1. 14 1月, 2017 13 次提交
  2. 13 1月, 2017 12 次提交
  3. 12 1月, 2017 15 次提交
    • P
      KVM: x86: fix emulation of "MOV SS, null selector" · 33ab9110
      Paolo Bonzini 提交于
      This is CVE-2017-2583.  On Intel this causes a failed vmentry because
      SS's type is neither 3 nor 7 (even though the manual says this check is
      only done for usable SS, and the dmesg splat says that SS is unusable!).
      On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.
      
      The fix fabricates a data segment descriptor when SS is set to a null
      selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
      Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
      this in turn ensures CPL < 3 because RPL must be equal to CPL.
      
      Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
      the bug and deciphering the manuals.
      Reported-by: NXiaohan Zhang <zhangxiaohan1@huawei.com>
      Fixes: 79d5b4c3
      Cc: stable@nongnu.org
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      33ab9110
    • J
      capability: export has_capability · 19c816e8
      Jike Song 提交于
      has_capability() is sometimes needed by modules to test capability
      for specified task other than current, so export it.
      
      Cc: Kirti Wankhede <kwankhede@nvidia.com>
      Signed-off-by: NJike Song <jike.song@intel.com>
      Acked-by: NSerge Hallyn <serge@hallyn.com>
      Acked-by: NJames Morris <james.l.morris@oracle.com>
      Signed-off-by: NAlex Williamson <alex.williamson@redhat.com>
      19c816e8
    • W
      KVM: x86: fix NULL deref in vcpu_scan_ioapic · 546d87e5
      Wanpeng Li 提交于
      Reported by syzkaller:
      
          BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0
          IP: _raw_spin_lock+0xc/0x30
          PGD 3e28eb067
          PUD 3f0ac6067
          PMD 0
          Oops: 0002 [#1] SMP
          CPU: 0 PID: 2431 Comm: test Tainted: G           OE   4.10.0-rc1+ #3
          Call Trace:
           ? kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
           kvm_arch_vcpu_ioctl_run+0x10a8/0x15f0 [kvm]
           ? pick_next_task_fair+0xe1/0x4e0
           ? kvm_arch_vcpu_load+0xea/0x260 [kvm]
           kvm_vcpu_ioctl+0x33a/0x600 [kvm]
           ? hrtimer_try_to_cancel+0x29/0x130
           ? do_nanosleep+0x97/0xf0
           do_vfs_ioctl+0xa1/0x5d0
           ? __hrtimer_init+0x90/0x90
           ? do_nanosleep+0x5b/0xf0
           SyS_ioctl+0x79/0x90
           do_syscall_64+0x6e/0x180
           entry_SYSCALL64_slow_path+0x25/0x25
          RIP: _raw_spin_lock+0xc/0x30 RSP: ffffa43688973cc0
      
      The syzkaller folks reported a NULL pointer dereference due to
      ENABLE_CAP succeeding even without an irqchip.  The Hyper-V
      synthetic interrupt controller is activated, resulting in a
      wrong request to rescan the ioapic and a NULL pointer dereference.
      
          #include <sys/ioctl.h>
          #include <sys/mman.h>
          #include <sys/types.h>
          #include <linux/kvm.h>
          #include <pthread.h>
          #include <stddef.h>
          #include <stdint.h>
          #include <stdlib.h>
          #include <string.h>
          #include <unistd.h>
      
          #ifndef KVM_CAP_HYPERV_SYNIC
          #define KVM_CAP_HYPERV_SYNIC 123
          #endif
      
          void* thr(void* arg)
          {
      	struct kvm_enable_cap cap;
      	cap.flags = 0;
      	cap.cap = KVM_CAP_HYPERV_SYNIC;
      	ioctl((long)arg, KVM_ENABLE_CAP, &cap);
      	return 0;
          }
      
