There are many code paths opencoding kvmalloc. Let's use the helper
instead. The main difference to kvmalloc is that those users are
usually not considering all the aspects of the memory allocator. E.g.
allocation requests <= 32kB (with 4kB pages) are basically never failing
and invoke OOM killer to satisfy the allocation. This sounds too
disruptive for something that has a reasonable fallback - the vmalloc.
On the other hand those requests might fallback to vmalloc even when the
memory allocator would succeed after several more reclaim/compaction
attempts previously. There is no guarantee something like that happens
though.
This patch converts many of those places to kv[mz]alloc* helpers because
they are more conservative.
Link: http://lkml.kernel.org/r/20170306103327.2766-2-mhocko@kernel.org
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> # Xen bits
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Andreas Dilger <andreas.dilger@intel.com> # Lustre
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> # KVM/s390
Acked-by: Dan Williams <dan.j.williams@intel.com> # nvdim
Acked-by: David Sterba <dsterba@suse.com> # btrfs
Acked-by: Ilya Dryomov <idryomov@gmail.com> # Ceph
Acked-by: Tariq Toukan <tariqt@mellanox.com> # mlx4
Acked-by: Leon Romanovsky <leonro@mellanox.com> # mlx5
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Anton Vorontsov <anton@enomsg.org>
Cc: Colin Cross <ccross@android.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Ben Skeggs <bskeggs@redhat.com>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Santosh Raspatur <santosh@chelsio.com>
Cc: Hariprasad S <hariprasad@chelsio.com>
Cc: Yishai Hadas <yishaih@mellanox.com>
Cc: Oleg Drokin <oleg.drokin@intel.com>
Cc: "Yan, Zheng" <zyan@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4xT1kACgkQONu9yGCS
aT7d9Q/9FvxHEFvYlet8Bfx/uLFsVGOKwDiZ+e7eQhYqzamdl75qLbPbPqcyfeDO
hCa87JFJCCpRlcHjSvdNk/IF9rRpA6+Wi7FijX/UjgmWNPCao6qb5vBRoH9KMgOk
rtDnIp+klLcG+xLAnTkLgAVCm7osGMVZgwKKqhCLEKdVIT38VlP9nCipehTeMmrS
1f8sqQhqXt0FpticFP5JVJXg3iH5bdqXNc9eCXuF1h7nudYEut8v5NFoF3w0EInZ
iMKnLhbfR9ScOpzaWE/Hg5tJIUwFG9l/IhlDDJJk3O0oTKzs+ZM4N8+RzZ3iFy+N
JNzspQatLKIHSbGGyGK61bu4Eq2bGdCaQMPcMmFHiDKtz7+thE7bjZOcPjzo4pjA
3JJ9ytVUAujIXKryed5E/vNfG6W/puIY6xaM1LPJPIYGa20/0gJGiWXnsXBk6NxG
EvkuC1nwYcIdkopYqM4OZz8n63ywya0pY5JifVW6q3zYU8sqwC9mkkAYGjT0IRb8
llvUyaO05nIDJkY2mgv124cxxyKTsUYPc7+c/VTW7HGyzAc7MLPOpYDbXZHW9WWT
GNGhlBJlk1UK87CRoHswuPgmx+eABXtGjmwHQJbxRmf1y7aWFNjYBKAyQCi9y/sm
XW4LT4l4JhT3xB5SFcti1iqchD2OFk65CKCFeHkm54URXb68Qjs=
=PuM5
-----END PGP SIGNATURE-----
Merge 4.9.212 into android-4.9-q
Changes in 4.9.212
xfs: Sanity check flags of Q_XQUOTARM call
powerpc/archrandom: fix arch_get_random_seed_int()
mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
drm/sti: do not remove the drm_bridge that was never added
drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
ALSA: hda: fix unused variable warning
IB/rxe: replace kvfree with vfree
ALSA: usb-audio: update quirk for B&W PX to remove microphone
staging: comedi: ni_mio_common: protect register write overflow
pwm: lpss: Release runtime-pm reference from the driver's remove callback
mlxsw: reg: QEEC: Add minimum shaper fields
pcrypt: use format specifier in kobject_add
exportfs: fix 'passing zero to ERR_PTR()' warning
drm/dp_mst: Skip validating ports during destruction, just ref
net: phy: Fix not to call phy_resume() if PHY is not attached
pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group
pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group
pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group
pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group
pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group
pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field
pinctrl: sh-pfc: sh7734: Add missing IPSR11 field
pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field
pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value
Input: nomadik-ske-keypad - fix a loop timeout test
clk: highbank: fix refcount leak in hb_clk_init()
clk: qoriq: fix refcount leak in clockgen_init()
clk: socfpga: fix refcount leak
clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
clk: imx6q: fix refcount leak in imx6q_clocks_init()
clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
clk: imx7d: fix refcount leak in imx7d_clocks_init()
clk: vf610: fix refcount leak in vf610_clocks_init()
clk: armada-370: fix refcount leak in a370_clk_init()
clk: kirkwood: fix refcount leak in kirkwood_clk_init()
clk: armada-xp: fix refcount leak in axp_clk_init()
clk: dove: fix refcount leak in dove_clk_init()
IB/usnic: Fix out of bounds index check in query pkey
RDMA/ocrdma: Fix out of bounds index check in query pkey
RDMA/qedr: Fix out of bounds index check in query pkey
arm64: dts: apq8016-sbc: Increase load on l11 for SDCARD
drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump()
media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
crypto: tgr192 - fix unaligned memory access
ASoC: imx-sgtl5000: put of nodes if finding codec fails
IB/iser: Pass the correct number of entries for dma mapped SGL
rtc: cmos: ignore bogus century byte
clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it
iwlwifi: mvm: fix A-MPDU reference assignment
tty: ipwireless: Fix potential NULL pointer dereference
crypto: crypto4xx - Fix wrong ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments
ARM: dts: lpc32xx: add required clocks property to keypad device node
ARM: dts: lpc32xx: reparent keypad controller to SIC1
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller clocks property
ARM: dts: lpc32xx: phy3250: fix SD card regulator voltage
iwlwifi: mvm: fix RSS config command
staging: most: cdev: add missing check for cdev_add failure
rtc: ds1672: fix unintended sign extension
thermal: mediatek: fix register index error
net: phy: fixed_phy: Fix fixed_phy not checking GPIO
rtc: 88pm860x: fix unintended sign extension
rtc: 88pm80x: fix unintended sign extension
rtc: pm8xxx: fix unintended sign extension
fbdev: chipsfb: remove set but not used variable 'size'
iw_cxgb4: use tos when importing the endpoint
iw_cxgb4: use tos when finding ipv6 routes
pinctrl: sh-pfc: emev2: Add missing pinmux functions
pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
pinctrl: sh-pfc: r8a7792: Fix vin1_data18_b pin group
pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
usb: phy: twl6030-usb: fix possible use-after-free on remove
block: don't use bio->bi_vcnt to figure out segment number
keys: Timestamp new keys
vfio_pci: Enable memory accesses before calling pci_map_rom
dmaengine: mv_xor: Use correct device for DMA API
cdc-wdm: pass return value of recover_from_urb_loss
regulator: pv88060: Fix array out-of-bounds access
regulator: pv88080: Fix array out-of-bounds access
regulator: pv88090: Fix array out-of-bounds access
net: dsa: qca8k: Enable delay for RGMII_ID mode
drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON
drm/nouveau/pmu: don't print reply values if exec is false
ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of()
fs/nfs: Fix nfs_parse_devname to not modify it's argument
NFS: Fix a soft lockup in the delegation recovery code
clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable
clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
mmc: sdhci-brcmstb: handle mmc_of_parse() errors during probe
ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used
ARM: 8848/1: virt: Align GIC version check with arm64 counterpart
regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
nios2: ksyms: Add missing symbol exports
scsi: megaraid_sas: reduce module load time
drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
xen, cpu_hotplug: Prevent an out of bounds access
net: sh_eth: fix a missing check of of_get_phy_mode
media: ivtv: update *pos correctly in ivtv_read_pos()
media: cx18: update *pos correctly in cx18_read_pos()
media: wl128x: Fix an error code in fm_download_firmware()
media: cx23885: check allocation return
regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB
jfs: fix bogus variable self-initialization
tipc: tipc clang warning
m68k: mac: Fix VIA timer counter accesses
ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset()
media: davinci-isif: avoid uninitialized variable use
media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
spi: tegra114: clear packed bit for unpacked mode
spi: tegra114: fix for unpacked mode transfers
soc/fsl/qe: Fix an error code in qe_pin_request()
spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios
ehea: Fix a copy-paste err in ehea_init_port_res
scsi: qla2xxx: Unregister chrdev if module initialization fails
ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data"
hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses
tipc: set sysctl_tipc_rmem and named_timeout right range
powerpc: vdso: Make vdso32 installation conditional in vdso_install
ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect
media: ov2659: fix unbalanced mutex_lock/unlock
6lowpan: Off by one handling ->nexthdr
dmaengine: axi-dmac: Don't check the number of frames for alignment
ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk()
packet: in recvmsg msg_name return at least sizeof sockaddr_ll
ASoC: fix valid stream condition
usb: gadget: fsl: fix link error against usb-gadget module
IB/mlx5: Add missing XRC options to QP optional params mask
iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU
net: ena: fix swapped parameters when calling ena_com_indirect_table_fill_entry
net: ena: fix: Free napi resources when ena_up() fails
net: ena: fix incorrect test of supported hash function
net: ena: fix ena_com_fill_hash_function() implementation
dmaengine: tegra210-adma: restore channel status
l2tp: Fix possible NULL pointer dereference
media: omap_vout: potential buffer overflow in vidioc_dqbuf()
media: davinci/vpbe: array underflow in vpbe_enum_outputs()
platform/x86: alienware-wmi: printing the wrong error code
netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
pwm: meson: Don't disable PWM when setting duty repeatedly
ARM: riscpc: fix lack of keyboard interrupts after irq conversion
kdb: do a sanity check on the cpu in kdb_per_cpu()
backlight: lm3630a: Return 0 on success in update_status functions
thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
dmaengine: tegra210-adma: Fix crash during probe
spi: spi-fsl-spi: call spi_finalize_current_message() at the end
crypto: ccp - fix AES CFB error exposed by new test vectors
serial: stm32: fix transmit_chars when tx is stopped
misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa
iommu: Use right function to get group for device
signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig
inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
media: vivid: fix incorrect assignment operation when setting video mode
powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild
drm/msm/mdp5: Fix mdp5_cfg_init error return
net: netem: fix backlog accounting for corrupted GSO frames
net/af_iucv: always register net_device notifier
ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs
rtc: pcf8563: Clear event flags and disable interrupts before requesting irq
drm/msm/a3xx: remove TPL1 regs from snapshot
perf/ioctl: Add check for the sample_period value
dmaengine: hsu: Revert "set HSU_CH_MTSR to memory width"
clk: qcom: Fix -Wunused-const-variable
iommu/amd: Make iommu_disable safer
mfd: intel-lpss: Release IDA resources
rxrpc: Fix uninitialized error code in rxrpc_send_data_packet()
devres: allow const resource arguments
RDMA/hns: Fixs hw access invalid dma memory error
net: pasemi: fix an use-after-free in pasemi_mac_phy_init()
scsi: libfc: fix null pointer dereference on a null lport
libertas_tf: Use correct channel range in lbtf_geo_init
qed: reduce maximum stack frame size
usb: host: xhci-hub: fix extra endianness conversion
mic: avoid statically declaring a 'struct device'.
