9a51220... by Khaled El Mously on 2018-07-31
UBUNTU: FIXME
BugLink: https://bugs.launchpad.net/bugs/1784543
Signed-off-by: Khalid Elmously <email address hidden>
d08eef4... by Greg Kroah-Hartman <email address hidden> on 2018-07-17
Linux 4.4.141
BugLink: https://bugs.launchpad.net/bugs/1784543
Signed-off-by: Khalid Elmously <email address hidden>
c1bc7f1... by Tetsuo Handa <email address hidden> on 2018-05-04
loop: remember whether sysfs_create_group() was done
BugLink: https://bugs.launchpad.net/bugs/1784543
commit d3349b6b3c373ac1fbfb040b810fcee5e2adc7e0 upstream.
syzbot is hitting WARN() triggered by memory allocation fault
injection [1] because loop module is calling sysfs_remove_group()
when sysfs_create_group() failed.
Fix this by remembering whether sysfs_create_group() succeeded.
[1] https://syzkaller.appspot.com/bug?id=3f86c0edf75c86d2633aeb9dd69eccc70bc7e90b
Signed-off-by: Tetsuo Handa <email address hidden>
Reported-by: syzbot <email address hidden>
Reviewed-by: Greg Kroah-Hartman <email address hidden>
Renamed sysfs_ready -> sysfs_inited.
Signed-off-by: Jens Axboe <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
1722f57... by Leon Romanovsky <email address hidden> on 2018-05-23
RDMA/ucm: Mark UCM interface as BROKEN
BugLink: https://bugs.launchpad.net/bugs/1784543
commit 7a8690ed6f5346f6738971892205e91d39b6b901 upstream.
In commit 357d23c811a7 ("Remove the obsolete libibcm library")
in rdma-core [1], we removed the obsolete library which used the
/dev/infiniband/ucmX interface.
Following multiple syzkaller reports about non-sanitized
user input in the UCMA module, the short audit reveals the same
issues in UCM module too.
It is better to disable this interface in the kernel,
before syzkaller team invests time and energy to harden
this unused interface.
[1] https://github.com/linux-rdma/rdma-core/pull/279
Signed-off-by: Leon Romanovsky <email address hidden>
Signed-off-by: Jason Gunthorpe <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
f1257d0... by Tetsuo Handa <email address hidden> on 2018-05-26
PM / hibernate: Fix oops at snapshot_write()
BugLink: https://bugs.launchpad.net/bugs/1784543
commit fc14eebfc20854a38fd9f1d93a42b1783dad4d17 upstream.
syzbot is reporting NULL pointer dereference at snapshot_write() [1].
This is because data->handle is zero-cleared by ioctl(SNAPSHOT_FREE).
Fix this by checking data_of(data->handle) != NULL before using it.
[1] https://syzkaller.appspot.com/bug?id=828a3c71bd344a6de8b6a31233d51a72099f27fd
Signed-off-by: Tetsuo Handa <email address hidden>
Reported-by: syzbot <email address hidden>
Signed-off-by: Rafael J. Wysocki <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
0ae0911... by Theodore Ts'o on 2018-05-07
loop: add recursion validation to LOOP_CHANGE_FD
BugLink: https://bugs.launchpad.net/bugs/1784543
commit d2ac838e4cd7e5e9891ecc094d626734b0245c99 upstream.
Refactor the validation code used in LOOP_SET_FD so it is also used in
LOOP_CHANGE_FD. Otherwise it is possible to construct a set of loop
devices that all refer to each other. This can lead to an infinite
loop starting with "while (is_loop_device(f)) .." in loop_set_fd().
Fix this by refactoring out the validation code and using it for
LOOP_CHANGE_FD as well as LOOP_SET_FD.
Reported-by: <email address hidden>
Reported-by: <email address hidden>
Reported-by: <email address hidden>
Reported-by: <email address hidden>
Signed-off-by: Theodore Ts'o <email address hidden>
Signed-off-by: Jens Axboe <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
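Added example, not the kernel's loop driver code and not part of this commit page: a userland C model of the shared validation the commit describes. It walks the backing chain of the file being attached and rejects a binding that would lead back to the device being configured, and both the set and change paths call the same check. The device table, the plain-file numbering and the function names are constructed for the example; the error values mirror errno names but the kernel's exact checks are not reproduced.

```c
#include <errno.h>
#include <stdio.h>

#define MAX_LOOPS   8          /* constructed: loop0..loop7 */
#define LO_UNBOUND  (-1)       /* device has no backing file */
#define PLAIN_FILE  100        /* constructed: values >= 100 are ordinary files */

/* Constructed model of loop state: backing[i] is what loopi is bound to,
 * either a plain file number or another loop device number. */
static int backing[MAX_LOOPS] = {
	LO_UNBOUND, LO_UNBOUND, LO_UNBOUND, LO_UNBOUND,
	LO_UNBOUND, LO_UNBOUND, LO_UNBOUND, LO_UNBOUND,
};

static int is_loop_device(int f)
{
	return f >= 0 && f < MAX_LOOPS;
}

/* Shared validation (hypothetical name): follow the chain of loop devices
 * behind file f.  Refuse if the chain reaches device lo itself (that would
 * close a cycle), if it passes through an unbound device, or if it is
 * longer than any acyclic chain can be. */
int loop_validate_file(int lo, int f)
{
	int steps = 0;

	while (is_loop_device(f)) {
		if (f == lo)
			return -EBADF;          /* would refer back to ourselves */
		if (backing[f] == LO_UNBOUND)
			return -EINVAL;         /* dangling device in the chain */
		f = backing[f];
		if (++steps > MAX_LOOPS)
			return -ELOOP;          /* defensive bound: pre-existing cycle */
	}
	return 0;
}

/* LOOP_SET_FD analogue: bind an unbound device. */
int loop_set_fd(int lo, int f)
{
	int err;

	if (!is_loop_device(lo) || backing[lo] != LO_UNBOUND)
		return -EBUSY;
	err = loop_validate_file(lo, f);
	if (err)
		return err;
	backing[lo] = f;
	return 0;
}

/* LOOP_CHANGE_FD analogue: swap the backing file of a bound device.
 * Using the same validation here is the point of the fix. */
int loop_change_fd(int lo, int f)
{
	int err;

	if (!is_loop_device(lo) || backing[lo] == LO_UNBOUND)
		return -ENXIO;
	err = loop_validate_file(lo, f);
	if (err)
		return err;
	backing[lo] = f;
	return 0;
}

int main(void)
{
	loop_set_fd(0, PLAIN_FILE);     /* loop0 -> file 100 */
	loop_set_fd(1, 0);              /* loop1 -> loop0 -> file 100 */
	/* loop0 -> loop1 would close the cycle loop0 -> loop1 -> loop0 */
	printf("change loop0 to loop1: %d (expect -EBADF=%d)\n",
	       loop_change_fd(0, 1), -EBADF);
	return 0;
}
```

The chain walk is the same code on both ioctl paths; before the fix the change path skipped it, which is how a mutually referencing set of devices could be built.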
b3791b9... by Florian Westphal <email address hidden> on 2018-06-07
netfilter: x_tables: initialise match/target check parameter struct
BugLink: https://bugs.launchpad.net/bugs/1784543
commit c568503ef02030f169c9e19204def610a3510918 upstream.
syzbot reports the following splat:
BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
The uninitialised access is
xt_mtchk_param->nft_compat
... which should be set to 0.
Fix it by zeroing the struct beforehand, same for tgchk.
ip(6)tables targetinfo uses a c99-style initialiser, so no change
needed there.
Reported-by: <email address hidden>
Fixes: 55917a21d0cc0 ("netfilter: x_tables: add context to know if extension runs from nft_compat")
Signed-off-by: Florian Westphal <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
144be98... by Eric Dumazet <email address hidden> on 2018-06-13
netfilter: nf_queue: augment nfqa_cfg_policy
BugLink: https://bugs.launchpad.net/bugs/1784543
commit ba062ebb2cd561d404e0fba8ee4b3f5ebce7cbfc upstream.
Three attributes are currently not verified, thus can trigger KMSAN
warnings such as:
BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
BUG: KMSAN: uninit-value in nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
CPU: 1 PID: 4521 Comm: syz-executor120 Not tainted 4.17.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:113
kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
__msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620
__arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
__fswab32 include/uapi/linux/swab.h:59 [inline]
nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
nfnetlink_rcv_msg+0xb2e/0xc80 net/netfilter/nfnetlink.c:212
netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
nfnetlink_rcv+0x2fe/0x680 net/netfilter/nfnetlink.c:513
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg net/socket.c:639 [inline]
___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
__sys_sendmsg net/socket.c:2155 [inline]
__do_sys_sendmsg net/socket.c:2164 [inline]
__se_sys_sendmsg net/socket.c:2162 [inline]
__x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fd59
RSP: 002b:00007ffde0e30d28 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401680
R13: 0000000000401710 R14: 0000000000000000 R15: 0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
slab_post_alloc_hook mm/slab.h:446 [inline]
slab_alloc_node mm/slub.c:2753 [inline]
__kmalloc_node_track_caller+0xb35/0x11b0 mm/slub.c:4395
__kmalloc_reserve net/core/skbuff.c:138 [inline]
__alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:988 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg net/socket.c:639 [inline]
___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
__sys_sendmsg net/socket.c:2155 [inline]
__do_sys_sendmsg net/socket.c:2164 [inline]
__se_sys_sendmsg net/socket.c:2162 [inline]
__x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: fdb694a01f1f ("netfilter: Add fail-open support")
Fixes: 829e17a1a602 ("[NETFILTER]: nfnetlink_queue: allow changing queue length through netlink")
Signed-off-by: Eric Dumazet <email address hidden>
Reported-by: syzbot <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
b0ccd79... by Oleg Nesterov <email address hidden> on 2018-05-18
uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn()
BugLink: https://bugs.launchpad.net/bugs/1784543
commit 90718e32e1dcc2479acfa208ccfc6442850b594c upstream.
insn_get_length() has the side-effect of processing the entire instruction
but only if it was decoded successfully, otherwise insn_complete() can fail
and in this case we need to just return an error without warning.
Reported-by: <email address hidden>
Signed-off-by: Oleg Nesterov <email address hidden>
Reviewed-by: Masami Hiramatsu <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Thomas Gleixner <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Ingo Molnar <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
fe6f8e6... by Dave Hansen <email address hidden> on 2018-07-14
x86/cpufeature: Add helper macro for mask check macros
BugLink: https://bugs.launchpad.net/bugs/1784543
commit 8eda072e9d7c3429a372e3635dc5851f4a42dee1 upstream
Every time we add a word to our cpu features, we need to add
something like this in two places:
(((bit)>>5)==16 && (1UL<<((bit)&31) & REQUIRED_MASK16))
The trick is getting the "16" in this case in both places. I've
now screwed this up twice, so as penance, I've come up with
this patch to keep me and other poor souls from doing the same.
I also commented the logic behind the bit manipulation showcased
above.
Signed-off-by: Dave Hansen <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Borislav Petkov <email address hidden>
Cc: Brian Gerst <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Denys Vlasenko <email address hidden>
Cc: H. Peter Anvin <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Thomas Gleixner <email address hidden>
Link: http://<email address hidden>
Signed-off-by: Ingo Molnar <email address hidden>
Signed-off-by: Srivatsa S. Bhat <email address hidden>
Reviewed-by: Matt Helsley (VMware) <email address hidden>
Reviewed-by: Alexey Makhalov <email address hidden>
Reviewed-by: Bo Gan <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
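Added example, not the kernel's cpufeature header and not part of this commit page: a userland C model of the mask-word check quoted above. It shows the hand-written form with the word number in two places, the silent failure when the two numbers disagree, and a token-pasting helper that takes the word number once and builds the mask name from it. The three REQUIRED_MASK words, their bit contents, the helper's name CHECK_BIT_IN_MASK_WORD and the function names are assumptions made for the example.

```c
#include <stdio.h>

/* Constructed mask words: the kernel has one such word per 32 feature bits.
 * Bit 0 of word 0 and bit 2 of word 16 (= feature bit 16*32+2 = 514) are "required". */
#define REQUIRED_MASK0   0x00000001UL
#define REQUIRED_MASK1   0x00000000UL
#define REQUIRED_MASK16  0x00000004UL

/* The form quoted in the commit message: the word number 16 must be
 * repeated, once for the word compare and once in the mask name. */
#define REQUIRED_MASK_BIT_SET_WORD16(bit) \
	(((bit)>>5)==16 && (1UL<<((bit)&31) & REQUIRED_MASK16))

/* The mistake the message describes: word compare says 16, mask name
 * says 1.  It compiles, and silently answers "not required" for every bit. */
#define MISMATCHED_WORD16(bit) \
	(((bit)>>5)==1 && (1UL<<((bit)&31) & REQUIRED_MASK16))

/* Helper (hypothetical name): bit>>5 is the word index (bit / 32),
 * bit&31 is the position inside that word (bit % 32).  The word number
 * appears once; ## pastes it onto the mask name so the two cannot diverge. */
#define CHECK_BIT_IN_MASK_WORD(maskname, word, bit) \
	(((bit)>>5)==(word) && (1UL<<((bit)&31) & maskname##word))

#define REQUIRED_MASK_BIT_SET(bit)                            \
	( CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  0, bit) ||   \
	  CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  1, bit) ||   \
	  CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 16, bit) )

int required_mask_bit_set(unsigned int bit)
{
	return REQUIRED_MASK_BIT_SET(bit) ? 1 : 0;
}

int required_mask_bit_set_handwritten16(unsigned int bit)
{
	return REQUIRED_MASK_BIT_SET_WORD16(bit) ? 1 : 0;
}

int required_mask_bit_set_mismatched16(unsigned int bit)
{
	return MISMATCHED_WORD16(bit) ? 1 : 0;
}

int main(void)
{
	unsigned int bit = 16 * 32 + 2;   /* word 16, position 2 */

	printf("bit %u: helper=%d handwritten=%d mismatched=%d\n", bit,
	       required_mask_bit_set(bit),
	       required_mask_bit_set_handwritten16(bit),
	       required_mask_bit_set_mismatched16(bit));
	return 0;
}
```

The mismatched variant is the failure mode the message warns about: no compiler diagnostic, just a feature check that never fires for that word.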