commit f6767727467056943bf6d3433ffce0a8b2b05681
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri Mar 31 10:32:02 2017 +0200
Linux 4.9.20
commit 1dc3a068cc1123cbfb1d6340cfd795bfd453870a
Author: Bin Liu <b-liu@ti.com>
Date: Fri Mar 10 14:43:37 2017 -0600
usb: musb: fix possible spinlock deadlock
commit bc1e2154542071e3cfe1734b143af9b8bdacf8bd upstream.
The DSPS glue calls del_timer_sync() in its musb_platform_disable()
implementation, which requires the caller to not hold a lock. But
musb_remove() calls musb_platform_disable() will musb->lock held. This
could causes spinlock deadlock.
So change musb_remove() to call musb_platform_disable() without holds
musb->lock. This doesn't impact the musb_platform_disable implementation
in other glue drivers.
root@am335x-evm:~# modprobe -r musb-dsps
[ 126.134879] musb-hdrc musb-hdrc.1: remove, state 1
[ 126.140465] usb usb2: USB disconnect, device number 1
[ 126.146178] usb 2-1: USB disconnect, device number 2
[ 126.416985] musb-hdrc musb-hdrc.1: USB bus 2 deregistered
[ 126.423943]
[ 126.425525] ======================================================
[ 126.431997] [ INFO: possible circular locking dependency detected ]
[ 126.438564] 4.11.0-rc1-00003-g1557f13bca04-dirty #77 Not tainted
[ 126.444852] -------------------------------------------------------
[ 126.451414] modprobe/778 is trying to acquire lock:
[ 126.456523] (((&glue->timer))){+.-...}, at: [<c01b8788>] del_timer_sync+0x0/0xd0
[ 126.464403]
[ 126.464403] but task is already holding lock:
[ 126.470511] (&(&musb->lock)->rlock){-.-...}, at: [<bf30b7f8>] musb_remove+0x50/0x1
30 [musb_hdrc]
[ 126.479965]
[ 126.479965] which lock already depends on the new lock.
[ 126.479965]
[ 126.488531]
[ 126.488531] the existing dependency chain (in reverse order) is:
[ 126.496368]
[ 126.496368] -> #1 (&(&musb->lock)->rlock){-.-...}:
[ 126.502968] otg_timer+0x80/0xec [musb_dsps]
[ 126.507990] call_timer_fn+0xb4/0x390
[ 126.512372] expire_timers+0xf0/0x1fc
[ 126.516754] run_timer_softirq+0x80/0x178
[ 126.521511] __do_softirq+0xc4/0x554
[ 126.525802] irq_exit+0xe8/0x158
[ 126.529735] __handle_domain_irq+0x58/0xb8
[ 126.534583] __irq_usr+0x54/0x80
[ 126.538507]
[ 126.538507] -> #0 (((&glue->timer))){+.-...}:
[ 126.544636] del_timer_sync+0x40/0xd0
[ 126.549066] musb_remove+0x6c/0x130 [musb_hdrc]
[ 126.554370] platform_drv_remove+0x24/0x3c
[ 126.559206] device_release_driver_internal+0x14c/0x1e0
[ 126.565225] bus_remove_device+0xd8/0x108
[ 126.569970] device_del+0x1e4/0x308
[ 126.574170] platform_device_del+0x24/0x8c
[ 126.579006] platform_device_unregister+0xc/0x20
[ 126.584394] dsps_remove+0x14/0x30 [musb_dsps]
[ 126.589595] platform_drv_remove+0x24/0x3c
[ 126.594432] device_release_driver_internal+0x14c/0x1e0
[ 126.600450] driver_detach+0x38/0x6c
[ 126.604740] bus_remove_driver+0x4c/0xa0
[ 126.609407] SyS_delete_module+0x11c/0x1e4
[ 126.614252] __sys_trace_return+0x0/0x10
Fixes: ea2f35c01d5ea ("usb: musb: Fix sleeping function called from invalid context for hdrc glue")
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 916c5cfeab400f5260d20dc2e5c8e0ec52e64cfc
Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date: Tue Jan 24 15:40:06 2017 +0100
sched/rt: Add a missing rescheduling point
commit 619bd4a71874a8fd78eb6ccf9f272c5e98bcc7b7 upstream.
Since the change in commit:
fd7a4bed1835 ("sched, rt: Convert switched_{from, to}_rt() / prio_changed_rt() to balance callbacks")
... we don't reschedule a task under certain circumstances:
Lets say task-A, SCHED_OTHER, is running on CPU0 (and it may run only on
CPU0) and holds a PI lock. This task is removed from the CPU because it
used up its time slice and another SCHED_OTHER task is running. Task-B on
CPU1 runs at RT priority and asks for the lock owned by task-A. This
results in a priority boost for task-A. Task-B goes to sleep until the
lock has been made available. Task-A is already runnable (but not active),
so it receives no wake up.
The reality now is that task-A gets on the CPU once the scheduler decides
to remove the current task despite the fact that a high priority task is
enqueued and waiting. This may take a long time.
