1. 30 12月, 2017 4 次提交
    • E
      af_key: fix buffer overread in parse_exthdrs() · 4e765b49
      Eric Biggers 提交于
      If a message sent to a PF_KEY socket ended with an incomplete extension
      header (fewer than 4 bytes remaining), then parse_exthdrs() read past
      the end of the message, into uninitialized memory.  Fix it by returning
      -EINVAL in this case.
      
      Reproducer:
      
      	#include <linux/pfkeyv2.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
      		char buf[17] = { 0 };
      		struct sadb_msg *msg = (void *)buf;
      
      		msg->sadb_msg_version = PF_KEY_V2;
      		msg->sadb_msg_type = SADB_DELETE;
      		msg->sadb_msg_len = 2;
      
      		write(sock, buf, 17);
      	}
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      4e765b49
    • E
      af_key: fix buffer overread in verify_address_len() · 06b335cb
      Eric Biggers 提交于
      If a message sent to a PF_KEY socket ended with one of the extensions
      that takes a 'struct sadb_address' but there were not enough bytes
      remaining in the message for the ->sa_family member of the 'struct
      sockaddr' which is supposed to follow, then verify_address_len() read
      past the end of the message, into uninitialized memory.  Fix it by
      returning -EINVAL in this case.
      
      This bug was found using syzkaller with KMSAN.
      
      Reproducer:
      
      	#include <linux/pfkeyv2.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
      		char buf[24] = { 0 };
      		struct sadb_msg *msg = (void *)buf;
      		struct sadb_address *addr = (void *)(msg + 1);
      
      		msg->sadb_msg_version = PF_KEY_V2;
      		msg->sadb_msg_type = SADB_DELETE;
      		msg->sadb_msg_len = 3;
      		addr->sadb_address_len = 1;
      		addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
      
      		write(sock, buf, 24);
      	}
      Reported-by: NAlexander Potapenko <glider@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      06b335cb
    • F
      xfrm: skip policies marked as dead while rehashing · 862591bf
      Florian Westphal 提交于
      syzkaller triggered following KASAN splat:
      
      BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
      read of size 2 at addr ffff8801c8e92fe4 by task kworker/1:1/23 [..]
      Workqueue: events xfrm_hash_rebuild [..]
       __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
       xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
       process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
       worker_thread+0x223/0x1990 kernel/workqueue.c:2246 [..]
      
      The reproducer triggers:
      1016                 if (error) {
      1017                         list_move_tail(&walk->walk.all, &x->all);
      1018                         goto out;
      1019                 }
      
      in xfrm_policy_walk() via pfkey (it sets tiny rcv space, dump
      callback returns -ENOBUFS).
      
      In this case, *walk is located the pfkey socket struct, so this socket
      becomes visible in the global policy list.
      
      It looks like this is intentional -- phony walker has walk.dead set to 1
      and all other places skip such "policies".
      
      Ccing original authors of the two commits that seem to expose this
      issue (first patch missed ->dead check, second patch adds pfkey
      sockets to policies dumper list).
      
      Fixes: 880a6fab ("xfrm: configure policy hash table thresholds by netlink")
      Fixes: 12a169e7 ("ipsec: Put dumpers on the dump list")
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Timo Teras <timo.teras@iki.fi>
      Cc: Christophe Gouault <christophe.gouault@6wind.com>
      Reported-by: Nsyzbot <bot+c028095236fcb6f4348811565b75084c754dc729@syzkaller.appspotmail.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      862591bf
    • H
      xfrm: Forbid state updates from changing encap type · 257a4b01
      Herbert Xu 提交于
      Currently we allow state updates to competely replace the contents
      of x->encap.  This is bad because on the user side ESP only sets up
      header lengths depending on encap_type once when the state is first
      created.  This could result in the header lengths getting out of
      sync with the actual state configuration.
      
      In practice key managers will never do a state update to change the
      encapsulation type.  Only the port numbers need to be changed as the
      peer NAT entry is updated.
      
      Therefore this patch adds a check in xfrm_state_update to forbid
      any changes to the encap_type.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      257a4b01
  2. 29 12月, 2017 10 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 2758b3e3
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) IPv6 gre tunnels end up with different default features enabled
          depending upon whether netlink or ioctls are used to bring them up.
          Fix from Alexey Kodanev.
      
       2) Fix read past end of user control message in RDS< from Avinash
          Repaka.
      