          int main()
          {
      	void *host_mem = mmap(0, 0x1000, PROT_READ|PROT_WRITE,
      			MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
      	int kvmfd = open("/dev/kvm", 0);
      	int vmfd = ioctl(kvmfd, KVM_CREATE_VM, 0);
      	struct kvm_userspace_memory_region memreg;
      	memreg.slot = 0;
      	memreg.flags = 0;
      	memreg.guest_phys_addr = 0;
      	memreg.memory_size = 0x1000;
      	memreg.userspace_addr = (unsigned long)host_mem;
      	host_mem[0] = 0xf4;
      	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
      	int cpufd = ioctl(vmfd, KVM_CREATE_VCPU, 0);
      	struct kvm_sregs sregs;
      	ioctl(cpufd, KVM_GET_SREGS, &sregs);
      	sregs.cr0 = 0;
      	sregs.cr4 = 0;
      	sregs.efer = 0;
      	sregs.cs.selector = 0;
      	sregs.cs.base = 0;
      	ioctl(cpufd, KVM_SET_SREGS, &sregs);
      	struct kvm_regs regs = { .rflags = 2 };
      	ioctl(cpufd, KVM_SET_REGS, &regs);
      	ioctl(vmfd, KVM_CREATE_IRQCHIP, 0);
      	pthread_t th;
      	pthread_create(&th, 0, thr, (void*)(long)cpufd);
      	usleep(rand() % 10000);
      	ioctl(cpufd, KVM_RUN, 0);
      	pthread_join(th, 0);
      	return 0;
          }
      
      This patch fixes it by failing ENABLE_CAP if without an irqchip.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Fixes: 5c919412 (kvm/x86: Hyper-V synthetic interrupt controller)
      Cc: stable@vger.kernel.org # 4.5+
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      546d87e5
    • W
      KVM: eventfd: fix NULL deref irqbypass consumer · 4f3dbdf4
      Wanpeng Li 提交于
      Reported syzkaller:
      
          BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
          IP: irq_bypass_unregister_consumer+0x9d/0xb70 [irqbypass]
          PGD 0
      
          Oops: 0002 [#1] SMP
          CPU: 1 PID: 125 Comm: kworker/1:1 Not tainted 4.9.0+ #1
          Workqueue: kvm-irqfd-cleanup irqfd_shutdown [kvm]
          task: ffff9bbe0dfbb900 task.stack: ffffb61802014000
          RIP: 0010:irq_bypass_unregister_consumer+0x9d/0xb70 [irqbypass]
          Call Trace:
           irqfd_shutdown+0x66/0xa0 [kvm]
           process_one_work+0x16b/0x480
           worker_thread+0x4b/0x500
           kthread+0x101/0x140
           ? process_one_work+0x480/0x480
           ? kthread_create_on_node+0x60/0x60
           ret_from_fork+0x25/0x30
          RIP: irq_bypass_unregister_consumer+0x9d/0xb70 [irqbypass] RSP: ffffb61802017e20
          CR2: 0000000000000008
      
      The syzkaller folks reported a NULL pointer dereference that due to
      unregister an consumer which fails registration before. The syzkaller
      creates two VMs w/ an equal eventfd occasionally. So the second VM
      fails to register an irqbypass consumer. It will make irqfd as inactive
      and queue an workqueue work to shutdown irqfd and unregister the irqbypass
      consumer when eventfd is closed. However, the second consumer has been
      initialized though it fails registration. So the token(same as the first
      VM's) is taken to unregister the consumer through the workqueue, the
      consumer of the first VM is found and unregistered, then NULL deref incurred
      in the path of deleting consumer from the consumers list.
      
      This patch fixes it by making irq_bypass_register/unregister_consumer()
      looks for the consumer entry based on consumer pointer itself instead of
      token matching.
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Suggested-by: NAlex Williamson <alex.williamson@redhat.com>
      Cc: stable@vger.kernel.org
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Alex Williamson <alex.williamson@redhat.com>
      Signed-off-by: NWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      4f3dbdf4
    • S
      KVM: x86: Introduce segmented_write_std · 129a72a0
      Steve Rutherford 提交于
      Introduces segemented_write_std.
      
      Switches from emulated reads/writes to standard read/writes in fxsave,
      fxrstor, sgdt, and sidt.  This fixes CVE-2017-2584, a longstanding
      kernel memory leak.
      
      Since commit 283c95d0 ("KVM: x86: emulate FXSAVE and FXRSTOR",
      2016-11-09), which is luckily not yet in any final release, this would
      also be an exploitable kernel memory *write*!
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Cc: stable@vger.kernel.org
      Fixes: 96051572
      Fixes: 283c95d0Suggested-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NSteve Rutherford <srutherford@google.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      129a72a0
    • D
      KVM: x86: flush pending lapic jump label updates on module unload · cef84c30
      David Matlack 提交于
      KVM's lapic emulation uses static_key_deferred (apic_{hw,sw}_disabled).
      These are implemented with delayed_work structs which can still be
      pending when the KVM module is unloaded. We've seen this cause kernel
      panics when the kvm_intel module is quickly reloaded.
      
