* [PATCH 4.4 009/103] infiniband: call ipv6 route lookup via the stub interface
From: Greg Kroah-Hartman @ 2017-05-23 20:08 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paolo Abeni, Doug Ledford
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit eea40b8f624f25cbc02d55f2d93203f60cee9341 upstream.
The infiniband address handle can be triggered to resolve an ipv6
address in response to MAD packets, regardless of whether the ipv6
module has been disabled via the kernel command line argument.
That will cause a call into the ipv6 routing code, which is not
initialized, and a consequent oops.
This commit addresses the above issue by replacing the direct lookup
call with an indirect one via the ipv6 stub, which is properly
initialized according to the ipv6 status (e.g. if ipv6 is
disabled, the routing lookup fails gracefully).
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/addr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -277,8 +277,8 @@ static int addr6_resolve(struct sockaddr
fl6.saddr = src_in->sin6_addr;
fl6.flowi6_oif = addr->bound_dev_if;
- dst = ip6_route_output(addr->net, NULL, &fl6);
- if ((ret = dst->error))
+ ret = ipv6_stub->ipv6_dst_lookup(addr->net, NULL, &dst, &fl6);
+ if (ret < 0)
goto put;
if (ipv6_addr_any(&fl6.saddr)) {
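Review bot: the error branch keeps `goto put` although `dst` is now written only by the stub call that replaced `ip6_route_output()`. The old call always handed back a dst (an error dst on failure), so `put:` could release it unconditionally; if the no-ipv6 stub returns its error without assigning `*dst`, `put:` acts on an uninitialised pointer. Either initialise `dst` to NULL at its declaration or `return ret;` directly from this branch instead of jumping to `put`.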
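The stub indirection the patch switches to, as an added userspace example that is not kernel code and not part of this patch: a subsystem that may be disabled at boot exports a table of function pointers pre-filled with "not supported" implementations, and the real ones are installed only when the subsystem initialises. Callers always go through the table, so a call made while the subsystem is disabled fails with an error instead of touching routing state that was never set up. All type and function names here (`route_stub`, `resolve_ifindex`, `route_subsystem_init`, the fake routing table) are invented for the demo and stand in for `ipv6_stub`, `addr6_resolve()` and ipv6 module init.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel types involved; constructed for the demo. */
struct dst_entry { int ifindex; int error; };
struct flow6 { unsigned char daddr[16]; };

/* The stub table: every entry is pre-filled with a "not supported"
 * implementation and only swapped for the real one when the subsystem
 * initialises, so callers never reach uninitialised routing state. */
struct route_stub {
	int (*dst_lookup)(const struct flow6 *fl6, struct dst_entry **dst);
};

static int eafnosupport_dst_lookup(const struct flow6 *fl6, struct dst_entry **dst)
{
	(void)fl6;
	*dst = NULL;              /* keep the out-pointer deterministic on failure */
	return -EAFNOSUPPORT;
}

static struct route_stub route_stub = { .dst_lookup = eafnosupport_dst_lookup };

/* The "routing table": NULL until the subsystem is initialised. A direct
 * caller that bypassed the stub would dereference it while still NULL,
 * which is the oops the patch describes. */
static struct dst_entry route_table_storage = { .ifindex = 2, .error = 0 };
static struct dst_entry *route_table;

static int real_dst_lookup(const struct flow6 *fl6, struct dst_entry **dst)
{
	(void)fl6;
	*dst = route_table;
	return route_table ? 0 : -ENETUNREACH;
}

/* Analogous to the ipv6 module's init: install the real implementation. */
void route_subsystem_init(void)
{
	route_table = &route_table_storage;
	route_stub.dst_lookup = real_dst_lookup;
}

/* Caller side, shaped like addr6_resolve(): go through the stub, test the
 * return value, and touch dst only on success. Returns the egress
 * interface index or a negative errno. */
int resolve_ifindex(const struct flow6 *fl6)
{
	struct dst_entry *dst = NULL;
	int ret = route_stub.dst_lookup(fl6, &dst);

	if (ret < 0)
		return ret;
	return dst->ifindex;
}

/* Constructed destination: 2001::1 */
const struct flow6 demo_flow = { { 0x20, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 } };

int main(void)
{
	printf("ipv6 disabled: %d\n", resolve_ifindex(&demo_flow)); /* -EAFNOSUPPORT */
	route_subsystem_init();
	printf("ipv6 enabled:  %d\n", resolve_ifindex(&demo_flow)); /* 2 */
	return 0;
}
```

The point of the pattern is the default entry: a lookup made before (or instead of) initialisation returns `-EAFNOSUPPORT` and the caller's `ret < 0` test handles it, which is exactly the graceful failure the commit message relies on.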
* [PATCH 4.4 008/103] tpm_crb: check for bad response size
From: Greg Kroah-Hartman @ 2017-05-23 20:08 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jerry Snitselaar, Jarkko Sakkinen
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerry Snitselaar <jsnitsel@redhat.com>
commit 8569defde8057258835c51ce01a33de82e14b148 upstream.
Make sure size of response buffer is at least 6 bytes, or
we will underflow and pass large size_t to memcpy_fromio().
This was encountered while testing an earlier version of the
locality patchset.
Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface")
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm_crb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -118,8 +118,7 @@ static int crb_recv(struct tpm_chip *chi
memcpy_fromio(buf, priv->rsp, 6);
expected = be32_to_cpup((__be32 *) &buf[2]);
-
- if (expected > count)
+ if (expected > count || expected < 6)
return -EIO;
memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);
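Review bot: the new lower bound is correct (`expected - 6` can no longer wrap), but it depends on the 6-byte header copy above it already being safe, i.e. on `count >= 6` having been checked earlier in crb_recv(); if that check is missing, a small caller buffer is overrun before this line is reached. A named constant for the header size, used in both memcpy_fromio() calls and in this comparison, would make that dependency explicit instead of leaving three bare 6s.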
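The header/length handling the patch fixes, as an added example that is not the tpm_crb driver's code: a TPM 2.0 response starts with a 2-byte tag and a 4-byte big-endian total size that includes the header itself, so the receive path copies 6 header bytes and then `size - 6` more. The example puts the pre-fix check beside the post-fix one and runs both over constructed responses; the `rsp`/`rsp_len` buffer stands in for the device's MMIO response window, and the extra `rsp_len` comparison is demo-only.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_HEADER_SIZE 6   /* 2-byte tag + 4-byte big-endian total size */

static uint32_t be32_at(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Pre-fix logic: only the upper bound is checked. Rather than copying it
 * returns the length that would be handed to memcpy_fromio(), which for a
 * size field below 6 wraps to just under SIZE_MAX. */
size_t unchecked_body_len(const uint8_t *rsp, size_t count)
{
	uint32_t expected = be32_at(&rsp[2]);

	if (expected > count)
		return 0;
	return (size_t)expected - TPM_HEADER_SIZE;   /* wraps when expected < 6 */
}

/* Post-fix logic: a size that cannot even cover the header is rejected
 * before the subtraction. Returns bytes copied into buf or a negative errno. */
int crb_recv_checked(const uint8_t *rsp, size_t rsp_len, uint8_t *buf, size_t count)
{
	uint32_t expected;

	if (count < TPM_HEADER_SIZE || rsp_len < TPM_HEADER_SIZE)
		return -EIO;
	memcpy(buf, rsp, TPM_HEADER_SIZE);
	expected = be32_at(&buf[2]);
	if (expected > count || expected < TPM_HEADER_SIZE)
		return -EIO;
	if (expected > rsp_len)                       /* demo-only bound on the fake window */
		return -EIO;
	memcpy(&buf[TPM_HEADER_SIZE], &rsp[TPM_HEADER_SIZE], expected - TPM_HEADER_SIZE);
	return (int)expected;
}

/* Constructed responses: tag 0x8001 (TPM_ST_NO_SESSIONS), then the size.
 * good_rsp says 10 bytes and carries a 4-byte body; bad_rsp claims 3 bytes,
 * less than its own header. */
const uint8_t good_rsp[10] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x00 };
const uint8_t bad_rsp[10]  = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x03, 0xde, 0xad, 0xbe, 0xef };
uint8_t demo_buf[64];

int main(void)
{
	printf("unchecked length for size=3: %zu\n", unchecked_body_len(bad_rsp, sizeof demo_buf));
	printf("checked good: %d\n", crb_recv_checked(good_rsp, sizeof good_rsp, demo_buf, sizeof demo_buf));
	printf("checked bad:  %d\n", crb_recv_checked(bad_rsp, sizeof bad_rsp, demo_buf, sizeof demo_buf));
	return 0;
}
```

The size field is device-controlled, so both bounds matter: the upper one against the caller's buffer and the lower one against the header the size is supposed to include.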
* [PATCH 4.4 000/103] 4.4.70-stable review
From: Greg Kroah-Hartman @ 2017-05-23 20:08 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuahkh, patches,
ben.hutchings, stable
This is the start of the stable review cycle for the 4.4.70 release.
There are 103 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu May 25 20:08:25 UTC 2017.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.70-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.4.70-rc1
Julius Werner <jwerner@chromium.org>
drivers: char: mem: Check for address space wraparound with mmap()
J. Bruce Fields <bfields@redhat.com>
nfsd: encoders mustn't use unitialized values in error cases
Mario Kleiner <mario.kleiner.de@gmail.com>
drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
Lukas Wunner <lukas@wunner.de>
PCI: Freeze PME scan before suspending devices
David Woodhouse <dwmw@amazon.co.uk>
PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
Thomas Gleixner <tglx@linutronix.de>
tracing/kprobes: Enforce kprobes teardown after testing
Al Viro <viro@zeniv.linux.org.uk>
osf_wait4(): fix infoleak
Thomas Gleixner <tglx@linutronix.de>
genirq: Fix chained interrupt data ordering
Johan Hovold <johan@kernel.org>
uwb: fix device quirk on big-endian hosts
Daniel Micay <danielmicay@gmail.com>
stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms
James Hogan <james.hogan@imgtec.com>
metag/uaccess: Check access_ok in strncpy_from_user
James Hogan <james.hogan@imgtec.com>
metag/uaccess: Fix access_ok()
KarimAllah Ahmed <karahmed@amazon.de>
iommu/vt-d: Flush the IOTLB to get rid of the initial kdump mappings
Malcolm Priestley <tvboxspy@gmail.com>
staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.
Malcolm Priestley <tvboxspy@gmail.com>
staging: rtl8192e: fix 2 byte alignment of register BSSIDR.
Keno Fischer <keno@juliacomputing.com>
mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
Takashi Iwai <tiwai@suse.de>
xc2028: Fix use-after-free bug properly
Kristina Martsenko <kristina.martsenko@arm.com>
arm64: documentation: document tagged pointer stack constraints
Mark Rutland <mark.rutland@arm.com>
arm64: uaccess: ensure extension of access_ok() addr
Mark Rutland <mark.rutland@arm.com>
arm64: xchg: hazard against entire exchange variable
Ludovic Desroches <ludovic.desroches@microchip.com>
ARM: dts: at91: sama5d3_xplained: not all ADC channels are available
Ludovic Desroches <ludovic.desroches@microchip.com>
ARM: dts: at91: sama5d3_xplained: fix ADC vref
LiuHailong <liu.hailong6@zte.com.cn>
powerpc/64e: Fix hang when debugging programs with relocated kernel
Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
powerpc/pseries: Fix of_node_put() underflow during DLPAR remove
Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
powerpc/book3s/mce: Move add_taint() later in virtual mode
Johan Hovold <johan@kernel.org>
cx231xx-cards: fix NULL-deref at probe
Johan Hovold <johan@kernel.org>
cx231xx-audio: fix NULL-deref at probe
Johan Hovold <johan@kernel.org>
cx231xx-audio: fix init error path
Daniel Scheller <d.scheller@gmx.net>
dvb-frontends/cxd2841er: define symbol_rate_min/max in T/C fe-ops
Alyssa Milburn <amilburn@zall.org>
zr364xx: enforce minimum size when reading header
Johan Hovold <johan@kernel.org>
dib0700: fix NULL-deref at probe
Marek Szyprowski <m.szyprowski@samsung.com>
s5p-mfc: Fix unbalanced call to clock management
Johan Hovold <johan@kernel.org>
gspca: konica: add missing endpoint sanity check
Yan, Zheng <zyan@redhat.com>
ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
Matt Ranostay <matt.ranostay@konsulko.com>
iio: proximity: as3935: fix as3935_write
Dan Carpenter <dan.carpenter@oracle.com>
ipx: call ipxitf_put() in ioctl error path
Peter Hurley <peter@hurleysoftware.com>
tty: Prevent ldisc drivers from re-using stale tty fields
Johan Hovold <johan@kernel.org>
USB: hub: fix non-SS hub-descriptor handling
Johan Hovold <johan@kernel.org>
USB: hub: fix SS hub-descriptor handling
Johan Hovold <johan@kernel.org>
USB: serial: io_ti: fix div-by-zero in set_termios
Johan Hovold <johan@kernel.org>
USB: serial: mct_u232: fix big-endian baud-rate handling
Bjørn Mork <bjorn@mork.no>
USB: serial: qcserial: add more Lenovo EM74xx device IDs
Daniele Palmas <dnlplm@gmail.com>
usb: serial: option: add Telit ME910 support
Johan Hovold <johan@kernel.org>
USB: iowarrior: fix info ioctl on big-endian hosts
Peter Ujfalusi <peter.ujfalusi@ti.com>
usb: musb: tusb6010_omap: Do not reset the other direction's packet size
Alyssa Milburn <amilburn@zall.org>
ttusb2: limit messages to buffer size
Johan Hovold <johan@kernel.org>
mceusb: fix NULL-deref at probe
Johan Hovold <johan@kernel.org>
usbvision: fix NULL-deref at probe
Johan Hovold <johan@kernel.org>
net: irda: irda-usb: fix firmware name on big-endian hosts
Peter Chen <peter.chen@nxp.com>
usb: host: xhci-mem: allocate zeroed Scratchpad Buffer
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton
Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
usb: host: xhci-plat: propagate return value of platform_get_irq()
Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
sched/fair: Initialize throttle_count for new task-groups lazily
Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
sched/fair: Do not announce throttled next buddy in dequeue_task_fair()
Eric Biggers <ebiggers@google.com>
fscrypt: avoid collisions when presenting long encrypted filenames
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: check entire encrypted bigname when finding a dentry
Eric Biggers <ebiggers@google.com>
fscrypt: fix context consistency check when key(s) unavailable
Kristian Evensen <kristian.evensen@gmail.com>
net: qmi_wwan: Add SIMCom 7230E
Dan Carpenter <dan.carpenter@oracle.com>
ext4 crypto: fix some error handling
Theodore Ts'o <tytso@mit.edu>
ext4 crypto: don't let data integrity writebacks fail with ENOMEM
Andrey Korolyov <andrey@xdel.ru>
USB: serial: ftdi_sio: add Olimex ARM-USB-TINY(H) PIDs
Anthony Mallet <anthony.mallet@laas.fr>
USB: serial: ftdi_sio: fix setting latency for unprivileged users
Kirill Tkhai <ktkhai@virtuozzo.com>
pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes()
Eric W. Biederman <ebiederm@xmission.com>
pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes
Pavel Roskin <plroskin@gmail.com>
iio: dac: ad7303: fix channel description
Rob Herring <robh@kernel.org>
of: fix sparse warning in of_pci_range_parser_one
Takashi Iwai <tiwai@suse.de>
proc: Fix unbalanced hard link numbers
Tobias Herzog <t-herzog@gmx.de>
cdc-acm: fix possible invalid access when processing notification
Ben Skeggs <bskeggs@redhat.com>
drm/nouveau/tmr: handle races with hw when updating the next alarm time
Ben Skeggs <bskeggs@redhat.com>
drm/nouveau/tmr: avoid processing completed alarms when adding a new one
Ben Skeggs <bskeggs@redhat.com>
drm/nouveau/tmr: fix corruption of the pending list when rescheduling an alarm
Ben Skeggs <bskeggs@redhat.com>
drm/nouveau/tmr: ack interrupt before processing alarms
Ben Skeggs <bskeggs@redhat.com>
drm/nouveau/therm: remove ineffective workarounds for alarm bugs
Mario Kleiner <mario.kleiner.de@gmail.com>
drm/amdgpu: Make display watermark calculations more accurate
Mario Kleiner <mario.kleiner.de@gmail.com>
drm/amdgpu: Avoid overflows/divide-by-zero in latency_watermark calculations.
Johan Hovold <johan@kernel.org>
ath9k_htc: fix NULL-deref at probe
Dmitry Tunin <hanipouspilot@gmail.com>
ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device
Martin Schwidefsky <schwidefsky@de.ibm.com>
s390/cputime: fix incorrect system time
Michael Holzheu <holzheu@linux.vnet.ibm.com>
s390/kdump: Add final note
Richard Cochran <rcochran@linutronix.de>
regulator: tps65023: Fix inverted core enable logic.
Wanpeng Li <wanpeng.li@hotmail.com>
KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation
Wanpeng Li <wanpeng.li@hotmail.com>
KVM: x86: Fix load damaged SSEx MXCSR register
Daniel Glöckner <dg@emlix.com>
ima: accept previously set IMA_NEW_FILE
Brian Norris <briannorris@chromium.org>
mwifiex: pcie: fix cmd_buf use-after-free in remove/reset
Larry Finger <Larry.Finger@lwfinger.net>
rtlwifi: rtl8821ae: setup 8812ae RFE according to device type
Dennis Yang <dennisyang@qnap.com>
md: update slab_cache before releasing new stripes when stripes resizing
Joe Thornber <ejt@redhat.com>
dm space map disk: fix some book keeping in the disk space map
Joe Thornber <ejt@redhat.com>
dm thin metadata: call precommit before saving the roots
Mikulas Patocka <mpatocka@redhat.com>
dm bufio: make the parameter "retain_bytes" unsigned long
Mike Snitzer <snitzer@redhat.com>
dm cache metadata: fail operations if fail_io mode has been established
Mikulas Patocka <mpatocka@redhat.com>
dm bufio: check new buffer allocation watermark every 30 seconds
Mikulas Patocka <mpatocka@redhat.com>
dm bufio: avoid a possible ABBA deadlock
Mikulas Patocka <mpatocka@redhat.com>
dm raid: select the Kconfig option CONFIG_MD_RAID0
Vinothkumar Raja <vinraja@cs.stonybrook.edu>
dm btree: fix for dm_btree_find_lowest_key()
Paolo Abeni <pabeni@redhat.com>
infiniband: call ipv6 route lookup via the stub interface
Jerry Snitselaar <jsnitsel@redhat.com>
tpm_crb: check for bad response size
Marc Dietrich <marvin24@gmx.de>
ARM: tegra: paz00: Mark panel regulator as enabled on boot
Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
USB: core: replace %p with %pK
Willy Tarreau <w@1wt.eu>
char: lp: fix possible integer overflow in lp_setup()
Johan Hovold <johan@kernel.org>
watchdog: pcwd_usb: fix NULL-deref at probe
Alan Stern <stern@rowland.harvard.edu>
USB: ene_usb6250: fix DMA to the stack
Maksim Salau <maksim.salau@gmail.com>
usb: misc: legousbtower: Fix memory leak
Maksim Salau <maksim.salau@gmail.com>
usb: misc: legousbtower: Fix buffers on stack
-------------
Diffstat:
Documentation/arm64/tagged-pointers.txt | 62 ++++++++---
Makefile | 4 +-
arch/alpha/kernel/osf_sys.c | 6 +-
arch/arm/boot/dts/at91-sama5d3_xplained.dts | 5 +-
arch/arm/boot/dts/tegra20-paz00.dts | 1 +
arch/arm64/include/asm/cmpxchg.h | 2 +-
arch/arm64/include/asm/uaccess.h | 3 +-
arch/metag/include/asm/uaccess.h | 49 ++++++---
arch/powerpc/kernel/exceptions-64e.S | 12 ++
arch/powerpc/kernel/mce.c | 2 +
arch/powerpc/kernel/traps.c | 4 +-
arch/powerpc/platforms/pseries/dlpar.c | 1 -
arch/s390/kernel/crash_dump.c | 15 +++
arch/s390/kernel/entry.S | 21 +++-
arch/x86/kernel/fpu/init.c | 1 +
arch/x86/kvm/x86.c | 33 ++++--
drivers/char/lp.c | 6 +-
drivers/char/mem.c | 5 +
drivers/char/tpm/tpm_crb.c | 3 +-
drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 29 ++---
drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 29 ++---
drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 29 ++---
drivers/gpu/drm/drm_edid.c | 8 ++
drivers/gpu/drm/nouveau/nvkm/subdev/therm/base.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/therm/fan.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/therm/fantog.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/therm/temp.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 59 ++++++----
drivers/gpu/drm/nouveau/nvkm/subdev/timer/nv04.c | 2 +-
drivers/iio/dac/ad7303.c | 6 +-
drivers/iio/proximity/as3935.c | 3 +-
drivers/infiniband/core/addr.c | 4 +-
drivers/iommu/intel-iommu.c | 5 +-
drivers/md/Kconfig | 1 +
drivers/md/dm-bufio.c | 35 ++++--
drivers/md/dm-cache-metadata.c | 12 +-
drivers/md/dm-thin-metadata.c | 4 +-
drivers/md/persistent-data/dm-btree.c | 8 +-
drivers/md/persistent-data/dm-space-map-disk.c | 15 ++-
drivers/md/raid5.c | 6 +-
drivers/media/dvb-frontends/cxd2841er.c | 4 +-
drivers/media/platform/s5p-mfc/s5p_mfc.c | 1 +
drivers/media/rc/mceusb.c | 4 +-
drivers/media/tuners/tuner-xc2028.c | 37 +++----
drivers/media/usb/cx231xx/cx231xx-audio.c | 42 ++++---
drivers/media/usb/cx231xx/cx231xx-cards.c | 45 +++++++-
drivers/media/usb/dvb-usb/dib0700_core.c | 3 +
drivers/media/usb/dvb-usb/ttusb2.c | 19 ++++
drivers/media/usb/gspca/konica.c | 3 +
drivers/media/usb/usbvision/usbvision-video.c | 9 +-
drivers/media/usb/zr364xx/zr364xx.c | 8 ++
drivers/net/irda/irda-usb.c | 2 +-
drivers/net/usb/qmi_wwan.c | 1 +
drivers/net/wireless/ath/ath9k/hif_usb.c | 4 +
drivers/net/wireless/mwifiex/pcie.c | 7 ++
.../net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 122 ++++++++++++++++++---
.../net/wireless/realtek/rtlwifi/rtl8821ae/reg.h | 1 +
drivers/of/address.c | 2 +-
drivers/pci/pci-sysfs.c | 10 +-
drivers/pci/pci.c | 9 +-
drivers/regulator/tps65023-regulator.c | 3 +-
drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 11 +-
drivers/tty/tty_ldisc.c | 7 ++
drivers/usb/class/cdc-acm.c | 13 ++-
drivers/usb/core/devio.c | 4 +-
drivers/usb/core/hcd.c | 4 +-
drivers/usb/core/hub.c | 19 +++-
drivers/usb/core/urb.c | 2 +-
drivers/usb/host/xhci-mem.c | 2 +-
drivers/usb/host/xhci-pci.c | 7 +-
drivers/usb/host/xhci-plat.c | 2 +-
drivers/usb/misc/iowarrior.c | 2 +-
drivers/usb/misc/legousbtower.c | 38 +++++--
drivers/usb/musb/tusb6010_omap.c | 13 ++-
drivers/usb/serial/ftdi_sio.c | 10 +-
drivers/usb/serial/ftdi_sio_ids.h | 2 +
drivers/usb/serial/io_ti.c | 5 +-
drivers/usb/serial/mct_u232.c | 2 +-
drivers/usb/serial/option.c | 8 ++
drivers/usb/serial/qcserial.c | 2 +
drivers/usb/storage/ene_ub6250.c | 90 +++++++++------
drivers/uwb/i1480/dfu/usb.c | 5 +-
drivers/watchdog/pcwd_usb.c | 3 +
fs/ceph/acl.c | 4 +-
fs/ceph/inode.c | 27 +++--
fs/ceph/super.h | 1 +
fs/ext4/crypto.c | 37 ++++---
fs/ext4/crypto_fname.c | 2 +-
fs/ext4/crypto_policy.c | 66 ++++++++---
fs/ext4/ext4.h | 6 +-
fs/ext4/namei.c | 4 +-
fs/ext4/page-io.c | 14 ++-
fs/ext4/readpage.c | 2 +-
fs/f2fs/crypto_fname.c | 2 +-
fs/f2fs/crypto_policy.c | 65 ++++++++---
fs/f2fs/dir.c | 32 ++++--
fs/f2fs/f2fs.h | 3 +-
fs/f2fs/hash.c | 7 +-
fs/f2fs/inline.c | 4 +-
fs/nfsd/nfs4xdr.c | 8 +-
fs/proc/generic.c | 1 +
include/linux/kprobes.h | 4 +-
kernel/fork.c | 10 +-
kernel/irq/chip.c | 2 +-
kernel/kprobes.c | 2 +-
kernel/pid_namespace.c | 2 +-
kernel/sched/fair.c | 29 ++++-
kernel/sched/sched.h | 2 +-
kernel/trace/trace_kprobe.c | 5 +
mm/huge_memory.c | 12 +-
net/ipx/af_ipx.c | 5 +-
security/integrity/ima/ima_appraise.c | 5 +-
112 files changed, 1005 insertions(+), 443 deletions(-)
* [PATCH 4.4 018/103] md: update slab_cache before releasing new stripes when stripes resizing
From: Greg Kroah-Hartman @ 2017-05-23 20:08 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dennis Yang, NeilBrown, Shaohua Li
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dennis Yang <dennisyang@qnap.com>
commit 583da48e388f472e8818d9bb60ef6a1d40ee9f9d upstream.
When growing a raid5 device on a machine with small memory, there is a chance that
mdadm will be killed and the following bug report can be observed. The same
bug could also be reproduced in linux-4.10.6.
[57600.075774] BUG: unable to handle kernel NULL pointer dereference at (null)
[57600.083796] IP: [<ffffffff81a6aa87>] _raw_spin_lock+0x7/0x20
[57600.110378] PGD 421cf067 PUD 4442d067 PMD 0
[57600.114678] Oops: 0002 [#1] SMP
[57600.180799] CPU: 1 PID: 25990 Comm: mdadm Tainted: P O 4.2.8 #1
[57600.187849] Hardware name: To be filled by O.E.M. To be filled by O.E.M./MAHOBAY, BIOS QV05AR66 03/06/2013
[57600.197490] task: ffff880044e47240 ti: ffff880043070000 task.ti: ffff880043070000
[57600.204963] RIP: 0010:[<ffffffff81a6aa87>] [<ffffffff81a6aa87>] _raw_spin_lock+0x7/0x20
[57600.213057] RSP: 0018:ffff880043073810 EFLAGS: 00010046
[57600.218359] RAX: 0000000000000000 RBX: 000000000000000c RCX: ffff88011e296dd0
[57600.225486] RDX: 0000000000000001 RSI: ffffe8ffffcb46c0 RDI: 0000000000000000
[57600.232613] RBP: ffff880043073878 R08: ffff88011e5f8170 R09: 0000000000000282
[57600.239739] R10: 0000000000000005 R11: 28f5c28f5c28f5c3 R12: ffff880043073838
[57600.246872] R13: ffffe8ffffcb46c0 R14: 0000000000000000 R15: ffff8800b9706a00
[57600.253999] FS: 00007f576106c700(0000) GS:ffff88011e280000(0000) knlGS:0000000000000000
[57600.262078] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[57600.267817] CR2: 0000000000000000 CR3: 00000000428fe000 CR4: 00000000001406e0
[57600.274942] Stack:
[57600.276949] ffffffff8114ee35 ffff880043073868 0000000000000282 000000000000eb3f
[57600.284383] ffffffff81119043 ffff880043073838 ffff880043073838 ffff88003e197b98
[57600.291820] ffffe8ffffcb46c0 ffff88003e197360 0000000000000286 ffff880043073968
[57600.299254] Call Trace:
[57600.301698] [<ffffffff8114ee35>] ? cache_flusharray+0x35/0xe0
[57600.307523] [<ffffffff81119043>] ? __page_cache_release+0x23/0x110
[57600.313779] [<ffffffff8114eb53>] kmem_cache_free+0x63/0xc0
[57600.319344] [<ffffffff81579942>] drop_one_stripe+0x62/0x90
[57600.324915] [<ffffffff81579b5b>] raid5_cache_scan+0x8b/0xb0
[57600.330563] [<ffffffff8111b98a>] shrink_slab.part.36+0x19a/0x250
[57600.336650] [<ffffffff8111e38c>] shrink_zone+0x23c/0x250
[57600.342039] [<ffffffff8111e4f3>] do_try_to_free_pages+0x153/0x420
[57600.348210] [<ffffffff8111e851>] try_to_free_pages+0x91/0xa0
[57600.353959] [<ffffffff811145b1>] __alloc_pages_nodemask+0x4d1/0x8b0
[57600.360303] [<ffffffff8157a30b>] check_reshape+0x62b/0x770
[57600.365866] [<ffffffff8157a4a5>] raid5_check_reshape+0x55/0xa0
[57600.371778] [<ffffffff81583df7>] update_raid_disks+0xc7/0x110
[57600.377604] [<ffffffff81592b73>] md_ioctl+0xd83/0x1b10
[57600.382827] [<ffffffff81385380>] blkdev_ioctl+0x170/0x690
[57600.388307] [<ffffffff81195238>] block_ioctl+0x38/0x40
[57600.393525] [<ffffffff811731c5>] do_vfs_ioctl+0x2b5/0x480
[57600.399010] [<ffffffff8115e07b>] ? vfs_write+0x14b/0x1f0
[57600.404400] [<ffffffff811733cc>] SyS_ioctl+0x3c/0x70
[57600.409447] [<ffffffff81a6ad97>] entry_SYSCALL_64_fastpath+0x12/0x6a
[57600.415875] Code: 00 00 00 00 55 48 89 e5 8b 07 85 c0 74 04 31 c0 5d c3 ba 01 00 00 00 f0 0f b1 17 85 c0 75 ef b0 01 5d c3 90 31 c0 ba 01 00 00 00 <f0> 0f b1 17 85 c0 75 01 c3 55 89 c6 48 89 e5 e8 85 d1 63 ff 5d
[57600.435460] RIP [<ffffffff81a6aa87>] _raw_spin_lock+0x7/0x20
[57600.441208] RSP <ffff880043073810>
[57600.444690] CR2: 0000000000000000
[57600.448000] ---[ end trace cbc6b5cc4bf9831d ]---
The problem is that resize_stripes() releases new stripe_heads before assigning the new
slab cache to conf->slab_cache. If the shrinker function raid5_cache_scan() gets called
after resize_stripes() has started releasing new stripes but right before the new slab cache
is assigned, it is possible that these new stripe_heads will be freed with the old
slab_cache, which had already been destroyed, and that triggers this bug.
Signed-off-by: Dennis Yang <dennisyang@qnap.com>
Fixes: edbe83ab4c27 ("md/raid5: allow the stripe_cache to grow and shrink.")
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/raid5.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -2232,6 +2232,10 @@ static int resize_stripes(struct r5conf
err = -ENOMEM;
mutex_unlock(&conf->cache_size_mutex);
+
+ conf->slab_cache = sc;
+ conf->active_name = 1-conf->active_name;
+
/* Step 4, return new stripes to service */
while(!list_empty(&newstripes)) {
nsh = list_entry(newstripes.next, struct stripe_head, lru);
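Review bot: the two stores are placed after `mutex_unlock(&conf->cache_size_mutex)` rather than before it, so nothing visible here orders them against raid5_cache_scan(), the shrinker in the trace above; moving them above the unlock costs nothing and removes the question entirely. Also add a comment stating the invariant this fix depends on: `conf->slab_cache` must point at the new cache before the first new stripe is returned to service in the loop below, since from that moment the shrinker can free it.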
@@ -2249,8 +2253,6 @@ static int resize_stripes(struct r5conf
}
/* critical section pass, GFP_NOIO no longer needed */
- conf->slab_cache = sc;
- conf->active_name = 1-conf->active_name;
if (!err)
conf->pool_size = newsize;
return err;
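Review bot: with the cache switch moved up, the `-ENOMEM` path from the page allocation in step 4 now returns with `conf->slab_cache` and `conf->active_name` already switched but `conf->pool_size` unchanged, and with the new stripes already released; the comment `critical section pass, GFP_NOIO no longer needed` that is left behind should say that the cache switch is committed at this point regardless of `err`, so nobody reintroduces the assignment here "for symmetry".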
* [PATCH 4.4 028/103] ath9k_htc: fix NULL-deref at probe
From: Greg Kroah-Hartman @ 2017-05-23 20:08 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Kalle Valo
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.
Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1217,6 +1217,9 @@ static int send_eject_command(struct usb
u8 bulk_out_ep;
int r;
+ if (iface_desc->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
/* Find bulk out endpoint */
for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc;
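Review bot: the literal 2 silently mirrors the loop bound `for (r = 1; r >= 0; r--)` just below it, and nothing ties the two together if the loop is ever widened. Derive one from the other (a named constant used by both, or a `r < iface_desc->desc.bNumEndpoints` test inside the loop) and note in a comment that the endpoint array is device-supplied, which is why the count cannot be trusted.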
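The descriptor check the commit message describes, as an added example that is not ath9k code: a USB interface descriptor's endpoint array is sized by a device-supplied `bNumEndpoints`, so the count has to be validated before any index is used. The example goes beyond the patch's count check and also verifies transfer type and direction, since a device can lie about those just as easily. The descriptor structs, the `find_bulk_out_ep` function and the three constructed interfaces are simplified stand-ins for the real `struct usb_interface_descriptor`/`usb_endpoint_descriptor` and the driver's `send_eject_command()`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DIR_OUT                0x00
#define USB_ENDPOINT_DIR_MASK      0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3

/* Simplified descriptor shapes; only the fields the check needs. */
struct endpoint_desc {
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint16_t wMaxPacketSize;
};

struct interface_desc {
	uint8_t bNumEndpoints;
	const struct endpoint_desc *endpoint;  /* bNumEndpoints entries, device-supplied */
};

/* Returns the address of the first bulk OUT endpoint, or -ENODEV.
 * The count is checked before any endpoint[] access; then type and
 * direction are checked so a device that presents an interrupt IN pipe
 * where a bulk OUT pipe was expected is rejected rather than misused. */
int find_bulk_out_ep(const struct interface_desc *iface)
{
	unsigned int i;

	if (iface->bNumEndpoints < 1 || iface->endpoint == NULL)
		return -ENODEV;

	for (i = 0; i < iface->bNumEndpoints; i++) {
		const struct endpoint_desc *ep = &iface->endpoint[i];

		if ((ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) != USB_ENDPOINT_XFER_BULK)
			continue;
		if ((ep->bEndpointAddress & USB_ENDPOINT_DIR_MASK) != USB_DIR_OUT)
			continue;
		return ep->bEndpointAddress;
	}
	return -ENODEV;
}

/* Constructed descriptors. A well-behaved device: bulk IN 0x81, bulk OUT 0x02. */
static const struct endpoint_desc sane_eps[2] = {
	{ 0x81, USB_ENDPOINT_XFER_BULK, 512 },
	{ 0x02, USB_ENDPOINT_XFER_BULK, 512 },
};
const struct interface_desc sane_iface = { 2, sane_eps };

/* Malicious: claims the interface but exposes no endpoints at all. */
const struct interface_desc empty_iface = { 0, NULL };

/* Malicious: right count, wrong kinds (both interrupt IN). */
static const struct endpoint_desc wrong_eps[2] = {
	{ 0x81, USB_ENDPOINT_XFER_INT, 64 },
	{ 0x82, USB_ENDPOINT_XFER_INT, 64 },
};
const struct interface_desc wrong_iface = { 2, wrong_eps };

int main(void)
{
	printf("sane:  %d\n", find_bulk_out_ep(&sane_iface));   /* 2 */
	printf("empty: %d\n", find_bulk_out_ep(&empty_iface));  /* -ENODEV */
	printf("wrong: %d\n", find_bulk_out_ep(&wrong_iface));  /* -ENODEV */
	return 0;
}
```

Indexing `endpoint[r]` for a fixed `r` with no count check is the NULL-deref/out-of-bounds read the patch closes; checking the pipe's type and direction as well turns a descriptor that merely has enough entries into one that actually has the pipe the driver is about to use.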
* [PATCH 4.4 033/103] drm/nouveau/tmr: fix corruption of the pending list when rescheduling an alarm
From: Greg Kroah-Hartman @ 2017-05-23 20:08 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Skeggs
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Skeggs <bskeggs@redhat.com>
commit 9fc64667ee48c9a25e7dca1a6bcb6906fec5bcc5 upstream.
At least therm/fantog "attempts" to work around this issue, which could
lead to corruption of the pending alarm list.
Fix it properly by not updating the timestamp without the lock held, or
trying to add an already pending alarm to the pending alarm list....
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
@@ -65,14 +65,17 @@ nvkm_timer_alarm(struct nvkm_timer *tmr,
struct nvkm_alarm *list;
unsigned long flags;
- alarm->timestamp = nvkm_timer_read(tmr) + nsec;
-
- /* append new alarm to list, in soonest-alarm-first order */
+ /* Remove alarm from pending list.
+ *
+ * This both protects against the corruption of the list,
+ * and implements alarm rescheduling/cancellation.
+ */
spin_lock_irqsave(&tmr->lock, flags);
- if (!nsec) {
- if (!list_empty(&alarm->head))
- list_del(&alarm->head);
- } else {
+ list_del_init(&alarm->head);
+
+ if (nsec) {
+ /* Insert into pending list, ordered earliest to latest. */
+ alarm->timestamp = nvkm_timer_read(tmr) + nsec;
list_for_each_entry(list, &tmr->alarms, head) {
if (list->timestamp > alarm->timestamp)
break;
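Review bot: the unconditional `list_del_init(&alarm->head)` is only safe for an alarm whose `head` was initialised with INIT_LIST_HEAD before its first use; a zeroed `struct nvkm_alarm` would dereference NULL `prev`/`next`. The old `list_empty()` test had the same requirement, so this is not a regression, but it is worth one sentence in the comment block above the lock. The comment could also say that `alarm->timestamp` is now computed under `tmr->lock`, since that is half of what the fix changes and the diff otherwise reads as a pure reorder.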
* [PATCH 4.4 035/103] drm/nouveau/tmr: handle races with hw when updating the next alarm time
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Skeggs
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Skeggs <bskeggs@redhat.com>
commit 1b0f84380b10ee97f7d2dd191294de9017e94d1d upstream.
If the time to the next alarm is short enough, we could race with HW and
end up with an ~4 second delay until it triggers.
Fix this by checking again after we update HW.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 26 ++++++++++++++---------
1 file changed, 16 insertions(+), 10 deletions(-)
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
@@ -36,23 +36,29 @@ nvkm_timer_alarm_trigger(struct nvkm_tim
unsigned long flags;
LIST_HEAD(exec);
- /* move any due alarms off the pending list */
+ /* Process pending alarms. */
spin_lock_irqsave(&tmr->lock, flags);
list_for_each_entry_safe(alarm, atemp, &tmr->alarms, head) {
- if (alarm->timestamp <= nvkm_timer_read(tmr))
- list_move_tail(&alarm->head, &exec);
+ /* Have we hit the earliest alarm that hasn't gone off? */
+ if (alarm->timestamp > nvkm_timer_read(tmr)) {
+ /* Schedule it. If we didn't race, we're done. */
+ tmr->func->alarm_init(tmr, alarm->timestamp);
+ if (alarm->timestamp > nvkm_timer_read(tmr))
+ break;
+ }
+
+ /* Move to completed list. We'll drop the lock before
+ * executing the callback so it can reschedule itself.
+ */
+ list_move_tail(&alarm->head, &exec);
}
- /* reschedule interrupt for next alarm time */
- if (!list_empty(&tmr->alarms)) {
- alarm = list_first_entry(&tmr->alarms, typeof(*alarm), head);
- tmr->func->alarm_init(tmr, alarm->timestamp);
- } else {
+ /* Shut down interrupt if no more pending alarms. */
+ if (list_empty(&tmr->alarms))
tmr->func->alarm_fini(tmr);
- }
spin_unlock_irqrestore(&tmr->lock, flags);
- /* execute any pending alarm handlers */
+ /* Execute completed callbacks. */
list_for_each_entry_safe(alarm, atemp, &exec, head) {
list_del_init(&alarm->head);
alarm->func(alarm);
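Review bot: the loop now programs `alarm_init()` for every not-yet-due alarm it reaches, so when the race is lost on one alarm the next one is programmed on the following iteration; that is correct only because the list is kept sorted earliest-first (the `break` assumes it), so state that invariant in the `Process pending alarms.` comment. `nvkm_timer_read()` is also read twice per iteration on purpose; a short comment that the second read is the race check would stop a later cleanup from folding the two reads into one local.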
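A userspace model of the two alarm fixes above (033/103, the pending-list corruption, and 035/103, the race with hardware), as an added example that is not nouveau code: alarms live in a list sorted by timestamp; scheduling an alarm first unlinks it, so rescheduling or cancelling an already-pending alarm cannot link it twice, and the trigger path re-reads the clock after programming the "hardware" so a deadline that passed in between runs now instead of after the counter wraps. The list helpers, the fake clock, the `hw_alarm_init()` step and the `race_delay` knob that injects the race are all constructed for the demo; nothing here is the driver's API.

```c
#include <stdbool.h>
#include <stdint.h>

struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_del_init(struct list_head *e)
{
	e->prev->next = e->next; e->next->prev = e->prev; list_init(e);
}
/* Link e just before pos; pos == the list head appends at the tail. */
static void list_add_before(struct list_head *e, struct list_head *pos)
{
	e->prev = pos->prev; e->next = pos; pos->prev->next = e; pos->prev = e;
}

/* head is the first member, so a head pointer is also an alarm pointer. */
struct alarm { struct list_head head; uint64_t timestamp; int fired; };

struct timer {
	struct list_head alarms; /* pending alarms, sorted earliest first */
	uint64_t now;            /* fake free-running counter */
	bool hw_armed;           /* is the "comparator" programmed? */
	uint64_t race_delay;     /* demo knob: ticks that pass inside hw_alarm_init() */
};

void timer_init(struct timer *t) { *t = (struct timer){ 0 }; list_init(&t->alarms); }
/* Every alarm must be set up once before its first timer_alarm(). */
void alarm_setup(struct alarm *a) { *a = (struct alarm){ 0 }; list_init(&a->head); }

/* Model of tmr->func->alarm_init(): programming takes time, which is what
 * lets a close deadline slip past while we are doing it. */
static void hw_alarm_init(struct timer *t) { t->hw_armed = true; t->now += t->race_delay; }

/* nvkm_timer_alarm() after the fix: unlink first (which is also how
 * rescheduling and cancelling work), then compute the deadline and insert
 * in order. nsec == 0 cancels. */
void timer_alarm(struct timer *t, uint64_t nsec, struct alarm *a)
{
	struct list_head *pos;
	list_del_init(&a->head);
	if (!nsec)
		return;
	a->timestamp = t->now + nsec;
	for (pos = t->alarms.next; pos != &t->alarms; pos = pos->next)
		if (((struct alarm *)pos)->timestamp > a->timestamp)
			break;
	list_add_before(&a->head, pos);
}

/* nvkm_timer_alarm_trigger() after the fix. Returns the number of alarms run. */
int timer_trigger(struct timer *t)
{
	struct list_head exec, *pos, *tmp;
	int ran = 0;
	list_init(&exec);
	for (pos = t->alarms.next; pos != &t->alarms; pos = tmp) {
		struct alarm *a = (struct alarm *)pos;
		tmp = pos->next;
		if (a->timestamp > t->now) {
			hw_alarm_init(t);
			if (a->timestamp > t->now) /* no race: hardware fires later */
				break;
		}
		list_del_init(&a->head);       /* due, or raced: run it now */
		list_add_before(&a->head, &exec);
	}
	if (t->alarms.next == &t->alarms)
		t->hw_armed = false;
	for (pos = exec.next; pos != &exec; pos = tmp) { /* callbacks run outside the lock */
		tmp = pos->next;
		list_del_init(pos);
		((struct alarm *)pos)->fired++;
		ran++;
	}
	return ran;
}

/* Scenario: b is rescheduled while pending, then a short deadline on a
 * races with hardware programming. Returns 1 when both are handled. */
int demo_race_is_handled(void)
{
	struct timer t;
	struct alarm a, b;
	timer_init(&t);
	alarm_setup(&a);
	alarm_setup(&b);
	timer_alarm(&t, 100, &a);
	timer_alarm(&t, 50, &b);
	timer_alarm(&t, 200, &b); /* reschedule: b must move, not be linked twice */
	if (t.alarms.next != &a.head || a.head.next != &b.head || b.head.next != &t.alarms)
		return 0;             /* expected order: a(100), b(200) */
	t.race_delay = 10;        /* programming the comparator takes 10 ticks */
	t.now = 95;               /* a is 5 ticks away and will be missed by hardware */
	if (timer_trigger(&t) != 1)
		return 0;
	return a.fired == 1 && b.fired == 0 && t.alarms.next == &b.head &&
	       b.head.next == &t.alarms && t.hw_armed;
}
```

Without the second clock read, `a` would stay on the pending list with the comparator already past its deadline, which is the multi-second delay the second patch describes; without the unconditional unlink, the reschedule of `b` would have inserted a node that was still linked, corrupting the list.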
* [PATCH 4.4 040/103] pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vovo Yang, Guenter Roeck,
Eric W. Biederman
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric W. Biederman <ebiederm@xmission.com>
commit b9a985db98961ae1ba0be169f19df1c567e4ffe0 upstream.
The code can potentially sleep for an indefinite amount of time in
zap_pid_ns_processes triggering the hung task timeout, and increasing
the system average. This is undesirable. Sleep with a task state of
TASK_INTERRUPTIBLE instead of TASK_UNINTERRUPTIBLE to remove these
undesirable side effects.
Apparently under heavy load this has been allowing Chrome to trigger
the hung task timeout error and cause ChromeOS to reboot.
Reported-by: Vovo Yang <vovoy@google.com>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Fixes: 6347e9009104 ("pidns: guarantee that the pidns init will be the last pidns process reaped")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/pid_namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -255,7 +255,7 @@ void zap_pid_ns_processes(struct pid_nam
* if reparented.
*/
for (;;) {
- set_current_state(TASK_UNINTERRUPTIBLE);
+ set_current_state(TASK_INTERRUPTIBLE);
if (pid_ns->nr_hashed == init_pids)
break;
schedule();
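Review bot: with TASK_INTERRUPTIBLE a pending signal makes `schedule()` return immediately, so this `for (;;)` becomes a busy loop until `nr_hashed` drops to `init_pids`. If that cannot happen because the caller is already on its way out and no further signals are delivered to it, say so in a comment above the loop; otherwise the loop needs to handle `signal_pending()` explicitly.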
* [PATCH 4.4 041/103] pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes()
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kirill Tkhai, Andrew Morton,
Ingo Molnar, Peter Zijlstra, Oleg Nesterov, Mike Rapoport,
Michal Hocko, Andy Lutomirski, Eric W. Biederman, Andrei Vagin,
Cyrill Gorcunov, Serge Hallyn
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kirill Tkhai <ktkhai@virtuozzo.com>
commit 3fd37226216620c1a468afa999739d5016fbc349 upstream.
Imagine we have a pid namespace and a task from its parent's pid_ns,
which has done setns() into the pid namespace. The task is doing fork(),
while the pid namespace's child reaper is dying. We have the race
between them:
Task from parent pid_ns            Child reaper
copy_process()                     ..
  alloc_pid()                      ..
  ..                               zap_pid_ns_processes()
  ..                                 disable_pid_allocation()
  ..                                 read_lock(&tasklist_lock)
  ..                                 iterate over pids in pid_ns
  ..                                   kill tasks linked to pids
  ..                                 read_unlock(&tasklist_lock)
  write_lock_irq(&tasklist_lock);  ..
  attach_pid(p, PIDTYPE_PID);      ..
  ..                               ..
So the just-created task p won't receive the SIGKILL signal,
and the pid namespace will be in a contradictory state.
Only a manual kill will help there, but does userspace
care about this? I suppose most users just inject
a task into a pid namespace and wait for a SIGCHLD from it.
The patch fixes the problem. It simply checks for
(pid_ns->nr_hashed & PIDNS_HASH_ADDING) in copy_process().
We do it under the tasklist_lock, and can't skip
PIDNS_HASH_ADDING as noted by Oleg:
"zap_pid_ns_processes() does disable_pid_allocation()
and then takes tasklist_lock to kill the whole namespace.
Given that copy_process() checks PIDNS_HASH_ADDING
under write_lock(tasklist) they can't race;
if copy_process() takes this lock first, the new child will
be killed, otherwise copy_process() can't miss
the change in ->nr_hashed."
If allocation is disabled, we just return -ENOMEM
like it's made for such cases in alloc_pid().
v2: Do not move disable_pid_allocation(), do not
introduce a new variable in copy_process() and simplify
the patch as suggested by Oleg Nesterov.
Account the problem with double irq enabling
found by Eric W. Biederman.
Fixes: c876ad768215 ("pidns: Stop pid allocation when init dies")
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Ingo Molnar <mingo@kernel.org>
CC: Peter Zijlstra <peterz@infradead.org>
CC: Oleg Nesterov <oleg@redhat.com>
CC: Mike Rapoport <rppt@linux.vnet.ibm.com>
CC: Michal Hocko <mhocko@suse.com>
CC: Andy Lutomirski <luto@kernel.org>
CC: "Eric W. Biederman" <ebiederm@xmission.com>
CC: Andrei Vagin <avagin@openvz.org>
CC: Cyrill Gorcunov <gorcunov@openvz.org>
CC: Serge Hallyn <serge@hallyn.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/fork.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1590,11 +1590,13 @@ static struct task_struct *copy_process(
*/
recalc_sigpending();
if (signal_pending(current)) {
- spin_unlock(¤t->sighand->siglock);
- write_unlock_irq(&tasklist_lock);
retval = -ERESTARTNOINTR;
goto bad_fork_cancel_cgroup;
}
+ if (unlikely(!(ns_of_pid(pid)->nr_hashed & PIDNS_HASH_ADDING))) {
+ retval = -ENOMEM;
+ goto bad_fork_cancel_cgroup;
+ }
if (likely(p->pid)) {
ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
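Review bot: the new `if (unlikely(!(ns_of_pid(pid)->nr_hashed & PIDNS_HASH_ADDING)))` test returns -ENOMEM for a namespace whose reaper is exiting; that mirrors alloc_pid() but tells a fork() caller nothing about why, so a one-line comment on what is being detected, and that the test must stay under tasklist_lock to pair with disable_pid_allocation(), would help the next reader. Note also that this check and the signal_pending() path just above now both depend on bad_fork_cancel_cgroup releasing siglock and tasklist_lock, so both gotos must remain inside the locked region.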
@@ -1645,6 +1647,8 @@ static struct task_struct *copy_process(
return p;
bad_fork_cancel_cgroup:
+ spin_unlock(¤t->sighand->siglock);
+ write_unlock_irq(&tasklist_lock);
cgroup_cancel_fork(p, cgrp_ss_priv);
bad_fork_free_pid:
threadgroup_change_end(current);
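Review bot: moving the siglock and tasklist_lock unlocks under the bad_fork_cancel_cgroup label means every jump to this label must arrive with both locks held; in the hunk above only the signal_pending() path and the new PIDNS_HASH_ADDING check do, so a future goto placed before the locks are taken would unlock unheld locks. A comment at the label stating that precondition would guard against it. (The `¤t` in the two unlock lines is the archive rendering `&current` as an HTML entity, not the patch text.)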
^ permalink raw reply
* [PATCH 4.4 042/103] USB: serial: ftdi_sio: fix setting latency for unprivileged users
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anthony Mallet, Johan Hovold
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anthony Mallet <anthony.mallet@laas.fr>
commit bb246681b3ed0967489a7401ad528c1aaa1a4c2e upstream.
Commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY
flag") enables unprivileged users to set the FTDI latency timer,
but there was a logic flaw that skipped sending the corresponding
USB control message to the device.
Specifically, the device latency timer would not be updated until next
open, something which was later also inadvertently broken by commit
c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port
probe").
A recent commit c6dce2626606 ("USB: serial: ftdi_sio: fix extreme
low-latency setting") disabled the low-latency mode by default so we now
need this fix to allow unprivileged users to again enable it.
Signed-off-by: Anthony Mallet <anthony.mallet@laas.fr>
[johan: amend commit message]
Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag")
Fixes: c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port probe").
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1508,9 +1508,9 @@ static int set_serial_info(struct tty_st
(new_serial.flags & ASYNC_FLAGS));
priv->custom_divisor = new_serial.custom_divisor;
+check_and_exit:
write_latency_timer(port);
-check_and_exit:
if ((old_priv.flags & ASYNC_SPD_MASK) !=
(priv->flags & ASYNC_SPD_MASK)) {
if ((priv->flags & ASYNC_SPD_MASK) == ASYNC_SPD_HI)
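Review bot: with `check_and_exit:` moved above `write_latency_timer(port);`, the latency timer is now written on the unprivileged path as intended, but it is also written on every set_serial_info() call whether or not ASYNC_LOW_LATENCY changed, and the return value of write_latency_timer() is discarded, so a failed control transfer goes unreported; consider gating the call on a change of the flag and at least logging a non-zero return.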
^ permalink raw reply
* [PATCH 4.4 045/103] ext4 crypto: fix some error handling
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Theodore Tso,
Eric Biggers
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 4762cc3fbbd89e5fd316d6e4d3244a8984444f8d upstream.
We should be testing for -ENOMEM but the minus sign is missing.
Fixes: c9af28fdd449 ('ext4 crypto: don't let data integrity writebacks fail with ENOMEM')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/page-io.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -492,7 +492,7 @@ int ext4_bio_write_page(struct ext4_io_s
data_page = ext4_encrypt(inode, page, gfp_flags);
if (IS_ERR(data_page)) {
ret = PTR_ERR(data_page);
- if (ret == ENOMEM && wbc->sync_mode == WB_SYNC_ALL) {
+ if (ret == -ENOMEM && wbc->sync_mode == WB_SYNC_ALL) {
if (io->io_bio) {
ext4_io_submit(io);
congestion_wait(BLK_RW_ASYNC, HZ/50);
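Review bot: the sign fix is correct: ext4_encrypt() returns an ERR_PTR, so PTR_ERR() yields a negative errno and `ret == ENOMEM` could never match, which left the WB_SYNC_ALL retry path below as dead code and let data-integrity writeback fail under allocation pressure. Nothing further is needed in this hunk.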
^ permalink raw reply
* [PATCH 4.4 053/103] xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathias Nyman
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit a0c16630d35a874e82bdf2088f58ecaca1024315 upstream.
Intel Denverton microserver is Atom based and needs the PME and CAS quirks
as well.
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-pci.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -52,6 +52,7 @@
#define PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI 0x0aa8
#define PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI 0x1aa8
#define PCI_DEVICE_ID_INTEL_APL_XHCI 0x5aa8
+#define PCI_DEVICE_ID_INTEL_DNV_XHCI 0x19d0
static const char hcd_name[] = "xhci_hcd";
@@ -167,12 +168,14 @@ static void xhci_pci_quirks(struct devic
pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI ||
pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI ||
- pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI)) {
+ pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_DNV_XHCI)) {
xhci->quirks |= XHCI_PME_STUCK_QUIRK;
}
if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
(pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
- pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI))
+ pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_DNV_XHCI))
xhci->quirks |= XHCI_MISSING_CAS;
if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
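Review bot: the same list of Intel device IDs is now duplicated across the PME_STUCK and MISSING_CAS conditions and had to be edited in both places; a single predicate for the Atom-family xHCI controllers, or a quirk table keyed by device ID, would keep the next addition from missing one of them. The 0x19d0 ID added in the first hunk is given without a source in the commit message, so it is worth confirming against the PCI ID the Denverton xHCI actually exposes.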
^ permalink raw reply
* [PATCH 4.4 056/103] [media] usbvision: fix NULL-deref at probe
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Thierry MERLE, Johan Hovold,
Hans Verkuil, Mauro Carvalho Chehab
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit eacb975b48272f54532b62f515a3cf7eefa35123 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.
Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface
modification")
Cc: Thierry MERLE <thierry.merle@free.fr>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/usbvision/usbvision-video.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1523,7 +1523,14 @@ static int usbvision_probe(struct usb_in
}
for (i = 0; i < usbvision->num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < 2) {
+ ret = -ENODEV;
+ goto err_pkt;
+ }
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
wMaxPacketSize);
usbvision->alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
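Review bot: the `bNumEndpoints < 2` check guarantees endpoint[1] exists before `uif->altsetting[i].endpoint[1].desc.wMaxPacketSize` is read, but nothing verifies that endpoint[1] has the transfer type and direction the driver assumes, so a device with the right endpoint count but the wrong endpoint types still gets through; a usb_endpoint_is_isoc_in()-style check on that endpoint would close that. Also confirm that the err_pkt label (not in the hunk) releases whatever the probe allocated before this loop.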
^ permalink raw reply
* Re: Patch "nfsd: Fix up the "supattr_exclcreat" attributes" has been added to the 4.4-stable tree
From: J. Bruce Fields @ 2017-05-23 20:38 UTC (permalink / raw)
To: Greg KH; +Cc: trond.myklebust, stable, stable-commits, linux-nfs
In-Reply-To: <20170523192339.GA30111@kroah.com>
On Tue, May 23, 2017 at 09:23:39PM +0200, Greg KH wrote:
> Oops, nope, this breaks the build on 4.4, can someone please provide a
> working backport as it is "supposed" to be added to that kernel...
The issue is
916d2d844afd "nfsd: clean up supported attribute handling"
dcd208697707 "nfsd: fix supported attributes for acl & labels"
which replaced 3 numbered constants by an array, and went in between 4.8
and 4.10.
But for the purposes of older stable branches, best is probably just to
use the old constants. I'll send an updated patch.
--b.
>
> thanks,
>
> greg k-h
>
> On Tue, May 23, 2017 at 08:37:32PM +0200, gregkh@linuxfoundation.org wrote:
> >
> > This is a note to let you know that I've just added the patch titled
> >
> > nfsd: Fix up the "supattr_exclcreat" attributes
> >
> > to the 4.4-stable tree which can be found at:
> > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >
> > The filename of the patch is:
> > nfsd-fix-up-the-supattr_exclcreat-attributes.patch
> > and it can be found in the queue-4.4 subdirectory.
> >
> > If you, or anyone else, feels it should not be added to the stable tree,
> > please let <stable@vger.kernel.org> know about it.
> >
> >
> > From b26b78cb726007533d81fdf90a62e915002ef5c8 Mon Sep 17 00:00:00 2001
> > From: Trond Myklebust <trond.myklebust@primarydata.com>
> > Date: Tue, 9 May 2017 16:24:59 -0400
> > Subject: nfsd: Fix up the "supattr_exclcreat" attributes
> >
> > From: Trond Myklebust <trond.myklebust@primarydata.com>
> >
> > commit b26b78cb726007533d81fdf90a62e915002ef5c8 upstream.
> >
> > If an NFSv4 client asks us for the supattr_exclcreat, then we must
> > not return attributes that are unsupported by this minor version.
> >
> > Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
> > Fixes: 75976de6556f ("NFSD: Return word2 bitmask if setting security..,")
> > Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > ---
> > fs/nfsd/nfs4xdr.c | 11 ++++++++---
> > 1 file changed, 8 insertions(+), 3 deletions(-)
> >
> > --- a/fs/nfsd/nfs4xdr.c
> > +++ b/fs/nfsd/nfs4xdr.c
> > @@ -2753,9 +2753,14 @@ out_acl:
> > }
> > #endif /* CONFIG_NFSD_PNFS */
> > if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) {
> > - status = nfsd4_encode_bitmap(xdr, NFSD_SUPPATTR_EXCLCREAT_WORD0,
> > - NFSD_SUPPATTR_EXCLCREAT_WORD1,
> > - NFSD_SUPPATTR_EXCLCREAT_WORD2);
> > + u32 supp[3];
> > +
> > + memcpy(supp, nfsd_suppattrs[minorversion], sizeof(supp));
> > + supp[0] &= NFSD_SUPPATTR_EXCLCREAT_WORD0;
> > + supp[1] &= NFSD_SUPPATTR_EXCLCREAT_WORD1;
> > + supp[2] &= NFSD_SUPPATTR_EXCLCREAT_WORD2;
> > +
> > + status = nfsd4_encode_bitmap(xdr, supp[0], supp[1], supp[2]);
> > if (status)
> > goto out;
> > }
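Review bot: `nfsd_suppattrs[minorversion]` is what breaks the 4.4 build: that array only exists after the two cleanups named in the reply above. For the 4.4 backport, fill `supp[]` from the per-minor-version supported-attribute constants the 4.4 tree already defines and then mask each word with NFSD_SUPPATTR_EXCLCREAT_WORDn exactly as this hunk does; also check that `minorversion` is in scope at this point of nfsd4_encode_fattr() in 4.4.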
> >
> >
> > Patches currently in stable-queue which might be from trond.myklebust@primarydata.com are
> >
> > queue-4.4/nfsd-fix-up-the-supattr_exclcreat-attributes.patch
^ permalink raw reply
* [PATCH 4.4 025/103] s390/kdump: Add final note
From: Greg Kroah-Hartman @ 2017-05-23 20:08 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Michael Holzheu, Martin Schwidefsky
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
commit dcc00b79fc3d076832f7240de8870f492629b171 upstream.
Since linux v3.14 with commit 38dfac843cb6d7be1 ("vmcore: prevent PT_NOTE
p_memsz overflow during header update") on s390 we get the following
message in the kdump kernel:
Warning: Exceeded p_memsz, dropping PT_NOTE entry n_namesz=0x6b6b6b6b,
n_descsz=0x6b6b6b6b
The reason for this is that we don't create a final zero note in
the ELF header which the proc/vmcore code uses to find out the end
of the notes section (see also kernel/kexec_core.c:final_note()).
It still worked on s390 by chance because we (most of the time?) have the
byte pattern 0x6b6b6b6b after the notes section which also makes the notes
parsing code stop in update_note_header_size_elf64() because 0x6b6b6b6b is
interpreded as note size:
if ((real_sz + sz) > max_sz) {
pr_warn("Warning: Exceeded p_memsz, dropping P ...);
break;
}
So fix this and add the missing final note to the ELF header.
We don't have to adjust the memory size for ELF header ("alloc_size")
because the new ELF note still fits into the 0x1000 base memory.
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kernel/crash_dump.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/arch/s390/kernel/crash_dump.c
+++ b/arch/s390/kernel/crash_dump.c
@@ -464,6 +464,20 @@ static void *nt_vmcoreinfo(void *ptr)
}
/*
+ * Initialize final note (needed for /proc/vmcore code)
+ */
+static void *nt_final(void *ptr)
+{
+ Elf64_Nhdr *note;
+
+ note = (Elf64_Nhdr *) ptr;
+ note->n_namesz = 0;
+ note->n_descsz = 0;
+ note->n_type = 0;
+ return PTR_ADD(ptr, sizeof(Elf64_Nhdr));
+}
+
+/*
* Initialize ELF header (new kernel)
*/
static void *ehdr_init(Elf64_Ehdr *ehdr, int mem_chunk_cnt)
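Review bot: nt_final() emits a zero Elf64_Nhdr (12 bytes), but the commit message relies on that still fitting inside the 0x1000 base allocation instead of adding sizeof(Elf64_Nhdr) to the alloc_size computation; please account for it explicitly so the terminator does not depend on slack. A note with n_namesz, n_descsz and n_type all zero is the same terminator kernel/kexec_core.c's final_note() writes, so the /proc/vmcore parser will stop there as intended.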
@@ -553,6 +567,7 @@ static void *notes_init(Elf64_Phdr *phdr
ptr = fill_cpu_elf_notes(ptr, &sa_ext->sa, sa_ext->vx_regs);
}
ptr = nt_vmcoreinfo(ptr);
+ ptr = nt_final(ptr);
memset(phdr, 0, sizeof(*phdr));
phdr->p_type = PT_NOTE;
phdr->p_offset = notes_offset;
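Review bot: `ptr = nt_final(ptr);` is placed before the phdr fields are filled in, so the PT_NOTE p_filesz/p_memsz (computed further down, outside this hunk) will cover the terminator only if they are derived from this updated ptr; confirm that, otherwise /proc/vmcore still runs past the end of the notes segment.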
^ permalink raw reply
* [PATCH 4.4 026/103] s390/cputime: fix incorrect system time
From: Greg Kroah-Hartman @ 2017-05-23 20:08 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christian Borntraeger,
Martin Schwidefsky
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
commit 07a63cbe8bcb6ba72fb989dcab1ec55ec6c36c7e upstream.
git commit c5328901aa1db134 "[S390] entry[64].S improvements" removed
the update of the exit_timer lowcore field from the critical section
cleanup of the .Lsysc_restore/.Lsysc_done and .Lio_restore/.Lio_done
blocks. If the PSW is updated by the critical section cleanup to point to
user space again, the interrupt entry code will do a vtime calculation
after the cleanup completed with an exit_timer value which has *not* been
updated. Due to this, incorrect system time deltas are calculated.
If an interrupt occurred with an old PSW between .Lsysc_restore/.Lsysc_done
or .Lio_restore/.Lio_done, update __LC_EXIT_TIMER with the system entry
time of the interrupt.
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kernel/entry.S | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
--- a/arch/s390/kernel/entry.S
+++ b/arch/s390/kernel/entry.S
@@ -308,6 +308,7 @@ ENTRY(system_call)
lg %r14,__LC_VDSO_PER_CPU
lmg %r0,%r10,__PT_R0(%r11)
mvc __LC_RETURN_PSW(16),__PT_PSW(%r11)
+.Lsysc_exit_timer:
stpt __LC_EXIT_TIMER
mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER
lmg %r11,%r15,__PT_R11(%r11)
@@ -593,6 +594,7 @@ ENTRY(io_int_handler)
lg %r14,__LC_VDSO_PER_CPU
lmg %r0,%r10,__PT_R0(%r11)
mvc __LC_RETURN_PSW(16),__PT_PSW(%r11)
+.Lio_exit_timer:
stpt __LC_EXIT_TIMER
mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER
lmg %r11,%r15,__PT_R11(%r11)
@@ -1118,15 +1120,23 @@ cleanup_critical:
br %r14
.Lcleanup_sysc_restore:
+ # check if stpt has been executed
clg %r9,BASED(.Lcleanup_sysc_restore_insn)
+ jh 0f
+ mvc __LC_EXIT_TIMER(8),__LC_ASYNC_ENTER_TIMER
+ cghi %r11,__LC_SAVE_AREA_ASYNC
je 0f
+ mvc __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER
+0: clg %r9,BASED(.Lcleanup_sysc_restore_insn+8)
+ je 1f
lg %r9,24(%r11) # get saved pointer to pt_regs
mvc __LC_RETURN_PSW(16),__PT_PSW(%r9)
mvc 0(64,%r11),__PT_R8(%r9)
lmg %r0,%r7,__PT_R0(%r9)
-0: lmg %r8,%r9,__LC_RETURN_PSW
+1: lmg %r8,%r9,__LC_RETURN_PSW
br %r14
.Lcleanup_sysc_restore_insn:
+ .quad .Lsysc_exit_timer
.quad .Lsysc_done - 4
.Lcleanup_io_tif:
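Review bot: in .Lcleanup_sysc_restore the new `jh 0f` skips the exit-timer fix-up once %r9 is past .Lsysc_exit_timer (stpt has already run), and `cghi %r11,__LC_SAVE_AREA_ASYNC` selects __LC_ASYNC_ENTER_TIMER versus __LC_MCCK_ENTER_TIMER by which save area the interrupting entry used; a comment naming the two cases (asynchronous interrupt versus machine check) at the cghi would make the branch readable. The local labels were also renumbered, with the old `je 0f` target now `1f`, so double-check that no other jump into this block still expects the old `0:`.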
@@ -1134,15 +1144,20 @@ cleanup_critical:
br %r14
.Lcleanup_io_restore:
+ # check if stpt has been executed
clg %r9,BASED(.Lcleanup_io_restore_insn)
- je 0f
+ jh 0f
+ mvc __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER
+0: clg %r9,BASED(.Lcleanup_io_restore_insn+8)
+ je 1f
lg %r9,24(%r11) # get saved r11 pointer to pt_regs
mvc __LC_RETURN_PSW(16),__PT_PSW(%r9)
mvc 0(64,%r11),__PT_R8(%r9)
lmg %r0,%r7,__PT_R0(%r9)
-0: lmg %r8,%r9,__LC_RETURN_PSW
+1: lmg %r8,%r9,__LC_RETURN_PSW
br %r14
.Lcleanup_io_restore_insn:
+ .quad .Lio_exit_timer
.quad .Lio_done - 4
.Lcleanup_idle:
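Review bot: .Lcleanup_io_restore uses `mvc __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER` unconditionally, whereas the sysc variant above distinguishes asynchronous and machine-check entry via %r11; this only holds if the io restore critical section can be interrupted by a machine check alone, which is not stated anywhere in the hunk and deserves a comment next to the mvc.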
^ permalink raw reply
* [PATCH 4.4 065/103] USB: hub: fix SS hub-descriptor handling
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, John Youn, Alan Stern, Johan Hovold
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 2c25a2c818023df64463aac3288a9f969491e507 upstream.
A SuperSpeed hub descriptor does not have any variable-length fields so
bail out when reading a short descriptor.
This avoids parsing and leaking two bytes of uninitialised slab data
through sysfs removable-attributes.
Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
Cc: John Youn <John.Youn@synopsys.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -376,8 +376,12 @@ static int get_hub_descriptor(struct usb
USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
dtype << 8, 0, data, size,
USB_CTRL_GET_TIMEOUT);
- if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2))
+ if (hub_is_superspeed(hdev)) {
+ if (ret == size)
+ return ret;
+ } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
return ret;
+ }
}
return -EINVAL;
}
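Review bot: for SuperSpeed hubs the loop now accepts only `ret == size`; usb_control_msg() cannot return more than the requested length, so this rejects exactly the short descriptor that exposed two uninitialised bytes, and a negative ret simply falls through to the retry. One gap remains in this patch: a non-SS hub is still accepted at USB_DT_HUB_NONVAR_SIZE + 2 regardless of bNbrPorts, so the variable-length DeviceRemovable field is not validated here.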
@@ -1303,7 +1307,7 @@ static int hub_configure(struct usb_hub
/* Request the entire hub descriptor.
* hub->descriptor can handle USB_MAXCHILDREN ports,
- * but the hub can/will return fewer bytes here.
+ * but a (non-SS) hub can/will return fewer bytes here.
*/
ret = get_hub_descriptor(hdev, hub->descriptor);
if (ret < 0) {
^ permalink raw reply
* [PATCH 4.4 066/103] USB: hub: fix non-SS hub-descriptor handling
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Alan Stern
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit bec444cd1c94c48df409a35ad4e5b143c245c3f7 upstream.
Add missing sanity check on the non-SuperSpeed hub-descriptor length in
order to avoid parsing and leaking two bytes of uninitialised slab data
through sysfs removable-attributes (or a compound-device debug
statement).
Note that we only make sure that the DeviceRemovable field is always
present (and specifically ignore the unused PortPwrCtrlMask field) in
order to continue to support any hubs with non-compliant descriptors. As a
further safeguard, the descriptor buffer is also cleared.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -358,7 +358,8 @@ static void usb_set_lpm_parameters(struc
}
/* USB 2.0 spec Section 11.24.4.5 */
-static int get_hub_descriptor(struct usb_device *hdev, void *data)
+static int get_hub_descriptor(struct usb_device *hdev,
+ struct usb_hub_descriptor *desc)
{
int i, ret, size;
unsigned dtype;
@@ -374,12 +375,16 @@ static int get_hub_descriptor(struct usb
for (i = 0; i < 3; i++) {
ret = usb_control_msg(hdev, usb_rcvctrlpipe(hdev, 0),
USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
- dtype << 8, 0, data, size,
+ dtype << 8, 0, desc, size,
USB_CTRL_GET_TIMEOUT);
if (hub_is_superspeed(hdev)) {
if (ret == size)
return ret;
- } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
+ } else if (ret >= USB_DT_HUB_NONVAR_SIZE + 2) {
+ /* Make sure we have the DeviceRemovable field. */
+ size = USB_DT_HUB_NONVAR_SIZE + desc->bNbrPorts / 8 + 1;
+ if (ret < size)
+ return -EMSGSIZE;
return ret;
}
}
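Review bot: `size = USB_DT_HUB_NONVAR_SIZE + desc->bNbrPorts / 8 + 1` is the right byte count for the DeviceRemovable bitmap (bNbrPorts + 1 bits rounded up to whole bytes), but it reuses the loop's request-size variable; both branches return immediately so a retry is never affected, yet a separate local such as min_size would make that obvious. For a large bNbrPorts the computed value can exceed sizeof(*desc), which only makes the check stricter because ret can never reach it, so that is safe but worth a comment.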
@@ -1299,7 +1304,7 @@ static int hub_configure(struct usb_hub
}
mutex_init(&hub->status_mutex);
- hub->descriptor = kmalloc(sizeof(*hub->descriptor), GFP_KERNEL);
+ hub->descriptor = kzalloc(sizeof(*hub->descriptor), GFP_KERNEL);
if (!hub->descriptor) {
ret = -ENOMEM;
goto fail;
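Review bot: kzalloc() here is the right complement to the -EMSGSIZE check above: if a non-compliant hub returns fewer bytes than the structure holds, anything read beyond ret is now zero rather than stale slab contents. No further change needed in this hunk.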
^ permalink raw reply
* [PATCH 4.4 067/103] tty: Prevent ldisc drivers from re-using stale tty fields
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tilman Schmidt, Sasha Levin,
Peter Hurley, Amit Pundir
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Hurley <peter@hurleysoftware.com>
commit dd42bf1197144ede075a9d4793123f7689e164bc upstream.
Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].
Harden the ldisc interface against misuse by initializing relevant
tty fields before instancing the new line discipline.
[1]
commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
Author: Tilman Schmidt <tilman@imap.cc>
Date: Tue Jul 14 00:37:13 2015 +0200
isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
[2] Report from Sasha Levin <sasha.levin@oracle.com>
[ 634.336761] ==================================================================
[ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
[ 634.339558] Read of size 4 by task syzkaller_execu/8981
[ 634.340359] =============================================================================
[ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
...
[ 634.405018] Call Trace:
[ 634.405277] dump_stack (lib/dump_stack.c:52)
[ 634.405775] print_trailer (mm/slub.c:655)
[ 634.406361] object_err (mm/slub.c:662)
[ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
[ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
[ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
[ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
[ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
[ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
[ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
Cc: Tilman Schmidt <tilman@imap.cc>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/tty_ldisc.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/tty/tty_ldisc.c
+++ b/drivers/tty/tty_ldisc.c
@@ -421,6 +421,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush);
* prevent the ldisc driver from re-using stale information for
* the new ldisc instance.
*
+ * The line discipline-related tty_struct fields are reset to
+ * prevent the ldisc driver from re-using stale information for
+ * the new ldisc instance.
+ *
* Locking: takes termios_rwsem
*/
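Review bot: the context lines immediately above the added paragraph already read "prevent the ldisc driver from re-using stale information for the new ldisc instance", so as rendered this hunk leaves the same three-line paragraph twice in the kernel-doc block; check the hunk context against the 4.4 tree and drop the duplicate if it is real.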
@@ -619,6 +623,9 @@ static void tty_reset_termios(struct tty
tty->termios.c_ispeed = tty_termios_input_baud_rate(&tty->termios);
tty->termios.c_ospeed = tty_termios_baud_rate(&tty->termios);
up_write(&tty->termios_rwsem);
+
+ tty->disc_data = NULL;
+ tty->receive_room = 0;
}
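Review bot: per the hunk header these resets land in tty_reset_termios(), i.e. the hangup path, but the KASAN report above is on tty_ioctl -> tty_set_ldisc -> tty_ldisc_open, where the new ldisc's open() reads the previous ldisc's freed disc_data; confirm that in 4.4 this function is also run on the set-ldisc path before tty_ldisc_open(), or the reported use-after-free in x25_asy_open_tty() is not covered. The `tty->disc_data = NULL;` store sits after up_write(), which is fine only if ldisc changes are serialised by a lock other than termios_rwsem; say which one in a comment.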
^ permalink raw reply
* [PATCH 4.4 071/103] [media] gspca: konica: add missing endpoint sanity check
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hans de Goede, Johan Hovold,
Hans Verkuil, Mauro Carvalho Chehab
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream.
Make sure to check the number of endpoints to avoid accessing memory
beyond the endpoint array should a device lack the expected endpoints.
Note that, as far as I can tell, the gspca framework has already made
sure there is at least one endpoint in the current alternate setting so
there should be no risk for a NULL-pointer dereference here.
Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for
konica chipset using cams")
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hansverk@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/gspca/konica.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/usb/gspca/konica.c
+++ b/drivers/media/usb/gspca/konica.c
@@ -188,6 +188,9 @@ static int sd_start(struct gspca_dev *gs
return -EIO;
}
+ if (alt->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
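Review bot: the only endpoint access visible after the new `bNumEndpoints < 2` guard is `alt->endpoint[0]`, so the threshold of 2 implies a later endpoint[1] read outside the hunk; a short comment stating which two endpoints the driver expects, ideally with a transfer-type and direction check on them, would make the bound self-documenting.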
^ permalink raw reply
* [PATCH 4.4 074/103] [media] zr364xx: enforce minimum size when reading header
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Alyssa Milburn, Mauro Carvalho Chehab
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alyssa Milburn <amilburn@zall.org>
commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream.
This code copies actual_length-128 bytes from the header, which will
underflow if the received buffer is too small.
Signed-off-by: Alyssa Milburn <amilburn@zall.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/zr364xx/zr364xx.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -604,6 +604,14 @@ static int zr364xx_read_video_callback(s
ptr = pdest = frm->lpvbits;
if (frm->ulState == ZR364XX_READ_IDLE) {
+ if (purb->actual_length < 128) {
+ /* header incomplete */
+ dev_info(&cam->udev->dev,
+ "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
+ __func__, purb->actual_length);
+ return -EINVAL;
+ }
+
frm->ulState = ZR364XX_READ_FRAME;
frm->cur_size = 0;
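Review bot: rejecting `purb->actual_length < 128` before the length is used fixes the underflow, but `dev_info()` on every short URB is unbounded against a device that keeps sending runt packets; use dev_dbg() or dev_info_ratelimited(). The literal 128 is the same header size the commit message's actual_length-128 copy relies on, so give it a named constant used in both places so they cannot drift, and confirm the caller treats the new -EINVAL return the same way as the callback's other error returns.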
^ permalink raw reply
* [PATCH 4.4 083/103] ARM: dts: at91: sama5d3_xplained: not all ADC channels are available
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ludovic Desroches, Nicolas Ferre,
Alexandre Belloni
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ludovic Desroches <ludovic.desroches@microchip.com>
commit d3df1ec06353e51fc44563d2e7e18d42811af290 upstream.
Remove ADC channels that are not available by default on the sama5d3_xplained
board (resistor not populated) in order to not create confusion.
Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/at91-sama5d3_xplained.dts | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts
+++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts
@@ -163,9 +163,9 @@
adc0: adc@f8018000 {
atmel,adc-vref = <3300>;
+ atmel,adc-channels-used = <0xfe>;
pinctrl-0 = <
&pinctrl_adc0_adtrg
- &pinctrl_adc0_ad0
&pinctrl_adc0_ad1
&pinctrl_adc0_ad2
&pinctrl_adc0_ad3
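Review bot: `atmel,adc-channels-used = <0xfe>` enables channels 1..7, which matches the pinctrl entries left once ad0 (this hunk) and ad8/ad9 (the next) are removed; the mask and the pinctrl list now have to be kept in step, and a comment naming the unpopulated resistors would tell a board rework exactly what to re-enable.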
@@ -173,8 +173,6 @@
&pinctrl_adc0_ad5
&pinctrl_adc0_ad6
&pinctrl_adc0_ad7
- &pinctrl_adc0_ad8
- &pinctrl_adc0_ad9
>;
status = "okay";
};
^ permalink raw reply
* [PATCH 4.4 086/103] arm64: documentation: document tagged pointer stack constraints
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dave Martin, Will Deacon,
Kristina Martsenko, Catalin Marinas
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kristina Martsenko <kristina.martsenko@arm.com>
commit f0e421b1bf7af97f026e1bb8bfe4c5a7a8c08f42 upstream.
Some kernel features don't currently work if a task puts a non-zero
address tag in its stack pointer, frame pointer, or frame record entries
(FP, LR).
For example, with a tagged stack pointer, the kernel can't deliver
signals to the process, and the task is killed instead. As another
example, with a tagged frame pointer or frame records, perf fails to
generate call graphs or resolve symbols.
For now, just document these limitations, instead of finding and fixing
everything that doesn't work, as it's not known if anyone needs to use
tags in these places anyway.
In addition, as requested by Dave Martin, generalize the limitations
into a general kernel address tag policy, and refactor
tagged-pointers.txt to include it.
Fixes: d50240a5f6ce ("arm64: mm: permit use of tagged pointers at EL0")
Reviewed-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/arm64/tagged-pointers.txt | 66 +++++++++++++++++++++++---------
1 file changed, 49 insertions(+), 17 deletions(-)
--- a/Documentation/arm64/tagged-pointers.txt
+++ b/Documentation/arm64/tagged-pointers.txt
@@ -11,24 +11,56 @@ in AArch64 Linux.
The kernel configures the translation tables so that translations made
via TTBR0 (i.e. userspace mappings) have the top byte (bits 63:56) of
the virtual address ignored by the translation hardware. This frees up
-this byte for application use, with the following caveats:
+this byte for application use.
- (1) The kernel requires that all user addresses passed to EL1
- are tagged with tag 0x00. This means that any syscall
- parameters containing user virtual addresses *must* have
- their top byte cleared before trapping to the kernel.
-
- (2) Non-zero tags are not preserved when delivering signals.
- This means that signal handlers in applications making use
- of tags cannot rely on the tag information for user virtual
- addresses being maintained for fields inside siginfo_t.
- One exception to this rule is for signals raised in response
- to watchpoint debug exceptions, where the tag information
- will be preserved.
-
- (3) Special care should be taken when using tagged pointers,
- since it is likely that C compilers will not hazard two
- virtual addresses differing only in the upper byte.
+
+Passing tagged addresses to the kernel
+--------------------------------------
+
+All interpretation of userspace memory addresses by the kernel assumes
+an address tag of 0x00.
+
+This includes, but is not limited to, addresses found in:
+
+ - pointer arguments to system calls, including pointers in structures
+ passed to system calls,
+
+ - the stack pointer (sp), e.g. when interpreting it to deliver a
+ signal,
+
+ - the frame pointer (x29) and frame records, e.g. when interpreting
+ them to generate a backtrace or call graph.
+
+Using non-zero address tags in any of these locations may result in an
+error code being returned, a (fatal) signal being raised, or other modes
+of failure.
+
+For these reasons, passing non-zero address tags to the kernel via
+system calls is forbidden, and using a non-zero address tag for sp is
+strongly discouraged.
+
+Programs maintaining a frame pointer and frame records that use non-zero
+address tags may suffer impaired or inaccurate debug and profiling
+visibility.
+
+
+Preserving tags
+---------------
+
+Non-zero tags are not preserved when delivering signals. This means that
+signal handlers in applications making use of tags cannot rely on the
+tag information for user virtual addresses being maintained for fields
+inside siginfo_t. One exception to this rule is for signals raised in
+response to watchpoint debug exceptions, where the tag information will
+be preserved.
The architecture prevents the use of a tagged PC, so the upper byte will
be set to a sign-extension of bit 55 on exception return.
+
+
+Other considerations
+--------------------
+
+Special care should be taken when using tagged pointers, since it is
+likely that C compilers will not hazard two virtual addresses differing
+only in the upper byte.
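Review bot: the new "Passing tagged addresses to the kernel" section calls tagged syscall arguments "forbidden" and a tagged sp "strongly discouraged" without saying what enforcement backs either word; since the same section admits the outcome may be an error code, a fatal signal "or other modes of failure", add one sentence stating that the kernel neither validates nor strips the tag, so readers do not expect a clean error return, and consider cross-referencing "Preserving tags" from the sp bullet, because signal delivery is where both limitations meet.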
* [PATCH 4.4 088/103] mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Keno Fischer, Kirill A. Shutemov,
Greg Thelen, Nicholas Piggin, Willy Tarreau, Oleg Nesterov,
Kees Cook, Andy Lutomirski, Michal Hocko, Hugh Dickins,
Andrew Morton, Linus Torvalds, Amit Pundir
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keno Fischer <keno@juliacomputing.com>
commit 8310d48b125d19fcd9521d83b8293e63eb1646aa upstream.
In commit 19be0eaffa3a ("mm: remove gup_flags FOLL_WRITE games from
__get_user_pages()"), the mm code was changed from unsetting FOLL_WRITE
after a COW was resolved to setting the (newly introduced) FOLL_COW
instead. Simultaneously, the check in gup.c was updated to still allow
writes with FOLL_FORCE set if FOLL_COW had also been set.
However, a similar check in huge_memory.c was forgotten. As a result,
remote memory writes to ro regions of memory backed by transparent huge
pages cause an infinite loop in the kernel (handle_mm_fault sets
FOLL_COW and returns 0 causing a retry, but follow_trans_huge_pmd bails
out immediately because `(flags & FOLL_WRITE) && !pmd_write(*pmd)` is
true).
While in this state the process is still SIGKILLable, but little else
works (e.g. no ptrace attach, no other signals). This is easily
reproduced with the following code (assuming thp are set to always):
#include <assert.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TEST_SIZE 5 * 1024 * 1024

int main(void) {
    int status;
    pid_t child;
    int fd = open("/proc/self/mem", O_RDWR);
    void *addr = mmap(NULL, TEST_SIZE, PROT_READ,
                      MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    assert(addr != MAP_FAILED);
    pid_t parent_pid = getpid();
    if ((child = fork()) == 0) {
        void *addr2 = mmap(NULL, TEST_SIZE, PROT_READ | PROT_WRITE,
                           MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
        assert(addr2 != MAP_FAILED);
        memset(addr2, 'a', TEST_SIZE);
        pwrite(fd, addr2, TEST_SIZE, (uintptr_t)addr);
        return 0;
    }
    assert(child == waitpid(child, &status, 0));
    assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
    return 0;
}
Fix this by updating follow_trans_huge_pmd in huge_memory.c analogously
to the update in gup.c in the original commit. The same pattern exists
in follow_devmap_pmd. However, we should not be able to reach that
check with FOLL_COW set, so add WARN_ONCE to make sure we notice if we
ever do.
[akpm@linux-foundation.org: coding-style fixes]
Link: http://lkml.kernel.org/r/20170106015025.GA38411@juliacomputing.com
Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[AmitP: Minor refactoring of upstream changes for linux-3.18.y,
where follow_devmap_pmd() doesn't exist.]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/huge_memory.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1269,6 +1269,16 @@ out_unlock:
return ret;
}
+/*
+ * FOLL_FORCE can write to even unwritable pmd's, but only
+ * after we've gone through a COW cycle and they are dirty.
+ */
+static inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)
+{
+ return pmd_write(pmd) ||
+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));
+}
+
struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
unsigned long addr,
pmd_t *pmd,
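Review bot: can_follow_write_pmd() lets FOLL_FORCE write through a read-only pmd only when FOLL_COW is set and pmd_dirty() is true; the dirty bit is what proves the COW copy already happened (the huge page was written when it was copied), so the comment above the helper should say that explicitly instead of the terse "and they are dirty", and should point at the gup.c check the changelog says this mirrors so the two stay in sync.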
@@ -1279,7 +1289,7 @@ struct page *follow_trans_huge_pmd(struc
assert_spin_locked(pmd_lockptr(mm, pmd));
- if (flags & FOLL_WRITE && !pmd_write(*pmd))
+ if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, flags))
goto out;
/* Avoid dumping huge zero page */
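Review bot: the changelog still says "add WARN_ONCE" to follow_devmap_pmd, yet no hunk touches that function and the diffstat is 11 insertions/1 deletion, while the bracketed backport note talks about linux-3.18.y although this is a 4.4-stable patch; update the note to describe what was dropped for 4.4 so the stable record matches the code. The changed condition itself is fine: `flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, flags)` keeps the fast path for writable pmds and only consults the FOLL_FORCE/FOLL_COW path when the pmd is read-only.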
* [PATCH 4.4 090/103] staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.
From: Greg Kroah-Hartman @ 2017-05-23 20:09 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley
In-Reply-To: <20170523200856.903752266@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Malcolm Priestley <tvboxspy@gmail.com>
commit 90be652c9f157d44b9c2803f902a8839796c090d upstream.
EPROM_CMD is 2 byte aligned on PCI map so calling with rtl92e_readl
will return invalid data so use rtl92e_readw.
The device is unable to select the right eeprom type.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
+++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
@@ -627,7 +627,7 @@ void rtl92e_get_eeprom_size(struct net_d
struct r8192_priv *priv = rtllib_priv(dev);
RT_TRACE(COMP_INIT, "===========>%s()\n", __func__);
- curCR = rtl92e_readl(dev, EPROM_CMD);
+ curCR = rtl92e_readw(dev, EPROM_CMD);
RT_TRACE(COMP_INIT, "read from Reg Cmd9346CR(%x):%x\n", EPROM_CMD,
curCR);
priv->epromtype = (curCR & EPROM_CMD_9356SEL) ? EEPROM_93C56 :
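Review bot: switching to rtl92e_readw fixes this read, but the hunk shows neither the declaration of curCR nor the other accessors touching EPROM_CMD; check that curCR is a 16-bit (or explicitly masked) type so the RT_TRACE output and the EPROM_CMD_9356SEL test see only the 16 bits the register holds, and audit the remaining EPROM_CMD reads and writes in this driver for the same width mismatch, since a 32-bit access at a 2-byte-aligned offset is what produced the invalid data here.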