x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI
ALSA: aoa: onyx: always initialize register read value
net/mlx5: Fix mlx5_ifc_query_lag_out_bits
cifs: fix rmmod regression in cifs.ko caused by force_sig changes
crypto: caam - free resources in case caam_rng registration failed
ext4: set error return correctly when ext4_htree_store_dirent fails
ASoC: es8328: Fix copy-paste error in es8328_right_line_controls
ASoC: cs4349: Use PM ops 'cs4349_runtime_pm'
ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls
signal: Allow cifs and drbd to receive their terminating signals
ASoC: sun4i-i2s: RX and TX counter registers are swapped
dmaengine: dw: platform: Switch to acpi_dma_controller_register()
mac80211: minstrel_ht: fix per-group max throughput rate initialization
mips: avoid explicit UB in assignment of mips_io_port_base
ahci: Do not export local variable ahci_em_messages
Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()"
hwmon: (lm75) Fix write operations for negative temperatures
power: supply: Init device wakeup after device_add()
x86, perf: Fix the dependency of the x86 insn decoder selftest
staging: greybus: light: fix a couple double frees
bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
iio: dac: ad5380: fix incorrect assignment to val
ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init
net: sonic: return NETDEV_TX_OK if failed to map buffer
Btrfs: fix hang when loading existing inode cache off disk
hwmon: (shtc1) fix shtc1 and shtw1 id mask
net: sonic: replace dev_kfree_skb in sonic_send_packet
net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names'
iommu/amd: Wait for completion of IOTLB flush in attach_device
net: hisilicon: Fix signedness bug in hix5hd2_dev_probe()
net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe()
net: stmmac: dwmac-meson8b: Fix signedness bug in probe
of: mdio: Fix a signedness bug in of_phy_get_and_connect()
net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse()
nvme: retain split access workaround for capability reads
net: stmmac: gmac4+: Not all Unicast addresses may be available
mac80211: accept deauth frames in IBSS mode
llc: fix another potential sk_buff leak in llc_ui_sendmsg()
llc: fix sk_buff refcounting in llc_conn_state_process()
net: stmmac: fix length of PTP clock's name string
act_mirred: Fix mirred_init_module error handling
drm/msm/dsi: Implement reset correctly
dmaengine: imx-sdma: fix size check for sdma script_number
net: netem: fix error path for corrupted GSO frames
net: netem: correct the parent's backlog when corrupted packet was dropped
net: qca_spi: Move reset_count to struct qcaspi
afs: Fix large file support
media: ov6650: Fix incorrect use of JPEG colorspace
media: ov6650: Fix some format attributes not under control
media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support
MIPS: Loongson: Fix return value of loongson_hwmon_init
net: neigh: use long type to store jiffies delta
packet: fix data-race in fanout_flow_is_huge()
dmaengine: ti: edma: fix missed failure handling
drm/radeon: fix bad DMA from INTERRUPT_CNTL2
arm64: dts: juno: Fix UART frequency
IB/iser: Fix dma_nents type definition
m68k: Call timer_interrupt() with interrupts disabled
net: ethtool: Add back transceiver type
net: phy: Keep reporting transceiver type
can, slip: Protect tty->disc_data in write_wakeup and close with RCU
firestream: fix memory leaks
net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
net, ip6_tunnel: fix namespaces move
net, ip_tunnel: fix namespaces move
net_sched: fix datalen for ematch
tcp_bbr: improve arithmetic division in bbr_update_bw()
net: usb: lan78xx: Add .ndo_features_check
gtp: make sure only SOCK_DGRAM UDP sockets are accepted
hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
hwmon: (core) Simplify sysfs attribute name allocation
hwmon: Deal with errors from the thermal subsystem
hwmon: (core) Fix double-free in __hwmon_device_register()
hwmon: (core) Do not use device managed functions for memory allocations
Input: keyspan-remote - fix control-message timeouts
ARM: 8950/1: ftrace/recordmcount: filter relocation types
mmc: tegra: fix SDR50 tuning override
mmc: sdhci: fix minimum clock rate for v3 controller
Input: sur40 - fix interface sanity checks
Input: gtco - fix endpoint sanity check
Input: aiptek - fix endpoint sanity check
Input: pegasus_notetaker - fix endpoint sanity check
Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register
hwmon: (nct7802) Fix voltage limits to wrong registers
scsi: RDMA/isert: Fix a recently introduced regression related to logout
tracing: xen: Ordered comparison of function pointers
do_last(): fetch directory ->i_mode and ->i_uid before it's too late
Documentation: Document arm64 kpti control
arm64: kpti: Whitelist Cortex-A CPUs that don't implement the CSV3 field
coresight: etb10: Do not call smp_processor_id from preemptible
coresight: tmc-etf: Do not call smp_processor_id from preemptible
libertas: Fix two buffer overflows at parsing bss descriptor
bcache: silence static checker warning
scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
md: Avoid namespace collision with bitmap API
bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free()
netfilter: ipset: use bitmap infrastructure completely
net/x25: fix nonblocking connect
Linux 4.9.212
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I2e83a05c5f119a7467a4d6984045d45d0c06b764
[ Upstream commit 7c1857bdbdf1e4c541e45eab477ee23ed4333ea4 ]
Set the timestamp on new keys rather than leaving it unset.
Fixes: 31d5a79d7f ("KEYS: Do LRU discard in full keyrings")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl2Fsb0ACgkQONu9yGCS
aT5mJg//ax1zYVGrIBnEKe9PfdG0T83VhkxQyekFZ7K8pO0egaYFk3saHRX45o7n
dIT0mqUZSE/w2eDk+kx/JSiI6+p4GpK+3+Ku8kD8w+9CB0lpSZxKPexmPylQqrW5
axGyHNzrCgcQVfo1rYYPL0E/unc/OOoWTxJlLgWL2Wqr5mjx6ZRHmSvo9Gwx9XA5
VkgTFEusLveMS9LEfMzwFavvFrclfQRqLMciyf6F24Jbw0wzSFvh0IY/qlzCTXcQ
SciAjIgX6Duh4FgeRTI1uYhqiNoozGnQ+pM+V+YCq3BIUFj/aeB8njrljGGDTAw3
cG8UxoYQzLygJlshK2k9PferbBM28SlJkSSn8GpS5MzTKmEfrT/WbtR+VN7rnJkg
qDJ+OHg8vZ/JvWDxh4V5AwiIT3xyov26zkAjf/GhXYOD8O70AJpz+0qQtxRAsX04
gd+jue8BvEWUQPlhN+eyw9M9oacx8wMkeg2sndCVC0YmFlX9S1AUuJqQIxnrqhwC
uxDpAATqjhUHT4Ut0ishGOPsiZ42h55CW/NKsqmn1y58OQ8Z8/JCWIF8XRvuA5uS
WS71NDAf4SDp5ivHOqQdwEYr6dy3Xw0S8KE+PxjLO5ZEjb59r7oPr5V3Ge91met6
KrDwQn3/JDwRxPxEI38yTKUTdrbnkHM47CdwRdoGWx+By1dmcH0=
=YnXX
-----END PGP SIGNATURE-----
Merge 4.9.194 into android-4.9-q
Changes in 4.9.194
bridge/mdb: remove wrong use of NLM_F_MULTI
cdc_ether: fix rndis support for Mediatek based smartphones
ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
isdn/capi: check message length in capi_write()
net: Fix null de-reference of device refcount
net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list
sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
tipc: add NULL pointer check before calling kfree_rcu
tun: fix use-after-free when register netdev failed
Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur"
gpio: fix line flag validation in linehandle_create
gpio: fix line flag validation in lineevent_create
Btrfs: fix assertion failure during fsync and use of stale transaction
genirq: Prevent NULL pointer dereference in resend_irqs()
KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
KVM: x86: work around leak of uninitialized stack contents
KVM: nVMX: handle page fault in vmread
MIPS: VDSO: Prevent use of smp_processor_id()
MIPS: VDSO: Use same -m%-float cflag as the kernel proper
clk: rockchip: Don't yell about bad mmc phases when getting
mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue
driver core: Fix use-after-free and double free on glue directory
crypto: talitos - check AES key size
crypto: talitos - fix CTR alg blocksize
crypto: talitos - check data blocksize in ablkcipher.
crypto: talitos - fix ECB algs ivsize
crypto: talitos - Do not modify req->cryptlen on decryption.
crypto: talitos - HMAC SNOOP NO AFEU mode requires SW icv checking.
drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto
nvmem: Use the same permissions for eeprom as for nvmem
x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning
USB: usbcore: Fix slab-out-of-bounds bug during device reset
media: tm6000: double free if usb disconnect while streaming
powerpc/mm/radix: Use the right page size for vmemmap mapping
x86/boot: Add missing bootparam that breaks boot on some platforms
xen-netfront: do not assume sk_buff_head list is empty in error handling
KVM: coalesced_mmio: add bounds checking
serial: sprd: correct the wrong sequence of arguments
tty/serial: atmel: reschedule TX after RX was started
mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss
s390/bpf: fix lcgr instruction encoding
ARM: OMAP2+: Fix omap4 errata warning on other SoCs
s390/bpf: use 32-bit index for tail calls
NFSv4: Fix return values for nfs4_file_open()
NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105
qed: Add cleanup in qed_slowpath_start()
ARM: 8874/1: mm: only adjust sections of valid mm structures
batman-adv: Only read OGM2 tvlv_len after buffer len check
r8152: Set memory to all 0xFFs on failed reg reads
x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines
netfilter: nf_conntrack_ftp: Fix debug output
NFSv2: Fix eof handling
NFSv2: Fix write regression
cifs: set domainName when a domain-key is used in multiuser
cifs: Use kzfree() to zero out the password
ARM: 8901/1: add a criteria for pfn_valid of arm
sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
perf/x86/intel: Restrict period on Nehalem
perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops
tools/power turbostat: fix buffer overrun
net: seeq: Fix the function used to release some memory in an error handling path
dmaengine: ti: dma-crossbar: Fix a memory leak bug
dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
x86/uaccess: Don't leak the AC flags into __get_user() argument evaluation
keys: Fix missing null pointer check in request_key_auth_describe()
iommu/amd: Fix race in increase_address_space()
floppy: fix usercopy direction
media: technisat-usb2: break out of loop at end of buffer
ARC: export "abort" for modules
net_sched: let qdisc_put() accept NULL pointer
Linux 4.9.194
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit d41a3effbb53b1bcea41e328d16a4d046a508381 ]
If a request_key authentication token key gets revoked, there's a window in
which request_key_auth_describe() can see it with a NULL payload - but it
makes no check for this and something like the following oops may occur:
BUG: Kernel NULL pointer dereference at 0x00000038
Faulting instruction address: 0xc0000000004ddf30
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [...] request_key_auth_describe+0x90/0xd0
LR [...] request_key_auth_describe+0x54/0xd0
Call Trace:
[...] request_key_auth_describe+0x54/0xd0 (unreliable)
[...] proc_keys_show+0x308/0x4c0
[...] seq_read+0x3d0/0x540
[...] proc_reg_read+0x90/0x110
[...] __vfs_read+0x3c/0x70
[...] vfs_read+0xb4/0x1b0
[...] ksys_read+0x7c/0x130
[...] system_call+0x5c/0x70
Fix this by checking for a NULL pointer when describing such a key.
Also make the read routine check for a NULL pointer to be on the safe side.
[DH: Modified to not take already-held rcu lock and modified to also check
in the read routine]
Fixes: 04c567d931 ("[PATCH] Keys: Fix race between two instantiators of a key")
Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlyQ3RQACgkQONu9yGCS
aT7TLw/9F5gfxXx9TrLxmXwviMNzg1PFdCSFRVjuqw0ljPdpP0jS/mNtfGIr2O4U
pUeI0Rqm5Tc4QiiEX3hsCcySTIMU1MmkGFZ10kwLEB4STX0CcyJhBleLDZaaynbH
Dqt6yiZPDKNAoKh/AdaoghYIrIYpXvXhKLsny7lrYJWXkj4g7qFKO1uI1+MGUDLV
0xI2byZ1xfd+BCB9OExoUFpSERqfYDOir/XCgYItinggsDW5UTNXm4AelcF6E6ne
9emmYxBVCHls4Fl+4uyC6GPlm+WEQkPt3dUl9gTCjqIJMleQLj3gz1xkLKkB/+DO
Ih1/73+GdTDD5mnV81ZoYsfzkGMRJfAwGy1okgijn/iyl3QFLQ5iQu/WqjO5FIGi
l2f85hOO3H3hFdibteVGgta2Y741+hB3CogC+Uqt4rn02Z2QQ80sZLLsbDz2GGy/
d6Hz3YXt+CBM/e2Whcf+VRnC4zyEk/j8fhhfkKxCHAg74BPR0/2iU4tXvC0vIqRd
+gk+J6A2HL9fgabx7bZnxymlucUhBzk6EFmjBk3YeELx65xYI5d70MuWAFkVzGpm
VsGK6fasGHmB6xKNoq+yhA5IBdCMlbMGgbA8K4gIs1jNaU5f3FxdLrB5W01EHUyz
bE6QLu/likXifOrAihmvjBmbkIHp2nbeEYMAoQEo7bZC4tScAZs=
=akoG
-----END PGP SIGNATURE-----
Merge 4.9.164 into android-4.9
Changes in 4.9.164
ACPICA: Reference Counts: increase max to 0x4000 for large servers
KEYS: restrict /proc/keys by credentials at open time
l2tp: fix infoleak in l2tp_ip6_recvmsg()
net: hsr: fix memory leak in hsr_dev_finalize()
net/hsr: fix possible crash in add_timer()
net: sit: fix UBSAN Undefined behaviour in check_6rd
net/x25: fix use-after-free in x25_device_event()
net/x25: reset state in x25_connect()
pptp: dst_release sk_dst_cache in pptp_sock_destruct
ravb: Decrease TxFIFO depth of Q3 and Q2 to one
route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
tcp: handle inet_csk_reqsk_queue_add() failures
vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
net/mlx4_core: Fix reset flow when in command polling mode
net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling
net/mlx4_core: Fix qp mtt size calculation
net/x25: fix a race in x25_bind()
mdio_bus: Fix use-after-free on device_register fails
net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255
missing barriers in some of unix_sock ->addr and ->path accesses
ipvlan: disallow userns cap_net_admin to change global mode/flags
vxlan: Fix GRO cells race condition between receive and link delete
rxrpc: Fix client call queueing, waiting for channel
gro_cells: make sure device is up in gro_cells_receive()
tcp/dccp: remove reqsk_put() from inet_child_forget()
perf/x86: Fixup typo in stub functions
ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
It's wrong to add len to sector_nr in raid10 reshape twice
mmc: tmio_mmc_core: don't claim spurious interrupts
of: Support const and non-const use for to_of_node()
vhost/vsock: fix vhost vsock cid hashing inconsistent
Linux 4.9.164
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 4aa68e07d845562561f5e73c04aa521376e95252 upstream.
