1. 16 9月, 2019 12 次提交
    • S
      batman-adv: Only read OGM tvlv_len after buffer len check · 86d5ae21
      Sven Eckelmann 提交于
      commit a15d56a60760aa9dbe26343b9a0ac5228f35d445 upstream.
      
      Multiple batadv_ogm_packet can be stored in an skbuff. The functions
      batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use
      batadv_iv_ogm_aggr_packet() to check if there is another additional
      batadv_ogm_packet in the skb or not before they continue processing the
      packet.
      
      The length for such an OGM is BATADV_OGM_HLEN +
      batadv_ogm_packet->tvlv_len. The check must first check that at least
      BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is
      part of the header. Otherwise it might try read outside of the currently
      available skbuff to get the content of tvlv_len.
      
      Fixes: ef261577 ("batman-adv: tvlv - basic infrastructure")
      Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Acked-by: NAntonio Quartulli <a@unstable.cc>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      86d5ae21
    • E
      batman-adv: fix uninit-value in batadv_netlink_get_ifindex() · 4b5fee45
      Eric Dumazet 提交于
      commit 3ee1bb7aae97324ec9078da1f00cb2176919563f upstream.
      
      batadv_netlink_get_ifindex() needs to make sure user passed
      a correct u32 attribute.
      
      syzbot reported :
      BUG: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
      CPU: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x191/0x1f0 lib/dump_stack.c:113
       kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
       __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
       batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
       genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482
       netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253
       __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361
       genl_family_rcv_msg net/netlink/genetlink.c:550 [inline]
       genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627
       netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:638
       netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
       netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337
       netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926
       sock_sendmsg_nosec net/socket.c:651 [inline]
       sock_sendmsg net/socket.c:661 [inline]
       ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260
       __sys_sendmsg net/socket.c:2298 [inline]
       __do_sys_sendmsg net/socket.c:2307 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2305
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x440209
      
      Fixes: b60620cf ("batman-adv: netlink: hardif query")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b5fee45
    • G
      powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction · 47a0f70d
      Gustavo Romero 提交于
      commit 8205d5d98ef7f155de211f5e2eb6ca03d95a5a60 upstream.
      
      When we take an FP unavailable exception in a transaction we have to
      account for the hardware FP TM checkpointed registers being
      incorrect. In this case for this process we know the current and
      checkpointed FP registers must be the same (since FP wasn't used
      inside the transaction) hence in the thread_struct we copy the current
      FP registers to the checkpointed ones.
      
      This copy is done in tm_reclaim_thread(). We use thread->ckpt_regs.msr
      to determine if FP was on when in userspace. thread->ckpt_regs.msr
      represents the state of the MSR when exiting userspace. This is setup
      by check_if_tm_restore_required().
      
      Unfortunatley there is an optimisation in giveup_all() which returns
      early if tsk->thread.regs->msr (via local variable `usermsr`) has
      FP=VEC=VSX=SPE=0. This optimisation means that
      check_if_tm_restore_required() is not called and hence
      thread->ckpt_regs.msr is not updated and will contain an old value.
      
      This can happen if due to load_fp=255 we start a userspace process
      with MSR FP=1 and then we are context switched out. In this case
      thread->ckpt_regs.msr will contain FP=1. If that same process is then
      context switched in and load_fp overflows, MSR will have FP=0. If that
      process now enters a transaction and does an FP instruction, the FP
      unavailable will not update thread->ckpt_regs.msr (the bug) and MSR
      FP=1 will be retained in thread->ckpt_regs.msr.  tm_reclaim_thread()
      will then not perform the required memcpy and the checkpointed FP regs
      in the thread struct will contain the wrong values.
      
      The code path for this happening is:
      
             Userspace:                      Kernel
                         Start userspace
                          with MSR FP/VEC/VSX/SPE=0 TM=1
                            < -----
             ...
             tbegin
             bne
             fp instruction
                         FP unavailable
                             ---- >
                                              fp_unavailable_tm()
      					  tm_reclaim_current()
      					    tm_reclaim_thread()
      					      giveup_all()
      					        return early since FP/VMX/VSX=0
      						/* ckpt MSR not updated (Incorrect) */
      					      tm_reclaim()
      					        /* thread_struct ckpt FP regs contain junk (OK) */
                                                    /* Sees ckpt MSR FP=1 (Incorrect) */
      					      no memcpy() performed
      					        /* thread_struct ckpt FP regs not fixed (Incorrect) */
      					  tm_recheckpoint()
      					     /* Put junk in hardware checkpoint FP regs */
                                               ....
                            < -----
                         Return to userspace
                           with MSR TM=1 FP=1
                           with junk in the FP TM checkpoint
             TM rollback
             reads FP junk
      
      This is a data integrity problem for the current process as the FP
      registers are corrupted. It's also a security problem as the FP
      registers from one process may be leaked to another.
      
