From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>,
Christoph Hellwig <hch@lst.de>,
Denys Vlasenko <dvlasenk@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Michal Hocko <mhocko@suse.com>,
Peter Zijlstra <peterz@infradead.org>,
Rik van Riel <riel@redhat.com>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Thomas Gleixner <tglx@linutronix.de>,
linux-mm@kvack.org, Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.9 60/84] x86/mm: Fix use-after-free of ldt_struct
Date: Mon, 28 Aug 2017 10:05:25 +0200 [thread overview]
Message-ID: <20170828080531.898990623@linuxfoundation.org> (raw)
In-Reply-To: <20170828080529.526391781@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit ccd5b3235180eef3cfec337df1c8554ab151b5cc upstream.
The following commit:
39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")
renamed init_new_context() to init_new_context_ldt() and added a new
init_new_context() which calls init_new_context_ldt(). However, the
error code of init_new_context_ldt() was ignored. Consequently, if a
memory allocation in alloc_ldt_struct() failed during a fork(), the
->context.ldt of the new task remained the same as that of the old task
(due to the memcpy() in dup_mm()). ldt_struct's are not intended to be
shared, so a use-after-free occurred after one task exited.
Fix the bug by making init_new_context() pass through the error code of
init_new_context_ldt().
This bug was found by syzkaller, which encountered the following splat:
BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
Read of size 4 at addr ffff88006d2cb7c8 by task kworker/u9:0/3710
CPU: 1 PID: 3710 Comm: kworker/u9:0 Not tainted 4.13.0-rc4-next-20170811 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x24e/0x340 mm/kasan/report.c:409
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
__mmdrop+0xe9/0x530 kernel/fork.c:889
mmdrop include/linux/sched/mm.h:42 [inline]
exec_mmap fs/exec.c:1061 [inline]
flush_old_exec+0x173c/0x1ff0 fs/exec.c:1291
load_elf_binary+0x81f/0x4ba0 fs/binfmt_elf.c:855
search_binary_handler+0x142/0x6b0 fs/exec.c:1652
exec_binprm fs/exec.c:1694 [inline]
do_execveat_common.isra.33+0x1746/0x22e0 fs/exec.c:1816
do_execve+0x31/0x40 fs/exec.c:1860
call_usermodehelper_exec_async+0x457/0x8f0 kernel/umh.c:100
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Allocated by task 3700:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
kmalloc include/linux/slab.h:493 [inline]
alloc_ldt_struct+0x52/0x140 arch/x86/kernel/ldt.c:67
write_ldt+0x7b7/0xab0 arch/x86/kernel/ldt.c:277
sys_modify_ldt+0x1ef/0x240 arch/x86/kernel/ldt.c:307
entry_SYSCALL_64_fastpath+0x1f/0xbe
Freed by task 3700:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3503 [inline]
kfree+0xca/0x250 mm/slab.c:3820
free_ldt_struct.part.2+0xdd/0x150 arch/x86/kernel/ldt.c:121
free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
__mmdrop+0xe9/0x530 kernel/fork.c:889
mmdrop include/linux/sched/mm.h:42 [inline]
__mmput kernel/fork.c:916 [inline]
mmput+0x541/0x6e0 kernel/fork.c:927
copy_process.part.36+0x22e1/0x4af0 kernel/fork.c:1931
copy_process kernel/fork.c:1546 [inline]
_do_fork+0x1ef/0xfb0 kernel/fork.c:2025
SYSC_clone kernel/fork.c:2135 [inline]
SyS_clone+0x37/0x50 kernel/fork.c:2129
do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
return_from_SYSCALL_64+0x0/0x7a
Here is a C reproducer:
#include <asm/ldt.h>
#include <pthread.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
static void *fork_thread(void *_arg)
{
fork();
}
int main(void)
{
struct user_desc desc = { .entry_number = 8191 };
syscall(__NR_modify_ldt, 1, &desc, sizeof(desc));
for (;;) {
if (fork() == 0) {
pthread_t t;
srand(getpid());
pthread_create(&t, NULL, fork_thread, NULL);
usleep(rand() % 10000);
syscall(__NR_exit_group, 0);
}
wait(NULL);
}
}
Note: the reproducer takes advantage of the fact that alloc_ldt_struct()
may use vmalloc() to allocate a large ->entries array, and after
commit:
5d17a73a2ebe ("vmalloc: back off when the current task is killed")
it is possible for userspace to fail a task's vmalloc() by
sending a fatal signal, e.g. via exit_group(). It would be more
difficult to reproduce this bug on kernels without that commit.