When checking for permission to view keys whilst reading from
/proc/keys, we should use the credentials with which the /proc/keys file
was opened. This is because, in a classic type of exploit, it can be
possible to bypass checks for the *current* credentials by passing the
file descriptor to a suid program.
Following commit 34dbbcdbf6 ("Make file credentials available to the
seqfile interfaces") we can finally fix it. So let's do it.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlx2U0AACgkQONu9yGCS
aT6W1g//fNWwDub0IGC1rDim+yd40rvgSXz7JkZLi+vog90ucwmogIbK9BOMqZcn
y1Sz6M43EpUOxP039tbVVah+ay6nN6v/Y/PZXLtBHjk6OqRfaY6RNvmsdrej8Trj
cgVmsh9gohGLy3hcNz0hIcNrnOL4vAUvp2el56kOlkAZo1iascsuDKXFynlGsx9r
d/RhNr5MnjdDCjOTTdVaoSnLCdmeFZSKvnPrvHYqYlLzJ5/SeGMqRK5i+SYkveHG
OVL/OpadIwxTnCdwJLeYafSj4AL0nnhjDN9rTvrU4FWL6GKjCESBMaaMJA+e/Na7
l/PdytwJlHzr7PZYDvKZo3Rxq0R3+seUr1JxaUsBEJSuqNStEFG1RGwvm2JYW6M5
8NhFYDjHAtkZlTFUxEioku4Dy1UyvgaCHKMdUTUXMm3EMx8GKkeg0JBZwQqSvR4m
xxCx1clekmGf9linQ2tg6iZQaH9r64sLER/kH3fqrhiMR2e70/C1tjLejochNsl7
pmrMtrmgq7r5UdBiGeROGuSV4iB9mLW+DpbmBmkS1aBBDz9l//AW2EXb5dbedPjQ
HyMrZKyaDLxXcK0TF4s2qJI6+nzV6j9OAL9js8Ra+/AZO0ZGc19C4H2BJRh8yjcv
r3RILeRySERFgyVS6SAmHdp4XDiN0FfZE8AFIMqf9PjSzAWTyj4=
=LpSD
-----END PGP SIGNATURE-----
Merge 4.9.161 into android-4.9
Changes in 4.9.161
mac80211: Free mpath object when rhashtable insertion fails
libceph: handle an empty authorize reply
ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES
proc, oom: do not report alien mms when setting oom_score_adj
KEYS: allow reaching the keys quotas exactly
mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells
mfd: twl-core: Fix section annotations on {,un}protect_pm_master
mfd: db8500-prcmu: Fix some section annotations
mfd: mt6397: Do not call irq_domain_remove if PMIC unsupported
mfd: ab8500-core: Return zero in get_register_interruptible()
mfd: qcom_rpm: write fw_version to CTRL_REG
mfd: wm5110: Add missing ASRC rate register
mfd: mc13xxx: Fix a missing check of a register-read failure
qed: Fix qed_ll2_post_rx_buffer_notify_fw() by adding a write memory barrier
net: hns: Fix use after free identified by SLUB debug
MIPS: ath79: Enable OF serial ports in the default config
scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
scsi: isci: initialize shost fully before calling scsi_add_host()
MIPS: jazz: fix 64bit build
net: stmmac: Fix PCI module removal leak
isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
atm: he: fix sign-extension overflow on large shift
leds: lp5523: fix a missing check of return value of lp55xx_read
mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky
net/mlx5e: Fix wrong (zero) TX drop counter indication for representor
isdn: avm: Fix string plus integer warning from Clang
net: ethernet: stmmac: change dma descriptors to __le32
RDMA/srp: Rework SCSI device reset handling
KEYS: user: Align the payload buffer
KEYS: always initialize keyring_index_key::desc_len
batman-adv: fix uninit-value in batadv_interface_tx()
net/packet: fix 4gb buffer limit due to overflow check
team: avoid complex list operations in team_nl_cmd_options_set()
sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment
net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames
parisc: Fix ptrace syscall number modification
ARCv2: Enable unaligned access in early ASM code
ARC: U-boot: check arguments paranoidly
ARC: define ARCH_SLAB_MINALIGN = 8
hpet: Make cmd parameter of hpet_ioctl_common() unsigned
clocksource: Use GENMASK_ULL in definition of CLOCKSOURCE_MASK
netpoll: Fix device name check in netpoll_setup()
tracing: Use cpumask_available() to check if cpumask variable may be used
x86/boot: Disable the address-of-packed-member compiler warning
drm/i915: Consistently use enum pipe for PCH transcoders
drm/i915: Fix enum pipe vs. enum transcoder for the PCH transcoder
kbuild: move cc-option and cc-disable-warning after incl. arch Makefile
kbuild: clang: fix build failures with sparse check
kbuild: clang: remove crufty HOSTCFLAGS
kbuild: clang: disable unused variable warnings only when constant
kbuild: set no-integrated-as before incl. arch Makefile
kbuild: add -no-integrated-as Clang option unconditionally
irqchip/gic-v3: Convert arm64 GIC accessors to {read,write}_sysreg_s
mm/zsmalloc.c: change stat type parameter to int
mm/zsmalloc.c: fix -Wunneeded-internal-declaration warning
Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
netfilter: nf_tables: fix flush after rule deletion in the same batch
pinctrl: max77620: Use define directive for max77620_pinconf_param values
phy: tegra: remove redundant self assignment of 'map'
sched/sysctl: Fix attributes of some extern declarations
kbuild: consolidate Clang compiler flags
Linux 4.9.161
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit ede0fa98a900e657d1fcd80b50920efc896c1a4c upstream.
syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin()
called from construct_alloc_key() during sys_request_key(), because the
length of the key description was never calculated.
The problem is that we rely on ->desc_len being initialized by
search_process_keyrings(), specifically by search_nested_keyrings().
But, if the process isn't subscribed to any keyrings that never happens.
Fix it by always initializing keyring_index_key::desc_len as soon as the
description is set, like we already do in some places.
The following program reproduces the BUG_ON() when it's run as root and
no session keyring has been installed. If it doesn't work, try removing
pam_keyinit.so from /etc/pam.d/login and rebooting.
#include <stdlib.h>
#include <unistd.h>
#include <keyutils.h>
int main(void)
{
int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING);
keyctl_setperm(id, KEY_OTH_WRITE);
setreuid(5000, 5000);
request_key("user", "desc", "", id);
}
Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com
Fixes: b2a4df200d ("KEYS: Expand the capacity of a keyring")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a08bf91ce28ed3ae7b6fef35d843fef8dc8c2cd9 upstream.
If the sysctl 'kernel.keys.maxkeys' is set to some number n, then
actually users can only add up to 'n - 1' keys. Likewise for
'kernel.keys.maxbytes' and the root_* versions of these sysctls. But
these sysctls are apparently supposed to be *maximums*, as per their
names and all documentation I could find -- the keyrings(7) man page,
Documentation/security/keys/core.rst, and all the mentions of EDQUOT
meaning that the key quota was *exceeded* (as opposed to reached).
Thus, fix the code to allow reaching the quotas exactly.
Fixes: 0b77f5bfb4 ("keys: make the keyring quotas controllable through /proc/sys")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlqSio0ACgkQONu9yGCS
aT7v/w/+OTmWpuavTV+sJz34t8UfnYtl7MnJhubkaCpaTryLXUDeWr5XGzjYRQTh
2OhvqDqoFqrKeKsMSl9x5ZBzA4CUcl5b/Umr8bqMH2iLeVr159qHoqttJ7lMwhX4
JR0avL4rZZlg/6Vbr8PjwNRn/6KF5UOQnTe4Yfpk89nDojeP5+tIZqhq7d6BFRis
Bcsb3BZg4UuJZYlJXARoXyPb4kCSEpJ6TPRM5Z1OlqbBLSCecjyqhYzW32Yj3HhT
FvV4pJLs/YBkD3GQTrWpNPmLIP/4anu+0geCviCV3SVC7UQJI46yzYLZFSaW1kg0
ol7pNONRGFNxihk4jiKMi5ON3pOMKq3qfY9KDIjGa6R8OIiQLCmC09TFFdzUjCJE
E9Q4av+KmUsCvrYtgpRTPjo/v2KGJRz8ZTuXdF9QjEIOdOomU4PMNNrXKx014goZ
r7mlxK3qW9HToBp60AAinRvNRJyFr3QH9gXjLU8fZvTVJ45eQkIwIqm5Q40Nk/IL
GrpCYkMcFouIYcpnYdurxYcaAeqwA/R4Df5WRHTaOzNXWZ5gsLRkS/muPVOL23cV
kCmlZytacE6R4TDkXzrEVfnN+n3QJWybyrx8sQbhBkT7NiEuPcqU/iGZe3uWSPS8
N2CVTW+keaPJijWeAPDqs+JEn6I/ARNq1gzw8tKjKWpEwyBa25g=
=FVgu
-----END PGP SIGNATURE-----
Merge 4.9.84 into android-4.9
Changes in 4.9.84
vhost: use mutex_lock_nested() in vhost_dev_lock_vqs()
kcm: Check if sk_user_data already set in kcm_attach
kcm: Only allow TCP sockets to be attached to a KCM mux
cfg80211: check dev_set_name() return value
xfrm: skip policies marked as dead while rehashing
mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed.
xfrm: Fix stack-out-of-bounds read on socket policy lookup.
xfrm: check id proto in validate_tmpl()
sctp: set frag_point in sctp_setsockopt_maxseg correctly
blktrace: fix unlocked registration of tracepoints
drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all
ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE
Provide a function to create a NUL-terminated string from unterminated data
selinux: ensure the context is NUL terminated in security_context_to_sid_core()
selinux: skip bounded transition processing if the policy isn't loaded
crypto: x86/twofish-3way - Fix %rbp usage
staging: android: ion: Add __GFP_NOWARN for system contig heap
staging: android: ion: Switch from WARN to pr_warn
blk_rq_map_user_iov: fix error override
KVM: x86: fix escape of guest dr6 to the host
kcov: detect double association with a single task
netfilter: x_tables: fix int overflow in xt_alloc_table_info()
netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}
netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
netfilter: on sockopt() acquire sock lock only in the required scope
netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1()
netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
rds: tcp: atomically purge entries from rds_tcp_conn_list during netns delete
net: avoid skb_warn_bad_offload on IS_ERR
crypto: hash - annotate algorithms taking optional key
crypto: hash - prevent using keyed hashes without setting key
ASoC: ux500: add MODULE_LICENSE tag
video: fbdev/mmp: add MODULE_LICENSE
ARM: 8743/1: bL_switcher: add MODULE_LICENSE tag
arm64: dts: add #cooling-cells to CPU nodes
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
staging: android: ashmem: Fix a race condition in pin ioctls
binder: check for binder_thread allocation failure in binder_poll()
staging: iio: adc: ad7192: fix external frequency setting
staging: iio: ad5933: switch buffer mode to software
usbip: keep usbip_device sockfd state in sync with tcp_socket
usb: build drivers/usb/common/ when USB_SUPPORT is set
ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context
ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function
ARM: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen
ARM: dts: logicpd-som-lv: Fix gpmc addresses for NAND and enet
ARM: dts: logicpd-somlv: Fix wl127x pinmux
ARM: dts: am4372: Correct the interrupts_properties of McASP
ARM: dts: am437x-cm-t43: Correct the dmas property of spi0
perf top: Fix window dimensions change handling
perf bench numa: Fixup discontiguous/sparse numa nodes
media: s5k6aa: describe some function parameters
pinctrl: sunxi: Fix A80 interrupt pin bank
pinctrl: sunxi: Fix A64 UART mux value
i40iw: Correct ARP index mask
RDMA/cma: Make sure that PSN is not over max allowed
sctp: only update outstanding_bytes for transmitted queue when doing prsctp_prune
scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none
ipvlan: Add the skb->mark as flow4's member to lookup route
m68k: add missing SOFTIRQENTRY_TEXT linker section
powerpc/perf: Fix oops when grouping different pmu events
s390/dasd: prevent prefix I/O error
ARM: dts: Fix elm interrupt compiler warning
gianfar: fix a flooded alignment reports because of padding issue.
