diff options
| -rw-r--r-- | HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch | 44 | ||||
| -rw-r--r-- | config-x86_64-generic | 3 | ||||
| -rw-r--r-- | drm-nouveau-disp-sor-gf119-select-correct-sor-when.patch | 29 | ||||
| -rw-r--r-- | kernel.spec | 40 | ||||
| -rw-r--r-- | net-smsc911x-Fix-bug-where-PHY-interrupts-are-overwritten-by-0.patch | 52 | ||||
| -rw-r--r-- | nfsd-check-permissions-when-setting-ACLs.patch | 154 | ||||
| -rw-r--r-- | platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch | 52 | ||||
| -rw-r--r-- | posix_acl-Add-set_posix_acl.patch | 55 | ||||
| -rw-r--r-- | qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch | 98 | ||||
| -rw-r--r-- | sources | 2 |
10 files changed, 527 insertions, 2 deletions
diff --git a/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch b/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch new file mode 100644 index 000000000..e84272ee7 --- /dev/null +++ b/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch @@ -0,0 +1,44 @@ +From 93a2001bdfd5376c3dc2158653034c20392d15c5 Mon Sep 17 00:00:00 2001 +From: Scott Bauer <sbauer@plzdonthack.me> +Date: Thu, 23 Jun 2016 08:59:47 -0600 +Subject: [PATCH] HID: hiddev: validate num_values for HIDIOCGUSAGES, + HIDIOCSUSAGES commands + +This patch validates the num_values parameter from userland during the +HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set +to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter +leading to a heap overflow. + +Cc: stable@vger.kernel.org +Signed-off-by: Scott Bauer <sbauer@plzdonthack.me> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +--- + drivers/hid/usbhid/hiddev.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index 2f1ddca6f2e0..700145b15088 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + goto inval; + } else if (uref->usage_index >= field->report_count) + goto inval; +- +- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && +- (uref_multi->num_values > HID_MAX_MULTI_USAGES || +- uref->usage_index + uref_multi->num_values > field->report_count)) +- goto inval; + } + ++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && ++ (uref_multi->num_values > HID_MAX_MULTI_USAGES || ++ uref->usage_index + uref_multi->num_values > field->report_count)) ++ goto inval; ++ + switch (cmd) { + case HIDIOCGUSAGE: + uref->value = field->value[uref->usage_index]; +-- +2.5.5 + diff --git a/config-x86_64-generic b/config-x86_64-generic index b6037709c..abac3ee5b 100644 --- a/config-x86_64-generic +++ b/config-x86_64-generic @@ -230,3 +230,6 @@ CONFIG_INFINIBAND_HFI1=m # CONFIG_HFI1_DEBUG_SDMA_ORDER is not set CONFIG_HFI1_VERBS_31BIT_PSN=y # CONFIG_SDMA_VERBOSITY is not set +# +# Temporary workaround until SND_SOC_INTEL_HASWELL_MACH no longer requires builtin +CONFIG_DW_DMAC=y diff --git a/drm-nouveau-disp-sor-gf119-select-correct-sor-when.patch b/drm-nouveau-disp-sor-gf119-select-correct-sor-when.patch new file mode 100644 index 000000000..996b47918 --- /dev/null +++ b/drm-nouveau-disp-sor-gf119-select-correct-sor-when.patch @@ -0,0 +1,29 @@ +From 217215041b9285af2193a755b56a8f3ed408bfe2 Mon Sep 17 00:00:00 2001 +From: Ben Skeggs <bskeggs@redhat.com> +Date: Wed, 6 Jul 2016 06:50:36 +1000 +Subject: [PATCH] drm/nouveau/disp/sor/gf119: select correct sor when poking + training pattern + +Fixes a regression caused by a stupid thinko from "disp/sor/gf119: both +links use the same training register". + +Signed-off-by: Ben Skeggs <bskeggs@redhat.com> +Cc: stable@vger.kernel.org +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c +index 22706c0..49bd5da 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c +@@ -40,7 +40,8 @@ static int + gf119_sor_dp_pattern(struct nvkm_output_dp *outp, int pattern) + { + struct nvkm_device *device = outp->base.disp->engine.subdev.device; +- nvkm_mask(device, 0x61c110, 0x0f0f0f0f, 0x01010101 * pattern); ++ const u32 soff = gf119_sor_soff(outp); ++ nvkm_mask(device, 0x61c110 + soff, 0x0f0f0f0f, 0x01010101 * pattern); + return 0; + } + diff --git a/kernel.spec b/kernel.spec index 0782930ba..efaa85499 100644 --- a/kernel.spec +++ b/kernel.spec @@ -59,7 +59,7 @@ Summary: The Linux kernel # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -525,6 +525,8 @@ Patch422: geekbox-v4-device-tree-support.patch # http://www.spinics.net/lists/arm-kernel/msg483898.html Patch423: Initial-AllWinner-A64-and-PINE64-support.patch +Patch424: net-smsc911x-Fix-bug-where-PHY-interrupts-are-overwritten-by-0.patch + # http://www.spinics.net/lists/linux-tegra/msg26029.html Patch426: usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch @@ -668,6 +670,22 @@ Patch823: 0003-drm-nouveau-disp-sor-gf119-both-links-use-the-same-t.patch Patch824: 0004-drm-nouveau-disp-sor-gm107-training-pattern-register.patch Patch825: 0005-i915-fbc-Disable-on-HSW-by-default-for-now.patch +#CVE-2016-5829 rhbz 1350509 1350513 +Patch826: HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch + +#CVE-2016-1237 rhbz 1350845 1350847 +Patch830: posix_acl-Add-set_posix_acl.patch +Patch831: nfsd-check-permissions-when-setting-ACLs.patch + +#CVE-2016-6156 rhbz 1353490 1353491 +Patch832: platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch + +#rbhz 1351205 +Patch833: drm-nouveau-disp-sor-gf119-select-correct-sor-when.patch + +#rhbz 1346753 +Patch834: qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch + # END OF PATCH DEFINITIONS %endif @@ -2196,6 +2214,26 @@ fi # # %changelog +* Mon Jul 11 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.4-300 +- Linux v4.6.4 + +* Thu Jul 07 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Fix oops in qla2xxx driver (rhbz 1346753) +- Fix blank screen on some nvidia cards (rbhz 1351205) +- CVE-2016-6156 race condition in chrome chardev driver (rhbz 1353490 1353491) + +* Fri Jul 01 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Reenable CONFIG_DW_DMAC_CORE=y to fix sound on some Broadwell machines (rhbz 1351738 1352176) + +* Thu Jun 30 2016 Peter Robinson <pbrobinson@fedoraproject.org> +- Pull upstream fix for smsc911x + +* Tue Jun 28 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-1237 missing check for permissions setting ACL (rhbz 1350845 1350847) + +* Mon Jun 27 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-5829 heap overflow in hiddev (rhbz 1350509 1350513) + * Fri Jun 24 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.3-300 - Linux v4.6.3 diff --git a/net-smsc911x-Fix-bug-where-PHY-interrupts-are-overwritten-by-0.patch b/net-smsc911x-Fix-bug-where-PHY-interrupts-are-overwritten-by-0.patch new file mode 100644 index 000000000..24b5ac2ae --- /dev/null +++ b/net-smsc911x-Fix-bug-where-PHY-interrupts-are-overwritten-by-0.patch @@ -0,0 +1,52 @@ +From patchwork Wed Jun 22 17:40:50 2016 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [v3] net: smsc911x: Fix bug where PHY interrupts are overwritten by 0 +From: Jeremy Linton <jeremy.linton@arm.com> +X-Patchwork-Id: 639331 +X-Patchwork-Delegate: davem@davemloft.net +Message-Id: <1466617250-27317-1-git-send-email-jeremy.linton@arm.com> +To: netdev@vger.kernel.org +Cc: steve.glendinning@shawell.net, andrew@lunn.ch, + sergei.shtylyov@cogentembedded.com, linux-kernel@vger.kernel.org, + stable@vger.kernel.org, pbrobinson@gmail.com, + mlangsdorf@redhat.com, steve.capper@arm.com +Date: Wed, 22 Jun 2016 12:40:50 -0500 + +By default, mdiobus_alloc() sets the PHYs to polling mode, but a +pointer size memcpy means that a couple IRQs end up being overwritten +with a value of 0. This means that PHY_POLL is disabled and results +in unpredictable behavior depending on the PHY's location on the +MDIO bus. Remove that memcpy and the now unused phy_irq member to +force the SMSC911x PHYs into polling mode 100% of the time. + +Fixes: e7f4dc3536a4 ("mdio: Move allocation of interrupts into core") + +Signed-off-by: Jeremy Linton <jeremy.linton@arm.com> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> +--- + drivers/net/ethernet/smsc/smsc911x.