* [PATCH 3.18 10/49] usb: misc: add missing continue in switch
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Alan Stern
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <garsilva@embeddedor.com>
commit 2c930e3d0aed1505e86e0928d323df5027817740 upstream.
Add missing continue in switch.
Addresses-Coverity-ID: 1248733
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/misc/usbtest.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -133,6 +133,7 @@ get_endpoints(struct usbtest_dev *dev, s
case USB_ENDPOINT_XFER_INT:
if (dev->info->intr)
goto try_intr;
+ continue;
case USB_ENDPOINT_XFER_ISOC:
if (dev->info->iso)
goto try_iso;
^ permalink raw reply
* [PATCH 3.18 42/49] HID: core: prevent out-of-bound readings
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Benjamin Tissoires, Jiri Kosina,
Amit Pundir
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
commit 50220dead1650609206efe91f0cc116132d59b3f upstream.
Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.
The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1213,6 +1213,7 @@ static void hid_input_field(struct hid_d
/* Ignore report if ErrorRollOver */
if (!(field->flags & HID_MAIN_ITEM_VARIABLE) &&
value[n] >= min && value[n] <= max &&
+ value[n] - min < field->maxusage &&
field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1)
goto exit;
}
@@ -1225,11 +1226,13 @@ static void hid_input_field(struct hid_d
}
if (field->value[n] >= min && field->value[n] <= max
+ && field->value[n] - min < field->maxusage
&& field->usage[field->value[n] - min].hid
&& search(value, field->value[n], count))
hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt);
if (value[n] >= min && value[n] <= max
+ && value[n] - min < field->maxusage
&& field->usage[value[n] - min].hid
&& search(field->value, value[n], count))
hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt);
^ permalink raw reply
* [PATCH 3.18 40/49] af_unix: Guard against other == sk in unix_dgram_sendmsg
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Philipp Hahn, Rainer Weikusat,
David S. Miller, Amit Pundir
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
commit a5527dda344fff0514b7989ef7a755729769daa1 upstream.
The unix_dgram_sendmsg routine use the following test
if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add a other != sk
check to guard against this.
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/unix/af_unix.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1722,7 +1722,12 @@ restart_locked:
goto out_unlock;
}
- if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ /* other == sk && unix_peer(other) != sk if
+ * - unix_peer(sk) == NULL, destination address bound to sk
+ * - unix_peer(sk) == sk by time of get but disconnected before lock
+ */
+ if (other != sk &&
+ unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
if (timeo) {
timeo = unix_wait_for_peer(other, timeo);
^ permalink raw reply
* [PATCH 3.18 38/49] ipv6: sctp: add rcu protection around np->opt
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller,
Amit Pundir
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit c836a8ba93869d6a0290a6ae0047fbef09066871 upstream.
This patch completes the work I did in commit 45f6fad84cc3
("ipv6: add complete rcu protection around np->opt"), as I missed
sctp part.
This simply makes sure np->opt is used with proper RCU locking
and accessors.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/ipv6.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -209,6 +209,7 @@ static int sctp_v6_xmit(struct sk_buff *
struct sock *sk = skb->sk;
struct ipv6_pinfo *np = inet6_sk(sk);
struct flowi6 *fl6 = &transport->fl.u.ip6;
+ int res;
pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb,
skb->len, &fl6->saddr, &fl6->daddr);
@@ -220,7 +221,10 @@ static int sctp_v6_xmit(struct sk_buff *
SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS);
- return ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
+ rcu_read_lock();
+ res = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), np->tclass);
+ rcu_read_unlock();
+ return res;
}
/* Returns the dst cache entry for the given source and destination ip
@@ -262,7 +266,10 @@ static void sctp_v6_get_dst(struct sctp_
pr_debug("src=%pI6 - ", &fl6->saddr);
}
- final_p = fl6_update_dst(fl6, np->opt, &final);
+ rcu_read_lock();
+ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
+ rcu_read_unlock();
+
dst = ip6_dst_lookup_flow(sk, fl6, final_p);
if (!asoc || saddr)
goto out;
@@ -321,7 +328,7 @@ static void sctp_v6_get_dst(struct sctp_
if (baddr) {
fl6->saddr = baddr->v6.sin6_addr;
fl6->fl6_sport = baddr->v6.sin6_port;
- final_p = fl6_update_dst(fl6, np->opt, &final);
+ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
dst = ip6_dst_lookup_flow(sk, fl6, final_p);
}
^ permalink raw reply
* [PATCH 3.18 37/49] sg: Fix double-free when drives detach during SG_IO
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Calvin Owens, Douglas Gilbert,
Martin K. Petersen, Amit Pundir
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Calvin Owens <calvinowens@fb.com>
commit f3951a3709ff50990bf3e188c27d346792103432 upstream.
In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().
Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.
This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:
------------[ cut here ]------------
kernel BUG at block/blk-core.c:1420!
Call Trace:
[<ffffffff81281eab>] blk_put_request+0x5b/0x80
[<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
[<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
[<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
[<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
[<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
[<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
[<ffffffff81258967>] ? file_has_perm+0x97/0xb0
[<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
[<ffffffff81602afb>] tracesys+0xdd/0xe2
RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free
it.
Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.
KASAN was extremely helpful in finding the root cause of this bug.
Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/sg.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -791,8 +791,14 @@ sg_common_write(Sg_fd * sfp, Sg_request
return k; /* probably out of space --> ENOMEM */
}
if (atomic_read(&sdp->detaching)) {
- if (srp->bio)
+ if (srp->bio) {
+ if (srp->rq->cmd != srp->rq->__cmd)
+ kfree(srp->rq->cmd);
+
blk_end_request_all(srp->rq, -EIO);
+ srp->rq = NULL;
+ }
+
sg_finish_rem_req(srp);
return -ENODEV;
}
^ permalink raw reply
* [PATCH 3.18 36/49] ext4: fix potential use after free in __ext4_journal_stop
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lukas Czerner, Andreas Dilger,
Amit Pundir
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Czerner <lczerner@redhat.com>
commit 6934da9238da947628be83635e365df41064b09b upstream.
There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ext4_jbd2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/ext4/ext4_jbd2.c
+++ b/fs/ext4/ext4_jbd2.c
@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *wher
return 0;
}
+ err = handle->h_err;
if (!handle->h_transaction) {
- err = jbd2_journal_stop(handle);
- return handle->h_err ? handle->h_err : err;
+ rc = jbd2_journal_stop(handle);
+ return err ? err : rc;
}
sb = handle->h_transaction->t_journal->j_private;
- err = handle->h_err;
rc = jbd2_journal_stop(handle);
if (!err)
^ permalink raw reply
* [PATCH 3.18 35/49] KEYS: Fix ASN.1 indefinite length object parsing
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, David Howells, Mimi Zohar,
David Woodhouse, Peter Jones, Amit Pundir
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream.