       3) Missing RCU barrier in mini qdisc code, from Cong Wang.
      
       4) Missing policy put when reusing per-cpu route entries, from Florian
          Westphal.
      
       5) Handle nested PCI errors properly in bnx2x driver, from Guilherme G.
          Piccoli.
      
       6) Run nested transport mode IPSEC packets via tasklet, from Herbert
          Xu.
      
       7) Fix handling poll() for stream sockets in tipc, from Parthasarathy
          Bhuvaragan.
      
       8) Fix two stack-out-of-bounds issues in IPSEC, from Steffen Klassert.
      
       9) Another zerocopy ubuf handling fix, from Willem de Bruijn.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (33 commits)
        strparser: Call sock_owned_by_user_nocheck
        sock: Add sock_owned_by_user_nocheck
        skbuff: in skb_copy_ubufs unclone before releasing zerocopy
        tipc: fix hanging poll() for stream sockets
        sctp: Replace use of sockets_allocated with specified macro.
        bnx2x: Improve reliability in case of nested PCI errors
        tg3: Enable PHY reset in MTU change path for 5720
        tg3: Add workaround to restrict 5762 MRRS to 2048
        tg3: Update copyright
        net: fec: unmap the xmit buffer that are not transferred by DMA
        tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
        tipc: error path leak fixes in tipc_enable_bearer()
        RDS: Check cmsg_len before dereferencing CMSG_DATA
        tcp: Avoid preprocessor directives in tracepoint macro args
        tipc: fix memory leak of group member when peer node is lost
        net: sched: fix possible null pointer deref in tcf_block_put
        tipc: base group replicast ack counter on number of actual receivers
        net_sched: fix a missing rcu barrier in mini_qdisc_pair_swap()
        net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround
        ip6_gre: fix device features for ioctl setup
        ...
      2758b3e3
    • L
      Merge tag 'drm-fixes-for-v4.15-rc6' of git://people.freedesktop.org/~airlied/linux · fd84b751
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "nouveau and i915 regression fixes"
      
      * tag 'drm-fixes-for-v4.15-rc6' of git://people.freedesktop.org/~airlied/linux:
        drm/nouveau: fix race when adding delayed work items
        i915: Reject CCS modifiers for pipe C on Geminilake
        drm/i915/gvt: Fix pipe A enable as default for vgpu
      fd84b751
    • L
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · c0208a33
      Linus Torvalds 提交于
      Pull clk fix from Stephen Boyd:
       "One more fix for the runtime PM clk patches. We're calling a runtime
        PM API that may schedule from somewhere that we can't do that. We
        change to the async version of pm_runtime_put() to fix it"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: use atomic runtime pm api in clk_core_is_enabled
      c0208a33
    • L
      Merge tag 'led_fixes_for_4.15-rc6' of... · 4f2382f3
      Linus Torvalds 提交于
      Merge tag 'led_fixes_for_4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED fix from Jacek Anaszewski:
       "A single LED fix for brightness setting when delay_off is 0"
      
      * tag 'led_fixes_for_4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        led: core: Fix brightness setting when setting delay_off=0
      4f2382f3
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 19286e4a
      Linus Torvalds 提交于
      Pull rdma fixes from Jason Gunthorpe:
       "This is the next batch of for-rc patches from RDMA. It includes the
        fix for the ipoib regression I mentioned last time, and the result of
        a fairly major debugging effort to get iser working reliably on cxgb4
        hardware - it turns out the cxgb4 driver was not handling QP error
        flushing properly causing iser to fail.
      
         - cxgb4 fix for an iser testing failure as debugged by Steve and
           Sagi. The problem was a driver bug in the handling of shutting down
           a QP.
      
         - Various vmw_pvrdma fixes for bogus WARN_ON, missed resource free on
           error unwind and a use after free bug
      
         - Improper congestion counter values on mlx5 when link aggregation is
           enabled
      
         - ipoib lockdep regression introduced in this merge window
      
         - hfi1 regression supporting the device in a VM introduced in a
           recent patch
      
