From patchwork Tue May 9 14:42:25 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98914
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Mark Rutland, Catalin Marinas
Subject: [PATCH for-3.18 01/24] arm64: make sys_call_table const
Date: Tue, 9 May 2017 20:12:25 +0530
Message-Id: <1494340968-17152-2-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Mark Rutland

commit c623b33b4e9599c6ac5076f7db7369eb9869aa04 upstream.

As with x86, mark the sys_call_table const such that it will be placed in the .rodata section.

This will cause attempts to modify the table (accidental or deliberate) to fail when strict page permissions are in place. In the absence of strict page permissions, there should be no functional change.

Signed-off-by: Mark Rutland
Acked-by: Will Deacon
Signed-off-by: Catalin Marinas
Signed-off-by: Amit Pundir
---
 arch/arm64/kernel/sys.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.7.4

diff --git a/arch/arm64/kernel/sys.c b/arch/arm64/kernel/sys.c
index 3fa98ff14f0e..df20b7918854 100644
--- a/arch/arm64/kernel/sys.c
+++ b/arch/arm64/kernel/sys.c
@@ -50,7 +50,7 @@ asmlinkage long sys_mmap(unsigned long addr, unsigned long len, * The sys_call_table array must be 4K aligned to be accessible from * kernel/entry.S. */ -void *sys_call_table[__NR_syscalls] __aligned(4096) = { +void * const sys_call_table[__NR_syscalls] __aligned(4096) = { [0 ... __NR_syscalls - 1] = sys_ni_syscall, #include }; From patchwork Tue May 9 14:42:26 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98915 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp1857331qge; Tue, 9 May 2017 07:43:00 -0700 (PDT) X-Received: by 10.84.198.164 with SMTP id p33mr641201pld.127.1494340980419; Tue, 09 May 2017 07:43:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494340980; cv=none; d=google.com; s=arc-20160816; b=JtMDdb8LyBF9FSwaIRVZlP0hYGlqKZxK0ZhyqGvRovZpZoTiUKH1SUgyNAfaQEg81y NVW4LnJVZwPfvP0UpoIVKF5aunx7IiL3hMF3mmyCSiikCNiKvH1S9TVAcluoHmIpRLqP nc2wo0Q5UXrU2hRHFkyF6RwjlKf552DbZ64kL2xhT3FnrPcxbDW6HybqnzB/Sg/8bV7c WIkTuxnQdisoJ5jGtq909m/7qahESyBBc6AxRKtUGQOo8IfbpD9CQYdIYtCpVanaqK6O cYMUigxlJgoGPcBCuRRVTXK5Ks1IJfw5HVPPNLPyi9sRx1SCCUCIZ4TMjnCRAybqdG4l cxeA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=UaST7g272YsOjetCH5pfQddFjhm76mEFbZMTp6kNCdA=; b=wqGphtXIISXNCLAC/XMHPdXn18eqctPEo6t4mwMxoJhzistwQoZJh+4mZnZ8hCeR2o s15+5c5GZSdiHYRF3TWgkDDz0pTUF8HLEzrTUOwL6Ba91vJUDRuc5I+uwzZbWS9gB+vN gKmtXg1YInO/LwAkoTCUH7p21AjL0b3XcaszAGcw07Xwh/PISFFKgQVAZDIkVrB++h74 HiPgi+fc4hd0J4j4aKMqbFhmzeqbsyMBkpJDnwoFAz6jjHdmZ2nnDAgNmkC04HgkKzRA va+Ld94gvjdX5+PcJIIG7oqv0r11/6y1e+elkzqxZ5XPP35w+qvTuF4G9WEWd8tE2eIu tqLA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org 
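Review bot: the diff is a one-word qualifier, so what needs verifying is the stated goal rather than the hunk itself: confirm on a built vmlinux that sys_call_table now lands in .rodata (the symbol should show as read-only data, type 'R' in nm output, where it was 'D' before), because the changelog's claim that writes to the table will fault only holds if the placement actually changed and strict page permissions are enabled on the 3.18 configuration this is backported to. A secondary benefit worth a sentence in the changelog: with `void * const`, any in-tree code that tries to write through sys_call_table now fails to compile instead of being caught only at runtime. The `[0 ... __NR_syscalls - 1] = sys_ni_syscall` initializer and the `__aligned(4096)` that kernel/entry.S depends on are untouched, so no functional change is expected without strict permissions, as the changelog says.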
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Peter Zijlstra, "Paul E. McKenney", Jiri Olsa, Arnaldo Carvalho de Melo, Linus Torvalds, Ingo Molnar
Subject: [PATCH for-3.18 02/24] perf: Fix event->ctx locking
Date: Tue, 9 May 2017 20:12:26 +0530
Message-Id: <1494340968-17152-3-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Peter Zijlstra

commit f63a8daa5812afef4f06c962351687e1ff9ccb2b upstream.

There have been a few reported issues wrt. the lack of locking around changing event->ctx. This patch tries to address those.

It avoids the whole rwsem thing; and while it appears to work, please give it some thought in review.

What I did fail at is sensible runtime checks on the use of event->ctx, the RCU use makes it very hard.

Signed-off-by: Peter Zijlstra (Intel)
Cc: Paul E. McKenney
Cc: Jiri Olsa
Cc: Arnaldo Carvalho de Melo
Cc: Linus Torvalds
Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
Signed-off-by: Ingo Molnar
Signed-off-by: Amit Pundir
---
 kernel/events/core.c | 244 +++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 207 insertions(+), 37 deletions(-)

--
2.7.4

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 26c40faa8ea4..3964293d1540 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -907,6 +907,77 @@ static void put_ctx(struct perf_event_context *ctx) } /* + * Because of perf_event::ctx migration in sys_perf_event_open::move_group and + * perf_pmu_migrate_context() we need some magic. + * + * Those places that change perf_event::ctx will hold both + * perf_event_ctx::mutex of the 'old' and 'new' ctx value. + * + * Lock ordering is by mutex address. There is one other site where + * perf_event_context::mutex nests and that is put_event(). But remember that + * that is a parent<->child context relation, and migration does not affect + * children, therefore these two orderings should not interact. + * + * The change in perf_event::ctx does not affect children (as claimed above) + * because the sys_perf_event_open() case will install a new event and break + * the ctx parent<->child relation, and perf_pmu_migrate_context() is only + * concerned with cpuctx and that doesn't have children. + * + * The places that change perf_event::ctx will issue: + * + * perf_remove_from_context(); + * synchronize_rcu(); + * perf_install_in_context(); + * + * to affect the change. The remove_from_context() + synchronize_rcu() should + * quiesce the event, after which we can install it in the new location. This + * means that only external vectors (perf_fops, prctl) can perturb the event + * while in transit. Therefore all such accessors should also acquire + * perf_event_context::mutex to serialize against this. + * + * However; because event->ctx can change while we're waiting to acquire + * ctx->mutex we must be careful and use the below perf_event_ctx_lock() + * function. 
+ * + * Lock order: + * task_struct::perf_event_mutex + * perf_event_context::mutex + * perf_event_context::lock + * perf_event::child_mutex; + * perf_event::mmap_mutex + * mmap_sem + */ +static struct perf_event_context *perf_event_ctx_lock(struct perf_event *event) +{ + struct perf_event_context *ctx; + +again: + rcu_read_lock(); + ctx = ACCESS_ONCE(event->ctx); + if (!atomic_inc_not_zero(&ctx->refcount)) { + rcu_read_unlock(); + goto again; + } + rcu_read_unlock(); + + mutex_lock(&ctx->mutex); + if (event->ctx != ctx) { + mutex_unlock(&ctx->mutex); + put_ctx(ctx); + goto again; + } + + return ctx; +} + +static void perf_event_ctx_unlock(struct perf_event *event, + struct perf_event_context *ctx) +{ + mutex_unlock(&ctx->mutex); + put_ctx(ctx); +} + +/* * This must be done under the ctx->lock, such as to serialize against * context_equiv(), therefore we cannot call put_ctx() since that might end up * calling scheduler related locks and ctx->lock nests inside those. @@ -1654,7 +1725,7 @@ int __perf_event_disable(void *info) * is the current context on this CPU and preemption is disabled, * hence we can't get into perf_event_task_sched_out for this context. */ -void perf_event_disable(struct perf_event *event) +static void _perf_event_disable(struct perf_event *event) { struct perf_event_context *ctx = event->ctx; struct task_struct *task = ctx->task; @@ -1695,6 +1766,19 @@ retry: } raw_spin_unlock_irq(&ctx->lock); } + +/* + * Strictly speaking kernel users cannot create groups and therefore this + * interface does not need the perf_event_ctx_lock() magic. + */ +void perf_event_disable(struct perf_event *event) +{ + struct perf_event_context *ctx; + + ctx = perf_event_ctx_lock(event); + _perf_event_disable(event); + perf_event_ctx_unlock(event, ctx); +} EXPORT_SYMBOL_GPL(perf_event_disable); static void perf_set_shadow_time(struct perf_event *event, 
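Review bot: the retry loop in perf_event_ctx_lock() only terminates because the migration protocol described in the comment above it (perf_remove_from_context(), synchronize_rcu(), perf_install_in_context()) publishes the new event->ctx before the old context's refcount can drop to zero; if atomic_inc_not_zero() fails while event->ctx still points at the dying context, the `goto again` spins on it. That dependency deserves one line next to the retry so a later change to the migration order cannot silently turn the loop into a livelock, and a cpu_relax() in the failure path would be cheap. Separately, the comment on the new perf_event_disable() wrapper says kernel users "do not need the perf_event_ctx_lock() magic" while the code takes the lock anyway; reword it to say the lock is taken for uniformity with the user-facing paths so the comment and the code agree.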
@@ -2158,7 +2242,7 @@ unlock: * perf_event_for_each_child or perf_event_for_each as described * for perf_event_disable. */ -void perf_event_enable(struct perf_event *event) +static void _perf_event_enable(struct perf_event *event) { struct perf_event_context *ctx = event->ctx; struct task_struct *task = ctx->task; @@ -2214,9 +2298,21 @@ retry: out: raw_spin_unlock_irq(&ctx->lock); } + +/* + * See perf_event_disable(); + */ +void perf_event_enable(struct perf_event *event) +{ + struct perf_event_context *ctx; + + ctx = perf_event_ctx_lock(event); + _perf_event_enable(event); + perf_event_ctx_unlock(event, ctx); +} EXPORT_SYMBOL_GPL(perf_event_enable); -int perf_event_refresh(struct perf_event *event, int refresh) +static int _perf_event_refresh(struct perf_event *event, int refresh) { /* * not supported on inherited events @@ -2225,10 +2321,25 @@ int perf_event_refresh(struct perf_event *event, int refresh) return -EINVAL; atomic_add(refresh, &event->event_limit); - perf_event_enable(event); + _perf_event_enable(event); return 0; } + +/* + * See perf_event_disable() + */ +int perf_event_refresh(struct perf_event *event, int refresh) +{ + struct perf_event_context *ctx; + int ret; + + ctx = perf_event_ctx_lock(event); + ret = _perf_event_refresh(event, refresh); + perf_event_ctx_unlock(event, ctx); + + return ret; +} EXPORT_SYMBOL_GPL(perf_event_refresh); static void ctx_sched_out(struct perf_event_context *ctx, 
@@ -3421,7 +3532,16 @@ static void perf_remove_from_owner(struct perf_event *event) rcu_read_unlock(); if (owner) { - mutex_lock(&owner->perf_event_mutex); + /* + * If we're here through perf_event_exit_task() we're already + * holding ctx->mutex which would be an inversion wrt. the + * normal lock order. + * + * However we can safely take this lock because its the child + * ctx->mutex. + */ + mutex_lock_nested(&owner->perf_event_mutex, SINGLE_DEPTH_NESTING); + /* * We have to re-check the event->owner field, if it is cleared * we raced with perf_event_exit_task(), acquiring the mutex @@ -3547,12 +3667,13 @@ static int perf_event_read_group(struct perf_event *event, u64 read_format, char __user *buf) { struct perf_event *leader = event->group_leader, *sub; - int n = 0, size = 0, ret = -EFAULT; struct perf_event_context *ctx = leader->ctx; - u64 values[5]; + int n = 0, size = 0, ret; u64 count, enabled, running; + u64 values[5]; + + lockdep_assert_held(&ctx->mutex); - mutex_lock(&ctx->mutex); count = perf_event_read_value(leader, &enabled, &running); values[n++] = 1 + leader->nr_siblings; @@ -3567,7 +3688,7 @@ static int perf_event_read_group(struct perf_event *event, size = n * sizeof(u64); if (copy_to_user(buf, values, size)) - goto unlock; + return -EFAULT; ret = size; @@ -3581,14 +3702,11 @@ static int perf_event_read_group(struct perf_event *event, size = n * sizeof(u64); if (copy_to_user(buf + ret, values, size)) { - ret = -EFAULT; - goto unlock; + return -EFAULT; } ret += size; } -unlock: - mutex_unlock(&ctx->mutex); return ret; } 
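Review bot: perf_event_read_group() now depends on its caller for ctx->mutex and asserts on leader->ctx->mutex, whereas the perf_read() wrapper in the following hunk locks event->ctx; the two are the same context only because groups cannot span contexts, and the lockdep_assert_held() will fire if that ever stops being true, so a one-line comment saying why leader->ctx is the right lock would save a reader the detour. Dropping the explicit `ret = -EFAULT` initialisation is fine since both copy_to_user() failures now return -EFAULT directly and ret is assigned `size` before any other use. In the perf_remove_from_owner() hunk, "because its the child ctx->mutex" should read "it's", and the justification for SINGLE_DEPTH_NESTING would be clearer if it named which ctx->mutex the perf_event_exit_task() path already holds.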
@@ -3660,8 +3778,14 @@ static ssize_t perf_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) { struct perf_event *event = file->private_data; + struct perf_event_context *ctx; + int ret; - return perf_read_hw(event, buf, count); + ctx = perf_event_ctx_lock(event); + ret = perf_read_hw(event, buf, count); + perf_event_ctx_unlock(event, ctx); + + return ret; } static unsigned int perf_poll(struct file *file, poll_table *wait) @@ -3687,7 +3811,7 @@ static unsigned int perf_poll(struct file *file, poll_table *wait) return events; } -static void perf_event_reset(struct perf_event *event) +static void _perf_event_reset(struct perf_event *event) { (void)perf_event_read(event); local64_set(&event->count, 0); @@ -3706,6 +3830,7 @@ static void perf_event_for_each_child(struct perf_event *event, struct perf_event *child; WARN_ON_ONCE(event->ctx->parent_ctx); + mutex_lock(&event->child_mutex); func(event); list_for_each_entry(child, &event->child_list, child_list) @@ -3719,14 +3844,13 @@ static void perf_event_for_each(struct perf_event *event, struct perf_event_context *ctx = event->ctx; struct perf_event *sibling; - WARN_ON_ONCE(ctx->parent_ctx); - mutex_lock(&ctx->mutex); + lockdep_assert_held(&ctx->mutex); + event = event->group_leader; perf_event_for_each_child(event, func); list_for_each_entry(sibling, &event->sibling_list, group_entry) perf_event_for_each_child(sibling, func); - mutex_unlock(&ctx->mutex); } struct period_event { 
@@ -3831,25 +3955,24 @@ static int perf_event_set_output(struct perf_event *event, struct perf_event *output_event); static int perf_event_set_filter(struct perf_event *event, void __user *arg); -static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) +static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned long arg) { - struct perf_event *event = file->private_data; void (*func)(struct perf_event *); u32 flags = arg; switch (cmd) { case PERF_EVENT_IOC_ENABLE: - func = perf_event_enable; + func = _perf_event_enable; break; case PERF_EVENT_IOC_DISABLE: - func = perf_event_disable; + func = _perf_event_disable; break; case PERF_EVENT_IOC_RESET: - func = perf_event_reset; + func = _perf_event_reset; break; case PERF_EVENT_IOC_REFRESH: - return perf_event_refresh(event, arg); + return _perf_event_refresh(event, arg); case PERF_EVENT_IOC_PERIOD: return perf_event_period(event, (u64 __user *)arg); @@ -3896,6 +4019,19 @@ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) return 0; } +static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) +{ + struct perf_event *event = file->private_data; + struct perf_event_context *ctx; + long ret; + + ctx = perf_event_ctx_lock(event); + ret = _perf_ioctl(event, cmd, arg); + perf_event_ctx_unlock(event, ctx); + + return ret; +} + #ifdef CONFIG_COMPAT static long perf_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) 
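Review bot: after this hunk every ioctl, including PERF_EVENT_IOC_SET_OUTPUT and PERF_EVENT_IOC_SET_FILTER (their handlers are declared just above the hunk), runs with ctx->mutex held, which is new for those two paths; the changelog should say so, and the lock-order list added in the first hunk should be checked against whatever perf_event_set_output() and perf_event_set_filter() acquire. _perf_ioctl() is now the only dispatcher and is correct only when called under the lock, so please confirm that perf_compat_ioctl(), whose signature begins at the end of this hunk, routes through the locked perf_ioctl() rather than calling _perf_ioctl() directly, and consider a lockdep_assert_held(&event->ctx->mutex) at the top of _perf_ioctl() to document the precondition the way the read path does.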
@@ -3918,11 +4054,15 @@ static long perf_compat_ioctl(struct file *file, unsigned int cmd, int perf_event_task_enable(void) { + struct perf_event_context *ctx; struct perf_event *event; mutex_lock(¤t->perf_event_mutex); - list_for_each_entry(event, ¤t->perf_event_list, owner_entry) - perf_event_for_each_child(event, perf_event_enable); + list_for_each_entry(event, ¤t->perf_event_list, owner_entry) { + ctx = perf_event_ctx_lock(event); + perf_event_for_each_child(event, _perf_event_enable); + perf_event_ctx_unlock(event, ctx); + } mutex_unlock(¤t->perf_event_mutex); return 0; @@ -3930,11 +4070,15 @@ int perf_event_task_enable(void) int perf_event_task_disable(void) { + struct perf_event_context *ctx; struct perf_event *event; mutex_lock(¤t->perf_event_mutex); - list_for_each_entry(event, ¤t->perf_event_list, owner_entry) - perf_event_for_each_child(event, perf_event_disable); + list_for_each_entry(event, ¤t->perf_event_list, owner_entry) { + ctx = perf_event_ctx_lock(event); + perf_event_for_each_child(event, _perf_event_disable); + perf_event_ctx_unlock(event, ctx); + } mutex_unlock(¤t->perf_event_mutex); return 0; @@ -7271,6 +7415,15 @@ out: return ret; } +static void mutex_lock_double(struct mutex *a, struct mutex *b) +{ + if (b < a) + swap(a, b); + + mutex_lock(a); + mutex_lock_nested(b, SINGLE_DEPTH_NESTING); +} + /** * sys_perf_event_open - open a performance event, associate it to a task/cpu * @@ -7286,7 +7439,7 @@ SYSCALL_DEFINE5(perf_event_open, struct perf_event *group_leader = NULL, *output_event = NULL; struct perf_event *event, *sibling; struct perf_event_attr attr; - struct perf_event_context *ctx; + struct perf_event_context *ctx, *uninitialized_var(gctx); struct file *event_file = NULL; struct fd group = {NULL, 0}; struct task_struct *task = NULL; 
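Review bot: `uninitialized_var(gctx)` suppresses the warning rather than proving the use is safe; every use of gctx is guarded by `if (move_group)`, so initialising it to NULL costs nothing and keeps a genuine uninitialised-use warning visible if a later change adds an unguarded use. mutex_lock_double() orders by raw pointer comparison, which is the accepted kernel idiom, but the helper silently deadlocks if called with a == b (the swap is a no-op and mutex_lock_nested() re-acquires the lock just taken); the visible callers pass two distinct contexts, so a comment or a WARN_ON_ONCE(a == b) stating that precondition is enough. perf_event_task_enable()/perf_event_task_disable() now take ctx->mutex while holding current->perf_event_mutex, which matches the order documented in the first hunk (task_struct::perf_event_mutex before perf_event_context::mutex).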
@@ -7484,9 +7637,14 @@ SYSCALL_DEFINE5(perf_event_open, } if (move_group) { - struct perf_event_context *gctx = group_leader->ctx; + gctx = group_leader->ctx; + + /* + * See perf_event_ctx_lock() for comments on the details + * of swizzling perf_event::ctx. + */ + mutex_lock_double(&gctx->mutex, &ctx->mutex); - mutex_lock(&gctx->mutex); perf_remove_from_context(group_leader, false); /* @@ -7501,15 +7659,19 @@ SYSCALL_DEFINE5(perf_event_open, perf_event__state_init(sibling); put_ctx(gctx); } - mutex_unlock(&gctx->mutex); - put_ctx(gctx); + } else { + mutex_lock(&ctx->mutex); } WARN_ON_ONCE(ctx->parent_ctx); - mutex_lock(&ctx->mutex); if (move_group) { + /* + * Wait for everybody to stop referencing the events through + * the old lists, before installing it on new lists. + */ synchronize_rcu(); + perf_install_in_context(ctx, group_leader, group_leader->cpu); get_ctx(ctx); list_for_each_entry(sibling, &group_leader->sibling_list, @@ -7521,6 +7683,11 @@ SYSCALL_DEFINE5(perf_event_open, perf_install_in_context(ctx, event, event->cpu); perf_unpin_context(ctx); + + if (move_group) { + mutex_unlock(&gctx->mutex); + put_ctx(gctx); + } mutex_unlock(&ctx->mutex); put_online_cpus(); @@ -7628,7 +7795,11 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu) src_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, src_cpu)->ctx; dst_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, dst_cpu)->ctx; - mutex_lock(&src_ctx->mutex); + /* + * See perf_event_ctx_lock() for comments on the details + * of swizzling perf_event::ctx. + */ + mutex_lock_double(&src_ctx->mutex, &dst_ctx->mutex); list_for_each_entry_safe(event, tmp, &src_ctx->event_list, event_entry) { perf_remove_from_context(event, false); 
@@ -7636,11 +7807,9 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu) put_ctx(src_ctx); list_add(&event->migrate_entry, &events); } - mutex_unlock(&src_ctx->mutex); synchronize_rcu(); - mutex_lock(&dst_ctx->mutex); list_for_each_entry_safe(event, tmp, &events, migrate_entry) { list_del(&event->migrate_entry); if (event->state >= PERF_EVENT_STATE_OFF) 
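Review bot: in perf_pmu_migrate_context() the synchronize_rcu() that used to run between dropping src_ctx->mutex and taking dst_ctx->mutex now runs with both mutexes held, so every perf_event_ctx_lock() caller on either CPU's context (perf_read(), perf_ioctl(), the prctl enable/disable paths) blocks for a full grace period during a migration; that is exactly the quiescing the locking scheme needs, but the latency cost is worth a sentence in the changelog. The same applies to the move_group path in sys_perf_event_open(), where synchronize_rcu() is now inside mutex_lock_double(&gctx->mutex, &ctx->mutex).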
@@ -7650,6 +7819,7 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu) get_ctx(dst_ctx); } mutex_unlock(&dst_ctx->mutex); + mutex_unlock(&src_ctx->mutex); } EXPORT_SYMBOL_GPL(perf_pmu_migrate_context); From patchwork Tue May 9 14:42:27 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98916 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp1857342qge; Tue, 9 May 2017 07:43:02 -0700 (PDT) X-Received: by 10.98.22.9 with SMTP id 9mr236450pfw.125.1494340982363; Tue, 09 May 2017 07:43:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494340982; cv=none; d=google.com; s=arc-20160816; b=QYjVeaw5ZiuU8+jCcka4/4ImLcn6m/w1bE7AGkooIxPG8ATt1Z06SuoGW2PyF8WmEG KVKPJ/BUtd5O5zqJ5lmjyEFhMuvm0lqRf7l6q+8l71J2iH5Bsi6v3i28mNn30B2QLSvu NaRmFnnefTxNEnclukh43mbW9ye9AmecliJkYA+25PbLfefJN6smTrLeJNav8C1R14L4 ZUM65btAlLwJkAHv/KKZVFXlyjnG5ObHhxWTXi7GUxI9BXzM9p3vb6juGdGpxDaAc8sB yu5OIgfEVQQvwL6N62CvMzwotJDRHJVVbE2KbSE7eSj6PT3BGdvSON3BRu4/1tXPC5uL ah7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=vVSWcxe0RJnoub4iUkiKKDAl07/Sshs7ZkTcJ2r/hfo=; b=PUGoJg0RxYigidmcPBZs14c8OVsuW7cdNwCwH4ICMgFp3Qcn1Wtru2dwp23jzMINuN xV770ENG26BMkOBrnXeb2XB+j+o+t5yvxNaRCpRi0yDf7dV4s5LfJimEpTfiNu6IUIpR /IxxhYToVEAyAp5zWl7W/Ptg84F2TnVDDN3J4ELCt+hqc7C7uFcdG9qdXLrVPlCTpG3B bD5xThlW+B0elaUmDhXrniY3KgklYDEzr9LL1QAs/qanHGjbA1jzTqAruI7pBF/aUWPR Yk0aAgJ2TEV/5RuPKDvL4Ik8k1B383e+JjIxI2L9wkoxXm9UNqUP80AwE81gBcMQMgWU 3yRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) 
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, "Suzuki K. Poulose", Will Deacon
Subject: [PATCH for-3.18 03/24] arm64: perf: reject groups spanning multiple HW PMUs
Date: Tue, 9 May 2017 20:12:27 +0530
Message-Id: <1494340968-17152-4-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: "Suzuki K. Poulose"

commit 8fff105e13041e49b82f92eef034f363a6b1c071 upstream.

The perf core implicitly rejects events spanning multiple HW PMUs, as in these cases the event->ctx will differ. However this validation is performed after pmu::event_init() is called in perf_init_event(), and thus pmu::event_init() may be called with a group leader from a different HW PMU.

The ARM64 PMU driver does not take this fact into account, and when validating groups assumes that it can call to_arm_pmu(event->pmu) for any HW event. When the event in question is from another HW PMU this is wrong, and results in dereferencing garbage.

This patch updates the ARM64 PMU driver to first test for and reject events from other PMUs, moving the to_arm_pmu and related logic after this test.

Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with a CCI PMU present:

Bad mode in Synchronous Abort handler detected, code 0x86000006 -- IABT (current EL)
CPU: 0 PID: 1371 Comm: perf_fuzzer Not tainted 3.19.0+ #249
Hardware name: V2F-1XV7 Cortex-A53x2 SMM (DT)
task: ffffffc07c73a280 ti: ffffffc07b0a0000 task.ti: ffffffc07b0a0000
PC is at 0x0
LR is at validate_event+0x90/0xa8
pc : [<0000000000000000>] lr : [] pstate: 00000145
sp : ffffffc07b0a3ba0
[< (null)>] (null)
[] armpmu_event_init+0x174/0x3cc
[] perf_try_init_event+0x34/0x70
[] perf_init_event+0xe0/0x10c
[] perf_event_alloc+0x288/0x358
[] SyS_perf_event_open+0x464/0x98c
Code: bad PC value

Also cleans up the code to use the arm_pmu only when we know that we are dealing with an arm pmu event.

Cc: Will Deacon
Acked-by: Mark Rutland
Acked-by: Peter Zijlstra (Intel)
Signed-off-by: Suzuki K. Poulose
Signed-off-by: Will Deacon
Signed-off-by: Amit Pundir
---
 arch/arm64/kernel/perf_event.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

--
2.7.4

diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c
index aa29ecb4f800..78a5894b1621 100644
--- a/arch/arm64/kernel/perf_event.c
+++ b/arch/arm64/kernel/perf_event.c @@ -316,22 +316,31 @@ out: } static int -validate_event(struct pmu_hw_events *hw_events, - struct perf_event *event) +validate_event(struct pmu *pmu, struct pmu_hw_events *hw_events, + struct perf_event *event) { - struct arm_pmu *armpmu = to_arm_pmu(event->pmu); + struct arm_pmu *armpmu; struct hw_perf_event fake_event = event->hw; struct pmu *leader_pmu = event->group_leader->pmu; if (is_software_event(event)) return 1; + /* + * Reject groups spanning multiple HW PMUs (e.g. CPU + CCI). The + * core perf code won't check that the pmu->ctx == leader->ctx + * until after pmu->event_init(event). + */ + if (event->pmu != pmu) + return 0; + if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF) return 1; if (event->state == PERF_EVENT_STATE_OFF && !event->attr.enable_on_exec) return 1; + armpmu = to_arm_pmu(event->pmu); return armpmu->get_event_idx(hw_events, &fake_event) >= 0; } 
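Review bot: at the new `armpmu = to_arm_pmu(event->pmu);` in validate_event() the preceding `if (event->pmu != pmu) return 0;` has already established `event->pmu == pmu`, so the local could go and the call be written `to_arm_pmu(pmu)`, which makes the dependence on the new check visible at the one place the arm_pmu is dereferenced. The ordering also deserves a sentence in the new comment block: `is_software_event(event)` returns 1 before the PMU comparison, so software events from any PMU are still accepted in the group, while an event from a different HW PMU is rejected before any arm_pmu field is touched, which is the `validate_event+0x90` path with PC at 0x0 in the commit message.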
@@ -349,15 +358,15 @@ validate_group(struct perf_event *event) memset(fake_used_mask, 0, sizeof(fake_used_mask)); fake_pmu.used_mask = fake_used_mask; - if (!validate_event(&fake_pmu, leader)) + if (!validate_event(event->pmu, &fake_pmu, leader)) return -EINVAL; list_for_each_entry(sibling, &leader->sibling_list, group_entry) { - if (!validate_event(&fake_pmu, sibling)) + if (!validate_event(event->pmu, &fake_pmu, sibling)) return -EINVAL; } - if (!validate_event(&fake_pmu, event)) + if (!validate_event(event->pmu, &fake_pmu, event)) return -EINVAL; return 0; From patchwork Tue May 9 14:42:28 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98917 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp1857364qge; Tue, 9 May 2017 07:43:06 -0700 (PDT) X-Received: by 10.99.141.76 with SMTP id z73mr554033pgd.118.1494340985896; Tue, 09 May 2017 07:43:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494340985; cv=none; d=google.com; s=arc-20160816; b=FywX+XsXFT5z3YQprL9fv2A2jfYobvM3OW1R32ChVE8gnLFmg5WngqJmQKG7aBLe6N 0wNDncCRp2K84PLPXlLTbxAwn26pwiXx0edLsOXZN9HTWu6SbE6Q72q21htHw5AeQ0RY QwtwoXlmbho1v5oh0nKXPn4otLSE11UbDa0vEwKEfM2lEsmoB6EWgKdBZuXaX4424HV7 g4bTnay+Sp/g+5kAnlqBoCQbXTIMmbaQT8pe9Sfa/YFbvBMD00T+TtxcdBwak/9tUIzL XRbxGa3/q6AM0DPkRZjM5TjKyWkzcZm7pUYnYbI22loXcAuQ6O62f/ch8ztGVwFsNyD2 x8Iw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=yuYA+b5FkcldYohNOTnvL7lUz2p37ffgdwoPIHGA/j8=; b=Y91oRMpwft07x3rYRA+0SvM5BFhY9CP7v0cbYXyB9WJcJbmmdxY+P07SfdkvlxsSVi wP02AMIRjk9JQZhWxM8Th3YZhfh/WudyrKaIbKE2EfyjNCMyxl5Biqrx+EURGu+Jlj52 sCmplG2/XRJCAufrhL+CoI5YK9PE1G698UvJbAKx6GpuQQ+OAQORm/8Vey6GQZs273Tt s/8Rye4goZUTX8Cbr5hcj8oirIOhGtLN4Aqf27RvXelNd2S1Kd7zJJ2i5eVql6BHoD2K 
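Review bot: passing `event->pmu` rather than the leader's PMU as the reference in the three `validate_event(event->pmu, &fake_pmu, ...)` calls is the right choice, because the leader is precisely the event that may belong to another HW PMU; had `leader->pmu` been used, the `validate_event(..., leader)` call would always pass the new check and the crash would remain reachable. A short comment above the first call stating that `event->pmu` is the PMU whose `event_init()` is executing would save the next reader that reasoning.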
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Peter Zijlstra, Arnaldo Carvalho de Melo, Frederic Weisbecker, Jiri Olsa, Linus Torvalds, Stephane Eranian, Thomas Gleixner, Vince Weaver, Ingo Molnar
Subject: [PATCH for-3.18 04/24] perf: Fix race in swevent hash
Date: Tue, 9 May 2017 20:12:28 +0530
Message-Id: <1494340968-17152-5-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
From: Peter Zijlstra commit 12ca6ad2e3a896256f086497a7c7406a547ee373 upstream. There's a race on CPU unplug where we free the swevent hash array while it can still have events on. This will result in a use-after-free which is BAD. Simply do not free the hash array on unplug. This leaves the thing around and no use-after-free takes place. When the last swevent dies, we do a for_each_possible_cpu() iteration anyway to clean these up, at which time we'll free it, so no leakage will occur. Reported-by: Sasha Levin Tested-by: Sasha Levin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Frederic Weisbecker Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Signed-off-by: Ingo Molnar Signed-off-by: Amit Pundir --- kernel/events/core.c | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) -- 2.7.4 diff --git a/kernel/events/core.c b/kernel/events/core.c index 3964293d1540..4886c0e97bbd 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -5851,9 +5851,6 @@ struct swevent_htable { /* Recursion avoidance in each contexts */ int recursion[PERF_NR_CONTEXTS]; - - /* Keeps track of cpu being initialized/exited */ - bool online; }; static DEFINE_PER_CPU(struct swevent_htable, swevent_htable); @@ -6111,14 +6108,8 @@ static int perf_swevent_add(struct perf_event *event, int flags) hwc->state = !(flags & PERF_EF_START); head = find_swevent_head(swhash, event); - if (!head) { - /* - * We can race with cpu hotplug code. Do not - * WARN if the cpu just got unplugged. - */ - WARN_ON_ONCE(swhash->online); + if (WARN_ON_ONCE(!head)) return -EINVAL; - } hlist_add_head_rcu(&event->hlist_entry, head); @@ -6185,7 +6176,6 @@ static int swevent_hlist_get_cpu(struct perf_event *event, int cpu) int err = 0; mutex_lock(&swhash->hlist_mutex); - if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) { struct swevent_hlist *hlist; 
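Review bot: the collapsed `if (WARN_ON_ONCE(!head)) return -EINVAL;` in perf_swevent_add() turns a condition the old code tolerated (NULL head during unplug, gated on `swhash->online`) into an unconditional warning. That is correct only because the hash is no longer released on unplug in the perf_event_exit_cpu() hunk of the same patch, so a NULL head now genuinely means a missing swevent_hlist_get_cpu(); that dependency between the two hunks is worth a one-line comment here, since read on its own this hunk looks like it drops hotplug tolerance rather than a now-stale special case.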
@@ -8342,7 +8332,6 @@ static void perf_event_init_cpu(int cpu) struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); mutex_lock(&swhash->hlist_mutex); - swhash->online = true; if (swhash->hlist_refcount > 0) { struct swevent_hlist *hlist; 
@@ -8395,14 +8384,7 @@ static void perf_event_exit_cpu_context(int cpu) static void perf_event_exit_cpu(int cpu) { - struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); - perf_event_exit_cpu_context(cpu); - - mutex_lock(&swhash->hlist_mutex); - swhash->online = false; - swevent_hlist_release(swhash); - mutex_unlock(&swhash->hlist_mutex); } #else static inline void perf_event_exit_cpu(int cpu) { } From patchwork Tue May 9 14:42:29 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98918 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp1857384qge; Tue, 9 May 2017 07:43:08 -0700 (PDT) X-Received: by 10.99.145.195 with SMTP id l186mr503864pge.123.1494340988660; Tue, 09 May 2017 07:43:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494340988; cv=none; d=google.com; s=arc-20160816; b=lw3IhYPO88bZThGDgXv7srXH0Zug/jgWhoCa8mz0iPeljsljwwxxVuRgFG+HJxAhDu 1zedollHQzl2sIibvabqe1hXDc7urts2YPHKLESE772mXdOnGhoWMJUK1oWGQrOGQYU2 6OUS/vO59Yz4/4sLUWuKfEtPE+m3pXU6uewm4YqortmmERXBFqzANO27yilYQdoBDlp4 p79D3qV52VbjBLS90yiBJgi19azV5G49+FdAw0HyePPhfaVa9RbtYqDAbWpVlWaVgWCq tlis/pGiu//zPRk128XqB8hinNiYLRJpwyNmtLTRo55ZWh5NFlZDp9vgALgGfs0N+fJH qRzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=nMiSX2gLbPL9P610RbCwqPUIMthkfp5Gr//oxq6zNRw=; b=EO+Ee+QjKXesF1KlBXZG46DalqF2au/NTKhGb0sU5Z2z6noDFlIgyPCPVfd318Tpgg LPxSiwQK4feVrw7KetIDKjb1S/dTkdkzYhFnCB2F/Fc2VsVrzX1fWcnrUi6iwLHCorIk uDcVwelRNDuJrH8HKhr2TEFKQwrCXt++2KQQ+9MmXIgdl7yzjYC5oZYWkA6C1JH4zSBb eKnCzrSEOT5c56UFJYTzb/iAnwB/arGkRpaa28v+5LstDZTbs6i1U3OnvGLNqFl/poZS Znwg1AlRUEYkNCvwj/QavC+fHQ6E6tTbUQx8GOTe/wsJ1COBKtYGRHi4YvCkoS8gbh3Y FCxA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: 
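Review bot: with `swevent_hlist_release(swhash)` gone from perf_event_exit_cpu(), an offline CPU keeps its hash list until the last swevent user drops it through the `for_each_possible_cpu()` teardown the commit message refers to; that path is outside this diff, so a comment here naming it would stop a future cleanup from reinstating the release (and the use-after-free) on the grounds that the list looks leaked. Dropping the `swhash` local together with the `mutex_lock`/`mutex_unlock` pair is consistent, as nothing under that lock remains; the function body is now just `perf_event_exit_cpu_context(cpu);`.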
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, David Howells
Subject: [PATCH for-3.18 05/24] ASN.1: Fix non-match detection failure on data overrun
Date: Tue, 9 May 2017 20:12:29 +0530
Message-Id: <1494340968-17152-6-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
From: David Howells

commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f upstream.

If the ASN.1 decoder is asked to parse a sequence of objects, non-optional matches get skipped if there's no more data to be had rather than a data-overrun error being reported.

This is due to the code segment that decides whether to skip optional matches (ie. matches that could get ignored because an element is marked OPTIONAL in the grammar) due to a lack of data also skips non-optional elements if the data pointer has reached the end of the buffer.

This can be tested with the data decoder for the new RSA akcipher algorithm that takes three non-optional integers. Currently, it skips the last integer if there is insufficient data.

Without the fix, #defining DEBUG in asn1_decoder.c will show something like:

next_op: pc=0/13 dp=0/270 C=0 J=0
- match? 30 30 00
- TAG: 30 266 CONS
next_op: pc=2/13 dp=4/270 C=1 J=0
- match? 02 02 00
- TAG: 02 257
- LEAF: 257
next_op: pc=5/13 dp=265/270 C=1 J=0
- match? 02 02 00
- TAG: 02 3
- LEAF: 3
next_op: pc=8/13 dp=270/270 C=1 J=0
next_op: pc=11/13 dp=270/270 C=1 J=0
- end cons t=4 dp=270 l=270/270

The next_op line for pc=8/13 should be followed by a match line.

This is not exploitable for X.509 certificates by means of shortening the message and fixing up the ASN.1 CONS tags because:

 (1) The relevant records being built up are cleared before use.

 (2) If the message is shortened sufficiently to remove the public key, the ASN.1 parse of the RSA key will fail quickly due to a lack of data.

 (3) Extracted signature data is either turned into MPIs (which cope with a 0 length) or is simpler integers specifying algorithms and suchlike (which can validly be 0); and

 (4) The AKID and SKID extensions are optional and their removal is handled without risking passing a NULL to asymmetric_key_generate_id().

 (5) If the certificate is truncated sufficiently to remove the subject, issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons stack underflow' return.

This is not exploitable for PKCS#7 messages by means of removal of elements from such a message from the tail end of a sequence:

 (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable as detailed above.

 (2) The message digest content isn't used if it shows a NULL pointer, similarly, the authattrs aren't used if that shows a NULL pointer.

 (3) A missing signature results in a NULL MPI - which the MPI routines deal with.

 (4) If data is NULL, it is expected that the message has detached content and that is handled appropriately.

 (5) If the serialNumber is excised, the unconditional action associated with it will pick up the containing SEQUENCE instead, so no NULL pointer will be seen here.

     If both the issuer and the serialNumber are excised, the ASN.1 decode will fail with an 'Unexpected tag' return.

     In either case, there's no way to get to asymmetric_key_generate_id() with a NULL pointer.

 (6) Other fields are decoded to simple integers. Shortening the message to omit an algorithm ID field will cause checks on this to fail early in the verification process.

This can also be tested by snipping objects off of the end of the ASN.1 stream such that mandatory tags are removed - or even from the end of internal SEQUENCEs. If any mandatory tag is missing, the error EBADMSG *should* be produced. Without this patch ERANGE or ENOPKG might be produced or the parse may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced later, depending on what gets snipped.

Just snipping off the final BIT_STRING or OCTET_STRING from either sample should be a start since both are mandatory and neither will cause an EBADMSG without the patches.

Reported-by: Marcel Holtmann
Signed-off-by: David Howells
Tested-by: Marcel Holtmann
Reviewed-by: David Woodhouse
Signed-off-by: Amit Pundir
---
 lib/asn1_decoder.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--
2.7.4
diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
index 1a000bb050f9..d60ce8a53650 100644
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -208,9 +208,8 @@ next_op: unsigned char tmp; /* Skip conditional matches if possible */ - if ((op & ASN1_OP_MATCH__COND && - flags & FLAG_MATCHED) || - dp == datalen) { + if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) || + (op & ASN1_OP_MATCH__SKIP && dp == datalen)) { pc += asn1_op_lengths[op]; goto next_op; } From patchwork Tue May 9 14:42:30 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98919 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp1857391qge; Tue, 9 May 2017 07:43:09 -0700 (PDT) X-Received: by 10.84.218.204 with SMTP id g12mr731334plm.32.1494340989785; Tue, 09 May 2017 07:43:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494340989; cv=none; d=google.com; s=arc-20160816; b=VMhA6m4ytroLWYgiRfgWw1zU2qRjtZ61gqViwvumg7ndVjwsDOatfXdKjAhLq5Pk7O enPQjaCPPnijWk3tpkmSpj1nggvMw3gh3ow545zsvyNVZHSxJ9VXj3xAsdOIJyiwGcmw iQFfndotginZS2KqBXM/d63jW69XRPAVD/EkSG5gOzT+DZyveBeqGRbHBTQZ18u8hox8 hS4/IdQxPzgY8cuGXFl7xoKWFn9bhgcPt089VBFpeWC26fqdTWqui+n1dYw9FoBg1ijs 8dQOisA+WSnQGBA7gwi847BDi27LFJ1PMLI9VDpt6K5n7stUkjv8yPa02nkY9i8hcmBJ 2MTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=k6apPWwn6C2ik9sC9TMQBFeLJX704EIElACxw1xmBuw=; b=jGn5AZhdLGlbSXUL9OWvLqy3gEQu+FpJTsAJxdlJ6jf5V7HD/lE30wSNyfOlSklOCj PmhnDGhFsuN+pc9cpdfq3UTMyz4VhXoansAQNSkQ521X7OZwnVJMT/fjS6f49wpTgh+Y pV6r31PuKstvucKiXh1xk95SiIamXHOHPiDT+yO2bWbmG1mqkUufbs7QfMGwgrCKlC6R fWiUCtiUj3kc+gYohZ+nftv5jvuoeYNOg8PYPsJfMuZfJDXRZZW+8r1CBB643AxWTDiu rpgBimEzIm7vjjnKNq88yyQOoo8EQjdRv16wDugNQTJc13TwzUWjJGXxOot1vO4pnD73 BWPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as 
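Review bot: the rewritten condition scopes the end-of-data skip to ops carrying `ASN1_OP_MATCH__SKIP`, so a mandatory match at `dp == datalen` no longer falls into `pc += asn1_op_lengths[op]; goto next_op;` and instead reaches the tag read, where the shortage is reported as the commit message describes. The unchanged comment `/* Skip conditional matches if possible */` still reads as if end-of-data alone justified a skip; extending it to say that only skippable matches may be bypassed when the data is exhausted would keep it in step with the code. The mixed `&` and `&&` in each clause lean on precedence; parenthesising `(op & ASN1_OP_MATCH__COND)` and `(op & ASN1_OP_MATCH__SKIP)` would make the two-part test easier to verify by eye.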
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, David Howells
Subject: [PATCH for-3.18 06/24] KEYS: Fix ASN.1 indefinite length object parsing
Date: Tue, 9 May 2017 20:12:30 +0530
Message-Id: <1494340968-17152-7-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
From: David Howells commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream. This fixes CVE-2016-0758. In the ASN.1 decoder, when the length field of an ASN.1 value is extracted, it isn't validated against the remaining amount of data before being added to the cursor. With a sufficiently large size indicated, the check: datalen - dp < 2 may then fail due to integer overflow. Fix this by checking the length indicated against the amount of remaining data in both places a definite length is determined. Whilst we're at it, make the following changes: (1) Check the maximum size of extended length does not exceed the capacity of the variable it's being stored in (len) rather than the type that variable is assumed to be (size_t). (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the integer 0. (3) To reduce confusion, move the initialisation of len outside of: for (len = 0; n > 0; n--) { since it doesn't have anything to do with the loop counter n. Signed-off-by: David Howells Reviewed-by: Mimi Zohar Acked-by: David Woodhouse Acked-by: Peter Jones Signed-off-by: Amit Pundir --- lib/asn1_decoder.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) -- 2.7.4 diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c index d60ce8a53650..806c5b6b4b3a 100644 --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c @@ -69,7 +69,7 @@ next_tag: /* Extract a tag from the data */ tag = data[dp++]; - if (tag == 0) { + if (tag == ASN1_EOC) { /* It appears to be an EOC. */ if (data[dp++] != 0) goto invalid_eoc; @@ -91,10 +91,8 @@ next_tag: /* Extract the length */ len = data[dp++]; - if (len <= 0x7f) { - dp += len; - goto next_tag; - } + if (len <= 0x7f) + goto check_length; if (unlikely(len == ASN1_INDEFINITE_LENGTH)) { /* Indefinite length */ 
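Review bot: `if (len <= 0x7f) goto check_length;` jumps forward past the indefinite-length and extended-length handling, so at the label `len` is either the single short-form byte or the assembled long-form value; a one-line comment at `check_length:` stating that would help, because the label is introduced in a later hunk and this hunk no longer shows the `dp += len; goto next_tag;` that used to make the short-form path self-explanatory. The `tag == ASN1_EOC` comparison in the first hunk replaces the literal 0 with the named constant and needs no further change.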
@@ -105,14 +103,18 @@ next_tag: } n = len - 0x80; - if (unlikely(n > sizeof(size_t) - 1)) + if (unlikely(n > sizeof(len) - 1)) goto length_too_long; if (unlikely(n > datalen - dp)) goto data_overrun_error; - for (len = 0; n > 0; n--) { + len = 0; + for (; n > 0; n--) { len <<= 8; len |= data[dp++]; } +check_length: + if (len > datalen - dp) + goto data_overrun_error; dp += len; goto next_tag; From patchwork Tue May 9 14:42:31 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98920 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp1857404qge; Tue, 9 May 2017 07:43:12 -0700 (PDT) X-Received: by 10.84.248.73 with SMTP id e9mr710816pln.76.1494340992036; Tue, 09 May 2017 07:43:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494340992; cv=none; d=google.com; s=arc-20160816; b=UFLXnGf+Q7KpiXEEWVzLzkEsNjBIL9oHNhgCiGTsG3hosPWEokhjtd7gTAIg4ap+5z g9lWbBTma7d5RGv3IUAa+39rmbuE63HjdB48uz4simtSvGzy+IMpK0PNOCumSddq3ONh SEZ45rPvDVMOBtpr5ZL3riuosSx8QgqFu3txtBcLfxN7BwsfmvHkKXDRqVczdmMmHBqE PXLvsq+f19wKN5XGZHEvzsJ5PGkHMTxy73NHpfkjFTxhE4OGdfClEFA3sgbjZsdVRTTu xQVwheFy3iO3lTIWrMmKpkiAB1pY88guQb96tZBeLooqfzO5JFuRpRW2q1smGpSr1GYW OVGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=o5E76HviSgR7+pCcFX9DLM+EmatALrZnKpZrisIDDv0=; b=rlw/LPKVCM0TZdOLqytj8TF8WrwJY2ZA9+1vsL2WFGe7XUQqTOBhQi4Y4KLffTEuGf HRqLZR/tV6f8sjzxfTj9AfRMIYQnPwlg6j2XinAfRftY3bNDrUmmEVmAlPYqXsbiySv9 daprmGf9FK4VPIV7LMWfaaod0cMjDOgFcph20WusfJ1yxSCFnyvRCo7BugpxdqqS417c O7e6oTaDmKdfn4mk5bUseUV4gSCi/qmPs3lunu07Ur0YnQxv94AfMAn+X9hbmYzihaet FODPEx/mWYJGL/GZtywalojGQSoTDD4YvDipGF0Va0zxh9xaDzQaja+X0PFIz/uOQ1aq 8XxQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record 
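Review bot: the new `if (len > datalen - dp) goto data_overrun_error;` at `check_length:` is sound only while `dp <= datalen`, otherwise `datalen - dp` wraps. On the long-form path that is guaranteed by the preceding `if (unlikely(n > datalen - dp)) goto data_overrun_error;` followed by exactly `n` increments of `dp`; on the short-form path it rests on the `datalen - dp < 2` check the commit message mentions before the tag and length bytes are read. That invariant deserves a comment, since it is exactly what the old `dp += len` without a check broke. The bound change to `sizeof(len) - 1` also matters if `len` is ever narrower than `size_t`: an `n` between `sizeof(len)` and `sizeof(size_t) - 1` previously passed the check and was silently truncated by the shift loop.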
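The length validation described in the commit message above, as an added example that is not the kernel's lib/asn1_decoder.c: a small DER tag/length walker applying the check before the cursor moves, with a switch that shows where the unchecked pre-fix cursor ended up. Function, status and sample names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not the kernel's decoder. The `hardened` switch selects the
 * post-fix behaviour (length checked against remaining data before the
 * cursor advances) or the pre-fix behaviour (cursor advanced unchecked).
 * Names are constructed for this example.
 */
enum der_status {
	DER_OK = 0,
	DER_OVERRUN = -1,         /* a length exceeds the remaining data */
	DER_TOO_LONG = -2,        /* long-form length would not fit in len */
	DER_INDEFINITE = -3,      /* 0x80 indefinite form, not handled here */
	DER_CURSOR_PAST_END = -4  /* unhardened: the old code would read OOB here */
};

/*
 * Skip one TLV starting at *dp; on DER_OK, *dp points just past its value.
 * Single-byte tags are assumed (multi-byte tags omitted for brevity).
 */
int der_skip_tlv(const uint8_t *data, size_t datalen, size_t *dp, int hardened)
{
	size_t pos = *dp;
	size_t len, n;

	/* Need a tag byte and a first length byte. The subtraction is only
	 * meaningful while pos <= datalen; the explicit guard keeps this
	 * example free of the wrap-around the commit message describes. */
	if (pos > datalen || datalen - pos < 2)
		return DER_OVERRUN;

	pos++;              /* tag */
	len = data[pos++];  /* first length byte */

	if (len == 0x80)
		return DER_INDEFINITE;

	if (len > 0x7f) {
		/* Long form: the low 7 bits count the length bytes that follow. */
		n = len - 0x80;
		if (n > sizeof(len) - 1)      /* bound by the width of len itself */
			return DER_TOO_LONG;
		if (n > datalen - pos)        /* the length bytes must be present */
			return DER_OVERRUN;
		len = 0;
		for (; n > 0; n--) {
			len <<= 8;
			len |= data[pos++];
		}
	}

	/* The check the patch adds, for short and long form alike: validate the
	 * content length against what is left before moving the cursor. */
	if (hardened && len > datalen - pos)
		return DER_OVERRUN;

	pos += len;
	if (!hardened && pos > datalen)
		return DER_CURSOR_PAST_END;  /* pre-fix: dp is now beyond datalen */

	*dp = pos;
	return DER_OK;
}

/* Walk every top-level TLV; returns the item count, or a der_status < 0. */
int der_count_items(const uint8_t *data, size_t datalen, int hardened)
{
	size_t dp = 0;
	int items = 0, rc;

	while (dp < datalen) {
		rc = der_skip_tlv(data, datalen, &dp, hardened);
		if (rc != DER_OK)
			return rc;
		items++;
	}
	return items;
}

/* Constructed samples: a valid SEQUENCE { INTEGER 1, INTEGER 2 }, a short-form
 * length that overstates the remaining bytes, a long-form length claiming 256
 * bytes, a long form with too many length bytes, and an indefinite length. */
static const uint8_t sample_good[]     = { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02 };
static const uint8_t sample_lying[]    = { 0x02, 0x01, 0x01, 0x02, 0x05, 0x02 };
static const uint8_t sample_longform[] = { 0x04, 0x82, 0x01, 0x00, 0xaa, 0xbb };
static const uint8_t sample_toolong[]  = { 0x04, 0x88, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
static const uint8_t sample_indef[]    = { 0x30, 0x80, 0x00, 0x00 };

int main(void)
{
	printf("good, hardened:             %d\n", der_count_items(sample_good, sizeof sample_good, 1));
	printf("lying length, hardened:     %d\n", der_count_items(sample_lying, sizeof sample_lying, 1));
	printf("lying length, unhardened:   %d\n", der_count_items(sample_lying, sizeof sample_lying, 0));
	printf("long form of 256, hardened: %d\n", der_count_items(sample_longform, sizeof sample_longform, 1));
	return 0;
}
```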
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Lukas Czerner
Subject: [PATCH for-3.18 07/24] ext4: fix potential use after free in __ext4_journal_stop
Date: Tue, 9 May 2017 20:12:31 +0530
Message-Id: <1494340968-17152-8-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org

From: Lukas Czerner

commit 6934da9238da947628be83635e365df41064b09b upstream.

There is a use-after-free possibility in __ext4_journal_stop() in the case that we free the handle in the first jbd2_journal_stop() because we're referencing handle->h_err afterwards. This was introduced in 9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by storing the handle->h_err value beforehand and avoid referencing potentially freed handle.

Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner
Reviewed-by: Andreas Dilger
Cc: stable@vger.kernel.org
Signed-off-by: Amit Pundir
---
 fs/ext4/ext4_jbd2.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--
2.7.4
diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
index d41843181818..e770c1ee4613 100644
--- a/fs/ext4/ext4_jbd2.c
+++ b/fs/ext4/ext4_jbd2.c
@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle) return 0; } + err = handle->h_err; if (!handle->h_transaction) { - err = jbd2_journal_stop(handle); - return handle->h_err ? handle->h_err : err; + rc = jbd2_journal_stop(handle); + return err ? err : rc; } sb = handle->h_transaction->t_journal->j_private; - err = handle->h_err; rc = jbd2_journal_stop(handle); if (!err) From patchwork Tue May 9 14:42:32 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98921 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp1857420qge; Tue, 9 May 2017 07:43:14 -0700 (PDT) X-Received: by 10.98.62.213 with SMTP id y82mr245888pfj.93.1494340994331; Tue, 09 May 2017 07:43:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494340994; cv=none; d=google.com; s=arc-20160816; b=gO8iJh8vTYBO4yBYje0xTR27mSiNVQRBsE2qxgYxHBqrQVjUBX0ZsR8t6gFqBZmoLX AkAQMMo+qqLHY8c3caIQRo8AdZf6z7JRffDIb/LG9NFic3vlypLFc4mGmYgTygvmU7Od v5IUC/F1BOFqfG2h2SxyzfouYB7Z0Avxn8FdXPVDtwmvt3UpI178xFC6TqqitX3K2tJN wxcRGVl1Usc6rSGKGZ27PWJJeohsFWSyszZPaZoemL32k0aka88dSW4asR10IMCMe3UU Af+rnrOK6A7NEGwI/7q3RIbSSkXn4o2afWrY4uTJYmvf2GN5J7mWWUeIFKrQ9ah30LM0 xokQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=vIG8sd9AZ7DcEG3BkG8hIKLWH0JomhoPT6ptcCbiyFs=; b=PEwAao8TxIBEpu905W94hJj+JjcV4/Qnc00A0/8+pqsIVehu6KIJyBTWU+AtQxXfVe 0urFgbl3h7q4ltuYltCes7UCxbshonxNxXsTHe+hSMNaS8Gt+KPF3XPdO01wwnhnxDpG XEKeMyR3ID0jetq2ni9W9/YCVgLA87jSWX4dfk4UWoGBQ2YYzd+wMoIuFBrWt5T0ClI3 95Xw/mwNBemTnuhFOib48EBPcAQdSQRsyoi9r0o/wm/9uu7V9O1fQMyetTehHUXJac39 qqnO1V9xY15pu6HVzC73YQOp2GA3usO63gwQ26R+5IH2fVmZ35SlzgkvVMLv0Nks2ybX Q+Hg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass 
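Review bot: hoisting `err = handle->h_err;` above the `!handle->h_transaction` branch is what removes the use-after-free, since `jbd2_journal_stop()` may free `handle` and the old `return handle->h_err ? handle->h_err : err;` read it afterwards. Both `err` and `rc` are evidently existing locals (`rc = jbd2_journal_stop(handle);` appears in the unchanged context), so no declaration change is needed; a comment on the hoisted line such as "read before jbd2_journal_stop() may free handle" would stop a later cleanup from moving it back next to its first use. The new `return err ? err : rc;` keeps the previous precedence (h_err first, then the stop result).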
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Calvin Owens, "Martin K . Petersen"
Subject: [PATCH for-3.18 08/24] sg: Fix double-free when drives detach during SG_IO
Date: Tue, 9 May 2017 20:12:32 +0530
Message-Id: <1494340968-17152-9-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Calvin Owens

commit f3951a3709ff50990bf3e188c27d346792103432 upstream.

In sg_common_write(), we free the block request and return -ENODEV if the device is detached in the middle of the SG_IO ioctl(). Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we end up freeing rq->cmd in the already free rq object, and then free the object itself out from under the current user. This ends up corrupting random memory via the list_head on the rq object.

The most common crash trace I saw is this:

------------[ cut here ]------------
kernel BUG at block/blk-core.c:1420!
Call Trace:
[] blk_put_request+0x5b/0x80
[] sg_finish_rem_req+0x6b/0x120 [sg]
[] sg_common_write.isra.14+0x459/0x5a0 [sg]
[] ? selinux_file_alloc_security+0x48/0x70
[] sg_new_write.isra.17+0x195/0x2d0 [sg]
[] sg_ioctl+0x644/0xdb0 [sg]
[] do_vfs_ioctl+0x90/0x520
[] ? file_has_perm+0x97/0xb0
[] SyS_ioctl+0x91/0xb0
[] tracesys+0xdd/0xe2
RIP [] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the failure branch so that sg_finish_rem_req() doesn't attempt to re-free it. Additionally, since sg_rq_end_io() will never be called on the object when this happens, we need to free memory backing ->cmd if it isn't embedded in the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Signed-off-by: Calvin Owens
Acked-by: Douglas Gilbert
Signed-off-by: Martin K. Petersen
Signed-off-by: Amit Pundir
---
drivers/scsi/sg.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
-- 2.7.4
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index e50adf710229..71b30e18f2f0 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c
@@ -791,8 +791,14 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp, return k; /* probably out of space --> ENOMEM */ } if (atomic_read(&sdp->detaching)) { - if (srp->bio) + if (srp->bio) { + if (srp->rq->cmd != srp->rq->__cmd) + kfree(srp->rq->cmd); + blk_end_request_all(srp->rq, -EIO); + srp->rq = NULL; + } + sg_finish_rem_req(srp); return -ENODEV; }
From patchwork Tue May 9 14:42:33 2017 X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98922
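Review bot: the order of the three added statements in the `sg_common_write` hunk is load-bearing and deserves a comment in the code. `kfree(srp->rq->cmd)` has to come before `blk_end_request_all(srp->rq, -EIO)`, because once the request has been ended it may be released and `srp->rq->cmd` can no longer be read; and `srp->rq = NULL` has to come before `sg_finish_rem_req(srp)`, because, as the commit message says, that function otherwise frees the same request a second time. A one-line comment such as `/* request was never issued: release cmd and rq here, sg_finish_rem_req() must not see it */` would keep a future reorder from reintroducing the double free. The `srp->rq->cmd != srp->rq->__cmd` test correctly frees only a separately allocated command buffer and leaves the embedded one alone.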
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Peter Hurley, Tilman Schmidt, Sasha Levin
Subject: [PATCH for-3.18 09/24] tty: Prevent ldisc drivers from re-using stale tty fields
Date: Tue, 9 May 2017 20:12:33 +0530
Message-Id: <1494340968-17152-10-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Peter Hurley

commit dd42bf1197144ede075a9d4793123f7689e164bc upstream.

Line discipline drivers may mistakenly misuse ldisc-related fields when initializing. For example, a failure to initialize tty->receive_room in the N_GIGASET_M101 line discipline was recently found and fixed [1]. Now, the N_X25 line discipline has been discovered accessing the previous line discipline's already-freed private data [2].

Harden the ldisc interface against misuse by initializing relevant tty fields before instancing the new line discipline.

[1] commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
Author: Tilman Schmidt
Date: Tue Jul 14 00:37:13 2015 +0200
isdn/gigaset: reset tty->receive_room when attaching ser_gigaset

[2] Report from Sasha Levin
[ 634.336761] ==================================================================
[ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
[ 634.339558] Read of size 4 by task syzkaller_execu/8981
[ 634.340359] =============================================================================
[ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
...
[ 634.405018] Call Trace:
[ 634.405277] dump_stack (lib/dump_stack.c:52)
[ 634.405775] print_trailer (mm/slub.c:655)
[ 634.406361] object_err (mm/slub.c:662)
[ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
[ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
[ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
[ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
[ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
[ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
[ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Cc: Tilman Schmidt
Cc: Sasha Levin
Signed-off-by: Peter Hurley
Signed-off-by: Greg Kroah-Hartman Signed-off-by: Amit Pundir --- drivers/tty/tty_ldisc.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.7.4 diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 2d822aa259b2..2bf08366cd5b 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -414,6 +414,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush); * they are not on hot paths so a little discipline won't do * any harm. * + * The line discipline-related tty_struct fields are reset to + * prevent the ldisc driver from re-using stale information for + * the new ldisc instance. + * * Locking: takes termios_rwsem */ 
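Review bot: the new kerneldoc paragraph in the `tty_set_termios_ldisc` comment should name the fields it resets (`disc_data` and `receive_room`, per the second hunk of this patch) rather than "line discipline-related tty_struct fields", so that whoever adds the next ldisc-owned field to tty_struct knows this is the place to clear it. It should also say which lock the caller is expected to hold while the reset happens, since the `Locking:` line directly below still only mentions termios_rwsem and the resets in the second hunk sit outside that lock.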
@@ -422,6 +426,9 @@ static void tty_set_termios_ldisc(struct tty_struct *tty, int num) down_write(&tty->termios_rwsem); tty->termios.c_line = num; up_write(&tty->termios_rwsem); + + tty->disc_data = NULL; + tty->receive_room = 0; } /**
From patchwork Tue May 9 14:42:34 2017 X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98923
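Review bot: the two resets are placed after `up_write(&tty->termios_rwsem)`, so they are not covered by the lock this function documents; if the caller's ldisc serialization is what makes clearing `tty->disc_data` safe against a concurrent reader, say so in a comment next to the assignments. It is also worth confirming that this function only ever runs after the previous line discipline's close has completed, because clearing `disc_data` before that teardown would hide the old instance's private data from its own close routine. Given the KASAN report in the commit message (`x25_asy_open_tty` reading freed memory through the stale pointer), resetting both fields here is the right defensive default; the open question is only the documented ordering guarantee.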
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Hangbin Liu, "David S . Miller"
Subject: [PATCH for-3.18 10/24] net/ipv6: add sysctl option accept_ra_min_hop_limit
Date: Tue, 9 May 2017 20:12:34 +0530
Message-Id: <1494340968-17152-11-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Hangbin Liu

commit 8013d1d7eafb0589ca766db6b74026f76b7f5cb4 upstream.

Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface") disabled accept hop limit from RA if it is smaller than the current hop limit for security stuff. But this behavior kind of breaks the RFC definition.

RFC 4861, 6.3.4. Processing Received Router Advertisements

A Router Advertisement field (e.g., Cur Hop Limit, Reachable Time, and Retrans Timer) may contain a value denoting that it is unspecified. In such cases, the parameter should be ignored and the host should continue using whatever value it is already using.

If the received Cur Hop Limit value is non-zero, the host SHOULD set its CurHopLimit variable to the received value.

So add sysctl option accept_ra_min_hop_limit to let user choose the minimum hop limit value they can accept from RA. And set default to 1 to meet RFC standards.

Signed-off-by: Hangbin Liu
Acked-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir
---
Documentation/networking/ip-sysctl.txt | 8 ++++++++
include/linux/ipv6.h | 1 +
include/uapi/linux/ipv6.h | 1 +
net/ipv6/addrconf.c | 10 ++++++++++
net/ipv6/ndisc.c | 16 +++++++---------
5 files changed, 27 insertions(+), 9 deletions(-)
-- 2.7.4
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index a476b08a43e0..628d342a806f 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -1256,6 +1256,14 @@ accept_ra_from_local - BOOLEAN disabled if accept_ra_from_local is disabled on a specific interface. +accept_ra_min_hop_limit - INTEGER + Minimum hop limit Information in Router Advertisement. + + Hop limit Information in Router Advertisement less than this + variable shall be ignored. + + Default: 1 + accept_ra_pinfo - BOOLEAN Learn Prefix Information in Router Advertisement. diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h index 2725b03b4ae2..5b8ffda9b668 100644
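Review bot: the ip-sysctl.txt entry for `accept_ra_min_hop_limit` is incomplete relative to the ndisc.c hunk in this same patch, which only consults the advertised hop limit when `accept_ra_min_hop_limit < 256`. A value of 256 or greater therefore disables hop-limit learning from Router Advertisements entirely, and that is exactly the setting an administrator who wants to keep the stricter pre-patch behaviour would reach for, so the documentation should state both the meaningful range and the "greater than 255 means never accept" semantics, and should say plainly that the default of 1 accepts any non-zero advertised value. Minor: "Minimum hop limit Information" and "Hop limit Information" should use lower-case "information", matching the surrounding entries.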
--- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h @@ -29,6 +29,7 @@ struct ipv6_devconf { __s32 max_desync_factor; __s32 max_addresses; __s32 accept_ra_defrtr; + __s32 accept_ra_min_hop_limit; __s32 accept_ra_pinfo; #ifdef CONFIG_IPV6_ROUTER_PREF __s32 accept_ra_rtr_pref; diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h index efa2666f4b8a..ea3a39c0ac5d 100644 --- a/include/uapi/linux/ipv6.h +++ b/include/uapi/linux/ipv6.h @@ -164,6 +164,7 @@ enum { DEVCONF_MLDV2_UNSOLICITED_REPORT_INTERVAL, DEVCONF_SUPPRESS_FRAG_NDISC, DEVCONF_ACCEPT_RA_FROM_LOCAL, + DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT, DEVCONF_MAX }; diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 4cc14452d5cc..43840e080d85 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -188,6 +188,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { .max_addresses = IPV6_MAX_ADDRESSES, .accept_ra_defrtr = 1, .accept_ra_from_local = 0, + .accept_ra_min_hop_limit= 1, .accept_ra_pinfo = 1, #ifdef CONFIG_IPV6_ROUTER_PREF .accept_ra_rtr_pref = 1, @@ -225,6 +226,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { .max_addresses = IPV6_MAX_ADDRESSES, .accept_ra_defrtr = 1, .accept_ra_from_local = 0, + .accept_ra_min_hop_limit= 1, .accept_ra_pinfo = 1, #ifdef CONFIG_IPV6_ROUTER_PREF .accept_ra_rtr_pref = 1, @@ -4320,6 +4322,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf, array[DEVCONF_MAX_DESYNC_FACTOR] = cnf->max_desync_factor; array[DEVCONF_MAX_ADDRESSES] = cnf->max_addresses; array[DEVCONF_ACCEPT_RA_DEFRTR] = cnf->accept_ra_defrtr; + array[DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT] = cnf->accept_ra_min_hop_limit; array[DEVCONF_ACCEPT_RA_PINFO] = cnf->accept_ra_pinfo; #ifdef CONFIG_IPV6_ROUTER_PREF array[DEVCONF_ACCEPT_RA_RTR_PREF] = cnf->accept_ra_rtr_pref; 
@@ -5136,6 +5139,13 @@ static struct addrconf_sysctl_table .proc_handler = proc_dointvec, }, { + .procname = "accept_ra_min_hop_limit", + .data = &ipv6_devconf.accept_ra_min_hop_limit, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, + { .procname = "accept_ra_pinfo", .data = &ipv6_devconf.accept_ra_pinfo, .maxlen = sizeof(int), diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index a46c50423aec..6e7bf721840e 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c 
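Review bot: the new `accept_ra_min_hop_limit` table entry uses plain `proc_dointvec`, so the sysctl accepts negative values and anything above 256 without complaint. A negative value is harmless in practice (with the `<=` comparison in ndisc.c it behaves like 0 or 1 and accepts every non-zero hop limit) but it reads as if it meant something. `proc_dointvec_minmax` with `extra1`/`extra2` bounds would make the disable threshold that ndisc.c relies on an explicit, validated upper limit instead of an implicit one, and would reject nonsense values at write time.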
@@ -1214,18 +1214,16 @@ static void ndisc_router_discovery(struct sk_buff *skb) if (rt) rt6_set_expires(rt, jiffies + (HZ * lifetime)); - if (ra_msg->icmph.icmp6_hop_limit) { - /* Only set hop_limit on the interface if it is higher than - * the current hop_limit. - */ - if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) { + if (in6_dev->cnf.accept_ra_min_hop_limit < 256 && + ra_msg->icmph.icmp6_hop_limit) { + if (in6_dev->cnf.accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit) { in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit; + if (rt) + dst_metric_set(&rt->dst, RTAX_HOPLIMIT, + ra_msg->icmph.icmp6_hop_limit); } else { - ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n"); + ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than minimum\n"); } - if (rt) - dst_metric_set(&rt->dst, RTAX_HOPLIMIT, - ra_msg->icmph.icmp6_hop_limit); } skip_defrtr:
From patchwork Tue May 9 14:42:35 2017 X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98924
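Review bot: the `ndisc_router_discovery` hunk changes the default security posture and the commit message should say so in those terms. The removed branch only ever raised the interface hop limit (`in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit`), so a Router Advertisement could not lower it; after this hunk, with the shipped default of 1, any RA carrying a non-zero Cur Hop Limit is applied, including one that drops the limit low enough that traffic stops being deliverable beyond the first few hops. That is what the RFC text quoted in the commit message asks for, but it moves the previous protection behind a sysctl, so operators who relied on the old behaviour must raise `accept_ra_min_hop_limit` (or set it to 256 to stop accepting the field altogether), and the documentation hunk should point them there. Two smaller points: the `RTAX_HOPLIMIT` metric on `rt` is now set only on the accepted path rather than unconditionally, which is correct but is a second behaviour change worth a sentence, and the reworded warning ("lower hop_limit than minimum") matches the new check.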
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Eric Dumazet, "David S . Miller"
Subject: [PATCH for-3.18 11/24] ipv6: sctp: add rcu protection around np->opt
Date: Tue, 9 May 2017 20:12:35 +0530
Message-Id: <1494340968-17152-12-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Eric Dumazet commit c836a8ba93869d6a0290a6ae0047fbef09066871 upstream. This patch completes the work I did in commit 45f6fad84cc3 ("ipv6: add complete rcu protection around np->opt"), as I missed sctp part. This simply makes sure np->opt is used with proper RCU locking and accessors. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Amit Pundir --- net/sctp/ipv6.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) -- 2.7.4 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 18361cbfc882..15bc2886a529 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -209,6 +209,7 @@ static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport) struct sock *sk = skb->sk; struct ipv6_pinfo *np = inet6_sk(sk); struct flowi6 *fl6 = &transport->fl.u.ip6; + int res; pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb, skb->len, &fl6->saddr, &fl6->daddr); @@ -220,7 +221,10 @@ static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport) SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); - return ip6_xmit(sk, skb, fl6, np->opt, np->tclass); + rcu_read_lock(); + res = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), np->tclass); + rcu_read_unlock(); + return res; } /* Returns the dst cache entry for the given source and destination ip @@ -262,7 +266,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, pr_debug("src=%pI6 - ", &fl6->saddr); } - final_p = fl6_update_dst(fl6, np->opt, &final); + rcu_read_lock(); + final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); + rcu_read_unlock(); + dst = ip6_dst_lookup_flow(sk, fl6, final_p); if (!asoc || saddr) goto out; 
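Review bot: in the first `sctp_v6_get_dst` hunk, `rcu_read_unlock()` is called before `ip6_dst_lookup_flow(sk, fl6, final_p)`. That is only correct because `fl6_update_dst()` copies the final destination into the on-stack `final` and returns a pointer to that copy (or NULL), so `final_p` never points into the RCU-protected `np->opt`; a one-line comment to that effect would stop someone from "fixing" it by widening the critical section, or from narrowing the `sctp_v6_xmit` hunk the same way. The xmit hunk is different: `ip6_xmit` consumes `opt` directly, which is exactly why its return value is captured in `res` and the unlock comes after the call.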
@@ -321,7 +328,7 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, if (baddr) { fl6->saddr = baddr->v6.sin6_addr; fl6->fl6_sport = baddr->v6.sin6_port; - final_p = fl6_update_dst(fl6, np->opt, &final); + final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); dst = ip6_dst_lookup_flow(sk, fl6, final_p); }
From patchwork Tue May 9 14:42:36 2017 X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98925
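Review bot: unlike the other two call sites in this patch, the `rcu_dereference(np->opt)` in the `if (baddr)` block is not visibly bracketed by `rcu_read_lock()`/`rcu_read_unlock()` in the hunk. If the read lock taken earlier in `sctp_v6_get_dst` has already been dropped by the time this block runs, lockdep will flag a suspicious `rcu_dereference` and the access is unprotected against a concurrent update of `np->opt`. Either extend the read-side critical section to cover this block or wrap the call the way the `sctp_v6_xmit` hunk does.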
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Eric Dumazet, "David S . Miller"
Subject: [PATCH for-3.18 12/24] ipv6: sctp: fix lockdep splat in sctp_v6_get_dst()
Date: Tue, 9 May 2017 20:12:36 +0530
Message-Id: <1494340968-17152-13-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Eric Dumazet

commit 69ce6487dcd364245a3d26322fc8f4ffd1e8d947 upstream.

While cooking the sctp np->opt rcu fixes, I forgot to move one rcu_read_unlock() after the added rcu_dereference() in sctp_v6_get_dst().

This gave lockdep warnings reported by Dave Jones.

Fixes: c836a8ba9386 ("ipv6: sctp: add rcu protection around np->opt")
Reported-by: Dave Jones
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir
---
 net/sctp/ipv6.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
--
2.7.4
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 15bc2886a529..5fb8b7b579f9 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -323,14 +323,13 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, } } } - rcu_read_unlock(); - if (baddr) { fl6->saddr = baddr->v6.sin6_addr; fl6->fl6_sport = baddr->v6.sin6_port; final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); dst = ip6_dst_lookup_flow(sk, fl6, final_p); } + rcu_read_unlock(); out: if (!IS_ERR_OR_NULL(dst)) {

From patchwork Tue May 9 14:42:37 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98926

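Review bot: with rcu_read_unlock() moved to just above the `out:` label, confirm that no path inside the `if (baddr)` block or in the loop above the `} } }` context jumps to `out:` while the read-side section is still open, since a `goto out` would now skip the unlock and leave the section unbalanced. The new position is otherwise the correct one: final_p returned by fl6_update_dst() can point into the RCU-protected np->opt, so ip6_dst_lookup_flow(sk, fl6, final_p) must also complete before the section ends, which the old placement (unlock before the block) did not guarantee even for the rcu_dereference() itself.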
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Rainer Weikusat, "David S . Miller"
Subject: [PATCH for-3.18 13/24] af_unix: Guard against other == sk in unix_dgram_sendmsg
Date: Tue, 9 May 2017 20:12:37 +0530
Message-Id: <1494340968-17152-14-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Rainer Weikusat

commit a5527dda344fff0514b7989ef7a755729769daa1 upstream.

The unix_dgram_sendmsg routine uses the following test

	if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {

to determine if sk and other are in an n:1 association (either established via connect or by using sendto to send messages to an unrelated socket identified by address).

This isn't correct as the specified address could have been bound to the sending socket itself or because this socket could have been connected to itself by the time of the unix_peer_get but disconnected before the unix_state_lock(other). In both cases, the if-block would be entered despite other == sk which might either block the sender unintentionally or lead to trying to unlock the same spin lock twice for a non-blocking send. Add an other != sk check to guard against this.

Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn
Signed-off-by: Rainer Weikusat
Tested-by: Philipp Hahn
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir
---
 net/unix/af_unix.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
--
2.7.4
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 7950b4c26651..29b1f4dc48ca 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1722,7 +1722,12 @@ restart_locked: goto out_unlock; } - if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { + /* other == sk && unix_peer(other) != sk if + * - unix_peer(sk) == NULL, destination address bound to sk + * - unix_peer(sk) == sk by time of get but disconnected before lock + */ + if (other != sk && + unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { if (timeo) { timeo = unix_wait_for_peer(other, timeo);

From patchwork Tue May 9 14:42:38 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98927

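Review bot: the comment added above the condition is hard to parse as written ("other == sk && unix_peer(other) != sk if ..."); suggest spelling it out as a sentence, e.g. `/* other can equal sk while unix_peer(other) != sk: either unix_peer(sk) == NULL and the destination address is bound to sk itself, or unix_peer(sk) was sk when fetched but the socket was disconnected before unix_state_lock(other). */`. The guard itself is the right shape: `other != sk &&` is evaluated first, so when the sender is its own destination the block is skipped entirely and neither unix_wait_for_peer(other, timeo) nor the `goto out_unlock` path can run with other == sk, which is the unintended block and the double unlock the commit message describes.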
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, WANG Cong, Paul Mackerras, linux-ppp@vger.kernel.org, Guillaume Nault, Cyrill Gorcunov, "David S . Miller"
Subject: [PATCH for-3.18 14/24] ppp: defer netns reference release for ppp channel
Date: Tue, 9 May 2017 20:12:38 +0530
Message-Id: <1494340968-17152-15-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: WANG Cong

commit 205e1e255c479f3fd77446415706463b282f94e4 upstream.

Matt reported that we have a NULL pointer dereference in ppp_pernet() from ppp_connect_channel(), i.e. pch->chan_net is NULL.

This is because a parallel ppp_unregister_channel() could happen while we are in ppp_connect_channel(), during which pch->chan_net is set to NULL.

Since we need a reference to net per channel, it makes sense to sync the refcnt with the lifetime of the channel, therefore we should release this reference when we destroy it.

Fixes: 1f461dcdd296 ("ppp: take reference on channels netns")
Reported-by: Matt Bennett
Cc: Paul Mackerras
Cc: linux-ppp@vger.kernel.org
Cc: Guillaume Nault
Cc: Cyrill Gorcunov
Signed-off-by: Cong Wang
Reviewed-by: Cyrill Gorcunov
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir
---
 drivers/net/ppp/ppp_generic.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
--
2.7.4
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index e3fbbbbd84e7..3dd1c19756ec 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2342,8 +2342,6 @@ ppp_unregister_channel(struct ppp_channel *chan) spin_lock_bh(&pn->all_channels_lock); list_del(&pch->list); spin_unlock_bh(&pn->all_channels_lock); - put_net(pch->chan_net); - pch->chan_net = NULL; pch->file.dead = 1; wake_up_interruptible(&pch->file.rwait);
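Review bot: once the put_net() and `pch->chan_net = NULL` leave ppp_unregister_channel(), the channel keeps a valid netns reference and a non-NULL chan_net for the whole life of the struct channel, so any code that used `pch->chan_net == NULL` as the "channel has been unregistered" signal must now test `pch->file.dead`, which this hunk still sets right after the list_del(). Worth a grep for other readers of chan_net before merging; the ppp_pernet() caller from the commit message is the one that crashed, but it is not the only one that could have relied on the old NULLing.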
@@ -2960,6 +2958,9 @@ ppp_disconnect_channel(struct channel *pch) */ static void ppp_destroy_channel(struct channel *pch) { + put_net(pch->chan_net); + pch->chan_net = NULL; + atomic_dec(&channel_count); if (!pch->file.dead) {

From patchwork Tue May 9 14:42:39 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98928

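Review bot: ppp_destroy_channel() now owns the put_net() that balances the reference taken when the channel was registered, which is the right owner for a per-channel resource, but a channel whose registration fails partway might never reach ppp_destroy_channel(); check that such an error path still drops the reference itself, otherwise the netns leaks on failure. Minor: a one-line comment above the new put_net() saying that the reference is tied to the channel's lifetime rather than to unregistration (the reasoning given in the commit message) would save the next reader a trip through git log, since the placement before atomic_dec(&channel_count) looks arbitrary without it.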
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Benjamin Tissoires, Jiri Kosina
Subject: [PATCH for-3.18 15/24] HID: core: prevent out-of-bound readings
Date: Tue, 9 May 2017 20:12:39 +0530
Message-Id: <1494340968-17152-16-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Benjamin Tissoires

commit 50220dead1650609206efe91f0cc116132d59b3f upstream.

Plugging a Logitech DJ receiver with KASAN activated raises a bunch of out-of-bound readings.

The fields are allocated up to MAX_USAGE, meaning that potentially, we do not have enough fields to fit the incoming values.

Add checks and silence KASAN.

Signed-off-by: Benjamin Tissoires
Signed-off-by: Jiri Kosina
Signed-off-by: Amit Pundir
---
 drivers/hid/hid-core.c | 3 +++
 1 file changed, 3 insertions(+)
--
2.7.4
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 19a3a12f3257..34dda44cb910 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1213,6 +1213,7 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field, /* Ignore report if ErrorRollOver */ if (!(field->flags & HID_MAIN_ITEM_VARIABLE) && value[n] >= min && value[n] <= max && + value[n] - min < field->maxusage && field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1) goto exit; } 
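Review bot: the new `value[n] - min < field->maxusage` term compares a signed difference (value[n] and min are __s32 in hid_input_field()) against the unsigned maxusage, which is only safe because `value[n] >= min` is evaluated earlier in the same && chain; a short comment, or computing `value[n] - min` once into a local before the condition, would stop a later reordering of the terms from silently reintroducing the out-of-bounds read on field->usage[]. The check is otherwise in the right place: it precedes the `field->usage[value[n] - min].hid` dereference, so a report descriptor whose logical min/max range is wider than the allocated usage array can no longer be used to index past it in the ErrorRollOver test.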
@@ -1225,11 +1226,13 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field, } if (field->value[n] >= min && field->value[n] <= max + && field->value[n] - min < field->maxusage && field->usage[field->value[n] - min].hid && search(value, field->value[n], count)) hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt); if (value[n] >= min && value[n] <= max + && value[n] - min < field->maxusage && field->usage[value[n] - min].hid && search(field->value, value[n], count)) hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt);

From patchwork Tue May 9 14:42:40 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98929

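Review bot: the same three-term range check (`>= min`, `<= max`, `- min < field->maxusage`) now appears three times in hid_input_field(): in the ErrorRollOver test above and twice here; a small static inline helper taking the field and the value would keep the copies from drifting apart the next time the bound changes. Both additions in this hunk are needed rather than redundant: the first guards the previously stored field->value[n] before the release event (hid_process_event(..., 0, interrupt)) and the second guards the incoming value[n] before the press event (hid_process_event(..., 1, interrupt)), and each index is derived from descriptor-supplied limits, not from maxusage, so neither was bounded before.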
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Bjørn Mork, "David S . Miller"
Subject: [PATCH for-3.18 16/24] cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
Date: Tue, 9 May 2017 20:12:40 +0530
Message-Id: <1494340968-17152-17-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Bjørn Mork

commit 4d06dd537f95683aba3651098ae288b7cbff8274 upstream.

usbnet_link_change will call schedule_work and should be avoided if bind is failing. Otherwise we will end up with scheduled work referring to a netdev which has gone away.

Instead of making the call conditional, we can just defer it to usbnet_probe, using the driver_info flag made for this purpose.

Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
Reported-by: Andrey Konovalov
Suggested-by: Linus Torvalds
Signed-off-by: Bjørn Mork
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir
---
 drivers/net/usb/cdc_ncm.c | 20 +++++--------------
 1 file changed, 5 insertions(+), 15 deletions(-)
--
2.7.4
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 614b4ca6420a..02e7b9e6a641 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -952,23 +952,12 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting); static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf) { - int ret; - /* MBIM backwards compatible function? */ if (cdc_ncm_select_altsetting(intf) != CDC_NCM_COMM_ALTSETTING_NCM) return -ENODEV; /* The NCM data altsetting is fixed */ - ret = cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM); - - /* - * We should get an event when network connection is "connected" or - * "disconnected". Set network connection in "disconnected" state - * (carrier is OFF) during attach, so the IP network stack does not - * start IPv6 negotiation and more. - */ - usbnet_link_change(dev, 0, 0); - return ret; + return cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM); } static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
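Review bot: the comment removed here (carrier is reported OFF at attach so the IP stack does not start IPv6 negotiation before the device signals a link) was the only place that behaviour was documented, and nothing on the replacement line says that FLAG_LINK_INTR now delivers it from usbnet_probe(); carry the explanation over to the driver_info definitions, or at least to the commit message, so the intent survives the refactor. The simplification itself is correct: returning cdc_ncm_bind_common() directly means a failing bind no longer queues work through usbnet_link_change() against a netdev that is about to be torn down, which is exactly the use-after-free the commit message describes.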
@@ -1510,7 +1499,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) static const struct driver_info cdc_ncm_info = { .description = "CDC NCM", - .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET, + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET + | FLAG_LINK_INTR, .bind = cdc_ncm_bind, .unbind = cdc_ncm_unbind, .manage_power = usbnet_manage_power, @@ -1523,7 +1513,7 @@ static const struct driver_info cdc_ncm_info = { static const struct driver_info wwan_info = { .description = "Mobile Broadband Network Device", .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET - | FLAG_WWAN, + | FLAG_LINK_INTR | FLAG_WWAN, .bind = cdc_ncm_bind, .unbind = cdc_ncm_unbind, .manage_power = usbnet_manage_power, 
@@ -1536,7 +1526,7 @@ static const struct driver_info wwan_info = { static const struct driver_info wwan_noarp_info = { .description = "Mobile Broadband Network Device (NO ARP)", .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET - | FLAG_WWAN | FLAG_NOARP, + | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP, .bind = cdc_ncm_bind, .unbind = cdc_ncm_unbind, .manage_power = usbnet_manage_power,

From patchwork Tue May 9 14:42:41 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98930

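Review bot: FLAG_LINK_INTR is added to the three driver_info structs visible in this patch (cdc_ncm_info, wwan_info and wwan_noarp_info), and together they stand in for the usbnet_link_change(dev, 0, 0) that the first hunk removed from cdc_ncm_bind(); because the call was removed from the bind function itself rather than made conditional, any driver_info elsewhere that reuses cdc_ncm_bind() or cdc_ncm_bind_common() without this flag would now come up without the initial carrier-off state, so check the other users of those two functions before merging and add the flag there too if they relied on the old behaviour.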
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Takashi Iwai
Subject: [PATCH for-3.18 17/24] ALSA: seq: Fix race at timer setup and close
Date: Tue, 9 May 2017 20:12:41 +0530
Message-Id: <1494340968-17152-18-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>

From: Takashi Iwai

commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream.

ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path.

Reported-by: Dmitry Vyukov
Tested-by: Dmitry Vyukov
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Amit Pundir
---
 sound/core/seq/seq_queue.c | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.7.4

diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
index a0cda38205b9..77ec21420355 100644
--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c 
@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked) static void queue_delete(struct snd_seq_queue *q) { /* stop and release the timer */ + mutex_lock(&q->timer_mutex); snd_seq_timer_stop(q->timer); snd_seq_timer_close(q); + mutex_unlock(&q->timer_mutex); /* wait until access free */ snd_use_lock_sync(&q->use_lock); /* release resources... */
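Review bot: taking q->timer_mutex around snd_seq_timer_stop()/snd_seq_timer_close() in queue_delete() only closes the race if the timer setup ioctl path named in the commit message also holds q->timer_mutex while it touches q->timer; that side is not in this hunk, so the backport should state (and the reviewer should verify) that the 3.18 timer setup path already takes the same mutex, otherwise setup can still use a timer that close is tearing down. Note also that mutex_lock() can sleep, so this relies on queue_delete() only ever running in process context.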
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Takashi Iwai
Subject: [PATCH for-3.18 18/24] ALSA: timer: Fix race among timer ioctls
Date: Tue, 9 May 2017 20:12:42 +0530
Message-Id: <1494340968-17152-19-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>

From: Takashi Iwai

commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream.

ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We already have tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl.

The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible anyway, so it should be fine to serialize there.

Reported-by: Dmitry Vyukov
Tested-by: Dmitry Vyukov
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Amit Pundir
---
 sound/core/timer.c | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)

-- 
2.7.4
diff --git a/sound/core/timer.c b/sound/core/timer.c index c9da76e05b3f..fa4ded0c2230 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -77,7 +77,7 @@ struct snd_timer_user { struct timespec tstamp; /* trigger tstamp */ wait_queue_head_t qchange_sleep; struct fasync_struct *fasync; - struct mutex tread_sem; + struct mutex ioctl_lock; }; /* list of timers */ @@ -1342,7 +1342,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file) return -ENOMEM; spin_lock_init(&tu->qlock); init_waitqueue_head(&tu->qchange_sleep); - mutex_init(&tu->tread_sem); + mutex_init(&tu->ioctl_lock); tu->ticks = 1; tu->queue_size = 128; tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read), @@ -1362,8 +1362,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file) if (file->private_data) { tu = file->private_data; file->private_data = NULL; + mutex_lock(&tu->ioctl_lock); if (tu->timeri) snd_timer_close(tu->timeri); + mutex_unlock(&tu->ioctl_lock); kfree(tu->queue); kfree(tu->tqueue); kfree(tu); @@ -1601,7 +1603,6 @@ static int snd_timer_user_tselect(struct file *file, int err = 0; tu = file->private_data; - mutex_lock(&tu->tread_sem); if (tu->timeri) { snd_timer_close(tu->timeri); tu->timeri = NULL; @@ -1645,7 +1646,6 @@ static int snd_timer_user_tselect(struct file *file, } __err: - mutex_unlock(&tu->tread_sem); return err; } @@ -1861,7 +1861,7 @@ enum { SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23), }; -static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, +static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct snd_timer_user *tu; 
@@ -1878,17 +1878,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, { int xarg; - mutex_lock(&tu->tread_sem); - if (tu->timeri) { /* too late */ - mutex_unlock(&tu->tread_sem); + if (tu->timeri) /* too late */ return -EBUSY; - } - if (get_user(xarg, p)) { - mutex_unlock(&tu->tread_sem); + if (get_user(xarg, p)) return -EFAULT; - } tu->tread = xarg ? 1 : 0; - mutex_unlock(&tu->tread_sem); return 0; } case SNDRV_TIMER_IOCTL_GINFO: 
@@ -1921,6 +1915,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, return -ENOTTY; } +static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) +{ + struct snd_timer_user *tu = file->private_data; + long ret; + + mutex_lock(&tu->ioctl_lock); + ret = __snd_timer_user_ioctl(file, cmd, arg); + mutex_unlock(&tu->ioctl_lock); + return ret; +} + static int snd_timer_user_fasync(int fd, struct file * file, int on) { struct snd_timer_user *tu;
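Review bot: the commit message calls the new lock a "global mutex", but what the hunks add is per-open-file state: ioctl_lock lives in struct snd_timer_user and is initialised in snd_timer_user_open(), so it serialises the ioctls of one file descriptor against each other and against release, not all timer ioctls system-wide. Suggest rewording to "per-file mutex" so nobody later relies on cross-fd exclusion this lock does not provide.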
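Review bot: after the rename, __snd_timer_user_ioctl() and the tread-setting block inside it (tu->tread = xarg ? 1 : 0, which dropped its own tread_sem locking) are only safe when entered through the new snd_timer_user_ioctl() wrapper that takes tu->ioctl_lock. A one-line comment on __snd_timer_user_ioctl() saying "caller must hold tu->ioctl_lock" would make that contract explicit, and any other entry point into __snd_timer_user_ioctl() in the 3.18 tree has to be routed through the locked wrapper as well.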
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Kangjie Lu, Kangjie Lu, Takashi Iwai
Subject: [PATCH for-3.18 19/24] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
Date: Tue, 9 May 2017 20:12:43 +0530
Message-Id: <1494340968-17152-20-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>

From: Kangjie Lu

commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream.

The stack object “tread” has a total size of 32 bytes. Its fields “event” and “val” both contain 4 bytes of padding. These 8 padding bytes are sent to user space without being initialized.

Signed-off-by: Kangjie Lu
Signed-off-by: Takashi Iwai
Signed-off-by: Amit Pundir
---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.7.4
diff --git a/sound/core/timer.c b/sound/core/timer.c
index fa4ded0c2230..ede058bd49a4 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1759,6 +1759,7 @@ static int snd_timer_user_params(struct file *file, if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { if (tu->tread) { struct snd_timer_tread tread; + memset(&tread, 0, sizeof(tread)); tread.event = SNDRV_TIMER_EVENT_EARLY; tread.tstamp.tv_sec = 0; tread.tstamp.tv_nsec = 0;
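Review bot: with the memset() in place, the explicit tread.tstamp.tv_sec = 0; and tread.tstamp.tv_nsec = 0; assignments that follow it are redundant and could be dropped in the same hunk. memset() is the right tool here rather than a = {0} initializer: C does not guarantee that an initializer clears the padding bytes of an automatic object, and the 8 padding bytes the commit message describes are exactly what reaches user space.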
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Kangjie Lu, Kangjie Lu, Takashi Iwai
Subject: [PATCH for-3.18 20/24] ALSA: timer: Fix leak in events via snd_timer_user_ccallback
Date: Tue, 9 May 2017 20:12:44 +0530
Message-Id: <1494340968-17152-21-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>

From: Kangjie Lu

commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 upstream.

The stack object “r1” has a total size of 32 bytes. Its fields “event” and “val” both contain 4 bytes of padding. These 8 padding bytes are sent to user space without being initialized.

Signed-off-by: Kangjie Lu
Signed-off-by: Takashi Iwai
Signed-off-by: Amit Pundir
---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.7.4

diff --git a/sound/core/timer.c b/sound/core/timer.c
index ede058bd49a4..47c8beb5eb40 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1260,6 +1260,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, tu->tstamp = *tstamp; if ((tu->filter & (1 << event)) == 0 || !tu->tread) return; + memset(&r1, 0, sizeof(r1)); r1.event = event; r1.tstamp = *tstamp; r1.val = resolution;
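Review bot: style: r1 is zeroed immediately before being filled in this one place; zeroing it where it is declared would make it impossible for a later edit to add another fill of r1 that forgets the memset(), and would match the tread fix in 19/24, which also clears the whole object before any field is set. Placing it after the early return, as done here, does at least keep the cost off the filtered-out path.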
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Kangjie Lu, Kangjie Lu, Takashi Iwai
Subject: [PATCH for-3.18 21/24] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
Date: Tue, 9 May 2017 20:12:45 +0530
Message-Id: <1494340968-17152-22-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>

From: Kangjie Lu

commit e4ec8cc8039a7063e24204299b462bd1383184a5 upstream.

The stack object “r1” has a total size of 32 bytes. Its fields “event” and “val” both contain 4 bytes of padding. These 8 padding bytes are sent to user space without being initialized.

Signed-off-by: Kangjie Lu
Signed-off-by: Takashi Iwai
Signed-off-by: Amit Pundir
---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.7.4

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 47c8beb5eb40..d448437df4b5 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1295,6 +1295,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, } if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && tu->last_resolution != resolution) { + memset(&r1, 0, sizeof(r1)); r1.event = SNDRV_TIMER_EVENT_RESOLUTION; r1.tstamp = tstamp; r1.val = resolution;
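Review bot: this memset() only covers the SNDRV_TIMER_EVENT_RESOLUTION record built inside this if block; r1 is a function-scope stack object (the block closing just above the hunk belongs to the same function), so if r1 is filled and queued on any other path in snd_timer_user_tinterrupt(), that path leaks the same 8 padding bytes. Zeroing r1 once at its declaration would fix every path rather than this one branch.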
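The padding leak that the commit messages of patches 19/24, 20/24 and 21/24 describe, as an added stand-alone example; this is not code from the patches or from the kernel tree. It is a user-space C program whose struct tread_like mirrors the layout those messages give for struct snd_timer_tread (an int event, a two-long timestamp standing in for struct timespec, an unsigned int val), fills the object with a stale-stack pattern, assigns the fields the way snd_timer_user_params() does, and counts how many bytes would still reach user space uninitialised with and without the memset() the patches add. The names tread_like and ts_like, the POISON pattern and the field values are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not kernel code. struct tread_like mirrors the layout the
 * commit messages describe for ALSA's struct snd_timer_tread: an int event,
 * a timestamp made of two longs (ts_like stands in for struct timespec), and
 * an unsigned int value. On LP64 targets (x86_64, arm64) that is 32 bytes with
 * 4 bytes of padding after `event` and 4 after `val`, the 8 bytes at issue.
 * The names tread_like, ts_like and POISON are this example's own.
 */
struct ts_like {
	long tv_sec;
	long tv_nsec;
};

struct tread_like {
	int event;
	struct ts_like tstamp;
	unsigned int val;
};

/* A recognisable stand-in for whatever was left on the stack. */
#define POISON 0xAAu

/* Padding bytes the struct has on the ABI this is compiled for. */
size_t tread_padding_bytes(void)
{
	return sizeof(struct tread_like)
	       - sizeof(int) - sizeof(struct ts_like) - sizeof(unsigned int);
}

/*
 * Mimics snd_timer_user_params(): a struct on the stack that still holds
 * whatever was there before (POISON here), field-by-field assignment, then a
 * byte-wise copy-out standing in for copy_to_user(). Returns how many of the
 * copied-out bytes were never written by the code, i.e. how many bytes of
 * stale kernel stack the user would receive. With zero_first set, the
 * memset() that patches 19/24 to 21/24 add runs before the assignments.
 */
size_t tread_leaked_bytes(int zero_first)
{
	union {
		struct tread_like t;
		unsigned char raw[sizeof(struct tread_like)];
	} u;
	unsigned char out[sizeof(struct tread_like)];	/* the "user" buffer */
	size_t i, leaked = 0;

	memset(u.raw, POISON, sizeof u.raw);	/* stale stack contents */

	if (zero_first)
		memset(&u.t, 0, sizeof u.t);	/* the fix the patches add */

	/* the original field-by-field initialisation; values are arbitrary */
	u.t.event = 1;
	u.t.tstamp.tv_sec = 0;
	u.t.tstamp.tv_nsec = 0;
	u.t.val = 0;

	memcpy(out, u.raw, sizeof out);		/* stands in for copy_to_user() */

	for (i = 0; i < sizeof out; i++)
		if (out[i] == POISON)
			leaked++;
	return leaked;
}

int main(void)
{
	printf("sizeof(struct tread_like) = %zu, padding = %zu bytes\n",
	       sizeof(struct tread_like), tread_padding_bytes());
	printf("stale bytes copied out without memset: %zu\n",
	       tread_leaked_bytes(0));
	printf("stale bytes copied out with memset:    %zu\n",
	       tread_leaked_bytes(1));
	return 0;
}
```

On an LP64 build the struct is 32 bytes, tread_padding_bytes() returns 8 and tread_leaked_bytes(0) returns 8, matching the commit messages; on an ILP32 build with 4-byte longs there is no padding and both counts are 0, which is why the leak only shows up on 64-bit kernels. The C standard leaves the value of padding bytes unspecified after a member store, and in practice GCC and clang simply do not touch them, which is exactly why assigning every field is not enough and a memset() of the whole object is needed before the copy-out.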
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Jann Horn, Linus Torvalds
Subject: [PATCH for-3.18 22/24] sched: panic on corrupted stack end
Date: Tue, 9 May 2017 20:12:46 +0530
Message-Id: <1494340968-17152-23-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>

From: Jann Horn

commit 29d6455178a09e1dc340380c582b13356227e8df upstream.

Until now, hitting this BUG_ON caused a recursive oops (because oops handling involves do_exit(), which calls into the scheduler, which in turn raises an oops), which caused stuff below the stack to be overwritten until a panic happened (e.g. via an oops in interrupt context, caused by the overwritten CPU index in the thread_info).

Just panic directly.

Signed-off-by: Jann Horn
Signed-off-by: Linus Torvalds
[AmitP: Minor refactoring of upstream changes for linux-3.18.y]
Signed-off-by: Amit Pundir
---
 kernel/sched/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

-- 
2.7.4

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 5f4c71c5d38e..a760c9e0353e 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -2709,7 +2709,8 @@ static noinline void __schedule_bug(struct task_struct *prev) static inline void schedule_debug(struct task_struct *prev) { #ifdef CONFIG_SCHED_STACK_END_CHECK - BUG_ON(unlikely(task_stack_end_corrupted(prev))); + if (task_stack_end_corrupted(prev)) + panic("corrupted stack end detected inside scheduler\n"); #endif /* * Test if we are atomic. Since do_exit() needs to call into
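Review bot: the `unlikely()` hint is dropped in this hunk: `BUG_ON(unlikely(task_stack_end_corrupted(prev)))` becomes a plain `if (task_stack_end_corrupted(prev))`, and since schedule_debug() runs on every schedule() the cold path should keep its annotation, i.e. `if (unlikely(task_stack_end_corrupted(prev)))`. Replacing BUG_ON() with panic() is the right call for the reason given in the description: an oops here re-enters the scheduler through do_exit() and recurses until the stack is overwritten, whereas panic() stops without scheduling again.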
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Takashi Iwai, Mauro Carvalho Chehab
Subject: [PATCH for-3.18 23/24] xc2028: Fix use-after-free bug properly
Date: Tue, 9 May 2017 20:12:47 +0530
Message-Id: <1494340968-17152-24-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Takashi Iwai

commit 22a1e7783e173ab3d86018eb590107d68df46c11 upstream.

The commit 8dfbcc4351a0 ("[media] xc2028: avoid use after free") tried
to address the reported use-after-free by clearing the reference.

However, it's clearing the wrong pointer; it sets NULL to
priv->ctrl.fname, but it's anyway overwritten by the next line
memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).

OTOH, the actual code accessing the freed string is the strcmp() call
with priv->fname:

	if (!firmware_name[0] && p->fname &&
	    priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);

where priv->fname points to the previous file name, and this was
already freed by kfree().

For fixing the bug properly, this patch does the following:

- Keep the copy of firmware file name in only priv->fname,
  priv->ctrl.fname isn't changed;
- The allocation is done only when the firmware gets loaded;
- The kfree() is called in free_firmware() commonly

Fixes: commit 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Amit Pundir
---
 drivers/media/tuners/tuner-xc2028.c | 37 ++++++++++++++++---------------------
 1 file changed, 16 insertions(+), 21 deletions(-)

-- 
2.7.4

diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index 0b54ec2d6eed..9948578df228 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -281,6 +281,14 @@ static void free_firmware(struct xc2028_data *priv) int i; tuner_dbg("%s called\n", __func__); + /* free allocated f/w string */ + if (priv->fname != firmware_name) + kfree(priv->fname); + priv->fname = NULL; + + priv->state = XC2028_NO_FIRMWARE; + memset(&priv->cur_fw, 0, sizeof(priv->cur_fw)); + if (!priv->firm) return;
@@ -291,9 +299,6 @@ static void free_firmware(struct xc2028_data *priv) priv->firm = NULL; priv->firm_size = 0; - priv->state = XC2028_NO_FIRMWARE; - - memset(&priv->cur_fw, 0, sizeof(priv->cur_fw)); } static int load_all_firmwares(struct dvb_frontend *fe, @@ -884,9 +889,8 @@ read_not_reliable: return 0; fail: - priv->state = XC2028_NO_FIRMWARE; + free_firmware(priv); - memset(&priv->cur_fw, 0, sizeof(priv->cur_fw)); if (retry_count < 8) { msleep(50); retry_count++; @@ -1332,11 +1336,8 @@ static int xc2028_dvb_release(struct dvb_frontend *fe) mutex_lock(&xc2028_list_mutex); /* only perform final cleanup if this is the last instance */ - if (hybrid_tuner_report_instance_count(priv) == 1) { + if (hybrid_tuner_report_instance_count(priv) == 1) free_firmware(priv); - kfree(priv->ctrl.fname); - priv->ctrl.fname = NULL; - } if (priv) hybrid_tuner_release_state(priv); @@ -1399,19 +1400,8 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) /* * Copy the config data. - * For the firmware name, keep a local copy of the string, - * in order to avoid troubles during device release. */ - kfree(priv->ctrl.fname); - priv->ctrl.fname = NULL; memcpy(&priv->ctrl, p, sizeof(priv->ctrl)); - if (p->fname) { - priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL); - if (priv->ctrl.fname == NULL) { - rc = -ENOMEM; - goto unlock; - } - } /* * If firmware name changed, frees firmware. As free_firmware will 
@@ -1426,10 +1416,15 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) if (priv->state == XC2028_NO_FIRMWARE) { if (!firmware_name[0]) - priv->fname = priv->ctrl.fname; + priv->fname = kstrdup(p->fname, GFP_KERNEL); else priv->fname = firmware_name; + if (!priv->fname) { + rc = -ENOMEM; + goto unlock; + } + rc = request_firmware_nowait(THIS_MODULE, 1, priv->fname, priv->i2c_props.adap->dev.parent,
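Review bot: in the `fail:` hunk, replacing `priv->state = XC2028_NO_FIRMWARE;` and the `memset(&priv->cur_fw, ...)` with `free_firmware(priv)` changes what the following `if (retry_count < 8)` retry sees: besides the name, free_firmware() still releases the firmware table (`priv->firm = NULL; priv->firm_size = 0;` in the second hunk, reached whenever priv->firm is set), which the old two-line reset left intact. Please confirm that the retry path can still succeed without priv->firm, or keep the narrow state/cur_fw reset here and call free_firmware() only once the retries are exhausted.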
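Review bot: in the xc2028_set_config() hunk, `priv->fname = kstrdup(p->fname, GFP_KERNEL)` followed by `if (!priv->fname) { rc = -ENOMEM; goto unlock; }` reports -ENOMEM also when p->fname is simply NULL, since kstrdup() returns NULL for a NULL argument; a missing firmware name combined with an empty firmware_name module parameter is a configuration error and should be rejected explicitly (for example with -EINVAL) before the allocation, so the error code is not misleading.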
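As an added example (not the driver's code), the pointer lifetime from the description modelled in user space: the pre-fix sequence frees the copy held in ctrl.fname, overwrites ctrl, and leaves priv->fname aliasing the freed string, while the post-fix sequence keeps one owned copy in priv->fname that is released only in free_firmware(). Struct and function names (xc2028_ctrl, xc2028_data, mock_kfree, mock_kstrdup, was_freed, name_changed, set_config_before, set_config_after, free_firmware_after) are hypothetical stand-ins, and kfree() is mocked to record pointers rather than release them so nothing ever reads freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct xc2028_ctrl { const char *fname; };	/* hypothetical stand-ins for */
struct xc2028_data { struct xc2028_ctrl ctrl; char *fname; bool loaded; };	/* the driver's structs */
/* Mock kfree(): records the pointer instead of releasing it, so a dangling
 * pointer is recognised by address without ever reading freed memory. */
static const void *freed[32];
static size_t nfreed;
static void mock_kfree(const void *p) { if (p && nfreed < 32) freed[nfreed++] = p; }
static bool was_freed(const void *p)
{
	for (size_t i = 0; i < nfreed; i++) if (freed[i] == p) return true;
	return false;
}
static char *mock_kstrdup(const char *s)	/* like kstrdup(): NULL in, NULL out */
{
	char *d = s ? malloc(strlen(s) + 1) : NULL;
	return d ? strcpy(d, s) : NULL;
}

/* The name-change test quoted in the description; *uaf is set when priv->fname
 * already points at released memory (strcmp() would be a use-after-free),
 * in which case the comparison is skipped. */
static bool name_changed(const struct xc2028_data *priv,
			 const struct xc2028_ctrl *p, bool *uaf)
{
	*uaf = p->fname && priv->fname && was_freed(priv->fname);
	return !*uaf && p->fname && priv->fname && strcmp(p->fname, priv->fname);
}
/* Before the fix: the copy in ctrl.fname is freed, ctrl is overwritten, and
 * priv->fname still aliases the freed copy.  Returns true on a dangling read. */
static bool set_config_before(struct xc2028_data *priv, const struct xc2028_ctrl *p)
{
	bool uaf;
	mock_kfree(priv->ctrl.fname);
	priv->ctrl.fname = NULL;		/* wrong pointer: overwritten below */
	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
	priv->ctrl.fname = mock_kstrdup(p->fname);
	if (name_changed(priv, p, &uaf))
		priv->loaded = false;		/* old free_firmware(): name untouched */
	if (!priv->loaded) {
		priv->fname = (char *)priv->ctrl.fname;
		priv->loaded = true;
	}
	return uaf;
}
/* After the fix: ctrl.fname is left alone; priv->fname is the only owned copy,
 * allocated at load time and released in free_firmware(). */
static void free_firmware_after(struct xc2028_data *priv)
{ mock_kfree(priv->fname); priv->fname = NULL; priv->loaded = false; }

static bool set_config_after(struct xc2028_data *priv, const struct xc2028_ctrl *p)
{
	bool uaf;
	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
	if (name_changed(priv, p, &uaf))
		free_firmware_after(priv);
	if (!priv->loaded) {
		priv->fname = mock_kstrdup(p->fname);
		priv->loaded = true;
	}
	return uaf;
}
```

Applying two configurations with different names in turn reproduces the dangling read in set_config_before() on the second call, while set_config_after() ends with a live copy of the second name.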
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Keno Fischer, Greg Thelen, Nicholas Piggin, Willy Tarreau, Oleg Nesterov, Kees Cook, Andy Lutomirski, Michal Hocko, Hugh Dickins, Andrew Morton, Linus Torvalds
Subject: [PATCH for-3.18 24/24] mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
Date: Tue, 9 May 2017 20:12:48 +0530
Message-Id: <1494340968-17152-25-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Keno Fischer

commit 8310d48b125d19fcd9521d83b8293e63eb1646aa upstream.

In commit 19be0eaffa3a ("mm: remove gup_flags FOLL_WRITE games from
__get_user_pages()"), the mm code was changed from unsetting FOLL_WRITE
after a COW was resolved to setting the (newly introduced) FOLL_COW
instead.  Simultaneously, the check in gup.c was updated to still allow
writes with FOLL_FORCE set if FOLL_COW had also been set.

However, a similar check in huge_memory.c was forgotten.  As a result,
remote memory writes to ro regions of memory backed by transparent huge
pages cause an infinite loop in the kernel (handle_mm_fault sets
FOLL_COW and returns 0 causing a retry, but follow_trans_huge_pmd bails
out immediately because `(flags & FOLL_WRITE) && !pmd_write(*pmd)` is
true).

While in this state the process is still SIGKILLable, but little else
works (e.g. no ptrace attach, no other signals).  This is easily
reproduced with the following code (assuming thp are set to always):

    #include <assert.h>
    #include <fcntl.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/mman.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <unistd.h>

    #define TEST_SIZE 5 * 1024 * 1024

    int main(void) {
      int status;
      pid_t child;
      int fd = open("/proc/self/mem", O_RDWR);
      void *addr = mmap(NULL, TEST_SIZE, PROT_READ,
                        MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
      assert(addr != MAP_FAILED);
      pid_t parent_pid = getpid();
      if ((child = fork()) == 0) {
        void *addr2 = mmap(NULL, TEST_SIZE, PROT_READ | PROT_WRITE,
                           MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
        assert(addr2 != MAP_FAILED);
        memset(addr2, 'a', TEST_SIZE);
        pwrite(fd, addr2, TEST_SIZE, (uintptr_t)addr);
        return 0;
      }
      assert(child == waitpid(child, &status, 0));
      assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
      return 0;
    }

Fix this by updating follow_trans_huge_pmd in huge_memory.c analogously
to the update in gup.c in the original commit.  The same pattern exists
in follow_devmap_pmd.  However, we should not be able to reach that
check with FOLL_COW set, so add WARN_ONCE to make sure we notice if we
ever do.
[akpm@linux-foundation.org: coding-style fixes]
Link: http://lkml.kernel.org/r/20170106015025.GA38411@juliacomputing.com
Signed-off-by: Keno Fischer
Acked-by: Kirill A. Shutemov
Cc: Greg Thelen
Cc: Nicholas Piggin
Cc: Willy Tarreau
Cc: Oleg Nesterov
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Michal Hocko
Cc: Hugh Dickins
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
[AmitP: Minor refactoring of upstream changes for linux-3.18.y, where
 follow_devmap_pmd() doesn't exist.]
Signed-off-by: Amit Pundir
---
 mm/huge_memory.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

-- 
2.7.4

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 2e39d4e0ff09..8c9cbd0e4f3f 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1205,6 +1205,16 @@ out_unlock: return ret; } +/* + * FOLL_FORCE can write to even unwritable pmd's, but only + * after we've gone through a COW cycle and they are dirty. + */ +static inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags) +{ + return pmd_write(pmd) || + ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd)); +} + struct page *follow_trans_huge_pmd(struct vm_area_struct *vma, unsigned long addr, pmd_t *pmd, @@ -1215,7 +1225,7 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma, assert_spin_locked(pmd_lockptr(mm, pmd)); - if (flags & FOLL_WRITE && !pmd_write(*pmd)) + if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, flags)) goto out; /* Avoid dumping huge zero page */
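Review bot: can_follow_write_pmd() depends on pmd_dirty(), and the backport note only mentions the missing follow_devmap_pmd(); please confirm pmd_dirty() is provided by every architecture that enables CONFIG_TRANSPARENT_HUGEPAGE in linux-3.18.y, otherwise the build fails on those configurations only. The rule itself matches the gup.c change the description refers to: a FOLL_FORCE write to a non-writable pmd is permitted only after a COW cycle (FOLL_COW) has left the pmd dirty, so the retry loop described above terminates.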
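Review bot: style point on the changed condition in the second hunk, `if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, flags))`: the bitwise test reads better parenthesised, `if ((flags & FOLL_WRITE) && !can_follow_write_pmd(*pmd, flags))`, which is also how the description quotes it; `&` binds tighter than `&&`, so this is readability only, not a behaviour change.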