The desired behaviour is that CPU0 immediately reschedules after the
priority boost which made task-A the task with the lowest priority.
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: fd7a4bed1835 ("sched, rt: Convert switched_{from, to}_rt() prio_changed_rt() to balance callbacks")
Link: http://lkml.kernel.org/r/20170124144006.29821-1-bigeasy@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2984e52c75c657db7901f6189f02e0251ca963c2
Author: Eric Biggers <ebiggers@google.com>
Date: Tue Feb 21 15:07:11 2017 -0800
fscrypt: remove broken support for detecting keyring key revocation
commit 1b53cf9815bb4744958d41f3795d5d5a1d365e2d upstream.
Filesystem encryption ostensibly supported revoking a keyring key that
had been used to "unlock" encrypted files, causing those files to become
"locked" again. This was, however, buggy for several reasons, the most
severe of which was that when key revocation happened to be detected for
an inode, its fscrypt_info was immediately freed, even while other
threads could be using it for encryption or decryption concurrently.
This could be exploited to crash the kernel or worse.
This patch fixes the use-after-free by removing the code which detects
the keyring key having been revoked, invalidated, or expired. Instead,
an encrypted inode that is "unlocked" now simply remains unlocked until
it is evicted from memory. Note that this is no worse than the case for
block device-level encryption, e.g. dm-crypt, and it still remains
possible for a privileged user to evict unused pages, inodes, and
dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by
simply unmounting the filesystem. In fact, one of those actions was
already needed anyway for key revocation to work even somewhat sanely.
This change is not expected to break any applications.
In the future I'd like to implement a real API for fscrypt key
revocation that interacts sanely with ongoing filesystem operations ---
waiting for existing operations to complete and blocking new operations,
and invalidating and sanitizing key material and plaintext from the VFS
caches. But this is a hard problem, and for now this bug must be fixed.
This bug affected almost all versions of ext4, f2fs, and ubifs
encryption, and it was potentially reachable in any kernel configured
with encryption support (CONFIG_EXT4_ENCRYPTION=y,
CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or
CONFIG_UBIFS_FS_ENCRYPTION=y). Note that older kernels did not use the
shared fs/crypto/ code, but due to the potential security implications
of this bug, it may still be worthwhile to backport this fix to them.
Fixes: b7236e21d55f ("ext4 crypto: reorganize how we store keys in the inode")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Michael Halcrow <mhalcrow@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 21c95eca627bf63fa56dc19f5fb5fb2a770dadc0
Author: Dave Martin <Dave.Martin@arm.com>
Date: Mon Mar 27 15:10:57 2017 +0100
metag/ptrace: Reject partial NT_METAG_RPIPE writes
commit 7195ee3120d878259e8d94a5d9f808116f34d5ea upstream.
It's not clear what behaviour is sensible when doing partial write of
NT_METAG_RPIPE, so just don't bother.
This patch assumes that userspace will never rely on a partial SETREGSET
in this case, since it's not clear what should happen anyway.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2d6532ceb45bffcc05036f93a0590ffa82c7794f
Author: Dave Martin <Dave.Martin@arm.com>
Date: Mon Mar 27 15:10:56 2017 +0100
metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
commit 5fe81fe98123ce41265c65e95d34418d30d005d1 upstream.
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill TXSTATUS, a well-defined default value is used, based on the
task's current value.
Suggested-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2739b4874165acc5ce07e643c363e6768f44cf4f
Author: Dave Martin <Dave.Martin@arm.com>
Date: Mon Mar 27 15:10:55 2017 +0100
metag/ptrace: Preserve previous registers for short regset write
commit a78ce80d2c9178351b34d78fec805140c29c193e upstream.
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 84b94c4356c668ebe4532b3a999cf375f0089310
Author: Dave Martin <Dave.Martin@arm.com>
Date: Mon Mar 27 15:10:59 2017 +0100
sparc/ptrace: Preserve previous registers for short regset write
commit d3805c546b275c8cc7d40f759d029ae92c7175f2 upstream.
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0ba34c87f7ce04232295ebf4991cd3ff36ea5abd
Author: Dave Martin <Dave.Martin@arm.com>
Date: Mon Mar 27 15:10:58 2017 +0100
mips/ptrace: Preserve previous registers for short regset write
commit d614fd58a2834cfe4efa472c33c8f3ce2338b09b upstream.
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 616fe993f410c589cd928dfb015ccaf9c931dcc1
Author: Dave Martin <Dave.Martin@arm.com>
Date: Mon Mar 27 15:10:54 2017 +0100
h8300/ptrace: Fix incorrect register transfer count
commit 502585c7555083d4a949c08350306b9ec196779e upstream.
regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun
if CONFIG_CPU_H8S is set, since this adds an extra entry to
register_offset[] but not to user_regs_struct.
So, iterate over user_regs_struct based on its actual size, not based on
the length of register_offset[].