This fixes CVE-2016-0758.
In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor. With a sufficiently large size indicated, the check:
datalen - dp < 2
may then fail due to integer overflow.
Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.
Whilst we're at it, make the following changes:
(1) Check the maximum size of extended length does not exceed the capacity
of the variable it's being stored in (len) rather than the type that
variable is assumed to be (size_t).
(2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
integer 0.
(3) To reduce confusion, move the initialisation of len outside of:
for (len = 0; n > 0; n--) {
since it doesn't have anything to do with the loop counter n.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/asn1_decoder.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -69,7 +69,7 @@ next_tag:
/* Extract a tag from the data */
tag = data[dp++];
- if (tag == 0) {
+ if (tag == ASN1_EOC) {
/* It appears to be an EOC. */
if (data[dp++] != 0)
goto invalid_eoc;
@@ -91,10 +91,8 @@ next_tag:
/* Extract the length */
len = data[dp++];
- if (len <= 0x7f) {
- dp += len;
- goto next_tag;
- }
+ if (len <= 0x7f)
+ goto check_length;
if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
/* Indefinite length */
@@ -105,14 +103,18 @@ next_tag:
}
n = len - 0x80;
- if (unlikely(n > sizeof(size_t) - 1))
+ if (unlikely(n > sizeof(len) - 1))
goto length_too_long;
if (unlikely(n > datalen - dp))
goto data_overrun_error;
- for (len = 0; n > 0; n--) {
+ len = 0;
+ for (; n > 0; n--) {
len <<= 8;
len |= data[dp++];
}
+check_length:
+ if (len > datalen - dp)
+ goto data_overrun_error;
dp += len;
goto next_tag;
^ permalink raw reply
* [PATCH 3.18 34/49] ASN.1: Fix non-match detection failure on data overrun
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Marcel Holtmann, David Howells,
David Woodhouse, Amit Pundir
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f upstream.
If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
matches get skipped if there's no more data to be had rather than a
data-overrun error being reported.
This is due to the code segment that decides whether to skip optional
matches (ie. matches that could get ignored because an element is marked
OPTIONAL in the grammar) due to a lack of data also skips non-optional
elements if the data pointer has reached the end of the buffer.
This can be tested with the data decoder for the new RSA akcipher algorithm
that takes three non-optional integers. Currently, it skips the last
integer if there is insufficient data.
Without the fix, #defining DEBUG in asn1_decoder.c will show something
like:
next_op: pc=0/13 dp=0/270 C=0 J=0
- match? 30 30 00
- TAG: 30 266 CONS
next_op: pc=2/13 dp=4/270 C=1 J=0
- match? 02 02 00
- TAG: 02 257
- LEAF: 257
next_op: pc=5/13 dp=265/270 C=1 J=0
- match? 02 02 00
- TAG: 02 3
- LEAF: 3
next_op: pc=8/13 dp=270/270 C=1 J=0
next_op: pc=11/13 dp=270/270 C=1 J=0
- end cons t=4 dp=270 l=270/270
The next_op line for pc=8/13 should be followed by a match line.
This is not exploitable for X.509 certificates by means of shortening the
message and fixing up the ASN.1 CONS tags because:
(1) The relevant records being built up are cleared before use.
(2) If the message is shortened sufficiently to remove the public key, the
ASN.1 parse of the RSA key will fail quickly due to a lack of data.
(3) Extracted signature data is either turned into MPIs (which cope with a
0 length) or is simpler integers specifying algoritms and suchlike
(which can validly be 0); and
(4) The AKID and SKID extensions are optional and their removal is handled
without risking passing a NULL to asymmetric_key_generate_id().
(5) If the certificate is truncated sufficiently to remove the subject,
issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
stack underflow' return.
This is not exploitable for PKCS#7 messages by means of removal of elements
from such a message from the tail end of a sequence:
(1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
as detailed above.
(2) The message digest content isn't used if it shows a NULL pointer,
similarly, the authattrs aren't used if that shows a NULL pointer.
(3) A missing signature results in a NULL MPI - which the MPI routines deal
with.
(4) If data is NULL, it is expected that the message has detached content and
that is handled appropriately.
(5) If the serialNumber is excised, the unconditional action associated
with it will pick up the containing SEQUENCE instead, so no NULL
pointer will be seen here.
If both the issuer and the serialNumber are excised, the ASN.1 decode
will fail with an 'Unexpected tag' return.
In either case, there's no way to get to asymmetric_key_generate_id()
with a NULL pointer.
(6) Other fields are decoded to simple integers. Shortening the message
to omit an algorithm ID field will cause checks on this to fail early
in the verification process.
This can also be tested by snipping objects off of the end of the ASN.1 stream
such that mandatory tags are removed - or even from the end of internal
SEQUENCEs. If any mandatory tag is missing, the error EBADMSG *should* be
produced. Without this patch ERANGE or ENOPKG might be produced or the parse
may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
later, depending on what gets snipped.
Just snipping off the final BIT_STRING or OCTET_STRING from either sample
should be a start since both are mandatory and neither will cause an EBADMSG
without the patches
Reported-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/asn1_decoder.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -208,9 +208,8 @@ next_op:
unsigned char tmp;
/* Skip conditional matches if possible */
- if ((op & ASN1_OP_MATCH__COND &&
- flags & FLAG_MATCHED) ||
- dp == datalen) {
+ if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) ||
+ (op & ASN1_OP_MATCH__SKIP && dp == datalen)) {
pc += asn1_op_lengths[op];
goto next_op;
}
^ permalink raw reply
* [PATCH 3.18 30/49] arm64: make sys_call_table const
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mark Rutland, Will Deacon,
Catalin Marinas, Amit Pundir
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit c623b33b4e9599c6ac5076f7db7369eb9869aa04 upstream.
As with x86, mark the sys_call_table const such that it will be placed
in the .rodata section. This will cause attempts to modify the table
(accidental or deliberate) to fail when strict page permissions are in
place. In the absence of strict page permissions, there should be no
functional change.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/kernel/sys.c
+++ b/arch/arm64/kernel/sys.c
@@ -50,7 +50,7 @@ asmlinkage long sys_mmap(unsigned long a
* The sys_call_table array must be 4K aligned to be accessible from
* kernel/entry.S.
