class: Fix a double free of stm_source_device
      	intel_th: pci: Add support for another Lewisburg PCH
      	intel_th: pci: Add Tiger Lake support
      	drm/i915: Don't deballoon unused ggtt drm_mm_node in linux guest
      	VMCI: Release resource if the work is already queued
      	crypto: ccp - Ignore unconfigured CCP device on suspend/resume
      	Revert "cfg80211: fix processing world regdomain when non modular"
      	mac80211: fix possible sta leak
      	KVM: PPC: Book3S: Fix incorrect guest-to-user-translation error handling
      	KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long
      	KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI
      	NFS: Clean up list moves of struct nfs_page
      	NFSv4/pnfs: Fix a page lock leak in nfs_pageio_resend()
      	NFS: Pass error information to the pgio error cleanup routine
      	NFS: Ensure O_DIRECT reports an error if the bytes read/written is 0
      	i2c: piix4: Fix port selection for AMD Family 16h Model 30h
      	x86/ptrace: fix up botched merge of spectrev1 fix
      	Revert "ASoC: Fail card instantiation if DAI format setup fails"
      	Linux 4.14.142
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@google.com>
      4 tags
      f3b9aac7
    • Greg Kroah-Hartman's avatar
      Linux 4.14.142 · 414510bc
      Greg Kroah-Hartman authored
      v4.14.142
      414510bc
    • Greg Kroah-Hartman's avatar
      Revert "ASoC: Fail card instantiation if DAI format setup fails" · e474227a
      Greg Kroah-Hartman authored
      
      This reverts commit a56c79ef which is
      commit 40aa5383 upstream.
      
      Mark Brown writes:
      	I nacked this patch when Sasha posted it - it only improves
      	diagnostics and might make systems that worked by accident break
      	since it turns things into a hard failure, it won't make
      	anything that didn't work previously work.
      
      Reported-by: default avatarMark Brown <broonie@kernel.org>
      Cc: Ricard Wanderlof <ricardw@axis.com>
      Cc: Sasha Levin <sashal@kernel.org>
      Link: https://lore.kernel.org/lkml/20190904181027.GG4348@sirena.co.uk
      
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e474227a
    • Greg Kroah-Hartman's avatar
      x86/ptrace: fix up botched merge of spectrev1 fix · 3a647417
      Greg Kroah-Hartman authored
      I incorrectly merged commit 31a2fbb3 ("x86/ptrace: Fix possible
      spectre-v1 in ptrace_get_debugreg()") when backporting it, as was
      graciously pointed out at
      https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
      
      
      
      Resolve the upstream difference with the stable kernel merge to properly
      protect things.
      
      Reported-by: default avatarBrad Spengler <spender@grsecurity.net>
      Cc: Dianzhang Chen <dianzhangchen0@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: <bp@alien8.de>
      Cc: <hpa@zytor.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a647417
    • Andrew Cooks's avatar
      i2c: piix4: Fix port selection for AMD Family 16h Model 30h · 2b452eaa
      Andrew Cooks authored
      
      [ Upstream commit c7c06a15 ]
      
      Family 16h Model 30h SMBus controller needs the same port selection fix
      as described and fixed in commit 0fe16195 ("i2c: piix4: Fix SMBus port
      selection for AMD Family 17h chips")
      
      commit 6befa3fd ("i2c: piix4: Support alternative port selection
      register") also fixed the port selection for Hudson2, but unfortunately
      this is not the exact same device and the AMD naming and PCI Device IDs
      aren't particularly helpful here.
      
      The SMBus port selection register is common to the following Families
      and models, as documented in AMD's publicly available BIOS and Kernel
      Developer Guides:
      
       50742 - Family 15h Model 60h-6Fh (PCI_DEVICE_ID_AMD_KERNCZ_SMBUS)
       55072 - Family 15h Model 70h-7Fh (PCI_DEVICE_ID_AMD_KERNCZ_SMBUS)
       52740 - Family 16h Model 30h-3Fh (PCI_DEVICE_ID_AMD_HUDSON2_SMBUS)
      
      The Hudson2 PCI Device ID (PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) is shared
      between Bolton FCH and Family 16h Model 30h, but the location of the
      SmBus0Sel port selection bits are different:
      
       51192 - Bolton Register Reference Guide
      
      We distinguish between Bolton and Family 16h Model 30h using the PCI
      Revision ID:
      
        Bolton is device 0x780b, revision 0x15
        Family 16h Model 30h is device 0x780b, revision 0x1F
        Family 15h Model 60h and 70h are both device 0x790b, revision 0x4A.
      
