author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-06-09 10:14:00 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-06-09 10:14:00 +0200 |
commit | e381844f0a775504e3ea3d630e60d64a8016f591 (patch) | |
tree | bf4a888cd9ab9d3f3acd71971a263dac49459bde | |
parent | 4cc7a25b8e2a0da7967c567bc80f1b3c8520f5bf (diff) | |
download | queue-3.18-e381844f0a775504e3ea3d630e60d64a8016f591.tar.gz |
more patches
-rw-r--r-- | ethtool-fix-potential-userspace-buffer-overflow.patch | 54 | ||||
-rw-r--r-- | media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch | 39 | ||||
-rw-r--r-- | net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch | 90 | ||||
-rw-r--r-- | pktgen-do-not-sleep-with-the-thread-lock-held.patch | 96 | ||||
-rw-r--r-- | series | 5 | ||||
-rw-r--r-- | usb-gadget-fix-request-length-error-for-isoc-transfer.patch | 41 |
6 files changed, 325 insertions, 0 deletions
diff --git a/ethtool-fix-potential-userspace-buffer-overflow.patch b/ethtool-fix-potential-userspace-buffer-overflow.patch
new file mode 100644
index 0000000..38843a2
--- /dev/null
+++ b/ethtool-fix-potential-userspace-buffer-overflow.patch
@@ -0,0 +1,54 @@
+From foo@baz Sun 09 Jun 2019 10:11:59 AM CEST
+From: Vivien Didelot <vivien.didelot@gmail.com>
+Date: Mon, 3 Jun 2019 16:57:13 -0400
+Subject: ethtool: fix potential userspace buffer overflow
+
+From: Vivien Didelot <vivien.didelot@gmail.com>
+
+[ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ]
+
+ethtool_get_regs() allocates a buffer of size ops->get_regs_len(),
+and pass it to the kernel driver via ops->get_regs() for filling.
+
+There is no restriction about what the kernel drivers can or cannot do
+with the open ethtool_regs structure. They usually set regs->version
+and ignore regs->len or set it to the same size as ops->get_regs_len().
+
+But if userspace allocates a smaller buffer for the registers dump,
+we would cause a userspace buffer overflow in the final copy_to_user()
+call, which uses the regs.len value potentially reset by the driver.
+
+To fix this, make this case obvious and store regs.len before calling
+ops->get_regs(), to only copy as much data as requested by userspace,
+up to the value returned by ops->get_regs_len().
+
+While at it, remove the redundant check for non-null regbuf.
+
+Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/ethtool.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -863,13 +863,16 @@ static int ethtool_get_regs(struct net_d
+ if (reglen && !regbuf)
+ return -ENOMEM;
+ 
++ if (regs.len < reglen)
++ reglen = regs.len;
++
+ ops->get_regs(dev, ®s, regbuf);
+ 
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, ®s, sizeof(regs)))
+ goto out;
+ useraddr += offsetof(struct ethtool_regs, data);
+- if (regbuf && copy_to_user(useraddr, regbuf, regs.len))
++ if (copy_to_user(useraddr, regbuf, reglen))
+ goto out;
+ ret = 0;
+ 
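Review bot: The header written back by `copy_to_user(useraddr, &regs, sizeof(regs))` still carries whatever regs.len the driver left in it, while only `reglen` bytes of payload follow it; a driver that sets regs->len to ops->get_regs_len() (the commit message says some do) now reports a length larger than the data it was actually given after the new clamp. If no userspace caller depends on the driver-reported value, `regs.len = reglen;` right after `ops->get_regs()` keeps header and payload consistent; if callers do depend on it, a comment saying the header length is the driver's and not the copied size would stop the next reader from assuming they match. The clamp itself also deserves a line of explanation, e.g. `/* regbuf holds ops->get_regs_len() bytes; copy back no more than userspace asked for */`. ethtool_get_regs() begins before this hunk, so the allocation of regbuf and the type of reglen are not visible here.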
diff --git a/media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch b/media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch
new file mode 100644
index 0000000..aac3153
--- /dev/null
+++ b/media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch
@@ -0,0 +1,39 @@
+From 89dd34caf73e28018c58cd193751e41b1f8bdc56 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Mon, 4 Jun 2018 09:47:13 -0400
+Subject: media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
+
+From: Nadav Amit <namit@vmware.com>
+
+commit 89dd34caf73e28018c58cd193751e41b1f8bdc56 upstream.
+
+The use of ALIGN() in uvc_alloc_entity() is incorrect, since the size of
+(entity->pads) is not a power of two. As a stop-gap, until a better
+solution is adapted, use roundup() instead.
+
+Found by a static assertion. Compile-tested only.
+
+Fixes: 4ffc2d89f38a ("uvcvideo: Register subdevices for each entity")
+
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Cc: Doug Anderson <dianders@chromium.org>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -826,7 +826,7 @@ static struct uvc_entity *uvc_alloc_enti
+ unsigned int size;
+ unsigned int i;
+ 
+- extra_size = ALIGN(extra_size, sizeof(*entity->pads));
++ extra_size = roundup(extra_size, sizeof(*entity->pads));
+ num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1;
+ size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads
+ + num_inputs;
diff --git a/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch b/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
new file mode 100644
index 0000000..fc62a11
--- /dev/null
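Review bot: The reason `roundup()` is required instead of `ALIGN()` is not visible at the call site, and the commit message itself calls the change a stop-gap, so the next person touching `extra_size = roundup(extra_size, sizeof(*entity->pads));` is likely to "optimize" it back to the masking macro; a one-line comment pinning the invariant would prevent that: `/* roundup(), not ALIGN(): sizeof(*entity->pads) is not a power of two */`. Where extra_size and num_pads come from, and hence whether the `size` sum can exceed unsigned int, is outside the hunk and cannot be judged here; uvc_alloc_entity() continues past the hunk.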
+++ b/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch 
@@ -0,0 +1,90 @@
+From foo@baz Sun 09 Jun 2019 10:11:59 AM CEST
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+Date: Thu, 6 Jun 2019 04:00:03 -0400
+Subject: net: rds: fix memory leak in rds_ib_flush_mr_pool
+
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+
+[ Upstream commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 ]
+
+When the following tests last for several hours, the problem will occur.
+
+Server:
+ rds-stress -r 1.1.1.16 -D 1M
+Client:
+ rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30
+
+The following will occur.
+
+"
+Starting up....
+tsks tx/s rx/s tx+rx K/s mbi K/s mbo K/s tx us/c rtt us cpu
+%
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+"
+>From vmcore, we can find that clean_list is NULL.
+
+>From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker.
+Then rds_ib_mr_pool_flush_worker calls
+"
+ rds_ib_flush_mr_pool(pool, 0, NULL);
+"
+Then in function
+"
+int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool,
+ int free_all, struct rds_ib_mr **ibmr_ret)
+"
+ibmr_ret is NULL.
+
+In the source code,
+"
+...
+list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
+if (ibmr_ret)
+ *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
+
+/* more than one entry in llist nodes */
+if (clean_nodes->next)
+ llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
+...
+"
+When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next
+instead of clean_nodes is added in clean_list.
+So clean_nodes is discarded. It can not be used again.
+The workqueue is executed periodically. So more and more clean_nodes are
+discarded. Finally the clean_list is NULL.
+Then this problem will occur.
+
+Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist")
+Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S.
Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_rdma.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/rds/ib_rdma.c
++++ b/net/rds/ib_rdma.c
+@@ -663,12 +663,14 @@ static int rds_ib_flush_mr_pool(struct r
+ wait_clean_list_grace();
+ 
+ list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
+- if (ibmr_ret)
++ if (ibmr_ret) {
+ *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
+-
++ clean_nodes = clean_nodes->next;
++ }
+ /* more than one entry in llist nodes */
+- if (clean_nodes->next)
+- llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
++ if (clean_nodes)
++ llist_add_batch(clean_nodes, clean_tail,
++ &pool->clean_list);
+ 
+ }
+ 
diff --git a/pktgen-do-not-sleep-with-the-thread-lock-held.patch b/pktgen-do-not-sleep-with-the-thread-lock-held.patch
new file mode 100644
index 0000000..c1b803c
--- /dev/null
+++ b/pktgen-do-not-sleep-with-the-thread-lock-held.patch
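Review bot: The comment `/* more than one entry in llist nodes */` kept above the rewritten test is now stale: once the head has been detached for the caller, `if (clean_nodes)` means "anything left over", not "more than one", so the comment should read `/* hand back to the pool whatever was not given to the caller */`. The new `clean_nodes = clean_nodes->next;`, like the `llist_entry()` just before it, dereferences clean_nodes without a NULL check, so the branch relies on list_to_llist_nodes() always producing at least one node at this point; that is presumably guaranteed by an emptiness check earlier in rds_ib_flush_mr_pool(), which starts outside the hunk, and if so it is worth saying in the same comment.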
@@ -0,0 +1,96 @@
+From foo@baz Sun 09 Jun 2019 10:11:59 AM CEST
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 6 Jun 2019 15:45:03 +0200
+Subject: pktgen: do not sleep with the thread lock held.
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 720f1de4021f09898b8c8443f3b3e995991b6e3a ]
+
+Currently, the process issuing a "start" command on the pktgen procfs
+interface, acquires the pktgen thread lock and never release it, until
+all pktgen threads are completed. The above can blocks indefinitely any
+other pktgen command and any (even unrelated) netdevice removal - as
+the pktgen netdev notifier acquires the same lock.
+
+The issue is demonstrated by the following script, reported by Matteo:
+
+ip -b - <<'EOF'
+ link add type dummy
+ link add type veth
+ link set dummy0 up
+EOF
+modprobe pktgen
+echo reset >/proc/net/pktgen/pgctrl
+{
+ echo rem_device_all
+ echo add_device dummy0
+} >/proc/net/pktgen/kpktgend_0
+echo count 0 >/proc/net/pktgen/dummy0
+echo start >/proc/net/pktgen/pgctrl &
+sleep 1
+rmmod veth
+
+Fix the above releasing the thread lock around the sleep call.
+
+Additionally we must prevent racing with forcefull rmmod - as the
+thread lock no more protects from them. Instead, acquire a self-reference
+before waiting for any thread. As a side effect, running
+
+rmmod pktgen
+
+while some thread is running now fails with "module in use" error,
+before this patch such command hanged indefinitely.
+
+Note: the issue predates the commit reported in the fixes tag, but
+this fix can't be applied before the mentioned commit.
+
+v1 -> v2:
+ - no need to check for thread existence after flipping the lock,
+ pktgen threads are freed only at net exit time
+ -
+
+Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.")
+Reported-and-tested-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S.
Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/pktgen.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -3089,7 +3089,13 @@ static int pktgen_wait_thread_run(struct
+ {
+ while (thread_is_running(t)) {
+ 
++ /* note: 't' will still be around even after the unlock/lock
++ * cycle because pktgen_thread threads are only cleared at
++ * net exit
++ */
++ mutex_unlock(&pktgen_thread_lock);
+ msleep_interruptible(100);
++ mutex_lock(&pktgen_thread_lock);
+ 
+ if (signal_pending(current))
+ goto signal;
+@@ -3104,6 +3110,10 @@ static int pktgen_wait_all_threads_run(s
+ struct pktgen_thread *t;
+ int sig = 1;
+ 
++ /* prevent from racing with rmmod */
++ if (!try_module_get(THIS_MODULE))
++ return sig;
++
+ mutex_lock(&pktgen_thread_lock);
+ 
+ list_for_each_entry(t, &pn->pktgen_threads, th_list) {
+@@ -3117,6 +3127,7 @@ static int pktgen_wait_all_threads_run(s
+ t->control |= (T_STOP);
+ 
+ mutex_unlock(&pktgen_thread_lock);
++ module_put(THIS_MODULE);
+ return sig;
+ }
+ 
@@ -62,5 +62,10 @@ btrfs-fix-race-updating-log-root-item-during-fsync.patch
 tty-max310x-fix-external-crystal-register-setup.patch
 kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch
 cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch
+usb-gadget-fix-request-length-error-for-isoc-transfer.patch
+media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch
+ethtool-fix-potential-userspace-buffer-overflow.patch
+net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
+pktgen-do-not-sleep-with-the-thread-lock-held.patch
 crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch
 crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch
diff --git a/usb-gadget-fix-request-length-error-for-isoc-transfer.patch b/usb-gadget-fix-request-length-error-for-isoc-transfer.patch
new file mode 100644
index 0000000..b4d3db5
--- /dev/null
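Review bot: When `try_module_get(THIS_MODULE)` fails, the new early `return sig;` hands back the initial `sig = 1`, which appears to be the value the function otherwise returns when every thread came up, so a "start" that races with module unload is reported as successful without any thread having been waited for. If that is the intended outcome because the module is going away anyway, say so at the return: `/* module is being unloaded: nothing to wait for, report as started */`; if not, a distinct failure value is needed, but what the caller does with sig is outside the hunk. Note also that the `list_for_each_entry(t, &pn->pktgen_threads, th_list)` walk now spans the unlock/msleep/lock window introduced in pktgen_wait_thread_run(), which is only safe under the invariant stated in the new comment there (threads are freed only at net exit); repeating that invariant at the list walk would keep the two functions honest together. Both functions extend beyond the hunk.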
+++ b/usb-gadget-fix-request-length-error-for-isoc-transfer.patch
@@ -0,0 +1,41 @@
+From 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Tue, 8 Nov 2016 10:08:24 +0800
+Subject: usb: gadget: fix request length error for isoc transfer
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 upstream.
+
+For isoc endpoint descriptor, the wMaxPacketSize is not real max packet
+size (see Table 9-13. Standard Endpoint Descriptor, USB 2.0 specifcation),
+it may contain the number of packet, so the real max packet should be
+ep->desc->wMaxPacketSize && 0x7ff.
+
+Cc: Felipe F. Tonello <eu@felipetonello.com>
+Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
+Fixes: 16b114a6d797 ("usb: gadget: fix usb_ep_align_maybe
+ endianness and new usb_ep_aligna")
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/usb/gadget.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/linux/usb/gadget.h
++++ b/include/linux/usb/gadget.h
+@@ -590,7 +590,9 @@ static inline struct usb_gadget *dev_to_
+ */
+ static inline size_t usb_ep_align(struct usb_ep *ep, size_t len)
+ {
+- return round_up(len, (size_t)le16_to_cpu(ep->desc->wMaxPacketSize));
++ int max_packet_size = (size_t)usb_endpoint_maxp(ep->desc) & 0x7ff;
++
++ return round_up(len, max_packet_size);
+ }
+ 
+ /** |
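Review bot: `round_up()` in the new `return round_up(len, max_packet_size);` is the kernel's power-of-two-only helper (it rounds by masking), but the masked isochronous maxp it is now handed need not be a power of two — isoc endpoints commonly use sizes such as 192 or 1023 — so the result can be wrong for exactly the endpoints this patch targets; `roundup(len, max_packet_size)` handles arbitrary multiples, the same correction the uvcvideo patch in this queue makes for ALIGN(). The `(size_t)` cast on `usb_endpoint_maxp(ep->desc)` is also thrown away by storing into an `int`; declaring `size_t max_packet_size = usb_endpoint_maxp(ep->desc) & 0x7ff;` keeps the type consistent with `len` and with the function's return type. A short comment on the mask, `/* bits 12:11 of wMaxPacketSize hold the isoc transactions-per-microframe count, not size */`, would explain the 0x7ff to the next reader.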