Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-4.20.y 2018-06-07T00:27:14+00:00 2018-06-07T00:27:14+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-06-07T00:27:14+00:00 urn:sha1:285767604576148fc1be7fcd112e4a90eb0d6ad2 Pull overflow updates from Kees Cook: "This adds the new overflow checking helpers and adds them to the 2-factor argument allocators. And this adds the saturating size helpers and does a treewide replacement for the struct_size() usage. Additionally this adds the overflow testing modules to make sure everything works. I'm still working on the treewide replacements for allocators with "simple" multiplied arguments: *alloc(a * b, ...) -> *alloc_array(a, b, ...) and *zalloc(a * b, ...) -> *calloc(a, b, ...) as well as the more complex cases, but that's separable from this portion of the series. I expect to have the rest sent before -rc1 closes; there are a lot of messy cases to clean up. Summary: - Introduce arithmetic overflow test helper functions (Rasmus) - Use overflow helpers in 2-factor allocators (Kees, Rasmus) - Introduce overflow test module (Rasmus, Kees) - Introduce saturating size helper functions (Matthew, Kees) - Treewide use of struct_size() for allocators (Kees)" * tag 'overflow-v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: treewide: Use struct_size() for devm_kmalloc() and friends treewide: Use struct_size() for vmalloc()-family treewide: Use struct_size() for kmalloc()-family device: Use overflow helpers for devm_kmalloc() mm: Use overflow helpers in kvmalloc() mm: Use overflow helpers in kmalloc_array*() test_overflow: Add memory allocation overflow tests overflow.h: Add allocation size calculation helpers test_overflow: Report test failures test_overflow: macrofy some more, do more tests for free lib: add runtime test of check_*_overflow functions compiler.h: enable builtin overflow checkers and add fallback code 2018-06-06T18:15:43+00:00 Kees Cook keescook@chromium.org 2018-05-08T20:45:50+00:00 urn:sha1:acafe7e30216166a17e6e226aadc3ecb63993242 One of the more common cases of allocation size calculations is finding the size of a structure that has a zero-sized array at the end, along with memory for some number of elements for that array. For example: struct foo { int stuff; void *entry[]; }; instance = kmalloc(sizeof(struct foo) + sizeof(void *) * count, GFP_KERNEL); Instead of leaving these open-coded and prone to type mistakes, we can now use the new struct_size() helper: instance = kmalloc(struct_size(instance, entry, count), GFP_KERNEL); This patch makes the changes for kmalloc()-family (and kvmalloc()-family) uses. It was done via automatic conversion with manual review for the "CHECKME" non-standard cases noted below, using the following Coccinelle script: // pkey_cache = kmalloc(sizeof *pkey_cache + tprops->pkey_tbl_len * // sizeof *pkey_cache->table, GFP_KERNEL); @@ identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc"; expression GFP; identifier VAR, ELEMENT; expression COUNT; @@ - alloc(sizeof(*VAR) + COUNT * sizeof(*VAR->ELEMENT), GFP) + alloc(struct_size(VAR, ELEMENT, COUNT), GFP) // mr = kzalloc(sizeof(*mr) + m * sizeof(mr->map[0]), GFP_KERNEL); @@ identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc"; expression GFP; identifier VAR, ELEMENT; expression COUNT; @@ - alloc(sizeof(*VAR) + COUNT * sizeof(VAR->ELEMENT[0]), GFP) + alloc(struct_size(VAR, ELEMENT, COUNT), GFP) // Same pattern, but can't trivially locate the trailing element name, // or variable name. @@ identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc"; expression GFP; expression SOMETHING, COUNT, ELEMENT; @@ - alloc(sizeof(SOMETHING) + COUNT * sizeof(ELEMENT), GFP) + alloc(CHECKME_struct_size(&SOMETHING, ELEMENT, COUNT), GFP) Signed-off-by: Kees Cook <keescook@chromium.org> 2018-05-15T07:08:44+00:00 Jerry Zhang zhangjerry@google.com 2018-03-31T00:54:24+00:00 urn:sha1:9286e24b837151a5a59e7403cea3e4a2c33ba225 Currently, the midi function is not freed until it is both removed from the config and released by the user. Since the user could take a long time to release the card, it's possible that the function could be unlinked and thus f_midi_opts would be null when freeing f_midi. Thus, refcount f_midi_opts and only free it when it is unlinked and all f_midis have been freed. Signed-off-by: Jerry Zhang <zhangjerry@google.