*/
-void *sys_call_table[__NR_syscalls] __aligned(4096) = {
+void * const sys_call_table[__NR_syscalls] __aligned(4096) = {
[0 ... __NR_syscalls - 1] = sys_ni_syscall,
#include <asm/unistd.h>
};
^ permalink raw reply
* [PATCH 3.18 28/49] serial: omap: suspend device on probe errors
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Shubhrajyoti D, Johan Hovold,
Tony Lindgren
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 77e6fe7fd2b7cba0bf2f2dc8cde51d7b9a35bf74 upstream.
Make sure to actually suspend the device before returning after a failed
(or deferred) probe.
Note that autosuspend must be disabled before runtime pm is disabled in
order to balance the usage count due to a negative autosuspend delay as
well as to make the final put suspend the device synchronously.
Fixes: 388bc2622680 ("omap-serial: Fix the error handling in the omap_serial probe")
Cc: Shubhrajyoti D <shubhrajyoti@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/omap-serial.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/tty/serial/omap-serial.c
+++ b/drivers/tty/serial/omap-serial.c
@@ -1743,7 +1743,8 @@ static int serial_omap_probe(struct plat
return 0;
err_add_port:
- pm_runtime_put(&pdev->dev);
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
pm_runtime_disable(&pdev->dev);
err_rs485:
err_port_line:
^ permalink raw reply
* [PATCH 3.18 25/49] padata: free correct variable
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jason A. Donenfeld, Herbert Xu
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason A. Donenfeld <Jason@zx2c4.com>
commit 07a77929ba672d93642a56dc2255dd21e6e2290b upstream.
The author meant to free the variable that was just allocated, instead
of the one that failed to be allocated, but made a simple typo. This
patch rectifies that.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/padata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -357,7 +357,7 @@ static int padata_setup_cpumasks(struct
cpumask_and(pd->cpumask.pcpu, pcpumask, cpu_online_mask);
if (!alloc_cpumask_var(&pd->cpumask.cbcpu, GFP_KERNEL)) {
- free_cpumask_var(pd->cpumask.cbcpu);
+ free_cpumask_var(pd->cpumask.pcpu);
return -ENOMEM;
}
^ permalink raw reply
* [PATCH 3.18 17/49] IB/mlx4: Fix ib device initialization error flow
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jack Morgenstein, Leon Romanovsky,
Doug Ledford
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jack Morgenstein <jackm@dev.mellanox.co.il>
commit 99e68909d5aba1861897fe7afc3306c3c81b6de0 upstream.
In mlx4_ib_add, procedure mlx4_ib_alloc_eqs is called to allocate EQs.
However, in the mlx4_ib_add error flow, procedure mlx4_ib_free_eqs is not
called to free the allocated EQs.
Fixes: e605b743f33d ("IB/mlx4: Increase the number of vectors (EQs) available for ULPs")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/mlx4/main.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -2357,6 +2357,7 @@ err_counter:
mlx4_counter_free(ibdev->dev, ibdev->counters[i - 1]);
err_map:
+ mlx4_ib_free_eqs(dev, ibdev);
iounmap(ibdev->uar_map);
err_uar:
^ permalink raw reply
* [PATCH 3.18 16/49] IB/IPoIB: ibX: failed to create mcg debug file
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vijay Kumar, Shamir Rabinovitch,
Mark Bloch, Doug Ledford
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
commit 771a52584096c45e4565e8aabb596eece9d73d61 upstream.
When udev renames the netdev devices, ipoib debugfs entries does not
get renamed. As a result, if subsequent probe of ipoib device reuse the
name then creating a debugfs entry for the new device would fail.
Also, moved ipoib_create_debug_files and ipoib_delete_debug_files as part
of ipoib event handling in order to avoid any race condition between these.
Fixes: 1732b0ef3b3a ([IPoIB] add path record information in debugfs)
Signed-off-by: Vijay Kumar <vijay.ac.kumar@oracle.com>
Signed-off-by: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
Reviewed-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/ulp/ipoib/ipoib_fs.c | 3 ++
drivers/infiniband/ulp/ipoib/ipoib_main.c | 44 ++++++++++++++++++++++++++----
drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 3 --
3 files changed, 42 insertions(+), 8 deletions(-)
--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
@@ -281,8 +281,11 @@ void ipoib_delete_debug_files(struct net
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
+ WARN_ONCE(!priv->mcg_dentry, "null mcg debug file\n");
+ WARN_ONCE(!priv->path_dentry, "null path debug file\n");
debugfs_remove(priv->mcg_dentry);
debugfs_remove(priv->path_dentry);
+ priv->mcg_dentry = priv->path_dentry = NULL;
}
int ipoib_register_debugfs(void)
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -98,6 +98,33 @@ static struct ib_client ipoib_client = {
.remove = ipoib_remove_one
};
+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+static int ipoib_netdev_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+{
+ struct netdev_notifier_info *ni = ptr;
+ struct net_device *dev = ni->dev;
+
+ if (dev->netdev_ops->ndo_open != ipoib_open)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_REGISTER:
+ ipoib_create_debug_files(dev);
+ break;
+ case NETDEV_CHANGENAME:
+ ipoib_delete_debug_files(dev);
+ ipoib_create_debug_files(dev);
+ break;
+ case NETDEV_UNREGISTER:
+ ipoib_delete_debug_files(dev);
+ break;
+ }
+
+ return NOTIFY_DONE;
+}
+#endif
+
int ipoib_open(struct net_device *dev)
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
@@ -1304,8 +1331,6 @@ void ipoib_dev_cleanup(struct net_device
ASSERT_RTNL();
- ipoib_delete_debug_files(dev);
-
/* Delete any child interfaces first */
list_for_each_entry_safe(cpriv, tcpriv, &priv->child_intfs, list) {
/* Stop GC on child */
@@ -1610,8 +1635,6 @@ static struct net_device *ipoib_add_port
goto register_failed;
}
- ipoib_create_debug_files(priv->dev);
-
if (ipoib_cm_add_mode_attr(priv->dev))
goto sysfs_failed;
if (ipoib_add_pkey_attr(priv->dev))
@@ -1626,7 +1649,6 @@ static struct net_device *ipoib_add_port
return priv->dev;
sysfs_failed:
- ipoib_delete_debug_files(priv->dev);
unregister_netdev(priv->dev);
register_failed:
@@ -1714,6 +1736,12 @@ static void ipoib_remove_one(struct ib_d
kfree(dev_list);
}
+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+static struct notifier_block ipoib_netdev_notifier = {
+ .notifier_call = ipoib_netdev_event,
+};
+#endif
+
static int __init ipoib_init_module(void)
{
int ret;
@@ -1763,6 +1791,9 @@ static int __init ipoib_init_module(void
if (ret)
goto err_client;
+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+ register_netdevice_notifier(&ipoib_netdev_notifier);
+#endif
return 0;
err_client:
@@ -1780,6 +1811,9 @@ err_fs:
static void __exit ipoib_cleanup_module(void)
{
+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+ unregister_netdevice_notifier(&ipoib_netdev_notifier);
+#endif
ipoib_netlink_fini();
ib_unregister_client(&ipoib_client);
ib_sa_unregister_client(&ipoib_sa_client);
--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
@@ -86,8 +86,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr
priv->parent = ppriv->dev;
- ipoib_create_debug_files(priv->dev);
-
/* RTNL childs don't need proprietary sysfs entries */
if (type == IPOIB_LEGACY_CHILD) {
if (ipoib_cm_add_mode_attr(priv->dev))
@@ -109,7 +107,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr
sysfs_failed:
result = -ENOMEM;
- ipoib_delete_debug_files(priv->dev);
unregister_netdevice(priv->dev);
register_failed:
^ permalink raw reply
* [PATCH 3.18 07/49] staging: gdm724x: gdm_mux: fix use-after-free on module unload
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Won Kang, Johan Hovold
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b58f45c8fc301fe83ee28cad3e64686c19e78f1c upstream.