net_sched: red: Avoid devision by zero
net_sched: red: Avoid illegal values
btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
brcmfmac: Avoid build error with make W=1
net: ethernet: arc: fix error handling in emac_rockchip_probe
509: fix printing uninitialized stack memory when OID is empty
gianfar: Disable EEE autoneg by default
dmaengine: ioat: Fix error handling path
dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved
clk: fix a panic error caused by accessing NULL pointer
ASoC: rockchip: disable clock on error
spi: sun4i: disable clocks in the remove function
xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
drm/armada: fix leak of crtc structure
dmaengine: jz4740: disable/unprepare clk if probe fails
usb: dwc3: gadget: Wait longer for controller to end command processing
usb: dwc3: of-simple: fix missing clk_disable_unprepare
mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep
x86/mm/kmmio: Fix mmiotrace for page unaligned addresses
platform/x86: dell-laptop: Fix keyboard max lighting for Dell Latitude E6410
xen: XEN_ACPI_PROCESSOR is Dom0-only
hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close
powerpc/64s: Fix conversion of slb_miss_common to use RFI_TO_USER/KERNEL
powerpc/64s: Simple RFI macro conversions
powerpc/64s: Improve RFI L1-D cache flush fallback
crypto: talitos - fix Kernel Oops on hashing an empty file
drm/i915: fix intel_backlight_device_register declaration
shmem: avoid maybe-uninitialized warning
clk: sunxi-ng: fix build error without CONFIG_RESET_CONTROLLER
vmxnet3: prevent building with 64K pages
perf/x86: Shut up false-positive -Wmaybe-uninitialized warning
PCI: vmd: Fix suspend handlers defined-but-not-used warning
gpio: intel-mid: Fix build warning when !CONFIG_PM
platform/x86: intel_mid_thermal: Fix suspend handlers unused warning
usb: musb: fix compilation warning on unused function
PCI: Change pci_host_common_probe() visibility
perf: xgene: Include module.h
video: fbdev: via: remove possibly unused variables
scsi: advansys: fix build warning for PCI=n
x86/ras/inject: Make it depend on X86_LOCAL_APIC=y
gpio: xgene: mark PM functions as __maybe_unused
arm64: define BUG() instruction without CONFIG_BUG
x86/fpu/math-emu: Fix possible uninitialized variable use
tools build: Add tools tree support for 'make -s'
x86/build: Silence the build with "make -s"
thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies
x86: add MULTIUSER dependency for KVM
dmaengine: zx: fix build warning
x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG
x86/vm86: Fix unused variable warning if THP is disabled
scsi: advansys: fix uninitialized data access
arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set
ALSA: hda/ca0132 - fix possible NULL pointer use
reiserfs: avoid a -Wmaybe-uninitialized warning
cw1200: fix bogus maybe-uninitialized warning
security/keys: BIG_KEY requires CONFIG_CRYPTO
drm: exynos: mark pm functions as __maybe_unused
rbd: silence bogus -Wmaybe-uninitialized warning
drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized
Input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning
KVM: add X86_LOCAL_APIC dependency
shmem: fix compilation warnings on unused functions
tc358743: fix register i2c_rd/wr functions
go7007: add MEDIA_CAMERA_SUPPORT dependency
em28xx: only use mt9v011 if camera support is enabled
tw5864: use dev_warn instead of WARN to shut up warning
ISDN: eicon: reduce stack size of sig_ind function
clk: meson: gxbb: fix build error without RESET_CONTROLLER
kasan: rework Kconfig settings
drm/i915: hide unused intel_panel_set_backlight function
arm64: sunxi: always enable reset controller
binfmt_elf: compat: avoid unused function warning
spi: bcm-qspi: shut up warning about cfi header inclusion
idle: i7300: add PCI dependency
arm64: fix warning about swapper_pg_dir overflow
usb: phy: msm add regulator dependency
x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix preemptibility bug
KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously
KVM: VMX: clean up declaration of VPID/EPT invalidation types
KVM: nVMX: invvpid handling improvements
crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
Linux 4.9.84
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 3cd18d1981731d5f74b8e437009124ac99905d14 upstream.
The recent rework introduced a possible randconfig build failure
when CONFIG_CRYPTO configured to only allow modules:
security/keys/big_key.o: In function `big_key_crypt':
big_key.c:(.text+0x29f): undefined reference to `crypto_aead_setkey'
security/keys/big_key.o: In function `big_key_init':
big_key.c:(.init.text+0x1a): undefined reference to `crypto_alloc_aead'
big_key.c:(.init.text+0x45): undefined reference to `crypto_aead_setauthsize'
big_key.c:(.init.text+0x77): undefined reference to `crypto_destroy_tfm'
crypto/gcm.o: In function `gcm_hash_crypt_remain_continue':
gcm.c:(.text+0x167): undefined reference to `crypto_ahash_finup'
crypto/gcm.o: In function `crypto_gcm_exit_tfm':
gcm.c:(.text+0x847): undefined reference to `crypto_destroy_tfm'
When we 'select CRYPTO' like the other users, we always get a
configuration that builds.
Fixes: 428490e38b2e ("security/keys: rewrite all of big_key crypto")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlqCzaQACgkQONu9yGCS
aT62mRAAiN+5Q/aCQcyRCnUYiD7k0WQQvNYaqb1aAuiX+4kz4/NZ4BW6xI/BENYI
32Px98b98mKenpIDNg2JaAj5ZdoSRkls4lHvJ/KfPG5uTKoXwdBbDrR5K8ASZzfI
Z7PUSoCC6NsiKszSgexK8xvfiJ/tfhz1WqpA5X6a2UfgZqCfG/H6G9Dtatdjrgfr
+V0qE0XUM+eWVy+E0lBCccrM5s8ssr+ON4V6QOgmZh1WlaMuCpouOvTYBW/6PBKu
aYjQKvJuXlxTa7IoqvHTd5WwcM+4wYwG6S+/8f3Xprgn8K3juYZ0EmACgSXm2AuR
vu089LyRDyLsG0J7eRoMZU753B/uV51vH23wfaitfbHxzFsFQihOuivhTttww10u
7v7RNcfEQBuAjD9KfZCf4/iSs2QIDKKpLQVy4hUuGv0gcj31WjOzU3uKlvvJUvN+
HsFRXrE5RvS4TaRkiI3fnV3NAFj/l9fkW+V2YV5nWg3C8zBbiGVOBNODgUKLMLvE
mJTQ42oVqhQfuzFDCSE3jPQMe4VL3OMQ1MC9Yc99/UvtYHZeV5PpgCC0kcMGh+r8
Gf9n0hBuFwr38djK/bewrjcIims3lgRbHdlzqtCHFRmaH5bJMkUWD8WakjbjRI89
SYKc6TuVzvzRoaMjNj14dHQSdiTz0Fod+U82KMccZ4F7SflhdQo=
=nbsq
-----END PGP SIGNATURE-----
Merge 4.9.81 into android-4.9
Changes in 4.9.81
powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
powerpc/64: Add macros for annotating the destination of rfid/hrfid
powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL
powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL
powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL
powerpc/64s: Add support for RFI flush of L1-D cache
powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti
powerpc/pseries: Query hypervisor for RFI flush settings
powerpc/powernv: Check device-tree for RFI flush settings
powerpc/64s: Wire up cpu_show_meltdown()
powerpc/64s: Allow control of RFI flush via debugfs
auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
pinctrl: pxa: pxa2xx: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
kaiser: fix intel_bts perf crashes
x86/pti: Make unpoison of pgd for trusted boot work for real
kaiser: allocate pgd with order 0 when pti=off
serial: core: mark port as initialized after successful IRQ change
ip6mr: fix stale iterator
net: igmp: add a missing rcu locking section
qlcnic: fix deadlock bug
qmi_wwan: Add support for Quectel EP06
r8169: fix RTL8168EP take too long to complete driver initialization.
tcp: release sk_frag.page in tcp_disconnect
vhost_net: stop device during reset owner
tcp_bbr: fix pacing_gain to always be unity when using lt_bw
cls_u32: add missing RCU annotation.
ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only
soreuseport: fix mem leak in reuseport_add_sock()
x86/asm: Fix inline asm call constraints for GCC 4.4
x86/microcode/AMD: Do not load when running on a hypervisor
media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
b43: Add missing MODULE_FIRMWARE()
KEYS: encrypted: fix buffer overread in valid_master_desc()
x86/retpoline: Remove the esp/rsp thunk
KVM: x86: Make indirect calls in emulator speculation safe
KVM: VMX: Make indirect call speculation safe
module/retpoline: Warn about missing retpoline in module
x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
x86/cpufeatures: Add Intel feature bits for Speculation Control
x86/cpufeatures: Add AMD feature bits for Speculation Control
x86/msr: Add definitions for new speculation control MSRs
x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown
x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support
x86/nospec: Fix header guards names
x86/bugs: Drop one "mitigation" from dmesg
x86/cpu/bugs: Make retpoline module warning conditional
x86/cpufeatures: Clean up Spectre v2 related CPUID flags
x86/retpoline: Simplify vmexit_fill_RSB()
x86/spectre: Check CONFIG_RETPOLINE in command line parser
x86/entry/64: Remove the SYSCALL64 fast path
x86/entry/64: Push extra regs right away
x86/asm: Move 'status' from thread_struct to thread_info
Documentation: Document array_index_nospec
array_index_nospec: Sanitize speculative array de-references
x86: Implement array_index_mask_nospec
x86: Introduce barrier_nospec
x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
x86/get_user: Use pointer masking to limit speculation
x86/syscall: Sanitize syscall table de-references under speculation
vfs, fdtable: Prevent bounds-check bypass via speculative execution
nl80211: Sanitize array index in parse_txq_params
x86/spectre: Report get_user mitigation for spectre_v1
x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
x86/paravirt: Remove 'noreplace-paravirt' cmdline option
x86/kvm: Update spectre-v1 mitigation
x86/retpoline: Avoid retpolines for built-in __init functions
x86/spectre: Simplify spectre_v2 command line parsing
x86/pti: Mark constant arrays as __initconst
x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL
KVM: nVMX: kmap() can't fail
KVM: nVMX: vmx_complete_nested_posted_interrupt() can't fail
KVM: nVMX: mark vmcs12 pages dirty on L2 exit
KVM: nVMX: Eliminate vmcs02 pool
KVM: VMX: introduce alloc_loaded_vmcs
KVM: VMX: make MSR bitmaps per-VCPU
KVM/x86: Add IBPB support
KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
crypto: tcrypt - fix S/G table for test_aead_speed()
ASoC: simple-card: Fix misleading error message
ASoC: rsnd: don't call free_irq() on Parent SSI
ASoC: rsnd: avoid duplicate free_irq()
drm: rcar-du: Use the VBK interrupt for vblank events
drm: rcar-du: Fix race condition when disabling planes at CRTC stop
x86/microcode: Do the family check first
Linux 4.9.81
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add upstream.
With the 'encrypted' key type it was possible for userspace to provide a
data blob ending with a master key description shorter than expected,
e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a
master key description, validate_master_desc() could read beyond the end
of the buffer. Fix this by using strncmp() instead of memcmp(). [Also
clean up the code to deduplicate some logic.]
