linux.git/drivers/misc, branch v4.6.3 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git misc: mic: Fix for double fetch security bug in VOP driver 2016-06-01T19:18:04+00:00 Ashutosh Dixit ashutosh.dixit@intel.com 2016-04-27T21:36:05+00:00 2a9369456a384d84c521c8ebb48d247e8738f84f commit 9bf292bfca94694a721449e3fd752493856710f6 upstream. The MIC VOP driver does two successive reads from user space to read a variable length data structure. Kernel memory corruption can result if the data structure changes between the two reads. This patch disallows the chance of this happening. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651 Reported by: Pengfei Wang <wpengfeinudt@gmail.com> Reviewed-by: Sudeep Dutt <sudeep.dutt@intel.com> Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 9bf292bfca94694a721449e3fd752493856710f6 upstream.

The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Sudeep Dutt <sudeep.dutt@intel.com>
Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: bus: call mei_cl_read_start under device lock 2016-06-01T19:18:00+00:00 Alexander Usyskin alexander.usyskin@intel.com 2016-05-03T22:54:21+00:00 b54260fe250203657e9eac54771005fe99a5463a commit bc46b45a421a64a0895dd41a34d3d2086e1ac7f6 upstream. Ensure that mei_cl_read_start is called under the device lock also in the bus layer. The function updates global ctrl_wr_list which should be locked. Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit bc46b45a421a64a0895dd41a34d3d2086e1ac7f6 upstream.

Ensure that mei_cl_read_start is called under the device lock
also in the bus layer. The function updates global ctrl_wr_list
which should be locked.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: amthif: discard not read messages 2016-06-01T19:18:00+00:00 Alexander Usyskin alexander.usyskin@intel.com 2016-04-17T16:16:04+00:00 293dc5cee23129f9a97b7661efb4705f43308cd9 commit 9d04ee11db7bf0d848266cbfd7db336097a0e239 upstream. When a message is received and amthif client is not in reading state the message is ignored and left dangling in the queue. This may happen after one of the amthif host connections is closed w/o completing the reading. Another client will pick up a wrong message on next read attempt which will lead to link reset. To prevent this the driver has to properly discard the message when amthif client is not in reading state. Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 9d04ee11db7bf0d848266cbfd7db336097a0e239 upstream.

When a message is received and amthif client is not in reading state
the message is ignored and left dangling in the queue. This may happen
after one of the amthif host connections is closed w/o completing the
reading. Another client will pick up a wrong message on next read
attempt which will lead to link reset.
To prevent this the driver has to properly discard the message when
amthif client is not in reading state.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: fix NULL dereferencing during FW initiated disconnection 2016-06-01T19:18:00+00:00 Alexander Usyskin alexander.usyskin@intel.com 2016-04-17T16:16:03+00:00 7f41001cf02dbd4369f04b04e57aeba481d4e635 commit 6a8d648c8d1824117a9e9edb948ed1611fb013c0 upstream. In the case when disconnection is initiated from the FW the driver is flushing items from the write control list while iterating over it: mei_irq_write_handler() list_for_each_entry_safe(ctrl_wr_list) <-- outer loop mei_cl_irq_disconnect_rsp() mei_cl_set_disconnected() mei_io_list_flush(ctrl_wr_list) <-- destorying list We move the list flushing to the completion routine. Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 6a8d648c8d1824117a9e9edb948ed1611fb013c0 upstream.

In the case when disconnection is initiated from the FW
the driver is flushing items from the write control list while
iterating over it:

mei_irq_write_handler()
    list_for_each_entry_safe(ctrl_wr_list)         <-- outer loop
         mei_cl_irq_disconnect_rsp()
             mei_cl_set_disconnected()
                 mei_io_list_flush(ctrl_wr_list)   <-- destorying list

We move the list flushing to the completion routine.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'char-misc-4.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc 2016-05-07T17:53:32+00:00 Linus Torvalds torvalds@linux-foundation.org 2016-05-07T17:53:32+00:00 32cf95db22d49cf4a3b421ba9fd156bb5f920ebb Pull misc driver fixes from Gfreg KH: "Here are three small fixes for some driver problems that were reported. Full details in the shortlog below. All of these have been in linux-next with no reported issues" * tag 'char-misc-4.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: nvmem: mxs-ocotp: fix buffer overflow in read Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read() misc: mic: Fix for double fetch security bug in VOP driver 
Pull misc driver fixes from Gfreg KH:
 "Here are three small fixes for some driver problems that were
  reported.  Full details in the shortlog below.