         - Typo that breaks future uAPI compatibility in the verbs core
      
         - More SELinux related oops fixing
      
         - Fix an oops during error unwind in mlx5"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        IB/mlx5: Fix mlx5_ib_alloc_mr error flow
        IB/core: Verify that QP is security enabled in create and destroy
        IB/uverbs: Fix command checking as part of ib_uverbs_ex_modify_qp()
        IB/mlx5: Serialize access to the VMA list
        IB/hfi: Only read capability registers if the capability exists
        IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush
        IB/mlx5: Fix congestion counters in LAG mode
        RDMA/vmw_pvrdma: Avoid use after free due to QP/CQ/SRQ destroy
        RDMA/vmw_pvrdma: Use refcount_dec_and_test to avoid warning
        RDMA/vmw_pvrdma: Call ib_umem_release on destroy QP path
        iw_cxgb4: when flushing, complete all wrs in a chain
        iw_cxgb4: reflect the original WR opcode in drain cqes
        iw_cxgb4: Only validate the MSN for successful completions
      19286e4a
    • D
      Merge branch 'strparser-Fix-lockdep-issue' · d5902f6d
      David S. Miller 提交于
      Tom Herbert says:
      
      ====================
      strparser: Fix lockdep issue
      
      When sock_owned_by_user returns true in strparser. Fix is to add and
      call sock_owned_by_user_nocheck since the check for owned by user is
      not an error condition in this case.
      ====================
      
      Fixes: 43a0c675 ("strparser: Stream parser for messages")
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Reported-and-tested-by: <syzbot+c91c53af67f9ebe599a337d2e70950366153b295@syzkaller.appspotmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d5902f6d
    • T
      strparser: Call sock_owned_by_user_nocheck · d66fa9ec
      Tom Herbert 提交于
      strparser wants to check socket ownership without producing any
      warnings. As indicated by the comment in the code, it is permissible
      for owned_by_user to return true.
      
      Fixes: 43a0c675 ("strparser: Stream parser for messages")
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Reported-and-tested-by: <syzbot+c91c53af67f9ebe599a337d2e70950366153b295@syzkaller.appspotmail.com>
      Signed-off-by: NTom Herbert <tom@quantonium.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d66fa9ec
    • T
      sock: Add sock_owned_by_user_nocheck · 602f7a27
      Tom Herbert 提交于
      This allows checking socket lock ownership with producing lockdep
      warnings.
      Signed-off-by: NTom Herbert <tom@quantonium.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      602f7a27
    • W
      skbuff: in skb_copy_ubufs unclone before releasing zerocopy · f72c4ac6
      Willem de Bruijn 提交于
      skb_copy_ubufs must unclone before it is safe to modify its
      skb_shared_info with skb_zcopy_clear.
      
      Commit b90ddd56 ("skbuff: skb_copy_ubufs must release uarg even
      without user frags") ensures that all skbs release their zerocopy
      state, even those without frags.
      
      But I forgot an edge case where such an skb arrives that is cloned.
      
      The stack does not build such packets. Vhost/tun skbs have their
      frags orphaned before cloning. TCP skbs only attach zerocopy state
      when a frag is added.
      
      But if TCP packets can be trimmed or linearized, this might occur.
      Tracing the code I found no instance so far (e.g., skb_linearize
      ends up calling skb_zcopy_clear if !skb->data_len).
      
      Still, it is non-obvious that no path exists. And it is fragile to
      rely on this.
      
      Fixes: b90ddd56 ("skbuff: skb_copy_ubufs must release uarg even without user frags")
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f72c4ac6
    • P
      tipc: fix hanging poll() for stream sockets · 517d7c79
      Parthasarathy Bhuvaragan 提交于
      In commit 42b531de ("tipc: Fix missing connection request
      handling"), we replaced unconditional wakeup() with condtional
      wakeup for clients with flags POLLIN | POLLRDNORM | POLLRDBAND.
      
      This breaks the applications which do a connect followed by poll
      with POLLOUT flag. These applications are not woken when the
      connection is ESTABLISHED and hence sleep forever.
      
      In this commit, we fix it by including the POLLOUT event for
      sockets in TIPC_CONNECTING state.
      
      Fixes: 42b531de ("tipc: Fix missing connection request handling")
      Acked-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NParthasarathy Bhuvaragan <parthasarathy.bhuvaragan@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      517d7c79
  3. 28 12月, 2017 20 次提交
  4. 27 12月, 2017 6 次提交
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 65bbbf6c
      David S. Miller 提交于
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2017-12-22
      
      1) Check for valid id proto in validate_tmpl(), otherwise
         we may trigger a warning in xfrm_state_fini().
         From Cong Wang.
      
      2) Fix a typo on XFRMA_OUTPUT_MARK policy attribute.
         From Michal Kubecek.
      