      The following additional public AMD BKDG documents were checked and do
      not share the same port selection register:
      
       42301 - Family 15h Model 00h-0Fh doesn't mention any
       42300 - Family 15h Model 10h-1Fh doesn't mention any
       49125 - Family 15h Model 30h-3Fh doesn't mention any
      
       48751 - Family 16h Model 00h-0Fh uses the previously supported
               index register SB800_PIIX4_PORT_IDX_ALT at 0x2e
      
      Signed-off-by: default avatarAndrew Cooks <andrew.cooks@opengear.com>
      Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
      Cc: stable@vger.kernel.org [v4.6+]
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2b452eaa
    • Trond Myklebust's avatar
      NFS: Ensure O_DIRECT reports an error if the bytes read/written is 0 · 1a17912f
      Trond Myklebust authored
      
      [ Upstream commit eb2c50da ]
      
      If the attempt to resend the I/O results in no bytes being read/written,
      we must ensure that we report the error.
      
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Fixes: 0a00b77b ("nfs: mirroring support for direct io")
      Cc: stable@vger.kernel.org # v3.20+
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1a17912f
    • Trond Myklebust's avatar
      NFS: Pass error information to the pgio error cleanup routine · e4ca24bd
      Trond Myklebust authored
      
      [ Upstream commit df3accb8 ]
      
      Allow the caller to pass error information when cleaning up a failed
      I/O request so that we can conditionally take action to cancel the
      request altogether if the error turned out to be fatal.
      
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e4ca24bd
    • Trond Myklebust's avatar
      NFSv4/pnfs: Fix a page lock leak in nfs_pageio_resend() · ae63bd38
      Trond Myklebust authored
      
      [ Upstream commit f4340e93 ]
      
      If the attempt to resend the pages fails, we need to ensure that we
      clean up those pages that were not transmitted.
      
      Fixes: d600ad1f ("NFS41: pop some layoutget errors to application")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Cc: stable@vger.kernel.org # v4.5+
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ae63bd38
    • Trond Myklebust's avatar
      NFS: Clean up list moves of struct nfs_page · fc26de15
      Trond Myklebust authored
      
      [ Upstream commit 078b5fd9 ]
      
      In several places we're just moving the struct nfs_page from one list to
      another by first removing from the existing list, then adding to the new
      one.
      
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fc26de15
    • Marc Zyngier's avatar
      KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI · 712fc1c0
      Marc Zyngier authored
      
      [ Upstream commit 82e40f55 ]
      
      A guest is not allowed to inject a SGI (or clear its pending state)
      by writing to GICD_ISPENDR0 (resp. GICD_ICPENDR0), as these bits are
      defined as WI (as per ARM IHI 0048B 4.3.7 and 4.3.8).
      
      Make sure we correctly emulate the architecture.
      
      Fixes: 96b29800 ("KVM: arm/arm64: vgic-new: Add PENDING registers handlers")
      Cc: stable@vger.kernel.org # 4.7+
      Reported-by: default avatarAndre Przywara <andre.przywara@arm.com>
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      712fc1c0
    • Heyi Guo's avatar
      KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long · aafa2889
      Heyi Guo authored
      
      [ Upstream commit d4a8061a ]
      
      If the ap_list is longer than 256 entries, merge_final() in list_sort()
      will call the comparison callback with the same element twice, causing
      a deadlock in vgic_irq_cmp().
      
      Fix it by returning early when irqa == irqb.
      
      Cc: stable@vger.kernel.org # 4.7+
      Fixes: 8e444745 ("KVM: arm/arm64: vgic-new: Add IRQ sorting")
      Signed-off-by: default avatarZenghui Yu <yuzenghui@huawei.com>
      Signed-off-by: default avatarHeyi Guo <guoheyi@huawei.com>
      [maz: massaged commit log and patch, added Fixes and Cc-stable]
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      aafa2889
    • Alexey Kardashevskiy's avatar
      KVM: PPC: Book3S: Fix incorrect guest-to-user-translation error handling · 06ab420a
      Alexey Kardashevskiy authored
      
      [ Upstream commit ddfd151f ]
      
      H_PUT_TCE_INDIRECT handlers receive a page with up to 512 TCEs from
      a guest. Although we verify correctness of TCEs before we do anything
      with the existing tables, there is a small window when a check in
      kvmppc_tce_validate might pass and right after that the guest alters
      the page of TCEs, causing an early exit from the handler and leaving
      srcu_read_lock(&vcpu->kvm->srcu) (virtual mode) or lock_rmap(rmap)
      (real mode) locked.
      