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/smsc/smsc911x.c b/drivers/net/ethernet/smsc/smsc911x.c +index 8af2556..b5ab5e1 100644 +--- a/drivers/net/ethernet/smsc/smsc911x.c ++++ b/drivers/net/ethernet/smsc/smsc911x.c +@@ -116,7 +116,6 @@ struct smsc911x_data { + + struct phy_device *phy_dev; + struct mii_bus *mii_bus; +- int phy_irq[PHY_MAX_ADDR]; + unsigned int using_extphy; + int last_duplex; + int last_carrier; +@@ -1073,7 +1072,6 @@ static int smsc911x_mii_init(struct platform_device *pdev, + pdata->mii_bus->priv = pdata; + pdata->mii_bus->read = smsc911x_mii_read; + pdata->mii_bus->write = smsc911x_mii_write; +- memcpy(pdata->mii_bus->irq, pdata->phy_irq, sizeof(pdata->mii_bus)); + + pdata->mii_bus->parent = &pdev->dev; + diff --git a/nfsd-check-permissions-when-setting-ACLs.patch b/nfsd-check-permissions-when-setting-ACLs.patch new file mode 100644 index 000000000..37ed435e0 --- /dev/null +++ b/nfsd-check-permissions-when-setting-ACLs.patch @@ -0,0 +1,154 @@ +From 999653786df6954a31044528ac3f7a5dadca08f4 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings <ben@decadent.org.uk> +Date: Wed, 22 Jun 2016 19:43:35 +0100 +Subject: [PATCH] nfsd: check permissions when setting ACLs + +Use set_posix_acl, which includes proper permission checks, instead of +calling ->set_acl directly. Without this anyone may be able to grant +themselves permissions to a file by setting the ACL. + +Lock the inode to make the new checks atomic with respect to set_acl. +(Also, nfsd was the only caller of set_acl not locking the inode, so I +suspect this may fix other races.) + +This also simplifies the code, and ensures our ACLs are checked by +posix_acl_valid. + +The permission checks and the inode locking were lost with commit +4ac7249e, which changed nfsd to use the set_acl inode operation directly +instead of going through xattr handlers. + +Reported-by: David Sinquin <david@sinquin.eu> +[agreunba@redhat.com: use set_posix_acl] +Fixes: 4ac7249e +Cc: Christoph Hellwig <hch@infradead.org> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +--- + fs/nfsd/nfs2acl.c | 20 ++++++++++---------- + fs/nfsd/nfs3acl.c | 16 +++++++--------- + fs/nfsd/nfs4acl.c | 16 ++++++++-------- + 3 files changed, 25 insertions(+), 27 deletions(-) + +diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c +index 1580ea6fd64d..d08cd88155c7 100644 +--- a/fs/nfsd/nfs2acl.c ++++ b/fs/nfsd/nfs2acl.c +@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct svc_rqst * rqstp, + goto out; + + inode = d_inode(fh->fh_dentry); +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + if (error) +- goto out_drop_write; ++ goto out_drop_lock; ++ ++ fh_unlock(fh); + + fh_drop_write(fh); + +@@ -131,7 +130,8 @@ out: + posix_acl_release(argp->acl_access); + posix_acl_release(argp->acl_default); + return nfserr; +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); +diff --git a/fs/nfsd/nfs3acl.c b/fs/nfsd/nfs3acl.c +index 01df4cd7c753..0c890347cde3 100644 +--- a/fs/nfsd/nfs3acl.c ++++ b/fs/nfsd/nfs3acl.c +@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct svc_rqst * rqstp, + goto out; + + inode = d_inode(fh->fh_dentry); +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); +diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c +index 6adabd6049b7..71292a0d6f09 100644 +--- a/fs/nfsd/nfs4acl.c ++++ b/fs/nfsd/nfs4acl.c +@@ -770,9 +770,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqstp, struct svc_fh *fhp, + dentry = fhp->fh_dentry; + inode = d_inode(dentry); + +- if (!inode->i_op->set_acl || !IS_POSIXACL(inode)) +- return nfserr_attrnotsupp; +- + if (S_ISDIR(inode->i_mode)) + flags = NFS4_ACL_DIR; + +@@ -782,16 +779,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqstp, struct svc_fh *fhp, + if (host_error < 0) + goto out_nfserr; + +- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS); ++ fh_lock(fhp); ++ ++ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl); + if (host_error < 0) +- goto out_release; ++ goto out_drop_lock; + + if (S_ISDIR(inode->i_mode)) { +- host_error = inode->i_op->set_acl(inode, dpacl, +- ACL_TYPE_DEFAULT); ++ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl); + } + +-out_release: ++out_drop_lock: ++ fh_unlock(fhp); ++ + posix_acl_release(pacl); + posix_acl_release(dpacl); + out_nfserr: +-- +2.5.5 + diff --git a/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch b/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch new file mode 