1. 14 10月, 2017 1 次提交
  2. 13 10月, 2017 9 次提交
  3. 12 10月, 2017 18 次提交
  4. 11 10月, 2017 12 次提交
    • T
      ALSA: caiaq: Fix stray URB at probe error path · 99fee508
      Takashi Iwai 提交于
      caiaq driver doesn't kill the URB properly at its error path during
      the probe, which may lead to a use-after-free error later.  This patch
      addresses it.
      Reported-by: NJohan Hovold <johan@kernel.org>
      Reviewed-by: NJohan Hovold <johan@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      99fee508
    • A
      HID: hid-elecom: extend to fix descriptor for HUGE trackball · a0933a45
      Alex Manoussakis 提交于
      In addition to DEFT, Elecom introduced a larger trackball called HUGE, in
      both wired (M-HT1URBK) and wireless (M-HT1DRBK) versions. It has the same
      buttons and behavior as the DEFT. This patch adds the two relevant USB IDs
      to enable operation of the three Fn buttons on the top of the device.
      
      Cc: Diego Elio Petteno <flameeyes@flameeyes.eu>
      Signed-off-by: NAlex Manoussakis <amanou@gnu.org>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      a0933a45
    • J
      HID: usbhid: fix out-of-bounds bug · f043bfc9
      Jaejoong Kim 提交于
      The hid descriptor identifies the length and type of subordinate
      descriptors for a device. If the received hid descriptor is smaller than
      the size of the struct hid_descriptor, it is possible to cause
      out-of-bounds.
      
      In addition, if bNumDescriptors of the hid descriptor have an incorrect
      value, this can also cause out-of-bounds while approaching hdesc->desc[n].
      
      So check the size of hid descriptor and bNumDescriptors.
      
      	BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
      	Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
      
      	CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
      	4.14.0-rc1-42251-gebb2c243 #169
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      	Workqueue: usb_hub_wq hub_event
      	Call Trace:
      	__dump_stack lib/dump_stack.c:16
      	dump_stack+0x292/0x395 lib/dump_stack.c:52
      	print_address_description+0x78/0x280 mm/kasan/report.c:252
      	kasan_report_error mm/kasan/report.c:351
      	kasan_report+0x22f/0x340 mm/kasan/report.c:409
      	__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
      	usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
      	hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
      	usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
      	usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
      	generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
      	usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
      	hub_port_connect drivers/usb/core/hub.c:4903
      	hub_port_connect_change drivers/usb/core/hub.c:5009
      	port_event drivers/usb/core/hub.c:5115
      	hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
      	process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
      	worker_thread+0x221/0x1850 kernel/workqueue.c:2253
      	kthread+0x3a1/0x470 kernel/kthread.c:231
      	ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
      
      Cc: stable@vger.kernel.org
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NJaejoong Kim <climbbb.kim@gmail.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      f043bfc9
    • J
      livepatch: unpatch all klp_objects if klp_module_coming fails · ef8daf8e
      Joe Lawrence 提交于
      When an incoming module is considered for livepatching by
      klp_module_coming(), it iterates over multiple patches and multiple
      kernel objects in this order:
      
      	list_for_each_entry(patch, &klp_patches, list) {
      		klp_for_each_object(patch, obj) {
      
      which means that if one of the kernel objects fails to patch,
      klp_module_coming()'s error path needs to unpatch and cleanup any kernel
      objects that were already patched by a previous patch.
      Reported-by: NMiroslav Benes <mbenes@suse.cz>
      Suggested-by: NPetr Mladek <pmladek@suse.com>
      Signed-off-by: NJoe Lawrence <joe.lawrence@redhat.com>
      Acked-by: NJosh Poimboeuf <jpoimboe@redhat.com>
      Reviewed-by: NPetr Mladek <pmladek@suse.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      ef8daf8e
    • T
      ALSA: seq: Fix use-after-free at creating a port · 71105998
      Takashi Iwai 提交于
      There is a potential race window opened at creating and deleting a
      port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
      a port object and returns its pointer, but it doesn't take the
      refcount, thus it can be deleted immediately by another thread.
      Meanwhile, snd_seq_ioctl_create_port() still calls the function
      snd_seq_system_client_ev_port_start() with the created port object
      that is being deleted, and this triggers use-after-free like:
      
       BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
       =============================================================================
       BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
       -----------------------------------------------------------------------------
       INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
       	___slab_alloc+0x425/0x460
       	__slab_alloc+0x20/0x40
        	kmem_cache_alloc_trace+0x150/0x190
      	snd_seq_create_port+0x94/0x9b0 [snd_seq]
      	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
       	__slab_free+0x204/0x310
       	kfree+0x15f/0x180
       	port_delete+0x136/0x1a0 [snd_seq]
       	snd_seq_delete_port+0x235/0x350 [snd_seq]
       	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       Call Trace:
        [<ffffffff81b03781>] dump_stack+0x63/0x82
        [<ffffffff81531b3b>] print_trailer+0xfb/0x160
        [<ffffffff81536db4>] object_err+0x34/0x40
        [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
        [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
        [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
        [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
        [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
        [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
        [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
        [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
        .....
      