      Use the new static_key_deferred_flush() API to flush pending updates on
      module unload.
      Signed-off-by: NDavid Matlack <dmatlack@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      cef84c30
    • D
      jump_labels: API for flushing deferred jump label updates · b6416e61
      David Matlack 提交于
      Modules that use static_key_deferred need a way to synchronize with
      any delayed work that is still pending when the module is unloaded.
      Introduce static_key_deferred_flush() which flushes any pending
      jump label updates.
      Signed-off-by: NDavid Matlack <dmatlack@google.com>
      Cc: stable@vger.kernel.org
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      b6416e61
    • B
      HID: i2c-hid: Add sleep between POWER ON and RESET · a89af4ab
      Brendan McGrath 提交于
      Support for the Asus Touchpad was recently added. It turns out this
      device can fail initialisation (and become unusable) when the RESET
      command is sent too soon after the POWER ON command.
      
      Unfortunately the i2c-hid specification does not specify the need for
      a delay between these two commands. But it was discovered the Windows
      driver has a 1ms delay.
      
      As a result, this patch modifies the i2c-hid module to add a sleep
      inbetween the POWER ON and RESET commands which lasts between 1ms and 5ms.
      
      See https://github.com/vlasenko/hid-asus-dkms/issues/24 for further
      details.
      Signed-off-by: NBrendan McGrath <redmcg@redmandi.dyndns.org>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      a89af4ab
    • L
      Merge branch 'akpm' (patches from Andrew) · ba836a6f
      Linus Torvalds 提交于
      Merge fixes from Andrew Morton:
       "27 fixes.
      
        There are three patches that aren't actually fixes. They're simple
        function renamings which are nice-to-have in mainline as ongoing net
        development depends on them."
      
      * akpm: (27 commits)
        timerfd: export defines to userspace
        mm/hugetlb.c: fix reservation race when freeing surplus pages
        mm/slab.c: fix SLAB freelist randomization duplicate entries
        zram: support BDI_CAP_STABLE_WRITES
        zram: revalidate disk under init_lock
        mm: support anonymous stable page
        mm: add documentation for page fragment APIs
        mm: rename __page_frag functions to __page_frag_cache, drop order from drain
        mm: rename __alloc_page_frag to page_frag_alloc and __free_page_frag to page_frag_free
        mm, memcg: fix the active list aging for lowmem requests when memcg is enabled
        mm: don't dereference struct page fields of invalid pages
        mailmap: add codeaurora.org names for nameless email commits
        signal: protect SIGNAL_UNKILLABLE from unintentional clearing.
        mm: pmd dirty emulation in page fault handler
        ipc/sem.c: fix incorrect sem_lock pairing
        lib/Kconfig.debug: fix frv build failure
        mm: get rid of __GFP_OTHER_NODE
        mm: fix remote numa hits statistics
        mm: fix devm_memremap_pages crash, use mem_hotplug_{begin, done}
        ocfs2: fix crash caused by stale lvb with fsdlm plugin
        ...
      ba836a6f
    • D
      vfio-mdev: remove some dead code · 73da4268
      Dan Carpenter 提交于
      We set info.count to 1 in mtty_get_irq_info() so static checkers
      complain that, "Why do we have impossible conditions?"  The answer is
      that it seems to be left over dead code that can be safely removed.
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: NKirti Wankhede <kwankhede@nvidia.com>
      Signed-off-by: NAlex Williamson <alex.williamson@redhat.com>
      73da4268
    • D
      vfio-mdev: buffer overflow in ioctl() · 5c677869
      Dan Carpenter 提交于
      This is a sample driver for documentation so the impact is probably
      pretty low.  But we should check that bar_index is valid so we
      don't write beyond the end of the mdev_state->region_info[] array.
      
      Fixes: 9d1a546c ("docs: Sample driver to demonstrate how to use Mediated device framework.")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: NKirti Wankhede <kwankhede@nvidia.com>
      Signed-off-by: NAlex Williamson <alex.williamson@redhat.com>
      5c677869
    • D
      vfio-mdev: return -EFAULT if copy_to_user() fails · 6ed0993a
      Dan Carpenter 提交于
      The copy_to_user() function returns the number of bytes which it wasn't
      able to copy but we want to return a negative error code.
      