Make sure to deregister the USB driver before releasing the tty driver
to avoid use-after-free in the USB disconnect callback where the tty
devices are deregistered.
Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
Cc: Won Kang <wkang77@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/gdm724x/gdm_mux.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/staging/gdm724x/gdm_mux.c
+++ b/drivers/staging/gdm724x/gdm_mux.c
@@ -674,14 +674,13 @@ static int __init gdm_usb_mux_init(void)
static void __exit gdm_usb_mux_exit(void)
{
- unregister_lte_tty_driver();
-
if (mux_rx_wq) {
flush_workqueue(mux_rx_wq);
destroy_workqueue(mux_rx_wq);
}
usb_deregister(&gdm_mux_driver);
+ unregister_lte_tty_driver();
}
module_init(gdm_usb_mux_init);
^ permalink raw reply
* [PATCH 3.18 05/49] staging: vt6656: use off stack for in buffer USB transfers.
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Malcolm Priestley <tvboxspy@gmail.com>
commit 05c0cf88bec588a7cb34de569acd871ceef26760 upstream.
Since 4.9 mandated USB buffers to be heap allocated. This causes
the driver to fail.
Create buffer for USB transfers.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/vt6656/usbpipe.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/drivers/staging/vt6656/usbpipe.c
+++ b/drivers/staging/vt6656/usbpipe.c
@@ -78,15 +78,28 @@ int vnt_control_in(struct vnt_private *p
u16 index, u16 length, u8 *buffer)
{
int status;
+ u8 *usb_buffer;
if (test_bit(DEVICE_FLAGS_DISCONNECTED, &priv->flags))
return STATUS_FAILURE;
mutex_lock(&priv->usb_lock);
+ usb_buffer = kmalloc(length, GFP_KERNEL);
+ if (!usb_buffer) {
+ mutex_unlock(&priv->usb_lock);
+ return -ENOMEM;
+ }
+
status = usb_control_msg(priv->usb,
- usb_rcvctrlpipe(priv->usb, 0), request, 0xc0, value,
- index, buffer, length, USB_CTL_WAIT);
+ usb_rcvctrlpipe(priv->usb, 0),
+ request, 0xc0, value,
+ index, usb_buffer, length, USB_CTL_WAIT);
+
+ if (status == length)
+ memcpy(buffer, usb_buffer, length);
+
+ kfree(usb_buffer);
mutex_unlock(&priv->usb_lock);
^ permalink raw reply
* [PATCH 3.18 03/49] USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marek Vasut, Johan Hovold
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@denx.de>
commit 31c5d1922b90ddc1da6a6ddecef7cd31f17aa32b upstream.
This development kit has an FT4232 on it with a custom USB VID/PID.
The FT4232 provides four UARTs, but only two are used. The UART 0
is used by the FlashPro5 programmer and UART 2 is connected to the
SmartFusion2 CortexM3 SoC UART port.
Note that the USB VID is registered to Actel according to Linux USB
VID database, but that was acquired by Microsemi.
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
2 files changed, 7 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -873,6 +873,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE_AND_INTERFACE_INFO(MICROCHIP_VID, MICROCHIP_USB_BOARD_PID,
USB_CLASS_VENDOR_SPEC,
USB_SUBCLASS_VENDOR_SPEC, 0x00) },
+ { USB_DEVICE_INTERFACE_NUMBER(ACTEL_VID, MICROSEMI_ARROW_SF2PLUS_BOARD_PID, 2) },
{ USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
{ USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -867,6 +867,12 @@
#define FIC_VID 0x1457
#define FIC_NEO1973_DEBUG_PID 0x5118
+/*
+ * Actel / Microsemi
+ */
+#define ACTEL_VID 0x1514
+#define MICROSEMI_ARROW_SF2PLUS_BOARD_PID 0x2008
+
/* Olimex */
#define OLIMEX_VID 0x15BA
#define OLIMEX_ARM_USB_OCD_PID 0x0003
^ permalink raw reply
* [PATCH 3.18 00/49] 3.18.54-stable review
From: Greg Kroah-Hartman @ 2017-05-18 13:16 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuahkh, patches,
ben.hutchings, stable
This is the start of the stable review cycle for the 3.18.54 release.