      We may fix this in a few different ways, and in this patch, it's fixed
      simply by taking the refcount properly at snd_seq_create_port() and
      letting the caller unref the object after use.  Also, there is another
      potential use-after-free by sprintf() call in snd_seq_create_port(),
      and this is moved inside the lock.
      
      This fix covers CVE-2017-15265.
      Reported-and-tested-by: NMichael23 Yu <ycqzsy@gmail.com>
      Suggested-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      71105998
    • A
      bio_copy_user_iov(): don't ignore ->iov_offset · 1cfd0ddd
      Al Viro 提交于
      Since "block: support large requests in blk_rq_map_user_iov" we
      started to call it with partially drained iter; that works fine
      on the write side, but reads create a copy of iter for completion
      time.  And that needs to take the possibility of ->iov_iter != 0
      into account...
      
      Cc: stable@vger.kernel.org #v4.5+
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      1cfd0ddd
    • A
      more bio_map_user_iov() leak fixes · 2b04e8f6
      Al Viro 提交于
      we need to take care of failure exit as well - pages already
      in bio should be dropped by analogue of bio_unmap_pages(),
      since their refcounts had been bumped only once per reference
      in bio.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      2b04e8f6
    • V
      fix unbalanced page refcounting in bio_map_user_iov · 95d78c28
      Vitaly Mayatskikh 提交于
      bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
      IO vector has small consecutive buffers belonging to the same page.
      bio_add_pc_page merges them into one, but the page reference is never
      dropped.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NVitaly Mayatskikh <v.mayatskih@gmail.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      95d78c28
    • A
      direct-io: Prevent NULL pointer access in submit_page_section · 899f0429
      Andreas Gruenbacher 提交于
      In the code added to function submit_page_section by commit b1058b98,
      sdio->bio can currently be NULL when calling dio_bio_submit.  This then
      leads to a NULL pointer access in dio_bio_submit, so check for a NULL
      bio in submit_page_section before trying to submit it instead.
      
      Fixes xfstest generic/250 on gfs2.
      
      Cc: stable@vger.kernel.org # v3.10+
      Signed-off-by: NAndreas Gruenbacher <agruenba@redhat.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      899f0429
    • L
      Merge tag 'seccomp-v4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · a957fd42
      Linus Torvalds 提交于
      Pull seccomp fixlet from Kees Cook:
       "Minor seccomp fix for v4.14-rc5. I debated sending this at all for
        v4.14, but since it fixes a minor issue in the prior fix, which also
        went to -stable, it seemed better to just get all of it cleaned up
        right now.
      
         - fix missed "static" to avoid Sparse warning (Colin King)"
      
      * tag 'seccomp-v4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        seccomp: make function __get_seccomp_filter static
      a957fd42
    • L
      Merge tag 'nfsd-4.14-1' of git://linux-nfs.org/~bfields/linux · f953d248
      Linus Torvalds 提交于
      Pull nfsd fix from Bruce Fields:
       "One fix for a 4.14 regression, and one minor fix to the MAINTAINERs
        file. (I was weirdly flattered by the idea that lots of random people
        suddenly seemed to think Jeff and I were VFS experts. Turns out it was
        just a typo)"
      
      * tag 'nfsd-4.14-1' of git://linux-nfs.org/~bfields/linux:
        nfsd4: define nfsd4_secinfo_no_name_release()
        MAINTAINERS: associate linux/fs.h with VFS instead of file locking
      f953d248
    • C
      seccomp: make function __get_seccomp_filter static · 084f5601
      Colin Ian King 提交于
      The function __get_seccomp_filter is local to the source and does
      not need to be in global scope, so make it static.
      
      Cleans up sparse warning:
      symbol '__get_seccomp_filter' was not declared. Should it be static?
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Fixes: 66a733ea ("seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()")
      Cc: stable@vger.kernel.org
      Signed-off-by: NKees Cook <keescook@chromium.org>
      084f5601