      Fixes: 9d1a546c ("docs: Sample driver to demonstrate how to use Mediated device framework.")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: NKirti Wankhede <kwankhede@nvidia.com>
      Signed-off-by: NAlex Williamson <alex.williamson@redhat.com>
      6ed0993a
    • T
      Merge tag 'asoc-fix-v4.10-rc3' of... · 6cf4569c
      Takashi Iwai 提交于
      Merge tag 'asoc-fix-v4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v4.10
      
      As well as the usual smattering of driver specific fixes collected since
      the merge window this has one particularly important fix to the core for
      handling of aux_devs which was broken during the merge window by some of
      the componentization refactoring.
      6cf4569c
    • J
      xfs: Timely free truncated dirty pages · 0a417b8d
      Jan Kara 提交于
      Commit 99579cce "xfs: skip dirty pages in ->releasepage()" started
      to skip dirty pages in xfs_vm_releasepage() which also has the effect
      that if a dirty page is truncated, it does not get freed by
      block_invalidatepage() and is lingering in LRU list waiting for reclaim.
      So a simple loop like:
      
      while true; do
      	dd if=/dev/zero of=file bs=1M count=100
      	rm file
      done
      
      will keep using more and more memory until we hit low watermarks and
      start pagecache reclaim which will eventually reclaim also the truncate
      pages. Keeping these truncated (and thus never usable) pages in memory
      is just a waste of memory, is unnecessarily stressing page cache
      reclaim, and reportedly also leads to anonymous mmap(2) returning ENOMEM
      prematurely.
      
      So instead of just skipping dirty pages in xfs_vm_releasepage(), return
      to old behavior of skipping them only if they have delalloc or unwritten
      buffers and fix the spurious warnings by warning only if the page is
      clean.
      
      CC: stable@vger.kernel.org
      CC: Brian Foster <bfoster@redhat.com>
      CC: Vlastimil Babka <vbabka@suse.cz>
      Reported-by: NPetr Tůma <petr.tuma@d3s.mff.cuni.cz>
      Fixes: 99579cceSigned-off-by: NJan Kara <jack@suse.cz>
      Reviewed-by: NBrian Foster <bfoster@redhat.com>
      Signed-off-by: NDarrick J. Wong <darrick.wong@oracle.com>
      0a417b8d
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · cff3b2c4
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix rtlwifi crash, from Larry Finger.
      
       2) Memory disclosure in appletalk ipddp routing code, from Vlad
          Tsyrklevich.
      
       3) r8152 can erroneously split an RX packet into multiple URBs if the
          Rx FIFO is not empty when we suspend. Fix this by waiting for the
          FIFO to empty before suspending. From Hayes Wang.
      
       4) Two GRO fixes (enter slow path when not enough SKB tail room exists,
          disable frag0 optimizations when there are IPV6 extension headers)
          from Eric Dumazet and Herbert Xu.
      
       5) A series of mlx5e bug fixes (do source udp port offloading for
          tunnels properly, Ip fragment matching fixes, handling firmware
          errors properly when installing TC rules, etc.) from Saeed Mahameed,
          Or Gerlitz, Roi Dayan, Hadar Hen Zion, Gil Rockah, and Daniel
          Jurgens.
      
       6) Two VRF fixes from David Ahern (don't skip multipath selection for
          VRF paths, disallow VRF to be configured with table ID 0).
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (35 commits)
        net: vrf: do not allow table id 0
        net: phy: marvell: fix Marvell 88E1512 used in SGMII mode
        sctp: Fix spelling mistake: "Atempt" -> "Attempt"
        net: ipv4: Fix multipath selection with vrf
        cgroup: move CONFIG_SOCK_CGROUP_DATA to init/Kconfig
        gro: use min_t() in skb_gro_reset_offset()
        net/mlx5: Only cancel recovery work when cleaning up device
        net/mlx5e: Remove WARN_ONCE from adaptive moderation code
        net/mlx5e: Un-register uplink representor on nic_disable
        net/mlx5e: Properly handle FW errors while adding TC rules
        net/mlx5e: Fix kbuild warnings for uninitialized parameters
        net/mlx5e: Set inline mode requirements for matching on IP fragments
        net/mlx5e: Properly get address type of encapsulation IP headers
        net/mlx5e: TC ipv4 tunnel encap offload error flow fixes
        net/mlx5e: Warn when rejecting offload attempts of IP tunnels
        net/mlx5e: Properly handle offloading of source udp port for IP tunnels
        gro: Disable frag0 optimization on IPv6 ext headers
        gro: Enter slow-path if there is no tailroom
        mlx4: Return EOPNOTSUPP instead of ENOTSUPP
        net/af_iucv: don't use paged skbs for TX on HiperSockets
        ...
      cff3b2c4