100644 index 000000000..a685ff697 --- /dev/null +++ b/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch @@ -0,0 +1,52 @@ +From 096cdc6f52225835ff503f987a0d68ef770bb78e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Tue, 21 Jun 2016 16:58:46 +0300 +Subject: [PATCH] platform/chrome: cros_ec_dev - double fetch bug in ioctl + +We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure +that those values have not changed between the two copy_from_user() +calls. Otherwise it could lead to a buffer overflow. + +Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value. +We should use the new smaller value so we don't copy too much data to +the user. + +Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> +Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data') +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Reviewed-by: Kees Cook <keescook@chromium.org> +Tested-by: Gwendal Grignou <gwendal@chromium.org> +Cc: <stable@vger.kernel.org> # v4.2+ +Signed-off-by: Olof Johansson <olof@lixom.net> +--- + drivers/platform/chrome/cros_ec_dev.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c +index 6d8ee3b15872..8abd80dbcbed 100644 +--- a/drivers/platform/chrome/cros_ec_dev.c ++++ b/drivers/platform/chrome/cros_ec_dev.c +@@ -151,13 +151,19 @@ static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg) + goto exit; + } + ++ if (u_cmd.outsize != s_cmd->outsize || ++ u_cmd.insize != s_cmd->insize) { ++ ret = -EINVAL; ++ goto exit; ++ } ++ + s_cmd->command += ec->cmd_offset; + ret = cros_ec_cmd_xfer(ec->ec_dev, s_cmd); + /* Only copy data to userland if data was received. */ + if (ret < 0) + goto exit; + +- if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + u_cmd.insize)) ++ if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize)) + ret = -EFAULT; + exit: + kfree(s_cmd); +-- +2.5.5 + diff --git a/posix_acl-Add-set_posix_acl.patch b/posix_acl-Add-set_posix_acl.patch new file mode 100644 index 000000000..c067f7b85 --- /dev/null +++ b/posix_acl-Add-set_posix_acl.patch @@ -0,0 +1,55 @@ +From c463b51e8ea1ae47a7bb8cc2777eb550ad3273e2 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruenba@redhat.com> +Date: Wed, 22 Jun 2016 23:57:25 +0200 +Subject: [PATCH] posix_acl: Add set_posix_acl + +Factor out part of posix_acl_xattr_set into a common function that takes +a posix_acl, which nfsd can also call. + +The prototype already exists in include/linux/posix_acl.h. + +Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> +Cc: stable@vger.kernel.org +Cc: Christoph Hellwig <hch@infradead.org> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +--- + fs/posix_acl.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/fs/posix_acl.c b/fs/posix_acl.c +index 711dd5170376..f30caace5b84 100644 +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -786,6 +786,28 @@ posix_acl_xattr_get(const struct xattr_handler *handler, + return error; + } + ++int ++set_posix_acl(struct inode *inode, int type, struct posix_acl *acl) ++{ ++ if (!IS_POSIXACL(inode)) ++ return -EOPNOTSUPP; ++ if (!inode->i_op->set_acl) ++ return -EOPNOTSUPP; ++ ++ if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) ++ return acl ? -EACCES : 0; ++ if (!inode_owner_or_capable(inode)) ++ return -EPERM; ++ ++ if (acl) { ++ int ret = posix_acl_valid(acl); ++ if (ret) ++ return ret; ++ } ++ return inode->i_op->set_acl(inode, acl, type); ++} ++EXPORT_SYMBOL(set_posix_acl); ++ + static int + posix_acl_xattr_set(const struct xattr_handler *handler, + struct dentry *dentry, const char *name, +-- +2.5.5 + diff --git a/qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch b/qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch new file mode 100644 index 000000000..4e50a65e2 --- /dev/null +++ b/qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch @@ -0,0 +1,98 @@ +From 36d17a40c174c8b77386520ab2a430fea760dcc3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bruno=20Pr=C3=83=C2=A9mont?