Re: [PATCH v2] KEYS: always initialize keyring_index_key::desc_len

2018-12-06 Thread Eric Biggers
On Wed, Nov 28, 2018 at 03:19:41PM -0800, Eric Biggers wrote: > On Fri, Nov 02, 2018 at 06:58:54PM -0700, Eric Biggers wrote: > > From: Eric Biggers > > > > syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin() > > called from construct_allo

Re: [PATCH] KEYS: fix parsing invalid pkey info string

2018-12-06 Thread Eric Biggers
On Wed, Nov 28, 2018 at 03:20:20PM -0800, Eric Biggers wrote: > On Sat, Nov 03, 2018 at 10:30:35AM -0700, Eric Biggers wrote: > > From: Eric Biggers > > > > We need to check the return value of match_token() for Opt_err (-1) > > before doing anything with it.

[PATCH v3 2/6] crypto: x86/nhpoly1305 - add AVX2 accelerated NHPoly1305

2018-12-04 Thread Eric Biggers
From: Eric Biggers Add a 64-bit AVX2 implementation of NHPoly1305, an ε-almost-∆-universal hash function used in the Adiantum encryption mode. For now, only the NH portion is actually AVX2-accelerated; the Poly1305 part is less performance-critical so is just implemented in C. Signed-off

[PATCH v2 0/6] crypto: x86_64 optimized XChaCha and NHPoly1305 (for Adiantum)

2018-11-29 Thread Eric Biggers
. Changed since v1: - Rebase on top of latest cryptodev with the AVX-512VL accelerated ChaCha20 from Martin Willi. Eric Biggers (6): crypto: x86/nhpoly1305 - add SSE2 accelerated NHPoly1305 crypto: x86/nhpoly1305 - add AVX2 accelerated NHPoly1305 crypto: x86/chacha20 - limit the preemption

Re: [PATCH] KEYS: fix parsing invalid pkey info string

2018-11-28 Thread Eric Biggers
On Sat, Nov 03, 2018 at 10:30:35AM -0700, Eric Biggers wrote: > From: Eric Biggers > > We need to check the return value of match_token() for Opt_err (-1) > before doing anything with it. > > Reported-by: syzbot+a22e0dc07567662c5...@syzkaller.appspotmail.com > Fixes

Re: [PATCH v2] KEYS: always initialize keyring_index_key::desc_len

2018-11-28 Thread Eric Biggers
On Fri, Nov 02, 2018 at 06:58:54PM -0700, Eric Biggers wrote: > From: Eric Biggers > > syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin() > called from construct_alloc_key() during sys_request_key(), because the > length of the key description wa

Re: [RFC PATCH] zinc chacha20 generic implementation using crypto API code

2018-11-19 Thread Eric Biggers
On Tue, Nov 20, 2018 at 12:15:17AM +0100, Jason A. Donenfeld wrote: > Hi Eric, > > On Mon, Nov 19, 2018 at 11:54 PM Eric Biggers wrote: > > Will v9 include a documentation file for Zinc in Documentation/crypto/? > > That's been suggested several times. >

[PATCH] userfaultfd: convert userfaultfd_ctx::refcount to refcount_t

2018-11-14 Thread Eric Biggers
From: Eric Biggers Reference counters should use refcount_t rather than atomic_t, since the refcount_t implementation can prevent overflows, reducing the exploitability of reference leak bugs. userfaultfd_ctx::refcount is a reference counter with the usual semantics, so convert it to refcount_t
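
The refcount_t argument in the commit message above, as an added userspace model (example code written for this page, not the kernel's refcount_t implementation and not part of the patch): a 32-bit counter that wraps, a saturating counter in the spirit of refcount_t, and the same reference leak driven against each. The struct obj type, the REFCOUNT_SATURATED value and the leak loop are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code: a userspace model of a wrapping
 * reference counter versus a saturating one in the spirit of refcount_t.
 * struct obj, the sticky value below and the leak loop are assumptions
 * of the model. */

#define REFCOUNT_SATURATED 0xC0000000u   /* assumed sticky value */

struct obj {
    uint32_t refs;   /* 32-bit, like the kernel's counters */
    bool freed;      /* set once a put() drives the count to zero */
};

/* atomic_inc()-style get: 0xffffffff + 1 silently becomes 0. */
static void get_wrapping(struct obj *o)
{
    o->refs++;
}

static void put_wrapping(struct obj *o)
{
    if (--o->refs == 0)
        o->freed = true;
}

/* refcount_t-style get: on overflow (or on a get from zero, i.e. a
 * use-after-free) the count sticks at REFCOUNT_SATURATED and the
 * misuse is reported; a saturated object is leaked, never freed. */
static bool get_saturating(struct obj *o)
{
    if (o->refs == 0 || o->refs >= REFCOUNT_SATURATED) {
        o->refs = REFCOUNT_SATURATED;
        return false;
    }
    o->refs++;
    return true;
}

static void put_saturating(struct obj *o)
{
    if (o->refs >= REFCOUNT_SATURATED)
        return;            /* saturated: stays pinned forever */
    if (--o->refs == 0)
        o->freed = true;
}

/* Start from initial_refs live references, let a buggy path leak
 * n_leaks more, then run one balanced get/put from an unrelated user.
 * Returns true if that balanced pair freed the object even though the
 * original references are still in use, i.e. the leak turned into a
 * use-after-free. */
static bool leak_then_get_put(uint32_t initial_refs, unsigned n_leaks,
                              bool saturating)
{
    struct obj o = { .refs = initial_refs, .freed = false };

    for (unsigned i = 0; i < n_leaks; i++) {
        if (saturating)
            get_saturating(&o);
        else
            get_wrapping(&o);
    }

    if (saturating) {
        get_saturating(&o);
        put_saturating(&o);
    } else {
        get_wrapping(&o);
        put_wrapping(&o);
    }
    return o.freed;
}

int main(void)
{
    /* One leak past 0xffffffff wraps to 0; the next get/put frees it. */
    printf("wrapping   counter, leak past 2^32: freed=%d\n",
           leak_then_get_put(0xFFFFFFFFu, 1, false));
    /* The saturating counter pins itself instead. */
    printf("saturating counter, leak past limit: freed=%d\n",
           leak_then_get_put(0xBFFFFFFFu, 2, true));
    return 0;
}
```

The model starts the counter near the boundary instead of looping four billion times; in the real bug each leaked reference costs the attacker one syscall, which is why the saturating design also reports the event (the kernel's refcount_t warns) rather than just refusing to wrap.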

Re: [PATCH v2] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges

2018-11-14 Thread Eric Biggers
Hi Dmitry, On Wed, Nov 14, 2018 at 02:28:56PM -0800, 'Dmitry Torokhov' via syzkaller-bugs wrote: > On Wed, Nov 14, 2018 at 2:05 PM Jann Horn wrote: > > > > On Wed, Nov 14, 2018 at 10:55 PM Eric Biggers wrote: > > > > > > From: Eric Biggers > > >

Re: [PATCH] HID: uhid: prevent uhid_char_write() under KERNEL_DS

2018-11-14 Thread Eric Biggers
On Wed, Nov 14, 2018 at 07:18:39PM +0100, 'Jann Horn' via syzkaller-bugs wrote: > +cc Andy > > On Wed, Nov 14, 2018 at 7:03 PM Eric Biggers wrote: > > When a UHID_CREATE command is written to the uhid char device, a > > copy_from_user() is done from a user pointer em

[PATCH v2] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges

2018-11-14 Thread Eric Biggers
From: Eric Biggers When a UHID_CREATE command is written to the uhid char device, a copy_from_user() is done from a user pointer embedded in the command. When the address limit is KERNEL_DS, e.g. as is the case during sys_sendfile(), this can read from kernel memory. Alternatively, information

[PATCH] HID: uhid: prevent uhid_char_write() under KERNEL_DS

2018-11-14 Thread Eric Biggers
From: Eric Biggers When a UHID_CREATE command is written to the uhid char device, a copy_from_user() is done from a user pointer embedded in the command. When the address limit is KERNEL_DS, e.g. as is the case during sendfile(), this can read from kernel memory. Therefore, UHID_CREATE must

Re: BUG: GPF in non-whitelisted uaccess (non-canonical address?)

2018-11-14 Thread Eric Biggers
On Wed, Nov 14, 2018 at 08:52:46AM -0800, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Wed, Nov 14, 2018 at 4:20 AM, David Herrmann wrote: > > Hey > > > > On Wed, Nov 14, 2018 at 1:25 AM syzbot > > wrote: > >> syzbot has found a reproducer for the following crash on: > >> > >> HEAD commit:

[PATCH] KEYS: fix parsing invalid pkey info string

2018-11-03 Thread Eric Biggers
From: Eric Biggers We need to check the return value of match_token() for Opt_err (-1) before doing anything with it. Reported-by: syzbot+a22e0dc07567662c5...@syzkaller.appspotmail.com Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [v
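
The Opt_err check described in the patch above, as an added userspace illustration (example code written for this page, not the kernel's lib/parser.c or KEYS code): a minimal matcher with match_token()'s calling convention, a table terminated by { Opt_err, NULL }, and a key-info parser that records each key in a flag array, with the check present and absent. The key names, the struct layout and the guard byte are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the kernel's lib/parser.c or KEYS code: a minimal
 * token matcher with match_token()'s calling convention, a table
 * terminated by { Opt_err, NULL }, and a key-info parser that records
 * each key in a flag array.  The key names, the struct and the guard
 * byte are assumptions made for this illustration. */

enum { Opt_err = -1, Opt_enc = 0, Opt_dec, Opt_sign, Opt_verify, Opt_max_ };

struct match_table_entry {
    int token;
    const char *pattern;
};

static const struct match_table_entry param_keys[] = {
    { Opt_enc,    "enc"    },
    { Opt_dec,    "dec"    },
    { Opt_sign,   "sign"   },
    { Opt_verify, "verify" },
    { Opt_err,    NULL     }   /* terminator: its token is what a miss returns */
};

/* Returns the token of the first matching pattern, else Opt_err (-1). */
static int match_token(const char *s, const struct match_table_entry *table)
{
    for (const struct match_table_entry *e = table; e->pattern; e++)
        if (strcmp(s, e->pattern) == 0)
            return e->token;
    return Opt_err;
}

struct key_flags {
    unsigned char guard;            /* models whatever precedes the flag array */
    unsigned char seen[Opt_max_];   /* one flag per known key */
};

/* Parse a whitespace-separated info string such as "enc sign".
 * Returns 0 on success, -1 on an unknown or duplicated key.
 * With reject_unknown == false the Opt_err check is skipped, which is
 * the bug: token is then -1 and flags[-1] is the byte before the flag
 * array (the guard here; arbitrary memory in the real thing). */
static int parse_info(const char *info, bool reject_unknown,
                      struct key_flags *kf)
{
    char buf[128];
    /* Byte pointer into the struct so that index -1 stays inside it. */
    unsigned char *flags = (unsigned char *)kf + offsetof(struct key_flags, seen);

    memset(kf, 0, sizeof(*kf));
    if (strlen(info) >= sizeof(buf))
        return -1;
    strcpy(buf, info);

    for (char *p = strtok(buf, " \t"); p; p = strtok(NULL, " \t")) {
        int token = match_token(p, param_keys);

        if (reject_unknown && token == Opt_err)
            return -1;          /* the check the fix adds */
        if (flags[token])
            return -1;          /* duplicate key */
        flags[token] = 1;
    }
    return 0;
}

int main(void)
{
    struct key_flags kf;
    int rc;

    printf("\"enc sign\"  -> %d\n", parse_info("enc sign", true, &kf));
    printf("\"enc enc\"   -> %d\n", parse_info("enc enc", true, &kf));
    printf("\"enc bogus\" -> %d\n", parse_info("enc bogus", true, &kf));
    rc = parse_info("bogus", false, &kf);
    printf("unchecked \"bogus\" -> %d, guard byte now %u\n", rc, kf.guard);
    return 0;
}
```

Without the check, an unknown key is not rejected and the "duplicate" bookkeeping writes one byte before the array; the kernel code's bitmap version has the same shape, with the out-of-range index feeding a bit operation instead of an array subscript.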

[PATCH v2] KEYS: always initialize keyring_index_key::desc_len

2018-11-02 Thread Eric Biggers
From: Eric Biggers syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin() called from construct_alloc_key() during sys_request_key(), because the length of the key description was never calculated. The problem is that we rely on ->desc_len being initi

Re: [PATCH] KEYS: always initialize keyring_index_key::desc_len

2018-11-02 Thread Eric Biggers
On Fri, Nov 02, 2018 at 04:15:10PM -0700, Eric Biggers wrote: > From: Eric Biggers > > syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin() > called from construct_alloc_key() during sys_request_key(), because the > length of the key description wa

[PATCH] KEYS: always initialize keyring_index_key::desc_len

2018-11-02 Thread Eric Biggers
From: Eric Biggers syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin() called from construct_alloc_key() during sys_request_key(), because the length of the key description was never calculated. The problem is that we rely on ->desc_len being initi

Re: [RFC PATCH v2 04/12] crypto: chacha - add XChaCha12 support

2018-10-19 Thread Eric Biggers
Hi Ard, On Fri, Oct 19, 2018 at 10:34:41PM +0800, Ard Biesheuvel wrote: > > diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h > > index ae79e9983c72f..3d261f5cd156d 100644 > > --- a/include/crypto/chacha.h > > +++ b/include/crypto/chacha.h > > @@ -5,6 +5,11 @@ > > * XChaCha extends

Re: [PATCH 1/2] splice: don't merge into linked buffers

2018-10-15 Thread Eric Biggers
On Mon, Oct 15, 2018 at 05:04:18PM +0200, Jann Horn wrote: > Before this patch, it was possible for two pipes to affect each other after > data had been transferred between them with tee(): > > > $ cat tee_test.c > > int main(void) { > int pipe_a[2]; > if (pipe(pipe_a)) err(1,

[RFC PATCH v2 06/12] crypto: arm/chacha20 - refactor to allow varying number of rounds

2018-10-15 Thread Eric Biggers
From: Eric Biggers In preparation for adding XChaCha12 support, rename/refactor the NEON implementation of ChaCha20 to support different numbers of rounds. Signed-off-by: Eric Biggers --- arch/arm/crypto/Makefile | 4 +- ...hacha20-neon-core.S => chacha-neon-core.S} |

Re: [PATCH net-next v6 00/23] WireGuard: Secure Network Tunnel

2018-09-27 Thread Eric Biggers
On Thu, Sep 27, 2018 at 11:35:39PM +0200, Jason A. Donenfeld wrote: > Hi Eric, > > On Thu, Sep 27, 2018 at 8:29 PM Eric Biggers wrote: > > Why is Herbert Xu's existing crypto tree being circumvented, especially for > > future patches (the initial merge isn't quite a

Re: [PATCH net-next v6 00/23] WireGuard: Secure Network Tunnel

2018-09-27 Thread Eric Biggers
On Tue, Sep 25, 2018 at 04:55:59PM +0200, Jason A. Donenfeld wrote: > > It is intended that this entire patch series enter the kernel through > DaveM's net-next tree. Subsequently, WireGuard patches will go through > DaveM's net-next tree, while Zinc patches will go through Greg KH's tree. >

Re: [RFC PATCH v2 2/2] fscrypt: enable RCU-walk path for .d_revalidate

2018-09-10 Thread Eric Biggers
Hi Gao, On Mon, Sep 10, 2018 at 09:08:57PM +0800, Gao Xiang wrote: > This patch attempts to enable RCU-walk for fscrypt. > It looks harmless at glance and could have better > performance than do ref-walk only. > > Signed-off-by: Gao Xiang > --- > change log v2: > -

Re: [PATCH] lib/parser.c: switch match_number() over to use match_strdup()

2018-09-04 Thread Eric Biggers
On Thu, Aug 30, 2018 at 12:47:27PM -0700, Eric Biggers wrote: > From: Eric Biggers > > This simplifies the code. No change in behavior. > > Signed-off-by: Eric Biggers > --- > lib/parser.c | 5 + > 1 file changed, 1 insertion(+), 4 deletions(-) > > d

[PATCH] lib/parser.c: switch match_u64int() over to use match_strdup()

2018-08-30 Thread Eric Biggers
From: Eric Biggers This simplifies the code. No change in behavior. Signed-off-by: Eric Biggers --- lib/parser.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lib/parser.c b/lib/parser.c index 96656a6dd59b..dd70e5e6c9e2 100644 --- a/lib/parser.c +++ b/lib/parser.c

[PATCH] lib/parser.c: switch match_number() over to use match_strdup()

2018-08-30 Thread Eric Biggers
From: Eric Biggers This simplifies the code. No change in behavior. Signed-off-by: Eric Biggers --- lib/parser.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lib/parser.c b/lib/parser.c index 0142ef28f0eb..96656a6dd59b 100644 --- a/lib/parser.c +++ b/lib/parser.c

[PATCH] lib/parser.c: switch match_strdup() over to use kmemdup_nul()

2018-08-30 Thread Eric Biggers
From: Eric Biggers This simplifies the code. No change in behavior. Signed-off-by: Eric Biggers --- lib/parser.c | 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/lib/parser.c b/lib/parser.c index 3278958b472a..0142ef28f0eb 100644 --- a/lib/parser.c +++ b/lib/parser.c

Re: [RDMA bug] KASAN: use-after-free Read in __list_del_entry_valid (4)

2018-08-23 Thread Eric Biggers
Hello RDMA / InfiniBand maintainers, This is an RDMA bug and it still occurs on Linus' tree as of today (commit 815f0ddb346c1960). I've also simplified the reproducer for it; see below after the original report. Apparently it involves a race between RDMA_USER_CM_CMD_RESOLVE_IP and

Re: KASAN: use-after-free Write in irq_bypass_register_consumer

2018-08-22 Thread Eric Biggers
On Sat, May 26, 2018 at 11:24:01AM +0200, Dmitry Vyukov wrote: > On Sun, May 13, 2018 at 8:21 AM, Eric Biggers wrote: > > On Thu, Apr 05, 2018 at 08:15:24PM -0700, Eric Biggers wrote: > >> On Mon, Jan 29, 2018 at 01:29:48PM +0800, Tianyu Lan wrote: > >> > > >

Re: [PATCH v1 2/3] zinc: Introduce minimal cryptography library

2018-08-16 Thread Eric Biggers
Hi Dan, (I reordered your responses slightly to group together similar topics) On Thu, Aug 16, 2018 at 04:24:54AM -, D. J. Bernstein wrote: > Eric Biggers writes: > > You'd probably attract more contributors if you followed established > > open source conventions. > >

Re: [PATCH v1 2/3] zinc: Introduce minimal cryptography library

2018-08-01 Thread Eric Biggers
[+Cc linux-crypto] Hi Jason, Apologies for starting a new thread, but this patch apparently wasn't Cc'ed to linux-crypto, despite adding over 24000 lines of crypto code. So much for WireGuard being only 4000 lines :-) (For anyone else like me who didn't receive the patch, it can be found at

Re: kernel BUG at fs/super.c:LINE!

2018-07-19 Thread Eric Biggers
On Sun, Jul 08, 2018 at 02:11:59PM -0700, Eric Biggers wrote: > On Sat, Jul 07, 2018 at 06:29:02PM -0700, syzbot wrote: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit:526674536360 Add linux-next specific files for 201807

Re: kernel BUG at fs/userfaultfd.c:LINE! (2)

2018-07-17 Thread Eric Biggers
[+Cc userfaultfd developers and linux-mm] The reproducer hits the BUG_ON() in userfaultfd_release(): BUG_ON(!!vma->vm_userfaultfd_ctx.ctx ^ !!(vma->vm_flags & (VM_UFFD_MISSING | VM_UFFD_WP))); On Sun, Jul 15, 2018 at 05:19:03PM -0700, syzbot wrote: > Hello, > > syzbot

Re: KASAN: slab-out-of-bounds Read in find_first_bit

2018-07-17 Thread Eric Biggers
On Sun, Jul 08, 2018 at 05:42:13PM +0300, Kirill Tkhai wrote: > On 07.07.2018 01:39, syzbot wrote: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit:    526674536360 Add linux-next specific files for 20180706 > > git tree:   linux-next > > console output:

Re: kernel BUG at mm/vmscan.c:LINE!

2018-07-17 Thread Eric Biggers
On Sun, Jul 08, 2018 at 05:50:47PM +0300, Kirill Tkhai wrote: > On 07.07.2018 10:16, syzbot wrote: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit:    526674536360 Add linux-next specific files for 20180706 > > git tree:   linux-next > > console output:

Re: general protection fault in do_remount_sb

2018-07-17 Thread Eric Biggers
Hi David, this looks like another bug in the fs_context patchset. do_remount_sb() is dereferencing a NULL fs_context. On Fri, Jul 06, 2018 at 03:39:03PM -0700, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit:526674536360 Add linux-next specific files for

Re: BUG: bad usercopy in __check_heap_object (3)

2018-07-17 Thread Eric Biggers
On Fri, Jul 06, 2018 at 03:39:04PM -0700, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit:526674536360 Add linux-next specific files for 20180706 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=12d51a2c40 > kernel

Re: [dm-devel] [PATCH v5 05/11] crypto: ahash: Remove VLA usage

2018-07-17 Thread Eric Biggers
On Mon, Jul 16, 2018 at 09:21:44PM -0700, Kees Cook wrote: > In the quest to remove all stack VLA usage from the kernel[1], this > introduces max size macros for ahash, as already done for shash, and > adjust the crypto user to max state size. > > [1] >

Re: [PATCH] x86/power/64: Remove VLA usage

2018-07-16 Thread Eric Biggers
On Sun, Jul 15, 2018 at 08:56:57PM -0700, Kees Cook wrote: > In the quest to remove all stack VLA usage from the kernel[1], this > removes the discouraged use of AHASH_REQUEST_ON_STACK by switching to > shash directly and allocating the descriptor in heap memory (which should > be fine: the tfm

Re: [PATCH 24/32] vfs: syscall: Add fsopen() to prepare for superblock creation [ver #9]

2018-07-11 Thread Eric Biggers
On Wed, Jul 11, 2018 at 08:22:41AM +0100, David Howells wrote: > Andy Lutomirski wrote: > > > >sfd = fsopen("ext4", FSOPEN_CLOEXEC); > > >write(sfd, "s /dev/sdb1"); // note I'm ignoring write's length arg > > > > Imagine some malicious program passes sfd as stdout to a setuid > >

Re: [PATCH 07/18] fs_context: fix double free of legacy_fs_context data

2018-07-09 Thread Eric Biggers
On Mon, Jul 09, 2018 at 06:17:41PM -0700, Eric Biggers wrote: > On Mon, Jul 09, 2018 at 01:31:09PM +0100, David Howells wrote: > > Eric Biggers wrote: > > > > > sys_fsmount() calls fc->ops->free() to free the data, zeroes > > > ->fs_p

Re: [PATCH 07/18] fs_context: fix double free of legacy_fs_context data

2018-07-09 Thread Eric Biggers
On Mon, Jul 09, 2018 at 01:31:09PM +0100, David Howells wrote: > Eric Biggers wrote: > > > sys_fsmount() calls fc->ops->free() to free the data, zeroes > > ->fs_private, then proceeds to reuse the context. But legacy_fs_context > > doesn't use ->fs_private,

Re: [PATCH vfs/for-next 00/18] fs_context fixes

2018-07-08 Thread Eric Biggers
On Sun, Jul 08, 2018 at 02:01:36PM -0700, Eric Biggers wrote: > Hi David and Al, here are some fixes for the fs_context patches. > > Feel free to fold these into the original patches if you want. > > Patches 13-18 are cleanups only. > Also, mount(..., MS_REMOUNT|MS_BIND,

Re: kernel BUG at fs/super.c:LINE!

2018-07-08 Thread Eric Biggers
On Sat, Jul 07, 2018 at 06:29:02PM -0700, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit:526674536360 Add linux-next specific files for 20180706 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=1443b16840 > kernel

[PATCH 05/18] fs_context: fix mount option blacklist

2018-07-08 Thread Eric Biggers
From: Eric Biggers The blacklist didn't actually do anything, since match_token() always returned 0. Fixes: 8a2e54b8af88 ("vfs: Implement a filesystem superblock creation/configuration context") Signed-off-by: Eric Biggers --- fs/fs_context.c | 40 -

[PATCH 02/18] fs_context: fix shrinker leak in sget_fc()

2018-07-08 Thread Eric Biggers
From: Eric Biggers alloc_super() now preallocates the shrinker, so sget_fc() must only register the pre-allocated shrinker, not allocate one again. Fixes: 8a2e54b8af88 ("vfs: Implement a filesystem superblock creation/configuration context") Signed-off-by: Eric Biggers --- fs/s

[PATCH vfs/for-next 00/18] fs_context fixes

2018-07-08 Thread Eric Biggers
Hi David and Al, here are some fixes for the fs_context patches. Feel free to fold these into the original patches if you want. Patches 13-18 are cleanups only. Eric Biggers (18): sysfs: check return value of kernfs_get_tree() fs_context: fix shrinker leak in sget_fc() fs_context: fix

[PATCH 03/18] fs_context: fix detecting full log buffer

2018-07-08 Thread Eric Biggers
From: Eric Biggers When 'head' and 'tail' wrap around, 'log->head - log->tail' will be something like '4 - 252 = -248', and comparing that directly to the array size is wrong. Fix by casting to 'u8'. Fixes: 09aeca629fb3 ("vfs: Implement logging through fs_context") Signed-off-
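
The wrap-around arithmetic from the commit message above, as an added userspace example (written for this page, not the fs_context log code): a ring of message slots indexed by free-running 8-bit head/tail counters, with the signed-difference check and the u8-cast check side by side, driven to the head == 4, tail == 252 state the message describes. The slot count and the message type are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the fs_context log code: a ring of LOG_SLOTS
 * message slots indexed by free-running 8-bit head/tail counters, with
 * the broken and the fixed fullness check side by side.  The slot
 * count and the message type are assumptions. */

#define LOG_SLOTS 8u   /* assumed; must be a power of two no larger than 256 */

struct log_ring {
    uint8_t head;                /* bumped by the producer */
    uint8_t tail;                /* bumped by the consumer */
    const char *msg[LOG_SLOTS];
};

/* Entries in use, computed correctly: truncate back to 8 bits first.
 * With head == 4 and tail == 252: (u8)(4 - 252) == (u8)-248 == 8. */
static unsigned used_u8(const struct log_ring *r)
{
    return (uint8_t)(r->head - r->tail);
}

static bool is_full_u8(const struct log_ring *r)
{
    return used_u8(r) >= LOG_SLOTS;
}

/* The bug: both uint8_t operands promote to int, so once the counters
 * have wrapped the difference goes negative (4 - 252 == -248) and the
 * buffer is never reported full. */
static bool is_full_signed(const struct log_ring *r)
{
    return r->head - r->tail >= (int)LOG_SLOTS;
}

/* Append a message, or drop it (return false) when the ring is full. */
static bool log_push(struct log_ring *r, const char *m, bool fixed_check)
{
    if (fixed_check ? is_full_u8(r) : is_full_signed(r))
        return false;
    r->msg[r->head % LOG_SLOTS] = m;
    r->head++;
    return true;
}

static const char *log_pop(struct log_ring *r)
{
    const char *m;

    if (used_u8(r) == 0)
        return NULL;
    m = r->msg[r->tail % LOG_SLOTS];
    r->tail++;
    return m;
}

/* Reach the state from the commit message: 252 push/pop pairs move
 * both counters to 252, then 8 unread entries wrap head to 4. */
static void make_wrapped_full(struct log_ring *r)
{
    memset(r, 0, sizeof(*r));
    for (unsigned i = 0; i < 252; i++) {
        log_push(r, "consumed", true);
        log_pop(r);
    }
    for (unsigned i = 0; i < LOG_SLOTS; i++)
        log_push(r, "unread", true);
}

/* With the signed check a ninth push is accepted and lands in slot
 * 4 % 8, which is exactly where tail (252 % 8 == 4) still points:
 * the oldest unread message is silently overwritten. */
static bool buggy_push_clobbers_oldest(void)
{
    struct log_ring r;

    make_wrapped_full(&r);
    if (!log_push(&r, "late", false))
        return false;
    return strcmp(r.msg[r.tail % LOG_SLOTS], "late") == 0;
}

int main(void)
{
    struct log_ring r;

    make_wrapped_full(&r);
    printf("head=%u tail=%u used=%u full(signed)=%d full(u8)=%d\n",
           r.head, r.tail, used_u8(&r), is_full_signed(&r), is_full_u8(&r));
    printf("buggy check overwrites oldest unread entry: %d\n",
           buggy_push_clobbers_oldest());
    return 0;
}
```

The cast matters only because the counters are narrower than int; the same idiom with size_t counters needs no cast, since unsigned subtraction already wraps to the intended value.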

[PATCH 06/18] fs_context: fix memory leak with 's' (source) command

2018-07-08 Thread Eric Biggers
From: Eric Biggers Fixes: 5f417428a312 ("vfs: Implement fsopen() to prepare for a mount") Signed-off-by: Eric Biggers --- fs/fsopen.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/fsopen.c b/fs/fsopen.c index 5d346ac78d504..8d6fa4ba8fb55 100644 --- a/fs/fsopen.c +++ b/f

[PATCH 01/18] sysfs: check return value of kernfs_get_tree()

2018-07-08 Thread Eric Biggers
From: Eric Biggers Reported-by: syzbot+0977fcb74b8a12a96...@syzkaller.appspotmail.com Fixes: a5195193b1e5 ("kernfs, sysfs, cgroup, intel_rdt: Support fs_context") Signed-off-by: Eric Biggers --- fs/sysfs/mount.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/sysfs/mount.c

[PATCH 09/18] fsmount: fix handling FSMOUNT_CLOEXEC

2018-07-08 Thread Eric Biggers
From: Eric Biggers Fixes: 0c65353ab9f5 ("vfs: Implement fsmount() to effect a pre-configured mount") Signed-off-by: Eric Biggers --- fs/namespace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index 9cde133d0a9c4..8ac9e8fb31

[PATCH 10/18] fsmount: fix bypassing SB_MANDLOCK permission check

2018-07-08 Thread Eric Biggers
From: Eric Biggers fc->sb_flags can be modified up until fc->uapi_mutex is taken, so the permission check for SB_MANDLOCK needs to happen under the mutex. Also move the may_mount() check as early as possible. Fixes: 0c65353ab9f5 ("vfs: Implement fsmount() to effect a pre-config

[PATCH 11/18] fspick: fix path leak

2018-07-08 Thread Eric Biggers
From: Eric Biggers Fixes: 99f8421020ac ("vfs: Implement fspick() to select a superblock for reconfiguration") Signed-off-by: Eric Biggers --- fs/fsopen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/fsopen.c b/fs/fsopen.c index 8d6fa4ba8fb55..3e439299dd

[PATCH 12/18] fspick: add missing permission check

2018-07-08 Thread Eric Biggers
From: Eric Biggers Fixes: 99f8421020ac ("vfs: Implement fspick() to select a superblock for reconfiguration") Signed-off-by: Eric Biggers --- fs/fsopen.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/fsopen.c b/fs/fsopen.c index 3e439299ddf79..b3a22848f8eec 10064

[PATCH 18/18] fs_context: fix fscontext_write() comment

2018-07-08 Thread Eric Biggers
From: Eric Biggers The 'r' command doesn't exist, and 'd' was apparently renamed to 's'. Signed-off-by: Eric Biggers --- fs/fsopen.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/fs/fsopen.c b/fs/fsopen.c index 34d7292bb398e..6947fed9df3b2 100644 --- a/fs/fsopen.c

[PATCH 07/18] fs_context: fix double free of legacy_fs_context data

2018-07-08 Thread Eric Biggers
From: Eric Biggers sys_fsmount() calls fc->ops->free() to free the data, zeroes ->fs_private, then proceeds to reuse the context. But legacy_fs_context doesn't use ->fs_private, so we need to handle zeroing it too; otherwise there's a double free of legacy_fs_context::{legacy_

[PATCH 08/18] fsmount: pass up error code from dentry_open()

2018-07-08 Thread Eric Biggers
From: Eric Biggers Fixes: 0c65353ab9f5 ("vfs: Implement fsmount() to effect a pre-configured mount") Signed-off-by: Eric Biggers --- fs/namespace.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index 6f0701a03a2b3..9cde133d0a

[PATCH 13/18] fsmount: removed unused variable 'inode'

2018-07-08 Thread Eric Biggers
From: Eric Biggers Signed-off-by: Eric Biggers --- fs/namespace.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index 7f0191bb5db46..0624af4806c4a 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3230,7 +3230,6 @@ EXPORT_SYMBOL_GPL(kern_mount

[PATCH 14/18] fsopen,fspick: factor out log allocation

2018-07-08 Thread Eric Biggers
From: Eric Biggers Signed-off-by: Eric Biggers --- fs/fsopen.c | 27 --- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/fs/fsopen.c b/fs/fsopen.c index b3a22848f8eec..02edb4705fac2 100644 --- a/fs/fsopen.c +++ b/fs/fsopen.c @@ -223,6 +223,16 @@ static

[PATCH 17/18] fs_context: de-obfuscate command validation

2018-07-08 Thread Eric Biggers
From: Eric Biggers Signed-off-by: Eric Biggers --- fs/fsopen.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/fs/fsopen.c b/fs/fsopen.c index dd38f6b65aace..34d7292bb398e 100644 --- a/fs/fsopen.c +++ b/fs/fsopen.c @@ -50,10 +50,10 @@ static ssize_t fscontext_write

[PATCH 16/18] fs_context: de-obfuscate control flow in fscontext_read()

2018-07-08 Thread Eric Biggers
From: Eric Biggers Signed-off-by: Eric Biggers --- fs/fsopen.c | 20 +--- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/fs/fsopen.c b/fs/fsopen.c index 1fbd8b0ca194b..dd38f6b65aace 100644 --- a/fs/fsopen.c +++ b/fs/fsopen.c @@ -161,20 +161,18 @@ static ssize_t

[PATCH 15/18] fsopen,fspick: rename fsopen_create_fd() to fscontext_create_fd()

2018-07-08 Thread Eric Biggers
From: Eric Biggers It's used for both fsopen() and fspick(), not just fsopen(). Signed-off-by: Eric Biggers --- fs/fsopen.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/fsopen.c b/fs/fsopen.c index 02edb4705fac2..1fbd8b0ca194b 100644 --- a/fs/fsopen.c +++ b/fs

[PATCH 04/18] fs_context: fix fs_context leak in simple_pin_fs()

2018-07-08 Thread Eric Biggers
From: Eric Biggers Fixes: 8a2e54b8af88 ("vfs: Implement a filesystem superblock creation/configuration context") Signed-off-by: Eric Biggers --- fs/libfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/libfs.c b/fs/libfs.c index 823f0510e43da..d9a5d883dc

Re: KASAN: use-after-free Read in iput

2018-07-07 Thread Eric Biggers
On Tue, Apr 17, 2018 at 06:02:02PM -0700, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > a27fc14219f2e3c4a46ba9177b04d9b52c875532 (Mon Apr 16 21:07:39 2018 +) > Merge branch 'parisc-4.17-3' of > git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux

[PATCH] reiserfs: fix buffer overflow with long warning messages

2018-07-07 Thread Eric Biggers
From: Eric Biggers ReiserFS prepares log messages into a 1024-byte buffer with no bounds checks. Long messages, such as the "unknown mount option" warning when userspace passes a crafted mount options string, overflow this buffer. This causes KASAN to report a global-out-of-bounds w

Re: KASAN: use-after-free Read in __list_add_valid (5)

2018-07-04 Thread Eric Biggers
On Tue, May 15, 2018 at 01:49:23PM -0700, Roland Dreier wrote: > > Still reproducible on Linus' tree (commit 66e1c94db3cd4e) and on linux-next > > (next-20180511). Here's a simplified reproducer: > > Thanks! That's a fantastic test case. > > The issue is a race where rdma_listen() sees invalid

Re: INFO: task hung in ucma_destroy_id

2018-07-04 Thread Eric Biggers
On Wed, Mar 28, 2018 at 02:56:01AM -0700, syzbot wrote: > syzbot has found reproducer for the following crash on upstream commit > 3eb2ce825ea1ad89d20f7a3b5780df850e4be274 (Sun Mar 25 22:44:30 2018 +) > Linux 4.16-rc7 > syzbot dashboard link: >

Re: [PATCH 10/32] VFS: Implement a filesystem superblock creation/configuration context [ver #8]

2018-07-03 Thread Eric Biggers
On Fri, May 25, 2018 at 01:06:29AM +0100, David Howells wrote: > +/** > + * sget_fc - Find or create a superblock > + * @fc: Filesystem context. > + * @test: Comparison callback > + * @set: Setup callback > + * > + * Find or create a superblock using the parameters stored in the filesystem >

Re: [PATCH 3/3][RFC] tools: create power/crypto utility

2018-06-21 Thread Eric Biggers
Hi Yu, On Fri, Jun 22, 2018 at 10:39:13AM +0800, Yu Chen wrote: > Hi Eric, > On Wed, Jun 20, 2018 at 10:41:42AM -0700, Eric Biggers wrote: > > Hi Chen, > > > > On Wed, Jun 20, 2018 at 05:40:51PM +0800, Chen Yu wrote: > > > crypto_hibernate is a user-space util

Re: [PATCH 3/3][RFC] tools: create power/crypto utility

2018-06-20 Thread Eric Biggers
Hi Chen, On Wed, Jun 20, 2018 at 05:40:51PM +0800, Chen Yu wrote: > crypto_hibernate is a user-space utility to generate > 512bits AES key and pass it to the kernel via ioctl > for hibernation encryption.(We can also add the key > into kernel via keyctl if necessary, but currently > using ioctl

Re: KASAN: use-after-free Read in crypto_destroy_tfm

2018-05-29 Thread Eric Biggers
On Sat, May 26, 2018 at 07:41:34PM +0200, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Sat, May 26, 2018 at 7:40 PM, syzbot > wrote: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit:0644f186fc9d Merge tag 'for_linus' of git://git.kernel.org.. > > git tree:

Re: general protection fault in __radix_tree_delete

2018-05-26 Thread Eric Biggers
On Sun, May 13, 2018 at 10:26:15AM +0200, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Sun, Apr 29, 2018 at 7:00 PM, syzbot > wrote: > > Hello, > > > > syzbot hit the following crash on upstream commit > >

Re: WARNING: kernel stack regs has bad 'bp' value (3)

2018-05-26 Thread Eric Biggers
On Sat, May 12, 2018 at 10:43:08AM +0200, Dmitry Vyukov wrote: > On Fri, Feb 2, 2018 at 11:18 PM, Eric Biggers <ebigge...@gmail.com> wrote: > > On Fri, Feb 02, 2018 at 02:57:32PM +0100, Dmitry Vyukov wrote: > >> On Fri, Feb 2, 2018 at 2:48 PM, syzbot > &

[PATCH v2] ppp: remove the PPPIOCDETACH ioctl

2018-05-23 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file before f_count has reached 0, which is fundamentally a bad idea. It does check 'f_count < 2', which excludes concurrent operations on the file since they wou

Re: [PATCH] ppp: remove the PPPIOCDETACH ioctl

2018-05-23 Thread Eric Biggers
On Wed, May 23, 2018 at 11:56:36AM -0400, David Miller wrote: > From: Guillaume Nault > Date: Wed, 23 May 2018 15:57:08 +0200 > > > I'd rather add > > + if (cmd == PPPIOCDETACH) { > > + err = -EINVAL; > > + goto out; > > + } > > > > Making

Re: INFO: task hung in xlog_grant_head_check

2018-05-23 Thread Eric Biggers
Hi Darrick, On Wed, May 23, 2018 at 12:44:25AM -0700, Darrick J. Wong wrote: > On Tue, May 22, 2018 at 03:52:08PM -0700, Eric Biggers wrote: > > On Wed, May 23, 2018 at 08:26:20AM +1000, Dave Chinner wrote: > > > On Tue, May 22, 2018 at 08:31:08AM -0400, Brian Foster wrote: >

[PATCH] ppp: remove the PPPIOCDETACH ioctl

2018-05-22 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file before f_count has reached 0, which is fundamentally a bad idea. It does check 'f_count < 2', which excludes concurrent operations on the file since they wou

Re: KASAN: use-after-free Read in remove_wait_queue (2)

2018-05-22 Thread Eric Biggers
On Fri, May 18, 2018 at 06:02:23PM +0200, Guillaume Nault wrote: > On Sun, May 13, 2018 at 11:11:55PM -0700, Eric Biggers wrote: > > [+ppp list and maintainer] > > > > This is a bug in ppp_generic.c; it still happens on Linus' tree and it's > > easily > >

Re: INFO: task hung in xlog_grant_head_check

2018-05-22 Thread Eric Biggers
On Wed, May 23, 2018 at 08:26:20AM +1000, Dave Chinner wrote: > On Tue, May 22, 2018 at 08:31:08AM -0400, Brian Foster wrote: > > On Mon, May 21, 2018 at 10:55:02AM -0700, syzbot wrote: > > > Hello, > > > > > > syzbot found the following crash on: > > > > > > HEAD commit:203ec2fed17a Merge

Re: CONFIG_KCOV causing crash in svm_vcpu_run()

2018-05-22 Thread Eric Biggers
On Mon, May 14, 2018 at 10:25:08AM -0700, Eric Biggers wrote: > On Mon, May 14, 2018 at 07:14:41AM +0200, Dmitry Vyukov wrote: > > On Mon, May 14, 2018 at 5:02 AM, Eric Biggers <ebigge...@gmail.com> wrote: > > > Sorry, messed up address for KVM mailing list. See message b

[PATCH] cfg80211: further limit wiphy names to 64 bytes

2018-05-14 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> wiphy names were recently limited to 128 bytes by commit a7cfebcb7594 ("cfg80211: limit wiphy names to 128 bytes"). As it turns out though, this isn't sufficient because dev_vprintk_emit() needs the syslog header string "SUBSYS

Re: CONFIG_KCOV causing crash in svm_vcpu_run()

2018-05-14 Thread Eric Biggers
On Mon, May 14, 2018 at 07:14:41AM +0200, Dmitry Vyukov wrote: > On Mon, May 14, 2018 at 5:02 AM, Eric Biggers <ebigge...@gmail.com> wrote: > > Sorry, messed up address for KVM mailing list. See message below. > > > > On Sun, May 13, 2018 at 08:00:07P

Re: KASAN: use-after-free Read in remove_wait_queue (2)

2018-05-14 Thread Eric Biggers
[+ppp list and maintainer] On Wed, Feb 28, 2018 at 08:59:02AM -0800, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > f3afe530d644488a074291da04a69a296ab63046 (Tue Feb 27 22:02:39 2018 +) > Merge branch 'fixes-v4.16-rc4' of >

Re: WARNING: suspicious RCU usage in tipc_bearer_find

2018-05-13 Thread Eric Biggers
On Fri, Feb 09, 2018 at 12:00:01PM -0800, syzbot wrote: > syzbot has found reproducer for the following crash on net-next commit > 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +) > Merge tag 'usercopy-v4.16-rc1' of > git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Re: CONFIG_KCOV causing crash in svm_vcpu_run()

2018-05-13 Thread Eric Biggers
Sorry, messed up address for KVM mailing list. See message below. On Sun, May 13, 2018 at 08:00:07PM -0700, Eric Biggers wrote: > With CONFIG_KCOV=y and an AMD processor, running the following program crashes > the kernel with no output (I'm testing in a VM, so it's using nested > virtu

CONFIG_KCOV causing crash in svm_vcpu_run()

2018-05-13 Thread Eric Biggers
With CONFIG_KCOV=y and an AMD processor, running the following program crashes the kernel with no output (I'm testing in a VM, so it's using nested virtualization): #include #include #include int main() { int dev, vm, cpu;

[PATCH] net/smc: check for missing nlattrs in SMC_PNETID messages

2018-05-13 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> It's possible to crash the kernel in several different ways by sending messages to the SMC_PNETID generic netlink family that are missing the expected attributes: - Missing SMC_PNETID_NAME => null pointer dereference when comparing names.
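
The missing-attribute problem in the patch above, as an added userspace example (written for this page, not the kernel's netlink or net/smc code): a parser for the netlink attribute wire format that collects attributes by type, and a handler that checks every required attribute for presence and sane length before dereferencing it. The SMC_PNETID_* numbering, the attribute lengths and the sample messages are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the kernel's netlink or net/smc code: a userspace
 * parser for the netlink attribute wire format (4-byte header of u16
 * nla_len covering header plus payload and u16 nla_type, each
 * attribute padded to a 4-byte boundary), followed by the presence
 * check a handler must make before touching any attribute.  The
 * SMC_PNETID_* numbering, the attribute lengths and the sample
 * messages are assumptions made for this illustration. */

enum {
    SMC_PNETID_UNSPEC,
    SMC_PNETID_NAME,
    SMC_PNETID_ETHNAME,
    SMC_PNETID_IBNAME,
    SMC_PNETID_IBPORT,
    SMC_PNETID_MAX_ = SMC_PNETID_IBPORT
};

#define NLA_HDRLEN   4u
#define NLA_ALIGN(n) (((n) + 3u) & ~3u)

struct nla {
    const uint8_t *payload;   /* NULL when the attribute is absent */
    size_t len;
};

/* Collect attributes by type; returns false on a malformed stream
 * (a length shorter than the header or running past the buffer). */
static bool nla_parse(const uint8_t *buf, size_t buflen,
                      struct nla tb[SMC_PNETID_MAX_ + 1])
{
    size_t off = 0;

    memset(tb, 0, sizeof(struct nla) * (SMC_PNETID_MAX_ + 1));
    while (off + NLA_HDRLEN <= buflen) {
        uint16_t nla_len, nla_type;

        memcpy(&nla_len, buf + off, sizeof(nla_len));
        memcpy(&nla_type, buf + off + 2, sizeof(nla_type));
        if (nla_len < NLA_HDRLEN || off + nla_len > buflen)
            return false;
        if (nla_type <= SMC_PNETID_MAX_) {      /* unknown types are skipped */
            tb[nla_type].payload = buf + off + NLA_HDRLEN;
            tb[nla_type].len = nla_len - NLA_HDRLEN;
        }
        off += NLA_ALIGN(nla_len);
    }
    return true;
}

/* Handler for an "add pnetid" request.  Every attribute the handler
 * dereferences is checked for presence (and sane length) first; a
 * message missing one yields -EINVAL instead of a NULL dereference. */
static int pnet_add(const uint8_t *msg, size_t len, char name_out[16])
{
    struct nla tb[SMC_PNETID_MAX_ + 1];
    static const int required[] = { SMC_PNETID_NAME, SMC_PNETID_ETHNAME,
                                    SMC_PNETID_IBNAME, SMC_PNETID_IBPORT };

    if (!nla_parse(msg, len, tb))
        return -EINVAL;
    for (size_t i = 0; i < sizeof(required) / sizeof(required[0]); i++)
        if (!tb[required[i]].payload)
            return -EINVAL;
    if (tb[SMC_PNETID_NAME].len == 0 || tb[SMC_PNETID_NAME].len > 15)
        return -EINVAL;
    if (tb[SMC_PNETID_IBPORT].len != 1)
        return -EINVAL;

    memcpy(name_out, tb[SMC_PNETID_NAME].payload, tb[SMC_PNETID_NAME].len);
    name_out[tb[SMC_PNETID_NAME].len] = '\0';
    return 0;
}

/* Append one attribute at offset off; returns the next offset. */
static size_t nla_put(uint8_t *buf, size_t off, uint16_t type,
                      const void *data, uint16_t datalen)
{
    uint16_t nla_len = NLA_HDRLEN + datalen;

    memcpy(buf + off, &nla_len, sizeof(nla_len));
    memcpy(buf + off + 2, &type, sizeof(type));
    memcpy(buf + off + NLA_HDRLEN, data, datalen);
    memset(buf + off + NLA_HDRLEN + datalen, 0, NLA_ALIGN(nla_len) - nla_len);
    return off + NLA_ALIGN(nla_len);
}

/* Constructed sample message (not captured traffic); buf needs 64 bytes. */
static size_t build_sample(uint8_t *buf, bool include_name)
{
    size_t off = 0;
    uint8_t port = 1;

    if (include_name)
        off = nla_put(buf, off, SMC_PNETID_NAME, "net1", 4);
    off = nla_put(buf, off, SMC_PNETID_ETHNAME, "eth0", 4);
    off = nla_put(buf, off, SMC_PNETID_IBNAME, "mlx5_0", 6);
    off = nla_put(buf, off, SMC_PNETID_IBPORT, &port, 1);
    return off;
}

int main(void)
{
    uint8_t buf[64];
    char name[16];
    size_t n;
    int rc;

    n = build_sample(buf, true);
    rc = pnet_add(buf, n, name);
    printf("complete message (%zu bytes): rc=%d name=%s\n", n, rc, name);
    n = build_sample(buf, false);
    rc = pnet_add(buf, n, name);
    printf("message without SMC_PNETID_NAME: rc=%d (-EINVAL is %d)\n", rc, -EINVAL);
    return 0;
}
```

In the kernel the presence check is usually expressed through a netlink policy plus explicit `if (!info->attrs[...])` tests in the handler; the example keeps both the parse and the check visible so the failure mode (a NULL payload handed to a string compare) is obvious.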

Re: KASAN: use-after-free Read in __list_add_valid (5)

2018-05-13 Thread Eric Biggers
On Sun, Mar 25, 2018 at 05:01:03PM -0700, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > bcfc1f4554662d8f2429ac8bd96064a59c149754 (Sat Mar 24 16:50:12 2018 +) > Merge tag 'pinctrl-v4.16-3' of > git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Re: general protection fault in account_system_index_time

2018-05-13 Thread Eric Biggers
On Wed, Mar 28, 2018 at 12:01:02AM -0700, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > 3eb2ce825ea1ad89d20f7a3b5780df850e4be274 (Sun Mar 25 22:44:30 2018 +) > Linux 4.16-rc7 > syzbot dashboard link: >

Re: general protection fault in rds_ib_get_mr

2018-05-13 Thread Eric Biggers
On Wed, Mar 21, 2018 at 09:00:01AM -0700, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > 3215b9d57a2c75c4305a3956ca303d7004485200 (Wed Mar 21 00:44:27 2018 +) > Merge tag 'clk-fixes-for-linus' of > git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux >

Re: BUG: unable to handle kernel paging request in memset_erms (2)

2018-05-13 Thread Eric Biggers
On Fri, Jan 19, 2018 at 01:58:01PM -0800, syzbot wrote: > Hello, > > syzbot hit the following crash on mmots commit > 2164355612187e55e8d60a28d2cc6b2337841a7e (Fri Jan 19 01:07:54 2018 +) > pci: test for unexpectedly disabled bridges > > So far this crash happened 2 times on mmots. > C

Re: INFO: trying to register non-static key in del_timer_sync

2018-05-13 Thread Eric Biggers
On Sun, Jan 28, 2018 at 10:58:01AM -0800, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > c4e0ca7fa24137e372d6135fe16e8df8e123f116 (Fri Jan 26 23:10:50 2018 +) > Merge tag 'riscv-for-linus-4.15-maintainers' of >

Re: general protection fault in rdma_addr_size

2018-05-13 Thread Eric Biggers
On Fri, Mar 23, 2018 at 01:01:02PM -0700, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > 8f5fd927c3a7576d57248a2d7a0861c3f2795973 (Fri Mar 16 20:37:42 2018 +) > Merge tag 'for-4.16-rc5-tag' of > git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux > syzbot

Re: WARNING in dev_vprintk_emit

2018-05-13 Thread Eric Biggers
[+MAC80211 list and maintainer] On Wed, Jan 17, 2018 at 05:58:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > c92a9a461dff6140c539c61e457aa97df29517d6 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 >

Re: KASAN: null-ptr-deref Write in linear_transfer

2018-05-13 Thread Eric Biggers
On Wed, Jan 10, 2018 at 10:58:43AM +0100, Takashi Iwai wrote: > On Wed, 10 Jan 2018 09:08:00 +0100, > Eric Biggers wrote: > > > > On Fri, Jan 05, 2018 at 02:58:02AM -0800, syzbot wrote: > > > Hello, > > > > > > syzkaller hit the following crash on &

Re: BUG: unable to handle kernel paging request in cgroup_mt_destroy_v1

2018-05-13 Thread Eric Biggers
On Wed, Jan 31, 2018 at 05:58:01PM -0800, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > 3da90b159b146672f830bcd2489dd3a1f4e9e089 (Wed Jan 31 03:07:32 2018 +) > Merge tag 'f2fs-for-4.16-rc1' of > git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs > >

Re: KASAN: use-after-free Write in irq_bypass_register_consumer

2018-05-13 Thread Eric Biggers
On Thu, Apr 05, 2018 at 08:15:24PM -0700, Eric Biggers wrote: > On Mon, Jan 29, 2018 at 01:29:48PM +0800, Tianyu Lan wrote: > > > > > > On 1/27/2018 7:27 AM, Eric Biggers wrote: > > > On Sat, Dec 16, 2017 at 04:37:02PM +0800, Lan, Tianyu wrote: > > > &g

Re: BUG: workqueue lockup (2)

2018-05-12 Thread Eric Biggers
Hi Tetsuo, On Sun, May 13, 2018 at 11:06:17AM +0900, Tetsuo Handa wrote: > Eric Biggers wrote: > > The bug that this reproducer reproduces was fixed a while ago by commit > > 966031f340185e, so I'm marking this bug report fixed by it: > > > > #syz fix: n_tty: fix EX

Re: BUG: workqueue lockup (2)

2018-05-12 Thread Eric Biggers
On Tue, Dec 19, 2017 at 04:25:01AM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > f3b5ad89de16f5d42e8ad36fbdf85f705c1ae051 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw