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAloyNioACgkQONu9yGCS
aT5nyA/9Eo2iA40h62JJtQDRkp7LQvFf6VwKWFaTq8fbWDjM3x9oC3KEYIY6CfVS
2yHiTT5iZmxXfVEFWYq8auVUXYzGy5UZ+Sm5ryBqB5CoGpZSTEZLZCizvqVdHx1F
eaXwZT1k0Wqslgll9xtqTNj1LzMTz1/Q5w5yVsN+9F1t4lBGKEp9/WoQzWcr/R+F
Fwz76kD5tnzls1nRu+c7DrQzaJxLnQJS+U4e8mKLdmveUTyGFura6YW3aOO9vouV
Qt5LyloYw5eN533LTxJChXLQW1QlQsKe6BSb4qzrVcbFFX5F/b5MF+SO22xvUXwT
XEVrQziDyhYq2y1y4ZGmGHQ/k9pd+gtNx/j0WBSP0BAkeABnOsQGxLWdcsDqJt63
CWyPOcOh8ldOAcX/DD3YU/jRVXzYRrjUgL5Y37XRFJbejeig2clcEf+oOBpi2y0z
CfBtcwRyG60h7+9NJNPN+3wVWhs0fhyXve5TgGNQQ3TMikft673ZM/Rt0cVBvwbC
M7y3ZPy4B7PNfTzf/itHGt3ffw9KQdcp5IiBshHJVQICC6AuvXw5QaDA28VMaeJ6
eQF4UBiGSI7O9G4bx99rYuVuMhwqa2WGau19Dm6TFzTYXbHzaZaXpPfvWbKvryfC
q/s2JF/99Vw9jFVnxY0SxJHp79g1idsWGVP3Jod0k3cn2tKKkHo=
=Jzd9
-----END PGP SIGNATURE-----
Merge 4.9.69 into android-4.9
Changes in 4.9.69
usb: gadget: udc: renesas_usb3: fix number of the pipes
can: ti_hecc: Fix napi poll return value for repoll
can: kvaser_usb: free buf in error paths
can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
can: kvaser_usb: ratelimit errors if incomplete messages are received
can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
can: ems_usb: cancel urb on -EPIPE and -EPROTO
can: esd_usb2: cancel urb on -EPIPE and -EPROTO
can: usb_8dev: cancel urb on -EPIPE and -EPROTO
virtio: release virtio index when fail to device_register
hv: kvp: Avoid reading past allocated blocks from KVP file
isa: Prevent NULL dereference in isa_bus driver callbacks
scsi: dma-mapping: always provide dma_get_cache_alignment
scsi: use dma_get_cache_alignment() as minimum DMA alignment
scsi: libsas: align sata_device's rps_resp on a cacheline
efi: Move some sysfs files to be read-only by root
efi/esrt: Use memunmap() instead of kfree() to free the remapping
ASN.1: fix out-of-bounds read when parsing indefinite length item
ASN.1: check for error from ASN1_OP_END__ACT actions
KEYS: add missing permission check for request_key() destination
X.509: reject invalid BIT STRING for subjectPublicKey
X.509: fix comparisons of ->pkey_algo
x86/PCI: Make broadcom_postcore_init() check acpi_disabled
KVM: x86: fix APIC page invalidation
btrfs: fix missing error return in btrfs_drop_snapshot
ALSA: pcm: prevent UAF in snd_pcm_info
ALSA: seq: Remove spurious WARN_ON() at timer check
ALSA: usb-audio: Fix out-of-bound error
ALSA: usb-audio: Add check return value for usb_string()
iommu/vt-d: Fix scatterlist offset handling
smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
s390: fix compat system call table
KVM: s390: Fix skey emulation permission check
powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
brcmfmac: change driver unbind order of the sdio function devices
kdb: Fix handling of kallsyms_symbol_next() return value
drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
media: dvb: i2c transfers over usb cannot be done from stack
arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation
KVM: arm/arm64: vgic-its: Check result of allocation before use
arm64: fpsimd: Prevent registers leaking from dead tasks
bus: arm-cci: Fix use of smp_processor_id() in preemptible context
bus: arm-ccn: Check memory allocation failure
bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
crypto: talitos - fix AEAD test failures
crypto: talitos - fix memory corruption on SEC2
crypto: talitos - fix setkey to check key weakness
crypto: talitos - fix AEAD for sha224 on non sha224 capable chips
crypto: talitos - fix use of sg_link_tbl_len
crypto: talitos - fix ctr-aes-talitos
usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
ARM: BUG if jumping to usermode address in kernel mode
ARM: avoid faulting on qemu
thp: reduce indentation level in change_huge_pmd()
thp: fix MADV_DONTNEED vs. numa balancing race
mm: drop unused pmdp_huge_get_and_clear_notify()
Revert "drm/armada: Fix compile fail"
Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
ARM: 8657/1: uaccess: consistently check object sizes
vti6: Don't report path MTU below IPV6_MIN_MTU.
ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
x86/selftests: Add clobbers for int80 on x86_64
x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register
sched/fair: Make select_idle_cpu() more aggressive
x86/hpet: Prevent might sleep splat on resume
powerpc/64: Invalidate process table caching after setting process table
selftest/powerpc: Fix false failures for skipped tests
powerpc: Fix compiling a BE kernel with a powerpc64le toolchain
lirc: fix dead lock between open and wakeup_filter
module: set __jump_table alignment to 8
powerpc/64: Fix checksum folding in csum_add()
ARM: OMAP2+: Fix device node reference counts
ARM: OMAP2+: Release device node after it is no longer needed.
ASoC: rcar: avoid SSI_MODEx settings for SSI8
gpio: altera: Use handle_level_irq when configured as a level_high
HID: chicony: Add support for another ASUS Zen AiO keyboard
usb: gadget: configs: plug memory leak
USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
usb: dwc3: gadget: Fix system suspend/resume on TI platforms
usb: gadget: pxa27x: Test for a valid argument pointer
usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
libata: drop WARN from protocol error in ata_sff_qc_issue()
workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
scsi: qla2xxx: Fix ql_dump_buffer
scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
irqchip/crossbar: Fix incorrect type of register size
KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
arm: KVM: Survive unknown traps from guests
arm64: KVM: Survive unknown traps from guests
KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled
spi_ks8995: fix "BUG: key accdaa28 not in .data!"
spi_ks8995: regs_size incorrect for some devices
bnx2x: prevent crash when accessing PTP with interface down
bnx2x: fix possible overrun of VFPF multicast addresses array
bnx2x: fix detection of VLAN filtering feature for VF
bnx2x: do not rollback VF MAC/VLAN filters we did not configure
rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races
ibmvnic: Fix overflowing firmware/hardware TX queue
ibmvnic: Allocate number of rx/tx buffers agreed on by firmware
ipv6: reorder icmpv6_init() and ip6_mr_init()
crypto: s5p-sss - Fix completing crypto request in IRQ handler
i2c: riic: fix restart condition
blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue()
zram: set physical queue limits to avoid array out of bounds accesses
netfilter: don't track fragmented packets
axonram: Fix gendisk handling
drm/amd/amdgpu: fix console deadlock if late init failed
powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
EDAC, i5000, i5400: Fix definition of NRECMEMB register
kbuild: pkg: use --transform option to prefix paths in tar
coccinelle: fix parallel build with CHECK=scripts/coccicheck
x86/mpx/selftests: Fix up weird arrays
mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
route: also update fnhe_genid when updating a route cache
route: update fnhe_expires for redirect when the fnhe exists
drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'
lib/genalloc.c: make the avail variable an atomic_long_t
dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
NFS: Fix a typo in nfs_rename()
sunrpc: Fix rpc_task_begin trace point
xfs: fix forgotten rcu read unlock when skipping inode reclaim
dt-bindings: usb: fix reg-property port-number range
block: wake up all tasks blocked in get_request()
sparc64/mm: set fields in deferred pages
zsmalloc: calling zs_map_object() from irq is a bug
sctp: do not free asoc when it is already dead in sctp_sendmsg
sctp: use the right sk after waking up from wait_buf sleep
bpf: fix lockdep splat
clk: uniphier: fix DAPLL2 clock rate of Pro5
atm: horizon: Fix irq release error
jump_label: Invoke jump_label_test() via early_initcall()
xfrm: Copy policy family in clone_policy
IB/mlx4: Increase maximal message size under UD QP
IB/mlx5: Assign send CQ and recv CQ of UMR QP
afs: Connect up the CB.ProbeUuid
Linux 4.9.69
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.
When the request_key() syscall is not passed a destination keyring, it
links the requested key (if constructed) into the "default" request-key
keyring. This should require Write permission to the keyring. However,
there is actually no permission check.
This can be abused to add keys to any keyring to which only Search
permission is granted. This is because Search permission allows joining
the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
then will set the default request-key keyring to the session keyring.
Then, request_key() can be used to add keys to the keyring.
Both negatively and positively instantiated keys can be added using this
method. Adding negative keys is trivial. Adding a positive key is a
bit trickier. It requires that either /sbin/request-key positively
instantiates the key, or that another thread adds the key to the process
keyring at just the right time, such that request_key() misses it
initially but then finds it in construct_alloc_key().
Fix this bug by checking for Write permission to the keyring in
construct_get_dest_keyring() when the default keyring is being used.
We don't do the permission check for non-default keyrings because that
was already done by the earlier call to lookup_user_key(). Also,
request_key_and_link() is currently passed a 'struct key *' rather than
a key_ref_t, so the "possessed" bit is unavailable.
We also don't do the permission check for the "requestor keyring", to
continue to support the use case described by commit 8bbf4976b5
("KEYS: Alter use of key instantiation link-to-keyring argument") where
/sbin/request-key recursively calls request_key() to add keys to the
original requestor's destination keyring. (I don't know of any users
who actually do that, though...)
Fixes: 3e30148c3d ("[PATCH] Keys: Make request-key create an authorisation key")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAloQCeEACgkQONu9yGCS
aT5NSg/+KKaM27NOw+QU41S27e7EEk2ToFZVInD4YMVM37WDP3Dhy/6qGKqd7QEd
pYjcxdXhVi+vIyozY/QjXGNhTTOao5AtgGTdw1l2lag2VritbAqplgr0hPRLoj4M
9BEYveO2u+ooNJ6vieyW7TIVqGh05X4F43/Ng1I3iAbmvMcyg8LcqauYMaNa37jj
PP9XWWbZ87GCLqNM3Cy/V7uR/xFjj7N7/N6//547QRTgqnB31EytUXEwxtvgS7Z8
HxhVYk7gTzZMgpN6TUo0AKnD9iOxzR18kC0PooUz2nphS92Zad2rakhxUVJASUXv
DpY5LSyiN/F6fVp68ObAx8Cw31Uavjyvy/TJju1Kg9Mrt1fN/MBsEH0HSI7PrxyQ
7Q2Se+A8LZqeYW4P1AvHjei7Z10AL64YcXwrsAkeouh74WWKrVoEeoYVYDF+FdRy
87jNJE6+W589g+hLI0fX1Q07luEfToRfvZQTk0pdxLTxt5HrCgSoX6q6yOQ4ofMn
mTfRmNSaeiEaNDgl/f9ZqH3ViOFsINJ+0zgCMmFv4p8yyl2grj63ELdHKkjqTHCN
oPH3ZCeCFV+uvunA8geHLzToMDfZOsPQ4BbewV3TEFG4rSVxXQcoTJWIYaxHYaih
5X/JIgFZyaDnUFJQyEtcj8MyVnz1oraw73ghdOMuvHxkYXe+Xr4=
=DcCO
-----END PGP SIGNATURE-----
Merge 4.9.63 into android-4.9
Changes in 4.9.63
gso: fix payload length when gso_size is zero
tun/tap: sanitize TUNSETSNDBUF input
ipv6: addrconf: increment ifp refcount before ipv6_del_addr()
netlink: do not set cb_running if dump's start() errs
net: call cgroup_sk_alloc() earlier in sk_clone_lock()
tcp: fix tcp_mtu_probe() vs highest_sack
l2tp: check ps->sock before running pppol2tp_session_ioctl()
tun: call dev_get_valid_name() before register_netdevice()
sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
tcp/dccp: fix ireq->opt races
packet: avoid panic in packet_getsockopt()
soreuseport: fix initialization race
ipv6: flowlabel: do not leave opt->tot_len with garbage
sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND
tcp/dccp: fix lockdep splat in inet_csk_route_req()
tcp/dccp: fix other lockdep splats accessing ireq_opt
net/unix: don't show information about sockets from other namespaces
tap: double-free in error path in tap_open()
ipip: only increase err_count for some certain type icmp in ipip_err
ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
ip6_gre: update dst pmtu if dev mtu has been updated by toobig in __gre6_xmit
tun: allow positive return values on dev_get_valid_name() call
sctp: reset owner sk for data chunks on out queues when migrating a sock
net_sched: avoid matching qdisc with zero handle
ppp: fix race in ppp device destruction
mac80211: accept key reinstall without changing anything
mac80211: use constant time comparison with keys
mac80211: don't compare TKIP TX MIC key in reinstall prevention
usb: usbtest: fix NULL pointer dereference
Input: ims-psu - check if CDC union descriptor is sane
ALSA: seq: Cancel pending autoload work at unbinding device
Revert "ARM: dts: imx53-qsb-common: fix FEC pinmux config"
netfilter: nat: avoid use of nf_conn_nat extension
netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable"
security/keys: add CONFIG_KEYS_COMPAT to Kconfig
brcmfmac: remove setting IBSS mode when stopping AP
target/iscsi: Fix iSCSI task reassignment handling
qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2)
misc: panel: properly restore atomic counter on error path
Linux 4.9.63
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 47b2c3fff4932e6fc17ce13d51a43c6969714e20 upstream.