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d77bd2d6a478468127da79e6920b44c467baaa9e
Author: Dave Martin <Dave.Martin@arm.com>
Date: Mon Mar 27 15:10:53 2017 +0100
c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
commit fb411b837b587a32046dc4f369acb93a10b1def8 upstream.
gpr_set won't work correctly and can never have been tested, and the
correct behaviour is not clear due to the endianness-dependent task
layout.
So, just remove it. The core code will now return -EOPNOTSUPPORT when
trying to set NT_PRSTATUS on this architecture until/unless a correct
implementation is supplied.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dd6054234bd82065134f62ca0b5e2695c0d859b7
Author: Bjorn Andersson <bjorn.andersson@linaro.org>
Date: Tue Mar 14 08:23:26 2017 -0700
pinctrl: qcom: Don't clear status bit on irq_unmask
commit a6566710adaa4a7dd5e0d99820ff9c9c30ee5951 upstream.
Clearing the status bit on irq_unmask will discard any pending interrupt
that did arrive after the irq_ack, i.e. while the IRQ handler function
was executing.
Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver")
Cc: Stephen Boyd <sboyd@codeaurora.org>
Reported-by: Timur Tabi <timur@codeaurora.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b82b2f930c2b090a51d429664454252c87b45a47
Author: Ladi Prosek <lprosek@redhat.com>
Date: Thu Mar 23 08:04:18 2017 +0100
virtio_balloon: init 1st buffer in stats vq
commit fc8653228c8588a120f6b5dad6983b7b61ff669e upstream.
When init_vqs runs, virtio_balloon.stats is either uninitialized or
contains stale values. The host updates its state with garbage data
because it has no way of knowing that this is just a marker buffer
used for signaling.
This patch updates the stats before pushing the initial buffer.
Alternative fixes:
* Push an empty buffer in init_vqs. Not easily done with the current
virtio implementation and violates the spec "Driver MUST supply the
same subset of statistics in all buffers submitted to the statsq".
* Push a buffer with invalid tags in init_vqs. Violates the same
spec clause, plus "invalid tag" is not really defined.
Note: the spec says:
When using the legacy interface, the device SHOULD ignore all values in
the first buffer in the statsq supplied by the driver after device
initialization. Note: Historically, drivers supplied an uninitialized
buffer in the first buffer.
Unfortunately QEMU does not seem to implement the recommendation
even for the legacy interface.
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3e8c6bd9dbc44630199892ad27ef745a45335191
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon Mar 27 17:53:50 2017 +0200
KVM: x86: cleanup the page tracking SRCU instance
commit 2beb6dad2e8f95d710159d5befb390e4f62ab5cf upstream.
SRCU uses a delayed work item. Skip cleaning it up, and
the result is use-after-free in the work item callbacks.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Suggested-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: 0eb05bf290cfe8610d9680b49abef37febd1c38a
Reviewed-by: Xiao Guangrong <xiaoguangrong.eric@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 79191ea36dc9be10a9c9b03d6b341ed2d2f76045
Author: Andy Whitcroft <apw@canonical.com>
Date: Thu Mar 23 07:45:44 2017 +0000
xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.
Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues. To ensure we are correctly ensuring that the two ESN
structures are the same size compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.
CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 64a5465799ee40e3d54d9da3037934cd4b7b502f
Author: Andy Whitcroft <apw@canonical.com>
Date: Wed Mar 22 07:29:31 2017 +0000
xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
commit 677e806da4d916052585301785d847c3b3e6186a upstream.
When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer. However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call. There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents. We do
not at this point check that the replay_window is within the allocated
memory. This leads to out-of-bounds reads and writes triggered by
netlink packets. This leads to memory corruption and the potential for
priviledge escalation.
We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn. It however does not check the replay_window
remains within that buffer. Add validation of the contained
replay_window.
CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f68a09c7944eca3bdfce2ef18b43dfd2359346b7
Author: Florian Westphal <fw@strlen.de>
Date: Wed Feb 8 11:52:29 2017 +0100
xfrm: policy: init locks early
commit c282222a45cb9503cbfbebfdb60491f06ae84b49 upstream.
Dmitry reports following splat:
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 13059 Comm: syz-executor1 Not tainted 4.10.0-rc7-next-20170207 #1
[..]
spin_lock_bh include/linux/spinlock.h:304 [inline]
xfrm_policy_flush+0x32/0x470 net/xfrm/xfrm_policy.c:963
xfrm_policy_fini+0xbf/0x560 net/xfrm/xfrm_policy.c:3041
xfrm_net_init+0x79f/0x9e0 net/xfrm/xfrm_policy.c:3091
ops_init+0x10a/0x530 net/core/net_namespace.c:115
setup_net+0x2ed/0x690 net/core/net_namespace.c:291
copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
SYSC_unshare kernel/fork.c:2281 [inline]
Problem is that when we get error during xfrm_net_init we will call
xfrm_policy_fini which will acquire xfrm_policy_lock before it was
initialized. Just move it around so locks get set up first.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: 283bc9f35bbbcb0e9 ("xfrm: Namespacify xfrm state/policy locks")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>