  All of these have been in linux-next with no reported issues"

* tag 'char-misc-4.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  nvmem: mxs-ocotp: fix buffer overflow in read
  Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read()
  misc: mic: Fix for double fetch security bug in VOP driver
Merge tag 'powerpc-4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux 2016-04-30T01:50:08+00:00 Linus Torvalds torvalds@linux-foundation.org 2016-04-30T01:50:08+00:00 1b46bac6275506db73592aa8b9bd1d67c79b95dc Pull powerpc fixes from Michael Ellerman: "A few more powerpc fixes for 4.6: - cxl: Keep IRQ mappings on context teardown from Michael Neuling - cxl: Poll for outstanding IRQs when detaching a context from Michael Neuling - Wire up preadv2 and pwritev2 syscalls from Rui Salvaterra" * tag 'powerpc-4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc: wire up preadv2 and pwritev2 syscalls cxl: Poll for outstanding IRQs when detaching a context cxl: Keep IRQ mappings on context teardown 
Pull powerpc fixes from Michael Ellerman:
 "A few more powerpc fixes for 4.6:

   - cxl: Keep IRQ mappings on context teardown from Michael Neuling

   - cxl: Poll for outstanding IRQs when detaching a context from
     Michael Neuling

   - Wire up preadv2 and pwritev2 syscalls from Rui Salvaterra"

* tag 'powerpc-4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc: wire up preadv2 and pwritev2 syscalls
  cxl: Poll for outstanding IRQs when detaching a context
  cxl: Keep IRQ mappings on context teardown
misc: mic: Fix for double fetch security bug in VOP driver 2016-04-27T22:30:58+00:00 Ashutosh Dixit ashutosh.dixit@intel.com 2016-04-27T21:36:05+00:00 82dc4afd7e65455464f0fc2fe6976efde54fe451 The MIC VOP driver does two successive reads from user space to read a variable length data structure. Kernel memory corruption can result if the data structure changes between the two reads. This patch disallows the chance of this happening. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651 Reported by: Pengfei Wang <wpengfeinudt@gmail.com> Reviewed-by: Sudeep Dutt <sudeep.dutt@intel.com> Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Sudeep Dutt <sudeep.dutt@intel.com>
Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
cxl: Poll for outstanding IRQs when detaching a context 2016-04-27T02:04:48+00:00 Michael Neuling mikey@neuling.org 2016-04-22T04:57:49+00:00 2bc79ffcbb817873cc43d63118008ab75181b73d When detaching contexts, we may still have interrupts in the system which are yet to be delivered to any CPU and be acked in the PSL. This can result in a subsequent unrelated process getting an spurious IRQ or an interrupt for a non-existent context. This polls the PSL to ensure that the PSL is clear of IRQs for the detached context, before removing the context from the idr. Signed-off-by: Michael Neuling <mikey@neuling.org> Tested-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> Acked-by: Ian Munsie <imunsie@au1.ibm.com> Tested-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 
When detaching contexts, we may still have interrupts in the system
which are yet to be delivered to any CPU and be acked in the PSL.
This can result in a subsequent unrelated process getting an spurious
IRQ or an interrupt for a non-existent context.

This polls the PSL to ensure that the PSL is clear of IRQs for the
detached context, before removing the context from the idr.

Signed-off-by: Michael Neuling <mikey@neuling.org>
Tested-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Acked-by: Ian Munsie <imunsie@au1.ibm.com>
Tested-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
cxl: Keep IRQ mappings on context teardown 2016-04-27T02:04:31+00:00 Michael Neuling mikey@neuling.org 2016-04-22T04:57:48+00:00 d6776bba44d9752f6cdf640046070e71ee4bba7b Keep IRQ mappings on context teardown. This won't leak IRQs as if we allocate the mapping again, the generic code will give the same mapping used last time. Doing this works around a race in the generic code. Masking the interrupt introduces a race which can crash the kernel or result in IRQ that is never EOIed. The lost of EOI results in all subsequent mappings to the same HW IRQ never receiving an interrupt. We've seen this race with cxl test cases which are doing heavy context startup and teardown at the same time as heavy interrupt load. A fix to the generic code is being investigated also. Signed-off-by: Michael Neuling <mikey@neuling.org> Cc: stable@vger.kernel.org # 3.8 Tested-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> Acked-by: Ian Munsie <imunsie@au1.ibm.com> Tested-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 
Keep IRQ mappings on context teardown.  This won't leak IRQs as if we
allocate the mapping again, the generic code will give the same
mapping used last time.

Doing this works around a race in the generic code. Masking the
interrupt introduces a race which can crash the kernel or result in
IRQ that is never EOIed. The lost of EOI results in all subsequent
mappings to the same HW IRQ never receiving an interrupt.

We've seen this race with cxl test cases which are doing heavy context
startup and teardown at the same time as heavy interrupt load.

A fix to the generic code is being investigated also.

Signed-off-by: Michael Neuling <mikey@neuling.org>
Cc: stable@vger.kernel.org # 3.8
Tested-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Acked-by: Ian Munsie <imunsie@au1.ibm.com>
Tested-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
lkdtm: do not leak free page on kmalloc failure 2016-04-06T23:22:25+00:00 Kees Cook keescook@chromium.org 2016-04-06T22:53:27+00:00 3d085c7413d32bb6895e5b9b5ee6a7d2180159c5 This frees the allocated page if there is a kmalloc failure. Signed-off-by: Kees Cook <keescook@chromium.org> 
This frees the allocated page if there is a kmalloc failure.

Signed-off-by: Kees Cook <keescook@chromium.org>