From fdf71503403c679590ad6fd96cdc35f1eabb91ea Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 20 Apr 2018 18:29:39 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch
dmaengine-at_xdmac-fix-rare-residue-corruption.patch
ib-srp-fix-completion-vector-assignment-algorithm.patch
ib-srp-fix-srp_abort.patch
libnvdimm-namespace-use-a-safe-lookup-for-dimm-device-name.patch
rdma-rxe-fix-an-out-of-bounds-read.patch
rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch
---
 ...-at-pcm-release-via-pcm-timer-access.patch | 59 +++++++++++++
 ...at_xdmac-fix-rare-residue-corruption.patch | 71 +++++++++++++++
 ...mpletion-vector-assignment-algorithm.patch | 49 +++++++++++
 queue-4.9/ib-srp-fix-srp_abort.patch | 41 +++++++++
 ...e-a-safe-lookup-for-dimm-device-name.patch | 70 +++++++++++++++
 .../rdma-rxe-fix-an-out-of-bounds-read.patch | 88 +++++++++++++++++++
 ...ption_ib_path-without-an-rdma-device.patch | 35 ++++++++
 queue-4.9/series | 7 ++
 8 files changed, 420 insertions(+)
 create mode 100644 queue-4.9/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch
 create mode 100644 queue-4.9/dmaengine-at_xdmac-fix-rare-residue-corruption.patch
 create mode 100644 queue-4.9/ib-srp-fix-completion-vector-assignment-algorithm.patch
 create mode 100644 queue-4.9/ib-srp-fix-srp_abort.patch
 create mode 100644 queue-4.9/libnvdimm-namespace-use-a-safe-lookup-for-dimm-device-name.patch
 create mode 100644 queue-4.9/rdma-rxe-fix-an-out-of-bounds-read.patch
 create mode 100644 queue-4.9/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch
diff --git a/queue-4.9/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch b/queue-4.9/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch
new file mode 100644
index 00000000000..6db569a1726
--- /dev/null
+++ b/queue-4.9/alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch
@@ -0,0 +1,59 @@
+From a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 2 Apr 2018 22:41:43 +0200
+Subject: ALSA: pcm: Fix UAF at PCM release via PCM timer access
+
+From: Takashi Iwai
+
+commit a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b upstream.
+
+The PCM runtime object is created and freed dynamically at PCM stream
+open / close time. This is tracked via substream->runtime, and it's
+cleared at snd_pcm_detach_substream().
+
+The runtime object assignment is protected by PCM open_mutex, so for
+all PCM operations, it's safely handled. However, each PCM substream
+provides also an ALSA timer interface, and user-space can access to
+this while closing a PCM substream. This may eventually lead to a
+UAF, as snd_pcm_timer_resolution() tries to access the runtime while
+clearing it in other side.
+
+Fortunately, it's the only concurrent access from the PCM timer, and
+it merely reads runtime->timer_resolution field. So, we can avoid the
+race by reordering kfree() and wrapping the substream->runtime
+clearance with the corresponding timer lock.
+
+Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/pcm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -28,6 +28,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -1025,8 +1026,13 @@ void snd_pcm_detach_substream(struct snd
+ snd_free_pages((void*)runtime->control,
+ PAGE_ALIGN(sizeof(struct snd_pcm_mmap_control)));
+ kfree(runtime->hw_constraints.rules);
+- kfree(runtime);
++ /* Avoid concurrent access to runtime via PCM timer interface */
++ if (substream->timer)
++ spin_lock_irq(&substream->timer->lock);
+ substream->runtime = NULL;
++ if (substream->timer)
++ spin_unlock_irq(&substream->timer->lock);
++ kfree(runtime);
+ put_pid(substream->pid);
+ substream->pid = NULL;
+ substream->pstr->substream_opened--;
diff --git a/queue-4.9/dmaengine-at_xdmac-fix-rare-residue-corruption.patch b/queue-4.9/dmaengine-at_xdmac-fix-rare-residue-corruption.patch
new file mode 100644
index 00000000000..1523d78625a
--- /dev/null
+++ b/queue-4.9/dmaengine-at_xdmac-fix-rare-residue-corruption.patch
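Review bot: `substream->timer` is read twice in the lines added to snd_pcm_detach_substream() — once to decide whether to take `timer->lock` and again to decide whether to release it — so the lock/unlock pairing silently depends on that pointer not changing between the two reads; whether anything can clear it here cannot be told from the hunk, since the function starts and ends outside it. Reading the pointer once into a local (declared at the top of the function, outside the hunk, as `struct snd_timer *timer`) makes the pairing self-evident, and the comment can then state the invariant the commit message implies rather than just "avoid concurrent access": snd_pcm_timer_resolution() reads `substream->runtime` under the same `timer->lock`, so it observes either the still-allocated runtime or NULL, because kfree() now comes after the unlock. Suggested replacement for the six added lines, with the declaration hoisted:

```c
	kfree(runtime->hw_constraints.rules);
	/*
	 * snd_pcm_timer_resolution() dereferences substream->runtime under
	 * timer->lock; clear the pointer under that lock and free the
	 * runtime only afterwards, so the timer side sees a live object or NULL.
	 */
	timer = substream->timer;
	if (timer)
		spin_lock_irq(&timer->lock);
	substream->runtime = NULL;
	if (timer)
		spin_unlock_irq(&timer->lock);
	kfree(runtime);
	/* … unchanged: put_pid() and substream_opened bookkeeping … */
```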
@@ -0,0 +1,71 @@
+From c5637476bbf9bb86c7f0413b8f4822a73d8d2d07 Mon Sep 17 00:00:00 2001
+From: Maxime Jayat
+Date: Thu, 22 Feb 2018 12:39:55 +0100
+Subject: dmaengine: at_xdmac: fix rare residue corruption
+
+From: Maxime Jayat
+
+commit c5637476bbf9bb86c7f0413b8f4822a73d8d2d07 upstream.
+
+Despite the efforts made to correctly read the NDA and CUBC registers,
+the order in which the registers are read could sometimes lead to an
+inconsistent state.
+
+Re-using the timeline from the comments, this following timing of
+registers reads could lead to reading NDA with value "@desc2" and
+CUBC with value "MAX desc1":
+
+ INITD -------- ------------
+ |____________________|
+ _______________________ _______________
+ NDA @desc2 \/ @desc3
+ _______________________/\_______________
+ __________ ___________ _______________
+ CUBC 0 \/ MAX desc1 \/ MAX desc2
+ __________/\___________/\_______________
+ | | | |
+Events:(1)(2) (3)(4)
+
+(1) check_nda = @desc2
+(2) initd = 1
+(3) cur_ubc = MAX desc1
+(4) cur_nda = @desc2
+
+This is allowed by the condition ((check_nda == cur_nda) && initd),
+despite cur_ubc and cur_nda being in the precise state we don't want.
+
+This error leads to incorrect residue computation.
+
+Fix it by inversing the order in which CUBC and INITD are read. This
+makes sure that NDA and CUBC are always read together either _before_
+INITD goes to 0 or _after_ it is back at 1.
+The case where NDA is read before INITD is at 0 and CUBC is read after
+INITD is back at 1 will be rejected by check_nda and cur_nda being
+different.
+
+Fixes: 53398f488821 ("dmaengine: at_xdmac: fix residue corruption")
+Cc: stable@vger.kernel.org
+Signed-off-by: Maxime Jayat
+Acked-by: Ludovic Desroches
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/dma/at_xdmac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -1473,10 +1473,10 @@ at_xdmac_tx_status(struct dma_chan *chan
+ for (retry = 0; retry < AT_XDMAC_RESIDUE_MAX_RETRIES; retry++) {
+ check_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
+ rmb();
+- initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
+- rmb();
+ cur_ubc = at_xdmac_chan_read(atchan, AT_XDMAC_CUBC);
+ rmb();
++ initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
++ rmb();
+ cur_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
+ rmb();
+
diff --git a/queue-4.9/ib-srp-fix-completion-vector-assignment-algorithm.patch b/queue-4.9/ib-srp-fix-completion-vector-assignment-algorithm.patch
new file mode 100644
index 00000000000..19f20ead213
--- /dev/null
+++ b/queue-4.9/ib-srp-fix-completion-vector-assignment-algorithm.patch
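Review bot: The reordered register reads in at_xdmac_tx_status() carry no comment saying why CUBC must now be sampled before INITD, so the rationale lives only in the changelog and the next person who "tidies" the read sequence can reintroduce exactly the interleaving the commit message draws. Suggest a comment above the `cur_ubc` read: `/* Read CUBC before INITD: NDA and CUBC must be sampled together, either both before INITD drops to 0 or both after it is back to 1; the mixed case is rejected by check_nda != cur_nda. */`. The loop head is visible but the check that consumes `initd`, `check_nda` and `cur_nda`, and what happens when AT_XDMAC_RESIDUE_MAX_RETRIES is exhausted, are outside the hunk, as is the rest of the function.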
@@ -0,0 +1,49 @@
+From 3a148896b24adf8688dc0c59af54531931677a40 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 12 Feb 2018 09:50:25 -0800
+Subject: IB/srp: Fix completion vector assignment algorithm
+
+From: Bart Van Assche
+
+commit 3a148896b24adf8688dc0c59af54531931677a40 upstream.
+
+Ensure that cv_end is equal to ibdev->num_comp_vectors for the
+NUMA node with the highest index. This patch improves spreading
+of RDMA channels over completion vectors and thereby improves
+performance, especially on systems with only a single NUMA node.
+This patch drops support for the comp_vector login parameter by
+ignoring the value of that parameter since I have not found a
+good way to combine support for that parameter and automatic
+spreading of RDMA channels over completion vectors.
+
+Fixes: d92c0da71a35 ("IB/srp: Add multichannel support")
+Reported-by: Alexander Schmid
+Signed-off-by: Bart Van Assche
+Cc: Alexander Schmid
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -3397,12 +3397,10 @@ static ssize_t srp_create_target(struct
+ num_online_nodes());
+ const int ch_end = ((node_idx + 1) * target->ch_count /
+ num_online_nodes());
+- const int cv_start = (node_idx * ibdev->num_comp_vectors /
+- num_online_nodes() + target->comp_vector)
+- % ibdev->num_comp_vectors;
+- const int cv_end = ((node_idx + 1) * ibdev->num_comp_vectors /
+- num_online_nodes() + target->comp_vector)
+- % ibdev->num_comp_vectors;
++ const int cv_start = node_idx * ibdev->num_comp_vectors /
++ num_online_nodes();
++ const int cv_end = (node_idx + 1) * ibdev->num_comp_vectors /
++ num_online_nodes();
+ int cpu_idx = 0;
+
+ for_each_online_cpu(cpu) {
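Review bot: With the modulo gone, `cv_start`/`cv_end` in srp_create_target() are plain integer-division bounds, so whenever `ibdev->num_comp_vectors < num_online_nodes()` some node gets an empty range (`cv_start == cv_end`); whether the `for_each_online_cpu()` loop that follows copes with an empty slice cannot be told from the hunk, which stops at the loop head. A comment on the two declarations would make the contract explicit: `/* Per-node slice of the completion vectors; the last node's slice ends at num_comp_vectors and a slice may be empty when nodes outnumber vectors. */`, with the last clause adjusted to what the loop actually does. Separately, `target->comp_vector` is no longer referenced here, so the comp_vector login parameter is now silently ignored; if it is still parsed elsewhere, a one-line notice at the parse site (or in the option documentation) keeps users from believing it still pins channels.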
diff --git a/queue-4.9/ib-srp-fix-srp_abort.patch b/queue-4.9/ib-srp-fix-srp_abort.patch
new file mode 100644
index 00000000000..1068d7b1341
--- /dev/null
+++ b/queue-4.9/ib-srp-fix-srp_abort.patch
@@ -0,0 +1,41 @@
+From e68088e78d82920632eba112b968e49d588d02a2 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Fri, 23 Feb 2018 14:09:24 -0800
+Subject: IB/srp: Fix srp_abort()
+
+From: Bart Van Assche
+
+commit e68088e78d82920632eba112b968e49d588d02a2 upstream.
+
+Before commit e494f6a72839 ("[SCSI] improved eh timeout handler") it
+did not really matter whether or not abort handlers like srp_abort()
+called .scsi_done() when returning another value than SUCCESS. Since
+that commit however this matters. Hence only call .scsi_done() when
+returning SUCCESS.
+
+Signed-off-by: Bart Van Assche
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -2626,9 +2626,11 @@ static int srp_abort(struct scsi_cmnd *s
+ ret = FAST_IO_FAIL;
+ else
+ ret = FAILED;
+- srp_free_req(ch, req, scmnd, 0);
+- scmnd->result = DID_ABORT << 16;
+- scmnd->scsi_done(scmnd);
++ if (ret == SUCCESS) {
++ srp_free_req(ch, req, scmnd, 0);
++ scmnd->result = DID_ABORT << 16;
++ scmnd->scsi_done(scmnd);
++ }
+
+ return ret;
+ }
diff --git a/queue-4.9/libnvdimm-namespace-use-a-safe-lookup-for-dimm-device-name.patch b/queue-4.9/libnvdimm-namespace-use-a-safe-lookup-for-dimm-device-name.patch
new file mode 100644
index 00000000000..b07e7304f2d
--- /dev/null
+++ b/queue-4.9/libnvdimm-namespace-use-a-safe-lookup-for-dimm-device-name.patch
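Review bot: The new `if (ret == SUCCESS)` block in srp_abort() is now the only path that releases `req` and completes `scmnd`; on FAST_IO_FAIL/FAILED the command is deliberately left untouched, but nothing at the site says so, and the shape looks enough like a leak that a future reader may "fix" it back. Suggest a comment on the `if`: `/* Complete scmnd here only when returning SUCCESS; for any other result the SCSI error handler still owns the command (see commit e494f6a72839). */`. The `if`/`else` chain that assigns `ret` starts outside the hunk, so whether the SUCCESS assignment also sets up `req` cannot be confirmed from here.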
@@ -0,0 +1,70 @@
+From 4f8672201b7e7ed4f5f6c3cf6dcd080648580582 Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Fri, 6 Apr 2018 16:37:21 -0700
+Subject: libnvdimm, namespace: use a safe lookup for dimm device name
+
+From: Dan Williams
+
+commit 4f8672201b7e7ed4f5f6c3cf6dcd080648580582 upstream.
+
+The following NULL dereference results from incorrectly assuming that
+ndd is valid in this print:
+
+ struct nvdimm_drvdata *ndd = to_ndd(&nd_region->mapping[i]);
+
+ /*
+ * Give up if we don't find an instance of a uuid at each
+ * position (from 0 to nd_region->ndr_mappings - 1), or if we
+ * find a dimm with two instances of the same uuid.
+ */
+ dev_err(&nd_region->dev, "%s missing label for %pUb\n",
+ dev_name(ndd->dev), nd_label->uuid);
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ IP: nd_region_register_namespaces+0xd67/0x13c0 [libnvdimm]
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 43 PID: 673 Comm: kworker/u609:10 Not tainted 4.16.0-rc4+ #1
+ [..]
+ RIP: 0010:nd_region_register_namespaces+0xd67/0x13c0 [libnvdimm]
+ [..]
+ Call Trace:
+ ? devres_add+0x2f/0x40
+ ? devm_kmalloc+0x52/0x60
+ ? nd_region_activate+0x9c/0x320 [libnvdimm]
+ nd_region_probe+0x94/0x260 [libnvdimm]
+ ? kernfs_add_one+0xe4/0x130
+ nvdimm_bus_probe+0x63/0x100 [libnvdimm]
+
+Switch to using the nvdimm device directly.
+
+Fixes: 0e3b0d123c8f ("libnvdimm, namespace: allow multiple pmem...")
+Cc:
+Reported-by: Dave Jiang
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/namespace_devs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -1747,7 +1747,7 @@ struct device *create_namespace_pmem(str
+ }
+
+ if (i < nd_region->ndr_mappings) {
+- struct nvdimm_drvdata *ndd = to_ndd(&nd_region->mapping[i]);
++ struct nvdimm *nvdimm = nd_region->mapping[i].nvdimm;
+
+ /*
+ * Give up if we don't find an instance of a uuid at each
+@@ -1755,7 +1755,7 @@ struct device *create_namespace_pmem(str
+ * find a dimm with two instances of the same uuid.
+ */
+ dev_err(&nd_region->dev, "%s missing label for %pUb\n",
+- dev_name(ndd->dev), nd_label->uuid);
++ nvdimm_name(nvdimm), nd_label->uuid);
+ rc = -EINVAL;
+ goto err;
+ }
diff --git a/queue-4.9/rdma-rxe-fix-an-out-of-bounds-read.patch b/queue-4.9/rdma-rxe-fix-an-out-of-bounds-read.patch
new file mode 100644
index 00000000000..ba7abd7c3b9
--- /dev/null
+++ b/queue-4.9/rdma-rxe-fix-an-out-of-bounds-read.patch
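Review bot: The replacement in create_namespace_pmem() trades one unstated assumption for another: the old code assumed `to_ndd()` returned non-NULL, the new code assumes `nd_region->mapping[i].nvdimm` is populated, and whether `nvdimm_name()` tolerates a NULL argument is not visible here. If the invariant is the one the commit message implies — the mapping's nvdimm pointer exists from region registration, whereas the per-dimm drvdata only exists once the dimm driver has probed — it belongs next to the lookup so the next reader can check it: `/* mapping[].nvdimm is valid for every region mapping; the drvdata (to_ndd()) is not, since the dimm may not have been probed yet. */`. The rest of create_namespace_pmem(), including how `i` and `nd_label` are derived, lies outside the hunk.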
@@ -0,0 +1,88 @@
+From a6544a624c3ff92a64e4aca3931fa064607bd3da Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Thu, 1 Mar 2018 14:00:29 -0800
+Subject: RDMA/rxe: Fix an out-of-bounds read
+
+From: Bart Van Assche
+
+commit a6544a624c3ff92a64e4aca3931fa064607bd3da upstream.
+
+This patch avoids that KASAN reports the following when the SRP initiator
+calls srp_post_send():
+
+==================================================================
+BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x5c4/0x980 [rdma_rxe]
+Read of size 8 at addr ffff880066606e30 by task 02-mq/1074
+
+CPU: 2 PID: 1074 Comm: 02-mq Not tainted 4.16.0-rc3-dbg+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+dump_stack+0x85/0xc7
+print_address_description+0x65/0x270
+kasan_report+0x231/0x350
+rxe_post_send+0x5c4/0x980 [rdma_rxe]
+srp_post_send.isra.16+0x149/0x190 [ib_srp]
+srp_queuecommand+0x94d/0x1670 [ib_srp]
+scsi_dispatch_cmd+0x1c2/0x550 [scsi_mod]
+scsi_queue_rq+0x843/0xa70 [scsi_mod]
+blk_mq_dispatch_rq_list+0x143/0xac0
+blk_mq_do_dispatch_ctx+0x1c5/0x260
+blk_mq_sched_dispatch_requests+0x2bf/0x2f0
+__blk_mq_run_hw_queue+0xdb/0x160
+__blk_mq_delay_run_hw_queue+0xba/0x100
+blk_mq_run_hw_queue+0xf2/0x190
+blk_mq_sched_insert_request+0x163/0x2f0
+blk_execute_rq+0xb0/0x130
+scsi_execute+0x14e/0x260 [scsi_mod]
+scsi_probe_and_add_lun+0x366/0x13d0 [scsi_mod]
+__scsi_scan_target+0x18a/0x810 [scsi_mod]
+scsi_scan_target+0x11e/0x130 [scsi_mod]
+srp_create_target+0x1522/0x19e0 [ib_srp]
+kernfs_fop_write+0x180/0x210
+__vfs_write+0xb1/0x2e0
+vfs_write+0xf6/0x250
+SyS_write+0x99/0x110
+do_syscall_64+0xee/0x2b0
+entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+The buggy address belongs to the page:
+page:ffffea0001998180 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x4000000000000000()
+raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: dead000000000100 dead000000000200
0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ffff880066606d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
+ffff880066606d80: f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2
+>ffff880066606e00: f2 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00 00
+ ^
+ffff880066606e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ffff880066606f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+==================================================================
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Signed-off-by: Bart Van Assche
+Cc: Moni Shoua
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/sw/rxe/rxe_verbs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
+@@ -747,9 +747,8 @@ static int init_send_wqe(struct rxe_qp *
+ memcpy(wqe->dma.sge, ibwr->sg_list,
+ num_sge * sizeof(struct ib_sge));
+
+- wqe->iova = (mask & WR_ATOMIC_MASK) ?
+- atomic_wr(ibwr)->remote_addr :
+- rdma_wr(ibwr)->remote_addr;
++ wqe->iova = mask & WR_ATOMIC_MASK ? atomic_wr(ibwr)->remote_addr :
++ mask & WR_READ_OR_WRITE_MASK ? rdma_wr(ibwr)->remote_addr : 0;
+ wqe->mask = mask;
+ wqe->dma.length = length;
+ wqe->dma.resid = length;
diff --git a/queue-4.9/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch b/queue-4.9/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch
new file mode 100644
index 00000000000..c674950d630
--- /dev/null
+++ b/queue-4.9/rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch
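Review bot: The new nested conditional in init_send_wqe() is correct but hard to read: `mask & WR_ATOMIC_MASK ? a : mask & WR_READ_OR_WRITE_MASK ? b : 0` relies on `?:` binding looser than `&` and on its right-associativity, and the reason the third arm exists — that for a WR that is neither atomic nor RDMA read/write, `ibwr` is presumably a bare `struct ib_send_wr` and `rdma_wr(ibwr)->remote_addr` reads past the caller's object (the stack-out-of-bounds report above) — is not recorded at the site. Suggest parenthesising and commenting: `/* Only atomic and RDMA read/write WRs carry a remote address; for any other opcode rdma_wr()/atomic_wr() would read past the caller's ib_send_wr. */` followed by `wqe->iova = (mask & WR_ATOMIC_MASK) ? atomic_wr(ibwr)->remote_addr :` and `(mask & WR_READ_OR_WRITE_MASK) ? rdma_wr(ibwr)->remote_addr : 0;`. init_send_wqe() starts outside the hunk, so how `mask` is derived from the opcode cannot be checked here.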
@@ -0,0 +1,35 @@
+From 8435168d50e66fa5eae01852769d20a36f9e5e83 Mon Sep 17 00:00:00 2001
+From: Roland Dreier
+Date: Tue, 3 Apr 2018 15:33:01 -0700
+Subject: RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device
+
+From: Roland Dreier
+
+commit 8435168d50e66fa5eae01852769d20a36f9e5e83 upstream.
+
+Check to make sure that ctx->cm_id->device is set before we use it.
+Otherwise userspace can trigger a NULL dereference by doing
+RDMA_USER_CM_CMD_SET_OPTION on an ID that is not bound to a device.
+
+Cc:
+Reported-by:
+Signed-off-by: Roland Dreier
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1231,6 +1231,9 @@ static int ucma_set_ib_path(struct ucma_
+ if (!optlen)
+ return -EINVAL;
+
++ if (!ctx->cm_id->device)
++ return -EINVAL;
++
+ memset(&sa_path, 0, sizeof(sa_path));
+
+ ib_sa_unpack_path(path_data->path_rec, &sa_path);
diff --git a/queue-4.9/series b/queue-4.9/series
index 28ccf82a142..3113257e20a 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -36,3 +36,10 @@ ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch
 ext4-protect-i_disksize-update-by-i_data_sem-in-direct-write-path.patch
 ext4-add-validity-checks-for-bitmap-block-numbers.patch
 ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch
+rdma-ucma-don-t-allow-setting-rdma_option_ib_path-without-an-rdma-device.patch
+rdma-rxe-fix-an-out-of-bounds-read.patch
+alsa-pcm-fix-uaf-at-pcm-release-via-pcm-timer-access.patch
+ib-srp-fix-srp_abort.patch
+ib-srp-fix-completion-vector-assignment-algorithm.patch
+dmaengine-at_xdmac-fix-rare-residue-corruption.patch
+libnvdimm-namespace-use-a-safe-lookup-for-dimm-device-name.patch
--
2.47.3
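Review bot: The added `if (!ctx->cm_id->device)` test in ucma_set_ib_path() is a point-in-time read; if the ID can be bound to or unbound from a device concurrently with RDMA_USER_CM_CMD_SET_OPTION, the check can pass and the later use of `device` still see NULL, and nothing in the hunk shows which lock, if any, serialises the two (the function starts and ends outside it). If that serialisation exists, record it beside the check so the reasoning survives: `/* cm_id->device is only assigned by bind/resolve, which <LOCK-NAME> keeps from racing with set_option; reject IDs that were never bound. */`, with the placeholder replaced by the actual lock. Returning `-EINVAL` also makes "no device" indistinguishable from the `!optlen` failure just above it; keeping upstream's value is right for a stable backport, but the comment is the place to say that the conflation is deliberate.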