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> 2018-03-26T09:53:14+00:00 Yavuz, Tuba tuba@ece.ufl.edu 2018-03-23T17:00:38+00:00 urn:sha1:7fafcfdf6377b18b2a726ea554d6e593ba44349f It looks like there is a possibility of a double-free vulnerability on an error path of the f_midi_set_alt function in the f_midi driver. If the path is feasible then free_ep_req gets called twice: req->complete = f_midi_complete; err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC); => ... usb_gadget_giveback_request => f_midi_complete (CALLBACK) (inside f_midi_complete, for various cases of status) free_ep_req(ep, req); // first kfree if (err) { ERROR(midi, "%s: couldn't enqueue request: %d\n", midi->out_ep->name, err); free_ep_req(midi->out_ep, req); // second kfree return err; } The double-free possibility was introduced with commit ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests"). Found by MOXCAFE tool. Signed-off-by: Tuba Yavuz <tuba@ece.ufl.edu> Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests") Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-11-14T22:44:04+00:00 Linus Torvalds torvalds@linux-foundation.org 2017-11-14T22:44:04+00:00 urn:sha1:abc36be236358162202e86ad88616ff95a755101 Pull configfs updates from Christoph Hellwig: "A couple of configfs cleanups: - proper use of the bool type (Thomas Meyer) - constification of struct config_item_type (Bhumika Goyal)" * tag 'configfs-for-4.15' of git://git.infradead.org/users/hch/configfs: RDMA/cma: make config_item_type const stm class: make config_item_type const ACPI: configfs: make config_item_type const nvmet: make config_item_type const usb: gadget: configfs: make config_item_type const PCI: endpoint: make config_item_type const iio: make function argument and some structures const usb: gadget: make config_item_type structures const dlm: make config_item_type const netconsole: make config_item_type const nullb: make config_item_type const ocfs2/cluster: make config_item_type const target: make config_item_type const configfs: make ci_type field, some pointers and function arguments const configfs: make config_item_type const configfs: Fix bool initialization/comparison 2017-11-07T14:45:02+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2017-11-06T14:37:32+00:00 urn:sha1:24ceb9c669bc18c7de3ae38863ffed8b68ceae9b Now that the SPDX tag is in all USB files, that identifies the license in a specific and legally-defined manner. So the extra GPL text wording can be removed as it is no longer needed at all. This is done on a quest to remove the 700+ different ways that files in the kernel describe the GPL license text. And there's unneeded stuff like the address (sometimes incorrect) for the FSF which is never needed. No copyright headers or other non-license-description text was removed. Cc: Oliver Neukum <oneukum@suse.com> Cc: Johan Hovold <johan@kernel.org> Cc: Jerry Zhang <zhangjerry@google.com> Cc: John Keeping <john@metanate.com> Cc: Krzysztof Opasiak <k.opasiak@samsung.com> Cc: Abdulhadi Mohamed <abdulahhadi2@gmail.com> Cc: Matthew Wilcox <willy@linux.intel.com> Cc: Janusz Dziedzic <januszx.dziedzic@linux.intel.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Acked-by: Vincent Pelletier <plr.vincent@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-11-04T10:48:02+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2017-11-03T10:28:30+00:00 urn:sha1:5fd54ace4721fc5ce2bb5aef6318fcf17f421460 It's good to have SPDX identifiers in all files to make it easier to audit the kernel tree for correct licenses. Update the drivers/usb/ and include/linux/usb* files with the correct SPDX license identifier based on the license text in the file itself. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text. This work is based on a script and data from Thomas Gleixner, Philippe Ombredanne, and Kate Stewart. Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Kate Stewart <kstewart@linuxfoundation.org> Cc: Philippe Ombredanne <pombredanne@nexb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-19T14:15:23+00:00 Bhumika Goyal bhumirks@gmail.com 2017-10-16T15:18:41+00:00 urn:sha1:973639023444320d4fb5c17af58996463b3392d9 Make these structures const as they are only passed to the const argument of the functions config_{group/item}_init_type_name. Signed-off-by: Bhumika Goyal <bhumirks@gmail.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Christoph Hellwig <hch@lst.de> 2017-08-15T11:18:47+00:00 Jerry Zhang zhangjerry@google.com 2017-08-14T21:14:51+00:00 urn:sha1:2d19cdc1cb7ab00003fccb951d6199b8d8c9ac67 Currenly, f_midi_free uses snd_card_free, which will wait until the user has released the sound card before returning. However, if the user doesn't release the sound card, then f_midi_free can block for an arbitrary amount of time, which also blocks any gadget operations on that thread. Instead, we can use snd_card_free_when_closed which returns before all handles are released. Since f_midi can be accessed through rmidi if usb_put_function is called before release_card_device, add refcounting to f_midi_free and have rawmidi's private free call it. The f_midi memory is only kfreed when usb_put_function and release_card_device have both been called. Signed-off-by: Jerry Zhang <zhangjerry@google.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> 2017-08-15T09:46:05+00:00 Badhri Jagan Sridharan badhri@google.com 2017-08-15T01:15:14+00:00 urn:sha1:24cf34595d560de0d8eccd6617b7ca5b4ef93d3e Add super speed descriptors for f_midi. Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>