There are 49 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat May 20 13:16:30 UTC 2017.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.54-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 3.18.54-rc1
Kangjie Lu <kangjielu@gmail.com>
ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
Kangjie Lu <kangjielu@gmail.com>
ALSA: timer: Fix leak in events via snd_timer_user_ccallback
Kangjie Lu <kangjielu@gmail.com>
ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
Takashi Iwai <tiwai@suse.de>
ALSA: timer: Fix race among timer ioctls
Takashi Iwai <tiwai@suse.de>
ALSA: seq: Fix race at timer setup and close
Jann Horn <jannh@google.com>
sched: panic on corrupted stack end
Bjørn Mork <bjorn@mork.no>
cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
Benjamin Tissoires <benjamin.tissoires@redhat.com>
HID: core: prevent out-of-bound readings
WANG Cong <xiyou.wangcong@gmail.com>
ppp: defer netns reference release for ppp channel
Rainer Weikusat <rweikusat@mobileactivedefense.com>
af_unix: Guard against other == sk in unix_dgram_sendmsg
Eric Dumazet <edumazet@google.com>
ipv6: sctp: fix lockdep splat in sctp_v6_get_dst()
Eric Dumazet <edumazet@google.com>
ipv6: sctp: add rcu protection around np->opt
Calvin Owens <calvinowens@fb.com>
sg: Fix double-free when drives detach during SG_IO
Lukas Czerner <lczerner@redhat.com>
ext4: fix potential use after free in __ext4_journal_stop
David Howells <dhowells@redhat.com>
KEYS: Fix ASN.1 indefinite length object parsing
David Howells <dhowells@redhat.com>
ASN.1: Fix non-match detection failure on data overrun
Peter Zijlstra <peterz@infradead.org>
perf: Fix race in swevent hash
Suzuki K. Poulose <suzuki.poulose@arm.com>
arm64: perf: reject groups spanning multiple HW PMUs
Peter Zijlstra <peterz@infradead.org>
perf: Fix event->ctx locking
Mark Rutland <mark.rutland@arm.com>
arm64: make sys_call_table const
Szymon Janc <szymon.janc@codecoup.pl>
Bluetooth: Fix user channel for 32bit userspace on 64bit kernel
Johan Hovold <johan@kernel.org>
serial: omap: suspend device on probe errors
Johan Hovold <johan@kernel.org>
serial: omap: fix runtime-pm handling on unbind
NeilBrown <neilb@suse.com>
md/raid1: avoid reusing a resync bio after error handling.
Jason A. Donenfeld <Jason@zx2c4.com>
padata: free correct variable
Björn Jacke <bj@sernet.de>
CIFS: add misssing SFM mapping for doublequote
Björn Jacke <bj@sernet.de>
CIFS: fix mapping of SFM_SPACE and SFM_PERIOD
Steve French <smfrench@gmail.com>
SMB3: Work around mount failure when using SMB3 dialect to Macs
Steve French <smfrench@gmail.com>
Set unicode flag on cifs echo request to avoid Mac error
Andrey Ryabinin <aryabinin@virtuozzo.com>
fs/block_dev: always invalidate cleancache in invalidate_bdev()
Luis Henriques <lhenriques@suse.com>
ceph: fix memory leak in __ceph_setxattr()
Michal Hocko <mhocko@suse.com>
fs/xattr.c: zero out memory copied to userspace in getxattr
Jack Morgenstein <jackm@dev.mellanox.co.il>
IB/mlx4: Fix ib device initialization error flow
Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
IB/IPoIB: ibX: failed to create mcg debug file
Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
dm era: save spacemap metadata root after the pre-commit
Richard Weinberger <richard@nod.at>
um: Fix PTRACE_POKEUSER on x86_64
Ashish Kalra <ashish@bluestacks.com>
x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
Maksim Salau <maksim.salau@gmail.com>
usb: misc: legousbtower: Fix buffers on stack
Guenter Roeck <linux@roeck-us.net>
usb: hub: Do not attempt to autosuspend disconnected devices
Gustavo A. R. Silva <garsilva@embeddedor.com>
usb: misc: add missing continue in switch
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: jr3_pci: cope with jiffies wraparound
Ian Abbott <abbotti@mev.co.uk>
staging: comedi: jr3_pci: fix possible null pointer dereference
Johan Hovold <johan@kernel.org>
staging: gdm724x: gdm_mux: fix use-after-free on module unload
Malcolm Priestley <tvboxspy@gmail.com>
staging: vt6656: use off stack for out buffer USB transfers.
Malcolm Priestley <tvboxspy@gmail.com>
staging: vt6656: use off stack for in buffer USB transfers.
Ajay Kaher <ajay.kaher@samsung.com>
USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously
Marek Vasut <marex@denx.de>
USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit
Peter Chen <peter.chen@nxp.com>
usb: host: xhci: print correct command ring address
Bart Van Assche <bart.vanassche@sandisk.com>
target/fileio: Fix zero-length READ and WRITE handling
-------------
Diffstat:
Makefile | 4 +-
arch/arm64/kernel/perf_event.c | 21 ++-
arch/arm64/kernel/sys.c | 2 +-
arch/x86/boot/boot.h | 2 +-
arch/x86/um/ptrace_64.c | 2 +-
drivers/hid/hid-core.c | 3 +
drivers/infiniband/hw/mlx4/main.c | 1 +
drivers/infiniband/ulp/ipoib/ipoib_fs.c | 3 +
drivers/infiniband/ulp/ipoib/ipoib_main.c | 44 ++++-
drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 3 -
drivers/md/dm-era-target.c | 8 +-
drivers/md/raid1.c | 2 +
drivers/net/ppp/ppp_generic.c | 5 +-
drivers/net/usb/cdc_ncm.c | 20 +--
drivers/scsi/sg.c | 8 +-
drivers/staging/comedi/drivers/jr3_pci.c | 13 +-
drivers/staging/gdm724x/gdm_mux.c | 3 +-
drivers/staging/vt6656/usbpipe.c | 31 +++-
drivers/target/target_core_file.c | 3 +-
drivers/tty/serial/omap-serial.c | 9 +-
drivers/usb/core/driver.c | 3 +
drivers/usb/core/file.c | 9 +-
drivers/usb/core/hub.c | 6 +
drivers/usb/host/xhci-mem.c | 2 +-
drivers/usb/misc/legousbtower.c | 37 +++--
drivers/usb/misc/usbtest.c | 1 +
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 6 +
fs/block_dev.c | 11 +-
fs/ceph/xattr.c | 3 +
fs/cifs/cifs_unicode.c | 6 +
fs/cifs/cifs_unicode.h | 5 +-
fs/cifs/cifssmb.c | 3 +
fs/cifs/smb2pdu.c | 14 +-
fs/ext4/ext4_jbd2.c | 6 +-
fs/xattr.c | 2 +-
kernel/events/core.c | 264 +++++++++++++++++++++++-------
kernel/padata.c | 2 +-
kernel/sched/core.c | 3 +-
lib/asn1_decoder.c | 21 +--
net/bluetooth/hci_sock.c | 3 +-
net/sctp/ipv6.c | 16 +-
net/unix/af_unix.c | 7 +-
sound/core/seq/seq_queue.c | 2 +
sound/core/timer.c | 35 ++--
45 files changed, 482 insertions(+), 173 deletions(-)
^ permalink raw reply
* Re: [PATCH-stable] serial: samsung: Bring back removed variable to fix compilation
From: Krzysztof Kozlowski @ 2017-05-18 13:16 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Krzysztof Kozlowski, Jiri Slaby, linux-serial, linux-kernel,
stable
In-Reply-To: <20170518131440.GA14129@kroah.com>
On Thu, May 18, 2017 at 3:14 PM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Thu, May 18, 2017 at 02:59:32PM +0200, Krzysztof Kozlowski wrote:
>> On Thu, May 18, 2017 at 2:31 PM, Krzysztof Kozlowski
>> <kozik.server@gmail.com> wrote:
>>
>> I need to fixup the from field. It should be krzk@kernel.org.