      This patch moves up check_if_tm_restore_required() in giveup_all() to
      ensure thread->ckpt_regs.msr is updated correctly.
      
      A simple testcase to replicate this will be posted to
      tools/testing/selftests/powerpc/tm/tm-poison.c
      
      Similarly for VMX.
      
      This fixes CVE-2019-15030.
      
      Fixes: f48e91e8 ("powerpc/tm: Fix FP and VMX register corruption")
      Cc: stable@vger.kernel.org # 4.12+
      Signed-off-by: NGustavo Romero <gromero@linux.vnet.ibm.com>
      Signed-off-by: NMichael Neuling <mikey@neuling.org>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20190904045529.23002-1-gromero@linux.vnet.ibm.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47a0f70d
    • T
      vhost/test: fix build for vhost test - again · 6e7040d6
      Tiwei Bie 提交于
      commit 264b563b8675771834419057cbe076c1a41fb666 upstream.
      
      Since vhost_exceeds_weight() was introduced, callers need to specify
      the packet weight and byte weight in vhost_dev_init(). Note that, the
      packet weight isn't counted in this patch to keep the original behavior
      unchanged.
      
      Fixes: e82b9b0727ff ("vhost: introduce vhost_exceeds_weight()")
      Cc: stable@vger.kernel.org
      Signed-off-by: NTiwei Bie <tiwei.bie@intel.com>
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Acked-by: NJason Wang <jasowang@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e7040d6
    • T
      vhost/test: fix build for vhost test · 4f45483f
      Tiwei Bie 提交于
      commit 93d2c4de8d8129b97ee1e1a222aedb0719d2fcd9 upstream.
      
      Since below commit, callers need to specify the iov_limit in
      vhost_dev_init() explicitly.
      
      Fixes: b46a0bf78ad7 ("vhost: fix OOB in get_rx_bufs()")
      Cc: stable@vger.kernel.org
      Signed-off-by: NTiwei Bie <tiwei.bie@intel.com>
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Acked-by: NJason Wang <jasowang@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f45483f
    • D
      drm/vmwgfx: Fix double free in vmw_recv_msg() · dcd22e14
      Dan Carpenter 提交于
      commit 08b0c891605acf727e43e3e03a25857d3e789b61 upstream.
      
      We recently added a kfree() after the end of the loop:
      
      	if (retries == RETRIES) {
      		kfree(reply);
      		return -EINVAL;
      	}
      
      There are two problems.  First the test is wrong and because retries
      equals RETRIES if we succeed on the last iteration through the loop.
      Second if we fail on the last iteration through the loop then the kfree
      is a double free.
      
      When you're reading this code, please note the break statement at the
      end of the while loop.  This patch changes the loop so that if it's not
      successful then "reply" is NULL and we can test for that afterward.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 6b7c3b86f0b6 ("drm/vmwgfx: fix memory leak when too many retries have occurred")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: NThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: NThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dcd22e14
    • L
      sched/fair: Don't assign runtime for throttled cfs_rq · 38d38d1e
      Liangyan 提交于
      commit 5e2d2cc2588bd3307ce3937acbc2ed03c830a861 upstream.
      
      do_sched_cfs_period_timer() will refill cfs_b runtime and call
      distribute_cfs_runtime to unthrottle cfs_rq, sometimes cfs_b->runtime
      will allocate all quota to one cfs_rq incorrectly, then other cfs_rqs
      attached to this cfs_b can't get runtime and will be throttled.
      
      We find that one throttled cfs_rq has non-negative
      cfs_rq->runtime_remaining and cause an unexpetced cast from s64 to u64
      in snippet:
      
        distribute_cfs_runtime() {
          runtime = -cfs_rq->runtime_remaining + 1;
        }
      
      The runtime here will change to a large number and consume all
      cfs_b->runtime in this cfs_b period.
      
      According to Ben Segall, the throttled cfs_rq can have
      account_cfs_rq_runtime called on it because it is throttled before
      idle_balance, and the idle_balance calls update_rq_clock to add time
      that is accounted to the task.
      
