From patchwork Wed May 3 17:35:52 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98499
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Takashi Iwai
Subject: [PATCH for-3.18 1/7] ALSA: pcm : Call kill_fasync() in stream lock
Date: Wed, 3 May 2017 23:05:52 +0530
Message-Id: <1493832958-12489-2-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
References: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Takashi Iwai

Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed(). This is potentially racy, since the stream
may get released even while the irq handler is running. Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.

As a quick workaround, move the kill_fasync() call inside the stream
lock. fasync is a rarely used interface, so this shouldn't have a big
impact from the performance POV.

Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler. But this oneliner should suffice for most
cases, so far.

Reported-by: Baozeng Ding
Signed-off-by: Takashi Iwai
(cherry picked from commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4)
Signed-off-by: Amit Pundir
---
 sound/core/pcm_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.7.4

diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
index dfc28542a007..693ab89cc9a2 100644
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1858,10 +1858,10 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream) if (substream->timer_running) snd_timer_interrupt(substream->timer, 1); _end: + kill_fasync(&runtime->fasync, SIGIO, POLL_IN); snd_pcm_stream_unlock_irqrestore(substream, flags); if (runtime->transfer_ack_end) runtime->transfer_ack_end(substream); - kill_fasync(&runtime->fasync, SIGIO, POLL_IN); } EXPORT_SYMBOL(snd_pcm_period_elapsed); From patchwork Wed May 3 17:35:53 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98500 Delivered-To: patch@linaro.org Received: by 10.140.89.200 with SMTP id v66csp166193qgd; Wed, 3 May 2017 10:36:09 -0700 (PDT) X-Received: by 10.98.34.5 with SMTP id i5mr6164895pfi.228.1493832969360; Wed, 03 May 2017 10:36:09 -0700 (PDT) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p20si12867632pli.35.2017.05.03.10.36.09; Wed, 03 May 2017 10:36:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753966AbdECRgI (ORCPT + 6 others); Wed, 3 May 2017 13:36:08 -0400 Received: from mail-pg0-f51.google.com ([74.125.83.51]:36285 "EHLO mail-pg0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751880AbdECRgI (ORCPT ); Wed, 3 May 2017 13:36:08 -0400 Received: by mail-pg0-f51.google.com with SMTP id t7so81644532pgt.3 for ; Wed, 03 May 2017 10:36:07 -0700 (PDT) DKIM-Signature: v=1; 
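Review bot: runtime->transfer_ack_end(substream) is still invoked after snd_pcm_stream_unlock_irqrestore() in this hunk, so it keeps exactly the exposure the commit message describes for kill_fasync(): the substream can be released while the irq handler sits between the unlock and that call. If the callback dereferences runtime it needs the same move; if it is known to be safe, one sentence in the log saying why would save the next reader the question. A one-line comment at the _end: label stating that kill_fasync() must stay under the lock would also stop a later latency tweak from moving it back out; calling it with the stream spinlock held and interrupts disabled is fine, kill_fasync() is already used from interrupt context elsewhere.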
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Seung-Woo Kim, Mark Brown
Subject: [PATCH for-3.18 2/7] regulator: core: Fix regulator_ena_gpio_free not to access pin after freeing
Date: Wed, 3 May 2017 23:05:53 +0530
Message-Id: <1493832958-12489-3-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
References: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Seung-Woo Kim

After freeing the pin in regulator_ena_gpio_free, the loop can access
the pin. So this patch fixes it not to access the pin after freeing.

Signed-off-by: Seung-Woo Kim
Signed-off-by: Mark Brown
(cherry picked from commit 60a2362f769cf549dc466134efe71c8bf9fbaaba)
Signed-off-by: Amit Pundir
---
 drivers/regulator/core.c | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.7.4

diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 872e53f15590..b2e183627f53 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1720,6 +1720,8 @@ static void regulator_ena_gpio_free(struct regulator_dev *rdev) gpiod_put(pin->gpiod); list_del(&pin->list); kfree(pin); + rdev->ena_pin = NULL; + return; } else { pin->request_count--; } From patchwork Wed May 3 17:35:54 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98501 Delivered-To: patch@linaro.org Received: by 10.140.89.200 with SMTP id v66csp166214qgd; Wed, 3 May 2017 10:36:12 -0700 (PDT) X-Received: by 10.98.62.213 with SMTP id y82mr6119286pfj.93.1493832972683; Wed, 03 May 2017 10:36:12 -0700 (PDT) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p20si12867632pli.35.2017.05.03.10.36.12; Wed, 03 May 2017 10:36:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753971AbdECRgM (ORCPT + 6 others); Wed, 3 May 2017 13:36:12 -0400 Received: from mail-pg0-f51.google.com ([74.125.83.51]:32921 "EHLO mail-pg0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751880AbdECRgL (ORCPT ); Wed, 3 May 2017 13:36:11 -0400 Received: by mail-pg0-f51.google.com with SMTP id y4so76518229pge.0 for ; Wed, 03 May 2017 10:36:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=IEtkwsNxg+aOggHqrFviWIfSS4IoIxl1ROwrsJt2ams=; 
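Review bot: the added `return` is doing lifetime work, not just short-circuiting: the enclosing list walk would otherwise advance through pin->list after kfree(pin), which is the access the commit message refers to, and nothing in the hunk says so. A comment above `rdev->ena_pin = NULL;` noting that the early exit is required because `pin` has just been freed would keep a future cleanup from turning it back into a fall-through. If anything follows the loop in regulator_ena_gpio_free(), prefer `break` over `return` so that tail still runs; if nothing does, `return` is fine as is.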
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Peter Zijlstra, Arnaldo Carvalho de Melo, Jiri Olsa, Linus Torvalds, Ingo Molnar
Subject: [PATCH for-3.18 3/7] perf: Tighten (and fix) the grouping condition
Date: Wed, 3 May 2017 23:05:54 +0530
Message-Id: <1493832958-12489-4-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
References: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Peter Zijlstra

The fix from 9fc81d87420d ("perf: Fix events installation during moving
group") was incomplete in that it failed to recognise that creating a
group with events for different CPUs is semantically broken -- they
cannot be co-scheduled.

Furthermore, it leads to real breakage where, when we create an event
for CPU Y and then migrate it to form a group on CPU X, the code gets
confused where the counter is programmed -- triggered in practice as
well by me via the perf fuzzer.

Fix this by tightening the rules for creating groups. Only allow
grouping of counters that can be co-scheduled in the same context.
This means for the same task and/or the same cpu.

Fixes: 9fc81d87420d ("perf: Fix events installation during moving group")
Signed-off-by: Peter Zijlstra (Intel)
Cc: Arnaldo Carvalho de Melo
Cc: Jiri Olsa
Cc: Linus Torvalds
Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.org
Signed-off-by: Ingo Molnar
(cherry picked from commit c3c87e770458aa004bd7ed3f29945ff436fd6511)
Signed-off-by: Amit Pundir
---
 include/linux/perf_event.h |  6 ------
 kernel/events/core.c       | 15 +++++++++++++--
 2 files changed, 13 insertions(+), 8 deletions(-)

-- 
2.7.4

diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index df8904fea40c..482ccff29bc9 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -455,11 +455,6 @@ struct perf_event { #endif /* CONFIG_PERF_EVENTS */ }; -enum perf_event_context_type { - task_context, - cpu_context, -}; - /** * struct perf_event_context - event context structure * @@ -467,7 +462,6 @@ enum perf_event_context_type { */ struct perf_event_context { struct pmu *pmu; - enum perf_event_context_type type; /* * Protect the states of the events in the list, * nr_active, and the list:
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3ebad2556698..26c40faa8ea4 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6803,7 +6803,6 @@ skip_type: __perf_event_init_context(&cpuctx->ctx); lockdep_set_class(&cpuctx->ctx.mutex, &cpuctx_mutex); lockdep_set_class(&cpuctx->ctx.lock, &cpuctx_lock); - cpuctx->ctx.type = cpu_context; cpuctx->ctx.pmu = pmu; __perf_cpu_hrtimer_init(cpuctx, cpu); 
@@ -7445,7 +7444,19 @@ SYSCALL_DEFINE5(perf_event_open, * task or CPU context: */ if (move_group) { - if (group_leader->ctx->type != ctx->type) + /* + * Make sure we're both on the same task, or both + * per-cpu events. + */ + if (group_leader->ctx->task != ctx->task) + goto err_context; + + /* + * Make sure we're both events for the same CPU; + * grouping events for different CPUs is broken; since + * you can never concurrently schedule them anyhow. + */ + if (group_leader->cpu != event->cpu) goto err_context; } else { if (group_leader->ctx != ctx) From patchwork Wed May 3 17:35:55 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98502 Delivered-To: patch@linaro.org Received: by 10.140.89.200 with SMTP id v66csp166234qgd; Wed, 3 May 2017 10:36:15 -0700 (PDT) X-Received: by 10.84.238.198 with SMTP id l6mr51117469pln.95.1493832975189; Wed, 03 May 2017 10:36:15 -0700 (PDT) Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
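Review bot: the new same-CPU test is only reached inside `if (move_group)`; the `else` branch still accepts any leader whose `ctx` matches, and two task-bound events with different `event->cpu` values share the same task context, so that branch can still form a group that can never be co-scheduled, which is the exact case the new comment says is broken. Suggest hoisting `if (group_leader->cpu != event->cpu) goto err_context;` above the `if (move_group)` so both branches get it. For the backport itself: with the `type` field and `enum perf_event_context_type` removed in the perf_event.h hunk, a build plus a grep for `cpu_context`/`task_context` in the 3.18 tree is cheap confirmation that no other user was left behind.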
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Jan Kara, Andreas Gruenbacher
Subject: [PATCH for-3.18 4/7] posix_acl: Clear SGID bit when setting file permissions
Date: Wed, 3 May 2017 23:05:55 +0530
Message-Id: <1493832958-12489-5-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
References: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Jan Kara

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows bypassing the check in chmod(2). Fix that.

References: CVE-2016-7097
Reviewed-by: Christoph Hellwig
Reviewed-by: Jeff Layton
Signed-off-by: Jan Kara
Signed-off-by: Andreas Gruenbacher
(cherry picked from commit 073931017b49d9458aa351605b43a7e34598caef)
Signed-off-by: Amit Pundir
---
 fs/9p/acl.c               | 40 +++++++++++++++++-----------------
 fs/btrfs/acl.c            |  6 ++----
 fs/ceph/acl.c             |  6 ++----
 fs/ext2/acl.c             | 12 ++++--------
 fs/ext4/acl.c             | 12 ++++--------
 fs/f2fs/acl.c             |  6 ++----
 fs/gfs2/acl.c             | 12 +++---------
 fs/hfsplus/posix_acl.c    |  4 ++--
 fs/jffs2/acl.c            |  9 ++++-----
 fs/jfs/acl.c              |  6 ++----
 fs/ocfs2/acl.c            | 20 ++++++++------------
 fs/posix_acl.c            | 31 +++++++++++++++++++++++++++++++
 fs/reiserfs/xattr_acl.c   |  8 ++------
 fs/xfs/xfs_acl.c          | 13 ++++---------
 include/linux/posix_acl.h |  1 +
 15 files changed, 88 insertions(+), 98 deletions(-)

-- 
2.7.4

diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 8482f2d11606..d3f5d487ae46 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -320,32 +320,26 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name, case ACL_TYPE_ACCESS: name = POSIX_ACL_XATTR_ACCESS; if (acl) { - umode_t mode = inode->i_mode; - retval = posix_acl_equiv_mode(acl, &mode); - if (retval < 0) + struct iattr iattr; + + retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl); + if (retval) goto err_out; - else { - struct iattr iattr; - if (retval == 0) { - /* - * ACL can be represented - * by the mode bits. So don't - * update ACL. - */ - acl = NULL; - value = NULL; - size = 0; - } - /* Updte the mode bits */ - iattr.ia_mode = ((mode & S_IALLUGO) | - (inode->i_mode & ~S_IALLUGO)); - iattr.ia_valid = ATTR_MODE; - /* FIXME should we update ctime ? - * What is the following setxattr update the - * mode ? + if (!acl) { + /* + * ACL can be represented + * by the mode bits. So don't + * update ACL. */ - v9fs_vfs_setattr_dotl(dentry, &iattr); + value = NULL; + size = 0; } + iattr.ia_valid = ATTR_MODE; + /* FIXME should we update ctime ? + * What is the following setxattr update the + * mode ? + */ + v9fs_vfs_setattr_dotl(dentry, &iattr); } break; case ACL_TYPE_DEFAULT:
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 9a0124a95851..fb3e64d37cb4 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
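Review bot: in the 9p hunk the return value of v9fs_vfs_setattr_dotl(dentry, &iattr) is still thrown away, so if the server rejects the mode update, which is now the operation that actually drops S_ISGID, the function goes on to store the ACL xattr and reports success with mode and ACL out of step. Since the block is being rewritten anyway, capture it: `retval = v9fs_vfs_setattr_dotl(dentry, &iattr); if (retval) goto err_out;`. Dropping the old masking of iattr.ia_mode with S_IALLUGO is fine because posix_acl_update_mode() starts from inode->i_mode and posix_acl_equiv_mode() only rewrites the permission bits, but that reasoning deserves a line in the log for a stable backport.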
@@ -83,11 +83,9 @@ static int __btrfs_set_acl(struct btrfs_trans_handle *trans, case ACL_TYPE_ACCESS: name = POSIX_ACL_XATTR_ACCESS; if (acl) { - ret = posix_acl_equiv_mode(acl, &inode->i_mode); - if (ret < 0) + ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); + if (ret) return ret; - if (ret == 0) - acl = NULL; } ret = 0; break; diff --git a/fs/ceph/acl.c b/fs/ceph/acl.c index 5bd853ba44ff..6a4a3e2a46cf 100644 --- a/fs/ceph/acl.c +++ b/fs/ceph/acl.c @@ -108,11 +108,9 @@ int ceph_set_acl(struct inode *inode, struct posix_acl *acl, int type) case ACL_TYPE_ACCESS: name = POSIX_ACL_XATTR_ACCESS; if (acl) { - ret = posix_acl_equiv_mode(acl, &new_mode); - if (ret < 0) + ret = posix_acl_update_mode(inode, &new_mode, &acl); + if (ret) goto out; - if (ret == 0) - acl = NULL; } break; case ACL_TYPE_DEFAULT: diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c index 27695e6f4e46..d6aeb84e90b6 100644 --- a/fs/ext2/acl.c +++ b/fs/ext2/acl.c @@ -193,15 +193,11 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type) case ACL_TYPE_ACCESS: name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS; if (acl) { - error = posix_acl_equiv_mode(acl, &inode->i_mode); - if (error < 0) + error = posix_acl_update_mode(inode, &inode->i_mode, &acl); + if (error) return error; - else { - inode->i_ctime = CURRENT_TIME_SEC; - mark_inode_dirty(inode); - if (error == 0) - acl = NULL; - } + inode->i_ctime = CURRENT_TIME_SEC; + mark_inode_dirty(inode); } break; diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c index d40c8dbbb0d6..87d9bbf6a53f 100644 --- a/fs/ext4/acl.c +++ b/fs/ext4/acl.c 
@@ -201,15 +201,11 @@ __ext4_set_acl(handle_t *handle, struct inode *inode, int type, case ACL_TYPE_ACCESS: name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS; if (acl) { - error = posix_acl_equiv_mode(acl, &inode->i_mode); - if (error < 0) + error = posix_acl_update_mode(inode, &inode->i_mode, &acl); + if (error) return error; - else { - inode->i_ctime = ext4_current_time(inode); - ext4_mark_inode_dirty(handle, inode); - if (error == 0) - acl = NULL; - } + inode->i_ctime = ext4_current_time(inode); + ext4_mark_inode_dirty(handle, inode); } break; diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c index 83b9b5a8d112..f12d5c5ecc31 100644 --- a/fs/f2fs/acl.c +++ b/fs/f2fs/acl.c @@ -207,12 +207,10 @@ static int __f2fs_set_acl(struct inode *inode, int type, case ACL_TYPE_ACCESS: name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS; if (acl) { - error = posix_acl_equiv_mode(acl, &inode->i_mode); - if (error < 0) + error = posix_acl_update_mode(inode, &inode->i_mode, &acl); + if (error) return error; set_acl_inode(fi, inode->i_mode); - if (error == 0) - acl = NULL; } break; diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c index 7b3143064af1..88e66aa516c4 100644 --- a/fs/gfs2/acl.c +++ b/fs/gfs2/acl.c @@ -79,17 +79,11 @@ int gfs2_set_acl(struct inode *inode, struct posix_acl *acl, int type) if (type == ACL_TYPE_ACCESS) { umode_t mode = inode->i_mode; - error = posix_acl_equiv_mode(acl, &mode); - if (error < 0) + error = posix_acl_update_mode(inode, &inode->i_mode, &acl); + if (error) return error; - - if (error == 0) - acl = NULL; - - if (mode != inode->i_mode) { - inode->i_mode = mode; + if (mode != inode->i_mode) mark_inode_dirty(inode); - } } if (acl) { diff --git a/fs/hfsplus/posix_acl.c b/fs/hfsplus/posix_acl.c index df0c9af68d05..71b3087b7e32 100644 --- a/fs/hfsplus/posix_acl.c +++ b/fs/hfsplus/posix_acl.c 
@@ -68,8 +68,8 @@ int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, case ACL_TYPE_ACCESS: xattr_name = POSIX_ACL_XATTR_ACCESS; if (acl) { - err = posix_acl_equiv_mode(acl, &inode->i_mode); - if (err < 0) + err = posix_acl_update_mode(inode, &inode->i_mode, &acl); + if (err) return err; } err = 0; diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c index 2f7a3c090489..f9f86f87d32b 100644 --- a/fs/jffs2/acl.c +++ b/fs/jffs2/acl.c @@ -235,9 +235,10 @@ int jffs2_set_acl(struct inode *inode, struct posix_acl *acl, int type) case ACL_TYPE_ACCESS: xprefix = JFFS2_XPREFIX_ACL_ACCESS; if (acl) { - umode_t mode = inode->i_mode; - rc = posix_acl_equiv_mode(acl, &mode); - if (rc < 0) + umode_t mode; + + rc = posix_acl_update_mode(inode, &mode, &acl); + if (rc) return rc; if (inode->i_mode != mode) { struct iattr attr; @@ -249,8 +250,6 @@ int jffs2_set_acl(struct inode *inode, struct posix_acl *acl, int type) if (rc < 0) return rc; } - if (rc == 0) - acl = NULL; } break; case ACL_TYPE_DEFAULT: diff --git a/fs/jfs/acl.c b/fs/jfs/acl.c index 0c8ca830b113..9fad9f4fe883 100644 --- a/fs/jfs/acl.c +++ b/fs/jfs/acl.c @@ -84,13 +84,11 @@ static int __jfs_set_acl(tid_t tid, struct inode *inode, int type, case ACL_TYPE_ACCESS: ea_name = POSIX_ACL_XATTR_ACCESS; if (acl) { - rc = posix_acl_equiv_mode(acl, &inode->i_mode); - if (rc < 0) + rc = posix_acl_update_mode(inode, &inode->i_mode, &acl); + if (rc) return rc; inode->i_ctime = CURRENT_TIME; mark_inode_dirty(inode); - if (rc == 0) - acl = NULL; } break; case ACL_TYPE_DEFAULT: diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c index 8a7d2f812b5b..c7641f656494 100644 --- a/fs/ocfs2/acl.c +++ b/fs/ocfs2/acl.c 
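Review bot: the two jffs2 hunks also fix a latent bug the log does not mention. In the old code `rc` is reassigned inside the `if (inode->i_mode != mode)` block (the `if (rc < 0) return rc;` context shows the setattr result landing in it), so the trailing `if (rc == 0) acl = NULL;` that this hunk removes dropped the ACL whenever the mode update succeeded, regardless of whether the ACL was mode-equivalent. Moving the NULLing into posix_acl_update_mode(), ahead of the setattr, removes that; a sentence in the commit message would tell stable maintainers the behaviour change is intended.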
@@ -241,20 +241,16 @@ int ocfs2_set_acl(handle_t *handle, case ACL_TYPE_ACCESS: name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS; if (acl) { - umode_t mode = inode->i_mode; - ret = posix_acl_equiv_mode(acl, &mode); - if (ret < 0) - return ret; - else { - if (ret == 0) - acl = NULL; + umode_t mode; - ret = ocfs2_acl_set_mode(inode, di_bh, - handle, mode); - if (ret) - return ret; + ret = posix_acl_update_mode(inode, &mode, &acl); + if (ret) + return ret; - } + ret = ocfs2_acl_set_mode(inode, di_bh, + handle, mode); + if (ret) + return ret; } break; case ACL_TYPE_DEFAULT: diff --git a/fs/posix_acl.c b/fs/posix_acl.c index 3de7c223c963..38c91932eb52 100644 --- a/fs/posix_acl.c +++ b/fs/posix_acl.c @@ -594,6 +594,37 @@ no_acl: } EXPORT_SYMBOL_GPL(posix_acl_create); +/** + * posix_acl_update_mode - update mode in set_acl + * + * Update the file mode when setting an ACL: compute the new file permission + * bits based on the ACL. In addition, if the ACL is equivalent to the new + * file mode, set *acl to NULL to indicate that no ACL should be set. + * + * As with chmod, clear the setgit bit if the caller is not in the owning group + * or capable of CAP_FSETID (see inode_change_ok). + * + * Called from set_acl inode operations. + */ +int posix_acl_update_mode(struct inode *inode, umode_t *mode_p, + struct posix_acl **acl) +{ + umode_t mode = inode->i_mode; + int error; + + error = posix_acl_equiv_mode(*acl, &mode); + if (error < 0) + return error; + if (error == 0) + *acl = NULL; + if (!in_group_p(inode->i_gid) && + !capable_wrt_inode_uidgid(inode, CAP_FSETID)) + mode &= ~S_ISGID; + *mode_p = mode; + return 0; +} +EXPORT_SYMBOL(posix_acl_update_mode); + /* * Fix up the uids and gids in posix acl extended attributes in place. */ diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c index 4b34b9dc03dd..9b1824f35501 100644 --- a/fs/reiserfs/xattr_acl.c +++ b/fs/reiserfs/xattr_acl.c 
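Review bot: typo in the new kerneldoc for posix_acl_update_mode(): "clear the setgit bit" should read "setgid". Same hunk: the helper is exported with EXPORT_SYMBOL while posix_acl_create() directly above it uses EXPORT_SYMBOL_GPL; either is defensible, but make it a deliberate choice and keep the pair consistent unless there is a reason not to. The permission logic does match what the comment claims about inode_change_ok(): in_group_p(inode->i_gid) and capable_wrt_inode_uidgid(inode, CAP_FSETID) are the same two tests chmod(2) applies before keeping S_ISGID, so every filesystem converted in this series inherits the chmod behaviour. One caveat for callers: *mode_p is only written on success, so ceph, jffs2, ocfs2 and xfs, which pass an uninitialised local, must not read it on the error path; they all return immediately, so that holds today, but it is worth stating in the kerneldoc.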
@@ -246,13 +246,9 @@ __reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode, case ACL_TYPE_ACCESS: name = POSIX_ACL_XATTR_ACCESS; if (acl) { - error = posix_acl_equiv_mode(acl, &inode->i_mode); - if (error < 0) + error = posix_acl_update_mode(inode, &inode->i_mode, &acl); + if (error) return error; - else { - if (error == 0) - acl = NULL; - } } break; case ACL_TYPE_DEFAULT: diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c index a65fa5dde6e9..e0406717edbc 100644 --- a/fs/xfs/xfs_acl.c +++ b/fs/xfs/xfs_acl.c @@ -286,16 +286,11 @@ xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type) return error; if (type == ACL_TYPE_ACCESS) { - umode_t mode = inode->i_mode; - error = posix_acl_equiv_mode(acl, &mode); - - if (error <= 0) { - acl = NULL; - - if (error < 0) - return error; - } + umode_t mode; + error = posix_acl_update_mode(inode, &mode, &acl); + if (error) + return error; error = xfs_set_mode(inode, mode); if (error) return error; diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h index 3e96a6a76103..d1a8ad7e5ae4 100644 --- a/include/linux/posix_acl.h +++ b/include/linux/posix_acl.h 
@@ -95,6 +95,7 @@ extern int set_posix_acl(struct inode *, int, struct posix_acl *); extern int posix_acl_chmod(struct inode *, umode_t); extern int posix_acl_create(struct inode *, umode_t *, struct posix_acl **, struct posix_acl **); +extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **); extern int simple_set_acl(struct inode *, struct posix_acl *, int); extern int simple_acl_create(struct inode *, struct inode *); From patchwork Wed May 3 17:35:56 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98503 Delivered-To: patch@linaro.org Received: by 10.140.89.200 with SMTP id v66csp166253qgd; Wed, 3 May 2017 10:36:17 -0700 (PDT) X-Received: by 10.84.236.79 with SMTP id h15mr50497635pln.110.1493832977407; Wed, 03 May 2017 10:36:17 -0700 (PDT) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p20si12867632pli.35.2017.05.03.10.36.17; Wed, 03 May 2017 10:36:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752784AbdECRgQ (ORCPT + 6 others); Wed, 3 May 2017 13:36:16 -0400 Received: from mail-pg0-f45.google.com ([74.125.83.45]:34567 "EHLO mail-pg0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751880AbdECRgP (ORCPT ); Wed, 3 May 2017 13:36:15 -0400 Received: by mail-pg0-f45.google.com with SMTP id v1so81770543pgv.1 for ; Wed, 03 May 2017 10:36:15 -0700 
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Guillaume Nault, "David S. Miller"
Subject: [PATCH for-3.18 5/7] l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
Date: Wed, 3 May 2017 23:05:56 +0530
Message-Id: <1493832958-12489-6-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
References: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Guillaume Nault

Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
Without lock, a concurrent call could modify the socket flags between
the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call.
This way, a socket could be inserted twice in l2tp_ip6_bind_table.
Releasing it would then leave a stale pointer there, generating
use-after-free errors when walking through the list or modifying
adjacent entries.

BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
Write of size 8 by task syz-executor/10987
CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
 ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
 ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
Call Trace:
 [] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [< inline >] print_address_description mm/kasan/report.c:194
 [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [< inline >] kasan_report mm/kasan/report.c:303
 [] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [< inline >] __write_once_size ./include/linux/compiler.h:249
 [< inline >] __hlist_del ./include/linux/list.h:622
 [< inline >] hlist_del_init ./include/linux/list.h:637
 [] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
 [] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [] sock_release+0x8d/0x1d0 net/socket.c:570
 [] sock_close+0x16/0x20 net/socket.c:1017
 [] __fput+0x28c/0x780 fs/file_table.c:208
 [] ____fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0xf9/0x170
 [] do_exit+0x85e/0x2a00
 [] do_group_exit+0x108/0x330
 [] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [] do_signal+0x7f/0x18f0
 [] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 10987
[ 1116.897025] [] save_stack_trace+0x16/0x20
[ 1116.897025] [] save_stack+0x46/0xd0
[ 1116.897025] [] kasan_kmalloc+0xad/0xe0
[ 1116.897025] [] kasan_slab_alloc+0x12/0x20
[ 1116.897025] [< inline >] slab_post_alloc_hook mm/slab.h:417
[ 1116.897025] [< inline >] slab_alloc_node mm/slub.c:2708
[ 1116.897025] [< inline >] slab_alloc mm/slub.c:2716
[ 1116.897025] [] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
[ 1116.897025] [] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
[ 1116.897025] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388
[ 1116.897025] [] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
[ 1116.897025] [] __sock_create+0x37b/0x640 net/socket.c:1153
[ 1116.897025] [< inline >] sock_create net/socket.c:1193
[ 1116.897025] [< inline >] SYSC_socket net/socket.c:1223
[ 1116.897025] [] SyS_socket+0xef/0x1b0 net/socket.c:1203
[ 1116.897025] [] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10987
[ 1116.897025] [] save_stack_trace+0x16/0x20
[ 1116.897025] [] save_stack+0x46/0xd0
[ 1116.897025] [] kasan_slab_free+0x71/0xb0
[ 1116.897025] [< inline >] slab_free_hook mm/slub.c:1352
[ 1116.897025] [< inline >] slab_free_freelist_hook mm/slub.c:1374
[ 1116.897025] [< inline >] slab_free mm/slub.c:2951
[ 1116.897025] [] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
[ 1116.897025] [< inline >] sk_prot_free net/core/sock.c:1369
[ 1116.897025] [] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
[ 1116.897025] [] sk_destruct+0x44/0x80 net/core/sock.c:1452
[ 1116.897025] [] __sk_free+0x53/0x220 net/core/sock.c:1460
[ 1116.897025] [] sk_free+0x23/0x30 net/core/sock.c:1471
[ 1116.897025] [] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
[ 1116.897025] [] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
[ 1116.897025] [] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
[ 1116.897025] [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
[ 1116.897025] [] sock_release+0x8d/0x1d0 net/socket.c:570
[ 1116.897025] [] sock_close+0x16/0x20 net/socket.c:1017
[ 1116.897025] [] __fput+0x28c/0x780 fs/file_table.c:208
[ 1116.897025] [] ____fput+0x15/0x20 fs/file_table.c:244
[ 1116.897025] [] task_work_run+0xf9/0x170
[ 1116.897025] [] do_exit+0x85e/0x2a00
[ 1116.897025] [] do_group_exit+0x108/0x330
[ 1116.897025] [] get_signal+0x617/0x17a0 kernel/signal.c:2307
[ 1116.897025] [] do_signal+0x7f/0x18f0
[ 1116.897025] [] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
[ 1116.897025] [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
[ 1116.897025] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
[ 1116.897025] [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.

Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
Reported-by: Baozeng Ding
Reported-by: Andrey Konovalov
Tested-by: Baozeng Ding
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
(cherry picked from commit 32c231164b762dddefa13af5a0101032c70b50ef)
Signed-off-by: Amit Pundir
---
 net/l2tp/l2tp_ip.c  | 5 +++--
 net/l2tp/l2tp_ip6.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

-- 
2.7.4

diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index c2cd3dd7fa67..85285f460468 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -252,8 +252,6 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) int ret; int chk_addr_ret; - if (!sock_flag(sk, SOCK_ZAPPED)) - return -EINVAL; if (addr_len < sizeof(struct sockaddr_l2tpip)) return -EINVAL; if (addr->l2tp_family != AF_INET) @@ -268,6 +266,9 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) read_unlock_bh(&l2tp_ip_lock); lock_sock(sk); + if (!sock_flag(sk, SOCK_ZAPPED)) + goto out; + if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_l2tpip)) goto out; diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c index f5d6fd834303..cf0958712058 100644 --- a/net/l2tp/l2tp_ip6.c +++ b/net/l2tp/l2tp_ip6.c @@ -266,8 +266,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) int addr_type; int err; - if (!sock_flag(sk, SOCK_ZAPPED)) - return -EINVAL; if (addr->l2tp_family != AF_INET6) return -EINVAL; if (addr_len < sizeof(*addr)) 
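Review bot: the new `if (!sock_flag(sk, SOCK_ZAPPED)) goto out;` in the second l2tp_ip_bind() hunk returns whatever `ret` already holds, and nothing in that hunk's context assigns `ret = -EINVAL` before it, whereas the matching l2tp_ip6_bind() hunk is placed directly after an explicit `err = -EINVAL;`. The early check being replaced returned -EINVAL unconditionally, so unless `ret` happens to be -EINVAL at that point (the bind-table lookup code above lock_sock() is not shown), a bind() on an already-bound IPv4 L2TP socket now fails with a different errno than before and than the IPv6 path; either add `ret = -EINVAL;` before the check or state the errno change in the commit message. Minor: the `addr_len < sizeof(struct sockaddr_l2tpip)` test kept in the locked `if (sk->sk_state != TCP_CLOSE || ...)` line duplicates the early `return -EINVAL` that the first hunk leaves in place.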
@@ -293,6 +291,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) lock_sock(sk); err = -EINVAL; + if (!sock_flag(sk, SOCK_ZAPPED)) + goto out_unlock; + if (sk->sk_state != TCP_CLOSE) goto out_unlock;

From patchwork Wed May 3 17:35:57 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98504
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Eric Dumazet , "David S . Miller"
Subject: [PATCH for-3.18 6/7] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
Date: Wed, 3 May 2017 23:05:57 +0530
Message-Id: <1493832958-12489-7-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
References: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Eric Dumazet

CAP_NET_ADMIN users should not be allowed to set negative sk_sndbuf
or sk_rcvbuf values, as it can lead to various memory corruptions,
crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Signed-off-by: Eric Dumazet
Reported-by: Andrey Konovalov
Signed-off-by: David S. Miller
(cherry picked from commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290)
Signed-off-by: Amit Pundir
---
 net/core/sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.7.4

diff --git a/net/core/sock.c b/net/core/sock.c
index 3b3734f81e64..7bcd07e7eeed 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -733,7 +733,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, val = min_t(u32, val, sysctl_wmem_max); set_sndbuf: sk->sk_userlocks |= SOCK_SNDBUF_LOCK; - sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF); + sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF); /* Wake up sending tasks if we upped the value. */ sk->sk_write_space(sk); break;
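Review bot: max_t(int, ...) fixes the case where a negative `val * 2` was widened to a huge u32, won the comparison against SOCK_MIN_SNDBUF and was then stored into the int sk_sndbuf as a negative number, but `val * 2` is still signed int arithmetic and overflows for val > INT_MAX / 2; that range is reachable here because the set_sndbuf label shown in the context sits after the `val = min_t(u32, val, sysctl_wmem_max);` clamp, so the SO_SNDBUFFORCE path named in the commit message jumps past the clamp. Clamping val before the multiplication, e.g. `val = min_t(int, val, INT_MAX / 2);` at the label, would make the stored value independent of wraparound behaviour; the same applies to the set_rcvbuf hunk that follows.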
@@ -769,7 +769,7 @@ set_rcvbuf: * returning the value we actually used in getsockopt * is the most desirable behavior. */ - sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF); + sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF); break; case SO_RCVBUFFORCE:

From patchwork Wed May 3 17:35:58 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98505
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, "Kirill A. Shutemov" , Andrew Morton , Willy Tarreau , Linus Torvalds
Subject: [PATCH for-3.18 7/7] mm: avoid setting up anonymous pages into file mapping
Date: Wed, 3 May 2017 23:05:58 +0530
Message-Id: <1493832958-12489-8-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
References: <1493832958-12489-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: "Kirill A. Shutemov"

Reading page fault handler code I've noticed that under right
circumstances kernel would map anonymous pages into file mappings: if
the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
on ->mmap(), kernel would handle page fault to not populated pte with
do_anonymous_page().

Let's change page fault handler to use do_anonymous_page() only on
anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
shared.

For file mappings without vm_ops->fault() or shared VMA without vm_ops,
page fault on pte_none() entry would lead to SIGBUS.

Signed-off-by: Kirill A. Shutemov
Acked-by: Oleg Nesterov
Cc: Andrew Morton
Cc: Willy Tarreau
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Signed-off-by: Amit Pundir
---
 mm/memory.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

-- 
2.7.4

diff --git a/mm/memory.c b/mm/memory.c
index e8e3cf7bd247..6ca26c332712 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2629,6 +2629,10 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, pte_unmap(page_table); + /* File mapping without ->vm_ops ? */ + if (vma->vm_flags & VM_SHARED) + return VM_FAULT_SIGBUS; + /* Check if we need to add a guard page to the stack */ if (check_stack_guard_page(vma, address) < 0) return VM_FAULT_SIGSEGV;
@@ -3033,6 +3037,9 @@ static int do_linear_fault(struct mm_struct *mm, struct vm_area_struct *vma, - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff; pte_unmap(page_table); + /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */ + if (!vma->vm_ops->fault) + return VM_FAULT_SIGBUS; if (!(flags & FAULT_FLAG_WRITE)) return do_read_fault(mm, vma, address, pmd, pgoff, flags, orig_pte);
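Review bot: the new `if (!vma->vm_ops->fault) return VM_FAULT_SIGBUS;` in the do_linear_fault() hunk dereferences vma->vm_ops without a NULL check, which is only safe because the handle_pte_fault() hunk below now calls do_linear_fault() solely when vma->vm_ops is set; a short comment recording that invariant next to the check would keep a future caller from reintroducing a NULL dereference. The comment above it ("The VMA was not fully populated on mmap() or missing VM_DONTEXPAND") says how the VMA got here but not why SIGBUS is the right outcome; one line saying that a file or shared mapping must not be backed by anonymous pages, as the commit message explains, would help. In the do_anonymous_page() hunk the comment "File mapping without ->vm_ops ?" sits above a test of VM_SHARED, so "Shared mapping without ->vm_ops ?" would match the condition it annotates.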
@@ -3198,11 +3205,9 @@ static int handle_pte_fault(struct mm_struct *mm, entry = ACCESS_ONCE(*pte); if (!pte_present(entry)) { if (pte_none(entry)) { - if (vma->vm_ops) { - if (likely(vma->vm_ops->fault)) - return do_linear_fault(mm, vma, address, + if (vma->vm_ops) + return do_linear_fault(mm, vma, address, pte, pmd, flags, entry); - } return do_anonymous_page(mm, vma, address, pte, pmd, flags); }
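Review bot: with the inner `if (likely(vma->vm_ops->fault))` removed, a pte_none() fault on a VMA that has vm_ops but no ->fault no longer falls through to do_anonymous_page() and instead reaches do_linear_fault(), which the previous hunk makes return VM_FAULT_SIGBUS; the commit message states this is intended, but it is a user-visible behaviour change for any driver whose mmap() installs vm_ops without ->fault and relies on lazy anonymous fill, so the -stable submission should say so explicitly and the backport should be checked against the 3.18 tree for in-tree users of that pattern before merging.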
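An added example, not part of this patch series or of the kernel tree, that reproduces in user space the integer behaviour behind patch 6/7 above (net: avoid signed overflows for SO_{SND|RCV}BUFFORCE). The kernel's min_t()/max_t() are modelled with plain C macros, SOCK_MIN_SNDBUF is a placeholder constant chosen for the demonstration rather than the kernel's real value, and the function names are mine. It goes one step beyond the patch: the third helper shows a clamp-before-multiply variant, which is a suggestion of this review and not something the patch adds, although later mainline kernels clamp val in the same way.

```c
/* Added example (not from the patch series): user-space model of the
 * sk_sndbuf computation in sock_setsockopt() before and after
 * "net: avoid signed overflows for SO_{SND|RCV}BUFFORCE".
 */
#include <limits.h>
#include <stdio.h>

/* Stand-ins for the kernel's min_t()/max_t(): both operands are cast to
 * `type` before the comparison, which is exactly where the bug lives. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))
#define max_t(type, a, b) ((type)(a) > (type)(b) ? (type)(a) : (type)(b))

/* Placeholder (assumption): not the kernel's real SOCK_MIN_SNDBUF. */
#define SOCK_MIN_SNDBUF 4608

/* Before the patch: max_t(u32, ...). For val < 0, val * 2 is negative;
 * cast to u32 it becomes a number near 4 GiB, beats SOCK_MIN_SNDBUF, and
 * the assignment back into the int field turns it negative again. */
static int sk_sndbuf_before_fix(int val)
{
	int sk_sndbuf = max_t(unsigned int, val * 2, SOCK_MIN_SNDBUF);
	return sk_sndbuf;
}

/* After the patch: max_t(int, ...). A negative val * 2 is simply smaller
 * than SOCK_MIN_SNDBUF, so the minimum wins. */
static int sk_sndbuf_after_fix(int val)
{
	int sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
	return sk_sndbuf;
}

/* Suggested hardening (not part of this patch): the *FORCE path enters at
 * the set_sndbuf label after the sysctl_wmem_max clamp, so val can still be
 * as large as INT_MAX and val * 2 is then a signed overflow. Clamping to
 * INT_MAX / 2 first keeps the multiplication defined. */
static int sk_sndbuf_clamped(int val)
{
	val = min_t(int, val, INT_MAX / 2);
	return max_t(int, val * 2, SOCK_MIN_SNDBUF);
}

/* The invariant every variant is supposed to guarantee. */
static int sndbuf_is_sane(int sk_sndbuf)
{
	return sk_sndbuf >= SOCK_MIN_SNDBUF;
}

int main(void)
{
	/* Constructed inputs: a negative value as a CAP_NET_ADMIN caller could
	 * pass via SO_SNDBUFFORCE, a normal one, and INT_MAX. INT_MAX is only
	 * fed to the clamped variant because val * 2 would overflow in the
	 * other two. */
	printf("val=-1:      before=%d (sane=%d) after=%d clamped=%d\n",
	       sk_sndbuf_before_fix(-1), sndbuf_is_sane(sk_sndbuf_before_fix(-1)),
	       sk_sndbuf_after_fix(-1), sk_sndbuf_clamped(-1));
	printf("val=65536:   before=%d after=%d clamped=%d\n",
	       sk_sndbuf_before_fix(65536), sk_sndbuf_after_fix(65536),
	       sk_sndbuf_clamped(65536));
	printf("val=INT_MAX: clamped=%d\n", sk_sndbuf_clamped(INT_MAX));
	return 0;
}
```

The pre-fix variant is the only one that can hand a negative buffer size to the rest of the stack; the post-fix variant removes that, and the clamped variant additionally keeps the doubling inside the range of int so the outcome no longer relies on wraparound.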