>
> I've merged this with the original patch so nothing breaks...
Great, thanks!
Krzysztof
^ permalink raw reply
* Re: [PATCH-stable] serial: samsung: Bring back removed variable to fix compilation
From: Greg Kroah-Hartman @ 2017-05-18 13:14 UTC (permalink / raw)
To: Krzysztof Kozlowski
Cc: Krzysztof Kozlowski, Jiri Slaby, linux-serial, linux-kernel,
stable
In-Reply-To: <CAJKOXPdEQ-JSSZK1PA4xc1f7NWdKNyaeQ3qyjEdW7ttTvTF4og@mail.gmail.com>
On Thu, May 18, 2017 at 02:59:32PM +0200, Krzysztof Kozlowski wrote:
> On Thu, May 18, 2017 at 2:31 PM, Krzysztof Kozlowski
> <kozik.server@gmail.com> wrote:
>
> I need to fixup the from field. It should be krzk@kernel.org.
I've merged this with the original patch so nothing breaks...
thanks,
greg k-h
^ permalink raw reply
* Re: Patch "net/ipv6: add sysctl option accept_ra_min_hop_limit" has been added to the 3.18-stable tree
From: Greg KH @ 2017-05-18 13:05 UTC (permalink / raw)
To: 吉藤英明
Cc: Hangbin Liu, amit.pundir, David Miller, stable, stable-commits,
YOSHIFUJI Hideaki
In-Reply-To: <CAPA1RqBF49hFmoSzkA3yuP=rAPnPyBYojaXhesG+yMZGYPOV5g@mail.gmail.com>
On Thu, May 18, 2017 at 09:39:12PM +0900, 吉藤英明 wrote:
> Hi,
>
> 2017-05-18 21:22 GMT+09:00 <gregkh@linuxfoundation.org>:
> >
> >
> > This is a note to let you know that I've just added the patch titled
> >
> > net/ipv6: add sysctl option accept_ra_min_hop_limit
> >
> > to the 3.18-stable tree which can be found at:
> > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >
> > The filename of the patch is:
> > net-ipv6-add-sysctl-option-accept_ra_min_hop_limit.patch
> > and it can be found in the queue-3.18 subdirectory.
> >
> > If you, or anyone else, feels it should not be added to the stable tree,
> > please let <stable@vger.kernel.org> know about it.
> >
> >
> > From 8013d1d7eafb0589ca766db6b74026f76b7f5cb4 Mon Sep 17 00:00:00 2001
> > From: Hangbin Liu <liuhangbin@gmail.com>
> > Date: Thu, 30 Jul 2015 14:28:42 +0800
> > Subject: net/ipv6: add sysctl option accept_ra_min_hop_limit
> >
> > From: Hangbin Liu <liuhangbin@gmail.com>
> >
> > commit 8013d1d7eafb0589ca766db6b74026f76b7f5cb4 upstream.
> >
> > Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface")
> > disabled accept hop limit from RA if it is smaller than the current hop
> > limit for security stuff. But this behavior kind of break the RFC definition.
> >
> > RFC 4861, 6.3.4. Processing Received Router Advertisements
> > A Router Advertisement field (e.g., Cur Hop Limit, Reachable Time,
> > and Retrans Timer) may contain a value denoting that it is
> > unspecified. In such cases, the parameter should be ignored and the
> > host should continue using whatever value it is already using.
> >
> > If the received Cur Hop Limit value is non-zero, the host SHOULD set
> > its CurHopLimit variable to the received value.
> >
> > So add sysctl option accept_ra_min_hop_limit to let user choose the minimum
> > hop limit value they can accept from RA. And set default to 1 to meet RFC
> > standards.
> >
> > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
> > Acked-by: YOSHIFUJI Hideaki <hideaki.yoshifuji@miraclelinux.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> > Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > Documentation/networking/ip-sysctl.txt | 8 ++++++++
> > include/linux/ipv6.h | 1 +
> > include/uapi/linux/ipv6.h | 1 +
> > net/ipv6/addrconf.c | 10 ++++++++++
> > net/ipv6/ndisc.c | 16 +++++++---------
> > 5 files changed, 27 insertions(+), 9 deletions(-)
> >
> > --- a/Documentation/networking/ip-sysctl.txt
> > +++ b/Documentation/networking/ip-sysctl.txt
> > @@ -1256,6 +1256,14 @@ accept_ra_from_local - BOOLEAN
> > disabled if accept_ra_from_local is disabled
> > on a specific interface.
> >
> > +accept_ra_min_hop_limit - INTEGER
> > + Minimum hop limit Information in Router Advertisement.
> > +
> > + Hop limit Information in Router Advertisement less than this
> > + variable shall be ignored.
> > +
> > + Default: 1
> > +
> > accept_ra_pinfo - BOOLEAN
> > Learn Prefix Information in Router Advertisement.
> >
> > --- a/include/linux/ipv6.h
> > +++ b/include/linux/ipv6.h
> > @@ -29,6 +29,7 @@ struct ipv6_devconf {
> > __s32 max_desync_factor;
> > __s32 max_addresses;
> > __s32 accept_ra_defrtr;
> > + __s32 accept_ra_min_hop_limit;
> > __s32 accept_ra_pinfo;
> > #ifdef CONFIG_IPV6_ROUTER_PREF
> > __s32 accept_ra_rtr_pref;
> > --- a/include/uapi/linux/ipv6.h
> > +++ b/include/uapi/linux/ipv6.h
> > @@ -164,6 +164,7 @@ enum {
> > DEVCONF_MLDV2_UNSOLICITED_REPORT_INTERVAL,
> > DEVCONF_SUPPRESS_FRAG_NDISC,
> > DEVCONF_ACCEPT_RA_FROM_LOCAL,
> > + DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,
> > DEVCONF_MAX
> > };
> >
>
> Please do not do this. This is not compatible with current
> linus-tree.
>
> >From Linux 4.11:
> DEVCONF_SUPPRESS_FRAG_NDISC,
> DEVCONF_ACCEPT_RA_FROM_LOCAL,
> DEVCONF_USE_OPTIMISTIC,
> DEVCONF_ACCEPT_RA_MTU,
> DEVCONF_STABLE_SECRET,
> DEVCONF_USE_OIF_ADDRS_ONLY,
> DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,
> DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
Oh, nice catch. I'll go drop this.