This bug only affected kernels with CONFIG_MODIFY_LDT_SYSCALL=y.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Fixes: 39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")
Link: http://lkml.kernel.org/r/20170824175029.76040-1-ebiggers3@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/mmu_context.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -116,9 +116,7 @@ static inline int init_new_context(struc
mm->context.execute_only_pkey = -1;
}
#endif
- init_new_context_ldt(tsk, mm);
-
- return 0;
+ return init_new_context_ldt(tsk, mm);
}
static inline void destroy_context(struct mm_struct *mm)
{
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>,
Christoph Hellwig <hch@lst.de>,
Denys Vlasenko <dvlasenk@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Michal Hocko <mhocko@suse.com>,
Peter Zijlstra <peterz@infradead.org>,
Rik van Riel <riel@redhat.com>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Thomas Gleixner <tglx@linutronix.de>,
linux-mm@kvack.org, Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.9 60/84] x86/mm: Fix use-after-free of ldt_struct
Date: Mon, 28 Aug 2017 10:05:25 +0200 [thread overview]
Message-ID: <20170828080531.898990623@linuxfoundation.org> (raw)
In-Reply-To: <20170828080529.526391781@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit ccd5b3235180eef3cfec337df1c8554ab151b5cc upstream.
The following commit:
39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")
renamed init_new_context() to init_new_context_ldt() and added a new
init_new_context() which calls init_new_context_ldt(). However, the
error code of init_new_context_ldt() was ignored. Consequently, if a
memory allocation in alloc_ldt_struct() failed during a fork(), the
->context.ldt of the new task remained the same as that of the old task
(due to the memcpy() in dup_mm()). ldt_struct's are not intended to be
shared, so a use-after-free occurred after one task exited.
Fix the bug by making init_new_context() pass through the error code of
init_new_context_ldt().
This bug was found by syzkaller, which encountered the following splat:
BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
Read of size 4 at addr ffff88006d2cb7c8 by task kworker/u9:0/3710
CPU: 1 PID: 3710 Comm: kworker/u9:0 Not tainted 4.13.0-rc4-next-20170811 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x24e/0x340 mm/kasan/report.c:409
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
free_ldt_struct.part.2+0x10a/0x150 arch/x86/kernel/ldt.c:116
free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
__mmdrop+0xe9/0x530 kernel/fork.c:889
mmdrop include/linux/sched/mm.h:42 [inline]
exec_mmap fs/exec.c:1061 [inline]
flush_old_exec+0x173c/0x1ff0 fs/exec.c:1291
load_elf_binary+0x81f/0x4ba0 fs/binfmt_elf.c:855
search_binary_handler+0x142/0x6b0 fs/exec.c:1652
exec_binprm fs/exec.c:1694 [inline]
do_execveat_common.isra.33+0x1746/0x22e0 fs/exec.c:1816
do_execve+0x31/0x40 fs/exec.c:1860
call_usermodehelper_exec_async+0x457/0x8f0 kernel/umh.c:100
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Allocated by task 3700:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
kmalloc include/linux/slab.h:493 [inline]
alloc_ldt_struct+0x52/0x140 arch/x86/kernel/ldt.c:67
write_ldt+0x7b7/0xab0 arch/x86/kernel/ldt.c:277
sys_modify_ldt+0x1ef/0x240 arch/x86/kernel/ldt.c:307
entry_SYSCALL_64_fastpath+0x1f/0xbe
Freed by task 3700:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3503 [inline]
kfree+0xca/0x250 mm/slab.c:3820
free_ldt_struct.part.2+0xdd/0x150 arch/x86/kernel/ldt.c:121
free_ldt_struct arch/x86/kernel/ldt.c:173 [inline]
destroy_context_ldt+0x60/0x80 arch/x86/kernel/ldt.c:171
destroy_context arch/x86/include/asm/mmu_context.h:157 [inline]
__mmdrop+0xe9/0x530 kernel/fork.c:889
mmdrop include/linux/sched/mm.h:42 [inline]
__mmput kernel/fork.c:916 [inline]
mmput+0x541/0x6e0 kernel/fork.c:927
copy_process.part.36+0x22e1/0x4af0 kernel/fork.c:1931
copy_process kernel/fork.c:1546 [inline]
_do_fork+0x1ef/0xfb0 kernel/fork.c:2025
SYSC_clone kernel/fork.c:2135 [inline]
SyS_clone+0x37/0x50 kernel/fork.c:2129
do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
return_from_SYSCALL_64+0x0/0x7a
Here is a C reproducer:
#include <asm/ldt.h>
#include <pthread.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
static void *fork_thread(void *_arg)
{
fork();
}
int main(void)
{
struct user_desc desc = { .entry_number = 8191 };
syscall(__NR_modify_ldt, 1, &desc, sizeof(desc));
for (;;) {
if (fork() == 0) {
pthread_t t;
srand(getpid());
pthread_create(&t, NULL, fork_thread, NULL);
usleep(rand() % 10000);
syscall(__NR_exit_group, 0);
}
wait(NULL);
}
}
Note: the reproducer takes advantage of the fact that alloc_ldt_struct()
may use vmalloc() to allocate a large ->entries array, and after
commit:
5d17a73a2ebe ("vmalloc: back off when the current task is killed")
it is possible for userspace to fail a task's vmalloc() by
sending a fatal signal, e.g. via exit_group(). It would be more
difficult to reproduce this bug on kernels without that commit.
This bug only affected kernels with CONFIG_MODIFY_LDT_SYSCALL=y.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Fixes: 39a0526fb3f7 ("x86/mm: Factor out LDT init from context init")