      3) Verify the state is valid when encap_type < 0,
         otherwise we may crash on IPsec GRO .
         From Aviv Heller.
      
      4) Fix stack-out-of-bounds read on socket policy lookup.
         We access the flowi of the wrong address family in the
         IPv4 mapped IPv6 case, fix this by catching address
         family missmatches before we do the lookup.
      
      5) fix xfrm_do_migrate() with AEAD to copy the geniv
         field too. Otherwise the state is not fully initialized
         and migration fails. From Antony Antony.
      
      6) Fix stack-out-of-bounds with misconfigured transport
         mode policies. Our policy template validation is not
         strict enough. It is possible to configure policies
         with transport mode template where the address family
         of the template does not match the selectors address
         family. Fix this by refusing such a configuration,
         address family can not change on transport mode.
      
      7) Fix a policy reference leak when reusing pcpu xdst
         entry. From Florian Westphal.
      
      8) Reinject transport-mode packets through tasklet,
         otherwise it is possible to reate a recursion
         loop. From Herbert Xu.
      
      Please pull or let me know if there are problems.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      65bbbf6c
    • F
      net: fec: unmap the xmit buffer that are not transferred by DMA · 178e5f57
      Fugang Duan 提交于
      The enet IP only support 32 bit, it will use swiotlb buffer to do dma
      mapping when xmit buffer DMA memory address is bigger than 4G in i.MX
      platform. After stress suspend/resume test, it will print out:
      
      log:
      [12826.352864] fec 5b040000.ethernet: swiotlb buffer is full (sz: 191 bytes)
      [12826.359676] DMA: Out of SW-IOMMU space for 191 bytes at device 5b040000.ethernet
      [12826.367110] fec 5b040000.ethernet eth0: Tx DMA memory map failed
      
      The issue is that the ready xmit buffers that are dma mapped but DMA still
      don't copy them into fifo, once MAC restart, these DMA buffers are not unmapped.
      So it should check the dma mapping buffer and unmap them.
      Signed-off-by: NFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      178e5f57
    • T
      tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path · 642a8439
      Tommi Rantala 提交于
      Calling tipc_mon_delete() before the monitor has been created will oops.
      This can happen in tipc_enable_bearer() error path if tipc_disc_create()
      fails.
      
      [   48.589074] BUG: unable to handle kernel paging request at 0000000000001008
      [   48.590266] IP: tipc_mon_delete+0xea/0x270 [tipc]
      [   48.591223] PGD 1e60c5067 P4D 1e60c5067 PUD 1eb0cf067 PMD 0
      [   48.592230] Oops: 0000 [#1] SMP KASAN
      [   48.595610] CPU: 5 PID: 1199 Comm: tipc Tainted: G    B            4.15.0-rc4-pc64-dirty #5
      [   48.597176] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
      [   48.598489] RIP: 0010:tipc_mon_delete+0xea/0x270 [tipc]
      [   48.599347] RSP: 0018:ffff8801d827f668 EFLAGS: 00010282
      [   48.600705] RAX: ffff8801ee813f00 RBX: 0000000000000204 RCX: 0000000000000000
      [   48.602183] RDX: 1ffffffff1de6a75 RSI: 0000000000000297 RDI: 0000000000000297
      [   48.604373] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1dd1533
      [   48.605607] R10: ffffffff8eafbb05 R11: fffffbfff1dd1534 R12: 0000000000000050
      [   48.607082] R13: dead000000000200 R14: ffffffff8e73f310 R15: 0000000000001020
      [   48.608228] FS:  00007fc686484800(0000) GS:ffff8801f5540000(0000) knlGS:0000000000000000
      [   48.610189] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   48.611459] CR2: 0000000000001008 CR3: 00000001dda70002 CR4: 00000000003606e0
      [   48.612759] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   48.613831] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   48.615038] Call Trace:
      [   48.615635]  tipc_enable_bearer+0x415/0x5e0 [tipc]
      [   48.620623]  tipc_nl_bearer_enable+0x1ab/0x200 [tipc]
      [   48.625118]  genl_family_rcv_msg+0x36b/0x570
      [   48.631233]  genl_rcv_msg+0x5a/0xa0
      [   48.631867]  netlink_rcv_skb+0x1cc/0x220
      [   48.636373]  genl_rcv+0x24/0x40
      [   48.637306]  netlink_unicast+0x29c/0x350
      [   48.639664]  netlink_sendmsg+0x439/0x590
      [   48.642014]  SYSC_sendto+0x199/0x250
      [   48.649912]  do_syscall_64+0xfd/0x2c0
      [   48.650651]  entry_SYSCALL64_slow_path+0x25/0x25
      [   48.651843] RIP: 0033:0x7fc6859848e3
      [   48.652539] RSP: 002b:00007ffd25dff938 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      [   48.654003] RAX: ffffffffffffffda RBX: 00007ffd25dff990 RCX: 00007fc6859848e3
      [   48.655303] RDX: 0000000000000054 RSI: 00007ffd25dff990 RDI: 0000000000000003
      [   48.656512] RBP: 00007ffd25dff980 R08: 00007fc685c35fc0 R09: 000000000000000c
      [   48.657697] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000d13010
      [   48.658840] R13: 00007ffd25e009c0 R14: 0000000000000000 R15: 0000000000000000
      [   48.662972] RIP: tipc_mon_delete+0xea/0x270 [tipc] RSP: ffff8801d827f668
      [   48.664073] CR2: 0000000000001008
      [   48.664576] ---[ end trace e811818d54d5ce88 ]---
      Acked-by: NYing Xue <ying.xue@windriver.com>
      Acked-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NTommi Rantala <tommi.t.rantala@nokia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      642a8439
    • T
      tipc: error path leak fixes in tipc_enable_bearer() · 19142551
      Tommi Rantala 提交于
      Fix memory leak in tipc_enable_bearer() if enable_media() fails, and
      cleanup with bearer_disable() if tipc_mon_create() fails.
      Acked-by: NYing Xue <ying.xue@windriver.com>
      Acked-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NTommi Rantala <tommi.t.rantala@nokia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      19142551
    • A
      RDS: Check cmsg_len before dereferencing CMSG_DATA · 14e138a8
      Avinash Repaka 提交于
      RDS currently doesn't check if the length of the control message is
      large enough to hold the required data, before dereferencing the control
      message data. This results in following crash:
      
      BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
      [inline]
      BUG: KASAN: stack-out-of-bounds in rds_sendmsg+0x1f02/0x1f90
      net/rds/send.c:1066
      Read of size 8 at addr ffff8801c928fb70 by task syzkaller455006/3157
      
      CPU: 0 PID: 3157 Comm: syzkaller455006 Not tainted 4.15.0-rc3+ #161
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:53
       print_address_description+0x73/0x250 mm/kasan/report.c:252
       kasan_report_error mm/kasan/report.c:351 [inline]
       kasan_report+0x25b/0x340 mm/kasan/report.c:409
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
       rds_rdma_bytes net/rds/send.c:1013 [inline]
       rds_sendmsg+0x1f02/0x1f90 net/rds/send.c:1066
       sock_sendmsg_nosec net/socket.c:628 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:638
       ___sys_sendmsg+0x320/0x8b0 net/socket.c:2018
       __sys_sendmmsg+0x1ee/0x620 net/socket.c:2108
       SYSC_sendmmsg net/socket.c:2139 [inline]
       SyS_sendmmsg+0x35/0x60 net/socket.c:2134
       entry_SYSCALL_64_fastpath+0x1f/0x96
      RIP: 0033:0x43fe49
      RSP: 002b:00007fffbe244ad8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe49
      RDX: 0000000000000001 RSI: 000000002020c000 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004017b0
      R13: 0000000000401840 R14: 0000000000000000 R15: 0000000000000000
      
      To fix this, we verify that the cmsg_len is large enough to hold the
      data to be read, before proceeding further.
      Reported-by: Nsyzbot <syzkaller-bugs@googlegroups.com>
      Signed-off-by: NAvinash Repaka <avinash.repaka@oracle.com>
      Acked-by: NSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Reviewed-by: NYuval Shaia <yuval.shaia@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      14e138a8
    • T
      ALSA: hda - Fix missing COEF init for ALC225/295/299 · 44be77c5
      Takashi Iwai 提交于
      There was a long-standing problem on HP Spectre X360 with Kabylake
      where it lacks of the front speaker output in some situations.  Also
      there are other products showing the similar behavior.  The culprit
      seems to be the missing COEF setup on ALC codecs, ALC225/295/299,
      which are all compatible.
      
      This patch adds the proper COEF setup (to initialize idx 0x67 / bits
      0x3000) for addressing the issue.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195457
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      44be77c5