Amit, can you send the _correct_ patch? Looks like Google messed up on
their backport :)
thanks,
greg k-h
^ permalink raw reply
* Re: [PATCH-stable] serial: samsung: Bring back removed variable to fix compilation
From: Krzysztof Kozlowski @ 2017-05-18 12:59 UTC (permalink / raw)
To: Krzysztof Kozlowski
Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial, linux-kernel,
stable
In-Reply-To: <1495110677-31174-1-git-send-email-krzk@kernel.org>
On Thu, May 18, 2017 at 2:31 PM, Krzysztof Kozlowski
<kozik.server@gmail.com> wrote:
I need to fixup the from field. It should be krzk@kernel.org.
Krzysztof
> By mistake commit 500fcc08a32b ("serial: samsung: Add missing checks for
> dma_map_single failure") removes a local variable which is still used by
> code. After backporting the commit to stable, compilation fails:
>
> drivers/tty/serial/samsung.c: In function ‘s3c24xx_serial_request_dma’:
> drivers/tty/serial/samsung.c:909:45: error: ‘flags’ undeclared (first use in this function)
>
> Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
>
> ---
>
> Fix for stable-rc commit:
> bc3ac2299c4873cdc7f9bf3c867c23e9714a036f
> ---
> drivers/tty/serial/samsung.c | 1 +
> 1 file changed, 1 insertion(+)
^ permalink raw reply
* Re: Patch "net/ipv6: add sysctl option accept_ra_min_hop_limit" has been added to the 3.18-stable tree
From: 吉藤英明 @ 2017-05-18 12:39 UTC (permalink / raw)
To: gregkh
Cc: Hangbin Liu, amit.pundir, David Miller, stable, stable-commits,
YOSHIFUJI Hideaki
In-Reply-To: <14951101417860@kroah.com>
Hi,
2017-05-18 21:22 GMT+09:00 <gregkh@linuxfoundation.org>:
>
>
> This is a note to let you know that I've just added the patch titled
>
> net/ipv6: add sysctl option accept_ra_min_hop_limit
>
> to the 3.18-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
> net-ipv6-add-sysctl-option-accept_ra_min_hop_limit.patch
> and it can be found in the queue-3.18 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
>
>
> From 8013d1d7eafb0589ca766db6b74026f76b7f5cb4 Mon Sep 17 00:00:00 2001
> From: Hangbin Liu <liuhangbin@gmail.com>
> Date: Thu, 30 Jul 2015 14:28:42 +0800
> Subject: net/ipv6: add sysctl option accept_ra_min_hop_limit
>
> From: Hangbin Liu <liuhangbin@gmail.com>
>
> commit 8013d1d7eafb0589ca766db6b74026f76b7f5cb4 upstream.
>
> Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface")
> disabled accept hop limit from RA if it is smaller than the current hop
> limit for security stuff. But this behavior kind of break the RFC definition.
>
> RFC 4861, 6.3.4. Processing Received Router Advertisements
> A Router Advertisement field (e.g., Cur Hop Limit, Reachable Time,
> and Retrans Timer) may contain a value denoting that it is
> unspecified. In such cases, the parameter should be ignored and the
> host should continue using whatever value it is already using.
>
> If the received Cur Hop Limit value is non-zero, the host SHOULD set
> its CurHopLimit variable to the received value.
>
> So add sysctl option accept_ra_min_hop_limit to let user choose the minimum
> hop limit value they can accept from RA. And set default to 1 to meet RFC
> standards.
>
> Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
> Acked-by: YOSHIFUJI Hideaki <hideaki.yoshifuji@miraclelinux.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> Documentation/networking/ip-sysctl.txt | 8 ++++++++
> include/linux/ipv6.h | 1 +
> include/uapi/linux/ipv6.h | 1 +
> net/ipv6/addrconf.c | 10 ++++++++++
> net/ipv6/ndisc.c | 16 +++++++---------
> 5 files changed, 27 insertions(+), 9 deletions(-)
>
> --- a/Documentation/networking/ip-sysctl.txt
> +++ b/Documentation/networking/ip-sysctl.txt
> @@ -1256,6 +1256,14 @@ accept_ra_from_local - BOOLEAN
> disabled if accept_ra_from_local is disabled
> on a specific interface.
>
> +accept_ra_min_hop_limit - INTEGER
> + Minimum hop limit Information in Router Advertisement.
> +
> + Hop limit Information in Router Advertisement less than this
> + variable shall be ignored.
> +
> + Default: 1
> +
> accept_ra_pinfo - BOOLEAN
> Learn Prefix Information in Router Advertisement.
>
> --- a/include/linux/ipv6.h
> +++ b/include/linux/ipv6.h
> @@ -29,6 +29,7 @@ struct ipv6_devconf {
> __s32 max_desync_factor;
> __s32 max_addresses;
> __s32 accept_ra_defrtr;
> + __s32 accept_ra_min_hop_limit;
> __s32 accept_ra_pinfo;
> #ifdef CONFIG_IPV6_ROUTER_PREF
> __s32 accept_ra_rtr_pref;
> --- a/include/uapi/linux/ipv6.h
> +++ b/include/uapi/linux/ipv6.h
> @@ -164,6 +164,7 @@ enum {
> DEVCONF_MLDV2_UNSOLICITED_REPORT_INTERVAL,
> DEVCONF_SUPPRESS_FRAG_NDISC,
> DEVCONF_ACCEPT_RA_FROM_LOCAL,
> + DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,
> DEVCONF_MAX
> };
>
Please do not do this. This is not compatible with current
linus-tree.