Link: http://lkml.kernel.org/r/20170824175029.76040-1-ebiggers3@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/mmu_context.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -116,9 +116,7 @@ static inline int init_new_context(struc
mm->context.execute_only_pkey = -1;
}
#endif
- init_new_context_ldt(tsk, mm);
-
- return 0;
+ return init_new_context_ldt(tsk, mm);
}
static inline void destroy_context(struct mm_struct *mm)
{
next prev parent reply other threads:[~2017-08-28 8:13 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-28 8:04 [PATCH 4.9 00/84] 4.9.46-stable review Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 01/84] sparc64: remove unnecessary log message Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 02/84] af_key: do not use GFP_KERNEL in atomic contexts Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 03/84] dccp: purge write queue in dccp_destroy_sock() Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 04/84] dccp: defer ccid_hc_tx_delete() at dismantle time Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 05/84] ipv4: fix NULL dereference in free_fib_info_rcu() Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 06/84] net_sched/sfq: update hierarchical backlog when drop packet Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 07/84] net_sched: remove warning from qdisc_hash_add Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 08/84] bpf: fix bpf_trace_printk on 32 bit archs Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 09/84] openvswitch: fix skb_panic due to the incorrect actions attrlen Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 10/84] ptr_ring: use kmalloc_array() Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 11/84] ipv4: better IP_MAX_MTU enforcement Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 12/84] nfp: fix infinite loop on umapping cleanup Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 13/84] sctp: fully initialize the IPv6 address in sctp_v6_to_addr() Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 14/84] tipc: fix use-after-free Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 15/84] ipv6: reset fn->rr_ptr when replacing route Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 16/84] ipv6: repair fib6 tree in failure case Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 17/84] tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 18/84] net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 19/84] irda: do not leak initialized list.dev to userspace Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 20/84] net: sched: fix NULL pointer dereference when action calls some targets Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 21/84] net_sched: fix order of queue length updates in qdisc_replace() Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 22/84] bpf, verifier: add additional patterns to evaluate_reg_imm_alu Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 23/84] bpf: adjust verifier heuristics Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 24/84] bpf, verifier: fix alu ops against map_value{, _adj} register types Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 25/84] bpf: fix mixed signed/unsigned derived min/max value bounds Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 26/84] bpf/verifier: fix min/max handling in BPF_SUB Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 27/84] Input: trackpoint - add new trackpoint firmware ID Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 28/84] Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310 Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 29/84] Input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 30/84] KVM: s390: sthyi: fix sthyi inline assembly Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 31/84] KVM: s390: sthyi: fix specification exception detection Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 32/84] KVM: x86: block guest protection keys unless the host has them enabled Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 33/84] ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets Greg Kroah-Hartman
2017-08-28 8:04 ` [PATCH 4.9 34/84] ALSA: core: Fix unexpected error at replacing user TLV Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 35/84] ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 36/84] ALSA: firewire: fix NULL pointer dereference when releasing uninitialized data of iso-resource Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 37/84] ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 38/84] mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 39/84] i2c: designware: Fix system suspend Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 40/84] mm/madvise.c: fix freeing of locked page with MADV_FREE Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 41/84] fork: fix incorrect fput of ->exe_file causing use-after-free Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 42/84] mm/memblock.c: reversed logic in memblock_discard() Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 44/84] drm/atomic: If the atomic check fails, return its value first Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 45/84] drm: rcar-du: Fix crash in encoder failure error path Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 46/84] drm: rcar-du: Fix display timing controller parameter Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 47/84] drm: rcar-du: Fix H/V sync signal polarity configuration Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 48/84] tracing: Call clear_boot_tracer() at lateinit_sync Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 49/84] tracing: Fix kmemleak in tracing_map_array_free() Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 50/84] tracing: Fix freeing of filter in create_filter() when set_str is false Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 51/84] kbuild: linker script do not match C names unless LD_DEAD_CODE_DATA_ELIMINATION is configured Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 52/84] cifs: Fix df output for users with quota limits Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 53/84] cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 54/84] nfsd: Limit end of page list when decoding NFSv4 WRITE Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 55/84] ftrace: Check for null ret_stack on profile function graph entry function Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 56/84] perf/core: Fix group {cpu,task} validation Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 57/84] perf probe: Fix --funcs to show correct symbols for offline module Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 58/84] perf/x86/intel/rapl: Make package handling more robust Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 59/84] timers: Fix excessive granularity of new timers after a nohz idle Greg Kroah-Hartman
2017-08-28 8:05 ` Greg Kroah-Hartman [this message]
2017-08-28 8:05 ` [PATCH 4.9 60/84] x86/mm: Fix use-after-free of ldt_struct Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 61/84] net: sunrpc: svcsock: fix NULL-pointer exception Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 62/84] Revert "leds: handle suspend/resume in heartbeat trigger" Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 63/84] netfilter: nat: fix src map lookup Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 64/84] Bluetooth: hidp: fix possible might sleep error in hidp_session_thread Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 65/84] Bluetooth: cmtp: fix possible might sleep error in cmtp_session Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 66/84] Bluetooth: bnep: fix possible might sleep error in bnep_session Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 67/84] Revert "android: binder: Sanity check at binder ioctl" Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 68/84] binder: use group leader instead of open thread Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 69/84] binder: Use wake up hint for synchronous transactions Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 70/84] ANDROID: binder: fix proc->tsk check Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 71/84] iio: imu: adis16480: Fix acceleration scale factor for adis16480 Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 72/84] iio: hid-sensor-trigger: Fix the race with user space powering up sensors Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 73/84] staging: rtl8188eu: add RNX-N150NUB support Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 74/84] Clarify (and fix) MAX_LFS_FILESIZE macros Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 75/84] ntb_transport: fix qp count bug Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 76/84] ntb_transport: fix bug calculating num_qps_mw Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 77/84] NTB: ntb_test: fix bug printing ntb_perf results Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 78/84] ntb: no sleep in ntb_async_tx_submit Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 79/84] ntb: ntb_test: ensure the link is up before trying to configure the mws Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 80/84] ntb: transport shouldnt disable link due to bogus values in SPADs Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 81/84] ACPI: ioapic: Clear on-stack resource before using it Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 82/84] ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 83/84] ACPI: EC: Fix regression related to wrong ECDT initialization order Greg Kroah-Hartman
2017-08-28 8:05 ` [PATCH 4.9 84/84] powerpc/mm: Ensure cpumask update is ordered Greg Kroah-Hartman
2017-08-28 19:39 ` [PATCH 4.9 00/84] 4.9.46-stable review Shuah Khan
2017-08-29 0:10 ` Guenter Roeck
2017-08-29 12:02 ` Sumit Semwal
2017-08-29 15:17 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170828080531.898990623@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=dvlasenk@redhat.com \
--cc=dvyukov@google.com \
--cc=ebiggers@google.com \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mhocko@suse.com \
--cc=mingo@kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=peterz@infradead.org \
--cc=riel@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.