= <bonbons@linux-vserver.org> +Date: Thu, 30 Jun 2016 17:00:32 +0200 +Subject: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL +pointer dereference when rsp->msix is NULL: + +[ 5.622457] NULL pointer dereference at 0000000000000050 +[ 5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 +[ 5.622457] PGD 0 +[ 5.622457] Oops: 0000 [#1] SMP +[ 5.622457] Modules linked in: +[ 5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1 +[ 5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011 +[ 5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000 +[ 5.622457] RIP: 0010:[<ffffffff8155e614>] [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 +[ 5.622457] RSP: 0000:ffff8801afb03de8 EFLAGS: 00010002 +[ 5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff +[ 5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0 +[ 5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000 +[ 5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8 +[ 5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013 +[ 5.622457] FS: 0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000 +[ 5.622457] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0 +[ 5.622457] Stack: +[ 5.622457] ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002 +[ 5.622457] ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002 +[ 5.622457] ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032 +[ 5.622457] Call Trace: +[ 5.622457] <IRQ> +[ 5.622457] [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80 +[ 5.622457] [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60 +[ 5.622457] [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240 +[ 5.622457] [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0 +[ 5.622457] [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200 +[ 5.622457] [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100 +[ 5.622457] [<ffffffff810c8a77>] handle_irq_event+0x27/0x50 +[ 5.622457] [<ffffffff810cb965>] handle_edge_irq+0x65/0x140 +[ 5.622457] [<ffffffff8101a498>] handle_irq+0x18/0x30 +[ 5.622457] [<ffffffff8101a276>] do_IRQ+0x46/0xd0 +[ 5.622457] [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f +[ 5.622457] <EOI> +[ 5.622457] [<ffffffff81020d38>] ? mwait_idle+0x68/0x80 +[ 5.622457] [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10 +[ 5.622457] [<ffffffff810c1b97>] default_idle_call+0x27/0x30 +[ 5.622457] [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230 +[ 5.622457] [<ffffffff810324c6>] start_secondary+0x136/0x140 +[ 5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00 +[ 5.622457] RIP [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 +[ 5.622457] RSP <ffff8801afb03de8> +[ 5.622457] CR2: 0000000000000050 +[ 5.622457] ---[ end trace fa2b19c25106d42b ]--- +[ 5.622457] Kernel panic - not syncing: Fatal exception in interrupt + +The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde +(qla2xxx: Add irq affinity notification). + +Only dereference rsp->msix when it has been set so the machine can boot +fine. Possibly rsp->msix is unset because: +[ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. +[ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. +[ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). +[ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. +[ 3.890145] scsi host0: qla2xxx +[ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. +[ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). +[ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). + +Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org> +Acked-by: Quinn Tran <quinn.tran@qlogic.com> +CC: <stable@vger.kernel.org> # 4.5+ +Fixes: cdb898c52d1dfad4b4800b83a58b3fe5d352edde +Signed-off-by: James Bottomley <jejb@linux.vnet.ibm.com> +--- + drivers/scsi/qla2xxx/qla_isr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index 5649c200d37c..a92a62dea793 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, + if (!vha->flags.online) + return; + +- if (rsp->msix->cpuid != smp_processor_id()) { ++ if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) { + /* if kernel does not notify qla of IRQ's CPU change, + * then set it here. + */ +-- +2.5.5 + @@ -1,3 +1,3 @@ d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz -0d59cb81eb7c0daf0f5019deda65af90 patch-4.6.3.xz +c8ff415734155965ae7a2a85ef9c9e03 patch-4.6.4.xz |