>From Linux 4.11:
DEVCONF_SUPPRESS_FRAG_NDISC,
DEVCONF_ACCEPT_RA_FROM_LOCAL,
DEVCONF_USE_OPTIMISTIC,
DEVCONF_ACCEPT_RA_MTU,
DEVCONF_STABLE_SECRET,
DEVCONF_USE_OIF_ADDRS_ONLY,
DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,
DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
// snip
--yoshfuji
^ permalink raw reply
* [PATCH-stable] serial: samsung: Bring back removed variable to fix compilation
From: Krzysztof Kozlowski @ 2017-05-18 12:31 UTC (permalink / raw)
To: Greg Kroah-Hartman, Jiri Slaby, linux-serial, linux-kernel,
stable
Cc: Krzysztof Kozlowski
By mistake commit 500fcc08a32b ("serial: samsung: Add missing checks for
dma_map_single failure") removes a local variable which is still used by
code. After backporting the commit to stable, compilation fails:
drivers/tty/serial/samsung.c: In function ‘s3c24xx_serial_request_dma’:
drivers/tty/serial/samsung.c:909:45: error: ‘flags’ undeclared (first use in this function)
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
---
Fix for stable-rc commit:
bc3ac2299c4873cdc7f9bf3c867c23e9714a036f
---
drivers/tty/serial/samsung.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
index ca0bcd7fd61f..43c84c9bb904 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -859,6 +859,7 @@ static void s3c24xx_serial_break_ctl(struct uart_port *port, int break_state)
static int s3c24xx_serial_request_dma(struct s3c24xx_uart_port *p)
{
struct s3c24xx_uart_dma *dma = p->dma;
+ unsigned long flags;
int ret;
/* Default slave configuration parameters */
--
2.7.4
^ permalink raw reply related
* Re: [PATCH 4.11 097/114] serial: samsung: Add missing checks for dma_map_single failure
From: Greg Kroah-Hartman @ 2017-05-18 12:24 UTC (permalink / raw)
To: Krzysztof Kozlowski
Cc: linux-kernel, stable, Seung-Woo Kim, Marek Szyprowski,
Bartlomiej Zolnierkiewicz, Shuah Khan
In-Reply-To: <CAJKOXPe5CGjxvu_BaFSp1NdiZmcGSpb5rS-ZWN-bj3Ntbj2kmw@mail.gmail.com>
On Thu, May 18, 2017 at 02:18:30PM +0200, Krzysztof Kozlowski wrote:
> On Thu, May 18, 2017 at 12:46 PM, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > 4.11-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Marek Szyprowski <m.szyprowski@samsung.com>
> >
> > commit 500fcc08a32bfd54f11951ba81530775df15c474 upstream.
> >
> > This patch adds missing checks for dma_map_single() failure and proper error
> > reporting. Although this issue was harmless on ARM architecture, it is always
> > good to use the DMA mapping API in a proper way. This patch fixes the following
> > DMA API debug warning:
> >
> > WARNING: CPU: 1 PID: 3785 at lib/dma-debug.c:1171 check_unmap+0x8a0/0xf28
> > dma-pl330 121a0000.pdma: DMA-API: device driver failed to check map error[device address=0x000000006e0f9000] [size=4096 bytes] [mapped as single]
> > Modules linked in:
> > CPU: 1 PID: 3785 Comm: (agetty) Tainted: G W 4.11.0-rc1-00137-g07ca963-dirty #59
> > Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
> > [<c011aaa4>] (unwind_backtrace) from [<c01127c0>] (show_stack+0x20/0x24)
> > [<c01127c0>] (show_stack) from [<c06ba5d8>] (dump_stack+0x84/0xa0)
> > [<c06ba5d8>] (dump_stack) from [<c0139528>] (__warn+0x14c/0x180)
> > [<c0139528>] (__warn) from [<c01395a4>] (warn_slowpath_fmt+0x48/0x50)
> > [<c01395a4>] (warn_slowpath_fmt) from [<c072a114>] (check_unmap+0x8a0/0xf28)
> > [<c072a114>] (check_unmap) from [<c072a834>] (debug_dma_unmap_page+0x98/0xc8)
> > [<c072a834>] (debug_dma_unmap_page) from [<c0803874>] (s3c24xx_serial_shutdown+0x314/0x52c)
> > [<c0803874>] (s3c24xx_serial_shutdown) from [<c07f5124>] (uart_port_shutdown+0x54/0x88)
> > [<c07f5124>] (uart_port_shutdown) from [<c07f522c>] (uart_shutdown+0xd4/0x110)
> > [<c07f522c>] (uart_shutdown) from [<c07f6a8c>] (uart_hangup+0x9c/0x208)
> > [<c07f6a8c>] (uart_hangup) from [<c07c426c>] (__tty_hangup+0x49c/0x634)
> > [<c07c426c>] (__tty_hangup) from [<c07c78ac>] (tty_ioctl+0xc88/0x16e4)
> > [<c07c78ac>] (tty_ioctl) from [<c03b5f2c>] (do_vfs_ioctl+0xc4/0xd10)
> > [<c03b5f2c>] (do_vfs_ioctl) from [<c03b6bf4>] (SyS_ioctl+0x7c/0x8c)
> > [<c03b6bf4>] (SyS_ioctl) from [<c010b4a0>] (ret_fast_syscall+0x0/0x3c)
> >
> > Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
> > Fixes: 62c37eedb74c8 ("serial: samsung: add dma reqest/release functions")
> > Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
> > Reviewed-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> > Reviewed-by: Shuah Khan <shuahkh@osg.samsung.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > ---
> > drivers/tty/serial/samsung.c | 31 ++++++++++++++++++++++++-------
> > 1 file changed, 24 insertions(+), 7 deletions(-)
> >
> > --- a/drivers/tty/serial/samsung.c
> > +++ b/drivers/tty/serial/samsung.c
> > @@ -859,7 +859,7 @@ static void s3c24xx_serial_break_ctl(str
> > static int s3c24xx_serial_request_dma(struct s3c24xx_uart_port *p)
> > {
> > struct s3c24xx_uart_dma *dma = p->dma;
> > - unsigned long flags;
> > + int ret;
>
> This does not compile:
> http://www.krzk.eu/#/builders/5/builds/225
> It works fine in mainline because the patch 3/3 of the set was
> removing the user of the flags.
>
> I'll send a fixup for stable.
Ah, thanks, I didn't notice that on my test builds here :(
greg k-h
^ permalink raw reply
* Re: [PATCH for-3.18 00/24] Security fixes from 2015 and 2016 android security bulletins
From: Greg KH @ 2017-05-18 12:22 UTC (permalink / raw)
To: Amit Pundir; +Cc: stable
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
On Tue, May 09, 2017 at 08:12:24PM +0530, Amit Pundir wrote:
> Hi Greg,
>
> Please consider following security fixes for linux-3.18.y. This
> is a follow up on my previous submission of similar security fixes,
> https://www.spinics.net/lists/stable/msg169868.html, picked up from
> android security bulletins published in year 2017 so far.
>
> Following are the fixes published in 2015 and 2016 monthly Android
> Security Bulletins https://source.android.com/security/bulletin/,
> and/or related follow-up fixes from upstream. Cherry-picked and build
> tested on v3.18.52 for ARCH=arm/arm64/x86/x86_64/mips + allmodconfig.
Thanks for these, I've applied all but 3, and will wait for those for
the next round of stable kernel releases (because they are needed in
other trees as well...)
greg k-h
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox