Commits on Jun 24, 2016
  1. net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom

    Al Viro authored and mdmower committed Mar 20, 2015
    
    Change-Id: Ida19e5102b7faca17c685a261c20fbbf5c9614f9
    Cc: stable@vger.kernel.org # v3.19
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  2. mnt: Fail collect_mounts when applied to unmounted mounts

    ebiederm authored and mdmower committed Jan 7, 2015
    The only users of collect_mounts are in audit_tree.c
    
    In audit_trim_trees and audit_add_tree_rule the path passed into
    collect_mounts is generated from kern_path passed an audit_tree
    pathname which is guaranteed to be an absolute path.   In those cases
    collect_mounts is obviously intended to work on mounted paths and
    if a race results in paths that are unmounted when collect_mounts
    it is reasonable to fail early.
    
    The paths passed into audit_tag_tree don't have the absolute path
    check.  But are used to play with fsnotify and otherwise interact with
    the audit_trees, so again operating only on mounted paths appears
    reasonable.
    
    Avoid having to worry about what happens when we try and audit
    unmounted filesystems by restricting collect_mounts to mounts
    that appear in the mount tree.
    
    Change-Id: I2edfee6d6951a2179ce8f53785b65ddb1eb95629
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  3. KEYS: potential uninitialized variable

    Dan Carpenter authored and mdmower committed May 26, 2016
    If __key_link_begin() failed then "edit" would be uninitialized.  I've
    added a check to fix that.
    
    Change-Id: I0e28bdba07f645437db2b08daf67ca27f16c6f5c
    Fixes: f70e2e0 ('KEYS: Do preallocation for __key_link()')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
  4. net: wireless: bcmdhd: check privilege on priv cmd

    Jerry Lee authored and mdmower committed Apr 15, 2016
    check net admin capability for ioctl calls
    
    BUG=26425765
    
    Change-Id: Idae75c9fc530add3ead3508d25e994bbfec9a6de
  5. msm: kgsl: Add missing checks for alloc size and sglen

    Rajesh Kemisetti authored and mdmower committed Apr 13, 2016
    In _kgsl_sharedmem_page_alloc():
    
    - Make len of type size_t to be in line with size.
    - Check for boundary limits of requested alloc size before honoring.
    - Make sure sglen is greater than zero before marking it as end
      of sg list.
    
    BUG=27475454
    
    Change-Id: I8e18aad2118f58ce677050ff4c4a4b0823c4b4b3
  6. USB: usbfs: fix potential infoleak in devio

    kengiter authored and mdmower committed May 3, 2016
    The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
    are padding bytes which are not initialized and leaked to userland
    via “copy_to_user”.
    
    Change-Id: Icd49231ee1862682739a871ae78a5602ee104731
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commits on May 24, 2016
  1. ppp: take reference on channels netns

    Guillaume Nault authored and mdmower committed Mar 23, 2016
    Let channels hold a reference on their network namespace.
    Some channel types, like ppp_async and ppp_synctty, can have their
    userspace controller running in a different namespace. Therefore they
    can't rely on them to preclude their netns from being removed from
    under them.
    
    ==================================================================
    BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
    addr ffff880064e217e0
    Read of size 8 by task syz-executor/11581
    =============================================================================
    BUG net_namespace (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------
    
    
    Change-Id: I591b30eafa1b57bd2e211e1f33c39128702ff0b0
    Fixes: 273ec51 ("net: ppp_generic - introduce net-namespace functionality v2")
    Reported-by: Baozeng Ding <sploving1@gmail.com>
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  2. netfilter: x_tables: check for size overflow

    Florian Westphal authored and mdmower committed Mar 10, 2016
    Ben Hawkes says:
     integer overflow in xt_alloc_table_info, which on 32-bit systems can
     lead to small structure allocation and a copy_from_user based heap
     corruption.
    
    Change-Id: I13c554c630651a37e3f6a195e9a5f40cddcb29a1
    Reported-by: Ben Hawkes <hawkes@google.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  3. ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt

    kengiter authored and mdmower committed May 3, 2016
    The stack object “r1” has a total size of 32 bytes. Its field
    “event” and “val” both contain 4 bytes padding. These 8 bytes
    padding bytes are sent to user without being initialized.
    
    Change-Id: Ie3dcdee7da8ad292712814e8402c571a717ab8d1
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  4. ALSA: timer: Fix leak in events via snd_timer_user_ccallback

    kengiter authored and mdmower committed May 3, 2016
    The stack object “r1” has a total size of 32 bytes. Its field
    “event” and “val” both contain 4 bytes padding. These 8 bytes
    padding bytes are sent to user without being initialized.
    
    Change-Id: I5ece63432f6ca6251fa31c046c211c8c03313a59
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  5. ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS

    kengiter authored and mdmower committed May 3, 2016
    The stack object “tread” has a total size of 32 bytes. Its field
    “event” and “val” both contain 4 bytes padding. These 8 bytes
    padding bytes are sent to user without being initialized.
    
    Change-Id: Ibf2868136a538eed0f2e75395a5f14a8608dd86d
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  6. netfilter: x_tables: fix unconditional helper

    Florian Westphal authored and mdmower committed Mar 22, 2016
    Ben Hawkes says:
    
     In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
     is possible for a user-supplied ipt_entry structure to have a large
     next_offset field. This field is not bounds checked prior to writing a
     counter value at the supplied offset.
    
    Problem is that mark_source_chains should not have been called --
    the rule doesn't have a next entry, so it's supposed to return
    an absolute verdict of either ACCEPT or DROP.
    
    However, the function conditional() doesn't work as the name implies.
    It only checks that the rule is using wildcard address matching.
    
    However, an unconditional rule must also not be using any matches
    (no -m args).
    
    The underflow validator only checked the addresses, therefore
    passing the 'unconditional absolute verdict' test, while
    mark_source_chains also tested for presence of matches, and thus
    proceeded to the next (not-existent) rule.
    
    Unify this so that all the callers have same idea of 'unconditional rule'.
    
    Change-Id: Id2b4779f2e41b1a82b1d266bb9e11118c4428afc
    Reported-by: Ben Hawkes <hawkes@google.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  7. ipv4: Don't do expensive useless work during inetdev destroy.

    davem330 authored and mdmower committed Mar 14, 2016
    When an inetdev is destroyed, every address assigned to the interface
    is removed.  And in this scenario we do two pointless things which can
    be very expensive if the number of assigned interfaces is large:
    
    1) Address promotion.  We are deleting all addresses, so there is no
       point in doing this.
    
    2) A full nf conntrack table purge for every address.  We only need to
       do this once, as is already caught by the existing
       masq_dev_notifier so masq_inet_event() can skip this.
    
    Change-Id: I4b2a3ed665543728451c21465fb90ec89f739135
    Reported-by: Solar Designer <solar@openwall.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
    [bwh: Backported to 3.2: adjust filename, context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  8. USB: cdc-acm: more sanity checking

    oneukum authored and mdmower committed Mar 15, 2016
    An attack has become available which pretends to be a quirky
    device circumventing normal sanity checks and crashes the kernel
    by an insufficient number of interfaces. This patch adds a check
    to the code path for quirky devices.
    
    Change-Id: Ie96a95d833e4ca9c3c3c3557679115ffb7069b5b
    Signed-off-by: Oliver Neukum <ONeukum@suse.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. usbnet: cleanup after bind() in probe()

    oneukum authored and mdmower committed Mar 7, 2016
    In case bind() works, but a later error forces bailing
    in probe() in error cases work and a timer may be scheduled.
    They must be killed. This fixes an error case related to
    the double free reported in
    http://www.spinics.net/lists/netdev/msg367669.html
    and needs to go on top of Linus' fix to cdc-ncm.
    
    Change-Id: I43b1673bc31b3af05789e461b39c55062735cc56
    Signed-off-by: Oliver Neukum <ONeukum@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  10. ALSA: hrtimer: Fix stall by hrtimer_cancel()

    tiwai authored and mdmower committed Jan 18, 2016
    hrtimer_cancel() waits for the completion from the callback, thus it
    must not be called inside the callback itself.  This was already a
    problem in the past with ALSA hrtimer driver, and the early commit
    [fcfdebe: ALSA: hrtimer - Fix lock-up] tried to address it.
    
    However, the previous fix is still insufficient: it may still cause a
    lockup when the ALSA timer instance reprograms itself in its callback.
    Then it invokes the start function even in snd_timer_interrupt() that
    is called in hrtimer callback itself, resulting in a CPU stall.  This is
    no hypothetical problem but actually triggered by syzkaller fuzzer.
    
    This patch tries to fix the issue again.  Now we call
    hrtimer_try_to_cancel() at both start and stop functions so that it
    won't fall into a deadlock, yet giving some chance to cancel the queue
    if the functions have been called outside the callback.  The proper
    hrtimer_cancel() is called anyway at closing, so this should be
    enough.
    
    Change-Id: Id6224b2a3ade0d217e891e6af09744df4d0b2e5c
    Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  11. pipe: limit the per-user amount of pages allocated in pipes

    Willy Tarreau authored and mdmower committed Jan 18, 2016
    On not-so-small systems, it is possible for a single process to cause an
    OOM condition by filling large pipes with data that are never read. A
    typical process filling 4000 pipes with 1 MB of data will use 4 GB of
    memory. On small systems it may be tricky to set the pipe max size to
    prevent this from happening.
    
    This patch makes it possible to enforce a per-user soft limit above
    which new pipes will be limited to a single page, effectively limiting
    them to 4 kB each, as well as a hard limit above which no new pipes may
    be created for this user. This has the effect of protecting the system
    against memory abuse without hurting other users, and still allowing
    pipes to work correctly though with less data at once.
    
    The limits are controlled by two new sysctls: pipe-user-pages-soft, and
    pipe-user-pages-hard. Both may be disabled by setting them to zero. The
    default soft limit allows the default number of FDs per process (1024)
    to create pipes of the default size (64kB), thus reaching a limit of 64MB
    before starting to create only smaller pipes. With 256 processes limited
    to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
    1084 MB of memory allocated for a user. The hard limit is disabled by
    default to avoid breaking existing applications that make intensive use
    of pipes (eg: for splicing).
    
    Reported-by: socketpair@gmail.com
    Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Mitigates: CVE-2013-4312 (Linux 2.0+)
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    	Documentation/sysctl/fs.txt
    	fs/pipe.c
    	include/linux/sched.h
    
    Change-Id: Ic7c678af18129943e16715fdaa64a97a7f0854be
  12. ALSA: timer: Harden slave timer list handling

    tiwai authored and mdmower committed Jan 14, 2016
    A slave timer instance might be still accessible in a racy way while
    operating the master instance as it lacks locking.  Since the
    master operation is mostly protected with timer->lock, we should cope
    with it while changing the slave instance, too.  Also, some linked
    lists (active_list and ack_list) of slave instances aren't unlinked
    immediately at stopping or closing, and this may lead to unexpected
    accesses.
    
    This patch tries to address these issues.  It adds spin lock of
    timer->lock (either from master or slave, which is equivalent) in a
    few places.  For avoiding a deadlock, we ensure that the global
    slave_active_lock is always locked at first before each timer lock.
    
    Also, ack and active_list of slave instances are properly unlinked at
    snd_timer_stop() and snd_timer_close().
    
    Last but not least, remove the superfluous call of _snd_timer_stop()
    at removing slave links.  This is a noop, and calling it may confuse
    readers wrt locking.  Further cleanup will follow in a later patch.
    
    Actually we've got reports of use-after-free by syzkaller fuzzer, and
    this hopefully fixes these issues.
    
    Change-Id: I572878b909dda522dbedc84633414185802bc974
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  13. ALSA: timer: Fix race among timer ioctls

    tiwai authored and mdmower committed Jan 13, 2016
    ALSA timer ioctls have an open race and this may lead to a
    use-after-free of timer instance object.  A simplistic fix is to make
    each ioctl exclusive.  We have already tread_sem for controlling the
    tread, and extend this as a global mutex to be applied to each ioctl.
    
    The downside is, of course, the worse concurrency.  But these ioctls
    aren't to be accessed in parallel anyway, so it should be fine to
    serialize there.
    
    Change-Id: Iaa21b00f62e02cc58e346a29846e0fce6536e860
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  14. ALSA: timer: Fix double unlink of active_list

    tiwai authored and mdmower committed Jan 13, 2016
    ALSA timer instance object has a couple of linked lists and they are
    unlinked unconditionally at snd_timer_stop().  Meanwhile
    snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
    the element list itself unchanged.  This ends up with unlinking twice,
    and it was caught by syzkaller fuzzer.
    
    The fix is to use list_del_init() variant properly there, too.
    
    Change-Id: I95e2ab06180dfe43fb6b7c2875a866b53ca245ce
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  15. ALSA: usb-audio: avoid freeing umidi object twice

    xairy authored and mdmower committed Feb 13, 2016
    The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
    when tearing down the rawmidi interface. So we shouldn't try to free it
    in snd_usbmidi_create() after having registered the rawmidi interface.
    
    Found by KASAN.
    
    Change-Id: I8534867beeac111370017ef246adc17e23e1a3b1
    Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
    Acked-by: Clemens Ladisch <clemens@ladisch.de>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  16. msm: perf: Protect buffer overflow due to malicious user

    Swetha Chikkaboraiah authored and mdmower committed Jan 27, 2016
    In function krait_pmu_disable_event, parameter hwc comes from
    userspace and is untrusted. The function krait_clearpmu is called
    after the function get_krait_evtinfo.
    Function get_krait_evtinfo has parameter krait_evt_type variable
    which is used to extract the groupcode(reg) which is bound to
    KRAIT_MAX_L1_REG (is 3). After validation, one code path modifies
    groupcode(reg): If this code path executes, groupcode(reg) can be
    3, 4, 5, or 6. In krait_clearpmu groupcode is used to access array
    krait_functions whose size is 3. Since groupcode can be 3, 4, 5, 6
    accessing array krait_functions leads to buffer overflow.
    This change will validate groupcode not to exceed 3.
    
    Change-Id: I48c92adda137d8a074b4e1a367a468195a810ca1
    CRs-fixed: 962450
    Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
Commits on Apr 25, 2016
  1. arch: arm: HTC: Update defconfigs

    mdmower committed Apr 15, 2016
    Regenerate HTC defconfigs after prima driver update and move t6 to
    CONFIG_PRIMA_WLAN.
    
    Change-Id: Ib004368eb1bbd2a2fafc72aac94327da3d03c6ce
  2. staging: prima: setup wcnss before prima loads

    Flemmard authored and mdmower committed Dec 24, 2013
    * Prima needs wcnss to be set up when it loads.
      Therefore use a platform_driver to notify prima that wcnss is ready.
    
    This commit is largely based on "staging: prima: Allow prima_wlan to be
    built inside kernel" (I6c403f705e9dffa524a2aab54453e50775b45264), but
    changes to wcnss are already included in this kernel. Reference the
    original commit for a better understanding of how this is implemented.
    
    Change-Id: I8446e2f9d293c8783b602a2da97dbad0324da47d
  3. staging: prima: Get MAC address from WCNSS platform device

    cyanogen authored and mdmower committed Aug 18, 2014
    * Tools can set the value easily from userspace.
    
    Change-Id: Ic4e68e9a460901436bcc5a4e69c652352c49a07d
  4. staging: prima: Update paths and config names

    mdmower committed Apr 15, 2016
    Underscore names are no longer needed to differentiate drivers.
    
    Change-Id: I20677da69047053b4d23158dcfd0e5c07815b794
  5. staging: prima: Replace prima with prima_jb3.2

    mdmower committed Apr 15, 2016
    Begin migration from two prima drivers to one.
    
    Change-Id: I78455b363d3ec2efc364ea398073c0b38dc992e0
Commits on Apr 15, 2016
  1. staging: prima: Squash merge LA.AF.1.1_rb1.18

    Flyhalf205 authored and mdmower committed Dec 8, 2014
    staging: prima: Merge caf/LA.AF.1.1_rb1.7
    
    Merge "wlan: Ignore PNO indication if the channel is not valid for CC."
    Merge "wlan: Handle TX queues timeout when deauth come during ADD STA REQ"
    Merge "wlan: Added the gEnableDFSPnoChnlScan ini parameter"
    Merge "wlan: Do DEL_STA if driver gets deauth during ADD_STA."
    wlan: Added the gEnableDFSPnoChnlScan ini parameter
    Merge "wlan: Minimizing the retry log for Re/Assoc Rsp frame."
    Merge "wlan: Address kernel panic due to invalid memory access"
    Merge "wlan: Assign callback to resume TX if secondary channel is changed."
    Merge "wlan: validate the driver status during interface down"
    wlan: Address kernel panic due to invalid memory access
    wlan: Assign callback to resume TX if secondary channel is changed.
    Merge "wlan: PMF: Fix to delete pmfSaQueryTimer during SubSystemRestart"
    Merge "wlan: logpinprogress wrongly set during SSR"
    Merge "wlan: Validate hdd context before processing an IOCTL."
    Merge "wlan:Clear the wmmAcSetupImplicitQos work in case of implicit AC mechanism."
    Merge "wlan: Avoid watchdog bark due to excessive logging"
    Merge "wlan: Add check for adapter MAGIC to avoid crash in rx_packet_cbk"
    Merge "wlan: wdi: wpal: ratelimit invalid register read"
    wlan: Validate hdd context before processing an IOCTL.
    wlan: Add check for adapter MAGIC to avoid crash in rx_packet_cbk
    wlan:Clear the wmmAcSetupImplicitQos work in case of implicit
    wlan: Avoid watchdog bark due to excessive logging
    wlan: PMF: Fix to delete pmfSaQueryTimer during SubSystemRestart
    wlan: logpinprogress wrongly set during SSR
    wlan: wdi: wpal: ratelimit invalid register read
    
    Change-Id: Iccb708042b5ba680b5338992a2393f081eadf70d
    
    staging: prima: Merge caf/LA.AF.1.1_rb1.8
    
    wlan: Avoid race between IP notifier register unregister
    prima: Configure MC add. list in f/w after new IPV6 address.
    wlan: Don't accept requests coming from upper layer on SSR failure
    wlan: Add support for SSR recovery in WDI timeout
    wlan: Rate limit logs during SSR.
    wlan: Switch off the carrier in case of NULL bss.
    wlan: Check for disconnect before starting carrier/tx_queues.
    wlan: dont send connect result to kernel,if HDD's discon is pending
    wlan: Abort scan for SSID if deauth is received from supplicant.
    wlan: Process all candidate AP before setting state to not connected.
    SCAN-OFFLOAD: Adding separate SME queue for scan commands.
    SCAN_OFFLOAD: Update the scanOffload variable of pMac.
    SCAN_OFFLOAD: Adding new ini variable for scan offload
    
    Change-Id: Iba63ad673363a95e3f7f9cc6c3411cb8bf36ffcf
    
    staging: prima: Merge caf/LA.AF.1.1_rb1.13
    
    wlan: Assoc Req does not Carry proper PSB value if ACM is enabled for AC.
    wlan: Defer scan if back to back scan on STA interface.
    wlan: Fix to avoid SAP operating in DFS channel.
    wlan: From HDD remove the logic to try shared auth if open fails.
    Wlan: Check for Roam command in csrIsRoamCommandWaitingForSession.
    wlan: Fix to return proper value from wlan_hdd_scan_abort
    TDLS: Fix possible memory poisoning while processing tdls commands
    wlan: Initialize local variable len.
    wlan: Send proper mlm cnf when Add BSS failed during roaming
    wlan: Fix Crash due to SSR triggers during cfg Ops handling
    CCX: Avoid PMKID and send correct MIC for CCKM+RSN scenario
    wlan: TL cleanup is not invoked for TDLS CONNECTING state.
    prima: Change default value of gCountryCodePriority to 1
    wlan: validate QOS context before updating status.
    wlan: Set tdls mode to disable in case of unloading.
    wlan: Resolve accessing invalid HDD context while processing IOCTLs.
    wlan: vos: set wda needShutdown flag when unable to close SMD port
    wlan: Stop traffic as soon as driver started unloading.
    
    Change-Id: Ie3ea96f061d82f95434d99284ec372ed5fabe286
    
    staging: prima: Merge LA.AF.1.1_rb1.17
    
    wlan: Decrement pending mgmt packet count if defer msg fails.
    wlan: Decrement pending mgmt packet count properly.
    wlan: Fix wlan mgmt pkt drop issue.
    wlan: Drop mgmt frames if they exceed 1/4 of total VOS pkts in peMcMq.
    wlan: configure correct STAID to enable TL caching
    wlan: reset FTState to eFT_START_READY whenever STA disconnect.
    wlan: In UAPSD state, allow apps to power collapse.
    
    Change-Id: Idce3a5154a62694e96d08f5df605ed8338a04599
    
    staging: prima: Merge LA.AF.1.1_rb1.18
    
    Merge "wlan: Send the actual SSN in BA req instead of modified one."
    Merge "wlan: Fix arp offload filtering issue with static ip."
    wlan: Send the actual SSN in BA req instead of modified one.
    
    Change-Id: I64e19c4d84f080e7505bee4426584eef48144656
Commits on Apr 4, 2016
  1. pipe: Fix buffer offset after partially failed read

    bwhacks authored and mdmower committed Feb 13, 2016
    Quoting the RHEL advisory:
    
    > It was found that the fix for CVE-2015-1805 incorrectly kept buffer
    > offset and buffer length in sync on a failed atomic read, potentially
    > resulting in a pipe buffer state corruption. A local, unprivileged user
    > could use this flaw to crash the system or leak kernel memory to user
    > space. (CVE-2016-0774, Moderate)
    
    The same flawed fix was applied to stable branches from 2.6.32.y to
    3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
    We need to give pipe_iov_copy_to_user() a separate offset variable
    and only update the buffer offset if it succeeds.
    
    Change-Id: I988802f38acf40c7671fa0978880928b02d29b56
    References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    (cherry picked from commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2)
Commits on Mar 22, 2016
  1. UPSTREAM: include/linux/poison.h: fix LIST_POISON{1,2} offset

    Vasily Kulikov authored and mdmower committed Sep 9, 2015
    (cherry pick from commit 8a5e5e02fc83aaf67053ab53b359af08c6c49aaf)
    
    Poison pointer values should be small enough to find a room in
    non-mmap'able/hardly-mmap'able space.  E.g.  on x86 "poison pointer space"
    is located starting from 0x0.  Given unprivileged users cannot mmap
    anything below mmap_min_addr, it should be safe to use poison pointers
    lower than mmap_min_addr.
    
    The current poison pointer values of LIST_POISON{1,2} might be too big for
    mmap_min_addr values equal or less than 1 MB (common case, e.g.  Ubuntu
    uses only 0x10000).  There is little point to use such a big value given
    the "poison pointer space" below 1 MB is not yet exhausted.  Changing it
    to a smaller value solves the problem for small mmap_min_addr setups.
    
    The values are suggested by Solar Designer:
    http://www.openwall.com/lists/oss-security/2015/05/02/6
    
    Signed-off-by: Vasily Kulikov <segoon@openwall.com>
    Cc: Solar Designer <solar@openwall.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Bug: 26429468
    Bug: 26186802
    Bug: 26429519
    Change-Id: Ic51614f6cc98e416282f19af96b9d116eff7c08b
  2. pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic

    bwhacks authored and mdmower committed Jun 16, 2015
    
    pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
    the first time atomically and the second time not.  The second attempt
    needs to continue from the iovec position, pipe buffer offset and
    remaining length where the first attempt failed, but currently the
    pipe buffer offset and remaining length are reset.  This will corrupt
    the piped data (possibly also leading to an information leak between
    processes) and may also corrupt kernel memory.
    
    This was fixed upstream by commits f0d1bec ("new helper:
    copy_page_from_iter()") and 637b58c ("switch pipe_read() to
    copy_page_to_iter()"), but those aren't suitable for stable.  This fix
    for older kernel versions was made by Seth Jennings for RHEL and I
    have extracted it from their update.
    
    CVE-2015-1805
    
    Bug: 27275324
    
    Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4
    References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 85c34d007116f8a8aafb173966a605fb03532f45)
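The two pipe commits above (the CVE-2015-1805 retry fix and the CVE-2016-0774 follow-up) come down to one rule: the bytes delivered so far must be tracked in cursors that survive the non-atomic retry, and the pipe buffer's own offset and length may only be updated once the whole copy has succeeded. The userland model below is an added example, not kernel code and not part of this commit page. struct iovec_m, struct pipe_buf, copy_to_user_sim with its atomic_budget fault injection, read_buf_flawed, read_buf_fixed and run_read are all constructions of this example; the "flawed" reader only reproduces the shape the CVE-2016-0774 message describes (buffer offset written through during the copy, length adjusted afterwards), not the exact stable-branch source.

```c
#include <errno.h>
#include <string.h>

#define PAGE_SIZE 4096

struct iovec_m  { char *base; size_t len; };                     /* one user iovec */
struct pipe_buf { char page[PAGE_SIZE]; size_t offset; size_t len; };

/* Simulated copy_to_user(): an atomic copy succeeds for at most atomic_budget
 * bytes per read, then faults (user page not resident while faults are off);
 * a NULL destination is an unmapped address. Returns the bytes NOT copied. */
static size_t atomic_budget, atomic_used;

static size_t copy_to_user_sim(char *dst, const char *src, size_t n, int atomic)
{
    if (dst == NULL || (atomic && atomic_used + n > atomic_budget))
        return n;
    if (atomic)
        atomic_used += n;
    memcpy(dst, src, n);
    return 0;
}

/* Copies *remaining bytes from page + *offset into the iovec. Cursor, *offset
 * and *remaining advance together and stop at the first fault, so a retry can
 * resume exactly where delivery stopped (the CVE-2015-1805 point). */
static int pipe_iov_copy_to_user(struct iovec_m **iovp, struct iovec_m *end,
                                 const char *page, size_t *offset,
                                 size_t *remaining, int atomic)
{
    struct iovec_m *iov = *iovp;
    int err = 0;
    while (*remaining) {
        while (iov < end && iov->len == 0)
            iov++;                                   /* skip exhausted segments */
        if (iov == end) { err = -EINVAL; break; }    /* iovec shorter than chars */
        size_t copy = iov->len < *remaining ? iov->len : *remaining;
        if (copy_to_user_sim(iov->base, page + *offset, copy, atomic)) { err = -EFAULT; break; }
        *offset += copy;   *remaining -= copy;
        iov->base += copy; iov->len -= copy;
    }
    *iovp = iov;
    return err;
}

/* Shape of the stable backport before the CVE-2016-0774 fix: the helper writes
 * through to buf->offset, so when the retry fails too the offset already sits
 * past bytes the caller never got while buf->len is unchanged. */
static int read_buf_flawed(struct pipe_buf *buf, struct iovec_m *iov,
                           struct iovec_m *end, size_t chars)
{
    size_t remaining = chars;
    int atomic = 1, err;
redo:
    err = pipe_iov_copy_to_user(&iov, end, buf->page, &buf->offset, &remaining, atomic);
    if (err && atomic) { atomic = 0; goto redo; }    /* retry with faults allowed */
    if (err)
        return err;
    buf->len -= chars;
    return 0;
}

/* The commit's fix: a private offset, committed with the length only after the
 * whole copy succeeded, so a failed read leaves buf exactly as it was. */
static int read_buf_fixed(struct pipe_buf *buf, struct iovec_m *iov,
                          struct iovec_m *end, size_t chars)
{
    size_t offset = buf->offset, remaining = chars;
    int atomic = 1, err;
redo:
    err = pipe_iov_copy_to_user(&iov, end, buf->page, &offset, &remaining, atomic);
    if (err && atomic) { atomic = 0; goto redo; }
    if (err)
        return err;
    buf->offset = offset;
    buf->len -= chars;
    return 0;
}

/* Constructed read of 64 bytes (byte i == i, 0xCC filler after) through two
 * 32-byte segments with an atomic budget of 32, so the atomic copy fills the
 * first segment and faults on the second; with unmap_second the retry fails
 * too. Returns buf.offset + buf.len, which must stay 64 (the end of the valid
 * data), or 0 if the delivered bytes are out of order. */
static size_t run_read(int use_fixed, int unmap_second)
{
    struct pipe_buf buf;
    char out[64];
    struct iovec_m iov[2] = { { out, 32 }, { unmap_second ? NULL : out + 32, 32 } };
    memset(buf.page, 0xCC, PAGE_SIZE);
    for (size_t i = 0; i < 64; i++) buf.page[i] = (char)i;
    buf.offset = 0; buf.len = 64; atomic_budget = 32; atomic_used = 0;
    int err = use_fixed ? read_buf_fixed(&buf, iov, iov + 2, 64)
                        : read_buf_flawed(&buf, iov, iov + 2, 64);
    if (err == 0 && memcmp(out, buf.page, 64) != 0)
        return 0;
    return buf.offset + buf.len;
}
```

run_read(0, 1) returns 96 where every other combination returns 64: after the failed read the flawed reader's buffer claims 64 bytes starting at offset 32, so the next reader would be handed 32 bytes of page content the pipe never wrote, which is the kernel-memory leak the advisory describes. Both readers share the resumable copy helper, so the in-order delivery across the atomic-to-non-atomic retry (the CVE-2015-1805 case) holds for either.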
Commits on Mar 14, 2016
  1. tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)

    peterhurley authored and intervigilium committed Jan 11, 2016
    ioctl(TIOCGETD) retrieves the line discipline id directly from the
    ldisc because the line discipline id (c_line) in termios is untrustworthy;
    userspace may have set termios via ioctl(TCSETS*) without actually
    changing the line discipline via ioctl(TIOCSETD).
    
    However, directly accessing the current ldisc via tty->ldisc is
    unsafe; the ldisc ptr dereferenced may be stale if the line discipline
    is changing via ioctl(TIOCSETD) or hangup.
    
    Wait for the line discipline reference (just like read() or write())
    to retrieve the "current" line discipline id.
    
    Change-Id: I7dae813721d4631d84a7d48b7b908e3bc40617cb
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. fuse: break infinite loop in fuse_fill_write_pages()

    Roman Gushchin authored and intervigilium committed Oct 12, 2015
    I got a report about an unkillable task eating CPU. Further
    investigation shows that the problem is in the fuse_fill_write_pages()
    function. If iov's first segment has zero length, we get an infinite
    loop, because we never reach the iov_iter_advance() call.
    
    Fix this by calling iov_iter_advance() before repeating an attempt to
    copy data from userspace.
    
    A similar problem is described in 124d3b7 ("fix writev regression:
    pan hanging unkillable and un-straceable"). If a zero-length segment
    is followed by a segment with an invalid address,
    iov_iter_fault_in_readable() checks only the first segment (zero-length),
    iov_iter_copy_from_user_atomic() skips it, fails at the second and
    returns zero -> goto again without skipping the zero-length segment.
    
    The patch calls iov_iter_advance() before goto again: we'll skip the zero-length
    segment at the second iteration and iov_iter_fault_in_readable() will detect
    the invalid address.
    
    Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
    description.
    
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Maxim Patlasov <mpatlasov@parallels.com>
    Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
    Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
    Fixes: ea9b990 ("fuse: implement perform_write")
    Cc: <stable@vger.kernel.org>
    
    Change-Id: Id37193373294dd43191469389cfe68ca1736a54b
    (cherry picked from commit 10ad8bb6373f72b0c8b4f3be748403ff3a9f2d07)
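To see why moving iov_iter_advance() ahead of the !tmp check is enough, here is an added example (not the fuse code and not from the commit) that models the three iov_iter helpers the message names and the retry loop of fuse_fill_write_pages() for a single page. struct useg, struct iter, the resident flag, min_sz, fill_write_page and run_case are this example's own constructions. The model keeps the two properties the commit relies on: the fault-in helper probes only the first segment, and advancing by zero bytes still steps over a zero-length segment (as the kernel's iov_iter_advance() of that era did). It goes one step beyond the message's unmapped-address case: the 'v' variant of run_case uses a valid but not yet resident buffer, which also spins for ever in the original placement because the second segment is never faulted in.

```c
#include <errno.h>
#include <string.h>

/* One user iovec segment; `resident` models whether its page has been faulted
 * in (an atomic copy from a non-resident page fails), NULL base = unmapped. */
struct useg { const char *base; size_t len; int resident; };

/* Model of the 3.x iov_iter: segment array, offset into the first segment,
 * bytes left overall. */
struct iter { struct useg *seg; int nr_segs; size_t skip; size_t count; };

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* iov_iter_fault_in_readable() as the commit describes it: probes only the
 * first segment, so a zero-length first segment is trivially "readable". */
static int fault_in_readable(struct iter *it)
{
    struct useg *s = it->seg;
    if (it->nr_segs == 0 || s->len - it->skip == 0)
        return 0;
    if (s->base == NULL)
        return -EFAULT;
    s->resident = 1;
    return 0;
}

/* iov_iter_copy_from_user_atomic(): skips zero-length segments, copies from
 * the first non-empty one, returns 0 (nothing copied) on any fault. */
static size_t copy_from_user_atomic(const struct iter *it, char *dst, size_t bytes)
{
    struct useg *s = it->seg, *end = it->seg + it->nr_segs;
    size_t skip = it->skip;
    while (s < end && s->len - skip == 0) { s++; skip = 0; }
    if (s == end || s->base == NULL || !s->resident)
        return 0;
    size_t n = min_sz(s->len - skip, bytes);
    memcpy(dst, s->base + skip, n);
    return n;
}

/* iov_iter_advance(): consumes `bytes` and keeps stepping while the current
 * segment is empty, so advancing by 0 still moves past a zero-length segment.
 * That property is what the fix relies on. */
static void iov_iter_advance(struct iter *it, size_t bytes)
{
    while (it->nr_segs && (bytes || it->seg->len == it->skip)) {
        size_t n = min_sz(it->seg->len - it->skip, bytes);
        bytes -= n; it->skip += n; it->count -= n;
        if (it->skip == it->seg->len) { it->seg++; it->nr_segs--; it->skip = 0; }
    }
}

static size_t single_seg_count(const struct iter *it)
{
    return it->nr_segs ? it->seg->len - it->skip : 0;
}

/* Models fuse_fill_write_pages() for one page. `fixed` selects where
 * iov_iter_advance() sits: after the !tmp check (original, loops for ever) or
 * before it (the commit's fix). Returns bytes copied, -EFAULT, or -ELOOP once
 * the retry loop has spun max_spins times without progress. */
static long fill_write_page(struct iter *it, char *page, size_t bytes, int fixed, int max_spins)
{
    int spins = 0;
    size_t tmp;
again:
    if (fault_in_readable(it))
        return -EFAULT;
    tmp = copy_from_user_atomic(it, page, bytes);
    if (fixed)
        iov_iter_advance(it, tmp);       /* also steps over a zero-length segment */
    if (!tmp) {
        if (++spins >= max_spins)
            return -ELOOP;               /* stands in for the unkillable task */
        bytes = min_sz(bytes, single_seg_count(it));
        goto again;
    }
    if (!fixed)
        iov_iter_advance(it, tmp);       /* original placement: never reached when tmp == 0 */
    return (long)tmp;
}

/* Constructed iovecs: a zero-length first segment followed by either a valid,
 * not yet resident buffer ('v') or an unmapped address ('u'). */
static long run_case(char which, int fixed)
{
    static const char text[] = "hello world";
    struct useg segs[2] = { { "", 0, 0 }, { which == 'v' ? text : NULL, 11, 0 } };
    struct iter it = { segs, 2, 0, 11 };
    char page[64];
    return fill_write_page(&it, page, sizeof page, fixed, 1000);
}
```

With the original placement both cases return -ELOOP, the stand-in for the unkillable task; with the fix the valid buffer copies all 11 bytes on the second pass (the advance by zero moved the cursor, so the fault-in helper now probes the real segment) and the unmapped one fails cleanly with -EFAULT.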
  3. ext4: make orphan functions be no-op in no-journal mode

    anatol authored and intervigilium committed Sep 18, 2012
    Instead of checking whether the handle is valid, we check if journal
    is enabled. This avoids taking the s_orphan_lock mutex in all cases
    when there is no journal in use, including the error paths where
    ext4_orphan_del() is called with a handle set to NULL.
    
    Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    
    Change-Id: I734ccb8069fceb12b864e7b9dceb37e27ab94c61
  4. bluetooth: Validate socket address length in sco_sock_bind().

    davem330 authored and intervigilium committed Dec 15, 2015
    Change-Id: I890640975f1af64f71947b6a1820249e08f6375b
    Signed-off-by: David S. Miller <davem@davemloft.net>
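The check this commit adds guards against a short addr_len: bind() copies only addr_len bytes of the user address into the kernel's sockaddr buffer, so a handler that reads a full struct sockaddr_sco without checking the length consumes whatever the kernel stack held beyond the bytes userspace supplied. The following is an added example, not the kernel's sco_sock_bind() and not from the page: struct sockaddr_sco_m (family followed by a 6-byte device address, the layout assumed here), sco_bind_m, the STALE filler and run_short_bind are constructions of this example.

```c
#include <errno.h>
#include <string.h>

#define AF_BLUETOOTH_M 31                 /* AF_BLUETOOTH on Linux */
#define STALE 0xCC                        /* stands in for old kernel stack bytes */

/* Modelled on struct sockaddr_sco: the address family followed by a 6-byte
 * Bluetooth device address (layout assumed for this example). */
struct sockaddr_sco_m { unsigned short sco_family; unsigned char sco_bdaddr[6]; };

/* bind() copies addr_len bytes of the user address into a sockaddr_storage
 * sized buffer on the kernel stack; bytes beyond addr_len keep whatever the
 * stack held before. Without the length check the handler reads the device
 * address from there. */
static int sco_bind_m(const void *uaddr, size_t addr_len, int check_len,
                      unsigned char bound[6])
{
    union { struct sockaddr_sco_m sa; unsigned char raw[128]; } k;
    if (addr_len > sizeof k.raw)
        return -EINVAL;
    memset(k.raw, STALE, sizeof k.raw);
    memcpy(k.raw, uaddr, addr_len);
    if (check_len && addr_len < sizeof k.sa)      /* the commit's added check */
        return -EINVAL;
    if (k.sa.sco_family != AF_BLUETOOTH_M)
        return -EINVAL;
    memcpy(bound, k.sa.sco_bdaddr, sizeof k.sa.sco_bdaddr);
    return 0;
}

/* Constructed call: userspace passes only the 2-byte family. Returns the bind
 * error if it fails, otherwise how many of the 6 bound address bytes are stale
 * stack filler rather than user input. */
static int run_short_bind(int check_len)
{
    unsigned short fam = AF_BLUETOOTH_M;
    unsigned char bound[6];
    int err = sco_bind_m(&fam, sizeof fam, check_len, bound);
    if (err)
        return err;
    int stale = 0;
    for (int i = 0; i < 6; i++)
        stale += bound[i] == STALE;
    return stale;
}
```

Without the check the bind succeeds and all six address bytes come from the stale filler, i.e. an address the user never supplied is bound to the socket; with it the short address is rejected with -EINVAL before any field past addr_len is read.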