* [PATCH 3.16 000/204] 3.16.52-rc1 review
@ 2017-12-28 17:05 Ben Hutchings
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm
This is the start of the stable review cycle for the 3.16.52 release.
There are 204 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Mon Jan 1 17:00:00 UTC 2018.
Anything received after that time might be too late.
All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.
Ben.
-------------
Adrian Salido (1):
HID: i2c-hid: allocate hid buffers for real worst case
[8320caeeffdefec3b58b9d4a7ed8e1079492fe7b]
Al Viro (3):
Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket
[71bb99a02b32b4cc4265118e85f6035ca72923f0]
Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket
[96c26653ce65bf84f3212f8b00d4316c1efcbf4c]
more bio_map_user_iov() leak fixes
[2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058]
Alan Stern (11):
USB: core: prevent malicious bNumInterfaces overflow
[48a4ff1c7bb5a32d2e396b03132d20d552c0eca7]
USB: dummy-hcd: Fix deadlock caused by disconnect detection
[ab219221a5064abfff9f78c323c4a257b16cdb81]
USB: dummy-hcd: Fix erroneous synchronization change
[7dbd8f4cabd96db5a50513de9d83a8105a5ffc81]
USB: dummy-hcd: fix connection failures (wrong speed)
[fe659bcc9b173bcfdd958ce2aec75e47651e74e1]
USB: dummy-hcd: fix infinite-loop resubmission bug
[0173a68bfb0ad1c72a6ee39cc485aa2c97540b98]
USB: g_mass_storage: Fix deadlock when driver is unbound
[1fbbb78f25d1291274f320462bf6908906f538db]
USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
[f16443a034c7aa359ddf6f0f9bc40d01ca31faea]
USB: gadgetfs: Fix crash caused by inadequate synchronization
[520b72fc64debf8a86c3853b8e486aa5982188f0]
USB: gadgetfs: fix copy_to_user while holding spinlock
[6e76c01e71551cb221c1f3deacb9dcd9a7346784]
usb-storage: fix bogus hardware error messages for ATA pass-thru devices
[a4fd4a724d6c30ad671046d83be2e9be2f11d275]
usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
[113f6eb6d50cfa5e2a1cdcf1678b12661fa272ab]
Alex Estrin (1):
Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0"
[612601d0013f03de9dc134809f242ba6da9ca252]
Alexey Kodanev (1):
vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
[36f6ee22d2d66046e369757ec6bbe1c482957ba6]
Andreas Engel (1):
USB: serial: cp210x: add support for ELV TFD500
[c496ad835c31ad639b6865714270b3003df031f6]
Andreas Gruenbacher (2):
direct-io: Prevent NULL pointer access in submit_page_section
[899f0429c7d3eed886406cd72182bee3b96aa1f9]
vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
[fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8]
Andrei Vagin (1):
net/unix: don't show information about sockets from other namespaces
[0f5da659d8f1810f44de14acf2c80cd6499623a0]
Andrew Gabbasov (1):
usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
[aec17e1e249567e82b26dafbb86de7d07fde8729]
Andrew Honig (1):
KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
[d59d51f088014f25c2562de59b9abff4f42a7468]
Andrey Konovalov (2):
uwb: ensure that endpoint is interrupt
[70e743e4cec3733dc13559f6184b35d358b9ef3f]
uwb: properly check kthread_run return value
[bbf26183b7a6236ba602f4d6a2f7cade35bba043]
Aravind Gopalakrishnan (2):
pci_ids: Add PCI device IDs for F15h M60h
[4cbbdb51cc921f95978360fd7a0652d493dadc3e]
x86, amd_nb: Add device IDs to NB tables for F15h M60h
[15895a729e02ea55433b912cc31d5c6de16359ec]
Arnd Bergmann (4):
ARM: 8715/1: add a private asm/unaligned.h
[1cce91dfc8f7990ca3aea896bfb148f240b12860]
gpio: acpi: work around false-positive -Wstring-overflow warning
[e40a3ae1f794a35c4af3746291ed6fedc1fa0f6f]
include/linux/of.h: provide of_n_{addr,size}_cells wrappers for !CONFIG_OF
[8a1ac5dc7be09883051b1bf89a5e57d7ad850fa5]
usb: gadget: dummy: fix nonsensical comparisons
[7661ca09b2ff98f48693f431bb01fed62830e433]
Ashish Samant (1):
ocfs2: fstrim: Fix start offset of first cluster group during fstrim
[105ddc93f06ebe3e553f58563d11ed63dbcd59f0]
Baruch Siach (1):
spi: uapi: spidev: add missing ioctl header
[a2b4a79b88b24c49d98d45a06a014ffd22ada1a4]
Ben Hutchings (1):
ipsec: Fix aborted xfrm policy dump crash
[1137b5e2529a8f5ca8ee709288ecba3e68044df2]
Bo Yan (1):
tracing: Erase irqsoff trace with empty write
[8dd33bcb7050dd6f8c1432732f930932c9d3a33e]
Borislav Petkov (3):
x86/cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't
[bfc1168de949cd3e9ca18c3480b5085deff1ea7c]
x86/microcode/intel: Disable late loading on model 79
[723f2828a98c8ca19842042f418fb30dd8cfc0f7]
x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
[a743bbeef27b9176987ec0cb7f906ab0ab52d1da]
Casey Schaufler (1):
lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
[57e7ba04d422c3d41c8426380303ec9b7533ded9]
Christophe Jaillet (1):
IB/mlx5: Fix the size parameter to find_first_bit
[fffd68734dc685e208e86d8c5f6522cd695a8d60]
Colin Ian King (2):
IB/ocrdma: fix incorrect fall-through on switch statement
[06564f60859bdf7e73d70ae35d7e285e96ae9c46]
staging: iio: ade7759: fix signed extension bug on shift of a u8
[13ffe9a26df4e156363579b25c904dd0b1e31bfb]
Cong Wang (2):
tun: call dev_get_valid_name() before register_netdevice()
[0ad646c81b2182f7fa67ec0c8c825e0ee165696d]
vlan: fix a use-after-free in vlan_device_event()
[052d41c01b3a2e3371d66de569717353af489d63]
Craig Gallek (1):
tun/tap: sanitize TUNSETSNDBUF input
[93161922c658c714715686cd0cf69b090cb9bf1d]
Dan Carpenter (1):
tile: array underflow in setup_maxnodemem()
[637f23abca87d26e091e0d6647ec878d97d2c6cd]
David Disseldorp (2):
SMB: fix leak of validate negotiate info response buffer
[fe83bebc05228e838ed5cbbc62712ab50dd40e18]
SMB: fix validate negotiate info uninitialised memory use
[a2d9daad1d2dfbd307ab158044d1c323d7babbde]
Dmitry Fleytman (1):
usb: Increase quirk delay for USB devices
[b2a542bbb3081dbd64acc8929c140d196664c406]
Dmitry Torokhov (3):
Input: ims-psu - check if CDC union descriptor is sane
[ea04efee7635c9120d015dcdeeeb6988130cb67a]
Input: uinput - avoid FF flush when destroying device
[e8b95728f724797f958912fd9b765a695595d3a6]
Input: uinput - avoid crash when sending FF request to device going away
[6b4877c7bdc6ae39ce03716df7caeecf204697eb]
Dongjiu Geng (1):
arm/arm64: KVM: set right LR register value for 32 bit guest when inject abort
[fd6c8c206fc5d0717b0433b191de0715122f33bb]
Dragos Bogdan (2):
iio: ad7793: Fix the serial interface reset
[7ee3b7ebcb74714df6d94c8f500f307e1ee5dda5]
iio: ad_sigma_delta: Implement a dedicated reset function
[7fc10de8d49a748c476532c9d8e8fe19e548dd67]
Eric Biggers (18):
FS-Cache: fix dereference of NULL user_key_payload
[d124b2c53c7bee6569d2a2d0b18b4a1afde00134]
KEYS: add missing permission check for request_key() destination
[4dca6ea1d9432052afb06baf2e3ae78188a4410b]
KEYS: don't revoke uninstantiated key in request_key_auth_new()
[f7b48cf08fa63a68b59c2894806ee478216d7f91]
KEYS: encrypted: fix dereference of NULL user_key_payload
[13923d0865ca96312197962522e88bc0aedccd74]
KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
[624f5ab8720b3371367327a822c267699c1823b8]
KEYS: fix cred refcount leak in request_key_auth_new()
[44d8143340a99b167c74365e844516b73523c087]
KEYS: fix key refcount leak in keyctl_assume_authority()
[884bee0215fcc239b30c062c37ca29077005e064]
KEYS: fix key refcount leak in keyctl_read_key()
[7fc0786d956d9e59b68d282be9b156179846ea3d]
KEYS: fix out-of-bounds read during ASN.1 parsing
[2eb9eabf1e868fda15808954fb29b0f105ed65f1]
KEYS: fix writing past end of user-supplied buffer in keyring_read()
[e645016abc803dafc75e4b8f6e4118f088900ffb]
KEYS: prevent creating a different user's keyrings
[237bbd29f7a049d310d907f4b2716a7feef9abf3]
KEYS: return full count in keyring_read() if buffer is too small
[3239b6f29bdfb4b0a2ba59df995fc9e6f4df7f1f]
KEYS: trusted: fix writing past end of buffer in trusted_read()
[a3c812f7cfd80cf51e8f5b7034f7418f6beb56c1]
KEYS: trusted: sanitize all key material
[ee618b4619b72527aaed765f0f0b74072b281159]
crypto: hmac - require that the underlying hash algorithm is unkeyed
[af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1]
crypto: salsa20 - fix blkcipher_walk API usage
[ecaaab5649781c5a0effdaf298a925063020500e]
ecryptfs: fix dereference of NULL user_key_payload
[f66665c09ab489a11ca490d6a82df57cfc1bea3e]
lib/digsig: fix dereference of NULL user_key_payload
[192cabd6a296cbc57b3d8c05c4c89d87fc102506]
Eric Dumazet (3):
netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
[e466af75c074e76107ae1cd5a2823e9c61894ffb]
tcp: fastopen: fix on syn-data transmit failure
[b5b7db8d680464b1d631fd016f5e093419f0bfd9]
tcp: fix tcp_mtu_probe() vs highest_sack
[2b7cda9c35d3b940eb9ce74b30bbd5eb30db493d]
Eric W. Biederman (5):
exec: Ensure mm->user_ns contains the execed files
[f84df2a6f268de584a201e8911384a2d244876e3]
mm: Add a user_ns owner to mm_struct and fix ptrace permission checks
[bfedb589252c01fa505ac9f6f2a3d5d68d707ef4]
ptrace: Capture the ptracer's creds not PT_PTRACE_CAP
[64b875f7ac8a5d60a4e191479299e931ee949b67]
ptrace: Don't allow accessing an undumpable mm
[84d77d3f06e7e8dea057d10e8ec77ad71f721be3]
ptrace: Properly initialize ptracer_cred on fork
[c70d9d809fdeecedb96972457ee45c49a232d97f]
Ethan Zhao (1):
sched/sysctl: Check user input value of sysctl_sched_time_avg
[5ccba44ba118a5000cccc50076b0344632459779]
Felipe Balbi (1):
usb: quirks: add quirk for WORLDE MINI MIDI keyboard
[2811501e6d8f5747d08f8e25b9ecf472d0dc4c7d]
Florian Westphal (1):
netfilter: ipset: pernet ops must be unregistered last
[e23ed762db7ed1950a6408c3be80bc56909ab3d4]
Geert Uytterhoeven (4):
sh: sh7264: remove nonexistent GPIO_PH[0-7] to fix pinctrl registration
[eae3df7e82318d798f45dedf111e241805ec7a4a]
sh: sh7269: remove nonexistent GPIO_PH[0-7] to fix pinctrl registration
[d9d73e81fe82fdf4ee65a48c26531edc04108349]
sh: sh7722: remove nonexistent GPIO_PTQ7 to fix pinctrl registration
[b78412b8300a8453b78d2c1b0b925b66493bb011]
sh: sh7757: remove nonexistent GPIO_PT[JLNQ]7_RESV to fix pinctrl registration
[d8ce38f69843a56da044e56b6c16aecfbc3c6e39]
Gerald Schaefer (1):
s390/mm: fix write access check in gup_huge_pmd()
[ba385c0594e723d41790ecfb12c610e6f90c7785]
Guillaume Nault (6):
l2tp: check ps->sock before running pppol2tp_session_ioctl()
[5903f594935a3841137c86b9d5b75143a5b7121c]
l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
[8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09]
l2tp: fix l2tp_eth module loading
[9f775ead5e570e7e19015b9e4e2f3dd6e71a5935]
l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
[a3c18422a4b4e108bcf6a2328f48867e1003fd95]
l2tp: hold tunnel in pppol2tp_connect()
[f9e56baf03f9d36043a78f16e3e8b2cfd211e09e]
l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6
[94d7ee0baa8b764cf64ad91ed69464c1a6a0066b]
Gustavo A. R. Silva (1):
MIPS: microMIPS: Fix incorrect mask in insn_table_MM
[77238e76b9156d28d86c1e31c00ed2960df0e4de]
Hante Meuleman (1):
brcmfmac: Add length checks on firmware events
[0aedbcaf6f182690790d98d90d5fe1e64c846c34]
Haozhong Zhang (1):
KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
[8eb3f87d903168bdbd1222776a6b1e281f50513e]
Henryk Heisig (1):
USB: serial: option: add support for TP-Link LTE module
[837ddc4793a69b256ac5e781a5e729b448a8d983]
Herbert Xu (1):
crypto: shash - Fix zero-length shash ahash digest crash
[b61907bb42409adf9b3120f741af7c57dd7e3db2]
Ilya Dryomov (1):
rbd: use GFP_NOIO for parent stat and data requests
[1e37f2f84680fa7f8394fd444b6928e334495ccc]
Ilya Lesokhin (1):
IB/mlx5: Simplify mlx5_ib_cont_pages
[d67bc5d4e3e100d762c0f57ea67f28bc219698a6]
Jan Luebbe (1):
bus: mbus: fix window size calculation for 4GB windows
[2bbbd96357ce76cc45ec722c00f654aa7b189112]
Jani Nikula (1):
drm/i915/bios: ignore HDMI on port A
[d27ffc1d00327c29b3aa97f941b42f0949f9e99f]
Jann Horn (1):
security: let security modules use PTRACE_MODE_* with bitmasks
[3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69]
Jason A. Donenfeld (1):
security/keys: properly zero out sensitive key material in big_key
[910801809b2e40a4baedd080ef5d80b4a180e70e]
Jean Delvare (1):
kernel/params.c: align add_sysfs_param documentation with code
[630cc2b30a42c70628368a412beb4a5e5dd71abe]
Jeff Lance (1):
Input: ti_am335x_tsc - fix incorrect step config for 5 wire touchscreen
[cf5dd48907bebaefdb43a8ca079be77e8da2cb20]
Jeffrey Chu (1):
USB: serial: ftdi_sio: add id for Cypress WICED dev board
[a6c215e21b0dc5fe9416dce90f9acc2ea53c4502]
Jim Dickerson (1):
usb: pci-quirks.c: Corrected timeout values used in handshake
[114ec3a6f9096d211a4aff4277793ba969a62c73]
Jimmy Assarsson (1):
can: kvaser_usb: Correct return value in printout
[8f65a923e6b628e187d5e791cf49393dd5e8c2f9]
Joerg Roedel (1):
iommu/amd: Finish TLB flush in amd_iommu_unmap()
[ce76353f169a6471542d999baf3d29b121dce9c0]
Johan Hovold (1):
USB: serial: metro-usb: add MS7820 device id
[31dc3f819bac28a0990b36510197560258ab7421]
Johannes Thumshirn (1):
scsi: libiscsi: fix shifting of DID_REQUEUE host byte
[eef9ffdf9cd39b2986367bc8395e2772bc1284ba]
John David Anglin (1):
parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
[374b3bf8e8b519f61eb9775888074c6e46b3bf0c]
Jonathan Basseri (1):
xfrm: Clear sk_dst_cache when applying per-socket policy.
[2b06cdf3e688b98fcc9945873b5d42792bd4eee0]
Kazuya Mizuguchi (1):
usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
[29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513]
Kevin Cernekee (4):
brcmfmac: Add check for short event packets
[dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca]
netfilter: nfnetlink_cthelper: Add missing permission checks
[4b380c42f7d00a395feede754f0bc2292eebe6e5]
netfilter: xt_osf: Add missing permission checks
[916a27901de01446bcf57ecca4783f6cff493309]
netlink: Add netns check on taps
[93c647643b48f0131f02e45da3bd367d80443291]
Kirill A. Shutemov (1):
mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d()
[a8f97366452ed491d13cf1e44241bc0b5740b1f0]
Konstantin Khlebnikov (2):
Smack: remove unneeded NULL-termination from securtity label
[da1b63566c469bf3e2b24182114422e16b1aa34c]
net_sched: always reset qdisc backlog in qdisc_reset()
[c8e1812960eeae42e2183154927028511c4bc566]
LEROY Christophe (2):
crypto: talitos - Don't provide setkey for non hmac hashing algs.
[56136631573baa537a15e0012055ffe8cfec1a33]
crypto: talitos - fix sha224
[afd62fa26343be6445479e75de9f07092a061459]
Lauro Ramos Venancio (1):
sched/topology: Optimize build_group_mask()
[f32d782e31bf079f600dcec126ed117b0577e85c]
Li Bin (1):
workqueue: Fix NULL pointer dereference
[cef572ad9bd7f85035ba8272e5352040e8be0152]
Luca Coelho (1):
iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
[97bce57bd7f96e1218751996f549a6e61f18cc8c]
Lukas Wunner (1):
iio: adc: mcp320x: Fix oops on module unload
[0964e40947a630a2a6f724e968246992f97bcf1c]
Maksim Salau (1):
usb: cdc_acm: Add quirk for Elatec TWN3
[765fb2f181cad669f2beb87842a05d8071f2be85]
Marc Zyngier (1):
arm64: Make sure SPsel is always set
[5371513fb338fb9989c569dc071326d369d6ade8]
Marek Szyprowski (1):
iommu/exynos: Remove initconst attribute to avoid potential kernel oops
[9d25e3cc83d731ae4eeb017fd07562fde3f80bef]
Mark Rutland (3):
ARM: 8720/1: ensure dump_instr() checks addr_limit
[b9dd05c7002ee0ca8b676428b2268c26399b5e31]
arm64: ensure __dump_instr() checks addr_limit
[7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1]
arm64: fix dump_instr when PAN and UAO are in use
[c5cea06be060f38e5400d796e61cfc8c36e52924]
Martin K. Petersen (1):
scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
[28a0bc4120d38a394499382ba21d6965a67a3703]
Mathias Nyman (2):
usb: hub: Allow reset retry for USB2 devices on connect bounce
[1ac7db63333db1eeff901bfd6bbcd502b4634fa4]
xhci: fix finding correct bus_state structure for USB 3.1 hosts
[5a838a13c9b4e5dd188b7a6eaeb894e9358ead0c]
Matt Bennett (1):
ip6_gre: Reduce log level in ip6gre_err() to debug
[a46496ce38eeb401344d5623c1960dbf2f1769be]
Matt Fornero (1):
iio: core: Return error for failed read_reg
[3d62c78a6eb9a7d67bace9622b66ad51e81c5f9b]
Matthew Wilcox (1):
fs/mpage.c: fix mpage_writepage() for pages with buffers
[f892760aa66a2d657deaf59538fb69433036767c]
Mayank Rana (1):
usb: xhci: Handle error condition in xhci_stop_device()
[b3207c65dfafae27e7c492cb9188c0dc0eeaf3fd]
Michael S. Tsirkin (1):
macvtap: fix TUNSETSNDBUF values > 64k
[3ea79249e81e5ed051f2e6480cbde896d99046e8]
Miklos Szeredi (1):
fuse: fix READDIRPLUS skipping an entry
[c6cdd51404b7ac12dd95173ddfc548c59ecf037f]
Mohamed Ghannam (1):
dccp: CVE-2017-8824: use-after-free in DCCP code
[69c64866ce072dea1d1e59a0d61e0f66c0dffb76]
Nicolai Stange (1):
PCI: Fix race condition with driver_override
[9561475db680f7144d2223a409dd3d7e322aca03]
Nicolas Dichtel (1):
net: enable interface alias removal via rtnl
[2459b4c635858094df78abb9ca87d99f89fe8ca5]
Oleg Nesterov (1):
ptrace: change __ptrace_unlink() to clear ->ptrace under ->siglock
[1333ab03150478df8d6f5673a91df1e50dc6ab97]
Omar Sandoval (1):
Btrfs: fix incorrect {node,sector}size endianness from BTRFS_IOC_FS_INFO
[bea7eafdbda3ba1d4b2ccb9cca829eefb7989bb9]
Oswald Buddenhagen (1):
MIPS: AR7: Ensure that serial ports are properly set up
[b084116f8587b222a2c5ef6dcd846f40f24b9420]
Paolo Abeni (4):
IPv4: early demux can return an error code
[7487449c86c65202b3b725c4524cb48dd65e4e6f]
ipv4: fix broadcast packets reception
[ad0ea1989cc4d5905941d0a9e62c63ad6d859cef]
udp: fix bcast packet reception
[996b44fcef8f216ea0b6b6e74468c5a77b5e341f]
udp: perform source validation for mcast early demux
[bc044e8db7962e727a75b591b9851ff2ac5cf846]
Paul Burton (1):
MIPS: Fix CM region target definitions
[6a6cba1d945a7511cdfaf338526871195e420762]
Peng Xu (1):
nl80211: Define policy for packet pattern attributes
[ad670233c9e1d5feb365d870e30083ef1b889177]
Peter Zijlstra (3):
sched/topology: Remove FORCE_SD_OVERLAP
[af85596c74de2fd9abb87501ae280038ac28a3f4]
sched/topology: Simplify build_overlap_sched_groups()
[91eaed0d61319f58a9f8e43d41a8cbb069b4f73d]
x86/uaccess, sched/preempt: Verify access_ok() context
[7c4788950ba5922fde976d80b72baf46f14dee8d]
Ravi Bangoria (1):
powerpc/sysrq: Fix oops whem ppmu is not registered
[4917fcb58cc73f6b81455e3c5f960144809ddf1a]
Ricard Wanderlof (1):
ASoC: adau17x1: Workaround for noise bug in ADC
[1e6f4fc06f6411adf98bbbe7fcd79442cd2b2a75]
Richard Schütz (1):
can: c_can: don't indicate triple sampling support for D_CAN
[fb5f0b3ef69b95e665e4bbe8a3de7201f09f1071]
Ronnie Sahlberg (1):
cifs: check rsp for NULL before dereferencing in SMB2_open
[bf2afee14e07de16d3cafc67edbfc2a3cc65e4bc]
Sabrina Dubroca (1):
l2tp: fix race condition in l2tp_tunnel_delete
[62b982eeb4589b2e6d7c01a90590e3a4c2b2ca19]
Satoru Takeuchi (1):
btrfs: prevent to set invalid default subvolid
[6d6d282932d1a609e60dc4467677e0e863682f57]
Sekhar Nori (1):
ARM: dts: da850-evm: add serial and ethernet aliases
[ce21574ad1922b403198ee664c4dff276f514f1d]
Shrirang Bagul (1):
USB: serial: qcserial: add Dell DW5818, DW5819
[f5d9644c5fca7d8e8972268598bb516a7eae17f9]
Shu Wang (2):
cifs: release auth_key.response for reconnect.
[f5c4ba816315d3b813af16f5571f86c8d4e897bd]
cifs: release cifs root_cred after exit_cifs
[94183331e815617246b1baa97e0916f358c794bb]
Stefan Mätje (1):
can: esd_usb2: Fix can_dlc value for received RTR, frames
[72d92e865d1560723e1957ee3f393688c49ca5bf]
Stefan Popa (1):
staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
[f790923f146140a261ad211e5baf75d169f16fb2]
Stefano Brivio (1):
scsi: lpfc: Don't return internal MBXERR_ERROR code from probe function
[5c756065e47dc3e84b00577bd109f0a8e69903d7]
Steffen Maier (1):
scsi: zfcp: fix erp_action use-before-initialize in REC action trace
[ab31fd0ce65ec93828b617123792c1bb7c6dcc42]
Steve French (3):
SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
[1013e760d10e614dc10b5624ce9fc41563ba2e65]
SMB3: Validate negotiate request must always be signed
[4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd]
SMB: Validate negotiate (to protect against downgrade) even if signing off
[0603c96f3af50e2f9299fa410c224ab1d465e0f9]
Tahsin Erdogan (1):
tracing: Fix trace_pipe behavior for instance traces
[75df6e688ccd517e339a7c422ef7ad73045b18a2]
Takashi Iwai (10):
ALSA: caiaq: Fix stray URB at probe error path
[99fee508245825765ff60155fed43f970ff83a8f]
ALSA: hda: Remove superfluous '-' added by printk conversion
[6bf88a343db2b3c160edf9b82a74966b31cc80bd]
ALSA: seq: Avoid invalid lockdep class warning
[3510c7aa069aa83a2de6dab2b41401a198317bdc]
ALSA: seq: Fix OSS sysex delivery in OSS emulation
[132d358b183ac6ad8b3fea32ad5e0663456d18d1]
ALSA: seq: Fix copy_from_user() call inside lock
[5803b023881857db32ffefa0d269c90280a67ee0]
ALSA: seq: Fix nested rwsem annotation for lockdep splat
[1f20f9ff57ca23b9f5502fca85ce3977e8496cb1]
ALSA: timer: Add missing mutex lock for compat ioctls
[79fb0518fec8c8b4ea7f1729f54f293724b3dbb0]
ALSA: timer: Limit max instances per timer
[9b7d869ee5a77ed4a462372bb89af622e705bfb8]
ALSA: timer: Protect the whole snd_timer_close() with open race
[9984d1b5835ca29fc7025186a891ee7398d21cc7]
ALSA: usx2y: Suppress kernel warning at page allocation failures
[7682e399485fe19622b6fd82510b1f4551e48a25]
Tejun Heo (1):
workqueue: replace pool->manager_arb mutex with a flag
[692b48258dda7c302e777d7d5f4217244478f1f6]
Tyrel Datwyler (1):
powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
[b537ca6fede69a281dc524983e5e633d79a10a08]
Wanpeng Li (1):
KVM: Fix stack-out-of-bounds read in write_mmio
[e39d200fa5bf5b94a0948db0dae44c1b73b84a56]
Will Deacon (1):
arm64: fault: Route pte translation faults via do_translation_fault
[760bfb47c36a07741a089bf6a28e854ffbee7dc9]
Willem de Bruijn (1):
packet: only test po->has_vnet_hdr once in packet_snd
[da7c9561015e93d10fe6aab73e9288e0d09d65a6]
Wolfgang Grandegger (1):
can: gs_usb: fix busy loop if no more TX context is available
[97819f943063b622eca44d3644067c190dc75039]
Xin Long (4):
ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
[f8d20b46ce55cf40afb30dcef6d9288f7ef46d9b]
ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
[76cc0d3282d4b933fa144fa41fbc5318e0fdca24]
sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
[1cc276cec9ec574d41cf47dfc0f51406b6f26ab4]
sctp: fix a type cast warnings that causes a_rwnd gets the wrong value
[f6fc6bc0b8e0bb13a210bd7386ffdcb1a5f30ef1]
Yasuaki Ishimatsu (2):
mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to inline function
[1dd2bfc86818ddbc95f98e312e7704350223fd7d]
mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as unsigned long
[d09b0137d204bebeaafed672bc5a244e9ac92edb]
Yazen Ghannam (1):
x86/amd_nb: Add Fam17h Data Fabric as "Northbridge"
[b791c6b6a55c402367cc544f54921074253db061]
Ye Yin (1):
netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
[2b5ec1a5f9738ee7bf8f5ec0526e75e00362c48f]
Yoshihiro Shimoda (2):
usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
[6124607acc88fffeaadf3aacfeb3cc1304c87387]
usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
[0a2ce62b61f2c76d0213edf4e37aaf54a8ddf295]
Makefile | 4 +-
arch/alpha/kernel/ptrace.c | 2 +-
arch/arm/boot/dts/da850-evm.dts | 7 ++
arch/arm/include/asm/Kbuild | 1 -
arch/arm/include/asm/unaligned.h | 27 +++++
arch/arm/kernel/traps.c | 28 ++++--
arch/arm/kvm/emulate.c | 5 +-
arch/arm/kvm/mmio.c | 4 +-
arch/arm64/kernel/head.S | 1 +
arch/arm64/kernel/traps.c | 28 +++---
arch/arm64/kvm/inject_fault.c | 16 ++-
arch/arm64/mm/fault.c | 2 +-
arch/blackfin/kernel/ptrace.c | 4 +-
arch/cris/arch-v32/kernel/ptrace.c | 2 +-
arch/ia64/kernel/ptrace.c | 2 +-
arch/mips/ar7/platform.c | 1 +
arch/mips/include/asm/mips-cm.h | 4 +-
arch/mips/kernel/ptrace32.c | 4 +-
arch/mips/mm/uasm-micromips.c | 2 +-
arch/parisc/kernel/syscall.S | 6 +-
arch/powerpc/kernel/ptrace32.c | 4 +-
arch/powerpc/perf/core-book3s.c | 5 +
arch/powerpc/platforms/pseries/mobility.c | 4 +-
arch/s390/mm/gup.c | 7 +-
arch/sh/include/cpu-sh2a/cpu/sh7264.h | 4 +-
arch/sh/include/cpu-sh2a/cpu/sh7269.h | 4 +-
arch/sh/include/cpu-sh4/cpu/sh7722.h | 2 +-
arch/sh/include/cpu-sh4/cpu/sh7757.h | 8 +-
arch/tile/kernel/setup.c | 2 +-
arch/x86/crypto/salsa20_glue.c | 7 --
arch/x86/include/asm/uaccess.h | 14 ++-
arch/x86/kernel/amd_nb.c | 48 +++++++++
arch/x86/kernel/cpu/microcode/intel.c | 18 ++++
arch/x86/kvm/vmx.c | 7 +-
arch/x86/kvm/x86.c | 8 +-
arch/x86/oprofile/op_model_ppro.c | 4 +-
block/bio.c | 14 ++-
crypto/hmac.c | 6 +-
crypto/salsa20_generic.c | 7 --
crypto/shash.c | 13 ++-
drivers/block/rbd.c | 4 +-
drivers/bus/mvebu-mbus.c | 2 +-
drivers/crypto/talitos.c | 7 +-
drivers/gpio/gpiolib-acpi.c | 2 +-
drivers/gpu/drm/i915/intel_bios.c | 7 ++
drivers/hid/i2c-hid/i2c-hid.c | 3 +-
drivers/iio/adc/ad7793.c | 4 +-
drivers/iio/adc/ad_sigma_delta.c | 28 ++++++
drivers/iio/adc/mcp320x.c | 1 +
drivers/iio/industrialio-core.c | 4 +-
drivers/infiniband/hw/mlx5/mem.c | 49 ++++-----
drivers/infiniband/hw/ocrdma/ocrdma_hw.c | 3 +
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 ---
drivers/input/ff-core.c | 13 ++-
drivers/input/misc/ims-pcu.c | 16 ++-
drivers/input/misc/uinput.c | 57 +++++++----
drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
drivers/iommu/amd_iommu.c | 1 +
drivers/iommu/exynos-iommu.c | 2 +-
drivers/net/can/c_can/c_can_pci.c | 1 -
drivers/net/can/c_can/c_can_platform.c | 1 -
drivers/net/can/usb/esd_usb2.c | 2 +-
drivers/net/can/usb/gs_usb.c | 10 +-
drivers/net/can/usb/kvaser_usb.c | 3 +-
drivers/net/macvtap.c | 6 +-
drivers/net/tun.c | 7 ++
drivers/net/wireless/brcm80211/brcmfmac/fweh.c | 58 +++--------
drivers/net/wireless/brcm80211/brcmfmac/fweh.h | 68 ++++++++++---
drivers/net/wireless/brcm80211/brcmfmac/p2p.c | 10 ++
.../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 5 +
drivers/net/wireless/iwlwifi/mvm/mac80211.c | 10 +-
drivers/pci/pci-sysfs.c | 11 ++-
drivers/s390/scsi/zfcp_aux.c | 5 +
drivers/s390/scsi/zfcp_erp.c | 18 ++--
drivers/s390/scsi/zfcp_scsi.c | 5 +
drivers/scsi/libiscsi.c | 2 +-
drivers/scsi/lpfc/lpfc_init.c | 1 +
drivers/scsi/scsi_scan.c | 3 +
drivers/scsi/sd.c | 16 ++-
drivers/staging/iio/adc/ad7192.c | 4 +-
drivers/staging/iio/meter/ade7759.c | 2 +-
drivers/usb/class/cdc-acm.c | 3 +
drivers/usb/core/config.c | 6 +-
drivers/usb/core/hub.c | 13 ++-
drivers/usb/core/quirks.c | 4 +
drivers/usb/gadget/composite.c | 5 +
drivers/usb/gadget/dummy_hcd.c | 81 +++++++++++----
drivers/usb/gadget/f_mass_storage.c | 31 ++----
drivers/usb/gadget/f_mass_storage.h | 14 ---
drivers/usb/gadget/inode.c | 55 +++++++++--
drivers/usb/gadget/mass_storage.c | 20 +---
drivers/usb/gadget/net2280.c | 5 +-
drivers/usb/host/pci-quirks.c | 8 +-
drivers/usb/host/xhci-hub.c | 22 ++++-
drivers/usb/host/xhci.h | 2 +-
drivers/usb/renesas_usbhs/fifo.c | 23 ++++-
drivers/usb/serial/cp210x.c | 1 +
drivers/usb/serial/ftdi_sio.c | 2 +
drivers/usb/serial/ftdi_sio_ids.h | 7 ++
drivers/usb/serial/metro-usb.c | 1 +
drivers/usb/serial/option.c | 2 +
drivers/usb/serial/qcserial.c | 4 +
drivers/usb/storage/transport.c | 14 ++-
drivers/usb/storage/unusual_devs.h | 7 ++
drivers/uwb/hwa-rc.c | 2 +
drivers/uwb/uwbd.c | 12 ++-
fs/block_dev.c | 6 +-
fs/btrfs/ioctl.c | 10 +-
fs/cifs/cifsfs.c | 2 +-
fs/cifs/connect.c | 8 ++
fs/cifs/file.c | 7 ++
fs/cifs/smb2pdu.c | 34 +++++--
fs/direct-io.c | 3 +-
fs/ecryptfs/ecryptfs_kernel.h | 25 +++--
fs/ecryptfs/keystore.c | 9 +-
fs/exec.c | 22 ++++-
fs/fscache/object-list.c | 7 ++
fs/fuse/dir.c | 3 +-
fs/mpage.c | 14 ++-
fs/ocfs2/alloc.c | 24 +++--
fs/read_write.c | 4 +-
fs/xattr.c | 2 +-
include/crypto/internal/hash.h | 8 ++
include/linux/buffer_head.h | 1 +
include/linux/capability.h | 2 +
include/linux/iio/adc/ad_sigma_delta.h | 3 +
include/linux/input.h | 1 +
include/linux/key.h | 2 +
include/linux/mbus.h | 4 +-
include/linux/mm.h | 2 +
include/linux/mm_types.h | 1 +
include/linux/mmzone.h | 10 +-
include/linux/netdevice.h | 3 +
include/linux/of.h | 10 ++
include/linux/pci_ids.h | 2 +
include/linux/preempt_mask.h | 21 ++--
include/linux/ptrace.h | 11 ++-
include/linux/sched.h | 1 +
include/linux/skbuff.h | 7 ++
include/net/protocol.h | 2 +-
include/net/route.h | 4 +-
include/net/tcp.h | 8 +-
include/net/udp.h | 2 +-
include/scsi/scsi_device.h | 1 +
include/scsi/scsi_devinfo.h | 1 +
include/sound/seq_kernel.h | 3 +-
include/sound/seq_virmidi.h | 1 +
include/sound/timer.h | 2 +
include/trace/events/kvm.h | 7 +-
include/uapi/linux/spi/spidev.h | 1 +
kernel/capability.c | 36 ++++++-
kernel/fork.c | 9 +-
kernel/params.c | 2 +-
kernel/ptrace.c | 91 +++++++++++------
kernel/sched/core.c | 21 ++--
kernel/sched/features.h | 1 -
kernel/sysctl.c | 3 +-
kernel/trace/trace.c | 12 ++-
kernel/workqueue.c | 37 +++----
kernel/workqueue_internal.h | 3 +-
lib/asn1_decoder.c | 7 +-
lib/digsig.c | 6 ++
mm/huge_memory.c | 14 +--
mm/init-mm.c | 2 +
mm/memory.c | 2 +-
mm/memory_hotplug.c | 6 +-
mm/nommu.c | 2 +-
net/8021q/vlan.c | 6 +-
net/bluetooth/bnep/core.c | 3 +
net/bluetooth/cmtp/core.c | 3 +
net/core/dev.c | 6 +-
net/core/rtnetlink.c | 5 +-
net/core/skbuff.c | 1 +
net/dccp/proto.c | 5 +
net/ipv4/ip_input.c | 22 +++--
net/ipv4/ip_vti.c | 3 +-
net/ipv4/route.c | 44 +++++----
net/ipv4/tcp_ipv4.c | 9 +-
net/ipv4/tcp_output.c | 12 ++-
net/ipv4/udp.c | 30 ++++--
net/ipv6/ip6_gre.c | 41 ++++----
net/ipv6/ip6_vti.c | 3 +-
net/l2tp/l2tp_core.c | 10 +-
net/l2tp/l2tp_core.h | 5 +-
net/l2tp/l2tp_eth.c | 51 +---------
net/l2tp/l2tp_ip.c | 20 ++--
net/l2tp/l2tp_ip6.c | 21 ++--
net/l2tp/l2tp_ppp.c | 10 +-
net/netfilter/ipset/ip_set_core.c | 23 +++--
net/netfilter/nfnetlink_cthelper.c | 10 ++
net/netfilter/x_tables.c | 4 +-
net/netfilter/xt_osf.c | 7 ++
net/netlink/af_netlink.c | 3 +
net/packet/af_packet.c | 4 +-
net/sched/sch_generic.c | 1 +
net/sctp/input.c | 2 +-
net/sctp/sm_sideeffect.c | 4 +-
net/unix/diag.c | 2 +
net/wireless/nl80211.c | 12 ++-
net/xfrm/xfrm_state.c | 1 +
net/xfrm/xfrm_user.c | 3 +-
security/keys/big_key.c | 2 +-
security/keys/encrypted-keys/encrypted.c | 7 ++
security/keys/internal.h | 2 +-
security/keys/key.c | 2 +
security/keys/keyctl.c | 8 +-
security/keys/keyring.c | 72 +++++++-------
security/keys/process_keys.c | 8 +-
security/keys/request_key.c | 46 +++++++--
security/keys/request_key_auth.c | 69 ++++++-------
security/keys/trusted.c | 69 ++++++-------
security/smack/smack_lsm.c | 65 ++++++------
security/yama/yama_lsm.c | 4 +-
sound/core/hrtimer.c | 1 +
sound/core/seq/oss/seq_oss_midi.c | 4 +-
sound/core/seq/oss/seq_oss_readq.c | 29 ++++++
sound/core/seq/oss/seq_oss_readq.h | 2 +
sound/core/seq/seq_clientmgr.c | 2 +-
sound/core/seq/seq_virmidi.c | 27 +++--
sound/core/timer.c | 109 ++++++++++++++-------
sound/core/timer_compat.c | 17 +++-
sound/pci/hda/hda_codec.c | 2 +-
sound/soc/codecs/adau17x1.c | 24 ++++-
sound/soc/codecs/adau17x1.h | 2 +
sound/usb/caiaq/device.c | 12 ++-
sound/usb/usx2y/usb_stream.c | 6 +-
226 files changed, 1733 insertions(+), 945 deletions(-)
--
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
* [PATCH 3.16 125/204] x86/microcode/intel: Disable late loading on model 79
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Ingo Molnar, Thomas Gleixner, Linus Torvalds,
Peter Zijlstra, Tony Luck, Borislav Petkov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov <bp@suse.de>
commit 723f2828a98c8ca19842042f418fb30dd8cfc0f7 upstream.
Blacklist Broadwell X model 79 for late loading due to an erratum.
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Tony Luck <tony.luck@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20171018111225.25635-1-bp@alien8.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: substitute literal value for INTEL_FAM6_BROADWELL_X]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -267,6 +267,18 @@ static int get_ucode_fw(void *to, const
return 0;
}
+static bool is_blacklisted(unsigned int cpu)
+{
+ struct cpuinfo_x86 *c = &cpu_data(cpu);
+
+ if (c->x86 == 6 && c->x86_model == 0x4F) {
+ pr_err_once("late loading on model 79 is disabled.\n");
+ return true;
+ }
+
+ return false;
+}
+
static enum ucode_state request_microcode_fw(int cpu, struct device *device,
bool refresh_fw)
{
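Review bot: the model test in is_blacklisted() hard-codes 0x4F with no symbolic name, and only the backport trailer explains that this literal stands in for INTEL_FAM6_BROADWELL_X; a comment on the `if (c->x86 == 6 && c->x86_model == 0x4F)` line saying so keeps the erratum traceable for the next reader of this file. The check also matches family and model only, so every Broadwell-X stepping is excluded from late loading; if the erratum is stepping-specific, the commit message should say why the broader match was chosen.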
@@ -275,6 +287,9 @@ static enum ucode_state request_microcod
const struct firmware *firmware;
enum ucode_state ret;
+ if (is_blacklisted(cpu))
+ return UCODE_NFOUND;
+
sprintf(name, "intel-ucode/%02x-%02x-%02x",
c->x86, c->x86_model, c->x86_mask);
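Review bot: returning UCODE_NFOUND for a blacklisted CPU makes the firmware late-load path report "no microcode found" rather than an explicit error, so the only evidence of the refusal is the pr_err_once() inside is_blacklisted(), which fires once per boot; a later attempt on another CPU is silent. Either return UCODE_ERROR, or state in the commit message that the silent NFOUND result is intended so administrators know what to look for.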
@@ -299,6 +314,9 @@ static int get_ucode_user(void *to, cons
static enum ucode_state
request_microcode_user(int cpu, const void __user *buf, size_t size)
{
+ if (is_blacklisted(cpu))
+ return UCODE_NFOUND;
+
return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
}
* [PATCH 3.16 186/204] Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Al Viro, Marcel Holtmann
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 71bb99a02b32b4cc4265118e85f6035ca72923f0 upstream.
same story as cmtp
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bluetooth/bnep/core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -533,6 +533,9 @@ int bnep_add_connection(struct bnep_conn
BT_DBG("");
+ if (!l2cap_is_socket(sock))
+ return -EBADFD;
+
baswap((void *) dst, &l2cap_pi(sock->sk)->chan->dst);
baswap((void *) src, &l2cap_pi(sock->sk)->chan->src);
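Review bot: the l2cap_is_socket() check sits correctly ahead of the `l2cap_pi(sock->sk)->chan->dst` and `->src` dereferences on the two lines that follow, which would otherwise read through the wrong socket private-data layout if the descriptor belonged to a socket of another family. The commit message ("same story as cmtp") should spell out that consequence, and the choice of -EBADFD deserves a sentence, since callers may expect -EINVAL for a wrong-type descriptor.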
* [PATCH 3.16 160/204] KEYS: trusted: sanitize all key material
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, Mimi Zohar, David Howells, James Morris, David Safford,
Eric Biggers
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit ee618b4619b72527aaed765f0f0b74072b281159 upstream.
As the previous patch did for encrypted-keys, zero any potentially
sensitive data related to the "trusted" key type before it is freed.
Notably, we were not zeroing the tpm_buf structures in which the actual
key is stored for TPM seal and unseal, nor were we zeroing the
trusted_key_payload in certain error paths.
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
[bwh: Backported to 3.16:
- Drop one unapplicable change
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -69,7 +69,7 @@ static int TSS_sha1(const unsigned char
}
ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
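Review bot: kzfree() clears the whole ksize() extent of sdesc, which covers the embedded shash_desc state, but the `digest` output buffer passed to crypto_shash_digest() on the line above is caller-owned and is not touched here; callers that hash into a stack or heap buffer still have to wipe it themselves. One sentence in the commit message would stop a reader from assuming TSS_sha1() now leaves nothing behind.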
@@ -113,7 +113,7 @@ static int TSS_rawhmac(unsigned char *di
if (!ret)
ret = crypto_shash_final(&sdesc->shash, digest);
out:
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
@@ -164,7 +164,7 @@ static int TSS_authhmac(unsigned char *d
paramdigest, TPM_NONCE_SIZE, h1,
TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
out:
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
@@ -245,7 +245,7 @@ static int TSS_checkhmac1(unsigned char
if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
ret = -EINVAL;
out:
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
@@ -346,7 +346,7 @@ static int TSS_checkhmac2(unsigned char
if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
ret = -EINVAL;
out:
- kfree(sdesc);
+ kzfree(sdesc);
return ret;
}
@@ -563,7 +563,7 @@ static int tpm_seal(struct tpm_buf *tb,
*bloblen = storedsize;
}
out:
- kfree(td);
+ kzfree(td);
return ret;
}
@@ -677,7 +677,7 @@ static int key_seal(struct trusted_key_p
if (ret < 0)
pr_info("trusted_key: srkseal failed (%d)\n", ret);
- kfree(tb);
+ kzfree(tb);
return ret;
}
@@ -702,7 +702,7 @@ static int key_unseal(struct trusted_key
/* pull migratable flag out of sealed key */
p->migratable = p->key[--p->key_len];
- kfree(tb);
+ kzfree(tb);
return ret;
}
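Review bot: kzfree(tb) in key_unseal() is the right call, since `tb` is the tpm_buf the unsealed key passes through, as the commit message notes. The `p->migratable = p->key[--p->key_len]` line above it only shrinks key_len; the migratable byte itself stays in p->key and is cleared later by the kzfree(p) in trusted_rcu_free()/trusted_destroy(), not here. Worth a comment so nobody tries to "fix" it with an extra memset.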
@@ -961,12 +961,12 @@ static int trusted_instantiate(struct ke
if (!ret && options->pcrlock)
ret = pcrlock(options->pcrlock);
out:
- kfree(datablob);
- kfree(options);
+ kzfree(datablob);
+ kzfree(options);
if (!ret)
rcu_assign_keypointer(key, payload);
else
- kfree(payload);
+ kzfree(payload);
return ret;
}
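Review bot: the error branch's kzfree(payload) is the "certain error paths" case from the commit message, and kzfree(options)/kzfree(datablob) clear the parsed PCR and auth options and the raw user input. The split at `out:` is correct (on success the payload is handed to the key via rcu_assign_keypointer() and wiped later in trusted_rcu_free()/trusted_destroy()), but a short comment at the label stating that ownership transfer would make the asymmetry obvious.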
@@ -975,8 +975,7 @@ static void trusted_rcu_free(struct rcu_
struct trusted_key_payload *p;
p = container_of(rcu, struct trusted_key_payload, rcu);
- memset(p->key, 0, p->key_len);
- kfree(p);
+ kzfree(p);
}
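Review bot: replacing `memset(p->key, 0, p->key_len); kfree(p);` with kzfree(p) is more than a mechanical substitution: the old code only wiped p->key and left p->blob and the rest of struct trusted_key_payload intact, whereas kzfree() zeroes the whole allocation as reported by ksize(). The commit message should call out this widening of the wipe.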
/*
@@ -1015,7 +1014,7 @@ static int trusted_update(struct key *ke
ret = datablob_parse(datablob, new_p, new_o);
if (ret != Opt_update) {
ret = -EINVAL;
- kfree(new_p);
+ kzfree(new_p);
goto out;
}
/* copy old key values, and reseal with new pcrs */
@@ -1028,22 +1027,22 @@ static int trusted_update(struct key *ke
ret = key_seal(new_p, new_o);
if (ret < 0) {
pr_info("trusted_key: key_seal failed (%d)\n", ret);
- kfree(new_p);
+ kzfree(new_p);
goto out;
}
if (new_o->pcrlock) {
ret = pcrlock(new_o->pcrlock);
if (ret < 0) {
pr_info("trusted_key: pcrlock failed (%d)\n", ret);
- kfree(new_p);
+ kzfree(new_p);
goto out;
}
}
rcu_assign_keypointer(key, new_p);
call_rcu(&p->rcu, trusted_rcu_free);
out:
- kfree(datablob);
- kfree(new_o);
+ kzfree(datablob);
+ kzfree(new_o);
return ret;
}
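Review bot: every `kfree(new_p)` in the error branches of trusted_update() becomes kzfree(new_p), and `out:` now clears datablob and new_o. The allocation this hunk does not touch is the old payload `p`, which is passed to call_rcu(&p->rcu, trusted_rcu_free) and therefore wiped by the kzfree(p) introduced in trusted_rcu_free(); a comment next to call_rcu() would make that dependency visible to whoever edits either function later.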
@@ -1072,24 +1071,19 @@ static long trusted_read(const struct ke
for (i = 0; i < p->blob_len; i++)
bufp = hex_byte_pack(bufp, p->blob[i]);
if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
- kfree(ascii_buf);
+ kzfree(ascii_buf);
return -EFAULT;
}
- kfree(ascii_buf);
+ kzfree(ascii_buf);
return 2 * p->blob_len;
}
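Review bot: the two kzfree(ascii_buf) calls could be collapsed by capturing the copy_to_user() result first (`ret = copy_to_user(...) ? -EFAULT : 2 * p->blob_len; kzfree(ascii_buf); return ret;`), which also prevents a future edit from adding an exit path that forgets the wipe. ascii_buf holds the hex encoding of the sealed blob rather than the plaintext key, so wiping it is conservative, but it is cheap and consistent with the rest of the patch.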
/*
- * trusted_destroy - before freeing the key, clear the decrypted data
+ * trusted_destroy - clear and free the key's payload
*/
static void trusted_destroy(struct key *key)
{
- struct trusted_key_payload *p = key->payload.data;
-
- if (!p)
- return;
- memset(p->key, 0, p->key_len);
- kfree(key->payload.data);
+ kzfree(key->payload.data);
}
struct key_type key_type_trusted = {
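Review bot: dropping the `if (!p) return;` guard in trusted_destroy() is safe because kzfree() returns early on NULL and ZERO_SIZE_PTR, and, as in trusted_rcu_free(), the replacement now wipes the whole payload rather than only p->key. The updated comment "clear and free the key's payload" matches the new behaviour; the old wording "before freeing the key, clear the decrypted data" would have been misleading once the blob is wiped as well.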
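The patch above replaces kfree() with kzfree() so that key material is overwritten before the allocation is returned to the allocator. The following user-space C program is an added example, not code from the patch or from the kernel; it models the same zeroise-then-free pattern with a `secure_zero()` that wipes through a volatile pointer (a plain memset() immediately before free() is a dead store the optimiser is entitled to drop) and a `secret_free()` that, like kzfree(), tolerates NULL. The struct name, the helper names and the 0xA5 fill value are constructed for the example.

```c
/* Zeroise-before-free in user space, modelled on the kzfree() pattern.
 * Added example; not part of the patch or of the kernel. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Wipe n bytes at p through a volatile pointer so the compiler cannot
 * treat the stores as dead because the buffer is freed right after. */
void secure_zero(void *p, size_t n)
{
	volatile unsigned char *vp = (volatile unsigned char *)p;

	while (n--)
		*vp++ = 0;
}

/* Heap buffer that carries its own length, so the free path can wipe all
 * of it. kzfree() obtains the size from ksize(); here it is explicit. */
struct secret_buf {
	size_t len;
	unsigned char data[];
};

struct secret_buf *secret_alloc(size_t len)
{
	struct secret_buf *b = malloc(sizeof(*b) + len);

	if (!b)
		return NULL;
	b->len = len;
	return b;
}

/* Equivalent of kzfree(): accept NULL, wipe the payload, then free. */
void secret_free(struct secret_buf *b)
{
	if (!b)
		return;
	secure_zero(b->data, b->len);
	free(b);
}

/* Returns 1 if every byte of buf[0..n) is zero; used to verify the wipe. */
int all_zero(const unsigned char *buf, size_t n)
{
	unsigned char acc = 0;

	for (size_t i = 0; i < n; i++)
		acc |= buf[i];
	return acc == 0;
}

/* Fill a secret, wipe it in place and confirm nothing remains. The check
 * runs before free() because reading freed memory is undefined behaviour.
 * Returns 0 on success, -1 on allocation failure or a failed wipe. */
int demo_wipe(void)
{
	struct secret_buf *b = secret_alloc(32);
	int before, after;

	if (!b)
		return -1;
	memset(b->data, 0xA5, b->len);	/* constructed "key material" */
	before = all_zero(b->data, b->len);	/* expect 0: data present */
	secure_zero(b->data, b->len);
	after = all_zero(b->data, b->len);	/* expect 1: fully wiped */
	secret_free(b);
	secret_free(NULL);			/* no-op, like kzfree(NULL) */
	return (!before && after) ? 0 : -1;
}
```

The length field is the important design choice: without a record of the allocation size, a destructor can only wipe the fields it knows about, which is exactly how the old trusted_rcu_free() missed p->blob.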
* [PATCH 3.16 168/204] l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
commit 94d7ee0baa8b764cf64ad91ed69464c1a6a0066b upstream.
The code following l2tp_tunnel_find() expects that a new reference is
held on sk. Either sk_receive_skb() or the discard_put error path will
drop a reference from the tunnel's socket.
This issue exists in both l2tp_ip and l2tp_ip6.
Fixes: a3c18422a4b4 ("l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_ip.c | 5 +++--
net/l2tp/l2tp_ip6.c | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -178,9 +178,10 @@ pass_up:
tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
tunnel = l2tp_tunnel_find(net, tunnel_id);
- if (tunnel != NULL)
+ if (tunnel) {
sk = tunnel->sock;
- else {
+ sock_hold(sk);
+ } else {
struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
read_lock_bh(&l2tp_ip_lock);
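Review bot: sock_hold(sk) is taken unconditionally on `tunnel->sock`; confirm that a tunnel returned by l2tp_tunnel_find() cannot have a NULL sock at this point (for instance during tunnel teardown), since sock_hold() would then dereference NULL. The commit message says the code after the lookup drops one reference through sk_receive_skb() or the discard_put path, so this hold balances that drop; the else branch that obtains sk under l2tp_ip_lock is outside the hunk and should be checked to leave exactly one reference held as well.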
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -190,9 +190,10 @@ pass_up:
tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
tunnel = l2tp_tunnel_find(&init_net, tunnel_id);
- if (tunnel != NULL)
+ if (tunnel) {
sk = tunnel->sock;
- else {
+ sock_hold(sk);
+ } else {
struct ipv6hdr *iph = ipv6_hdr(skb);
read_lock_bh(&l2tp_ip6_lock);
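Review bot: same change as the IPv4 side, with one visible asymmetry worth recording: the IPv6 lookup passes `&init_net` to l2tp_tunnel_find() while the IPv4 version passes `net`, so the IPv6 receive path is not network-namespace aware. That pre-dates this patch and is not for a stable backport to change, but a mention would stop readers from assuming the two files are symmetric.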
* [PATCH 3.16 202/204] crypto: salsa20 - fix blkcipher_walk API usage
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Eric Biggers, syzbot
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit ecaaab5649781c5a0effdaf298a925063020500e upstream.
When asked to encrypt or decrypt 0 bytes, both the generic and x86
implementations of Salsa20 crash in blkcipher_walk_done(), either when
doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
because walk->buffer and walk->page have not been initialized.
The bug is that Salsa20 is calling blkcipher_walk_done() even when
nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to
be called when a nonzero number of bytes have been provided.
The broken code is part of an optimization that tries to make only one
call to salsa20_encrypt_bytes() to process inputs that are not evenly
divisible by 64 bytes. To fix the bug, just remove this "optimization"
and use the blkcipher_walk API the same way all the other users do.
Reproducer:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>

int main()
{
	int algfd, reqfd;
	struct sockaddr_alg addr = {
		.salg_type = "skcipher",
		.salg_name = "salsa20",
	};
	char key[16] = { 0 };

	algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
	bind(algfd, (void *)&addr, sizeof(addr));
	reqfd = accept(algfd, 0, 0);
	setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
	/* No plaintext was sent on reqfd, so this read asks the kernel to
	 * process 0 bytes: the case that reached blkcipher_walk_done(). */
	read(reqfd, key, sizeof(key));
	return 0;
}
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/crypto/salsa20_glue.c | 7 -------
crypto/salsa20_generic.c | 7 -------
2 files changed, 14 deletions(-)
--- a/arch/x86/crypto/salsa20_glue.c
+++ b/arch/x86/crypto/salsa20_glue.c
@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc
salsa20_ivsetup(ctx, walk.iv);
- if (likely(walk.nbytes == nbytes))
- {
- salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
- walk.dst.virt.addr, nbytes);
- return blkcipher_walk_done(desc, &walk, 0);
- }
-
while (walk.nbytes >= 64) {
salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
walk.dst.virt.addr,
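Review bot: removing the fast path deletes the `blkcipher_walk_done(desc, &walk, 0)` call that ran with walk.nbytes == 0, which is the crash the commit message describes. What the hunk does not show is the tail handling after the `while (walk.nbytes >= 64)` loop; confirm that the remaining blkcipher_walk_done() call there is inside an `if (walk.nbytes)` guard, otherwise a zero-length request still reaches it. Note also that the x86 glue passes (src, dst) while the generic file passes (dst, src) to its own salsa20_encrypt_bytes(); the two helpers have different signatures, so this is not a bug, but the asymmetry is easy to misread when comparing the hunks.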
--- a/crypto/salsa20_generic.c
+++ b/crypto/salsa20_generic.c
@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc
salsa20_ivsetup(ctx, walk.iv);
- if (likely(walk.nbytes == nbytes))
- {
- salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
- walk.src.virt.addr, nbytes);
- return blkcipher_walk_done(desc, &walk, 0);
- }
-
while (walk.nbytes >= 64) {
salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
walk.src.virt.addr,
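Review bot: the generic implementation loses the identical fast path; its salsa20_encrypt_bytes() takes (dst, src), the reverse of the x86 glue, so the removed lines were consistent with each file's own helper. As on the x86 side, the post-loop blkcipher_walk_done() call is outside this diff and should be verified to be guarded by walk.nbytes before the patch is considered complete for the zero-length case.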
* [PATCH 3.16 046/204] KEYS: fix cred refcount leak in request_key_auth_new()
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Eric Biggers, David Howells
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 44d8143340a99b167c74365e844516b73523c087 upstream.
In request_key_auth_new(), if key_alloc() or key_instantiate_and_link()
were to fail, we would leak a reference to the 'struct cred'. Currently
this can only happen if key_alloc() fails to allocate memory. But it
still should be fixed, as it is a more severe bug waiting to happen.
Fix it by cleaning things up to use a helper function which frees a
'struct request_key_auth' correctly.
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/request_key_auth.c | 68 ++++++++++++++++++----------------------
1 file changed, 31 insertions(+), 37 deletions(-)
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -107,6 +107,18 @@ static void request_key_auth_revoke(stru
}
}
+static void free_request_key_auth(struct request_key_auth *rka)
+{
+ if (!rka)
+ return;
+ key_put(rka->target_key);
+ key_put(rka->dest_keyring);
+ if (rka->cred)
+ put_cred(rka->cred);
+ kfree(rka->callout_info);
+ kfree(rka);
+}
+
/*
* Destroy an instantiation authorisation token key.
*/
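Review bot: free_request_key_auth() relies on key_put() and kfree() accepting NULL and guards put_cred() explicitly, so it is only safe on a partially initialised record if the struct was zeroed at allocation; the kmalloc() to kzalloc() change later in this patch provides that. A comment above the helper stating that it expects a zero-initialised rka would document the contract.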
@@ -116,15 +128,7 @@ static void request_key_auth_destroy(str
kenter("{%d}", key->serial);
- if (rka->cred) {
- put_cred(rka->cred);
- rka->cred = NULL;
- }
-
- key_put(rka->target_key);
- key_put(rka->dest_keyring);
- kfree(rka->callout_info);
- kfree(rka);
+ free_request_key_auth(rka);
}
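Review bot: the old destroy path set `rka->cred = NULL` after put_cred(); the helper does not, which is fine because rka is freed immediately afterwards and never reused. No behavioural change here beyond the consolidation.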
/*
@@ -138,22 +142,17 @@ struct key *request_key_auth_new(struct
const struct cred *cred = current->cred;
struct key *authkey = NULL;
char desc[20];
- int ret;
+ int ret = -ENOMEM;
kenter("%d,", target->serial);
/* allocate a auth record */
- rka = kmalloc(sizeof(*rka), GFP_KERNEL);
- if (!rka) {
- kleave(" = -ENOMEM");
- return ERR_PTR(-ENOMEM);
- }
+ rka = kzalloc(sizeof(*rka), GFP_KERNEL);
+ if (!rka)
+ goto error;
rka->callout_info = kmalloc(callout_len, GFP_KERNEL);
- if (!rka->callout_info) {
- kleave(" = -ENOMEM");
- kfree(rka);
- return ERR_PTR(-ENOMEM);
- }
+ if (!rka->callout_info)
+ goto error_free_rka;
/* see if the calling process is already servicing the key request of
* another process */
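Review bot: switching kmalloc() to kzalloc() is what makes `goto error_free_rka` on the callout_info failure safe, because free_request_key_auth() will read target_key, dest_keyring and cred before they have been assigned; the commit message should say so, since on its own the kzalloc() change looks cosmetic. Initialising `ret = -ENOMEM` up front also lets the two hand-written `kleave(" = -ENOMEM")` returns collapse into the common error label.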
@@ -163,8 +162,12 @@ struct key *request_key_auth_new(struct
/* if the auth key has been revoked, then the key we're
* servicing is already instantiated */
- if (test_bit(KEY_FLAG_REVOKED, &cred->request_key_auth->flags))
- goto auth_key_revoked;
+ if (test_bit(KEY_FLAG_REVOKED,
+ &cred->request_key_auth->flags)) {
+ up_read(&cred->request_key_auth->sem);
+ ret = -EKEYREVOKED;
+ goto error_free_rka;
+ }
irka = cred->request_key_auth->payload.data;
rka->cred = get_cred(irka->cred);
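Review bot: the revoked case now releases `cred->request_key_auth->sem` before jumping to error_free_rka, preserving the old unlock order; rka->cred is still NULL at this point (it is assigned on the line after the check), so the helper correctly skips put_cred(). The dedicated `kleave("= -EKEYREVOKED")` is replaced by the generic `kleave("= %d", ret)` at the error label, a minor change to the trace output worth knowing about when reading old logs.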
@@ -192,32 +195,23 @@ struct key *request_key_auth_new(struct
KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA);
if (IS_ERR(authkey)) {
ret = PTR_ERR(authkey);
- goto error_alloc;
+ goto error_free_rka;
}
/* construct the auth key */
ret = key_instantiate_and_link(authkey, rka, 0, NULL, NULL);
if (ret < 0)
- goto error_inst;
+ goto error_put_authkey;
kleave(" = {%d,%d}", authkey->serial, atomic_read(&authkey->usage));
return authkey;
-auth_key_revoked:
- up_read(&cred->request_key_auth->sem);
- kfree(rka->callout_info);
- kfree(rka);
- kleave("= -EKEYREVOKED");
- return ERR_PTR(-EKEYREVOKED);
-
-error_inst:
+error_put_authkey:
key_revoke(authkey);
key_put(authkey);
-error_alloc:
- key_put(rka->target_key);
- key_put(rka->dest_keyring);
- kfree(rka->callout_info);
- kfree(rka);
+error_free_rka:
+ free_request_key_auth(rka);
+error:
kleave("= %d", ret);
return ERR_PTR(ret);
}
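Review bot: the new error ladder frees rka through free_request_key_auth() after key_revoke()/key_put() on error_put_authkey. Confirm that a failure inside key_instantiate_and_link() cannot leave authkey instantiated with rka as its payload, since the key's destroy op would then free rka a second time when the key is garbage collected; if instantiation failure always leaves payload.data NULL, a comment at error_put_authkey saying so would stop that question from being asked on every future read of this function.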
* [PATCH 3.16 024/204] crypto: talitos - fix sha224
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Herbert Xu, LEROY Christophe
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: LEROY Christophe <christophe.leroy@c-s.fr>
commit afd62fa26343be6445479e75de9f07092a061459 upstream.
Kernel crypto tests report the following error at startup
[ 2.752626] alg: hash: Test 4 failed for sha224-talitos
[ 2.757907] 00000000: 30 e2 86 e2 e7 8a dd 0d d7 eb 9f d5 83 fe f1 b0
00000010: 2d 5a 6c a5 f9 55 ea fd 0e 72 05 22
This patch fixes it
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/crypto/talitos.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1581,9 +1581,9 @@ static int common_nonsnoop_hash(struct t
req_ctx->swinit = 0;
} else {
desc->ptr[1] = zero_entry;
- /* Indicate next op is not the first. */
- req_ctx->first = 0;
}
+ /* Indicate next op is not the first. */
+ req_ctx->first = 0;
/* HMAC key */
if (ctx->keylen)
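Review bot: moving `req_ctx->first = 0` below the if/else means the flag is now also cleared on the swinit branch, where it was previously left set; that is the actual sha224 fix, and the commit message ("This patch fixes it") should say so instead of only quoting the failing self-test output. The accompanying comment moves with the assignment, which keeps the code readable.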
* [PATCH 3.16 171/204] ALSA: timer: Limit max instances per timer
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Jérôme Glisse, syzbot, Takashi Iwai
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 9b7d869ee5a77ed4a462372bb89af622e705bfb8 upstream.
Currently we allow unlimited number of timer instances, and it may
bring the system hogging way too much CPU when too many timer
instances are opened and processed concurrently. This may end up with
a soft-lockup report as triggered by syzkaller, especially when
hrtimer backend is deployed.
Since such an insane number of instances isn't demanded by the normal
use case of ALSA sequencer and it merely opens a risk for abuse,
this patch introduces an upper limit for the number of instances per
timer backend. By default, it's set to 1000, but for a fine-grained
timer like hrtimer, it's set to 100.
Reported-by: syzbot
Tested-by: Jérôme Glisse <jglisse@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/sound/timer.h | 2 ++
sound/core/hrtimer.c | 1 +
sound/core/timer.c | 67 +++++++++++++++++++++++++++++++++++++++++----------
3 files changed, 57 insertions(+), 13 deletions(-)
--- a/include/sound/timer.h
+++ b/include/sound/timer.h
@@ -90,6 +90,8 @@ struct snd_timer {
struct list_head ack_list_head;
struct list_head sack_list_head; /* slow ack list head */
struct tasklet_struct task_queue;
+ int max_instances; /* upper limit of timer instances */
+ int num_instances; /* current number of timer instances */
};
struct snd_timer_instance {
--- a/sound/core/hrtimer.c
+++ b/sound/core/hrtimer.c
@@ -144,6 +144,7 @@ static int __init snd_hrtimer_init(void)
timer->hw = hrtimer_hw;
timer->hw.resolution = resolution;
timer->hw.ticks = NANO_SEC / resolution;
+ timer->max_instances = 100; /* lower the limit */
err = snd_timer_global_register(timer);
if (err < 0) {
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -181,7 +181,7 @@ static void snd_timer_request(struct snd
*
* call this with register_mutex down.
*/
-static void snd_timer_check_slave(struct snd_timer_instance *slave)
+static int snd_timer_check_slave(struct snd_timer_instance *slave)
{
struct snd_timer *timer;
struct snd_timer_instance *master;
@@ -191,16 +191,21 @@ static void snd_timer_check_slave(struct
list_for_each_entry(master, &timer->open_list_head, open_list) {
if (slave->slave_class == master->slave_class &&
slave->slave_id == master->slave_id) {
+ if (master->timer->num_instances >=
+ master->timer->max_instances)
+ return -EBUSY;
list_move_tail(&slave->open_list,
&master->slave_list_head);
+ master->timer->num_instances++;
spin_lock_irq(&slave_active_lock);
slave->master = master;
slave->timer = master->timer;
spin_unlock_irq(&slave_active_lock);
- return;
+ return 0;
}
}
}
+ return 0;
}
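Review bot: the capacity check in snd_timer_check_slave() runs before list_move_tail(), so a refused slave stays on snd_timer_slave_list with slave->timer still NULL and num_instances untouched; the caller then closes it, and snd_timer_close_locked() skips the decrement because `timer` is NULL. That balance is correct but subtle enough to deserve a comment on the `return -EBUSY` line.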
/*
@@ -209,7 +214,7 @@ static void snd_timer_check_slave(struct
*
* call this with register_mutex down.
*/
-static void snd_timer_check_master(struct snd_timer_instance *master)
+static int snd_timer_check_master(struct snd_timer_instance *master)
{
struct snd_timer_instance *slave, *tmp;
@@ -217,7 +222,11 @@ static void snd_timer_check_master(struc
list_for_each_entry_safe(slave, tmp, &snd_timer_slave_list, open_list) {
if (slave->slave_class == master->slave_class &&
slave->slave_id == master->slave_id) {
+ if (master->timer->num_instances >=
+ master->timer->max_instances)
+ return -EBUSY;
list_move_tail(&slave->open_list, &master->slave_list_head);
+ master->timer->num_instances++;
spin_lock_irq(&slave_active_lock);
spin_lock(&master->timer->lock);
slave->master = master;
@@ -229,8 +238,11 @@ static void snd_timer_check_master(struc
spin_unlock_irq(&slave_active_lock);
}
}
+ return 0;
}
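Review bot: snd_timer_check_master() returns -EBUSY from inside the loop, so slaves matched earlier in the same pass have already been moved onto master->slave_list_head and counted. That partial state is unwound only because the caller closes the master and snd_timer_close_locked() moves every slave back and decrements num_instances for each; a comment at the early return should point to that, otherwise the early exit reads as if it leaks attached slaves.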
+static int snd_timer_close_locked(struct snd_timer_instance *timeri);
+
/*
* open a timer instance
* when opening a master, the slave id must be here given.
@@ -241,6 +253,7 @@ int snd_timer_open(struct snd_timer_inst
{
struct snd_timer *timer;
struct snd_timer_instance *timeri = NULL;
+ int err;
if (tid->dev_class == SNDRV_TIMER_CLASS_SLAVE) {
/* open a slave instance */
@@ -260,10 +273,14 @@ int snd_timer_open(struct snd_timer_inst
timeri->slave_id = tid->device;
timeri->flags |= SNDRV_TIMER_IFLG_SLAVE;
list_add_tail(&timeri->open_list, &snd_timer_slave_list);
- snd_timer_check_slave(timeri);
+ err = snd_timer_check_slave(timeri);
+ if (err < 0) {
+ snd_timer_close_locked(timeri);
+ timeri = NULL;
+ }
mutex_unlock(®ister_mutex);
*ti = timeri;
- return 0;
+ return err;
}
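Review bot: on -EBUSY the slave path clears `*ti` via `timeri = NULL` after snd_timer_close_locked(), so callers that only test the return value never see a dangling pointer. Since snd_timer_close_locked() is invoked on an instance whose `timer` field was never set, the `if (timer)` guard inside it is what keeps the counter consistent on this path.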
/* open a master instance */
@@ -289,6 +306,10 @@ int snd_timer_open(struct snd_timer_inst
return -EBUSY;
}
}
+ if (timer->num_instances >= timer->max_instances) {
+ mutex_unlock(®ister_mutex);
+ return -EBUSY;
+ }
timeri = snd_timer_instance_new(owner, timer);
if (!timeri) {
mutex_unlock(®ister_mutex);
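Review bot: the master-side `num_instances >= max_instances` test runs before snd_timer_instance_new(), so a refused open allocates nothing, but it reuses the -EBUSY errno of the exclusive-open check in the loop above it, so user space cannot distinguish "timer exclusively owned" from "instance limit reached". A distinct error code or a ratelimited message would make the new limit diagnosable when a legitimate workload hits it.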
@@ -315,26 +336,28 @@ int snd_timer_open(struct snd_timer_inst
}
list_add_tail(&timeri->open_list, &timer->open_list_head);
- snd_timer_check_master(timeri);
+ timer->num_instances++;
+ err = snd_timer_check_master(timeri);
+ if (err < 0) {
+ snd_timer_close_locked(timeri);
+ timeri = NULL;
+ }
mutex_unlock(®ister_mutex);
*ti = timeri;
- return 0;
+ return err;
}
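Review bot: `timer->num_instances++` happens before snd_timer_check_master(), and on its -EBUSY the close path decrements it again (timeri->timer is set by snd_timer_instance_new()), so the count stays balanced; returning `err` with `*ti = NULL` mirrors the slave path. Since the increment and check happen under register_mutex, there is no window in which two openers both pass the limit.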
static int _snd_timer_stop(struct snd_timer_instance *timeri, int event);
/*
* close a timer instance
+ * call this with register_mutex down.
*/
-int snd_timer_close(struct snd_timer_instance *timeri)
+static int snd_timer_close_locked(struct snd_timer_instance *timeri)
{
struct snd_timer *timer = NULL;
struct snd_timer_instance *slave, *tmp;
- if (snd_BUG_ON(!timeri))
- return -ENXIO;
-
- mutex_lock(®ister_mutex);
list_del(&timeri->open_list);
/* force to stop the timer */
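Review bot: the snd_BUG_ON(!timeri) check and the register_mutex lock/unlock pair move into the new snd_timer_close() wrapper, and the internal callers in snd_timer_open() call snd_timer_close_locked() while already holding the mutex; the added "call this with register_mutex down" comment on the renamed function is the right place to record that requirement.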
@@ -342,6 +365,7 @@ int snd_timer_close(struct snd_timer_ins
timer = timeri->timer;
if (timer) {
+ timer->num_instances--;
/* wait, until the active callback is finished */
spin_lock_irq(&timer->lock);
while (timeri->flags & SNDRV_TIMER_IFLG_CALLBACK) {
@@ -357,6 +381,7 @@ int snd_timer_close(struct snd_timer_ins
list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
open_list) {
list_move_tail(&slave->open_list, &snd_timer_slave_list);
+ timer->num_instances--;
slave->master = NULL;
slave->timer = NULL;
list_del_init(&slave->ack_list);
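Review bot: each slave moved back to snd_timer_slave_list decrements timer->num_instances, matching the increment in snd_timer_check_master()/snd_timer_check_slave(); this is also what makes the partial-attach early return in snd_timer_check_master() safe, so the two sites should reference each other in comments to keep them in step.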
@@ -384,10 +409,25 @@ int snd_timer_close(struct snd_timer_ins
module_put(timer->module);
}
- mutex_unlock(®ister_mutex);
return 0;
}
+/*
+ * close a timer instance
+ */
+int snd_timer_close(struct snd_timer_instance *timeri)
+{
+ int err;
+
+ if (snd_BUG_ON(!timeri))
+ return -ENXIO;
+
+ mutex_lock(®ister_mutex);
+ err = snd_timer_close_locked(timeri);
+ mutex_unlock(®ister_mutex);
+ return err;
+}
+
unsigned long snd_timer_resolution(struct snd_timer_instance *timeri)
{
struct snd_timer * timer;
@@ -866,6 +906,7 @@ int snd_timer_new(struct snd_card *card,
spin_lock_init(&timer->lock);
tasklet_init(&timer->task_queue, snd_timer_tasklet,
(unsigned long)timer);
+ timer->max_instances = 1000; /* default limit per timer */
if (card != NULL) {
timer->module = card->module;
err = snd_device_new(card, SNDRV_DEV_TIMER, timer, &ops);
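Review bot: the default of 1000 here and the 100 in hrtimer.c are bare literals, not named constants and not module parameters, so an administrator whose legitimate workload hits the limit has no knob and no obvious place to look. Suggest at least #defines next to the new fields in include/sound/timer.h, and a mention of both values in the commit message so stable users know what changed.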
* [PATCH 3.16 035/204] usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Kris Lindgren, Greg Kroah-Hartman, Alan Stern
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 113f6eb6d50cfa5e2a1cdcf1678b12661fa272ab upstream.
Kris Lindgren reports that without the NO_WP_DETECT flag, his Seagate
external disk drive fails all write accesses. This regression dates
back approximately to the start of the 4.x kernel releases.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Kris Lindgren <kris.lindgren@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/storage/unusual_devs.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1360,6 +1360,13 @@ UNUSUAL_DEV( 0x0bc2, 0x3010, 0x0000, 0x0
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_SANE_SENSE ),
+/* Reported by Kris Lindgren <kris.lindgren@gmail.com> */
+UNUSUAL_DEV( 0x0bc2, 0x3332, 0x0000, 0x9999,
+ "Seagate",
+ "External",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_WP_DETECT ),
+
UNUSUAL_DEV( 0x0d49, 0x7310, 0x0000, 0x9999,
"Maxtor",
"USB to SATA",
* [PATCH 3.16 120/204] scsi: zfcp: fix erp_action use-before-initialize in REC action trace
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, Steffen Maier, Martin K. Petersen, Benjamin Block
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Steffen Maier <maier@linux.vnet.ibm.com>
commit ab31fd0ce65ec93828b617123792c1bb7c6dcc42 upstream.
v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN
recovery") extended accessing parent pointer fields of struct
zfcp_erp_action for tracing. If an erp_action has never been enqueued
before, these parent pointer fields are uninitialized and NULL. Examples
are zfcp objects freshly added to the parent object's children list,
before enqueueing their first recovery subsequently. In
zfcp_erp_try_rport_unblock(), we iterate over such a list. Accessing
erp_action fields can cause a NULL pointer dereference. Since the kernel
can read from lowcore on s390, it does not immediately cause a kernel
page fault. Instead, it can cause hangs on trying to acquire the wrong
erp_action->adapter->dbf->rec_lock in zfcp_dbf_rec_action_lvl()
                     ^bogus^
while holding already other locks with IRQs disabled.
Real life example from attaching lots of LUNs in parallel on many CPUs:
crash> bt 17723
PID: 17723 TASK: ... CPU: 25 COMMAND: "zfcperp0.0.1800"
LOWCORE INFO:
-psw : 0x0404300180000000 0x000000000038e424
-function : _raw_spin_lock_wait_flags at 38e424
...
#0 [fdde8fc90] zfcp_dbf_rec_action_lvl at 3e0004e9862 [zfcp]
#1 [fdde8fce8] zfcp_erp_try_rport_unblock at 3e0004dfddc [zfcp]
#2 [fdde8fd38] zfcp_erp_strategy at 3e0004e0234 [zfcp]
#3 [fdde8fda8] zfcp_erp_thread at 3e0004e0a12 [zfcp]
#4 [fdde8fe60] kthread at 173550
#5 [fdde8feb8] kernel_thread_starter at 10add2
zfcp_adapter
zfcp_port
zfcp_unit <address>, 0x404040d600000000
scsi_device NULL, returning early!
zfcp_scsi_dev.status = 0x40000000
0x40000000 ZFCP_STATUS_COMMON_RUNNING
crash> zfcp_unit <address>
struct zfcp_unit {
erp_action = {
adapter = 0x0,
port = 0x0,
unit = 0x0,
},
}
zfcp_erp_action is always fully embedded into its container object. Such
container object is never moved in its object tree (only add or delete).
Hence, erp_action parent pointers can never change.
To fix the issue, initialize the erp_action parent pointers before
adding the erp_action container to any list and thus before it becomes
accessible from outside of its initializing function.
In order to also close the time window between zfcp_erp_setup_act()
memsetting the entire erp_action to zero and setting the parent pointers
again, drop the memset and instead explicitly initialize individually
all erp_action fields except for parent pointers. To be extra careful
not to introduce any other unintended side effect, even keep zeroing the
erp_action fields for list and timer. Also double-check with
WARN_ON_ONCE that erp_action parent pointers never change, so we get to
know when we would deviate from previous behavior.
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery")
Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/s390/scsi/zfcp_aux.c | 5 +++++
drivers/s390/scsi/zfcp_erp.c | 18 +++++++++++-------
drivers/s390/scsi/zfcp_scsi.c | 5 +++++
3 files changed, 21 insertions(+), 7 deletions(-)
--- a/drivers/s390/scsi/zfcp_aux.c
+++ b/drivers/s390/scsi/zfcp_aux.c
@@ -356,6 +356,8 @@ struct zfcp_adapter *zfcp_adapter_enqueu
INIT_WORK(&adapter->scan_work, zfcp_fc_scan_ports);
INIT_WORK(&adapter->ns_up_work, zfcp_fc_sym_name_update);
+ adapter->erp_action.adapter = adapter;
+
if (zfcp_qdio_setup(adapter))
goto failed;
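Review bot: adapter->erp_action.adapter is set before zfcp_qdio_setup(), but the ordering that matters is relative to the point where the adapter becomes reachable from other contexts, and this hunk shows only the INIT_WORK calls above the new line. Confirm in zfcp_adapter_enqueue() that no list_add or device registration precedes this assignment, since "initialize the parent pointers before the container is on any list" is the invariant the description relies on.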
@@ -512,6 +514,9 @@ struct zfcp_port *zfcp_port_enqueue(stru
port->dev.groups = zfcp_port_attr_groups;
port->dev.release = zfcp_port_release;
+ port->erp_action.adapter = adapter;
+ port->erp_action.port = port;
+
if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
kfree(port);
goto err_out;
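Review bot: on the dev_set_name() failure path the port is kfree'd, so the newly initialized erp_action pointers are discarded with it, which is fine. Only adapter and port are assigned here; port->erp_action.sdev is left at whatever the allocator gave it, and the later WARN_ON_ONCE(erp_action->sdev != NULL) in zfcp_erp_setup_act() assumes it is NULL. The allocation is not shown in this hunk, so check that the port is kzalloc'ed.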
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -193,9 +193,8 @@ static struct zfcp_erp_action *zfcp_erp_
atomic_set_mask(ZFCP_STATUS_COMMON_ERP_INUSE,
&zfcp_sdev->status);
erp_action = &zfcp_sdev->erp_action;
- memset(erp_action, 0, sizeof(struct zfcp_erp_action));
- erp_action->port = port;
- erp_action->sdev = sdev;
+ WARN_ON_ONCE(erp_action->port != port);
+ WARN_ON_ONCE(erp_action->sdev != sdev);
if (!(atomic_read(&zfcp_sdev->status) &
ZFCP_STATUS_COMMON_RUNNING))
act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
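Review bot: replacing the memset with WARN_ON_ONCE turns a silent re-initialization into an observable invariant check, but WARN_ON_ONCE only reports; if the pointers ever differ, execution continues with whatever is in erp_action. Given the description's argument that the parents can never change, that is acceptable, but a one-line comment next to the first WARN saying where the parent pointers are set (zfcp_scsi_slave_alloc() for sdev, zfcp_port_enqueue() for port, zfcp_adapter_enqueue() for adapter) would tell a future reader why no assignment happens here.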
@@ -208,8 +207,8 @@ static struct zfcp_erp_action *zfcp_erp_
zfcp_erp_action_dismiss_port(port);
atomic_set_mask(ZFCP_STATUS_COMMON_ERP_INUSE, &port->status);
erp_action = &port->erp_action;
- memset(erp_action, 0, sizeof(struct zfcp_erp_action));
- erp_action->port = port;
+ WARN_ON_ONCE(erp_action->port != port);
+ WARN_ON_ONCE(erp_action->sdev != NULL);
if (!(atomic_read(&port->status) & ZFCP_STATUS_COMMON_RUNNING))
act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
break;
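Review bot: the port case asserts erp_action->sdev == NULL, yet nothing in this patch ever assigns port->erp_action.sdev; the check therefore depends on the port container having been zero-initialized at allocation, which the zfcp_port_enqueue() hunk above does not show. If that assumption holds, fine; if the port is allocated with kmalloc, this WARN would fire on the first recovery.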
@@ -219,7 +218,8 @@ static struct zfcp_erp_action *zfcp_erp_
zfcp_erp_action_dismiss_adapter(adapter);
atomic_set_mask(ZFCP_STATUS_COMMON_ERP_INUSE, &adapter->status);
erp_action = &adapter->erp_action;
- memset(erp_action, 0, sizeof(struct zfcp_erp_action));
+ WARN_ON_ONCE(erp_action->port != NULL);
+ WARN_ON_ONCE(erp_action->sdev != NULL);
if (!(atomic_read(&adapter->status) &
ZFCP_STATUS_COMMON_RUNNING))
act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
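Review bot: the adapter case checks only port and sdev here; the erp_action->adapter check for all three cases is deferred to the common tail (WARN_ON_ONCE(erp_action->adapter != adapter) in the next hunk). That is a sensible structure, but a reader of this hunk alone may think the adapter pointer is unchecked, so a short comment pointing at the shared check would help.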
@@ -229,7 +229,11 @@ static struct zfcp_erp_action *zfcp_erp_
return NULL;
}
- erp_action->adapter = adapter;
+ WARN_ON_ONCE(erp_action->adapter != adapter);
+ memset(&erp_action->list, 0, sizeof(erp_action->list));
+ memset(&erp_action->timer, 0, sizeof(erp_action->timer));
+ erp_action->step = ZFCP_ERP_STEP_UNINITIALIZED;
+ erp_action->fsf_req_id = 0;
erp_action->action = need;
erp_action->status = act_status;
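Review bot: the memset of erp_action->list and erp_action->timer zeroes a list_head and a timer_list in place. Zeroing a list_head is not INIT_LIST_HEAD() (prev/next become NULL rather than self-pointers), and zeroing a timer that could still be pending would corrupt timer internals; the description says this deliberately preserves the old memset behaviour for these two fields, so nothing changes, but a comment stating that here would stop someone from later "fixing" it to INIT_LIST_HEAD()/timer setup without first confirming the list and timer are guaranteed idle at this point.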
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -136,10 +136,15 @@ static int zfcp_scsi_slave_alloc(struct
struct zfcp_unit *unit;
int npiv = adapter->connection_features & FSF_FEATURE_NPIV_MODE;
+ zfcp_sdev->erp_action.adapter = adapter;
+ zfcp_sdev->erp_action.sdev = sdev;
+
port = zfcp_get_port_by_wwpn(adapter, rport->port_name);
if (!port)
return -ENXIO;
+ zfcp_sdev->erp_action.port = port;
+
unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev));
if (unit)
put_device(&unit->dev);
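Review bot: erp_action.port is assigned only after zfcp_get_port_by_wwpn() succeeds, so on the -ENXIO path the zfcp_sdev is left with adapter and sdev set but port NULL. That is harmless only if a failed slave_alloc means the sdev is never placed on a port's children list and never reaches zfcp_erp_setup_act(); it is exactly the partially initialized state the description warns about, so the fix relies on the SCSI midlayer tearing the device down on slave_alloc failure. Worth a comment.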
* [PATCH 3.16 013/204] xhci: fix finding correct bus_state structure for USB 3.1 hosts
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mathias Nyman, Greg Kroah-Hartman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 5a838a13c9b4e5dd188b7a6eaeb894e9358ead0c upstream.
xhci driver keeps a bus_state structure for each hcd (usb2 and usb3).
The structure is picked based on hcd speed, but driver only compared
for HCD_USB3 speed, returning the wrong bus_state for HCD_USB31 hosts.
This caused null pointer dereference errors in bus_resume function.
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/host/xhci.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1437,7 +1437,7 @@ struct xhci_bus_state {
static inline unsigned int hcd_index(struct usb_hcd *hcd)
{
- if (hcd->speed == HCD_USB3)
+ if (hcd->speed >= HCD_USB3)
return 0;
else
return 1;
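Review bot: the comparison now treats every speed at or above HCD_USB3 as the USB3 bus, which assumes the HCD speed values are ordered so that HCD_USB31 is greater than HCD_USB3 and that nothing above HCD_USB3 is a USB2-class host; that ordering is not visible in this hunk, so check the enum in this tree. Also confirm that 3.16 actually defines HCD_USB31; if it does not, the change is harmless but inert.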
* [PATCH 3.16 156/204] macvtap: fix TUNSETSNDBUF values > 64k
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Michael S. Tsirkin, David S. Miller, Mark,
Christian Borntraeger, Matthew Rosato
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" <mst@redhat.com>
commit 3ea79249e81e5ed051f2e6480cbde896d99046e8 upstream.
Upon TUNSETSNDBUF, macvtap reads the requested sndbuf size into
a local variable u.
commit 39ec7de7092b ("macvtap: fix uninitialized access on
TUNSETIFF") changed its type to u16 (which is the right thing to
do for all other macvtap ioctls), breaking all values > 64k.
The value of TUNSETSNDBUF is actually a signed 32 bit integer, so
the right thing to do is to read it into an int.
Cc: David S. Miller <davem@davemloft.net>
Fixes: 39ec7de7092b ("macvtap: fix uninitialized access on TUNSETIFF")
Reported-by: Mark A. Peloquin
Bisected-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com>
Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/macvtap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -1051,10 +1051,10 @@ static long macvtap_ioctl(struct file *f
return 0;
case TUNSETSNDBUF:
- if (get_user(u, up))
+ if (get_user(s, sp))
return -EFAULT;
- q->sk.sk_sndbuf = u;
+ q->sk.sk_sndbuf = s;
return 0;
case TUNGETVNETHDRSZ:
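Review bot: the hunk relies on `s` (int) and `sp` (int __user *) already being declared in macvtap_ioctl() for the other int-sized ioctls; neither declaration is part of this diff, so confirm both exist in the 3.16 function before applying. Separately, the value is stored straight into q->sk.sk_sndbuf with no lower bound, so a zero or negative sndbuf is accepted here; that is pre-existing behaviour rather than something this patch introduces, but a follow-up rejecting s <= 0 with -EINVAL would be reasonable.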
* [PATCH 3.16 185/204] Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro, Marcel Holtmann
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 96c26653ce65bf84f3212f8b00d4316c1efcbf4c upstream.
... rather than relying on ciptool(8) never passing it anything else. Give
it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops,
trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bluetooth/cmtp/core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -334,6 +334,9 @@ int cmtp_add_connection(struct cmtp_conn
BT_DBG("");
+ if (!l2cap_is_socket(sock))
+ return -EBADFD;
+
session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);
if (!session)
return -ENOMEM;
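Review bot: the check sits before kzalloc(), so rejecting a non-L2CAP socket with -EBADFD leaks nothing, and it runs before anything dereferences l2cap_pi(sock->sk). The hunk adds no #include, so it relies on l2cap_is_socket() already being visible through the headers core.c pulls in (include/net/bluetooth/l2cap.h); confirm that helper exists in this 3.16 tree, since the backport cannot compile without it.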
* [PATCH 3.16 006/204] spi: uapi: spidev: add missing ioctl header
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mark Brown, Baruch Siach
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Baruch Siach <baruch@tkos.co.il>
commit a2b4a79b88b24c49d98d45a06a014ffd22ada1a4 upstream.
The SPI_IOC_MESSAGE() macro references _IOC_SIZEBITS. Add linux/ioctl.h
to make sure this macro is defined. This fixes the following build
failure of lcdproc with the musl libc:
In file included from .../sysroot/usr/include/sys/ioctl.h:7:0,
from hd44780-spi.c:31:
hd44780-spi.c: In function 'spi_transfer':
hd44780-spi.c:89:24: error: '_IOC_SIZEBITS' undeclared (first use in this function)
status = ioctl(p->fd, SPI_IOC_MESSAGE(1), &xfer);
^
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/uapi/linux/spi/spidev.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/uapi/linux/spi/spidev.h
+++ b/include/uapi/linux/spi/spidev.h
@@ -23,6 +23,7 @@
#define SPIDEV_H
#include <linux/types.h>
+#include <linux/ioctl.h>
/* User space versions of kernel symbols for SPI clocking modes,
* matching <linux/spi/spi.h>
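Review bot: including <linux/ioctl.h> from the UAPI header is the right fix: the _IOC_* macros behind SPI_IOC_MESSAGE() come from there, and user space cannot be expected to include it first. Placing it next to <linux/types.h> matches how other exported ioctl headers are written. No concerns.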
* [PATCH 3.16 203/204] crypto: hmac - require that the underlying hash algorithm is unkeyed
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric Biggers, syzbot, Herbert Xu
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 upstream.
Because the HMAC template didn't check that its underlying hash
algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
being used without having been keyed, resulting in sha3_update() being
called without sha3_init(), causing a stack buffer overflow.
This is a very old bug, but it seems to have only started causing real
problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
because the innermost hash's state is ->import()ed from a zeroed buffer,
and it just so happens that other hash algorithms are fine with that,
but SHA-3 is not. However, there could be arch or hardware-dependent
hash algorithms also affected; I couldn't test everything.
Fix the bug by introducing a function crypto_shash_alg_has_setkey()
which tests whether a shash algorithm is keyed. Then update the HMAC
template to require that its underlying hash algorithm is unkeyed.
Here is a reproducer:
#include <linux/if_alg.h>
#include <sys/socket.h>
int main()
{
int algfd;
struct sockaddr_alg addr = {
.salg_type = "hash",
.salg_name = "hmac(hmac(sha3-512-generic))",
};
char key[4096] = { 0 };
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
}
Here was the KASAN report from syzbot:
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline]
BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
memcpy+0x37/0x50 mm/kasan/kasan.c:303
memcpy include/linux/string.h:341 [inline]
sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
crypto_shash_update+0xcb/0x220 crypto/shash.c:109
shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
hmac_finup+0x182/0x330 crypto/hmac.c:152
crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
hmac_setkey+0x36a/0x690 crypto/hmac.c:66
crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
shash_async_setkey+0x47/0x60 crypto/shash.c:207
crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
hash_setkey+0x40/0x90 crypto/algif_hash.c:446
alg_setkey crypto/af_alg.c:221 [inline]
alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
SYSC_setsockopt net/socket.c:1851 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1830
entry_SYSCALL_64_fastpath+0x1f/0x96
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
crypto/hmac.c | 6 +++++-
crypto/shash.c | 5 +++--
include/crypto/internal/hash.h | 8 ++++++++
3 files changed, 16 insertions(+), 3 deletions(-)
--- a/crypto/hmac.c
+++ b/crypto/hmac.c
@@ -197,11 +197,15 @@ static int hmac_create(struct crypto_tem
salg = shash_attr_alg(tb[1], 0, 0);
if (IS_ERR(salg))
return PTR_ERR(salg);
+ alg = &salg->base;
+ /* The underlying hash algorithm must be unkeyed */
err = -EINVAL;
+ if (crypto_shash_alg_has_setkey(salg))
+ goto out_put_alg;
+
ds = salg->digestsize;
ss = salg->statesize;
- alg = &salg->base;
if (ds > alg->cra_blocksize ||
ss < alg->cra_blocksize)
goto out_put_alg;
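Review bot: moving `alg = &salg->base;` above the new check is required rather than cosmetic: the `goto out_put_alg` now taken for a keyed underlying hash lands on a label that drops the reference via `alg`, and with the old placement `alg` would have been uninitialized on that path. Keeping the assignment directly after shash_attr_alg(), or a one-line comment, would make that dependency obvious to anyone reordering this later.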
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -24,11 +24,12 @@
static const struct crypto_type crypto_shash_type;
-static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
- unsigned int keylen)
+int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+ unsigned int keylen)
{
return -ENOSYS;
}
+EXPORT_SYMBOL_GPL(shash_no_setkey);
static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
unsigned int keylen)
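Review bot: turning shash_no_setkey() into an exported symbol so callers can compare function pointers against it works, but it makes an internal stub part of the module ABI. A flag on shash_alg, or a helper in shash.c that performs the comparison, would keep the stub private; acceptable as a minimal stable fix, but worth noting if this is later reworked.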
--- a/include/crypto/internal/hash.h
+++ b/include/crypto/internal/hash.h
@@ -83,6 +83,14 @@ int ahash_register_instance(struct crypt
struct ahash_instance *inst);
void ahash_free_instance(struct crypto_instance *inst);
+int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+ unsigned int keylen);
+
+static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
+{
+ return alg->setkey != shash_no_setkey;
+}
+
int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn,
struct hash_alg_common *alg,
struct crypto_instance *inst);
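Review bot: crypto_shash_alg_has_setkey() tests `alg->setkey != shash_no_setkey`, which is only meaningful after registration has substituted shash_no_setkey for a NULL ->setkey; an unkeyed algorithm whose author supplied a private stub returning -ENOSYS would still be reported as keyed and refused by HMAC. That fails in the safe direction (refuse rather than allow), so it is acceptable, but a one-line comment stating the helper must be called on a registered alg would prevent misuse from other templates.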
* [PATCH 3.16 014/204] usb: pci-quirks.c: Corrected timeout values used in handshake
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Greg Kroah-Hartman, Jim Dickerson, Mathias Nyman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jim Dickerson <jim.dickerson@hpe.com>
commit 114ec3a6f9096d211a4aff4277793ba969a62c73 upstream.
Servers were emitting failed handoff messages but were not
waiting the full 1 second as designated in section 4.22.1 of
the eXtensible Host Controller Interface specifications. The
handshake was using wrong units so calls were made with milliseconds
not microseconds. Comments referenced 5 seconds not 1 second as
in specs.
The wrong units were also corrected in a second handshake call.
Signed-off-by: Jim Dickerson <jim.dickerson@hpe.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/host/pci-quirks.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/usb/host/pci-quirks.c
+++ b/drivers/usb/host/pci-quirks.c
@@ -1024,7 +1024,7 @@ EXPORT_SYMBOL_GPL(usb_disable_xhci_ports
*
* Takes care of the handoff between the Pre-OS (i.e. BIOS) and the OS.
* It signals to the BIOS that the OS wants control of the host controller,
- * and then waits 5 seconds for the BIOS to hand over control.
+ * and then waits 1 second for the BIOS to hand over control.
* If we timeout, assume the BIOS is broken and take control anyway.
*/
static void quirk_usb_handoff_xhci(struct pci_dev *pdev)
@@ -1070,9 +1070,9 @@ static void quirk_usb_handoff_xhci(struc
if (val & XHCI_HC_BIOS_OWNED) {
writel(val | XHCI_HC_OS_OWNED, base + ext_cap_offset);
- /* Wait for 5 seconds with 10 microsecond polling interval */
+ /* Wait for 1 second with 10 microsecond polling interval */
timeout = handshake(base + ext_cap_offset, XHCI_HC_BIOS_OWNED,
- 0, 5000, 10);
+ 0, 1000000, 10);
/* Assume a buggy BIOS and take HC ownership anyway */
if (timeout) {
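Review bot: handshake() takes its wait and delay in microseconds, so 1000000/10 is 1 s polled every 10 us; the old 5000 was therefore a 5 ms wait, which explains the premature "failed handoff" messages in the description. Because handshake() in this file busy-waits with udelay(), the corrected value means up to 100,000 udelay iterations during quirk probing when the BIOS does not release the controller. That is what the spec requires, but on a platform with a BIOS known not to hand off, boot now stalls a full second before the OS takes ownership anyway.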
@@ -1100,7 +1100,7 @@ hc_init:
* operational or runtime registers. Wait 5 seconds and no more.
*/
timeout = handshake(op_reg_base + XHCI_STS_OFFSET, XHCI_STS_CNR, 0,
- 5000, 10);
+ 5000000, 10);
/* Assume a buggy HC and start HC initialization anyway */
if (timeout) {
val = readl(op_reg_base + XHCI_STS_OFFSET);
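Review bot: 5000000 matches the "Wait 5 seconds and no more" comment above it, so comment and code now agree. Same busy-wait caveat as the handoff wait: a controller that never clears XHCI_STS_CNR now stalls the quirk for 5 s rather than 5 ms before initialization proceeds anyway.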
* [PATCH 3.16 151/204] l2tp: hold tunnel in pppol2tp_connect()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
commit f9e56baf03f9d36043a78f16e3e8b2cfd211e09e upstream.
Use l2tp_tunnel_get() in pppol2tp_connect() to ensure the tunnel isn't
going to disappear while processing the rest of the function.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_ppp.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -603,6 +603,7 @@ static int pppol2tp_connect(struct socke
u32 tunnel_id, peer_tunnel_id;
u32 session_id, peer_session_id;
bool drop_refcnt = false;
+ bool drop_tunnel = false;
int ver = 2;
int fd;
@@ -671,7 +672,9 @@ static int pppol2tp_connect(struct socke
if (tunnel_id == 0)
goto end;
- tunnel = l2tp_tunnel_find(sock_net(sk), tunnel_id);
+ tunnel = l2tp_tunnel_get(sock_net(sk), tunnel_id);
+ if (tunnel)
+ drop_tunnel = true;
/* Special case: create tunnel context if session_id and
* peer_session_id is 0. Otherwise look up tunnel using supplied
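Review bot: after switching from l2tp_tunnel_find() to l2tp_tunnel_get(), every exit from this point on must reach the `end:` label so the tunnel reference is dropped; any bare `return` left between here and `end:` in the 3.16 version of pppol2tp_connect() would now leak the tunnel. The hunk shows only `goto end` paths, so verify none remain. The `if (tunnel) drop_tunnel = true;` could be `drop_tunnel = !!tunnel;`, but that is style only.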
@@ -800,6 +803,8 @@ out_no_ppp:
end:
if (drop_refcnt)
l2tp_session_dec_refcount(session);
+ if (drop_tunnel)
+ l2tp_tunnel_dec_refcount(tunnel);
release_sock(sk);
return error;
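Review bot: the cleanup ordering is right: the session reference is dropped before the tunnel reference, the reverse of acquisition order, and release_sock(sk) follows both. Nothing further.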
* [PATCH 3.16 101/204] USB: dummy-hcd: Fix deadlock caused by disconnect detection
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alan Stern, Felipe Balbi, David Tulloh
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit ab219221a5064abfff9f78c323c4a257b16cdb81 upstream.
The dummy-hcd driver calls the gadget driver's disconnect callback
under the wrong conditions. It should invoke the callback when Vbus
power is turned off, but instead it does so when the D+ pullup is
turned off.
This can cause a deadlock in the composite core when a gadget driver
is unregistered:
[ 88.361471] ============================================
[ 88.362014] WARNING: possible recursive locking detected
[ 88.362580] 4.14.0-rc2+ #9 Not tainted
[ 88.363010] --------------------------------------------
[ 88.363561] v4l_id/526 is trying to acquire lock:
[ 88.364062] (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547e03>] composite_disconnect+0x43/0x100 [libcomposite]
[ 88.365051]
[ 88.365051] but task is already holding lock:
[ 88.365826] (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
[ 88.366858]
[ 88.366858] other info that might help us debug this:
[ 88.368301] Possible unsafe locking scenario:
[ 88.368301]
[ 88.369304] CPU0
[ 88.369701] ----
[ 88.370101] lock(&(&cdev->lock)->rlock);
[ 88.370623] lock(&(&cdev->lock)->rlock);
[ 88.371145]
[ 88.371145] *** DEADLOCK ***
[ 88.371145]
[ 88.372211] May be due to missing lock nesting notation
[ 88.372211]
[ 88.373191] 2 locks held by v4l_id/526:
[ 88.373715] #0: (&(&cdev->lock)->rlock){....}, at: [<ffffffffa0547b09>] usb_function_deactivate+0x29/0x80 [libcomposite]
[ 88.374814] #1: (&(&dum_hcd->dum->lock)->rlock){....}, at: [<ffffffffa05bd48d>] dummy_pullup+0x7d/0xf0 [dummy_hcd]
[ 88.376289]
[ 88.376289] stack backtrace:
[ 88.377726] CPU: 0 PID: 526 Comm: v4l_id Not tainted 4.14.0-rc2+ #9
[ 88.378557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 88.379504] Call Trace:
[ 88.380019] dump_stack+0x86/0xc7
[ 88.380605] __lock_acquire+0x841/0x1120
[ 88.381252] lock_acquire+0xd5/0x1c0
[ 88.381865] ? composite_disconnect+0x43/0x100 [libcomposite]
[ 88.382668] _raw_spin_lock_irqsave+0x40/0x54
[ 88.383357] ? composite_disconnect+0x43/0x100 [libcomposite]
[ 88.384290] composite_disconnect+0x43/0x100 [libcomposite]
[ 88.385490] set_link_state+0x2d4/0x3c0 [dummy_hcd]
[ 88.386436] dummy_pullup+0xa7/0xf0 [dummy_hcd]
[ 88.387195] usb_gadget_disconnect+0xd8/0x160 [udc_core]
[ 88.387990] usb_gadget_deactivate+0xd3/0x160 [udc_core]
[ 88.388793] usb_function_deactivate+0x64/0x80 [libcomposite]
[ 88.389628] uvc_function_disconnect+0x1e/0x40 [usb_f_uvc]
This patch changes the code to test the port-power status bit rather
than the port-connect status bit when deciding whether to issue the
callback.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: David Tulloh <david@tulloh.id.au>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -355,6 +355,7 @@ static void set_link_state_by_speed(stru
static void set_link_state(struct dummy_hcd *dum_hcd)
{
struct dummy *dum = dum_hcd->dum;
+ unsigned int power_bit;
dum_hcd->active = 0;
if (dum->pullup)
@@ -365,19 +366,21 @@ static void set_link_state(struct dummy_
return;
set_link_state_by_speed(dum_hcd);
+ power_bit = (dummy_hcd_to_hcd(dum_hcd)->speed == HCD_USB3 ?
+ USB_SS_PORT_STAT_POWER : USB_PORT_STAT_POWER);
if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) == 0 ||
dum_hcd->active)
dum_hcd->resuming = 0;
/* if !connected or reset */
- if ((dum_hcd->port_status & USB_PORT_STAT_CONNECTION) == 0 ||
+ if ((dum_hcd->port_status & power_bit) == 0 ||
(dum_hcd->port_status & USB_PORT_STAT_RESET) != 0) {
/*
* We're connected and not reset (reset occurred now),
* and driver attached - disconnect!
*/
- if ((dum_hcd->old_status & USB_PORT_STAT_CONNECTION) != 0 &&
+ if ((dum_hcd->old_status & power_bit) != 0 &&
(dum_hcd->old_status & USB_PORT_STAT_RESET) == 0 &&
dum->ints_enabled) {
stop_activity(dum);
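Review bot: the two comments inside the changed condition are now stale: `/* if !connected or reset */` and `We're connected and not reset` still describe the USB_PORT_STAT_CONNECTION test this hunk replaces with the port-power bit. Update them to say "powered" so the comment matches the fix the description explains. Separately, power_bit is chosen with `speed == HCD_USB3`; dummy_hcd only registers USB2 and USB3 HCDs, so this is correct here, but it is the same pattern the xhci hcd_index() patch in this series had to change to `>=` for USB 3.1, so anyone adding a higher speed to dummy_hcd later should revisit it.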
* [PATCH 3.16 113/204] iommu/amd: Finish TLB flush in amd_iommu_unmap()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Joerg Roedel
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Joerg Roedel <jroedel@suse.de>
commit ce76353f169a6471542d999baf3d29b121dce9c0 upstream.
The function only sends the flush command to the IOMMU(s),
but does not wait for its completion when it returns. Fix
that.
Fixes: 601367d76bd1 ('x86/amd-iommu: Remove iommu_flush_domain function')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iommu/amd_iommu.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -3440,6 +3440,7 @@ static size_t amd_iommu_unmap(struct iom
mutex_unlock(&domain->api_lock);
domain_flush_tlb_pde(domain);
+ domain_flush_complete(domain);
return unmap_size;
}
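Review bot: the completion wait is added outside domain->api_lock, directly after the TLB flush that was already issued there; that ordering is correct, since the wait only needs the command already queued. The security-relevant consequence is that amd_iommu_unmap() no longer returns while stale IOTLB entries may still translate the unmapped range, so a caller that frees or reuses the backing pages right after unmap is no longer racing the device's view of them.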
* [PATCH 3.16 148/204] sctp: fix a type cast warnings that causes a_rwnd gets the wrong value
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Xin Long, Eric Dumazet
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit f6fc6bc0b8e0bb13a210bd7386ffdcb1a5f30ef1 upstream.
These warnings were found by running 'make C=2 M=net/sctp/'.
Commit d4d6fb5787a6 ("sctp: Try not to change a_rwnd when faking a
SACK from SHUTDOWN.") expected to use the peers old rwnd and add
our flight size to the a_rwnd. But with the wrong Endian, it may
not work as well as expected.
So fix it by converting to the right value.
Fixes: d4d6fb5787a6 ("sctp: Try not to change a_rwnd when faking a SACK from SHUTDOWN.")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/sctp/sm_sideeffect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -1627,8 +1627,8 @@ static int sctp_cmd_interpreter(sctp_eve
case SCTP_CMD_PROCESS_CTSN:
/* Dummy up a SACK for processing. */
sackh.cum_tsn_ack = cmd->obj.be32;
- sackh.a_rwnd = asoc->peer.rwnd +
- asoc->outqueue.outstanding_bytes;
+ sackh.a_rwnd = htonl(asoc->peer.rwnd +
+ asoc->outqueue.outstanding_bytes);
sackh.num_gap_ack_blocks = 0;
sackh.num_dup_tsns = 0;
chunk->subh.sack_hdr = &sackh;
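Review bot: sackh.a_rwnd is now built with htonl(), matching the on-the-wire __be32 type the SACK processing path reads it with, and consistent with cum_tsn_ack being assigned a be32 on the line above. Since htonl() is the identity on big-endian hosts, the old code was only wrong on little-endian machines, which is why sparse rather than runtime failures surfaced it. Fine.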
* [PATCH 3.16 152/204] ALSA: timer: Add missing mutex lock for compat ioctls
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, syzbot, Takashi Iwai
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 79fb0518fec8c8b4ea7f1729f54f293724b3dbb0 upstream.
The races among ioctl and other operations were protected by the
commit af368027a49a ("ALSA: timer: Fix race among timer ioctls") and
later fixes, but one code path was forgotten in the scenario: the
32bit compat ioctl. As syzkaller recently spotted, a very similar
use-after-free may happen with the combination of compat ioctls.
The fix is simply to apply the same ioctl_lock to the compat_ioctl
callback, too.
Fixes: af368027a49a ("ALSA: timer: Fix race among timer ioctls")
Reference: http://lkml.kernel.org/r/089e082686ac9b482e055c832617@google.com
Reported-by: syzbot <bot+e5f3c9783e7048a74233054febbe9f1bdf54b6da@syzkaller.appspotmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/timer_compat.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/sound/core/timer_compat.c
+++ b/sound/core/timer_compat.c
@@ -106,7 +106,8 @@ enum {
#endif /* CONFIG_X86_X32 */
};
-static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd, unsigned long arg)
+static long __snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd,
+ unsigned long arg)
{
void __user *argp = compat_ptr(arg);
@@ -127,7 +128,7 @@ static long snd_timer_user_ioctl_compat(
case SNDRV_TIMER_IOCTL_PAUSE:
case SNDRV_TIMER_IOCTL_PAUSE_OLD:
case SNDRV_TIMER_IOCTL_NEXT_DEVICE:
- return snd_timer_user_ioctl(file, cmd, (unsigned long)argp);
+ return __snd_timer_user_ioctl(file, cmd, (unsigned long)argp);
case SNDRV_TIMER_IOCTL_INFO32:
return snd_timer_user_info_compat(file, argp);
case SNDRV_TIMER_IOCTL_STATUS32:
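Review bot: switching the delegated cases to __snd_timer_user_ioctl() rather than snd_timer_user_ioctl() is what keeps the new locked wrapper from taking tu->ioctl_lock twice, so this hunk and the wrapper below must land together; a leftover call to the locked snd_timer_user_ioctl() from inside this function would deadlock instead of race. This relies on __snd_timer_user_ioctl() being visible in this translation unit (timer_compat.c is included from timer.c rather than compiled on its own), which is worth spelling out in the backport note.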
@@ -139,3 +140,15 @@ static long snd_timer_user_ioctl_compat(
}
return -ENOIOCTLCMD;
}
+
+static long snd_timer_user_ioctl_compat(struct file *file, unsigned int cmd,
+ unsigned long arg)
+{
+ struct snd_timer_user *tu = file->private_data;
+ long ret;
+
+ mutex_lock(&tu->ioctl_lock);
+ ret = __snd_timer_user_ioctl_compat(file, cmd, arg);
+ mutex_unlock(&tu->ioctl_lock);
+ return ret;
+}
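Review bot: the wrapper holds tu->ioctl_lock across every compat command, including the *32 handlers that were previously unlocked, which is what closes the use-after-free the message describes. The unlocked inner function keeps the -ENOIOCTLCMD fall-through, so unknown commands still release the lock before returning to the VFS, and file->private_data is valid here because the compat_ioctl callback is only reachable on an already-open timer file.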
* [PATCH 3.16 110/204] FS-Cache: fix dereference of NULL user_key_payload
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, David Howells, James Morris, Eric Biggers
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit d124b2c53c7bee6569d2a2d0b18b4a1afde00134 upstream.
When the file /proc/fs/fscache/objects (available with
CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with
description "fscache:objlist", then access its payload. However, a
revoked key has a NULL payload, and we failed to check for this.
request_key() *does* skip revoked keys, but there is still a window
where the key can be revoked before we access its payload.
Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.
Fixes: 4fbf4291aa15 ("FS-Cache: Allow the current state of all objects to be dumped")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/fscache/object-list.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/fscache/object-list.c
+++ b/fs/fscache/object-list.c
@@ -330,6 +330,13 @@ static void fscache_objlist_config(struc
rcu_read_lock();
confkey = key->payload.data;
+ if (!confkey) {
+ /* key was revoked */
+ rcu_read_unlock();
+ key_put(key);
+ goto no_config;
+ }
+
buf = confkey->data;
for (len = confkey->datalen - 1; len >= 0; len--) {
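Review bot: the NULL check sits inside the rcu_read_lock() section, which is what makes it meaningful: a key revoked between request_key() and this point has its payload cleared, and the RCU read side keeps a non-NULL confkey from being freed while the loop below reads confkey->data. The cleanup order (rcu_read_unlock(), key_put(), goto no_config) should match what the existing no_config path expects. The plain load of key->payload.data without rcu_dereference() is pre-existing, but since this fix now depends on the RCU protection, annotating that read would document the dependency.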
* [PATCH 3.16 018/204] USB: serial: cp210x: add support for ELV TFD500
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Andreas Engel
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Engel <anen-nospam@gmx.net>
commit c496ad835c31ad639b6865714270b3003df031f6 upstream.
Add the USB device id for the ELV TFD500 data logger.
Signed-off-by: Andreas Engel <anen-nospam@gmx.net>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -170,6 +170,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
{ USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
{ USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
+ { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
{ USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
* [PATCH 3.16 100/204] more bio_map_user_iov() leak fixes
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 upstream.
We need to take care of failure exit as well - pages already
in bio should be dropped by analogue of bio_unmap_pages(),
since their refcounts had been bumped only once per reference
in bio.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
block/bio.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/block/bio.c
+++ b/block/bio.c
@@ -1286,6 +1286,7 @@ static struct bio *__bio_map_user_iov(st
struct bio *bio;
int cur_page = 0;
int ret, offset;
+ struct bio_vec *bvec;
for (i = 0; i < iov_count; i++) {
unsigned long uaddr = (unsigned long)iov[i].iov_base;
@@ -1329,7 +1330,12 @@ static struct bio *__bio_map_user_iov(st
ret = get_user_pages_fast(uaddr, local_nr_pages,
write_to_vm, &pages[cur_page]);
- if (ret < local_nr_pages) {
+ if (unlikely(ret < local_nr_pages)) {
+ for (j = cur_page; j < page_limit; j++) {
+ if (!pages[j])
+ break;
+ put_page(pages[j]);
+ }
ret = -EFAULT;
goto out_unmap;
}
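Review bot: the cleanup loop releases the pages fetched by this get_user_pages_fast() call (cur_page up to page_limit) before jumping to out_unmap and stops at the first NULL slot; that is only correct if pages[] is zero-filled at allocation so that a short or negative ret leaves the unfilled slots NULL, which is worth confirming at the allocation site not shown here. The loop also reuses j, which the visible context does not declare, so it must already be declared alongside i in the function prologue.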
@@ -1384,10 +1390,8 @@ static struct bio *__bio_map_user_iov(st
return bio;
out_unmap:
- for (i = 0; i < nr_pages; i++) {
- if(!pages[i])
- break;
- page_cache_release(pages[i]);
+ bio_for_each_segment_all(bvec, bio, j) {
+ put_page(bvec->bv_page);
}
out:
kfree(pages);
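Review bot: out_unmap now drops exactly one reference per bio segment, which is the refcount model the commit message describes and, together with the earlier hunk, avoids the double put the old pages[] loop would have done on the partially fetched batch. Any path that reaches out_unmap with pages fetched but not yet attached to the bio (for example if bio_add_pc_page() accepts fewer bytes than requested) would now leak them, so every goto out_unmap after the get_user_pages_fast() call deserves a check that no such pages are outstanding. page_cache_release() is an alias for put_page() in this tree, so that substitution is behaviour-neutral.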
* [PATCH 3.16 153/204] ALSA: seq: Fix nested rwsem annotation for lockdep splat
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, syzbot, Dmitry Vyukov, Takashi Iwai
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 1f20f9ff57ca23b9f5502fca85ce3977e8496cb1 upstream.
syzkaller reported the lockdep splat due to the possible deadlock of
grp->list_mutex of each sequencer client object. Actually this is
rather a false-positive report due to the missing nested lock
annotations. The sequencer client may deliver the event directly to
another client which takes another own lock.
For addressing this issue, this patch replaces the simple down_read()
with down_read_nested(). As a lock subclass, the already existing
"hop" can be re-used, which indicates the depth of the call.
Reference: http://lkml.kernel.org/r/089e082686ac9b482e055c832617@google.com
Reported-by: syzbot <bot+7feb8de6b4d6bf810cf098bef942cc387e79d0ad@syzkaller.appspotmail.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/seq/seq_clientmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -676,7 +676,7 @@ static int deliver_to_subscribers(struct
if (atomic)
read_lock(&grp->list_lock);
else
- down_read(&grp->list_mutex);
+ down_read_nested(&grp->list_mutex, hop);
list_for_each_entry(subs, &grp->list_head, src_list) {
/* both ports ready? */
if (atomic_read(&subs->ref_count) != 2)
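Review bot: hop is passed straight to down_read_nested() as the lockdep subclass, but lockdep only supports MAX_LOCKDEP_SUBCLASSES (8) subclasses while this tree allows SNDRV_SEQ_MAX_HOPS of 10, so a delivery chain deeper than 7 hops trips a "looking up invalid subclass" warning instead of the false-positive splat; either clamp the subclass here or lower SNDRV_SEQ_MAX_HOPS (patch 173/204 in this series takes the latter route). The atomic path's read_lock() is left without a nesting annotation, which is acceptable only because lockdep treats rwlock read sides as recursive.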
* [PATCH 3.16 201/204] KVM: Fix stack-out-of-bounds read in write_mmio
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, Marc Zyngier, Christoffer Dall, Paolo Bonzini, Darren Kenny,
Wanpeng Li, Radim Krčmář, Dmitry Vyukov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wanpeng Li <wanpeng.li@hotmail.com>
commit e39d200fa5bf5b94a0948db0dae44c1b73b84a56 upstream.
Reported by syzkaller:
BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
Call Trace:
dump_stack+0xab/0xe1
print_address_description+0x6b/0x290
kasan_report+0x28a/0x370
write_mmio+0x11e/0x270 [kvm]
emulator_read_write_onepage+0x311/0x600 [kvm]
emulator_read_write+0xef/0x240 [kvm]
emulator_fix_hypercall+0x105/0x150 [kvm]
em_hypercall+0x2b/0x80 [kvm]
x86_emulate_insn+0x2b1/0x1640 [kvm]
x86_emulate_instruction+0x39a/0xb90 [kvm]
handle_exception+0x1b4/0x4d0 [kvm_intel]
vcpu_enter_guest+0x15a0/0x2640 [kvm]
kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
kvm_vcpu_ioctl+0x479/0x880 [kvm]
do_vfs_ioctl+0x142/0x9a0
SyS_ioctl+0x74/0x80
entry_SYSCALL_64_fastpath+0x23/0x9a
The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
to the guest memory, however, write_mmio tracepoint always prints 8 bytes
through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
it by just accessing the bytes which we operate on.
Before patch:
syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
After patch:
syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Tested-by: Marc Zyngier <marc.zyngier@arm.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16:
- ARM implementation combines the KVM_TRACE_MMIO_WRITE and
KVM_TRACE_MMIO_READ_UNSATISFIED cases
- Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/arm/kvm/mmio.c
+++ b/arch/arm/kvm/mmio.c
@@ -113,7 +113,7 @@ int kvm_handle_mmio_return(struct kvm_vc
}
trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
- data);
+ &data);
data = vcpu_data_host_to_guest(vcpu, data, len);
*vcpu_reg(vcpu, vcpu->arch.mmio_decode.rt) = data;
}
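Review bot: &data hands the tracepoint a pointer to a local unsigned long, from which the trace hook copies min(sizeof(u64), len) bytes; on 32-bit ARM that local is only 4 bytes wide, so this is safe only while the MMIO decoder bounds len to the register width (at most 4 there, 8 on arm64). A short comment would help, since the trace side cannot see the size of the object behind val.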
@@ -192,7 +192,7 @@ int io_mem_abort(struct kvm_vcpu *vcpu,
trace_kvm_mmio((mmio.is_write) ? KVM_TRACE_MMIO_WRITE :
KVM_TRACE_MMIO_READ_UNSATISFIED,
mmio.len, fault_ipa,
- (mmio.is_write) ? data : 0);
+ (mmio.is_write) ? &data : NULL);
if (mmio.is_write)
mmio_write_buf(mmio.data, mmio.len, data);
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4052,7 +4052,7 @@ static int vcpu_mmio_read(struct kvm_vcp
!kvm_iodevice_read(&vcpu->arch.apic->dev, addr, n, v))
&& kvm_io_bus_read(vcpu->kvm, KVM_MMIO_BUS, addr, n, v))
break;
- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
handled += n;
addr += n;
len -= n;
@@ -4276,7 +4276,7 @@ static int read_prepare(struct kvm_vcpu
{
if (vcpu->mmio_read_completed) {
trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
+ vcpu->mmio_fragments[0].gpa, val);
vcpu->mmio_read_completed = 0;
return 1;
}
@@ -4298,14 +4298,14 @@ static int write_emulate(struct kvm_vcpu
static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
{
- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
+ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
return vcpu_mmio_write(vcpu, gpa, bytes, val);
}
static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
void *val, int bytes)
{
- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
return X86EMUL_IO_NEEDED;
}
--- a/include/trace/events/kvm.h
+++ b/include/trace/events/kvm.h
@@ -163,7 +163,7 @@ TRACE_EVENT(kvm_ack_irq,
{ KVM_TRACE_MMIO_WRITE, "write" }
TRACE_EVENT(kvm_mmio,
- TP_PROTO(int type, int len, u64 gpa, u64 val),
+ TP_PROTO(int type, int len, u64 gpa, void *val),
TP_ARGS(type, len, gpa, val),
TP_STRUCT__entry(
@@ -177,7 +177,10 @@ TRACE_EVENT(kvm_mmio,
__entry->type = type;
__entry->len = len;
__entry->gpa = gpa;
- __entry->val = val;
+ __entry->val = 0;
+ if (val)
+ memcpy(&__entry->val, val,
+ min_t(u32, sizeof(__entry->val), len));
),
TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
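Review bot: zeroing __entry->val and then copying only min_t(u32, sizeof(__entry->val), len) bytes is the actual fix for the 5-byte stack leak in the message: the old *(u64 *)val read 8 bytes from a caller buffer that might hold only 3. The `if (val)` guard is required because the READ_UNSATISFIED callers now pass NULL. Note that the min_t(u32, ...) cast would clamp a negative len to 8 rather than 0; callers only pass MMIO sizes so that is not reachable, but the cast deserves a comment.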
* [PATCH 3.16 105/204] scsi: libiscsi: fix shifting of DID_REQUEUE host byte
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, Chris Leech, Lee Duncan, Johannes Thumshirn,
Martin K. Petersen, Hannes Reinecke, Bart Van Assche
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <jthumshirn@suse.de>
commit eef9ffdf9cd39b2986367bc8395e2772bc1284ba upstream.
The SCSI host byte should be shifted left by 16 in order to have
scsi_decide_disposition() do the right thing (i.e. requeue the
command).
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Fixes: 661134ad3765 ("[SCSI] libiscsi, bnx2i: make bound ep check common")
Cc: Lee Duncan <lduncan@suse.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Bart Van Assche <Bart.VanAssche@sandisk.com>
Cc: Chris Leech <cleech@redhat.com>
Acked-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/libiscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -1727,7 +1727,7 @@ int iscsi_queuecommand(struct Scsi_Host
if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) {
reason = FAILURE_SESSION_IN_RECOVERY;
- sc->result = DID_REQUEUE;
+ sc->result = DID_REQUEUE << 16;
goto fault;
}
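Review bot: with the shift, DID_REQUEUE lands in the host byte of sc->result, where scsi_decide_disposition() looks for it; without it the value sat in the status byte and was read as a SCSI status code, so the command was never requeued. If this tree has set_host_byte(), using it here would make the encoding explicit and match how other host-byte assignments in the SCSI layer are written.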
* [PATCH 3.16 137/204] ipsec: Fix aborted xfrm policy dump crash
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream.
This is a fix for CVE-2017-16939 suitable for older stable branches.
The upstream fix is commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2,
from which the following explanation is taken:
An independent security researcher, Mohamed Ghannam, has reported
this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program.
The xfrm_dump_policy_done function expects xfrm_dump_policy to
have been called at least once or it will crash. This can be
triggered if a dump fails because the target socket's receive
buffer is full.
It was not possible to define a 'start' callback for netlink dumps
until Linux 4.5, so instead add a check for the initialisation flag in
the 'done' callback.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1570,7 +1570,8 @@ static int xfrm_dump_policy_done(struct
struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
struct net *net = sock_net(cb->skb->sk);
- xfrm_policy_walk_done(walk, net);
+ if (cb->args[0])
+ xfrm_policy_walk_done(walk, net);
return 0;
}
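Review bot: gating xfrm_policy_walk_done() on cb->args[0] works only if xfrm_dump_policy() sets args[0] non-zero when it initialises the walk and the netlink core hands the done callback a zeroed cb when the dump never ran; both hold in this tree as the message describes, but a short comment at the args[0] assignment in xfrm_dump_policy() would make the pairing obvious to the next reader. Since this is the 3.16 stand-in for the upstream 'start' callback, the backport note should say so explicitly.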
* [PATCH 3.16 169/204] l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
commit 8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09 upstream.
Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:
* It doesn't take a reference on the returned tunnel, which makes the
call racy wrt. concurrent tunnel deletion.
* The lookup is only based on the tunnel identifier, so it can return
a tunnel that doesn't match the packet's addresses or protocol.
For example, a packet sent to an L2TPv3 over IPv6 tunnel can be
delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple
cross-talk: when delivering the packet to an L2TP over UDP tunnel, the
corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling
sk_receive_skb() will then crash the kernel by trying to execute this
callback.
And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup()
properly checks the socket binding and connection settings. It was used
as a fallback mechanism for finding tunnels that didn't have their data
path registered yet. But it's not limited to this case and can be used
to replace l2tp_tunnel_find() in the general case.
Fix l2tp_ip6 in the same way.
Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- In l2tp_ip6.c, always look up in init_net
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -122,6 +122,7 @@ static int l2tp_ip_recv(struct sk_buff *
unsigned char *ptr, *optr;
struct l2tp_session *session;
struct l2tp_tunnel *tunnel = NULL;
+ struct iphdr *iph;
int length;
if (!pskb_may_pull(skb, 4))
@@ -177,23 +178,16 @@ pass_up:
goto discard;
tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
- tunnel = l2tp_tunnel_find(net, tunnel_id);
- if (tunnel) {
- sk = tunnel->sock;
- sock_hold(sk);
- } else {
- struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
-
- read_lock_bh(&l2tp_ip_lock);
- sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
- if (!sk) {
- read_unlock_bh(&l2tp_ip_lock);
- goto discard;
- }
+ iph = (struct iphdr *)skb_network_header(skb);
- sock_hold(sk);
+ read_lock_bh(&l2tp_ip_lock);
+ sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
+ if (!sk) {
read_unlock_bh(&l2tp_ip_lock);
+ goto discard;
}
+ sock_hold(sk);
+ read_unlock_bh(&l2tp_ip_lock);
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_put;
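Review bot: the reordered lookup takes sock_hold() while still under read_lock_bh(&l2tp_ip_lock), so the socket cannot be freed between __l2tp_ip_bind_lookup() and the hold; that ordering is the important part and must not be "simplified" later by unlocking first. With the tunnel-id-only path gone, the binding lookup now also matches on iph->daddr, which is what stops a packet for one transport being delivered to a socket of another (the NULL ->sk_backlog_rcv crash from the message).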
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -133,6 +133,7 @@ static int l2tp_ip6_recv(struct sk_buff
unsigned char *ptr, *optr;
struct l2tp_session *session;
struct l2tp_tunnel *tunnel = NULL;
+ struct ipv6hdr *iph;
int length;
if (!pskb_may_pull(skb, 4))
@@ -189,24 +190,16 @@ pass_up:
goto discard;
tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
- tunnel = l2tp_tunnel_find(&init_net, tunnel_id);
- if (tunnel) {
- sk = tunnel->sock;
- sock_hold(sk);
- } else {
- struct ipv6hdr *iph = ipv6_hdr(skb);
-
- read_lock_bh(&l2tp_ip6_lock);
- sk = __l2tp_ip6_bind_lookup(&init_net, &iph->daddr,
- 0, tunnel_id);
- if (!sk) {
- read_unlock_bh(&l2tp_ip6_lock);
- goto discard;
- }
+ iph = ipv6_hdr(skb);
- sock_hold(sk);
+ read_lock_bh(&l2tp_ip6_lock);
+ sk = __l2tp_ip6_bind_lookup(&init_net, &iph->daddr, 0, tunnel_id);
+ if (!sk) {
read_unlock_bh(&l2tp_ip6_lock);
+ goto discard;
}
+ sock_hold(sk);
+ read_unlock_bh(&l2tp_ip6_lock);
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_put;
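Review bot: same structure as the IPv4 hunk, with sock_hold() taken under l2tp_ip6_lock before unlocking. The backport keeps &init_net for the lookup (as the bwh tag notes), so sockets bound in other network namespaces are not candidates here; that is pre-existing behaviour in this tree rather than a regression, but worth remembering if a namespace-aware fix is backported later.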
* [PATCH 3.16 098/204] crypto: shash - Fix zero-length shash ahash digest crash
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Stephan Müller, Herbert Xu
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit b61907bb42409adf9b3120f741af7c57dd7e3db2 upstream.
The shash ahash digest adaptor function may crash if given a
zero-length input together with a null SG list. This is because
it tries to read the SG list before looking at the length.
This patch fixes it by checking the length first.
Reported-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
crypto/shash.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -274,12 +274,14 @@ static int shash_async_finup(struct ahas
int shash_ahash_digest(struct ahash_request *req, struct shash_desc *desc)
{
- struct scatterlist *sg = req->src;
- unsigned int offset = sg->offset;
unsigned int nbytes = req->nbytes;
+ struct scatterlist *sg;
+ unsigned int offset;
int err;
- if (nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset)) {
+ if (nbytes &&
+ (sg = req->src, offset = sg->offset,
+ nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset))) {
void *data;
data = kmap_atomic(sg_page(sg));
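Review bot: the comma expression inside the if condition (`sg = req->src, offset = sg->offset, nbytes < ...`) is hard to read and easy to break on the next edit; the same guard reads more plainly as an outer `if (nbytes)` with the two assignments and the length check nested inside it. The fix itself is sound: with nbytes == 0 the SG list is never dereferenced and control falls through to the general path below, which must then cope with a NULL req->src, so a zero-length, NULL-src request is worth adding to the test vectors.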
* [PATCH 3.16 123/204] usb: quirks: add quirk for WORLDE MINI MIDI keyboard
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, Alan Stern, Felipe Balbi,
Владимир Мартьянов,
Greg Kroah-Hartman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Felipe Balbi <felipe.balbi@linux.intel.com>
commit 2811501e6d8f5747d08f8e25b9ecf472d0dc4c7d upstream.
This keyboard doesn't implement Get String descriptors properly even
though string indexes are valid. What happens is that when requesting
for the String descriptor, the device disconnects and
reconnects. Without this quirk, this loop will continue forever.
Cc: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Владимир Мартьянов <vilgeforce@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -218,6 +218,10 @@ static const struct usb_device_id usb_qu
/* Corsair Strafe RGB */
{ USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* MIDI keyboard WORLDE MINI */
+ { USB_DEVICE(0x1c75, 0x0204), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
/* Acer C120 LED Projector */
{ USB_DEVICE(0x1de1, 0xc102), .driver_info = USB_QUIRK_NO_LPM },
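Review bot: the commit message says the device disconnects on any Get String request, but USB_QUIRK_CONFIG_INTF_STRINGS only suppresses the configuration and interface string reads; worth confirming that the manufacturer, product and serial strings are fetched without triggering the reconnect loop, otherwise a broader quirk is needed. Minor style: the entry wraps .driver_info onto a second line while the neighbouring entries keep it on one.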
* [PATCH 3.16 173/204] ALSA: seq: Avoid invalid lockdep class warning
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, syzbot
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 3510c7aa069aa83a2de6dab2b41401a198317bdc upstream.
The recent fix for adding rwsem nesting annotation was using the given
"hop" argument as the lock subclass key. Although the idea itself
works, it may trigger a kernel warning like:
BUG: looking up invalid subclass: 8
....
since the lockdep has a smaller number of subclasses (8) than we
currently allow for the hops there (10).
The current definition is merely a sanity check for avoiding the too
deep delivery paths, and the 8 hops are already enough. So, as a
quick fix, just follow the max hops as same as the max lockdep
subclasses.
Fixes: 1f20f9ff57ca ("ALSA: seq: Fix nested rwsem annotation for lockdep splat")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/sound/seq_kernel.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/include/sound/seq_kernel.h
+++ b/include/sound/seq_kernel.h
@@ -55,7 +55,8 @@ typedef union snd_seq_timestamp snd_seq_
#define SNDRV_SEQ_DEFAULT_CLIENT_EVENTS 200
/* max delivery path length */
-#define SNDRV_SEQ_MAX_HOPS 10
+/* NOTE: this shouldn't be greater than MAX_LOCKDEP_SUBCLASSES */
+#define SNDRV_SEQ_MAX_HOPS 8
/* max size of event size */
#define SNDRV_SEQ_MAX_EVENT_LEN 0x3fffffff
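Review bot: lockdep subclasses are numbered 0 to MAX_LOCKDEP_SUBCLASSES-1, so a hop value equal to SNDRV_SEQ_MAX_HOPS would still be an invalid subclass; the new value is safe only as long as the delivery code rejects hop >= SNDRV_SEQ_MAX_HOPS before down_read_nested() is reached. A BUILD_BUG_ON(SNDRV_SEQ_MAX_HOPS > MAX_LOCKDEP_SUBCLASSES) at the use site would turn the new comment into a compile-time check.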
* [PATCH 3.16 193/204] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, Radim Krčmář, Jim Mattson, Andrew Honig
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Honig <ahonig@google.com>
commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream.
This fixes CVE-2017-1000407.
KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
the guest floods this port with writes it generates exceptions and
instability in the host kernel, leading to a crash. With this change
guest writes to port 0x80 on Intel will behave the same as they
currently behave on AMD systems.
Prevent the flooding by removing the code that sets port 0x80 as a
passthrough port. This is essentially the same as upstream patch
99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
for AMD chipsets and this patch is for Intel.
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/vmx.c | 5 -----
1 file changed, 5 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9029,12 +9029,7 @@ static int __init vmx_init(void)
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
- /*
- * Allow direct access to the PC debug port (it is often used for I/O
- * delays, but the vmexits simply slow things down).
- */
memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
- clear_bit(0x80, vmx_io_bitmap_a);
memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
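Review bot: the explanatory comment is deleted together with the clear_bit(), leaving no trace in the code of why port 0x80 is now intercepted like every other port; add a one-line comment at the memset of vmx_io_bitmap_a stating that port 0x80 must stay in the bitmap (guest write floods destabilise the host, per the commit message) so a later performance tweak does not reintroduce the passthrough. The change itself is correct: with both bitmaps left all-ones every guest I/O port access exits, matching the AMD behaviour the message cites.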
* [PATCH 3.16 161/204] KEYS: trusted: fix writing past end of buffer in trusted_read()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Howells, Mimi Zohar, Eric Biggers, James Morris
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit a3c812f7cfd80cf51e8f5b7034f7418f6beb56c1 upstream.
When calling keyctl_read() on a key of type "trusted", if the
user-supplied buffer was too small, the kernel ignored the buffer length
and just wrote past the end of the buffer, potentially corrupting
userspace memory. Fix it by instead returning the size required, as per
the documentation for keyctl_read().
We also don't even fill the buffer at all in this case, as this is
slightly easier to implement than doing a short read, and either
behavior appears to be permitted. It also makes it match the behavior
of the "encrypted" key type.
Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/trusted.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -1061,20 +1061,21 @@ static long trusted_read(const struct ke
p = rcu_dereference_key(key);
if (!p)
return -EINVAL;
- if (!buffer || buflen <= 0)
- return 2 * p->blob_len;
- ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
- if (!ascii_buf)
- return -ENOMEM;
- bufp = ascii_buf;
- for (i = 0; i < p->blob_len; i++)
- bufp = hex_byte_pack(bufp, p->blob[i]);
- if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
+ if (buffer && buflen >= 2 * p->blob_len) {
+ ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
+ if (!ascii_buf)
+ return -ENOMEM;
+
+ bufp = ascii_buf;
+ for (i = 0; i < p->blob_len; i++)
+ bufp = hex_byte_pack(bufp, p->blob[i]);
+ if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) {
+ kzfree(ascii_buf);
+ return -EFAULT;
+ }
kzfree(ascii_buf);
- return -EFAULT;
}
- kzfree(ascii_buf);
return 2 * p->blob_len;
}
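Review bot: the new condition silently returns the required length when buffer is non-NULL but buflen is too short, without touching the buffer or returning an error; that matches the documented keyctl_read() contract, but a reader may expect a short read or -EINVAL, so a short comment above `if (buffer && buflen >= 2 * p->blob_len)` saying "too small: report the size needed, copy nothing" would help. The kzfree() on both the success and the -EFAULT path is correct and the old write-past-end on undersized buffers is gone.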
* [PATCH 3.16 005/204] HID: i2c-hid: allocate hid buffers for real worst case
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Benson Leung, Jiri Kosina, Dmitry Torokhov, Adrian Salido,
Guenter Roeck
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Salido <salidoa@google.com>
commit 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b upstream.
The buffer allocation is not currently accounting for an extra byte for
the report id. This can cause an out-of-bounds access in function
i2c_hid_set_or_send_report() with reportID > 15.
Signed-off-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/hid/i2c-hid/i2c-hid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -526,7 +526,8 @@ static int i2c_hid_alloc_buffers(struct
{
/* the worst case is computed from the set_report command with a
* reportID > 15 and the maximum report length */
- int args_len = sizeof(__u8) + /* optional ReportID byte */
+ int args_len = sizeof(__u8) + /* ReportID */
+ sizeof(__u8) + /* optional ReportID byte */
sizeof(__u16) + /* data register */
sizeof(__u16) + /* size of the report */
report_size; /* report */
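Review bot: the two added comments, `/* ReportID */` and `/* optional ReportID byte */`, don't explain why two bytes are now accounted for; the worst-case note above the declaration already says the extra byte exists only when reportID > 15, so rename the second comment to something like `/* extra ReportID byte when reportID > 15 */` so the arithmetic is self-explanatory without reading i2c_hid_set_or_send_report().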
* [PATCH 3.16 142/204] SMB: fix validate negotiate info uninitialised memory use
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Pavel Shilovsky, Steve French, David Disseldorp
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Disseldorp <ddiss@suse.de>
commit a2d9daad1d2dfbd307ab158044d1c323d7babbde upstream.
An undersize validate negotiate info server response causes the client
to use uninitialised memory for struct validate_negotiate_info_rsp
comparisons of Dialect, SecurityMode and/or Capabilities members.
Link: https://bugzilla.samba.org/show_bug.cgi?id=13092
Fixes: 7db0a6efdc3e ("SMB3: Work around mount failure when using SMB3 dialect to Macs")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -535,7 +535,8 @@ int smb3_validate_negotiate(const unsign
rsplen);
/* relax check since Mac returns max bufsize allowed on ioctl */
- if (rsplen > CIFSMaxBufSize)
+ if ((rsplen > CIFSMaxBufSize)
+ || (rsplen < sizeof(struct validate_negotiate_info_rsp)))
goto err_rsp_free;
}
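Review bot: the comment `/* relax check since Mac returns max bufsize allowed on ioctl */` now sits above a check that also enforces a minimum size; extend it to say that responses shorter than struct validate_negotiate_info_rsp are rejected so the later Dialect, SecurityMode and Capabilities reads cannot touch uninitialised memory. Style: checkpatch expects the `||` at the end of the first line rather than leading the continuation, and the extra parentheses around each comparison are unnecessary.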
* [PATCH 3.16 085/204] sh: sh7722: remove nonexistent GPIO_PTQ7 to fix pinctrl registration
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Yoshinori Sato, Magnus Damm, Yoshihiro Shimoda,
Jacopo Mondi, Linus Torvalds, Rich Felker, Laurent Pinchart,
Geert Uytterhoeven
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit b78412b8300a8453b78d2c1b0b925b66493bb011 upstream.
Patch series "sh: sh7722/sh7757i/sh7264/sh7269: Fix pinctrl registration",
v2.
Magnus Damm reported that on sh7722/Migo-R, pinctrl registration fails
with:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
pinmux_pins[] is initialized through PINMUX_GPIO(), using designated
array initializers, where the GPIO_* enums serve as indices. Apparently
GPIO_PTQ7 was defined in the enum, but never used. If enum values are
defined, but never used, pinmux_pins[] contains (zero-filled) holes.
Hence such entries are treated as pin zero, which was registered before,
and pinctrl registration fails.
I can't see how this ever worked, as at the time of commit f5e25ae52fef
("sh-pfc: Add sh7722 pinmux support"), pinmux_gpios[] in
drivers/pinctrl/sh-pfc/pfc-sh7722.c already had the hole, and
drivers/pinctrl/core.c already had the check.
Some scripting revealed a few more broken drivers:
- sh7757 has four holes, due to nonexistent GPIO_PT[JLNQ]7_RESV.
- sh7264 and sh7269 define GPIO_PH[0-7], but don't use it with
PINMUX_GPIO().
Patch 1 fixes the issue on sh7722, and was tested. Patches 3-4 should
fix the issue on the other 3 SoCs, but were untested due to lack of
hardware.
This patch (of 4):
On sh7722/Migo-R, pinctrl registration fails with:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
pinmux_pins[] is initialized through PINMUX_GPIO(), using designated array
initializers, where the GPIO_* enums serve as indices. As GPIO_PTQ7 is
defined in the enum, but never used, pinmux_pins[] contains a
(zero-filled) hole. Hence this entry is treated as pin zero, which was
registered before, and pinctrl registration fails.
According to the datasheet, port PTQ7 does not exist. Hence remove
GPIO_PTQ7 from the enum to fix this.
Link: http://lkml.kernel.org/r/1505205657-18012-2-git-send-email-geert+renesas@glider.be
Fixes: 8d7b5b0af7e070b9 ("sh: Add sh7722 pinmux code")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reported-by: Magnus Damm <magnus.damm@gmail.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
Cc: Rich Felker <dalias@libc.org>
Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/include/cpu-sh4/cpu/sh7722.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/sh/include/cpu-sh4/cpu/sh7722.h
+++ b/arch/sh/include/cpu-sh4/cpu/sh7722.h
@@ -67,7 +67,7 @@ enum {
GPIO_PTN3, GPIO_PTN2, GPIO_PTN1, GPIO_PTN0,
/* PTQ */
- GPIO_PTQ7, GPIO_PTQ6, GPIO_PTQ5, GPIO_PTQ4,
+ GPIO_PTQ6, GPIO_PTQ5, GPIO_PTQ4,
GPIO_PTQ3, GPIO_PTQ2, GPIO_PTQ1, GPIO_PTQ0,
/* PTR */
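Review bot: dropping GPIO_PTQ7 renumbers every enumerator that follows it, so anything that stored a raw GPIO_* value (a board file, a gpio number embedded in platform data) would silently shift by one; the message argues nothing can have relied on this because registration always failed, but stating explicitly that the only consumers are the designated initializers in drivers/pinctrl/sh-pfc/pfc-sh7722.c would make the commit self-justifying.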
* [PATCH 3.16 003/204] iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Luca Coelho
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Luca Coelho <luciano.coelho@intel.com>
commit 97bce57bd7f96e1218751996f549a6e61f18cc8c upstream.
The MCAST_FILTER_CMD can get quite large when we have many mcast
addresses to set (we support up to 255). So the command should be
sent as NOCOPY to prevent a warning caused by too-long commands:
WARNING: CPU: 0 PID: 9700 at /root/iwlwifi/stack-dev/drivers/net/wireless/iwlwifi/pcie/tx.c:1550 iwl_pcie_enqueue_hcmd+0x8c7/0xb40 [iwlwifi]
Command MCAST_FILTER_CMD (0x1d0) is too large (328 bytes)
This fixes: https://bugzilla.kernel.org/show_bug.cgi?id=196743
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/iwlwifi/mvm/mac80211.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
@@ -1004,6 +1004,11 @@ static void iwl_mvm_mc_iface_iterator(vo
struct iwl_mvm_mc_iter_data *data = _data;
struct iwl_mvm *mvm = data->mvm;
struct iwl_mcast_filter_cmd *cmd = mvm->mcast_filter_cmd;
+ struct iwl_host_cmd hcmd = {
+ .id = MCAST_FILTER_CMD,
+ .flags = CMD_ASYNC,
+ .dataflags[0] = IWL_HCMD_DFL_NOCOPY,
+ };
int ret, len;
/* if we don't have free ports, mcast frames will be dropped */
@@ -1018,7 +1023,10 @@ static void iwl_mvm_mc_iface_iterator(vo
memcpy(cmd->bssid, vif->bss_conf.bssid, ETH_ALEN);
len = roundup(sizeof(*cmd) + cmd->count * ETH_ALEN, 4);
- ret = iwl_mvm_send_cmd_pdu(mvm, MCAST_FILTER_CMD, CMD_ASYNC, len, cmd);
+ hcmd.len[0] = len;
+ hcmd.data[0] = cmd;
+
+ ret = iwl_mvm_send_cmd(mvm, &hcmd);
if (ret)
IWL_ERR(mvm, "mcast filter cmd error. ret=%d\n", ret);
}
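Review bot: with IWL_HCMD_DFL_NOCOPY on a CMD_ASYNC command the transport keeps a reference to mvm->mcast_filter_cmd instead of copying it, so that buffer must stay allocated and unmodified until the command has actually been sent; this iterator runs once per interface and does `memcpy(cmd->bssid, vif->bss_conf.bssid, ETH_ALEN)` into the same buffer each time, so a second interface can rewrite bssid while the first command is still queued. Confirm that the caller's locking serialises the sends, or send synchronously, and record the buffer-lifetime requirement in a comment next to the hcmd initialiser in the first hunk.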
* [PATCH 3.16 012/204] usb: Increase quirk delay for USB devices
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Fleytman, Greg Kroah-Hartman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Fleytman <dmitry@daynix.com>
commit b2a542bbb3081dbd64acc8929c140d196664c406 upstream.
Commit e0429362ab15
("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
introduced a quirk to work around an issue with some Logitech webcams.
The workaround introduces a delay for some USB operations.
According to our testing, the delay introduced by the original commit
is not long enough and in rare cases we still see the issues described
by the aforementioned commit.
This patch increases the delays introduced by the original commit.
With this patch applied we do not see those problems anymore.
Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/config.c | 2 +-
drivers/usb/core/hub.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -824,7 +824,7 @@ int usb_get_configuration(struct usb_dev
}
if (dev->quirks & USB_QUIRK_DELAY_INIT)
- msleep(100);
+ msleep(200);
result = usb_get_descriptor(dev, USB_DT_CONFIG, cfgno,
bigbuffer, length);
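Review bot: this msleep() runs before each configuration descriptor read (note the cfgno argument to usb_get_descriptor() just below it), so doubling it costs 200 ms for every configuration a quirked device exposes; a short comment recording that the value was tuned for the Logitech C920/C930e would help the next person who wants to change it.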
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4699,7 +4699,7 @@ static void hub_port_connect(struct usb_
goto loop;
if (udev->quirks & USB_QUIRK_DELAY_INIT)
- msleep(1000);
+ msleep(2000);
/* consecutive bus-powered hubs aren't reliable; they can
* violate the voltage drop budget. if the new child has
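Review bot: the 1000 to 2000 change here and the 100 to 200 change in config.c are related tuning values kept as bare magic numbers in two files; define them once (for example beside USB_QUIRK_DELAY_INIT) so the two stay in proportion, and state the actual numbers in the commit message, which currently only says "increases delays".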
* [PATCH 3.16 060/204] l2tp: fix race condition in l2tp_tunnel_delete
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Guillaume Nault, Jianlin Shi, David S. Miller,
Sabrina Dubroca
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
commit 62b982eeb4589b2e6d7c01a90590e3a4c2b2ca19 upstream.
If we try to delete the same tunnel twice, the first delete operation
does a lookup (l2tp_tunnel_get), finds the tunnel, calls
l2tp_tunnel_delete, which queues it for deletion by
l2tp_tunnel_del_work.
The second delete operation also finds the tunnel and calls
l2tp_tunnel_delete. If the workqueue has already fired and started
running l2tp_tunnel_del_work, then l2tp_tunnel_delete will queue the
same tunnel a second time, and try to free the socket again.
Add a dead flag to prevent firing the workqueue twice. Then we can
remove the check of queue_work's result that was meant to prevent that
race but doesn't.
Reproducer:
ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 local 192.168.0.2 remote 192.168.0.1 encap udp udp_sport 5000 udp_dport 6000
ip l2tp add session name l2tp1 tunnel_id 3000 session_id 1000 peer_session_id 2000
ip link set l2tp1 up
ip l2tp del tunnel tunnel_id 3000
ip l2tp del tunnel tunnel_id 3000
Fixes: f8ccac0e4493 ("l2tp: put tunnel socket release on a workqueue")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_core.c | 10 ++++------
net/l2tp/l2tp_core.h | 5 ++++-
2 files changed, 8 insertions(+), 7 deletions(-)
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1771,14 +1771,12 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
/* This function is used by the netlink TUNNEL_DELETE command.
*/
-int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
+void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
{
- l2tp_tunnel_inc_refcount(tunnel);
- if (false == queue_work(l2tp_wq, &tunnel->del_work)) {
- l2tp_tunnel_dec_refcount(tunnel);
- return 1;
+ if (!test_and_set_bit(0, &tunnel->dead)) {
+ l2tp_tunnel_inc_refcount(tunnel);
+ queue_work(l2tp_wq, &tunnel->del_work);
}
- return 0;
}
EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
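Review bot: test_and_set_bit(0, &tunnel->dead) is the right primitive for a once-only transition, but the literal bit 0 deserves a named constant, and the field must be zero when the tunnel is allocated; the allocation path isn't in this hunk, so confirm the tunnel is kzalloc()'d. Changing the return type from int to void is only safe if no caller inspects the result; the diffstat touches just l2tp_core.c and l2tp_core.h, so the netlink caller presumably already ignored it, which the commit message should say outright.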
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -169,6 +169,9 @@ struct l2tp_tunnel_cfg {
struct l2tp_tunnel {
int magic; /* Should be L2TP_TUNNEL_MAGIC */
+
+ unsigned long dead;
+
struct rcu_head rcu;
rwlock_t hlist_lock; /* protect session_hlist */
bool acpt_newsess; /* Indicates whether this
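Review bot: the new `dead` field has no comment, unlike its neighbours (magic, hlist_lock, acpt_newsess); document that it holds a single flag bit set by l2tp_tunnel_delete() so that del_work is queued at most once, and that it is only ever set, never cleared.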
@@ -266,7 +269,7 @@ int l2tp_tunnel_create(struct net *net,
u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg,
struct l2tp_tunnel **tunnelp);
void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel);
-int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
+void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
struct l2tp_session *l2tp_session_create(int priv_size,
struct l2tp_tunnel *tunnel,
u32 session_id, u32 peer_session_id,
* [PATCH 3.16 041/204] iio: adc: mcp320x: Fix oops on module unload
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jonathan Cameron, Oskar Andero, Lukas Wunner
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 0964e40947a630a2a6f724e968246992f97bcf1c upstream.
The driver calls spi_get_drvdata() in its ->remove hook even though it
has never called spi_set_drvdata(). Stack trace for posterity:
Unable to handle kernel NULL pointer dereference at virtual address 00000220
Internal error: Oops: 5 [#1] SMP ARM
[<8072f564>] (mutex_lock) from [<7f1400d0>] (iio_device_unregister+0x24/0x7c [industrialio])
[<7f1400d0>] (iio_device_unregister [industrialio]) from [<7f15e020>] (mcp320x_remove+0x20/0x30 [mcp320x])
[<7f15e020>] (mcp320x_remove [mcp320x]) from [<8055a8cc>] (spi_drv_remove+0x2c/0x44)
[<8055a8cc>] (spi_drv_remove) from [<805087bc>] (__device_release_driver+0x98/0x134)
[<805087bc>] (__device_release_driver) from [<80509180>] (driver_detach+0xdc/0xe0)
[<80509180>] (driver_detach) from [<8050823c>] (bus_remove_driver+0x5c/0xb0)
[<8050823c>] (bus_remove_driver) from [<80509ab0>] (driver_unregister+0x38/0x58)
[<80509ab0>] (driver_unregister) from [<7f15e69c>] (mcp320x_driver_exit+0x14/0x1c [mcp320x])
[<7f15e69c>] (mcp320x_driver_exit [mcp320x]) from [<801a78d0>] (SyS_delete_module+0x184/0x1d0)
[<801a78d0>] (SyS_delete_module) from [<80108100>] (ret_fast_syscall+0x0/0x1c)
Fixes: f5ce4a7a9291 ("iio: adc: add driver for MCP3204/08 12-bit ADC")
Cc: Oskar Andero <oskar.andero@gmail.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iio/adc/mcp320x.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/adc/mcp320x.c
+++ b/drivers/iio/adc/mcp320x.c
@@ -180,6 +180,7 @@ static int mcp320x_probe(struct spi_devi
indio_dev->name = spi_get_device_id(spi)->name;
indio_dev->modes = INDIO_DIRECT_MODE;
indio_dev->info = &mcp320x_info;
+ spi_set_drvdata(spi, indio_dev);
chip_info = &mcp3208_chip_infos[spi_get_device_id(spi)->driver_data];
indio_dev->channels = chip_info->channels;
* [PATCH 3.16 027/204] cifs: release cifs root_cred after exit_cifs
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Shu Wang, Steve French, Ronnie Sahlberg
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shu Wang <shuwang@redhat.com>
commit 94183331e815617246b1baa97e0916f358c794bb upstream.
A memory leak was found by kmemleak. exit_cifs_spnego
should be called before the cifs module is removed, or
the cifs root_cred will not be released.
kmemleak report:
unreferenced object 0xffff880070a3ce40 (size 192):
backtrace:
kmemleak_alloc+0x4a/0xa0
kmem_cache_alloc+0xc7/0x1d0
prepare_kernel_cred+0x20/0x120
init_cifs_spnego+0x2d/0x170 [cifs]
0xffffffffc07801f3
do_one_initcall+0x51/0x1b0
do_init_module+0x60/0x1fd
load_module+0x161e/0x1b60
SYSC_finit_module+0xa9/0x100
SyS_finit_module+0xe/0x10
Signed-off-by: Shu Wang <shuwang@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/cifsfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -1294,7 +1294,7 @@ exit_cifs(void)
exit_cifs_idmap();
#endif
#ifdef CONFIG_CIFS_UPCALL
- unregister_key_type(&cifs_spnego_key_type);
+ exit_cifs_spnego();
#endif
cifs_destroy_request_bufs();
cifs_destroy_mids();
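Review bot: the replaced call was unregister_key_type(&cifs_spnego_key_type); make sure exit_cifs_spnego() performs that unregistration as well as releasing root_cred, otherwise the key type stays registered after unload and a subsequent module load fails. The kmemleak trace shows the cred being allocated from init_cifs_spnego(), so the matching error path in init_cifs should also call exit_cifs_spnego() rather than only unregistering the key type.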
* [PATCH 3.16 121/204] usb: xhci: Handle error condition in xhci_stop_device()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Greg Kroah-Hartman, Mathias Nyman, Mayank Rana, Jack Pham
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mayank Rana <mrana@codeaurora.org>
commit b3207c65dfafae27e7c492cb9188c0dc0eeaf3fd upstream.
xhci_stop_device() calls xhci_queue_stop_endpoint() multiple times
without checking the return value. xhci_queue_stop_endpoint() can
return error if the HC is already halted or unable to queue commands.
This can cause a deadlock condition as xhci_stop_device() would
end up waiting indefinitely for a completion for the command that
didn't get queued. Fix this by checking the return value and bailing
out of xhci_stop_device() in case of error. This patch happens to fix
potential memory leaks of the allocated command structures as well.
Fixes: c311e391a7ef ("xhci: rework command timeout and cancellation,")
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -293,15 +293,25 @@ static int xhci_stop_device(struct xhci_
GFP_NOWAIT);
if (!command) {
spin_unlock_irqrestore(&xhci->lock, flags);
- xhci_free_command(xhci, cmd);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto cmd_cleanup;
+ }
+ ret = xhci_queue_stop_endpoint(xhci, command, slot_id,
+ i, suspend);
+ if (ret) {
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ xhci_free_command(xhci, command);
+ goto cmd_cleanup;
}
- xhci_queue_stop_endpoint(xhci, command, slot_id, i,
- suspend);
}
}
- xhci_queue_stop_endpoint(xhci, cmd, slot_id, 0, suspend);
+ ret = xhci_queue_stop_endpoint(xhci, cmd, slot_id, 0, suspend);
+ if (ret) {
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ goto cmd_cleanup;
+ }
+
xhci_ring_cmd_db(xhci);
spin_unlock_irqrestore(&xhci->lock, flags);
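Review bot: on the xhci_queue_stop_endpoint() failure inside the loop, stop-endpoint commands queued by earlier iterations are left on the command ring without xhci_ring_cmd_db() being called; they will run whenever the doorbell is next rung, which is probably harmless but should be noted in a comment at the `goto cmd_cleanup`. The three error exits each repeat `spin_unlock_irqrestore(&xhci->lock, flags)`; a single unlock-then-cleanup label would shrink the hunk and make a missed unlock in a future edit less likely.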
@@ -312,6 +322,8 @@ static int xhci_stop_device(struct xhci_
xhci_warn(xhci, "Timeout while waiting for stop endpoint command\n");
ret = -ETIME;
}
+
+cmd_cleanup:
xhci_free_command(xhci, cmd);
return ret;
}
* [PATCH 3.16 002/204] ASoC: adau17x1: Workaround for noise bug in ADC
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mark Brown, Ricard Wanderlof, Ricard Wanderlof
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ricard Wanderlof <ricard.wanderlof@axis.com>
commit 1e6f4fc06f6411adf98bbbe7fcd79442cd2b2a75 upstream.
The ADC in the ADAU1361 (and possibly other Analog Devices codecs)
exhibits a cyclic variation in the noise floor (in our test setup between
-87 and -93 dB), a new value being attained within this range whenever a
new capture stream is started. The cycle repeats after about 10 or 11
restarts.
The workaround recommended by the manufacturer is to toggle the ADOSR bit
in the Converter Control 0 register each time a new capture stream is
started.
I have verified that the patch fixes this problem on the ADAU1361, and
according to the manufacturer toggling the bit in question in this manner
will at least have no detrimental effect on other chips served by this
driver.
Signed-off-by: Ricard Wanderlof <ricardw@axis.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/soc/codecs/adau17x1.c | 24 +++++++++++++++++++++++-
sound/soc/codecs/adau17x1.h | 2 ++
2 files changed, 25 insertions(+), 1 deletion(-)
--- a/sound/soc/codecs/adau17x1.c
+++ b/sound/soc/codecs/adau17x1.c
@@ -88,6 +88,27 @@ static int adau17x1_pll_event(struct snd
return 0;
}
+static int adau17x1_adc_fixup(struct snd_soc_dapm_widget *w,
+ struct snd_kcontrol *kcontrol, int event)
+{
+ struct snd_soc_codec *codec = snd_soc_dapm_to_codec(w->dapm);
+ struct adau *adau = snd_soc_codec_get_drvdata(codec);
+
+ /*
+ * If we are capturing, toggle the ADOSR bit in Converter Control 0 to
+ * avoid losing SNR (workaround from ADI). This must be done after
+ * the ADC(s) have been enabled. According to the data sheet, it is
+ * normally illegal to set this bit when the sampling rate is 96 kHz,
+ * but according to ADI it is acceptable for this workaround.
+ */
+ regmap_update_bits(adau->regmap, ADAU17X1_CONVERTER0,
+ ADAU17X1_CONVERTER0_ADOSR, ADAU17X1_CONVERTER0_ADOSR);
+ regmap_update_bits(adau->regmap, ADAU17X1_CONVERTER0,
+ ADAU17X1_CONVERTER0_ADOSR, 0);
+
+ return 0;
+}
+
static const char * const adau17x1_mono_stereo_text[] = {
"Stereo",
"Mono Left Channel (L+R)",
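Review bot: both regmap_update_bits() return values are discarded, so a bus error means the ADOSR toggle silently does not happen; propagate the error from adau17x1_adc_fixup(), which is what the DAPM event callback's int return is for. The comment's "If we are capturing" condition is not checked in code; it holds only because the callback is registered for SND_SOC_DAPM_POST_PMU on an ADC widget, which is worth stating in the comment so the two stay in sync.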
@@ -119,7 +140,8 @@ static const struct snd_soc_dapm_widget
SND_SOC_DAPM_MUX("Right DAC Mode Mux", SND_SOC_NOPM, 0, 0,
&adau17x1_dac_mode_mux),
- SND_SOC_DAPM_ADC("Left Decimator", NULL, ADAU17X1_ADC_CONTROL, 0, 0),
+ SND_SOC_DAPM_ADC_E("Left Decimator", NULL, ADAU17X1_ADC_CONTROL, 0, 0,
+ adau17x1_adc_fixup, SND_SOC_DAPM_POST_PMU),
SND_SOC_DAPM_ADC("Right Decimator", NULL, ADAU17X1_ADC_CONTROL, 1, 0),
SND_SOC_DAPM_DAC("Left DAC", NULL, ADAU17X1_DAC_CONTROL0, 0, 0),
SND_SOC_DAPM_DAC("Right DAC", NULL, ADAU17X1_DAC_CONTROL0, 1, 0),
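Review bot: only "Left Decimator" is converted to SND_SOC_DAPM_ADC_E with the fixup; a capture route that powers up just "Right Decimator" would skip the workaround entirely. If the codec's DAPM graph guarantees both decimators are enabled together, say so in a comment beside the widget; otherwise attach the callback to both widgets.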
--- a/sound/soc/codecs/adau17x1.h
+++ b/sound/soc/codecs/adau17x1.h
@@ -120,5 +120,7 @@ bool adau17x1_has_dsp(struct adau *adau)
#define ADAU17X1_CONVERTER0_CONVSR_MASK 0x7
+#define ADAU17X1_CONVERTER0_ADOSR BIT(3)
+
#endif
* [PATCH 3.16 004/204] cifs: check rsp for NULL before dereferencing in SMB2_open
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Pavel Shilovsky, Xiaoli Feng, Ronnie Sahlberg, Steve French
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ronnie Sahlberg <lsahlber@redhat.com>
commit bf2afee14e07de16d3cafc67edbfc2a3cc65e4bc upstream.
In SMB2_open there are several paths where the SendReceive2
call will return an error before it sets rsp_iov.iov_base
thus leaving iov_base uninitialized.
Thus we need to check rsp before we dereference it in
the call to get_rfc1002_length().
A report of this issue was previously reported in
http://www.spinics.net/lists/linux-cifs/msg12846.html
RH-bugzilla : 1476151
Version 2:
* Lets properly initialize rsp_iov before we use it.
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reported-by: Xiaoli Feng <xifeng@redhat.com>
[bwh: Backported to 3.16: zero-initialise iov instead of rsp_iov]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1114,7 +1114,7 @@ SMB2_open(const unsigned int xid, struct
struct TCP_Server_Info *server;
struct cifs_tcon *tcon = oparms->tcon;
struct cifs_ses *ses = tcon->ses;
- struct kvec iov[4];
+ struct kvec iov[4] = {{NULL, 0}};
int resp_buftype;
int uni_path_len;
__le16 *copy_path = NULL;
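Review bot: `struct kvec iov[4] = {{NULL, 0}};` zero-initialises all four entries (the aggregate members not listed are implicitly zeroed), so the backport matches the intent of upstream's rsp_iov initialisation. The NULL guard added in the error path below only helps if rsp is always derived from iov[0].iov_base after SendReceive2() returns, which this hunk does not show; confirm in the 3.16 tree that no path leaves rsp itself uninitialised.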
@@ -1215,7 +1215,7 @@ SMB2_open(const unsigned int xid, struct
if (rc != 0) {
cifs_stats_fail_inc(tcon, SMB2_CREATE_HE);
- if (err_buf)
+ if (err_buf && rsp)
*err_buf = kmemdup(rsp, get_rfc1002_length(rsp) + 4,
GFP_KERNEL);
goto creat_exit;
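Review bot: With `if (err_buf && rsp)`, a failure where rsp is NULL now leaves *err_buf untouched instead of copying garbage, so callers that inspect *err_buf after an error must have initialised it to NULL themselves; either add an explicit `else if (err_buf) *err_buf = NULL;` or document that contract at the function header. The unchecked kmemdup() return on the following line is pre-existing and out of scope for this fix.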
* [PATCH 3.16 127/204] parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Helge Deller, John David Anglin, Christoph Biedl
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit 374b3bf8e8b519f61eb9775888074c6e46b3bf0c upstream.
As discussed on the debian-hppa list, double-word compare and exchange
operations fail on 32-bit kernels. Looking at the code, I realized that
the ",ma" completer does the wrong thing in the "ldw,ma 4(%r26), %r29"
instruction. This increments %r26 and causes the following store to
write to the wrong location.
Note by Helge Deller:
The patch applies cleanly to stable kernel series if this upstream
commit is merged in advance:
f4125cfdb300 ("parisc: Avoid trashing sr2 and sr3 in LWS code").
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Tested-by: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Fixes: 89206491201c ("parisc: Implement new LWS CAS supporting 64 bit operations.")
Signed-off-by: Helge Deller <deller@gmx.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/parisc/kernel/syscall.S | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/arch/parisc/kernel/syscall.S
+++ b/arch/parisc/kernel/syscall.S
@@ -742,7 +742,7 @@ lws_compare_and_swap_2:
10: ldd 0(%sr3,%r25), %r25
11: ldd 0(%sr3,%r24), %r24
#else
- /* Load new value into r22/r23 - high/low */
+ /* Load old value into r22/r23 - high/low */
10: ldw 0(%sr3,%r25), %r22
11: ldw 4(%sr3,%r25), %r23
/* Load new value into fr4 for atomic store later */
@@ -834,11 +834,11 @@ cas2_action:
copy %r0, %r28
#else
/* Compare first word */
-19: ldw,ma 0(%sr3,%r26), %r29
+19: ldw 0(%sr3,%r26), %r29
sub,= %r29, %r22, %r0
b,n cas2_end
/* Compare second word */
-20: ldw,ma 4(%sr3,%r26), %r29
+20: ldw 4(%sr3,%r26), %r29
sub,= %r29, %r23, %r0
b,n cas2_end
/* Perform the store */
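Review bot: Dropping the ",ma" completer at label 20 is the actual fix: `ldw,ma 4(%sr3,%r26), %r29` post-modifies %r26 by 4 after the load, so the store under "Perform the store" then writes to the wrong address; at label 19 the displacement is 0 and the completer was harmless, so that change is consistency cleanup. Since the numeric labels 19: and 20: are unchanged, exception-fixup entries keyed on them keep pointing at the right loads, which is worth saying in the changelog for the backport.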
* [PATCH 3.16 061/204] netfilter: ipset: pernet ops must be unregistered last
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Florian Westphal, Pablo Neira Ayuso, Li Shuang,
Jozsef Kadlecsik
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit e23ed762db7ed1950a6408c3be80bc56909ab3d4 upstream.
Removing the ipset module leaves a small window where one cpu performs
module removal while another runs a command like 'ipset flush'.
ipset uses net_generic(), unregistering the pernet ops frees this
storage area.
Fix it by first removing the user-visible api handlers and the pernet
ops last.
Fixes: 1785e8f473082 ("netfiler: ipset: Add net namespace for ipset")
Reported-by: Li Shuang <shuali@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1982,24 +1982,28 @@ static struct pernet_operations ip_set_n
static int __init
ip_set_init(void)
{
- int ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
+ int ret = register_pernet_subsys(&ip_set_net_ops);
+
+ if (ret) {
+ pr_err("ip_set: cannot register pernet_subsys.\n");
+ return ret;
+ }
+
+ ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
if (ret != 0) {
pr_err("ip_set: cannot register with nfnetlink.\n");
+ unregister_pernet_subsys(&ip_set_net_ops);
return ret;
}
+
ret = nf_register_sockopt(&so_set);
if (ret != 0) {
pr_err("SO_SET registry failed: %d\n", ret);
nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
+ unregister_pernet_subsys(&ip_set_net_ops);
return ret;
}
- ret = register_pernet_subsys(&ip_set_net_ops);
- if (ret) {
- pr_err("ip_set: cannot register pernet_subsys.\n");
- nf_unregister_sockopt(&so_set);
- nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
- return ret;
- }
+
pr_info("ip_set: protocol %u\n", IPSET_PROTOCOL);
return 0;
}
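Review bot: The error paths in ip_set_init() now unwind by hand, with unregister_pernet_subsys() repeated in two of them and nfnetlink_subsys_unregister() in one; a goto-based unwind in reverse registration order (`goto err_nfnl;` / `goto err_pernet;`) would keep the three paths from drifting apart if a fourth registration is ever added. The registration order itself is right: the pernet storage that the nfnetlink handlers read exists before any handler can be invoked.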
@@ -2007,9 +2011,10 @@ ip_set_init(void)
static void __exit
ip_set_fini(void)
{
- unregister_pernet_subsys(&ip_set_net_ops);
nf_unregister_sockopt(&so_set);
nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
+
+ unregister_pernet_subsys(&ip_set_net_ops);
pr_debug("these are the famous last words\n");
}
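Review bot: Moving unregister_pernet_subsys() after nf_unregister_sockopt() and nfnetlink_subsys_unregister() closes the window only if those two calls wait for in-flight handlers to complete before returning; a short comment above the final unregister stating that the pernet data must outlive every user-facing entry point would keep a future reorder from reintroducing the use-after-free.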
* [PATCH 3.16 028/204] cifs: release auth_key.response for reconnect.
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Steve French, Ronnie Sahlberg, Shu Wang
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shu Wang <shuwang@redhat.com>
commit f5c4ba816315d3b813af16f5571f86c8d4e897bd upstream.
There is a race that causes cifs reconnect in cifs_mount,
- cifs_mount
- cifs_get_tcp_session
- [ start thread cifs_demultiplex_thread
- cifs_read_from_socket: -ECONNABORTED
- DELAY_WORK smb2_reconnect_server ]
- cifs_setup_session
- [ smb2_reconnect_server ]
auth_key.response was allocated in cifs_setup_session, and
will be released when the session is destroyed. So when the session
reconnects, auth_key.response should be checked and released.
Tested with my system:
CIFS VFS: Free previous auth_key.response = ffff8800320bbf80
A simple auth_key.response allocation call trace:
- cifs_setup_session
- SMB2_sess_setup
- SMB2_sess_auth_rawntlmssp_authenticate
- build_ntlmssp_auth_blob
- setup_ntlmv2_rsp
Signed-off-by: Shu Wang <shuwang@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/connect.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3956,6 +3956,14 @@ cifs_setup_session(const unsigned int xi
cifs_dbg(FYI, "Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d\n",
server->sec_mode, server->capabilities, server->timeAdj);
+ if (ses->auth_key.response) {
+ cifs_dbg(VFS, "Free previous auth_key.response = %p\n",
+ ses->auth_key.response);
+ kfree(ses->auth_key.response);
+ ses->auth_key.response = NULL;
+ ses->auth_key.len = 0;
+ }
+
if (server->ops->sess_setup)
rc = server->ops->sess_setup(xid, ses, nls_info);
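Review bot: `cifs_dbg(VFS, "Free previous auth_key.response = %p\n", ...)` prints a raw kernel heap address at the always-on VFS level every time a session reconnects; on 3.16 %p is not hashed, so this leaks a kernel pointer into dmesg and is also noisy on flaky links. Prefer the FYI level and drop the pointer from the message. The kfree/NULL/len = 0 sequence itself is correct and keeps the later allocation from leaking the old buffer.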
* [PATCH 3.16 067/204] USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alan Stern, Greg Kroah-Hartman, Felipe Balbi
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit f16443a034c7aa359ddf6f0f9bc40d01ca31faea upstream.
Using the syzkaller kernel fuzzer, Andrey Konovalov generated the
following error in gadgetfs:
> BUG: KASAN: use-after-free in __lock_acquire+0x3069/0x3690
> kernel/locking/lockdep.c:3246
> Read of size 8 at addr ffff88003a2bdaf8 by task kworker/3:1/903
>
> CPU: 3 PID: 903 Comm: kworker/3:1 Not tainted 4.12.0-rc4+ #35
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> __dump_stack lib/dump_stack.c:16 [inline]
> dump_stack+0x292/0x395 lib/dump_stack.c:52
> print_address_description+0x78/0x280 mm/kasan/report.c:252
> kasan_report_error mm/kasan/report.c:351 [inline]
> kasan_report+0x230/0x340 mm/kasan/report.c:408
> __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:429
> __lock_acquire+0x3069/0x3690 kernel/locking/lockdep.c:3246
> lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855
> __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
> _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
> spin_lock include/linux/spinlock.h:299 [inline]
> gadgetfs_suspend+0x89/0x130 drivers/usb/gadget/legacy/inode.c:1682
> set_link_state+0x88e/0xae0 drivers/usb/gadget/udc/dummy_hcd.c:455
> dummy_hub_control+0xd7e/0x1fb0 drivers/usb/gadget/udc/dummy_hcd.c:2074
> rh_call_control drivers/usb/core/hcd.c:689 [inline]
> rh_urb_enqueue drivers/usb/core/hcd.c:846 [inline]
> usb_hcd_submit_urb+0x92f/0x20b0 drivers/usb/core/hcd.c:1650
> usb_submit_urb+0x8b2/0x12c0 drivers/usb/core/urb.c:542
> usb_start_wait_urb+0x148/0x5b0 drivers/usb/core/message.c:56
> usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
> usb_control_msg+0x341/0x4d0 drivers/usb/core/message.c:151
> usb_clear_port_feature+0x74/0xa0 drivers/usb/core/hub.c:412
> hub_port_disable+0x123/0x510 drivers/usb/core/hub.c:4177
> hub_port_init+0x1ed/0x2940 drivers/usb/core/hub.c:4648
> hub_port_connect drivers/usb/core/hub.c:4826 [inline]
> hub_port_connect_change drivers/usb/core/hub.c:4999 [inline]
> port_event drivers/usb/core/hub.c:5105 [inline]
> hub_event+0x1ae1/0x3d40 drivers/usb/core/hub.c:5185
> process_one_work+0xc08/0x1bd0 kernel/workqueue.c:2097
> process_scheduled_works kernel/workqueue.c:2157 [inline]
> worker_thread+0xb2b/0x1860 kernel/workqueue.c:2233
> kthread+0x363/0x440 kernel/kthread.c:231
> ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:424
>
> Allocated by task 9958:
> save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
> save_stack+0x43/0xd0 mm/kasan/kasan.c:513
> set_track mm/kasan/kasan.c:525 [inline]
> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:617
> kmem_cache_alloc_trace+0x87/0x280 mm/slub.c:2745
> kmalloc include/linux/slab.h:492 [inline]
> kzalloc include/linux/slab.h:665 [inline]
> dev_new drivers/usb/gadget/legacy/inode.c:170 [inline]
> gadgetfs_fill_super+0x24f/0x540 drivers/usb/gadget/legacy/inode.c:1993
> mount_single+0xf6/0x160 fs/super.c:1192
> gadgetfs_mount+0x31/0x40 drivers/usb/gadget/legacy/inode.c:2019
> mount_fs+0x9c/0x2d0 fs/super.c:1223
> vfs_kern_mount.part.25+0xcb/0x490 fs/namespace.c:976
> vfs_kern_mount fs/namespace.c:2509 [inline]
> do_new_mount fs/namespace.c:2512 [inline]
> do_mount+0x41b/0x2d90 fs/namespace.c:2834
> SYSC_mount fs/namespace.c:3050 [inline]
> SyS_mount+0xb0/0x120 fs/namespace.c:3027
> entry_SYSCALL_64_fastpath+0x1f/0xbe
>
> Freed by task 9960:
> save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
> save_stack+0x43/0xd0 mm/kasan/kasan.c:513
> set_track mm/kasan/kasan.c:525 [inline]
> kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:590
> slab_free_hook mm/slub.c:1357 [inline]
> slab_free_freelist_hook mm/slub.c:1379 [inline]
> slab_free mm/slub.c:2961 [inline]
> kfree+0xed/0x2b0 mm/slub.c:3882
> put_dev+0x124/0x160 drivers/usb/gadget/legacy/inode.c:163
> gadgetfs_kill_sb+0x33/0x60 drivers/usb/gadget/legacy/inode.c:2027
> deactivate_locked_super+0x8d/0xd0 fs/super.c:309
> deactivate_super+0x21e/0x310 fs/super.c:340
> cleanup_mnt+0xb7/0x150 fs/namespace.c:1112
> __cleanup_mnt+0x1b/0x20 fs/namespace.c:1119
> task_work_run+0x1a0/0x280 kernel/task_work.c:116
> exit_task_work include/linux/task_work.h:21 [inline]
> do_exit+0x18a8/0x2820 kernel/exit.c:878
> do_group_exit+0x14e/0x420 kernel/exit.c:982
> get_signal+0x784/0x1780 kernel/signal.c:2318
> do_signal+0xd7/0x2130 arch/x86/kernel/signal.c:808
> exit_to_usermode_loop+0x1ac/0x240 arch/x86/entry/common.c:157
> prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
> syscall_return_slowpath+0x3ba/0x410 arch/x86/entry/common.c:263
> entry_SYSCALL_64_fastpath+0xbc/0xbe
>
> The buggy address belongs to the object at ffff88003a2bdae0
> which belongs to the cache kmalloc-1024 of size 1024
> The buggy address is located 24 bytes inside of
> 1024-byte region [ffff88003a2bdae0, ffff88003a2bdee0)
> The buggy address belongs to the page:
> page:ffffea0000e8ae00 count:1 mapcount:0 mapping: (null)
> index:0x0 compound_mapcount: 0
> flags: 0x100000000008100(slab|head)
> raw: 0100000000008100 0000000000000000 0000000000000000 0000000100170017
> raw: ffffea0000ed3020 ffffea0000f5f820 ffff88003e80efc0 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff88003a2bd980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88003a2bda00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff88003a2bda80: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb
> ^
> ffff88003a2bdb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88003a2bdb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
What this means is that the gadgetfs_suspend() routine was trying to
access dev->lock after it had been deallocated. The root cause is a
race in the dummy_hcd driver; the dummy_udc_stop() routine can race
with the rest of the driver because it contains no locking. And even
when proper locking is added, it can still race with the
set_link_state() function because that function incorrectly drops the
private spinlock before invoking any gadget driver callbacks.
The result of this race, as seen above, is that set_link_state() can
invoke a callback in gadgetfs even after gadgetfs has been unbound
from dummy_hcd's UDC and its private data structures have been
deallocated.
include/linux/usb/gadget.h documents that the ->reset, ->disconnect,
->suspend, and ->resume callbacks may be invoked in interrupt context.
In general this is necessary, to prevent races with gadget driver
removal. This patch fixes dummy_hcd to retain the spinlock across
these calls, and it adds a spinlock acquisition to dummy_udc_stop() to
prevent the race.
The net2280 driver makes the same mistake of dropping the private
spinlock for its ->disconnect and ->reset callback invocations. The
patch fixes it too.
Lastly, since gadgetfs_suspend() may be invoked in interrupt context,
it cannot assume that interrupts are enabled when it runs. It must
use spin_lock_irqsave() instead of spin_lock_irq(). The patch fixes
that bug as well.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- Drop changes in net2280's handle_stat1_irqs()
- Adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1798,9 +1798,10 @@ static void
gadgetfs_suspend (struct usb_gadget *gadget)
{
struct dev_data *dev = get_gadget_data (gadget);
+ unsigned long flags;
INFO (dev, "suspended from state %d\n", dev->state);
- spin_lock (&dev->lock);
+ spin_lock_irqsave(&dev->lock, flags);
switch (dev->state) {
case STATE_DEV_SETUP: // VERY odd... host died??
case STATE_DEV_CONNECTED:
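Review bot: The switch to spin_lock_irqsave() is right for a callback that may arrive in interrupt context, but the INFO() line above it still reads dev->state before the lock is taken; it is only a log message, so a stale value is harmless, though moving the INFO() inside the locked region would make the function consistent with the rest of the file.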
@@ -1811,7 +1812,7 @@ gadgetfs_suspend (struct usb_gadget *gad
default:
break;
}
- spin_unlock (&dev->lock);
+ spin_unlock_irqrestore(&dev->lock, flags);
}
static struct usb_gadget_driver gadgetfs_driver = {
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -379,20 +379,13 @@ static void set_link_state(struct dummy_
(dum_hcd->old_status & USB_PORT_STAT_RESET) == 0 &&
dum->driver) {
stop_activity(dum);
- spin_unlock(&dum->lock);
dum->driver->disconnect(&dum->gadget);
- spin_lock(&dum->lock);
}
} else if (dum_hcd->active != dum_hcd->old_active) {
- if (dum_hcd->old_active && dum->driver->suspend) {
- spin_unlock(&dum->lock);
+ if (dum_hcd->old_active && dum->driver->suspend)
dum->driver->suspend(&dum->gadget);
- spin_lock(&dum->lock);
- } else if (!dum_hcd->old_active && dum->driver->resume) {
- spin_unlock(&dum->lock);
+ else if (!dum_hcd->old_active && dum->driver->resume)
dum->driver->resume(&dum->gadget);
- spin_lock(&dum->lock);
- }
}
dum_hcd->old_status = dum_hcd->port_status;
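Review bot: The disconnect branch checks `dum->driver` in its condition, but the suspend/resume branch dereferences `dum->driver->suspend` and `dum->driver->resume` with no NULL check; now that dummy_udc_stop() clears dum->driver under dum->lock, the dereference is safe only because set_link_state() runs with that lock held, which deserves either a `dum->driver &&` in the else-if condition or a comment. Keeping the lock across the callbacks also means a gadget driver's ->disconnect/->suspend/->resume must not sleep or re-take the UDC lock, matching the interrupt-context contract the commit message cites from include/linux/usb/gadget.h.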
@@ -926,7 +919,9 @@ static int dummy_udc_stop(struct usb_gad
dev_dbg(udc_dev(dum), "unregister gadget driver '%s'\n",
driver->driver.name);
+ spin_lock_irq(&dum->lock);
dum->driver = NULL;
+ spin_unlock_irq(&dum->lock);
return 0;
}
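Review bot: spin_lock_irq()/spin_unlock_irq() around `dum->driver = NULL` assumes this path always runs with interrupts enabled, which holds for a ->udc_stop callback invoked from process context; if that ever changes, the irqsave variant is the safer choice. Clearing the pointer under the lock only protects readers that also hold the lock, so any remaining unlocked reads of dum->driver in dummy_hcd.c should be audited as part of this change.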
--- a/drivers/usb/gadget/net2280.c
+++ b/drivers/usb/gadget/net2280.c
@@ -1941,11 +1941,8 @@ stop_activity (struct net2280 *dev, stru
nuke (&dev->ep [i]);
/* report disconnect; the driver is already quiesced */
- if (driver) {
- spin_unlock(&dev->lock);
+ if (driver)
driver->disconnect(&dev->gadget);
- spin_lock(&dev->lock);
- }
usb_reinit (dev);
}
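Review bot: Holding dev->lock across driver->disconnect() in stop_activity() removes the race, but any gadget driver whose ->disconnect calls back into net2280 endpoint operations that themselves take dev->lock would now deadlock instead; confirm that no such re-entry exists on the 3.16 net2280 ep ops (or that those paths already follow the lock-held convention) before merging.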
* [PATCH 3.16 184/204] dccp: CVE-2017-8824: use-after-free in DCCP code
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, Mohamed Ghannam, David S. Miller
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mohamed Ghannam <simo.ghannam@gmail.com>
commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 upstream.
Whenever the sock object is in DCCP_CLOSED state,
dccp_disconnect() must free dccps_hc_tx_ccid and
dccps_hc_rx_ccid and set to NULL.
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/dccp/proto.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -252,6 +252,7 @@ int dccp_disconnect(struct sock *sk, int
{
struct inet_connection_sock *icsk = inet_csk(sk);
struct inet_sock *inet = inet_sk(sk);
+ struct dccp_sock *dp = dccp_sk(sk);
int err = 0;
const int old_state = sk->sk_state;
@@ -271,6 +272,10 @@ int dccp_disconnect(struct sock *sk, int
sk->sk_err = ECONNRESET;
dccp_clear_xmit_timers(sk);
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
+ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ dp->dccps_hc_rx_ccid = NULL;
+ dp->dccps_hc_tx_ccid = NULL;
__skb_queue_purge(&sk->sk_receive_queue);
__skb_queue_purge(&sk->sk_write_queue);
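Review bot: The two delete calls pass dp->dccps_hc_rx_ccid and dp->dccps_hc_tx_ccid unconditionally, so dccp_disconnect() on a socket that never negotiated CCIDs relies on ccid_hc_rx_delete()/ccid_hc_tx_delete() accepting NULL; worth confirming against net/dccp/ccid.c in the 3.16 tree. Setting both pointers to NULL immediately after the delete is what actually prevents the later double use, so keep those two lines adjacent to the delete calls.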
* [PATCH 3.16 008/204] USB: serial: ftdi_sio: add id for Cypress WICED dev board
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Jeffrey Chu
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jeffrey Chu <jeffrey.chu@cypress.com>
commit a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 upstream.
Add CYPRESS_VID vid and CYPRESS_WICED_BT_USB and CYPRESS_WICED_WL_USB
device IDs to ftdi_sio driver.
Signed-off-by: Jeffrey Chu <jeffrey.chu@cypress.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++
2 files changed, 9 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1028,6 +1028,8 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
{ USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
+ { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
{ } /* Terminating entry */
};
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -610,6 +610,13 @@
#define ADI_GNICEPLUS_PID 0xF001
/*
+ * Cypress WICED USB UART
+ */
+#define CYPRESS_VID 0x04B4
+#define CYPRESS_WICED_BT_USB_PID 0x009B
+#define CYPRESS_WICED_WL_USB_PID 0xF900
+
+/*
* Microchip Technology, Inc.
*
* MICROCHIP_VID (0x04D8) and MICROCHIP_USB_BOARD_PID (0x000A) are
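Review bot: The commit message names the new IDs CYPRESS_WICED_BT_USB and CYPRESS_WICED_WL_USB, while the macros added here are CYPRESS_WICED_BT_USB_PID and CYPRESS_WICED_WL_USB_PID; the names in the message should match the defines. The "Cypress WICED USB UART" block comment could also say which board each of 0x009B and 0xF900 belongs to, so that future ID additions land in the right place.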
* [PATCH 3.16 025/204] crypto: talitos - Don't provide setkey for non hmac hashing algs.
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Herbert Xu, LEROY Christophe
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: LEROY Christophe <christophe.leroy@c-s.fr>
commit 56136631573baa537a15e0012055ffe8cfec1a33 upstream.
Today, md5sum fails with error -ENOKEY because a setkey
function is set for non hmac hashing algs, see strace output below:
mmap(NULL, 378880, PROT_READ, MAP_SHARED, 6, 0) = 0x77f50000
accept(3, 0, NULL) = 7
vmsplice(5, [{"bin/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 378880}], 1, SPLICE_F_MORE|SPLICE_F_GIFT) = 262144
splice(4, NULL, 7, NULL, 262144, SPLICE_F_MORE) = -1 ENOKEY (Required key not available)
write(2, "Generation of hash for file kcap"..., 50) = 50
munmap(0x77f50000, 378880) = 0
This patch ensures that setkey() function is set only
for hmac hashing.
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/crypto/talitos.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -2550,7 +2550,8 @@ static struct talitos_crypto_alg *talito
t_alg->algt.alg.hash.final = ahash_final;
t_alg->algt.alg.hash.finup = ahash_finup;
t_alg->algt.alg.hash.digest = ahash_digest;
- t_alg->algt.alg.hash.setkey = ahash_setkey;
+ if (!strncmp(alg->cra_name, "hmac", 4))
+ t_alg->algt.alg.hash.setkey = ahash_setkey;
if (!(priv->features & TALITOS_FTR_HMAC_OK) &&
!strncmp(alg->cra_name, "hmac", 4)) {
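Review bot: `!strncmp(alg->cra_name, "hmac", 4)` is now evaluated twice within three lines (once for the new setkey assignment, once in the existing TALITOS_FTR_HMAC_OK check); hoisting it into a local `bool is_hmac` would avoid the repetition and make it obvious that both decisions key off the same test. Leaving setkey unset for non-HMAC algorithms is the correct way to tell the crypto core the hash is keyless, which is what removes the -ENOKEY seen in the strace output.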
* [PATCH 3.16 119/204] tun: call dev_get_valid_name() before register_netdevice()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David S. Miller, Jason Wang, Cong Wang, Michael S. Tsirkin,
Dmitry Alexeev
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit 0ad646c81b2182f7fa67ec0c8c825e0ee165696d upstream.
register_netdevice() could fail early when we have an invalid
dev name, in which case ->ndo_uninit() is not called. For tun
device, this is a problem because a timer etc. are already
initialized and it expects ->ndo_uninit() to clean them up.
We could move these initializations into a ->ndo_init() so
that register_netdevice() knows better, however this is still
complicated due to the logic in tun_detach().
Therefore, I choose to just call dev_get_valid_name() before
register_netdevice(), which is quicker and much easier to audit.
And for this specific case, it is already enough.
Fixes: 96442e42429e ("tuntap: choose the txq based on rxq")
Reported-by: Dmitry Alexeev <avekceeb@gmail.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/tun.c | 3 +++
include/linux/netdevice.h | 3 +++
net/core/dev.c | 6 +++---
3 files changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1647,6 +1647,9 @@ static int tun_set_iff(struct net *net,
if (!dev)
return -ENOMEM;
+ err = dev_get_valid_name(net, dev, name);
+ if (err)
+ goto err_free_dev;
dev_net_set(dev, net);
dev->rtnl_link_ops = &tun_link_ops;
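Review bot: dev_get_valid_name(net, dev, name) is called before dev_net_set(dev, net), so it must take the namespace from its explicit `net` argument rather than from dev_net(dev); the net/core/dev.c hunk in this patch shows it does take `net` as a parameter, which is consistent, but a one-line comment here would stop a future reorder from breaking it. The `goto err_free_dev` on failure also relies on that label calling free_netdev() on the freshly allocated device, which is not visible in this hunk.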
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3000,6 +3000,9 @@ void ether_setup(struct net_device *dev)
struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
void (*setup)(struct net_device *),
unsigned int txqs, unsigned int rxqs);
+int dev_get_valid_name(struct net *net, struct net_device *dev,
+ const char *name);
+
#define alloc_netdev(sizeof_priv, name, setup) \
alloc_netdev_mqs(sizeof_priv, name, setup, 1, 1)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1056,9 +1056,8 @@ static int dev_alloc_name_ns(struct net
return ret;
}
-static int dev_get_valid_name(struct net *net,
- struct net_device *dev,
- const char *name)
+int dev_get_valid_name(struct net *net, struct net_device *dev,
+ const char *name)
{
BUG_ON(!net);
@@ -1074,6 +1073,7 @@ static int dev_get_valid_name(struct net
return 0;
}
+EXPORT_SYMBOL(dev_get_valid_name);
/**
* dev_change_name - change name of a device
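Review bot: EXPORT_SYMBOL() is needed because tun can be built as a module, but turning a formerly static helper into a public export widens the kernel ABI; consider EXPORT_SYMBOL_GPL() as other core netdev helpers use. Either way the now non-static dev_get_valid_name() should get a kernel-doc comment stating the caller contract (the `/**` block visible at the end of the hunk belongs to dev_change_name(), not to this function).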
* [PATCH 3.16 036/204] USB: gadgetfs: fix copy_to_user while holding spinlock
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Greg Kroah-Hartman, Andrey Konovalov, Alan Stern,
Felipe Balbi
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 6e76c01e71551cb221c1f3deacb9dcd9a7346784 upstream.
The gadgetfs driver has a long-outstanding FIXME, regarding a call of
copy_to_user() made while holding a spinlock. This patch fixes the
issue by dropping the spinlock and using the dev->udc_usage mechanism
introduced by another recent patch to guard against status changes
while the lock isn't held.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/gadget/inode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1055,11 +1055,14 @@ ep0_read (struct file *fd, char __user *
retval = -EIO;
else {
len = min (len, (size_t)dev->req->actual);
-// FIXME don't call this with the spinlock held ...
+ ++dev->udc_usage;
+ spin_unlock_irq(&dev->lock);
if (copy_to_user (buf, dev->req->buf, len))
retval = -EFAULT;
else
retval = len;
+ spin_lock_irq(&dev->lock);
+ --dev->udc_usage;
clean_req (dev->gadget->ep0, dev->req);
/* NOTE userspace can't yet choose to stall */
}
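Review bot: After the lock is dropped around copy_to_user() and re-taken, dev->req and dev->gadget are used again by clean_req(dev->gadget->ep0, dev->req) without re-validating that the state has not changed; ++dev->udc_usage keeps the UDC from going away, but whether it also guarantees dev->req is still the same request (not completed or reused by a concurrent ep0 event) should be stated in a comment or checked explicitly before clean_req(). Also make sure every exit between the ++ and -- balances udc_usage; in this hunk the only exit is fall-through, so it is balanced.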
* [PATCH 3.16 073/204] arm64: fault: Route pte translation faults via do_translation_fault
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Catalin Marinas, Ankit Jain, Will Deacon
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will.deacon@arm.com>
commit 760bfb47c36a07741a089bf6a28e854ffbee7dc9 upstream.
We currently route pte translation faults via do_page_fault, which elides
the address check against TASK_SIZE before invoking the mm fault handling
code. However, this can cause issues with the path walking code in
conjunction with our word-at-a-time implementation because
load_unaligned_zeropad can end up faulting in kernel space if it reads
across a page boundary and runs into a page fault (e.g. by attempting to
read from a guard region).
In the case of such a fault, load_unaligned_zeropad has registered a
fixup to shift the valid data and pad with zeroes; however, the abort is
reported as a level 3 translation fault and we dispatch it straight to
do_page_fault, despite it being a kernel address. This results in calling
a sleeping function from atomic context:
BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:313
in_atomic(): 0, irqs_disabled(): 0, pid: 10290
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[...]
[<ffffff8e016cd0cc>] ___might_sleep+0x134/0x144
[<ffffff8e016cd158>] __might_sleep+0x7c/0x8c
[<ffffff8e016977f0>] do_page_fault+0x140/0x330
[<ffffff8e01681328>] do_mem_abort+0x54/0xb0
Exception stack(0xfffffffb20247a70 to 0xfffffffb20247ba0)
[...]
[<ffffff8e016844fc>] el1_da+0x18/0x78
[<ffffff8e017f399c>] path_parentat+0x44/0x88
[<ffffff8e017f4c9c>] filename_parentat+0x5c/0xd8
[<ffffff8e017f5044>] filename_create+0x4c/0x128
[<ffffff8e017f59e4>] SyS_mkdirat+0x50/0xc8
[<ffffff8e01684e30>] el0_svc_naked+0x24/0x28
Code: 36380080 d5384100 f9400800 9402566d (d4210000)
---[ end trace 2d01889f2bca9b9f ]---
Fix this by dispatching all translation faults to do_translation_fault,
which avoids invoking the page fault logic for faults on kernel addresses.
Reported-by: Ankit Jain <ankijain@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm64/mm/fault.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -386,7 +386,7 @@ static struct fault_info {
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "input address range fault" },
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 1 translation fault" },
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 2 translation fault" },
- { do_page_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
+ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
{ do_bad, SIGBUS, 0, "reserved access flag fault" },
{ do_page_fault, SIGSEGV, SEGV_ACCERR, "level 1 access flag fault" },
{ do_page_fault, SIGSEGV, SEGV_ACCERR, "level 2 access flag fault" },
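Review bot: the table now routes the level 3 translation fault through do_translation_fault like levels 1 and 2, which only preserves user-space demand paging if do_translation_fault in this 3.16 tree still falls through to do_page_fault for addresses below TASK_SIZE and diverts only kernel addresses to the bad-area path; please confirm that against the 3.16 arch/arm64/mm/fault.c rather than the upstream context, since the backport note says context was adjusted.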
* [PATCH 3.16 058/204] drm/i915/bios: ignore HDMI on port A
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Rodrigo Vivi, Imre Deak, Ville Syrjälä,
Daniel Drake, Jani Nikula
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
commit 2ba7d7e0437127314864238f8bfcb8369d81075c upstream.
The hardware state readout oopses after several warnings when trying to
use HDMI on port A, if such a combination is configured in VBT. Filter
the combo out already at the VBT parsing phase.
v2: also ignore DVI (Ville)
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102889
Cc: Imre Deak <imre.deak@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Tested-by: Daniel Drake <dan@reactivated.net>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20170921141920.18172-1-jani.nikula@intel.com
(cherry picked from commit d27ffc1d00327c29b3aa97f941b42f0949f9e99f)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/i915/intel_bios.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/gpu/drm/i915/intel_bios.c
+++ b/drivers/gpu/drm/i915/intel_bios.c
@@ -939,6 +939,13 @@ static void parse_ddi_port(struct drm_i9
is_hdmi = is_dvi && (child->common.device_type & DEVICE_TYPE_NOT_HDMI_OUTPUT) == 0;
is_edp = is_dp && (child->common.device_type & DEVICE_TYPE_INTERNAL_CONNECTOR);
+ if (port == PORT_A && is_dvi) {
+ DRM_DEBUG_KMS("VBT claims port A supports DVI%s, ignoring\n",
+ is_hdmi ? "/HDMI" : "");
+ is_dvi = false;
+ is_hdmi = false;
+ }
+
info->supports_dvi = is_dvi;
info->supports_hdmi = is_hdmi;
info->supports_dp = is_dp;
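Review bot: the filter sits after is_hdmi is derived from is_dvi, so clearing both flags together is required and the hunk does that; since this diagnoses firmware (VBT) data, consider including child->common.device_type in the DRM_DEBUG_KMS message so a bad table can be identified from the log without a second build. The DP/eDP flags for port A are intentionally left untouched, which matches the commit message.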
* [PATCH 3.16 072/204] sched/sysctl: Check user input value of sysctl_sched_time_avg
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, ethan.kernel, keescook, Thomas Gleixner, Linus Torvalds,
efault, Ingo Molnar, James Puthukattukaran, mcgrof, Ethan Zhao,
Peter Zijlstra (Intel)
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Zhao <ethan.zhao@oracle.com>
commit 5ccba44ba118a5000cccc50076b0344632459779 upstream.
The system will hang if the user sets sysctl_sched_time_avg to 0:
[root@XXX ~]# sysctl kernel.sched_time_avg_ms=0
Stack traceback for pid 0
0xffff883f6406c600 0 0 1 3 R 0xffff883f6406cf50 *swapper/3
Call Trace:
<IRQ> [<ffffffff810c4dd0>] ? update_group_capacity+0x110/0x200
[<ffffffff810c4fc9>] ? update_sd_lb_stats+0x109/0x600
[<ffffffff810c5507>] ? find_busiest_group+0x47/0x530
[<ffffffff810c5b84>] ? load_balance+0x194/0x900
[<ffffffff810ad5ca>] ? update_rq_clock.part.83+0x1a/0xe0
[<ffffffff810c6d42>] ? rebalance_domains+0x152/0x290
[<ffffffff810c6f5c>] ? run_rebalance_domains+0xdc/0x1d0
[<ffffffff8108a75b>] ? __do_softirq+0xfb/0x320
[<ffffffff8108ac85>] ? irq_exit+0x125/0x130
[<ffffffff810b3a17>] ? scheduler_ipi+0x97/0x160
[<ffffffff81052709>] ? smp_reschedule_interrupt+0x29/0x30
[<ffffffff8173a1be>] ? reschedule_interrupt+0x6e/0x80
<EOI> [<ffffffff815bc83c>] ? cpuidle_enter_state+0xcc/0x230
[<ffffffff815bc80c>] ? cpuidle_enter_state+0x9c/0x230
[<ffffffff815bc9d7>] ? cpuidle_enter+0x17/0x20
[<ffffffff810cd6dc>] ? cpu_startup_entry+0x38c/0x420
[<ffffffff81053373>] ? start_secondary+0x173/0x1e0
This is because a divide-by-zero error happens in the following function:
update_group_capacity()
update_cpu_capacity()
scale_rt_capacity()
{
...
total = sched_avg_period() + delta;
used = div_u64(avg, total);
...
}
To fix this issue, check the user input value of sysctl_sched_time_avg,
keep it unchanged when hitting invalid input, and set the minimum limit of
sysctl_sched_time_avg to 1 ms.
Reported-by: James Puthukattukaran <james.puthukattukaran@oracle.com>
Signed-off-by: Ethan Zhao <ethan.zhao@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: efault@gmx.de
Cc: ethan.kernel@gmail.com
Cc: keescook@chromium.org
Cc: mcgrof@kernel.org
Link: http://lkml.kernel.org/r/1504504774-18253-1-git-send-email-ethan.zhao@oracle.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sysctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -342,7 +342,8 @@ static struct ctl_table kern_table[] = {
.data = &sysctl_sched_time_avg,
.maxlen = sizeof(unsigned int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &one,
},
{
.procname = "sched_shares_window_ns",
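Review bot: only .extra1 is set, so the handler enforces the 1 ms minimum but no upper bound; because sysctl_sched_time_avg is an unsigned int (.maxlen = sizeof(unsigned int) above) while proc_dointvec_minmax parses it as a signed int, values above INT_MAX are already rejected, but if a sane ceiling exists for the averaging period, .extra2 here is the place for it. Also check that `one` is the existing `static int one = 1` in kernel/sysctl.c so the pointer type matches what the handler expects.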
* [PATCH 3.16 162/204] KEYS: fix out-of-bounds read during ASN.1 parsing
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Howells, James Morris, Eric Biggers
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 2eb9eabf1e868fda15808954fb29b0f105ed65f1 upstream.
syzkaller with KASAN reported an out-of-bounds read in
asn1_ber_decoder(). It can be reproduced by the following command,
assuming CONFIG_X509_CERTIFICATE_PARSER=y and CONFIG_KASAN=y:
keyctl add asymmetric desc $'\x30\x30' @s
The bug is that the length of an ASN.1 data value isn't validated in the
case where it is encoded using the short form, causing the decoder to
read past the end of the input buffer. Fix it by validating the length.
The bug report was:
BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
Read of size 1 at addr ffff88003cccfa02 by task syz-executor0/6818
CPU: 1 PID: 6818 Comm: syz-executor0 Not tainted 4.14.0-rc7-00008-g5f479447d983 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0xb3/0x10b lib/dump_stack.c:52
print_address_description+0x79/0x2a0 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x236/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
x509_cert_parse+0x1db/0x650 crypto/asymmetric_keys/x509_cert_parser.c:89
x509_key_preparse+0x64/0x7a0 crypto/asymmetric_keys/x509_public_key.c:174
asymmetric_key_preparse+0xcb/0x1a0 crypto/asymmetric_keys/asymmetric_type.c:388
key_create_or_update+0x347/0xb20 security/keys/key.c:855
SYSC_add_key security/keys/keyctl.c:122 [inline]
SyS_add_key+0x1cd/0x340 security/keys/keyctl.c:62
entry_SYSCALL_64_fastpath+0x1f/0xbe
Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
lib/asn1_decoder.c | 3 +++
1 file changed, 3 insertions(+)
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -276,6 +276,9 @@ next_op:
if (unlikely(len > datalen - dp))
goto data_overrun_error;
}
+ } else {
+ if (unlikely(len > datalen - dp))
+ goto data_overrun_error;
}
if (flags & FLAG_CONS) {
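Review bot: the new else branch gives the short form the same `len > datalen - dp` check the long form already gets at the top of the hunk, so a short-form length byte can no longer point past the buffer; the subtraction is only safe because dp <= datalen is an invariant maintained by the earlier tag and length-byte checks, so if those are reordered later this check must move with them. A short comment noting that the short-form len comes straight from an attacker-controlled data byte would make the intent clear.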
* [PATCH 3.16 055/204] PCI: Fix race condition with driver_override
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Nicolai Stange, Bjorn Helgaas
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolai Stange <nstange@suse.de>
commit 9561475db680f7144d2223a409dd3d7e322aca03 upstream.
The driver_override implementation is susceptible to a race condition when
different threads are reading vs. storing a different driver override. Add
locking to avoid the race condition.
This is in close analogy to commit 6265539776a0 ("driver core: platform:
fix race condition with driver_override") from Adrian Salido.
Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using pci_dev.driver_override")
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/pci/pci-sysfs.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -514,7 +514,7 @@ static ssize_t driver_override_store(str
const char *buf, size_t count)
{
struct pci_dev *pdev = to_pci_dev(dev);
- char *driver_override, *old = pdev->driver_override, *cp;
+ char *driver_override, *old, *cp;
/* We need to keep extra room for a newline */
if (count >= (PAGE_SIZE - 1))
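Review bot: `old` is now assigned later under device_lock(), so the declaration change is correct as long as no early-return path between here and the locked section reads it; the `count >= (PAGE_SIZE - 1)` check at the end of this hunk returns before `old` is touched, which is fine, but confirm the same for any other early return in the part of the function not shown in the diff.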
@@ -528,12 +528,15 @@ static ssize_t driver_override_store(str
if (cp)
*cp = '\0';
+ device_lock(dev);
+ old = pdev->driver_override;
if (strlen(driver_override)) {
pdev->driver_override = driver_override;
} else {
kfree(driver_override);
pdev->driver_override = NULL;
}
+ device_unlock(dev);
kfree(old);
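Review bot: the store path now swaps the pointer under device_lock() and defers kfree(old) until after device_unlock(), which is the right shape; the kfree(driver_override) in the empty-string branch is still done inside the critical section, which is harmless but could be moved out for symmetry. device_lock() is a mutex, so taking it in a sysfs store callback is fine.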
@@ -544,8 +547,12 @@ static ssize_t driver_override_show(stru
struct device_attribute *attr, char *buf)
{
struct pci_dev *pdev = to_pci_dev(dev);
+ ssize_t len;
- return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
+ device_lock(dev);
+ len = snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
+ device_unlock(dev);
+ return len;
}
static DEVICE_ATTR_RW(driver_override);
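Review bot: taking device_lock() around the snprintf() closes the read side of the race, so the reader can no longer see a pointer the store path has just freed; the pre-existing behaviour that a NULL driver_override prints as "(null)" is unchanged, which may be worth a follow-up since user space reading the attribute has to special-case that string.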
* [PATCH 3.16 141/204] SMB: fix leak of validate negotiate info response buffer
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Steve French, David Disseldorp
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Disseldorp <ddiss@suse.de>
commit fe83bebc05228e838ed5cbbc62712ab50dd40e18 upstream.
Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/smb2pdu.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -479,7 +479,7 @@ int smb3_validate_negotiate(const unsign
{
int rc = 0;
struct validate_negotiate_info_req vneg_inbuf;
- struct validate_negotiate_info_rsp *pneg_rsp;
+ struct validate_negotiate_info_rsp *pneg_rsp = NULL;
u32 rsplen;
cifs_dbg(FYI, "validate negotiate\n");
@@ -536,7 +536,7 @@ int smb3_validate_negotiate(const unsign
/* relax check since Mac returns max bufsize allowed on ioctl */
if (rsplen > CIFSMaxBufSize)
- return -EIO;
+ goto err_rsp_free;
}
/* check validate negotiate info response matches what we got earlier */
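Review bot: replacing `return -EIO` with `goto err_rsp_free` keeps the return value and frees pneg_rsp on the oversized-response path; any other early `return` after the response buffer has been allocated in this function (only part of it is in the diff) needs the same conversion, otherwise the leak is only partially fixed. The `= NULL` initialisation in the first hunk keeps kfree() safe for any path that reaches the label before the allocation.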
@@ -555,10 +555,13 @@ int smb3_validate_negotiate(const unsign
/* validate negotiate successful */
cifs_dbg(FYI, "validate negotiate info successful\n");
+ kfree(pneg_rsp);
return 0;
vneg_out:
cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+err_rsp_free:
+ kfree(pneg_rsp);
return -EIO;
}
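Review bot: the success path and the vneg_out path now both free pneg_rsp, with vneg_out falling through into err_rsp_free; a single exit label that returns `rc` would avoid the duplicated kfree() and make it harder to miss the free on a future error path, but the result is correct as written.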
* [PATCH 3.16 040/204] SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Pavel Shilovsky, Steve French, Ronnie Sahlberg
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <smfrench@gmail.com>
commit 1013e760d10e614dc10b5624ce9fc41563ba2e65 upstream.
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/file.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -225,6 +225,13 @@ cifs_nt_open(char *full_path, struct ino
if (backup_cred(cifs_sb))
create_options |= CREATE_OPEN_BACKUP_INTENT;
+ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+ if (f_flags & O_SYNC)
+ create_options |= CREATE_WRITE_THROUGH;
+
+ if (f_flags & O_DIRECT)
+ create_options |= CREATE_NO_BUFFER;
+
oparms.tcon = tcon;
oparms.cifs_sb = cifs_sb;
oparms.desired_access = desired_access;
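Review bot: the commit message is empty; a sentence stating that O_SYNC/O_DSYNC now maps to CREATE_WRITE_THROUGH and O_DIRECT to CREATE_NO_BUFFER in the SMB create request would help anyone bisecting a change in write semantics. The comment on the O_SYNC check is correct for Linux, where the value of O_SYNC includes the O_DSYNC bit, so `f_flags & O_SYNC` also matches files opened with O_DSYNC alone.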
* [PATCH 3.16 124/204] ALSA: hda: Remove superfluous '-' added by printk conversion
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 6bf88a343db2b3c160edf9b82a74966b31cc80bd upstream.
While converting the error messages to the standard macros in
commit 4e76a8833fac ("ALSA: hda - Replace with standard printk"), a
superfluous '-' slipped into the code by mistake. Its influence is
almost negligible; it merely shows a dB value as a negative integer instead
of a positive integer (or vice versa) in a rare error message.
So let's kill this embarrassing byte to show the correct value.
Fixes: 4e76a8833fac ("ALSA: hda - Replace with standard printk")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/pci/hda/hda_codec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -2791,7 +2791,7 @@ static int get_kctl_0dB_offset(struct sn
return -1;
if (*step_to_check && *step_to_check != step) {
snd_printk(KERN_ERR "hda_codec: Mismatching dB step for vmaster slave (%d!=%d)\n",
-- *step_to_check, step);
+ *step_to_check, step);
return -1;
}
*step_to_check = step;
* [PATCH 3.16 016/204] s390/mm: fix write access check in gup_huge_pmd()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Martin Schwidefsky, Gerald Schaefer
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
commit ba385c0594e723d41790ecfb12c610e6f90c7785 upstream.
The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
wrong way around. It must not be set for write==1, and must not be checked
for write==0. Fix this similarly to how it was fixed for ptes a long time
ago in commit 25591b070336 ("[S390] fix get_user_pages_fast").
One impact of this bug would be unnecessarily using the gup slow path for
write==0 on r/w mappings. A potentially more severe impact would be that
gup_huge_pmd() will succeed for write==1 on r/o mappings.
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/s390/mm/gup.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/arch/s390/mm/gup.c
+++ b/arch/s390/mm/gup.c
@@ -51,13 +51,12 @@ static inline int gup_pte_range(pmd_t *p
static inline int gup_huge_pmd(pmd_t *pmdp, pmd_t pmd, unsigned long addr,
unsigned long end, int write, struct page **pages, int *nr)
{
- unsigned long mask, result;
struct page *head, *page, *tail;
+ unsigned long mask;
int refs;
- result = write ? 0 : _SEGMENT_ENTRY_PROTECT;
- mask = result | _SEGMENT_ENTRY_INVALID;
- if ((pmd_val(pmd) & mask) != result)
+ mask = (write ? _SEGMENT_ENTRY_PROTECT : 0) | _SEGMENT_ENTRY_INVALID;
+ if ((pmd_val(pmd) & mask) != 0)
return 0;
VM_BUG_ON(!pfn_valid(pmd_val(pmd) >> PAGE_SHIFT));
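Review bot: the new mask requires _SEGMENT_ENTRY_PROTECT to be clear only when write != 0 and ignores it for reads, so a read-only mapping no longer satisfies the write fast path, which matches the commit message; the reordering of the `mask` and `head` declarations is cosmetic churn in a backport and could be left as-is to keep the 3.16 diff minimal.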
* [PATCH 3.16 176/204] KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, syzbot, Eric Biggers, James Morris, David Howells
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 624f5ab8720b3371367327a822c267699c1823b8 upstream.
syzkaller reported a NULL pointer dereference in asn1_ber_decoder(). It
can be reproduced by the following command, assuming
CONFIG_PKCS7_TEST_KEY=y:
keyctl add pkcs7_test desc '' @s
The bug is that if the data buffer is empty, an integer underflow occurs
in the following check:
if (unlikely(dp >= datalen - 1))
goto data_overrun_error;
This results in the NULL data pointer being dereferenced.
Fix it by checking for 'datalen - dp < 2' instead.
Also fix the similar check for 'dp >= datalen - n' later in the same
function. That one possibly could result in a buffer overread.
The NULL pointer dereference was reproducible using the "pkcs7_test" key
type but not the "asymmetric" key type because the "asymmetric" key type
checks for a 0-length payload before calling into the ASN.1 decoder but
the "pkcs7_test" key type does not.
The bug report was:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
PGD 7b708067 P4D 7b708067 PUD 7b6ee067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 0 PID: 522 Comm: syz-executor1 Not tainted 4.14.0-rc8 #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
task: ffff9b6b3798c040 task.stack: ffff9b6b37970000
RIP: 0010:asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
Call Trace:
pkcs7_parse_message+0xee/0x240 crypto/asymmetric_keys/pkcs7_parser.c:139
verify_pkcs7_signature+0x33/0x180 certs/system_keyring.c:216
pkcs7_preparse+0x41/0x70 crypto/asymmetric_keys/pkcs7_key_type.c:63
key_create_or_update+0x180/0x530 security/keys/key.c:855
SYSC_add_key security/keys/keyctl.c:122 [inline]
SyS_add_key+0xbf/0x250 security/keys/keyctl.c:62
entry_SYSCALL_64_fastpath+0x1f/0xbe
Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
lib/asn1_decoder.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -220,7 +220,7 @@ next_op:
hdr = 2;
/* Extract a tag from the data */
- if (unlikely(dp >= datalen - 1))
+ if (unlikely(datalen - dp < 2))
goto data_overrun_error;
tag = data[dp++];
if (unlikely((tag & 0x1f) == ASN1_LONG_TAG))
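Review bot: rewriting `dp >= datalen - 1` as `datalen - dp < 2` is correct only because dp <= datalen holds on entry (so the subtraction cannot wrap); with datalen == 0 the old form computed SIZE_MAX on the right-hand side and let the read of data[0] through a NULL buffer proceed, which the new form rejects. A comment stating the dp <= datalen invariant near the top of the decode loop would document why this direction of subtraction is the safe one.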
@@ -266,7 +266,7 @@ next_op:
int n = len - 0x80;
if (unlikely(n > 2))
goto length_too_long;
- if (unlikely(dp >= datalen - n))
+ if (unlikely(n > datalen - dp))
goto data_overrun_error;
hdr += n;
for (len = 0; n > 0; n--) {
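Review bot: same pattern as the first hunk; `n > datalen - dp` is the non-wrapping form, since n is at most 2 after the length_too_long check and dp has only advanced past bytes already verified to exist. The loop that follows reads exactly n bytes, so the check is tight.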
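The length-header checks from this patch and from the earlier short-form fix (KEYS: fix out-of-bounds read during ASN.1 parsing), reduced to a stand-alone user-space function as an added example; this is not kernel code, and `ber_read_header`, `ber_content_len`, `ber_header_len`, `old_tag_check_passes` and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status values of the constructed header reader (not kernel identifiers). */
enum hdr_status { HDR_OK = 0, HDR_DATA_OVERRUN = -1, HDR_LENGTH_TOO_LONG = -2 };

struct ber_hdr {
    uint8_t tag;  /* single-byte tag; long tags are not handled here */
    size_t  hdr;  /* bytes consumed by tag + length encoding */
    size_t  len;  /* announced content length */
};

/*
 * Parse the tag and length at data[dp .. datalen). Mirrors the three bounds
 * checks the two patches add or correct in lib/asn1_decoder.c:
 *   1. at least two bytes (tag + first length byte) must remain,
 *   2. long form: the n extra length bytes must fit,
 *   3. short form: the announced length must fit (the check that was missing).
 * All checks subtract in the (datalen - dp) direction, which cannot wrap
 * because dp <= datalen is an invariant of the loop. The indefinite form
 * (0x80) is treated as length 0 here; the kernel handles it separately.
 */
static int ber_read_header(const uint8_t *data, size_t datalen, size_t dp,
                           struct ber_hdr *out)
{
    size_t len, hdr = 2;

    if (datalen - dp < 2)             /* check 1: was 'dp >= datalen - 1' */
        return HDR_DATA_OVERRUN;
    out->tag = data[dp++];
    len = data[dp++];
    if (len > 0x7f) {
        size_t n = len - 0x80;
        if (n > 2)
            return HDR_LENGTH_TOO_LONG;
        if (n > datalen - dp)         /* check 2: was 'dp >= datalen - n' */
            return HDR_DATA_OVERRUN;
        hdr += n;
        for (len = 0; n > 0; n--)
            len = (len << 8) | data[dp++];
        if (len > datalen - dp)
            return HDR_DATA_OVERRUN;
    } else {
        if (len > datalen - dp)       /* check 3: the new short-form check */
            return HDR_DATA_OVERRUN;
    }
    out->hdr = hdr;
    out->len = len;
    return HDR_OK;
}

/* Content length of the first element, or a negative hdr_status. */
static long ber_content_len(const uint8_t *data, size_t datalen)
{
    struct ber_hdr h;
    int st = ber_read_header(data, datalen, 0, &h);
    return st < 0 ? st : (long)h.len;
}

/* Header length of the first element, or a negative hdr_status. */
static long ber_header_len(const uint8_t *data, size_t datalen)
{
    struct ber_hdr h;
    int st = ber_read_header(data, datalen, 0, &h);
    return st < 0 ? st : (long)h.hdr;
}

/* Why the old tag check failed: with datalen == 0, 'datalen - 1' wraps to
 * SIZE_MAX, so 'dp >= datalen - 1' is false and the decoder goes on to read
 * data[0] of an empty (NULL) buffer. Returns 1 if the old check would have
 * let the read proceed. */
static int old_tag_check_passes(size_t datalen, size_t dp)
{
    return !(dp >= datalen - 1);
}

int main(void)
{
    /* Constructed samples: the two-byte SEQUENCE from the syzkaller report,
     * a well-formed short form, and a well-formed long form. */
    static const uint8_t report[]   = { 0x30, 0x30 };
    static const uint8_t shortok[]  = { 0x30, 0x02, 0x05, 0x00 };
    static const uint8_t longok[]   = { 0x30, 0x82, 0x00, 0x01, 0xaa };

    printf("empty buffer: status %ld (old check passes=%d)\n",
           ber_content_len(NULL, 0), old_tag_check_passes(0, 0));
    printf("\\x30\\x30: status %ld\n", ber_content_len(report, sizeof report));
    printf("short form: len %ld hdr %ld\n",
           ber_content_len(shortok, sizeof shortok),
           ber_header_len(shortok, sizeof shortok));
    printf("long form: len %ld hdr %ld\n",
           ber_content_len(longok, sizeof longok),
           ber_header_len(longok, sizeof longok));
    return 0;
}
```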
* [PATCH 3.16 037/204] USB: gadgetfs: Fix crash caused by inadequate synchronization
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Felipe Balbi, Greg Kroah-Hartman, Andrey Konovalov,
Alan Stern
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 520b72fc64debf8a86c3853b8e486aa5982188f0 upstream.
The gadgetfs driver (drivers/usb/gadget/legacy/inode.c) was written
before the UDC and composite frameworks were adopted; it is a legacy
driver. As such, it expects that once bound to a UDC controller, it
will not be unbound until it unregisters itself.
However, the UDC framework does unbind function drivers while they are
still registered. When this happens, it can cause the gadgetfs driver
to misbehave or crash. For example, userspace can cause a crash by
opening the device file and doing an ioctl call before setting up a
configuration (found by Andrey Konovalov using the syzkaller fuzzer).
This patch adds checks and synchronization to prevent these bad
behaviors. It adds a udc_usage counter that the driver increments at
times when it is using a gadget interface without holding the private
spinlock. The unbind routine waits for this counter to go to 0 before
returning, thereby ensuring that the UDC is no longer in use.
The patch also adds a check in the dev_ioctl() routine to make sure
the driver is bound to a UDC before dereferencing the gadget pointer,
and it makes destroy_ep_files() synchronize with the endpoint I/O
routines, to prevent the user from accessing an endpoint data
structure after it has been removed.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- Expand locked section in ep0_write() to match upstream
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -26,7 +26,7 @@
#include <linux/poll.h>
#include <linux/mmu_context.h>
#include <linux/aio.h>
-
+#include <linux/delay.h>
#include <linux/device.h>
#include <linux/moduleparam.h>
@@ -113,6 +113,7 @@ enum ep0_state {
struct dev_data {
spinlock_t lock;
atomic_t count;
+ int udc_usage;
enum ep0_state state; /* P: lock */
struct usb_gadgetfs_event event [N_EVENT];
unsigned ev_next;
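Review bot: udc_usage is only modified with dev->lock held, so it should carry the same `/* P: lock */` annotation that `state` has on the next line; keeping it a plain int is fine as long as no future path reads or writes it without the lock.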
@@ -620,9 +621,9 @@ static void ep_aio_complete(struct usb_e
priv->actual = req->actual;
schedule_work(&priv->work);
}
- spin_unlock(&epdata->dev->lock);
usb_ep_free_request(ep, req);
+ spin_unlock(&epdata->dev->lock);
put_ep(epdata);
}
@@ -1011,9 +1012,11 @@ ep0_read (struct file *fd, char __user *
struct usb_request *req = dev->req;
if ((retval = setup_req (ep, req, 0)) == 0) {
+ ++dev->udc_usage;
spin_unlock_irq (&dev->lock);
retval = usb_ep_queue (ep, req, GFP_KERNEL);
spin_lock_irq (&dev->lock);
+ --dev->udc_usage;
}
dev->state = STATE_DEV_CONNECTED;
@@ -1208,6 +1211,7 @@ ep0_write (struct file *fd, const char _
retval = setup_req (dev->gadget->ep0, dev->req, len);
if (retval == 0) {
dev->state = STATE_DEV_CONNECTED;
+ ++dev->udc_usage;
spin_unlock_irq (&dev->lock);
if (copy_from_user (dev->req->buf, buf, len))
retval = -EFAULT;
@@ -1218,12 +1222,13 @@ ep0_write (struct file *fd, const char _
dev->gadget->ep0, dev->req,
GFP_KERNEL);
}
+ spin_lock_irq(&dev->lock);
+ --dev->udc_usage;
if (retval < 0) {
- spin_lock_irq (&dev->lock);
clean_req (dev->gadget->ep0, dev->req);
- spin_unlock_irq (&dev->lock);
} else
retval = len;
+ spin_unlock_irq(&dev->lock);
return retval;
}
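Review bot: with the locked region expanded to cover both the error and success branches (the backport note says this matches upstream), the lock is held across `retval = len`, which is harmless; the property that matters is that every path between the `++dev->udc_usage` in the previous hunk and the `--dev->udc_usage` here reaches the decrement, and the visible paths (copy_from_user() failure and the usb_ep_queue() call) do. Please confirm there is no early return in the lines elided between the two hunks.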
@@ -1316,9 +1321,21 @@ static long dev_ioctl (struct file *fd,
struct usb_gadget *gadget = dev->gadget;
long ret = -ENOTTY;
- if (gadget->ops->ioctl)
+ spin_lock_irq(&dev->lock);
+ if (dev->state == STATE_DEV_OPENED ||
+ dev->state == STATE_DEV_UNBOUND) {
+ /* Not bound to a UDC */
+ } else if (gadget->ops->ioctl) {
+ ++dev->udc_usage;
+ spin_unlock_irq(&dev->lock);
+
ret = gadget->ops->ioctl (gadget, code, value);
+ spin_lock_irq(&dev->lock);
+ --dev->udc_usage;
+ }
+ spin_unlock_irq(&dev->lock);
+
return ret;
}
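Review bot: in dev_ioctl() `gadget` is still loaded from dev->gadget before dev->lock is taken; the new state check only guards the `gadget->ops->ioctl` dereference, so either the load should move under the lock or a comment should say why dev->gadget cannot change underneath it. The empty `if (...) { /* Not bound to a UDC */ }` branch is readable, but it falls through to the `-ENOTTY` default, which tells the caller "no such ioctl" rather than "not bound"; an explicit error for that case would be clearer.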
@@ -1549,10 +1566,12 @@ delegate:
if (value < 0)
break;
+ ++dev->udc_usage;
spin_unlock (&dev->lock);
value = usb_ep_queue (gadget->ep0, dev->req,
GFP_KERNEL);
spin_lock (&dev->lock);
+ --dev->udc_usage;
if (value < 0) {
clean_req (gadget->ep0, dev->req);
break;
@@ -1576,8 +1595,12 @@ delegate:
req->length = value;
req->zero = value < w_length;
+ ++dev->udc_usage;
spin_unlock (&dev->lock);
value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL);
+ spin_lock(&dev->lock);
+ --dev->udc_usage;
+ spin_unlock(&dev->lock);
if (value < 0) {
DBG (dev, "ep_queue --> %d\n", value);
req->status = 0;
@@ -1604,21 +1627,24 @@ static void destroy_ep_files (struct dev
/* break link to FS */
ep = list_first_entry (&dev->epfiles, struct ep_data, epfiles);
list_del_init (&ep->epfiles);
+ spin_unlock_irq (&dev->lock);
+
dentry = ep->dentry;
ep->dentry = NULL;
parent = dentry->d_parent->d_inode;
/* break link to controller */
+ mutex_lock(&ep->lock);
if (ep->state == STATE_EP_ENABLED)
(void) usb_ep_disable (ep->ep);
ep->state = STATE_EP_UNBOUND;
usb_ep_free_request (ep->ep, ep->req);
ep->ep = NULL;
+ mutex_unlock(&ep->lock);
+
wake_up (&ep->wait);
put_ep (ep);
- spin_unlock_irq (&dev->lock);
-
/* break link to dcache */
mutex_lock (&parent->i_mutex);
d_delete (dentry);
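Review bot: `spin_unlock_irq(&dev->lock)` had to move above the new `mutex_lock(&ep->lock)` because a mutex cannot be taken while holding a spinlock, but nothing in the code records that constraint; a one-line comment at the unlock would keep someone from moving it back. Note also that `ep->dentry = NULL` and the `parent` lookup now run outside dev->lock, which is only safe if no other path reads ep->dentry under that lock.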
@@ -1691,6 +1717,11 @@ gadgetfs_unbind (struct usb_gadget *gadg
spin_lock_irq (&dev->lock);
dev->state = STATE_DEV_UNBOUND;
+ while (dev->udc_usage > 0) {
+ spin_unlock_irq(&dev->lock);
+ usleep_range(1000, 2000);
+ spin_lock_irq(&dev->lock);
+ }
spin_unlock_irq (&dev->lock);
destroy_ep_files (dev);
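Review bot: the `while (dev->udc_usage > 0)` loop in gadgetfs_unbind() has no upper bound, so a single unbalanced counter anywhere turns a driver unbind into an unkillable hang; a bounded number of iterations followed by a WARN_ON(dev->udc_usage) would fail loudly instead. The usleep_range() here is also what requires the `<linux/delay.h>` include added in the first hunk.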
* [PATCH 3.16 126/204] Input: ti_am335x_tsc - fix incorrect step config for 5 wire touchscreen
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jeff Lance, Dmitry Torokhov, Michael Nazzareno Trimarchi,
Vignesh R
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Lance <j-lance1@ti.com>
commit cf5dd48907bebaefdb43a8ca079be77e8da2cb20 upstream.
Step config setting for 5 wire touchscreen is incorrect for Y coordinates.
It was broken while we moved to DT. If you look closely at the offending
commit bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made
configurable"), the change was:
- STEPCONFIG_XNP | STEPCONFIG_YPN;
+ ts_dev->bit_xn | ts_dev->bit_yp;
while bit_xn = STEPCONFIG_XNN and bit_yp = STEPCONFIG_YNN. Not quite the
same.
Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made configurable")
Signed-off-by: Jeff Lance <j-lance1@ti.com>
[vigneshr@ti.com: Rebase to v4.14-rc1]
Signed-off-by: Vignesh R <vigneshr@ti.com>
Reviewed-by: Michael Nazzareno Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/touchscreen/ti_am335x_tsc.c
+++ b/drivers/input/touchscreen/ti_am335x_tsc.c
@@ -157,7 +157,7 @@ static void titsc_step_config(struct tit
break;
case 5:
config |= ts_dev->bit_xp | STEPCONFIG_INP_AN4 |
- ts_dev->bit_xn | ts_dev->bit_yp;
+ STEPCONFIG_XNP | STEPCONFIG_YPN;
break;
case 8:
config |= ts_dev->bit_yp | STEPCONFIG_INP(ts_dev->inp_xp);
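Review bot: the 5-wire case now hard-codes `STEPCONFIG_XNP | STEPCONFIG_YPN` while the other cases keep using the DT-configurable `ts_dev->bit_*` fields (see the `case 8:` context); a short comment saying that the Y step for 5-wire must not follow the configurable wire order would stop a future cleanup from reintroducing exactly the regression the commit message describes.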
* [PATCH 3.16 158/204] tcp: fix tcp_mtu_probe() vs highest_sack
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Neal Cardwell, Alexei Starovoitov, David S. Miller,
Eric Dumazet, Yuchung Cheng, Roman Gushchin, Alexei Starovoitov,
Oleksandr Natalenko
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 2b7cda9c35d3b940eb9ce74b30bbd5eb30db493d upstream.
Based on SNMP values provided by Roman, Yuchung made the observation
that some crashes in tcp_sacktag_walk() might be caused by MTU probing.
Looking at tcp_mtu_probe(), I found that when a new skb was placed
in front of the write queue, we were not updating tcp highest sack.
If one skb is freed because all its content was copied to the new skb
(for MTU probing), then tp->highest_sack could point to a now freed skb.
Bad things would then happen, including infinite loops.
This patch renames tcp_highest_sack_combine() and uses it
from tcp_mtu_probe() to fix the bug.
Note that I also removed one test against tp->sacked_out,
since we want to replace tp->highest_sack regardless of whatever
condition, since keeping a stale pointer to freed skb is a recipe
for disaster.
Fixes: a47e5a988a57 ("[TCP]: Convert highest_sack to sk_buff to allow direct access")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Roman Gushchin <guro@fb.com>
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/net/tcp.h | 6 +++---
net/ipv4/tcp_output.c | 3 ++-
2 files changed, 5 insertions(+), 4 deletions(-)
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1515,12 +1515,12 @@ static inline void tcp_highest_sack_rese
tcp_sk(sk)->highest_sack = tcp_write_queue_head(sk);
}
-/* Called when old skb is about to be deleted (to be combined with new skb) */
-static inline void tcp_highest_sack_combine(struct sock *sk,
+/* Called when old skb is about to be deleted and replaced by new skb */
+static inline void tcp_highest_sack_replace(struct sock *sk,
struct sk_buff *old,
struct sk_buff *new)
{
- if (tcp_sk(sk)->sacked_out && (old == tcp_sk(sk)->highest_sack))
+ if (old == tcp_highest_sack(sk))
tcp_sk(sk)->highest_sack = new;
}
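Review bot: dropping the `tcp_sk(sk)->sacked_out &&` guard in tcp_highest_sack_replace() means highest_sack is now rewritten even when nothing is SACKed, which the commit message argues for; the comparison goes through tcp_highest_sack(sk) while the assignment still writes tcp_sk(sk)->highest_sack directly, so if tcp_highest_sack() does anything beyond returning the field, the asymmetry deserves a comment.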
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1817,6 +1817,7 @@ static int tcp_mtu_probe(struct sock *sk
nskb->ip_summed = skb->ip_summed;
tcp_insert_write_queue_before(nskb, skb, sk);
+ tcp_highest_sack_replace(sk, skb, nskb);
len = 0;
tcp_for_write_queue_from_safe(skb, next, sk) {
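Review bot: tcp_highest_sack_replace(sk, skb, nskb) is invoked only for the first skb, yet the `tcp_for_write_queue_from_safe(skb, next, sk)` loop that follows can also unlink and free later skbs whose data is fully copied into nskb; if highest_sack can point at one of those, the dangling pointer the message describes is still possible, so either confirm it cannot or call the replace for every skb freed in that loop.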
@@ -2327,7 +2328,7 @@ static void tcp_collapse_retrans(struct
BUG_ON(tcp_skb_pcount(skb) != 1 || tcp_skb_pcount(next_skb) != 1);
- tcp_highest_sack_combine(sk, next_skb, skb);
+ tcp_highest_sack_replace(sk, next_skb, skb);
tcp_unlink_write_queue(next_skb, sk);
* [PATCH 3.16 045/204] staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jonathan Cameron, Stefan Popa, Lars-Peter Clausen,
Michael Hennerich
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Popa <stefan.popa@analog.com>
commit f790923f146140a261ad211e5baf75d169f16fb2 upstream.
Depends on: 691c4b95d1 ("iio: ad_sigma_delta: Implement a dedicated reset function")
SPI host drivers can use DMA to transfer data, so the buffer should be properly allocated.
Keeping it on the stack could cause undefined behavior.
The dedicated reset function solves this issue.
Signed-off-by: Stefan Popa <stefan.popa@analog.com>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/iio/adc/ad7192.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/staging/iio/adc/ad7192.c
+++ b/drivers/staging/iio/adc/ad7192.c
@@ -206,11 +206,9 @@ static int ad7192_setup(struct ad7192_st
struct iio_dev *indio_dev = spi_get_drvdata(st->sd.spi);
unsigned long long scale_uv;
int i, ret, id;
- u8 ones[6];
/* reset the serial interface */
- memset(&ones, 0xFF, 6);
- ret = spi_write(st->sd.spi, &ones, 6);
+ ret = ad_sd_reset(&st->sd, 48);
if (ret < 0)
goto out;
msleep(1); /* Wait for at least 500us */
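Review bot: `ad_sd_reset(&st->sd, 48)` preserves the old behaviour (48 bits is the six 0xFF bytes the removed `ones[6]` buffer carried) and takes the stack buffer out of the SPI path, but the helper only exists once 691c4b95d1 is in the tree, as the message notes; the 3.16 backport therefore has to carry that commit earlier in the series or this file will fail to build.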
* [PATCH 3.16 157/204] tun/tap: sanitize TUNSETSNDBUF input
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Craig Gallek, David S. Miller, Eric Dumazet
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Craig Gallek <kraig@google.com>
commit 93161922c658c714715686cd0cf69b090cb9bf1d upstream.
Syzkaller found several variants of the lockup below by setting negative
values with the TUNSETSNDBUF ioctl. This patch adds a sanity check
to both the tun and tap versions of this ioctl.
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [repro:2389]
Modules linked in:
irq event stamp: 329692056
hardirqs last enabled at (329692055): [<ffffffff824b8381>] _raw_spin_unlock_irqrestore+0x31/0x75
hardirqs last disabled at (329692056): [<ffffffff824b9e58>] apic_timer_interrupt+0x98/0xb0
softirqs last enabled at (35659740): [<ffffffff824bc958>] __do_softirq+0x328/0x48c
softirqs last disabled at (35659731): [<ffffffff811c796c>] irq_exit+0xbc/0xd0
CPU: 0 PID: 2389 Comm: repro Not tainted 4.14.0-rc7 #23
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880009452140 task.stack: ffff880006a20000
RIP: 0010:_raw_spin_lock_irqsave+0x11/0x80
RSP: 0018:ffff880006a27c50 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
RAX: ffff880009ac68d0 RBX: ffff880006a27ce0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff880006a27ce0 RDI: ffff880009ac6900
RBP: ffff880006a27c60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 000000000063ff00 R12: ffff880009ac6900
R13: ffff880006a27cf8 R14: 0000000000000001 R15: ffff880006a27cf8
FS: 00007f4be4838700(0000) GS:ffff88000cc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020101000 CR3: 0000000009616000 CR4: 00000000000006f0
Call Trace:
prepare_to_wait+0x26/0xc0
sock_alloc_send_pskb+0x14e/0x270
? remove_wait_queue+0x60/0x60
tun_get_user+0x2cc/0x19d0
? __tun_get+0x60/0x1b0
tun_chr_write_iter+0x57/0x86
__vfs_write+0x156/0x1e0
vfs_write+0xf7/0x230
SyS_write+0x57/0xd0
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f4be4356df9
RSP: 002b:00007ffc18101c08 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4be4356df9
RDX: 0000000000000046 RSI: 0000000020101000 RDI: 0000000000000005
RBP: 00007ffc18101c40 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000293 R12: 0000559c75f64780
R13: 00007ffc18101d30 R14: 0000000000000000 R15: 0000000000000000
Fixes: 33dccbb050bb ("tun: Limit amount of queued packets per device")
Fixes: 20d29d7a916a ("net: macvtap driver")
Signed-off-by: Craig Gallek <kraig@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/macvtap.c | 2 ++
drivers/net/tun.c | 4 ++++
2 files changed, 6 insertions(+)
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -1053,6 +1053,8 @@ static long macvtap_ioctl(struct file *f
case TUNSETSNDBUF:
if (get_user(s, sp))
return -EFAULT;
+ if (s <= 0)
+ return -EINVAL;
q->sk.sk_sndbuf = s;
return 0;
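Review bot: `if (s <= 0) return -EINVAL;` rejects zero as well as the negative values the commit message talks about, which is the safer choice given the sock_alloc_send_pskb() wait in the trace, but the message only mentions negative values and should say that zero is refused too; there is still no upper bound, which matches the tun side of the patch.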
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2054,6 +2054,10 @@ static long __tun_chr_ioctl(struct file
ret = -EFAULT;
break;
}
+ if (sndbuf <= 0) {
+ ret = -EINVAL;
+ break;
+ }
tun->sndbuf = sndbuf;
tun_set_sndbuf(tun);
* [PATCH 3.16 165/204] ocfs2: fstrim: Fix start offset of first cluster group during fstrim
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Mark Fasheh, Joseph Qi, Junxiao Bi,
Joel Becker, Ashish Samant
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ashish Samant <ashish.samant@oracle.com>
commit 105ddc93f06ebe3e553f58563d11ed63dbcd59f0 upstream.
The first cluster group descriptor is not stored at the start of the
group but at an offset from the start. We need to take this into
account while doing fstrim on the first cluster group. Otherwise we
will wrongly start fstrim a few blocks after the desired start block and
the range can cross over into the next cluster group and zero out the
group descriptor there. This can cause filesystem corruption that cannot
be fixed by fsck.
Link: http://lkml.kernel.org/r/1507835579-7308-1-git-send-email-ashish.samant@oracle.com
Signed-off-by: Ashish Samant <ashish.samant@oracle.com>
Reviewed-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ocfs2/alloc.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -7226,13 +7226,24 @@ out:
static int ocfs2_trim_extent(struct super_block *sb,
struct ocfs2_group_desc *gd,
- u32 start, u32 count)
+ u64 group, u32 start, u32 count)
{
u64 discard, bcount;
+ struct ocfs2_super *osb = OCFS2_SB(sb);
bcount = ocfs2_clusters_to_blocks(sb, count);
- discard = le64_to_cpu(gd->bg_blkno) +
- ocfs2_clusters_to_blocks(sb, start);
+ discard = ocfs2_clusters_to_blocks(sb, start);
+
+ /*
+ * For the first cluster group, the gd->bg_blkno is not at the start
+ * of the group, but at an offset from the start. If we add it while
+ * calculating discard for first group, we will wrongly start fstrim a
+ * few blocks after the desried start block and the range can cross
+ * over into the next cluster group. So, add it only if this is not
+ * the first cluster group.
+ */
+ if (group != osb->first_cluster_group_blkno)
+ discard += le64_to_cpu(gd->bg_blkno);
trace_ocfs2_trim_extent(sb, (unsigned long long)discard, bcount);
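Review bot: the new comment has a typo, "desried" for "desired". Otherwise the `group != osb->first_cluster_group_blkno` test relies on `group` being the group descriptor block number in the same units as first_cluster_group_blkno; the bare `u64 group` parameter does not say so, and a comment on it would help.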
@@ -7240,7 +7251,7 @@ static int ocfs2_trim_extent(struct supe
}
static int ocfs2_trim_group(struct super_block *sb,
- struct ocfs2_group_desc *gd,
+ struct ocfs2_group_desc *gd, u64 group,
u32 start, u32 max, u32 minbits)
{
int ret = 0, count = 0, next;
@@ -7259,7 +7270,7 @@ static int ocfs2_trim_group(struct super
next = ocfs2_find_next_bit(bitmap, max, start);
if ((next - start) >= minbits) {
- ret = ocfs2_trim_extent(sb, gd,
+ ret = ocfs2_trim_extent(sb, gd, group,
start, next - start);
if (ret < 0) {
mlog_errno(ret);
@@ -7357,7 +7368,8 @@ int ocfs2_trim_fs(struct super_block *sb
}
gd = (struct ocfs2_group_desc *)gd_bh->b_data;
- cnt = ocfs2_trim_group(sb, gd, first_bit, last_bit, minlen);
+ cnt = ocfs2_trim_group(sb, gd, group,
+ first_bit, last_bit, minlen);
brelse(gd_bh);
gd_bh = NULL;
if (cnt < 0) {
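Review bot: the `group` passed to ocfs2_trim_group() here comes from the enclosing ocfs2_trim_fs() loop, which is not in the hunk; please confirm it is the descriptor block number compared in ocfs2_trim_extent() rather than a group index, since the first-group test silently does nothing if the units differ.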
* [PATCH 3.16 102/204] usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Felipe Balbi, Kazuya Mizuguchi, Yoshihiro Shimoda
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
commit 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 upstream.
The DREQE bit of the DnFIFOSEL should be set to 1 after the DE bit of
USB-DMAC on R-Car SoCs is set to 1 after the USB-DMAC received a
zero-length packet. Otherwise, a transfer completion interruption
of USB-DMAC doesn't happen. Even if the driver changes the sequence,
normal operations (transmit/receive without zero-length packet) will
not cause any side-effects. So, this patch fixes the sequence anyway.
Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
[shimoda: revise the commit log]
Fixes: e73a9891b3a1 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/renesas_usbhs/fifo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -828,9 +828,9 @@ static void xfer_work(struct work_struct
dev_dbg(dev, " %s %d (%d/ %d)\n",
fifo->name, usbhs_pipe_number(pipe), pkt->length, pkt->zero);
- usbhsf_dma_start(pipe, fifo);
usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
dma_async_issue_pending(chan);
+ usbhsf_dma_start(pipe, fifo);
usbhs_pipe_enable(pipe);
xfer_work_end:
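Review bot: the reorder is purely positional and nothing in the code explains why usbhsf_dma_start() must now follow dma_async_issue_pending(); the DREQE-after-DE requirement from the commit message belongs in a comment next to the call so it survives future refactoring, since a simple tidy-up could put it back and silently lose the zero-length-packet completion interrupt.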
* [PATCH 3.16 107/204] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Haozhong Zhang, qemu-stable, Paolo Bonzini
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Haozhong Zhang <haozhong.zhang@intel.com>
commit 8eb3f87d903168bdbd1222776a6b1e281f50513e upstream.
When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
guest CR4. Before this CR4 loading, the guest CR4 refers to L2
CR4. Because these two CR4's are in different levels of guest, we
should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
is used to handle guest writes to its CR4, checks the guest change to
CR4 and may fail if the change is invalid.
The failure may cause trouble. Consider that we start
an L1 guest with non-zero L1 PCID in use,
(i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
and
an L2 guest with L2 PCID disabled,
(i.e. L2 CR4.PCIDE == 0)
and the following events may happen:
1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
into guest CR4 (in VMCS01) for the L2 to L1 exit, it will fail because
of the PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
vcpu->arch.cr4) is left at the value of L2 CR4.
2. Later, if L1 attempts to change its CR4, e.g., clearing the VMXE bit,
kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
CR3.PCID != 0, L0 KVM will inject a GP into the L1 guest.
Fixes: 4704d0befb072 ("KVM: nVMX: Exiting from L2 to L1")
Cc: qemu-stable@nongnu.org
Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/vmx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8670,7 +8670,7 @@ static void load_vmcs12_host_state(struc
* (KVM doesn't change it)- no reason to call set_cr4_guest_host_mask();
*/
vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
- kvm_set_cr4(vcpu, vmcs12->host_cr4);
+ vmx_set_cr4(vcpu, vmcs12->host_cr4);
nested_ept_uninit_mmu_context(vcpu);
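Review bot: switching kvm_set_cr4() to vmx_set_cr4() skips the guest-write validation as intended, but the call's return value is still discarded; if vmx_set_cr4() can refuse a value (for instance on the VMXE bit), a WARN_ON around the call would surface a bad vmcs12->host_cr4 instead of leaving vcpu->arch.cr4 silently inconsistent, which is the failure mode the message describes for the old path.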
* [PATCH 3.16 034/204] usb-storage: fix bogus hardware error messages for ATA pass-thru devices
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Kris Lindgren, Alan Stern, Ewan D. Milne,
Greg Kroah-Hartman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit a4fd4a724d6c30ad671046d83be2e9be2f11d275 upstream.
Ever since commit a621bac3044e ("scsi_lib: correctly retry failed zero
length REQ_TYPE_FS commands"), people have been getting bogus error
messages for USB disk drives using ATA pass-thru. For example:
[ 1344.880193] sd 6:0:0:0: [sdb] Attached SCSI disk
[ 1345.069152] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE
[ 1345.069159] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor]
[ 1345.069162] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information
[ 1345.069168] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(16) 85 06 20 00 00 00 00 00 00 00 00 00 00 00 e5 00
[ 1345.172252] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE
[ 1345.172258] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor]
[ 1345.172261] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information
[ 1345.172266] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(12)/Blank a1 06 20 da 00 00 4f c2 00 b0 00 00
These messages can be quite annoying, because programs like udisks2
provoke them every 10 minutes or so. Other programs can also have
this effect, such as those in smartmontools.
I don't fully understand how that commit induced the SCSI core to log
these error messages, but the underlying cause for them is code added
to usb-storage by commit f1a0743bc0e7 ("USB: storage: When a device
returns no sense data, call it a Hardware Error"). At the time it was
necessary to do this, in order to prevent an infinite retry loop with
some not-so-great mass storage devices.
However, the ATA pass-thru protocol uses SCSI sense data to return
command status values, and some devices always report Check Condition
status for ATA pass-thru commands to ensure that the host retrieves
the sense data, even if the command succeeded. This violates the USB
mass-storage protocol (Check Condition status is supposed to mean the
command failed), but we can't help that.
This patch attempts to mitigate the problem of these bogus error
reports by changing usb-storage. The HARDWARE ERROR sense key will be
inserted only for commands that aren't ATA pass-thru.
Thanks to Ewan Milne for pointing out that this mechanism was present
in usb-storage. 8 years after writing it, I had completely forgotten
its existence.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Kris Lindgren <kris.lindgren@gmail.com>
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1351305
CC: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/storage/transport.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/drivers/usb/storage/transport.c
+++ b/drivers/usb/storage/transport.c
@@ -808,12 +808,24 @@ Retry_Sense:
if (result == USB_STOR_TRANSPORT_GOOD) {
srb->result = SAM_STAT_GOOD;
srb->sense_buffer[0] = 0x0;
+ }
+
+ /*
+ * ATA-passthru commands use sense data to report
+ * the command completion status, and often devices
+ * return Check Condition status when nothing is
+ * wrong.
+ */
+ else if (srb->cmnd[0] == ATA_16 ||
+ srb->cmnd[0] == ATA_12) {
+ /* leave the data alone */
+ }
/* If there was a problem, report an unspecified
* hardware error to prevent the higher layers from
* entering an infinite retry loop.
*/
- } else {
+ else {
srb->result = DID_ERROR << 16;
if ((sshdr.response_code & 0x72) == 0x72)
srb->sense_buffer[1] = HARDWARE_ERROR;
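Review bot: the new `else if (srb->cmnd[0] == ATA_16 || srb->cmnd[0] == ATA_12)` branch leaves srb->result as the transport set it, which is what lets the Check Condition sense data reach the ATA pass-thru layer; the hunk adds no include, so ATA_16/ATA_12 must already be visible in transport.c and the 3.16 build should be checked. Style: a comment block sitting between `}` and `else` is legal but easy to misread; placing each comment inside its own branch would be clearer.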
* [PATCH 3.16 081/204] ALSA: usx2y: Suppress kernel warning at page allocation failures
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Andrey Konovalov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 7682e399485fe19622b6fd82510b1f4551e48a25 upstream.
The usx2y driver allocates the stream read/write buffers in continuous
pages depending on the stream setup, and this may spew the kernel
warning messages with a stack trace like:
WARNING: CPU: 1 PID: 1846 at mm/page_alloc.c:3883
__alloc_pages_slowpath+0x1ef2/0x2d70
Modules linked in:
CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
....
It may confuse users as if it were a serious error, although this is
not a fatal error and the driver handles the error case gracefully.
Since the driver already has a sanity check of the given size (128
and 256 pages), it can't pass any crazy value. So it's merely page
fragmentation.
This patch adds __GFP_NOWARN to each caller for suppressing such
kernel warnings. The original issue was spotted by syzkaller.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/usb/usx2y/usb_stream.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/sound/usb/usx2y/usb_stream.c
+++ b/sound/usb/usx2y/usb_stream.c
@@ -191,7 +191,8 @@ struct usb_stream *usb_stream_new(struct
}
pg = get_order(read_size);
- sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
+ sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
+ __GFP_NOWARN, pg);
if (!sk->s) {
snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
goto out;
@@ -211,7 +212,8 @@ struct usb_stream *usb_stream_new(struct
pg = get_order(write_size);
sk->write_page =
- (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
+ (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
+ __GFP_NOWARN, pg);
if (!sk->write_page) {
snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
usb_stream_free(sk);
* [PATCH 3.16 133/204] pci_ids: Add PCI device IDs for F15h M60h
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Aravind Gopalakrishnan, Borislav Petkov, Bjorn Helgaas
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>
commit 4cbbdb51cc921f95978360fd7a0652d493dadc3e upstream.
Add F3, F4 device IDs to be used in amd_nb.c and amd64_edac.c
Signed-off-by: Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Link: http://lkml.kernel.org/r/1411070195-10177-1-git-send-email-Aravind.Gopalakrishnan@amd.com
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/pci_ids.h | 2 ++
1 file changed, 2 insertions(+)
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -520,6 +520,8 @@
#define PCI_DEVICE_ID_AMD_15H_M10H_F3 0x1403
#define PCI_DEVICE_ID_AMD_15H_M30H_NB_F3 0x141d
#define PCI_DEVICE_ID_AMD_15H_M30H_NB_F4 0x141e
+#define PCI_DEVICE_ID_AMD_15H_M60H_NB_F3 0x1573
+#define PCI_DEVICE_ID_AMD_15H_M60H_NB_F4 0x1574
#define PCI_DEVICE_ID_AMD_15H_NB_F0 0x1600
#define PCI_DEVICE_ID_AMD_15H_NB_F1 0x1601
#define PCI_DEVICE_ID_AMD_15H_NB_F2 0x1602
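Review bot: the two new defines are inserted in numerical order between 0x141e and 0x1600 and follow the `_NB_F3`/`_NB_F4` naming of the M30H entries, so the header stays consistent; the commit message says they are for amd_nb.c and amd64_edac.c, but this backport touches only pci_ids.h, so the users must come from other patches in the series, which the bwh note should mention.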
* [PATCH 3.16 043/204] iio: ad7793: Fix the serial interface reset
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Lars-Peter Clausen, Jonathan Cameron, Dragos Bogdan
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dragos Bogdan <dragos.bogdan@analog.com>
commit 7ee3b7ebcb74714df6d94c8f500f307e1ee5dda5 upstream.
The serial interface can be reset by writing 32 consecutive 1s to the device.
'ret' was initialized correctly but its value was overwritten when
ad7793_check_platform_data() was called. Since a dedicated reset function
is present now, it should be used instead.
Fixes: 2edb769d246e ("iio:ad7793: Add support for the ad7798 and ad7799")
Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iio/adc/ad7793.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/ad7793.c
+++ b/drivers/iio/adc/ad7793.c
@@ -257,7 +257,7 @@ static int ad7793_setup(struct iio_dev *
unsigned int vref_mv)
{
struct ad7793_state *st = iio_priv(indio_dev);
- int i, ret = -1;
+ int i, ret;
unsigned long long scale_uv;
u32 id;
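Review bot: Dropping the `= -1` initializer leaves `ret` unset at declaration, which is safe only because every path to the `return ret` in the next hunk's context assigns it first (the ad7793_check_platform_data() call the commit message refers to); confirm no early path skips that assignment, since the old initializer was masking exactly this kind of question.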
@@ -266,7 +266,7 @@ static int ad7793_setup(struct iio_dev *
return ret;
/* reset the serial interface */
- ret = spi_write(st->sd.spi, (u8 *)&ret, sizeof(ret));
+ ret = ad_sd_reset(&st->sd, 32);
if (ret < 0)
goto out;
usleep_range(500, 2000); /* Wait for at least 500us */
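Review bot: The removed line is the real defect: `spi_write(st->sd.spi, (u8 *)&ret, sizeof(ret))` transmitted the bytes of `ret`, which by then held the 0 returned by ad7793_check_platform_data(), so the device saw 32 zero bits rather than the 32 ones the reset requires, and it did so from a stack variable rather than a DMA-safe buffer. The replacement depends on ad_sd_reset() from "iio: ad_sigma_delta: Implement a dedicated reset function" (042/204 in this series) being applied first; keep that ordering in the stable queue.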
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Xin Long, Jianlin Shi, David S. Miller
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit f8d20b46ce55cf40afb30dcef6d9288f7ef46d9b upstream.
The similar fix in patch 'ipip: only increase err_count for some
certain type icmp in ipip_err' is needed for ip6gre_err.
In Jianlin's case, udp netperf broke even when receiving a TooBig
icmpv6 packet.
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv6/ip6_gre.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -406,13 +406,16 @@ static void ip6gre_err(struct sk_buff *s
case ICMPV6_DEST_UNREACH:
net_dbg_ratelimited("%s: Path to destination invalid or inactive!\n",
t->parms.name);
- break;
+ if (code != ICMPV6_PORT_UNREACH)
+ break;
+ return;
case ICMPV6_TIME_EXCEED:
if (code == ICMPV6_EXC_HOPLIMIT) {
net_dbg_ratelimited("%s: Too small hop limit or routing loop in tunnel!\n",
t->parms.name);
+ break;
}
- break;
+ return;
case ICMPV6_PARAMPROB:
teli = 0;
if (code == ICMPV6_HDR_FIELD)
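Review bot: The break/return split here reads inverted from the usual idiom and deserves a comment: `break` falls out of the switch to the err_count update below, while `return` leaves err_count untouched. So for ICMPV6_DEST_UNREACH only codes other than ICMPV6_PORT_UNREACH are counted, and for ICMPV6_TIME_EXCEED only ICMPV6_EXC_HOPLIMIT is. Note also that the DEST_UNREACH debug message is still emitted for every code before the code check.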
@@ -428,13 +431,13 @@ static void ip6gre_err(struct sk_buff *s
net_dbg_ratelimited("%s: Recipient unable to parse tunneled packet!\n",
t->parms.name);
}
- break;
+ return;
case ICMPV6_PKT_TOOBIG:
mtu = be32_to_cpu(info) - offset;
if (mtu < IPV6_MIN_MTU)
mtu = IPV6_MIN_MTU;
t->dev->mtu = mtu;
- break;
+ return;
}
if (time_before(jiffies, t->err_time + IP6TUNNEL_ERR_TIMEO))
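Review bot: ICMPV6_PKT_TOOBIG now updates the tunnel MTU and returns without bumping err_count, which is the udp netperf case in the commit message, and ICMPV6_PARAMPROB likewise stops counting. No `default:` label is visible in either hunk, so any ICMPv6 type not listed still reaches the err_count path through the end of the switch; a short comment above the switch stating which types are meant to count would make that intent checkable.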
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Andrey Konovalov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit ea04efee7635c9120d015dcdeeeb6988130cb67a upstream.
Before trying to use the CDC union descriptor, try to validate whether it
is sane by checking that intf->altsetting->extra is big enough and that the
descriptor bLength is not too big and not too small.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/misc/ims-pcu.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_in
return NULL;
}
- while (buflen > 0) {
+ while (buflen >= sizeof(*union_desc)) {
union_desc = (struct usb_cdc_union_desc *)buf;
+ if (union_desc->bLength > buflen) {
+ dev_err(&intf->dev, "Too large descriptor\n");
+ return NULL;
+ }
+
if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE &&
union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) {
dev_dbg(&intf->dev, "Found union header\n");
- return union_desc;
+
+ if (union_desc->bLength >= sizeof(*union_desc))
+ return union_desc;
+
+ dev_err(&intf->dev,
+ "Union descriptor to short (%d vs %zd\n)",
+ union_desc->bLength, sizeof(*union_desc));
+ return NULL;
}
buflen -= union_desc->bLength;
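Review bot: A device-supplied descriptor with bLength == 0 passes the new `bLength > buflen` check, is not a union descriptor, and then `buflen -= union_desc->bLength` leaves buflen unchanged, so the loop never advances; reject a bLength smaller than the two-byte descriptor header at the top of the loop, e.g. `if (union_desc->bLength < sizeof(struct usb_descriptor_header)) return NULL;` (struct usb_descriptor_header is the USB core's generic header type). Separately, the error string `"Union descriptor to short (%d vs %zd\n)"` has a typo ("too short") and places the newline inside the closing parenthesis; it should read `"Union descriptor too short (%d vs %zd)\n"`.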
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Steffen Klassert, Jonathan Basseri
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Basseri <misterikkit@google.com>
commit 2b06cdf3e688b98fcc9945873b5d42792bd4eee0 upstream.
If a socket has a valid dst cache, then xfrm_lookup_route will get
skipped. However, the cache is not invalidated when applying policy to a
socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are
sometimes ignored on those sockets. (Note: This was broken for IPv4 and
IPv6 at different times.)
This can be demonstrated like so,
1. Create UDP socket.
2. connect() the socket.
3. Apply an outbound XFRM policy to the socket. (setsockopt)
4. send() data on the socket.
Packets will continue to be sent in the clear instead of matching an
xfrm or returning a no-match error (EAGAIN). This affects calls to
send() and not sendto().
Invalidating the sk_dst_cache is necessary to correctly apply xfrm
policies. Since we do this in xfrm_user_policy(), the sk_lock was
already acquired in either do_ip_setsockopt() or do_ipv6_setsockopt(),
and we may call __sk_dst_reset().
Performance impact should be negligible, since this code is only called
when changing xfrm policy, and only affects the socket in question.
Fixes: 00bc0ef5880d ("ipv6: Skip XFRM lookup if dst_entry in socket cache is valid")
Tested: https://android-review.googlesource.com/517555
Tested: https://android-review.googlesource.com/418659
Signed-off-by: Jonathan Basseri <misterikkit@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1877,6 +1877,7 @@ int xfrm_user_policy(struct sock *sk, in
if (err >= 0) {
xfrm_sk_policy_insert(sk, err, pol);
xfrm_pol_put(pol);
+ __sk_dst_reset(sk);
err = 0;
}
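Review bot: __sk_dst_reset() requires the socket lock, and the justification that do_ip_setsockopt()/do_ipv6_setsockopt() already hold it lives only in the commit message; a one-line comment at the call site, or a `WARN_ON_ONCE(!sock_owned_by_user(sk))` check, would keep that invariant visible to anyone who later calls xfrm_user_policy() from a new path. Placing the reset on the success branch only, after xfrm_sk_policy_insert(), is right: a failed setsockopt leaves the cached route untouched.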
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jonathan Cameron, Colin Ian King
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.king@canonical.com>
commit 13ffe9a26df4e156363579b25c904dd0b1e31bfb upstream.
The current shift of st->rx[2] left shifts a u8 24 bits left,
promotes the integer to an int and then to an unsigned u64. If
the top bit of st->rx[2] is set then we end up with all the upper
bits being set to 1. Fix this by casting st->rx[2] to a u64 before
the 24 bit left shift.
Detected by CoverityScan CID#144940 ("Unintended sign extension")
Fixes: 2919fa54ef64 ("staging: iio: meter: new driver for ADE7759 devices")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/iio/meter/ade7759.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/iio/meter/ade7759.c
+++ b/drivers/staging/iio/meter/ade7759.c
@@ -124,7 +124,7 @@ static int ade7759_spi_read_reg_40(struc
reg_address);
goto error_ret;
}
- *val = ((u64)st->rx[1] << 32) | (st->rx[2] << 24) |
+ *val = ((u64)st->rx[1] << 32) | ((u64)st->rx[2] << 24) |
(st->rx[3] << 16) | (st->rx[4] << 8) | st->rx[5];
error_ret:
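Review bot: The cast covers the only term that can reach bit 31 of an int: `st->rx[2] << 24` with bit 7 set yields a negative int, which then sign-extends when widened to the u64 result. The remaining terms (`st->rx[3] << 16`, `st->rx[4] << 8`, `st->rx[5]`) are also int-promoted but cannot set bit 31, so they are correct as written; casting them to u64 too would be a consistency nicety rather than a fix.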
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Herbert Xu, security, Jason A. Donenfeld,
Kirill Marinushkin, Eric Biggers, David Howells
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
commit 910801809b2e40a4baedd080ef5d80b4a180e70e upstream.
Error paths forgot to zero out sensitive material, so this patch changes
some kfrees into kzfrees.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
Cc: security@kernel.org
[bwh: Backported to 3.16: there's only one kfree() to change]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/big_key.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/security/keys/big_key.c
+++ b/security/keys/big_key.c
@@ -135,7 +135,7 @@ void big_key_destroy(struct key *key)
path->mnt = NULL;
path->dentry = NULL;
} else {
- kfree(key->payload.data);
+ kzfree(key->payload.data);
key->payload.data = NULL;
}
}
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Dragos Bogdan, Lars-Peter Clausen, Jonathan Cameron
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dragos Bogdan <dragos.bogdan@analog.com>
commit 7fc10de8d49a748c476532c9d8e8fe19e548dd67 upstream.
Since most of the SD ADCs have the option of resetting the serial
interface by sending a number of SCLKs with CS = 0 and DIN = 1,
a dedicated function that can do this is useful.
Needed for the patch: iio: ad7793: Fix the serial interface reset
Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iio/adc/ad_sigma_delta.c | 28 ++++++++++++++++++++++++++++
include/linux/iio/adc/ad_sigma_delta.h | 3 +++
2 files changed, 31 insertions(+)
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -177,6 +177,34 @@ out:
}
EXPORT_SYMBOL_GPL(ad_sd_read_reg);
+/**
+ * ad_sd_reset() - Reset the serial interface
+ *
+ * @sigma_delta: The sigma delta device
+ * @reset_length: Number of SCLKs with DIN = 1
+ *
+ * Returns 0 on success, an error code otherwise.
+ **/
+int ad_sd_reset(struct ad_sigma_delta *sigma_delta,
+ unsigned int reset_length)
+{
+ uint8_t *buf;
+ unsigned int size;
+ int ret;
+
+ size = DIV_ROUND_UP(reset_length, 8);
+ buf = kcalloc(size, sizeof(*buf), GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ memset(buf, 0xff, size);
+ ret = spi_write(sigma_delta->spi, buf, size);
+ kfree(buf);
+
+ return ret;
+}
+EXPORT_SYMBOL_GPL(ad_sd_reset);
+
static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
unsigned int mode, unsigned int channel)
{
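Review bot: kcalloc() zeroes the buffer and `memset(buf, 0xff, size)` immediately overwrites it, so kmalloc() would do; keep the heap allocation though, since the SPI core requires a DMA-safe buffer and a stack array would not qualify. When reset_length is not a multiple of 8, DIV_ROUND_UP rounds the byte count up, so up to 7 extra 1 bits are clocked out beyond the requested count; the kernel-doc ("Number of SCLKs with DIN = 1") should say the value is rounded up to whole bytes.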
--- a/include/linux/iio/adc/ad_sigma_delta.h
+++ b/include/linux/iio/adc/ad_sigma_delta.h
@@ -111,6 +111,9 @@ int ad_sd_write_reg(struct ad_sigma_delt
int ad_sd_read_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
unsigned int size, unsigned int *val);
+int ad_sd_reset(struct ad_sigma_delta *sigma_delta,
+ unsigned int reset_length);
+
int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
const struct iio_chan_spec *chan, int *val);
int ad_sd_calibrate_all(struct ad_sigma_delta *sigma_delta,
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Rusty Russell, Jean Delvare
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jean Delvare <jdelvare@suse.de>
commit 630cc2b30a42c70628368a412beb4a5e5dd71abe upstream.
This parameter is named kp, so the documentation should use that.
Fixes: 9b473de87209 ("param: Fix duplicate module prefixes")
Link: http://lkml.kernel.org/r/20170919142656.64aea59e@endymion
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Acked-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/params.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -581,7 +581,7 @@ EXPORT_SYMBOL(__kernel_param_unlock);
/*
* add_sysfs_param - add a parameter to sysfs
* @mk: struct module_kobject
- * @kparam: the actual parameter definition to add to sysfs
+ * @kp: the actual parameter definition to add to sysfs
* @name: name of parameter
*
* Create a kobject if for a (per-module) parameter if mp NULL, and
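Review bot: While this comment block is being corrected, the trailing context line `Create a kobject if for a (per-module) parameter if mp NULL` has a stray `if` and refers to `mp`, which is not one of the documented parameters (@mk, @kp, @name); it looks like the same kind of name drift this patch fixes and could be cleaned up in the same change.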
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware), Tahsin Erdogan
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tahsin Erdogan <tahsin@google.com>
commit 75df6e688ccd517e339a7c422ef7ad73045b18a2 upstream.
When reading data from trace_pipe, tracing_wait_pipe() performs a
check to see if tracing has been turned off after some data was read.
Currently, this check always looks at global trace state, but it
should be checking the trace instance in which trace_pipe is located.
Because of this bug, cat instances/i1/trace_pipe in the following
script will immediately exit instead of waiting for data:
cd /sys/kernel/debug/tracing
echo 0 > tracing_on
mkdir -p instances/i1
echo 1 > instances/i1/tracing_on
echo 1 > instances/i1/events/sched/sched_process_exec/enable
cat instances/i1/trace_pipe
Link: http://lkml.kernel.org/r/20170917102348.1615-1-tahsin@google.com
Fixes: 10246fa35d4f ("tracing: give easy way to clear trace buffer")
Signed-off-by: Tahsin Erdogan <tahsin@google.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/trace/trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4414,7 +4414,7 @@ static int tracing_wait_pipe(struct file
*
* iter->pos will be 0 if we haven't read anything.
*/
- if (!tracing_is_on() && iter->pos)
+ if (!tracer_tracing_is_on(iter->tr) && iter->pos)
break;
mutex_unlock(&iter->mutex);
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Andrew Gabbasov, Felipe Balbi
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
commit aec17e1e249567e82b26dafbb86de7d07fde8729 upstream.
KASAN enabled configuration reports an error
BUG: KASAN: use-after-free in usb_composite_overwrite_options+...
[libcomposite] at addr ...
Read of size 1 by task ...
when some driver is un-bound and then bound again.
For example, this happens with FunctionFS driver when "ffs-test"
test application is run several times in a row.
If the driver has an empty manufacturer ID string in its initial static data,
it is then replaced with a generated string. After driver unbinding
the generated string is freed, but the driver data still keeps that
pointer. And if the driver is then bound again, that pointer
is re-used for the string emptiness check.
The fix is to clean up the driver string data upon its unbinding
to drop the pointer to freed memory.
Fixes: cc2683c318a5 ("usb: gadget: Provide a default implementation of default manufacturer string")
Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/gadget/composite.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1815,6 +1815,8 @@ static DEVICE_ATTR_RO(suspended);
static void __composite_unbind(struct usb_gadget *gadget, bool unbind_driver)
{
struct usb_composite_dev *cdev = get_gadget_data(gadget);
+ struct usb_gadget_strings *gstr = cdev->driver->strings[0];
+ struct usb_string *dev_str = gstr->strings;
/* composite_disconnect() must already have been called
* by the underlying peripheral controller driver!
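Review bot: `cdev->driver->strings[0]` and `gstr->strings` are dereferenced unconditionally at declaration time, so a composite driver whose `strings` table is NULL, or whose first entry is NULL, would oops in __composite_unbind() rather than unbind cleanly; guard the lookup (`if (gstr) dev_str = gstr->strings;`) and make the later comparison conditional on dev_str being non-NULL.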
@@ -1834,6 +1836,9 @@ static void __composite_unbind(struct us
composite_dev_cleanup(cdev);
+ if (dev_str[USB_GADGET_MANUFACTURER_IDX].s == cdev->def_manufacturer)
+ dev_str[USB_GADGET_MANUFACTURER_IDX].s = "";
+
kfree(cdev->def_manufacturer);
kfree(cdev);
set_gadget_data(gadget, NULL);
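Review bot: The pointer comparison runs before `kfree(cdev->def_manufacturer)`, which is the right order; resetting the static table entry to "" rather than NULL matches the "empty string" condition the commit message says triggers regeneration on the next bind, so a rebind sees a fresh generated string instead of the freed one.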
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Andrey Konovalov, Greg Kroah-Hartman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Konovalov <andreyknvl@google.com>
commit 70e743e4cec3733dc13559f6184b35d358b9ef3f upstream.
hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no
check for that, which results in a WARNING in USB core code, when a bad
USB descriptor is provided from a device:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0
Modules linked in:
CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: ffff88006bdc1a00 task.stack: ffff88006bde8000
RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282
RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000
RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a
RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff
R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f
R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90
FS: 0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0
Call Trace:
hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710
uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361
hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858
usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:385
driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
__device_attach_driver+0x230/0x290 drivers/base/dd.c:625
bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
__device_attach+0x269/0x3c0 drivers/base/dd.c:682
device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
device_add+0xcf9/0x1640 drivers/base/core.c:1703
usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:385
driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
__device_attach_driver+0x230/0x290 drivers/base/dd.c:625
bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
__device_attach+0x269/0x3c0 drivers/base/dd.c:682
device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
device_add+0xcf9/0x1640 drivers/base/core.c:1703
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4890
hub_port_connect_change drivers/usb/core/hub.c:4996
port_event drivers/usb/core/hub.c:5102
hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182
process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
kthread+0x324/0x3f0 kernel/kthread.c:231
ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89
e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f>
ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6
---[ end trace 55d741234124cfc3 ]---
Check that endpoint is interrupt.
Found by syzkaller.
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/uwb/hwa-rc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/uwb/hwa-rc.c
+++ b/drivers/uwb/hwa-rc.c
@@ -827,6 +827,8 @@ static int hwarc_probe(struct usb_interf
if (iface->cur_altsetting->desc.bNumEndpoints < 1)
return -ENODEV;
+ if (!usb_endpoint_xfer_int(&iface->cur_altsetting->endpoint[0].desc))
+ return -ENODEV;
result = -ENOMEM;
uwb_rc = uwb_rc_alloc();
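Review bot: usb_endpoint_xfer_int() checks the transfer type only; if hwarc_neep_init() submits this endpoint as an IN interrupt pipe (the trace shows the failure in usb_submit_urb() from hwarc_neep_init()), usb_endpoint_is_int_in() would additionally reject a descriptor with the wrong direction bit, which the current check lets through. Both helpers are standard USB core API.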
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
commit 9f775ead5e570e7e19015b9e4e2f3dd6e71a5935 upstream.
The l2tp_eth module crashes if its netlink callbacks are run when the
pernet data aren't initialised.
We should normally register_pernet_device() before the genl callbacks.
However, the pernet data only maintain a list of l2tpeth interfaces,
and this list is never used. So let's just drop pernet handling
instead.
Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_eth.c | 51 ++-------------------------------------------------
1 file changed, 2 insertions(+), 49 deletions(-)
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -41,7 +41,6 @@ struct l2tp_eth {
struct net_device *dev;
struct sock *tunnel_sock;
struct l2tp_session *session;
- struct list_head list;
atomic_long_t tx_bytes;
atomic_long_t tx_packets;
atomic_long_t tx_dropped;
@@ -55,17 +54,6 @@ struct l2tp_eth_sess {
struct net_device *dev;
};
-/* per-net private data for this module */
-static unsigned int l2tp_eth_net_id;
-struct l2tp_eth_net {
- struct list_head l2tp_eth_dev_list;
- spinlock_t l2tp_eth_lock;
-};
-
-static inline struct l2tp_eth_net *l2tp_eth_pernet(struct net *net)
-{
- return net_generic(net, l2tp_eth_net_id);
-}
static struct lock_class_key l2tp_eth_tx_busylock;
static int l2tp_eth_dev_init(struct net_device *dev)
@@ -81,12 +69,6 @@ static int l2tp_eth_dev_init(struct net_
static void l2tp_eth_dev_uninit(struct net_device *dev)
{
- struct l2tp_eth *priv = netdev_priv(dev);
- struct l2tp_eth_net *pn = l2tp_eth_pernet(dev_net(dev));
-
- spin_lock(&pn->l2tp_eth_lock);
- list_del_init(&priv->list);
- spin_unlock(&pn->l2tp_eth_lock);
dev_put(dev);
}
@@ -216,7 +198,6 @@ static int l2tp_eth_create(struct net *n
struct l2tp_eth *priv;
struct l2tp_eth_sess *spriv;
int rc;
- struct l2tp_eth_net *pn;
if (cfg->ifname) {
dev = dev_get_by_name(net, cfg->ifname);
@@ -251,7 +232,6 @@ static int l2tp_eth_create(struct net *n
priv = netdev_priv(dev);
priv->dev = dev;
priv->session = session;
- INIT_LIST_HEAD(&priv->list);
priv->tunnel_sock = tunnel->sock;
session->recv_skb = l2tp_eth_dev_recv;
@@ -272,10 +252,6 @@ static int l2tp_eth_create(struct net *n
strlcpy(session->ifname, dev->name, IFNAMSIZ);
dev_hold(dev);
- pn = l2tp_eth_pernet(dev_net(dev));
- spin_lock(&pn->l2tp_eth_lock);
- list_add(&priv->list, &pn->l2tp_eth_dev_list);
- spin_unlock(&pn->l2tp_eth_lock);
return 0;
@@ -288,22 +264,6 @@ out:
return rc;
}
-static __net_init int l2tp_eth_init_net(struct net *net)
-{
- struct l2tp_eth_net *pn = net_generic(net, l2tp_eth_net_id);
-
- INIT_LIST_HEAD(&pn->l2tp_eth_dev_list);
- spin_lock_init(&pn->l2tp_eth_lock);
-
- return 0;
-}
-
-static struct pernet_operations l2tp_eth_net_ops = {
- .init = l2tp_eth_init_net,
- .id = &l2tp_eth_net_id,
- .size = sizeof(struct l2tp_eth_net),
-};
-
static const struct l2tp_nl_cmd_ops l2tp_eth_nl_cmd_ops = {
.session_create = l2tp_eth_create,
@@ -317,25 +277,18 @@ static int __init l2tp_eth_init(void)
err = l2tp_nl_register_ops(L2TP_PWTYPE_ETH, &l2tp_eth_nl_cmd_ops);
if (err)
- goto out;
-
- err = register_pernet_device(&l2tp_eth_net_ops);
- if (err)
- goto out_unreg;
+ goto err;
pr_info("L2TP ethernet pseudowire support (L2TPv3)\n");
return 0;
-out_unreg:
- l2tp_nl_unregister_ops(L2TP_PWTYPE_ETH);
-out:
+err:
return err;
}
static void __exit l2tp_eth_exit(void)
{
- unregister_pernet_device(&l2tp_eth_net_ops);
l2tp_nl_unregister_ops(L2TP_PWTYPE_ETH);
}
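Review bot: With the pernet registration gone, the `err:` label only returns `err`, so `goto err` can become `return err;` and the label dropped; also check whether the header providing net_generic() is still needed now that l2tp_eth_pernet() and `l2tp_eth_net_id` have been removed.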
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, H. Peter Anvin, Peter Zijlstra, Linus Torvalds,
Thomas Gleixner, Ingo Molnar, Andy Lutomirski
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 7c4788950ba5922fde976d80b72baf46f14dee8d upstream.
I recently encountered wreckage because access_ok() was used where it
should not be; add an explicit WARN when access_ok() is used wrongly.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
- Adjust filename
- Include <linux/preempt_mask.h> in <asm/uaccess.h> since it's not included by
<linux/uaccess.h>]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/uaccess.h | 13 +++++++++++--
include/linux/preempt_mask.h | 21 +++++++++++++--------
2 files changed, 24 insertions(+), 10 deletions(-)
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -7,6 +7,7 @@
#include <linux/compiler.h>
#include <linux/thread_info.h>
#include <linux/string.h>
+#include <linux/preempt_mask.h>
#include <asm/asm.h>
#include <asm/page.h>
#include <asm/smap.h>
@@ -66,6 +67,12 @@ static inline bool __chk_range_not_ok(un
__chk_range_not_ok((unsigned long __force)(addr), size, limit); \
})
+#ifdef CONFIG_DEBUG_ATOMIC_SLEEP
+# define WARN_ON_IN_IRQ() WARN_ON_ONCE(!in_task())
+#else
+# define WARN_ON_IN_IRQ()
+#endif
+
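Review bot: a short comment above the `#ifdef CONFIG_DEBUG_ATOMIC_SLEEP` block would document why access_ok() from non-task context is wrong, since the commit message only says "wreckage"; defining WARN_ON_IN_IRQ() as empty in the else branch is right, as callers then compile identically either way. Note that WARN_ON_ONCE() fires for the first offender only, so a second misuse at a different call site stays silent once the first has warned; that is the usual trade-off, but it belongs in the comment too.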
/**
* access_ok: - Checks if a user space pointer is valid
* @type: Type of access: %VERIFY_READ or %VERIFY_WRITE. Note that
@@ -85,8 +92,11 @@ static inline bool __chk_range_not_ok(un
* checks that the pointer is in the user space range - after calling
* this function, memory access functions may still return -EFAULT.
*/
-#define access_ok(type, addr, size) \
- likely(!__range_not_ok(addr, size, user_addr_max()))
+#define access_ok(type, addr, size) \
+({ \
+ WARN_ON_IN_IRQ(); \
+ likely(!__range_not_ok(addr, size, user_addr_max())); \
+})
/*
* The exception table consists of pairs of addresses relative to the
--- a/include/linux/preempt_mask.h
+++ b/include/linux/preempt_mask.h
@@ -57,19 +57,24 @@
/*
* Are we doing bottom half or hardware interrupt processing?
- * Are we in a softirq context? Interrupt context?
- * in_softirq - Are we currently processing softirq or have bh disabled?
- * in_serving_softirq - Are we currently processing softirq?
+ *
+ * in_irq() - We're in (hard) IRQ context
+ * in_softirq() - We have BH disabled, or are processing softirqs
+ * in_interrupt() - We're in NMI,IRQ,SoftIRQ context or have BH disabled
+ * in_serving_softirq() - We're in softirq context
+ * in_nmi() - We're in NMI context
+ * in_task() - We're in task context
+ *
+ * Note: due to the BH disabled confusion: in_softirq(),in_interrupt() really
+ * should not be used in new code.
*/
#define in_irq() (hardirq_count())
#define in_softirq() (softirq_count())
#define in_interrupt() (irq_count())
#define in_serving_softirq() (softirq_count() & SOFTIRQ_OFFSET)
-
-/*
- * Are we in NMI context?
- */
-#define in_nmi() (preempt_count() & NMI_MASK)
+#define in_nmi() (preempt_count() & NMI_MASK)
+#define in_task() (!(preempt_count() & \
+ (NMI_MASK | HARDIRQ_MASK | SOFTIRQ_OFFSET)))
/*
* The preempt_count offset after preempt_disable();
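Review bot: in_task() is built from SOFTIRQ_OFFSET rather than a full softirq mask, so code running with BH disabled via local_bh_disable() still counts as task context while actual softirq processing does not; that matches the "in_softirq() - We have BH disabled, or are processing softirqs" line of the new comment but is subtle enough to deserve a one-line comment next to the definition. Minor: "NMI,IRQ,SoftIRQ" and "in_softirq(),in_interrupt()" in the comment would read better with spaces after the commas.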
* [PATCH 3.16 038/204] USB: g_mass_storage: Fix deadlock when driver is unbound
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Michal Nazarewicz, Felipe Balbi, Greg Kroah-Hartman,
Alan Stern
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 1fbbb78f25d1291274f320462bf6908906f538db upstream.
As a holdover from the old g_file_storage gadget, the g_mass_storage
legacy gadget driver attempts to unregister itself when its main
operating thread terminates (if it hasn't been unregistered already).
This is not strictly necessary; it was never more than an attempt to
have the gadget fail cleanly if something went wrong and the main
thread was killed.
However, now that the UDC core manages gadget drivers independently of
UDC drivers, this scheme doesn't work any more. A simple test:
modprobe dummy-hcd
modprobe g-mass-storage file=...
rmmod dummy-hcd
ends up in a deadlock with the following backtrace:
sysrq: SysRq : Show Blocked State
task PC stack pid father
file-storage D 0 1130 2 0x00000000
Call Trace:
__schedule+0x53e/0x58c
schedule+0x6e/0x77
schedule_preempt_disabled+0xd/0xf
__mutex_lock.isra.1+0x129/0x224
? _raw_spin_unlock_irqrestore+0x12/0x14
__mutex_lock_slowpath+0x12/0x14
mutex_lock+0x28/0x2b
usb_gadget_unregister_driver+0x29/0x9b [udc_core]
usb_composite_unregister+0x10/0x12 [libcomposite]
msg_cleanup+0x1d/0x20 [g_mass_storage]
msg_thread_exits+0xd/0xdd7 [g_mass_storage]
fsg_main_thread+0x1395/0x13d6 [usb_f_mass_storage]
? __schedule+0x573/0x58c
kthread+0xd9/0xdb
? do_set_interface+0x25c/0x25c [usb_f_mass_storage]
? init_completion+0x1e/0x1e
ret_from_fork+0x19/0x24
rmmod D 0 1155 683 0x00000000
Call Trace:
__schedule+0x53e/0x58c
schedule+0x6e/0x77
schedule_timeout+0x26/0xbc
? __schedule+0x573/0x58c
do_wait_for_common+0xb3/0x128
? usleep_range+0x81/0x81
? wake_up_q+0x3f/0x3f
wait_for_common+0x2e/0x45
wait_for_completion+0x17/0x19
fsg_common_put+0x34/0x81 [usb_f_mass_storage]
fsg_free_inst+0x13/0x1e [usb_f_mass_storage]
usb_put_function_instance+0x1a/0x25 [libcomposite]
msg_unbind+0x2a/0x42 [g_mass_storage]
__composite_unbind+0x4a/0x6f [libcomposite]
composite_unbind+0x12/0x14 [libcomposite]
usb_gadget_remove_driver+0x4f/0x77 [udc_core]
usb_del_gadget_udc+0x52/0xcc [udc_core]
dummy_udc_remove+0x27/0x2c [dummy_hcd]
platform_drv_remove+0x1d/0x31
device_release_driver_internal+0xe9/0x16d
device_release_driver+0x11/0x13
bus_remove_device+0xd2/0xe2
device_del+0x19f/0x221
? selinux_capable+0x22/0x27
platform_device_del+0x21/0x63
platform_device_unregister+0x10/0x1a
cleanup+0x20/0x817 [dummy_hcd]
SyS_delete_module+0x10c/0x197
? ____fput+0xd/0xf
? task_work_run+0x55/0x62
? prepare_exit_to_usermode+0x65/0x75
do_fast_syscall_32+0x86/0xc3
entry_SYSENTER_32+0x4e/0x7c
What happens is that removing the dummy-hcd driver causes the UDC core
to unbind the gadget driver, which it does while holding the udc_lock
mutex. The unbind routine in g_mass_storage tells the main thread to
exit and waits for it to terminate.
But as mentioned above, when the main thread exits it tries to
unregister the mass-storage function driver. Via the composite
framework this ends up calling usb_gadget_unregister_driver(), which
tries to acquire the udc_lock mutex. The result is deadlock.
The simplest way to fix the problem is not to be so clever: The main
thread doesn't have to unregister the function driver. The side
effects won't be so terrible; if the gadget is still attached to a USB
host when the main thread is killed, it will appear to the host as
though the gadget's firmware has crashed -- a reasonably accurate
interpretation, and an all-too-common occurrence for USB mass-storage
devices.
In fact, the code to unregister the driver when the main thread exits
is specific to g-mass-storage; it is not used when f-mass-storage is
included as a function in a larger composite device. Therefore the
entire mechanism responsible for this (the fsg_operations structure
with its ->thread_exits method, the fsg_common_set_ops() routine, and
the msg_thread_exits() callback routine) can all be eliminated. Even
the msg_registered bitflag can be removed, because now the driver is
unregistered in only one place rather than in two places.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- Preserve the old way of iterating over LUNs in fsg_main_thread() cleanup
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/gadget/f_mass_storage.c
+++ b/drivers/usb/gadget/f_mass_storage.c
@@ -307,8 +307,6 @@ struct fsg_common {
struct completion thread_notifier;
struct task_struct *thread_task;
- /* Callback functions. */
- const struct fsg_operations *ops;
/* Gadget's private data. */
void *private_data;
@@ -2498,6 +2496,8 @@ static void handle_exception(struct fsg_
static int fsg_main_thread(void *common_)
{
struct fsg_common *common = common_;
+ struct fsg_lun **curlun_it;
+ unsigned i;
/*
* Allow the thread to be killed by a signal, but set the signal mask
@@ -2559,22 +2559,18 @@ static int fsg_main_thread(void *common_
common->thread_task = NULL;
spin_unlock_irq(&common->lock);
- if (!common->ops || !common->ops->thread_exits
- || common->ops->thread_exits(common) < 0) {
- struct fsg_lun **curlun_it = common->luns;
- unsigned i = common->nluns;
-
- down_write(&common->filesem);
- for (; i--; ++curlun_it) {
- struct fsg_lun *curlun = *curlun_it;
- if (!curlun || !fsg_lun_is_open(curlun))
- continue;
+ /* Eject media from all LUNs */
+ curlun_it = common->luns;
+ i = common->nluns;
+
+ down_write(&common->filesem);
+ for (; i--; ++curlun_it) {
+ struct fsg_lun *curlun = *curlun_it;
+ if (curlun && fsg_lun_is_open(curlun))
fsg_lun_close(curlun);
- curlun->unit_attention_data = SS_MEDIUM_NOT_PRESENT;
- }
- up_write(&common->filesem);
}
+ up_write(&common->filesem);
/* Let fsg_unbind() know the thread has exited */
complete_and_exit(&common->thread_notifier, 0);
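Review bot: the old loop also set `curlun->unit_attention_data = SS_MEDIUM_NOT_PRESENT` after closing each LUN; the replacement only calls fsg_lun_close(). Since this runs as the thread exits and the gadget is being unbound, dropping the unit-attention update is almost certainly harmless, but it is a behaviour change the commit message does not mention, and the backport note ("Preserve the old way of iterating over LUNs") could state it explicitly. The `curlun_it`/`i` declarations hoisted to function scope in the earlier hunk are used only here; declaring them inside this block would keep their scope as tight as it was before.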
@@ -2842,13 +2838,6 @@ int fsg_common_set_nluns(struct fsg_comm
}
EXPORT_SYMBOL_GPL(fsg_common_set_nluns);
-void fsg_common_set_ops(struct fsg_common *common,
- const struct fsg_operations *ops)
-{
- common->ops = ops;
-}
-EXPORT_SYMBOL_GPL(fsg_common_set_ops);
-
void fsg_common_free_buffers(struct fsg_common *common)
{
_fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
--- a/drivers/usb/gadget/f_mass_storage.h
+++ b/drivers/usb/gadget/f_mass_storage.h
@@ -60,17 +60,6 @@ struct fsg_module_parameters {
struct fsg_common;
/* FSF callback functions */
-struct fsg_operations {
- /*
- * Callback function to call when thread exits. If no
- * callback is set or it returns value lower then zero MSF
- * will force eject all LUNs it operates on (including those
- * marked as non-removable or with prevent_medium_removal flag
- * set).
- */
- int (*thread_exits)(struct fsg_common *common);
-};
-
struct fsg_lun_opts {
struct config_group group;
struct fsg_lun *lun;
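Review bot: the `/* FSF callback functions */` comment is kept as context although the struct fsg_operations it described is deleted, which leaves a dangling comment above struct fsg_lun_opts; remove it in the same hunk.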
@@ -145,9 +134,6 @@ void fsg_common_free_luns(struct fsg_com
int fsg_common_set_nluns(struct fsg_common *common, int nluns);
-void fsg_common_set_ops(struct fsg_common *common,
- const struct fsg_operations *ops);
-
int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
unsigned int id, const char *name,
const char **name_pfx);
--- a/drivers/usb/gadget/mass_storage.c
+++ b/drivers/usb/gadget/mass_storage.c
@@ -121,15 +121,6 @@ static unsigned int fsg_num_buffers = CO
FSG_MODULE_PARAMETERS(/* no prefix */, mod_data);
-static unsigned long msg_registered;
-static void msg_cleanup(void);
-
-static int msg_thread_exits(struct fsg_common *common)
-{
- msg_cleanup();
- return 0;
-}
-
static int __init msg_do_config(struct usb_configuration *c)
{
struct fsg_opts *opts;
@@ -172,9 +163,6 @@ static struct usb_configuration msg_conf
static int __init msg_bind(struct usb_composite_dev *cdev)
{
- static const struct fsg_operations ops = {
- .thread_exits = msg_thread_exits,
- };
struct fsg_opts *opts;
struct fsg_config config;
int status;
@@ -195,8 +183,6 @@ static int __init msg_bind(struct usb_co
if (status)
goto fail_set_nluns;
- fsg_common_set_ops(opts->common, &ops);
-
status = fsg_common_set_cdev(opts->common, cdev, config.can_stall);
if (status)
goto fail_set_cdev;
@@ -221,7 +207,6 @@ static int __init msg_bind(struct usb_co
usb_composite_overwrite_options(cdev, &coverwrite);
dev_info(&cdev->gadget->dev,
DRIVER_DESC ", version: " DRIVER_VERSION "\n");
- set_bit(0, &msg_registered);
return 0;
fail_string_ids:
@@ -268,9 +253,8 @@ static int __init msg_init(void)
}
module_init(msg_init);
-static void msg_cleanup(void)
+static void __exit msg_cleanup(void)
{
- if (test_and_clear_bit(0, &msg_registered))
- usb_composite_unregister(&msg_driver);
+ usb_composite_unregister(&msg_driver);
}
module_exit(msg_cleanup);
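Review bot: msg_cleanup() now unregisters unconditionally; that is correct only because module_exit is never invoked when module_init (msg_init) failed, so msg_driver is guaranteed to be registered whenever this runs, and a one-line comment saying so would save the next reader from re-deriving it. Marking the function __exit is fine now that the forward declaration and the msg_thread_exits() caller are gone; with either still present it would have produced a section mismatch.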
* [PATCH 3.16 053/204] IB/mlx5: Simplify mlx5_ib_cont_pages
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Eli Cohen, Leon Romanovsky, Ilya Lesokhin, Doug Ledford
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Lesokhin <ilyal@mellanox.com>
commit d67bc5d4e3e100d762c0f57ea67f28bc219698a6 upstream.
The patch simplifies mlx5_ib_cont_pages and fixes the following
issues in the original implementation:
The first issue is related to alignment of the PFNs. After the check
base + p != PFN, the alignment of the PFN wasn't checked. So the PFN
sequence 0, 1, 1, 2 would result in a page_shift of 13 even though
the 3rd PFN is not 8KB aligned.
This wasn't actually a bug because it was supported by all the
existing mlx5 compatible devices, but we don't want to require
this support in all future devices.
Another issue is because the inner loop didn't advance PFN so
the test "if (base + p != pfn)" always failed for SGE with
len > (1<<page_shift).
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com>
Reviewed-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/hw/mlx5/mem.c | 47 +++++++++++++++-------------------------
1 file changed, 17 insertions(+), 30 deletions(-)
--- a/drivers/infiniband/hw/mlx5/mem.c
+++ b/drivers/infiniband/hw/mlx5/mem.c
@@ -46,46 +46,33 @@ void mlx5_ib_cont_pages(struct ib_umem *
{
unsigned long tmp;
unsigned long m;
- int i, k;
- u64 base = 0;
- int p = 0;
- int skip;
- int mask;
- u64 len;
- u64 pfn;
+ u64 base = ~0, p = 0;
+ u64 len, pfn;
+ int i = 0;
struct scatterlist *sg;
int entry;
addr = addr >> PAGE_SHIFT;
tmp = (unsigned long)addr;
m = find_first_bit(&tmp, BITS_PER_LONG);
- skip = 1 << m;
- mask = skip - 1;
- i = 0;
+
for_each_sg(umem->sg_head.sgl, sg, umem->nmap, entry) {
len = sg_dma_len(sg) >> PAGE_SHIFT;
pfn = sg_dma_address(sg) >> PAGE_SHIFT;
- for (k = 0; k < len; k++) {
- if (!(i & mask)) {
- tmp = (unsigned long)pfn;
- m = min_t(unsigned long, m, find_first_bit(&tmp, BITS_PER_LONG));
- skip = 1 << m;
- mask = skip - 1;
- base = pfn;
- p = 0;
- } else {
- if (base + p != pfn) {
- tmp = (unsigned long)p;
- m = find_first_bit(&tmp, BITS_PER_LONG);
- skip = 1 << m;
- mask = skip - 1;
- base = pfn;
- p = 0;
- }
- }
- p++;
- i++;
+ if (base + p != pfn) {
+ /* If either the offset or the new
+ * base are unaligned update m
+ */
+ tmp = (unsigned long)(pfn | p);
+ if (!IS_ALIGNED(tmp, 1 << m))
+ m = find_first_bit(&tmp, BITS_PER_LONG);
+
+ base = pfn;
+ p = 0;
}
+
+ p += len;
+ i += len;
}
if (i) {
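Review bot: `IS_ALIGNED(tmp, 1 << m)` shifts an int; m comes from find_first_bit() on a 64-bit value and can exceed 31 (it is BITS_PER_LONG when the address has no set bits, e.g. addr 0), which is undefined behaviour. The old code had the same `1 << m` in `skip = 1 << m`, so this is pre-existing, but `1UL << m` together with a clamp on m would close it while the function is being rewritten anyway. Otherwise the logic reads right: base starts at ~0 so the first SGE always initialises base/p, and p now advances by len per SGE, which is the fix for the inner loop never advancing. `i` remains an int accumulating u64 lengths; fine for realistic umems, but a u64 would match len.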
* [PATCH 3.16 088/204] sh: sh7269: remove nonexistent GPIO_PH[0-7] to fix pinctrl registration
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jacopo Mondi, Linus Torvalds, Laurent Pinchart, Rich Felker,
Geert Uytterhoeven, Yoshinori Sato, Magnus Damm,
Yoshihiro Shimoda
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit d9d73e81fe82fdf4ee65a48c26531edc04108349 upstream.
pinmux_pins[] is initialized through PINMUX_GPIO(), using designated
array initializers, where the GPIO_* enums serve as indices. If enum
values are defined, but never used, pinmux_pins[] contains (zero-filled)
holes. Such entries are treated as pin zero, which was registered
before, thus leading to pinctrl registration failures, as seen on
sh7722:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
Remove GPIO_PH[0-7] from the enum to fix this.
Link: http://lkml.kernel.org/r/1505205657-18012-5-git-send-email-geert+renesas@glider.be
Fixes: ef0fa5331a73e479 ("sh: Add pinmux for sh7269")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Cc: Rich Felker <dalias@libc.org>
Cc: Magnus Damm <magnus.damm@gmail.com>
Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Cc: Jacopo Mondi <jacopo+renesas@jmondi.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/include/cpu-sh2a/cpu/sh7269.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/sh/include/cpu-sh2a/cpu/sh7269.h
+++ b/arch/sh/include/cpu-sh2a/cpu/sh7269.h
@@ -45,9 +45,7 @@ enum {
GPIO_PG7, GPIO_PG6, GPIO_PG5, GPIO_PG4,
GPIO_PG3, GPIO_PG2, GPIO_PG1, GPIO_PG0,
- /* Port H */
- GPIO_PH7, GPIO_PH6, GPIO_PH5, GPIO_PH4,
- GPIO_PH3, GPIO_PH2, GPIO_PH1, GPIO_PH0,
+ /* Port H - Port H does not have a Data Register */
/* Port I - not on device */
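Review bot: deleting enum members shifts every later GPIO_* value by eight, so any table indexed by these enums (the pinmux_pins[] PINMUX_GPIO() initialisers named in the commit message, and any PINMUX_DATA entries referring to GPIO_PH*) must have been verified to contain no GPIO_PH* references; the excerpt shows only the header, so that check is not visible here. The replacement comment "Port H does not have a Data Register" is worth keeping, as it explains why the gap exists.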
* [PATCH 3.16 063/204] arm64: Make sure SPsel is always set
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Catalin Marinas, Mark Rutland, Marc Zyngier, Will Deacon
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <marc.zyngier@arm.com>
commit 5371513fb338fb9989c569dc071326d369d6ade8 upstream.
When the kernel is entered at EL2 on an ARMv8.0 system, we construct
the EL1 pstate and make sure this uses the EL1 stack pointer
(we perform an exception return to EL1h).
But if the kernel is either entered at EL1 or stays at EL2 (because
we're on a VHE-capable system), we fail to set SPsel, and use whatever
stack selection the higher exception level has chosen for us.
Let's not take any chance, and make sure that SPsel is set to one
before we decide the mode we're going to run in.
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm64/kernel/head.S | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm64/kernel/head.S
+++ b/arch/arm64/kernel/head.S
@@ -269,6 +269,7 @@ ENDPROC(stext)
* booted in EL1 or EL2 respectively.
*/
ENTRY(el2_setup)
+ msr SPsel, #1 // We want to use SP_EL{1,2}
mrs x0, CurrentEL
cmp x0, #CurrentEL_EL2
b.ne 1f
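Review bot: placing `msr SPsel, #1` as the first instruction of el2_setup means it runs before any stack use on both the EL1 and EL2 entry paths, which is what the commit message asks for; because the write switches the active SP immediately, it must stay the first instruction, so extending the comment to "must precede any stack access" would protect it from later reordering.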
* [PATCH 3.16 150/204] workqueue: Fix NULL pointer dereference
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Lai Jiangshan, Li Bin, Xiaofei Tan, Tejun Heo
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Li Bin <huawei.libin@huawei.com>
commit cef572ad9bd7f85035ba8272e5352040e8be0152 upstream.
When queue_work() is used in irq (not in task context), there is
a potential case that triggers a NULL pointer dereference.
----------------------------------------------------------------
worker_thread()
|-spin_lock_irq()
|-process_one_work()
|-worker->current_pwq = pwq
|-spin_unlock_irq()
|-worker->current_func(work)
|-spin_lock_irq()
|-worker->current_pwq = NULL
|-spin_unlock_irq()
//interrupt here
|-irq_handler
|-__queue_work()
//assuming that the wq is draining
|-is_chained_work(wq)
|-current_wq_worker()
//Here, 'current' is the interrupted worker!
|-current->current_pwq is NULL here!
|-schedule()
----------------------------------------------------------------
Avoid it by checking for task context in current_wq_worker(), and
if not in task context, we shouldn't use the 'current' to check the
condition.
Reported-by: Xiaofei Tan <tanxiaofei@huawei.com>
Signed-off-by: Li Bin <huawei.libin@huawei.com>
Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 8d03ecfe4718 ("workqueue: reimplement is_chained_work() using current_wq_worker()")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/workqueue_internal.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/workqueue_internal.h
+++ b/kernel/workqueue_internal.h
@@ -9,6 +9,7 @@
#include <linux/workqueue.h>
#include <linux/kthread.h>
+#include <linux/preempt.h>
struct worker_pool;
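Review bot: on 3.16 the in_task() helper used in the next hunk is added by patch 149 of this series to <linux/preempt_mask.h>, not to <linux/preempt.h>, so the include added here only compiles if preempt_mask.h arrives transitively through another header; include <linux/preempt_mask.h> directly in the backport so the header matches where the definition lives.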
@@ -59,7 +60,7 @@ struct worker {
*/
static inline struct worker *current_wq_worker(void)
{
- if (current->flags & PF_WQ_WORKER)
+ if (in_task() && (current->flags & PF_WQ_WORKER))
return kthread_data(current);
return NULL;
}
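Review bot: with current_wq_worker() returning NULL from non-task context, is_chained_work() now answers false for any __queue_work() call made from an interrupt handler, so work queued from IRQ context on a draining workqueue is warned about and dropped instead of being chained; that is the intended trade (a WARN rather than a NULL dereference), but the commit message could say so, since callers that relied on chaining from IRQ context will see a new warning.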
* [PATCH 3.16 068/204] USB: dummy-hcd: Fix erroneous synchronization change
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alan Stern, Felipe Balbi
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 upstream.
A recent change to the synchronization in dummy-hcd was incorrect.
The issue was that dummy_udc_stop() contained no locking and therefore
could race with various gadget driver callbacks, and the fix was to
add locking and issue the callbacks with the private spinlock held.
UDC drivers aren't supposed to do this. Gadget driver callback
routines are allowed to invoke functions in the UDC driver, and these
functions will generally try to acquire the private spinlock. This
would deadlock the driver.
The correct solution is to drop the spinlock before issuing callbacks,
and avoid races by emulating the synchronize_irq() call that all real
UDC drivers must perform in their ->udc_stop() routines after
disabling interrupts. This involves adding a flag to dummy-hcd's
private structure to keep track of whether interrupts are supposed to
be enabled, and adding a counter to keep track of ongoing callbacks so
that dummy_udc_stop() can wait for them all to finish.
A real UDC driver won't receive disconnect, reset, suspend, resume, or
setup events once it has disabled interrupts. dummy-hcd will receive
them but won't try to issue any gadget driver callbacks, which should
be just as good.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: f16443a034c7 ("USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks")
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/gadget/dummy_hcd.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -191,11 +191,13 @@ struct dummy {
*/
struct dummy_ep ep[DUMMY_ENDPOINTS];
int address;
+ int callback_usage;
struct usb_gadget gadget;
struct usb_gadget_driver *driver;
struct dummy_request fifo_req;
u8 fifo_buf[FIFO_SIZE];
u16 devstatus;
+ unsigned ints_enabled:1;
unsigned udc_suspended:1;
unsigned pullup:1;
@@ -377,15 +379,24 @@ static void set_link_state(struct dummy_
*/
if ((dum_hcd->old_status & USB_PORT_STAT_CONNECTION) != 0 &&
(dum_hcd->old_status & USB_PORT_STAT_RESET) == 0 &&
- dum->driver) {
+ dum->ints_enabled) {
stop_activity(dum);
+ ++dum->callback_usage;
+ spin_unlock(&dum->lock);
dum->driver->disconnect(&dum->gadget);
+ spin_lock(&dum->lock);
+ --dum->callback_usage;
}
- } else if (dum_hcd->active != dum_hcd->old_active) {
+ } else if (dum_hcd->active != dum_hcd->old_active &&
+ dum->ints_enabled) {
+ ++dum->callback_usage;
+ spin_unlock(&dum->lock);
if (dum_hcd->old_active && dum->driver->suspend)
dum->driver->suspend(&dum->gadget);
else if (!dum_hcd->old_active && dum->driver->resume)
dum->driver->resume(&dum->gadget);
+ spin_lock(&dum->lock);
+ --dum->callback_usage;
}
dum_hcd->old_status = dum_hcd->port_status;
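Review bot: the guard changed from `dum->driver` to `dum->ints_enabled`, and the callbacks then dereference dum->driver without a NULL check; that is safe only because dummy_udc_start() sets driver before ints_enabled under the lock and dummy_udc_stop() clears ints_enabled before driver, both in this patch, so the invariant "ints_enabled implies driver != NULL" deserves a comment at the field declaration. Dropping dum->lock around the callbacks also means any port state this function read before the call may be stale afterwards; the callback_usage counter protects the driver pointer, not dum_hcd->port_status.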
@@ -901,9 +912,12 @@ static int dummy_udc_start(struct usb_ga
* can't enumerate without help from the driver we're binding.
*/
+ spin_lock_irq(&dum->lock);
dum->devstatus = 0;
dum->driver = driver;
+ dum->ints_enabled = 1;
+ spin_unlock_irq(&dum->lock);
dev_dbg(udc_dev(dum), "binding gadget driver '%s'\n",
driver->driver.name);
return 0;
@@ -920,6 +934,16 @@ static int dummy_udc_stop(struct usb_gad
driver->driver.name);
spin_lock_irq(&dum->lock);
+ dum->ints_enabled = 0;
+ stop_activity(dum);
+
+ /* emulate synchronize_irq(): wait for callbacks to finish */
+ while (dum->callback_usage > 0) {
+ spin_unlock_irq(&dum->lock);
+ usleep_range(1000, 2000);
+ spin_lock_irq(&dum->lock);
+ }
+
dum->driver = NULL;
spin_unlock_irq(&dum->lock);
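Review bot: the emulated synchronize_irq() loop polls callback_usage with usleep_range() and no upper bound; it terminates because every `++dum->callback_usage` in set_link_state() and the setup path is paired with a decrement after a synchronous callback, but a comment stating that pairing, or a WARN after a generous timeout, would make a stuck gadget-driver callback diagnosable rather than a silent hang in rmmod.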
@@ -1449,6 +1473,8 @@ static struct dummy_ep *find_endpoint(st
if (!is_active((dum->gadget.speed == USB_SPEED_SUPER ?
dum->ss_hcd : dum->hs_hcd)))
return NULL;
+ if (!dum->ints_enabled)
+ return NULL;
if ((address & ~USB_DIR_IN) == 0)
return &dum->ep[0];
for (i = 1; i < DUMMY_ENDPOINTS; i++) {
@@ -1790,10 +1816,12 @@ restart:
* until setup() returns; no reentrancy issues etc.
*/
if (value > 0) {
+ ++dum->callback_usage;
spin_unlock(&dum->lock);
value = dum->driver->setup(&dum->gadget,
&setup);
spin_lock(&dum->lock);
+ --dum->callback_usage;
if (value >= 0) {
/* no delays (max 64KB data stage) */
* [PATCH 3.16 075/204] ipv4: fix broadcast packets reception
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Paolo Abeni, David S. Miller, Hannes Frederic Sowa
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit ad0ea1989cc4d5905941d0a9e62c63ad6d859cef upstream.
Currently, ingress ipv4 broadcast datagrams are dropped since,
in udp_v4_early_demux(), ip_check_mc_rcu() is invoked even on
bcast packets.
This patch addresses the issue, invoking ip_check_mc_rcu()
only for mcast packets.
Fixes: 6e5403093261 ("ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/udp.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1974,10 +1974,14 @@ void udp_v4_early_demux(struct sk_buff *
if (!in_dev)
return;
- ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
- iph->protocol);
- if (!ours)
- return;
+ /* we are supposed to accept bcast packets */
+ if (skb->pkt_type == PACKET_MULTICAST) {
+ ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
+ iph->protocol);
+ if (!ours)
+ return;
+ }
+
sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,
uh->source, iph->saddr, dif);
} else if (skb->pkt_type == PACKET_HOST) {
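Review bot: for PACKET_BROADCAST the multicast-group check is now skipped and __udp4_lib_mcast_demux_lookup() runs unconditionally, restoring the pre-6e5403093261 behaviour for broadcast; the comment "we are supposed to accept bcast packets" would be clearer as "broadcast is always ours; only multicast needs the group membership check". `ours` is now assigned only inside the multicast branch and read only there, so it should not trip a maybe-uninitialized warning, but worth a glance at its declaration.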
* [PATCH 3.16 079/204] brcmfmac: Add length checks on firmware events
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Hante Meuleman, Lei Zhang, Pieter-Paul Giesberts,
Franky (Zhenhui) Lin, Kalle Valo, Arend Van Spriel
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hante Meuleman <meuleman@broadcom.com>
commit 0aedbcaf6f182690790d98d90d5fe1e64c846c34 upstream.
Add additional length checks on firmware events to create more
robust code.
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Lei Zhang <leizh@broadcom.com>
Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
- Drop changes to brcmf_wowl_nd_results()
- Adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
@@ -26,50 +26,6 @@
#include "fwil.h"
/**
- * struct brcm_ethhdr - broadcom specific ether header.
- *
- * @subtype: subtype for this packet.
- * @length: TODO: length of appended data.
- * @version: version indication.
- * @oui: OUI of this packet.
- * @usr_subtype: subtype for this OUI.
- */
-struct brcm_ethhdr {
- __be16 subtype;
- __be16 length;
- u8 version;
- u8 oui[3];
- __be16 usr_subtype;
-} __packed;
-
-struct brcmf_event_msg_be {
- __be16 version;
- __be16 flags;
- __be32 event_type;
- __be32 status;
- __be32 reason;
- __be32 auth_type;
- __be32 datalen;
- u8 addr[ETH_ALEN];
- char ifname[IFNAMSIZ];
- u8 ifidx;
- u8 bsscfgidx;
-} __packed;
-
-/**
- * struct brcmf_event - contents of broadcom event packet.
- *
- * @eth: standard ether header.
- * @hdr: broadcom specific ether header.
- * @msg: common part of the actual event message.
- */
-struct brcmf_event {
- struct ethhdr eth;
- struct brcm_ethhdr hdr;
- struct brcmf_event_msg_be msg;
-} __packed;
-
-/**
* struct brcmf_fweh_queue_item - event item on event queue.
*
* @q: list element for queuing.
@@ -85,6 +41,7 @@ struct brcmf_fweh_queue_item {
u8 ifidx;
u8 ifaddr[ETH_ALEN];
struct brcmf_event_msg_be emsg;
+ u32 datalen;
u8 data[0];
};
@@ -292,6 +249,11 @@ static void brcmf_fweh_event_worker(stru
brcmf_dbg_hex_dump(BRCMF_EVENT_ON(), event->data,
min_t(u32, emsg.datalen, 64),
"event payload, len=%d\n", emsg.datalen);
+ if (emsg.datalen > event->datalen) {
+ brcmf_err("event invalid length header=%d, msg=%d\n",
+ event->datalen, emsg.datalen);
+ goto event_free;
+ }
/* special handling of interface event */
if (event->code == BRCMF_E_IF) {
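Review bot: the new `emsg.datalen > event->datalen` check should go before the brcmf_dbg_hex_dump() call a few lines above it, not after. The dump reads min_t(u32, emsg.datalen, 64) bytes from event->data, but event->data was only filled with event->datalen bytes (see the `memcpy(event->data, data, datalen)` hunk further down), so with event debugging enabled a short event carrying an oversized emsg.datalen is still read past the copied payload before the check rejects it.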
@@ -423,7 +385,8 @@ int brcmf_fweh_activate_events(struct br
* dispatch the event to a registered handler (using worker).
*/
void brcmf_fweh_process_event(struct brcmf_pub *drvr,
- struct brcmf_event *event_packet)
+ struct brcmf_event *event_packet,
+ u32 packet_len)
{
enum brcmf_fweh_event_code code;
struct brcmf_fweh_info *fweh = &drvr->fweh;
@@ -443,6 +406,9 @@ void brcmf_fweh_process_event(struct brc
if (code != BRCMF_E_IF && !fweh->evt_handler[code])
return;
+ if (datalen > BRCMF_DCMD_MAXLEN)
+ return;
+
if (in_interrupt())
alloc_flag = GFP_ATOMIC;
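Review bot: packet_len is added to the brcmf_fweh_process_event() signature in the previous hunk but is not referenced in any visible hunk. The new `if (datalen > BRCMF_DCMD_MAXLEN)` check only bounds the allocation size; it does not tie datalen to the length of the received frame, so the later `memcpy(event->data, data, datalen)` can still copy past the end of a short skb. Suggest extending the check to `datalen > BRCMF_DCMD_MAXLEN || datalen + sizeof(*event_packet) > packet_len`, which appears to be what the added parameter is for.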
@@ -456,6 +422,7 @@ void brcmf_fweh_process_event(struct brc
/* use memcpy to get aligned event message */
memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg));
memcpy(event->data, data, datalen);
+ event->datalen = datalen;
memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN);
brcmf_fweh_queue_event(fweh, event);
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.h
@@ -27,7 +27,6 @@
struct brcmf_pub;
struct brcmf_if;
struct brcmf_cfg80211_info;
-struct brcmf_event;
/* list of firmware events */
#define BRCMF_FWEH_EVENT_ENUM_DEFLIST \
@@ -173,13 +172,55 @@ enum brcmf_fweh_event_code {
/**
* definitions for event packet validation.
*/
-#define BRCMF_EVENT_OUI_OFFSET 19
-#define BRCM_OUI "\x00\x10\x18"
-#define DOT11_OUI_LEN 3
-#define BCMILCP_BCM_SUBTYPE_EVENT 1
+#define BRCM_OUI "\x00\x10\x18"
+#define BCMILCP_BCM_SUBTYPE_EVENT 1
/**
+ * struct brcm_ethhdr - broadcom specific ether header.
+ *
+ * @subtype: subtype for this packet.
+ * @length: TODO: length of appended data.
+ * @version: version indication.
+ * @oui: OUI of this packet.
+ * @usr_subtype: subtype for this OUI.
+ */
+struct brcm_ethhdr {
+ __be16 subtype;
+ __be16 length;
+ u8 version;
+ u8 oui[3];
+ __be16 usr_subtype;
+} __packed;
+
+struct brcmf_event_msg_be {
+ __be16 version;
+ __be16 flags;
+ __be32 event_type;
+ __be32 status;
+ __be32 reason;
+ __be32 auth_type;
+ __be32 datalen;
+ u8 addr[ETH_ALEN];
+ char ifname[IFNAMSIZ];
+ u8 ifidx;
+ u8 bsscfgidx;
+} __packed;
+
+/**
+ * struct brcmf_event - contents of broadcom event packet.
+ *
+ * @eth: standard ether header.
+ * @hdr: broadcom specific ether header.
+ * @msg: common part of the actual event message.
+ */
+struct brcmf_event {
+ struct ethhdr eth;
+ struct brcm_ethhdr hdr;
+ struct brcmf_event_msg_be msg;
+} __packed;
+
+/**
* struct brcmf_event_msg - firmware event message.
*
* @version: version information.
@@ -247,33 +288,34 @@ void brcmf_fweh_unregister(struct brcmf_
enum brcmf_fweh_event_code code);
int brcmf_fweh_activate_events(struct brcmf_if *ifp);
void brcmf_fweh_process_event(struct brcmf_pub *drvr,
- struct brcmf_event *event_packet);
+ struct brcmf_event *event_packet,
+ u32 packet_len);
static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
struct sk_buff *skb)
{
struct brcmf_event *event_packet;
- u8 *data;
u16 usr_stype;
/* only process events when protocol matches */
if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
return;
+ if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
+ return;
+
/* check for BRCM oui match */
event_packet = (struct brcmf_event *)skb_mac_header(skb);
- data = (u8 *)event_packet;
- data += BRCMF_EVENT_OUI_OFFSET;
- if (memcmp(BRCM_OUI, data, DOT11_OUI_LEN))
+ if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
+ sizeof(event_packet->hdr.oui)))
return;
/* final match on usr_subtype */
- data += DOT11_OUI_LEN;
- usr_stype = get_unaligned_be16(data);
+ usr_stype = get_unaligned_be16(&event_packet->hdr.usr_subtype);
if (usr_stype != BCMILCP_BCM_SUBTYPE_EVENT)
return;
- brcmf_fweh_process_event(drvr, event_packet);
+ brcmf_fweh_process_event(drvr, event_packet, skb->len + ETH_HLEN);
}
#endif /* FWEH_H_ */
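Review bot: in brcmf_fweh_process_skb() the new `(skb->len + ETH_HLEN) < sizeof(*event_packet)` check hard-codes the distance between skb_mac_header(skb) and skb->data as ETH_HLEN; computing it as `skb->data - skb_mac_header(skb)` in both the check and the brcmf_fweh_process_event() call would keep the length correct if anything ever sits between the MAC header and the payload. Note also that this check only guarantees the fixed eth/hdr/msg headers fit; the variable-length payload after msg is left entirely to the datalen checks in fweh.c, which is fine as long as those are tightened as discussed there.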
--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
@@ -1363,6 +1363,11 @@ int brcmf_p2p_notify_action_frame_rx(str
u16 mgmt_type;
u8 action;
+ if (e->datalen < sizeof(*rxframe)) {
+ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
+ return 0;
+ }
+
ch.chspec = be16_to_cpu(rxframe->chanspec);
cfg->d11inf.decchspec(&ch);
/* Check if wpa_supplicant has registered for this frame */
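Review bot: typo in the new debug message, "Event data to small" should read "Event data too small"; the same string is added in the next hunk and in the wl_cfg80211.c hunk, so please fix all three. Since these messages are the only trace of a malformed event being dropped, it is worth getting them right for anyone grepping the log.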
@@ -1861,6 +1866,11 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
brcmf_dbg(INFO, "Enter: event %d reason %d\n", e->event_code,
e->reason);
+ if (e->datalen < sizeof(*rxframe)) {
+ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
+ return 0;
+ }
+
ch.chspec = be16_to_cpu(rxframe->chanspec);
cfg->d11inf.decchspec(&ch);
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -3036,6 +3036,11 @@ brcmf_notify_sched_scan_results(struct b
brcmf_dbg(SCAN, "Enter\n");
+ if (e->datalen < (sizeof(*pfn_result) + sizeof(*netinfo))) {
+ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
+ return 0;
+ }
+
if (e->event_code == BRCMF_E_PFN_NET_LOST) {
brcmf_dbg(SCAN, "PFN NET LOST event. Do Nothing\n");
return 0;
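Review bot: the check `e->datalen < (sizeof(*pfn_result) + sizeof(*netinfo))` only guarantees room for a single netinfo entry after the pfn_result header. If pfn_result carries a count of netinfo entries that the function walks afterwards (the hunk context does not show it), that count also needs to be bounded by datalen, e.g. `count * sizeof(*netinfo)`; otherwise the first entry is validated but later loop iterations still read past the event payload. Please confirm, and if the per-entry bound already exists elsewhere say so in the commit message.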
* [PATCH 3.16 146/204] ip6_gre: Reduce log level in ip6gre_err() to debug
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Matt Bennett, David S. Miller
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matt Bennett <matt.bennett@alliedtelesis.co.nz>
commit a46496ce38eeb401344d5623c1960dbf2f1769be upstream.
Currently error log messages in ip6gre_err are printed at 'warn'
level. This is different to most other tunnel types which don't
print any messages. These log messages don't provide any information
that couldn't be deduced with networking tools. Also it can be annoying
to have one end of the tunnel go down and have the logs fill with
pointless messages such as "Path to destination invalid or inactive!".
This patch reduces the log level of these messages to 'dbg' level to
bring the visible behaviour into line with other tunnel types.
Signed-off-by: Matt Bennett <matt.bennett@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv6/ip6_gre.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -404,13 +404,13 @@ static void ip6gre_err(struct sk_buff *s
struct ipv6_tlv_tnl_enc_lim *tel;
__u32 mtu;
case ICMPV6_DEST_UNREACH:
- net_warn_ratelimited("%s: Path to destination invalid or inactive!\n",
- t->parms.name);
+ net_dbg_ratelimited("%s: Path to destination invalid or inactive!\n",
+ t->parms.name);
break;
case ICMPV6_TIME_EXCEED:
if (code == ICMPV6_EXC_HOPLIMIT) {
- net_warn_ratelimited("%s: Too small hop limit or routing loop in tunnel!\n",
- t->parms.name);
+ net_dbg_ratelimited("%s: Too small hop limit or routing loop in tunnel!\n",
+ t->parms.name);
}
break;
case ICMPV6_PARAMPROB:
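Review bot: net_dbg_ratelimited() only produces output when DEBUG is defined or the call site is enabled through dynamic debug, so from an operator's point of view this hunk removes the ICMPv6 error reporting from the default log rather than merely lowering it. That matches the rationale in the commit message, but it would help anyone who relied on "Path to destination invalid or inactive!" to spot a black-holed tunnel if the message mentioned that the lines can be re-enabled per file via /sys/kernel/debug/dynamic_debug/control.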
@@ -421,12 +421,12 @@ static void ip6gre_err(struct sk_buff *s
if (teli && teli == be32_to_cpu(info) - 2) {
tel = (struct ipv6_tlv_tnl_enc_lim *) &skb->data[teli];
if (tel->encap_limit == 0) {
- net_warn_ratelimited("%s: Too small encapsulation limit or routing loop in tunnel!\n",
- t->parms.name);
+ net_dbg_ratelimited("%s: Too small encapsulation limit or routing loop in tunnel!\n",
+ t->parms.name);
}
} else {
- net_warn_ratelimited("%s: Recipient unable to parse tunneled packet!\n",
- t->parms.name);
+ net_dbg_ratelimited("%s: Recipient unable to parse tunneled packet!\n",
+ t->parms.name);
}
break;
case ICMPV6_PKT_TOOBIG:
* [PATCH 3.16 076/204] IPv4: early demux can return an error code
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Paolo Abeni
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 7487449c86c65202b3b725c4524cb48dd65e4e6f upstream.
Currently no error is emitted, but this infrastructure will be
used by the next patch to allow source address validation
for mcast sockets.
Since early demux can do a route lookup and an ipv4 route
lookup can return an error code this is consistent with the
current ipv4 route infrastructure.
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- Drop change to net_protocol::early_demux_handler
- Keep using NET_INC_STATS_BH() in ip_rcv_finish()
- Fix up additional return statement in udp_v4_early_demux()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/protocol.h
+++ b/include/net/protocol.h
@@ -39,7 +39,7 @@
/* This is used to register protocols. */
struct net_protocol {
- void (*early_demux)(struct sk_buff *skb);
+ int (*early_demux)(struct sk_buff *skb);
int (*handler)(struct sk_buff *skb);
void (*err_handler)(struct sk_buff *skb, u32 info);
unsigned int no_policy:1,
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -350,7 +350,7 @@ void tcp_v4_err(struct sk_buff *skb, u32
void tcp_shutdown(struct sock *sk, int how);
-void tcp_v4_early_demux(struct sk_buff *skb);
+int tcp_v4_early_demux(struct sk_buff *skb);
int tcp_v4_rcv(struct sk_buff *skb);
int tcp_v4_tw_remember_stamp(struct inet_timewait_sock *tw);
--- a/include/net/udp.h
+++ b/include/net/udp.h
@@ -177,7 +177,7 @@ int udp_lib_get_port(struct sock *sk, un
unsigned int hash2_nulladdr);
/* net/ipv4/udp.c */
-void udp_v4_early_demux(struct sk_buff *skb);
+int udp_v4_early_demux(struct sk_buff *skb);
int udp_get_port(struct sock *sk, unsigned short snum,
int (*saddr_cmp)(const struct sock *,
const struct sock *));
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -313,6 +313,7 @@ static int ip_rcv_finish(struct sk_buff
{
const struct iphdr *iph = ip_hdr(skb);
struct rtable *rt;
+ int err;
if (sysctl_ip_early_demux && !skb_dst(skb) && skb->sk == NULL) {
const struct net_protocol *ipprot;
@@ -320,7 +321,9 @@ static int ip_rcv_finish(struct sk_buff
ipprot = rcu_dereference(inet_protos[protocol]);
if (ipprot && ipprot->early_demux) {
- ipprot->early_demux(skb);
+ err = ipprot->early_demux(skb);
+ if (unlikely(err))
+ goto drop_error;
/* must reload iph, skb->head might have changed */
iph = ip_hdr(skb);
}
@@ -331,14 +334,10 @@ static int ip_rcv_finish(struct sk_buff
* how the packet travels inside Linux networking.
*/
if (!skb_dst(skb)) {
- int err = ip_route_input_noref(skb, iph->daddr, iph->saddr,
- iph->tos, skb->dev);
- if (unlikely(err)) {
- if (err == -EXDEV)
- NET_INC_STATS_BH(dev_net(skb->dev),
- LINUX_MIB_IPRPFILTER);
- goto drop;
- }
+ err = ip_route_input_noref(skb, iph->daddr, iph->saddr,
+ iph->tos, skb->dev);
+ if (unlikely(err))
+ goto drop_error;
}
#ifdef CONFIG_IP_ROUTE_CLASSID
@@ -368,6 +367,11 @@ static int ip_rcv_finish(struct sk_buff
drop:
kfree_skb(skb);
return NET_RX_DROP;
+
+drop_error:
+ if (err == -EXDEV)
+ NET_INC_STATS_BH(dev_net(skb->dev), LINUX_MIB_IPRPFILTER);
+ goto drop;
}
/*
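Review bot: with the new drop_error label an early_demux handler that returns -EXDEV is now accounted as an rp_filter drop (LINUX_MIB_IPRPFILTER) exactly like the route lookup. That is the hook the follow-up patch wants, but in this patch both tcp_v4_early_demux() and udp_v4_early_demux() only ever return 0, so there is no behaviour change yet; worth saying so in the commit message. Also, `err` is now function-scope but only assigned on the two paths that jump to drop_error, so any future `goto drop_error` added on another path would read an uninitialised value; either initialise it or keep the label reachable only from those two sites.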
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1616,23 +1616,23 @@ csum_err:
}
EXPORT_SYMBOL(tcp_v4_do_rcv);
-void tcp_v4_early_demux(struct sk_buff *skb)
+int tcp_v4_early_demux(struct sk_buff *skb)
{
const struct iphdr *iph;
const struct tcphdr *th;
struct sock *sk;
if (skb->pkt_type != PACKET_HOST)
- return;
+ return 0;
if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct tcphdr)))
- return;
+ return 0;
iph = ip_hdr(skb);
th = tcp_hdr(skb);
if (th->doff < sizeof(struct tcphdr) / 4)
- return;
+ return 0;
sk = __inet_lookup_established(dev_net(skb->dev), &tcp_hashinfo,
iph->saddr, th->source,
@@ -1651,6 +1651,7 @@ void tcp_v4_early_demux(struct sk_buff *
skb_dst_set_noref(skb, dst);
}
}
+ return 0;
}
/* Packet is added to VJ-style prequeue for processing in process
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1950,7 +1950,7 @@ static struct sock *__udp4_lib_demux_loo
return result;
}
-void udp_v4_early_demux(struct sk_buff *skb)
+int udp_v4_early_demux(struct sk_buff *skb)
{
struct net *net = dev_net(skb->dev);
const struct iphdr *iph;
@@ -1962,7 +1962,7 @@ void udp_v4_early_demux(struct sk_buff *
/* validate the packet */
if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct udphdr)))
- return;
+ return 0;
iph = ip_hdr(skb);
uh = udp_hdr(skb);
@@ -1972,14 +1972,14 @@ void udp_v4_early_demux(struct sk_buff *
struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
if (!in_dev)
- return;
+ return 0;
/* we are supposed to accept bcast packets */
if (skb->pkt_type == PACKET_MULTICAST) {
ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
iph->protocol);
if (!ours)
- return;
+ return 0;
}
sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,
@@ -1988,11 +1988,11 @@ void udp_v4_early_demux(struct sk_buff *
sk = __udp4_lib_demux_lookup(net, uh->dest, iph->daddr,
uh->source, iph->saddr, dif);
} else {
- return;
+ return 0;
}
if (!sk)
- return;
+ return 0;
skb->sk = sk;
skb->destructor = sock_edemux;
@@ -2009,6 +2009,7 @@ void udp_v4_early_demux(struct sk_buff *
skb_dst_set_noref(skb, dst);
}
}
+ return 0;
}
int udp_rcv(struct sk_buff *skb)
* [PATCH 3.16 086/204] sh: sh7757: remove nonexistent GPIO_PT[JLNQ]7_RESV to fix pinctrl registration
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jacopo Mondi, Linus Torvalds, Laurent Pinchart, Rich Felker,
Geert Uytterhoeven, Magnus Damm, Yoshinori Sato,
Yoshihiro Shimoda
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit d8ce38f69843a56da044e56b6c16aecfbc3c6e39 upstream.
Commit 3810e96056ff ("sh: modify pinmux for SH7757 2nd cut") renamed
GPIO_PT[JLNQ]7 to GPIO_PT[JLNQ]7_RESV, and removed the existing users
from the pinmux_pins[] array.
However, pinmux_pins[] is initialized through PINMUX_GPIO(), using
designated array initializers, where the GPIO_* enums serve as indices.
Hence entries were not really removed, but replaced by (zero-filled)
holes. Such entries are treated as pin zero, which was registered
before, thus leading to pinctrl registration failures, as seen on
sh7722:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
Remove GPIO_PT[JLNQ]7_RESV from the enum to fix this.
Link: http://lkml.kernel.org/r/1505205657-18012-3-git-send-email-geert+renesas@glider.be
Fixes: 3810e96056ffddf6 ("sh: modify pinmux for SH7757 2nd cut")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Jacopo Mondi <jacopo+renesas@jmondi.org>
Cc: Magnus Damm <magnus.damm@gmail.com>
Cc: Rich Felker <dalias@libc.org>
Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/include/cpu-sh4/cpu/sh7757.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/sh/include/cpu-sh4/cpu/sh7757.h
+++ b/arch/sh/include/cpu-sh4/cpu/sh7757.h
@@ -40,7 +40,7 @@ enum {
/* PTJ */
GPIO_PTJ0, GPIO_PTJ1, GPIO_PTJ2, GPIO_PTJ3,
- GPIO_PTJ4, GPIO_PTJ5, GPIO_PTJ6, GPIO_PTJ7_RESV,
+ GPIO_PTJ4, GPIO_PTJ5, GPIO_PTJ6,
/* PTK */
GPIO_PTK0, GPIO_PTK1, GPIO_PTK2, GPIO_PTK3,
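Review bot: deleting GPIO_PTJ7_RESV (and the PTL/PTN/PTQ entries in the later hunks) renumbers every GPIO_* enumerator that follows it, since the values are implicit. That is exactly what closes the designated-initializer holes in pinmux_pins[], but it also means any table indexed by literal numbers, any FIRST/LAST style range arithmetic on these enumerators, and any out-of-tree or device-tree reference to the old numeric GPIO indices must be rechecked; a sentence in the commit message stating that only enum-name users exist for SH7757 would make the shift obviously safe.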
@@ -48,7 +48,7 @@ enum {
/* PTL */
GPIO_PTL0, GPIO_PTL1, GPIO_PTL2, GPIO_PTL3,
- GPIO_PTL4, GPIO_PTL5, GPIO_PTL6, GPIO_PTL7_RESV,
+ GPIO_PTL4, GPIO_PTL5, GPIO_PTL6,
/* PTM */
GPIO_PTM0, GPIO_PTM1, GPIO_PTM2, GPIO_PTM3,
@@ -56,7 +56,7 @@ enum {
/* PTN */
GPIO_PTN0, GPIO_PTN1, GPIO_PTN2, GPIO_PTN3,
- GPIO_PTN4, GPIO_PTN5, GPIO_PTN6, GPIO_PTN7_RESV,
+ GPIO_PTN4, GPIO_PTN5, GPIO_PTN6,
/* PTO */
GPIO_PTO0, GPIO_PTO1, GPIO_PTO2, GPIO_PTO3,
@@ -68,7 +68,7 @@ enum {
/* PTQ */
GPIO_PTQ0, GPIO_PTQ1, GPIO_PTQ2, GPIO_PTQ3,
- GPIO_PTQ4, GPIO_PTQ5, GPIO_PTQ6, GPIO_PTQ7_RESV,
+ GPIO_PTQ4, GPIO_PTQ5, GPIO_PTQ6,
/* PTR */
GPIO_PTR0, GPIO_PTR1, GPIO_PTR2, GPIO_PTR3,
* [PATCH 3.16 048/204] KEYS: fix key refcount leak in keyctl_assume_authority()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric Biggers, David Howells
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 884bee0215fcc239b30c062c37ca29077005e064 upstream.
In keyctl_assume_authority(), if keyctl_change_reqkey_auth() were to
fail, we would leak the reference to the 'authkey'. Currently this can
only happen if prepare_creds() fails to allocate memory. But it still
should be fixed, as it is a more severe bug waiting to happen.
This patch also moves the read of 'authkey->serial' to before the
reference to the authkey is dropped. Doing the read after dropping the
reference is very fragile because it assumes we still hold another
reference to the key. (Which we do, in current->cred->request_key_auth,
but there's no reason not to write it in the "obviously correct" way.)
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/keyctl.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1401,11 +1401,9 @@ long keyctl_assume_authority(key_serial_
}
ret = keyctl_change_reqkey_auth(authkey);
- if (ret < 0)
- goto error;
+ if (ret == 0)
+ ret = authkey->serial;
key_put(authkey);
-
- ret = authkey->serial;
error:
return ret;
}
* [PATCH 3.16 128/204] usb: hub: Allow reset retry for USB2 devices on connect bounce
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alan Stern, Greg Kroah-Hartman, Mathias Nyman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 1ac7db63333db1eeff901bfd6bbcd502b4634fa4 upstream.
If the connect status change is set during reset signaling, but
the status remains connected just retry port reset.
This solves an issue with connecting a 90W HP Thunderbolt 3 dock
with a Lenovo Carbon x1 (5th generation) which causes a 30min loop
of a high speed device being re-discovered before the usb ports start
working.
[...]
[ 389.023845] usb 3-1: new high-speed USB device number 55 using xhci_hcd
[ 389.491841] usb 3-1: new high-speed USB device number 56 using xhci_hcd
[ 389.959928] usb 3-1: new high-speed USB device number 57 using xhci_hcd
[...]
This is caused by a high speed device that doesn't successfully go to the
enabled state after the second port reset. Instead the connection bounces
(connected, with connect status change), bailing out completely from
enumeration just to restart from scratch.
Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1716332
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/hub.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2625,13 +2625,16 @@ static int hub_port_wait_reset(struct us
if (!(portstatus & USB_PORT_STAT_CONNECTION))
return -ENOTCONN;
- /* bomb out completely if the connection bounced. A USB 3.0
- * connection may bounce if multiple warm resets were issued,
+ /* Retry if connect change is set but status is still connected.
+ * A USB 3.0 connection may bounce if multiple warm resets were issued,
* but the device may have successfully re-connected. Ignore it.
*/
if (!hub_is_superspeed(hub->hdev) &&
- (portchange & USB_PORT_STAT_C_CONNECTION))
- return -ENOTCONN;
+ (portchange & USB_PORT_STAT_C_CONNECTION)) {
+ usb_clear_port_feature(hub->hdev, port1,
+ USB_PORT_FEAT_C_CONNECTION);
+ return -EAGAIN;
+ }
if (!(portstatus & USB_PORT_STAT_ENABLE))
return -EBUSY;
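Review bot: the updated comment still ends with "Ignore it.", which belonged to the old bail-out logic; the new behaviour is to clear USB_PORT_FEAT_C_CONNECTION and retry, so reword it to say that the superspeed case is skipped and a non-superspeed bounce is retried. Please also confirm in the commit message that the -EAGAIN from hub_port_wait_reset() is consumed by the bounded PORT_RESET_TRIES loop in hub_port_reset(), since a port whose connect-change bit keeps reasserting must not keep resetting forever.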
* [PATCH 3.16 064/204] Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0"
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Mike Marciniszyn, Feras Daoud, Doug Ledford,
Dennis Dalessandro, Alex Estrin
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alex Estrin <alex.estrin@intel.com>
commit 612601d0013f03de9dc134809f242ba6da9ca252 upstream.
commit 9a9b8112699d will cause core to fail UD QP from being destroyed
on ipoib unload, therefore cause resources leakage.
On pkey change event above patch modifies mgid before calling underlying
driver to detach it from QP. Drivers' detach_mcast() will fail to find
modified mgid it was never given to attach in a first place.
Core qp->usecnt will never go down, so ib_destroy_qp() will fail.
IPoIB driver actually does take care of new broadcast mgid based on new
pkey by destroying an old mcast object in ipoib_mcast_dev_flush()
....
if (priv->broadcast) {
rb_erase(&priv->broadcast->rb_node, &priv->multicast_tree);
list_add_tail(&priv->broadcast->list, &remove_list);
priv->broadcast = NULL;
}
...
then in restarted ipoib_mcast_join_task() creating a new broadcast mcast
object, sending join request and on completion tells the driver to attach
to reinitialized QP:
...
if (!priv->broadcast) {
...
broadcast = ipoib_mcast_alloc(dev, 0);
...
memcpy(broadcast->mcmember.mgid.raw, priv->dev->broadcast + 4,
sizeof (union ib_gid));
priv->broadcast = broadcast;
...
Fixes: 9a9b8112699d ("IB/ipoib: Update broadcast object if PKey value was changed in index 0")
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Alex Estrin <alex.estrin@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Reviewed-by: Feras Daoud <ferasda@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 -------------
1 file changed, 13 deletions(-)
--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -961,19 +961,6 @@ static inline int update_parent_pkey(str
*/
priv->dev->broadcast[8] = priv->pkey >> 8;
priv->dev->broadcast[9] = priv->pkey & 0xff;
-
- /*
- * Update the broadcast address in the priv->broadcast object,
- * in case it already exists, otherwise no one will do that.
- */
- if (priv->broadcast) {
- spin_lock_irq(&priv->lock);
- memcpy(priv->broadcast->mcmember.mgid.raw,
- priv->dev->broadcast + 4,
- sizeof(union ib_gid));
- spin_unlock_irq(&priv->lock);
- }
-
return 0;
}
* [PATCH 3.16 108/204] bus: mbus: fix window size calculation for 4GB windows
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Gregory CLEMENT, Jan Luebbe
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Luebbe <jlu@pengutronix.de>
commit 2bbbd96357ce76cc45ec722c00f654aa7b189112 upstream.
At least the Armada XP SoC supports 4GB on a single DRAM window. Because
the size register values contain the actual size - 1, the MSB is set in
that case. For example, the SDRAM window's control register's value is
0xffffffe1 for 4GB (bits 31 to 24 contain the size).
The MBUS driver reads back each window's size from registers and
calculates the actual size as (control_reg | ~DDR_SIZE_MASK) + 1, which
overflows for 32 bit values, resulting in other miscalculations further
on (a bad RAM window for the CESA crypto engine calculated by
mvebu_mbus_setup_cpu_target_nooverlap() in my case).
This patch changes the type in 'struct mbus_dram_window' from u32 to
u64, which allows us to keep using the same register calculation code in
most MBUS-using drivers (which calculate ->size - 1 again).
Fixes: fddddb52a6c4 ("bus: introduce an Marvell EBU MBus driver")
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/bus/mvebu-mbus.c | 2 +-
include/linux/mbus.h | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/bus/mvebu-mbus.c
+++ b/drivers/bus/mvebu-mbus.c
@@ -523,7 +523,7 @@ mvebu_mbus_default_setup_cpu_target(stru
if (mbus->hw_io_coherency)
w->mbus_attr |= ATTR_HW_COHERENCY;
w->base = base & DDR_BASE_CS_LOW_MASK;
- w->size = (size | ~DDR_SIZE_MASK) + 1;
+ w->size = (u64)(size | ~DDR_SIZE_MASK) + 1;
}
}
mvebu_mbus_dram_info.num_cs = cs;
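Review bot: the cast is placed correctly: `(u64)(size | ~DDR_SIZE_MASK) + 1` widens the 32-bit OR result before the +1, so 0xffffffff becomes 0x100000000 instead of wrapping to 0. Two things to check before merging: that `~DDR_SIZE_MASK` is an unsigned 32-bit constant (if DDR_SIZE_MASK were a signed int the complement would sign-extend after the cast and give a bogus size), and that every consumer of mbus_dram_window.size/base handles the u64 type; a driver that still stores `w->size` in a u32 register field without the `- 1` will silently truncate the 4GB window to 0.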
--- a/include/linux/mbus.h
+++ b/include/linux/mbus.h
@@ -29,8 +29,8 @@ struct mbus_dram_target_info
struct mbus_dram_window {
u8 cs_index;
u8 mbus_attr;
- u32 base;
- u32 size;
+ u64 base;
+ u64 size;
} cs[4];
};
* [PATCH 3.16 170/204] ALSA: timer: Protect the whole snd_timer_close() with open race
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 9984d1b5835ca29fc7025186a891ee7398d21cc7 upstream.
In order to make the open/close more robust, widen the register_mutex
protection over the whole snd_timer_close() function. Also, the close
procedure is slightly shuffled to be in the safer order, as well as a
few code refactoring.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/timer.c | 48 +++++++++++++++++++++---------------------------
1 file changed, 21 insertions(+), 27 deletions(-)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -334,25 +334,14 @@ int snd_timer_close(struct snd_timer_ins
if (snd_BUG_ON(!timeri))
return -ENXIO;
+ mutex_lock(®ister_mutex);
+ list_del(&timeri->open_list);
+
/* force to stop the timer */
snd_timer_stop(timeri);
- if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
- /* wait, until the active callback is finished */
- spin_lock_irq(&slave_active_lock);
- while (timeri->flags & SNDRV_TIMER_IFLG_CALLBACK) {
- spin_unlock_irq(&slave_active_lock);
- udelay(10);
- spin_lock_irq(&slave_active_lock);
- }
- spin_unlock_irq(&slave_active_lock);
- mutex_lock(®ister_mutex);
- list_del(&timeri->open_list);
- mutex_unlock(®ister_mutex);
- } else {
- timer = timeri->timer;
- if (snd_BUG_ON(!timer))
- goto out;
+ timer = timeri->timer;
+ if (timer) {
/* wait, until the active callback is finished */
spin_lock_irq(&timer->lock);
while (timeri->flags & SNDRV_TIMER_IFLG_CALLBACK) {
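Review bot: two behavioural changes in this hunk deserve a sentence in the description. The master path loses its `if (snd_BUG_ON(!timer)) goto out;`, so a NULL timer on a non-slave instance is now silently tolerated instead of flagged, and the slave path, which previously always spun on slave_active_lock until SNDRV_TIMER_IFLG_CALLBACK cleared, now waits only `if (timer)`, so a slave whose timeri->timer is still NULL skips the callback wait entirely. If that is safe because such a slave can never have a callback in flight, say so in a comment; otherwise the old slave_active_lock wait should be kept for the NULL-timer case.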
@@ -361,11 +350,7 @@ int snd_timer_close(struct snd_timer_ins
spin_lock_irq(&timer->lock);
}
spin_unlock_irq(&timer->lock);
- mutex_lock(®ister_mutex);
- list_del(&timeri->open_list);
- if (list_empty(&timer->open_list_head) &&
- timer->hw.close)
- timer->hw.close(timer);
+
/* remove slave links */
spin_lock_irq(&slave_active_lock);
spin_lock(&timer->lock);
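Review bot: the `list_del(&timeri->open_list)` removed here now runs at the top of the function, before `snd_timer_stop()`, and the `list_empty()`/hw.close() check that used to follow it immediately is deferred until after the instance is freed. Both moves look intentional given the description, but a comment at the new list_del site stating that the instance is unlinked first so no concurrent open/close can find it would make the ordering explicit rather than implied.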
@@ -379,18 +364,27 @@ int snd_timer_close(struct snd_timer_ins
}
spin_unlock(&timer->lock);
spin_unlock_irq(&slave_active_lock);
- /* release a card refcount for safe disconnection */
- if (timer->card)
- put_device(&timer->card->card_dev);
- mutex_unlock(®ister_mutex);
+
+ /* slave doesn't need to release timer resources below */
+ if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
+ timer = NULL;
}
- out:
+
if (timeri->private_free)
timeri->private_free(timeri);
kfree(timeri->owner);
kfree(timeri);
- if (timer)
+
+ if (timer) {
+ if (list_empty(&timer->open_list_head) && timer->hw.close)
+ timer->hw.close(timer);
+ /* release a card refcount for safe disconnection */
+ if (timer->card)
+ put_device(&timer->card->card_dev);
module_put(timer->module);
+ }
+
+ mutex_unlock(®ister_mutex);
return 0;
}
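Review bot: register_mutex is now held across `timeri->private_free(timeri)`, both kfree() calls and `module_put()`, where previously it was released before the `out:` label; the hunk does not show any private_free implementation, so confirm that none of them can take register_mutex, which would now self-deadlock. The `timer = NULL` assignment used to skip resource release for slaves hides control flow in a variable, but the comment above it explains the trick, so that is acceptable. Note also that `timer->hw.close()` is now called after `kfree(timeri)` rather than before private_free as in the old code, which is fine as long as no hw.close implementation looks at the instance.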
* [PATCH 3.16 039/204] IB/ocrdma: fix incorrect fall-through on switch statement
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Colin Ian King, Doug Ledford, Leon Romanovsky
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.king@canonical.com>
commit 06564f60859bdf7e73d70ae35d7e285e96ae9c46 upstream.
In the case where mbox_status is OCRDMA_MBX_STATUS_FAILED and
add_status is OCRDMA_MBX_STATUS_FAILED, err_num is assigned -EAGAIN;
however, the case OCRDMA_MBX_STATUS_FAILED is missing a break and
falls through to the default case, which then re-assigns err_num
to -EFAULT. Fix this so that err_num is assigned -EAGAIN
for the add_status OCRDMA_MBX_STATUS_FAILED case and -EFAULT
otherwise.
Detected by CoverityScan CID#703125 ("Missing break in switch")
Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/hw/ocrdma/ocrdma_hw.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/hw/ocrdma/ocrdma_hw.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_hw.c
@@ -235,7 +235,10 @@ static int ocrdma_get_mbx_errno(u32 stat
case OCRDMA_MBX_ADDI_STATUS_INSUFFICIENT_RESOURCES:
err_num = -EAGAIN;
break;
+ default:
+ err_num = -EFAULT;
}
+ break;
default:
err_num = -EFAULT;
}
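Review bot: the new inner `default: err_num = -EFAULT;` is the last arm of the inner switch and has no trailing `break;`, unlike the `-EAGAIN` arm just above it; harmless, but adding one keeps the arms uniform and avoids a second "missing break" report from the same checker. With the `break;` now placed after the inner switch's closing brace, the outer `default: err_num = -EFAULT;` is unchanged and still covers unrelated status codes, so the two identical assignments are intentional rather than a leftover.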
* [PATCH 3.16 093/204] nl80211: Define policy for packet pattern attributes
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Peng Xu, Johannes Berg, Jouni Malinen
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peng Xu <pxu@qti.qualcomm.com>
commit ad670233c9e1d5feb365d870e30083ef1b889177 upstream.
Define a policy for packet pattern attributes in order to fix a
potential read over the end of the buffer during nla_get_u32()
of the NL80211_PKTPAT_OFFSET attribute.
Note that the data there can always be read due to SKB allocation
(with alignment and struct skb_shared_info at the end), but the
data might be uninitialized. This could be used to leak some data
from uninitialized vmalloc() memory, but most drivers don't allow
an offset (so you'd just get -EINVAL if the data is non-zero) or
just allow it with a fixed value - 100 or 128 bytes, so anything
above that would get -EINVAL. With brcmfmac the limit is 1500 so
(at least) one byte could be obtained.
Signed-off-by: Peng Xu <pxu@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
[rewrite description based on SKB allocation knowledge]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -464,6 +464,14 @@ nl80211_match_policy[NL80211_SCHED_SCAN_
[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
};
+/* policy for packet pattern attributes */
+static const struct nla_policy
+nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
+ [NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
+ [NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
+ [NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
+};
+
static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
struct netlink_callback *cb,
struct cfg80211_registered_device **rdev,
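Review bot: the NLA_BINARY entries for NL80211_PKTPAT_MASK and NL80211_PKTPAT_PATTERN carry no `.len`, so this policy bounds nothing about their size; the only thing it enforces is that NL80211_PKTPAT_OFFSET is a full u32, which is exactly what the description needs. If there is a known upper bound on pattern length it could be expressed here with `.len`; otherwise extend the comment to say that length checks for mask and pattern remain with the callers.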
@@ -8573,7 +8581,7 @@ static int nl80211_set_wowlan(struct sk_
u8 *mask_pat;
nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
- nla_len(pat), NULL);
+ nla_len(pat), nl80211_packet_pattern_policy);
err = -EINVAL;
if (!pat_tb[NL80211_PKTPAT_MASK] ||
!pat_tb[NL80211_PKTPAT_PATTERN])
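Review bot: the return value of nla_parse() is still discarded, and `err = -EINVAL` is assigned unconditionally on the following line. With a policy now attached, nla_parse() can fail validation, for example on an NL80211_PKTPAT_OFFSET shorter than 4 bytes, and in that case pat_tb is left only partly filled while the code continues as if parsing succeeded. Suggest `err = nla_parse(...); if (err) goto error;` (using whichever error label the surrounding function has) so that a malformed nested attribute is rejected rather than treated as absent.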
@@ -8801,7 +8809,7 @@ static int nl80211_parse_coalesce_rule(s
u8 *mask_pat;
nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
- nla_len(pat), NULL);
+ nla_len(pat), nl80211_packet_pattern_policy);
if (!pat_tb[NL80211_PKTPAT_MASK] ||
!pat_tb[NL80211_PKTPAT_PATTERN])
return -EINVAL;
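Review bot: same point as in nl80211_set_wowlan above: nla_parse() can now return an error and it is ignored here too; returning it (`if (nla_parse(...)) return -EINVAL;`) makes the coalesce-rule path reject malformed patterns instead of reading whatever subset of pat_tb was populated before validation stopped.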
* [PATCH 3.16 131/204] sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Neil Horman, David S. Miller, Eric Dumazet, Xin Long,
Marcelo Ricardo Leitner
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit 1cc276cec9ec574d41cf47dfc0f51406b6f26ab4 upstream.
Now sctp processes ICMP redirect packets in sctp_icmp_redirect, where
it calls sctp_transport_dst_check, in which tp->dst can be released.
The problem is that before calling sctp_transport_dst_check it doesn't
check sock_owned_by_user, which means tp->dst could be freed while
a process that owns the socket is accessing it.
A use-after-free issue could be triggered by this.
This patch fixes it by checking sock_owned_by_user before calling
sctp_transport_dst_check in sctp_icmp_redirect, so that it will not
release tp->dst if a user still holds the sock lock.
Besides, the same issue fixed in commit 45caeaa5ac0b ("dccp/tcp: fix
routing redirect race") on sctp also needs this check.
Fixes: 55be7a9c6074 ("ipv4: Add redirect support to all protocol icmp error handlers")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/sctp/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -416,7 +416,7 @@ void sctp_icmp_redirect(struct sock *sk,
{
struct dst_entry *dst;
- if (!t)
+ if (sock_owned_by_user(sk) || !t)
return;
dst = sctp_transport_dst_check(t);
if (dst)
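Review bot: sock_owned_by_user() only gives a stable answer while the caller holds the socket's bh lock, and this hunk does not show the caller; confirm sctp_icmp_redirect() is always reached under bh_lock_sock(sk), which is the pattern the referenced dccp/tcp fix relies on. Also, a redirect that arrives while the socket is user-owned is now dropped rather than deferred; that matches the description, but a one-line comment above the check would stop the next reader from mistaking it for a missing retry.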
* [PATCH 3.16 179/204] can: c_can: don't indicate triple sampling support for D_CAN
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Richard Schütz
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Schütz <rschuetz@uni-koblenz.de>
commit fb5f0b3ef69b95e665e4bbe8a3de7201f09f1071 upstream.
The D_CAN controller doesn't provide a triple sampling mode, so don't set
the CAN_CTRLMODE_3_SAMPLES flag in ctrlmode_supported. Currently enabling
triple sampling is a no-op.
Signed-off-by: Richard Schütz <rschuetz@uni-koblenz.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/can/c_can/c_can_pci.c | 1 -
drivers/net/can/c_can/c_can_platform.c | 1 -
2 files changed, 2 deletions(-)
--- a/drivers/net/can/c_can/c_can_pci.c
+++ b/drivers/net/can/c_can/c_can_pci.c
@@ -178,7 +178,6 @@ static int c_can_pci_probe(struct pci_de
break;
case BOSCH_D_CAN:
priv->regs = reg_map_d_can;
- priv->can.ctrlmode_supported |= CAN_CTRLMODE_3_SAMPLES;
break;
default:
ret = -EINVAL;
--- a/drivers/net/can/c_can/c_can_platform.c
+++ b/drivers/net/can/c_can/c_can_platform.c
@@ -266,7 +266,6 @@ static int c_can_plat_probe(struct platf
break;
case BOSCH_D_CAN:
priv->regs = reg_map_d_can;
- priv->can.ctrlmode_supported |= CAN_CTRLMODE_3_SAMPLES;
priv->read_reg = c_can_plat_read_reg_aligned_to_16bit;
priv->write_reg = c_can_plat_write_reg_aligned_to_16bit;
priv->read_reg32 = d_can_plat_read_reg32;
* [PATCH 3.16 118/204] net: enable interface alias removal via rtnl
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David S. Miller, Julien FLoret, Nicolas Dichtel,
Stephen Hemminger, Oliver Hartkopp
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
commit 2459b4c635858094df78abb9ca87d99f89fe8ca5 upstream.
IFLA_IFALIAS is defined as NLA_STRING. It means that the minimal length of
the attribute is 1 ("\0"). However, to remove an alias, the attribute
length must be 0 (see dev_set_alias()).
Let's define the type to NLA_BINARY to allow 0-length string, so that the
alias can be removed.
Example:
$ ip l s dummy0 alias foo
$ ip l l dev dummy0
5: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether ae:20:30:4f:a7:f3 brd ff:ff:ff:ff:ff:ff
alias foo
Before the patch:
$ ip l s dummy0 alias ""
RTNETLINK answers: Numerical result out of range
After the patch:
$ ip l s dummy0 alias ""
$ ip l l dev dummy0
5: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether ae:20:30:4f:a7:f3 brd ff:ff:ff:ff:ff:ff
CC: Oliver Hartkopp <oliver@hartkopp.net>
CC: Stephen Hemminger <stephen@networkplumber.org>
Fixes: 96ca4a2cc145 ("net: remove ifalias on empty given alias")
Reported-by: Julien FLoret <julien.floret@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/core/rtnetlink.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1187,7 +1187,10 @@ static const struct nla_policy ifla_poli
[IFLA_LINKINFO] = { .type = NLA_NESTED },
[IFLA_NET_NS_PID] = { .type = NLA_U32 },
[IFLA_NET_NS_FD] = { .type = NLA_U32 },
- [IFLA_IFALIAS] = { .type = NLA_STRING, .len = IFALIASZ-1 },
+ /* IFLA_IFALIAS is a string, but policy is set to NLA_BINARY to
+ * allow 0-length string (needed to remove an alias).
+ */
+ [IFLA_IFALIAS] = { .type = NLA_BINARY, .len = IFALIASZ - 1 },
[IFLA_VFINFO_LIST] = {. type = NLA_NESTED },
[IFLA_VF_PORTS] = { .type = NLA_NESTED },
[IFLA_PORT_SELF] = { .type = NLA_NESTED },
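Review bot: changing IFLA_IFALIAS from NLA_STRING to NLA_BINARY drops the NUL-termination check that NLA_STRING validation provided, so the attribute can now arrive as up to IFALIASZ - 1 bytes with no terminator; dev_set_alias() must therefore treat it as a length-delimited buffer and never rely on a trailing NUL. The description implies it already keys on the length, but the comment here should say so, since it is now the only place that documents the contract. For NLA_BINARY `.len` is a maximum, so `IFALIASZ - 1` still caps the alias at the old limit while permitting zero length.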
* [PATCH 3.16 062/204] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Andreas Gruenbacher
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
commit fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 upstream.
In generic_file_llseek_size, return -ENXIO for negative offsets as well
as offsets beyond EOF. This affects filesystems which don't implement
SEEK_HOLE / SEEK_DATA internally, possibly because they don't support
holes.
Fixes xfstest generic/448.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/read_write.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -116,7 +116,7 @@ generic_file_llseek_size(struct file *fi
* In the generic case the entire file is data, so as long as
* offset isn't at the end of the file then the offset is data.
*/
- if (offset >= eof)
+ if ((unsigned long long)offset >= eof)
return -ENXIO;
break;
case SEEK_HOLE:
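Review bot: the cast relies on a negative `offset` becoming a very large unsigned value so that `>= eof` catches it; `eof` is converted to unsigned in the same comparison, which is only safe because i_size is never negative. That holds, but it is non-obvious, so a short comment at the cast ("negative offsets are rejected by the unsigned compare") would help, or an explicit `offset < 0 ||` if the maintainers prefer plain over clever.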
@@ -124,7 +124,7 @@ generic_file_llseek_size(struct file *fi
* There is a virtual hole at the end of the file, so as long as
* offset isn't i_size or larger, return i_size.
*/
- if (offset >= eof)
+ if ((unsigned long long)offset >= eof)
return -ENXIO;
offset = eof;
break;
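Review bot: same cast idiom as in the SEEK_DATA arm above, duplicated verbatim; if it is kept, give both places the same explanatory comment, or factor the two identical tests into one small inline helper so the trick is documented once.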
* [PATCH 3.16 065/204] USB: dummy-hcd: fix connection failures (wrong speed)
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Alan Stern
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit fe659bcc9b173bcfdd958ce2aec75e47651e74e1 upstream.
The dummy-hcd UDC driver is not careful about the way it handles
connection speeds. It ignores the module parameter that is supposed
to govern the maximum connection speed and it doesn't set the HCD
flags properly for the case where it ends up running at full speed.
The result is that in many cases, gadget enumeration over dummy-hcd
fails because the bMaxPacketSize byte in the device descriptor is set
incorrectly. For example, the default settings call for a high-speed
connection, but the maxpacket value for ep0 ends up being set for a
Super-Speed connection.
This patch fixes the problem by initializing the gadget's max_speed
and the HCD flags correctly.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/gadget/dummy_hcd.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -973,7 +973,12 @@ static int dummy_udc_probe(struct platfo
dum = *((void **)dev_get_platdata(&pdev->dev));
dum->gadget.name = gadget_name;
dum->gadget.ops = &dummy_ops;
- dum->gadget.max_speed = USB_SPEED_SUPER;
+ if (mod_data.is_super_speed)
+ dum->gadget.max_speed = USB_SPEED_SUPER;
+ else if (mod_data.is_high_speed)
+ dum->gadget.max_speed = USB_SPEED_HIGH;
+ else
+ dum->gadget.max_speed = USB_SPEED_FULL;
dum->gadget.dev.parent = &pdev->dev;
init_dummy_udc_hw(dum);
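Review bot: max_speed now follows the module parameters, but the three-way chain means `is_super_speed` wins even when `is_high_speed` is cleared; that is consistent with the HCD flags hunk below, so the behaviour is coherent, but since the two parameters are otherwise independent booleans a comment stating that super implies high would prevent someone "fixing" the order later.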
@@ -2489,8 +2494,6 @@ static struct hc_driver dummy_hcd = {
.product_desc = "Dummy host controller",
.hcd_priv_size = sizeof(struct dummy_hcd),
- .flags = HCD_USB3 | HCD_SHARED,
-
.reset = dummy_setup,
.start = dummy_start,
.stop = dummy_stop,
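Review bot: dropping `.flags` from the static initializer leaves `dummy_hcd.flags` zero until dummy_hcd_probe() runs; that is fine as long as nothing consults the hc_driver flags before probe, which the hunk below handles by assigning them before usb_create_hcd(). A comment at the struct saying flags are filled in at probe time from mod_data would stop a future change from re-adding a static value that silently overrides the parameters.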
@@ -2519,8 +2522,12 @@ static int dummy_hcd_probe(struct platfo
dev_info(&pdev->dev, "%s, driver " DRIVER_VERSION "\n", driver_desc);
dum = *((void **)dev_get_platdata(&pdev->dev));
- if (!mod_data.is_super_speed)
+ if (mod_data.is_super_speed)
+ dummy_hcd.flags = HCD_USB3 | HCD_SHARED;
+ else if (mod_data.is_high_speed)
dummy_hcd.flags = HCD_USB2;
+ else
+ dummy_hcd.flags = HCD_USB11;
hs_hcd = usb_create_hcd(&dummy_hcd, &pdev->dev, dev_name(&pdev->dev));
if (!hs_hcd)
return -ENOMEM;
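Review bot: `dummy_hcd` is a module-wide static struct hc_driver and its `.flags` are written here on every probe; because mod_data is also module-wide this is deterministic, but mutating a shared driver descriptor from a probe routine is unusual enough to merit a comment. The result is also still stored in a variable named `hs_hcd` even when HCD_USB11 or HCD_USB3 was chosen; cosmetic, but misleading now that the speed is variable.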
* [PATCH 3.16 143/204] net/unix: don't show information about sockets from other namespaces
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Andrei Vagin
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrei Vagin <avagin@openvz.org>
commit 0f5da659d8f1810f44de14acf2c80cd6499623a0 upstream.
socket_diag shows information only about sockets from a namespace where
a diag socket lives.
But if we request information about one unix socket, the kernel doesn't
check that its netns matches the diag socket's namespace, so any
user can get information about any unix socket in the system. This looks
like a bug.
v2: add a Fixes tag
Fixes: 51d7cccf0723 ("net: make sock diag per-namespace")
Signed-off-by: Andrei Vagin <avagin@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/unix/diag.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -256,6 +256,8 @@ static int unix_diag_get_exact(struct sk
err = -ENOENT;
if (sk == NULL)
goto out_nosk;
+ if (!net_eq(sock_net(sk), net))
+ goto out;
err = sock_diag_check_cookie(sk, req->udiag_cookie);
if (err)
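Review bot: the cross-namespace case reuses the `err = -ENOENT` set a few lines above and jumps to `out` rather than `out_nosk`; that is the right label only if `out:` drops the reference the lookup took on `sk` (sk is non-NULL at this point), which the hunk does not show, so please confirm. Returning the same -ENOENT as for a missing socket is the right choice: a caller cannot tell "exists in another netns" from "does not exist".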
* [PATCH 3.16 029/204] SMB: Validate negotiate (to protect against downgrade) even if signing off
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Stefan Metzmacher, Steve French, Ronnie Sahlberg,
Jeremy Allison
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <smfrench@gmail.com>
commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 upstream.
As long as signing is supported (i.e. not a guest user connection) and
the connection is SMB3 or SMB3.02, then validate negotiate (to protect
against man-in-the-middle downgrade attacks). We had been doing this
only when signing was required, not when signing was just enabled,
but this more closely matches recommended SMB3 behavior and is
better security. Suggested by Metze.
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Acked-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/smb2pdu.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -486,15 +486,22 @@ int smb3_validate_negotiate(const unsign
/*
* validation ioctl must be signed, so no point sending this if we
- * can not sign it. We could eventually change this to selectively
+ * can not sign it (ie are not known user). Even if signing is not
+ * required (enabled but not negotiated), in those cases we selectively
* sign just this, the first and only signed request on a connection.
- * This is good enough for now since a user who wants better security
- * would also enable signing on the mount. Having validation of
- * negotiate info for signed connections helps reduce attack vectors
+ * Having validation of negotiate info helps reduce attack vectors.
*/
- if (tcon->ses->server->sign == false)
+ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST)
return 0; /* validation requires signing */
+ if (tcon->ses->user_name == NULL) {
+ cifs_dbg(FYI, "Can't validate negotiate: null user mount\n");
+ return 0; /* validation requires signing */
+ }
+
+ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
+ cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
+
vneg_inbuf.Capabilities =
cpu_to_le32(tcon->ses->server->vals->req_capabilities);
memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
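Review bot: the new comment says "we selectively sign just this, the first and only signed request", but nothing in this hunk marks the request as signed; with the old `server->sign == false` early return gone, a validate negotiate can go out unsigned on an enabled-but-not-negotiated session unless the send path signs it on its own. The later patch in this series, "SMB3: Validate negotiate request must always be signed", is what sets SMB2_FLAGS_SIGNED on the ioctl, so the two should land together. Separately, the `SMB2_SESSION_FLAG_IS_NULL` case only logs at VFS level and then proceeds; if an anonymous session cannot sign either, it should `return 0` like the guest case rather than attempt the ioctl.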
* [PATCH 3.16 145/204] SMB3: Validate negotiate request must always be signed
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Steve French, Ronnie Sahlberg
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <smfrench@gmail.com>
commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
According to MS-SMB2 3.2.55, the validate_negotiate request must
always be signed. Some Windows versions can fail the request if you send it unsigned.
See kernel bugzilla bug 197311.
Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: s/sync_hdr\.Flags/Flags/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/smb2pdu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1342,6 +1342,9 @@ SMB2_ioctl(const unsigned int xid, struc
} else
iov[0].iov_len = get_rfc1002_length(req) + 4;
+ /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+ req->hdr.Flags |= SMB2_FLAGS_SIGNED;
rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
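Review bot: setting SMB2_FLAGS_SIGNED in `req->hdr.Flags` marks the header, but whether SendReceive2() then actually computes a signature for a session on which signing was not negotiated is not visible here; confirm the signing code keys off this header flag and not only off `server->sign`, otherwise the request leaves flagged as signed with no valid signature and the server will reject it. The comment cites MS-SMB2 3.2.5.5 while the description says 3.2.55; one of the two is a typo.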
* [PATCH 3.16 047/204] KEYS: don't revoke uninstantiated key in request_key_auth_new()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric Biggers, David Howells
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit f7b48cf08fa63a68b59c2894806ee478216d7f91 upstream.
If key_instantiate_and_link() were to fail (which fortunately isn't
possible currently), the call to key_revoke(authkey) would crash with a
NULL pointer dereference in request_key_auth_revoke() because the key
has not yet been instantiated.
Fix this by removing the call to key_revoke(). key_put() is sufficient,
as it's not possible for an uninstantiated authkey to have been used for
anything yet.
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/request_key_auth.c | 1 -
1 file changed, 1 deletion(-)
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -207,7 +207,6 @@ struct key *request_key_auth_new(struct
return authkey;
error_put_authkey:
- key_revoke(authkey);
key_put(authkey);
error_free_rka:
free_request_key_auth(rka);
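Review bot: with key_revoke() gone the `error_put_authkey` label just drops the reference, which matches the description; the one thing to double-check is that key_put() on a never-instantiated authkey cannot reach request_key_auth_revoke() through the key type's destroy path, since that would be the same NULL dereference the description is trying to avoid. The label name still fits what it does, so no rename is needed.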
* [PATCH 3.16 066/204] USB: dummy-hcd: fix infinite-loop resubmission bug
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Alan Stern, Andrey Konovalov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 0173a68bfb0ad1c72a6ee39cc485aa2c97540b98 upstream.
The dummy-hcd HCD/UDC emulator tries not to do too much work during
each timer interrupt. But it doesn't try very hard; currently all
it does is limit the total amount of bulk data transferred. Other
transfer types aren't limited, and URBs that transfer no data (because
of an error, perhaps) don't count toward the limit, even though on a
real USB bus they would consume at least a minimum overhead.
This means it's possible to get the driver stuck in an infinite loop,
for example, if the host class driver resubmits an URB every time it
completes (which is common for interrupt URBs). Each time the URB is
resubmitted it gets added to the end of the pending-URBs list, and
dummy-hcd doesn't stop until that list is empty. Andrey Konovalov was
able to trigger this failure mode using the syzkaller fuzzer.
This patch fixes the infinite-loop problem by restricting the URBs
handled during each timer interrupt to those that were already on the
pending list when the interrupt routine started. Newly added URBs
won't be processed until the next timer interrupt. The problem of
properly accounting for non-bulk bandwidth (as well as packet and
transaction overhead) is not addressed here.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/gadget/dummy_hcd.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -173,6 +173,8 @@ struct dummy_hcd {
struct usb_device *udev;
struct list_head urbp_list;
+ struct urbp *next_frame_urbp;
+
u32 stream_en_ep;
u8 num_stream[30 / 2];
@@ -1188,6 +1190,8 @@ static int dummy_urb_enqueue(
list_add_tail(&urbp->urbp_list, &dum_hcd->urbp_list);
urb->hcpriv = urbp;
+ if (!dum_hcd->next_frame_urbp)
+ dum_hcd->next_frame_urbp = urbp;
if (usb_pipetype(urb->pipe) == PIPE_CONTROL)
urb->error_count = 1; /* mark as a new urb */
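Review bot: `next_frame_urbp` is only set when it is NULL, so it records the first URB queued after the timer last ran, and everything queued later sits behind it in urbp_list; that is what makes a single `break` in dummy_timer() sufficient. What this diff does not cover is the dequeue path: if the URB that `next_frame_urbp` points to is unlinked and freed before the next timer interrupt, the field dangles. It is only ever compared, never dereferenced, so the failure mode is a missed fence (the old behaviour) or a spurious early break if the allocation is reused, not a crash, but clearing or advancing it in dummy_urb_dequeue() when the matching urbp is removed would make the invariant explicit.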
@@ -1691,6 +1695,7 @@ static void dummy_timer(unsigned long _d
spin_unlock_irqrestore(&dum->lock, flags);
return;
}
+ dum_hcd->next_frame_urbp = NULL;
for (i = 0; i < DUMMY_ENDPOINTS; i++) {
if (!ep_name[i])
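Review bot: the reset to NULL happens under dum->lock (the unlock on the early-return path just above it is visible), which is required because dummy_urb_enqueue() writes the same field under that lock; good. The `restart:` label shown as context for the next hunk lies below this line, so a `goto restart` re-enters the loop without clearing the fence, which is the behaviour wanted: URBs added during this interrupt still wait for the next one.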
@@ -1707,6 +1712,10 @@ restart:
int type;
int status = -EINPROGRESS;
+ /* stop when we reach URBs queued after the timer interrupt */
+ if (urbp == dum_hcd->next_frame_urbp)
+ break;
+
urb = urbp->urb;
if (urb->unlinked)
goto return_urb;
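Review bot: the fence check is placed before the `urb->unlinked` test, so an unlinked URB that happens to be the fence entry is left for the next timer interrupt instead of being returned now. That is probably acceptable for an emulator, but if unlinked URBs are expected to complete promptly, move the fence check after the `goto return_urb` so unlink completions are never deferred by it.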
* [PATCH 3.16 195/204] ptrace: change __ptrace_unlink() to clear ->ptrace under ->siglock
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Oleg Nesterov, syzkaller, Dmitry Vyukov,
Tejun Heo
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit 1333ab03150478df8d6f5673a91df1e50dc6ab97 upstream.
This test case (a simplified version of one generated by syzkaller)
	#include <unistd.h>
	#include <sys/ptrace.h>
	#include <sys/wait.h>

	void test(void)
	{
		for (;;) {
			if (fork()) {
				wait(NULL);
				continue;
			}

			ptrace(PTRACE_SEIZE, getppid(), 0, 0);
			ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
			_exit(0);
		}
	}

	int main(void)
	{
		int np;

		for (np = 0; np < 8; ++np)
			if (!fork())
				test();

		while (wait(NULL) > 0)
			;

		return 0;
	}
triggers the 2nd WARN_ON_ONCE(!signr) warning in do_jobctl_trap(). The
problem is that __ptrace_unlink() clears task->jobctl under siglock but
task->ptrace is cleared without this lock held; this fools the "else"
branch which assumes that !PT_SEIZED means PT_PTRACED.
Note also that most of the other PTRACE_SEIZE checks can race with detach
from the exiting tracer too. Say, the callers of ptrace_trap_notify()
assume that SEIZED can't go away after it was checked.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/ptrace.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -79,12 +79,11 @@ void __ptrace_unlink(struct task_struct
{
BUG_ON(!child->ptrace);
- child->ptrace = 0;
child->parent = child->real_parent;
list_del_init(&child->ptrace_entry);
spin_lock(&child->sighand->siglock);
-
+ child->ptrace = 0;
/*
* Clear all pending traps and TRAPPING. TRAPPING should be
* cleared regardless of JOBCTL_STOP_PENDING. Do it explicitly.
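Review bot: moving `child->ptrace = 0;` under `child->sighand->siglock` is the fix, but `BUG_ON(!child->ptrace);` a few lines up still reads the field lockless, and nothing in the hunk documents the new rule that ->ptrace is cleared under siglock together with the JOBCTL bits; a comment at the assignment (the existing block comment below it is a natural home) would stop a future cleanup from hoisting it back out, which is exactly what the "else" branch in do_jobctl_trap() described in the commit message depends on.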
* [PATCH 3.16 172/204] ARM: 8720/1: ensure dump_instr() checks addr_limit
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mark Rutland, Russell King
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit b9dd05c7002ee0ca8b676428b2268c26399b5e31 upstream.
When CONFIG_DEBUG_USER is enabled, it's possible for a user to
deliberately trigger dump_instr() with a chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than
__get_user(), ensuring that we don't erroneously access kernel memory.
So that we can use the same code to dump user instructions and kernel
instructions, the common dumping code is factored out to __dump_instr(),
with the fs manipulated appropriately in dump_instr() around calls to
this.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/kernel/traps.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -129,30 +129,26 @@ static void dump_mem(const char *lvl, co
set_fs(fs);
}
-static void dump_instr(const char *lvl, struct pt_regs *regs)
+static void __dump_instr(const char *lvl, struct pt_regs *regs)
{
unsigned long addr = instruction_pointer(regs);
const int thumb = thumb_mode(regs);
const int width = thumb ? 4 : 8;
- mm_segment_t fs;
char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str;
int i;
/*
- * We need to switch to kernel mode so that we can use __get_user
- * to safely read from kernel space. Note that we now dump the
- * code first, just in case the backtrace kills us.
+ * Note that we now dump the code first, just in case the backtrace
+ * kills us.
*/
- fs = get_fs();
- set_fs(KERNEL_DS);
for (i = -4; i < 1 + !!thumb; i++) {
unsigned int val, bad;
if (thumb)
- bad = __get_user(val, &((u16 *)addr)[i]);
+ bad = get_user(val, &((u16 *)addr)[i]);
else
- bad = __get_user(val, &((u32 *)addr)[i]);
+ bad = get_user(val, &((u32 *)addr)[i]);
if (!bad)
p += sprintf(p, i == 0 ? "(%0*x) " : "%0*x ",
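Review bot: with `get_user()` the address check now happens per element inside the loop, which matters because the loop starts at `i = -4`: for a user PC within the first few words of the address space `&((u32 *)addr)[i]` wraps to a high (kernel) address, and under the caller's USER_DS limit `get_user()` now rejects it where `__get_user()` under KERNEL_DS would have read it. The trimmed comment no longer says why the accessor changed; one sentence noting that the addr_limit check is the protection would replace what the removed set_fs text used to document. The `str` sizing is unchanged by this hunk.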
@@ -163,8 +159,20 @@ static void dump_instr(const char *lvl,
}
}
printk("%sCode: %s\n", lvl, str);
+}
- set_fs(fs);
+static void dump_instr(const char *lvl, struct pt_regs *regs)
+{
+ mm_segment_t fs;
+
+ if (!user_mode(regs)) {
+ fs = get_fs();
+ set_fs(KERNEL_DS);
+ __dump_instr(lvl, regs);
+ set_fs(fs);
+ } else {
+ __dump_instr(lvl, regs);
+ }
}
#ifdef CONFIG_ARM_UNWIND
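Review bot: the two branches of `dump_instr()` both end in `__dump_instr(lvl, regs)`, which could be a single call bracketed by a conditional `set_fs(KERNEL_DS)`/restore; style only. The more important point is that the `else` (user_mode) branch relies on the current addr_limit already being USER_DS: if a caller ever reaches dump_instr() with user regs from inside a set_fs(KERNEL_DS) section, `get_user()` would again accept kernel addresses. Either a comment stating that assumption, or an explicit `set_fs(USER_DS)` with restore in that branch, would make the guarantee the commit message describes hold unconditionally.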
* [PATCH 3.16 019/204] tracing: Erase irqsoff trace with empty write
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware), mingo, Bo Yan
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bo Yan <byan@nvidia.com>
commit 8dd33bcb7050dd6f8c1432732f930932c9d3a33e upstream.
One convenient way to erase trace is "echo > trace". However, this
is currently broken if the current tracer is irqsoff tracer. This
is because irqsoff tracer uses max_buffer as the default trace
buffer.
Set the max_buffer as the one to be cleared when it's the trace
buffer currently in use.
Link: http://lkml.kernel.org/r/1505754215-29411-1-git-send-email-byan@nvidia.com
Cc: <mingo@redhat.com>
Fixes: 4acd4d00f ("tracing: give easy way to clear trace buffer")
Signed-off-by: Bo Yan <byan@nvidia.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/trace/trace.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3191,11 +3191,17 @@ static int tracing_open(struct inode *in
/* If this file was open for write, then erase contents */
if ((file->f_mode & FMODE_WRITE) && (file->f_flags & O_TRUNC)) {
int cpu = tracing_get_cpu(inode);
+ struct trace_buffer *trace_buf = &tr->trace_buffer;
+
+#ifdef CONFIG_TRACER_MAX_TRACE
+ if (tr->current_trace->print_max)
+ trace_buf = &tr->max_buffer;
+#endif
if (cpu == RING_BUFFER_ALL_CPUS)
- tracing_reset_online_cpus(&tr->trace_buffer);
+ tracing_reset_online_cpus(trace_buf);
else
- tracing_reset(&tr->trace_buffer, cpu);
+ tracing_reset(trace_buf, cpu);
}
if (file->f_mode & FMODE_READ) {
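Review bot: under CONFIG_TRACER_MAX_TRACE the reset now targets `tr->max_buffer` when `print_max` is set, which leaves `tr->trace_buffer` untouched for those tracers; that matches what the user sees in `trace` but differs from the old unconditional clear of trace_buffer, so a short comment above the `#ifdef` ("clear the buffer this tracer displays") would record the intent. The blank line between the `trace_buf` declaration and the `#ifdef` block also splits the declaration from its conditional override; moving the blank line after `#endif` keeps that block together.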
* [PATCH 3.16 116/204] l2tp: check ps->sock before running pppol2tp_session_ioctl()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
commit 5903f594935a3841137c86b9d5b75143a5b7121c upstream.
When pppol2tp_session_ioctl() is called by pppol2tp_tunnel_ioctl(),
the session may be unconnected. That is, it was created by
pppol2tp_session_create() and hasn't been connected with
pppol2tp_connect(). In this case, ps->sock is NULL, so we need to check
for this case in order to avoid dereferencing a NULL pointer.
Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_ppp.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1007,6 +1007,9 @@ static int pppol2tp_session_ioctl(struct
session->name, cmd, arg);
sk = ps->sock;
+ if (!sk)
+ return -EBADR;
+
sock_hold(sk);
switch (cmd) {
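Review bot: the `if (!sk) return -EBADR;` lands before `sock_hold(sk)`, which is the right spot, but `ps->sock` is read without any lock here while `pppol2tp_connect()` can be assigning it on another CPU; if the surrounding code relies on the caller's session reference for that, a comment saying so would help. EBADR is also an unusual errno for "session not yet connected": unless the neighbouring ioctl paths already use it for missing state, -ENOTCONN is what a caller issuing an ioctl on an unconnected session would expect.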
* [PATCH 3.16 069/204] usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Yoshihiro Shimoda, Felipe Balbi
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
commit 6124607acc88fffeaadf3aacfeb3cc1304c87387 upstream.
This patch fixes an issue where the driver sets the BCLR bit of
{C,Dn}FIFOCTR register to 1 even when it's a non-DCP pipe and
the FRDY bit of {C,Dn}FIFOCTR register is set to 1.
Fixes: e8d548d54968 ("usb: renesas_usbhs: fifo became independent from pipe.")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/renesas_usbhs/fifo.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -261,11 +261,17 @@ static void usbhsf_fifo_clear(struct usb
struct usbhs_fifo *fifo)
{
struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
+ int ret = 0;
if (!usbhs_pipe_is_dcp(pipe))
- usbhsf_fifo_barrier(priv, fifo);
+ ret = usbhsf_fifo_barrier(priv, fifo);
- usbhs_write(priv, fifo->ctr, BCLR);
+ /*
+ * if non-DCP pipe, this driver should set BCLR when
+ * usbhsf_fifo_barrier() returns 0.
+ */
+ if (!ret)
+ usbhs_write(priv, fifo->ctr, BCLR);
}
static int usbhsf_fifo_rcv_len(struct usbhs_priv *priv,
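Review bot: `usbhsf_fifo_clear()` stays `void`, so when `usbhsf_fifo_barrier()` fails on a non-DCP pipe the BCLR write is now skipped silently and the caller cannot tell that the FIFO was not cleared; either return `ret` or add a `dev_dbg()` on that path. The new comment also says BCLR is set "when usbhsf_fifo_barrier() returns 0", but `if (!ret)` equally covers the DCP case where the barrier is never called and `ret` keeps its initial 0; wording it as "DCP pipe, or the barrier succeeded" would match the code.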
* [PATCH 3.16 174/204] ALSA: seq: Fix OSS sysex delivery in OSS emulation
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mark Salyzyn, Takashi Iwai, syzbot
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 132d358b183ac6ad8b3fea32ad5e0663456d18d1 upstream.
The SYSEX event delivery in OSS sequencer emulation assumed that the
event is encoded in the variable-length data with the straight
buffering. This was the normal behavior in the past, but during the
development, the chained buffers were introduced for carrying more
data, while the OSS code was left intact. As a result, when a SYSEX
event with the chained buffer data is passed to OSS sequencer port,
it may end up with the wrong memory access, as if it were having a too
large buffer.
This patch addresses the bug, by applying the buffer data expansion by
the generic snd_seq_dump_var_event() helper function.
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Mark Salyzyn <salyzyn@android.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/seq/oss/seq_oss_midi.c | 4 +---
sound/core/seq/oss/seq_oss_readq.c | 29 +++++++++++++++++++++++++++++
sound/core/seq/oss/seq_oss_readq.h | 2 ++
3 files changed, 32 insertions(+), 3 deletions(-)
--- a/sound/core/seq/oss/seq_oss_midi.c
+++ b/sound/core/seq/oss/seq_oss_midi.c
@@ -615,9 +615,7 @@ send_midi_event(struct seq_oss_devinfo *
if (!dp->timer->running)
len = snd_seq_oss_timer_start(dp->timer);
if (ev->type == SNDRV_SEQ_EVENT_SYSEX) {
- if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) == SNDRV_SEQ_EVENT_LENGTH_VARIABLE)
- snd_seq_oss_readq_puts(dp->readq, mdev->seq_device,
- ev->data.ext.ptr, ev->data.ext.len);
+ snd_seq_oss_readq_sysex(dp->readq, mdev->seq_device, ev);
} else {
len = snd_midi_event_decode(mdev->coder, msg, sizeof(msg), ev);
if (len > 0)
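Review bot: the return value of the new `snd_seq_oss_readq_sysex()` call is discarded, as the removed `snd_seq_oss_readq_puts()` call's was; since the helper now returns whatever `snd_seq_dump_var_event()` returns, and that propagates the callback's error, consider whether a failed enqueue should be reflected in `len` rather than dropped. Not a regression against the removed code, but the new helper makes the error available for the first time.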
--- a/sound/core/seq/oss/seq_oss_readq.c
+++ b/sound/core/seq/oss/seq_oss_readq.c
@@ -120,6 +120,35 @@ snd_seq_oss_readq_puts(struct seq_oss_re
}
/*
+ * put MIDI sysex bytes; the event buffer may be chained, thus it has
+ * to be expanded via snd_seq_dump_var_event().
+ */
+struct readq_sysex_ctx {
+ struct seq_oss_readq *readq;
+ int dev;
+};
+
+static int readq_dump_sysex(void *ptr, void *buf, int count)
+{
+ struct readq_sysex_ctx *ctx = ptr;
+
+ return snd_seq_oss_readq_puts(ctx->readq, ctx->dev, buf, count);
+}
+
+int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev,
+ struct snd_seq_event *ev)
+{
+ struct readq_sysex_ctx ctx = {
+ .readq = q,
+ .dev = dev
+ };
+
+ if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE)
+ return 0;
+ return snd_seq_dump_var_event(ev, readq_dump_sysex, &ctx);
+}
+
+/*
* copy an event to input queue:
* return zero if enqueued
*/
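Review bot: the block comment "put MIDI sysex bytes; the event buffer may be chained ..." sits above `struct readq_sysex_ctx` rather than above `snd_seq_oss_readq_sysex()`, the function it describes; move the struct and `readq_dump_sysex()` above the comment, or the comment down to the function. The early `return 0;` for a SYSEX event whose length type is not VARIABLE silently drops the event, the same as the removed check in seq_oss_midi.c did; a one-line comment that this is intentional would help the next reader.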
--- a/sound/core/seq/oss/seq_oss_readq.h
+++ b/sound/core/seq/oss/seq_oss_readq.h
@@ -44,6 +44,8 @@ void snd_seq_oss_readq_delete(struct seq
void snd_seq_oss_readq_clear(struct seq_oss_readq *readq);
unsigned int snd_seq_oss_readq_poll(struct seq_oss_readq *readq, struct file *file, poll_table *wait);
int snd_seq_oss_readq_puts(struct seq_oss_readq *readq, int dev, unsigned char *data, int len);
+int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev,
+ struct snd_seq_event *ev);
int snd_seq_oss_readq_put_event(struct seq_oss_readq *readq, union evrec *ev);
int snd_seq_oss_readq_put_timestamp(struct seq_oss_readq *readq, unsigned long curt, int seq_mode);
int snd_seq_oss_readq_pick(struct seq_oss_readq *q, union evrec *rec);
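Review bot: the new prototype names its first parameter `q` while the adjacent declarations use `readq` (only `snd_seq_oss_readq_pick` below uses `q`); naming it `readq` in both the header and the definition in seq_oss_readq.c keeps the file consistent. Style only.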
* [PATCH 3.16 017/204] gpio: acpi: work around false-positive -Wstring-overflow warning
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Arnd Bergmann, Andy Shevchenko, Mika Westerberg,
Linus Walleij
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit e40a3ae1f794a35c4af3746291ed6fedc1fa0f6f upstream.
gcc-7 notices that the pin_table is an array of 16-bit numbers,
but fails to take the following range check into account:
drivers/gpio/gpiolib-acpi.c: In function 'acpi_gpiochip_request_interrupt':
drivers/gpio/gpiolib-acpi.c:206:24: warning: '%02X' directive writing between 2 and 4 bytes into a region of size 3 [-Wformat-overflow=]
sprintf(ev_name, "_%c%02X",
^~~~
drivers/gpio/gpiolib-acpi.c:206:20: note: directive argument in the range [0, 65535]
sprintf(ev_name, "_%c%02X",
^~~~~~~~~
drivers/gpio/gpiolib-acpi.c:206:3: note: 'sprintf' output between 5 and 7 bytes into a destination of size 5
sprintf(ev_name, "_%c%02X",
^~~~~~~~~~~~~~~~~~~~~~~~~~~
agpio->triggering == ACPI_EDGE_SENSITIVE ? 'E' : 'L',
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pin);
~~~~
As suggested by Andy, this changes the format string to have a fixed length.
Since modifying the range check did not help, I also opened a bug against
gcc, see link below.
Fixes: 0d1c28a449c6 ("gpiolib-acpi: Add ACPI5 event model support to gpio.")
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patchwork.kernel.org/patch/9840801/
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82123
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpio/gpiolib-acpi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -130,7 +130,7 @@ static acpi_status acpi_gpiochip_request
if (pin <= 255) {
char ev_name[5];
- sprintf(ev_name, "_%c%02X",
+ sprintf(ev_name, "_%c%02hhX",
agpio->triggering == ACPI_EDGE_SENSITIVE ? 'E' : 'L',
pin);
if (ACPI_SUCCESS(acpi_get_handle(handle, ev_name, &evt_handle)))
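Review bot: `%02hhX` bounds the conversion to two hex digits whatever the value of `pin`, so the 5-byte `ev_name` is safe even if the `pin <= 255` check is later relaxed, but it also means an out-of-range pin would be silently reduced to its low byte and look up the wrong `_Exx`/`_Lxx` method; keep the range check as the real guard, and consider `snprintf(ev_name, sizeof(ev_name), ...)` so the buffer bound is explicit in the call rather than implied by the format string.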
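The overflow gcc is warning about, shown as an added example in plain C that is not code from gpiolib-acpi or from this patch: ev_name_required_len() asks snprintf() how many bytes each format string would produce for a given pin value, and build_ev_name() is a hypothetical helper that mirrors the patched call with the range check kept. The function names and EV_NAME_LEN are invented for illustration; the "_" + E/L + two-hex-digit layout is the one the hunk formats.

```c
#include <stdio.h>
#include <string.h>

/* "_E2A" style names: '_' + 'E'/'L' + two hex digits + NUL = 5 bytes. */
#define EV_NAME_LEN 5

/*
 * Bytes (excluding the NUL) that `fmt` would emit for this pin. With
 * "%02X" the 2 is only a minimum width, so a 16-bit pin can still
 * produce four digits; with "%02hhX" the argument is converted to
 * unsigned char first and the output can never exceed two digits.
 */
int ev_name_required_len(const char *fmt, int edge, unsigned int pin)
{
	return snprintf(NULL, 0, fmt, edge ? 'E' : 'L', pin);
}

/*
 * Hypothetical helper mirroring the patched call: the pin <= 255 check
 * remains the real guard (the method name is only defined for that
 * range), and the fixed-width conversion guarantees the buffer bound
 * even if that check is changed later. Returns 0 and fills name, or -1
 * if the pin is out of range.
 */
int build_ev_name(char name[EV_NAME_LEN], int edge, unsigned int pin)
{
	if (pin > 255)
		return -1;
	snprintf(name, EV_NAME_LEN, "_%c%02hhX", edge ? 'E' : 'L', pin);
	return 0;
}

/* 1 if build_ev_name() accepts the pin and yields `expect`, else 0. */
int ev_name_matches(int edge, unsigned int pin, const char *expect)
{
	char name[EV_NAME_LEN];

	if (build_ev_name(name, edge, pin) < 0)
		return 0;
	return strcmp(name, expect) == 0;
}

int main(void)
{
	char name[EV_NAME_LEN];

	build_ev_name(name, 1, 0x2A);
	printf("pin 0x2A edge   -> %s\n", name);
	printf("\"%%02X\"   needs %d bytes for pin 0x1234 (buffer holds 4)\n",
	       ev_name_required_len("_%c%02X", 1, 0x1234));
	printf("\"%%02hhX\" needs %d bytes for pin 0x1234\n",
	       ev_name_required_len("_%c%02hhX", 1, 0x1234));
	return 0;
}
```

The second required-length call is the case gcc computes from the u16 type: six characters plus the NUL into a five-byte array, which is why the warning fires even though the surrounding `if (pin <= 255)` makes it unreachable.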
* [PATCH 3.16 159/204] KEYS: return full count in keyring_read() if buffer is too small
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, James Morris, Eric Biggers, David Howells
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 3239b6f29bdfb4b0a2ba59df995fc9e6f4df7f1f upstream.
Commit e645016abc80 ("KEYS: fix writing past end of user-supplied buffer
in keyring_read()") made keyring_read() stop corrupting userspace memory
when the user-supplied buffer is too small. However it also made the
return value in that case be the short buffer size rather than the size
required, yet keyctl_read() is actually documented to return the size
required. Therefore, switch it over to the documented behavior.
Note that for now we continue to have it fill the short buffer, since it
did that before (pre-v3.13) and dump_key_tree_aux() in keyutils arguably
relies on it.
Fixes: e645016abc80 ("KEYS: fix writing past end of user-supplied buffer in keyring_read()")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/keyring.c | 39 +++++++++++++++++++--------------------
1 file changed, 19 insertions(+), 20 deletions(-)
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -441,34 +441,33 @@ static long keyring_read(const struct ke
char __user *buffer, size_t buflen)
{
struct keyring_read_iterator_context ctx;
- unsigned long nr_keys;
- int ret;
+ long ret;
kenter("{%d},,%zu", key_serial(keyring), buflen);
if (buflen & (sizeof(key_serial_t) - 1))
return -EINVAL;
- nr_keys = keyring->keys.nr_leaves_on_tree;
- if (nr_keys == 0)
- return 0;
-
- /* Calculate how much data we could return */
- if (!buffer || !buflen)
- return nr_keys * sizeof(key_serial_t);
-
- /* Copy the IDs of the subscribed keys into the buffer */
- ctx.buffer = (key_serial_t __user *)buffer;
- ctx.buflen = buflen;
- ctx.count = 0;
- ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
- if (ret < 0) {
- kleave(" = %d [iterate]", ret);
- return ret;
+ /* Copy as many key IDs as fit into the buffer */
+ if (buffer && buflen) {
+ ctx.buffer = (key_serial_t __user *)buffer;
+ ctx.buflen = buflen;
+ ctx.count = 0;
+ ret = assoc_array_iterate(&keyring->keys,
+ keyring_read_iterator, &ctx);
+ if (ret < 0) {
+ kleave(" = %ld [iterate]", ret);
+ return ret;
+ }
}
- kleave(" = %zu [ok]", ctx.count);
- return ctx.count;
+ /* Return the size of the buffer needed */
+ ret = keyring->keys.nr_leaves_on_tree * sizeof(key_serial_t);
+ if (ret <= buflen)
+ kleave("= %ld [ok]", ret);
+ else
+ kleave("= %ld [buffer too small]", ret);
+ return ret;
}
/*
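Review bot: `if (ret <= buflen)` compares a `long` with a `size_t`; `ret` is non-negative at that point so the result is right, but it trips -Wsign-compare and reads better as `(size_t)ret <= buflen`. The two new `kleave("= %ld ...")` strings also drop the leading space the retained `kleave(" = %ld [iterate]")` uses, so the debug trace format now differs between the paths. The point callers need, that a return larger than `buflen` means the buffer holds only a prefix of the list, is only in the commit message; extending the `/* Return the size of the buffer needed */` comment with that sentence would put the contract in the code.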
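The contract the commit message describes (fill as much as fits, always return the size required), as an added example in plain C that is not part of the patch or of the kernel's keyring code: fake_keyring_read() stands in for the patched keyring_read() over a constructed three-key keyring, and read_all_key_ids() is the userspace retry loop a keyctl_read() caller should use against that contract, including the case where the list grows between the sizing call and the read. All names and the sample serials are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t key_serial_t;

/* Constructed stand-in for a keyring: the serials of its subscribed keys. */
struct fake_keyring {
	const key_serial_t *ids;
	size_t nr;
};

/*
 * Mimics the patched keyring_read(): copy as many serials as fit into
 * the caller's buffer, but always return the byte size of the full list
 * (or -EINVAL for a length that is not a multiple of key_serial_t).
 * Before the patch the short-buffer case returned buflen, so a caller
 * could not tell a partial read from a complete one.
 */
long fake_keyring_read(const struct fake_keyring *kr, char *buffer, size_t buflen)
{
	if (buflen & (sizeof(key_serial_t) - 1))
		return -EINVAL;
	if (buffer && buflen) {
		size_t n = buflen / sizeof(key_serial_t);

		if (n > kr->nr)
			n = kr->nr;
		memcpy(buffer, kr->ids, n * sizeof(key_serial_t));
	}
	return (long)(kr->nr * sizeof(key_serial_t));
}

/*
 * Caller-side pattern for that contract: probe the size with NULL/0,
 * allocate, read, and go round again if the returned size exceeds what
 * was allocated (the keyring grew in between). Returns the number of
 * serials stored in *out (malloc'd, caller frees) or a negative errno.
 */
long read_all_key_ids(const struct fake_keyring *kr, key_serial_t **out)
{
	long need = fake_keyring_read(kr, NULL, 0);
	int attempt;

	if (need < 0)
		return need;
	for (attempt = 0; attempt < 4; attempt++) {
		key_serial_t *buf = malloc(need ? (size_t)need : sizeof(*buf));
		long got;

		if (!buf)
			return -ENOMEM;
		got = fake_keyring_read(kr, (char *)buf, (size_t)need);
		if (got < 0) {
			free(buf);
			return got;
		}
		if (got <= need) {	/* everything fitted */
			*out = buf;
			return got / (long)sizeof(key_serial_t);
		}
		free(buf);		/* list outgrew the buffer: retry larger */
		need = got;
	}
	return -EAGAIN;
}

/* Constructed sample keyring with three keys. */
static const key_serial_t sample_ids[] = { 0x1001, 0x1002, 0x1003 };
static const struct fake_keyring sample = { sample_ids, 3 };

/* Short buffer: two serials are filled, but the return value says 12. */
long demo_short_read(void)
{
	key_serial_t two[2] = { 0, 0 };
	long ret = fake_keyring_read(&sample, (char *)two, sizeof(two));

	if (two[0] != 0x1001 || two[1] != 0x1002)
		return -1;
	return ret;
}

/* Full read through the retry loop: returns 3 with the ids in order. */
long demo_full_read(void)
{
	key_serial_t *ids = NULL;
	long n = read_all_key_ids(&sample, &ids);

	if (n == 3 && (ids[0] != 0x1001 || ids[2] != 0x1003))
		n = -1;
	free(ids);
	return n;
}

int main(void)
{
	printf("short read returned %ld bytes needed\n", demo_short_read());
	printf("full read returned %ld serials\n", demo_full_read());
	return 0;
}
```

The loop's retry bound matters: with the pre-patch behaviour the first read would have returned the buffer size, so the `got <= need` test would have declared a truncated list complete.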
* [PATCH 3.16 135/204] x86/amd_nb: Add Fam17h Data Fabric as "Northbridge"
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Borislav Petkov, linux-edac, Thomas Gleixner, Yazen Ghannam,
x86-ml
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yazen Ghannam <Yazen.Ghannam@amd.com>
commit b791c6b6a55c402367cc544f54921074253db061 upstream.
AMD Fam17h uses a Data Fabric component instead of a traditional
Northbridge. However, the DF is similar to a NB in that there is one per
die and it uses PCI config D18Fx registers. So let's reuse the existing
AMD_NB infrastructure for Data Fabrics.
Signed-off-by: Yazen Ghannam <Yazen.Ghannam@amd.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: x86-ml <x86@kernel.org>
Link: http://lkml.kernel.org/r/1478812257-5424-4-git-send-email-Yazen.Ghannam@amd.com
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/amd_nb.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/x86/kernel/amd_nb.c
+++ b/arch/x86/kernel/amd_nb.c
@@ -13,6 +13,9 @@
#include <linux/spinlock.h>
#include <asm/amd_nb.h>
+#define PCI_DEVICE_ID_AMD_17H_DF_F3 0x1463
+#define PCI_DEVICE_ID_AMD_17H_DF_F4 0x1464
+
static u32 *flush_words;
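Review bot: `PCI_DEVICE_ID_AMD_17H_DF_F3`/`_F4` are defined locally in amd_nb.c while the other `PCI_DEVICE_ID_AMD_*_NB_F*` ids in these tables come from `include/linux/pci_ids.h`; if another driver (EDAC, for example) needs the same Data Fabric functions the definitions will be duplicated, so either move them to pci_ids.h or add a comment justifying the local placement.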
const struct pci_device_id amd_nb_misc_ids[] = {
@@ -24,6 +27,7 @@ const struct pci_device_id amd_nb_misc_i
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M60H_NB_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F3) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F3) },
{}
};
EXPORT_SYMBOL(amd_nb_misc_ids);
@@ -34,6 +38,7 @@ static const struct pci_device_id amd_nb
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M60H_NB_F4) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F4) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F4) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F4) },
{}
};
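Review bot: adding the Fam17h F3/F4 ids to `amd_nb_misc_ids` and `amd_nb_link_ids` makes every consumer of these tables treat a Data Fabric as a northbridge. The commit message says the register layout is similar, but any code in amd_nb.c that assumes NB-specific features for matched devices (feature probing keyed on the family of the matched id) should carry a Fam17h guard; nothing in this hunk adds one, so if such guards exist upstream but not in 3.16 that belongs in the stable backport note.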
* [PATCH 3.16 059/204] vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Alexey Kodanev
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <alexey.kodanev@oracle.com>
commit 36f6ee22d2d66046e369757ec6bbe1c482957ba6 upstream.
When running LTP IPsec tests, KASan might report:
BUG: KASAN: use-after-free in vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
Read of size 4 at addr ffff880dc6ad1980 by task swapper/0/0
...
Call Trace:
<IRQ>
dump_stack+0x63/0x89
print_address_description+0x7c/0x290
kasan_report+0x28d/0x370
? vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
__asan_report_load4_noabort+0x19/0x20
vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
? vti_init_net+0x190/0x190 [ip_vti]
? save_stack_trace+0x1b/0x20
? save_stack+0x46/0xd0
dev_hard_start_xmit+0x147/0x510
? icmp_echo.part.24+0x1f0/0x210
__dev_queue_xmit+0x1394/0x1c60
...
Freed by task 0:
save_stack_trace+0x1b/0x20
save_stack+0x46/0xd0
kasan_slab_free+0x70/0xc0
kmem_cache_free+0x81/0x1e0
kfree_skbmem+0xb1/0xe0
kfree_skb+0x75/0x170
kfree_skb_list+0x3e/0x60
__dev_queue_xmit+0x1298/0x1c60
dev_queue_xmit+0x10/0x20
neigh_resolve_output+0x3a8/0x740
ip_finish_output2+0x5c0/0xe70
ip_finish_output+0x4ba/0x680
ip_output+0x1c1/0x3a0
xfrm_output_resume+0xc65/0x13d0
xfrm_output+0x1e4/0x380
xfrm4_output_finish+0x5c/0x70
Can be fixed if we get skb->len before dst_output().
Fixes: b9959fd3b0fa ("vti: switch to new ip tunnel code")
Fixes: 22e1b23dafa8 ("vti6: Support inter address family tunneling.")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/ip_vti.c | 3 ++-
net/ipv6/ip6_vti.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -151,6 +151,7 @@ static netdev_tx_t vti_xmit(struct sk_bu
struct ip_tunnel_parm *parms = &tunnel->parms;
struct dst_entry *dst = skb_dst(skb);
struct net_device *tdev; /* Device to other host */
+ int pkt_len = skb->len;
int err;
if (!dst) {
@@ -194,7 +195,7 @@ static netdev_tx_t vti_xmit(struct sk_bu
err = dst_output(skb);
if (net_xmit_eval(err) == 0)
- err = skb->len;
+ err = pkt_len;
iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
return NETDEV_TX_OK;
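Review bot: `pkt_len` is captured at function entry, before the skb is handed to `dst_output()`, which closes the use-after-free; it therefore records the pre-encapsulation length, the same value the old `skb->len` read returned whenever the skb happened to survive, so the counters do not change. Minor: `int pkt_len` holds a value from the unsigned `skb->len`; `unsigned int` would match the field and avoid a sign conversion in the stats arithmetic.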
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -407,6 +407,7 @@ vti6_xmit(struct sk_buff *skb, struct ne
struct net_device_stats *stats = &t->dev->stats;
struct dst_entry *dst = skb_dst(skb);
struct net_device *tdev;
+ int pkt_len = skb->len;
int err = -1;
if (!dst)
@@ -441,7 +442,7 @@ vti6_xmit(struct sk_buff *skb, struct ne
struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
u64_stats_update_begin(&tstats->syncp);
- tstats->tx_bytes += skb->len;
+ tstats->tx_bytes += pkt_len;
tstats->tx_packets++;
u64_stats_update_end(&tstats->syncp);
} else {
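Review bot: same pattern as the ip_vti.c half, with `pkt_len` captured before `dst_output()`; the `tx_bytes += pkt_len` site is inside the success branch and the `else` (error stats) branch is unchanged, so no skb field is read after the output call here either. As in ip_vti.c, `unsigned int pkt_len` would match the type of `skb->len`.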
* [PATCH 3.16 070/204] usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Yoshihiro Shimoda
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
commit 0a2ce62b61f2c76d0213edf4e37aaf54a8ddf295 upstream.
This patch fixes an issue where usbhsf_fifo_clear() can cause a
10 msec delay if the pipe is RX direction and empty, because the
FRDY bit will never be set to 1 in that case.
Fixes: e8d548d54968 ("usb: renesas_usbhs: fifo became independent from pipe.")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/renesas_usbhs/fifo.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -263,8 +263,17 @@ static void usbhsf_fifo_clear(struct usb
struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
int ret = 0;
- if (!usbhs_pipe_is_dcp(pipe))
- ret = usbhsf_fifo_barrier(priv, fifo);
+ if (!usbhs_pipe_is_dcp(pipe)) {
+ /*
+ * This driver checks the pipe condition first to avoid -EBUSY
+ * from usbhsf_fifo_barrier() with about 10 msec delay in
+ * the interrupt handler if the pipe is RX direction and empty.
+ */
+ if (usbhs_pipe_is_dir_in(pipe))
+ ret = usbhs_pipe_is_accessible(pipe);
+ if (!ret)
+ ret = usbhsf_fifo_barrier(priv, fifo);
+ }
/*
* if non-DCP pipe, this driver should set BCLR when
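Review bot: `ret = usbhs_pipe_is_accessible(pipe)` reuses `ret` for two meanings, a non-zero result from the accessibility check (RX pipe empty, nothing to clear) and a failure from `usbhsf_fifo_barrier()`; both then skip BCLR through the `if (!ret)` below, which is the intended behaviour, but a reader cannot tell the "nothing to do" case from an error. Either keep the two results in separate variables or extend the new comment to say that an inaccessible IN pipe has no data and BCLR is deliberately skipped for it.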
* [PATCH 3.16 181/204] sched/topology: Remove FORCE_SD_OVERLAP
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Mike Galbraith, Ingo Molnar, Thomas Gleixner,
Linus Torvalds, Peter Zijlstra
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit af85596c74de2fd9abb87501ae280038ac28a3f4 upstream.
It's an obsolete debug mechanism and future code wants to rely on
properties this undermines.
Namely, it would be good to assume that SD_OVERLAP domains have
children, but if we build the entire hierarchy with SD_OVERLAP this is
obviously false.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sched/core.c | 2 +-
kernel/sched/features.h | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -6631,7 +6631,7 @@ static int build_sched_domains(const str
sd = build_sched_domain(tl, cpu_map, attr, sd, i);
if (tl == sched_domain_topology)
*per_cpu_ptr(d.sd, i) = sd;
- if (tl->flags & SDTL_OVERLAP || sched_feat(FORCE_SD_OVERLAP))
+ if (tl->flags & SDTL_OVERLAP)
sd->flags |= SD_OVERLAP;
if (cpumask_equal(cpu_map, sched_domain_span(sd)))
break;
--- a/kernel/sched/features.h
+++ b/kernel/sched/features.h
@@ -56,7 +56,6 @@ SCHED_FEAT(NONTASK_CAPACITY, true)
*/
SCHED_FEAT(TTWU_QUEUE, true)
-SCHED_FEAT(FORCE_SD_OVERLAP, false)
SCHED_FEAT(RT_RUNTIME_SHARE, true)
SCHED_FEAT(LB_MIN, false)
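Review bot: removing `SCHED_FEAT(FORCE_SD_OVERLAP, false)` also removes the name from the debugfs `sched_features` file, so writing `FORCE_SD_OVERLAP` there now fails; harmless for a debug knob, but as this is a stable backport the `[bwh: ...]` note could mention the user-visible change. The core.c hunk above was the only reader, so no dangling `sched_feat()` reference remains.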
* [PATCH 3.16 033/204] Input: uinput - avoid crash when sending FF request to device going away
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit 6b4877c7bdc6ae39ce03716df7caeecf204697eb upstream.
If an FF request comes in while uinput device is going away,
uinput_request_send() will fail with -ENODEV, and uinput_request_submit()
will attempt to mark the slot as unused by calling uinput_request_done().
Unfortunately in this case we haven't initialized request->done completion
yet, and we get a crash:
[ 39.402036] BUG: spinlock bad magic on CPU#1, fftest/3108
[ 39.402046] lock: 0xffff88006a93bb00, .magic: 00000000, .owner: /39, .owner_cpu: 1217155072
[ 39.402055] CPU: 1 PID: 3108 Comm: fftest Tainted: G W 4.13.0+ #15
[ 39.402059] Hardware name: LENOVO 20HQS0EG02/20HQS0EG02, BIOS N1MET37W (1.22 ) 07/04/2017
[ 39.402064] 0000000000000086 f0fad82f3ceaa120 ffff88006a93b9a0 ffffffff9de941bb
[ 39.402077] ffff88026df8ae00 ffff88006a93bb00 ffff88006a93b9c0 ffffffff9dca62b7
[ 39.402088] ffff88006a93bb00 ffff88006a93baf8 ffff88006a93b9e0 ffffffff9dca62e7
[ 39.402099] Call Trace:
[ 39.402112] [<ffffffff9de941bb>] dump_stack+0x4d/0x63
[ 39.402123] [<ffffffff9dca62b7>] spin_dump+0x97/0x9c
[ 39.402130] [<ffffffff9dca62e7>] spin_bug+0x2b/0x2d
[ 39.402138] [<ffffffff9dca6373>] do_raw_spin_lock+0x28/0xfd
[ 39.402147] [<ffffffff9e3055cd>] _raw_spin_lock_irqsave+0x19/0x1f
[ 39.402154] [<ffffffff9dca05b7>] complete+0x1d/0x48
[ 39.402162] [<ffffffffc04f30af>] 0xffffffffc04f30af
[ 39.402167] [<ffffffffc04f468c>] 0xffffffffc04f468c
[ 39.402177] [<ffffffff9dd59c16>] ? __slab_free+0x22f/0x359
[ 39.402184] [<ffffffff9dcc13e9>] ? tk_clock_read+0xc/0xe
[ 39.402189] [<ffffffffc04f471f>] 0xffffffffc04f471f
[ 39.402195] [<ffffffff9dc9ffe5>] ? __wake_up+0x44/0x4b
[ 39.402200] [<ffffffffc04f3240>] ? 0xffffffffc04f3240
[ 39.402207] [<ffffffff9e0f57f3>] erase_effect+0xa1/0xd2
[ 39.402214] [<ffffffff9e0f58c6>] input_ff_flush+0x43/0x5c
[ 39.402219] [<ffffffffc04f32ad>] 0xffffffffc04f32ad
[ 39.402227] [<ffffffff9e0f174f>] input_flush_device+0x3d/0x51
[ 39.402234] [<ffffffff9e0f69ae>] evdev_flush+0x49/0x5c
[ 39.402243] [<ffffffff9dd62d6e>] filp_close+0x3f/0x65
[ 39.402253] [<ffffffff9dd7dcf7>] put_files_struct+0x66/0xc1
[ 39.402261] [<ffffffff9dd7ddeb>] exit_files+0x47/0x4e
[ 39.402270] [<ffffffff9dc6b329>] do_exit+0x483/0x969
[ 39.402278] [<ffffffff9dc73211>] ? recalc_sigpending_tsk+0x3d/0x44
[ 39.402285] [<ffffffff9dc6c7a2>] do_group_exit+0x42/0xb0
[ 39.402293] [<ffffffff9dc767e1>] get_signal+0x58d/0x5bf
[ 39.402300] [<ffffffff9dc03701>] do_signal+0x37/0x53e
[ 39.402307] [<ffffffff9e0f8401>] ? evdev_ioctl_handler+0xac8/0xb04
[ 39.402314] [<ffffffff9e0f8464>] ? evdev_ioctl+0x10/0x12
[ 39.402321] [<ffffffff9dd74cfa>] ? do_vfs_ioctl+0x42e/0x501
[ 39.402328] [<ffffffff9dc0170e>] prepare_exit_to_usermode+0x66/0x90
[ 39.402333] [<ffffffff9dc0181b>] syscall_return_slowpath+0xe3/0xec
[ 39.402339] [<ffffffff9e305b7b>] int_ret_from_sys_call+0x25/0x8f
While we could solve this by simply initializing the completion earlier, we
are better off rearranging the code a bit so we avoid calling complete() on
requests that we did not send out. This patch consolidates marking request
slots as free in one place (in uinput_request_submit(), the same place
where we acquire them) and having everyone else simply signal completion
of the requests.
Fixes: 00ce756ce53a ("Input: uinput - mark failed submission requests as free")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/misc/uinput.c | 39 +++++++++++++++++++++------------------
1 file changed, 21 insertions(+), 18 deletions(-)
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -98,14 +98,15 @@ static int uinput_request_reserve_slot(s
uinput_request_alloc_id(udev, request));
}
-static void uinput_request_done(struct uinput_device *udev,
- struct uinput_request *request)
+static void uinput_request_release_slot(struct uinput_device *udev,
+ unsigned int id)
{
/* Mark slot as available */
- udev->requests[request->id] = NULL;
- wake_up(&udev->requests_waitq);
+ spin_lock(&udev->requests_lock);
+ udev->requests[id] = NULL;
+ spin_unlock(&udev->requests_lock);
- complete(&request->done);
+ wake_up(&udev->requests_waitq);
}
static int uinput_request_send(struct uinput_device *udev,
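Review bot: uinput_request_release_slot() now stores NULL under requests_lock, which the old uinput_request_done() did not do; that is only meaningful if the reserve side (uinput_request_alloc_id(), called at the top of this hunk) tests and claims the slot under the same lock, so please confirm that pairing and add a short comment saying the slot array is protected by requests_lock. Doing the wake_up() after the unlock is correct.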
@@ -138,20 +139,22 @@ static int uinput_request_send(struct ui
static int uinput_request_submit(struct uinput_device *udev,
struct uinput_request *request)
{
- int error;
+ int retval;
- error = uinput_request_reserve_slot(udev, request);
- if (error)
- return error;
+ retval = uinput_request_reserve_slot(udev, request);
+ if (retval)
+ return retval;
- error = uinput_request_send(udev, request);
- if (error) {
- uinput_request_done(udev, request);
- return error;
- }
+ retval = uinput_request_send(udev, request);
+ if (retval)
+ goto out;
wait_for_completion(&request->done);
- return request->retval;
+ retval = request->retval;
+
+ out:
+ uinput_request_release_slot(udev, request->id);
+ return retval;
}
/*
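Review bot: releasing the slot at the single `out:` label, on both the send-failure and the completed path, is the actual fix: the -ENODEV path no longer calls complete() on a completion that uinput_request_send() never initialised. Two nits: the label is written as ` out:` with a leading space, which is unusual for this file, and wait_for_completion() remains uninterruptible, so a uinput client that never answers UI_END_FF_UPLOAD/ERASE still pins the submitter indefinitely; unchanged behaviour, but worth a comment now that the function is being restructured.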
@@ -169,7 +172,7 @@ static void uinput_flush_requests(struct
request = udev->requests[i];
if (request) {
request->retval = -ENODEV;
- uinput_request_done(udev, request);
+ complete(&request->done);
}
}
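Review bot: uinput_flush_requests() now only sets retval and calls complete(); it no longer clears the slot, which is right because the submitter does that at its `out:` label. The remaining question is ordering: this complete() is only safe if request->done has been initialised before the request became visible in udev->requests[], otherwise the flush path hits the same bad-magic splat as the original bug. The commit message implies init happens in uinput_request_send() after the state check, which is not visible in this diff, so please confirm that flush and send are serialised by the same mutex.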
@@ -858,7 +861,7 @@ static long uinput_ioctl_handler(struct
}
req->retval = ff_up.retval;
- uinput_request_done(udev, req);
+ complete(&req->done);
goto out;
case UI_END_FF_ERASE:
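Review bot: after this change the ioctl handler just signals the completion and leaves the slot reserved until the submitter releases it, so the request it looked up by id cannot be reused out from under it; that is the right division of responsibility, but the lookup of `req` above this hunk (not shown) now returns a request whose slot the submitter may be about to release, so it should be done under requests_lock. A comment at the lookup stating that slot lifetime belongs to uinput_request_submit() would help.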
@@ -874,7 +877,7 @@ static long uinput_ioctl_handler(struct
}
req->retval = ff_erase.retval;
- uinput_request_done(udev, req);
+ complete(&req->done);
goto out;
}
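Review bot: same pattern as the UI_END_FF_UPLOAD case; consistent with the other callers. The two ioctl arms are now identical apart from the struct they copy, which suggests a small helper, but that is optional for a stable fix.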
* [PATCH 3.16 136/204] x86/cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Yazen Ghannam, Ingo Molnar, Linus Torvalds, Sherry Hurwitz,
Thomas Gleixner, Borislav Petkov, Peter Zijlstra, mirh
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov <bp@suse.de>
commit bfc1168de949cd3e9ca18c3480b5085deff1ea7c upstream.
Some F14h machines have an erratum which, "under a highly specific
and detailed set of internal timing conditions" can lead to skipping
instructions and RIP corruption.
Add the fix for those machines when their BIOS doesn't apply it or
there simply isn't a BIOS update for them.
Tested-by: <mirh@protonmail.ch>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sherry Hurwitz <sherry.hurwitz@amd.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yazen Ghannam <Yazen.Ghannam@amd.com>
Link: http://lkml.kernel.org/r/20171022104731.28249-1-bp@alien8.de
Link: https://bugzilla.kernel.org/show_bug.cgi?id=197285
[ Added pr_info() that we activated the workaround. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/amd_nb.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
--- a/arch/x86/kernel/amd_nb.c
+++ b/arch/x86/kernel/amd_nb.c
@@ -18,6 +18,8 @@
static u32 *flush_words;
+#define PCI_DEVICE_ID_AMD_CNB17H_F4 0x1704
+
const struct pci_device_id amd_nb_misc_ids[] = {
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_10H_NB_MISC) },
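Review bot: PCI_DEVICE_ID_AMD_CNB17H_F4 is defined locally in amd_nb.c while the F3 id used two hunks down comes from the shared header; either both belong in include/linux/pci_ids.h or a comment should say why F4 stays private to this file. Also the bare `0x1704` has no explanatory comment; naming the device (Family 14h northbridge function 4) next to it would help the next reader.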
@@ -28,6 +30,7 @@ const struct pci_device_id amd_nb_misc_i
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F3) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F3) },
{}
};
EXPORT_SYMBOL(amd_nb_misc_ids);
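Review bot: adding CNB17H F3 to amd_nb_misc_ids is what makes amd_northbridges.num nonzero on these machines so fix_erratum_688() can run, but the table is exported (EXPORT_SYMBOL just below), so every module that probes on it will now also bind to Family 14h fusion parts. Please confirm those consumers cope with a northbridge that lacks the features they expect before this goes to stable.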
@@ -39,6 +42,7 @@ static const struct pci_device_id amd_nb
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F4) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F4) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F4) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F4) },
{}
};
@@ -285,6 +289,41 @@ void amd_flush_garts(void)
}
EXPORT_SYMBOL_GPL(amd_flush_garts);
+static void __fix_erratum_688(void *info)
+{
+#define MSR_AMD64_IC_CFG 0xC0011021
+
+ msr_set_bit(MSR_AMD64_IC_CFG, 3);
+ msr_set_bit(MSR_AMD64_IC_CFG, 14);
+}
+
+/* Apply erratum 688 fix so machines without a BIOS fix work. */
+static __init void fix_erratum_688(void)
+{
+ struct pci_dev *F4;
+ u32 val;
+
+ if (boot_cpu_data.x86 != 0x14)
+ return;
+
+ if (!amd_northbridges.num)
+ return;
+
+ F4 = node_to_amd_nb(0)->link;
+ if (!F4)
+ return;
+
+ if (pci_read_config_dword(F4, 0x164, &val))
+ return;
+
+ if (val & BIT(2))
+ return;
+
+ on_each_cpu(__fix_erratum_688, NULL, 0);
+
+ pr_info("x86/cpu/AMD: CPU erratum 688 worked around\n");
+}
+
static __init int init_amd_nbs(void)
{
int err = 0;
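Review bot: on_each_cpu(__fix_erratum_688, NULL, 0) passes wait=0, so the pr_info() below can print before every CPU has actually set the MSR bits; use wait=1 so the message is truthful and the workaround is in place before init continues. Two further points: CPUs brought online later get no fix because nothing registers a hotplug callback, which matters for stable kernels on hotplug-capable boxes, and only node 0's F4 register (`node_to_amd_nb(0)->link`, offset 0x164 bit 2) is consulted while the MSR is written on all CPUs; fine for single-node Family 14h, but say so in a comment. Finally, defining MSR_AMD64_IC_CFG inside the function body is odd; it belongs in msr-index.h.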
@@ -297,6 +336,8 @@ static __init int init_amd_nbs(void)
if (amd_cache_gart() < 0)
pr_notice("Cannot initialize GART flush words, GART support disabled\n");
+ fix_erratum_688();
+
return err;
}
* [PATCH 3.16 051/204] KEYS: prevent creating a different user's keyrings
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Howells, Eric Biggers
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.
It was possible for an unprivileged user to create the user and user
session keyrings for another user. For example:
sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
keyctl add keyring _uid_ses.4000 "" @u
sleep 15' &
sleep 1
sudo -u '#4000' keyctl describe @u
sudo -u '#4000' keyctl describe @us
This is problematic because these "fake" keyrings won't have the right
permissions. In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:
-4: alswrv-----v------------ 3000 0 keyring: _uid.4000
-5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000
Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.
Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings unless they're accessed")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -170,6 +170,7 @@ struct key {
#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
+#define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session keyring */
/* the key type and key description string
* - the desc is used to match a key against search criteria
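Review bot: the new flag is bit 11 while the previous one in this tree is bit 9, leaving bit 10 unused; presumably that keeps upstream's numbering so later backports don't collide, but a short comment saying so would prevent a future cleanup from renumbering it.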
@@ -221,6 +222,7 @@ extern struct key *key_alloc(struct key_
#define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
#define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
#define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */
+#define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */
extern void key_revoke(struct key *key);
extern void key_invalidate(struct key *key);
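Review bot: KEY_ALLOC_UID_KEYRING is 0x0010 with 0x0008 left unused in this tree, the same gap as the flag bit above; same suggestion, note that it mirrors upstream's value.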
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -137,7 +137,7 @@ extern key_ref_t keyring_search_aux(key_
extern key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx);
extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
-extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
+extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
extern int install_user_keyrings(void);
extern int install_thread_keyring_to_cred(struct cred *);
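Review bot: renaming the parameter from skip_perm_check to uid_keyring changes what `true` means (it now demands the flag rather than skipping the permission check), so every existing caller that passes true must be one that genuinely wants a user or user-session keyring. Only install_user_keyrings() is touched in this patch; please grep 3.16 for any other true caller before merging.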
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -298,6 +298,8 @@ struct key *key_alloc(struct key_type *t
key->flags |= 1 << KEY_FLAG_IN_QUOTA;
if (flags & KEY_ALLOC_TRUSTED)
key->flags |= 1 << KEY_FLAG_TRUSTED;
+ if (flags & KEY_ALLOC_UID_KEYRING)
+ key->flags |= 1 << KEY_FLAG_UID_KEYRING;
#ifdef KEY_DEBUGGING
key->magic = KEY_DEBUG_MAGIC;
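Review bot: nothing restricts KEY_ALLOC_UID_KEYRING to process_keys.c; any in-kernel key_alloc() caller, including modules, can set it and thereby mint a keyring that find_keyring_by_name() will treat as a user keyring. Userspace cannot reach these flags, so the risk is low, but the flag's comment in key.h should say it is for the core's own use only.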
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -931,15 +931,15 @@ found:
/*
* Find a keyring with the specified name.
*
- * All named keyrings in the current user namespace are searched, provided they
- * grant Search permission directly to the caller (unless this check is
- * skipped). Keyrings whose usage points have reached zero or who have been
- * revoked are skipped.
+ * Only keyrings that have nonzero refcount, are not revoked, and are owned by a
+ * user in the current user namespace are considered. If @uid_keyring is %true,
+ * the keyring additionally must have been allocated as a user or user session
+ * keyring; otherwise, it must grant Search permission directly to the caller.
*
* Returns a pointer to the keyring with the keyring's refcount having being
* incremented on success. -ENOKEY is returned if a key could not be found.
*/
-struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
+struct key *find_keyring_by_name(const char *name, bool uid_keyring)
{
struct key *keyring;
int bucket;
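Review bot: the rewritten comment promises the keyring is "owned by a user in the current user namespace", but the check implementing that is outside this hunk; please verify the loop body actually enforces it or point the comment at where it happens. While editing the comment block, the unchanged "refcount having being incremented" could become "having been incremented".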
@@ -967,10 +967,15 @@ struct key *find_keyring_by_name(const c
if (strcmp(keyring->description, name) != 0)
continue;
- if (!skip_perm_check &&
- key_permission(make_key_ref(keyring, 0),
- KEY_NEED_SEARCH) < 0)
- continue;
+ if (uid_keyring) {
+ if (!test_bit(KEY_FLAG_UID_KEYRING,
+ &keyring->flags))
+ continue;
+ } else {
+ if (key_permission(make_key_ref(keyring, 0),
+ KEY_NEED_SEARCH) < 0)
+ continue;
+ }
/* we've got a match but we might end up racing with
* key_cleanup() if the keyring is currently 'dead'
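Review bot: the uid_keyring branch skips the Search-permission check entirely, which is correct for install_user_keyrings() looking up the caller's own keyrings, and the flag test is what defeats the attack in the description. Note the subject line says "prevent creating"; what the change actually does is stop a foreign keyring named _uid.N from ever matching here, so an unprivileged user can still create such a keyring, it just no longer shadows the real one. Worth a comment on the `if (uid_keyring)` branch saying why no permission check is needed (the name encodes the uid, and the flag can only be set by the kernel).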
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -76,7 +76,9 @@ int install_user_keyrings(void)
if (IS_ERR(uid_keyring)) {
uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
cred, user_keyring_perm,
- KEY_ALLOC_IN_QUOTA, NULL);
+ KEY_ALLOC_UID_KEYRING |
+ KEY_ALLOC_IN_QUOTA,
+ NULL);
if (IS_ERR(uid_keyring)) {
ret = PTR_ERR(uid_keyring);
goto error;
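Review bot: KEY_ALLOC_UID_KEYRING is applied only on the allocation path, i.e. when the lookup just above returned an error; an already-existing keyring with the right name but no flag (for instance one created via keyctl as in the description) is therefore ignored and a fresh, flagged keyring is created instead. That is the intended outcome; the stale impostor stays in its creator's keyring but no longer shadows the real one, which would be good to spell out in the commit message.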
@@ -92,7 +94,9 @@ int install_user_keyrings(void)
session_keyring =
keyring_alloc(buf, user->uid, INVALID_GID,
cred, user_keyring_perm,
- KEY_ALLOC_IN_QUOTA, NULL);
+ KEY_ALLOC_UID_KEYRING |
+ KEY_ALLOC_IN_QUOTA,
+ NULL);
if (IS_ERR(session_keyring)) {
ret = PTR_ERR(session_keyring);
goto error_release;
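Review bot: consistent with the user keyring hunk above. The two keyring_alloc() calls now differ only in the name buffer, so a small helper would remove the duplication, but that is optional for a stable fix.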
* [PATCH 3.16 196/204] mm: Add a user_ns owner to mm_struct and fix ptrace permission checks
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Cyrill Gorcunov, Eric W. Biederman, Kees Cook
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 upstream.
During exec dumpable is cleared if the file that is being executed is
not readable by the user executing the file. A bug in
ptrace_may_access allows reading the file if the executable happens to
enter into a subordinate user namespace (aka clone(CLONE_NEWUSER),
unshare(CLONE_NEWUSER), or setns(fd, CLONE_NEWUSER).
This problem is fixed with only necessary userspace breakage by adding
a user namespace owner to mm_struct, captured at the time of exec, so
it is clear in which user namespace CAP_SYS_PTRACE must be present in
to be able to safely give read permission to the executable.
The function ptrace_may_access is modified to verify that the ptracer
has CAP_SYS_ADMIN in task->mm->user_ns instead of task->cred->user_ns.
This ensures that if the task changes its cred into a subordinate
user namespace it does not become ptraceable.
The function ptrace_attach is modified to only set PT_PTRACE_CAP when
CAP_SYS_PTRACE is held over task->mm->user_ns. The intent of
PT_PTRACE_CAP is to be a flag to note that whatever permission changes
the task might go through the tracer has sufficient permissions for
it not to be an issue. task->cred->user_ns is always the same
as or descendant of mm->user_ns. Which guarantees that having
CAP_SYS_PTRACE over mm->user_ns is the worst case for the tasks
credentials.
To prevent regressions mm->dumpable and mm->user_ns are not considered
when a task has no mm, as simply failing ptrace_may_attach causes
regressions in privileged applications attempting to read things
such as /proc/<pid>/stat.
Acked-by: Kees Cook <keescook@chromium.org>
Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
Fixes: 8409cca70561 ("userns: allow ptrace from non-init user namespaces")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/mm_types.h | 1 +
kernel/fork.c | 9 ++++++---
kernel/ptrace.c | 26 +++++++++++---------------
mm/init-mm.c | 2 ++
4 files changed, 20 insertions(+), 18 deletions(-)
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -419,6 +419,7 @@ struct mm_struct {
*/
struct task_struct __rcu *owner;
#endif
+ struct user_namespace *user_ns;
/* store ref to file /proc/<pid>/exe symlink points to */
struct file *exe_file;
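Review bot: the new user_ns member has no comment while its neighbours do; document that it is the namespace captured when the mm was created at exec, that it holds a reference, and that __mmdrop() drops it.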
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -527,7 +527,8 @@ static void mm_init_aio(struct mm_struct
#endif
}
-static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p)
+static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
+ struct user_namespace *user_ns)
{
atomic_set(&mm->mm_users, 1);
atomic_set(&mm->mm_count, 1);
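Review bot: mm_init() now takes the namespace explicitly; please note in a comment that the caller's reference is not consumed (mm_init takes its own via get_user_ns() further down), otherwise a reader of dup_mm() will wonder whether oldmm's reference is being handed over.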
@@ -551,6 +552,7 @@ static struct mm_struct *mm_init(struct
if (likely(!mm_alloc_pgd(mm))) {
mmu_notifier_mm_init(mm);
+ mm->user_ns = get_user_ns(user_ns);
return mm;
}
@@ -588,7 +590,7 @@ struct mm_struct *mm_alloc(void)
memset(mm, 0, sizeof(*mm));
mm_init_cpumask(mm);
- return mm_init(mm, current);
+ return mm_init(mm, current, current_user_ns());
}
/*
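Review bot: mm_alloc() captures current_user_ns(), i.e. the cred namespace at the moment the new mm is built for exec, which is what the commit message describes; nothing else to flag.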
@@ -603,6 +605,7 @@ void __mmdrop(struct mm_struct *mm)
destroy_context(mm);
mmu_notifier_mm_destroy(mm);
check_mm(mm);
+ put_user_ns(mm->user_ns);
free_mm(mm);
}
EXPORT_SYMBOL_GPL(__mmdrop);
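Review bot: put_user_ns() is placed after check_mm() and before free_mm(), so every mm reaching __mmdrop() must carry a valid user_ns; init_mm gets one statically in mm/init-mm.c and is never dropped, and mm_init() sets it on every dynamically created mm, so the only way to hit a NULL here would be an mm freed without going through mm_init(), which the fork.c changes rule out.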
@@ -822,7 +825,7 @@ static struct mm_struct *dup_mm(struct t
#if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS
mm->pmd_huge_pte = NULL;
#endif
- if (!mm_init(mm, tsk))
+ if (!mm_init(mm, tsk, mm->user_ns))
goto fail_nomem;
if (init_new_context(tsk, mm))
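Review bot: `mm_init(mm, tsk, mm->user_ns)` reads a field of the mm being initialised, which works only because dup_mm() memcpy()s oldmm into mm before this point, but it reads as if it were using an uninitialised value. Passing oldmm->user_ns (or a local taken from oldmm) says what is meant and survives a future reordering of the copy.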
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -230,7 +230,7 @@ static int ptrace_has_cap(struct user_na
static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
{
const struct cred *cred = current_cred(), *tcred;
- int dumpable = 0;
+ struct mm_struct *mm;
kuid_t caller_uid;
kgid_t caller_gid;
@@ -281,16 +281,11 @@ static int __ptrace_may_access(struct ta
return -EPERM;
ok:
rcu_read_unlock();
- smp_rmb();
- if (task->mm)
- dumpable = get_dumpable(task->mm);
- rcu_read_lock();
- if (dumpable != SUID_DUMP_USER &&
- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
- rcu_read_unlock();
- return -EPERM;
- }
- rcu_read_unlock();
+ mm = task->mm;
+ if (mm &&
+ ((get_dumpable(mm) != SUID_DUMP_USER) &&
+ !ptrace_has_cap(mm->user_ns, mode)))
+ return -EPERM;
return security_ptrace_access_check(task, mode);
}
@@ -341,6 +336,11 @@ static int ptrace_attach(struct task_str
task_lock(task);
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
+ if (!retval) {
+ struct mm_struct *mm = task->mm;
+ if (mm && ns_capable(mm->user_ns, CAP_SYS_PTRACE))
+ flags |= PT_PTRACE_CAP;
+ }
task_unlock(task);
if (retval)
goto unlock_creds;
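Review bot: computing PT_PTRACE_CAP from mm->user_ns inside the same task_lock() region as the access check is the right place for it, and it uses the same mm the check used. Minor: ns_capable() here will audit-log a denied CAP_SYS_PTRACE, which matches the old code, but the access check just above went through ptrace_has_cap() with PTRACE_MODE_ATTACH_REALCREDS semantics; if that helper's no-audit handling matters, use it here too.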
@@ -354,10 +354,6 @@ static int ptrace_attach(struct task_str
if (seize)
flags |= PT_SEIZED;
- rcu_read_lock();
- if (ns_capable(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
- flags |= PT_PTRACE_CAP;
- rcu_read_unlock();
task->ptrace = flags;
__ptrace_link(task, current);
--- a/mm/init-mm.c
+++ b/mm/init-mm.c
@@ -6,6 +6,7 @@
#include <linux/cpumask.h>
#include <linux/atomic.h>
+#include <linux/user_namespace.h>
#include <asm/pgtable.h>
#include <asm/mmu.h>
@@ -21,5 +22,6 @@ struct mm_struct init_mm = {
.mmap_sem = __RWSEM_INITIALIZER(init_mm.mmap_sem),
.page_table_lock = __SPIN_LOCK_UNLOCKED(init_mm.page_table_lock),
.mmlist = LIST_HEAD_INIT(init_mm.mmlist),
+ .user_ns = &init_user_ns,
INIT_MM_CONTEXT(init_mm)
};
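Review bot: static initialisation of .user_ns = &init_user_ns is required because __mmdrop() now unconditionally calls put_user_ns(); init_mm is never dropped, so no reference count is taken here, which is fine but could be noted in a comment since every other mm gets its reference from get_user_ns().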
* [PATCH 3.16 190/204] netfilter: xt_osf: Add missing permission checks
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Kevin Cernekee, Pablo Neira Ayuso
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Cernekee <cernekee@chromium.org>
commit 916a27901de01446bcf57ecca4783f6cff493309 upstream.
The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, xt_osf_fingers is shared by all net namespaces on the
system. An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:
vpnns -- nfnl_osf -f /tmp/pf.os
vpnns -- nfnl_osf -f /tmp/pf.os -d
These non-root operations successfully modify the systemwide OS
fingerprint list. Add new capable() checks so that they can't.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/xt_osf.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -19,6 +19,7 @@
#include <linux/module.h>
#include <linux/kernel.h>
+#include <linux/capability.h>
#include <linux/if.h>
#include <linux/inetdevice.h>
#include <linux/ip.h>
@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct so
struct xt_osf_finger *kf = NULL, *sf;
int err = 0;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!osf_attrs[OSF_ATTR_FINGER])
return -EINVAL;
@@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct
struct xt_osf_finger *sf;
int err = -ENOENT;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!osf_attrs[OSF_ATTR_FINGER])
return -EINVAL;
* [PATCH 3.16 057/204] btrfs: prevent to set invalid default subvolid
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, satoru takeuchi, David Sterba, Qu Wenruo
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: satoru takeuchi <satoru.takeuchi@gmail.com>
commit 6d6d282932d1a609e60dc4467677e0e863682f57 upstream.
`btrfs sub set-default` succeeds in setting an ID which doesn't correspond to any
fs/file tree. If such a bad ID is set on a filesystem, we can't mount this
filesystem without specifying the `subvol` or `subvolid` mount options.
Fixes: 6ef5ed0d386b ("Btrfs: add ioctl and incompat flag to set the default mount subvol")
Signed-off-by: Satoru Takeuchi <satoru.takeuchi@gmail.com>
Reviewed-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/ioctl.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3980,6 +3980,10 @@ static long btrfs_ioctl_default_subvol(s
ret = PTR_ERR(new_root);
goto out;
}
+ if (!is_fstree(new_root->objectid)) {
+ ret = -ENOENT;
+ goto out;
+ }
path = btrfs_alloc_path();
if (!path) {
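Review bot: -ENOENT for an objectid that is not an fs tree is defensible (there is no such subvolume), though -EINVAL would more directly tell the caller that the supplied id is not valid as a default; either way, a comment on the is_fstree() check saying which ids it rejects would help. Also confirm that new_root, obtained just above, needs no release on this early `goto out`; if the root lookup in 3.16 hands back a cached root without taking a reference the early exit is fine, otherwise this leaks.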
* [PATCH 3.16 114/204] include/linux/of.h: provide of_n_{addr,size}_cells wrappers for !CONFIG_OF
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Ben Dooks, Geert Uytterhoeven, Linus Torvalds,
Bjorn Helgaas, Frank Rowand, Arnd Bergmann, Magnus Damm
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 8a1ac5dc7be09883051b1bf89a5e57d7ad850fa5 upstream.
The pci-rcar driver is enabled for compile tests, and this has shown that
the driver cannot build without CONFIG_OF, following the inclusion of
commit f8f2fe7355fb ("PCI: rcar: Use new OF interrupt mapping when possible"):
drivers/pci/host/pcie-rcar.c: In function 'pci_dma_range_parser_init':
drivers/pci/host/pcie-rcar.c:1039:2: error: implicit declaration of function 'of_n_addr_cells' [-Werror=implicit-function-declaration]
parser->pna = of_n_addr_cells(node);
^
As pointed out by Ben Dooks and Geert Uytterhoeven, this is actually
supposed to build fine, which we can achieve if we make the declaration
of of_irq_parse_and_map_pci conditional on CONFIG_OF and provide an
empty inline function otherwise, as we do for a lot of other OF
interfaces.
This lets us build the rcar_pci driver again without CONFIG_OF for build
testing. All platforms using this driver select OF, so this doesn't
change anything for the users.
[akpm@linux-foundation.org: be consistent with surrounding code]
Link: http://lkml.kernel.org/r/20170911200805.3363318-1-arnd@arndb.de
Fixes: c25da4778803 ("PCI: rcar: Add Renesas R-Car PCIe driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Frank Rowand <frank.rowand@sony.com>
Acked-by: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Magnus Damm <damm@opensource.se>
Cc: Ben Dooks <ben.dooks@codethink.co.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/of.h | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/include/linux/of.h
+++ b/include/linux/of.h
@@ -503,6 +503,16 @@ static inline struct device_node *of_get
return NULL;
}
+static inline int of_n_addr_cells(struct device_node *np)
+{
+ return 0;
+
+}
+static inline int of_n_size_cells(struct device_node *np)
+{
+ return 0;
+}
+
static inline int of_property_read_u64(const struct device_node *np,
const char *propname, u64 *out_value)
{
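Review bot: there is a stray blank line inside of_n_addr_cells() between the `return 0;` and the closing brace (the empty `+` line); drop it so the two stubs match. Returning 0 for both cell counts means a caller that does arithmetic with the result (the pcie-rcar parser init quoted in the message) computes zero-sized ranges, which is acceptable because these stubs exist only so the driver compiles without CONFIG_OF, but a one-line comment saying they are compile-test stubs would prevent someone from relying on them at runtime.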
* [PATCH 3.16 182/204] sched/topology: Simplify build_overlap_sched_groups()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Mike Galbraith, Ingo Molnar, Thomas Gleixner,
Linus Torvalds, Peter Zijlstra
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 91eaed0d61319f58a9f8e43d41a8cbb069b4f73d upstream.
Now that the first group will always be the previous domain of this
@cpu this can be simplified.
In fact, writing the code now removed should've been a big clue I was
doing it wrong :/
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sched/core.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5869,7 +5869,7 @@ static void init_overlap_sched_group(str
static int
build_overlap_sched_groups(struct sched_domain *sd, int cpu)
{
- struct sched_group *first = NULL, *last = NULL, *groups = NULL, *sg;
+ struct sched_group *first = NULL, *last = NULL, *sg;
const struct cpumask *span = sched_domain_span(sd);
struct cpumask *covered = sched_domains_tmpmask;
struct sd_data *sdd = sd->private;
@@ -5899,15 +5899,6 @@ build_overlap_sched_groups(struct sched_
init_overlap_sched_group(sd, sg);
- /*
- * Make sure the first group of this domain contains the
- * canonical balance cpu. Otherwise the sched_domain iteration
- * breaks. See update_sg_lb_stats().
- */
- if ((!groups && cpumask_test_cpu(cpu, sg_span)) ||
- group_balance_cpu(sg) == cpu)
- groups = sg;
-
if (!first)
first = sg;
if (last)
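Review bot: the removed comment documented why the first group had to contain the canonical balance CPU (update_sg_lb_stats() iteration); the replacement assumption, that the first group built is always this CPU's previous domain, lives only in the commit message. Please add it as a comment where sd->groups is assigned, and for the stable backport confirm that the prerequisite change that made the assumption true is present in 3.16, since the backport note only mentions adjusting context.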
@@ -5915,7 +5906,7 @@ build_overlap_sched_groups(struct sched_
last = sg;
last->next = first;
}
- sd->groups = groups;
+ sd->groups = first;
return 0;
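Review bot: `sd->groups = first;` relies on the loop having built at least one group; the span always contains @cpu so first is never NULL here, but a short comment saying so would make the invariant explicit now that the balance-cpu search is gone.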
* [PATCH 3.16 080/204] brcmfmac: Add check for short event packets
2017-12-28 17:05 [PATCH 3.16 000/204] 3.16.52-rc1 review Ben Hutchings
` (190 preceding siblings ...)
2017-12-28 17:05 ` [PATCH 3.16 095/204] ALSA: seq: Fix copy_from_user() call inside lock Ben Hutchings
@ 2017-12-28 17:05 ` Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 082/204] scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP Ben Hutchings
` (12 subsequent siblings)
204 siblings, 0 replies; 207+ messages in thread
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Kevin Cernekee, Kalle Valo, Mattias Nissler
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Cernekee <cernekee@chromium.org>
commit dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca upstream.
The length of the data in the received skb is currently passed into
brcmf_fweh_process_event() as packet_len, but this value is not checked.
event_packet should be followed by DATALEN bytes of additional event
data. Ensure that the received packet actually contains at least
DATALEN bytes of additional data, to avoid copying uninitialized memory
into event->data.
Suggested-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/brcm80211/brcmfmac/fweh.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
@@ -406,7 +406,8 @@ void brcmf_fweh_process_event(struct brc
if (code != BRCMF_E_IF && !fweh->evt_handler[code])
return;
- if (datalen > BRCMF_DCMD_MAXLEN)
+ if (datalen > BRCMF_DCMD_MAXLEN ||
+ datalen + sizeof(*event_packet) > packet_len)
return;
if (in_interrupt())
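Review bot: the new bound is evaluated after `code` has already been read from the packet (the `code != BRCMF_E_IF` test above it), so it only protects the trailing data copy and relies on the caller having checked `packet_len >= sizeof(*event_packet)` before the header fields were dereferenced, which this hunk does not show; please confirm that minimum-length check exists. The order of the two clauses also matters: `datalen > BRCMF_DCMD_MAXLEN` must stay first so that `datalen + sizeof(*event_packet)` is computed on an already-bounded value and cannot wrap on a hostile datalen.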
* [PATCH 3.16 031/204] net_sched: always reset qdisc backlog in qdisc_reset()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Konstantin Khlebnikov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
commit c8e1812960eeae42e2183154927028511c4bc566 upstream.
The SKB stored in qdisc->gso_skb is also counted into the backlog.
Some qdiscs don't reset backlog to zero in ->reset();
for example, sfq just dequeues and frees all queued skbs.
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/sched/sch_generic.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -621,6 +621,7 @@ void qdisc_reset(struct Qdisc *qdisc)
qdisc->gso_skb = NULL;
qdisc->q.qlen = 0;
}
+ qdisc->qstats.backlog = 0;
}
EXPORT_SYMBOL(qdisc_reset);
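Review bot: the unconditional `qdisc->qstats.backlog = 0` is placed after the gso_skb branch, which is right only if the qdisc's own ->reset() was already invoked above this context; please confirm that ordering in qdisc_reset(), since a ->reset() running after this line could leave backlog non-zero again. A one-line comment saying backlog is zeroed here because some ->reset() implementations (sfq, per the log) do not do it themselves would help future readers.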
* [PATCH 3.16 095/204] ALSA: seq: Fix copy_from_user() call inside lock
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jia-Ju Bai, Takashi Iwai
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 5803b023881857db32ffefa0d269c90280a67ee0 upstream.
The event handler in the virmidi sequencer code takes a read-lock for
the linked list traverse, while it's calling snd_seq_dump_var_event()
in the loop. The latter function may expand the user-space data
depending on the event type. It eventually invokes copy_from_user(),
which might be a potential dead-lock.
The sequencer core guarantees that the user-space data is passed only
with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it
and always takes read-lock(). For avoiding the problem above, this
patch introduces rwsem for non-atomic case, while keeping rwlock for
atomic case.
Also while we're at it: the superfluous irq flags are dropped in
snd_virmidi_input_open().
Reported-by: Jia-Ju Bai <baijiaju1990@163.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/sound/seq_virmidi.h | 1 +
sound/core/seq/seq_virmidi.c | 27 +++++++++++++++++++--------
2 files changed, 20 insertions(+), 8 deletions(-)
--- a/include/sound/seq_virmidi.h
+++ b/include/sound/seq_virmidi.h
@@ -60,6 +60,7 @@ struct snd_virmidi_dev {
int port; /* created/attached port */
unsigned int flags; /* SNDRV_VIRMIDI_* */
rwlock_t filelist_lock;
+ struct rw_semaphore filelist_sem;
struct list_head filelist;
};
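Review bot: the new `struct rw_semaphore filelist_sem` member needs the definition from <linux/rwsem.h>, and the hunk adds no include; please verify include/sound/seq_virmidi.h already pulls it in (directly or through an existing include) rather than relying on callers' include order.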
--- a/sound/core/seq/seq_virmidi.c
+++ b/sound/core/seq/seq_virmidi.c
@@ -77,13 +77,17 @@ static void snd_virmidi_init_event(struc
* decode input event and put to read buffer of each opened file
*/
static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev,
- struct snd_seq_event *ev)
+ struct snd_seq_event *ev,
+ bool atomic)
{
struct snd_virmidi *vmidi;
unsigned char msg[4];
int len;
- read_lock(&rdev->filelist_lock);
+ if (atomic)
+ read_lock(&rdev->filelist_lock);
+ else
+ down_read(&rdev->filelist_sem);
list_for_each_entry(vmidi, &rdev->filelist, list) {
if (!vmidi->trigger)
continue;
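Review bot: the reader now chooses its lock from `atomic`, so every caller must pass the flag truthfully: a caller that may sleep but passes `true` still ends up calling copy_from_user() under read_lock(), and a caller in atomic context that passes `false` sleeps in down_read(). A short comment on the parameter stating that `atomic` must be the sequencer core's own flag, which is the invariant the commit message relies on, would make this harder to misuse.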
@@ -97,7 +101,10 @@ static int snd_virmidi_dev_receive_event
snd_rawmidi_receive(vmidi->substream, msg, len);
}
}
- read_unlock(&rdev->filelist_lock);
+ if (atomic)
+ read_unlock(&rdev->filelist_lock);
+ else
+ up_read(&rdev->filelist_sem);
return 0;
}
@@ -115,7 +122,7 @@ int snd_virmidi_receive(struct snd_rawmi
struct snd_virmidi_dev *rdev;
rdev = rmidi->private_data;
- return snd_virmidi_dev_receive_event(rdev, ev);
+ return snd_virmidi_dev_receive_event(rdev, ev, true);
}
#endif /* 0 */
@@ -130,7 +137,7 @@ static int snd_virmidi_event_input(struc
rdev = private_data;
if (!(rdev->flags & SNDRV_VIRMIDI_USE))
return 0; /* ignored */
- return snd_virmidi_dev_receive_event(rdev, ev);
+ return snd_virmidi_dev_receive_event(rdev, ev, atomic);
}
/*
@@ -209,7 +216,6 @@ static int snd_virmidi_input_open(struct
struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
struct snd_rawmidi_runtime *runtime = substream->runtime;
struct snd_virmidi *vmidi;
- unsigned long flags;
vmidi = kzalloc(sizeof(*vmidi), GFP_KERNEL);
if (vmidi == NULL)
@@ -223,9 +229,11 @@ static int snd_virmidi_input_open(struct
vmidi->client = rdev->client;
vmidi->port = rdev->port;
runtime->private_data = vmidi;
- write_lock_irqsave(&rdev->filelist_lock, flags);
+ down_write(&rdev->filelist_sem);
+ write_lock_irq(&rdev->filelist_lock);
list_add_tail(&vmidi->list, &rdev->filelist);
- write_unlock_irqrestore(&rdev->filelist_lock, flags);
+ write_unlock_irq(&rdev->filelist_lock);
+ up_write(&rdev->filelist_sem);
vmidi->rdev = rdev;
return 0;
}
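Review bot: lock order here is filelist_sem (outer) then filelist_lock (inner), and the close path below takes them in the same order, so there is no inversion; since only these writer paths hold both, a non-atomic reader blocks on the rwsem while an atomic reader spins on the rwlock. Replacing write_lock_irqsave() with write_lock_irq() is only safe because this open callback always runs with interrupts enabled; that matches the "superfluous irq flags" remark in the log but deserves stating explicitly.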
@@ -264,9 +272,11 @@ static int snd_virmidi_input_close(struc
struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
struct snd_virmidi *vmidi = substream->runtime->private_data;
+ down_write(&rdev->filelist_sem);
write_lock_irq(&rdev->filelist_lock);
list_del(&vmidi->list);
write_unlock_irq(&rdev->filelist_lock);
+ up_write(&rdev->filelist_sem);
snd_midi_event_free(vmidi->parser);
substream->runtime->private_data = NULL;
kfree(vmidi);
@@ -520,6 +530,7 @@ int snd_virmidi_new(struct snd_card *car
rdev->rmidi = rmidi;
rdev->device = device;
rdev->client = -1;
+ init_rwsem(&rdev->filelist_sem);
rwlock_init(&rdev->filelist_lock);
INIT_LIST_HEAD(&rdev->filelist);
rdev->seq_mode = SNDRV_VIRMIDI_SEQ_DISPATCH;
* [PATCH 3.16 082/204] scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Laurence Oberman, Ewan D. Milne, Bill Kuzeja,
Martin K. Petersen
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Martin K. Petersen" <martin.petersen@oracle.com>
commit 28a0bc4120d38a394499382ba21d6965a67a3703 upstream.
SBC-4 states:
"A MAXIMUM UNMAP LBA COUNT field set to a non-zero value indicates the
maximum number of LBAs that may be unmapped by an UNMAP command"
"A MAXIMUM WRITE SAME LENGTH field set to a non-zero value indicates
the maximum number of contiguous logical blocks that the device server
allows to be unmapped or written in a single WRITE SAME command."
Despite the spec being clear on the topic, some devices incorrectly
expect WRITE SAME commands with the UNMAP bit set to be limited to the
value reported in MAXIMUM UNMAP LBA COUNT in the Block Limits VPD.
Implement a blacklist option that can be used to accommodate devices
with this behavior.
Reported-by: Bill Kuzeja <William.Kuzeja@stratus.com>
Reported-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/scsi_scan.c | 3 +++
drivers/scsi/sd.c | 16 ++++++++++++----
include/scsi/scsi_device.h | 1 +
include/scsi/scsi_devinfo.h | 1 +
4 files changed, 17 insertions(+), 4 deletions(-)
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -962,6 +962,9 @@ static int scsi_add_lun(struct scsi_devi
if (*bflags & BLIST_NO_DIF)
sdev->no_dif = 1;
+ if (*bflags & BLIST_UNMAP_LIMIT_WS)
+ sdev->unmap_limit_for_ws = 1;
+
sdev->eh_timeout = SCSI_DEFAULT_EH_TIMEOUT;
if (*bflags & BLIST_TRY_VPD_PAGES)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -651,13 +651,21 @@ static void sd_config_discard(struct scs
break;
case SD_LBP_WS16:
- max_blocks = min_not_zero(sdkp->max_ws_blocks,
- (u32)SD_MAX_WS16_BLOCKS);
+ if (sdkp->device->unmap_limit_for_ws)
+ max_blocks = sdkp->max_unmap_blocks;
+ else
+ max_blocks = sdkp->max_ws_blocks;
+
+ max_blocks = min_not_zero(max_blocks, (u32)SD_MAX_WS16_BLOCKS);
break;
case SD_LBP_WS10:
- max_blocks = min_not_zero(sdkp->max_ws_blocks,
- (u32)SD_MAX_WS10_BLOCKS);
+ if (sdkp->device->unmap_limit_for_ws)
+ max_blocks = sdkp->max_unmap_blocks;
+ else
+ max_blocks = sdkp->max_ws_blocks;
+
+ max_blocks = min_not_zero(max_blocks, (u32)SD_MAX_WS10_BLOCKS);
break;
case SD_LBP_ZERO:
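Review bot: when `unmap_limit_for_ws` is set and the device reported `max_unmap_blocks == 0` (MAXIMUM UNMAP LBA COUNT absent or zero), min_not_zero() falls through to SD_MAX_WS16_BLOCKS / SD_MAX_WS10_BLOCKS and the `max_ws_blocks` bound that applied before the flag is lost; a safer form in the flagged branch is `max_blocks = min_not_zero(sdkp->max_unmap_blocks, sdkp->max_ws_blocks);`. The identical if/else in both cases could also be hoisted above the switch.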
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -175,6 +175,7 @@ struct scsi_device {
unsigned wce_default_on:1; /* Cache is ON by default */
unsigned no_dif:1; /* T10 PI (DIF) should be disabled */
unsigned broken_fua:1; /* Don't set FUA bit */
+ unsigned unmap_limit_for_ws:1; /* Use the UNMAP limit for WRITE SAME */
atomic_t disk_events_disable_depth; /* disable depth for disk events */
--- a/include/scsi/scsi_devinfo.h
+++ b/include/scsi/scsi_devinfo.h
@@ -37,5 +37,6 @@
#define BLIST_TRY_VPD_PAGES 0x10000000 /* Attempt to read VPD pages */
#define BLIST_NO_RSOC 0x20000000 /* don't try to issue RSOC */
#define BLIST_MAX_1024 0x40000000 /* maximum 1024 sector cdb length */
+#define BLIST_UNMAP_LIMIT_WS 0x80000000 /* Use UNMAP limit for WRITE SAME */
#endif
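Review bot: BLIST_UNMAP_LIMIT_WS takes 0x80000000, the top bit of a 32-bit word and the last free one; please verify that the bflags storage and the blacklist string parser in this tree hold flags in an unsigned type, since the literal itself is unsigned and converting it into a signed int is implementation-defined. A comment noting that no further BLIST bits are available without widening the type would save the next person a surprise.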
* [PATCH 3.16 198/204] exec: Ensure mm->user_ns contains the execed files
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jann Horn, Eric W. Biederman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit f84df2a6f268de584a201e8911384a2d244876e3 upstream.
When the user namespace support was merged the need to prevent
ptrace from revealing the contents of an unreadable executable
was overlooked.
Correct this oversight by ensuring that the executed file
or files are in mm->user_ns, by adjusting mm->user_ns.
Use the new function privileged_wrt_inode_uidgid to see if
the executable is a member of the user namespace, and as such
if having CAP_SYS_PTRACE in the user namespace should allow
tracing the executable. If not update mm->user_ns to
the parent user namespace until an appropriate parent is found.
Reported-by: Jann Horn <jann@thejh.net>
Fixes: 9e4a36ece652 ("userns: Fail exec for suid and sgid binaries with ids outside our user namespace.")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[bwh: Backported to 3.16:
- Add #include <linux/user_namespace.h>
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,6 +56,7 @@
#include <linux/pipe_fs_i.h>
#include <linux/oom.h>
#include <linux/compat.h>
+#include <linux/user_namespace.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -1129,8 +1130,22 @@ EXPORT_SYMBOL(flush_old_exec);
void would_dump(struct linux_binprm *bprm, struct file *file)
{
- if (inode_permission(file_inode(file), MAY_READ) < 0)
+ struct inode *inode = file_inode(file);
+ if (inode_permission(inode, MAY_READ) < 0) {
+ struct user_namespace *old, *user_ns;
bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
+
+ /* Ensure mm->user_ns contains the executable */
+ user_ns = old = bprm->mm->user_ns;
+ while ((user_ns != &init_user_ns) &&
+ !privileged_wrt_inode_uidgid(user_ns, inode))
+ user_ns = user_ns->parent;
+
+ if (old != user_ns) {
+ bprm->mm->user_ns = get_user_ns(user_ns);
+ put_user_ns(old);
+ }
+ }
}
EXPORT_SYMBOL(would_dump);
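Review bot: the walk terminates because init_user_ns maps every kuid/kgid, but it stops at the first ancestor that maps the inode's ids, so an executable owned by ids mapped only at the root moves mm->user_ns all the way to init_user_ns; that is the intended effect, yet the one-line comment does not say so. Also, since would_dump() is now called from do_execve_common() only for bprm->file, please confirm that binfmt handlers which open an interpreter (scripts, binfmt_misc) still call would_dump() on that interpreter file, otherwise an unreadable interpreter is never reflected in mm->user_ns.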
@@ -1160,7 +1175,6 @@ void setup_new_exec(struct linux_binprm
!gid_eq(bprm->cred->gid, current_egid())) {
current->pdeath_signal = 0;
} else {
- would_dump(bprm, bprm->file);
if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)
set_dumpable(current->mm, suid_dumpable);
}
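Review bot: removing this call changes when would_dump() runs, not only where: previously it ran only in this non-set-id branch, and after the move to do_execve_common() it runs for every exec, including set-id ones, so BINPRM_FLAGS_ENFORCE_NONDUMP can now be set on a set-id exec too. Only the `else` branch here consumes the flag, so there is no visible effect in this function, but the commit message should mention the widened call.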
@@ -1564,6 +1578,8 @@ static int do_execve_common(struct filen
if (retval < 0)
goto out;
+ would_dump(bprm, bprm->file);
+
retval = exec_binprm(bprm);
if (retval < 0)
goto out;
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -213,6 +213,7 @@ extern bool has_ns_capability_noaudit(st
struct user_namespace *ns, int cap);
extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
+extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode);
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -428,6 +428,19 @@ bool capable(int cap)
EXPORT_SYMBOL(capable);
/**
+ * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
+ * @ns: The user namespace in question
+ * @inode: The inode in question
+ *
+ * Return true if the inode uid and gid are within the namespace.
+ */
+bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode)
+{
+ return kuid_has_mapping(ns, inode->i_uid) &&
+ kgid_has_mapping(ns, inode->i_gid);
+}
+
+/**
* capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
* @inode: The inode in question
* @cap: The capability in question
@@ -440,8 +453,7 @@ bool capable_wrt_inode_uidgid(const stru
{
struct user_namespace *ns = current_user_ns();
- return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
- kgid_has_mapping(ns, inode->i_gid);
+ return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode);
}
EXPORT_SYMBOL(capable_wrt_inode_uidgid);
* [PATCH 3.16 001/204] tile: array underflow in setup_maxnodemem()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Chris Metcalf, Dan Carpenter
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 637f23abca87d26e091e0d6647ec878d97d2c6cd upstream.
My static checker correctly complains that we should have a lower bound
on "node" to prevent an array underflow.
Fixes: 867e359b97c9 ("arch/tile: core support for Tilera 32-bit chips.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Chris Metcalf <cmetcalf@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/tile/kernel/setup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/tile/kernel/setup.c
+++ b/arch/tile/kernel/setup.c
@@ -139,7 +139,7 @@ static int __init setup_maxnodemem(char
{
char *endp;
unsigned long long maxnodemem;
- long node;
+ unsigned long node;
node = str ? simple_strtoul(str, &endp, 0) : INT_MAX;
if (node >= MAX_NUMNODES || *endp != ':')
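Review bot: with `node` now unsigned, the `node >= MAX_NUMNODES` test rejects every value that previously wrapped to a negative `long` and indexed below the array; the `str ? ... : INT_MAX` default still fails the same check, so the NULL-string path is unchanged. simple_strtoul() returns unsigned long, so the signed local was the only place the value could turn negative.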
* [PATCH 3.16 049/204] KEYS: fix key refcount leak in keyctl_read_key()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric Biggers, David Howells
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 7fc0786d956d9e59b68d282be9b156179846ea3d upstream.
In keyctl_read_key(), if key_permission() were to return an error code
other than EACCES, we would leak the reference to the key. This can't
actually happen currently because key_permission() can only return an
error code other than EACCES if security_key_permission() does, only
SELinux and Smack implement that hook, and neither can return an error
code other than EACCES. But it should still be fixed, as it is a bug
waiting to happen.
Fixes: 29db91906340 ("[PATCH] Keys: Add LSM hooks for key management [try #3]")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/keyctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -745,7 +745,7 @@ long keyctl_read_key(key_serial_t keyid,
if (ret == 0)
goto can_read_key;
if (ret != -EACCES)
- goto error;
+ goto error2;
/* we can't; see if it's searchable from this process's keyrings
* - we automatically take account of the fact that it may be
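Review bot: `goto error2` is only correct if the error2 label (not shown in this hunk) drops the reference taken by the lookup above and then falls through to the plain error path; please double check it is the same label the later `can_read_key` failure paths use, so the EACCES and non-EACCES cases release the key identically.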
* [PATCH 3.16 194/204] security: let security modules use PTRACE_MODE_* with bitmasks
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Casey Schaufler, Kees Cook, Eric W. Biederman,
Linus Torvalds, Willy Tarreau, Oleg Nesterov, James Morris,
Jann Horn, Ingo Molnar, Andy Shevchenko, Al Viro, Andy Lutomirski,
Serge E. Hallyn
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jann@thejh.net>
commit 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 upstream.
It looks like smack and yama weren't aware that the ptrace mode
can have flags ORed into it - PTRACE_MODE_NOAUDIT until now, but
only for /proc/$pid/stat, and with the PTRACE_MODE_*CREDS patch,
all modes have flags ORed into them.
Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Morris <james.l.morris@oracle.com>
Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/smack/smack_lsm.c | 8 +++-----
security/yama/yama_lsm.c | 4 ++--
2 files changed, 5 insertions(+), 7 deletions(-)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -163,12 +163,10 @@ static int smk_copy_rules(struct list_he
*/
static inline unsigned int smk_ptrace_mode(unsigned int mode)
{
- switch (mode) {
- case PTRACE_MODE_READ:
- return MAY_READ;
- case PTRACE_MODE_ATTACH:
+ if (mode & PTRACE_MODE_ATTACH)
return MAY_READWRITE;
- }
+ if (mode & PTRACE_MODE_READ)
+ return MAY_READ;
return 0;
}
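Review bot: testing PTRACE_MODE_ATTACH before PTRACE_MODE_READ means a mode carrying both bits maps to the stronger MAY_READWRITE, which is the safe choice; a one-line comment on that precedence would stop someone "simplifying" it back into a switch. A mode with only flag bits and neither READ nor ATTACH still yields 0, as the old unknown-mode default did.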
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -292,7 +292,7 @@ int yama_ptrace_access_check(struct task
return rc;
/* require ptrace target be a child of ptracer on attach */
- if (mode == PTRACE_MODE_ATTACH) {
+ if (mode & PTRACE_MODE_ATTACH) {
switch (ptrace_scope) {
case YAMA_SCOPE_DISABLED:
/* No additional restrictions. */
@@ -318,7 +318,7 @@ int yama_ptrace_access_check(struct task
}
}
- if (rc) {
+ if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0) {
printk_ratelimited(KERN_NOTICE
"ptrace of pid %d was attempted by: %s (pid %d)\n",
child->pid, current->comm, current->pid);
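Review bot: the NOAUDIT test suppresses only the ratelimited log line; the denial in `rc` is still returned, which is the right split. For consistency with the `mode & PTRACE_MODE_ATTACH` test in the previous hunk, `!(mode & PTRACE_MODE_NOAUDIT)` reads better than `(mode & PTRACE_MODE_NOAUDIT) == 0`.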
* [PATCH 3.16 022/204] powerpc/sysrq: Fix oops when ppmu is not registered
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Kamalesh Babulal, Michael Ellerman, Ravi Bangoria
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
commit 4917fcb58cc73f6b81455e3c5f960144809ddf1a upstream.
Kernel crashes if power pmu is not registered and user tries to dump
regs with 'echo p > /proc/sysrq-trigger'. Sample log:
Unable to handle kernel paging request for data at address 0x00000008
Faulting instruction address: 0xc0000000000d52f0
NIP [c0000000000d52f0] perf_event_print_debug+0x10/0x230
LR [c00000000058a938] sysrq_handle_showregs+0x38/0x50
Call Trace:
printk+0x38/0x4c (unreliable)
__handle_sysrq+0xe4/0x270
write_sysrq_trigger+0x64/0x80
proc_reg_write+0x80/0xd0
__vfs_write+0x40/0x200
vfs_write+0xc8/0x240
SyS_write+0x60/0x110
system_call+0x58/0x6c
Fixes: 5f6d0380c640 ("powerpc/perf: Define perf_event_print_debug() to print PMU register values")
Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/perf/core-book3s.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -755,6 +755,11 @@ void perf_event_print_debug(void)
u32 pmcs[MAX_HWEVENTS];
int i;
+ if (!ppmu) {
+ pr_info("Performance monitor hardware not registered.\n");
+ return;
+ }
+
if (!ppmu->n_counter)
return;
* [PATCH 3.16 021/204] tcp: fastopen: fix on syn-data transmit failure
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Neal Cardwell, Yuchung Cheng, Eric Dumazet, David S. Miller,
Dmitry Vyukov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit b5b7db8d680464b1d631fd016f5e093419f0bfd9 upstream.
Our recent change exposed a bug in TCP Fastopen Client that syzkaller
found right away [1]
When we prepare skb with SYN+DATA, we attempt to transmit it,
and we update socket state as if the transmit was a success.
In socket RTX queue we have two skbs, one with the SYN alone,
and a second one containing the DATA.
When (malicious) ACK comes in, we now complain that second one had no
skb_mstamp.
The proper fix is to make sure that if the transmit failed, we do not
pretend we sent the DATA skb, and make it our send_head.
When 3WHS completes, we can now send the DATA right away, without having
to wait for a timeout.
[1]
WARNING: CPU: 0 PID: 100189 at net/ipv4/tcp_input.c:3117 tcp_clean_rtx_queue+0x2057/0x2ab0 net/ipv4/tcp_input.c:3117()
WARN_ON_ONCE(last_ackt == 0);
Modules linked in:
CPU: 0 PID: 100189 Comm: syz-executor1 Not tainted
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 ffff8800b35cb1d8 ffffffff81cad00d 0000000000000000
ffffffff828a4347 ffff88009f86c080 ffffffff8316eb20 0000000000000d7f
ffff8800b35cb220 ffffffff812c33c2 ffff8800baad2440 00000009d46575c0
Call Trace:
[<ffffffff81cad00d>] __dump_stack
[<ffffffff81cad00d>] dump_stack+0xc1/0x124
[<ffffffff812c33c2>] warn_slowpath_common+0xe2/0x150
[<ffffffff812c361e>] warn_slowpath_null+0x2e/0x40
[<ffffffff828a4347>] tcp_clean_rtx_queue+0x2057/0x2ab0 n
[<ffffffff828ae6fd>] tcp_ack+0x151d/0x3930
[<ffffffff828baa09>] tcp_rcv_state_process+0x1c69/0x4fd0
[<ffffffff828efb7f>] tcp_v4_do_rcv+0x54f/0x7c0
[<ffffffff8258aacb>] sk_backlog_rcv
[<ffffffff8258aacb>] __release_sock+0x12b/0x3a0
[<ffffffff8258ad9e>] release_sock+0x5e/0x1c0
[<ffffffff8294a785>] inet_wait_for_connect
[<ffffffff8294a785>] __inet_stream_connect+0x545/0xc50
[<ffffffff82886f08>] tcp_sendmsg_fastopen
[<ffffffff82886f08>] tcp_sendmsg+0x2298/0x35a0
[<ffffffff82952515>] inet_sendmsg+0xe5/0x520
[<ffffffff8257152f>] sock_sendmsg_nosec
[<ffffffff8257152f>] sock_sendmsg+0xcf/0x110
Fixes: 8c72c65b426b ("tcp: update skb->skb_mstamp more carefully")
Fixes: 783237e8daf1 ("net-tcp: Fast Open client - sending SYN-data")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/tcp_output.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3058,6 +3058,10 @@ static int tcp_send_syn_data(struct sock
goto done;
}
+ /* data was not sent, this is our new send_head */
+ sk->sk_send_head = syn_data;
+ tp->packets_out -= tcp_skb_pcount(syn_data);
+
fallback:
/* Send a regular SYN with Fast Open cookie request option */
if (fo->cookie.len > 0)
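Review bot: `tp->packets_out -= tcp_skb_pcount(syn_data)` assumes the failed transmit above already counted syn_data into packets_out and left the skb in the write queue; neither is visible in this hunk, so please confirm the `goto done` branch is the only successful exit and that on failure syn_data is still queued, otherwise this underflows packets_out or makes sk_send_head point at a freed skb.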
@@ -3104,6 +3108,11 @@ int tcp_connect(struct sock *sk)
*/
tp->snd_nxt = tp->write_seq;
tp->pushed_seq = tp->write_seq;
+ buff = tcp_send_head(sk);
+ if (unlikely(buff)) {
+ tp->snd_nxt = TCP_SKB_CB(buff)->seq;
+ tp->pushed_seq = TCP_SKB_CB(buff)->seq;
+ }
TCP_INC_STATS(sock_net(sk), TCP_MIB_ACTIVEOPENS);
/* Timer for repeating the SYN until an answer. */
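Review bot: reusing `buff` is safe only because the SYN it pointed at earlier in tcp_connect() has already been transmitted; a fresh local for tcp_send_head(sk) would make the intent clearer. The `unlikely()` branch rewinds snd_nxt and pushed_seq to the unsent DATA skb, so on the failure path tcp_connect() now leaves snd_nxt behind write_seq, which is the behaviour the commit message describes.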
* [PATCH 3.16 166/204] netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Ye Yin, Wei Zhou, David S. Miller, Julian Anastasov,
Simon Horman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ye Yin <hustcat@gmail.com>
commit 2b5ec1a5f9738ee7bf8f5ec0526e75e00362c48f upstream.
When running ipvs in two different network namespaces on the same host, with
one ipvs transporting network traffic to the ipvs in the other network
namespace, the 'ipvs_property' flag makes the second ipvs take no effect. So we
should clear 'ipvs_property' when the SKB's network namespace changes.
Fixes: 621e84d6f373 ("dev: introduce skb_scrub_packet()")
Signed-off-by: Ye Yin <hustcat@gmail.com>
Signed-off-by: Wei Zhou <chouryzhou@gmail.com>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/skbuff.h | 7 +++++++
net/core/skbuff.c | 1 +
2 files changed, 8 insertions(+)
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2965,6 +2965,13 @@ static inline void nf_reset_trace(struct
#endif
}
+static inline void ipvs_reset(struct sk_buff *skb)
+{
+#if IS_ENABLED(CONFIG_IP_VS)
+ skb->ipvs_property = 0;
+#endif
+}
+
/* Note: This doesn't put any conntrack and bridge info in dst. */
static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
{
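Review bot: ipvs_reset() is added without a comment saying when it is meant to be called; the neighbouring skbuff.h helpers (nf_reset_trace(), __nf_copy()) each carry a one-line note, so add one stating that this is for an skb crossing a network namespace boundary and that it compiles to a no-op when CONFIG_IP_VS is off.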
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3961,6 +3961,7 @@ void skb_scrub_packet(struct sk_buff *sk
if (!xnet)
return;
+ ipvs_reset(skb);
skb_orphan(skb);
skb->mark = 0;
}
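Review bot: the ipvs_reset(skb) call sits after the `if (!xnet) return;` early exit, so the flag is cleared only when the skb really changes namespace, which is what the commit message asks for; grouping it with skb_orphan() and the `skb->mark = 0` reset is the right place, since all three are per-namespace state that must not leak across.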
* [PATCH 3.16 183/204] sched/topology: Optimize build_group_mask()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, riel, Peter Zijlstra (Intel), Lauro Ramos Venancio, lwang,
Mike Galbraith, Ingo Molnar, Thomas Gleixner, Linus Torvalds
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lauro Ramos Venancio <lvenanci@redhat.com>
commit f32d782e31bf079f600dcec126ed117b0577e85c upstream.
The group mask is always used in intersection with the group CPUs. So,
when building the group mask, we don't have to care about CPUs that are
not part of the group.
Signed-off-by: Lauro Ramos Venancio <lvenanci@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: lwang@redhat.com
Cc: riel@redhat.com
Link: http://lkml.kernel.org/r/1492717903-5195-2-git-send-email-lvenanci@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
- Update another reference to 'span' introduced by an earlier backport of
sched/topology changes
- Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sched/core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5782,14 +5782,14 @@ enum s_alloc {
static void
build_group_mask(struct sched_domain *sd, struct sched_group *sg, struct cpumask *mask)
{
- const struct cpumask *span = sched_domain_span(sd);
+ const struct cpumask *sg_span = sched_group_cpus(sg);
struct sd_data *sdd = sd->private;
struct sched_domain *sibling;
int i;
cpumask_clear(mask);
- for_each_cpu(i, span) {
+ for_each_cpu(i, sg_span) {
sibling = *per_cpu_ptr(sdd->sd, i);
/*
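Review bot: the local `span` is deleted and replaced by `sg_span`, so every remaining use of `span` in build_group_mask() must be converted or the backport will not compile; the backport note says one further reference was updated, which matches the second hunk, but the 3.16 body should be checked for any other `span` use that upstream did not have.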
@@ -5801,7 +5801,7 @@ build_group_mask(struct sched_domain *sd
continue;
/* If we would not end up here, we can't continue from here */
- if (!cpumask_equal(span, sched_domain_span(sibling->child)))
+ if (!cpumask_equal(sg_span, sched_domain_span(sibling->child)))
continue;
cpumask_set_cpu(i, mask);
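Review bot: the check `if (!cpumask_equal(sg_span, sched_domain_span(sibling->child)))` now compares the sibling's child span with the group's CPUs instead of the domain span; the comment above it ("If we would not end up here...") still reads in terms of the domain, so extend it to say the mask is restricted to this group's CPUs, which is the reason the domain span is no longer needed.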
* [PATCH 3.16 167/204] l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
commit a3c18422a4b4e108bcf6a2328f48867e1003fd95 upstream.
Socket must be held while under the protection of the l2tp lock; there
is no guarantee that sk remains valid after the read_unlock_bh() call.
Same issue for l2tp_ip and l2tp_ip6.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_ip.c | 11 ++++++-----
net/l2tp/l2tp_ip6.c | 11 ++++++-----
2 files changed, 12 insertions(+), 10 deletions(-)
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -185,14 +185,15 @@ pass_up:
read_lock_bh(&l2tp_ip_lock);
sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
+ if (!sk) {
+ read_unlock_bh(&l2tp_ip_lock);
+ goto discard;
+ }
+
+ sock_hold(sk);
read_unlock_bh(&l2tp_ip_lock);
}
- if (sk == NULL)
- goto discard;
-
- sock_hold(sk);
-
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_put;
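Review bot: the removed `if (sk == NULL) goto discard;` and `sock_hold(sk);` sat after the closing brace and so applied to both ways of reaching this point, but their replacements are added only inside the braced bind-lookup block; the other path, which arrives here with sk already set from the tunnel lookup above the shown context, no longer takes a reference, while the shared discard_put label will still drop one. That path needs its own sock_hold(sk), or this hunk trades a use-after-free for a reference underflow.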
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -198,14 +198,15 @@ pass_up:
read_lock_bh(&l2tp_ip6_lock);
sk = __l2tp_ip6_bind_lookup(&init_net, &iph->daddr,
0, tunnel_id);
+ if (!sk) {
+ read_unlock_bh(&l2tp_ip6_lock);
+ goto discard;
+ }
+
+ sock_hold(sk);
read_unlock_bh(&l2tp_ip6_lock);
}
- if (sk == NULL)
- goto discard;
-
- sock_hold(sk);
-
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_put;
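Review bot: same concern as the IPv4 hunk: sock_hold() moved inside the else block, so the tunnel path that reaches this point with sk already set takes no reference yet still hits the common discard_put. Separately, and unrelated to this fix, the context line `sk = __l2tp_ip6_bind_lookup(&init_net, &iph->daddr,` looks up in init_net rather than the namespace the packet arrived in, which the IPv4 side does with `net`; worth a follow-up.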
* [PATCH 3.16 132/204] arm/arm64: KVM: set right LR register value for 32 bit guest when inject abort
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Haibin Zhang, Christoffer Dall, Dongjiu Geng, Marc Zyngier
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dongjiu Geng <gengdongjiu@huawei.com>
commit fd6c8c206fc5d0717b0433b191de0715122f33bb upstream.
When an exception is trapped to EL2, hardware uses ELR_ELx to hold
the current fault instruction address. If KVM wants to inject an
abort into a 32-bit guest, it needs to set the LR register for the
guest to emulate this abort happening in the guest. Because the ARM32
architecture uses pipelined execution, the LR value has an offset from
the fault instruction address.
The offsets applied to the link value for each exception are shown below;
they should be added to the ARM32 link register (LR).
Table taken from ARMv8 ARM DDI0487B-B, table G1-10:
Exception              Offset, for PE state of:
                       A32    T32
Undefined Instruction  +4     +2
Prefetch Abort         +4     +4
Data Abort             +8     +8
IRQ or FIQ             +4     +4
[ Removed unused variables in inject_abt to avoid compile warnings.
-- Christoffer ]
Signed-off-by: Dongjiu Geng <gengdongjiu@huawei.com>
Tested-by: Haibin Zhang <zhanghaibin7@huawei.com>
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <cdall@linaro.org>
[bwh: Backported to 3.16:
- Don't delete cpsr variable in inject_abt() as it's still needed
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/arm/kvm/emulate.c
+++ b/arch/arm/kvm/emulate.c
@@ -295,7 +295,7 @@ void kvm_inject_undefined(struct kvm_vcp
u32 return_offset = (is_thumb) ? 2 : 4;
new_spsr_value = cpsr;
- new_lr_value = *vcpu_pc(vcpu) - return_offset;
+ new_lr_value = *vcpu_pc(vcpu) + return_offset;
*vcpu_cpsr(vcpu) = (cpsr & ~MODE_MASK) | UND_MODE;
*vcpu_cpsr(vcpu) |= PSR_I_BIT;
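Review bot: the sign flip at `new_lr_value = *vcpu_pc(vcpu) + return_offset;` is only correct if `*vcpu_pc(vcpu)` holds the faulting instruction's address (ELR_ELx) and not the next instruction's; the commit message says it does, but a one-line comment here would save the next reader from re-deriving it from the ARM ARM table. The offset (2 for Thumb, 4 for A32) matches the Undefined Instruction row of table G1-10.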
@@ -324,9 +324,8 @@ static void inject_abt(struct kvm_vcpu *
unsigned long new_spsr_value;
unsigned long cpsr = *vcpu_cpsr(vcpu);
u32 sctlr = vcpu->arch.cp15[c1_SCTLR];
- bool is_thumb = (cpsr & PSR_T_BIT);
u32 vect_offset;
- u32 return_offset = (is_thumb) ? 4 : 0;
+ u32 return_offset = (is_pabt) ? 4 : 8;
bool is_lpae;
new_spsr_value = cpsr;
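Review bot: `is_thumb` is deleted from inject_abt() while the backport keeps `cpsr`; this only builds if no other use of is_thumb survives in the 3.16 body below this hunk, so that should be checked. The new `return_offset = (is_pabt) ? 4 : 8;` matches the Prefetch Abort (+4) and Data Abort (+8) rows, which are identical for A32 and T32, so dropping the Thumb dependency is correct for this function.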
--- a/arch/arm64/kvm/inject_fault.c
+++ b/arch/arm64/kvm/inject_fault.c
@@ -29,12 +29,26 @@
PSR_I_BIT | PSR_D_BIT)
#define EL1_EXCEPT_SYNC_OFFSET 0x200
+/*
+ * Table taken from ARMv8 ARM DDI0487B-B, table G1-10.
+ */
+static const u8 return_offsets[8][2] = {
+ [0] = { 0, 0 }, /* Reset, unused */
+ [1] = { 4, 2 }, /* Undefined */
+ [2] = { 0, 0 }, /* SVC, unused */
+ [3] = { 4, 4 }, /* Prefetch abort */
+ [4] = { 8, 8 }, /* Data abort */
+ [5] = { 0, 0 }, /* HVC, unused */
+ [6] = { 4, 4 }, /* IRQ, unused */
+ [7] = { 4, 4 }, /* FIQ, unused */
+};
+
static void prepare_fault32(struct kvm_vcpu *vcpu, u32 mode, u32 vect_offset)
{
unsigned long cpsr;
unsigned long new_spsr_value = *vcpu_cpsr(vcpu);
bool is_thumb = (new_spsr_value & COMPAT_PSR_T_BIT);
- u32 return_offset = (is_thumb) ? 4 : 0;
+ u32 return_offset = return_offsets[vect_offset >> 2][is_thumb];
u32 sctlr = vcpu_cp15(vcpu, c1_SCTLR);
cpsr = mode | COMPAT_PSR_I_BIT;
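Review bot: `return_offsets[vect_offset >> 2][is_thumb]` indexes an 8-entry table with no bounds check, so prepare_fault32() must only ever be called with the architectural vector offsets 0x0 through 0x1c; a larger offset would read past the table. A comment naming the expected callers (undefined, prefetch abort, data abort) or a BUG_ON on the index would make that contract explicit. Rows [6] and [7] are commented "unused" but carry real values (4, 4); that is fine, but say so in the comment to stop a later cleanup from zeroing them.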
* [PATCH 3.16 030/204] powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tyrel Datwyler, Michael Ellerman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
commit b537ca6fede69a281dc524983e5e633d79a10a08 upstream.
A reference to the parent device node is held by add_dt_node() for the
node to be added. If the call to dlpar_configure_connector() fails
add_dt_node() returns ENOENT and that reference is not freed.
Add a call to of_node_put(parent_dn) prior to bailing out after a
failed dlpar_configure_connector() call.
Fixes: 8d5ff320766f ("powerpc/pseries: Make dlpar_configure_connector parent node aware")
Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/platforms/pseries/mobility.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/mobility.c
+++ b/arch/powerpc/platforms/pseries/mobility.c
@@ -224,8 +224,10 @@ static int add_dt_node(__be32 parent_pha
return -ENOENT;
dn = dlpar_configure_connector(drc_index, parent_dn);
- if (!dn)
+ if (!dn) {
+ of_node_put(parent_dn);
return -ENOENT;
+ }
rc = dlpar_attach_node(dn);
if (rc)
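Review bot: the `return -ENOENT;` in the context just above the changed lines deserves the same look: if parent_dn has already been obtained at that point it leaks in the same way, and if it is the not-found check for parent_dn itself no put is needed. The diff fixes only the dlpar_configure_connector() failure path, so a one-line confirmation in the commit message that the earlier return precedes the lookup would close the question.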
* [PATCH 3.16 115/204] fs/mpage.c: fix mpage_writepage() for pages with buffers
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Matthew Wilcox, Linus Torvalds, Ross Zwisler,
Matthew Wilcox, Johannes Thumshirn, Toshi Kani, OGAWA Hirofumi
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox <willy@infradead.org>
commit f892760aa66a2d657deaf59538fb69433036767c upstream.
When using FAT on a block device which supports rw_page, we can hit
BUG_ON(!PageLocked(page)) in try_to_free_buffers(). This is because we
call clean_buffers() after unlocking the page we've written. Introduce
a new clean_page_buffers() which cleans all buffers associated with a
page and call it from within bdev_write_page().
[akpm@linux-foundation.org: s/PAGE_SIZE/~0U/ per Linus and Matthew]
Link: http://lkml.kernel.org/r/20171006211541.GA7409@bombadil.infradead.org
Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Reported-by: Toshi Kani <toshi.kani@hpe.com>
Reported-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Tested-by: Toshi Kani <toshi.kani@hpe.com>
Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/block_dev.c | 6 ++++--
fs/mpage.c | 14 +++++++++++---
include/linux/buffer_head.h | 1 +
3 files changed, 16 insertions(+), 5 deletions(-)
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -419,10 +419,12 @@ int bdev_write_page(struct block_device
return -EOPNOTSUPP;
set_page_writeback(page);
result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, rw);
- if (result)
+ if (result) {
end_page_writeback(page);
- else
+ } else {
+ clean_page_buffers(page);
unlock_page(page);
+ }
return result;
}
EXPORT_SYMBOL_GPL(bdev_write_page);
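Review bot: clean_page_buffers(page) is called before unlock_page(), which is the whole point of the fix (try_to_free_buffers() asserts PageLocked), so the ordering in the success branch is right; the failure branch calls end_page_writeback() and leaves the page locked for the caller's bio fallback, which is pre-existing behaviour, but a short comment there would stop someone from "fixing" the asymmetry.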
--- a/fs/mpage.c
+++ b/fs/mpage.c
@@ -457,6 +457,16 @@ static void clean_buffers(struct page *p
try_to_free_buffers(page);
}
+/*
+ * For situations where we want to clean all buffers attached to a page.
+ * We don't need to calculate how many buffers are attached to the page,
+ * we just need to specify a number larger than the maximum number of buffers.
+ */
+void clean_page_buffers(struct page *page)
+{
+ clean_buffers(page, ~0U);
+}
+
static int __mpage_writepage(struct page *page, struct writeback_control *wbc,
void *data)
{
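Review bot: clean_page_buffers() passes ~0U as the buffer count to clean_buffers(); that is only a "larger than any count" sentinel if clean_buffers()'s second parameter is unsigned, which the truncated hunk header `static void clean_buffers(struct page *p` does not show. Confirm it is an unsigned parameter in 3.16, otherwise ~0U becomes -1 and nothing is cleaned. The block comment explains the trick well; a kernel-doc `/** ... */` header would match the rest of the file.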
@@ -594,10 +604,8 @@ alloc_new:
if (bio == NULL) {
if (first_unmapped == blocks_per_page) {
if (!bdev_write_page(bdev, blocks[0] << (blkbits - 9),
- page, wbc)) {
- clean_buffers(page, first_unmapped);
+ page, wbc))
goto out;
- }
}
bio = mpage_alloc(bdev, blocks[0] << (blkbits - 9),
bio_get_nr_vecs(bdev), GFP_NOFS|__GFP_HIGH);
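Review bot: dropping the braces is fine now that the body is the single `goto out;`, and removing `clean_buffers(page, first_unmapped)` is correct only because the fs/block_dev.c hunk now cleans the buffers inside bdev_write_page() while the page is still locked; the two hunks must land together, since reverting one without the other leaves buffers dirty after a successful rw_page.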
--- a/include/linux/buffer_head.h
+++ b/include/linux/buffer_head.h
@@ -222,6 +222,7 @@ int generic_write_end(struct file *, str
loff_t, unsigned, unsigned,
struct page *, void *);
void page_zero_new_buffers(struct page *page, unsigned from, unsigned to);
+void clean_page_buffers(struct page *page);
int cont_write_begin(struct file *, struct address_space *, loff_t,
unsigned, unsigned, struct page **, void **,
get_block_t *, loff_t *);
* [PATCH 3.16 087/204] sh: sh7264: remove nonexistent GPIO_PH[0-7] to fix pinctrl registration
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Laurent Pinchart, Rich Felker, Geert Uytterhoeven,
Jacopo Mondi, Linus Torvalds, Yoshinori Sato, Magnus Damm,
Yoshihiro Shimoda
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit eae3df7e82318d798f45dedf111e241805ec7a4a upstream.
Pinmux_pins[] is initialized through PINMUX_GPIO(), using designated
array initializers, where the GPIO_* enums serve as indices. If enum
values are defined, but never used, pinmux_pins[] contains (zero-filled)
holes. Such entries are treated as pin zero, which was registered
before, thus leading to pinctrl registration failures, as seen on
sh7722:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
Remove GPIO_PH[0-7] from the enum to fix this.
Link: http://lkml.kernel.org/r/1505205657-18012-4-git-send-email-geert+renesas@glider.be
Fixes: 41797f75486d8ca3 ("sh: Add pinmux for sh7264")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Jacopo Mondi <jacopo+renesas@jmondi.org>
Cc: Magnus Damm <magnus.damm@gmail.com>
Cc: Rich Felker <dalias@libc.org>
Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/include/cpu-sh2a/cpu/sh7264.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/sh/include/cpu-sh2a/cpu/sh7264.h
+++ b/arch/sh/include/cpu-sh2a/cpu/sh7264.h
@@ -43,9 +43,7 @@ enum {
GPIO_PG7, GPIO_PG6, GPIO_PG5, GPIO_PG4,
GPIO_PG3, GPIO_PG2, GPIO_PG1, GPIO_PG0,
- /* Port H */
- GPIO_PH7, GPIO_PH6, GPIO_PH5, GPIO_PH4,
- GPIO_PH3, GPIO_PH2, GPIO_PH1, GPIO_PH0,
+ /* Port H - Port H does not have a Data Register */
/* Port I - not on device */
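Review bot: deleting GPIO_PH7 through GPIO_PH0 from the enum shifts the numeric value of every enumerator after them, so any table or board file that stores these pins as literal numbers rather than by name would silently point at the wrong pin; name-based users, including the designated initializers in pinmux_pins[], are unaffected. The replacement comment `/* Port H - Port H does not have a Data Register */` explains why the port has no GPIO entries, which is helpful.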
* [PATCH 3.16 117/204] USB: serial: metro-usb: add MS7820 device id
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Ladislav Dobrovsky
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 31dc3f819bac28a0990b36510197560258ab7421 upstream.
Add device-id entry for (Honeywell) Metrologic MS7820 bar code scanner.
The device has two interfaces (in this mode?); a vendor-specific
interface with two interrupt endpoints and a second HID interface, which
we do not bind to.
Reported-by: Ladislav Dobrovsky <ladislav.dobrovsky@gmail.com>
Tested-by: Ladislav Dobrovsky <ladislav.dobrovsky@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/metro-usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/metro-usb.c
+++ b/drivers/usb/serial/metro-usb.c
@@ -45,6 +45,7 @@ struct metrousb_private {
static const struct usb_device_id id_table[] = {
{ USB_DEVICE(FOCUS_VENDOR_ID, FOCUS_PRODUCT_ID_BI) },
{ USB_DEVICE(FOCUS_VENDOR_ID, FOCUS_PRODUCT_ID_UNI) },
+ { USB_DEVICE_INTERFACE_CLASS(0x0c2e, 0x0730, 0xff) }, /* MS7820 */
{ }, /* Terminating entry. */
};
MODULE_DEVICE_TABLE(usb, id_table);
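Review bot: matching with USB_DEVICE_INTERFACE_CLASS(0x0c2e, 0x0730, 0xff) binds only the vendor-specific interface and leaves the HID interface to usbhid, which is what the commit message describes; for consistency with the FOCUS_VENDOR_ID / FOCUS_PRODUCT_ID_* entries directly above, give 0x0c2e and 0x0730 named defines instead of magic numbers.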
* [PATCH 3.16 106/204] iommu/exynos: Remove initconst attribute to avoid potential kernel oops
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Marek Szyprowski, Joerg Roedel, Krzysztof Kozlowski
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
commit 9d25e3cc83d731ae4eeb017fd07562fde3f80bef upstream.
Exynos SYSMMU registers a standard platform device with the sysmmu_of_match
table, which means that this table is accessed every time a new platform
device is registered in a system. This might happen also after the boot,
so the table must not be attributed as initconst to avoid potential kernel
oops caused by access to freed memory.
Fixes: 6b21a5db3642 ("iommu/exynos: Support for device tree")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iommu/exynos-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iommu/exynos-iommu.c
+++ b/drivers/iommu/exynos-iommu.c
@@ -676,7 +676,7 @@ static int __init exynos_sysmmu_probe(st
return 0;
}
-static const struct of_device_id sysmmu_of_match[] __initconst = {
+static const struct of_device_id sysmmu_of_match[] = {
{ .compatible = "samsung,exynos-sysmmu", },
{ },
};
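Review bot: dropping `__initconst` from sysmmu_of_match fixes the post-init access to the match table, but the hunk header shows the probe callback is still `static int __init exynos_sysmmu_probe(`; if the driver can be bound after boot, as the commit message argues for the table, the probe function would be freed memory too, so it must either stay registered through platform_driver_probe() or lose its `__init` as well.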
* [PATCH 3.16 154/204] MIPS: Fix CM region target definitions
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, linux-mips, Matt Redfearn, James Hogan, Ralf Baechle,
Paul Burton
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Burton <paul.burton@mips.com>
commit 6a6cba1d945a7511cdfaf338526871195e420762 upstream.
The default CM target field in the GCR_BASE register is encoded with 0
meaning memory & 1 being reserved. However the definitions we use for
those bits effectively get these two values backwards - likely because
they were copied from the definitions for the CM regions where the
target is encoded differently. This results in us setting up GCR_BASE
with the reserved target value by default, rather than targeting memory
as intended. Although we currently seem to get away with this it's not a
great idea to rely upon.
Fix this by changing our macros to match the documented target values.
The incorrect encoding became used as of commit 9f98f3dd0c51 ("MIPS: Add
generic CM probe & access code") in the Linux v3.15 cycle, and was
likely carried forwards from older but unused code introduced by
commit 39b8d5254246 ("[MIPS] Add support for MIPS CMP platform.") in the
v2.6.26 cycle.
Fixes: 9f98f3dd0c51 ("MIPS: Add generic CM probe & access code")
Signed-off-by: Paul Burton <paul.burton@mips.com>
Reported-by: Matt Redfearn <matt.redfearn@mips.com>
Reviewed-by: James Hogan <jhogan@kernel.org>
Cc: Matt Redfearn <matt.redfearn@mips.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/17562/
Signed-off-by: James Hogan <jhogan@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/include/asm/mips-cm.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/mips/include/asm/mips-cm.h
+++ b/arch/mips/include/asm/mips-cm.h
@@ -173,8 +173,8 @@ BUILD_CM_Cx_R_(tcid_8_priority, 0x80)
#define CM_GCR_BASE_GCRBASE_MSK (_ULCAST_(0x1ffff) << 15)
#define CM_GCR_BASE_CMDEFTGT_SHF 0
#define CM_GCR_BASE_CMDEFTGT_MSK (_ULCAST_(0x3) << 0)
-#define CM_GCR_BASE_CMDEFTGT_DISABLED 0
-#define CM_GCR_BASE_CMDEFTGT_MEM 1
+#define CM_GCR_BASE_CMDEFTGT_MEM 0
+#define CM_GCR_BASE_CMDEFTGT_RESERVED 1
#define CM_GCR_BASE_CMDEFTGT_IOCU0 2
#define CM_GCR_BASE_CMDEFTGT_IOCU1 3
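Review bot: CM_GCR_BASE_CMDEFTGT_DISABLED is removed rather than kept as an alias, so any remaining user of the old name elsewhere in the 3.16 tree fails to build; the diffstat touches only this header, so grep for CMDEFTGT_DISABLED before applying. Swapping the encodings so MEM is 0 and RESERVED is 1 matches the commit message, and code that writes CMDEFTGT_MEM now gets the documented value.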
* [PATCH 3.16 071/204] packet: only test po->has_vnet_hdr once in packet_snd
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Eric Dumazet, David S. Miller, Willem de Bruijn
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
commit da7c9561015e93d10fe6aab73e9288e0d09d65a6 upstream.
Packet socket option po->has_vnet_hdr can be updated concurrently with
other operations if no ring is attached.
Do not test the option twice in packet_snd, as the value may change in
between calls. A race on setsockopt disable may cause a packet > mtu
to be sent without having GSO options set.
Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/packet/af_packet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2432,6 +2432,7 @@ static int packet_snd(struct socket *soc
int offset = 0;
int vnet_hdr_len;
struct packet_sock *po = pkt_sk(sk);
+ bool has_vnet_hdr = false;
unsigned short gso_type = 0;
int hlen, tlen;
int extra_len = 0;
@@ -2466,6 +2467,7 @@ static int packet_snd(struct socket *soc
reserve = dev->hard_header_len;
if (po->has_vnet_hdr) {
vnet_hdr_len = sizeof(vnet_hdr);
+ has_vnet_hdr = true;
err = -EINVAL;
if (len < vnet_hdr_len)
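Review bot: the snapshot `has_vnet_hdr = true;` is taken inside the `if (po->has_vnet_hdr)` branch, so header parsing and the later use are keyed off a single read of the socket option, which closes the race in the commit message; the one remaining direct read is this `if`. Reading the option once into the local before the `if` and testing the local would make that single-load intent obvious at a glance.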
@@ -2557,7 +2559,7 @@ static int packet_snd(struct socket *soc
skb->priority = sk->sk_priority;
skb->mark = sk->sk_mark;
- if (po->has_vnet_hdr) {
+ if (has_vnet_hdr) {
if (vnet_hdr.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) {
if (!skb_partial_csum_set(skb, vnet_hdr.csum_start,
vnet_hdr.csum_offset)) {
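Review bot: switching `if (po->has_vnet_hdr)` to the local `has_vnet_hdr` also covers the opposite race (option enabled between the two tests), which would otherwise apply a `vnet_hdr` that was never copied from user space in the earlier branch; the commit message describes only the disable case, so a sentence about this would help.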
* [PATCH 3.16 155/204] MIPS: microMIPS: Fix incorrect mask in insn_table_MM
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, James Hogan, Julia Lawall, Gustavo A. R. Silva
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
commit 77238e76b9156d28d86c1e31c00ed2960df0e4de upstream.
It seems that this is a typo error and the proper bit masking is
"RT | RS" instead of "RS | RS".
This issue was detected with the help of Coccinelle.
Fixes: d6b3314b49e1 ("MIPS: uasm: Add lh uam instruction")
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Reviewed-by: James Hogan <jhogan@kernel.org>
Patchwork: https://patchwork.linux-mips.org/patch/17551/
Signed-off-by: James Hogan <jhogan@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/mm/uasm-micromips.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/mm/uasm-micromips.c
+++ b/arch/mips/mm/uasm-micromips.c
@@ -83,7 +83,7 @@ static struct insn insn_table_MM[] = {
{ insn_jr, M(mm_pool32a_op, 0, 0, 0, mm_jalr_op, mm_pool32axf_op), RS },
{ insn_lb, M(mm_lb32_op, 0, 0, 0, 0, 0), RT | RS | SIMM },
{ insn_ld, 0, 0 },
- { insn_lh, M(mm_lh32_op, 0, 0, 0, 0, 0), RS | RS | SIMM },
+ { insn_lh, M(mm_lh32_op, 0, 0, 0, 0, 0), RT | RS | SIMM },
{ insn_ll, M(mm_pool32c_op, 0, 0, (mm_ll_func << 1), 0, 0), RS | RT | SIMM },
{ insn_lld, 0, 0 },
{ insn_lui, M(mm_pool32i_op, mm_lui_op, 0, 0, 0, 0), RS | SIMM },
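Review bot: `RS | RS` evaluates to plain `RS`, so the old insn_lh entry silently dropped the RT field from its mask; the corrected `RT | RS | SIMM` matches the insn_lb entry two lines above, which has the same operand layout. Because the compiler cannot catch a duplicated flag in an OR, a static check over insn_table_MM (as the Coccinelle run did here) is the only way to find the next one.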
* [PATCH 3.16 197/204] ptrace: Capture the ptracer's creds not PT_PTRACE_CAP
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric W. Biederman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 64b875f7ac8a5d60a4e191479299e931ee949b67 upstream.
When the flag PT_PTRACE_CAP was added the PTRACE_TRACEME path was
overlooked. This can result in incorrect behavior when an application
like strace traces an exec of a setuid executable.
Further PT_PTRACE_CAP does not have enough information for making good
security decisions as it does not report which user namespace the
capability is in. This has already allowed one mistake through
insufficient granularity.
I found this issue when I was testing another corner case of exec and
discovered that I could not get strace to set PT_PTRACE_CAP even when
running strace as root with a full set of caps.
This change fixes the above issue with strace allowing stracing as
root a setuid executable without disabling setuid. More fundamentally
this change allows what is allowable at all times, by using the correct
information in its decision.
Fixes: 4214e42f96d4 ("v2.4.9.11 -> v2.4.9.12")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/exec.c | 2 +-
include/linux/capability.h | 1 +
include/linux/ptrace.h | 1 -
include/linux/sched.h | 1 +
kernel/capability.c | 20 ++++++++++++++++++++
kernel/ptrace.c | 12 +++++++-----
6 files changed, 30 insertions(+), 7 deletions(-)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1259,7 +1259,7 @@ static void check_unsafe_exec(struct lin
unsigned n_fs;
if (p->ptrace) {
- if (p->ptrace & PT_PTRACE_CAP)
+ if (ptracer_capable(p, current_user_ns()))
bprm->unsafe |= LSM_UNSAFE_PTRACE_CAP;
else
bprm->unsafe |= LSM_UNSAFE_PTRACE;
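Review bot: ptracer_capable() returns true when no tracer credentials are recorded (its `int ret = 0` default), so under this `if (p->ptrace)` guard a task whose ptracer_cred is NULL would be classed as LSM_UNSAFE_PTRACE_CAP, the permissive outcome, instead of LSM_UNSAFE_PTRACE; that can only happen if p->ptrace is set while ptracer_cred is not, so either document why that window cannot occur here or have this caller fail closed.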
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -215,6 +215,7 @@ extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
+extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
/* audit system wants to get cap info from files as well */
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -19,7 +19,6 @@
#define PT_SEIZED 0x00010000 /* SEIZE used, enable new behavior */
#define PT_PTRACED 0x00000001
#define PT_DTRACE 0x00000002 /* delayed trace (used on m68k, i386) */
-#define PT_PTRACE_CAP 0x00000004 /* ptracer can follow suid-exec */
#define PT_OPT_FLAG_SHIFT 3
/* PT_TRACE_* event enable flags */
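Review bot: removing `PT_PTRACE_CAP` leaves bit 0x00000004 unused while `PT_OPT_FLAG_SHIFT` stays at 3, so the event-flag layout is unchanged; that is fine, but any remaining user of PT_PTRACE_CAP (arch code, or another patch in this series that still references it) will now fail to build, so the backport should be build-tested with the full series applied and a grep for PT_PTRACE_CAP confirmed empty.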
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1385,6 +1385,7 @@ struct task_struct {
struct list_head cpu_timers[3];
/* process credentials */
+ const struct cred __rcu *ptracer_cred; /* Tracer's credentials at attach */
const struct cred __rcu *real_cred; /* objective and real subjective task
* credentials (COW) */
const struct cred __rcu *cred; /* effective (overridable) subjective task
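Review bot: the comment on the new `ptracer_cred` field should say who owns the reference (taken by __ptrace_link(), dropped by __ptrace_unlink()) and that it is NULL whenever the task is not traced, since ptracer_capable() relies on that NULL to mean "no restriction". The `__rcu` annotation also has to be matched by rcu_assign_pointer()/rcu_dereference_protected() at the writers, which the kernel/ptrace.c hunks below do not do.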
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -444,3 +444,23 @@ bool capable_wrt_inode_uidgid(const stru
kgid_has_mapping(ns, inode->i_gid);
}
EXPORT_SYMBOL(capable_wrt_inode_uidgid);
+
+/**
+ * ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace
+ * @tsk: The task that may be ptraced
+ * @ns: The user namespace to search for CAP_SYS_PTRACE in
+ *
+ * Return true if the task that is ptracing the current task had CAP_SYS_PTRACE
+ * in the specified user namespace.
+ */
+bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
+{
+ int ret = 0; /* An absent tracer adds no restrictions */
+ const struct cred *cred;
+ rcu_read_lock();
+ cred = rcu_dereference(tsk->ptracer_cred);
+ if (cred)
+ ret = security_capable_noaudit(cred, ns, CAP_SYS_PTRACE);
+ rcu_read_unlock();
+ return (ret == 0);
+}
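Review bot: the kerneldoc return line says "the task that is ptracing the current task", but the function takes @tsk and never refers to current; reword to "the task that is ptracing @tsk". The `ret == 0` test is correct (security_capable_noaudit() returns 0 when the capability is held), and initialising ret to 0 makes an absent tracer return true, which check_unsafe_exec() relies on; a short comment that rcu_read_lock() is what keeps the dereferenced cred alive (creds are freed through RCU after put_cred()) would help the next reader.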
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -45,6 +45,9 @@ void __ptrace_link(struct task_struct *c
BUG_ON(!list_empty(&child->ptrace_entry));
list_add(&child->ptrace_entry, &new_parent->ptraced);
child->parent = new_parent;
+ rcu_read_lock();
+ child->ptracer_cred = get_cred(__task_cred(new_parent));
+ rcu_read_unlock();
}
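Review bot: `child->ptracer_cred = get_cred(__task_cred(new_parent));` stores into an `__rcu`-annotated pointer with a plain assignment, which sparse will warn about; use rcu_assign_pointer() here, or drop the annotation on the field if every reader holds the lock that serialises __ptrace_link()/__ptrace_unlink(). The rcu_read_lock() around __task_cred() is required for the dereference and is correctly scoped.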
/**
@@ -77,10 +80,14 @@ void __ptrace_link(struct task_struct *c
*/
void __ptrace_unlink(struct task_struct *child)
{
+ const struct cred *old_cred;
BUG_ON(!child->ptrace);
child->parent = child->real_parent;
list_del_init(&child->ptrace_entry);
+ old_cred = child->ptracer_cred;
+ child->ptracer_cred = NULL;
+ put_cred(old_cred);
spin_lock(&child->sighand->siglock);
child->ptrace = 0;
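Review bot: `old_cred = child->ptracer_cred;` is a plain load from an `__rcu` pointer, so the same sparse warning applies; rcu_dereference_protected() with the serialising lock as the condition would document the rule. The unconditional put_cred() depends on `BUG_ON(!child->ptrace)` guaranteeing that __ptrace_link() ran and set the cred, which matters if put_cred() in this tree does not accept NULL; a one-line comment stating that invariant would save a future reader from adding a redundant NULL check.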
@@ -336,11 +343,6 @@ static int ptrace_attach(struct task_str
task_lock(task);
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
- if (!retval) {
- struct mm_struct *mm = task->mm;
- if (mm && ns_capable(mm->user_ns, CAP_SYS_PTRACE))
- flags |= PT_PTRACE_CAP;
- }
task_unlock(task);
if (retval)
goto unlock_creds;
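Review bot: with the PT_PTRACE_CAP computation gone, confirm that `flags` is still initialised and consumed elsewhere in ptrace_attach() (it carries PT_PTRACED and the PT_SEIZED bits); otherwise the compiler will warn about an unused variable. The task_lock() region now covers only __ptrace_may_access(), which is fine, but the commit message should mention explicitly that the CAP_SYS_PTRACE evaluation has moved from attach time to exec time so that stable reviewers do not read this hunk as dropping a check.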
* [PATCH 3.16 091/204] Smack: remove unneeded NULL-termination from security label
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Konstantin Khlebnikov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
commit da1b63566c469bf3e2b24182114422e16b1aa34c upstream.
Values of extended attributes are stored as binary blobs. NULL-termination
of them isn't required. It just wastes disk space and confuses command-line
tools like getfattr because they have to print that zero byte at the end.
This patch removes terminating zero byte from initial security label in
smack_inode_init_security and cuts it out in function smack_inode_getsecurity
which is used by syscall getxattr. This change seems completely safe, because
function smk_parse_smack ignores everything after first zero byte.
Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/smack/smack_lsm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -674,7 +674,7 @@ static int smack_inode_init_security(str
}
if (len)
- *len = strlen(isp) + 1;
+ *len = strlen(isp);
return 0;
}
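Review bot: `*len = strlen(isp)` only changes the length recorded for the initial xattr; the value buffer produced earlier in this function is untouched, so in-memory consumers are unaffected and it is the on-disk label that now loses its trailing zero. Labels written by older kernels still carry it, so the commit message's point that smk_parse_smack() stops at the first zero byte is what makes the two on-disk forms interoperate and deserves a comment next to this line.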
@@ -1078,7 +1078,7 @@ static int smack_inode_getsecurity(const
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
isp = smk_of_inode(inode);
- ilen = strlen(isp) + 1;
+ ilen = strlen(isp);
*buffer = isp;
return ilen;
}
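Review bot: this path hands out the inode's label pointer directly (`*buffer = isp`) rather than a copy, so the backing string stays NUL-terminated in memory and only the reported `ilen` shrinks; any in-kernel caller of inode_getsecurity that copies exactly `ilen` bytes into its own buffer and then treats it as a C string would now be missing the terminator, so those callers should be checked for that pattern before this goes in.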
@@ -1103,7 +1103,7 @@ static int smack_inode_getsecurity(const
else
return -EOPNOTSUPP;
- ilen = strlen(isp) + 1;
+ ilen = strlen(isp);
if (rc == 0) {
*buffer = isp;
rc = ilen;
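Review bot: `ilen` is computed before `rc == 0` is tested, so on the error branch the value is dead; harmless, but moving the strlen() inside the `if (rc == 0)` block would keep this hunk consistent with the getxattr path above and make it obvious that the length is only meaningful when a buffer is returned.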
* [PATCH 3.16 015/204] ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jianlin Shi, David S. Miller, Xin Long
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit 76cc0d3282d4b933fa144fa41fbc5318e0fdca24 upstream.
Now in ip6gre_header before packing the ipv6 header, it skb_push t->hlen
which only includes encap_hlen + tun_hlen. It means greh and inner header
would be overwritten by ipv6 stuff and ipv6h might have no chance to set
up.
Jianlin found this issue when using remote any on ip6_gre, the packets he
captured on gre dev are truncated:
22:50:26.210866 Out ethertype IPv6 (0x86dd), length 120: truncated-ip6 -\
8128 bytes missing!(flowlabel 0x92f40, hlim 0, next-header Options (0) \
payload length: 8192) ::1:2000:0 > ::1:0:86dd: HBH [trunc] ip-proto-128 \
8184
It should also skb_push ipv6hdr so that ipv6h points to the right position
to set ipv6 stuff up.
This patch is to skb_push hlen + sizeof(*ipv6h) and also fix some indents
in ip6gre_header.
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1172,21 +1172,23 @@ static int ip6gre_tunnel_change_mtu(stru
}
static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
- unsigned short type,
- const void *daddr, const void *saddr, unsigned int len)
+ unsigned short type, const void *daddr,
+ const void *saddr, unsigned int len)
{
struct ip6_tnl *t = netdev_priv(dev);
- struct ipv6hdr *ipv6h = (struct ipv6hdr *)skb_push(skb, t->hlen);
- __be16 *p = (__be16 *)(ipv6h+1);
+ struct ipv6hdr *ipv6h;
+ __be16 *p;
+ ipv6h = (struct ipv6hdr *)skb_push(skb, t->hlen + sizeof(*ipv6h));
ip6_flow_hdr(ipv6h, 0, t->fl.u.ip6.flowlabel);
ipv6h->hop_limit = t->parms.hop_limit;
ipv6h->nexthdr = NEXTHDR_GRE;
ipv6h->saddr = t->parms.laddr;
ipv6h->daddr = t->parms.raddr;
- p[0] = t->parms.o_flags;
- p[1] = htons(type);
+ p = (__be16 *)(ipv6h + 1);
+ p[0] = t->parms.o_flags;
+ p[1] = htons(type);
/*
* Set the source hardware address.
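Review bot: `skb_push(skb, t->hlen + sizeof(*ipv6h))` is only correct if t->hlen in this tree excludes the IPv6 header, which the commit message asserts for upstream ("only includes encap_hlen + tun_hlen"). In trees where ip6gre_tnl_link_config() still computes hlen starting from sizeof(struct ipv6hdr) + 4, this pushes 40 bytes too many and the GRE header and payload land at the wrong offsets, so the backport should verify how hlen is computed in 3.16 and that dev->hard_header_len reserves the extra headroom; if hlen already contains the IPv6 header here, this patch needs to be dropped or reworked for 3.16 rather than applied with a context adjustment. The diffstat is also missing from this message (the `---` separator is followed directly by the hunk).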
* [PATCH 3.16 104/204] ALSA: caiaq: Fix stray URB at probe error path
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Johan Hovold
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 99fee508245825765ff60155fed43f970ff83a8f upstream.
caiaq driver doesn't kill the URB properly at its error path during
the probe, which may lead to a use-after-free error later. This patch
addresses it.
Reported-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/usb/caiaq/device.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -469,10 +469,12 @@ static int init_card(struct snd_usb_caia
err = snd_usb_caiaq_send_command(cdev, EP1_CMD_GET_DEVICE_INFO, NULL, 0);
if (err)
- return err;
+ goto err_kill_urb;
- if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ))
- return -ENODEV;
+ if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ)) {
+ err = -ENODEV;
+ goto err_kill_urb;
+ }
usb_string(usb_dev, usb_dev->descriptor.iManufacturer,
cdev->vendor_name, CAIAQ_USB_STR_LEN);
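Review bot: the two converted returns now unwind the URB, but any other early return between this hunk and the new err_kill_urb label (the code after the usb_string() calls is not shown) would still leave the URB in flight; every failure path after the URB is submitted should go through the label. It is also worth confirming that the URB is submitted before the snd_usb_caiaq_send_command() call above, since that is what makes the kill on the first converted return necessary.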
@@ -507,6 +509,10 @@ static int init_card(struct snd_usb_caia
setup_card(cdev);
return 0;
+
+ err_kill_urb:
+ usb_kill_urb(&cdev->ep1_in_urb);
+ return err;
}
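Review bot: the label line ` err_kill_urb:` is indented by one space; kernel coding style puts labels in column 0 and checkpatch will flag it. The cleanup itself is right: usb_kill_urb() waits for the completion handler to finish, so once it returns the handler can no longer touch `cdev` after the caller frees it, which is the use-after-free the commit message describes.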
static int snd_probe(struct usb_interface *intf,
* [PATCH 3.16 097/204] workqueue: replace pool->manager_arb mutex with a flag
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Lai Jiangshan, Josef Bacik, Peter Zijlstra, Boqun Feng,
Tejun Heo
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
commit 692b48258dda7c302e777d7d5f4217244478f1f6 upstream.
Josef reported a HARDIRQ-safe -> HARDIRQ-unsafe lock order detected by
lockdep:
[ 1270.472259] WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
[ 1270.472783] 4.14.0-rc1-xfstests-12888-g76833e8 #110 Not tainted
[ 1270.473240] -----------------------------------------------------
[ 1270.473710] kworker/u5:2/5157 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
[ 1270.474239] (&(&lock->wait_lock)->rlock){+.+.}, at: [<ffffffff8da253d2>] __mutex_unlock_slowpath+0xa2/0x280
[ 1270.474994]
[ 1270.474994] and this task is already holding:
[ 1270.475440] (&pool->lock/1){-.-.}, at: [<ffffffff8d2992f6>] worker_thread+0x366/0x3c0
[ 1270.476046] which would create a new lock dependency:
[ 1270.476436] (&pool->lock/1){-.-.} -> (&(&lock->wait_lock)->rlock){+.+.}
[ 1270.476949]
[ 1270.476949] but this new dependency connects a HARDIRQ-irq-safe lock:
[ 1270.477553] (&pool->lock/1){-.-.}
...
[ 1270.488900] to a HARDIRQ-irq-unsafe lock:
[ 1270.489327] (&(&lock->wait_lock)->rlock){+.+.}
...
[ 1270.494735] Possible interrupt unsafe locking scenario:
[ 1270.494735]
[ 1270.495250] CPU0 CPU1
[ 1270.495600] ---- ----
[ 1270.495947] lock(&(&lock->wait_lock)->rlock);
[ 1270.496295] local_irq_disable();
[ 1270.496753] lock(&pool->lock/1);
[ 1270.497205] lock(&(&lock->wait_lock)->rlock);
[ 1270.497744] <Interrupt>
[ 1270.497948] lock(&pool->lock/1);
, which will cause an irq inversion deadlock if the above lock scenario
happens.
The root cause of this safe -> unsafe lock order is the
mutex_unlock(pool->manager_arb) in manage_workers() with pool->lock
held.
Unlocking a mutex while holding an irq spinlock was never safe and this
problem has been around forever, but it never got noticed because the
mutex is usually only trylocked while holding the irqlock, making
actual failures very unlikely, and the lockdep annotation missed the
condition until the recent b9c16a0e1f73 ("locking/mutex: Fix
lockdep_assert_held() fail").
Using a mutex for pool->manager_arb has always been a bit of a stretch.
It primarily is a mechanism to arbitrate managership between workers
which can easily be done with a pool flag. The only reason it became
a mutex is that the pool destruction path wants to exclude parallel
managing operations.
This patch replaces the mutex with a new pool flag POOL_MANAGER_ACTIVE
and makes the destruction path wait for the current manager on a wait
queue.
v2: Drop unnecessary flag clearing before pool destruction as
suggested by Boqun.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Boqun Feng <boqun.feng@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/workqueue.c | 37 +++++++++++++++----------------------
1 file changed, 15 insertions(+), 22 deletions(-)
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -68,6 +68,7 @@ enum {
* attach_mutex to avoid changing binding state while
* worker_attach_to_pool() is in progress.
*/
+ POOL_MANAGER_ACTIVE = 1 << 0, /* being managed */
POOL_DISASSOCIATED = 1 << 2, /* cpu can't serve workers */
/* worker flags */
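Review bot: the new flag takes bit 0 while POOL_DISASSOCIATED stays at bit 2, leaving bit 1 unused, which is fine; but since POOL_MANAGER_ACTIVE lives in pool->flags its comment should state that it is protected by pool->lock (this file's locking table uses letter codes for exactly that), so readers know manage_workers() and put_unbound_pool() may only test or set it under the lock.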
@@ -158,7 +159,6 @@ struct worker_pool {
/* L: hash of busy workers */
/* see manage_workers() for details on the two manager mutexes */
- struct mutex manager_arb; /* manager arbitration */
struct mutex attach_mutex; /* attach/detach exclusion */
struct list_head workers; /* A: attached workers */
struct completion *detach_completion; /* all workers detached */
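Review bot: the comment just above the removed line, `/* see manage_workers() for details on the two manager mutexes */`, now describes only one mutex (attach_mutex) and a flag; it should be updated in this hunk so the struct does not advertise a manager mutex that no longer exists.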
@@ -288,6 +288,7 @@ static struct workqueue_attrs *wq_update
static DEFINE_MUTEX(wq_pool_mutex); /* protects pools and workqueues list */
static DEFINE_SPINLOCK(wq_mayday_lock); /* protects wq->maydays list */
+static DECLARE_WAIT_QUEUE_HEAD(wq_manager_wait); /* wait for manager to go away */
static LIST_HEAD(workqueues); /* PL: list of all workqueues */
static bool workqueue_freezing; /* PL: have wqs started freezing? */
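Review bot: `wq_manager_wait` is one global wait queue shared by every pool, so a manager finishing on any pool wakes the destroyer of every other pool, which re-checks its own condition and sleeps again; that is correct and cheap because only put_unbound_pool() ever waits here, but the comment should say so ("pool destruction waits for a manager to finish") so nobody later adds a hot-path waiter to it.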
@@ -793,7 +794,7 @@ static bool need_to_create_worker(struct
/* Do we have too many workers and should some go away? */
static bool too_many_workers(struct worker_pool *pool)
{
- bool managing = mutex_is_locked(&pool->manager_arb);
+ bool managing = pool->flags & POOL_MANAGER_ACTIVE;
int nr_idle = pool->nr_idle + managing; /* manager is considered idle */
int nr_busy = pool->nr_workers - nr_idle;
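Review bot: `pool->flags & POOL_MANAGER_ACTIVE` is read here under pool->lock, as mutex_is_locked() was before, so `managing` keeps its meaning; the assignment to a `bool` is what normalises the masked value to 0 or 1 before it is added into nr_idle, which is worth a comment since a change of the variable's type to int would silently break the arithmetic.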
@@ -1996,22 +1997,15 @@ static bool manage_workers(struct worker
{
struct worker_pool *pool = worker->pool;
- /*
- * Anyone who successfully grabs manager_arb wins the arbitration
- * and becomes the manager. mutex_trylock() on pool->manager_arb
- * failure while holding pool->lock reliably indicates that someone
- * else is managing the pool and the worker which failed trylock
- * can proceed to executing work items. This means that anyone
- * grabbing manager_arb is responsible for actually performing
- * manager duties. If manager_arb is grabbed and released without
- * actual management, the pool may stall indefinitely.
- */
- if (!mutex_trylock(&pool->manager_arb))
+ if (pool->flags & POOL_MANAGER_ACTIVE)
return false;
+ pool->flags |= POOL_MANAGER_ACTIVE;
+
maybe_create_worker(pool);
- mutex_unlock(&pool->manager_arb);
+ pool->flags &= ~POOL_MANAGER_ACTIVE;
+ wake_up(&wq_manager_wait);
return true;
}
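Review bot: the removed comment carried the invariant that still matters, namely that whoever claims managership must actually run maybe_create_worker() or the pool can stall; a shorter replacement comment above the flag test should restate it, and add that the test-and-set is race-free only because manage_workers() runs with pool->lock held and maybe_create_worker() re-acquires the lock before the flag is cleared. The wake_up() is issued under pool->lock and pairs with wait_event_lock_irq() in put_unbound_pool(), so no wakeup can be lost.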
@@ -3490,7 +3484,6 @@ static int init_worker_pool(struct worke
setup_timer(&pool->mayday_timer, pool_mayday_timeout,
(unsigned long)pool);
- mutex_init(&pool->manager_arb);
mutex_init(&pool->attach_mutex);
INIT_LIST_HEAD(&pool->workers);
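Review bot: with mutex_init() gone nothing initialises the POOL_MANAGER_ACTIVE bit explicitly, so the flag starting clear depends on pool->flags being zero when init_worker_pool() runs; confirm that the pool is zero-allocated and that nothing earlier in this function assigns pool->flags rather than OR-ing into it.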
@@ -3546,13 +3539,15 @@ static void put_unbound_pool(struct work
hash_del(&pool->hash_node);
/*
- * Become the manager and destroy all workers. Grabbing
- * manager_arb prevents @pool's workers from blocking on
- * attach_mutex.
+ * Become the manager and destroy all workers. This prevents
+ * @pool's workers from blocking on attach_mutex. We're the last
+ * manager and @pool gets freed with the flag set.
*/
- mutex_lock(&pool->manager_arb);
-
spin_lock_irq(&pool->lock);
+ wait_event_lock_irq(wq_manager_wait,
+ !(pool->flags & POOL_MANAGER_ACTIVE), pool->lock);
+ pool->flags |= POOL_MANAGER_ACTIVE;
+
while ((worker = first_idle_worker(pool)))
destroy_worker(worker);
WARN_ON(pool->nr_workers || pool->nr_idle);
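Review bot: wait_event_lock_irq() drops and re-takes pool->lock while sleeping, so nothing computed under the lock before it may be assumed stable afterwards; nothing here is, so the ordering is correct. The comment's statement that the pool "gets freed with the flag set" is true because the flag is never cleared on this path, but a later reader may take it for a leak, so consider adding that once nr_workers reaches zero no worker can call manage_workers() again, which is why clearing it is unnecessary.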
@@ -3566,8 +3561,6 @@ static void put_unbound_pool(struct work
if (pool->detach_completion)
wait_for_completion(pool->detach_completion);
- mutex_unlock(&pool->manager_arb);
-
/* shut down the timers */
del_timer_sync(&pool->idle_timer);
del_timer_sync(&pool->mayday_timer);
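Review bot: the removed mutex_unlock() was the point at which another manager could previously start; with the flag left set, the code between wait_for_completion() and the timer teardown now runs with managership still held, which is what excludes a late manage_workers() from creating a worker during destruction. That is the desired behaviour (and the reason v2 dropped the flag clearing), but it should be spelled out in the commit message.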
* [PATCH 3.16 189/204] netlink: Add netns check on taps
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Kevin Cernekee, David S. Miller
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Cernekee <cernekee@chromium.org>
commit 93c647643b48f0131f02e45da3bd367d80443291 upstream.
Currently, a nlmon link inside a child namespace can observe systemwide
netlink activity. Filter the traffic so that nlmon can only sniff
netlink messages from its own netns.
Test case:
vpnns -- bash -c "ip link add nlmon0 type nlmon; \
ip link set nlmon0 up; \
tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
spi 0x1 mode transport \
auth sha1 0x6162633132330000000000000000000000000000 \
enc aes 0x00000000000000000000000000000000
grep --binary abc123 /tmp/nlmon.pcap
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netlink/af_netlink.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -216,6 +216,9 @@ static int __netlink_deliver_tap_skb(str
struct sock *sk = skb->sk;
int ret = -ENOMEM;
+ if (!net_eq(dev_net(dev), sock_net(sk)))
+ return 0;
+
dev_hold(dev);
if (is_vmalloc_addr(skb->head))
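Review bot: the early `return 0` sits before dev_hold(), so no device reference is leaked, and returning 0 rather than an error lets the caller's tap loop move on to the next tap instead of stopping at the first non-matching device; confirm that is how the caller treats the return value. The filter is symmetric: an nlmon device in the root netns also stops seeing messages from child namespaces, which is a visible behaviour change for existing monitoring setups and deserves a sentence in the commit message alongside the test case.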
* [PATCH 3.16 052/204] IB/mlx5: Fix the size parameter to find_first_bit
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Leon Romanovsky, Doug Ledford, Christophe Jaillet,
Majd Dibbiny
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
commit fffd68734dc685e208e86d8c5f6522cd695a8d60 upstream.
The 2nd parameter of 'find_first_bit' is the number of bits to search.
In this case, we are passing 'sizeof(tmp)' which is likely to be 4 or 8
because 'tmp' is an 'unsigned long'.
It is likely that the number of bits of 'tmp' was expected here. So use
BITS_PER_LONG instead.
It has been spotted by the following coccinelle script:
@@
expression ret, x;
@@
* ret = \(find_first_bit \| find_first_zero_bit\) (x, sizeof(...));
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Majd Dibbiny <majd@mellanox.com>
Acked-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/hw/mlx5/mem.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/infiniband/hw/mlx5/mem.c
+++ b/drivers/infiniband/hw/mlx5/mem.c
@@ -58,7 +58,7 @@ void mlx5_ib_cont_pages(struct ib_umem *
addr = addr >> PAGE_SHIFT;
tmp = (unsigned long)addr;
- m = find_first_bit(&tmp, sizeof(tmp));
+ m = find_first_bit(&tmp, BITS_PER_LONG);
skip = 1 << m;
mask = skip - 1;
i = 0;
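Review bot: find_first_bit() returns BITS_PER_LONG when no bit is set, and `skip = 1 << m` then shifts an int by 32 or 64; before this change the same case produced sizeof(tmp), a wrong but defined value. If `addr >> PAGE_SHIFT` can be zero (tmp == 0) this needs a guard, and `1UL << m` would at least avoid int overflow for m >= 31 on the non-zero path.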
@@ -68,7 +68,7 @@ void mlx5_ib_cont_pages(struct ib_umem *
for (k = 0; k < len; k++) {
if (!(i & mask)) {
tmp = (unsigned long)pfn;
- m = min_t(unsigned long, m, find_first_bit(&tmp, sizeof(tmp)));
+ m = min_t(unsigned long, m, find_first_bit(&tmp, BITS_PER_LONG));
skip = 1 << m;
mask = skip - 1;
base = pfn;
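Review bot: same observation as for the first hunk: with BITS_PER_LONG the no-bit-set result changes from sizeof(tmp) to 64 on 64-bit, and because `m` is folded through min_t() a pfn of zero would no longer silently clamp it to 8 but leave the earlier value; a comment stating that pfn 0 is not expected here, or an explicit check, would make the intent clear.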
@@ -76,7 +76,7 @@ void mlx5_ib_cont_pages(struct ib_umem *
} else {
if (base + p != pfn) {
tmp = (unsigned long)p;
- m = find_first_bit(&tmp, sizeof(tmp));
+ m = find_first_bit(&tmp, BITS_PER_LONG);
skip = 1 << m;
mask = skip - 1;
base = pfn;
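Review bot: here `tmp` is the run length `p`, which should be non-zero by the time `base + p != pfn` can be true for a started run, so the zero case does not arise; the three call sites are now consistent, and a small helper that computes min(m, find_first_bit(&v, BITS_PER_LONG)) would avoid repeating the pattern and the `1 << m` shift three times.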
* [PATCH 3.16 188/204] netfilter: nfnetlink_cthelper: Add missing permission checks
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Kevin Cernekee, Pablo Neira Ayuso
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Cernekee <cernekee@chromium.org>
commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.
The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, nfnl_cthelper_list is shared by all net namespaces on the
system. An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:
$ nfct helper list
nfct v1.4.4: netlink error: Operation not permitted
$ vpnns -- nfct helper list
{
.name = ftp,
.queuenum = 0,
.l3protonum = 2,
.l4protonum = 6,
.priv_data_len = 24,
.status = enabled,
};
Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -17,6 +17,7 @@
#include <linux/types.h>
#include <linux/list.h>
#include <linux/errno.h>
+#include <linux/capability.h>
#include <net/netlink.h>
#include <net/sock.h>
@@ -295,6 +296,9 @@ nfnl_cthelper_new(struct sock *nfnl, str
struct nf_conntrack_tuple tuple;
int ret = 0, i;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
return -EINVAL;
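Review bot: `capable(CAP_NET_ADMIN)` checks the initial user namespace, which is the right scope for a helper list shared by all net namespaces, but it intentionally denies a container root that holds CAP_NET_ADMIN only in its own namespace; the commit message explains why, and a one-line comment above the check would stop the next reader from "fixing" it back to ns_capable() or netlink_net_capable().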
@@ -509,6 +513,9 @@ nfnl_cthelper_get(struct sock *nfnl, str
struct nf_conntrack_tuple tuple;
bool tuple_set = false;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (nlh->nlmsg_flags & NLM_F_DUMP) {
struct netlink_dump_control c = {
.dump = nfnl_cthelper_dump_table,
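Review bot: placing the check ahead of the `NLM_F_DUMP` branch covers both the single-get and the dump path, which matters because the dump is what `nfct helper list` in the commit message uses; good. Rejecting before any attribute parsing also means an unprivileged caller learns nothing about helper names from error replies.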
@@ -581,6 +588,9 @@ nfnl_cthelper_del(struct sock *nfnl, str
bool tuple_set = false, found = false;
int i, j = 0, ret;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (tb[NFCTH_NAME])
helper_name = nla_data(tb[NFCTH_NAME]);
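Review bot: the del path now requires initial-namespace CAP_NET_ADMIN like new and get, which is consistent; since the three checks are identical, either a single check at the shared nfnetlink entry for this subsystem or a comment in each pointing at the rationale in nfnl_cthelper_new() would keep them from drifting when a further operation is added.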
* [PATCH 3.16 109/204] KEYS: encrypted: fix dereference of NULL user_key_payload
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Eric Biggers, James Morris, David Safford, David Howells,
Mimi Zohar
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 13923d0865ca96312197962522e88bc0aedccd74 upstream.
A key of type "encrypted" references a "master key" which is used to
encrypt and decrypt the encrypted key's payload. However, when we
accessed the master key's payload, we failed to handle the case where
the master key has been revoked, which sets the payload pointer to NULL.
Note that request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.
Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.
This was an issue for master keys of type "user" only. Master keys can
also be of type "trusted", but those cannot be revoked.
Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/encrypted-keys/encrypted.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -315,6 +315,13 @@ static struct key *request_user_key(cons
down_read(&ukey->sem);
upayload = ukey->payload.data;
+ if (!upayload) {
+ /* key was revoked before we acquired its semaphore */
+ up_read(&ukey->sem);
+ key_put(ukey);
+ ukey = ERR_PTR(-EKEYREVOKED);
+ goto error;
+ }
*master_key = upayload->data;
*master_keylen = upayload->datalen;
error:
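Review bot: on the new error path the read semaphore and the key reference are both released before jumping to `error:`, which must therefore only return `ukey` (as the existing label does) so the caller sees ERR_PTR(-EKEYREVOKED) and does not up_read() a second time; since the label does nothing else, a direct `return ERR_PTR(-EKEYREVOKED);` would read more clearly than the goto. The comment should also say that `ukey->payload.data` is read under `sem` precisely because revocation clears it under the same lock, which is what makes a NULL here a reliable signal.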
* [PATCH 3.16 044/204] iio: core: Return error for failed read_reg
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Lars-Peter Clausen, Jonathan Cameron, Matt Fornero
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matt Fornero <matt.fornero@mathworks.com>
commit 3d62c78a6eb9a7d67bace9622b66ad51e81c5f9b upstream.
If an IIO device returns an error code for a read access via debugfs, it
is currently ignored by the IIO core (other than emitting an error
message). Instead, return this error code to user space, so upper layers
can detect it correctly.
Signed-off-by: Matt Fornero <matt.fornero@mathworks.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iio/industrialio-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -184,8 +184,10 @@ static ssize_t iio_debugfs_read_reg(stru
ret = indio_dev->info->debugfs_reg_access(indio_dev,
indio_dev->cached_reg_addr,
0, &val);
- if (ret)
+ if (ret) {
dev_err(indio_dev->dev.parent, "%s: read failed\n", __func__);
+ return ret;
+ }
len = snprintf(buf, sizeof(buf), "0x%X\n", val);
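Review bot: `return ret` relies on every debugfs_reg_access() implementation returning a negative errno; a driver that returns a positive value would have it passed through as the byte count of the read, so a `ret < 0 ? ret : -EIO` guard, or a note in the callback's documentation that positive returns are not allowed, is worth considering. Since the read is user-triggered through debugfs, the dev_err() is now reachable in a tight loop and dev_err_ratelimited() would be the safer choice.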
* [PATCH 3.16 134/204] x86, amd_nb: Add device IDs to NB tables for F15h M60h
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Thomas Gleixner, Aravind Gopalakrishnan, Borislav Petkov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>
commit 15895a729e02ea55433b912cc31d5c6de16359ec upstream.
Add F3 and F4 PCI device IDs to amd_nb_misc_ids[] and
amd_nb_link_ids[] respectively.
Signed-off-by: Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1411070205-10217-1-git-send-email-Aravind.Gopalakrishnan@amd.com
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/amd_nb.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/x86/kernel/amd_nb.c
+++ b/arch/x86/kernel/amd_nb.c
@@ -21,6 +21,7 @@ const struct pci_device_id amd_nb_misc_i
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_NB_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M10H_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M30H_NB_F3) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M60H_NB_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F3) },
{}
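Review bot: `PCI_DEVICE_ID_AMD_15H_M60H_NB_F3` is used but the diffstat lists only arch/x86/kernel/amd_nb.c, so this builds only if the define is already present in include/linux/pci_ids.h in 3.16; confirm that the commit introducing those IDs is in the tree (or carry the define with this backport) before merging.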
@@ -30,6 +31,7 @@ EXPORT_SYMBOL(amd_nb_misc_ids);
static const struct pci_device_id amd_nb_link_ids[] = {
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_NB_F4) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M30H_NB_F4) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M60H_NB_F4) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F4) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F4) },
{}
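Review bot: the same dependency applies to `PCI_DEVICE_ID_AMD_15H_M60H_NB_F4`; updating the misc and link tables in the same patch, as done here, is the right shape, since a model present in one table but not the other would fail at runtime rather than at build time.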
* [PATCH 3.16 129/204] can: esd_usb2: Fix can_dlc value for received RTR frames
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Marc Kleine-Budde, Stefan Mätje, Stefan Mätje
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Mätje <Stefan.Maetje@esd.eu>
commit 72d92e865d1560723e1957ee3f393688c49ca5bf upstream.
The dlc member of the struct rx_msg contains also the ESD_RTR flag to
mark received RTR frames. Without the fix the can_dlc value for received
RTR frames would always be set to 8 by get_can_dlc() instead of the
received value.
Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
Signed-off-by: Stefan Mätje <stefan.maetje@esd.eu>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/can/usb/esd_usb2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/usb/esd_usb2.c
+++ b/drivers/net/can/usb/esd_usb2.c
@@ -334,7 +334,7 @@ static void esd_usb2_rx_can_msg(struct e
}
cf->can_id = id & ESD_IDMASK;
- cf->can_dlc = get_can_dlc(msg->msg.rx.dlc);
+ cf->can_dlc = get_can_dlc(msg->msg.rx.dlc & ~ESD_RTR);
if (id & ESD_EXTID)
cf->can_id |= CAN_EFF_FLAG;
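Review bot: the mask is the right fix: get_can_dlc() clamps its argument to 8, so any dlc byte with the ESD_RTR flag bit set was clamped to 8 regardless of the real length, exactly as the description states. Please confirm that the code deriving CAN_RTR_FLAG for cf->can_id from the same dlc byte (outside this hunk) still reads the unmasked msg->msg.rx.dlc, so the RTR indication is not lost along with the length fix.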
* [PATCH 3.16 191/204] USB: core: prevent malicious bNumInterfaces overflow
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Greg Kroah-Hartman, Andrey Konovalov, Alan Stern
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.
A malicious USB device with crafted descriptors can cause the kernel
to access unallocated memory by setting the bNumInterfaces value too
high in a configuration descriptor. Although the value is adjusted
during parsing, this adjustment is skipped in one of the error return
paths.
This patch prevents the problem by setting bNumInterfaces to 0
initially. The existing code already sets it to the proper value
after parsing is complete.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/config.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -519,6 +519,9 @@ static int usb_parse_configuration(struc
unsigned iad_num = 0;
memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
+ nintf = nintf_orig = config->desc.bNumInterfaces;
+ config->desc.bNumInterfaces = 0; // Adjusted later
+
if (config->desc.bDescriptorType != USB_DT_CONFIG ||
config->desc.bLength < USB_DT_CONFIG_SIZE ||
config->desc.bLength > size) {
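Review bot: the `// Adjusted later` comment uses C++ style; the kernel's coding style wants `/* Adjusted later */` and checkpatch will flag it. Functionally the ordering is right: the raw count is captured into nintf/nintf_orig straight after the memcpy and the descriptor field is zeroed before the bDescriptorType/bLength check, so the early error return now leaves config->desc.bNumInterfaces at 0 instead of the device-supplied value, which is what stops later code from walking interfaces that were never allocated.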
@@ -532,7 +535,6 @@ static int usb_parse_configuration(struc
buffer += config->desc.bLength;
size -= config->desc.bLength;
- nintf = nintf_orig = config->desc.bNumInterfaces;
if (nintf > USB_MAXINTERFACES) {
dev_warn(ddev, "config %d has too many interfaces: %d, "
"using maximum allowed: %d\n",
* [PATCH 3.16 122/204] usb: cdc_acm: Add quirk for Elatec TWN3
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Maksim Salau, Oliver Neukum, Greg Kroah-Hartman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Maksim Salau <msalau@iotecha.com>
commit 765fb2f181cad669f2beb87842a05d8071f2be85 upstream.
Elatec TWN3 has the union descriptor on the data interface. This results in
a failure to bind the device to the driver with the following log:
usb 1-1.2: new full speed USB device using streamplug-ehci and address 4
usb 1-1.2: New USB device found, idVendor=09d8, idProduct=0320
usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1.2: Product: RFID Device (COM)
usb 1-1.2: Manufacturer: OEM
cdc_acm 1-1.2:1.0: Zero length descriptor references
cdc_acm: probe of 1-1.2:1.0 failed with error -22
Adding the NO_UNION_NORMAL quirk for the device fixes the issue.
`lsusb -v` of the device:
Bus 001 Device 003: ID 09d8:0320
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            2 Communications
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        32
  idVendor           0x09d8
  idProduct          0x0320
  bcdDevice            3.00
  iManufacturer           1 OEM
  iProduct                2 RFID Device (COM)
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           67
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              250mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0020  1x 32 bytes
        bInterval               2
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0020  1x 32 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0020  1x 32 bytes
        bInterval               0
      CDC Header:
        bcdCDC               1.10
      CDC Call Management:
        bmCapabilities       0x03
          call management
          use DataInterface
        bDataInterface          1
      CDC ACM:
        bmCapabilities       0x06
          sends break
          line coding and serial state
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1
Device Status:     0x0000
  (Bus Powered)
Signed-off-by: Maksim Salau <msalau@iotecha.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/class/cdc-acm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1775,6 +1775,9 @@ static const struct usb_device_id acm_id
{ USB_DEVICE(0xfff0, 0x0100), /* DATECS FP-2000 */
.driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
},
+ { USB_DEVICE(0x09d8, 0x0320), /* Elatec GmbH TWN3 */
+ .driver_info = NO_UNION_NORMAL, /* has misplaced union descriptor */
+ },
{ USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */
.driver_info = CLEAR_HALT_CONDITIONS,
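Review bot: NO_UNION_NORMAL is the right quirk here only because it makes the driver assume control interface 0 and data interface 1, and the lsusb output in the description confirms exactly that layout (bMasterInterface 0, bSlaveInterface 1, bDataInterface 1); a device with the interfaces in the other order would need a different fix, so it is worth stating that dependency in the entry comment. The table is not sorted by vendor ID (0xfff0 precedes 0x2912), so inserting 0x09d8 at this position is consistent with its neighbours.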
* [PATCH 3.16 089/204] mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to inline function
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Reza Arbab, Yasuaki Ishimatsu, Michal Hocko,
YASUAKI ISHIMATSU, Xishi Qiu, Vlastimil Babka, Linus Torvalds
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
commit 1dd2bfc86818ddbc95f98e312e7704350223fd7d upstream.
pfn_to_section_nr() and section_nr_to_pfn() are defined as macros.
pfn_to_section_nr() has no issue even if it is defined as a macro. But
section_nr_to_pfn() has an overflow issue if sec is defined as int.
section_nr_to_pfn() just shifts sec by PFN_SECTION_SHIFT. If sec is
defined as unsigned long, section_nr_to_pfn() returns pfn as a 64 bit value.
But if sec is defined as int, section_nr_to_pfn() returns pfn as a 32 bit
value.
__remove_section() calculates start_pfn using section_nr_to_pfn() and
scn_nr defined as int. So if the hot-removed memory address is over 16TB,
an overflow occurs and section_nr_to_pfn() does not calculate the correct
pfn.
To make callers use the proper argument type, the patch changes the macros
to inline functions.
Fixes: 815121d2b5cd ("memory_hotplug: clear zone when removing the memory")
Link: http://lkml.kernel.org/r/e643a387-e573-6bbf-d418-c60c8ee3d15e@gmail.com
Signed-off-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Xishi Qiu <qiuxishi@huawei.com>
Cc: Reza Arbab <arbab@linux.vnet.ibm.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/mmzone.h | 10 ++++++++--
mm/memory_hotplug.c | 2 +-
2 files changed, 9 insertions(+), 3 deletions(-)
--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
@@ -1094,8 +1094,14 @@ static inline unsigned long early_pfn_to
#error Allocator MAX_ORDER exceeds SECTION_SIZE
#endif
-#define pfn_to_section_nr(pfn) ((pfn) >> PFN_SECTION_SHIFT)
-#define section_nr_to_pfn(sec) ((sec) << PFN_SECTION_SHIFT)
+static inline unsigned long pfn_to_section_nr(unsigned long pfn)
+{
+ return pfn >> PFN_SECTION_SHIFT;
+}
+static inline unsigned long section_nr_to_pfn(unsigned long sec)
+{
+ return sec << PFN_SECTION_SHIFT;
+}
#define SECTION_ALIGN_UP(pfn) (((pfn) + PAGES_PER_SECTION - 1) & PAGE_SECTION_MASK)
#define SECTION_ALIGN_DOWN(pfn) ((pfn) & PAGE_SECTION_MASK)
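Review bot: switching to inline functions changes the argument's type semantics, not only the promotion: an int caller is now implicitly converted to unsigned long before the shift, which fixes the 32-bit truncation but also sign-extends a negative int silently. Two things to verify outside this hunk: that no caller uses either macro in a preprocessor condition or another constant expression (an inline function cannot appear there), and whether SECTION_ALIGN_UP/SECTION_ALIGN_DOWN, left as macros directly below, share the same int-argument hazard.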
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -735,7 +735,7 @@ static int __remove_section(struct zone
return ret;
scn_nr = __section_nr(ms);
- start_pfn = section_nr_to_pfn(scn_nr);
+ start_pfn = section_nr_to_pfn((unsigned long)scn_nr);
__remove_zone(zone, start_pfn);
sparse_remove_one_section(zone, ms);
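Review bot: the explicit (unsigned long) cast is redundant now that section_nr_to_pfn() declares its parameter as unsigned long; the implicit conversion performs the same widening. The cleaner fix is to declare scn_nr as unsigned long in __remove_section() so the section number never passes through an int at all, rather than casting at a single call site and leaving the int variable for the next caller to trip over.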
* [PATCH 3.16 140/204] fuse: fix READDIRPLUS skipping an entry
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Marios Titas, Jakob Unterwurzacher, Miklos Szeredi
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
commit c6cdd51404b7ac12dd95173ddfc548c59ecf037f upstream.
Marios Titas running a Haskell program noticed a problem with fuse's
readdirplus: when it is interrupted by a signal, it skips one directory
entry.
The reason is that fuse erroneously updates ctx->pos after a failed
dir_emit().
The issue originates from the patch adding readdirplus support.
Reported-by: Jakob Unterwurzacher <jakobunt@gmail.com>
Tested-by: Marios Titas <redneb@gmx.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 0b05b18381ee ("fuse: implement NFS-like readdirplus support")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/fuse/dir.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1382,7 +1382,8 @@ static int parse_dirplusfile(char *buf,
*/
over = !dir_emit(ctx, dirent->name, dirent->namelen,
dirent->ino, dirent->type);
- ctx->pos = dirent->off;
+ if (!over)
+ ctx->pos = dirent->off;
}
buf += reclen;
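Review bot: guarding the ctx->pos update on !over is correct, but the loop's exit on `over` is outside this hunk; please confirm the enclosing loop breaks as soon as dir_emit() fails, otherwise the next iteration would advance ctx->pos past the entry that was never emitted and the same skip would reappear one entry later.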
* [PATCH 3.16 199/204] ptrace: Don't allow accessing an undumpable mm
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Andy Lutomirski, Eric W. Biederman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 84d77d3f06e7e8dea057d10e8ec77ad71f721be3 upstream.
It is the reasonable expectation that if an executable file is not
readable there will be no way for a user without special privileges to
read the file. This is enforced in ptrace_attach but if ptrace
is already attached before exec there is no enforcement for read-only
executables.
As the only way to read such an mm is through access_process_vm,
spin a variant called ptrace_access_vm that will fail if the
target process is not being ptraced by the current process, or
the current process did not have sufficient privileges when ptracing
began to read the target process's mm.
In the ptrace implementations replace access_process_vm by
ptrace_access_vm. There remain several ptrace sites that still use
access_process_vm as they are reading the target executables
instructions (for kernel consumption) or register stacks. As such it
does not appear necessary to add a permission check to those calls.
This bug has always existed in Linux.
Fixes: v1.0
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[bwh: Backported to 3.16:
- Pass around only a write flag, not gup_flags
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/alpha/kernel/ptrace.c | 2 +-
arch/blackfin/kernel/ptrace.c | 4 ++--
arch/cris/arch-v32/kernel/ptrace.c | 2 +-
arch/ia64/kernel/ptrace.c | 2 +-
arch/mips/kernel/ptrace32.c | 4 ++--
arch/powerpc/kernel/ptrace32.c | 4 ++--
include/linux/mm.h | 2 ++
include/linux/ptrace.h | 3 +++
kernel/ptrace.c | 42 ++++++++++++++++++++++++++++++++------
mm/memory.c | 2 +-
mm/nommu.c | 2 +-
11 files changed, 52 insertions(+), 17 deletions(-)
--- a/arch/alpha/kernel/ptrace.c
+++ b/arch/alpha/kernel/ptrace.c
@@ -281,7 +281,7 @@ long arch_ptrace(struct task_struct *chi
/* When I and D space are separate, these will need to be fixed. */
case PTRACE_PEEKTEXT: /* read word at location addr. */
case PTRACE_PEEKDATA:
- copied = access_process_vm(child, addr, &tmp, sizeof(tmp), 0);
+ copied = ptrace_access_vm(child, addr, &tmp, sizeof(tmp), 0);
ret = -EIO;
if (copied != sizeof(tmp))
break;
--- a/arch/blackfin/kernel/ptrace.c
+++ b/arch/blackfin/kernel/ptrace.c
@@ -270,7 +270,7 @@ long arch_ptrace(struct task_struct *chi
switch (bfin_mem_access_type(addr, to_copy)) {
case BFIN_MEM_ACCESS_CORE:
case BFIN_MEM_ACCESS_CORE_ONLY:
- copied = access_process_vm(child, addr, &tmp,
+ copied = ptrace_access_vm(child, addr, &tmp,
to_copy, 0);
if (copied)
break;
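Review bot: the continuation line `to_copy, 0);` was aligned to the opening parenthesis of access_process_vm(, which sits one column further right than ptrace_access_vm(; the argument is now misaligned. The same applies to the second blackfin hunk and to the mips and powerpc ptrace32.c hunks, where the `sizeof(tmp), 0);` / `sizeof(data), 1)` continuations were not re-indented either.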
@@ -323,7 +323,7 @@ long arch_ptrace(struct task_struct *chi
switch (bfin_mem_access_type(addr, to_copy)) {
case BFIN_MEM_ACCESS_CORE:
case BFIN_MEM_ACCESS_CORE_ONLY:
- copied = access_process_vm(child, addr, &data,
+ copied = ptrace_access_vm(child, addr, &data,
to_copy, 1);
break;
case BFIN_MEM_ACCESS_DMA:
--- a/arch/cris/arch-v32/kernel/ptrace.c
+++ b/arch/cris/arch-v32/kernel/ptrace.c
@@ -147,7 +147,7 @@ long arch_ptrace(struct task_struct *chi
/* The trampoline page is globally mapped, no page table to traverse.*/
tmp = *(unsigned long*)addr;
} else {
- copied = access_process_vm(child, addr, &tmp, sizeof(tmp), 0);
+ copied = ptrace_access_vm(child, addr, &tmp, sizeof(tmp), 0);
if (copied != sizeof(tmp))
break;
--- a/arch/ia64/kernel/ptrace.c
+++ b/arch/ia64/kernel/ptrace.c
@@ -1156,7 +1156,7 @@ arch_ptrace (struct task_struct *child,
case PTRACE_PEEKTEXT:
case PTRACE_PEEKDATA:
/* read word at location addr */
- if (access_process_vm(child, addr, &data, sizeof(data), 0)
+ if (ptrace_access_vm(child, addr, &data, sizeof(data), 0)
!= sizeof(data))
return -EIO;
/* ensure return value is not mistaken for error code */
--- a/arch/mips/kernel/ptrace32.c
+++ b/arch/mips/kernel/ptrace32.c
@@ -69,7 +69,7 @@ long compat_arch_ptrace(struct task_stru
if (get_user(addrOthers, (u32 __user * __user *) (unsigned long) addr) != 0)
break;
- copied = access_process_vm(child, (u64)addrOthers, &tmp,
+ copied = ptrace_access_vm(child, (u64)addrOthers, &tmp,
sizeof(tmp), 0);
if (copied != sizeof(tmp))
break;
@@ -178,7 +178,7 @@ long compat_arch_ptrace(struct task_stru
if (get_user(addrOthers, (u32 __user * __user *) (unsigned long) addr) != 0)
break;
ret = 0;
- if (access_process_vm(child, (u64)addrOthers, &data,
+ if (ptrace_access_vm(child, (u64)addrOthers, &data,
sizeof(data), 1) == sizeof(data))
break;
ret = -EIO;
--- a/arch/powerpc/kernel/ptrace32.c
+++ b/arch/powerpc/kernel/ptrace32.c
@@ -73,7 +73,7 @@ long compat_arch_ptrace(struct task_stru
if (get_user(addrOthers, (u32 __user * __user *)addr) != 0)
break;
- copied = access_process_vm(child, (u64)addrOthers, &tmp,
+ copied = ptrace_access_vm(child, (u64)addrOthers, &tmp,
sizeof(tmp), 0);
if (copied != sizeof(tmp))
break;
@@ -178,7 +178,7 @@ long compat_arch_ptrace(struct task_stru
if (get_user(addrOthers, (u32 __user * __user *)addr) != 0)
break;
ret = 0;
- if (access_process_vm(child, (u64)addrOthers, &tmp,
+ if (ptrace_access_vm(child, (u64)addrOthers, &tmp,
sizeof(tmp), 1) == sizeof(tmp))
break;
ret = -EIO;
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1209,6 +1209,8 @@ static inline int fixup_user_fault(struc
extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write);
extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
void *buf, int len, int write);
+extern int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+ unsigned long addr, void *buf, int len, int write);
long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
unsigned long start, unsigned long nr_pages,
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -8,6 +8,9 @@
#include <linux/pid_namespace.h> /* For task_active_pid_ns. */
#include <uapi/linux/ptrace.h>
+extern int ptrace_access_vm(struct task_struct *tsk, unsigned long addr,
+ void *buf, int len, int write);
+
/*
* Ptrace flags
*
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -27,6 +27,35 @@
#include <linux/cn_proc.h>
#include <linux/compat.h>
+/*
+ * Access another process' address space via ptrace.
+ * Source/target buffer must be kernel space,
+ * Do not walk the page table directly, use get_user_pages
+ */
+int ptrace_access_vm(struct task_struct *tsk, unsigned long addr,
+ void *buf, int len, int write)
+{
+ struct mm_struct *mm;
+ int ret;
+
+ mm = get_task_mm(tsk);
+ if (!mm)
+ return 0;
+
+ if (!tsk->ptrace ||
+ (current != tsk->parent) ||
+ ((get_dumpable(mm) != SUID_DUMP_USER) &&
+ !ptracer_capable(tsk, mm->user_ns))) {
+ mmput(mm);
+ return 0;
+ }
+
+ ret = __access_remote_vm(tsk, mm, addr, buf, len, write);
+ mmput(mm);
+
+ return ret;
+}
+
static int ptrace_trapping_sleep_fn(void *flags)
{
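Review bot: this hunk depends on ptracer_capable() and on mm_struct having a user_ns member, neither of which exists in vanilla 3.16. The series contains 197/204 "ptrace: Capture the ptracer's creds not PT_PTRACE_CAP", which is where ptracer_capable() comes from upstream, but the mm->user_ns owner field came from a separate upstream change; please confirm that prerequisite is also in the series, otherwise kernel/ptrace.c will not build. Two smaller points: the `current != tsk->parent` check relies on ptrace re-parenting the tracee to its tracer, which is the intended semantics and matches upstream; and the comment line "Source/target buffer must be kernel space," carries a trailing comma copied from the access_process_vm() comment. Returning 0 on a denied access is consistent, since every caller converted in this patch treats a short copy as -EIO.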
@@ -558,7 +587,8 @@ int ptrace_readdata(struct task_struct *
int this_len, retval;
this_len = (len > sizeof(buf)) ? sizeof(buf) : len;
- retval = access_process_vm(tsk, src, buf, this_len, 0);
+ retval = ptrace_access_vm(tsk, src, buf, this_len, 0);
+
if (!retval) {
if (copied)
break;
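Review bot: the added blank line after the retval assignment is an unrelated whitespace change (it is what turns this hunk into +8 against -7); drop it so the backport stays a pure access_process_vm -> ptrace_access_vm substitution, matching the ptrace_writedata hunk below, which adds none.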
@@ -585,7 +615,7 @@ int ptrace_writedata(struct task_struct
this_len = (len > sizeof(buf)) ? sizeof(buf) : len;
if (copy_from_user(buf, src, this_len))
return -EFAULT;
- retval = access_process_vm(tsk, dst, buf, this_len, 1);
+ retval = ptrace_access_vm(tsk, dst, buf, this_len, 1);
if (!retval) {
if (copied)
break;
@@ -1130,7 +1160,7 @@ int generic_ptrace_peekdata(struct task_
unsigned long tmp;
int copied;
- copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
+ copied = ptrace_access_vm(tsk, addr, &tmp, sizeof(tmp), 0);
if (copied != sizeof(tmp))
return -EIO;
return put_user(tmp, (unsigned long __user *)data);
@@ -1141,7 +1171,7 @@ int generic_ptrace_pokedata(struct task_
{
int copied;
- copied = access_process_vm(tsk, addr, &data, sizeof(data), 1);
+ copied = ptrace_access_vm(tsk, addr, &data, sizeof(data), 1);
return (copied == sizeof(data)) ? 0 : -EIO;
}
@@ -1159,7 +1189,7 @@ int compat_ptrace_request(struct task_st
switch (request) {
case PTRACE_PEEKTEXT:
case PTRACE_PEEKDATA:
- ret = access_process_vm(child, addr, &word, sizeof(word), 0);
+ ret = ptrace_access_vm(child, addr, &word, sizeof(word), 0);
if (ret != sizeof(word))
ret = -EIO;
else
@@ -1168,7 +1198,7 @@ int compat_ptrace_request(struct task_st
case PTRACE_POKETEXT:
case PTRACE_POKEDATA:
- ret = access_process_vm(child, addr, &data, sizeof(data), 1);
+ ret = ptrace_access_vm(child, addr, &data, sizeof(data), 1);
ret = (ret != sizeof(data) ? -EIO : 0);
break;
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3560,7 +3560,7 @@ EXPORT_SYMBOL_GPL(generic_access_phys);
* Access another process' address space as given in mm. If non-NULL, use the
* given task for page fault accounting.
*/
-static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
unsigned long addr, void *buf, int len, int write)
{
struct vm_area_struct *vma;
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -2007,7 +2007,7 @@ int generic_file_remap_pages(struct vm_a
}
EXPORT_SYMBOL(generic_file_remap_pages);
-static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
unsigned long addr, void *buf, int len, int write)
{
struct vm_area_struct *vma;
* [PATCH 3.16 009/204] USB: serial: option: add support for TP-Link LTE module
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Henryk Heisig, Johan Hovold
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Henryk Heisig <hyniu@o2.pl>
commit 837ddc4793a69b256ac5e781a5e729b448a8d983 upstream.
This commit adds support for the TP-Link LTE mPCIe module, which is used
in TP-Link MR200v1, MR6400v1 and v2 routers.
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -524,6 +524,7 @@ static void option_instat_callback(struc
/* TP-LINK Incorporated products */
#define TPLINK_VENDOR_ID 0x2357
+#define TPLINK_PRODUCT_LTE 0x000D
#define TPLINK_PRODUCT_MA180 0x0201
/* Changhong products */
@@ -2022,6 +2023,7 @@ static const struct usb_device_id option
{ USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) },
{ USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) },
{ USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) }, /* TP-Link LTE Module */
{ USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180),
.driver_info = (kernel_ulong_t)&net_intf4_blacklist },
{ USB_DEVICE(TPLINK_VENDOR_ID, 0x9000), /* TP-Link MA260 */
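Review bot: the new table entry runs well past 80 columns; move the /* TP-Link LTE Module */ comment onto its own line above the entry, as the surrounding entries do, to keep checkpatch quiet. On the match itself: USB_DEVICE_AND_INTERFACE_INFO with class 0xff, subclass 0x00, protocol 0x00 and no blacklist in driver_info means every vendor-specific interface of this module with that subclass/protocol triple is claimed as a serial port; that is only safe if the module's non-serial interfaces use a different subclass or protocol, which the description does not state. A short note on the module's interface layout would make the choice verifiable.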
* [PATCH 3.16 011/204] uwb: properly check kthread_run return value
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Andrey Konovalov, Greg Kroah-Hartman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Konovalov <andreyknvl@google.com>
commit bbf26183b7a6236ba602f4d6a2f7cade35bba043 upstream.
uwbd_start() calls kthread_run() and checks that the return value is
not NULL. But the return value is not NULL in case kthread_run() fails;
it takes the form of ERR_PTR(-EINTR).
Use IS_ERR() instead.
Also add a check to uwbd_stop().
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/uwb/uwbd.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/uwb/uwbd.c
+++ b/drivers/uwb/uwbd.c
@@ -303,18 +303,22 @@ static int uwbd(void *param)
/** Start the UWB daemon */
void uwbd_start(struct uwb_rc *rc)
{
- rc->uwbd.task = kthread_run(uwbd, rc, "uwbd");
- if (rc->uwbd.task == NULL)
+ struct task_struct *task = kthread_run(uwbd, rc, "uwbd");
+ if (IS_ERR(task)) {
+ rc->uwbd.task = NULL;
printk(KERN_ERR "UWB: Cannot start management daemon; "
"UWB won't work\n");
- else
+ } else {
+ rc->uwbd.task = task;
rc->uwbd.pid = rc->uwbd.task->pid;
+ }
}
/* Stop the UWB daemon and free any unprocessed events */
void uwbd_stop(struct uwb_rc *rc)
{
- kthread_stop(rc->uwbd.task);
+ if (rc->uwbd.task)
+ kthread_stop(rc->uwbd.task);
uwbd_flush(rc);
}
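Review bot: in uwbd_start() checkpatch wants a blank line after the declaration `struct task_struct *task = kthread_run(uwbd, rc, "uwbd");` before the if. In uwbd_stop(), consider clearing rc->uwbd.task to NULL after kthread_stop() returns: the pointer is stale once the thread has exited, and the NULL check added here only covers the start-failed case, not a second uwbd_stop() on the same rc. Also, when start fails, rc->uwbd.pid keeps whatever it held before while task is set to NULL; resetting both keeps the two fields consistent.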
* [PATCH 3.16 023/204] ARM: dts: da850-evm: add serial and ethernet aliases
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Sekhar Nori, Tony Lindgren, Adam Ford
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sekhar Nori <nsekhar@ti.com>
commit ce21574ad1922b403198ee664c4dff276f514f1d upstream.
Add aliases for serial and ethernet nodes. Serial
aliases help keep the order of tty nodes fixed and
the ethernet alias is used by the bootloader to set up the mac
address correctly.
Reported-by: Adam Ford <aford173@gmail.com>
Acked-by: Tony Lindgren <tony@atomide.com>
Fixes: dd7deaf218bf ("ARM: davinci: da850: add DT node for ethernet")
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/boot/dts/da850-evm.dts | 7 +++++++
1 file changed, 7 insertions(+)
--- a/arch/arm/boot/dts/da850-evm.dts
+++ b/arch/arm/boot/dts/da850-evm.dts
@@ -14,6 +14,13 @@
compatible = "ti,da850-evm", "ti,da850";
model = "DA850/AM1808/OMAP-L138 EVM";
+ aliases {
+ serial0 = &serial0;
+ serial1 = &serial1;
+ serial2 = &serial2;
+ ethernet0 = ð0;
+ };
+
soc {
pmx_core: pinmux@1c14120 {
status = "okay";
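Review bot: the line `ethernet0 = ð0;` is HTML-entity damage in the archived copy (`&eth` was rendered as ð); the real line is `ethernet0 = &eth0;` and should be taken from the raw mbox when applying. Beyond that, the aliases only resolve if labels serial0, serial1, serial2 and eth0 are defined in the da850.dtsi that 3.16 includes; the backport note says only context was adjusted, so please confirm those labels exist in 3.16, since an undefined label is a dtc error rather than a warning.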
* [PATCH 3.16 138/204] ARM: 8715/1: add a private asm/unaligned.h
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Russell King
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 1cce91dfc8f7990ca3aea896bfb148f240b12860 upstream.
The asm-generic/unaligned.h header provides two different implementations
for accessing unaligned variables: the access_ok.h version used when
CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS is set pretends that all pointers
are in fact aligned, while the le_struct.h version convinces gcc that the
alignment of a pointer is '1', to make it issue the correct load/store
instructions depending on the architecture flags.
On ARMv5 and older, we always use the second version, to let the compiler
use byte accesses. On ARMv6 and newer, we currently use the access_ok.h
version, so the compiler can use any instruction including stm/ldm and
ldrd/strd that will cause an alignment trap. This trap can significantly
impact performance when we have to do a lot of fixups and, worse, has
led to crashes in the LZ4 decompressor code that does not have a trap
handler.
This adds an ARM specific version of asm/unaligned.h that uses the
le_struct.h/be_struct.h implementation unconditionally. This should lead
to essentially the same code on ARMv6+ as before, with the exception of
using regular load/store instructions instead of the trapping
multi-register variants.
The crash in the LZ4 decompressor code was probably introduced by the
patch replacing the LZ4 implementation, commit 4e1a33b105dd ("lib: update
LZ4 compressor module"), so linux-4.11 and higher would be affected most.
However, we probably want to have this backported to all older stable
kernels as well, to help with the performance issues.
There are two follow-ups that I think we should also work on, but not
backport to stable kernels, first to change the asm-generic version of
the header to remove the ARM special case, and second to review all
other uses of CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS to see if they
might be affected by the same problem on ARM.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/include/asm/Kbuild | 1 -
arch/arm/include/asm/unaligned.h | 27 +++++++++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
create mode 100644 arch/arm/include/asm/unaligned.h
--- a/arch/arm/include/asm/Kbuild
+++ b/arch/arm/include/asm/Kbuild
@@ -36,4 +36,3 @@ generic-y += termbits.h
generic-y += termios.h
generic-y += timex.h
generic-y += trace_clock.h
-generic-y += unaligned.h
--- /dev/null
+++ b/arch/arm/include/asm/unaligned.h
@@ -0,0 +1,27 @@
+#ifndef __ASM_ARM_UNALIGNED_H
+#define __ASM_ARM_UNALIGNED_H
+
+/*
+ * We generally want to set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS on ARMv6+,
+ * but we don't want to use linux/unaligned/access_ok.h since that can lead
+ * to traps on unaligned stm/ldm or strd/ldrd.
+ */
+#include <asm/byteorder.h>
+
+#if defined(__LITTLE_ENDIAN)
+# include <linux/unaligned/le_struct.h>
+# include <linux/unaligned/be_byteshift.h>
+# include <linux/unaligned/generic.h>
+# define get_unaligned __get_unaligned_le
+# define put_unaligned __put_unaligned_le
+#elif defined(__BIG_ENDIAN)
+# include <linux/unaligned/be_struct.h>
+# include <linux/unaligned/le_byteshift.h>
+# include <linux/unaligned/generic.h>
+# define get_unaligned __get_unaligned_be
+# define put_unaligned __put_unaligned_be
+#else
+# error need to define endianess
+#endif
+
+#endif /* __ASM_ARM_UNALIGNED_H */
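Review bot: the comment at the top says CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS is "generally" wanted on ARMv6+, but nothing in this file tests that option or the architecture level, so a reader may assume it is checked here. The actual correctness argument is that le_struct.h/be_struct.h hand the access pattern to the compiler, which knows the object may be misaligned and therefore never emits ldm/ldrd for it, while the foreign byte order goes through the byteshift helpers; stating that in the comment would be clearer. Also, the `#error need to define endianess` text misspells endianness.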
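The two accessor styles the header above chooses between, reimplemented in plain user-space C as an added example (this is not the kernel's code, nor part of the patch): a packed-struct read for the CPU's native byte order, as linux/unaligned/le_struct.h and be_struct.h do, and byte shifts for the foreign order, as the byteshift headers do. All function names here are my own, the sample bytes are constructed, and the check runs on any host so the property the header relies on, that both styles return the same value for the same misaligned bytes, can be confirmed without an ARM board.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Style 1: packed struct (what linux/unaligned/le_struct.h and be_struct.h
 * do for the CPU's native byte order). The compiler knows the object may be
 * misaligned and chooses the access sequence itself: a plain ldr/str on
 * ARMv6+, byte accesses on older cores. It will not emit ldm/ldrd for it,
 * which is what made access_ok.h unsafe on ARM. */
struct __attribute__((packed)) una_u32 { uint32_t x; };
struct __attribute__((packed)) una_u64 { uint64_t x; };

static inline uint32_t get_unaligned_cpu32_struct(const void *p)
{
	return ((const struct una_u32 *)p)->x;
}

static inline uint64_t get_unaligned_cpu64_struct(const void *p)
{
	return ((const struct una_u64 *)p)->x;
}

static inline void put_unaligned_cpu32_struct(uint32_t v, void *p)
{
	((struct una_u32 *)p)->x = v;
}

/* Style 2: byte shifts (linux/unaligned/{le,be}_byteshift.h). One byte
 * access per byte, so alignment and host endianness are irrelevant; the ARM
 * header uses this style for the foreign byte order only. */
static inline uint32_t get_unaligned_le32_shift(const void *p)
{
	const uint8_t *b = p;
	return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
	       (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static inline uint32_t get_unaligned_be32_shift(const void *p)
{
	const uint8_t *b = p;
	return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 |
	       (uint32_t)b[2] << 8 | (uint32_t)b[3];
}

/* Run-time host byte order check, so the pairing below mirrors the
 * __LITTLE_ENDIAN/__BIG_ENDIAN #if in the header without hard-coding it. */
static int host_is_little_endian(void)
{
	uint16_t probe = 1;
	uint8_t first;
	memcpy(&first, &probe, 1);
	return first == 1;
}

/* The header's pairing: struct accessor for the native order, byte shifts
 * for the other one. Both must return the same value for the same bytes. */
static uint32_t get_unaligned_le32(const void *p)
{
	return host_is_little_endian() ? get_unaligned_cpu32_struct(p)
				       : get_unaligned_le32_shift(p);
}

static uint32_t get_unaligned_be32(const void *p)
{
	return host_is_little_endian() ? get_unaligned_be32_shift(p)
				       : get_unaligned_cpu32_struct(p);
}

/* Cross-check the two styles on a deliberately misaligned pointer (buf + 1)
 * using constructed sample bytes. Returns 1 if every accessor agrees with
 * its byte-shift or memcpy counterpart, 0 otherwise. */
static int unaligned_accessors_agree(void)
{
	uint8_t buf[16] __attribute__((aligned(8)));
	static const uint8_t sample[] = { 0xde, 0xad, 0xbe, 0xef,
					  0x01, 0x02, 0x03, 0x04, 0x05 };
	uint64_t via_memcpy;
	uint8_t back[4];

	memset(buf, 0, sizeof buf);
	memcpy(buf + 1, sample, sizeof sample);
	memcpy(&via_memcpy, buf + 1, sizeof via_memcpy);

	/* struct accessor vs a byte copy of the same eight bytes */
	if (get_unaligned_cpu64_struct(buf + 1) != via_memcpy)
		return 0;
	/* native-order struct read vs the matching byte-shift read */
	if (get_unaligned_cpu32_struct(buf + 1) !=
	    (host_is_little_endian() ? get_unaligned_le32_shift(buf + 1)
				     : get_unaligned_be32_shift(buf + 1)))
		return 0;
	/* fixed-endian views of the same bytes */
	if (get_unaligned_le32(buf + 1) != 0xefbeaddeu ||
	    get_unaligned_be32(buf + 1) != 0xdeadbeefu)
		return 0;
	/* packed-struct store followed by a byte-exact comparison */
	put_unaligned_cpu32_struct(get_unaligned_cpu32_struct(buf + 1), back);
	return memcmp(back, buf + 1, sizeof back) == 0;
}

int main(void)
{
	printf("host is %s-endian, unaligned accessors agree: %s\n",
	       host_is_little_endian() ? "little" : "big",
	       unaligned_accessors_agree() ? "yes" : "NO");
	return unaligned_accessors_agree() ? 0 : 1;
}
```

Compile with `-O2` and disassemble `get_unaligned_cpu32_struct` on an ARMv6+ toolchain to see the single word load the commit message expects; on an ARMv5 target the same source produces byte loads, which is the point of leaving the choice to the compiler rather than to access_ok.h.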
* [PATCH 3.16 092/204] lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, James Morris, Konstantin Khlebnikov, Casey Schaufler
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Casey Schaufler <casey@schaufler-ca.com>
commit 57e7ba04d422c3d41c8426380303ec9b7533ded9 upstream.
security_inode_getsecurity() provides the text string value
of a security attribute. It does not provide a "secctx".
The code in xattr_getsecurity() that calls security_inode_getsecurity()
and then calls security_release_secctx() happened to work because
SELinux and Smack treat the attribute and the secctx the same way.
It fails for cap_inode_getsecurity(), because that module has no
secctx that ever needs releasing. It turns out that Smack is the
one that's doing things wrong by not allocating memory when instructed
to do so by the "alloc" parameter.
The fix is simple enough. Change the security_release_secctx() to
kfree() because it isn't a secctx being returned by
security_inode_getsecurity(). Change Smack to allocate the string when
told to do so.
Note: this also fixes memory leaks for LSMs which implement
inode_getsecurity but not release_secctx, such as capabilities.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: James Morris <james.l.morris@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/xattr.c | 2 +-
security/smack/smack_lsm.c | 55 +++++++++++++++++++++-------------------------
2 files changed, 26 insertions(+), 31 deletions(-)
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -163,7 +163,7 @@ xattr_getsecurity(struct inode *inode, c
}
memcpy(value, buffer, len);
out:
- security_release_secctx(buffer, len);
+ kfree(buffer);
out_noalloc:
return len;
}
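Review bot: `kfree(buffer)` at the `out:` label is only safe if every inode_getsecurity implementation stores a kmalloc'd string in the buffer when `alloc` is true; with the old Smack code the pointer went straight into the inode's own label, so the smack_lsm.c hunk of this patch is a hard dependency of this one and the two must not be split when backporting. A one-line statement in the security_inode_getsecurity hook documentation that the alloc=true result is owned by the caller and released with kfree() would stop the next LSM from reintroducing the mismatch.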
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1060,7 +1060,7 @@ static int smack_inode_removexattr(struc
* @inode: the object
* @name: attribute name
* @buffer: where to put the result
- * @alloc: unused
+ * @alloc: duplicate memory
*
* Returns the size of the attribute or an error code
*/
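Review bot: `@alloc: duplicate memory` is terse for a contract the core now depends on; say that when alloc is true the function must store a kmalloc'd copy in *buffer that the caller frees with kfree(), and that when it is false only the length is returned and *buffer is not written.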
@@ -1073,43 +1073,38 @@ static int smack_inode_getsecurity(const
struct super_block *sbp;
struct inode *ip = (struct inode *)inode;
char *isp;
- int ilen;
- int rc = 0;
- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+ if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
isp = smk_of_inode(inode);
- ilen = strlen(isp);
- *buffer = isp;
- return ilen;
+ else {
+ /*
+ * The rest of the Smack xattrs are only on sockets.
+ */
+ sbp = ip->i_sb;
+ if (sbp->s_magic != SOCKFS_MAGIC)
+ return -EOPNOTSUPP;
+
+ sock = SOCKET_I(ip);
+ if (sock == NULL || sock->sk == NULL)
+ return -EOPNOTSUPP;
+
+ ssp = sock->sk->sk_security;
+
+ if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+ isp = ssp->smk_in->smk_known;
+ else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
+ isp = ssp->smk_out->smk_known;
+ else
+ return -EOPNOTSUPP;
}
- /*
- * The rest of the Smack xattrs are only on sockets.
- */
- sbp = ip->i_sb;
- if (sbp->s_magic != SOCKFS_MAGIC)
- return -EOPNOTSUPP;
-
- sock = SOCKET_I(ip);
- if (sock == NULL || sock->sk == NULL)
- return -EOPNOTSUPP;
-
- ssp = sock->sk->sk_security;
-
- if (strcmp(name, XATTR_SMACK_IPIN) == 0)
- isp = ssp->smk_in->smk_known;
- else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
- isp = ssp->smk_out->smk_known;
- else
- return -EOPNOTSUPP;
-
- ilen = strlen(isp);
- if (rc == 0) {
- *buffer = isp;
- rc = ilen;
+ if (alloc) {
+ *buffer = kstrdup(isp, GFP_KERNEL);
+ if (*buffer == NULL)
+ return -ENOMEM;
}
- return rc;
+ return strlen(isp);
}
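Review bot: when `alloc` is false, `*buffer` is now left untouched, whereas before it was always set to the label pointer; that matches the length-only use the commit message implies, but any caller passing alloc=0 and still reading *buffer would now see an uninitialised pointer, so the in-tree callers deserve a check. Style point: kernel style wants braces on both branches when one branch needs them, so `if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)` / `isp = smk_of_inode(inode);` should be braced to match the `else {` block.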
* [PATCH 3.16 111/204] lib/digsig: fix dereference of NULL user_key_payload
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, David Howells, Dmitry Kasatkin, Eric Biggers, James Morris
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream.
digsig_verify() requests a user key, then accesses its payload.
However, a revoked key has a NULL payload, and we failed to check for
this. request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.
Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.
Fixes: 051dbb918c7f ("crypto: digital signature verification support")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
lib/digsig.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/lib/digsig.c
+++ b/lib/digsig.c
@@ -86,6 +86,12 @@ static int digsig_verify_rsa(struct key
down_read(&key->sem);
ukp = key->payload.data;
+ if (!ukp) {
+ /* key was revoked before we acquired its semaphore */
+ err = -EKEYREVOKED;
+ goto err1;
+ }
+
if (ukp->datalen < sizeof(*pkh))
goto err1;
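Review bot: the new branch correctly sets `err = -EKEYREVOKED` before `goto err1`, but the pre-existing check right below it, `if (ukp->datalen < sizeof(*pkh)) goto err1;`, jumps with whatever `err` held before; if that is still 0 at this point a truncated payload would be reported as success, so while this code is being touched an explicit `err = -EINVAL` there (or a confirmation of err's initial value) is worth adding. Reading `key->payload.data` only after `down_read(&key->sem)` is what makes the NULL test meaningful: the window the commit message describes closes once the semaphore is held.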
* [PATCH 3.16 200/204] ptrace: Properly initialize ptracer_cred on fork
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Eric W. Biederman
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit c70d9d809fdeecedb96972457ee45c49a232d97f upstream.
When I introduced ptracer_cred I failed to consider the weirdness of
fork where the task_struct copies the old value by default. This
winds up leaving ptracer_cred set even when a process forks and
the child process does not wind up being ptraced.
Because ptracer_cred is not set on non-ptraced processes whose
parents were ptraced this has broken the ability of the enlightenment
window manager to start setuid children.
Fix this by properly initializing ptracer_cred in ptrace_init_task.
This must be done with a little bit of care to preserve the current value
of ptracer_cred when ptrace carries through fork. Re-reading the
ptracer_cred from the ptracing process at this point is inconsistent
with how PT_PTRACE_CAP has been maintained all of these years.
Tested-by: Takashi Iwai <tiwai@suse.de>
Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/ptrace.h | 7 +++++--
kernel/ptrace.c | 20 +++++++++++++-------
2 files changed, 18 insertions(+), 9 deletions(-)
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -52,7 +52,8 @@ extern int ptrace_request(struct task_st
unsigned long addr, unsigned long data);
extern void ptrace_notify(int exit_code);
extern void __ptrace_link(struct task_struct *child,
- struct task_struct *new_parent);
+ struct task_struct *new_parent,
+ const struct cred *ptracer_cred);
extern void __ptrace_unlink(struct task_struct *child);
extern void exit_ptrace(struct task_struct *tracer);
#define PTRACE_MODE_READ 0x01
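Review bot: the prototype now takes `const struct cred *ptracer_cred` but nothing here says whether ownership transfers; since the kernel/ptrace.c side calls get_cred() on it, add a comment that the callee takes its own reference and the caller keeps, and remains responsible for, the one it passed.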
@@ -204,7 +205,7 @@ static inline void ptrace_init_task(stru
if (unlikely(ptrace) && current->ptrace) {
child->ptrace = current->ptrace;
- __ptrace_link(child, current->parent);
+ __ptrace_link(child, current->parent, current->ptracer_cred);
if (child->ptrace & PT_SEIZED)
task_set_jobctl_pending(child, JOBCTL_TRAP_STOP);
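Review bot: `current->ptracer_cred` is read here with no annotation of what protects it; it is assigned in __ptrace_link() under tasklist_lock (see the kernel/ptrace.c hunk), and here the reader is the tracee itself in the middle of fork, so a one-line comment on why neither a lock nor rcu_read_lock() is needed would save the next reader from adding one that does nothing.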
@@ -213,6 +214,8 @@ static inline void ptrace_init_task(stru
set_tsk_thread_flag(child, TIF_SIGPENDING);
}
+ else
+ child->ptracer_cred = NULL;
}
/**
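Review bot: the `else` on its own line after the closing brace is against kernel style; it should read `} else` on the line that closes the `if (unlikely(ptrace) && current->ptrace)` block. Functionally this is the actual fix: without it the child keeps the parent's `ptracer_cred` pointer from the task_struct copy while holding no reference of its own, which is both the setuid regression the commit message describes and a pointer nobody accounts for.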
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -63,19 +63,25 @@ static int ptrace_trapping_sleep_fn(void
return 0;
}
+void __ptrace_link(struct task_struct *child, struct task_struct *new_parent,
+ const struct cred *ptracer_cred)
+{
+ BUG_ON(!list_empty(&child->ptrace_entry));
+ list_add(&child->ptrace_entry, &new_parent->ptraced);
+ child->parent = new_parent;
+ child->ptracer_cred = get_cred(ptracer_cred);
+}
+
/*
* ptrace a task: make the debugger its new parent and
* move it to the ptrace list.
*
* Must be called with the tasklist lock write-held.
*/
-void __ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
{
- BUG_ON(!list_empty(&child->ptrace_entry));
- list_add(&child->ptrace_entry, &new_parent->ptraced);
- child->parent = new_parent;
rcu_read_lock();
- child->ptracer_cred = get_cred(__task_cred(new_parent));
+ __ptrace_link(child, new_parent, __task_cred(new_parent));
rcu_read_unlock();
}
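Review bot: the block comment `ptrace a task: make the debugger its new parent ... Must be called with the tasklist lock write-held.` now sits above ptrace_link(), but the list_add() and parent assignment it describes moved into __ptrace_link(), which is additionally called from ptrace_init_task() in the header; the locking requirement belongs on __ptrace_link() (or on both). The rcu_read_lock() around `__task_cred(new_parent)` is now only as wide as the call, which is fine because get_cred() inside the callee takes the reference before rcu_read_unlock().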
@@ -387,7 +393,7 @@ static int ptrace_attach(struct task_str
flags |= PT_SEIZED;
task->ptrace = flags;
- __ptrace_link(task, current);
+ ptrace_link(task, current);
/* SEIZE doesn't trap tracee on attach */
if (!seize)
@@ -454,7 +460,7 @@ static int ptrace_traceme(void)
*/
if (!ret && !(current->real_parent->flags & PF_EXITING)) {
current->ptrace = PT_PTRACED;
- __ptrace_link(current, current->real_parent);
+ ptrace_link(current, current->real_parent);
}
}
write_unlock_irq(&tasklist_lock);
* [PATCH 3.16 163/204] arm64: fix dump_instr when PAN and UAO are in use
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, James Morse, Catalin Marinas, Will Deacon, Vladimir Murzin,
Mark Rutland, Robin Murphy
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit c5cea06be060f38e5400d796e61cfc8c36e52924 upstream.
If the kernel is set to show unhandled signals, and a user task does not
handle a SIGILL as a result of an instruction abort, we will attempt to
log the offending instruction with dump_instr before killing the task.
We use dump_instr to log the encoding of the offending userspace
instruction. However, dump_instr is also used to dump instructions from
kernel space, and internally always switches to KERNEL_DS before dumping
the instruction with get_user. When both PAN and UAO are in use, reading
a user instruction via get_user while in KERNEL_DS will result in a
permission fault, which leads to an Oops.
As we have regs corresponding to the context of the original instruction
abort, we can inspect this and only flip to KERNEL_DS if the original
abort was taken from the kernel, avoiding this issue. At the same time,
remove the redundant (and incorrect) comments regarding the order
dump_mem and dump_instr are called in.
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: Vladimir Murzin <vladimir.murzin@arm.com>
Tested-by: Vladimir Murzin <vladimir.murzin@arm.com>
Fixes: 57f4959bad0a154a ("arm64: kernel: Add support for User Access Override")
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm64/kernel/traps.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -59,8 +59,7 @@ static void dump_mem(const char *lvl, co
/*
* We need to switch to kernel mode so that we can use __get_user
- * to safely read from kernel space. Note that we now dump the
- * code first, just in case the backtrace kills us.
+ * to safely read from kernel space.
*/
fs = get_fs();
set_fs(KERNEL_DS);
@@ -97,21 +96,12 @@ static void dump_backtrace_entry(unsigne
stack + sizeof(struct pt_regs));
}
-static void dump_instr(const char *lvl, struct pt_regs *regs)
+static void __dump_instr(const char *lvl, struct pt_regs *regs)
{
unsigned long addr = instruction_pointer(regs);
- mm_segment_t fs;
char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str;
int i;
- /*
- * We need to switch to kernel mode so that we can use __get_user
- * to safely read from kernel space. Note that we now dump the
- * code first, just in case the backtrace kills us.
- */
- fs = get_fs();
- set_fs(KERNEL_DS);
-
for (i = -4; i < 1; i++) {
unsigned int val, bad;
@@ -125,8 +115,18 @@ static void dump_instr(const char *lvl,
}
}
printk("%sCode: %s\n", lvl, str);
+}
- set_fs(fs);
+static void dump_instr(const char *lvl, struct pt_regs *regs)
+{
+ if (!user_mode(regs)) {
+ mm_segment_t fs = get_fs();
+ set_fs(KERNEL_DS);
+ __dump_instr(lvl, regs);
+ set_fs(fs);
+ } else {
+ __dump_instr(lvl, regs);
+ }
}
static void dump_backtrace(struct pt_regs *regs, struct task_struct *tsk)
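Review bot: the new wrapper drops the earlier comment on why KERNEL_DS was switched in, and the reason it is now conditional (get_user() on a user address under KERNEL_DS faults once PAN and UAO are both enabled) lives only in the commit message; a two-line comment above `if (!user_mode(regs))` would keep that on record. The duplicated `__dump_instr(lvl, regs)` call in both branches could collapse into a single call with the set_fs() pair guarded by the same condition, but matching upstream exactly is the right choice for a stable backport.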
* [PATCH 3.16 139/204] can: kvaser_usb: Correct return value in printout
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Jimmy Assarsson
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jimmy Assarsson <jimmyassarsson@gmail.com>
commit 8f65a923e6b628e187d5e791cf49393dd5e8c2f9 upstream.
If the return value from kvaser_usb_send_simple_msg() was non-zero, the
return value from kvaser_usb_flush_queue() was printed in the kernel
warning.
Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/can/usb/kvaser_usb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -1263,7 +1263,8 @@ static int kvaser_usb_close(struct net_d
if (err)
netdev_warn(netdev, "Cannot flush queue, error %d\n", err);
- if (kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel))
+ err = kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel);
+ if (err)
netdev_warn(netdev, "Cannot reset card, error %d\n", err);
err = kvaser_usb_stop_chip(priv);
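Review bot: `err` is now assigned from kvaser_usb_send_simple_msg() and then overwritten by `kvaser_usb_stop_chip()` on the very next line, so a reset failure is logged with the right code but never propagated from close; if that is intended, as the flush-queue handling just above suggests, a comment saying so would stop a future reader from turning it into an early return that skips stop_chip.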
* [PATCH 3.16 204/204] KEYS: add missing permission check for request_key() destination
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, Eric Biggers, David Howells
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.
When the request_key() syscall is not passed a destination keyring, it
links the requested key (if constructed) into the "default" request-key
keyring. This should require Write permission to the keyring. However,
there is actually no permission check.
This can be abused to add keys to any keyring to which only Search
permission is granted. This is because Search permission allows joining
the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
then will set the default request-key keyring to the session keyring.
Then, request_key() can be used to add keys to the keyring.
Both negatively and positively instantiated keys can be added using this
method. Adding negative keys is trivial. Adding a positive key is a
bit trickier. It requires that either /sbin/request-key positively
instantiates the key, or that another thread adds the key to the process
keyring at just the right time, such that request_key() misses it
initially but then finds it in construct_alloc_key().
Fix this bug by checking for Write permission to the keyring in
construct_get_dest_keyring() when the default keyring is being used.
We don't do the permission check for non-default keyrings because that
was already done by the earlier call to lookup_user_key(). Also,
request_key_and_link() is currently passed a 'struct key *' rather than
a key_ref_t, so the "possessed" bit is unavailable.
We also don't do the permission check for the "requestor keyring", to
continue to support the use case described by commit 8bbf4976b59f
("KEYS: Alter use of key instantiation link-to-keyring argument") where
/sbin/request-key recursively calls request_key() to add keys to the
original requestor's destination keyring. (I don't know of any users
who actually do that, though...)
Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/request_key.c | 46 ++++++++++++++++++++++++++++++++++++---------
1 file changed, 37 insertions(+), 9 deletions(-)
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -268,11 +268,12 @@ static int construct_key(struct key *key
* The keyring selected is returned with an extra reference upon it which the
* caller must release.
*/
-static void construct_get_dest_keyring(struct key **_dest_keyring)
+static int construct_get_dest_keyring(struct key **_dest_keyring)
{
struct request_key_auth *rka;
const struct cred *cred = current_cred();
struct key *dest_keyring = *_dest_keyring, *authkey;
+ int ret;
kenter("%p", dest_keyring);
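Review bot: the kerneldoc above (`The keyring selected is returned with an extra reference upon it which the caller must release.`) needs updating for the new int return: 0 with a referenced keyring stored in *_dest_keyring, or a negative error with no reference taken and *_dest_keyring left unchanged.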
@@ -281,6 +282,8 @@ static void construct_get_dest_keyring(s
/* the caller supplied one */
key_get(dest_keyring);
} else {
+ bool do_perm_check = true;
+
/* use a default keyring; falling through the cases until we
* find one that we actually have */
switch (cred->jit_keyring) {
@@ -295,8 +298,10 @@ static void construct_get_dest_keyring(s
dest_keyring =
key_get(rka->dest_keyring);
up_read(&authkey->sem);
- if (dest_keyring)
+ if (dest_keyring) {
+ do_perm_check = false;
break;
+ }
}
case KEY_REQKEY_DEFL_THREAD_KEYRING:
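Review bot: `do_perm_check = false` for the requestor keyring deliberately keeps the /sbin/request-key recursion described in the commit message working, which leaves exactly one path where a key can still be linked into a keyring the caller has no Write permission on; the rationale is in the comment further down, but since the switch falls through and the two sites are far apart, a short `/* see the Write check below */` here would help the next reader. Note also that when `rka->dest_keyring` is NULL the flag stays true and the fall-through to the thread keyring is checked normally, which is the intended behaviour.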
@@ -331,11 +336,29 @@ static void construct_get_dest_keyring(s
default:
BUG();
}
+
+ /*
+ * Require Write permission on the keyring. This is essential
+ * because the default keyring may be the session keyring, and
+ * joining a keyring only requires Search permission.
+ *
+ * However, this check is skipped for the "requestor keyring" so
+ * that /sbin/request-key can itself use request_key() to add
+ * keys to the original requestor's destination keyring.
+ */
+ if (dest_keyring && do_perm_check) {
+ ret = key_permission(make_key_ref(dest_keyring, 1),
+ KEY_NEED_WRITE);
+ if (ret) {
+ key_put(dest_keyring);
+ return ret;
+ }
+ }
}
*_dest_keyring = dest_keyring;
kleave(" [dk %d]", key_serial(dest_keyring));
- return;
+ return 0;
}
/*
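Review bot: `make_key_ref(dest_keyring, 1)` always asserts possession, which is right for the thread/process/session defaults this switch can select (they are the caller's own keyrings) but would be wrong if a future case yielded a keyring the task does not possess; a comment on the `1` would make the assumption explicit. The failure path does `key_put(dest_keyring); return ret;` without touching `*_dest_keyring`, so callers must not use the out-parameter on error, which the construct_key_and_link change honours by jumping to `error` rather than `error_put_dest_keyring`.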
@@ -460,11 +483,15 @@ static struct key *construct_key_and_lin
if (ctx->index_key.type == &key_type_keyring)
return ERR_PTR(-EPERM);
- user = key_user_lookup(current_fsuid());
- if (!user)
- return ERR_PTR(-ENOMEM);
+ ret = construct_get_dest_keyring(&dest_keyring);
+ if (ret)
+ goto error;
- construct_get_dest_keyring(&dest_keyring);
+ user = key_user_lookup(current_fsuid());
+ if (!user) {
+ ret = -ENOMEM;
+ goto error_put_dest_keyring;
+ }
ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
key_user_put(user);
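Review bot: moving construct_get_dest_keyring() ahead of key_user_lookup() is what makes the new error path clean, since a refused permission check now returns before any key_user reference exists; the `goto error_put_dest_keyring` on a failed lookup is correct only because construct_get_dest_keyring() succeeded just above and therefore holds a reference that must be dropped. Worth a short note in the commit message that the two labels differ by exactly that one key_put().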
@@ -479,7 +506,7 @@ static struct key *construct_key_and_lin
} else if (ret == -EINPROGRESS) {
ret = 0;
} else {
- goto couldnt_alloc_key;
+ goto error_put_dest_keyring;
}
key_put(dest_keyring);
@@ -489,8 +516,9 @@ static struct key *construct_key_and_lin
construction_failed:
key_negate_and_link(key, key_negative_timeout, NULL, NULL);
key_put(key);
-couldnt_alloc_key:
+error_put_dest_keyring:
key_put(dest_keyring);
+error:
kleave(" = %d", ret);
return ERR_PTR(ret);
}
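A regression check for this fix, added here as an example and not part of the patch, of keyutils or of the kernel tree: it follows the sequence in the commit message with raw syscalls (no libkeyutils), using a fresh named session keyring stripped of Write permission as the stand-in for "a keyring to which only Search permission is granted". The keyring name, the probe key description and the callout string are arbitrary choices of mine; the permission bit values are the documented keyctl(2)/keyutils.h ones, defined locally. The program reports "fixed" on a kernel carrying this patch, "VULNERABLE" when a key is linked into the keyring anyway, and "inconclusive" where the keyctl family is blocked (a container's default seccomp profile usually does that) or the keyring cannot be read.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/keyctl.h>

typedef int32_t key_serial_t;

/* Permission bits as documented in keyctl(2)/keyutils.h, defined locally so
 * this builds without libkeyutils. The possessor bits are the ones that
 * matter: the fix checks the default keyring as a possessed key ref. */
#define KEY_POS_VIEW	0x01000000
#define KEY_POS_READ	0x02000000
#define KEY_POS_SEARCH	0x08000000
#define KEY_POS_LINK	0x10000000
#define KEY_POS_SETATTR	0x20000000
#define KEY_USR_VIEW	0x00010000
#define KEY_USR_SEARCH	0x00080000

enum verdict { VERDICT_INCONCLUSIVE = 0, VERDICT_FIXED = 1, VERDICT_VULNERABLE = 2 };

/* Pure decision logic, kept apart from the syscalls so it can be unit-tested.
 * req_errno: errno after request_key() failed (0 if it succeeded);
 * before/after: link counts of the session keyring around the call, -1 if
 * the keyring could not be read. */
static enum verdict classify(int req_errno, int before, int after)
{
	if (before < 0 || after < 0)
		return VERDICT_INCONCLUSIVE;	/* keyring unreadable */
	if (after > before)
		return VERDICT_VULNERABLE;	/* linked without Write permission */
	if (req_errno == EACCES)
		return VERDICT_FIXED;		/* the Write check refused the link */
	return VERDICT_INCONCLUSIVE;		/* e.g. EPERM from a seccomp filter */
}

static long kctl(int cmd, unsigned long a2, unsigned long a3,
		 unsigned long a4, unsigned long a5)
{
	return syscall(__NR_keyctl, cmd, a2, a3, a4, a5);
}

/* Number of keys (negatively instantiated ones included) linked into a
 * keyring, via KEYCTL_READ; needs Read permission on the keyring. */
static int keyring_link_count(key_serial_t kr)
{
	key_serial_t ids[256];
	long n = kctl(KEYCTL_READ, (unsigned long)kr, (unsigned long)ids,
		      sizeof ids, 0);
	return n < 0 ? -1 : (int)(n / sizeof(key_serial_t));
}

static enum verdict run_check(void)
{
	long kr, r;
	int before, after, req_errno;

	/* A fresh named session keyring, so the caller's real session keyring
	 * is untouched. The caller possesses it, so the possessor bits apply. */
	kr = kctl(KEYCTL_JOIN_SESSION_KEYRING,
		  (unsigned long)"reqkey-write-check", 0, 0, 0);
	if (kr < 0)
		return VERDICT_INCONCLUSIVE;

	/* Everything except Write. Search alone is enough to join a keyring,
	 * which is the situation the commit message describes. */
	if (kctl(KEYCTL_SETPERM, (unsigned long)kr,
		 KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_LINK |
		 KEY_POS_SETATTR | KEY_USR_VIEW | KEY_USR_SEARCH, 0, 0) < 0)
		return VERDICT_INCONCLUSIVE;

	/* Make that keyring the default destination for request_key(). */
	if (kctl(KEYCTL_SET_REQKEY_KEYRING, KEY_REQKEY_DEFL_SESSION_KEYRING,
		 0, 0, 0) < 0)
		return VERDICT_INCONCLUSIVE;

	before = keyring_link_count((key_serial_t)kr);
	/* dest_keyring 0 selects the default. A callout string is required,
	 * otherwise the kernel returns ENOKEY without trying to construct and
	 * link anything. Nothing will instantiate this description, so a
	 * vulnerable kernel links a negative key and returns ENOKEY, while a
	 * fixed kernel returns EACCES and links nothing. */
	r = syscall(__NR_request_key, "user", "reqkey-write-check-probe",
		    "probe", 0);
	req_errno = r < 0 ? errno : 0;
	after = keyring_link_count((key_serial_t)kr);

	return classify(req_errno, before, after);
}

int main(void)
{
	static const char *const names[] = { "inconclusive", "fixed", "VULNERABLE" };
	enum verdict v = run_check();

	printf("request_key() default-keyring Write check: %s\n", names[v]);
	return v == VERDICT_VULNERABLE ? 1 : 0;
}
```

Run it as an unprivileged user on the host, not inside a container; a negative key linked by a vulnerable kernel expires on its own after the negative timeout, and the named session keyring only lives as long as the process.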
* [PATCH 3.16 180/204] vlan: fix a use-after-free in vlan_device_event()
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Alexander Duyck, Girish Moodalbail,
Cong Wang, David S. Miller, Fengguang Wu
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit 052d41c01b3a2e3371d66de569717353af489d63 upstream.
After refcnt reaches zero, vlan_vid_del() could free
dev->vlan_info via RCU:
RCU_INIT_POINTER(dev->vlan_info, NULL);
call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
However, the pointer 'grp' still points to that memory
since it is set before vlan_vid_del():
vlan_info = rtnl_dereference(dev->vlan_info);
if (!vlan_info)
goto out;
grp = &vlan_info->grp;
Depending on when that RCU callback is scheduled, we could
trigger a use-after-free in vlan_group_for_each_dev()
right after this vlan_vid_del().
Fix it by moving vlan_vid_del() before setting grp. This
is also symmetric to the vlan_vid_add() we call in
vlan_device_event().
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
Cc: Alexander Duyck <alexander.duyck@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Girish Moodalbail <girish.moodalbail@oracle.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Girish Moodalbail <girish.moodalbail@oracle.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/8021q/vlan.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -364,6 +364,9 @@ static int vlan_device_event(struct noti
dev->name);
vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
}
+ if (event == NETDEV_DOWN &&
+ (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
+ vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
vlan_info = rtnl_dereference(dev->vlan_info);
if (!vlan_info)
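Review bot: after this move `vlan_vid_del()` also runs for devices that have no `vlan_info` at all, since it now sits before the `if (!vlan_info) goto out` check instead of inside the NETDEV_DOWN case; that is harmless only if vlan_vid_del() tolerates a NULL dev->vlan_info, which it must already do because the symmetric `vlan_vid_add()` on NETDEV_UP a few lines above sits in the same position. Worth a sentence in the commit message, since the whole point of the fix is that `vlan_info` (and the `grp` pointer derived from it) can be freed by vlan_vid_del() dropping the last reference.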
@@ -408,9 +411,6 @@ static int vlan_device_event(struct noti
break;
case NETDEV_DOWN:
- if (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)
- vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
-
/* Put all VLANs for this dev in the down state too. */
vlan_group_for_each_dev(grp, i, vlandev) {
flgs = vlandev->flags;
* [PATCH 3.16 096/204] udp: fix bcast packet reception
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, David S. Miller, Hannes Frederic Sowa, Paolo Abeni
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 996b44fcef8f216ea0b6b6e74468c5a77b5e341f upstream.
The commit bc044e8db796 ("udp: perform source validation for
mcast early demux") does not take into account that broadcast packets
land in the same code path and need different checks for the
source address - notably, a zero source address is valid for bcast
and invalid for mcast.
As a result, 2nd and later broadcast packets with a 0 source address
landing on the same socket are dropped. This breaks DHCP servers.
Since we don't have stringent performance requirements for ingress
broadcast traffic, fix it by disabling UDP early demux for such traffic.
Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Fixes: bc044e8db796 ("udp: perform source validation for mcast early demux")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/udp.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1968,20 +1968,16 @@ int udp_v4_early_demux(struct sk_buff *s
iph = ip_hdr(skb);
uh = udp_hdr(skb);
- if (skb->pkt_type == PACKET_BROADCAST ||
- skb->pkt_type == PACKET_MULTICAST) {
+ if (skb->pkt_type == PACKET_MULTICAST) {
in_dev = __in_dev_get_rcu(skb->dev);
if (!in_dev)
return 0;
- /* we are supposed to accept bcast packets */
- if (skb->pkt_type == PACKET_MULTICAST) {
- ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
- iph->protocol);
- if (!ours)
- return 0;
- }
+ ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
+ iph->protocol);
+ if (!ours)
+ return 0;
sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,
uh->source, iph->saddr, dif);
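Review bot: the removed comment `we are supposed to accept bcast packets` was the only in-code record of why broadcast was special-cased, and with PACKET_BROADCAST now excluded from early demux entirely there is nothing left to explain it; add a comment at the `if (skb->pkt_type == PACKET_MULTICAST)` test saying that broadcast is left to the normal socket lookup because a zero source address is valid there and the multicast source validation would drop it, otherwise `PACKET_BROADCAST ||` will be reintroduced for performance and the DHCP breakage with it.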
* [PATCH 3.16 178/204] rbd: use GFP_NOIO for parent stat and data requests
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable; +Cc: akpm, David Disseldorp, Ilya Dryomov
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 1e37f2f84680fa7f8394fd444b6928e334495ccc upstream.
rbd_img_obj_exists_submit() and rbd_img_obj_parent_read_full() are on
the writeback path for cloned images -- we attempt a stat on the parent
object to see if it exists and potentially read it in to call copyup.
GFP_NOIO should be used instead of GFP_KERNEL here.
Link: http://tracker.ceph.com/issues/22014
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/block/rbd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -2584,7 +2584,7 @@ static int rbd_img_obj_parent_read_full(
* from the parent.
*/
page_count = (u32)calc_pages_for(0, length);
- pages = ceph_alloc_page_vector(page_count, GFP_KERNEL);
+ pages = ceph_alloc_page_vector(page_count, GFP_NOIO);
if (IS_ERR(pages)) {
result = PTR_ERR(pages);
pages = NULL;
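Review bot: switching this ceph_alloc_page_vector() call to GFP_NOIO covers only this one allocation; anything else allocated on the same parent-read path stays GFP_KERNEL unless converted elsewhere, and the next allocation added to the function will default to the wrong flag again. Since 3.16 already has memalloc_noio_save()/memalloc_noio_restore(), bracketing the writeback-side functions with them would be more robust than converting call sites one by one.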
@@ -2711,7 +2711,7 @@ static int rbd_img_obj_exists_submit(str
*/
size = sizeof (__le64) + sizeof (__le32) + sizeof (__le32);
page_count = (u32)calc_pages_for(0, size);
- pages = ceph_alloc_page_vector(page_count, GFP_KERNEL);
+ pages = ceph_alloc_page_vector(page_count, GFP_NOIO);
if (IS_ERR(pages))
return PTR_ERR(pages);
* [PATCH 3.16 026/204] usb: gadget: dummy: fix nonsensical comparisons
From: Ben Hutchings @ 2017-12-28 17:05 UTC
To: linux-kernel, stable
Cc: akpm, Felipe Balbi, Tatyana Brokhman, Felipe Balbi, Alan Stern,
Arnd Bergmann
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 7661ca09b2ff98f48693f431bb01fed62830e433 upstream.
gcc-8 points out two comparisons that are clearly bogus
and almost certainly not what the author intended to write:
drivers/usb/gadget/udc/dummy_hcd.c: In function 'set_link_state_by_speed':
drivers/usb/gadget/udc/dummy_hcd.c:379:31: error: bitwise comparison always evaluates to false [-Werror=tautological-compare]
USB_PORT_STAT_ENABLE) == 1 &&
^~
drivers/usb/gadget/udc/dummy_hcd.c:381:25: error: bitwise comparison always evaluates to false [-Werror=tautological-compare]
USB_SS_PORT_LS_U0) == 1 &&
^~
I looked at the code for a bit and came up with a change that makes
it look like what the author probably meant here. This makes it
look reasonable to me and to gcc, shutting up the warning.
It does of course change behavior as the two conditions are actually
evaluated rather than being hardcoded to false, and I have made no
attempt at verifying that the changed logic makes sense in the context
of a USB HCD, so that part needs to be reviewed carefully.
Fixes: 1cd8fd2887e1 ("usb: gadget: dummy_hcd: add SuperSpeed support")
Cc: Tatyana Brokhman <tlinder@codeaurora.org>
Cc: Felipe Balbi <balbi@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/gadget/dummy_hcd.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -311,11 +311,10 @@ static void set_link_state_by_speed(stru
USB_PORT_STAT_CONNECTION) == 0)
dum_hcd->port_status |=
(USB_PORT_STAT_C_CONNECTION << 16);
- if ((dum_hcd->port_status &
- USB_PORT_STAT_ENABLE) == 1 &&
- (dum_hcd->port_status &
- USB_SS_PORT_LS_U0) == 1 &&
- dum_hcd->rh_state != DUMMY_RH_SUSPENDED)
+ if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) &&
+ (dum_hcd->port_status &
+ USB_PORT_STAT_LINK_STATE) == USB_SS_PORT_LS_U0 &&
+ dum_hcd->rh_state != DUMMY_RH_SUSPENDED)
dum_hcd->active = 1;
}
} else {
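Review bot: The rewritten condition tests the enable bit directly and masks the link-state field with USB_PORT_STAT_LINK_STATE before comparing it to USB_SS_PORT_LS_U0, which is the correct way to test a multi-bit field; the old `== 1` comparisons could never be true because USB_PORT_STAT_ENABLE is not bit 0 and USB_SS_PORT_LS_U0 is the zero link-state value, so this path never set dum_hcd->active before. Since the commit message says the new logic was not verified against an HCD and this is a behaviour change on the SuperSpeed connect path, the backport should note how dummy_hcd was exercised with a SuperSpeed gadget, and confirm USB_PORT_STAT_LINK_STATE is defined in the 3.16 USB hub headers, as only the filename was adjusted for the backport.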
* [PATCH 3.16 090/204] mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as unsigned long
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Vlastimil Babka, Xishi Qiu,
YASUAKI ISHIMATSU, Yasuaki Ishimatsu, Michal Hocko, Reza Arbab
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
commit d09b0137d204bebeaafed672bc5a244e9ac92edb upstream.
find_{smallest|biggest}_section_pfn()s find the smallest/biggest section
and return the pfn of the section. But the functions are defined as int.
So the functions always return 0x00000000 - 0xffffffff. It means if the
memory address is over 16TB, the functions do not work correctly.
To handle 64 bit value, the patch defines
find_{smallest|biggest}_section_pfn() as unsigned long.
Fixes: 815121d2b5cd ("memory_hotplug: clear zone when removing the memory")
Link: http://lkml.kernel.org/r/d9d5593a-d0a4-c4be-ab08-493df59a85c6@gmail.com
Signed-off-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Xishi Qiu <qiuxishi@huawei.com>
Cc: Reza Arbab <arbab@linux.vnet.ibm.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/memory_hotplug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -520,7 +520,7 @@ EXPORT_SYMBOL_GPL(__add_pages);
#ifdef CONFIG_MEMORY_HOTREMOVE
/* find the smallest valid pfn in the range [start_pfn, end_pfn) */
-static int find_smallest_section_pfn(int nid, struct zone *zone,
+static unsigned long find_smallest_section_pfn(int nid, struct zone *zone,
unsigned long start_pfn,
unsigned long end_pfn)
{
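Review bot: Widening the return type to unsigned long is only half of the fix: the callers (shrink_zone_span() and shrink_pgdat_span() upstream) must store the result in an unsigned long as well, otherwise the truncation simply moves from callee to caller. This hunk does not show the call sites, so please confirm the 3.16 callers already use unsigned long locals for the returned pfn.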
@@ -545,7 +545,7 @@ static int find_smallest_section_pfn(int
}
/* find the biggest valid pfn in the range [start_pfn, end_pfn). */
-static int find_biggest_section_pfn(int nid, struct zone *zone,
+static unsigned long find_biggest_section_pfn(int nid, struct zone *zone,
unsigned long start_pfn,
unsigned long end_pfn)
{
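Review bot: Same widening as the previous hunk for find_biggest_section_pfn(); the int return truncated at 2^32 pfns, which with 4 KiB pages is exactly the 16 TB boundary the commit message cites, and the unsigned long parameters and the "[start_pfn, end_pfn)" comment already show the function deals in pfns. No further concern on this hunk.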
* [PATCH 3.16 112/204] ecryptfs: fix dereference of NULL user_key_payload
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Howells, Eric Biggers, James Morris, Michael Halcrow
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit f66665c09ab489a11ca490d6a82df57cfc1bea3e upstream.
In eCryptfs, we failed to verify that the authentication token keys are
not revoked before dereferencing their payloads, which is problematic
because the payload of a revoked key is NULL. request_key() *does* skip
revoked keys, but there is still a window where the key can be revoked
before we acquire the key semaphore.
Fix it by updating ecryptfs_get_key_payload_data() to return
-EKEYREVOKED if the key payload is NULL. For completeness we check this
for "encrypted" keys as well as "user" keys, although encrypted keys
cannot be revoked currently.
Alternatively we could use key_validate(), but since we'll also need to
fix ecryptfs_get_key_payload_data() to validate the payload length, it
seems appropriate to just check the payload pointer.
Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Michael Halcrow <mhalcrow@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: user key payload is key->payload.data, not
key->payload.data[0]]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ecryptfs/ecryptfs_kernel.h
+++ b/fs/ecryptfs/ecryptfs_kernel.h
@@ -84,11 +84,16 @@ struct ecryptfs_page_crypt_context {
static inline struct ecryptfs_auth_tok *
ecryptfs_get_encrypted_key_payload_data(struct key *key)
{
- if (key->type == &key_type_encrypted)
- return (struct ecryptfs_auth_tok *)
- (&((struct encrypted_key_payload *)key->payload.data)->payload_data);
- else
+ struct encrypted_key_payload *payload;
+
+ if (key->type != &key_type_encrypted)
return NULL;
+
+ payload = key->payload.data;
+ if (!payload)
+ return ERR_PTR(-EKEYREVOKED);
+
+ return (struct ecryptfs_auth_tok *)payload->payload_data;
}
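Review bot: ecryptfs_get_encrypted_key_payload_data() now has a three-way contract (NULL for "not an encrypted key", ERR_PTR(-EKEYREVOKED) for a revoked one, a valid pointer otherwise), so callers must test IS_ERR() and not just `if (!auth_tok)`; the one caller shown, ecryptfs_get_key_payload_data() in the next hunk, handles this by forwarding any non-NULL result, but the contract deserves a one-line comment above the function. The payload pointer is also read from key->payload.data with no rcu_dereference(), which is valid only under the key semaphore the commit message mentions; stating that precondition in the same comment would help future readers.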
static inline struct key *ecryptfs_get_encrypted_key(char *sig)
@@ -114,13 +119,17 @@ static inline struct ecryptfs_auth_tok *
ecryptfs_get_key_payload_data(struct key *key)
{
struct ecryptfs_auth_tok *auth_tok;
+ struct user_key_payload *ukp;
auth_tok = ecryptfs_get_encrypted_key_payload_data(key);
- if (!auth_tok)
- return (struct ecryptfs_auth_tok *)
- (((struct user_key_payload *)key->payload.data)->data);
- else
+ if (auth_tok)
return auth_tok;
+
+ ukp = key->payload.data;
+ if (!ukp)
+ return ERR_PTR(-EKEYREVOKED);
+
+ return (struct ecryptfs_auth_tok *)ukp->data;
}
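Review bot: `if (auth_tok) return auth_tok;` deliberately forwards an ERR_PTR from the encrypted-key helper, since IS_ERR pointers are non-NULL; that is correct but subtle enough to merit a comment, or a future reader may "fix" it back to a NULL check. The commit message also says the payload length still needs validating here; a short comment marking that as a known follow-up would stop this backport from looking complete on that point.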
#define ECRYPTFS_MAX_KEYSET_SIZE 1024
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -459,7 +459,8 @@ out:
* @auth_tok_key: key containing the authentication token
* @auth_tok: authentication token
*
- * Returns zero on valid auth tok; -EINVAL otherwise
+ * Returns zero on valid auth tok; -EINVAL if the payload is invalid; or
+ * -EKEYREVOKED if the key was revoked before we acquired its semaphore.
*/
static int
ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
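Review bot: The updated return-value comment should also say that *auth_tok is cleared to NULL on the error paths (which the next hunk does), since callers that previously saw a non-NULL but unverified token pointer now need to know it is reset.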
@@ -468,6 +469,12 @@ ecryptfs_verify_auth_tok_from_key(struct
int rc = 0;
(*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
+ if (IS_ERR(*auth_tok)) {
+ rc = PTR_ERR(*auth_tok);
+ *auth_tok = NULL;
+ goto out;
+ }
+
if (ecryptfs_verify_version((*auth_tok)->version)) {
printk(KERN_ERR "Data structure version mismatch. Userspace "
"tools must match eCryptfs kernel module with major "
* [PATCH 3.16 083/204] USB: serial: qcserial: add Dell DW5818, DW5819
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Shrirang Bagul, Johan Hovold
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shrirang Bagul <shrirang.bagul@canonical.com>
commit f5d9644c5fca7d8e8972268598bb516a7eae17f9 upstream.
Dell Wireless 5819/5818 devices are re-branded Sierra Wireless MC74
series which will by default boot with vid 0x413c and pid's 0x81cf,
0x81d0, 0x81d1, 0x81d2.
Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/qcserial.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -172,6 +172,10 @@ static const struct usb_device_id id_tab
{DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
{DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */
{DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */
+ {DEVICE_SWI(0x413c, 0x81cf)}, /* Dell Wireless 5819 */
+ {DEVICE_SWI(0x413c, 0x81d0)}, /* Dell Wireless 5819 */
+ {DEVICE_SWI(0x413c, 0x81d1)}, /* Dell Wireless 5818 */
+ {DEVICE_SWI(0x413c, 0x81d2)}, /* Dell Wireless 5818 */
/* Huawei devices */
{DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */
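Review bot: The four DEVICE_SWI() entries match the VID/PIDs in the commit message and their comments carry the 5819/5818 mapping consistently. Because DEVICE_SWI() selects the Sierra Wireless interface layout, please confirm these re-branded MC74 devices really expose that layout, and that the same IDs are not also present in the option driver's table, since a duplicate match would bind whichever driver probes first.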
* [PATCH 3.16 192/204] mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Hugh Dickins, Michal Hocko, Kirill A. Shutemov,
Linus Torvalds
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
commit a8f97366452ed491d13cf1e44241bc0b5740b1f0 upstream.
Currently, we unconditionally make page table dirty in touch_pmd().
It may result in false-positive can_follow_write_pmd().
We may avoid the situation, if we would only make the page table entry
dirty if caller asks for write access -- FOLL_WRITE.
The patch also changes touch_pud() in the same way.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[carnil: backport for 3.16:
- Adjust context
- Drop specific part for PUD-sized transparent hugepages. Support
for PUD-sized transparent hugepages was added in v4.11-rc1
]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/huge_memory.c | 36 +++++++++++++-----------------------
1 file changed, 13 insertions(+), 23 deletions(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1230,17 +1230,11 @@ struct page *follow_trans_huge_pmd(struc
if (flags & FOLL_TOUCH) {
pmd_t _pmd;
- /*
- * We should set the dirty bit only for FOLL_WRITE but
- * for now the dirty bit in the pmd is meaningless.
- * And if the dirty bit will become meaningful and
- * we'll only set it with FOLL_WRITE, an atomic
- * set_bit will be required on the pmd to set the
- * young bit, instead of the current set_pmd_at.
- */
- _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));
+ _pmd = pmd_mkyoung(*pmd);
+ if (flags & FOLL_WRITE)
+ _pmd = pmd_mkdirty(_pmd);
if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,
- pmd, _pmd, 1))
+ pmd, _pmd, flags & FOLL_WRITE))
update_mmu_cache_pmd(vma, addr, pmd);
}
if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {
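Review bot: The diffstat (36 lines, 13 insertions, 23 deletions) does not match this single hunk (3 insertions, 10 deletions); it looks carried over from the upstream commit, which also reworked touch_pud(), so it should be regenerated for the 3.16 version. On the hunk itself, passing `flags & FOLL_WRITE` as the `dirty` argument of pmdp_set_access_flags() hands over a non-boolean int; `!!(flags & FOLL_WRITE)` would avoid relying on the callee treating any non-zero value as true. The logic is sound: the dirty bit is now set only when the caller asked for write access, which is what removes the false-positive can_follow_write_pmd() the message describes.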
* [PATCH 3.16 175/204] x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Fengguang Wu, Borislav Petkov, Robert Richter, x86,
Thomas Gleixner
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov <bp@suse.de>
commit a743bbeef27b9176987ec0cb7f906ab0ab52d1da upstream.
The warning below says it all:
BUG: using __this_cpu_read() in preemptible [00000000] code: swapper/0/1
caller is __this_cpu_preempt_check
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.0-rc8 #4
Call Trace:
dump_stack
check_preemption_disabled
? do_early_param
__this_cpu_preempt_check
arch_perfmon_init
op_nmi_init
? alloc_pci_root_info
oprofile_arch_init
oprofile_init
do_one_initcall
...
These accessors should not have been used in the first place: it is PPro so
no mixed silicon revisions and thus it can simply use boot_cpu_data.
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Fix-creation-mandated-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Robert Richter <rric@kernel.org>
Cc: x86@kernel.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/oprofile/op_model_ppro.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/oprofile/op_model_ppro.c
+++ b/arch/x86/oprofile/op_model_ppro.c
@@ -212,8 +212,8 @@ static void arch_perfmon_setup_counters(
eax.full = cpuid_eax(0xa);
/* Workaround for BIOS bugs in 6/15. Taken from perfmon2 */
- if (eax.split.version_id == 0 && __this_cpu_read(cpu_info.x86) == 6 &&
- __this_cpu_read(cpu_info.x86_model) == 15) {
+ if (eax.split.version_id == 0 && boot_cpu_data.x86 == 6 &&
+ boot_cpu_data.x86_model == 15) {
eax.split.version_id = 2;
eax.split.num_counters = 2;
eax.split.bit_width = 40;
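Review bot: Replacing the __this_cpu_read(cpu_info.*) accesses with boot_cpu_data is correct here: the call trace shows this runs from an initcall in preemptible context, where per-CPU reads without preemption disabled are undefined, and the message argues family/model are uniform across CPUs for this hardware. The workaround values (version_id 2, two counters, 40-bit width) are unchanged. No concern.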
* [PATCH 3.16 094/204] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Willem de Bruijn, Eric Dumazet, Florian Westphal,
Pablo Neira Ayuso
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit e466af75c074e76107ae1cd5a2823e9c61894ffb upstream.
syzkaller reports an out of bound read in strlcpy(), triggered
by xt_copy_counters_from_user()
Fix this by using memcpy(), then forcing a zero byte at the last position
of the destination, as Florian did for the non COMPAT code.
Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/x_tables.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -860,7 +860,7 @@ void *xt_copy_counters_from_user(const v
if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
return ERR_PTR(-EFAULT);
- strlcpy(info->name, compat_tmp.name, sizeof(info->name));
+ memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
info->num_counters = compat_tmp.num_counters;
user += sizeof(compat_tmp);
} else
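Review bot: memcpy() of sizeof(info->name) - 1 bytes removes the strlcpy() source-length scan that read past compat_tmp on the stack when the user-supplied name had no NUL; this relies on compat_tmp.name being at least sizeof(info->name) - 1 bytes, which holds only if both structs size the array with the same XT_TABLE_MAXNAMELEN, so please double-check the 3.16 compat definition. Note also that after this hunk the compat path no longer writes the final byte of info->name; that is correct only because the next hunk adds the terminator after the if/else, so the two hunks must not be applied separately.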
@@ -873,9 +873,9 @@ void *xt_copy_counters_from_user(const v
if (copy_from_user(info, user, sizeof(*info)) != 0)
return ERR_PTR(-EFAULT);
- info->name[sizeof(info->name) - 1] = '\0';
user += sizeof(*info);
}
+ info->name[sizeof(info->name) - 1] = '\0';
size = sizeof(struct xt_counters);
size *= info->num_counters;
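Review bot: Moving `info->name[sizeof(info->name) - 1] = '\0';` out of the non-compat branch to after the if/else is the essential change: both the compat and native paths now guarantee a terminated name before it is used. A brief comment at the terminator saying that the compat branch deliberately leaves the last byte for this line would keep someone from "optimising" it back into one branch.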
* [PATCH 3.16 164/204] arm64: ensure __dump_instr() checks addr_limit
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Catalin Marinas, Mark Rutland, Will Deacon
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit 7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1 upstream.
It's possible for a user to deliberately trigger __dump_instr with a
chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than
__get_user(), ensuring that we don't erroneously access kernel memory.
Where we use __dump_instr() on kernel text, we already switch to
KERNEL_DS, so this shouldn't adversely affect those cases.
Fixes: 60ffc30d5652810d ("arm64: Exception handling")
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm64/kernel/traps.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -105,7 +105,7 @@ static void __dump_instr(const char *lvl
for (i = -4; i < 1; i++) {
unsigned int val, bad;
- bad = __get_user(val, &((u32 *)addr)[i]);
+ bad = get_user(val, &((u32 *)addr)[i]);
if (!bad)
p += sprintf(p, i == 0 ? "(%08x) " : "%08x ", val);
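Review bot: Switching to get_user() adds the access_ok() check against the current addr_limit, so a user-chosen address can no longer be read out of kernel memory; this depends on the kernel-text callers wrapping __dump_instr() in set_fs(KERNEL_DS), as the message states. Please confirm the 3.16 dump_instr() does so on every path that passes kernel addresses, otherwise valid kernel-text dumps will start failing. The `if (!bad)` handling of the -EFAULT return is unchanged and still correct.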
* [PATCH 3.16 050/204] KEYS: fix writing past end of user-supplied buffer in keyring_read()
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Howells, Eric Biggers
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
Userspace can call keyctl_read() on a keyring to get the list of IDs of
keys in the keyring. But if the user-supplied buffer is too small, the
kernel would write the full list anyway --- which will corrupt whatever
userspace memory happened to be past the end of the buffer. Fix it by
only filling the space that is available.
Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/keyring.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -405,7 +405,7 @@ static void keyring_describe(const struc
}
struct keyring_read_iterator_context {
- size_t qty;
+ size_t buflen;
size_t count;
key_serial_t __user *buffer;
};
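Review bot: Renaming qty to buflen is a worthwhile clarification: the field is the size of the user buffer in bytes, not a count of keys, and the old name is part of how the max()-style bound in the last hunk went unnoticed.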
@@ -417,9 +417,9 @@ static int keyring_read_iterator(const v
int ret;
kenter("{%s,%d},,{%zu/%zu}",
- key->type->name, key->serial, ctx->count, ctx->qty);
+ key->type->name, key->serial, ctx->count, ctx->buflen);
- if (ctx->count >= ctx->qty)
+ if (ctx->count >= ctx->buflen)
return 1;
ret = put_user(key->serial, ctx->buffer);
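Review bot: The `ctx->count >= ctx->buflen` check guards a put_user() of sizeof(key->serial) bytes, so it only prevents overflow when buflen is a multiple of that size: with buflen == 5, for example, the check passes at count == 4 and the second serial is written to bytes 4..7. Unless keyring_read() rounds buflen down before iterating (the next hunk assigns `ctx.buflen = buflen;` unrounded), the condition should be `ctx->count + sizeof(key->serial) > ctx->buflen`.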
@@ -454,16 +454,12 @@ static long keyring_read(const struct ke
return 0;
/* Calculate how much data we could return */
- ctx.qty = nr_keys * sizeof(key_serial_t);
-
if (!buffer || !buflen)
- return ctx.qty;
-
- if (buflen > ctx.qty)
- ctx.qty = buflen;
+ return nr_keys * sizeof(key_serial_t);
/* Copy the IDs of the subscribed keys into the buffer */
ctx.buffer = (key_serial_t __user *)buffer;
+ ctx.buflen = buflen;
ctx.count = 0;
ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
if (ret < 0) {
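Review bot: The removed `if (buflen > ctx.qty) ctx.qty = buflen;` was the bug: it raised the bound to the larger of buflen and the full list size, so a buffer smaller than the list never limited the copy. Using buflen alone as the bound is the right fix, and the size-query path (`!buffer || !buflen`) still returns the full size. Please document in the function comment what is returned when the buffer is too small (bytes written versus bytes needed), since callers that size their buffers from the return value behave differently depending on the answer.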
* [PATCH 3.16 056/204] Btrfs: fix incorrect {node,sector}size endianness from BTRFS_IOC_FS_INFO
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Sterba, Omar Sandoval
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Omar Sandoval <osandov@fb.com>
commit bea7eafdbda3ba1d4b2ccb9cca829eefb7989bb9 upstream.
fs_info->super_copy->{node,sector}size are little-endian, but the ioctl
should return the values in native endianness. Use the cached values in
btrfs_fs_info instead. Found with sparse.
Fixes: 80a773fbfc2d ("btrfs: retrieve more info from FS_INFO ioctl")
Signed-off-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: native nodesize and sectorsize are members of
struct btrfs_root, not struct btrfs_fs_info]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/ioctl.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2745,9 +2745,9 @@ static long btrfs_ioctl_fs_info(struct b
}
mutex_unlock(&fs_devices->device_list_mutex);
- fi_args->nodesize = root->fs_info->super_copy->nodesize;
- fi_args->sectorsize = root->fs_info->super_copy->sectorsize;
- fi_args->clone_alignment = root->fs_info->super_copy->sectorsize;
+ fi_args->nodesize = root->nodesize;
+ fi_args->sectorsize = root->sectorsize;
+ fi_args->clone_alignment = root->sectorsize;
if (copy_to_user(arg, fi_args, sizeof(*fi_args)))
ret = -EFAULT;
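Review bot: The three assignments now take CPU-native values from struct btrfs_root instead of the little-endian on-disk copies in super_copy, so fi_args is correct on big-endian hosts; sparse would have flagged the __le32 to u32 assignment, as the message says. For the 3.16 backport, confirm that root->nodesize and root->sectorsize are populated for the root this ioctl is invoked on and mirror the superblock values, since upstream reads them from btrfs_fs_info rather than a per-root copy.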
* [PATCH 3.16 177/204] MIPS: AR7: Ensure that serial ports are properly set up
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Yoshihiro YUNOMAE, linux-mips, Nicolas Schichan,
linux-serial, Greg Kroah-Hartman, James Hogan, Jonas Gorski,
Florian Fainelli, Ralf Baechle, Oswald Buddenhagen
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
commit b084116f8587b222a2c5ef6dcd846f40f24b9420 upstream.
Without UPF_FIXED_TYPE, the data from the PORT_AR7 uart_config entry is
never copied, resulting in a dead port.
Fixes: 154615d55459 ("MIPS: AR7: Use correct UART port type")
Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
[jonas.gorski: add Fixes tag]
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Yoshihiro YUNOMAE <yoshihiro.yunomae.ez@hitachi.com>
Cc: Nicolas Schichan <nschichan@freebox.fr>
Cc: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Cc: linux-mips@linux-mips.org
Cc: linux-serial@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/17543/
Signed-off-by: James Hogan <jhogan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/ar7/platform.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/mips/ar7/platform.c
+++ b/arch/mips/ar7/platform.c
@@ -581,6 +581,7 @@ static int __init ar7_register_uarts(voi
uart_port.type = PORT_AR7;
uart_port.uartclk = clk_get_rate(bus_clk) / 2;
uart_port.iotype = UPIO_MEM32;
+ uart_port.flags = UPF_FIXED_TYPE;
uart_port.regshift = 2;
uart_port.line = 0;
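Review bot: `uart_port.flags = UPF_FIXED_TYPE;` is an assignment rather than `|=`; that matches the field-by-field initialisation around it but silently discards any flags set on the struct earlier, so use `|=` if anything else sets flags. Since `uart_port.line = 0` suggests a second port is registered from the same struct further down, confirm the reuse keeps the flag for line 1 too. The ordering is right: UPF_FIXED_TYPE requires .type to be set, and PORT_AR7 is assigned a few lines above.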
* [PATCH 3.16 032/204] Input: uinput - avoid FF flush when destroying device
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Dmitry Torokhov, Rodrigo Rivas Costa, Clément VUCHENER
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit e8b95728f724797f958912fd9b765a695595d3a6 upstream.
Normally, when an input device supporting force feedback effects is being
destroyed, we try to "flush" currently playing effects, so that the
physical device does not continue vibrating (or executing other effects).
Unfortunately this does not work well for uinput as flushing of the effects
deadlocks with the destroy action:
- if device is being destroyed because the file descriptor is being closed,
then there is no one to even service FF requests;
- if device is being destroyed because userspace sent UI_DEV_DESTROY,
while theoretically it could be possible to service FF requests,
userspace is unlikely to do so (they'd need to make sure FF handling
happens on a separate thread) even if kernel solves the issue with FF
ioctls deadlocking with UI_DEV_DESTROY ioctl on udev->mutex.
To avoid lockups like the one below, let's install a custom input device
flush handler, and avoid trying to flush force feedback effects when we
are destroying the device, and instead rely on uinput to shut off the
device properly.
NMI watchdog: Watchdog detected hard LOCKUP on cpu 3
...
<<EOE>> [<ffffffff817a0307>] _raw_spin_lock_irqsave+0x37/0x40
[<ffffffff810e633d>] complete+0x1d/0x50
[<ffffffffa00ba08c>] uinput_request_done+0x3c/0x40 [uinput]
[<ffffffffa00ba587>] uinput_request_submit.part.7+0x47/0xb0 [uinput]
[<ffffffffa00bb62b>] uinput_dev_erase_effect+0x5b/0x76 [uinput]
[<ffffffff815d91ad>] erase_effect+0xad/0xf0
[<ffffffff815d929d>] flush_effects+0x4d/0x90
[<ffffffff815d4cc0>] input_flush_device+0x40/0x60
[<ffffffff815daf1c>] evdev_cleanup+0xac/0xc0
[<ffffffff815daf5b>] evdev_disconnect+0x2b/0x60
[<ffffffff815d74ac>] __input_unregister_device+0xac/0x150
[<ffffffff815d75f7>] input_unregister_device+0x47/0x70
[<ffffffffa00bac45>] uinput_destroy_device+0xb5/0xc0 [uinput]
[<ffffffffa00bb2de>] uinput_ioctl_handler.isra.9+0x65e/0x740 [uinput]
[<ffffffff811231ab>] ? do_futex+0x12b/0xad0
[<ffffffffa00bb3f8>] uinput_ioctl+0x18/0x20 [uinput]
[<ffffffff81241248>] do_vfs_ioctl+0x298/0x480
[<ffffffff81337553>] ? security_file_ioctl+0x43/0x60
[<ffffffff812414a9>] SyS_ioctl+0x79/0x90
[<ffffffff817a04ee>] entry_SYSCALL_64_fastpath+0x12/0x71
Reported-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
Reported-by: Clément VUCHENER <clement.vuchener@gmail.com>
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=193741
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/ff-core.c | 13 ++++++++++---
drivers/input/misc/uinput.c | 18 ++++++++++++++++++
include/linux/input.h | 1 +
3 files changed, 29 insertions(+), 3 deletions(-)
--- a/drivers/input/ff-core.c
+++ b/drivers/input/ff-core.c
@@ -239,9 +239,15 @@ int input_ff_erase(struct input_dev *dev
EXPORT_SYMBOL_GPL(input_ff_erase);
/*
- * flush_effects - erase all effects owned by a file handle
+ * input_ff_flush - erase all effects owned by a file handle
+ * @dev: input device to erase effect from
+ * @file: purported owner of the effects
+ *
+ * This function erases all force-feedback effects associated with
+ * the given owner from specified device. Note that @file may be %NULL,
+ * in which case all effects will be erased.
*/
-static int flush_effects(struct input_dev *dev, struct file *file)
+int input_ff_flush(struct input_dev *dev, struct file *file)
{
struct ff_device *ff = dev->ff;
int i;
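Review bot: The new kernel-doc block for input_ff_flush() uses @dev/@file tags, but the unchanged opening delimiter above it is `/*` rather than `/**`, so kernel-doc will not parse it; change the opener to `/**` as the input_ff_event() block further down already does. The rename from the static flush_effects() to the exported input_ff_flush() keeps the same signature, so the dev->flush assignment in the later hunk stays type-compatible.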
@@ -257,6 +263,7 @@ static int flush_effects(struct input_de
return 0;
}
+EXPORT_SYMBOL_GPL(input_ff_flush);
/**
* input_ff_event() - generic handler for force-feedback events
@@ -340,7 +347,7 @@ int input_ff_create(struct input_dev *de
mutex_init(&ff->mutex);
dev->ff = ff;
- dev->flush = flush_effects;
+ dev->flush = input_ff_flush;
dev->event = input_ff_event;
__set_bit(EV_FF, dev->evbit);
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -230,6 +230,18 @@ static int uinput_dev_erase_effect(struc
return uinput_request_submit(udev, &request);
}
+static int uinput_dev_flush(struct input_dev *dev, struct file *file)
+{
+ /*
+ * If we are called with file == NULL that means we are tearing
+ * down the device, and therefore we can not handle FF erase
+ * requests: either we are handling UI_DEV_DESTROY (and holding
+ * the udev->mutex), or the file descriptor is closed and there is
+ * nobody on the other side anymore.
+ */
+ return file ? input_ff_flush(dev, file) : 0;
+}
+
static void uinput_destroy_device(struct uinput_device *udev)
{
const char *name, *phys;
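Review bot: Returning 0 from uinput_dev_flush() when file == NULL is the deadlock fix, and the comment explains why neither teardown case can service FF requests. Because that case is now a no-op, the effects simply remain in dev->ff until the ff device is destroyed, which is fine for teardown but means the function relies on the convention that input_flush_device() passes NULL only during unregister; please state that assumption in the comment, since a future caller passing NULL to mean "flush everything" would silently get nothing.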
@@ -273,6 +285,12 @@ static int uinput_create_device(struct u
dev->ff->playback = uinput_dev_playback;
dev->ff->set_gain = uinput_dev_set_gain;
dev->ff->set_autocenter = uinput_dev_set_autocenter;
+ /*
+ * The standard input_ff_flush() implementation does
+ * not quite work for uinput as we can't reasonably
+ * handle FF requests during device teardown.
+ */
+ dev->flush = uinput_dev_flush;
}
error = input_register_device(udev->dev);
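Review bot: `dev->flush = uinput_dev_flush;` overrides the `dev->flush = input_ff_flush;` that the ff-core change installs in input_ff_create(), so the assignment is order-dependent: it must stay after the ff device has been created and before the input_register_device() call that closes this hunk. The comment explains why the default does not fit uinput but not that it is undoing what input_ff_create() just set; one sentence on that would protect the ordering against a later reshuffle.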
--- a/include/linux/input.h
+++ b/include/linux/input.h
@@ -527,6 +527,7 @@ int input_ff_event(struct input_dev *dev
int input_ff_upload(struct input_dev *dev, struct ff_effect *effect, struct file *file);
int input_ff_erase(struct input_dev *dev, int effect_id, struct file *file);
+int input_ff_flush(struct input_dev *dev, struct file *file);
int input_ff_create_memless(struct input_dev *dev, void *data,
int (*play_effect)(struct input_dev *, void *, struct ff_effect *));
* [PATCH 3.16 130/204] can: gs_usb: fix busy loop if no more TX context is available
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Wolfgang Grandegger
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wolfgang Grandegger <wg@grandegger.com>
commit 97819f943063b622eca44d3644067c190dc75039 upstream.
If sending messages with no cable connected, it quickly happens that
there is no more TX context available. Then "gs_can_start_xmit()"
returns with "NETDEV_TX_BUSY" and the upper layer does retry
immediately keeping the CPU busy. To fix that issue, I moved
"atomic_dec(&dev->active_tx_urbs)" from "gs_usb_xmit_callback()" to
the TX done handling in "gs_usb_receive_bulk_callback()". Renaming
"active_tx_urbs" to "active_tx_contexts" and moving it into
"gs_[alloc|free]_tx_context()" would also make sense.
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/can/usb/gs_usb.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -356,6 +356,8 @@ static void gs_usb_recieve_bulk_callback
gs_free_tx_context(txc);
+ atomic_dec(&dev->active_tx_urbs);
+
netif_wake_queue(netdev);
}
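Review bot: `atomic_dec(&dev->active_tx_urbs)` now sits directly beside gs_free_tx_context(txc), so the counter and the TX context pool track the same occupancy from two places; the rename to active_tx_contexts and the move into gs_[alloc|free]_tx_context() that the commit message proposes would keep the two from drifting apart and fits naturally in this series rather than a later one. Note also that the counter is now released only when the device echoes TX completion, so queue recovery depends entirely on the receive path; that is the intended trade-off against the former busy retry, but it deserves a line in the commit message.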
@@ -444,14 +446,6 @@ static void gs_usb_xmit_callback(struct
urb->transfer_buffer_length,
urb->transfer_buffer,
urb->transfer_dma);
-
- atomic_dec(&dev->active_tx_urbs);
-
- if (!netif_device_present(netdev))
- return;
-
- if (netif_queue_stopped(netdev))
- netif_wake_queue(netdev);
}
static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb, struct net_device *netdev)
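Review bot: with the `netif_device_present()` and `netif_queue_stopped()` block removed, gs_usb_xmit_callback() only returns the DMA buffer and never wakes the queue; the wake-up now happens solely from gs_usb_receive_bulk_callback() when the TX context is freed. A one-line comment at the end of this callback pointing to that would save the next reader from hunting for the missing netif_wake_queue().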
* [PATCH 3.16 099/204] direct-io: Prevent NULL pointer access in submit_page_section
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro, Andreas Gruenbacher, Jan Kara
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
commit 899f0429c7d3eed886406cd72182bee3b96aa1f9 upstream.
In the code added to function submit_page_section by commit b1058b981,
sdio->bio can currently be NULL when calling dio_bio_submit. This then
leads to a NULL pointer access in dio_bio_submit, so check for a NULL
bio in submit_page_section before trying to submit it instead.
Fixes xfstest generic/250 on gfs2.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/direct-io.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/direct-io.c
+++ b/fs/direct-io.c
@@ -812,7 +812,8 @@ out:
*/
if (sdio->boundary) {
ret = dio_send_cur_page(dio, sdio, map_bh);
- dio_bio_submit(dio, sdio);
+ if (sdio->bio)
+ dio_bio_submit(dio, sdio);
page_cache_release(sdio->cur_page);
sdio->cur_page = NULL;
}
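Review bot: the new `if (sdio->bio)` guard stops dio_bio_submit() dereferencing a NULL bio, but the `ret` returned by dio_send_cur_page() on the line above is still not examined before submitting; if a failure there is meant to be picked up by the caller through `ret` after this block, a comment saying so would make the intent clear, since the guard now reads as if a missing bio were the only failure case being handled here.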
* [PATCH 3.16 077/204] udp: perform source validation for mcast early demux
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Paolo Abeni
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit bc044e8db7962e727a75b591b9851ff2ac5cf846 upstream.
The UDP early demux can leverage the rx dst cache even for
multicast unconnected sockets.
In such a scenario the ipv4 source address is validated only on
the first packet in the given flow. After that, when we fetch
the dst entry from the socket rx cache, we stop enforcing
the rp_filter and we even start accepting any kind of martian
addresses.
Disabling the dst cache for unconnected multicast socket will
cause a large performance regression, nearly reducing by half the
max ingress tput.
Instead we factor out a route helper to completely validate an
skb source address for multicast packets and we call it from
the UDP early demux for mcast packets landing on unconnected
sockets, after successfully fetching the related cached dst entry.
This still gives a measurable, but limited performance
regression:
                  rp_filter = 0    rp_filter = 1
edmux disabled:   1182 Kpps        1127 Kpps
edmux before:     2238 Kpps        2238 Kpps
edmux after:      2037 Kpps        2019 Kpps
The above figures are on top of current net tree.
Applying the net-next commit 6e617de84e87 ("net: avoid a full
fib lookup when rp_filter is disabled.") the delta with
rp_filter == 0 will decrease even more.
Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/net/route.h | 4 +++-
net/ipv4/route.c | 46 ++++++++++++++++++++++++++--------------------
net/ipv4/udp.c | 13 ++++++++++++-
3 files changed, 41 insertions(+), 22 deletions(-)
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -159,7 +159,9 @@ static inline struct rtable *ip_route_ou
fl4->fl4_gre_key = gre_key;
return ip_route_output_key(net, fl4);
}
-
+int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ u8 tos, struct net_device *dev,
+ struct in_device *in_dev, u32 *itag);
int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,
u8 tos, struct net_device *devin);
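Review bot: ip_mc_validate_source() becomes part of the public route API here, but the prototype carries no statement of its contract; the definition in net/ipv4/route.c is marked `/* called in rcu_read_lock() section */`, returns -EINVAL when in_dev is NULL, and writes *itag only on the fib_validate_source() path, so callers must zero itag themselves. Putting those three points next to the prototype spares the udp.c caller and any future one from reading the implementation.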
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1440,40 +1440,53 @@ static struct rtable *rt_dst_alloc(struc
}
/* called in rcu_read_lock() section */
-static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
- u8 tos, struct net_device *dev, int our)
+int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ u8 tos, struct net_device *dev,
+ struct in_device *in_dev, u32 *itag)
{
- struct rtable *rth;
- struct in_device *in_dev = __in_dev_get_rcu(dev);
- u32 itag = 0;
int err;
/* Primary sanity checks. */
-
if (in_dev == NULL)
return -EINVAL;
if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr) ||
skb->protocol != htons(ETH_P_IP))
- goto e_inval;
+ return -EINVAL;
if (likely(!IN_DEV_ROUTE_LOCALNET(in_dev)))
if (ipv4_is_loopback(saddr))
- goto e_inval;
+ return -EINVAL;
if (ipv4_is_zeronet(saddr)) {
if (!ipv4_is_local_multicast(daddr))
- goto e_inval;
+ return -EINVAL;
} else {
err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
- in_dev, &itag);
+ in_dev, itag);
if (err < 0)
- goto e_err;
+ return err;
}
+ return 0;
+}
+
+/* called in rcu_read_lock() section */
+static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ u8 tos, struct net_device *dev, int our)
+{
+ struct in_device *in_dev = __in_dev_get_rcu(dev);
+ struct rtable *rth;
+ u32 itag = 0;
+ int err;
+
+ err = ip_mc_validate_source(skb, daddr, saddr, tos, dev, in_dev, &itag);
+ if (err)
+ return err;
+
rth = rt_dst_alloc(dev_net(dev)->loopback_dev,
IN_DEV_CONF_GET(in_dev, NOPOLICY), false, false);
if (!rth)
- goto e_nobufs;
+ return -ENOBUFS;
#ifdef CONFIG_IP_ROUTE_CLASSID
rth->dst.tclassid = itag;
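Review bot: the factoring looks behaviour-preserving: every `goto e_inval` and `goto e_err` became a direct return with the same value, and ip_route_input_mc() now returns whatever ip_mc_validate_source() returns before the rtable is allocated, leaving the -ENOBUFS path untouched. One thing to keep is the `u32 itag = 0;` in ip_route_input_mc(): the helper does not touch itag on the ipv4_is_zeronet(saddr) branch, so that initialiser must survive any later cleanup.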
@@ -1502,13 +1515,6 @@ static int ip_route_input_mc(struct sk_b
skb_dst_set(skb, &rth->dst);
return 0;
-
-e_nobufs:
- return -ENOBUFS;
-e_inval:
- return -EINVAL;
-e_err:
- return err;
}
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1953,6 +1953,7 @@ static struct sock *__udp4_lib_demux_loo
int udp_v4_early_demux(struct sk_buff *skb)
{
struct net *net = dev_net(skb->dev);
+ struct in_device *in_dev = NULL;
const struct iphdr *iph;
const struct udphdr *uh;
struct sock *sk;
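Review bot: `in_dev` is hoisted to function scope and initialised to NULL so that the later `&& in_dev` test distinguishes the broadcast/multicast path, where it is assigned, from unicast, where it never is; a short comment on the declaration would keep someone from dropping the NULL initialiser as redundant.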
@@ -1969,7 +1970,7 @@ int udp_v4_early_demux(struct sk_buff *s
if (skb->pkt_type == PACKET_BROADCAST ||
skb->pkt_type == PACKET_MULTICAST) {
- struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
+ in_dev = __in_dev_get_rcu(skb->dev);
if (!in_dev)
return 0;
@@ -2001,6 +2002,8 @@ int udp_v4_early_demux(struct sk_buff *s
if (dst)
dst = dst_check(dst, 0);
if (dst) {
+ u32 itag = 0;
+
/* DST_NOCACHE can not be used without taking a reference */
if (dst->flags & DST_NOCACHE) {
if (likely(atomic_inc_not_zero(&dst->__refcnt)))
@@ -2008,6 +2011,14 @@ int udp_v4_early_demux(struct sk_buff *s
} else {
skb_dst_set_noref(skb, dst);
}
+
+ /* for unconnected multicast sockets we need to validate
+ * the source on each packet
+ */
+ if (!inet_sk(sk)->inet_daddr && in_dev)
+ return ip_mc_validate_source(skb, iph->daddr,
+ iph->saddr, iph->tos,
+ skb->dev, in_dev, &itag);
}
return 0;
}
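Review bot: the per-packet source check for unconnected multicast sockets runs after the cached dst has already been attached to the skb via skb_dst_set_noref()/skb_dst_set(), so a negative return from ip_mc_validate_source() must make the caller drop the skb rather than deliver it; this depends on the "IPv4: early demux can return an error code" change earlier in this series (076/204), and the comment here should say that a non-zero return means drop, not fall back to the slow path. The `itag` result is computed and discarded, which is fine since the helper needs somewhere to write it, but a note to that effect stops a reader looking for where it is consumed. The `!inet_sk(sk)->inet_daddr` test correctly confines the extra fib lookup to unconnected sockets, which matches the performance figures in the commit message.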
* [PATCH 3.16 007/204] scsi: lpfc: Don't return internal MBXERR_ERROR code from probe function
From: Ben Hutchings @ 2017-12-28 17:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Martin K. Petersen, Dick Kennedy, Johannes Thumshirn,
Stefano Brivio
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Brivio <sbrivio@redhat.com>
commit 5c756065e47dc3e84b00577bd109f0a8e69903d7 upstream.
Internal error codes happen to be positive, thus the PCI driver core
won't treat them as failure, but we do. This would cause a crash later
on as lpfc_pci_remove_one() is called (e.g. as shutdown function).
Fixes: 6d368e532168 ("[SCSI] lpfc 8.3.24: Add resource extent support")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Acked-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/lpfc/lpfc_init.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -5242,6 +5242,7 @@ lpfc_sli4_driver_resource_setup(struct l
lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
"2999 Unsupported SLI4 Parameters "
"Extents and RPI headers enabled.\n");
+ rc = -EIO;
goto out_free_bsmbx;
}
}
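Review bot: setting `rc = -EIO` before the goto turns the positive internal MBXERR_ERROR value into a real failure for the PCI core; since only this one site is changed, it is worth auditing the other `goto out_free_bsmbx` paths in lpfc_sli4_driver_resource_setup() for the same positive-rc pattern, as the commit message's crash in lpfc_pci_remove_one() would recur through any of them.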
* Re: [PATCH 3.16 000/204] 3.16.52-rc1 review
From: Guenter Roeck @ 2017-12-28 19:25 UTC (permalink / raw)
To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm
On 12/28/2017 09:05 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.52 release.
> There are 204 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Mon Jan 1 17:00:00 UTC 2018.
> Anything received after that time might be too late.
>
Build results:
total: 136 pass: 136 fail: 0
Qemu test results:
total: 108 pass: 108 fail: 0
Details are available at http://kerneltests.org/builders.
Guenter
* Re: [PATCH 3.16 000/204] 3.16.52-rc1 review
From: Ben Hutchings @ 2017-12-28 21:08 UTC (permalink / raw)
To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm
On Thu, 2017-12-28 at 11:25 -0800, Guenter Roeck wrote:
> On 12/28/2017 09:05 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.52 release.
> > There are 204 patches in this series, which will be posted as responses
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Mon Jan 1 17:00:00 UTC 2018.
> > Anything received after that time might be too late.
> >
>
> Build results:
> total: 136 pass: 136 fail: 0
> Qemu test results:
> total: 108 pass: 108 fail: 0
>
> Details are available at http://kerneltests.org/builders.
Thanks for checking these two.
Ben.
--
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
2017-12-28 17:05 ` [PATCH 3.16 092/204] lsm: fix smack_inode_removexattr and xattr_getsecurity memleak Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 100/204] more bio_map_user_iov() leak fixes Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 113/204] iommu/amd: Finish TLB flush in amd_iommu_unmap() Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 026/204] usb: gadget: dummy: fix nonsensical comparisons Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 009/204] USB: serial: option: add support for TP-Link LTE module Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 005/204] HID: i2c-hid: allocate hid buffers for real worst case Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 024/204] crypto: talitos - fix sha224 Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 084/204] kernel/params.c: align add_sysfs_param documentation with code Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 137/204] ipsec: Fix aborted xfrm policy dump crash Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 006/204] spi: uapi: spidev: add missing ioctl header Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 143/204] net/unix: don't show information about sockets from other namespaces Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 150/204] workqueue: Fix NULL pointer dereference Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 054/204] security/keys: properly zero out sensitive key material in big_key Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 110/204] FS-Cache: fix dereference of NULL user_key_payload Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 111/204] lib/digsig: fix dereference of NULL user_key_payload Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 030/204] powerpc/pseries: Fix parent_dn reference leak in add_dt_node() Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 164/204] arm64: ensure __dump_instr() checks addr_limit Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 034/204] usb-storage: fix bogus hardware error messages for ATA pass-thru devices Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 160/204] KEYS: trusted: sanitize all key material Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 141/204] SMB: fix leak of validate negotiate info response buffer Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 095/204] ALSA: seq: Fix copy_from_user() call inside lock Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 080/204] brcmfmac: Add check for short event packets Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 082/204] scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 127/204] parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 144/204] xfrm: Clear sk_dst_cache when applying per-socket policy Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 202/204] crypto: salsa20 - fix blkcipher_walk API usage Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 022/204] powerpc/sysrq: Fix oops when ppmu is not registered Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 190/204] netfilter: xt_osf: Add missing permission checks Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 033/204] Input: uinput - avoid crash when sending FF request to device going away Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 203/204] crypto: hmac - require that the underlying hash algorithm is unkeyed Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 133/204] pci_ids: Add PCI device IDs for F15h M60h Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 122/204] usb: cdc_acm: Add quirk for Elatec TWN3 Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 055/204] PCI: Fix race condition with driver_override Ben Hutchings
2017-12-28 17:05 ` [PATCH 3.16 204/204] KEYS: add missing permission check for request_key() destination Ben Hutchings
2017-12-28 19:25 ` [PATCH 3.16 000/204] 3.16.52-rc1 review Guenter Roeck
2017-12-28 21:08 ` Ben Hutchings