      This fixes the bug by jumping to the common exit code with an appropriate
      unlock.
      
      Cc: stable@vger.kernel.org # v4.11+
      Fixes: 121f80ba ("KVM: PPC: VFIO: Add in-kernel acceleration for VFIO")
      Signed-off-by: default avatarAlexey Kardashevskiy <aik@ozlabs.ru>
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      06ab420a
    • Johannes Berg's avatar
      mac80211: fix possible sta leak · d5054c17
      Johannes Berg authored
      commit 5fd2f91a upstream.
      
      If TDLS station addition is rejected, the sta memory is leaked.
      Avoid this by moving the check before the allocation.
      
      Cc: stable@vger.kernel.org
      Fixes: 7ed52853 ("mac80211: don't initiate TDLS connection if station is not associated to AP")
      Link: https://lore.kernel.org/r/20190801073033.7892-1-johannes@sipsolutions.net
      
      
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d5054c17
    • Hodaszi, Robert's avatar
      Revert "cfg80211: fix processing world regdomain when non modular" · 44b39ce4
      Hodaszi, Robert authored
      
      commit 0d31d4db upstream.
      
      This reverts commit 96cce12f ("cfg80211: fix processing world
      regdomain when non modular").
      
      Re-triggering a reg_process_hint with the last request on all events,
      can make the regulatory domain fail in case of multiple WiFi modules. On
      slower boards (espacially with mdev), enumeration of the WiFi modules
      can end up in an intersected regulatory domain, and user cannot set it
      with 'iw reg set' anymore.
      
      This is happening, because:
      - 1st module enumerates, queues up a regulatory request
      - request gets processed by __reg_process_hint_driver():
        - checks if previous was set by CORE -> yes
          - checks if regulator domain changed -> yes, from '00' to e.g. 'US'
            -> sends request to the 'crda'
      - 2nd module enumerates, queues up a regulator request (which triggers
        the reg_todo() work)
      - reg_todo() -> reg_process_pending_hints() sees, that the last request
        is not processed yet, so it tries to process it again.
        __reg_process_hint driver() will run again, and:
        - checks if the last request's initiator was the core -> no, it was
          the driver (1st WiFi module)
        - checks, if the previous initiator was the driver -> yes
          - checks if the regulator domain changed -> yes, it was '00' (set by
            core, and crda call did not return yet), and should be changed to 'US'
      
      ------> __reg_process_hint_driver calls an intersect
      
      Besides, the reg_process_hint call with the last request is meaningless
      since the crda call has a timeout work. If that timeout expires, the
      first module's request will lost.
      
      Cc: stable@vger.kernel.org
      Fixes: 96cce12f ("cfg80211: fix processing world regdomain when non modular")
      Signed-off-by: default avatarRobert Hodaszi <robert.hodaszi@digi.com>
      Link: https://lore.kernel.org/r/20190614131600.GA13897@a1-hr
      
      
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44b39ce4
    • Gary R Hook's avatar
      crypto: ccp - Ignore unconfigured CCP device on suspend/resume · d204cf4f
      Gary R Hook authored
      
      commit 5871cd93 upstream.
      
      If a CCP is unconfigured (e.g. there are no available queues) then
      there will be no data structures allocated for the device. Thus, we
      must check for validity of a pointer before trying to access structure
      members.
      
      Fixes: 720419f0 ("crypto: ccp - Introduce the AMD Secure Processor device")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarGary R Hook <gary.hook@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d204cf4f
    • Nadav Amit's avatar
      VMCI: Release resource if the work is already queued · 57371084
      Nadav Amit authored
      
      commit ba03a9bb upstream.
      
      Francois reported that VMware balloon gets stuck after a balloon reset,
      when the VMCI doorbell is removed. A similar error can occur when the
      balloon driver is removed with the following splat:
      
      [ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds.
      [ 1088.622035]       Tainted: G        W         5.2.0 #4
      [ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [ 1088.622205] modprobe        D    0  3565   1450 0x00000000
      [ 1088.622210] Call Trace:
      [ 1088.622246]  __schedule+0x2a8/0x690
      [ 1088.622248]  schedule+0x2d/0x90
      [ 1088.622250]  schedule_timeout+0x1d3/0x2f0
      [ 1088.622252]  wait_for_completion+0xba/0x140
      [ 1088.622320]  ? wake_up_q+0x80/0x80
      [ 1088.622370]  vmci_resource_remove+0xb9/0xc0 [vmw_vmci]
      [ 1088.622373]  vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci]
      [ 1088.622379]  vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon]
      [ 1088.622381]  vmballoon_exit+0x18/0xcc8 [vmw_balloon]
      [ 1088.622394]  __x64_sys_delete_module+0x146/0x280
      [ 1088.622408]  do_syscall_64+0x5a/0x130
      [ 1088.622410]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 1088.622415] RIP: 0033:0x7f54f62791b7
      [ 1088.622421] Code: Bad RIP value.
      [ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7
      [ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68
      [ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000
      [ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68
      [ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0
      
      The cause for the bug is that when the "delayed" doorbell is invoked, it
      takes a reference on the doorbell entry and schedules work that is
      supposed to run the appropriate code and drop the doorbell entry
      reference. The code ignores the fact that if the work is already queued,
      it will not be scheduled to run one more time. As a result one of the
      references would not be dropped. When the code waits for the reference
      to get to zero, during balloon reset or module removal, it gets stuck.
      
      Fix it. Drop the reference if schedule_work() indicates that the work is
      already queued.
      
      Note that this bug got more apparent (or apparent at all) due to
      commit ce664331 ("vmw_balloon: VMCI_DOORBELL_SET does not check status").
      
      Fixes: 83e2ec76 ("VMCI: doorbell implementation.")
      Reported-by: default avatarFrancois Rigault <rigault.francois@gmail.com>
      Cc: Jorgen Hansen <jhansen@vmware.com>
      Cc: Adit Ranadive <aditr@vmware.com>
      Cc: Alexios Zavras <alexios.zavras@intel.com>
      Cc: Vishnu DASA <vdasa@vmware.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Reviewed-by: default avatarVishnu Dasa <vdasa@vmware.com>
      Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.com
      
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57371084
    • Xiong Zhang's avatar
      drm/i915: Don't deballoon unused ggtt drm_mm_node in linux guest · fdd17629
      Xiong Zhang authored
      
      commit 0a3dfbb5 upstream.
      
      The following call trace may exist in linux guest dmesg when guest i915
      driver is unloaded.
      [   90.776610] [drm:vgt_deballoon_space.isra.0 [i915]] deballoon space: range [0x0 - 0x0] 0 KiB.
      [   90.776621] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0
      [   90.776691] IP: drm_mm_remove_node+0x4d/0x320 [drm]
      [   90.776718] PGD 800000012c7d0067 P4D 800000012c7d0067 PUD 138e4c067 PMD 0
      [   90.777091] task: ffff9adab60f2f00 task.stack: ffffaf39c0fe0000
      [   90.777142] RIP: 0010:drm_mm_remove_node+0x4d/0x320 [drm]
      [   90.777573] Call Trace:
      [   90.777653]  intel_vgt_deballoon+0x4c/0x60 [i915]
      [   90.777729]  i915_ggtt_cleanup_hw+0x121/0x190 [i915]
      [   90.777792]  i915_driver_unload+0x145/0x180 [i915]
      [   90.777856]  i915_pci_remove+0x15/0x20 [i915]
      [   90.777890]  pci_device_remove+0x3b/0xc0
      [   90.777916]  device_release_driver_internal+0x157/0x220
      [   90.777945]  driver_detach+0x39/0x70
      [   90.777967]  bus_remove_driver+0x51/0xd0
      [   90.777990]  pci_unregister_driver+0x23/0x90
      [   90.778019]  SyS_delete_module+0x1da/0x240
      [   90.778045]  entry_SYSCALL_64_fastpath+0x24/0x87
      [   90.778072] RIP: 0033:0x7f34312af067
      [   90.778092] RSP: 002b:00007ffdea3da0d8 EFLAGS: 00000206
      [   90.778297] RIP: drm_mm_remove_node+0x4d/0x320 [drm] RSP: ffffaf39c0fe3dc0
      [   90.778344] ---[ end trace f4b1bc8305fc59dd ]---
      
      Four drm_mm_node are used to reserve guest ggtt space, but some of them
      may be skipped and not initialised due to space constraints in
      intel_vgt_balloon(). If drm_mm_remove_node() is called with
      uninitialized drm_mm_node, the above call trace occurs.
      
      This patch check drm_mm_node's validity before calling
      drm_mm_remove_node().
      
      Fixes: ff8f7975("drm/i915: return the correct usable aperture size under gvt environment")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarXiong Zhang <xiong.y.zhang@intel.com>
      Acked-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Link: https://patchwork.freedesktop.org/patch/msgid/1566279978-9659-1-git-send-email-xiong.y.zhang@intel.com
      
      
      (cherry picked from commit 4776f352)
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fdd17629
Loading