Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.4.69 2020-04-29T14:33:14Z 2020-04-29T14:33:14Z Jann Horn jannh@google.com 2020-04-21T01:14:11Z urn:sha1:f4f235309b5cc8e6217774279ae2b263345f5f6a commit bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 upstream. remap_vmalloc_range() has had various issues with the bounds checks it promises to perform ("This function checks that addr is a valid vmalloc'ed area, and that it is big enough to cover the vma") over time, e.g.: - not detecting pgoff<<PAGE_SHIFT overflow - not detecting (pgoff<<PAGE_SHIFT)+usize overflow - not checking whether addr and addr+(pgoff<<PAGE_SHIFT) are the same vmalloc allocation - comparing a potentially wildly out-of-bounds pointer with the end of the vmalloc region In particular, since commit fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY"), unprivileged users can cause kernel null pointer dereferences by calling mmap() on a BPF map with a size that is bigger than the distance from the start of the BPF map to the end of the address space. This could theoretically be used as a kernel ASLR bypass, by using whether mmap() with a given offset oopses or returns an error code to perform a binary search over the possible address range. To allow remap_vmalloc_range_partial() to verify that addr and addr+(pgoff<<PAGE_SHIFT) are in the same vmalloc region, pass the offset to remap_vmalloc_range_partial() instead of adding it to the pointer in remap_vmalloc_range(). In remap_vmalloc_range_partial(), fix the check against get_vm_area_size() by using size comparisons instead of pointer comparisons, and add checks for pgoff. Fixes: 833423143c3a ("[PATCH] mm: introduce remap_vmalloc_range()") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: stable@vger.kernel.org Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Martin KaFai Lau <kafai@fb.com> Cc: Song Liu <songliubraving@fb.com> Cc: Yonghong Song <yhs@fb.com> Cc: Andrii Nakryiko <andriin@fb.com> Cc: John Fastabend <john.fastabend@gmail.com> Cc: KP Singh <kpsingh@chromium.org> Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-08-19T19:28:57Z Parav Pandit parav@mellanox.com 2019-08-08T14:12:54Z urn:sha1:eee413e620f408e1e88d94b16d05f45407939d1b While generating interrupt, mdev_state is already available for which interrupt is generated. Instead of doing indirect way from state->device->uuid-> to searching state linearly in linked list on every interrupt generation, directly use the available state. Hence, simplify the code to use mdev_state and remove unused helper function with that. Reviewed-by: Cornelia Huck <cohuck@redhat.com> Signed-off-by: Parav Pandit <parav@mellanox.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2019-07-25T09:05:10Z Masahiro Yamada yamada.masahiro@socionext.com 2019-07-25T07:58:32Z urn:sha1:dc3bf49ea330414724e429e4e9b291899c134e3b The "WITH Linux-syscall-note" exception exists for headers exported to user space. It is strange to add it to non-exported headers. Commit 687a3e4d8e61 ("treewide: remove SPDX "WITH Linux-syscall-note" from kernel-space headers") did cleanups some months ago, but it looks like we need to do this periodically. This patch was generated by the following script: git grep -l -e Linux-syscall-note \ -- :*.h :^arch/*/include/uapi/asm/*.h :^include/uapi/ :^tools | while read file do sed -i -e 's/(\(GPL-[^[:space:]]*\) WITH Linux-syscall-note)/\1/g' \ -e 's/ WITH Linux-syscall-note//g' $file done I did not commit drivers/staging/android/uapi/ion.h . This header is not currently exported, but somebody may plan to move it to include/uapi/ when the time comes. I am not sure. Anyway, it will be better to check the license inconsistency in drivers/staging/android/uapi/. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-07-02T17:44:15Z YueHaibing yuehaibing@huawei.com 2019-07-02T17:38:10Z urn:sha1:b46c820f8f5a03619f21fc4ed2e42848017aefcd Fixes gcc '-Wunused-but-set-variable' warning: samples/vfio-mdev/mbochs.c: In function mbochs_ioctl: samples/vfio-mdev/mbochs.c:1188:21: warning: variable mdev_state set but not used [-Wunused-but-set-variable] It's not used any more since commit 104c7405a64d ("vfio: add edid support to mbochs sample driver") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2019-07-02T17:38:08Z Kefeng Wang wangkefeng.wang@huawei.com 2019-07-02T17:38:08Z urn:sha1:4b2dbd566c7b91740e32b30a68a7f2b38e3495b9 Make some structs and functions static to fix build warning, parts of warning shown below, samples/vfio-mdev/mtty.c:730:5: warning: symbol 'mtty_create' was not declared. Should it be static? samples/vfio-mdev/mtty.c:780:5: warning: symbol 'mtty_remove' was not declared. Should it be static? samples/vfio-mdev/mtty.c:802:5: warning: symbol 'mtty_reset' was not declared. Should it be static? samples/vfio-mdev/mtty.c:818:9: warning: symbol 'mtty_read' was not declared. Should it be static? samples/vfio-mdev/mtty.c:877:9: warning: symbol 'mtty_write' was not declared. Should it be static? samples/vfio-mdev/mtty.c:1070:5: warning: symbol 'mtty_get_region_info' was not declared. Should it be static? samples/vfio-mdev/mtty.c:1119:5: warning: symbol 'mtty_get_irq_info' was not declared. Should it be static? samples/vfio-mdev/mtty.c:1143:5: warning: symbol 'mtty_get_device_info' was not declared. Should it be static? samples/vfio-mdev/mtty.c:1275:5: warning: symbol 'mtty_open' was not declared. Should it be static? samples/vfio-mdev/mtty.c:1281:6: warning: symbol 'mtty_close' was not declared. Should it be static? samples/vfio-mdev/mtty.c:1305:30: warning: symbol 'mtty_dev_groups' was not declared. Should it be static? Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Cc: Alex Williamson <alex.williamson@redhat.com> Cc: Kirti Wankhede <kwankhede@nvidia.com> Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> [aw: wrap long lines] Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2019-06-19T15:09:55Z Thomas Gleixner tglx@linutronix.de 2019-06-04T08:11:33Z urn:sha1:d2912cb15bdda8ba4a5dd73396ad62641af2f520 Based on 2 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation # extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4122 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Enrico Weigelt <info@metux.net> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-05-21T08:50:46Z Thomas Gleixner tglx@linutronix.de 2019-05-19T12:07:45Z urn:sha1:ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1 Add SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any form These files fall under the project license, GPL v2 only. The resulting SPDX license identifier is: GPL-2.0-only Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-02-12T20:21:18Z Chengguang Xu cgxu519@gmx.com 2019-02-12T05:59:32Z urn:sha1:3e4835f7d7a84ab022682aaeecaae5c508aeb76c Actually, total amount of available minor number for a single major is MINORMARK + 1. So expand minor range when registering chrdev region. Signed-off-by: Chengguang Xu <cgxu519@gmx.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2019-02-12T20:21:14Z Chengguang Xu cgxu519@gmx.com 2019-02-12T05:59:31Z urn:sha1:18bc04bc8a2aa95c33c6613c5fffc4d3535397f0 Actually, total amount of available minor number for a single major is MINORMARK + 1. So expand minor range when registering chrdev region. Signed-off-by: Chengguang Xu <cgxu519@gmx.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com> 2019-02-12T20:21:05Z Chengguang Xu cgxu519@gmx.com 2019-02-12T05:59:30Z urn:sha1:16355214a54efdb82a48d77b5389ee6fcc73015e Actually, total amount of available minor number for a single major is MINORMARK + 1. So expand minor range when registering chrdev region. Signed-off-by: Chengguang Xu <cgxu519@gmx.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>