CONFIG_KEYS_COMPAT is defined in arch-specific Kconfigs and is missing for
several 64-bit architectures : mips, parisc, tile.
At the moment and for those architectures, calling in 32-bit userspace the
keyctl syscall would return an ENOSYS error.
This patch moves the CONFIG_KEYS_COMPAT option to security/keys/Kconfig, to
make sure the compatibility wrapper is registered by default for any 64-bit
architecture as long as it is configured with CONFIG_COMPAT.
[DH: Modified to remove arm64 compat enablement also as requested by Eric
Biggers]
Signed-off-by: Bilal Amarni <bilal.amarni@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
cc: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Cc: James Cowgill <james.cowgill@mips.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAloMVOIACgkQONu9yGCS
aT7U0A//WFyrvkUqEF3EKLcKceAY/jrqDoVt6hlNHLtIdOAYzV0pQlkf4xpFwpa9
k90nSZO4GqbL72P851knrZ9rKWeJz0SE5aFTt/NbfP5jpANsTx/+nuz3eNiFUJLp
HkNYHMF8XnffTKhexQNBxA+mXZehNMS6b188F0JZUc41o1W2jd/B6t9l1c/kquRW
63XESLPGr4a5dKRigsw+ais5JQqHrLfIR5TSxzDvwSht8WgsiO2XCe2K9VhhvP5r
SusHzNAYOwnf2lOjKrLQkLdgvQJLf18CPuknxd1x27EfHSueGgKumG6KkFZW0TcU
SxSA7JsYEG82jVHImwZ8M/jndyM/AH2ZB5r1R7Fd1odxcyh7Ga2sYFUv/JpZ0ImC
q4Wn5LFwBehnaw+Qx2e6ITKD6oFjP4EywxVIjUDDW7qNsHyDPEbLJLfKU4S9e2aV
IyohCev1DTPTT4RVHOA8W4I6kMy2R3qHK/BN004hKcD5jnpjSbG6Fp+/xHltZ2Gp
oq3IFB0qeH7/edEWYPEkXuvtv7+hWeuLRzyCO8f+/IPlOFkAkfNsrbZLgo6gOspr
Z0EL3WW7/KJp4FSlM7hLIrGXk+yoKXxvFpAB9h6jzmwryIovPhjCYhDlOiFRt9rx
L/ksNocDc6h+J/jiuHbYai9njIt6yy8iwtTvg7DXiRm4w3bljNA=
=bk2f
-----END PGP SIGNATURE-----
Merge 4.9.62 into android-4.9
Changes in 4.9.62
adv7604: Initialize drive strength to default when using DT
video: fbdev: pmag-ba-fb: Remove bad `__init' annotation
PCI: mvebu: Handle changes to the bridge windows while enabled
sched/core: Add missing update_rq_clock() call in sched_move_task()
xen/netback: set default upper limit of tx/rx queues to 8
ARM: dts: imx53-qsb-common: fix FEC pinmux config
dt-bindings: clockgen: Add compatible string for LS1012A
EDAC, amd64: Add x86cpuid sanity check during init
PM / OPP: Error out on failing to add static OPPs for v1 bindings
clk: samsung: exynos5433: Add IDs for PHYCLK_MIPIDPHY0_* clocks
drm: drm_minor_register(): Clean up debugfs on failure
KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
iommu/arm-smmu-v3: Clear prior settings when updating STEs
pinctrl: baytrail: Fix debugfs offset output
powerpc/corenet: explicitly disable the SDHC controller on kmcoge4
cxl: Force psl data-cache flush during device shutdown
ARM: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6
arm64: dma-mapping: Only swizzle DMA ops for IOMMU_DOMAIN_DMA
crypto: vmx - disable preemption to enable vsx in aes_ctr.c
drm: mali-dp: fix Lx_CONTROL register fields clobber
iio: trigger: free trigger resource correctly
iio: pressure: ms5611: claim direct mode during oversampling changes
iio: magnetometer: mag3110: claim direct mode during raw writes
iio: proximity: sx9500: claim direct mode during raw proximity reads
dt-bindings: Add LEGO MINDSTORMS EV3 compatible specification
dt-bindings: Add vendor prefix for LEGO
phy: increase size of MII_BUS_ID_SIZE and bus_id
serial: sh-sci: Fix register offsets for the IRDA serial port
libertas: fix improper return value
usb: hcd: initialize hcd->flags to 0 when rm hcd
netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family
brcmfmac: setup wiphy bands after registering it first
rt2800usb: mark tx failure on timeout
apparmor: fix undefined reference to `aa_g_hash_policy'
IPsec: do not ignore crypto err in ah4 input
EDAC, amd64: Save and return err code from probe_one_instance()
s390/topology: make "topology=off" parameter work
Input: mpr121 - handle multiple bits change of status register
Input: mpr121 - set missing event capability
sched/cputime, powerpc32: Fix stale scaled stime on context switch
IB/ipoib: Change list_del to list_del_init in the tx object
ARM: dts: STiH410-family: fix wrong parent clock frequency
s390/qeth: fix retrieval of vipa and proxy-arp addresses
s390/qeth: issue STARTLAN as first IPA command
wcn36xx: Don't use the destroyed hal_mutex
IB/rxe: Fix reference leaks in memory key invalidation code
clk: mvebu: adjust AP806 CPU clock frequencies to production chip
net: dsa: select NET_SWITCHDEV
platform/x86: hp-wmi: Fix detection for dock and tablet mode
cdc_ncm: Set NTB format again after altsetting switch for Huawei devices
KEYS: trusted: sanitize all key material
KEYS: trusted: fix writing past end of buffer in trusted_read()
platform/x86: hp-wmi: Fix error value for hp_wmi_tablet_state
platform/x86: hp-wmi: Do not shadow error values
x86/uaccess, sched/preempt: Verify access_ok() context
workqueue: Fix NULL pointer dereference
crypto: ccm - preserve the IV buffer
crypto: x86/sha1-mb - fix panic due to unaligned access
crypto: x86/sha256-mb - fix panic due to unaligned access
KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
ARM: 8720/1: ensure dump_instr() checks addr_limit
ALSA: seq: Fix OSS sysex delivery in OSS emulation
ALSA: seq: Avoid invalid lockdep class warning
drm/i915: Do not rely on wm preservation for ILK watermarks
MIPS: microMIPS: Fix incorrect mask in insn_table_MM
MIPS: Fix CM region target definitions
MIPS: SMP: Use a completion event to signal CPU up
MIPS: Fix race on setting and getting cpu_online_mask
MIPS: SMP: Fix deadlock & online race
selftests: firmware: send expected errors to /dev/null
tools: firmware: check for distro fallback udev cancel rule
ASoC: sun4i-spdif: remove legacy dapm components
MIPS: BMIPS: Fix missing cbr address
MIPS: AR7: Defer registration of GPIO
MIPS: AR7: Ensure that serial ports are properly set up
Input: elan_i2c - add ELAN060C to the ACPI table
rbd: use GFP_NOIO for parent stat and data requests
drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
drm/bridge: adv7511: Rework adv7511_power_on/off() so they can be reused internally
drm/bridge: adv7511: Reuse __adv7511_power_on/off() when probing EDID
drm/bridge: adv7511: Re-write the i2c address before EDID probing
can: sun4i: handle overrun in RX FIFO
can: ifi: Fix transmitter delay calculation
can: c_can: don't indicate triple sampling support for D_CAN
x86/smpboot: Make optimization of delay calibration work correctly
x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
Linux 4.9.62
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit a3c812f7cfd80cf51e8f5b7034f7418f6beb56c1 upstream.
When calling keyctl_read() on a key of type "trusted", if the
user-supplied buffer was too small, the kernel ignored the buffer length
and just wrote past the end of the buffer, potentially corrupting
userspace memory. Fix it by instead returning the size required, as per
the documentation for keyctl_read().
We also don't even fill the buffer at all in this case, as this is
slightly easier to implement than doing a short read, and either
behavior appears to be permitted. It also makes it match the behavior
of the "encrypted" key type.
Fixes: d00a1c72f7 ("keys: add new trusted key-type")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ee618b4619b72527aaed765f0f0b74072b281159 upstream.
As the previous patch did for encrypted-keys, zero sensitive any
potentially sensitive data related to the "trusted" key type before it
is freed. Notably, we were not zeroing the tpm_buf structures in which
the actual key is stored for TPM seal and unseal, nor were we zeroing
the trusted_key_payload in certain error paths.
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAloCyZYACgkQONu9yGCS
aT7HBg/9HBV8/35ibIliyeod6nv2qhM1UZUUmM1mw1b/IKlvCS2kIdy9z8yZE7yL
MqgIibVeW0DzRj+pdXXu/Oq0TvtJVkUK6hUXTcmm6L6QYgSoxq6R9m4z3gqzFn7c
XuCvK2+gYLx/Zif6CO/JKsYFuDt/BNKKvx9IEpshby72QUq2NAkzBfH8+gC5i7Ho
5OB3YtkAa+IBJbWfmTBIlhkI7U5CrNXTndP5Hjz5yYJp18kvdGK+GYkndzZ1XLps
1HxIfZroz0wn4wsRCIIGP+WeDmu0X3SjvVbbIFfRxzRbc3StG02oPdkA3+F5psT6
WVZDnbKjM++bVa7WZn0Zr+zggdzRrHo2qzTpx7TW8honGLjuTDNbieYnVKhhr9HK
V6BTHpSX8eGd+eIDnvgB9f/lNVXvrSfxrXgUwKhKist6pipsX7MshOrdycGY1gp3
fHRG0pyvqEVzDyXYm7jBjZ6XbpxVeBYEiIBdP6g2Ms3LBC0lCMTzOlleXacUx5SM
CfIOA9GwjavcD5NumRr5y+inBV07Y+LMf5dmSSfekXsOXkFR8qJtcIQMvXXZ+Zue
mN5ujQeh+97iC0Vocf4J5mHySs6jeTh6tWL0weSUelUN2wP9HExq/Lz+syeTVsK2
Wo/nyP+SStcjaxkLLVbsBODnXiEBEfxQCloXu83OWwQ3pv6iLeE=
=GwpR
-----END PGP SIGNATURE-----
Merge 4.9.61 into android-4.9
Changes in 4.9.61
ALSA: timer: Add missing mutex lock for compat ioctls
ALSA: seq: Fix nested rwsem annotation for lockdep splat
cifs: check MaxPathNameComponentLength != 0 before using it
KEYS: return full count in keyring_read() if buffer is too small
KEYS: fix out-of-bounds read during ASN.1 parsing
ASoC: adau17x1: Workaround for noise bug in ADC
arm64: ensure __dump_instr() checks addr_limit
arm/arm64: KVM: set right LR register value for 32 bit guest when inject abort
arm/arm64: kvm: Disable branch profiling in HYP code
ARM: 8715/1: add a private asm/unaligned.h
drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting
ocfs2: fstrim: Fix start offset of first cluster group during fstrim
drm/i915/edp: read edp display control registers unconditionally
drm/msm: Fix potential buffer overflow issue
drm/msm: fix an integer overflow test
tracing/samples: Fix creation and deletion of simple_thread_fn creation
Fix tracing sample code warning.
cpufreq: Do not clear real_cpus mask on policy init
crypto: ccp - Set the AES size field for all modes
staging: fsl-mc: Add missing header
IB/mlx5: Assign DSCP for R-RoCE QPs Address Path
PM / wakeirq: report a wakeup_event on dedicated wekup irq
scsi: megaraid_sas: Do not set fp_possible if TM capable for non-RW syspdIO, change fp_possible to bool
mmc: s3cmci: include linux/interrupt.h for tasklet_struct
mfd: ab8500-sysctrl: Handle probe deferral
mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped
bnxt_en: Added PCI IDs for BCM57452 and BCM57454 ASICs
staging: rtl8712u: Fix endian settings for structs describing network packets
PCI/MSI: Return failure when msix_setup_entries() fails
net: mvneta: fix build errors when linux/phy*.h is removed from net/dsa.h
ext4: fix stripe-unaligned allocations
ext4: do not use stripe_width if it is not set
net/ena: change driver's default timeouts
i2c: riic: correctly finish transfers
drm/amdgpu: when dpm disabled, also need to stop/start vce.
perf tools: Only increase index if perf_evsel__new_idx() succeeds
iwlwifi: mvm: use the PROBE_RESP_QUEUE to send deauth to unknown station
drm/fsl-dcu: check for clk_prepare_enable() error
clocksource/drivers/arm_arch_timer: Add dt binding for hisilicon-161010101 erratum
net: phy: dp83867: Recover from "port mirroring" N/A MODE4
cx231xx: Fix I2C on Internal Master 3 Bus
ath10k: fix reading sram contents for QCA4019
clk: sunxi-ng: Check kzalloc() for errors and cleanup error path
mtd: nand: sunxi: Fix the non-polling case in sunxi_nfc_wait_events()
gpio: mcp23s08: Select REGMAP/REGMAP_I2C to fix build error
xen/manage: correct return value check on xenbus_scanf()
scsi: aacraid: Process Error for response I/O
platform/x86: intel_mid_thermal: Fix module autoload
staging: lustre: llite: don't invoke direct_IO for the EOF case
staging: lustre: hsm: stack overrun in hai_dump_data_field
staging: lustre: ptlrpc: skip lock if export failed
staging: lustre: lmv: Error not handled for lmv_find_target
brcmfmac: check brcmf_bus_get_memdump result for error
vfs: open() with O_CREAT should not create inodes with unknown ids
ASoC: Intel: boards: remove .pm_ops in all Atom/DPCM machine drivers
exynos4-is: fimc-is: Unmap region obtained by of_iomap()
mei: return error on notification request to a disconnected client
s390/dasd: check for device error pointer within state change interrupts
s390/prng: Adjust generation of entropy to produce real 256 bits.
s390/crypto: Extend key length check for AES-XTS in fips mode.
bt8xx: fix memory leak
drm/exynos: g2d: prevent integer overflow in
PCI: Avoid possible deadlock on pci_lock and p->pi_lock
powerpc/64: Don't try to use radix MMU under a hypervisor
xen: don't print error message in case of missing Xenstore entry
staging: r8712u: Fix Sparse warning in rtl871x_xmit.c
ARM: dts: mvebu: pl310-cache disable double-linefill
Linux 4.9.61
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 3239b6f29bdfb4b0a2ba59df995fc9e6f4df7f1f upstream.
Commit e645016abc80 ("KEYS: fix writing past end of user-supplied buffer
in keyring_read()") made keyring_read() stop corrupting userspace memory
when the user-supplied buffer is too small. However it also made the
return value in that case be the short buffer size rather than the size
required, yet keyctl_read() is actually documented to return the size
required. Therefore, switch it over to the documented behavior.
Note that for now we continue to have it fill the short buffer, since it
did that before (pre-v3.13) and dump_key_tree_aux() in keyutils arguably
relies on it.
Fixes: e645016abc80 ("KEYS: fix writing past end of user-supplied buffer in keyring_read()")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlny8HMACgkQONu9yGCS
aT77eBAAgJeVMbCAfKiW1mtwUJW/OoPTHImt5xYqkrFpkqaDlqX47FkfUMXj2Esu
707Ejvw/+tAbZsvP3dQES8gFzM6arilKaX/EjruFow7Shtj84s5ny7i2iyR/PUmp
87FudvveyUzg7bH0rWHWYLVfUnJaxg3UywGNV5oB4nBQoTL8M6lljpxtL/a0hfF9
A5K9R6CT3mWCAoQyOtOSAg/A7Ax74qPBFW4UTKN4RY5yDEp/RupT9yjH9k5qLeDC
nhGA3JwOZhIFrkb3jkHYsqwvEcqOtcHN/kJ0kPfVx9Sj1Tp4Dk1XK9XWnC0qTGLO
0H4VY57ODEREkpsMoXEmJi5403i5Q61m4MMO1iS6Gj9XnZ/lZCvLSbVVjLSNZsOY
A4eAFPxYMLj6XHRrQK0a4obAhacMljXZxHjnCwgFllDo11TqXtb7Zp/fD75sagoQ
3fNFAS10+N9VyqADdlrir+IRkN9jvnmynj1vTbdlb2KKmU+lpc+iAZ8iptpExfX8
e6ZN+K4Xq0uCEHZkkOB1beh3bNhgIpICBKI2LXTdCFXtklwg5hJvzF4yv2IPleFo
7exiUH326MRxQNg9ltdTJ1BA6FNW29S1oIYTzpblsLsA4Up3O/gI2GH3I35M2/H6
XKAS/HI6XEmaMK1WBWS/pFQGGZ0rGGUPbVfPiXsdR10XDdz7X/M=
=44jV
-----END PGP SIGNATURE-----
Merge 4.9.59 into android-4.9
Changes in 4.9.59
USB: devio: Revert "USB: devio: Don't corrupt user memory"
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
USB: serial: metro-usb: add MS7820 device id
usb: cdc_acm: Add quirk for Elatec TWN3
usb: quirks: add quirk for WORLDE MINI MIDI keyboard
usb: hub: Allow reset retry for USB2 devices on connect bounce
ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
can: gs_usb: fix busy loop if no more TX context is available
parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
iio: dummy: events: Add missing break
usb: musb: sunxi: Explicitly release USB PHY on exit
usb: musb: Check for host-mode using is_host_active() on reset interrupt
xhci: Identify USB 3.1 capable hosts by their port protocol capability
can: esd_usb2: Fix can_dlc value for received RTR, frames
drm/nouveau/bsp/g92: disable by default
drm/nouveau/mmu: flush tlbs before deleting page tables
ALSA: seq: Enable 'use' locking in all configurations
ALSA: hda: Remove superfluous '-' added by printk conversion
ALSA: hda: Abort capability probe at invalid register read
i2c: ismt: Separate I2C block read from SMBus block read
i2c: piix4: Fix SMBus port selection for AMD Family 17h chips
brcmfmac: Add check for short event packets
brcmsmac: make some local variables 'static const' to reduce stack size
bus: mbus: fix window size calculation for 4GB windows
clockevents/drivers/cs5535: Improve resilience to spurious interrupts
rtlwifi: rtl8821ae: Fix connection lost problem
x86/microcode/intel: Disable late loading on model 79
KEYS: encrypted: fix dereference of NULL user_key_payload
lib/digsig: fix dereference of NULL user_key_payload
KEYS: don't let add_key() update an uninstantiated key
pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
vmbus: fix missing signaling in hv_signal_on_read()
xfs: don't unconditionally clear the reflink flag on zero-block files
xfs: evict CoW fork extents when performing finsert/fcollapse
fs/xfs: Use %pS printk format for direct addresses
xfs: report zeroed or not correctly in xfs_zero_range()
xfs: update i_size after unwritten conversion in dio completion
xfs: perag initialization should only touch m_ag_max_usable for AG 0
xfs: Capture state of the right inode in xfs_iflush_done
xfs: always swap the cow forks when swapping extents
xfs: handle racy AIO in xfs_reflink_end_cow
xfs: Don't log uninitialised fields in inode structures
xfs: move more RT specific code under CONFIG_XFS_RT
xfs: don't change inode mode if ACL update fails
xfs: reinit btree pointer on attr tree inactivation walk
xfs: handle error if xfs_btree_get_bufs fails
xfs: cancel dirty pages on invalidation
xfs: trim writepage mapping to within eof
fscrypt: fix dereference of NULL user_key_payload
KEYS: Fix race between updating and finding a negative key
FS-Cache: fix dereference of NULL user_key_payload
Linux 4.9.59
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 363b02dab09b3226f3bd1420dad9c72b79a42a76 upstream.
Consolidate KEY_FLAG_INSTANTIATED, KEY_FLAG_NEGATIVE and the rejection
error into one field such that:
(1) The instantiation state can be modified/read atomically.
(2) The error can be accessed atomically with the state.
(3) The error isn't stored unioned with the payload pointers.
This deals with the problem that the state is spread over three different
objects (two bits and a separate variable) and reading or updating them
atomically isn't practical, given that not only can uninstantiated keys
change into instantiated or rejected keys, but rejected keys can also turn
into instantiated keys - and someone accessing the key might not be using
any locking.
The main side effect of this problem is that what was held in the payload
may change, depending on the state. For instance, you might observe the
key to be in the rejected state. You then read the cached error, but if
the key semaphore wasn't locked, the key might've become instantiated
between the two reads - and you might now have something in hand that isn't
actually an error code.
The state is now KEY_IS_UNINSTANTIATED, KEY_IS_POSITIVE or a negative error
code if the key is negatively instantiated. The key_is_instantiated()
function is replaced with key_is_positive() to avoid confusion as negative
keys are also 'instantiated'.
Additionally, barriering is included:
(1) Order payload-set before state-set during instantiation.
(2) Order state-read before payload-read when using the key.
Further separate barriering is necessary if RCU is being used to access the
payload content after reading the payload pointers.
Fixes: 146aa8b145 ("KEYS: Merge the type-specific data with the payload data")
Reported-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream.
Currently, when passed a key that already exists, add_key() will call the
key's ->update() method if such exists. But this is heavily broken in the
case where the key is uninstantiated because it doesn't call
__key_instantiate_and_link(). Consequently, it doesn't do most of the
things that are supposed to happen when the key is instantiated, such as
setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and
awakening tasks waiting on it, and incrementing key->user->nikeys.
It also never takes key_construction_mutex, which means that
->instantiate() can run concurrently with ->update() on the same key. In
the case of the "user" and "logon" key types this causes a memory leak, at
best. Maybe even worse, the ->update() methods of the "encrypted" and
"trusted" key types actually just dereference a NULL pointer when passed an
uninstantiated key.
Change key_create_or_update() to wait interruptibly for the key to finish
construction before continuing.
This patch only affects *uninstantiated* keys. For now we still allow a
negatively instantiated key to be updated (thereby positively
instantiating it), although that's broken too (the next patch fixes it)
and I'm not sure that anyone actually uses that functionality either.
Here is a simple reproducer for the bug using the "encrypted" key type
(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug
pertained to more than just the "encrypted" key type:
#include <stdlib.h>
#include <unistd.h>
#include <keyutils.h>
int main(void)
{
int ringid = keyctl_join_session_keyring(NULL);
if (fork()) {
for (;;) {
const char payload[] = "update user:foo 32";
usleep(rand() % 10000);
add_key("encrypted", "desc", payload, sizeof(payload), ringid);
keyctl_clear(ringid);
}
} else {
for (;;)
request_key("encrypted", "desc", "callout_info", ringid);
}
}
It causes:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: encrypted_update+0xb0/0x170
PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0
PREEMPT SMP
CPU: 0 PID: 340 Comm: reproduce Tainted: G D 4.14.0-rc1-00025-g428490e38b2e #796
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8a467a39a340 task.stack: ffffb15c40770000
RIP: 0010:encrypted_update+0xb0/0x170
RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303
RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17
R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f
FS: 00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0
Call Trace:
key_create_or_update+0x2bc/0x460
SyS_add_key+0x10c/0x1d0
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f5d7f211259
RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259
RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04
RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004
R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868
R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000
Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b
RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8
CR2: 0000000000000018
Reported-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 13923d0865ca96312197962522e88bc0aedccd74 upstream.
A key of type "encrypted" references a "master key" which is used to
encrypt and decrypt the encrypted key's payload. However, when we
accessed the master key's payload, we failed to handle the case where
the master key has been revoked, which sets the payload pointer to NULL.
Note that request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.
Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.
This was an issue for master keys of type "user" only. Master keys can
also be of type "trusted", but those cannot be revoked.
Fixes: 7e70cb4978 ("keys: add new key-type encrypted")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cherry-picked from upstream-f2fs-stable-linux-4.9.y
Changes include:
commit 30da3a4de9 ("f2fs: hurry up to issue discard after io interruption")
commit d1c363b483 ("f2fs: fix to show correct discard_granularity in sysfs")
...
commit e6b120d4d0 ("f2fs/fscrypt: catch up to v4.12")
commit 4d7931d727 ("KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload()")
Signed-off-by: Hyojun Kim <hyojun@google.com>
commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.
It was possible for an unprivileged user to create the user and user
session keyrings for another user. For example:
sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
keyctl add keyring _uid_ses.4000 "" @u
sleep 15' &
sleep 1
sudo -u '#4000' keyctl describe @u
sudo -u '#4000' keyctl describe @us
This is problematic because these "fake" keyrings won't have the right
permissions. In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:
-4: alswrv-----v------------ 3000 0 keyring: _uid.4000
-5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000
Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.
Fixes: 69664cf16a ("keys: don't generate user and user session keyrings unless they're accessed")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
Userspace can call keyctl_read() on a keyring to get the list of IDs of
keys in the keyring. But if the user-supplied buffer is too small, the
kernel would write the full list anyway --- which will corrupt whatever
userspace memory happened to be past the end of the buffer. Fix it by
only filling the space that is available.