      This commit prevents cfs_rq to be assgined new runtime if it has been
      throttled until that distribute_cfs_runtime is called.
      Signed-off-by: NLiangyan <liangyan.peng@linux.alibaba.com>
      Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: NValentin Schneider <valentin.schneider@arm.com>
      Reviewed-by: NBen Segall <bsegall@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: shanpeic@linux.alibaba.com
      Cc: stable@vger.kernel.org
      Cc: xlpang@linux.alibaba.com
      Fixes: d3d9dc33 ("sched: Throttle entities exceeding their allowed bandwidth")
      Link: https://lkml.kernel.org/r/20190826121633.6538-1-liangyan.peng@linux.alibaba.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38d38d1e
    • H
      ALSA: hda/realtek - Fix the problem of two front mics on a ThinkCentre · 044ab471
      Hui Wang 提交于
      commit 2a36c16efab254dd6017efeb35ad88ecc96f2328 upstream.
      
      This ThinkCentre machine has a new realtek codec alc222, it is not
      in the support list, we add it in the realtek.c then this machine
      can apply FIXUPs for the realtek codec.
      
      And this machine has two front mics which can't be handled
      by PA so far, it uses the pin 0x18 and 0x19 as the front mics, as
      a result the existing FIXUP ALC294_FIXUP_LENOVO_MIC_LOCATION doesn't
      work on this machine. Fortunately another FIXUP
      ALC283_FIXUP_HEADSET_MIC also can change the location for one of the
      two mics on this machine.
      
      Link: https://lore.kernel.org/r/20190904055327.9883-1-hui.wang@canonical.comSigned-off-by: NHui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      044ab471
    • J
      ALSA: hda/realtek - Enable internal speaker & headset mic of ASUS UX431FL · 849f85bf
      Jian-Hong Pan 提交于
      commit 60083f9e94b2f28047d71ed778adf89357c1a8fb upstream.
      
      Original pin node values of ASUS UX431FL with ALC294:
      
      0x12 0xb7a60140
      0x13 0x40000000
      0x14 0x90170110
      0x15 0x411111f0
      0x16 0x411111f0
      0x17 0x90170111
      0x18 0x411111f0
      0x19 0x411111f0
      0x1a 0x411111f0
      0x1b 0x411111f0
      0x1d 0x4066852d
      0x1e 0x411111f0
      0x1f 0x411111f0
      0x21 0x04211020
      
      1. Has duplicated internal speakers (0x14 & 0x17) which makes the output
         route become confused. So, the output volume cannot be changed by
         setting.
      2. Misses the headset mic pin node.
      
      This patch disables the confusing speaker (NID 0x14) and enables the
      headset mic (NID 0x19).
      
      Link: https://lore.kernel.org/r/20190902100054.6941-1-jian-hong@endlessm.comSigned-off-by: NJian-Hong Pan <jian-hong@endlessm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      849f85bf
    • S
      ALSA: hda/realtek - Add quirk for HP Pavilion 15 · a956998a
      Sam Bazley 提交于
      commit d33cd42d86671bed870827aa399aeb9f1da74119 upstream.
      
      HP Pavilion 15 (AMD Ryzen-based model) with 103c:84e7 needs the same
      quirk like HP Envy/Spectre x360 for enabling the mute LED over Mic3 pin.
      
      [ rearranged in the SSID number order by tiwai ]
      Signed-off-by: NSam Bazley <sambazley@fastmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a956998a
    • T
      ALSA: hda/realtek - Fix overridden device-specific initialization · d11ca2d7
      Takashi Iwai 提交于
      commit 89781d0806c2c4f29072d3f00cb2dd4274aabc3d upstream.
      
      The recent change to shuffle the codec initialization procedure for
      Realtek via commit 607ca3bd220f ("ALSA: hda/realtek - EAPD turn on
      later") caused the silent output on some machines.  This change was
      supposed to be safe, but it isn't actually; some devices have quirk
      setups to override the EAPD via COEF or BTL in the additional verb
      table, which is applied at the beginning of snd_hda_gen_init().  And
      this EAPD setup is again overridden in alc_auto_init_amp().
      
      For recovering from the regression, tell snd_hda_gen_init() not to
      apply the verbs there by a new flag, then apply the verbs in
      alc_init().
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204727
      Fixes: 607ca3bd220f ("ALSA: hda/realtek - EAPD turn on later")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d11ca2d7
    • T
      ALSA: hda - Fix potential endless loop at applying quirks · 2c4d2ce8
      Takashi Iwai 提交于
      commit 333f31436d3db19f4286f8862a00ea1d8d8420a1 upstream.
      
      Since the chained quirks via chained_before flag is applied before the
      depth check, it may lead to the endless recursive calls, when the
      chain were set up incorrectly.  Fix it by moving the depth check at
      the beginning of the loop.
      
      Fixes: 1f578250 ("ALSA: hda - Add chained_before flag to the fixup entry")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c4d2ce8
  2. 10 9月, 2019 28 次提交