Fixes: b2a4df200d ("KEYS: Expand the capacity of a keyring")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 428490e38b2e352812e0b765d8bceafab0ec441d upstream.
This started out as just replacing the use of crypto/rng with
get_random_bytes_wait, so that we wouldn't use bad randomness at boot
time. But, upon looking further, it appears that there were even deeper
underlying cryptographic problems, and that this seems to have been
committed with very little crypto review. So, I rewrote the whole thing,
trying to keep to the conventions introduced by the previous author, to
fix these cryptographic flaws.
It makes no sense to seed crypto/rng at boot time and then keep
using it like this, when in fact there's already get_random_bytes_wait,
which can ensure there's enough entropy and be a much more standard way
of generating keys. Since this sensitive material is being stored
untrusted, using ECB and no authentication is simply not okay at all. I
find it surprising and a bit horrifying that this code even made it past
basic crypto review, which perhaps points to some larger issues. This
patch moves from using AES-ECB to using AES-GCM. Since keys are uniquely
generated each time, we can set the nonce to zero. There was also a race
condition in which the same key would be reused at the same time in
different threads. A mutex fixes this issue now.
So, to summarize, this commit fixes the following vulnerabilities:
* Low entropy key generation, allowing an attacker to potentially
guess or predict keys.
* Unauthenticated encryption, allowing an attacker to modify the
cipher text in particular ways in order to manipulate the plaintext,
which is is even more frightening considering the next point.
* Use of ECB mode, allowing an attacker to trivially swap blocks or
compare identical plaintext blocks.
* Key re-use.
* Faulty memory zeroing.
[Note that in backporting this commit to 4.9, get_random_bytes_wait was
replaced with get_random_bytes, since 4.9 does not have the former
function. This might result in slightly worse entropy in key generation,
but common use cases of big_keys makes that likely not a huge deal. And,
this is the best we can do with this old kernel. Alas.]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
Cc: security@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 910801809b2e40a4baedd080ef5d80b4a180e70e upstream.
Error paths forgot to zero out sensitive material, so this patch changes
some kfrees into a kzfrees.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
Cc: security@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 57cb17e764ba0aaa169d07796acce54ccfbc6cae upstream.
This function has two callers and neither are able to handle a NULL
return. Really, -EINVAL is the correct thing return here anyway. This
fixes some static checker warnings like:
security/keys/encrypted-keys/encrypted.c:709 encrypted_key_decrypt()
error: uninitialized symbol 'master_key'.
Fixes: 7e70cb4978 ("keys: add new key-type encrypted")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e9ff56ac352446f55141aaef1553cee662b2e310 upstream.
Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt
stack buffers because the stack may be virtually mapped. Fix this for
the padding buffers in encrypted-keys by using ZERO_PAGE for the
encryption padding and by allocating a temporary heap buffer for the
decryption padding.
Tested with CONFIG_DEBUG_SG=y:
keyctl new_session
keyctl add user master "abcdefghijklmnop" @s
keyid=$(keyctl add encrypted desc "new user:master 25" @s)
datablob="$(keyctl pipe $keyid)"
keyctl unlink $keyid
keyid=$(keyctl add encrypted desc "load $datablob" @s)
datablob2="$(keyctl pipe $keyid)"
[ "$datablob" = "$datablob2" ] && echo "Success!"
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5649645d725c73df4302428ee4e02c869248b4c5 upstream.
sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
NULL payload with nonzero length to be passed to the key type's
->preparse(), ->instantiate(), and/or ->update() methods. Various key
types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
not handle this case, allowing an unprivileged user to trivially cause a
NULL pointer dereference (kernel oops) if one of these key types was
present. Fix it by doing the copy_from_user() when 'plen' is nonzero
rather than when '_payload' is non-NULL, causing the syscall to fail
with EFAULT as expected when an invalid buffer is specified.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c9f838d104fed6f2f61d68164712e3204bf5271b upstream.
This fixes CVE-2017-7472.
Running the following program as an unprivileged user exhausts kernel
memory by leaking thread keyrings:
#include <keyutils.h>
int main()
{
for (;;)
keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
}
Fix it by only creating a new thread keyring if there wasn't one before.
To make things more consistent, make install_thread_keyring_to_cred()
and install_process_keyring_to_cred() both return 0 if the corresponding
keyring is already present.
Fixes: d84f4f992c ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c1644fe041ebaf6519f6809146a77c3ead9193af upstream.
This fixes CVE-2017-6951.
Userspace should not be able to do things with the "dead" key type as it
doesn't have some of the helper functions set upon it that the kernel
needs. Attempting to use it may cause the kernel to crash.
Fix this by changing the name of the type to ".dead" so that it's rejected
up front on userspace syscalls by key_get_type_from_user().
Though this doesn't seem to affect recent kernels, it does affect older
ones, certainly those prior to:
commit c06cfb08b8
Author: David Howells <dhowells@redhat.com>
Date: Tue Sep 16 17:36:06 2014 +0100
KEYS: Remove key_type::match in favour of overriding default by match_preparse
which went in before 3.18-rc1.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ee8f844e3c5a73b999edf733df1c529d6503ec2f upstream.
This fixes CVE-2016-9604.
Keyrings whose name begin with a '.' are special internal keyrings and so
userspace isn't allowed to create keyrings by this name to prevent
shadowing. However, the patch that added the guard didn't fix
KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings,
it can also subscribe to them as a session keyring if they grant SEARCH
permission to the user.
This, for example, allows a root process to set .builtin_trusted_keys as
its session keyring, at which point it has full access because now the
possessor permissions are added. This permits root to add extra public
keys, thereby bypassing module verification.
This also affects kexec and IMA.
This can be tested by (as root):
keyctl session .builtin_trusted_keys
keyctl add user a a @s
keyctl list @s
which on my test box gives me:
2 keys in keyring:
180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
801382539: --alswrv 0 0 user: a
Fix this by rejecting names beginning with a '.' in the keyctl.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
cc: linux-ima-devel@lists.sourceforge.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Since BIG_KEYS can't be compiled as module it requires one of the "stdrng"
providers to be compiled into kernel. Otherwise big_key_crypto_init() fails
on crypto_alloc_rng step and next dereference of big_key_skcipher (e.g. in
big_key_preparse()) results in a NULL pointer dereference.
Fixes: 13100a72f4 ('Security: Keys: Big keys stored encrypted')
Signed-off-by: Artem Savkov <asavkov@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Stephan Mueller <smueller@chronox.de>
cc: Kirill Marinushkin <k.marinushkin@gmail.com>
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
big_key has two separate initialisation functions, one that registers the
key type and one that registers the crypto. If the key type fails to
register, there's no problem if the crypto registers successfully because
there's no way to reach the crypto except through the key type.
However, if the key type registers successfully but the crypto does not,
big_key_rng and big_key_blkcipher may end up set to NULL - but the code
neither checks for this nor unregisters the big key key type.
Furthermore, since the key type is registered before the crypto, it is
theoretically possible for the kernel to try adding a big_key before the
crypto is set up, leading to the same effect.
Fix this by merging big_key_crypto_init() and big_key_init() and calling
the resulting function late. If they're going to be encrypted, we
shouldn't be creating big_keys before we have the facilities to do the
encryption available. The key type registration is also moved after the
crypto initialisation.
The fix also includes message printing on failure.
If the big_key type isn't correctly set up, simply doing:
dd if=/dev/zero bs=4096 count=1 | keyctl padd big_key a @s
ought to cause an oops.
Fixes: 13100a72f4 ('Security: Keys: Big keys stored encrypted')
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Peter Hlavaty <zer0mem@yahoo.com>
cc: Kirill Marinushkin <k.marinushkin@gmail.com>
cc: Artem Savkov <asavkov@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
This fixes CVE-2016-7042.
Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.
The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:
(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943
That's 14 chars plus NUL, not 11 chars plus NUL.
Expand the buffer to 16 chars.
I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.
The panic incurred looks something like:
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
[<ffffffff813d941f>] dump_stack+0x63/0x84
[<ffffffff811b2cb6>] panic+0xde/0x22a
[<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
[<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
[<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
[<ffffffff81350410>] ? key_validate+0x50/0x50
[<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
[<ffffffff8126b31c>] seq_read+0x2cc/0x390
[<ffffffff812b6b12>] proc_reg_read+0x42/0x70
[<ffffffff81244fc7>] __vfs_read+0x37/0x150
[<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
[<ffffffff81246156>] vfs_read+0x96/0x130
[<ffffffff81247635>] SyS_read+0x55/0xc0
[<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
The IV must not be modified by the skcipher operation so we need
to duplicate it.
Fixes: c3917fd9df ("KEYS: Use skcipher")
Cc: stable@vger.kernel.org
Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Pull security subsystem updates from James Morris:
"Highlights:
- TPM core and driver updates/fixes
- IPv6 security labeling (CALIPSO)
- Lots of Apparmor fixes
- Seccomp: remove 2-phase API, close hole where ptrace can change
syscall #"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (156 commits)
apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
tpm: Add TPM 2.0 support to the Nuvoton i2c driver (NPCT6xx family)
tpm: Factor out common startup code
tpm: use devm_add_action_or_reset
tpm2_i2c_nuvoton: add irq validity check
tpm: read burstcount from TPM_STS in one 32-bit transaction
tpm: fix byte-order for the value read by tpm2_get_tpm_pt
tpm_tis_core: convert max timeouts from msec to jiffies
apparmor: fix arg_size computation for when setprocattr is null terminated
apparmor: fix oops, validate buffer size in apparmor_setprocattr()
apparmor: do not expose kernel stack
apparmor: fix module parameters can be changed after policy is locked
apparmor: fix oops in profile_unpack() when policy_db is not present
apparmor: don't check for vmalloc_addr if kvzalloc() failed
apparmor: add missing id bounds check on dfa verification
apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
apparmor: use list_next_entry instead of list_entry_next
apparmor: fix refcount race when finding a child profile
apparmor: fix ref count leak when profile sha1 hash is read
apparmor: check that xindex is in trans_table bounds
...
Pull crypto updates from Herbert Xu:
"Here is the crypto update for 4.8:
API:
- first part of skcipher low-level conversions
- add KPP (Key-agreement Protocol Primitives) interface.
Algorithms:
- fix IPsec/cryptd reordering issues that affects aesni
- RSA no longer does explicit leading zero removal
- add SHA3
- add DH
- add ECDH
- improve DRBG performance by not doing CTR by hand
Drivers:
- add x86 AVX2 multibuffer SHA256/512
- add POWER8 optimised crc32c
- add xts support to vmx
- add DH support to qat
- add RSA support to caam
- add Layerscape support to caam
- add SEC1 AEAD support to talitos
- improve performance by chaining requests in marvell/cesa
- add support for Araneus Alea I USB RNG
- add support for Broadcom BCM5301 RNG
- add support for Amlogic Meson RNG
- add support Broadcom NSP SoC RNG"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (180 commits)
crypto: vmx - Fix aes_p8_xts_decrypt build failure
crypto: vmx - Ignore generated files
crypto: vmx - Adding support for XTS
crypto: vmx - Adding asm subroutines for XTS
crypto: skcipher - add comment for skcipher_alg->base
crypto: testmgr - Print akcipher algorithm name
crypto: marvell - Fix wrong flag used for GFP in mv_cesa_dma_add_iv_op
crypto: nx - off by one bug in nx_of_update_msc()
crypto: rsa-pkcs1pad - fix rsa-pkcs1pad request struct
crypto: scatterwalk - Inline start/map/done
crypto: scatterwalk - Remove unnecessary BUG in scatterwalk_start
crypto: scatterwalk - Remove unnecessary advance in scatterwalk_pagedone
crypto: scatterwalk - Fix test in scatterwalk_done
crypto: api - Optimise away crypto_yield when hard preemption is on
crypto: scatterwalk - add no-copy support to copychunks
crypto: scatterwalk - Remove scatterwalk_bytes_sglen
crypto: omap - Stop using crypto scatterwalk_bytes_sglen
crypto: skcipher - Remove top-level givcipher interface
crypto: user - Remove crypto_lookup_skcipher call
crypto: cts - Convert to skcipher
...
This patch replaces use of the obsolete blkcipher with skcipher.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: David Howells <dhowells@redhat.com>
Michal Hocko
rifek4
FAROVITUS
Greg Kroah-Hartman
David Howells
Hillf Danton
Eric Biggers
Arnd Bergmann
Bilal Amarni
Hyojun Kim
Jason A. Donenfeld
Dan Carpenter
Artem Savkov
Herbert Xu
Linus Torvalds