* [PATCH 3.16 000/410] 3.16.57-rc1 review
@ 2018-06-07 14:05 Ben Hutchings
From: Ben Hutchings @ 2018-06-07 14:05 UTC
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm

This is the start of the stable review cycle for the 3.16.57 release.
There are 410 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Jun 14 18:00:00 UTC 2018.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

Adrian Hunter (2):
      mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
         [f8870ae6e2d6be75b1accc2db981169fdfbea7ab]
      mmc: sdhci: Allow override of mmc host operations
         [bf60e592a1af4d6f65dd54593250183f14360eed]

Al Viro (2):
      Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()
         [51bda2bca53b265715ca1852528f38dc67429d9a]
      lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
         [3b821409632ab778d46e807516b457dfa72736ed]

Alaa Hleihel (1):
      IB/ipoib: Do not warn if IPoIB debugfs doesn't exist
         [14fa91e0fef8e4d6feb8b1fa2a807828e0abe815]

Alex Chen (1):
      ocfs2: subsystem.su_mutex is required while accessing the  item->ci_parent
         [853bc26a7ea39e354b9f8889ae7ad1492ffa28d2]

Alex Deucher (2):
      drm/radeon: Add dpm quirk for Jet PRO (v2)
         [239b5f64e12b1f09f506c164dff0374924782979]
      drm/radeon: fix KV harvesting
         [0b58d90f89545e021d188c289fa142e5ff9e708b]

Alexander Graf (1):
      KVM: PPC: Book3S PR: Fix svcpu copying with preemption enabled
         [07ae5389e98c53bb9e9f308fce9c903bc3ee7720]

Alexander Potapenko (1):
      netlink: make sure nladdr has correct size in netlink_connect()
         [7880287981b60a6808f39f297bb66936e8bdf57a]

Alexandra Yates (3):
      Adding Intel Lewisburg device IDs for SATA
         [f5bdd66c705484b4bc77eb914be15c1b7881fae7]
      ahci: Order SATA device IDs for codename Lewisburg
         [4d92f0099a06ef0e36c7673f7c090f1a448b2d1b]
      ahci: add new Intel device IDs
         [56e74338a535cbcc2f2da08b1ea1a92920194364]

Alexandru Ardelean (1):
      staging: iio: adc: ad7192: fix external frequency setting
         [e31b617d0a63c6558485aaa730fd162faa95a766]

Alexey Kodanev (4):
      dccp: check sk for closed state in dccp_sendmsg()
         [67f93df79aeefc3add4e4b31a752600f834236e2]
      sch_netem: fix skb leak in netem_enqueue()
         [35d889d10b649fda66121891ec05eca88150059d]
      sctp: verify size of a new chunk in _sctp_make_chunk()
         [07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c]
      udplite: fix partial checksum initialization
         [15f35d49c93f4fa9875235e7bf3e3783d2dd7a1b]

Aman Deep (1):
      usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks()
         [46408ea558df13b110e0866b99624384a33bdeba]

Anand Jain (1):
      btrfs: use proper endianness accessors for super_copy
         [3c181c12c431fe33b669410d663beb9cceefcd1b]

Andi Shyti (1):
      Input: mms114 - fix license module information
         [498e7e7ed1fd72c275a682f0903c4a20cc538658]

Andrew F. Davis (1):
      ARM: dts: omap3-n900: Fix the audio CODEC's reset pin
         [7be4b5dc7ffa9499ac6ef33a5ffa9ff43f9b7057]

Andri Yngvason (3):
      can: cc770: Fix queue stall & dropped RTR reply
         [746201235b3f876792099079f4c6fea941d76183]
      can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack
         [f4353daf4905c0099fd25fa742e2ffd4a4bab26a]
      can: cc770: Fix use after free in cc770_tx_interrupt()
         [9ffd7503944ec7c0ef41c3245d1306c221aef2be]

Andy Lutomirski (1):
      x86/entry/64: Don't use IST entry for #BP stack
         [d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9]

Andy Shevchenko (1):
      x86/cpu: Rename Merrifield2 to Moorefield
         [f5fbf848303c8704d0e1a1e7cabd08fd0a49552f]

Anna-Maria Gleixner (1):
      hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
         [48d0c9becc7f3c66874c100c126459a9da0fdced]

Arend Van Spriel (1):
      brcmfmac: fix P2P_DEVICE ethernet address generation
         [455f3e76cfc0d893585a5f358b9ddbe9c1e1e53b]

Arkadi Sharshevsky (1):
      team: Fix double free in error path
         [cbcc607e18422555db569b593608aec26111cb0b]

Arnaldo Carvalho de Melo (3):
      perf evlist: Introduce perf_evlist__new_dummy constructor
         [5bae0250237f7a5ec4355f9920701de247b8db91]
      perf record: Generate PERF_RECORD_{MMAP,COMM,EXEC} with --delay
         [d3dbf43c56f9176be325ce1cc72a44c8d3c210dc]
      perf report: Fix -D output for user metadata events
         [f250b09c779550e4a7a412dae6d3ad34d5201019]

Arnd Bergmann (7):
      cfg80211: fix cfg80211_beacon_dup
         [bee92d06157fc39d5d7836a061c7d41289a55797]
      cifs: silence compiler warnings showing up with gcc-8.0.0
         [ade7db991b47ab3016a414468164f4966bd08202]
      media: exynos4-is: properly initialize frame format
         [97913bcbe6da3957af27d9fdd76b3d97b99e6d6a]
      mm: hide a #warning for COMPILE_TEST
         [af27d9403f5b80685b79c88425086edccecaf711]
      scsi: fas216: fix sense buffer initialization
         [96d5eaa9bb74d299508d811d865c2c41b38b0301]
      x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
         [85c615eb52222bc5fab6c7190d146bc59fac289e]
      x86/pti: Mark constant arrays as __initconst
         [4bf5d56d429cbc96c23d809a08f63cd29e1a702e]

Ashok Raj (1):
      KVM/x86: Add IBPB support
         [15d45071523d89b3fb7372e2135fbd72f6af9506]

Aurelien Aptel (1):
      CIFS: zero sensitive data when freeing
         [97f4b7276b829a8927ac903a119bef2f963ccc58]

Baolin Wang (1):
      usb: gadget: f_fs: Fix possibe deadlock
         [b3ce3ce02d146841af012d08506b4071db8ffde3]

Bart Van Assche (1):
      pktcdvd: Fix pkt_setup_dev() error path
         [5a0ec388ef0f6e33841aeb810d7fa23f049ec4cd]

Bastian Stender (1):
      mmc: block: fix updating ext_csd caches on ioctl call
         [e74ef2194b41ba5e511fab29fe5ff00e72d2f42a]

Ben Crocker (1):
      drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE
         [2c83029cda55a5e7665c7c6326909427d6a01350]

Ben Hutchings (3):
      skb: Add skb_postpush_rcsum()
         [f8ffad69c9f8b8dfb0b633425d4ef4d2493ba61a]
      staging: android: ashmem: Fix a race condition in pin ioctls
         [ce8a3a9e76d0193e2e8d74a06d275b3c324ca652]
      xen: Add xen_arch_suspend()
         [2b953a5e994ce279904ec70220f7d4f31d380a0a]

Benjamin Poirier (1):
      e1000e: Fix check_for_link return value with autoneg off
         [4e7dc08e57c95673d2edaba8983c3de4dd1f65f5]

Bjorn Andersson (1):
      PM / devfreq: Propagate error from devfreq_add_device()
         [d1bf2d30728f310f72296b54f0651ecdb09cbb12]

Boris Ostrovsky (1):
      xen/arm: Define xen_arch_suspend()
         [ffb7dbed47da6ac4460b606a3feee295bbe4d9e2]

Boris Pismenny (1):
      IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
         [c2b37f76485f073f020e60b5954b6dc4e55f693c]

Borislav Petkov (2):
      x86, microcode: Fix accessing dis_ucode_ldr on 32-bit
         [85be07c32496dc264661308e4d9d4e9ccaff8072]
      x86/microcode/AMD: Do not load when running on a hypervisor
         [a15a753539eca8ba243d576f02e7ca9c4b7d7042]

Charles_Rose@Dell.com (1):
      ahci: Add Device ID for Intel Sunrise Point PCH
         [c5967b79ecabe2baca40658d9073e28b30d7f6cf]

Chenjie (1):
      mm/madvise.c: fix madvise() infinite loop under special circumstances
         [6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91]

Chien Tin Tung (1):
      RDMA/ucma: Correct option size check using optlen
         [5f3e3b85cc0a5eae1c46d72e47d3de7bf208d9e2]

Christian Borntraeger (1):
      KVM: s390: provide io interrupt kvm_stat
         [09a0fb67536a49af19f2bfc632100e9de91fe526]

Christian König (2):
      drm/radeon: fix prime teardown order
         [0f4f715bc6bed3bf14c5cd7d5fe88d443e756b14]
      drm/ttm: fix adding foreign BOs to the swap LRU
         [ed704a43e84cc536081423dcd3491acf2791aaeb]

Christophe JAILLET (3):
      media: bt8xx: Fix err 'bt878_probe()'
         [45392ff6881dbe56d41ef0b17c2e576065f8ffa1]
      power: supply: ab8500_charger: Bail out in case of error in 'ab8500_charger_init_hw_registers()'
         [09edcb647542487864e23aa8d2ef26be3e08978a]
      power: supply: ab8500_charger: Fix an error handling path
         [bf59fddde1c3eab89eb8dca8f3d3dc097887d2bb]

Clay McClure (1):
      ubi: Fix race condition between ubi volume creation and udev
         [a51a0c8d213594bc094cb8e54aad0cb6d7f7b9a6]

Colin Ian King (3):
      clocksource/drivers/fsl_ftm_timer: Fix error return checking
         [f287eb9013ccf199cbfa4eabd80c36fedfc15a73]
      scsi: aacraid: remove redundant setting of variable c
         [91814744646351a470f256fbcb853fb5a7229a9f]
      wl1251: check return from call to wl1251_acx_arp_ip_filter
         [ac1181c60822292176ab96912208ec9f9819faf8]

Cong Wang (2):
      netfilter: ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()
         [db93a3632b0f8773a3899e04a3a3e0aa7a26eb46]
      netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
         [7dc68e98757a8eccf8ca7a53a29b896f1eef1f76]

Corentin Labbe (2):
      ia64: convert unwcheck.py to python3
         [bd5edbe677948d0883f59d9625c444818d5284b1]
      powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n
         [c1e150ceb61e4a585bad156da15c33bfe89f5858]

Dan Aloni (1):
      cifs: empty TargetInfo leads to crash on recovery
         [cabfb3680f78981d26c078a26e5c748531257ebb]

Dan Carpenter (10):
      ALSA: pcm: potential uninitialized return values
         [5607dddbfca774fb38bffadcb077fe03aa4ac5c6]
      ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
         [123af9043e93cb6f235207d260d50f832cdb5439]
      ASoC: nuc900: Fix a loop timeout test
         [65a12b3aafed5fc59f4ce41b22b752b1729e6701]
      HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
         [7ad81482cad67cbe1ec808490d1ddfc420c42008]
      ath9k_htc: Add a sanity check in ath9k_htc_ampdu_action()
         [413fd2f5c0233d3cde391679b967c1f14cd2cb27]
      cdrom: information leak in cdrom_ioctl_media_changed()
         [9de4ee40547fd315d4a0ed1dd15a2fa3559ad707]
      media: cpia2: Fix a couple off by one bugs
         [d5ac225c7d64c9c3ef821239edc035634e594ec9]
      staging: lustre: libcfs: Prevent harmless read underflow
         [134aecbc25fd77645baaea5467b2a7ed8e9d1ea7]
      staging: ncpfs: memory corruption in ncp_read_kernel()
         [4c41aa24baa4ed338241d05494f2c595c885af8f]
      staging: rts5208: Fix "seg_no" calculation in reset_ms_card()
         [7f7aeea7cf30368b9fdb86dcc9d2c8a3ebc65dfb]

Daniel N Pettersson (1):
      cifs: Fix autonegotiate security settings mismatch
         [9aca7e454415f7878b28524e76bebe1170911a88]

Danilo Krummrich (1):
      usb: quirks: add control message delay for 1b1c:1b20
         [cb88a0588717ba6c756cb5972d75766b273a6817]

Dave Hansen (1):
      x86/cpu: Rename "WESTMERE2" family to "NEHALEM_G"
         [4b3b234f434d440fcd749b9636131b76e2ce561e]

Dave Young (1):
      HID: add quirk for another PIXART OEM mouse used by HP
         [01cffe9ded15c0d664e0beb33c594e00c0d57bba]

David Ahern (1):
      net: Refactor rtable initialization
         [d08c4f355403840fad98d9918db51a7113f38ee8]

David Matlack (1):
      KVM: nVMX: mark vmcs12 pages dirty on L2 exit
         [c9f04407f2e0b3fc9ff7913c65fcfcb0a4b61570]

David Rientjes (1):
      kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
         [88913bd8ea2a75d7e460a4bed5f75e1c32660d7e]

David Woodhouse (11):
      x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2  microcodes
         [a5b2966364538a0e68c9fa29bc0a3a1651799035]
      x86/cpufeatures: Add AMD feature bits for Speculation Control
         [5d10cbc91d9eb5537998b65608441b592eec65e7]
      x86/cpufeatures: Add Intel feature bits for Speculation Control
         [fc67dd70adb711a45d2ef34e12d1a8be75edde61]
      x86/cpufeatures: Clean up Spectre v2 related CPUID flags
         [2961298efe1ea1b6fc0d7ee8b76018fa6c0bcef2]
      x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
         [7fcae1118f5fd44a862aa5c3525248e35ee67c3b]
      x86/msr: Add definitions for new speculation control MSRs
         [1e340c60d0dd3ae07b5bedc16a0469c14b9f3410]
      x86/pti: Do not enable PTI on CPUs which are not vulnerable to  Meltdown
         [fec9434a12f38d3aeafeb75711b71d8a1fdef621]
      x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier)  support
         [20ffa1caecca4db8f79fe665acdeaa5af815a24d]
      x86/speculation: Correct Speculation Control microcode blacklist  again
         [d37fc6d360a404b208547ba112e7dabb6533c7fc]
      x86/speculation: Update Speculation Control microcode blacklist
         [1751342095f0d2b36fa8114d8e12c5688c455ac4]
      x86/speculation: Use IBRS if available before calling into firmware
         [dd84441a797150dcc49298ec95c459a8891d8bb1]

Dmitry Torokhov (1):
      Input: edt-ft5x06 - fix error handling for factory mode on non-M06
         [4b3e910d7f430ab76dd37131bb75129878950163]

Dmitry Vyukov (1):
      netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
         [1a38956cce5eabd7b74f94bab70265e4df83165e]

Eran Ben Elisha (1):
      net/mlx4_en: Fix mixed PFC and Global pause user control requests
         [6e8814ceb7e8f468659ef9253bd212c07ae19584]

Eric Biggers (15):
      NFS: reject request for id_legacy key without auxdata
         [49686cbbb3ebafe42e63868222f269d8053ead00]
      binder: check for binder_thread allocation failure in binder_poll()
         [f88982679f54f75daa5b8eff3da72508f1e7422f]
      crypto: cryptd - pass through absence of ->setkey()
         [841a3ff329713f796a63356fef6e2f72e4a3f6a3]
      crypto: hash - annotate algorithms taking optional key
         [a208fa8f33031b9e0aba44c7d1b7e68eb0cbd29e]
      crypto: hash - introduce crypto_hash_alg_has_setkey()
         [cd6ed77ad5d223dc6299fb58f62e0f5267f7e2ba]
      crypto: hash - prevent using keyed hashes without setting key
         [9fa68f620041be04720d0cbfb1bd3ddfc6310b24]
      libata: fix length validation of ATAPI-relayed SCSI commands
         [058f58e235cbe03e923b30ea7c49995a46a8725f]
      libata: remove WARN() for DMA or PIO command without data
         [9173e5e80729c8434b8d27531527c5245f4a5594]
      pipe, sysctl: drop 'min' parameter from pipe-max-size converter
         [4c2e4befb3cc9ce42d506aa537c9ab504723e98c]
      pipe, sysctl: remove pipe_proc_fn()
         [319e0a21bb7823abbb4818fe2724e572bbac77a2]
      pipe: actually allow root to exceed the pipe buffer limits
         [85c2dd5473b2718b4b63e74bfeb1ca876868e11f]
      pipe: fix off-by-one error when checking buffer limits
         [9903a91c763ecdae333a04a9d89d79d2b8966503]
      pipe: read buffer limits atomically
         [f7340761812fc10313e6fcc115e0bc4f7a799112]
      pipe: reject F_SETPIPE_SZ with size over UINT_MAX
         [96e99be40e4cff870a83233731121ec0f7f95075]
      pipe: simplify round_pipe_size()
         [c4fed5a91fadc8a277b1eda474317b501651dd3e]

Eric Dumazet (4):
      l2tp: do not accept arbitrary sockets
         [17cfe79a65f98abe535261856c5aef14f306dff7]
      net: fix possible out-of-bound read in skb_network_protocol()
         [1dfe82ebd7d8fd43dba9948fdfb31f145014baa0]
      net: igmp: add a missing rcu locking section
         [e7aadb27a5415e8125834b84a74477bfbee4eff5]
      netfilter: IDLETIMER: be syzkaller friendly
         [cfc2c740533368b96e2be5e0a4e8c3cace7d9814]

Eric W. Biederman (4):
      fs: Teach path_connected to handle nfs filesystems with multiple roots.
         [95dd77580ccd66a0da96e6d4696945b8cea39431]
      mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy
         [6ac1dc736b323011a55ecd1fc5897c24c4f77cbd]
      signal/openrisc: Fix do_unaligned_access to send the proper signal
         [500d58300571b6602341b041f97c082a461ef994]
      signal/sh: Ensure si_signo is initialized in do_divide_error
         [0e88bb002a9b2ee8cc3cc9478ce2dc126f849696]

Erik Veijola (1):
      ALSA: usb-audio: Add a quirck for B&W PX headphones
         [240a8af929c7c57dcde28682725b29cf8474e8e5]

Ernesto A . Fernández (1):
      ext4: correct documentation for grpid mount option
         [9f0372488cc9243018a812e8cfbf27de650b187b]

Eugene Syromiatnikov (1):
      s390: fix handling of -1 in set{,fs}[gu]id16 syscalls
         [6dd0d2d22aa363fec075cb2577ba273ac8462e94]

Felix Kuehling (1):
      drm/ttm: Don't add swapped BOs to swap-LRU list
         [fd5002d6a3c602664b07668a24df4ef7a43bf078]

Florian Fainelli (2):
      net: systemport: Rewrite __bcm_sysport_tx_reclaim()
         [484d802d0f2f29c335563fcac2a8facf174a1bbc]
      pinctrl: Really force states during suspend/resume
         [981ed1bfbc6c4660b2ddaa8392893e20a6255048]

Florian Westphal (6):
      netfilter: bridge: ebt_among: add missing match size checks
         [c4585a2823edf4d1326da44d1524ecbfda26bb37]
      netfilter: bridge: ebt_among: add more missing match size checks
         [c8d70a700a5b486bfa8e5a7d33d805389f6e59f9]
      netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
         [b71812168571fa55e44cdd0254471331b9c4c4c6]
      netfilter: ebtables: fix erroneous reject of last rule
         [932909d9b28d27e807ff8eecb68c7748f6701628]
      netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
         [b078556aecd791b0e5cb3a59f4c3a14273b52121]
      xfrm_user: uncoditionally validate esn replay attribute struct
         [d97ca5d714a5334aecadadf696875da40f1fbf3e]

Ganesh Mahendran (1):
      android: binder: use VM_ALLOC to get vm area
         [aac6830ec1cb681544212838911cdc57f2638216]

Geert Uytterhoeven (1):
      RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo()
         [302d6424e4a293a5761997e6c9fc3dfb1e4c355f]

Greg Kroah-Hartman (2):
      USB: serial: pl2303: new device id for Chilitag
         [d08dd3f3dd2ae351b793fc5b76abdbf0fd317b12]
      drm: udl: Properly check framebuffer mmap offsets
         [3b82a4db8eaccce735dffd50b4d4e1578099b8e8]

Greg Kurz (1):
      9p/trans_virtio: discard zero-length reply
         [26d99834f89e76514076d9cd06f61e56e6a509b8]

Guillaume Nault (3):
      l2tp: avoid using ->tunnel_sock for getting session's parent tunnel
         [7198c77aa05560c257ee377ec1f4796812121580]
      l2tp: don't close sessions in l2tp_tunnel_destruct()
         [765924e362d12f87786060b98a49abd91e11ea96]
      l2tp: remove l2tp_tunnel_count and l2tp_session_count
         [c7fa745d988812c4dea7dbc645f025c5bfa4917e]

Hans de Goede (10):
      ASoC: rt5651: Fix regcache sync errors on resume
         [2d30e9494f1ea320aaaad0cff9ddd92c87eac355]
      PCI: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L
         [1903be8222b7c278ca897c129ce477c1dd6403a8]
      USB: cdc-acm: Do not log urb submission errors on disconnect
         [f0386c083c2ce85284dc0b419d7b89c8e567c09f]
      ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI
         [998008b779e424bd7513c434d0ab9c1268459009]
      ahci: Add PCI-id for the Highpoint Rocketraid 644L card
         [28b2182dad43f6f8fcbd167539a26714fd12bd64]
      libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs
         [62ac3f7305470e3f52f159de448bc1a771717e88]
      libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs
         [9c7be59fc519af9081c46c48f06f2b8fadf55ad8]
      libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions
         [3bf7b5d6d017c27e0d3b160aafb35a8e7cfeda1f]
      libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version
         [d418ff56b8f2d2b296daafa8da151fe27689b757]
      uas: Log error codes when logging errors
         [ce39fe6fa115d9fea0112c907773a400b98d2463]

Hans van Kranenburg (1):
      btrfs: alloc_chunk: fix DUP stripe size handling
         [92e222df7b8f05c565009c7383321b593eca488b]

Hemant Kumar (1):
      usb: f_fs: Prevent gadget unbind if it is already unbound
         [ce5bf9a50daf2d9078b505aca1cea22e88ecb94a]

Horia Geantă (1):
      crypto: caam - fix endless loop when DECO acquire fails
         [225ece3e7dad4cfc44cca38ce7a3a80f255ea8f1]

Ilya Dryomov (1):
      rbd: whitelist RBD_FEATURE_OPERATIONS feature bit
         [e573427a440fd67d3f522357d7ac901d59281948]

Ingo Molnar (1):
      x86/speculation: Move firmware_restrict_branch_speculation_*() from C  to CPP
         [d72f4e29e6d84b7ec02ae93088aa459ac70e733b]

Ioana Ciornei (1):
      staging: iio: adc: remove the use of CamelCase
         [5f7e280f5ae61450a7aecd9feefe3f032b6a5abf]

Ivan Delalande (1):
      lkdtm: fix handle_irq_event symbol for INT_HW_IRQ_EN
         [5be2a5011c039506e2862650c928acfb2e3d7b9c]

Ivan Vecera (2):
      kernfs: fix regression in kernfs_fop_write caused by wrong type
         [ba87977a49913129962af8ac35b0e13e0fa4382d]
      net/mlx4_en: do not ignore autoneg in mlx4_en_set_pauseparam()
         [278d436a476f69fc95d5c82bf61b6c2d02f4d44e]

J. Bruce Fields (1):
      NFS: commit direct writes even if they fail partially
         [1b8d97b0a837beaf48a8449955b52c650a7114b4]

Jack Morgenstein (1):
      IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports
         [852f6927594d0d3e8632c889b2ab38cbc46476ad]

Jack Stocker (1):
      Add delay-init quirk for Corsair K70 RGB keyboards
         [7a1646d922577b5b48c0d222e03831141664bb59]

Jake Daryll Obina (1):
      jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
         [5bdd0c6f89fba430e18d636493398389dadc3b17]

Jakub Kicinski (1):
      net: fix race on decreasing number of TX queues
         [ac5b70198adc25c73fba28de4f78adcee8f6be0b]

James Chapman (5):
      l2tp: don't use inet_shutdown on ppp session destroy
         [225eb26489d05c679a4c4197ffcb81c81e9dcaf4]
      l2tp: don't use inet_shutdown on tunnel destroy
         [76a6abdb2513ad4ea0ded55d2c66160491f2e848]
      l2tp: fix race in pppol2tp_release with session object destroy
         [d02ba2a6110c530a32926af8ad441111774d2893]
      l2tp: fix races with tunnel socket close
         [d00fa9adc528c1b0e64d532556764852df8bd7b9]
      l2tp: fix tunnel lookup use-after-free race
         [28f5bfb819195ad9c2eb9486babe7b0e4efe925f]

James Hogan (2):
      EDAC, octeon: Fix an uninitialized variable warning
         [544e92581a2ac44607d7cc602c6b54d18656f56d]
      MIPS: Fix clean of vmlinuz.{32,ecoff,bin,srec}
         [5f2483eb2423152445b39f2db59d372f523e664e]

James Ralston (1):
      ahci: Remove Device ID for Intel Sunrise Point PCH
         [46319e13581a6c442b0a0e5a3bd5d9af4496f252]

Jan Beulich (1):
      x86/mm: Fix {pmd,pud}_{set,clear}_flags()
         [842cef9113c2120f74f645111ded1e020193d84c]

Jan Chochol (1):
      nfs: Do not convert nfs_idmap_cache_timeout to jiffies
         [cbebc6ef4fc830f4040d4140bf53484812d5d5d9]

Jan-Marek Glogowski (1):
      ALSA: hda/realtek: PCI quirk for Fujitsu U7x7
         [fdcc968a3b290407bcba9d4c90e2fba6d8d928f1]

Jason Gunthorpe (1):
      sctp: Fix mangled IPv4 addresses on a IPv6 listening socket
         [9302d7bb0c5cd46be5706859301f18c137b2439f]

Jason Wang (1):
      vhost_net: stop device during reset owner
         [4cd879515d686849eec5f718aeac62a70b067d82]

Jason Yan (5):
      ata: do not schedule hot plug if it is a sas host
         [6f54120e17e311fd7ac42b9ec2a0611caa5b46ad]
      scsi: libsas: direct call probe and destruct
         [0558f33c06bb910e2879e355192227a8e8f0219d]
      scsi: libsas: fix error when getting phy events
         [2b23d9509fd7174b362482cf5f3b5f9a2265bc33]
      scsi: libsas: fix memory leak in sas_smp_get_phy_events()
         [4a491b1ab11ca0556d2fda1ff1301e862a2d44c4]
      scsi: libsas: remove the numbering for each event enum
         [0d78f969b10f27e0be34210d482a01e1ee92994c]

Jean Delvare (1):
      firmware: dmi_scan: Fix handling of empty DMI strings
         [a7770ae194569e96a93c48aceb304edded9cc648]

Jens Axboe (1):
      aio: fix serial draining in exit_aio()
         [dc48e56d761610da4ea1088d1bea0a030b8e3e43]

Jeremy Boone (4):
      tpm: fix potential buffer overruns caused by bit glitches on the bus
         [3be23274755ee85771270a23af7691dc9b3a95db]
      tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
         [9b8cb28d7c62568a5916bdd7ea1c9176d7f8f2ed]
      tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
         [f9d4d9b5a5ef2f017bc344fb65a58a902517173b]
      tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
         [6bb320ca4a4a7b5b3db8c8d7250cc40002046878]

Jia-Ju Bai (1):
      USB: serial: io_edgeport: fix possible sleep-in-atomic
         [c7b8f77872c73f69a16528a9eb87afefcccdc18b]

Jim Mattson (1):
      KVM: nVMX: Eliminate vmcs02 pool
         [de3a0021a60635de96aa92713c1a31a96747d72c]

Jiri Bohac (1):
      x86/gart: Exclude GART aperture from vmcore
         [2a3e83c6f96c513f43ce5a8c9034608ea584a255]

Joe Lawrence (3):
      pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
         [7a8d181949fb2c16be00f8cdb354794a30e46b39]
      pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
         [d3f14c485867cfb2e0c48aa88c41d0ef4bf5209c]
      sysctl: check for UINT_MAX before unsigned int min/max
         [fb910c42ccebf853c29296185c45c11164a56098]

Joel Fernandes (1):
      staging: android: ashmem: Fix lockdep issue during llseek
         [cb57469c9573f6018cd1302953dd45d6e05aba7b]

Johan Hovold (5):
      USB: serial: add Medtronic CareLink USB driver
         [cff9c2339a6d5105d7f6b1f9a96dd1d239cc76ac]
      USB: serial: add Novatel Wireless GPS driver
         [c5cd24d7b179a415df263e5b18b72f6e3aaf81e0]
      USB: serial: add support for multi-port simple drivers
         [b9f040389e23fb95fde36cb0a3c2c516fb3e9d1c]
      USB: serial: simple: add Motorola Tetra driver
         [46fe895e22ab3845515ec06b01eaf1282b342e29]
      video: fbdev: atmel_lcdfb: fix display-timings lookup
         [9cb18db0701f6b74f0c45c23ad767b3ebebe37f6]

Johannes Berg (1):
      regulatory: add NUL to request alpha2
         [657308f73e674e86b60509a430a46e569bf02846]

John Crispin (1):
      MIPS: ralink: Don't set pm_power_off
         [81ab9f6c5ff8565e4cba330e340a8979a10521d7]

Jonas Danielsson (1):
      tty/serial: atmel: add new version check for usart
         [fd63a8903a2c40425a9811c3371dd4d0f42c0ad3]

Ju Hyung Park (1):
      libata: Enable queued TRIM for Samsung SSD 860
         [ca6bfcb2f6d9deab3924bf901e73622a94900473]

Juergen Gross (2):
      x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
         [71c208dd54ab971036d83ff6d9837bae4976e623]
      x86/xen: init %gs very early to avoid page faults with stack protector
         [4f277295e54c5b7340e48efea3fc5cc21a2872b7]

Julia Lawall (3):
      USB: usbmon: remove assignment from IS_ERR argument
         [46c236dc7d1212d7417e6fb0317f91c44c719322]
      drivers: video: fbdev: atmel_lcdfb.c: fix error return code
         [6c131850eca653344c41d68ce87f3ab5a89af89e]
      drm/radeon: adjust tested variable
         [3a61b527b4e1f285d21b6e9e623dc45cf8bb391f]

Julian Wiedmann (2):
      s390/qeth: fix SETIP command handling
         [1c5b2216fbb973a9410e0b06389740b5c1289171]
      s390/qeth: free netdevice when removing a card
         [6be687395b3124f002a653c1a50b3260222b3cd7]

Julien Gomes (1):
      tun: allow positive return values on dev_get_valid_name() call
         [5c25f65fd1e42685f7ccd80e0621829c105785d9]

Justin Chen (1):
      MIPS: BMIPS: Do not mask IPIs during suspend
         [06a3f0c9f2725f5d7c63c4203839373c9bd00c28]

Kai-Heng Feng (3):
      drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
         [06998a756a3865817b87a129a7e5d5bb66dc1ec3]
      libata: disable LPM for Crucial BX100 SSD 500GB drive
         [b17e5729a630d8326a48ec34ef02e6b4464a6aef]
      xhci: Fix front USB ports on ASUS PRIME B350M-A
         [191edc5e2e515aab1075a3f0ef23599e80be5f59]

Kamil Konieczny (1):
      crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
         [c927b080c67e3e97193c81fc1d27f4251bf4e036]

KarimAllah Ahmed (3):
      KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
         [b2ac58f90540e39324e7a29a7ad471407ae0bf48]
      KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
         [d28b387fb74da95d69d2615732f50cceb38e9a4d]
      KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
         [28c1c9fabf48d6ad596273a11c46e0d0da3e14cd]

Karsten Koop (1):
      usb: ldusb: add PIDs for new CASSY devices supported by this driver
         [52ad2bd8918158266fc88a05f95429b56b6a33c5]

Kees Cook (1):
      NFC: llcp: Limit size of SDP URI
         [fe9c842695e26d8116b61b80bfb905356f07834b]

Kirill Marinushkin (1):
      ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit
         [a6618f4aedb2b60932d766bd82ae7ce866e842aa]

Konrad Rzeszutek Wilk (1):
      x86/spectre_v2: Don't check microcode versions when running under hypervisors
         [36268223c1e9981d6cfc33aff8520b3bde4b8114]

Lars-Peter Clausen (1):
      iio: adis_lib: Initialize trigger before requesting interrupt
         [f027e0b3a774e10302207e91d304bbf99e3a8b36]

Lassi Ylikojola (1):
      ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204
         [5e35dc0338d85ccebacf3f77eca1e5dea73155e8]

Leon Romanovsky (11):
      RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure
         [b081808a66345ba725b77ecd8d759bee874cd937]
      RDMA/mlx5: Fix integer overflow while resizing CQ
         [28e9091e3119933c38933cb8fc48d5618eb784c8]
      RDMA/ucma: Check AF family prior resolving address
         [2975d5de6428ff6d9317e9948f0968f7d42e5d74]
      RDMA/ucma: Check that device exists prior to accessing it
         [c8d3bcbfc5eab3f01cf373d039af725f3b488813]
      RDMA/ucma: Check that device is connected prior to access it
         [4b658d1bbc16605330694bb3ef2570c465ef383d]
      RDMA/ucma: Check that user doesn't overflow QP state
         [a5880b84430316e3e1c1f5d23aa32ec6000cc717]
      RDMA/ucma: Don't allow join attempts for unsupported AF family
         [0c81ffc60d5280991773d17e84bda605387148b1]
      RDMA/ucma: Ensure that CM_ID exists prior to access it
         [e8980d67d6017c8eee8f9c35f782c4bd68e004c9]
      RDMA/ucma: Fix access to non-initialized CM_ID object
         [7688f2c3bbf55e52388e37ac5d63ca471a7712e1]
      RDMA/ucma: Fix use-after-free access in ucma_close
         [ed65a4dc22083e73bac599ded6a262318cad7baf]
      RDMA/ucma: Limit possible option size
         [6a21dfc0d0db7b7e0acedce67ca533a6eb19283c]

Linus Lüssing (2):
      batman-adv: fix multicast-via-unicast transmission with AP isolation
         [f8fb3419ead44f9a3136995acd24e35da4525177]
      batman-adv: fix packet loss for broadcasted DHCP packets to a server
         [a752c0a4524889cdc0765925258fd1fd72344100]

Linus Torvalds (3):
      kvm/x86: fix icebp instruction handling
         [32d43cd391bacb5f0814c2624399a5dad3501d09]
      perf/hwbp: Simplify the perf-hwbp code, fix documentation
         [f67b15037a7a50c57f72e69a6d59941ad90a0f0f]
      tty: vt: fix up tabstops properly
         [f1869a890cdedb92a3fab969db5d0fd982850273]

Linus Walleij (1):
      mtd: jedec_probe: Fix crash in jedec_read_mfr()
         [87a73eb5b56fd6e07c8e499fe8608ef2d8912b82]

Liu Bo (4):
      Btrfs: fix crash due to not cleaning up tree log block's dirty bits
         [1846430c24d66e85cc58286b3319c82cd54debb2]
      Btrfs: fix deadlock in run_delalloc_nocow
         [e89166990f11c3f21e1649d760dd35f9e410321c]
      Btrfs: fix extent state leak from tree log
         [55237a5f2431a72435e3ed39e4306e973c0446b7]
      Btrfs: fix use-after-free on root->orphan_block_rsv
         [1a932ef4e47984dee227834667b5ff5a334e4805]

Lukas Czerner (1):
      ext4: fix bitmap position validation
         [22be37acce25d66ecf6403fc8f44df9c5ded2372]

Lukas Wunner (5):
      Revert "apple-gmux: lock iGP IO to protect from vgaarb changes"
         [d6fa7588fd7a8def4c747c0c574ce85d453e3788]
      drm/nouveau: Fix deadlock on runtime suspend
         [d61a5c1063515e855bedb1b81e20e50b0ac3541e]
      drm/radeon: Fix deadlock on runtime suspend
         [15734feff2bdac24aa3266c437cffa42851990e3]
      drm: Allow determining if current task is output poll worker
         [25c058ccaf2ebbc3e250ec1e199e161f91fe27d4]
      workqueue: Allow retrieval of current task's work struct
         [27d4ee03078aba88c5e07dcc4917e8d01d046f38]

Maciej W. Rozycki (1):
      MIPS: Normalise code flow in the CpU exception handler
         [27e28e8ec47a5ce335ebf25d34ca356c80635908]

Malcolm Priestley (2):
      media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
         [3d932ee27e852e4904647f15b64dedca51187ad7]
      media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
         [7bf7a7116ed313c601307f7e585419369926ab05]

Marc Kleine-Budde (1):
      slip: sl_alloc(): remove unused parameter "dev_t line"
         [936e5d8bdfa72577e28ea671d9e2ee4fef0d6b3e]

Marc Zyngier (2):
      arm64: KVM: Increment PC after handling an SMC trap
         [f5115e8869e1dfafac0e414b4f1664f3a84a4683]
      arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
         [20e8175d246e9f9deb377f2784b3e7dfb2ad3e86]

Mark Rutland (1):
      arm64: remove __die()'s stack dump
         [c5bc503cbeee8586395aa541d2b53c69c3dd6930]

Masahiro Yamada (1):
      mmc: sdhci: export sdhci_execute_tuning()
         [85a882c2e91d3655927ecdc1db823d1420a65b8f]

Masami Hiramatsu (1):
      tracing: probeevent: Fix to support minus offset from symbol
         [c5d343b6b7badd1f5fe0873eff2e8d63a193e732]

Masatake YAMATO (1):
      route: remove unsed variable in __mkroute_input
         [cb1c61680d29a054b91a23c7a504cea8a72bdcff]

Matt Redfearn (1):
      MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS
         [0cde5b44a30f1daaef1c34e08191239dc63271c4]

Matthew Wilcox (1):
      cifs: Fix missing put_xid in cifs_file_strict_mmap
         [f04a703c3d613845ae3141bfaf223489de8ab3eb]

Matthias Schiffer (4):
      batman-adv: fix header size check in batadv_dbg_arp()
         [6f27d2c2a8c236d296201c19abb8533ec20d212b]
      batman-adv: fix packet checksum in receive path
         [abd6360591d3f8259f41c34e31ac4826dfe621b8]
      batman-adv: invalidate checksum on fragment reassembly
         [3bf2a09da956b43ecfaa630a2ef9a477f991a46a]
      batman-adv: update data pointers after skb_cow()
         [bc44b78157f621ff2a2618fe287a827bcb094ac4]

Mauro Carvalho Chehab (1):
      media: cxusb, dib0700: ignore XC2028_I2C_FLUSH
         [9893b905e743ded332575ca04486bd586c0772f7]

Max Filippov (1):
      xtensa: fix futex_atomic_cmpxchg_inatomic
         [ca47480921587ae30417dd234a9f79af188e3666]

Mel Gorman (1):
      mm: pin address_space before dereferencing it while isolating an LRU page
         [69d763fc6d3aee787a3e8c8c35092b4f4960fa5d]

Michael Kerrisk (8):
      pipe: cap initial pipe capacity according to pipe-max-size limit
         [086e774a57fba4695f14383c0818994c0b31da7c]
      pipe: fix limit checking in alloc_pipe_info()
         [a005ca0e6813e1d796a7422a7e31d8b8d6555df1]
      pipe: fix limit checking in pipe_set_size()
         [b0b91d18e2e97b741b294af9333824ecc3fadfd8]
      pipe: make account_pipe_buffers() return a value, and use it
         [9c87bcf0a31b338dc8a69a5d251a037565a94e13]
      pipe: move limit checking logic into pipe_set_size()
         [d37d41666408102bf0ac8e48d8efdce7b809e5f6]
      pipe: refactor argument for account_pipe_buffers()
         [3734a13b96ebf039b293d8d37a934fd1bd9e03ab]
      pipe: relocate round_pipe_size() above pipe_set_size()
         [f491bd71118beba608d39ac2d5f1530e1160cd2e]
      pipe: simplify logic in alloc_pipe_info()
         [09b4d1990094dd22c27fb0163534db419458569c]

Michael Lyle (1):
      bcache: don't attach backing with duplicate UUID
         [86755b7a96faed57f910f9e6b8061e019ac1ec08]

Michael Weiser (2):
      arm64: Disable unhandled signal log messages by default
         [5ee39a71fd89ab7240c5339d04161c44a8e03269]
      arm64: Remove unimplemented syscall log message
         [1962682d2b2fbe6cfa995a85c53c069fadda473e]

Michel Dänzer (1):
      drm/radeon: Don't turn off DP sink when disconnected
         [2681bc79eeb640562c932007bfebbbdc55bf6a7d]

Mika Westerberg (1):
      ahci: Add Intel Cannon Lake PCH-H PCI ID
         [f919dde0772a894c693a1eeabc77df69d6a9b937]

Mike Kravetz (2):
      hugetlbfs: check for pgoff value overflow
         [63489f8e821144000e0bdca7e65a8d1cc23a7ee7]
      hugetlbfs: fix offset overflow in hugetlbfs mmap
         [045c7a3f53d9403b62d396b6d051c4be5044cdb4]

Mikulas Patocka (2):
      alpha: fix crash if pthread_create races with signal delivery
         [21ffceda1c8b3807615c40d440d7815e0c85d366]
      alpha: fix reboot on Avanti platform
         [55fc633c41a08ce9244ff5f528f420b16b1e04d6]

Mimi Zohar (1):
      ima: relax requiring a file signature for new files with zero length
         [b7e27bc1d42e8e0cc58b602b529c25cd0071b336]

Miquel Raynal (1):
      mtd: nand: Fix nand_do_read_oob() return value
         [87e89ce8d0d14f573c068c61bec2117751fb5103]

Mulhern (1):
      dm thin: fix documentation relative to low water mark threshold
         [9b28a1102efc75d81298198166ead87d643a29ce]

Namjae Jeon (1):
      cifs: fix memory leak when password is supplied multiple times
         [d6ccf4997e62fb6629f9f003980dca5292138b7b]

Nathan Fontenot (1):
      powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove
         [1d9a090783bef19fe8cdec878620d22f05191316]

NeilBrown (1):
      MIPS: ralink: Remove ralink_halt()
         [891731f6a5dbe508d12443175a7e166a2fba616a]

Nicholas Piggin (1):
      powerpc/64: Don't trace irqs-off at interrupt return to soft-disabled context
         [acb1feab320e38588fccc568e3767761f494976f]

Nicolas Dichtel (2):
      netlink: avoid a double skb free in genlmsg_mcast()
         [02a2385f37a7c6594c9d89b64c4a1451276f08eb]
      netlink: ensure to loop over all netns in genlmsg_multicast_allns()
         [cb9f7a9a5c96a773bbc9c70660dc600cfff82f82]

Nicolas Pitre (1):
      console/dummy: leave .con_font_get set to NULL
         [724ba8b30b044aa0d94b1cd374fc15806cdd6f18]

Nikola Ciprich (1):
      serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
         [9f2068f35729948bde84d87a40d135015911345d]

Nikolay Borisov (1):
      btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker
         [f3038ee3a3f1017a1cbe9907e31fa12d366c5dcb]

OKAMOTO Yoshiaki (1):
      usb: option: Add support for FS040U modem
         [69341bd15018da0a662847e210f9b2380c71e623]

Oleg Nesterov (2):
      aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock()
         [4b70ac5fd9b58bfaa5f25b4ea48f528aefbf3308]
      aio: kill the misleading rcu read locks in ioctx_add_table() and kill_ioctx()
         [855ef0dec7271ff7be7381feaaf3f4aed80bd503]

Oliver Neukum (3):
      CDC-ACM: apply quirk for card reader
         [df1cc78a52491f71d8170d513d0f6f114faa1bda]
      uas: fix comparison for error code
         [9a513c905bb95bef79d96feb08621c1ec8d8c4bb]
      usb: uas: unconditionally bring back host after reset
         [cbeef22fd611c4f47c494b821b2b105b8af970bb]

Paolo Abeni (7):
      dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
         [dfec091439bb2acf763497cfc58f2bdfc67c56b7]
      ipv6: the entire IPv6 header chain must fit the first fragment
         [10b8a3de603df7b96004179b1b33b1708c76d144]
      l2tp: fix races with ipv4-mapped ipv6 addresses
         [b954f94023dcc61388c8384f0f14eb8e42c863c5]
      netfilter: drop outermost socket lock in getsockopt()
         [01ea306f2ac2baff98d472da719193e738759d93]
      netfilter: nat: cope with negative port range
         [db57ccf0f2f4624b4c4758379f8165277504fbd7]
      netfilter: on sockopt() acquire sock lock only in the required scope
         [3f34cfae1238848fd53f25e5c8fd59da57901f4b]
      netfilter: x_tables: fix missing timer initialization in xt_LED
         [10414014bc085aac9f787a5890b33b5605fbcfc4]

Paolo Bonzini (6):
      KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
         [946fbbc13dce68902f64515b610eeb2a6c3d7a64]
      KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
         [ecb586bd29c99fb4de599dec388658e74388daad]
      KVM: VMX: introduce alloc_loaded_vmcs
         [f21f165ef922c2146cc5bdc620f542953c41714b]
      KVM: VMX: make MSR bitmaps per-VCPU
         [904e14fb7cb96401a7dc803ca2863fd5ba32ffe6]
      KVM: x86: pass host_initiated to functions that read MSRs
         [609e36d372ad9329269e4a1467bd35311893d1d6]
      KVM: x86: rename update_db_bp_intercept to update_bp_intercept
         [a96036b8ef7df9f10cd575c0d78359bd33188e8e]

Parav Pandit (1):
      RDMA/cma: Use correct size when writing netlink stats
         [7baaa49af3716fb31877c61f59b74d029ce15b75]

Pete Zaitcev (1):
      usb: usbmon: Read text within supplied buffer size
         [a5f596830e27e15f7a0ecd6be55e433d776986d8]

Peter Malone (1):
      fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
         [250c6c49e3b68756b14983c076183568636e2bde]

Peter Zijlstra (1):
      x86/speculation: Add <asm/msr-index.h> dependency
         [ea00f301285ea2f07393678cd2b6057878320c9d]

Petr Machata (1):
      ip_tunnel: Emit events for post-register MTU changes
         [f6cc9c054e77b9a28d4594bcc201697edb21dfd2]

Raghava Aditya Renukunta (1):
      scsi: aacraid: Fix udev inquiry race condition
         [f4e8708d3104437fd7716e957f38c265b0c509ef]

Rasmus Villemoes (2):
      kernel/async.c: revert "async: simplify lowest_in_progress()"
         [4f7e988e63e336827f4150de48163bed05d653bd]
      nospec: Allow index argument to have const-qualified type
         [b98c6a160a057d5686a8c54c79cc6c8c94a7d0c8]

Roger Pau Monne (1):
      xen/pirq: fix error path cleanup when binding MSIs
         [910f8befdf5bccf25287d9f1743e3e546bcb7ce0]

Sabrina Dubroca (1):
      ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu
         [d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221]

Scott Lawson (1):
      AHCI: Remove obsolete Intel Lewisburg SATA RAID device IDs
         [8ba559fd09bcf4e87faad3efa465dacf04c076c9]

Scott Mayhew (1):
      nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds
         [ba4a76f703ab7eb72941fdaac848502073d6e9ee]

SeongJae Park (2):
      rcutorture/configinit: Fix build directory error message
         [2adfa4210f8f35cdfb4e08318cc06b99752964c2]
      rcutorture/kvm.sh: Use consistent help text for --qemu-args
         [8dcd6f3fe206c0bb8996e59386a04027b1c2fb9b]

Sergey Senozhatsky (1):
      arm64: do not use print_symbol()
         [4ef7963843d3243260aa335dfb9cb2fede06aacf]

Seunghun Han (1):
      x86/MCE: Serialize sysfs changes
         [b3b7c4795ccab5be71f080774c45bbbcc75c2aaf]

Shaohua Li (1):
      ata: Add a new flag to destinguish sas controller
         [5067c0469c643512f24786990e315f9c15cc7d24]

Shawn Lin (2):
      mmc: dw_mmc: Factor out dw_mci_init_slot_caps
         [a4faa4929ed3be15e2d500d2405f992f6dedc8eb]
      mmc: dw_mmc: Fix out-of-bounds access for slot's caps
         [0d84b9e5631d923744767dc6608672df906dd092]

Shuah Khan (3):
      usbip: keep usbip_device sockfd state in sync with tcp_socket
         [009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed]
      usbip: list: don't list devices attached to vhci_hcd
         [ef824501f50846589f02173d73ce3fe6021a9d2a]
      usbip: prevent bind loops on devices attached to vhci_hcd
         [ef54cf0c600fb8f5737fb001a9e357edda1a1de8]

Simon Shields (1):
      ARM: dts: exynos: Correct Trats2 panel reset line
         [1b377924841df1e13ab5b225be3a83f807a92b52]

Stefan Agner (1):
      spi: imx: do not access registers while clocks disabled
         [d593574aff0ab846136190b1729c151c736727ec]

Stefan Roese (1):
      ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
         [9066ae7ff5d89c0b5daa271e2d573540097a94fa]

Stefan Windfeldt-Prytz (1):
      iio: buffer: check if a buffer has been set up when poll is called
         [4cd140bda6494543f1c1b0ccceceaa44b676eef6]

Stefano Brivio (3):
      ip_tunnel: Clamp MTU to bounds on new link
         [24fc79798b8ddfd46f2dd363a8d29072c083b977]
      vti4: Don't count header length twice on tunnel setup
         [dd1df24737727e119c263acf1be2a92763938297]
      vti4: Don't override MTU passed on link creation via IFLA_MTU
         [03080e5ec72740c1a62e6730f2a5f3f114f11b19]

Stephan Mueller (1):
      crypto: af_alg - whitelist mask and type
         [bb30b8848c85e18ca7e371d0a869e94b3e383bdf]

Sven Eckelmann (2):
      batman-adv: Fix internal interface indices types
         [f22e08932c2960f29b5e828e745c9f3fb7c1bb86]
      batman-adv: Fix skbuff rcsum on packet reroute
         [fc04fdb2c8a894283259f5621d31d75610701091]

Takashi Iwai (8):
      ALSA: aloop: Fix access to not-yet-ready substream via cable
         [8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e]
      ALSA: aloop: Sync stale timer before release
         [67a01afaf3d34893cf7d2ea19b34555d6abb7cb0]
      ALSA: hda/realtek - Always immediately update mute LED with pin VREF
         [e40bdb03d3cd7da66bd0bc1e40cbcfb49351265c]
      ALSA: seq: Clear client entry before deleting else at closing
         [a2ff19f7b70118ced291a28d5313469914de451b]
      ALSA: seq: Don't allow resizing pool in use
         [d85739367c6d56e475c281945c68fdb05ca74b4c]
      ALSA: seq: Fix possible UAF in snd_seq_check_queue()
         [d0f833065221cbfcbadf19fd4102bcfa9330006a]
      ALSA: seq: Fix racy pool initializations
         [d15d662e89fc667b90cd294b0eb45694e33144da]
      ALSA: seq: More protection for concurrent write and ioctl races
         [7bd80091567789f1c0cb70eb4737aac8bcd2b6b9]

Tang Junhui (1):
      bcache: fix crashes in duplicate cache device register
         [cc40daf91bdddbba72a4a8cd0860640e06668309]

Tariq Toukan (1):
      net/mlx4_core: Cleanup FMR unmapping flow
         [fd4a3e2828b4ca35aef40e5bdc1ed7d87b3cb50a]

Teijo Kinnunen (1):
      USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
         [5126a504b63d82785eaece3a9c30c660b313785a]

Tejun Heo (3):
      fs/aio: Add explicit RCU grace period when freeing kioctx
         [a6d7cff472eea87d96899a20fa718d2bab7109f3]
      fs/aio: Use RCU accessors for kioctx_table->table[]
         [d0264c01e7587001a8c4608a5d1818dba9a4c11a]
      tty: make n_tty_read() always abort if hangup is in progress
         [28b0f8a6962a24ed21737578f3b1b07424635c9e]

Theodore Ts'o (2):
      ext4: add validity checks for bitmap block numbers
         [7dac4a1726a9c64a517d595c40e95e2d0d135f6f]
      ext4: fail ext4_iget for root directory if unallocated
         [8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44]

Thinh Nguyen (1):
      usb: dwc3: gadget: Set maxpacket size for ep0 IN
         [6180026341e852a250e1f97ebdcf71684a3c81b9]

Thomas Gleixner (1):
      posix-timers: Protect posix clock array access against speculation
         [19b558db12f9f4e45a22012bae7b4783e62224da]

Thomas Richter (1):
      perf annotate: Fix objdump comment parsing for Intel mov dissassembly
         [35a8a148d8c1ee9e5ae18f9565a880490f816f89]

Tim Chen (1):
      x86/speculation: Use Indirect Branch Prediction Barrier in context switch
         [18bf3c3ea8ece8f03b6fc58508f2dfd23c7711c7]

Tobias Jordan (1):
      spi: sun6i: disable/unprepare clocks on remove
         [2d9bbd02c54094ceffa555143b0d68cd06504d63]

Todd Kjos (1):
      binder: replace "%p" with "%pK"
         [8ca86f1639ec5890d400fff9211aca22d0a392eb]

Tony Luck (1):
      x86/MCE: Save microcode revision in machine check records
         [fa94d0c6e0f3431523f5701084d799c77c7d4a4f]

Toshiaki Makita (2):
      net: Fix untag for vlan packets without ethernet header
         [ae4745730cf8e693d354ccd4dbaf59ea440c09a9]
      net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off
         [4bbb3e0e8239f9079bf1fe20b3c0cb598714ae61]

Trond Myklebust (2):
      NFS: Add a cond_resched() to nfs_commit_release_pages()
         [7f1bda447c9bd48b415acedba6b830f61591601f]
      NFS: Fix 2 use after free issues in the I/O code
         [196639ebbe63a037fe9a80669140bd292d8bcd80]

Tyrel Datwyler (1):
      scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
         [c39813652700f3df552b6557530f1e5f782dbe2f]

Ulf Magnusson (1):
      ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
         [8aa36a8dcde3183d84db7b0d622ffddcebb61077]

Ulrich Hecht (1):
      serial: sh-sci: prevent lockup on full TTY buffers
         [7842055bfce4bf0170d0f61df8b2add8399697be]

Vinicius Costa Gomes (1):
      skbuff: Fix not waking applications when errors are enqueued
         [6e5d58fdc9bedd0255a8781b258f10bbdc63e975]

Viresh Kumar (4):
      arm: spear13xx: Fix dmas cells
         [cdd10409914184c7eee5ae3e11beb890c9c16c61]
      arm: spear13xx: Fix spics gpio controller's warning
         [f8975cb1b8a36d0839b6365235778dd9df1d04ca]
      arm: spear600: Add missing interrupt-parent of rtc
         [6ffb5b4f248fe53e0361b8cbc2a523b432566442]
      cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
         [0373ca74831b0f93cd4cdbf7ad3aec3c33a479a5]

Wang Nan (1):
      x86/traps: Enable DEBUG_STACK after cpu_init() for TRAP_DB/BP
         [b4d8327024637cb2a1f7910dcb5d0ad7a096f473]

Wanpeng Li (1):
      KVM: mmu: Fix overlap between public and private memslots
         [b28676bb8ae4569cced423dc2a88f7cb319d5379]

Wei Yongjun (1):
      mtd: ubi: wl: Fix error return code in ubi_wl_init()
         [7233982ade15eeac05c6f351e8d347406e6bcd2f]

Will Deacon (2):
      arm64: __show_regs: Only resolve kernel symbols when running at EL1
         [a06f818a70de21b4b3b4186816094208fc7accf9]
      arm64: traps: Don't print stack or raw PC/LR values in backtraces
         [a25ffd3a6302a67814280274d8f1aa4ae2ea4b59]

Xin Long (4):
      bonding: fix the err path for dev hwaddr sync in bond_enslave
         [5c78f6bfae2b10ff70e21d343e64584ea6280c26]
      bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
         [ae42cc62a9f07f1f6979054ed92606b9c30f4a2e]
      bonding: process the err returned by dev_set_allmulti properly in bond_enslave
         [9f5a90c107741b864398f4ac0014711a8c1d8474]
      bridge: check brport attr show in brport_show
         [1b12580af1d0677c3c3a19e35bfe5d59b03f737f]

Yisheng Xie (2):
      mm/mempolicy.c: avoid use uninitialized preferred_node
         [8970a63e965b43288c4f5f40efbc2bbf80de7f16]
      staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
         [740a5759bf222332fbb5eda42f89aa25ba38f9b2]

Yufen Yu (1):
      md raid10: fix NULL deference in handle_write_completed()
         [01a69cab01c184d3786af09e9339311123d63d22]

Yunlei He (1):
      f2fs: fix a panic caused by NULL flush_cmd_control
         [d4fdf8ba0e5808ba9ad6b44337783bd9935e0982]

Zhang Bo (1):
      Input: matrix_keypad - fix race when disabling interrupts
         [ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7]

Zhouyi Zhou (1):
      ext4: save error to disk in __ext4_grp_locked_error()
         [06f29cc81f0350261f59643a505010531130eea0]

Zygo Blaxell (1):
      btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes
         [c8195a7b1ad5648857ce20ba24f384faed8512bc]

 Documentation/device-mapper/thin-provisioning.txt  |   8 +-
 Documentation/devicetree/bindings/dma/snps-dma.txt |   2 +-
 Documentation/filesystems/ext4.txt                 |   2 +-
 Makefile                                           |   4 +-
 arch/alpha/kernel/pci_impl.h                       |   3 +-
 arch/alpha/kernel/process.c                        |   3 +-
 arch/arm/boot/dts/exynos4412-trats2.dts            |   2 +-
 arch/arm/boot/dts/omap3-n900.dts                   |   4 +-
 arch/arm/boot/dts/spear1310-evb.dts                |   2 +-
 arch/arm/boot/dts/spear1340.dtsi                   |   4 +-
 arch/arm/boot/dts/spear13xx.dtsi                   |   6 +-
 arch/arm/boot/dts/spear600.dtsi                    |   1 +
 arch/arm/kvm/handle_exit.c                         |  13 +-
 arch/arm/mach-mvebu/Kconfig                        |   4 +-
 arch/arm/xen/enlighten.c                           |   1 +
 arch/arm64/kernel/process.c                        |  16 +-
 arch/arm64/kernel/traps.c                          |  58 +-
 arch/arm64/kvm/handle_exit.c                       |   9 +
 arch/ia64/scripts/unwcheck.py                      |  16 +-
 arch/mips/boot/compressed/Makefile                 |   6 +-
 arch/mips/kernel/smp-bmips.c                       |   8 +-
 arch/mips/kernel/traps.c                           |  15 +-
 arch/mips/ralink/reset.c                           |   8 -
 arch/mips/txx9/rbtx4939/setup.c                    |   4 +-
 arch/mn10300/mm/misalignment.c                     |   2 +-
 arch/openrisc/kernel/traps.c                       |  10 +-
 arch/powerpc/include/asm/kvm_book3s.h              |   6 +-
 arch/powerpc/include/asm/topology.h                |   8 +
 arch/powerpc/kernel/entry_64.S                     |  10 +-
 arch/powerpc/kvm/book3s_interrupts.S               |   4 +-
 arch/powerpc/kvm/book3s_pr.c                       |  20 +-
 arch/powerpc/mm/numa.c                             |   5 -
 arch/powerpc/platforms/pseries/hotplug-cpu.c       |   2 +
 arch/s390/kernel/compat_linux.c                    |   8 +-
 arch/s390/kvm/kvm-s390.c                           |   1 +
 arch/sh/kernel/traps_32.c                          |   3 +-
 arch/sparc/crypto/crc32c_glue.c                    |   1 +
 arch/x86/crypto/crc32-pclmul_glue.c                |   1 +
 arch/x86/crypto/crc32c-intel_glue.c                |   1 +
 arch/x86/include/asm/apm.h                         |   6 +
 arch/x86/include/asm/cpufeature.h                  |  15 +-
 arch/x86/include/asm/efi.h                         |   8 +
 arch/x86/include/asm/intel-family.h                |  11 +-
 arch/x86/include/asm/kvm_host.h                    |   8 +-
 arch/x86/include/asm/nospec-branch.h               |  37 ++
 arch/x86/include/asm/pgtable.h                     |   4 +-
 arch/x86/include/asm/pgtable_types.h               |   5 +
 arch/x86/include/asm/vmx.h                         |   1 +
 arch/x86/include/uapi/asm/mce.h                    |   4 +
 arch/x86/include/uapi/asm/msr-index.h              |  12 +
 arch/x86/kernel/aperture_64.c                      |  46 +-
 arch/x86/kernel/cpu/bugs.c                         |  19 +-
 arch/x86/kernel/cpu/common.c                       |  75 ++-
 arch/x86/kernel/cpu/intel.c                        |  71 +++
 arch/x86/kernel/cpu/mcheck/mce.c                   |  26 +-
 arch/x86/kernel/cpu/microcode/core.c               |   2 +-
 arch/x86/kernel/cpu/microcode/core_early.c         |  29 +-
 arch/x86/kernel/entry_64.S                         |   2 +-
 arch/x86/kernel/traps.c                            |  27 +-
 arch/x86/kvm/cpuid.c                               |  24 +-
 arch/x86/kvm/cpuid.h                               |  31 ++
 arch/x86/kvm/svm.c                                 | 171 +++++-
 arch/x86/kvm/vmx.c                                 | 619 +++++++++++----------
 arch/x86/kvm/x86.c                                 | 111 ++--
 arch/x86/mm/tlb.c                                  |  19 +
 arch/x86/oprofile/nmi_int.c                        |   2 +-
 arch/x86/xen/mmu.c                                 |   2 +-
 arch/x86/xen/suspend.c                             |  24 +
 arch/x86/xen/xen-head.S                            |  15 +
 arch/xtensa/include/asm/futex.h                    |  23 +-
 crypto/af_alg.c                                    |   5 +
 crypto/ahash.c                                     |  33 +-
 crypto/algif_hash.c                                |  54 +-
 crypto/crc32.c                                     |   1 +
 crypto/crc32c_generic.c                            |   1 +
 crypto/cryptd.c                                    |   6 +-
 crypto/shash.c                                     |  25 +-
 drivers/ata/ahci.c                                 |  24 +-
 drivers/ata/libata-core.c                          |  21 +-
 drivers/ata/libata-eh.c                            |   3 +-
 drivers/ata/libata-scsi.c                          |   4 +-
 drivers/block/pktcdvd.c                            |   4 +-
 drivers/block/rbd.c                                |   7 +-
 drivers/cdrom/cdrom.c                              |   2 +-
 drivers/char/tpm/tpm-interface.c                   |   4 +
 drivers/char/tpm/tpm_i2c_infineon.c                |   5 +-
 drivers/char/tpm/tpm_i2c_nuvoton.c                 |   8 +-
 drivers/char/tpm/tpm_tis.c                         |   5 +-
 drivers/clocksource/fsl_ftm_timer.c                |   2 +-
 drivers/cpufreq/s3c24xx-cpufreq.c                  |   8 +-
 drivers/crypto/bfin_crc.c                          |   3 +-
 drivers/crypto/caam/ctrl.c                         |   8 +-
 drivers/crypto/s5p-sss.c                           |  12 +-
 drivers/devfreq/devfreq.c                          |   2 +-
 drivers/edac/octeon_edac-lmc.c                     |   1 +
 drivers/firmware/dmi_scan.c                        |  22 +-
 drivers/gpu/drm/drm_edid.c                         |   3 +
 drivers/gpu/drm/drm_probe_helper.c                 |  20 +
 drivers/gpu/drm/nouveau/nouveau_connector.c        |  18 +-
 drivers/gpu/drm/radeon/cik.c                       |  31 +-
 drivers/gpu/drm/radeon/radeon_connectors.c         | 105 ++--
 drivers/gpu/drm/radeon/radeon_device.c             |   4 +
 drivers/gpu/drm/radeon/radeon_gem.c                |   2 -
 drivers/gpu/drm/radeon/radeon_object.c             |   2 +
 drivers/gpu/drm/radeon/radeon_uvd.c                |   2 +-
 drivers/gpu/drm/radeon/si_dpm.c                    |   5 +
 drivers/gpu/drm/ttm/ttm_bo.c                       |   3 +-
 drivers/gpu/drm/udl/udl_fb.c                       |   9 +-
 drivers/hid/hid-core.c                             |   3 +
 drivers/hid/hid-ids.h                              |   4 +
 drivers/hid/hid-roccat-kovaplus.c                  |   2 +
 drivers/hid/usbhid/hid-quirks.c                    |   1 +
 drivers/iio/imu/adis_trigger.c                     |   7 +-
 drivers/iio/industrialio-buffer.c                  |   2 +-
 drivers/infiniband/core/cma.c                      |   5 +-
 drivers/infiniband/core/iwpm_util.c                |   1 +
 drivers/infiniband/core/ucma.c                     |  51 +-
 drivers/infiniband/hw/mlx4/main.c                  |  13 +-
 drivers/infiniband/hw/mlx5/cq.c                    |   7 +-
 drivers/infiniband/hw/mlx5/qp.c                    |   5 +-
 drivers/infiniband/hw/mlx5/srq.c                   |  15 +-
 drivers/infiniband/ulp/ipoib/ipoib_fs.c            |   2 -
 drivers/input/keyboard/matrix_keypad.c             |   4 +-
 drivers/input/touchscreen/edt-ft5x06.c             |  14 +-
 drivers/input/touchscreen/mms114.c                 |   2 +-
 drivers/md/bcache/super.c                          |  27 +-
 drivers/md/raid10.c                                |   6 +-
 drivers/media/pci/bt8xx/bt878.c                    |   3 +-
 drivers/media/platform/exynos4-is/fimc-isp.c       |  14 +-
 drivers/media/usb/cpia2/cpia2_v4l.c                |   4 +-
 drivers/media/usb/dvb-usb-v2/lmedm04.c             |  39 +-
 drivers/media/usb/dvb-usb/cxusb.c                  |   2 +
 drivers/media/usb/dvb-usb/dib0700_devices.c        |   1 +
 drivers/misc/lkdtm.c                               |   2 +-
 drivers/mmc/card/block.c                           |  21 +
 drivers/mmc/host/dw_mmc-exynos.c                   |   1 +
 drivers/mmc/host/dw_mmc.c                          |  68 ++-
 drivers/mmc/host/dw_mmc.h                          |   2 +
 drivers/mmc/host/sdhci-pci.c                       |  27 +
 drivers/mmc/host/sdhci.c                           |   7 +-
 drivers/mmc/host/sdhci.h                           |   1 +
 drivers/mtd/chips/jedec_probe.c                    |   2 +
 drivers/mtd/nand/nand_base.c                       |   5 +-
 drivers/mtd/ubi/vmt.c                              |  15 +-
 drivers/mtd/ubi/wl.c                               |   8 +-
 drivers/net/bonding/bond_main.c                    |  73 +--
 drivers/net/can/cc770/cc770.c                      | 100 ++--
 drivers/net/can/cc770/cc770.h                      |   2 +
 drivers/net/ethernet/broadcom/bcmsysport.c         |  33 +-
 drivers/net/ethernet/broadcom/bcmsysport.h         |   2 +-
 drivers/net/ethernet/intel/e1000e/ich8lan.c        |   2 +-
 drivers/net/ethernet/intel/e1000e/mac.c            |   2 +-
 drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c     |  23 +-
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c    |  27 +-
 drivers/net/ethernet/mellanox/mlx4/en_main.c       |   4 +-
 drivers/net/ethernet/mellanox/mlx4/mr.c            |  40 +-
 drivers/net/ethernet/mellanox/mlx4/qp.c            |   3 +
 drivers/net/slip/slip.c                            |   4 +-
 drivers/net/team/team.c                            |   4 +-
 drivers/net/tun.c                                  |   2 +-
 drivers/net/wireless/ath/ath9k/htc_drv_main.c      |   4 +
 drivers/net/wireless/brcm80211/brcmfmac/p2p.c      |  24 +-
 drivers/net/wireless/ti/wl1251/main.c              |   3 +-
 drivers/pci/quirks.c                               |   2 +
 drivers/pinctrl/core.c                             |  24 +-
 drivers/platform/x86/apple-gmux.c                  |  48 +-
 drivers/power/ab8500_charger.c                     |   6 +-
 drivers/s390/net/qeth_core.h                       |   5 +
 drivers/s390/net/qeth_core_main.c                  |  16 +-
 drivers/s390/net/qeth_l2_main.c                    |   2 +-
 drivers/s390/net/qeth_l3_main.c                    |   2 +-
 drivers/scsi/aacraid/aachba.c                      |  22 +-
 drivers/scsi/arm/fas216.c                          |   2 +-
 drivers/scsi/ibmvscsi/ibmvfc.h                     |   2 +-
 drivers/scsi/ipr.c                                 |   3 +-
 drivers/scsi/libsas/sas_ata.c                      |   4 +-
 drivers/scsi/libsas/sas_discover.c                 |  32 +-
 drivers/scsi/libsas/sas_expander.c                 |  11 +-
 drivers/scsi/libsas/sas_internal.h                 |   1 +
 drivers/scsi/libsas/sas_port.c                     |   3 +
 drivers/spi/spi-imx.c                              |  15 +-
 drivers/spi/spi-sun6i.c                            |   2 +-
 drivers/staging/android/ashmem.c                   |  32 +-
 drivers/staging/android/binder.c                   |  14 +-
 drivers/staging/iio/adc/ad7192.c                   |  29 +-
 drivers/staging/iio/adc/ad7192.h                   |   2 +-
 drivers/staging/iio/adc/ad7280a.c                  |   4 +-
 .../lustre/libcfs/linux/linux-crypto-adler.c       |   1 +
 drivers/staging/lustre/lustre/libcfs/tracefile.c   |   2 +-
 drivers/staging/rts5208/ms.c                       |   3 +-
 drivers/staging/usbip/stub_dev.c                   |   3 +
 drivers/staging/usbip/userspace/src/usbip_bind.c   |   9 +
 drivers/staging/usbip/userspace/src/usbip_list.c   |   9 +
 drivers/staging/usbip/vhci_hcd.c                   |   2 +
 drivers/tty/n_tty.c                                |   6 +
 drivers/tty/serial/8250/8250_pci.c                 |  11 +
 drivers/tty/serial/atmel_serial.c                  |   1 +
 drivers/tty/serial/sh-sci.c                        |   2 +
 drivers/tty/vt/vt.c                                |   8 +-
 drivers/usb/class/cdc-acm.c                        |   5 +-
 drivers/usb/core/message.c                         |   4 +
 drivers/usb/core/quirks.c                          |   6 +-
 drivers/usb/dwc3/gadget.c                          |   2 +
 drivers/usb/gadget/f_fs.c                          |   9 +-
 drivers/usb/host/ohci-q.c                          |  17 +-
 drivers/usb/host/xhci-pci.c                        |   3 +
 drivers/usb/host/xhci.c                            |   3 +
 drivers/usb/host/xhci.h                            |   1 +
 drivers/usb/misc/ldusb.c                           |   6 +
 drivers/usb/mon/mon_text.c                         | 124 +++--
 drivers/usb/serial/Kconfig                         |   3 +
 drivers/usb/serial/io_edgeport.c                   |   1 -
 drivers/usb/serial/option.c                        |   5 +
 drivers/usb/serial/pl2303.c                        |   1 +
 drivers/usb/serial/pl2303.h                        |   1 +
 drivers/usb/serial/usb-serial-simple.c             |  26 +-
 drivers/usb/storage/uas.c                          |  22 +-
 drivers/usb/storage/unusual_devs.h                 |   7 +
 drivers/vhost/net.c                                |   1 +
 drivers/video/console/dummycon.c                   |   1 -
 drivers/video/fbdev/atmel_lcdfb.c                  |  10 +-
 drivers/video/fbdev/sbuslib.c                      |   4 +-
 drivers/xen/events/events_base.c                   |   4 +-
 drivers/xen/manage.c                               |   9 +-
 fs/aio.c                                           | 134 +++--
 fs/btrfs/backref.c                                 |  11 +-
 fs/btrfs/inode.c                                   |  44 +-
 fs/btrfs/sysfs.c                                   |   6 +-
 fs/btrfs/transaction.c                             |  20 +-
 fs/btrfs/tree-log.c                                |  14 +-
 fs/btrfs/volumes.c                                 |  11 +-
 fs/cifs/cifsencrypt.c                              |   3 +-
 fs/cifs/cifssmb.c                                  |   4 +-
 fs/cifs/connect.c                                  |   4 +-
 fs/cifs/file.c                                     |  26 +-
 fs/cifs/misc.c                                     |  14 +-
 fs/cifs/smb2pdu.c                                  |   6 +-
 fs/dcache.c                                        |  11 +-
 fs/ext4/balloc.c                                   |  17 +-
 fs/ext4/ialloc.c                                   |   6 +
 fs/ext4/inode.c                                    |   6 +
 fs/ext4/super.c                                    |   1 +
 fs/f2fs/segment.c                                  |   5 +-
 fs/hugetlbfs/inode.c                               |  26 +-
 fs/jffs2/fs.c                                      |   1 -
 fs/kernfs/file.c                                   |   2 +-
 fs/namei.c                                         |   5 +-
 fs/ncpfs/ncplib_kernel.c                           |   4 +
 fs/nfs/direct.c                                    |   4 +-
 fs/nfs/idmap.c                                     |   6 +-
 fs/nfs/internal.h                                  |   1 -
 fs/nfs/nfs4sysctl.c                                |   2 +-
 fs/nfs/pagelist.c                                  |  26 +-
 fs/nfs/pnfs.c                                      |   6 +-
 fs/nfs/super.c                                     |   2 +
 fs/nfs/write.c                                     |   2 +
 fs/ocfs2/cluster/nodemanager.c                     |  63 ++-
 fs/pipe.c                                          | 198 ++++---
 include/crypto/hash.h                              |  34 +-
 include/crypto/internal/hash.h                     |   2 +
 include/drm/drm_crtc_helper.h                      |   1 +
 include/linux/crypto.h                             |   8 +
 include/linux/fs.h                                 |   4 +
 include/linux/libata.h                             |   1 +
 include/linux/mlx5/driver.h                        |   4 +-
 include/linux/mmc/sdhci.h                          |   1 +
 include/linux/nospec.h                             |   3 +-
 include/linux/pipe_fs_i.h                          |   4 +-
 include/linux/skbuff.h                             |  17 +
 include/linux/usb/quirks.h                         |   3 +
 include/linux/workqueue.h                          |   1 +
 include/net/ip.h                                   |  11 +-
 include/net/ip_fib.h                               |   1 +
 include/net/regulatory.h                           |   2 +-
 include/net/route.h                                |   3 +-
 include/net/sch_generic.h                          |   8 +
 include/net/sctp/sctp.h                            |   7 +-
 include/net/udplite.h                              |   1 +
 include/scsi/libsas.h                              |  33 +-
 include/scsi/scsi_transport_sas.h                  |   1 +
 include/uapi/linux/if_ether.h                      |   3 +
 include/uapi/linux/usb/audio.h                     |   4 +-
 include/xen/xen-ops.h                              |   1 +
 kernel/async.c                                     |  20 +-
 kernel/events/hw_breakpoint.c                      |  30 +-
 kernel/hrtimer.c                                   |   7 +-
 kernel/posix-timers.c                              |  15 +-
 kernel/relay.c                                     |   2 +-
 kernel/sysctl.c                                    |  33 +-
 kernel/trace/trace_kprobe.c                        |   4 +-
 kernel/trace/trace_probe.c                         |   8 +-
 kernel/trace/trace_probe.h                         |   2 +-
 kernel/workqueue.c                                 |  16 +
 mm/hugetlb.c                                       |   9 +
 mm/madvise.c                                       |   3 +-
 mm/memory.c                                        |   2 +-
 mm/mempolicy.c                                     |   3 +
 mm/vmscan.c                                        |  14 +-
 net/9p/trans_virtio.c                              |   3 +-
 net/batman-adv/bat_iv_ogm.c                        |  16 +-
 net/batman-adv/distributed-arp-table.c             |   2 +-
 net/batman-adv/fragmentation.c                     |   3 +-
 net/batman-adv/gateway_client.c                    |   3 +
 net/batman-adv/hard-interface.c                    |   9 +-
 net/batman-adv/multicast.c                         |   4 +-
 net/batman-adv/originator.c                        |   4 +-
 net/batman-adv/originator.h                        |   4 +-
 net/batman-adv/routing.c                           |  21 +-
 net/batman-adv/soft-interface.c                    |   8 +-
 net/batman-adv/types.h                             |   9 +-
 net/bluetooth/hidp/core.c                          |   3 +-
 net/bridge/br_sysfs_if.c                           |   3 +
 net/bridge/netfilter/ebt_among.c                   |  55 +-
 net/bridge/netfilter/ebtables.c                    |  17 +-
 net/core/dev.c                                     |  13 +-
 net/core/skbuff.c                                  |  11 +-
 net/dccp/proto.c                                   |   5 +
 net/decnet/af_decnet.c                             |  62 ++-
 net/ipv4/igmp.c                                    |   4 +
 net/ipv4/ip_sockglue.c                             |  21 +-
 net/ipv4/ip_tunnel.c                               |  30 +-
 net/ipv4/ip_vti.c                                  |   2 -
 net/ipv4/netfilter/ipt_CLUSTERIP.c                 |  24 +-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |   6 +-
 net/ipv4/route.c                                   | 114 ++--
 net/ipv4/udp.c                                     |   5 +
 net/ipv4/xfrm4_policy.c                            |   1 +
 net/ipv6/ip6_checksum.c                            |   5 +
 net/ipv6/ip6_output.c                              |  13 +-
 net/ipv6/ipv6_sockglue.c                           |  27 +-
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c     |  18 +-
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c           |   4 +
 net/l2tp/l2tp_core.c                               | 202 +++----
 net/l2tp/l2tp_core.h                               |  26 +-
 net/l2tp/l2tp_ip.c                                 |  10 +-
 net/l2tp/l2tp_ip6.c                                |   8 +-
 net/l2tp/l2tp_ppp.c                                | 126 ++---
 net/mac80211/cfg.c                                 |   2 +-
 net/netfilter/nf_nat_proto_common.c                |   7 +-
 net/netfilter/xt_IDLETIMER.c                       |   9 +-
 net/netfilter/xt_LED.c                             |  12 +-
 net/netfilter/xt_RATEEST.c                         |  22 +-
 net/netlink/af_netlink.c                           |   3 +
 net/netlink/genetlink.c                            |  12 +-
 net/nfc/llcp_commands.c                            |   4 +
 net/nfc/netlink.c                                  |   3 +-
 net/sched/sch_netem.c                              |   6 +-
 net/sctp/sm_make_chunk.c                           |   8 +-
 net/xfrm/xfrm_user.c                               |  21 +-
 security/integrity/ima/ima_appraise.c              |   3 +-
 sound/core/oss/pcm_oss.c                           |   4 +-
 sound/core/pcm_native.c                            |   2 +-
 sound/core/seq/seq_clientmgr.c                     |  29 +-
 sound/core/seq/seq_fifo.c                          |   2 +-
 sound/core/seq/seq_memory.c                        |  14 +-
 sound/core/seq/seq_memory.h                        |   3 +-
 sound/core/seq/seq_prioq.c                         |  28 +-
 sound/core/seq/seq_prioq.h                         |   6 +-
 sound/core/seq/seq_queue.c                         |  28 +-
 sound/drivers/aloop.c                              |  17 +-
 sound/pci/hda/patch_realtek.c                      |  25 +-
 sound/soc/au1x/ac97c.c                             |   6 +-
 sound/soc/codecs/rt5651.c                          |   1 +
 sound/soc/nuc900/nuc900-ac97.c                     |   4 +-
 sound/usb/pcm.c                                    |   9 +
 sound/usb/quirks-table.h                           |  47 ++
 tools/perf/builtin-record.c                        |  13 +
 tools/perf/util/annotate.c                         |   8 +-
 tools/perf/util/evlist.c                           |  28 +
 tools/perf/util/evlist.h                           |   3 +
 tools/perf/util/session.c                          |   3 +-
 .../testing/selftests/rcutorture/bin/configinit.sh |   2 +-
 tools/testing/selftests/rcutorture/bin/kvm.sh      |   4 +-
 virt/kvm/kvm_main.c                                |   3 +-
 374 files changed, 3739 insertions(+), 2144 deletions(-)

-- 
Ben Hutchings
The most exhausting thing in life is being insincere.
                                                 - Anne Morrow Lindberg


* [PATCH 3.16 001/410] MIPS: Normalise code flow in the CpU exception handler
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 407/410] RDMA/ucma: Check that device is connected prior to access it Ben Hutchings
                   ` (408 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ralf Baechle, Maciej W. Rozycki, linux-mips

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@linux-mips.org>

commit 27e28e8ec47a5ce335ebf25d34ca356c80635908 upstream.

Changes applied to `do_cpu' over time reduced the use of the SIGILL
issued with `force_sig' at the end to a single CU3 case only in the
switch statement there.  Move that `force_sig' call over to right where
required then and toss out the pile of gotos now not needed to skip over
the call, replacing them with regular breaks out of the switch.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9683/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/traps.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -1247,7 +1247,7 @@ asmlinkage void do_cpu(struct pt_regs *r
 		status = -1;
 
 		if (unlikely(compute_return_epc(regs) < 0))
-			goto out;
+			break;
 
 		if (get_isa16_mode(regs->cp0_epc)) {
 			unsigned short mmop[2] = { 0 };
@@ -1280,7 +1280,7 @@ asmlinkage void do_cpu(struct pt_regs *r
 			force_sig(status, current);
 		}
 
-		goto out;
+		break;
 
 	case 3:
 		/*
@@ -1296,8 +1296,10 @@ asmlinkage void do_cpu(struct pt_regs *r
 		 * erroneously too, so they are covered by this choice
 		 * as well.
 		 */
-		if (raw_cpu_has_fpu)
+		if (raw_cpu_has_fpu) {
+			force_sig(SIGILL, current);
 			break;
+		}
 		/* Fall through.  */
 
 	case 1:
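Review bot: the `force_sig(SIGILL, current)` added under `if (raw_cpu_has_fpu)` in `case 3` becomes the only place this switch raises SIGILL, while the last hunk deletes the unconditional call that used to follow the switch. The two are equivalent only if every value the switch can take has a `case` label; the hunks show cases 1, 2 and 3 but no `default:`, so a value matching none of the labels would now return through exception_exit() without any signal. A one-line comment stating that the cases are exhaustive, or an explicit `default:` that keeps the SIGILL, would make that assumption checkable.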
@@ -1320,16 +1322,13 @@ asmlinkage void do_cpu(struct pt_regs *r
 		if (!process_fpemu_return(sig, fault_addr, fcr31) && !err)
 			mt_ase_fp_affinity();
 
-		goto out;
+		break;
 
 	case 2:
 		raw_notifier_call_chain(&cu2_chain, CU2_EXCEPTION, regs);
-		goto out;
+		break;
 	}
 
-	force_sig(SIGILL, current);
-
-out:
 	exception_exit(prev_state);
 }
 


* [PATCH 3.16 097/410] signal/sh: Ensure si_signo is initialized in do_divide_error
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
@ 2018-06-07 14:05   ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 407/410] RDMA/ucma: Check that device is connected prior to access it Ben Hutchings
                     ` (408 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Rich Felker, Eric W. Biederman, Paul Mundt, Yoshinori Sato,
	linux-sh

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 0e88bb002a9b2ee8cc3cc9478ce2dc126f849696 upstream.

Set si_signo.

Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Cc: Rich Felker <dalias@libc.org>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: linux-sh@vger.kernel.org
Fixes: 0983b31849bb ("sh: Wire up division and address error exceptions on SH-2A.")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sh/kernel/traps_32.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/sh/kernel/traps_32.c
+++ b/arch/sh/kernel/traps_32.c
@@ -607,7 +607,8 @@ asmlinkage void do_divide_error(unsigned
 		break;
 	}
 
-	force_sig_info(SIGFPE, &info, current);
+	info.si_signo = SIGFPE;
+	force_sig_info(info.si_signo, &info, current);
 }
 #endif
 


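Review bot: setting `info.si_signo` just before `force_sig_info()` fixes one field, but the hunk does not show `info` being zeroed, and the preceding switch ends in a plain `break`, so any member the switch does not assign (si_errno, for instance) is still whatever was on the stack when the struct is handed to the signal code. If the declaration is a bare `siginfo_t info;`, clear the struct first (memset or an empty initializer) so that nothing uninitialized can reach user space. The commit message, "Set si_signo.", should also say what went wrong with the field unset.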

* [PATCH 3.16 267/410] arm64: do not use print_symbol()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                     ` (2 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 141/410] nfs: Do not convert nfs_idmap_cache_timeout to jiffies Ben Hutchings
@ 2018-06-07 14:05   ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 386/410] MIPS: ralink: Remove ralink_halt() Ben Hutchings
                     ` (405 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-arm-kernel

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>

commit 4ef7963843d3243260aa335dfb9cb2fede06aacf upstream.

print_symbol() is a very old API that has been obsoleted by the %pS format
specifier in a normal printk() call.

Replace print_symbol() with a direct printk("%pS") call.

Link: http://lkml.kernel.org/r/20171211125025.2270-3-sergey.senozhatsky@gmail.com
To: Andrew Morton <akpm@linux-foundation.org>
To: Russell King <linux@armlinux.org.uk>
To: Catalin Marinas <catalin.marinas@arm.com>
To: Mark Salter <msalter@redhat.com>
To: Tony Luck <tony.luck@intel.com>
To: David Howells <dhowells@redhat.com>
To: Yoshinori Sato <ysato@users.sourceforge.jp>
To: Guan Xuetao <gxt@mprc.pku.edu.cn>
To: Borislav Petkov <bp@alien8.de>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Thomas Gleixner <tglx@linutronix.de>
To: Peter Zijlstra <peterz@infradead.org>
To: Vineet Gupta <vgupta@synopsys.com>
To: Fengguang Wu <fengguang.wu@intel.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: LKML <linux-kernel@vger.kernel.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-c6x-dev@linux-c6x.org
Cc: linux-ia64@vger.kernel.org
Cc: linux-am33-list@redhat.com
Cc: linux-sh@vger.kernel.org
Cc: linux-edac@vger.kernel.org
Cc: x86@kernel.org
Cc: linux-snps-arc@lists.infradead.org
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
[pmladek@suse.com: updated commit message]
Signed-off-by: Petr Mladek <pmladek@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/process.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -31,7 +31,6 @@
 #include <linux/delay.h>
 #include <linux/reboot.h>
 #include <linux/interrupt.h>
-#include <linux/kallsyms.h>
 #include <linux/init.h>
 #include <linux/cpu.h>
 #include <linux/elfcore.h>
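Review bot: dropping `#include <linux/kallsyms.h>` is only safe if print_symbol() was the last kallsyms user in process.c. The commit is marked "Backported to 3.16: adjust context", so the 3.16 file differs from upstream; it is worth confirming with a build, and a grep for other kallsyms helpers in this file, that nothing else relied on the header directly rather than through another include.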
@@ -198,8 +197,8 @@ void __show_regs(struct pt_regs *regs)
 	}
 
 	show_regs_print_info(KERN_DEFAULT);
-	print_symbol("pc : %s\n", regs->pc);
-	print_symbol("lr : %s\n", lr);
+	printk("pc : %pS\n", (void *)regs->pc);
+	printk("lr : %pS\n", (void *)lr);
 	printk("sp : %016llx pstate : %08llx\n", sp, regs->pstate);
 	for (i = top_reg; i >= 0; i--) {
 		printk("x%-2d: %016llx ", i, regs->regs[i]);



* [PATCH 3.16 014/410] cifs: empty TargetInfo leads to crash on recovery
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
@ 2018-06-07 14:05   ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 407/410] RDMA/ucma: Check that device is connected prior to access it Ben Hutchings
                     ` (408 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, linux-cifs, Dan Aloni

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Aloni <dan@kernelim.com>

commit cabfb3680f78981d26c078a26e5c748531257ebb upstream.

[ resend from Oct 20, 2014, see [1] ]

A trivially patched Samba server (see [2] [3]) can cause a remote kernel
crash (see [4]) in a client's CIFS kernel module upon session recovery,
under kernels prior to v4.11.  The server patch can be made by a single
source line modification - returning an empty TargetInfo in an NTLMSSP
setup negotiation response.

To reproduce at the client side, the CIFS client can be instructed to
mount with SMB 2.0, on a share without user/password credentials, e.g:

     mount -t cifs //[host]/[share] -o vers=2.0,guest [mountpoint]

(It may also reproduce with credentials, but I used a simpler
 configuration for the reproduction)

A demo patch to Samba 4.7.4 is provided in the links provided.

As for the client crash itself:

When the session is recovered (after a server start/stop, for example),
the following condition turns out to be true:

     ses->auth_key.len != 0  &&  ses->auth_key.response == NULL

This will cause the following memcpy() in setup_ntlmv2_rsp() to GPF,
because tiblob == NULL and tilen != 0 (these are the old auth_key values):

     memcpy(ses->auth_key.response + baselen, tiblob, tilen);

By bisecting, upstream commit cabfb3680f78 ("CIFS: Enable encryption
during session setup phase") from v4.11 has fixed this issue.

According to my tests, LTS kernels versions 4.4.x and 4.9.x are affected.
The patch below applies to 4.4.x; however, a similar patch can be applied
to 4.9.x and older kernels.

Signed-off-by: Dan Aloni <dan@kernelim.com>
CC: Steve French <sfrench@samba.org>
CC: linux-cifs@vger.kernel.org
CC: linux-kernel@vger.kernel.org

[1]
https://patchwork.kernel.org/patch/5106391/

[2] (temporary url)
http://copr-dist-git.fedorainfracloud.org/cgit/alonid/samba-for-client-crash-repro/samba.git/tree/0001-Patch.patch?id=43229c84abe008bfc11aa86f5bacb03a1e54f88c

[3] (temporary url)
https://copr.fedorainfracloud.org/coprs/alonid/samba-for-client-crash-repro/

[4]
[ 3414.518134] BUG: unable to handle kernel NULL pointer dereference at           (null)
[ 3414.518200] IP: memcpy_erms+0x6/0x10
[ 3414.518227] PGD 0

[ 3414.518252] Oops: 0000 [#1] SMP
[ 3414.518272] Modules linked in: arc4 md4 cifs rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables snd_hda_codec_generic ppdev snd_hda_intel snd_hda_codec crct10dif_pclmul crc32_pclmul snd_hwdep snd_hda_core ghash_clmulni_intel snd_seq snd_seq_device snd_pcm joydev parport_pc tpm_tis parport tpm_tis_core tpm snd_timer snd soundcore qemu_fw_cfg virtio_balloon i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc
  xfs libcrc32c
[ 3414.518708]  virtio_blk virtio_console virtio_net qxl drm_kms_helper ttm crc32c_intel drm ata_generic nvme serio_raw nvme_core virtio_pci virtio_ring virtio pata_acpi
[ 3414.518803] CPU: 3 PID: 1697 Comm: kworker/3:1 Not tainted 4.10.0-rc6-dan-00097-ge765a3d89ede #20
[ 3414.518852] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
[ 3414.518927] Workqueue: cifsiod smb2_reconnect_server [cifs]
[ 3414.518960] task: ffff8cc6764a4000 task.stack: ffff9bc548808000
[ 3414.518997] RIP: 0010:memcpy_erms+0x6/0x10
[ 3414.519021] RSP: 0018:ffff9bc54880bbc8 EFLAGS: 00010296
[ 3414.519051] RAX: ffff8cc6ba00d8dc RBX: ffff8cc676190400 RCX: 0000000000000010
[ 3414.519091] RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8cc6ba00d8dc
[ 3414.519130] RBP: ffff9bc54880bc30 R08: ffff9bc54880bb58 R09: ffff9bc54880bb58
[ 3414.519170] R10: 000000004619520e R11: 00000000f46cd8cf R12: 0000000000000000
[ 3414.519209] R13: 0000000000000000 R14: ffff8cc6ba00d8a0 R15: 0000000000000010
[ 3414.519250] FS:  0000000000000000(0000) GS:ffff8cc6bfd80000(0000) knlGS:0000000000000000
[ 3414.519314] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3414.519347] CR2: 0000000000000000 CR3: 000000007992a000 CR4: 00000000003406e0
[ 3414.519392] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3414.519431] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3414.519470] Call Trace:
[ 3414.519510]  ? setup_ntlmv2_rsp+0x124/0xa10 [cifs]
[ 3414.519553]  build_ntlmssp_auth_blob+0x36/0x310 [cifs]
[ 3414.519597]  SMB2_sess_auth_rawntlmssp_authenticate+0xc7/0x300 [cifs]
[ 3414.519646]  SMB2_sess_setup+0x9a/0x140 [cifs]
[ 3414.519685]  cifs_setup_session+0x78/0x100 [cifs]
[ 3414.519722]  ? cifs_negotiate_protocol+0x84/0xd0 [cifs]
[ 3414.519763]  smb2_reconnect+0x308/0x3e0 [cifs]
[ 3414.519793]  ? __internal_add_timer+0x1f/0x60
[ 3414.519831]  smb2_reconnect_server+0x187/0x260 [cifs]
[ 3414.519863]  process_one_work+0x19e/0x440
[ 3414.519887]  worker_thread+0x4e/0x4a0
[ 3414.519910]  ? process_one_work+0x440/0x440
[ 3414.519936]  kthread+0x11e/0x140
[ 3414.520493]  ? kthread_park+0x90/0x90
[ 3414.520989]  ret_from_fork+0x2c/0x40
[ 3414.521450] Code: 78 ff ff ff 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
[ 3414.522488] RIP: memcpy_erms+0x6/0x10 RSP: ffff9bc54880bbc8
[ 3414.522964] CR2: 0000000000000000
[ 3414.526127] ---[ end trace bbe4aa1e45cc6c17 ]---
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2pdu.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -596,6 +596,7 @@ SMB2_sess_setup(const unsigned int xid,
 	 */
 	kfree(ses->auth_key.response);
 	ses->auth_key.response = NULL;
+	ses->auth_key.len = 0;
 
 	/*
 	 * If memory allocation is successful, caller of this function
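Review bot: `ses->auth_key.len = 0;` has to follow every `kfree(ses->auth_key.response)` for the fix to hold, and this patch repeats the free, NULL, zero sequence by hand at three sites in smb2pdu.c. A small helper that does all three would keep the pointer and the length from drifting apart again at a site added later, and since the diffstat shows only this one file changed, any other place in fs/cifs that frees the response needs the same check. Because the crash in the commit message is the `memcpy(ses->auth_key.response + baselen, tiblob, tilen)` in setup_ntlmv2_rsp(), a guard there on `tiblob` being NULL with a non-zero `tilen` would also keep a server reply from turning into a NULL dereference if the invariant is broken some other way.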
@@ -756,6 +757,7 @@ ssetup_exit:
 			rc = server->ops->generate_signingkey(ses);
 			kfree(ses->auth_key.response);
 			ses->auth_key.response = NULL;
+			ses->auth_key.len = 0;
 			if (rc) {
 				cifs_dbg(FYI,
 					"SMB3 session key generation failed\n");
@@ -780,6 +782,7 @@ keygen_exit:
 	if (!server->sign) {
 		kfree(ses->auth_key.response);
 		ses->auth_key.response = NULL;
+		ses->auth_key.len = 0;
 	}
 	kfree(ses->ntlmssp);
 


* [PATCH 3.16 192/410] firmware: dmi_scan: Fix handling of empty DMI strings
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (260 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 140/410] mtd: ubi: wl: Fix error return code in ubi_wl_init() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 005/410] sctp: Fix mangled IPv4 addresses on a IPv6 listening socket Ben Hutchings
                   ` (147 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Parag Warudkar, Ingo Molnar, Jean Delvare, Thomas Gleixner

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jean Delvare <jdelvare@suse.de>

commit a7770ae194569e96a93c48aceb304edded9cc648 upstream.

The handling of empty DMI strings looks quite broken to me:
* Strings from 1 to 7 spaces are not considered empty.
* True empty DMI strings (string index set to 0) are not considered
  empty, and result in allocating a 0-char string.
* Strings with invalid index also result in allocating a 0-char
  string.
* Strings starting with 8 spaces are all considered empty, even if
  non-space characters follow (sounds like a weird thing to do, but
  I have actually seen occurrences of this in DMI tables before.)
* Strings which are considered empty are reported as 8 spaces,
  instead of being actually empty.

Some of these issues are the result of an off-by-one error in memcmp,
the rest is incorrect by design.

So let's get it square: missing strings and strings made of only
spaces, regardless of their length, should be treated as empty and
no memory should be allocated for them. All other strings are
non-empty and should be allocated.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Fixes: 79da4721117f ("x86: fix DMI out of memory problems")
Cc: Parag Warudkar <parag.warudkar@gmail.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/firmware/dmi_scan.c | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

--- a/drivers/firmware/dmi_scan.c
+++ b/drivers/firmware/dmi_scan.c
@@ -15,7 +15,7 @@
  * of and an antecedent to, SMBIOS, which stands for System
  * Management BIOS.  See further: http://www.dmtf.org/standards
  */
-static const char dmi_empty_string[] = "        ";
+static const char dmi_empty_string[] = "";
 
 static u16 __initdata dmi_ver;
 /*
@@ -36,25 +36,21 @@ static int dmi_memdev_nr;
 static const char * __init dmi_string_nosave(const struct dmi_header *dm, u8 s)
 {
 	const u8 *bp = ((u8 *) dm) + dm->length;
+	const u8 *nsp;
 
 	if (s) {
-		s--;
-		while (s > 0 && *bp) {
+		while (--s > 0 && *bp)
 			bp += strlen(bp) + 1;
-			s--;
-		}
 
-		if (*bp != 0) {
-			size_t len = strlen(bp)+1;
-			size_t cmp_len = len > 8 ? 8 : len;
-
-			if (!memcmp(bp, dmi_empty_string, cmp_len))
-				return dmi_empty_string;
+		/* Strings containing only spaces are considered empty */
+		nsp = bp;
+		while (*nsp == ' ')
+			nsp++;
+		if (*nsp != '\0')
 			return bp;
-		}
 	}
 
-	return "";
+	return dmi_empty_string;
 }
 
 static const char * __init dmi_string(const struct dmi_header *dm, u8 s)
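Review bot: both `bp += strlen(bp) + 1` and the new `while (*nsp == ' ')` scan walk firmware-supplied bytes until they meet a NUL, and dmi_string_nosave() receives only `dm` and the index `s`, so nothing here bounds the walk to the end of the table. A string area that is missing its terminators would be read past the mapped structure. That predates this patch, but since the function is being rewritten it is the natural place to pass in the remaining length and stop at it. Separately, a string with leading spaces followed by other characters is returned from `bp`, leading spaces included; the commit message implies that is intended, and a word in the new comment would make it explicit.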


* [PATCH 3.16 181/410] netfilter: on sockopt() acquire sock lock only in the required scope
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (126 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 205/410] pipe: make account_pipe_buffers() return a value, and use it Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 074/410] HID: add quirk for another PIXART OEM mouse used by HP Ben Hutchings
                   ` (281 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot+a4c2dc980ac1af699b36, Pablo Neira Ayuso,
	Florian Westphal, Paolo Abeni

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 3f34cfae1238848fd53f25e5c8fd59da57901f4b upstream.

Syzbot reported several deadlocks in the netfilter area caused by
rtnl lock and socket lock being acquired with a different order on
different code paths, leading to backtraces like the following one:

======================================================
WARNING: possible circular locking dependency detected
4.15.0-rc9+ #212 Not tainted
------------------------------------------------------
syzkaller041579/3682 is trying to acquire lock:
  (sk_lock-AF_INET6){+.+.}, at: [<000000008775e4dd>] lock_sock
include/net/sock.h:1463 [inline]
  (sk_lock-AF_INET6){+.+.}, at: [<000000008775e4dd>]
do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167

but task is already holding lock:
  (rtnl_mutex){+.+.}, at: [<000000004342eaa9>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:74

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (rtnl_mutex){+.+.}:
        __mutex_lock_common kernel/locking/mutex.c:756 [inline]
        __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
        mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
        rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
        register_netdevice_notifier+0xad/0x860 net/core/dev.c:1607
        tee_tg_check+0x1a0/0x280 net/netfilter/xt_TEE.c:106
        xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
        check_target net/ipv6/netfilter/ip6_tables.c:538 [inline]
        find_check_entry.isra.7+0x935/0xcf0
net/ipv6/netfilter/ip6_tables.c:580
        translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:749
        do_replace net/ipv6/netfilter/ip6_tables.c:1165 [inline]
        do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1691
        nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
        nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
        ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
        udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
        sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
        SYSC_setsockopt net/socket.c:1849 [inline]
        SyS_setsockopt+0x189/0x360 net/socket.c:1828
        entry_SYSCALL_64_fastpath+0x29/0xa0

-> #0 (sk_lock-AF_INET6){+.+.}:
        lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
        lock_sock_nested+0xc2/0x110 net/core/sock.c:2780
        lock_sock include/net/sock.h:1463 [inline]
        do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
        ipv6_setsockopt+0xd7/0x150 net/ipv6/ipv6_sockglue.c:922
        udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
        sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
        SYSC_setsockopt net/socket.c:1849 [inline]
        SyS_setsockopt+0x189/0x360 net/socket.c:1828
        entry_SYSCALL_64_fastpath+0x29/0xa0

other info that might help us debug this:

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(rtnl_mutex);
                                lock(sk_lock-AF_INET6);
                                lock(rtnl_mutex);
   lock(sk_lock-AF_INET6);

  *** DEADLOCK ***

1 lock held by syzkaller041579/3682:
  #0:  (rtnl_mutex){+.+.}, at: [<000000004342eaa9>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:74

The problem, as Florian noted, is that nf_setsockopt() is always
called with the socket held, even if the lock itself is required only
for very tight scopes and only for some operation.

This patch addresses the issues moving the lock_sock() call only
where really needed, namely in ipv*_getorigdst(), so that nf_setsockopt()
does not need anymore to acquire both locks.

Fixes: 22265a5c3c10 ("netfilter: xt_TEE: resolve oif using netdevice notifiers")
Reported-by: syzbot+a4c2dc980ac1af699b36@syzkaller.appspotmail.com
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/ip_sockglue.c                         | 14 ++++----------
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  6 +++++-
 net/ipv6/ipv6_sockglue.c                       | 17 +++++------------
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18 ++++++++++++------
 4 files changed, 26 insertions(+), 29 deletions(-)

--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1106,11 +1106,8 @@ int ip_setsockopt(struct sock *sk, int l
 	if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
 			optname != IP_IPSEC_POLICY &&
 			optname != IP_XFRM_POLICY &&
-			!ip_mroute_opt(optname)) {
-		lock_sock(sk);
+			!ip_mroute_opt(optname))
 		err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
-		release_sock(sk);
-	}
 #endif
 	return err;
 }
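
Review bot: dropping lock_sock()/release_sock() around nf_setsockopt() in ip_setsockopt() means every netfilter setsockopt handler reached from here now runs without the socket lock, yet the only place this patch adds locking is getorigdst()/ipv6_getorigdst(). The changelog should say that the remaining handlers were checked and do not depend on the caller holding the lock, so a later reader does not have to redo that audit.
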
@@ -1135,12 +1132,9 @@ int compat_ip_setsockopt(struct sock *sk
 	if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
 			optname != IP_IPSEC_POLICY &&
 			optname != IP_XFRM_POLICY &&
-			!ip_mroute_opt(optname)) {
-		lock_sock(sk);
-		err = compat_nf_setsockopt(sk, PF_INET, optname,
-					   optval, optlen);
-		release_sock(sk);
-	}
+			!ip_mroute_opt(optname))
+		err = compat_nf_setsockopt(sk, PF_INET, optname, optval,
+					   optlen);
 #endif
 	return err;
 }
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -269,15 +269,19 @@ getorigdst(struct sock *sk, int optval,
 	struct nf_conntrack_tuple tuple;
 
 	memset(&tuple, 0, sizeof(tuple));
+
+	lock_sock(sk);
 	tuple.src.u3.ip = inet->inet_rcv_saddr;
 	tuple.src.u.tcp.port = inet->inet_sport;
 	tuple.dst.u3.ip = inet->inet_daddr;
 	tuple.dst.u.tcp.port = inet->inet_dport;
 	tuple.src.l3num = PF_INET;
 	tuple.dst.protonum = sk->sk_protocol;
+	release_sock(sk);
 
 	/* We only do TCP and SCTP at the moment: is there a better way? */
-	if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) {
+	if (tuple.dst.protonum != IPPROTO_TCP &&
+	    tuple.dst.protonum != IPPROTO_SCTP) {
 		pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");
 		return -ENOPROTOOPT;
 	}
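
Review bot: getorigdst() now calls lock_sock(sk) itself, but the outer locks removed by this patch are all on the setsockopt side, while this function serves the SO_ORIGINAL_DST lookup named in the pr_debug. lock_sock() does not nest, so if the getsockopt caller still takes the socket lock around the netfilter handler this will hang on the first call; please confirm that path does not hold the lock, or drop it in the same patch. Testing tuple.dst.protonum instead of sk->sk_protocol after release_sock() is the right way round, since it uses the value snapshotted under the lock.
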
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -871,12 +871,8 @@ int ipv6_setsockopt(struct sock *sk, int
 #ifdef CONFIG_NETFILTER
 	/* we need to exclude all possible ENOPROTOOPTs except default case */
 	if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
-			optname != IPV6_XFRM_POLICY) {
-		lock_sock(sk);
-		err = nf_setsockopt(sk, PF_INET6, optname, optval,
-				optlen);
-		release_sock(sk);
-	}
+			optname != IPV6_XFRM_POLICY)
+		err = nf_setsockopt(sk, PF_INET6, optname, optval, optlen);
 #endif
 	return err;
 }
@@ -907,12 +903,9 @@ int compat_ipv6_setsockopt(struct sock *
 #ifdef CONFIG_NETFILTER
 	/* we need to exclude all possible ENOPROTOOPTs except default case */
 	if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
-	    optname != IPV6_XFRM_POLICY) {
-		lock_sock(sk);
-		err = compat_nf_setsockopt(sk, PF_INET6, optname,
-					   optval, optlen);
-		release_sock(sk);
-	}
+	    optname != IPV6_XFRM_POLICY)
+		err = compat_nf_setsockopt(sk, PF_INET6, optname, optval,
+					   optlen);
 #endif
 	return err;
 }
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -240,20 +240,27 @@ static struct nf_hook_ops ipv6_conntrack
 static int
 ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len)
 {
-	const struct inet_sock *inet = inet_sk(sk);
+	struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
 	const struct ipv6_pinfo *inet6 = inet6_sk(sk);
+	const struct inet_sock *inet = inet_sk(sk);
 	const struct nf_conntrack_tuple_hash *h;
 	struct sockaddr_in6 sin6;
-	struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
 	struct nf_conn *ct;
+	__be32 flow_label;
+	int bound_dev_if;
 
+	lock_sock(sk);
 	tuple.src.u3.in6 = sk->sk_v6_rcv_saddr;
 	tuple.src.u.tcp.port = inet->inet_sport;
 	tuple.dst.u3.in6 = sk->sk_v6_daddr;
 	tuple.dst.u.tcp.port = inet->inet_dport;
 	tuple.dst.protonum = sk->sk_protocol;
+	bound_dev_if = sk->sk_bound_dev_if;
+	flow_label = inet6->flow_label;
+	release_sock(sk);
 
-	if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP)
+	if (tuple.dst.protonum != IPPROTO_TCP &&
+	    tuple.dst.protonum != IPPROTO_SCTP)
 		return -ENOPROTOOPT;
 
 	if (*len < 0 || (unsigned int) *len < sizeof(sin6))
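
Review bot: bound_dev_if and flow_label are copied into locals under lock_sock() with nothing in ipv6_getorigdst() saying they are snapshots meant for use after release_sock(). A one-line comment above the lock_sock(sk) call would stop a later cleanup from going back to reading sk->sk_bound_dev_if and inet6->flow_label directly. Moving the tuple and inet declarations is unrelated reordering and makes the backport harder to compare against the fix itself.
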
@@ -271,14 +278,13 @@ ipv6_getorigdst(struct sock *sk, int opt
 
 	sin6.sin6_family = AF_INET6;
 	sin6.sin6_port = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.tcp.port;
-	sin6.sin6_flowinfo = inet6->flow_label & IPV6_FLOWINFO_MASK;
+	sin6.sin6_flowinfo = flow_label & IPV6_FLOWINFO_MASK;
 	memcpy(&sin6.sin6_addr,
 		&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.in6,
 					sizeof(sin6.sin6_addr));
 
 	nf_ct_put(ct);
-	sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr,
-						 sk->sk_bound_dev_if);
+	sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr, bound_dev_if);
 	return copy_to_user(user, &sin6, sizeof(sin6)) ? -EFAULT : 0;
 }
 


* [PATCH 3.16 149/410] usb: option: Add support for FS040U modem
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 269/410] arm64: Remove unimplemented syscall log message Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 396/410] tty: vt: fix up tabstops properly Ben Hutchings
                   ` (303 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, OKAMOTO Yoshiaki, Johan Hovold, Greg Kroah-Hartman,
	Hiroyuki Yamamoto

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: OKAMOTO Yoshiaki <yokamoto@allied-telesis.co.jp>

commit 69341bd15018da0a662847e210f9b2380c71e623 upstream.

FS040U modem is manufactured by omega, and sold by Fujisoft. This patch
adds ID of the modem to use option1 driver. Interface 3 is used as
qmi_wwan, so the interface is ignored.

Signed-off-by: Yoshiaki Okamoto <yokamoto@allied-telesis.co.jp>
Signed-off-by: Hiroyuki Yamamoto <hyamamo@allied-telesis.co.jp>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -385,6 +385,9 @@ static void option_instat_callback(struc
 #define FOUR_G_SYSTEMS_PRODUCT_W14		0x9603
 #define FOUR_G_SYSTEMS_PRODUCT_W100		0x9b01
 
+/* Fujisoft products */
+#define FUJISOFT_PRODUCT_FS040U			0x9b02
+
 /* iBall 3.5G connect wireless modem */
 #define IBALL_3_5G_CONNECT			0x9605
 
@@ -1908,6 +1911,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100),
 	  .driver_info = (kernel_ulong_t)&four_g_w100_blacklist
 	},
+	{USB_DEVICE(LONGCHEER_VENDOR_ID, FUJISOFT_PRODUCT_FS040U),
+	 .driver_info = (kernel_ulong_t)&net_intf3_blacklist},
 	{ USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) },
 	{ USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9801, 0xff),
 	  .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
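
Review bot: the new FS040U entry is formatted differently from its neighbours: it opens with "{USB_DEVICE(" with no space after the brace and closes with "}," directly after net_intf3_blacklist, where the entries around it use "{ USB_DEVICE(" and a spaced " }," . Match the surrounding style. It would also help to note next to FUJISOFT_PRODUCT_FS040U that the device is matched under LONGCHEER_VENDOR_ID, since the define sits under a "Fujisoft products" comment.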


* [PATCH 3.16 225/410] ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (273 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 076/410] media: cpia2: Fix a couple off by one bugs Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 039/410] x86/cpu: Rename "WESTMERE2" family to "NEHALEM_G" Ben Hutchings
                   ` (134 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Lassi Ylikojola

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lassi Ylikojola <lassi.ylikojola@gmail.com>

commit 5e35dc0338d85ccebacf3f77eca1e5dea73155e8 upstream.

Add quirk to ensure a sync endpoint is properly configured.
This patch is a fix for same symptoms on Behringer UFX1204 as patch
from Albertto Aquirre on Dec 8 2016 for Axe-Fx II.

Signed-off-by: Lassi Ylikojola <lassi.ylikojola@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/pcm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -348,6 +348,15 @@ static int set_sync_ep_implicit_fb_quirk
 
 		alts = &iface->altsetting[1];
 		goto add_sync_ep;
+	case USB_ID(0x1397, 0x0002):
+		ep = 0x81;
+		iface = usb_ifnum_to_if(dev, 1);
+
+		if (!iface || iface->num_altsetting == 0)
+			return -EINVAL;
+
+		alts = &iface->altsetting[1];
+		goto add_sync_ep;
 	}
 	if (attr == USB_ENDPOINT_SYNC_ASYNC &&
 	    altsd->bInterfaceClass == USB_CLASS_VENDOR_SPEC &&
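
Review bot: the new case checks iface->num_altsetting == 0 but then takes &iface->altsetting[1], which is only valid when num_altsetting is at least 2; a device that reports a single altsetting on interface 1 yields a pointer past the end of the array. The check should be num_altsetting < 2. The case label is also a bare USB_ID(0x1397, 0x0002) with no comment naming the Behringer UFX1204.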


* [PATCH 3.16 003/410] x86, microcode: Fix accessing dis_ucode_ldr on 32-bit
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 312/410] xen/pirq: fix error path cleanup when binding MSIs Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 157/410] usbip: list: don't list devices attached to vhci_hcd Ben Hutchings
                   ` (394 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Borislav Petkov, Richard Hendershot

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit 85be07c32496dc264661308e4d9d4e9ccaff8072 upstream.

We should be accessing it through a pointer, like on the BSP.

Tested-by: Richard Hendershot <rshendershot@mchsi.com>
Fixes: 65cef1311d5d ("x86, microcode: Add a disable chicken bit")
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/microcode/core_early.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/microcode/core_early.c
+++ b/arch/x86/kernel/cpu/microcode/core_early.c
@@ -124,7 +124,7 @@ void __init load_ucode_bsp(void)
 static bool check_loader_disabled_ap(void)
 {
 #ifdef CONFIG_X86_32
-	return __pa_nodebug(dis_ucode_ldr);
+	return *((bool *)__pa_nodebug(&dis_ucode_ldr));
 #else
 	return dis_ucode_ldr;
 #endif
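
Review bot: the CONFIG_X86_32 branch now dereferences a physical address cast to bool *, which is surprising to read with no comment; the reason only appears in the changelog as "like on the BSP". Add a short comment above the return saying why dis_ucode_ldr has to be read through __pa_nodebug() here. The changelog should also spell out that the old line returned the result of the address conversion itself rather than the flag's value, since that is the actual behaviour change.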


* [PATCH 3.16 240/410] crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (291 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 250/410] mm: hide a #warning for COMPILE_TEST Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 035/410] cdrom: information leak in cdrom_ioctl_media_changed() Ben Hutchings
                   ` (116 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Anand Moon, Kamil Konieczny, Krzysztof Kozlowski, Herbert Xu

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kamil Konieczny <k.konieczny@partner.samsung.com>

commit c927b080c67e3e97193c81fc1d27f4251bf4e036 upstream.

In AES-ECB mode crypt is done with key only, so any use of IV
can cause kernel Oops. Use IV only in AES-CBC and AES-CTR.

Signed-off-by: Kamil Konieczny <k.konieczny@partner.samsung.com>
Reported-by: Anand Moon <linux.amoon@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Tested-by: Anand Moon <linux.amoon@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/s5p-sss.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/drivers/crypto/s5p-sss.c
+++ b/drivers/crypto/s5p-sss.c
@@ -426,15 +426,21 @@ static void s5p_aes_crypt_start(struct s
 	uint32_t                    aes_control;
 	int                         err;
 	unsigned long               flags;
+	u8 *iv;
 
 	aes_control = SSS_AES_KEY_CHANGE_MODE;
 	if (mode & FLAGS_AES_DECRYPT)
 		aes_control |= SSS_AES_MODE_DECRYPT;
 
-	if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CBC)
+	if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CBC) {
 		aes_control |= SSS_AES_CHAIN_MODE_CBC;
-	else if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CTR)
+		iv = req->info;
+	} else if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CTR) {
 		aes_control |= SSS_AES_CHAIN_MODE_CTR;
+		iv = req->info;
+	} else {
+		iv = NULL; /* AES_ECB */
+	}
 
 	if (dev->ctx->keylen == AES_KEYSIZE_192)
 		aes_control |= SSS_AES_KEY_SIZE_192;
@@ -465,7 +471,7 @@ static void s5p_aes_crypt_start(struct s
 		goto outdata_error;
 
 	SSS_AES_WRITE(dev, AES_CONTROL, aes_control);
-	s5p_set_aes(dev, dev->ctx->aes_key, req->info, dev->ctx->keylen);
+	s5p_set_aes(dev, dev->ctx->aes_key, iv, dev->ctx->keylen);
 
 	s5p_set_dma_indata(dev,  req->src);
 	s5p_set_dma_outdata(dev, req->dst);
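
Review bot: s5p_set_aes() is now called with iv == NULL for ECB, but no hunk in this patch touches s5p_set_aes(), so the fix depends on that function skipping the IV write when the pointer is NULL. Since this is a backport with adjusted context, please confirm the 3.16 version of s5p_set_aes() has that check; if it copies from iv unconditionally, this turns a use of req->info into a NULL dereference. The else branch also treats every mode that is not CBC or CTR as ECB, which the /* AES_ECB */ comment should state as an assumption.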


* [PATCH 3.16 258/410] nospec: Allow index argument to have const-qualified type
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 342/410] ALSA: seq: Fix possible UAF in snd_seq_check_queue() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 082/410] ima: relax requiring a file signature for new files with zero length Ben Hutchings
                   ` (385 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Hansen, Greg Kroah-Hartman, Ingo Molnar,
	Rasmus Villemoes, Peter Zijlstra, Borislav Petkov,
	Andy Lutomirski, David Woodhouse, Dan Williams, Will Deacon,
	Thomas Gleixner, Linus Torvalds, linux-arch, Josh Poimboeuf,
	Arjan van de Ven

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit b98c6a160a057d5686a8c54c79cc6c8c94a7d0c8 upstream.

The last expression in a statement expression need not be a bare
variable, quoting gcc docs

  The last thing in the compound statement should be an expression
  followed by a semicolon; the value of this subexpression serves as the
  value of the entire construct.

and we already use that in e.g. the min/max macros which end with a
ternary expression.

This way, we can allow index to have const-qualified type, which will in
some cases avoid the need for introducing a local copy of index of
non-const qualified type. That, in turn, can prevent readers not
familiar with the internals of array_index_nospec from wondering about
the seemingly redundant extra variable, and I think that's worthwhile
considering how confusing the whole _nospec business is.

The expression _i&_mask has type unsigned long (since that is the type
of _mask, and the BUILD_BUG_ONs guarantee that _i will get promoted to
that), so in order not to change the type of the whole expression, add
a cast back to typeof(_i).

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/151881604837.17395.10812767547837568328.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/nospec.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -53,7 +53,6 @@ static inline unsigned long array_index_
 	BUILD_BUG_ON(sizeof(_i) > sizeof(long));			\
 	BUILD_BUG_ON(sizeof(_s) > sizeof(long));			\
 									\
-	_i &= _mask;							\
-	_i;								\
+	(typeof(_i)) (_i & _mask);					\
 })
 #endif /* _LINUX_NOSPEC_H */
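
Review bot: the (typeof(_i)) cast on the final expression has no comment, and the reason for it (the & with _mask yields unsigned long, so the cast restores the index's own type) is only in the changelog. A short comment above the last line of the macro would keep someone from dropping the cast as redundant.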


* [PATCH 3.16 136/410] usb: uas: unconditionally bring back host after reset
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (397 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 228/410] libata: fix length validation of ATAPI-relayed SCSI commands Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 148/410] staging: lustre: libcfs: Prevent harmless read underflow Ben Hutchings
                   ` (10 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Oliver Neukum, Hans de Goede

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit cbeef22fd611c4f47c494b821b2b105b8af970bb upstream.

Quoting Hans:

If we return 1 from our post_reset handler, then our disconnect handler
will be called immediately afterwards. Since pre_reset blocks all scsi
requests our disconnect handler will then hang in the scsi_remove_host
call.

This is esp. bad because our disconnect handler hanging for ever also
stops the USB subsys from enumerating any new USB devices, causes commands
like lsusb to hang, etc.

In practice this happens when unplugging some uas devices because the hub
code may see the device as needing a warm-reset and calls usb_reset_device
before seeing the disconnect. In this case uas_configure_endpoints fails
with -ENODEV. We do not want to print an error for this, so this commit
also silences the shost_printk for -ENODEV.

ENDQUOTE

However, if we do that we better drop any unconditional execution
and report to the SCSI subsystem that we have undergone a reset
but we are not operational now.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/uas.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -1195,20 +1195,19 @@ static int uas_post_reset(struct usb_int
 		return 0;
 
 	err = uas_configure_endpoints(devinfo);
-	if (err) {
+	if (err && err != ENODEV)
 		shost_printk(KERN_ERR, shost,
 			     "%s: alloc streams error %d after reset",
 			     __func__, err);
-		return 1;
-	}
 
+	/* we must unblock the host in every case lest we deadlock */
 	spin_lock_irqsave(shost->host_lock, flags);
 	scsi_report_bus_reset(shost, 0);
 	spin_unlock_irqrestore(shost->host_lock, flags);
 
 	scsi_unblock_requests(shost);
 
-	return 0;
+	return err ? 1 : 0;
 }
 
 static int uas_suspend(struct usb_interface *intf, pm_message_t message)
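
Review bot: the condition "err && err != ENODEV" compares against the positive constant, but the changelog says uas_configure_endpoints() fails with -ENODEV, so the message is still printed in exactly the case the patch wants to silence. It should read err != -ENODEV. Separately, the function now reports the bus reset and unblocks requests even when endpoint configuration failed and 1 is returned; the new comment explains the unblock, and one more line on why scsi_report_bus_reset() is still wanted on the error path would help.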


* [PATCH 3.16 130/410] console/dummy: leave .con_font_get set to NULL
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 384/410] RDMA/ucma: Correct option size check using optlen Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 294/410] l2tp: fix tunnel lookup use-after-free race Ben Hutchings
                   ` (351 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nicolas Pitre, Nicolas Pitre, Bartlomiej Zolnierkiewicz

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Pitre <nicolas.pitre@linaro.org>

commit 724ba8b30b044aa0d94b1cd374fc15806cdd6f18 upstream.

When this method is set, the caller expects struct console_font fields
to be properly initialized when it returns. Leave it unset otherwise
nonsensical (leaked kernel stack) values are returned to user space.

Signed-off-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/console/dummycon.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/video/console/dummycon.c
+++ b/drivers/video/console/dummycon.c
@@ -71,7 +71,6 @@ const struct consw dummy_con = {
     .con_switch =	DUMMY,
     .con_blank =	DUMMY,
     .con_font_set =	DUMMY,
-    .con_font_get =	DUMMY,
     .con_font_default =	DUMMY,
     .con_font_copy =	DUMMY,
     .con_set_palette =	DUMMY,
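
Review bot: removing .con_font_get leaves a gap in an initializer where every neighbouring hook is set to DUMMY, and nothing in dummycon.c records that the omission is deliberate. Add a comment at that spot saying the hook must stay NULL because DUMMY would return without filling in struct console_font, otherwise it is likely to be restored by a later tidy-up. The changelog should also state that the caller tolerates a NULL .con_font_get.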


* [PATCH 3.16 233/410] net: fix race on decreasing number of TX queues
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (184 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 025/410] ALSA: seq: Don't allow resizing pool in use Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 279/410] KVM: mmu: Fix overlap between public and private memslots Ben Hutchings
                   ` (223 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Jakub Kicinski

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <jakub.kicinski@netronome.com>

commit ac5b70198adc25c73fba28de4f78adcee8f6be0b upstream.

netif_set_real_num_tx_queues() can be called when netdev is up.
That usually happens when user requests change of number of
channels/rings with ethtool -L.  The procedure for changing
the number of queues involves resetting the qdiscs and setting
dev->num_tx_queues to the new value.  When the new value is
lower than the old one, extra care has to be taken to ensure
ordering of accesses to the number of queues vs qdisc reset.

Currently the queues are reset before new dev->num_tx_queues
is assigned, leaving a window of time where packets can be
enqueued onto the queues going down, leading to a likely
crash in the drivers, since most drivers don't check if TX
skbs are assigned to an active queue.

Fixes: e6484930d7c7 ("net: allocate tx queues in register_netdevice")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2084,8 +2084,11 @@ EXPORT_SYMBOL(netif_set_xps_queue);
  */
 int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
 {
+	bool disabling;
 	int rc;
 
+	disabling = txq < dev->real_num_tx_queues;
+
 	if (txq < 1 || txq > dev->num_tx_queues)
 		return -EINVAL;
 
@@ -2101,15 +2104,19 @@ int netif_set_real_num_tx_queues(struct
 		if (dev->num_tc)
 			netif_setup_tc(dev, txq);
 
-		if (txq < dev->real_num_tx_queues) {
+		dev->real_num_tx_queues = txq;
+
+		if (disabling) {
+			synchronize_net();
 			qdisc_reset_all_tx_gt(dev, txq);
 #ifdef CONFIG_XPS
 			netif_reset_xps_queues_gt(dev, txq);
 #endif
 		}
+	} else {
+		dev->real_num_tx_queues = txq;
 	}
 
-	dev->real_num_tx_queues = txq;
 	return 0;
 }
 EXPORT_SYMBOL(netif_set_real_num_tx_queues);
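
Review bot: the fix depends on the order "dev->real_num_tx_queues = txq;" then synchronize_net() then qdisc_reset_all_tx_gt(), but the code carries no comment saying so, and the assignment is now duplicated in the else branch, which invites someone to hoist it back out. Please add a comment above synchronize_net() explaining that the new count must be visible, and in-flight transmitters drained, before the queues being removed are reset. Note also that the function can now block in synchronize_net() whenever the queue count shrinks, so callers need to be in a context that may sleep.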


* [PATCH 3.16 404/410] net: fix possible out-of-bound read in skb_network_protocol()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (276 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 070/410] ARM: dts: omap3-n900: Fix the audio CODEC's reset pin Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 050/410] x86/speculation: Use IBRS if available before calling into firmware Ben Hutchings
                   ` (131 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Reported-by: syzbot, Pravin B Shelar,
	Eric Dumazet

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 upstream.

skb mac header is not necessarily set at the time skb_network_protocol()
is called. Use skb->data instead.

BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242

CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
 skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
 harmonize_features net/core/dev.c:2924 [inline]
 netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
 validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
 validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
 packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:639
 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
 __sys_sendmsg+0xe5/0x210 net/socket.c:2081

Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pravin B Shelar <pshelar@ovn.org>
Reported-by: Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2336,7 +2336,7 @@ __be16 skb_network_protocol(struct sk_bu
 		if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
 			return 0;
 
-		eth = (struct ethhdr *)skb_mac_header(skb);
+		eth = (struct ethhdr *)skb->data;
 		type = eth->h_proto;
 	}
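
Review bot: the switch from skb_mac_header(skb) to skb->data has no comment, and the connection to the pskb_may_pull(skb, sizeof(struct ethhdr)) check two lines up is easy to miss: that check validates bytes starting at skb->data, so the header must be read from there too. A one-line comment saying the mac header may not be set at this point would prevent the change being reverted as a cleanup.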
 


* [PATCH 3.16 165/410] cifs: Fix autonegotiate security settings mismatch
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (348 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 223/410] s390/qeth: fix SETIP command handling Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 256/410] drm/nouveau: Fix deadlock on runtime suspend Ben Hutchings
                   ` (59 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Daniel N Pettersson, Steve French

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel N Pettersson <danielnp@axis.com>

commit 9aca7e454415f7878b28524e76bebe1170911a88 upstream.

Autonegotiation gives a security settings mismatch error if the SMB
server selects an SMBv3 dialect that isn't SMB3.02. The exact error is
"protocol revalidation - security settings mismatch".
This can be tested using Samba v4.2 or by setting the global Samba
setting max protocol = SMB3_00.

The check that fails in smb3_validate_negotiate is the dialect
verification of the negotiate info response. This is because it tries
to verify against the protocol_id in the global smbdefault_values. The
protocol_id in smbdefault_values is SMB3.02.
In SMB2_negotiate the protocol_id in smbdefault_values isn't updated,
it is global so it probably shouldn't be, but server->dialect is.

This patch changes the check in smb3_validate_negotiate to use
server->dialect instead of server->vals->protocol_id. The patch works
with autonegotiate and when using a specific version in the vers mount
option.

Signed-off-by: Daniel N Pettersson <danielnp@axis.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2pdu.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -541,8 +541,7 @@ int smb3_validate_negotiate(const unsign
 	}
 
 	/* check validate negotiate info response matches what we got earlier */
-	if (pneg_rsp->Dialect !=
-			cpu_to_le16(tcon->ses->server->vals->protocol_id))
+	if (pneg_rsp->Dialect != cpu_to_le16(tcon->ses->server->dialect))
 		goto vneg_out;
 
 	if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
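
Review bot: the comparison now wraps tcon->ses->server->dialect in cpu_to_le16(), which is only right if server->dialect is kept in CPU byte order; please confirm that, since the field's declaration is not part of this diff. Because this check is what validates the negotiated dialect, the existing comment could also say that the value compared is the dialect chosen during negotiate rather than the default table's protocol_id.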


* [PATCH 3.16 069/410] perf report: Fix -D output for user metadata events
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (318 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 036/410] perf/hwbp: Simplify the perf-hwbp code, fix documentation Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 170/410] cifs: fix memory leak when password is supplied multiple times Ben Hutchings
                   ` (89 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnaldo Carvalho de Melo, Adrian Hunter, Wang Nan,
	Jiri Olsa, Namhyung Kim, David Ahern, Thomas Gleixner,
	Andi Kleen

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit f250b09c779550e4a7a412dae6d3ad34d5201019 upstream.

The PERF_RECORD_USER_ events are synthesized by the tool to assist in
processing the PERF_RECORD_ ones generated by the kernel, the printing
of that information doesn't come with a perf_sample structure, so, when
dumping the event fields using 'perf report -D' there were columns that
end up not being printed.

To tidy this up a bit, fake a perf_sample structure with zeroes to have
the missing columns printed and avoid the occasional surprise with that.

Before:

0 0x45b8 [0x68]: PERF_RECORD_MMAP -1/0: [0xffffffffc12ec000(0x4000) @ 0]: x /lib/modules/4.14.0+/kernel/fs/nls/nls_utf8.ko
0x4620 [0x28]: PERF_RECORD_THREAD_MAP nr: 1 thread: 27820
0x4648 [0x18]: PERF_RECORD_CPU_MAP: 0-3
0 0x4660 [0x28]: PERF_RECORD_COMM: perf:27820/27820
0x4a58 [0x8]: PERF_RECORD_FINISHED_ROUND
447723433020976 0x4688 [0x28]: PERF_RECORD_SAMPLE(IP, 0x4001): 27820/27820: 0xffffffff8f1b6d7a period: 1 addr: 0

After:

  $ perf report -D | grep PERF_RECORD_ | head
  0 0xe8 [0x20]: PERF_RECORD_TIME_CONV: unhandled!
  0 0x108 [0x28]: PERF_RECORD_THREAD_MAP nr: 1 thread: 32555
  0 0x130 [0x18]: PERF_RECORD_CPU_MAP: 0-3
  0 0x148 [0x28]: PERF_RECORD_COMM: perf:32555/32555
  0 0x4e8 [0x8]: PERF_RECORD_FINISHED_ROUND
  448743409421205 0x170 [0x28]: PERF_RECORD_COMM exec: sleep:32555/32555
  448743409431883 0x198 [0x68]: PERF_RECORD_MMAP2 32555/32555: [0x55e11d75a000(0x208000) @ 0 fd:00 3147174 2566255743]: r-xp /usr/bin/sleep
  448743409443873 0x200 [0x70]: PERF_RECORD_MMAP2 32555/32555: [0x7f0ced316000(0x229000) @ 0 fd:00 3151761 2566238119]: r-xp /usr/lib64/ld-2.25.so
  448743409454790 0x270 [0x60]: PERF_RECORD_MMAP2 32555/32555: [0x7ffe84f6d000(0x2000) @ 0 00:00 0 0]: r-xp [vdso]
  448743409479500 0x2d0 [0x28]: PERF_RECORD_SAMPLE(IP, 0x4002): 32555/32555: 0xffffffff8f84c7e7 period: 1 addr: 0
  $

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 9aefcab0de47 ("perf session: Consolidate the dump code")
Link: https://lkml.kernel.org/n/tip-todcu15x0cwgppkh1gi6uhru@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/session.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/tools/perf/util/session.c
+++ b/tools/perf/util/session.c
@@ -996,10 +996,11 @@ static int perf_session_deliver_event(st
 static int perf_session__process_user_event(struct perf_session *session, union perf_event *event,
 					    struct perf_tool *tool, u64 file_offset)
 {
+	struct perf_sample sample = { .time = 0, };
 	int fd = perf_data_file__fd(session->file);
 	int err;
 
-	dump_event(session, event, file_offset, NULL);
+	dump_event(session, event, file_offset, &sample);
 
 	/* These events are processed right away */
 	switch (event->header.type) {
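Review bot: The initializer `{ .time = 0, }` names only one member, so a reader has to know that the remaining perf_sample fields are implicitly zeroed to see that this matches the commit message's "fake a perf_sample structure with zeroes". A one-line comment above the declaration saying it is a placeholder passed to dump_event() for synthesized user events would make the intent explicit. The dumped timestamp for these events is also now a literal 0, as in the "After" output, which cannot be told apart from a real sample with time 0.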

* [PATCH 3.16 027/410] hugetlbfs: fix offset overflow in hugetlbfs mmap
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Naoya Horiguchi, Mike Kravetz, Kirill A . Shutemov,
	Hillf Danton, Vegard Nossum, Michal Hocko, Dmitry Vyukov,
	Linus Torvalds, Andrey Ryabinin

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Kravetz <mike.kravetz@oracle.com>

commit 045c7a3f53d9403b62d396b6d051c4be5044cdb4 upstream.

If mmap() maps a file, it can be passed an offset into the file at which
the mapping is to start.  Offset could be a negative value when
represented as a loff_t.  The offset plus length will be used to update
the file size (i_size) which is also a loff_t.

Validate the value of offset and offset + length to make sure they do
not overflow and appear as negative.

Found by syzkaller with commit ff8c0c53c475 ("mm/hugetlb.c: don't call
region_abort if region_chg fails") applied.  Prior to this commit, the
overflow would still occur but we would luckily return ENOMEM.

To reproduce:

   mmap(0, 0x2000, 0, 0x40021, 0xffffffffffffffffULL, 0x8000000000000000ULL);

Resulted in,

  kernel BUG at mm/hugetlb.c:742!
  Call Trace:
   hugetlbfs_evict_inode+0x80/0xa0
   evict+0x24a/0x620
   iput+0x48f/0x8c0
   dentry_unlink_inode+0x31f/0x4d0
   __dentry_kill+0x292/0x5e0
   dput+0x730/0x830
   __fput+0x438/0x720
   ____fput+0x1a/0x20
   task_work_run+0xfe/0x180
   exit_to_usermode_loop+0x133/0x150
   syscall_return_slowpath+0x184/0x1c0
   entry_SYSCALL_64_fastpath+0xab/0xad

Fixes: ff8c0c53c475 ("mm/hugetlb.c: don't call region_abort if region_chg fails")
Link: http://lkml.kernel.org/r/1491951118-30678-1-git-send-email-mike.kravetz@oracle.com
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/hugetlbfs/inode.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -115,17 +115,26 @@ static int hugetlbfs_file_mmap(struct fi
 	vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
 	vma->vm_ops = &hugetlb_vm_ops;
 
+	/*
+	 * Offset passed to mmap (before page shift) could have been
+	 * negative when represented as a (l)off_t.
+	 */
+	if (((loff_t)vma->vm_pgoff << PAGE_SHIFT) < 0)
+		return -EINVAL;
+
 	if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
 		return -EINVAL;
 
 	vma_len = (loff_t)(vma->vm_end - vma->vm_start);
+	len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
+	/* check for overflow */
+	if (len < vma_len)
+		return -EINVAL;
 
 	mutex_lock(&inode->i_mutex);
 	file_accessed(file);
 
 	ret = -ENOMEM;
-	len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
-
 	if (hugetlb_reserve_pages(inode,
 				vma->vm_pgoff >> huge_page_order(h),
 				len >> huge_page_shift(h), vma,
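Review bot: In the first added check, `((loff_t)vma->vm_pgoff << PAGE_SHIFT) < 0` only rejects offsets whose shifted value has the sign bit set; any vm_pgoff bits above that are shifted out silently, so a large vm_pgoff can still produce a small non-negative result and pass. Checking vm_pgoff against a maximum before shifting would cover both cases. The second check, `if (len < vma_len)`, detects the overflow only after the signed loff_t addition has already wrapped, and its comment should say that it relies on that.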
@@ -135,7 +144,7 @@ static int hugetlbfs_file_mmap(struct fi
 	ret = 0;
 	hugetlb_prefault_arch_hook(vma->vm_mm);
 	if (vma->vm_flags & VM_WRITE && inode->i_size < len)
-		inode->i_size = len;
+		i_size_write(inode, len);
 out:
 	mutex_unlock(&inode->i_mutex);
 
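Review bot: The write side now goes through i_size_write(), but the condition on the line above it still reads inode->i_size directly; either use i_size_read() there for symmetry or add a comment that the plain read is safe because i_mutex is held. The commit message also does not mention this change, only the offset validation.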

* [PATCH 3.16 035/410] cdrom: information leak in cdrom_ioctl_media_changed()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Christoph Hellwig, Jens Axboe

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 upstream.

This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
long.  The way the check is written now, if one of the high 32 bits is
set then we could read outside the info->slots[] array.

This bug is pretty old and it predates git.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/cdrom/cdrom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2357,7 +2357,7 @@ static int cdrom_ioctl_media_changed(str
 	if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
 		return media_changed(cdi, 1);
 
-	if ((unsigned int)arg >= cdi->capacity)
+	if (arg >= cdi->capacity)
 		return -EINVAL;
 
 	info = kmalloc(sizeof(*info), GFP_KERNEL);
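Review bot: With the cast gone, `arg >= cdi->capacity` compares an unsigned long with an int (the types given in the commit message), so cdi->capacity is converted to unsigned long for the comparison; that is a correct bound only if capacity is never negative. A short comment stating that assumption, or an explicit check, would keep the bound on the later info->slots[] access obvious to the next reader.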

* [PATCH 3.16 385/410] MIPS: ralink: Don't set pm_power_off
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, linux-mips, Ralf Baechle, John Crispin

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: John Crispin <blogic@openwrt.org>

commit 81ab9f6c5ff8565e4cba330e340a8979a10521d7 upstream.

Setting pm_power_off is apparently wrong and makes drivers such as
gpio-poweroff not work.

Signed-off-by: John Crispin <blogic@openwrt.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/11445/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/ralink/reset.c | 1 -
 1 file changed, 1 deletion(-)

--- a/arch/mips/ralink/reset.c
+++ b/arch/mips/ralink/reset.c
@@ -98,7 +98,6 @@ static int __init mips_reboot_setup(void
 {
 	_machine_restart = ralink_restart;
 	_machine_halt = ralink_halt;
-	pm_power_off = ralink_halt;
 
 	return 0;
 }
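Review bot: After this removal mips_reboot_setup() installs only _machine_restart and _machine_halt, and the commit message gives gpio-poweroff as the only reason without explaining why the assignment was wrong. Please state in the message what happens on power-off for boards that do not use such a driver, so the behaviour change is documented.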

* [PATCH 3.16 397/410] netlink: make sure nladdr has correct size in netlink_connect()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Alexander Potapenko

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Potapenko <glider@google.com>

commit 7880287981b60a6808f39f297bb66936e8bdf57a upstream.

KMSAN reports use of uninitialized memory in the case when |alen| is
smaller than sizeof(struct sockaddr_nl), and therefore |nladdr| isn't
fully copied from the userspace.

Signed-off-by: Alexander Potapenko <glider@google.com>
Fixes: 1da177e4c3f41524 ("Linux-2.6.12-rc2")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netlink/af_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -990,6 +990,9 @@ static int netlink_connect(struct socket
 	if (addr->sa_family != AF_NETLINK)
 		return -EINVAL;
 
+	if (alen < sizeof(struct sockaddr_nl))
+		return -EINVAL;
+
 	if ((nladdr->nl_groups || nladdr->nl_pid) &&
 	    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
 		return -EPERM;

* [PATCH 3.16 311/410] x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jan Beulich, boris.ostrovsky, Juergen Gross, xen-devel,
	Thomas Gleixner

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit 71c208dd54ab971036d83ff6d9837bae4976e623 upstream.

Older Xen versions (4.5 and before) might have problems migrating pv
guests with MSR_IA32_SPEC_CTRL having a non-zero value. So before
suspending zero that MSR and restore it after being resumed.

Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Cc: xen-devel@lists.xenproject.org
Cc: boris.ostrovsky@oracle.com
Link: https://lkml.kernel.org/r/20180226140818.4849-1-jgross@suse.com
[bwh: Backported to 3.16:
 - Include <asm/cpufeature.h> instead of <asm/cpufeatures.h>
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/xen/suspend.c
+++ b/arch/x86/xen/suspend.c
@@ -1,10 +1,13 @@
 #include <linux/types.h>
 #include <linux/clockchips.h>
+#include <linux/percpu-defs.h>
 
 #include <xen/interface/xen.h>
 #include <xen/grant_table.h>
 #include <xen/events.h>
 
+#include <asm/cpufeature.h>
+#include <asm/msr-index.h>
 #include <asm/xen/hypercall.h>
 #include <asm/xen/page.h>
 #include <asm/fixmap.h>
@@ -12,6 +15,8 @@
 #include "xen-ops.h"
 #include "mmu.h"
 
+static DEFINE_PER_CPU(u64, spec_ctrl);
+
 static void xen_pv_pre_suspend(void)
 {
 	xen_mm_pin_all();
@@ -84,6 +89,9 @@ static void xen_vcpu_notify_restore(void
 {
 	unsigned long reason = (unsigned long)data;
 
+	if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL))
+		wrmsrl(MSR_IA32_SPEC_CTRL, this_cpu_read(spec_ctrl));
+
 	/* Boot processor notified via generic timekeeping_resume() */
 	if ( smp_processor_id() == 0)
 		return;
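Review bot: The MSR restore is placed before the `smp_processor_id() == 0` early return, which looks deliberate so that the boot CPU is restored too, but nothing says so; a comment would stop someone moving it below the return later. The condition `xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL)` is repeated verbatim in xen_vcpu_notify_suspend() and could be a small helper.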
@@ -93,6 +101,13 @@ static void xen_vcpu_notify_restore(void
 
 static void xen_vcpu_notify_suspend(void *data)
 {
+	u64 tmp;
+
+	if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL)) {
+		rdmsrl(MSR_IA32_SPEC_CTRL, tmp);
+		this_cpu_write(spec_ctrl, tmp);
+		wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+	}
 }
 
 void xen_arch_resume(void)
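Review bot: The added block in xen_vcpu_notify_suspend() zeroes MSR_IA32_SPEC_CTRL with no comment; the reason (migration problems with pv guests on Xen 4.5 and before) exists only in the commit message and should be a comment above the block, since clearing this MSR otherwise looks like a mistake. It is also worth stating that the per-cpu spec_ctrl value is meaningful only between this call and the matching restore.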

* [PATCH 3.16 297/410] tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, James Morris, James Bottomley, Jeremy Boone, Jarkko Sakkinen

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Boone <jeremy.boone@nccgroup.trust>

commit 9b8cb28d7c62568a5916bdd7ea1c9176d7f8f2ed upstream.

Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips.  In all the
driver _recv() functions, we need to use a u32 to unmarshal the
response size, otherwise a bit flip of the 31st bit would cause the
expected variable to go negative, which would then try to read a huge
amount of data.  Also sanity check that the expected amount of data is
large enough for the TPM header.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/tpm/tpm_i2c_infineon.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/char/tpm/tpm_i2c_infineon.c
+++ b/drivers/char/tpm/tpm_i2c_infineon.c
@@ -436,7 +436,8 @@ static int recv_data(struct tpm_chip *ch
 static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
 {
 	int size = 0;
-	int expected, status;
+	int status;
+	u32 expected;
 
 	if (count < TPM_HEADER_SIZE) {
 		size = -EIO;
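Review bot: expected becomes u32 while size stays `int size = 0`, so any comparison between the two later in tpm_tis_i2c_recv() (outside the lines shown) is now a mixed signed/unsigned comparison. Those sites should be checked, or size compared only after its negative error values have been handled.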
@@ -451,7 +452,7 @@ static int tpm_tis_i2c_recv(struct tpm_c
 	}
 
 	expected = be32_to_cpu(*(__be32 *)(buf + 2));
-	if ((size_t) expected > count) {
+	if (((size_t) expected > count) || (expected < TPM_HEADER_SIZE)) {
 		size = -EIO;
 		goto out;
 	}
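Review bot: Now that expected is a u32, the `(size_t)` cast in the upper-bound test is only an unsigned widening and the extra parentheses add nothing; `if (expected > count || expected < TPM_HEADER_SIZE)` reads more clearly. A comment that the length comes from the device over the bus and is not trusted would record why both bounds are needed.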

* [PATCH 3.16 018/410] ext4: fail ext4_iget for root directory if unallocated
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Wen Xu

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream.

If the root directory has an i_links_count of zero, then when the file
system is mounted and ext4_fill_super() notices the problem and
tries to call iput() on the root directory in the error return path,
ext4_evict_inode() will try to free the inode on disk, before all of
the file system structures are set up, and this will result in an OOPS
caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: use EIO instead of EFSCORRUPTED]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4198,6 +4198,12 @@ struct inode *ext4_iget(struct super_blo
 		goto bad_inode;
 	raw_inode = ext4_raw_inode(&iloc);
 
+	if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
+		EXT4_ERROR_INODE(inode, "root inode unallocated");
+		ret = -EIO;
+		goto bad_inode;
+	}
+
 	if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
 		ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
 		if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
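Review bot: raw_inode->i_links_count is an on-disk field and is compared with 0 here without le16_to_cpu(), whereas the i_extra_isize read just below converts. The result is the same for zero, but converting, or commenting that zero needs no byte swap, keeps the on-disk access pattern consistent. The test is also evaluated on every ext4_iget() call although it only applies to EXT4_ROOT_INO; a comment that it guards the mount-time error path described in the commit message would explain why it lives here.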

* [PATCH 3.16 104/410] ext4: save error to disk in __ext4_grp_locked_error()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Zhouyi Zhou

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Zhouyi Zhou <zhouzhouyi@gmail.com>

commit 06f29cc81f0350261f59643a505010531130eea0 upstream.

In the function __ext4_grp_locked_error(), __save_error_info()
is called to save error info in the super block, but does not sync
that information to disk to inform the subsequent fsck after reboot.

This patch writes the error information to disk.  After this patch,
I think there are no obvious EXT4 error handling branches leading to
"Remounting filesystem read-only" that will leave the disk partition
missing the subsequent fsck.

Signed-off-by: Zhouyi Zhou <zhouzhouyi@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -678,6 +678,7 @@ __acquires(bitlock)
 	}
 
 	ext4_unlock_group(sb, grp);
+	ext4_commit_super(sb, 1);
 	ext4_handle_error(sb);
 	/*
 	 * We only get here in the ERRORS_RO case; relocking the group
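Review bot: The return value of `ext4_commit_super(sb, 1);` is ignored, so a failure to write the error state to disk is silent, which is the very case this change is meant to cover; at least log it. The bare literal 1 as the second argument would also benefit from a comment saying what it selects.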

* [PATCH 3.16 247/410] binder: replace "%p" with "%pK"
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Todd Kjos, Todd Kjos, Greg Kroah-Hartman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Todd Kjos <tkjos@android.com>

commit 8ca86f1639ec5890d400fff9211aca22d0a392eb upstream.

The format specifier "%p" can leak kernel addresses. Use
"%pK" instead. There were 4 remaining cases in binder.c.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/binder.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -1242,7 +1242,7 @@ static void binder_transaction_buffer_re
 	int debug_id = buffer->debug_id;
 
 	binder_debug(BINDER_DEBUG_TRANSACTION,
-		     "%d buffer release %d, size %zd-%zd, failed at %p\n",
+		     "%d buffer release %d, size %zd-%zd, failed at %pK\n",
 		     proc->pid, buffer->debug_id,
 		     buffer->data_size, buffer->offsets_size, failed_at);
 
@@ -2059,7 +2059,7 @@ static int binder_thread_write(struct bi
 				}
 			}
 			binder_debug(BINDER_DEBUG_DEAD_BINDER,
-				     "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n",
+				     "%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n",
 				     proc->pid, thread->pid, (u64)cookie,
 				     death);
 			if (death == NULL) {
@@ -3162,7 +3162,7 @@ static void print_binder_transaction(str
 				     struct binder_transaction *t)
 {
 	seq_printf(m,
-		   "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d",
+		   "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %ld r%d",
 		   prefix, t->debug_id, t,
 		   t->from ? t->from->proc->pid : 0,
 		   t->from ? t->from->pid : 0,
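Review bot: In print_binder_transaction() the seq_printf line already prints t->debug_id, which identifies the transaction, so the pointer t adds little for a reader of this file. Dropping it from the format string would remove the exposure entirely instead of depending on how %pK is configured.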
@@ -3176,7 +3176,7 @@ static void print_binder_transaction(str
 	if (t->buffer->target_node)
 		seq_printf(m, " node %d",
 			   t->buffer->target_node->debug_id);
-	seq_printf(m, " size %zd:%zd data %p\n",
+	seq_printf(m, " size %zd:%zd data %pK\n",
 		   t->buffer->data_size, t->buffer->offsets_size,
 		   t->buffer->data);
 }
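Review bot: %pK only hides the value when the kptr_restrict sysctl is non-zero; with kptr_restrict set to 0 it prints the same address as %p, so t->buffer->data here and the pointers in the other three hunks are still exposed on systems with that setting. The commit message should say that the protection depends on kptr_restrict.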

* [PATCH 3.16 056/410] KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, kvm, KarimAllah Ahmed, Linus Torvalds, Thomas Gleixner,
	Konrad Rzeszutek Wilk, Andi Kleen, Andy Lutomirski,
	Arjan Van De Ven, Darren Kenny, Dan Williams, Dave Hansen,
	Jim Mattson, Jun Nakajima, Andrea Arcangeli, David Woodhouse,
	Ashok Raj, Asit Mallick, Greg KH, Paolo Bonzini, Tim Chen

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: KarimAllah Ahmed <karahmed@amazon.de>

commit 28c1c9fabf48d6ad596273a11c46e0d0da3e14cd upstream.

Intel processors use MSR_IA32_ARCH_CAPABILITIES MSR to indicate RDCL_NO
(bit 0) and IBRS_ALL (bit 1). This is a read-only MSR. By default the
contents will come directly from the hardware, but user-space can still
override it.

[dwmw2: The bit in kvm_cpuid_7_0_edx_x86_features can be unconditional]

Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Jun Nakajima <jun.nakajima@intel.com>
Cc: kvm@vger.kernel.org
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Asit Mallick <asit.k.mallick@intel.com>
Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Ashok Raj <ashok.raj@intel.com>
Link: https://lkml.kernel.org/r/1517522386-18410-4-git-send-email-karahmed@amazon.de
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Add mapping of the relevant CPUID word
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/cpuid.c | 11 +++++++++--
 arch/x86/kvm/cpuid.h |  8 ++++++++
 arch/x86/kvm/vmx.c   | 15 +++++++++++++++
 arch/x86/kvm/x86.c   |  3 ++-
 4 files changed, 34 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -316,6 +316,10 @@ static inline int __do_cpuid_ent(struct
 		F(BMI2) | F(ERMS) | f_invpcid | F(RTM) | f_mpx | F(RDSEED) |
 		F(ADX) | F(SMAP);
 
+	/* cpuid 7.0.edx*/
+	const u32 kvm_cpuid_7_0_edx_x86_features =
+		F(ARCH_CAPABILITIES);
+
 	/* all calls to cpuid_count() should be made on the same cpu */
 	get_cpu();
 
@@ -387,11 +391,14 @@ static inline int __do_cpuid_ent(struct
 			cpuid_mask(&entry->ebx, 9);
 			// TSC_ADJUST is emulated
 			entry->ebx |= F(TSC_ADJUST);
-		} else
+			entry->edx &= kvm_cpuid_7_0_edx_x86_features;
+			cpuid_mask(&entry->edx, 10);
+		} else {
 			entry->ebx = 0;
+			entry->edx = 0;
+		}
 		entry->eax = 0;
 		entry->ecx = 0;
-		entry->edx = 0;
 		break;
 	}
 	case 9:
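Review bot: `cpuid_mask(&entry->edx, 10);` uses a bare word index, like the existing `cpuid_mask(&entry->ebx, 9);` above it. Since the backport note says a mapping for this CPUID word was added, a comment naming the word (CPUID 7.0 EDX) or a named constant would make it possible to verify the index against the feature definitions. The braces added to the else branch are needed now that it has two statements.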
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -115,5 +115,13 @@ static inline bool guest_cpuid_has_ibpb(
 	return best && (best->edx & bit(X86_FEATURE_SPEC_CTRL));
 }
 
+static inline bool guest_cpuid_has_arch_capabilities(struct kvm_vcpu *vcpu)
+{
+	struct kvm_cpuid_entry2 *best;
+
+	best = kvm_find_cpuid_entry(vcpu, 7, 0);
+	return best && (best->edx & bit(X86_FEATURE_ARCH_CAPABILITIES));
+}
+
 
 #endif
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -432,6 +432,8 @@ struct vcpu_vmx {
 	u64 		      msr_guest_kernel_gs_base;
 #endif
 
+	u64 		      arch_capabilities;
+
 	u32 vm_entry_controls_shadow;
 	u32 vm_exit_controls_shadow;
 	/*
@@ -2522,6 +2524,12 @@ static int vmx_get_msr(struct kvm_vcpu *
 	case MSR_IA32_TSC:
 		msr_info->data = guest_read_tsc();
 		break;
+	case MSR_IA32_ARCH_CAPABILITIES:
+		if (!msr_info->host_initiated &&
+		    !guest_cpuid_has_arch_capabilities(vcpu))
+			return 1;
+		msr_info->data = to_vmx(vcpu)->arch_capabilities;
+		break;
 	case MSR_IA32_SYSENTER_CS:
 		msr_info->data = vmcs_read32(GUEST_SYSENTER_CS);
 		break;
@@ -2641,6 +2649,11 @@ static int vmx_set_msr(struct kvm_vcpu *
 		vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD,
 					      MSR_TYPE_W);
 		break;
+	case MSR_IA32_ARCH_CAPABILITIES:
+		if (!msr_info->host_initiated)
+			return 1;
+		vmx->arch_capabilities = data;
+		break;
 	case MSR_IA32_CR_PAT:
 		if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
 			if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
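Review bot: The MSR_IA32_ARCH_CAPABILITIES case in vmx_set_msr() stores whatever value the host side supplies in vmx->arch_capabilities with no masking. The commit message says user space may override the value, but a comment here should state that guest writes are rejected with `return 1` because the MSR is read-only and that the host-provided value is deliberately not validated.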
@@ -4584,6 +4597,8 @@ static int vmx_vcpu_setup(struct vcpu_vm
 		++vmx->nmsrs;
 	}
 
+	if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
+		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, vmx->arch_capabilities);
 
 	vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl);
 
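Review bot: When boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES) is false, vmx->arch_capabilities is never assigned in this function and keeps whatever the vcpu_vmx allocation left there. If that relies on a zeroed allocation, say so in a comment, or add an explicit else branch that sets it to 0.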
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -893,7 +893,8 @@ static u32 msrs_to_save[] = {
 	MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
 #endif
 	MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
-	MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS
+	MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS,
+	MSR_IA32_ARCH_CAPABILITIES
 };
 
 static unsigned num_msrs_to_save;

* [PATCH 3.16 338/410] USB: usbmon: remove assignment from IS_ERR argument
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Julia Lawall, Greg Kroah-Hartman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julia Lawall <Julia.Lawall@lip6.fr>

commit 46c236dc7d1212d7417e6fb0317f91c44c719322 upstream.

The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression e1,e2;
statement S1,S2;
@@

+e1 = e2;
if (IS_ERR(
    e1
-   = e2
   )) S1 else S2
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/mon/mon_text.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/usb/mon/mon_text.c
+++ b/drivers/usb/mon/mon_text.c
@@ -386,7 +386,8 @@ static ssize_t mon_text_read_t(struct fi
 	struct mon_event_text *ep;
 	struct mon_text_ptr ptr;
 
-	if (IS_ERR(ep = mon_text_read_wait(rp, file)))
+	ep = mon_text_read_wait(rp, file);
+	if (IS_ERR(ep))
 		return PTR_ERR(ep);
 	mutex_lock(&rp->printf_lock);
 	ptr.cnt = 0;
@@ -413,7 +414,8 @@ static ssize_t mon_text_read_u(struct fi
 	struct mon_event_text *ep;
 	struct mon_text_ptr ptr;
 
-	if (IS_ERR(ep = mon_text_read_wait(rp, file)))
+	ep = mon_text_read_wait(rp, file);
+	if (IS_ERR(ep))
 		return PTR_ERR(ep);
 	mutex_lock(&rp->printf_lock);
 	ptr.cnt = 0;

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 036/410] perf/hwbp: Simplify the perf-hwbp code, fix documentation
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (317 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 153/410] USB: serial: add Novatel Wireless GPS driver Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 069/410] perf report: Fix -D output for user metadata events Ben Hutchings
                   ` (90 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra, Arnaldo Carvalho de Melo, Stephane Eranian,
	Jiri Olsa, Ingo Molnar, Alexander Shishkin, Linus Torvalds,
	Thomas Gleixner, Vince Weaver, Andy Lutomirski,
	Frederic Weisbecker

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f upstream.

Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the
modification of a breakpoint - simplify it and remove the pointless
local variables.

Also update the stale Docbook while at it.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/events/hw_breakpoint.c | 30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)

--- a/kernel/events/hw_breakpoint.c
+++ b/kernel/events/hw_breakpoint.c
@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_break
  * modify_user_hw_breakpoint - modify a user-space hardware breakpoint
  * @bp: the breakpoint structure to modify
  * @attr: new breakpoint attributes
- * @triggered: callback to trigger when we hit the breakpoint
- * @tsk: pointer to 'task_struct' of the process to which the address belongs
  */
 int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr)
 {
-	u64 old_addr = bp->attr.bp_addr;
-	u64 old_len = bp->attr.bp_len;
-	int old_type = bp->attr.bp_type;
-	int err = 0;
-
 	/*
 	 * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it
 	 * will not be possible to raise IPIs that invoke __perf_event_disable.
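Review bot: after the @triggered and @tsk lines are dropped, the kernel-doc block for modify_user_hw_breakpoint() documents only @bp and @attr and says nothing about the return value. Since the function returns the validation error, a Return: line stating 0 on success or a negative errno would complete the Docbook update the commit message mentions.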
@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct per
 	bp->attr.bp_addr = attr->bp_addr;
 	bp->attr.bp_type = attr->bp_type;
 	bp->attr.bp_len = attr->bp_len;
+	bp->attr.disabled = 1;
 
-	if (attr->disabled)
-		goto end;
-
-	err = validate_hw_breakpoint(bp);
-	if (!err)
-		perf_event_enable(bp);
+	if (!attr->disabled) {
+		int err = validate_hw_breakpoint(bp);
 
-	if (err) {
-		bp->attr.bp_addr = old_addr;
-		bp->attr.bp_type = old_type;
-		bp->attr.bp_len = old_len;
-		if (!bp->attr.disabled)
-			perf_event_enable(bp);
+		if (err)
+			return err;
 
-		return err;
+		perf_event_enable(bp);
+		bp->attr.disabled = 0;
 	}
 
-end:
-	bp->attr.disabled = attr->disabled;
-
 	return 0;
 }
 EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint);
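Review bot: on the "if (err) return err;" path the breakpoint is left holding the caller's new bp_addr, bp_type and bp_len with attr.disabled set to 1, because the old_* rollback is removed together with the locals. Callers previously got the old attributes restored, and the event re-enabled if it had been enabled, so this is a behaviour change on failure. It deserves a sentence in the commit message or the kernel-doc, and callers that ignore the return value should be audited.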

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 283/410] batman-adv: invalidate checksum on fragment reassembly
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (262 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 005/410] sctp: Fix mangled IPv4 addresses on a IPv6 listening socket Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 091/410] drivers: video: fbdev: atmel_lcdfb.c: fix error return code Ben Hutchings
                   ` (145 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sven Eckelmann, Simon Wunderlich, Maximilian Wilhelm,
	Matthias Schiffer

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Schiffer <mschiffer@universe-factory.net>

commit 3bf2a09da956b43ecfaa630a2ef9a477f991a46a upstream.

A more sophisticated implementation could try to combine fragment checksums
when all fragments have CHECKSUM_COMPLETE and are split at even offsets.
For now, we just set ip_summed to CHECKSUM_NONE to avoid "hw csum failure"
warnings in the kernel log when fragmented frames are received. In
consequence, skb_pull_rcsum() can be replaced with skb_pull().

Note that in usual setups, packets don't reach batman-adv with
CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see
batadv's ethtype?), which is why the log messages do not occur on every
system using batman-adv. I could reproduce this issue by stacking
batman-adv on top of a VXLAN interface.

Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Tested-by: Maximilian Wilhelm <max@sdn.clinic>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/fragmentation.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -262,7 +262,8 @@ batadv_frag_merge_packets(struct hlist_h
 	/* Move the existing MAC header to just before the payload. (Override
 	 * the fragment header.)
 	 */
-	skb_pull_rcsum(skb_out, hdr_size);
+	skb_pull(skb_out, hdr_size);
+	skb_out->ip_summed = CHECKSUM_NONE;
 	memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN);
 	skb_set_mac_header(skb_out, -ETH_HLEN);
 	skb_reset_network_header(skb_out);
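Review bot: the new "skb_out->ip_summed = CHECKSUM_NONE;" line carries no comment, and the existing comment above it only describes the MAC header move. A short comment saying that the merged skb's checksum state is reset because fragment checksums are not combined would stop a later cleanup from restoring skb_pull_rcsum().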

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 372/410] skb: Add skb_postpush_rcsum()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (279 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 010/410] ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 077/410] slip: sl_alloc(): remove unused parameter "dev_t line" Ben Hutchings
                   ` (128 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Daniel Borkmann, David S. Miller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

This is based on commit f8ffad69c9f8b8dfb0b633425d4ef4d2493ba61a upstream,
"bpf: add skb_postpush_rcsum and fix dev_forward_skb occasions".  We don't
need the bpf fixes here, just the new function.

Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2477,6 +2477,23 @@ static inline void skb_postpull_rcsum(st
 
 unsigned char *skb_pull_rcsum(struct sk_buff *skb, unsigned int len);
 
+static inline void skb_postpush_rcsum(struct sk_buff *skb,
+				      const void *start, unsigned int len)
+{
+	/* For performing the reverse operation to skb_postpull_rcsum(),
+	 * we can instead of ...
+	 *
+	 *   skb->csum = csum_add(skb->csum, csum_partial(start, len, 0));
+	 *
+	 * ... just use this equivalent version here to save a few
+	 * instructions. Feeding csum of 0 in csum_partial() and later
+	 * on adding skb->csum is equivalent to feed skb->csum in the
+	 * first place.
+	 */
+	if (skb->ip_summed == CHECKSUM_COMPLETE)
+		skb->csum = csum_partial(start, len, skb->csum);
+}
+
 /**
  *	pskb_trim_rcsum - trim received skb and update checksum
  *	@skb: buffer to trim
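Review bot: skb_postpush_rcsum() is added without a kernel-doc block, while pskb_trim_rcsum() directly below it has one. The requirement that start and len describe exactly the bytes just pushed is only implied by the "reverse operation" wording in the body comment; a header documenting @skb, @start and @len would state it. The posting also lacks the diffstat that the other patches in the series carry after the "---" line.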

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 269/410] arm64: Remove unimplemented syscall log message
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (103 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 262/410] ASoC: rt5651: Fix regcache sync errors on resume Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 149/410] usb: option: Add support for FS040U modem Ben Hutchings
                   ` (304 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Will Deacon, Michael Weiser

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Weiser <michael.weiser@gmx.de>

commit 1962682d2b2fbe6cfa995a85c53c069fadda473e upstream.

Stop printing a (ratelimited) kernel message for each instance of an
unimplemented syscall being called. Userland making an unimplemented
syscall is not necessarily misbehaviour and to be expected with a
current userland running on an older kernel. Also, the current message
looks scary to users but does not actually indicate a real problem nor
help them narrow down the cause. Just rely on sys_ni_syscall() to return
-ENOSYS.

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16: Deleted code was slightly different]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/traps.c | 8 --------
 1 file changed, 8 deletions(-)

--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -251,14 +251,6 @@ asmlinkage long do_ni_syscall(struct pt_
 	}
 #endif
 
-	if (show_unhandled_signals && printk_ratelimit()) {
-		pr_info("%s[%d]: syscall %d\n", current->comm,
-			task_pid_nr(current), (int)regs->syscallno);
-		dump_instr("", regs);
-		if (user_mode(regs))
-			__show_regs(regs);
-	}
-
 	return sys_ni_syscall();
 }
 

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 111/410] Adding Intel Lewisburg device IDs for SATA
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (344 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 202/410] pipe: fix limit checking in pipe_set_size() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 368/410] skbuff: Fix not waking applications when errors are enqueued Ben Hutchings
                   ` (63 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexandra Yates, Tejun Heo

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandra Yates <alexandra.yates@linux.intel.com>

commit f5bdd66c705484b4bc77eb914be15c1b7881fae7 upstream.

This patch complements the list of device IDs previously
added for lewisburg sata.

Signed-off-by: Alexandra Yates <alexandra.yates@linux.intel.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/ahci.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -365,15 +365,21 @@ static const struct pci_device_id ahci_p
 	{ PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */
 	{ PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
 	{ PCI_VDEVICE(INTEL, 0x2822), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0x2823), board_ahci }, /* Lewisburg AHCI*/
 	{ PCI_VDEVICE(INTEL, 0x2826), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0x2827), board_ahci }, /* Lewisburg RAID*/
 	{ PCI_VDEVICE(INTEL, 0xa182), board_ahci }, /* Lewisburg AHCI*/
 	{ PCI_VDEVICE(INTEL, 0xa184), board_ahci }, /* Lewisburg RAID*/
 	{ PCI_VDEVICE(INTEL, 0xa186), board_ahci }, /* Lewisburg RAID*/
 	{ PCI_VDEVICE(INTEL, 0xa18e), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa1d2), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa1d6), board_ahci }, /* Lewisburg RAID*/
 	{ PCI_VDEVICE(INTEL, 0xa202), board_ahci }, /* Lewisburg AHCI*/
 	{ PCI_VDEVICE(INTEL, 0xa204), board_ahci }, /* Lewisburg RAID*/
 	{ PCI_VDEVICE(INTEL, 0xa206), board_ahci }, /* Lewisburg RAID*/
 	{ PCI_VDEVICE(INTEL, 0xa20e), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
 
 	/* JMicron 360/1/3/5/6, match class to avoid IDE function */
 	{ PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
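Review bot: the comments on the new entries do not follow the pattern of the existing ones: 0xa182 and 0xa202 are labelled AHCI, but the new 0xa1d2 and 0xa252 are labelled RAID, the same as 0xa1d6 and 0xa256. All of them map to board_ahci, so the labels are the only record of what each ID is; please confirm them against the datasheet. Style: the new comments repeat the missing space before "*/" of the neighbouring lines.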

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 156/410] usbip: prevent bind loops on devices attached to vhci_hcd
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (298 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 049/410] x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 260/410] iio: buffer: check if a buffer has been set up when poll is called Ben Hutchings
                   ` (109 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Shuah Khan

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shuah Khan <shuahkh@osg.samsung.com>

commit ef54cf0c600fb8f5737fb001a9e357edda1a1de8 upstream.

usbip host binds to devices attached to vhci_hcd on the same server
when user does attach over localhost or specifies the server as the
remote.

usbip attach -r localhost -b busid
or
usbip attach -r servername (or server IP)

Unbind followed by bind works, however the device is left in a bad state,
with accesses via the attached busid resulting in errors and system hangs
during shutdown.

Fix it to check and bail out if the device is already attached to vhci_hcd.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/usbip/userspace/src/usbip_bind.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/staging/usbip/userspace/src/usbip_bind.c
+++ b/drivers/staging/usbip/userspace/src/usbip_bind.c
@@ -144,6 +144,7 @@ static int bind_device(char *busid)
 	int rc;
 	struct udev *udev;
 	struct udev_device *dev;
+	const char *devpath;
 
 	/* Check whether the device with this bus ID exists. */
 	udev = udev_new();
@@ -152,8 +153,16 @@ static int bind_device(char *busid)
 		err("device with the specified bus ID does not exist");
 		return -1;
 	}
+	devpath = udev_device_get_devpath(dev);
 	udev_unref(udev);
 
+	/* If the device is already attached to vhci_hcd - bail out */
+	if (strstr(devpath, USBIP_VHCI_DRV_NAME)) {
+		err("bind loop detected: device: %s is attached to %s\n",
+		    devpath, USBIP_VHCI_DRV_NAME);
+		return -1;
+	}
+
 	rc = unbind_other(busid);
 	if (rc == UNBIND_ST_FAILED) {
 		err("could not unbind driver from device on busid %s", busid);
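Review bot: devpath is passed to strstr() without a NULL check, and the check runs only after udev_unref(udev) although the string still belongs to dev. Testing devpath for NULL and doing the comparison before the udev context is dropped would make the lifetime obvious. Two smaller points: the new err() format string ends in "\n" while the neighbouring err() calls do not, and a substring match over the whole devpath also hits any path component that merely contains USBIP_VHCI_DRV_NAME.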

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 150/410] staging: rts5208: Fix "seg_no" calculation in reset_ms_card()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (87 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 174/410] RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 169/410] jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path Ben Hutchings
                   ` (320 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Greg Kroah-Hartman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 7f7aeea7cf30368b9fdb86dcc9d2c8a3ebc65dfb upstream.

I get some static checker warnings like this:

    drivers/staging/rts5208/ms.c:2607 ms_build_l2p_tbl()
    error: buffer underflow 'ms_card->segment' (-1)-16

The problem is that we memset "ms_card" to zero at the start of the
reset_ms_card() function.  That means that when we try to calculate
"ms_card->total_block / 512 - 1" then it's just always -1.  The fix is
to calculate "seg_no" before doing the memset().

This is a static checker fix, and I am not able to test it.  My theory
is that reset_ms_card() gets very little testing which is why this bug
exists.

Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/rts5208/ms.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/staging/rts5208/ms.c
+++ b/drivers/staging/rts5208/ms.c
@@ -2397,6 +2397,7 @@ BUILD_FAIL:
 int reset_ms_card(struct rtsx_chip *chip)
 {
 	struct ms_info *ms_card = &(chip->ms_card);
+	int seg_no = ms_card->total_block / 512 - 1;
 	int retval;
 
 	memset(ms_card, 0, sizeof(struct ms_info));
@@ -2430,7 +2431,7 @@ int reset_ms_card(struct rtsx_chip *chip
 		/* Build table for the last segment,
 		 * to check if L2P table block exists, erasing it
 		 */
-		retval = ms_build_l2p_tbl(chip, ms_card->total_block / 512 - 1);
+		retval = ms_build_l2p_tbl(chip, seg_no);
 		if (retval != STATUS_SUCCESS)
 			TRACE_RET(chip, STATUS_FAIL);
 	}
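Review bot: seg_no is now computed from whatever ms_card->total_block held before the memset(), so if total_block is 0 on entry the initializer again evaluates to -1 and ms_build_l2p_tbl(chip, seg_no) receives the same out-of-range segment the static checker reported. Skipping the call when seg_no < 0 would close that case, which matters more given the commit message says the change is untested.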

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 335/410] x86/MCE: Save microcode revision in machine check records
@ 2018-06-07 14:05   ` Ben Hutchings
  0 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Yazen Ghannam, Borislav Petkov, linux-edac,
	Thomas Gleixner, Tony Luck

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Luck <tony.luck@intel.com>

commit fa94d0c6e0f3431523f5701084d799c77c7d4a4f upstream.

Updating microcode used to be relatively rare. Now that it has become
more common we should save the microcode version in a machine check
record to make sure that those people looking at the error have this
important information bundled with the rest of the logged information.

[ Borislav: Simplify a bit. ]

Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Yazen Ghannam <yazen.ghannam@amd.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/20180301233449.24311-1-tony.luck@intel.com
[bwh: Backported to 3.2:
 - Add other new fields to struct mce, to match upstream UAPI
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/uapi/asm/mce.h
+++ b/arch/x86/include/uapi/asm/mce.h
@@ -25,6 +25,10 @@ struct mce {
 	__u32 socketid;	/* CPU socket ID */
 	__u32 apicid;	/* CPU initial apic ID */
 	__u64 mcgcap;	/* MCGCAP MSR: machine check capabilities of CPU */
+	__u64 synd;	/* MCA_SYND MSR: only valid on SMCA systems */
+	__u64 ipid;	/* MCA_IPID MSR: only valid on SMCA systems */
+	__u64 ppin;	/* Protected Processor Inventory Number */
+	__u32 microcode;/* Microcode revision */
 };
 
 #define MCE_GET_RECORD_LEN   _IOR('M', 1, int)
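Review bot: synd, ipid and ppin are added to the UAPI struct, but nothing in the visible hunks assigns them, so their content depends on the record being zeroed before mce_setup() fills it. The struct also grows, which changes the length userspace obtains through MCE_GET_RECORD_LEN. Both points are worth a line in the backport note, which currently reads "Backported to 3.2" on a 3.16 patch.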
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -135,6 +135,8 @@ void mce_setup(struct mce *m)
 	m->socketid = cpu_data(m->extcpu).phys_proc_id;
 	m->apicid = cpu_data(m->extcpu).initial_apicid;
 	rdmsrl(MSR_IA32_MCG_CAP, m->mcgcap);
+
+	m->microcode = boot_cpu_data.microcode;
 }
 
 DEFINE_PER_CPU(struct mce, injectm);
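Review bot: m->microcode is taken from boot_cpu_data, while socketid and apicid a few lines above come from cpu_data(m->extcpu), and the print_mce() hunk below replaces cpu_data(m->extcpu).microcode with this field. On a system whose CPUs run different microcode revisions, the record and the log line would then show the boot CPU's revision instead of that of the CPU that reported the error. Using cpu_data(m->extcpu).microcode here would keep the previous per-CPU behaviour.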
@@ -282,7 +284,7 @@ static void print_mce(struct mce *m)
 	 */
 	pr_emerg(HW_ERR "PROCESSOR %u:%x TIME %llu SOCKET %u APIC %x microcode %x\n",
 		m->cpuvendor, m->cpuid, m->time, m->socketid, m->apicid,
-		cpu_data(m->extcpu).microcode);
+		m->microcode);
 
 	/*
 	 * Print out human-readable details about the MCE error,

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 358/410] fs/aio: Use RCU accessors for kioctx_table->table[]
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (207 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 224/410] Input: matrix_keypad - fix race when disabling interrupts Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 383/410] RDMA/ucma: Ensure that CM_ID exists prior to access it Ben Hutchings
                   ` (200 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Tejun Heo, Benjamin LaHaise, Jann Horn

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit d0264c01e7587001a8c4608a5d1818dba9a4c11a upstream.

While converting ioctx index from a list to a table, db446a08c23d
("aio: convert the ioctx list to table lookup v3") missed tagging
kioctx_table->table[] as an array of RCU pointers and using the
appropriate RCU accessors.  This introduces a small window in the
lookup path where init and access may race.

Mark kioctx_table->table[] with __rcu and use the appropriate RCU
accessors when using the field.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Jann Horn <jannh@google.com>
Fixes: db446a08c23d ("aio: convert the ioctx list to table lookup v3")
Cc: Benjamin LaHaise <bcrl@kvack.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Drop changes to aio_ring_mremap()
 - 
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/aio.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/fs/aio.c
+++ b/fs/aio.c
@@ -68,9 +68,9 @@ struct aio_ring {
 #define AIO_RING_PAGES	8
 
 struct kioctx_table {
-	struct rcu_head	rcu;
-	unsigned	nr;
-	struct kioctx	*table[];
+	struct rcu_head		rcu;
+	unsigned		nr;
+	struct kioctx __rcu	*table[];
 };
 
 struct kioctx_cpu {
@@ -588,9 +588,9 @@ static int ioctx_add_table(struct kioctx
 	while (1) {
 		if (table)
 			for (i = 0; i < table->nr; i++)
-				if (!table->table[i]) {
+				if (!rcu_access_pointer(table->table[i])) {
 					ctx->id = i;
-					table->table[i] = ctx;
+					rcu_assign_pointer(table->table[i], ctx);
 					spin_unlock(&mm->ioctx_lock);
 
 					/* While kioctx setup is in progress,
@@ -765,8 +765,8 @@ static int kill_ioctx(struct mm_struct *
 
 	spin_lock(&mm->ioctx_lock);
 	table = rcu_dereference_raw(mm->ioctx_table);
-	WARN_ON(ctx != table->table[ctx->id]);
-	table->table[ctx->id] = NULL;
+	WARN_ON(ctx != rcu_access_pointer(table->table[ctx->id]));
+	RCU_INIT_POINTER(table->table[ctx->id], NULL);
 	spin_unlock(&mm->ioctx_lock);
 
 	/* free_ioctx_reqs() will do the necessary RCU synchronization */
@@ -827,7 +827,8 @@ void exit_aio(struct mm_struct *mm)
 
 	skipped = 0;
 	for (i = 0; i < table->nr; ++i) {
-		struct kioctx *ctx = table->table[i];
+		struct kioctx *ctx =
+			rcu_dereference_protected(table->table[i], true);
 
 		if (!ctx) {
 			skipped++;
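Review bot: rcu_dereference_protected(table->table[i], true) passes a constant true as the protection condition, which silences lockdep without saying what makes the access safe. A one-line comment naming the guarantee that holds in exit_aio() would document why no lock or RCU read section is needed here.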
@@ -1022,7 +1023,7 @@ static struct kioctx *lookup_ioctx(unsig
 	if (!table || id >= table->nr)
 		goto out;
 
-	ctx = table->table[id];
+	ctx = rcu_dereference(table->table[id]);
 	if (ctx && ctx->user_id == ctx_id) {
 		percpu_ref_get(&ctx->users);
 		ret = ctx;

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 070/410] ARM: dts: omap3-n900: Fix the audio CODEC's reset pin
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (275 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 039/410] x86/cpu: Rename "WESTMERE2" family to "NEHALEM_G" Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 15:03   ` Andrew F. Davis
  2018-06-07 14:05 ` [PATCH 3.16 404/410] net: fix possible out-of-bound read in skb_network_protocol() Ben Hutchings
                   ` (132 subsequent siblings)
  409 siblings, 1 reply; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andrew F. Davis, Tony Lindgren

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Andrew F. Davis" <afd@ti.com>

commit 7be4b5dc7ffa9499ac6ef33a5ffa9ff43f9b7057 upstream.

The correct DT property for specifying a GPIO used for reset
is "reset-gpios", fix this here.

Fixes: 14e3e295b2b9 ("ARM: dts: omap3-n900: Add TLV320AIC3X support")

Signed-off-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/omap3-n900.dts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/omap3-n900.dts
+++ b/arch/arm/boot/dts/omap3-n900.dts
@@ -427,7 +427,7 @@
 	tlv320aic3x: tlv320aic3x@18 {
 		compatible = "ti,tlv320aic3x";
 		reg = <0x18>;
-		gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */
+		reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */
 		ai3x-gpio-func = <
 			0 /* AIC3X_GPIO1_FUNC_DISABLED */
 			5 /* AIC3X_GPIO2_FUNC_DIGITAL_MIC_INPUT */
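Review bot: besides renaming gpio-reset to reset-gpios, both codec nodes flip the flag from GPIO_ACTIVE_HIGH to GPIO_ACTIVE_LOW, which the commit message does not mention. For a 3.16 backport, please confirm that the tlv320aic3x driver in this tree reads reset-gpios and honours the polarity flag; if it still looks up the old property name, the codec loses its reset line description.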
@@ -444,7 +444,7 @@
 	tlv320aic3x_aux: tlv320aic3x@19 {
 		compatible = "ti,tlv320aic3x";
 		reg = <0x19>;
-		gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */
+		reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */
 
 		AVDD-supply = <&vmmc2>;
 		DRVDD-supply = <&vmmc2>;

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 188/410] Btrfs: fix extent state leak from tree log
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (368 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 083/410] RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 128/410] NFS: Fix 2 use after free issues in the I/O code Ben Hutchings
                   ` (39 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Liu Bo, Josef Bacik, David Sterba

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liu Bo <bo.li.liu@oracle.com>

commit 55237a5f2431a72435e3ed39e4306e973c0446b7 upstream.

It's possible that btrfs_sync_log() bails out after one of the two
btrfs_write_marked_extents() which convert extent state's state bit into
EXTENT_NEED_WAIT from EXTENT_DIRTY/EXTENT_NEW, however only EXTENT_DIRTY
and EXTENT_NEW are searched by free_log_tree() so that those extent states
with EXTENT_NEED_WAIT lead to memory leak.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/tree-log.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -2731,13 +2731,14 @@ static void free_log_tree(struct btrfs_t
 
 	while (1) {
 		ret = find_first_extent_bit(&log->dirty_log_pages,
-				0, &start, &end, EXTENT_DIRTY | EXTENT_NEW,
+				0, &start, &end,
+				EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT,
 				NULL);
 		if (ret)
 			break;
 
 		clear_extent_bits(&log->dirty_log_pages, start, end,
-				  EXTENT_DIRTY | EXTENT_NEW, GFP_NOFS);
+				  EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT, GFP_NOFS);
 	}
 
 	/*
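Review bot: the mask EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT is now spelled out twice, once for find_first_extent_bit() and once for clear_extent_bits(), and the leak described in the commit message came from the searched bits not covering every bit that can be set. A local constant used by both calls would keep them in sync. The clear_extent_bits() line also runs past 80 columns.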

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 202/410] pipe: fix limit checking in pipe_set_size()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (343 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 338/410] USB: usbmon: remove assignment from IS_ERR argument Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 111/410] Adding Intel Lewisburg device IDs for SATA Ben Hutchings
                   ` (64 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jens Axboe, Willy Tarreau, Al Viro, socketpair,
	Michael Kerrisk (man-pages),
	Tetsuo Handa, Vegard Nossum, Linus Torvalds

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>

commit b0b91d18e2e97b741b294af9333824ecc3fadfd8 upstream.

The limit checking in pipe_set_size() (used by fcntl(F_SETPIPE_SZ))
has the following problems:

(1) When increasing the pipe capacity, the checks against the limits in
    /proc/sys/fs/pipe-user-pages-{soft,hard} are made against existing
    consumption, and exclude the memory required for the increased pipe
    capacity. The new increase in pipe capacity can then push the total
    memory used by the user for pipes (possibly far) over a limit. This
    can also trigger the problem described next.

(2) The limit checks are performed even when the new pipe capacity is
    less than the existing pipe capacity. This can lead to problems if a
    user sets a large pipe capacity, and then the limits are lowered,
    with the result that the user will no longer be able to decrease the
    pipe capacity.

(3) As currently implemented, accounting and checking against the
    limits is done as follows:

    (a) Test whether the user has exceeded the limit.
    (b) Make new pipe buffer allocation.
    (c) Account new allocation against the limits.

    This is racy. Multiple processes may pass point (a)
    simultaneously, and then allocate pipe buffers that are accounted
    for only in step (c).  The race means that the user's pipe buffer
    allocation could be pushed over the limit (by an arbitrary amount,
    depending on how unlucky we were in the race). [Thanks to Vegard
    Nossum for spotting this point, which I had missed.]

This patch addresses the above problems as follows:

* Perform checks against the limits only when increasing a pipe's
  capacity; an unprivileged user can always decrease a pipe's capacity.
* Alter the checks against limits to include the memory required for
  the new pipe capacity.
* Re-order the accounting step so that it precedes the buffer
  allocation. If the accounting step determines that a limit has
  been reached, revert the accounting and cause the operation to fail.

The program below can be used to demonstrate problems 1 and 2, and the
effect of the fix. The program takes one or more command-line arguments.
The first argument specifies the number of pipes that the program should
create. The remaining arguments are, alternately, pipe capacities that
should be set using fcntl(F_SETPIPE_SZ), and sleep intervals (in
seconds) between the fcntl() operations. (The sleep intervals allow the
possibility to change the limits between fcntl() operations.)

Problem 1
=========

Using the test program on an unpatched kernel, we first set some
limits:

    # echo 0 > /proc/sys/fs/pipe-user-pages-soft
    # echo 1000000000 > /proc/sys/fs/pipe-max-size
    # echo 10000 > /proc/sys/fs/pipe-user-pages-hard    # 40.96 MB

Then show that we can set a pipe with capacity (100MB) that is
over the hard limit:

    # sudo -u mtk ./test_F_SETPIPE_SZ 1 100000000
    Initial pipe capacity: 65536
        Loop 1: set pipe capacity to 100000000 bytes
            F_SETPIPE_SZ returned 134217728

Now set the capacity to 100MB twice. The second call fails (which is
probably surprising to most users, since it seems like a no-op):

    # sudo -u mtk ./test_F_SETPIPE_SZ 1 100000000 0 100000000
    Initial pipe capacity: 65536
        Loop 1: set pipe capacity to 100000000 bytes
            F_SETPIPE_SZ returned 134217728
        Loop 2: set pipe capacity to 100000000 bytes
            Loop 2, pipe 0: F_SETPIPE_SZ failed: fcntl: Operation not permitted

With a patched kernel, setting a capacity over the limit fails at the
first attempt:

    # echo 0 > /proc/sys/fs/pipe-user-pages-soft
    # echo 1000000000 > /proc/sys/fs/pipe-max-size
    # echo 10000 > /proc/sys/fs/pipe-user-pages-hard
    # sudo -u mtk ./test_F_SETPIPE_SZ 1 100000000
    Initial pipe capacity: 65536
        Loop 1: set pipe capacity to 100000000 bytes
            Loop 1, pipe 0: F_SETPIPE_SZ failed: fcntl: Operation not permitted

There is a small chance that the change to fix this problem could
break user-space, since there are cases where fcntl(F_SETPIPE_SZ)
calls that previously succeeded might fail. However, the chances are
small, since (a) the pipe-user-pages-{soft,hard} limits are new (in
4.5), and the default soft/hard limits are high/unlimited.  Therefore,
it seems warranted to make these limits operate more precisely (and
behave more like what users probably expect).

Problem 2
=========

Running the test program on an unpatched kernel, we first set some limits:

    # getconf PAGESIZE
    4096
    # echo 0 > /proc/sys/fs/pipe-user-pages-soft
    # echo 1000000000 > /proc/sys/fs/pipe-max-size
    # echo 10000 > /proc/sys/fs/pipe-user-pages-hard    # 40.96 MB

Now perform two fcntl(F_SETPIPE_SZ) operations on a single pipe,
first setting a pipe capacity (10MB), sleeping for a few seconds,
during which time the hard limit is lowered, and then set pipe
capacity to a smaller amount (5MB):

    # sudo -u mtk ./test_F_SETPIPE_SZ 1 10000000 15 5000000 &
    [1] 748
    # Initial pipe capacity: 65536
        Loop 1: set pipe capacity to 10000000 bytes
            F_SETPIPE_SZ returned 16777216
            Sleeping 15 seconds

    # echo 1000 > /proc/sys/fs/pipe-user-pages-hard      # 4.096 MB
    #     Loop 2: set pipe capacity to 5000000 bytes
            Loop 2, pipe 0: F_SETPIPE_SZ failed: fcntl: Operation not permitted

In this case, the user should be able to lower the limit.

With a kernel that has the patch below, the second fcntl()
succeeds:

    # echo 0 > /proc/sys/fs/pipe-user-pages-soft
    # echo 1000000000 > /proc/sys/fs/pipe-max-size
    # echo 10000 > /proc/sys/fs/pipe-user-pages-hard
    # sudo -u mtk ./test_F_SETPIPE_SZ 1 10000000 15 5000000 &
    [1] 3215
    # Initial pipe capacity: 65536
    #     Loop 1: set pipe capacity to 10000000 bytes
            F_SETPIPE_SZ returned 16777216
            Sleeping 15 seconds

    # echo 1000 > /proc/sys/fs/pipe-user-pages-hard

    #     Loop 2: set pipe capacity to 5000000 bytes
            F_SETPIPE_SZ returned 8388608

8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---

/* test_F_SETPIPE_SZ.c

   (C) 2016, Michael Kerrisk; licensed under GNU GPL version 2 or later

   Test operation of fcntl(F_SETPIPE_SZ) for setting pipe capacity
   and interactions with limits defined by /proc/sys/fs/pipe-* files.
*/

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
    int (*pfd)[2];
    int npipes;
    int pcap, rcap;
    int j, p, s, stime, loop;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s num-pipes "
                "[pipe-capacity sleep-time]...\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    npipes = atoi(argv[1]);

    pfd = calloc(npipes, sizeof (int [2]));
    if (pfd == NULL) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }

    for (j = 0; j < npipes; j++) {
        if (pipe(pfd[j]) == -1) {
            fprintf(stderr, "Loop %d: pipe() failed: ", j);
            perror("pipe");
            exit(EXIT_FAILURE);
        }
    }

    printf("Initial pipe capacity: %d\n", fcntl(pfd[0][0], F_GETPIPE_SZ));

    for (j = 2; j < argc; j += 2 ) {
        loop = j / 2;
        pcap = atoi(argv[j]);
        printf("    Loop %d: set pipe capacity to %d bytes\n", loop, pcap);

        for (p = 0; p < npipes; p++) {
            s = fcntl(pfd[p][0], F_SETPIPE_SZ, pcap);
            if (s == -1) {
                fprintf(stderr, "        Loop %d, pipe %d: F_SETPIPE_SZ "
                        "failed: ", loop, p);
                perror("fcntl");
                exit(EXIT_FAILURE);
            }

            if (p == 0) {
                printf("        F_SETPIPE_SZ returned %d\n", s);
                rcap = s;
            } else {
                if (s != rcap) {
                    fprintf(stderr, "        Loop %d, pipe %d: F_SETPIPE_SZ "
                            "unexpected return: %d\n", loop, p, s);
                    exit(EXIT_FAILURE);
                }
            }

            stime = (j + 1 < argc) ? atoi(argv[j + 1]) : 0;
            if (stime > 0) {
                printf("        Sleeping %d seconds\n", stime);
                sleep(stime);
            }
        }
    }

    exit(EXIT_SUCCESS);
}

8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---8x---

Patch history:

v2
    * Switch order of test in 'if' statement to avoid function call
      (to capability()) in normal path. [This is a fix to a preexisting
      wart in the code. Thanks to Willy Tarreau]
    * Perform (size > pipe_max_size) check before calling
      account_pipe_buffers().  [Thanks to Vegard Nossum]
      Quoting Vegard:

        The potential problem happens if the user passes a very large number
        which will overflow pipe->user->pipe_bufs.

        On 32-bit, sizeof(int) == sizeof(long), so if they pass arg = INT_MAX
        then round_pipe_size() returns INT_MAX. Although it's true that the
        accounting is done in terms of pages and not bytes, so you'd need on
        the order of (1 << 13) = 8192 processes hitting the limit at the same
        time in order to make it overflow, which seems a bit unlikely.

        (See https://lkml.org/lkml/2016/8/12/215 for another discussion on the
        limit checking)

Link: http://lkml.kernel.org/r/1e464945-536b-2420-798b-e77b9c7e8593@gmail.com
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: <socketpair@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Jens Axboe <axboe@fb.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/pipe.c | 41 +++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1013,6 +1013,7 @@ static long pipe_set_size(struct pipe_in
 {
 	struct pipe_buffer *bufs;
 	unsigned int size, nr_pages;
+	long ret = 0;
 
 	size = round_pipe_size(arg);
 	nr_pages = size >> PAGE_SHIFT;
@@ -1020,13 +1021,26 @@ static long pipe_set_size(struct pipe_in
 	if (!nr_pages)
 		return -EINVAL;
 
-	if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size)
+	/*
+	 * If trying to increase the pipe capacity, check that an
+	 * unprivileged user is not trying to exceed various limits
+	 * (soft limit check here, hard limit check just below).
+	 * Decreasing the pipe capacity is always permitted, even
+	 * if the user is currently over a limit.
+	 */
+	if (nr_pages > pipe->buffers &&
+			size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
 		return -EPERM;
 
-	if ((too_many_pipe_buffers_hard(pipe->user) ||
-			too_many_pipe_buffers_soft(pipe->user)) &&
-			!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
-		return -EPERM;
+	account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
+
+	if (nr_pages > pipe->buffers &&
+			(too_many_pipe_buffers_hard(pipe->user) ||
+			 too_many_pipe_buffers_soft(pipe->user)) &&
+			!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
+		ret = -EPERM;
+		goto out_revert_acct;
+	}
 
 	/*
 	 * We can shrink the pipe, if arg >= pipe->nrbufs. Since we don't
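Review bot: the new block comment in this hunk says "soft limit check here, hard limit check just below", but the `if` it sits on tests `size > pipe_max_size`, and both `too_many_pipe_buffers_hard()` and `too_many_pipe_buffers_soft()` are tested together in the following `if`; the comment should name pipe_max_size for the first test and the per-user soft/hard limits for the second. Separately, the limit test that follows `account_pipe_buffers(pipe->user, pipe->buffers, nr_pages)` looks at the user's total again rather than at a value handed back by the accounting step, so two tasks of the same user growing pipes at once can each see the other's provisional charge and both get -EPERM even though one request alone would fit. Having the accounting call return the total it produced, and testing that value, would make the result depend only on the caller's own request.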
@@ -1034,12 +1048,16 @@ static long pipe_set_size(struct pipe_in
 	 * again like we would do for growing. If the pipe currently
 	 * contains more buffers than arg, then return busy.
 	 */
-	if (nr_pages < pipe->nrbufs)
-		return -EBUSY;
+	if (nr_pages < pipe->nrbufs) {
+		ret = -EBUSY;
+		goto out_revert_acct;
+	}
 
 	bufs = kcalloc(nr_pages, sizeof(*bufs), GFP_KERNEL | __GFP_NOWARN);
-	if (unlikely(!bufs))
-		return -ENOMEM;
+	if (unlikely(!bufs)) {
+		ret = -ENOMEM;
+		goto out_revert_acct;
+	}
 
 	/*
 	 * The pipe array wraps around, so just start the new one at zero
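Review bot: the `nr_pages < pipe->nrbufs` test does not depend on the accounting, yet it now runs after `account_pipe_buffers()` and has to unwind through `out_revert_acct`. Moving this -EBUSY test ahead of the accounting call would let it return directly and would keep the user's total from being changed, even briefly, for a request that cannot succeed.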
@@ -1062,12 +1080,15 @@ static long pipe_set_size(struct pipe_in
 			memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer));
 	}
 
-	account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
 	pipe->curbuf = 0;
 	kfree(pipe->bufs);
 	pipe->bufs = bufs;
 	pipe->buffers = nr_pages;
 	return nr_pages * PAGE_SIZE;
+
+out_revert_acct:
+	account_pipe_buffers(pipe->user, nr_pages, pipe->buffers);
+	return ret;
 }
 
 /*
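Review bot: `out_revert_acct` undoes the charge by calling `account_pipe_buffers(pipe->user, nr_pages, pipe->buffers)` with the old and new counts swapped, which is only correct while `pipe->buffers` still holds the pre-resize value. A one-line comment at the label saying so, and that no `goto out_revert_acct` may be placed after `pipe->buffers = nr_pages`, would protect that invariant against later edits.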

^ permalink raw reply	[flat|nested] 445+ messages in thread
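The accounting order described in the commit message above, as an added userspace C model (not kernel code and not part of the patch). The `model_*` names, the `>=` limit comparison and the omission of the soft limit, pipe_max_size and capability checks are assumptions made to keep the model small; it replays the Problem 1 and Problem 2 sequences with the message's numbers.

```c
/* Added illustration: userspace model of the check/account order in
 * pipe_set_size(). Not kernel code; all model_* names are hypothetical. */
#include <errno.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096UL

struct model_user { long pipe_bufs; };              /* pages charged to the user */
struct model_pipe { struct model_user *user; unsigned long buffers; };

static unsigned long hard_limit_pages;              /* pipe-user-pages-hard, 0 = off */

/* Round a byte count up to a power-of-two number of pages. */
static unsigned long round_pages(unsigned long bytes)
{
    unsigned long want = (bytes + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE;
    unsigned long pages = 1;

    while (pages < want)
        pages <<= 1;
    return pages;
}

/* Assumed comparison: at or above the limit counts as "too many". */
static int over_hard_limit(const struct model_user *u)
{
    return hard_limit_pages && u->pipe_bufs >= (long)hard_limit_pages;
}

static void account(struct model_user *u, unsigned long from, unsigned long to)
{
    u->pipe_bufs += (long)to - (long)from;
}

/* Before the patch: test existing usage, resize, account afterwards. */
static long set_size_before(struct model_pipe *p, unsigned long bytes)
{
    unsigned long nr_pages = round_pages(bytes);

    if (over_hard_limit(p->user))       /* ignores the pages being requested */
        return -EPERM;                  /* and also fires when shrinking */
    account(p->user, p->buffers, nr_pages);
    p->buffers = nr_pages;
    return (long)(nr_pages * MODEL_PAGE_SIZE);
}

/* After the patch: account first, test only when growing, revert on failure. */
static long set_size_after(struct model_pipe *p, unsigned long bytes)
{
    unsigned long nr_pages = round_pages(bytes);

    account(p->user, p->buffers, nr_pages);
    if (nr_pages > p->buffers && over_hard_limit(p->user)) {
        account(p->user, nr_pages, p->buffers);     /* undo the charge */
        return -EPERM;
    }
    p->buffers = nr_pages;
    return (long)(nr_pages * MODEL_PAGE_SIZE);
}

typedef long (*set_size_fn)(struct model_pipe *, unsigned long);

/* Replay both sequences from the commit message with one implementation. */
static void replay(const char *label, set_size_fn set_size)
{
    struct model_user u = { 16 };
    struct model_pipe p = { &u, 16 };   /* one default 65536-byte pipe */
    long first, second;

    hard_limit_pages = 10000;           /* problem 1: 100 MB requested twice */
    first = set_size(&p, 100000000UL);
    second = set_size(&p, 100000000UL);
    printf("%s, problem 1: first=%ld second=%ld charged=%ld pages\n",
           label, first, second, u.pipe_bufs);

    u.pipe_bufs = 16;                   /* problem 2: grow, lower limit, shrink */
    p.buffers = 16;
    hard_limit_pages = 10000;
    first = set_size(&p, 10000000UL);
    hard_limit_pages = 1000;
    second = set_size(&p, 5000000UL);
    printf("%s, problem 2: grow=%ld shrink=%ld charged=%ld pages\n",
           label, first, second, u.pipe_bufs);
}

int main(void)
{
    replay("before", set_size_before);
    replay("after", set_size_after);
    return 0;
}
```

The model is single-threaded, so it shows problems 1 and 2 only; the race in problem 3 needs concurrent callers.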

* [PATCH 3.16 274/410] libata: disable LPM for Crucial BX100 SSD 500GB drive
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (151 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 399/410] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 006/410] Bluetooth: hidp_connection_add() unsafe use of l2cap_pi() Ben Hutchings
                   ` (256 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kai-Heng Feng, Tejun Heo

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit b17e5729a630d8326a48ec34ef02e6b4464a6aef upstream.

After Laptop Mode Tools starts to use min_power for LPM, a user found
out Crucial BX100 SSD can't get mounted.

Crucial BX100 SSD 500GB drive doesn't work well with min_power. This also
happens to med_power_with_dipm.

So let's disable LPM for Crucial BX100 SSD 500GB drive.

BugLink: https://bugs.launchpad.net/bugs/1726930
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-core.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4224,6 +4224,9 @@ static const struct ata_blacklist_entry
 	{ "PIONEER DVD-RW  DVR-212D",	NULL,	ATA_HORKAGE_NOSETXFER },
 	{ "PIONEER DVD-RW  DVR-216D",	NULL,	ATA_HORKAGE_NOSETXFER },
 
+	/* Crucial BX100 SSD 500GB has broken LPM support */
+	{ "CT500BX100SSD1",		"MU02",	ATA_HORKAGE_NOLPM },
+
 	/* The 512GB version of the MX100 has both queued TRIM and LPM issues */
 	{ "Crucial_CT512MX100*",	NULL,	ATA_HORKAGE_NO_NCQ_TRIM |
 						ATA_HORKAGE_NOLPM, },
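Review bot: the new entry matches only firmware revision "MU02" of "CT500BX100SSD1", while the commit message describes the 500GB BX100 drive as a whole failing with min_power and med_power_with_dipm. If other firmware revisions behave the same way they are not covered; either say in the comment why the quirk is limited to MU02, or pass NULL for the revision as the neighbouring MX100 entry does.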

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 228/410] libata: fix length validation of ATAPI-relayed SCSI commands
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (396 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 318/410] ata: do not schedule hot plug if it is a sas host Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 136/410] usb: uas: unconditionally bring back host after reset Ben Hutchings
                   ` (11 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Biggers,
	syzbot+1ff6f9fcc3c35f1c72a95e26528c8e7e3276e4da, Tejun Heo

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 058f58e235cbe03e923b30ea7c49995a46a8725f upstream.

syzkaller reported a crash in ata_bmdma_fill_sg() when writing to
/dev/sg1.  The immediate cause was that the ATA command's scatterlist
was not DMA-mapped, which causes 'pi - 1' to underflow, resulting in a
write to 'qc->ap->bmdma_prd[0xffffffff]'.

Strangely though, the flag ATA_QCFLAG_DMAMAP was set in qc->flags.  The
root cause is that when __ata_scsi_queuecmd() is preparing to relay a
SCSI command to an ATAPI device, it doesn't correctly validate the CDB
length before copying it into the 16-byte buffer 'cdb' in 'struct
ata_queued_cmd'.  Namely, it validates the fixed CDB length expected
based on the SCSI opcode but not the actual CDB length, which can be
larger due to the use of the SG_NEXT_CMD_LEN ioctl.  Since 'flags' is
the next member in ata_queued_cmd, a buffer overflow corrupts it.

Fix it by requiring that the actual CDB length be <= 16 (ATAPI_CDB_LEN).

[Really it seems the length should be required to be <= dev->cdb_len,
but the current behavior seems to have been intentionally introduced by
commit 607126c2a21c ("libata-scsi: be tolerant of 12-byte ATAPI commands
in 16-byte CDBs") to work around a userspace bug in mplayer.  Probably
the workaround is no longer needed (mplayer was fixed in 2007), but
continuing to allow lengths up to 16 appears harmless for now.]

Here's a reproducer that works in QEMU when /dev/sg1 refers to the
CD-ROM drive that qemu-system-x86_64 creates by default:

    #include <fcntl.h>
    #include <sys/ioctl.h>
    #include <unistd.h>

    #define SG_NEXT_CMD_LEN 0x2283

    int main()
    {
	    char buf[53] = { [36] = 0x7e, [52] = 0x02 };
	    int fd = open("/dev/sg1", O_RDWR);
	    ioctl(fd, SG_NEXT_CMD_LEN, &(int){ 17 });
	    write(fd, buf, sizeof(buf));
    }

The crash was:

    BUG: unable to handle kernel paging request at ffff8cb97db37ffc
    IP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2623 [inline]
    IP: ata_bmdma_qc_prep+0xa4/0xc0 drivers/ata/libata-sff.c:2727
    PGD fb6c067 P4D fb6c067 PUD 0
    Oops: 0002 [#1] SMP
    CPU: 1 PID: 150 Comm: syz_ata_bmdma_q Not tainted 4.15.0-next-20180202 #99
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    [...]
    Call Trace:
     ata_qc_issue+0x100/0x1d0 drivers/ata/libata-core.c:5421
     ata_scsi_translate+0xc9/0x1a0 drivers/ata/libata-scsi.c:2024
     __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4326 [inline]
     ata_scsi_queuecmd+0x8c/0x210 drivers/ata/libata-scsi.c:4375
     scsi_dispatch_cmd+0xa2/0xe0 drivers/scsi/scsi_lib.c:1727
     scsi_request_fn+0x24c/0x530 drivers/scsi/scsi_lib.c:1865
     __blk_run_queue_uncond block/blk-core.c:412 [inline]
     __blk_run_queue+0x3a/0x60 block/blk-core.c:432
     blk_execute_rq_nowait+0x93/0xc0 block/blk-exec.c:78
     sg_common_write.isra.7+0x272/0x5a0 drivers/scsi/sg.c:806
     sg_write+0x1ef/0x340 drivers/scsi/sg.c:677
     __vfs_write+0x31/0x160 fs/read_write.c:480
     vfs_write+0xa7/0x160 fs/read_write.c:544
     SYSC_write fs/read_write.c:589 [inline]
     SyS_write+0x4d/0xc0 fs/read_write.c:581
     do_syscall_64+0x5e/0x110 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x21/0x86

Fixes: 607126c2a21c ("libata-scsi: be tolerant of 12-byte ATAPI commands in 16-byte CDBs")
Reported-by: syzbot+1ff6f9fcc3c35f1c72a95e26528c8e7e3276e4da@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-scsi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -3435,7 +3435,9 @@ static inline int __ata_scsi_queuecmd(st
 		if (likely((scsi_op != ATA_16) || !atapi_passthru16)) {
 			/* relay SCSI command to ATAPI device */
 			int len = COMMAND_SIZE(scsi_op);
-			if (unlikely(len > scmd->cmd_len || len > dev->cdb_len))
+			if (unlikely(len > scmd->cmd_len ||
+				     len > dev->cdb_len ||
+				     scmd->cmd_len > ATAPI_CDB_LEN))
 				goto bad_cdb_len;
 
 			xlat_func = atapi_xlat;
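Review bot: the added `scmd->cmd_len > ATAPI_CDB_LEN` clause bounds the actual CDB length, while the two existing clauses compare the opcode-derived `len`, and nothing in the code says why the three differ. A short comment above the condition stating that `cmd_len` is the number of bytes that end up in the 16-byte `cdb` array, and that lengths up to 16 are tolerated on purpose even when `dev->cdb_len` is smaller (as the commit message explains), would keep a later cleanup from tightening or dropping the wrong clause.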

^ permalink raw reply	[flat|nested] 445+ messages in thread
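The length checks before and after the patch above, as an added C model (not the kernel's code and not part of the patch). `model_qc`, `cdb_ok_before()`, `cdb_ok_after()`, `overrun_bytes()` and `relay_cdb()` are hypothetical names; the opcode-group size table follows the kernel's COMMAND_SIZE() lookup, and the device CDB length of 12 and the sample CDBs are constructed values.

```c
/* Added illustration: opcode-derived length versus actual CDB length. */
#include <stdio.h>
#include <string.h>

#define ATAPI_CDB_LEN 16

/* Fixed CDB size per SCSI opcode group (opcode bits 7..5). */
static const unsigned char size_by_group[8] = { 6, 10, 10, 12, 16, 12, 10, 10 };

static unsigned int command_size(unsigned char opcode)
{
    return size_by_group[(opcode >> 5) & 7];
}

/* Stand-in for the two adjacent members of struct ata_queued_cmd. */
struct model_qc {
    unsigned char cdb[ATAPI_CDB_LEN];
    unsigned long flags;                /* what an over-long copy would reach */
};

/* Check before the patch: only the opcode-derived length is validated. */
static int cdb_ok_before(unsigned char op, unsigned int cmd_len,
                         unsigned int dev_cdb_len)
{
    unsigned int len = command_size(op);

    return !(len > cmd_len || len > dev_cdb_len);
}

/* Check after the patch: the actual length must also fit the buffer. */
static int cdb_ok_after(unsigned char op, unsigned int cmd_len,
                        unsigned int dev_cdb_len)
{
    unsigned int len = command_size(op);

    return !(len > cmd_len || len > dev_cdb_len || cmd_len > ATAPI_CDB_LEN);
}

/* Bytes that a copy of cmd_len bytes would place beyond cdb[]. */
static unsigned int overrun_bytes(unsigned int cmd_len)
{
    return cmd_len > ATAPI_CDB_LEN ? cmd_len - ATAPI_CDB_LEN : 0;
}

/* Relay using the patched check: copy only after validation succeeded. */
static int relay_cdb(struct model_qc *qc, const unsigned char *cmnd,
                     unsigned int cmd_len, unsigned int dev_cdb_len)
{
    if (cmd_len == 0 || !cdb_ok_after(cmnd[0], cmd_len, dev_cdb_len))
        return -1;
    memset(qc->cdb, 0, sizeof(qc->cdb));
    memcpy(qc->cdb, cmnd, cmd_len);
    return 0;
}

int main(void)
{
    /* Constructed cases: opcode, actual CDB length, device CDB length. */
    static const struct { unsigned char op; unsigned int cmd_len, dev_len; } cases[] = {
        { 0x7e, 17, 12 },   /* 12-byte opcode group, 17 bytes supplied */
        { 0xa8, 16, 12 },   /* 12-byte command padded to a 16-byte CDB */
        { 0x28,  6, 12 },   /* 10-byte command, truncated to 6 bytes */
        { 0x88, 16, 12 },   /* 16-byte command on a 12-byte device */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("op=0x%02x cmd_len=%2u: before=%d after=%d overrun=%u\n",
               cases[i].op, cases[i].cmd_len,
               cdb_ok_before(cases[i].op, cases[i].cmd_len, cases[i].dev_len),
               cdb_ok_after(cases[i].op, cases[i].cmd_len, cases[i].dev_len),
               overrun_bytes(cases[i].cmd_len));
    return 0;
}
```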

* [PATCH 3.16 064/410] x86/speculation: Correct Speculation Control microcode blacklist  again
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (219 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 394/410] batman-adv: fix multicast-via-unicast transmission with AP isolation Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 196/410] arm64: KVM: Increment PC after handling an SMC trap Ben Hutchings
                   ` (188 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra, David Woodhouse, Borislav Petkov,
	Ingo Molnar, Greg Kroah-Hartman, Dave Hansen, pbonzini, kvm,
	Linus Torvalds, Thomas Gleixner, Arjan van de Ven,
	Josh Poimboeuf, David Woodhouse, Andy Lutomirski,
	Arjan van de Ven, Dan Williams, dave.hansen

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dwmw@amazon.co.uk>

commit d37fc6d360a404b208547ba112e7dabb6533c7fc upstream.

Arjan points out that the Intel document only clears the 0xc2 microcode
on *some* parts with CPUID 506E3 (INTEL_FAM6_SKYLAKE_DESKTOP stepping 3).
For the Skylake H/S platform it's OK but for Skylake E3 which has the
same CPUID it isn't (yet) cleared.

So removing it from the blacklist was premature. Put it back for now.

Also, Arjan assures me that the 0x84 microcode for Kaby Lake which was
featured in one of the early revisions of the Intel document was never
released to the public, and won't be until/unless it is also validated
as safe. So those can change to 0x80 which is what all *other* versions
of the doc have identified.

Once the retrospective testing of existing public microcodes is done, we
should be back into a mode where new microcodes are only released in
batches and we shouldn't even need to update the blacklist for those
anyway, so this tweaking of the list isn't expected to be a thing which
keeps happening.

Requested-by: Arjan van de Ven <arjan.van.de.ven@intel.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: arjan.van.de.ven@intel.com
Cc: dave.hansen@intel.com
Cc: kvm@vger.kernel.org
Cc: pbonzini@redhat.com
Link: http://lkml.kernel.org/r/1518449255-2182-1-git-send-email-dwmw@amazon.co.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/intel.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -40,13 +40,14 @@ struct sku_microcode {
 	u32 microcode;
 };
 static const struct sku_microcode spectre_bad_microcodes[] = {
-	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0B,	0x84 },
-	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0A,	0x84 },
-	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x09,	0x84 },
-	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x0A,	0x84 },
-	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x09,	0x84 },
+	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0B,	0x80 },
+	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0A,	0x80 },
+	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x09,	0x80 },
+	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x0A,	0x80 },
+	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x09,	0x80 },
 	{ INTEL_FAM6_SKYLAKE_X,		0x03,	0x0100013e },
 	{ INTEL_FAM6_SKYLAKE_X,		0x04,	0x0200003c },
+	{ INTEL_FAM6_SKYLAKE_DESKTOP,	0x03,	0xc2 },
 	{ INTEL_FAM6_BROADWELL_CORE,	0x04,	0x28 },
 	{ INTEL_FAM6_BROADWELL_GT3E,	0x01,	0x1b },
 	{ INTEL_FAM6_BROADWELL_XEON_D,	0x02,	0x14 },
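Review bot: the re-added `{ INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 }` row also blacklists Skylake H/S parts, for which the commit message says 0xc2 is cleared, because they share CPUID 506E3 with Skylake E3. The table carries no comment recording that this over-match is deliberate; a comment on that row saying so, and that it can go once E3 is cleared, would stop the entry from being removed prematurely a second time.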

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 167/410] lkdtm: fix handle_irq_event symbol for INT_HW_IRQ_EN
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (374 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 185/410] net: igmp: add a missing rcu locking section Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 171/410] CIFS: zero sensitive data when freeing Ben Hutchings
                   ` (33 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Kees Cook, Greg Kroah-Hartman, Travis Brown, Ivan Delalande

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ivan Delalande <colona@arista.com>

commit 5be2a5011c039506e2862650c928acfb2e3d7b9c upstream.

Function handle_IRQ_event was retired in v2.6.39 and replaced with
handle_irq_event but nobody changed it in lkdtm so INT_HW_IRQ_EN has
been broken for a while.

Fixes: 33b054b867b8 ("genirq: Remove handle_IRQ_event")
Signed-off-by: Travis Brown <travisb@arista.com>
Signed-off-by: Ivan Delalande <colona@arista.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/misc/lkdtm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -566,7 +566,7 @@ static int lkdtm_register_cpoint(enum cn
 		lkdtm.entry = (kprobe_opcode_t*) jp_do_irq;
 		break;
 	case CN_INT_HW_IRQ_EN:
-		lkdtm.kp.symbol_name = "handle_IRQ_event";
+		lkdtm.kp.symbol_name = "handle_irq_event";
 		lkdtm.entry = (kprobe_opcode_t*) jp_handle_irq_event;
 		break;
 	case CN_INT_TASKLET_ENTRY:
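Review bot: in `case CN_INT_HW_IRQ_EN` the probed function is still named by a bare string in `lkdtm.kp.symbol_name`, with nothing at build time tying it to the real symbol, so a future rename would go unnoticed in the same way. It is worth checking the other `symbol_name` literals in this switch against the 3.16 tree as part of this backport.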

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 218/410] crypto: caam - fix endless loop when DECO acquire fails
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (252 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 129/410] nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 052/410] KVM: nVMX: Eliminate vmcs02 pool Ben Hutchings
                   ` (155 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Herbert Xu, Horia Geantă, Auer Lukas, Bryan O'Donoghue

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Horia Geantă <horia.geanta@nxp.com>

commit 225ece3e7dad4cfc44cca38ce7a3a80f255ea8f1 upstream.

In case DECO0 cannot be acquired - i.e. run_descriptor_deco0() fails
with -ENODEV, caam_probe() enters an endless loop:

run_descriptor_deco0
	ret -ENODEV
	-> instantiate_rng
		-ENODEV, overwritten by -EAGAIN
		ret -EAGAIN
		-> caam_probe
			-EAGAIN results in endless loop

It turns out the error path in instantiate_rng() is incorrect,
the checks are done in the wrong order.

Fixes: 1005bccd7a4a6 ("crypto: caam - enable instantiation of all RNG4 state handles")
Reported-by: Bryan O'Donoghue <pure.logic@nexus-software.ie>
Suggested-by: Auer Lukas <lukas.auer@aisec.fraunhofer.de>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/caam/ctrl.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/crypto/caam/ctrl.c
+++ b/drivers/crypto/caam/ctrl.c
@@ -196,12 +196,16 @@ static int instantiate_rng(struct device
 		 * without any error (HW optimizations for later
 		 * CAAM eras), then try again.
 		 */
+		if (ret)
+			break;
+
 		rdsta_val =
 			rd_reg32(&topregs->ctrl.r4tst[0].rdsta) & RDSTA_IFMASK;
-		if (status || !(rdsta_val & (1 << sh_idx)))
+		if (status || !(rdsta_val & (1 << sh_idx))) {
 			ret = -EAGAIN;
-		if (ret)
 			break;
+		}
+
 
 		dev_info(ctrldev, "Instantiated RNG4 SH%d\n", sh_idx);
 		/* Clear the contents before recreating the descriptor */
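Review bot: the added `if (ret) break;` lands between the block comment ending "then try again" and the `rdsta_val` test that comment describes, so the comment now reads as if it explained the early break. Place the new `if (ret)` above that comment, or give it its own comment saying it passes errors such as -ENODEV from run_descriptor_deco0() through unchanged. The hunk also leaves two consecutive blank lines after the closing brace; drop the added one.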

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 334/410] x86/spectre_v2: Don't check microcode versions when running under hypervisors
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (264 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 091/410] drivers: video: fbdev: atmel_lcdfb.c: fix error return code Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05   ` [OpenRISC] " Ben Hutchings
                   ` (143 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Borislav Petkov, Paolo Bonzini, Konrad Rzeszutek Wilk,
	H. Peter Anvin, kvm, Thomas Gleixner, Wanpeng Li,
	Krčmář

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

commit 36268223c1e9981d6cfc33aff8520b3bde4b8114 upstream.

As:

 1) It's known that hypervisors lie about the environment anyhow (host
    mismatch)

 2) Even if the hypervisor (Xen, KVM, VMWare, etc) provided a valid
    "correct" value, it all gets to be very murky when migration happens
    (do you provide the "new" microcode of the machine?).

And in reality the cloud vendors are the ones that should make sure that
the microcode that is running is correct and we should just sing lalalala
and trust them.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wanpeng Li <kernellwp@gmail.com>
Cc: kvm <kvm@vger.kernel.org>
Cc: Krčmář <rkrcmar@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
CC: "H. Peter Anvin" <hpa@zytor.com>
Link: https://lkml.kernel.org/r/20180226213019.GE9497@char.us.oracle.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/intel.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -68,6 +68,13 @@ static bool bad_spectre_microcode(struct
 {
 	int i;
 
+	/*
+	 * We know that the hypervisor lie to us on the microcode version so
+	 * we may as well hope that it is running the correct version.
+	 */
+	if (cpu_has(c, X86_FEATURE_HYPERVISOR))
+		return false;
+
 	for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
 		if (c->x86_model == spectre_bad_microcodes[i].model &&
 		    c->x86_mask == spectre_bad_microcodes[i].stepping)
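Review bot: returning false as soon as `cpu_has(c, X86_FEATURE_HYPERVISOR)` is set makes bad_spectre_microcode() skip the blacklist silently, so a guest gives no indication that the microcode check was not performed. A one-time informational log at this return would let operators tell "microcode checked" apart from "left to the host". The added comment should also read "hypervisors lie" or "the hypervisor lies".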

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 124/410] crypto: hash - prevent using keyed hashes without setting key
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 060/410] x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 109/410] ahci: Add Device ID for Intel Sunrise Point PCH Ben Hutchings
                   ` (400 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Eric Biggers, syzbot

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 9fa68f620041be04720d0cbfb1bd3ddfc6310b24 upstream.

Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding.  Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.

A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool.  However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed.  Examples of this include:

    - KEYCTL_DH_COMPUTE, via the KDF extension
    - dm-verity
    - dm-crypt, via the ESSIV support
    - dm-integrity, via the "internal hash" mode with no key given
    - drbd (Distributed Replicated Block Device)

This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.

Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not.  Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.

The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16:
 - In hash_accept_parent_nokey(), update initialisation of ds to use tfm
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -203,11 +203,18 @@ int crypto_ahash_setkey(struct crypto_ah
 			unsigned int keylen)
 {
 	unsigned long alignmask = crypto_ahash_alignmask(tfm);
+	int err;
 
 	if ((unsigned long)key & alignmask)
-		return ahash_setkey_unaligned(tfm, key, keylen);
+		err = ahash_setkey_unaligned(tfm, key, keylen);
+	else
+		err = tfm->setkey(tfm, key, keylen);
+
+	if (err)
+		return err;
 
-	return tfm->setkey(tfm, key, keylen);
+	crypto_ahash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY);
+	return 0;
 }
 EXPORT_SYMBOL_GPL(crypto_ahash_setkey);
 
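Review bot: in crypto_ahash_setkey() the `if (err) return err;` path leaves CRYPTO_TFM_NEED_KEY exactly as it was, so a transform that was keyed successfully once and then sees a failing setkey stays marked as keyed, although callers cannot rely on the key state after a failed ->setkey(). Setting the flag again on failure, for algorithms that are not CRYPTO_ALG_OPTIONAL_KEY, would make a failed setkey fail closed with -ENOKEY on the next init, import or digest.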
@@ -380,7 +387,12 @@ EXPORT_SYMBOL_GPL(crypto_ahash_finup);
 
 int crypto_ahash_digest(struct ahash_request *req)
 {
-	return crypto_ahash_op(req, crypto_ahash_reqtfm(req)->digest);
+	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+
+	if (crypto_ahash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
+		return -ENOKEY;
+
+	return crypto_ahash_op(req, tfm->digest);
 }
 EXPORT_SYMBOL_GPL(crypto_ahash_digest);
 
@@ -466,7 +478,6 @@ static int crypto_ahash_init_tfm(struct
 	struct ahash_alg *alg = crypto_ahash_alg(hash);
 
 	hash->setkey = ahash_nosetkey;
-	hash->has_setkey = false;
 	hash->export = ahash_no_export;
 	hash->import = ahash_no_import;
 
@@ -481,7 +492,8 @@ static int crypto_ahash_init_tfm(struct
 
 	if (alg->setkey) {
 		hash->setkey = alg->setkey;
-		hash->has_setkey = true;
+		if (!(alg->halg.base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY))
+			crypto_ahash_set_flags(hash, CRYPTO_TFM_NEED_KEY);
 	}
 	if (alg->export)
 		hash->export = alg->export;
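Review bot: CRYPTO_ALG_OPTIONAL_KEY is tested here, but the include/linux/crypto.h hunk in this patch only adds CRYPTO_TFM_NEED_KEY, so this depends on another patch in the 3.16 queue defining it first. Please confirm the ordering so the tree builds at this commit, and that every hash whose key is optional already carries that flag, because any algorithm with a setkey and without the flag now returns -ENOKEY until it is keyed.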
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -34,11 +34,6 @@ struct hash_ctx {
 	struct ahash_request req;
 };
 
-struct algif_hash_tfm {
-	struct crypto_ahash *hash;
-	bool has_key;
-};
-
 static int hash_sendmsg(struct kiocb *unused, struct socket *sock,
 			struct msghdr *msg, size_t ignored)
 {
@@ -258,7 +253,7 @@ static int hash_check_key(struct socket
 	int err = 0;
 	struct sock *psk;
 	struct alg_sock *pask;
-	struct algif_hash_tfm *tfm;
+	struct crypto_ahash *tfm;
 	struct sock *sk = sock->sk;
 	struct alg_sock *ask = alg_sk(sk);
 
@@ -272,7 +267,7 @@ static int hash_check_key(struct socket
 
 	err = -ENOKEY;
 	lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
-	if (!tfm->has_key)
+	if (crypto_ahash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
 		goto unlock;
 
 	if (!pask->refcnt++)
@@ -363,41 +358,17 @@ static struct proto_ops algif_hash_ops_n
 
 static void *hash_bind(const char *name, u32 type, u32 mask)
 {
-	struct algif_hash_tfm *tfm;
-	struct crypto_ahash *hash;
-
-	tfm = kzalloc(sizeof(*tfm), GFP_KERNEL);
-	if (!tfm)
-		return ERR_PTR(-ENOMEM);
-
-	hash = crypto_alloc_ahash(name, type, mask);
-	if (IS_ERR(hash)) {
-		kfree(tfm);
-		return ERR_CAST(hash);
-	}
-
-	tfm->hash = hash;
-
-	return tfm;
+	return crypto_alloc_ahash(name, type, mask);
 }
 
 static void hash_release(void *private)
 {
-	struct algif_hash_tfm *tfm = private;
-
-	crypto_free_ahash(tfm->hash);
-	kfree(tfm);
+	crypto_free_ahash(private);
 }
 
 static int hash_setkey(void *private, const u8 *key, unsigned int keylen)
 {
-	struct algif_hash_tfm *tfm = private;
-	int err;
-
-	err = crypto_ahash_setkey(tfm->hash, key, keylen);
-	tfm->has_key = !err;
-
-	return err;
+	return crypto_ahash_setkey(private, key, keylen);
 }
 
 static void hash_sock_destruct(struct sock *sk)
@@ -413,12 +384,11 @@ static void hash_sock_destruct(struct so
 
 static int hash_accept_parent_nokey(void *private, struct sock *sk)
 {
-	struct hash_ctx *ctx;
+	struct crypto_ahash *tfm = private;
 	struct alg_sock *ask = alg_sk(sk);
-	struct algif_hash_tfm *tfm = private;
-	struct crypto_ahash *hash = tfm->hash;
-	unsigned len = sizeof(*ctx) + crypto_ahash_reqsize(hash);
-	unsigned ds = crypto_ahash_digestsize(hash);
+	struct hash_ctx *ctx;
+	unsigned int len = sizeof(*ctx) + crypto_ahash_reqsize(tfm);
+	unsigned ds = crypto_ahash_digestsize(tfm);
 
 	ctx = sock_kmalloc(sk, len, GFP_KERNEL);
 	if (!ctx)
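Review bot: Style nit in the declarations: len was converted to "unsigned int" but ds is still a bare "unsigned" on the next line. Since both lines are touched by the backport anyway, use "unsigned int" for ds as well.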
@@ -438,7 +408,7 @@ static int hash_accept_parent_nokey(void
 
 	ask->private = ctx;
 
-	ahash_request_set_tfm(&ctx->req, hash);
+	ahash_request_set_tfm(&ctx->req, tfm);
 	ahash_request_set_callback(&ctx->req, CRYPTO_TFM_REQ_MAY_BACKLOG,
 				   af_alg_complete, &ctx->completion);
 
@@ -449,9 +419,9 @@ static int hash_accept_parent_nokey(void
 
 static int hash_accept_parent(void *private, struct sock *sk)
 {
-	struct algif_hash_tfm *tfm = private;
+	struct crypto_ahash *tfm = private;
 
-	if (!tfm->has_key && crypto_ahash_has_setkey(tfm->hash))
+	if (crypto_ahash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
 		return -ENOKEY;
 
 	return hash_accept_parent_nokey(private, sk);
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -57,11 +57,18 @@ int crypto_shash_setkey(struct crypto_sh
 {
 	struct shash_alg *shash = crypto_shash_alg(tfm);
 	unsigned long alignmask = crypto_shash_alignmask(tfm);
+	int err;
 
 	if ((unsigned long)key & alignmask)
-		return shash_setkey_unaligned(tfm, key, keylen);
+		err = shash_setkey_unaligned(tfm, key, keylen);
+	else
+		err = shash->setkey(tfm, key, keylen);
+
+	if (err)
+		return err;
 
-	return shash->setkey(tfm, key, keylen);
+	crypto_shash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY);
+	return 0;
 }
 EXPORT_SYMBOL_GPL(crypto_shash_setkey);
 
@@ -180,6 +187,9 @@ int crypto_shash_digest(struct shash_des
 	struct shash_alg *shash = crypto_shash_alg(tfm);
 	unsigned long alignmask = crypto_shash_alignmask(tfm);
 
+	if (crypto_shash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
+		return -ENOKEY;
+
 	if (((unsigned long)data | (unsigned long)out) & alignmask)
 		return shash_digest_unaligned(desc, data, len, out);
 
@@ -359,7 +369,8 @@ int crypto_init_shash_ops_async(struct c
 	crt->digest = shash_async_digest;
 	crt->setkey = shash_async_setkey;
 
-	crt->has_setkey = alg->setkey != shash_no_setkey;
+	crypto_ahash_set_flags(crt, crypto_shash_get_flags(shash) &
+				    CRYPTO_TFM_NEED_KEY);
 
 	if (alg->export)
 		crt->export = shash_async_export;
@@ -519,8 +530,14 @@ static unsigned int crypto_shash_ctxsize
 static int crypto_shash_init_tfm(struct crypto_tfm *tfm)
 {
 	struct crypto_shash *hash = __crypto_shash_cast(tfm);
+	struct shash_alg *alg = crypto_shash_alg(hash);
+
+	hash->descsize = alg->descsize;
+
+	if (crypto_shash_alg_has_setkey(alg) &&
+	    !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY))
+		crypto_shash_set_flags(hash, CRYPTO_TFM_NEED_KEY);
 
-	hash->descsize = crypto_shash_alg(hash)->descsize;
 	return 0;
 }
 
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -94,7 +94,6 @@ struct crypto_ahash {
 		      unsigned int keylen);
 
 	unsigned int reqsize;
-	bool has_setkey;
 	struct crypto_tfm base;
 };
 
@@ -183,11 +182,6 @@ static inline void *ahash_request_ctx(st
 int crypto_ahash_setkey(struct crypto_ahash *tfm, const u8 *key,
 			unsigned int keylen);
 
-static inline bool crypto_ahash_has_setkey(struct crypto_ahash *tfm)
-{
-	return tfm->has_setkey;
-}
-
 int crypto_ahash_finup(struct ahash_request *req);
 int crypto_ahash_final(struct ahash_request *req);
 int crypto_ahash_digest(struct ahash_request *req);
@@ -199,12 +193,22 @@ static inline int crypto_ahash_export(st
 
 static inline int crypto_ahash_import(struct ahash_request *req, const void *in)
 {
-	return crypto_ahash_reqtfm(req)->import(req, in);
+	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+
+	if (crypto_ahash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
+		return -ENOKEY;
+
+	return tfm->import(req, in);
 }
 
 static inline int crypto_ahash_init(struct ahash_request *req)
 {
-	return crypto_ahash_reqtfm(req)->init(req);
+	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+
+	if (crypto_ahash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
+		return -ENOKEY;
+
+	return tfm->init(req);
 }
 
 static inline int crypto_ahash_update(struct ahash_request *req)
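Review bot: crypto_ahash_update(), visible just below, is left unchecked, so the -ENOKEY guarantee rests on every request state having come from init, import or digest. A one-line comment on crypto_ahash_init() and crypto_ahash_import() saying that these are the gates for the later update/final calls would make that dependency explicit for anyone adding a new entry point.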
@@ -343,12 +347,22 @@ static inline int crypto_shash_export(st
 
 static inline int crypto_shash_import(struct shash_desc *desc, const void *in)
 {
-	return crypto_shash_alg(desc->tfm)->import(desc, in);
+	struct crypto_shash *tfm = desc->tfm;
+
+	if (crypto_shash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
+		return -ENOKEY;
+
+	return crypto_shash_alg(tfm)->import(desc, in);
 }
 
 static inline int crypto_shash_init(struct shash_desc *desc)
 {
-	return crypto_shash_alg(desc->tfm)->init(desc);
+	struct crypto_shash *tfm = desc->tfm;
+
+	if (crypto_shash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
+		return -ENOKEY;
+
+	return crypto_shash_alg(tfm)->init(desc);
 }
 
 int crypto_shash_update(struct shash_desc *desc, const u8 *data,
--- a/include/linux/crypto.h
+++ b/include/linux/crypto.h
@@ -103,6 +103,8 @@
 /*
  * Transform masks and values (for crt_flags).
  */
+#define CRYPTO_TFM_NEED_KEY		0x00000001
+
 #define CRYPTO_TFM_REQ_MASK		0x000fff00
 #define CRYPTO_TFM_RES_MASK		0xfff00000
 
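Review bot: CRYPTO_TFM_NEED_KEY is added without any comment, under a heading that only describes "masks and values", and it sits at bit 0, outside both CRYPTO_TFM_REQ_MASK and CRYPTO_TFM_RES_MASK. Please document that it is internal state, set when a transform that requires a key is initialised and cleared by a successful setkey, and that callers are not expected to set or clear it themselves.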


* [PATCH 3.16 105/410] drm/radeon: Add dpm quirk for Jet PRO (v2)
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (171 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 301/410] mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 238/410] powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n Ben Hutchings
                   ` (236 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christian König, Alex Deucher

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 239b5f64e12b1f09f506c164dff0374924782979 upstream.

Fixes stability issues.

v2: clamp sclk to 600 Mhz

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103370
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/si_dpm.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -2974,6 +2974,11 @@ static void si_apply_state_adjust_rules(
 			max_sclk = 75000;
 			max_mclk = 80000;
 		}
+		if ((rdev->pdev->revision == 0xC3) ||
+		    (rdev->pdev->device == 0x6665)) {
+			max_sclk = 60000;
+			max_mclk = 80000;
+		}
 	}
 	/* Apply dpm quirks */
 	while (p && p->chip_device != 0) {
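Review bot: The two tests are joined with ||, so the clamp to max_sclk = 60000 applies to any revision 0xC3 part that reaches this branch and to every 0x6665 device whatever its revision. If the quirk is meant for one device/revision pair this should be &&; if the || is intended, add a short comment naming the boards behind 0xC3 and 0x6665, since the changelog only says "Jet PRO" and the block cannot be told apart from the one above it except by the numbers.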


* [PATCH 3.16 213/410] pipe: fix off-by-one error when checking buffer limits
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (155 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 102/410] usb: gadget: f_fs: Fix possibe deadlock Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 075/410] spi: sun6i: disable/unprepare clocks on remove Ben Hutchings
                   ` (252 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michael Kerrisk, Kees Cook, Eric Biggers, Mikulas Patocka,
	Willy Tarreau, Alexander Viro, Joe Lawrence, Linus Torvalds,
	Luis R . Rodriguez

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 9903a91c763ecdae333a04a9d89d79d2b8966503 upstream.

With pipe-user-pages-hard set to 'N', users were actually only allowed up
to 'N - 1' buffers; and likewise for pipe-user-pages-soft.

Fix this to allow up to 'N' buffers, as would be expected.

Link: http://lkml.kernel.org/r/20180111052902.14409-5-ebiggers3@gmail.com
Fixes: b0b91d18e2e9 ("pipe: fix limit checking in pipe_set_size()")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Willy Tarreau <w@1wt.eu>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/pipe.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -593,12 +593,12 @@ static unsigned long account_pipe_buffer
 
 static bool too_many_pipe_buffers_soft(unsigned long user_bufs)
 {
-	return pipe_user_pages_soft && user_bufs >= pipe_user_pages_soft;
+	return pipe_user_pages_soft && user_bufs > pipe_user_pages_soft;
 }
 
 static bool too_many_pipe_buffers_hard(unsigned long user_bufs)
 {
-	return pipe_user_pages_hard && user_bufs >= pipe_user_pages_hard;
+	return pipe_user_pages_hard && user_bufs > pipe_user_pages_hard;
 }
 
 static bool is_unprivileged_user(void)
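Review bot: Switching >= to > is only correct if user_bufs is the user's total after the buffers being requested have already been added, and neither helper says so. A comment above too_many_pipe_buffers_soft() stating that user_bufs is the post-accounting count, and that a limit of N therefore admits exactly N buffers, would keep a later change to the accounting from reintroducing the off-by-one. The same comment could note that the leading test makes a value of 0 disable each limit.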


* [PATCH 3.16 101/410] scsi: aacraid: remove redundant setting of variable c
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 294/410] l2tp: fix tunnel lookup use-after-free race Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 380/410] libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version Ben Hutchings
                   ` (349 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Colin Ian King, Martin K. Petersen, Raghava Aditya Renukunta

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 91814744646351a470f256fbcb853fb5a7229a9f upstream.

A previous commit no longer stores the contents of c, so we now have a
situation where c is being updated but the value is never read. Clean up
the code by removing the now redundant setting of variable c.

Cleans up clang warning:
drivers/scsi/aacraid/aachba.c:943:3: warning: Value stored to 'c' is
never read

Fixes: f4e8708d3104 ("scsi: aacraid: Fix udev inquiry race condition")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/aacraid/aachba.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -796,11 +796,8 @@ static void setinqstr(struct aac_dev *de
 		while (*cp == ' ')
 			++cp;
 		/* last six chars reserved for vol type */
-		c = 0;
-		if (strlen(cp) > sizeof(str->pid)) {
-			c = cp[sizeof(str->pid)];
+		if (strlen(cp) > sizeof(str->pid))
 			cp[sizeof(str->pid)] = '\0';
-		}
 		inqstrcpy (cp, str->pid);
 
 		kfree(cname);
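Review bot: With both stores to c removed, nothing in this hunk reads or writes c any more, and the diffstat (1 insertion, 4 deletions) shows that no declaration was touched. If setinqstr() has no other use of c in 3.16, drop the declaration in the same patch, otherwise the "value stored is never read" warning is traded for an unused-variable one.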


* [PATCH 3.16 303/410] mmc: dw_mmc: Fix out-of-bounds access for slot's caps
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 021/410] dccp: check sk for closed state in dccp_sendmsg() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 048/410] x86/cpufeatures: Clean up Spectre v2 related CPUID flags Ben Hutchings
                   ` (388 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ulf Hansson, Geert Uytterhoeven, Shawn Lin

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shawn Lin <shawn.lin@rock-chips.com>

commit 0d84b9e5631d923744767dc6608672df906dd092 upstream.

Add num_caps field for dw_mci_drv_data to validate the controller
id from DT alias and non-DT ways.

Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Fixes: 800d78bfccb3 ("mmc: dw_mmc: add support for implementation specific callbacks")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16:
 - Drop changes to dw_mmc-{k3,rockchip,zx}.c
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mmc/host/dw_mmc-exynos.c
+++ b/drivers/mmc/host/dw_mmc-exynos.c
@@ -394,6 +394,7 @@ static unsigned long exynos_dwmmc_caps[4
 
 static const struct dw_mci_drv_data exynos_drv_data = {
 	.caps			= exynos_dwmmc_caps,
+	.num_caps		= ARRAY_SIZE(exynos_dwmmc_caps),
 	.init			= dw_mci_exynos_priv_init,
 	.setup_clock		= dw_mci_exynos_setup_clock,
 	.prepare_command	= dw_mci_exynos_prepare_command,
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -2064,8 +2064,15 @@ static int dw_mci_init_slot_caps(struct
 	} else {
 		ctrl_id = to_platform_device(host->dev)->id;
 	}
-	if (drv_data && drv_data->caps)
+
+	if (drv_data && drv_data->caps) {
+		if (ctrl_id >= drv_data->num_caps) {
+			dev_err(host->dev, "invalid controller id %d\n",
+				ctrl_id);
+			return -EINVAL;
+		}
 		mmc->caps |= drv_data->caps[ctrl_id];
+	}
 
 	if (host->pdata->caps2)
 		mmc->caps2 = host->pdata->caps2;
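Review bot: The new bound check makes num_caps mandatory for every driver that sets .caps: a dw_mci_drv_data with caps but no num_caps has num_caps == 0, so "ctrl_id >= drv_data->num_caps" is true for every id and slot init fails with -EINVAL. This backport fills the field in only for exynos and drops the k3/rockchip/zx changes, so please confirm that no other dw_mmc glue driver in 3.16 sets .caps. Also, ctrl_id is printed with %d while num_caps is u32, so a negative id is rejected only through the implicit conversion in the comparison; an explicit "ctrl_id < 0" test or a comment would make that intentional.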
--- a/drivers/mmc/host/dw_mmc.h
+++ b/drivers/mmc/host/dw_mmc.h
@@ -237,6 +237,7 @@ struct dw_mci_tuning_data {
 /**
  * dw_mci driver data - dw-mshc implementation specific driver data.
  * @caps: mmc subsystem specified capabilities of the controller(s).
+ * @num_caps: number of capabilities specified by @caps.
  * @init: early implementation specific initialization.
  * @setup_clock: implementation specific clock configuration.
  * @prepare_command: handle CMD register extensions.
@@ -250,6 +251,7 @@ struct dw_mci_tuning_data {
  */
 struct dw_mci_drv_data {
 	unsigned long	*caps;
+	u32		num_caps;
 	int		(*init)(struct dw_mci *host);
 	int		(*setup_clock)(struct dw_mci *host);
 	void		(*prepare_command)(struct dw_mci *host, u32 *cmdr);


* [PATCH 3.16 308/410] serial: sh-sci: prevent lockup on full TTY buffers
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (282 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 307/410] serial: 8250_pci: Add Brainboxes UC-260 4 port serial device Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 114/410] ahci: Add Intel Cannon Lake PCH-H PCI ID Ben Hutchings
                   ` (125 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Geert Uytterhoeven, Greg Kroah-Hartman, Ulrich Hecht,
	Nguyen Viet Dung, Yoshihiro Shimoda

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>

commit 7842055bfce4bf0170d0f61df8b2add8399697be upstream.

When the TTY buffers fill up to the configured maximum, a system lockup
occurs:

[  598.820128] INFO: rcu_preempt detected stalls on CPUs/tasks:
[  598.825796]  0-...!: (1 GPs behind) idle=5a6/2/0 softirq=1974/1974 fqs=1
[  598.832577]  (detected by 3, t=62517 jiffies, g=296, c=295, q=126)
[  598.838755] Task dump for CPU 0:
[  598.841977] swapper/0       R  running task        0     0      0 0x00000022
[  598.849023] Call trace:
[  598.851476]  __switch_to+0x98/0xb0
[  598.854870]            (null)

This can be prevented by doing a dummy read of the RX data register.

This issue affects both HSCIF and SCIF ports. Reported for R-Car H3 ES2.0;
reproduced and fixed on H3 ES1.1. Probably affects other R-Car platforms
as well.

Reported-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Ulrich Hecht <ulrich.hecht+renesas@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Nguyen Viet Dung <dung.nguyen.aj@renesas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/sh-sci.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -734,6 +734,8 @@ static void sci_receive_chars(struct uar
 		/* Tell the rest of the system the news. New characters! */
 		tty_flip_buffer_push(tport);
 	} else {
+		/* TTY buffers full; read from RX reg to prevent lockup */
+		serial_port_in(port, SCxRDR);
 		serial_port_in(port, SCxSR); /* dummy read */
 		serial_port_out(port, SCxSR, SCxSR_RDxF_CLEAR(port));
 	}
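Review bot: The value read from SCxRDR is thrown away without any accounting, so received data is dropped silently whenever the TTY buffers are full. Consider bumping an overrun counter such as port->icount.buf_overrun at this point so the loss shows up in the port statistics, and extend the comment to say why the SCxRDR read is needed in addition to the existing SCxSR dummy read.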


* [PATCH 3.16 396/410] tty: vt: fix up tabstops properly
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (105 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 149/410] usb: option: Add support for FS040U modem Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 391/410] mm/mempolicy.c: avoid use uninitialized preferred_node Ben Hutchings
                   ` (302 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, James Holderness, Greg Kroah-Hartman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit f1869a890cdedb92a3fab969db5d0fd982850273 upstream.

Tabs on a console with long lines do not wrap properly, so correctly
account for the line length when computing the tab placement location.

Reported-by: James Holderness <j4_james@hotmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/vt.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1705,7 +1705,7 @@ static void reset_terminal(struct vc_dat
 	default_attr(vc);
 	update_attr(vc);
 
-	vc->vc_tab_stop[0]	= 0x01010100;
+	vc->vc_tab_stop[0]	=
 	vc->vc_tab_stop[1]	=
 	vc->vc_tab_stop[2]	=
 	vc->vc_tab_stop[3]	=
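Review bot: vc_tab_stop[0] now joins the assignment chain, whose final value lies outside this hunk, instead of being set to 0x01010100. That constant had bit 0 clear, so if the shared value has bit 0 set, column 0 becomes a tab stop after reset_terminal(), which the changelog does not mention. Please confirm that this is intended.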
@@ -1748,7 +1748,7 @@ static void do_con_trol(struct tty_struc
 		vc->vc_pos -= (vc->vc_x << 1);
 		while (vc->vc_x < vc->vc_cols - 1) {
 			vc->vc_x++;
-			if (vc->vc_tab_stop[vc->vc_x >> 5] & (1 << (vc->vc_x & 31)))
+			if (vc->vc_tab_stop[7 & (vc->vc_x >> 5)] & (1 << (vc->vc_x & 31)))
 				break;
 		}
 		vc->vc_pos += (vc->vc_x << 1);
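Review bot: The literal 7 in "vc_tab_stop[7 & (vc->vc_x >> 5)]" silently encodes the array length (the mask implies eight 32-bit words, 256 columns), and the same expression is repeated in the 'H' and 'g' cases below. A small helper, or a mask derived from ARRAY_SIZE(vc->vc_tab_stop), would keep the three sites from drifting apart if the array is ever resized, and would be the place to document that columns past 255 wrap onto the stops of the first 256. While here, "1 << (vc->vc_x & 31)" shifts into the sign bit of an int when the low bits are 31; 1U would avoid that.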
@@ -1808,7 +1808,7 @@ static void do_con_trol(struct tty_struc
 			lf(vc);
 			return;
 		case 'H':
-			vc->vc_tab_stop[vc->vc_x >> 5] |= (1 << (vc->vc_x & 31));
+			vc->vc_tab_stop[7 & (vc->vc_x >> 5)] |= (1 << (vc->vc_x & 31));
 			return;
 		case 'Z':
 			respond_ID(tty);
@@ -2001,7 +2001,7 @@ static void do_con_trol(struct tty_struc
 			return;
 		case 'g':
 			if (!vc->vc_par[0])
-				vc->vc_tab_stop[vc->vc_x >> 5] &= ~(1 << (vc->vc_x & 31));
+				vc->vc_tab_stop[7 & (vc->vc_x >> 5)] &= ~(1 << (vc->vc_x & 31));
 			else if (vc->vc_par[0] == 3) {
 				vc->vc_tab_stop[0] =
 					vc->vc_tab_stop[1] =


* [PATCH 3.16 290/410] l2tp: don't use inet_shutdown on tunnel destroy
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 232/410] ALSA: hda/realtek: PCI quirk for Fujitsu U7x7 Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 333/410] drm/radeon: fix KV harvesting Ben Hutchings
                   ` (343 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, James Chapman, David S. Miller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Chapman <jchapman@katalix.com>

commit 76a6abdb2513ad4ea0ded55d2c66160491f2e848 upstream.

Previously, if a tunnel was closed, we called inet_shutdown to mark
the socket as unconnected such that userspace would get errors and
then close the socket. This could race with userspace closing the
socket. Instead, leave userspace to close the socket in its own time
(our tunnel will be detached anyway).

BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
IP: __lock_acquire+0x263/0x1630
PGD 0 P4D 0
Oops: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 2 PID: 42 Comm: kworker/u8:2 Not tainted 4.15.0-rc7+ #129
Workqueue: l2tp l2tp_tunnel_del_work
RIP: 0010:__lock_acquire+0x263/0x1630
RSP: 0018:ffff88001a37fc70 EFLAGS: 00010002
RAX: 0000000000000001 RBX: 0000000000000088 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88001a37fd18 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000000076fd R12: 00000000000000a0
R13: ffff88001a3722c0 R14: 0000000000000001 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88001ad00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000a0 CR3: 000000001730b000 CR4: 00000000000006e0
Call Trace:
 ? __lock_acquire+0xc77/0x1630
 ? console_trylock+0x11/0xa0
 lock_acquire+0x117/0x230
 ? lock_sock_nested+0x3a/0xa0
 _raw_spin_lock_bh+0x3a/0x50
 ? lock_sock_nested+0x3a/0xa0
 lock_sock_nested+0x3a/0xa0
 inet_shutdown+0x33/0xf0
 l2tp_tunnel_del_work+0x60/0xef
 process_one_work+0x1ea/0x5f0
 ? process_one_work+0x162/0x5f0
 worker_thread+0x48/0x3e0
 ? trace_hardirqs_on+0xd/0x10
 kthread+0x108/0x140
 ? process_one_work+0x5f0/0x5f0
 ? kthread_stop+0x2a0/0x2a0
 ret_from_fork+0x24/0x30
Code: 00 41 81 ff ff 1f 00 00 0f 87 7a 13 00 00 45 85 f6 49 8b 85
68 08 00 00 0f 84 ae 03 00 00 c7 44 24 18 00 00 00 00 e9 f0 00 00 00 <49> 81 3c
24 80 93 3f 83 b8 00 00 00 00 44 0f 44 c0 83 fe 01 0f
RIP: __lock_acquire+0x263/0x1630 RSP: ffff88001a37fc70
CR2: 00000000000000a0

Fixes: 309795f4bec2d ("l2tp: Add netlink control API for L2TP")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_core.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1415,17 +1415,10 @@ static void l2tp_tunnel_del_work(struct
 
 	sock = sk->sk_socket;
 
-	/* If the tunnel socket was created by userspace, then go through the
-	 * inet layer to shut the socket down, and let userspace close it.
-	 * Otherwise, if we created the socket directly within the kernel, use
+	/* If the tunnel socket was created within the kernel, use
 	 * the sk API to release it here.
-	 * In either case the tunnel resources are freed in the socket
-	 * destructor when the tunnel socket goes away.
 	 */
-	if (tunnel->fd >= 0) {
-		if (sock)
-			inet_shutdown(sock, 2);
-	} else {
+	if (tunnel->fd < 0) {
 		if (sock)
 			kernel_sock_shutdown(sock, SHUT_RDWR);
 		sk_release_kernel(sk);
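Review bot: After this change nothing is done here for a tunnel socket created by userspace (tunnel->fd >= 0), and the rewritten comment no longer says so, nor that tunnel resources are freed in the socket destructor. Keep a sentence covering that case, for example that the socket is left for userspace to close in its own time, so the missing else branch does not read as an omission. With the inet_shutdown() branch gone, it is also worth checking whether the sock lookup above is still needed outside the kernel-socket path.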


* [PATCH 3.16 293/410] l2tp: fix race in pppol2tp_release with session object destroy
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (268 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 024/410] ALSA: seq: Fix racy pool initializations Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 108/410] ahci: add new Intel device IDs Ben Hutchings
                   ` (139 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, James Chapman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Chapman <jchapman@katalix.com>

commit d02ba2a6110c530a32926af8ad441111774d2893 upstream.

pppol2tp_release uses call_rcu to put the final ref on its socket. But
the session object doesn't hold a ref on the session socket so may be
freed while the pppol2tp_put_sk RCU callback is scheduled. Fix this by
having the session hold a ref on its socket until the session is
destroyed. It is this ref that is dropped via call_rcu.

Sessions are also deleted via l2tp_tunnel_closeall. This must now also put
the final ref via call_rcu. So move the call_rcu call site into
pppol2tp_session_close so that this happens in both destroy paths. A
common destroy path should really be implemented, perhaps with
l2tp_tunnel_closeall calling l2tp_session_delete like pppol2tp_release
does, but this will be looked at later.

ODEBUG: activate active (active state 1) object type: rcu_head hint:           (null)
WARNING: CPU: 3 PID: 13407 at lib/debugobjects.c:291 debug_print_object+0x166/0x220
Modules linked in:
CPU: 3 PID: 13407 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #38
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:debug_print_object+0x166/0x220
RSP: 0018:ffff880013647a00 EFLAGS: 00010082
RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff814d3333
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88001a59f6d0
RBP: ffff880013647a40 R08: 0000000000000000 R09: 0000000000000001
R10: ffff8800136479a8 R11: 0000000000000000 R12: 0000000000000001
R13: ffffffff86161420 R14: ffffffff85648b60 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88001a580000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000006022000 CR4: 00000000000006e0
Call Trace:
 debug_object_activate+0x38b/0x530
 ? debug_object_assert_init+0x3b0/0x3b0
 ? __mutex_unlock_slowpath+0x85/0x8b0
 ? pppol2tp_session_destruct+0x110/0x110
 __call_rcu.constprop.66+0x39/0x890
 ? __call_rcu.constprop.66+0x39/0x890
 call_rcu_sched+0x17/0x20
 pppol2tp_release+0x2c7/0x440
 ? fcntl_setlk+0xca0/0xca0
 ? sock_alloc_file+0x340/0x340
 sock_release+0x92/0x1e0
 sock_close+0x1b/0x20
 __fput+0x296/0x6e0
 ____fput+0x1a/0x20
 task_work_run+0x127/0x1a0
 do_exit+0x7f9/0x2ce0
 ? SYSC_connect+0x212/0x310
 ? mm_update_next_owner+0x690/0x690
 ? up_read+0x1f/0x40
 ? __do_page_fault+0x3c8/0xca0
 do_group_exit+0x10d/0x330
 ? do_group_exit+0x330/0x330
 SyS_exit_group+0x22/0x30
 do_syscall_64+0x1e0/0x730
 ? trace_hardirqs_off_thunk+0x1a/0x1c
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f362e471259
RSP: 002b:00007ffe389abe08 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f362e471259
RDX: 00007f362e471259 RSI: 000000000000002e RDI: 0000000000000000
RBP: 00007ffe389abe30 R08: 0000000000000000 R09: 00007f362e944270
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffe389abf50 R14: 0000000000000000 R15: 0000000000000000
Code: 8d 3c dd a0 8f 64 85 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7b 48 8b 14 dd a0 8f 64 85 4c 89 f6 48 c7 c7 20 85 64 85 e
8 2a 55 14 ff <0f> 0b 83 05 ad 2a 68 04 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41

Fixes: ee40fb2e1eb5b ("l2tp: protect sock pointer of struct pppol2tp_session with RCU")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 52 +++++++++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 25 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -437,10 +437,28 @@ abort:
  * Session (and tunnel control) socket create/destroy.
  *****************************************************************************/
 
+static void pppol2tp_put_sk(struct rcu_head *head)
+{
+	struct pppol2tp_session *ps;
+
+	ps = container_of(head, typeof(*ps), rcu);
+	sock_put(ps->__sk);
+}
+
 /* Called by l2tp_core when a session socket is being closed.
  */
 static void pppol2tp_session_close(struct l2tp_session *session)
 {
+	struct pppol2tp_session *ps;
+
+	ps = l2tp_session_priv(session);
+	mutex_lock(&ps->sk_lock);
+	ps->__sk = rcu_dereference_protected(ps->sk,
+					     lockdep_is_held(&ps->sk_lock));
+	RCU_INIT_POINTER(ps->sk, NULL);
+	if (ps->__sk)
+		call_rcu(&ps->rcu, pppol2tp_put_sk);
+	mutex_unlock(&ps->sk_lock);
 }
 
 /* Really kill the session socket. (Called from sock_put() if
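Review bot: ps->__sk is overwritten unconditionally each time pppol2tp_session_close() runs, and the changelog says it is now reached from both l2tp_session_delete() and l2tp_tunnel_closeall(). If it can run twice for one session, the second pass reads ps->sk as NULL and stores NULL into ps->__sk while the callback queued by the first call_rcu() may still be pending, and pppol2tp_put_sk() would then call sock_put() on a NULL pointer. Either confirm that 3.16 guarantees a single close per session, or assign ps->__sk only when the dereferenced pointer is non-NULL.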
@@ -460,14 +478,6 @@ static void pppol2tp_session_destruct(st
 	}
 }
 
-static void pppol2tp_put_sk(struct rcu_head *head)
-{
-	struct pppol2tp_session *ps;
-
-	ps = container_of(head, typeof(*ps), rcu);
-	sock_put(ps->__sk);
-}
-
 /* Called when the PPPoX socket (session) is closed.
  */
 static int pppol2tp_release(struct socket *sock)
@@ -491,26 +501,17 @@ static int pppol2tp_release(struct socke
 	sock_orphan(sk);
 	sock->sk = NULL;
 
+	/* If the socket is associated with a session,
+	 * l2tp_session_delete will call pppol2tp_session_close which
+	 * will drop the session's ref on the socket.
+	 */
 	session = pppol2tp_sock_to_session(sk);
-
-	if (session != NULL) {
-		struct pppol2tp_session *ps;
-
+	if (session) {
 		l2tp_session_delete(session);
-
-		ps = l2tp_session_priv(session);
-		mutex_lock(&ps->sk_lock);
-		ps->__sk = rcu_dereference_protected(ps->sk,
-						     lockdep_is_held(&ps->sk_lock));
-		RCU_INIT_POINTER(ps->sk, NULL);
-		mutex_unlock(&ps->sk_lock);
-		call_rcu(&ps->rcu, pppol2tp_put_sk);
-
-		/* Rely on the sock_put() call at the end of the function for
-		 * dropping the reference held by pppol2tp_sock_to_session().
-		 * The last reference will be dropped by pppol2tp_put_sk().
-		 */
+		/* drop the ref obtained by pppol2tp_sock_to_session */
+		sock_put(sk);
 	}
+
 	release_sock(sk);
 
 	/* This will delete the session context via
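
Review bot: the new sock_put(sk) inside `if (session)` in pppol2tp_release() runs before release_sock(sk), so it is only safe because another reference is still held at that point. The removed comment spelled out which put drops which reference; the replacement should do the same, since three references are now in play (the one from pppol2tp_sock_to_session(), the one taken by sock_hold() in pppol2tp_connect(), and the socket's own). It is also worth noting here that pppol2tp_session_close() takes ps->sk_lock while this function has not yet called release_sock(), so the lock order is written down.
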
@@ -815,6 +816,7 @@ static int pppol2tp_connect(struct socke
 
 out_no_ppp:
 	/* This is how we get the session context from the socket. */
+	sock_hold(sk);
 	sk->sk_user_data = session;
 	rcu_assign_pointer(ps->sk, sk);
 	mutex_unlock(&ps->sk_lock);
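
Review bot: the added sock_hold(sk) in pppol2tp_connect() has no comment of its own, and the comment above it describes sk_user_data. Suggest a line saying this reference belongs to ps->sk and is dropped by pppol2tp_put_sk() via pppol2tp_session_close(), so the hold/put pairing can be found from both ends.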


* [PATCH 3.16 214/410] pipe: reject F_SETPIPE_SZ with size over UINT_MAX
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 379/410] libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 085/410] media: bt8xx: Fix err 'bt878_probe()' Ben Hutchings
                   ` (363 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michael Kerrisk, Kees Cook, Mikulas Patocka, Eric Biggers,
	Joe Lawrence, Willy Tarreau, Alexander Viro, Luis R . Rodriguez,
	Linus Torvalds

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 96e99be40e4cff870a83233731121ec0f7f95075 upstream.

A pipe's size is represented as an 'unsigned int'.  As expected, writing a
value greater than UINT_MAX to /proc/sys/fs/pipe-max-size fails with
EINVAL.  However, the F_SETPIPE_SZ fcntl silently truncates such values to
32 bits, rather than failing with EINVAL as expected.  (It *does* fail
with EINVAL for values above (1 << 31) but <= UINT_MAX.)

Fix this by moving the check against UINT_MAX into round_pipe_size() which
is called in both cases.

Link: http://lkml.kernel.org/r/20180111052902.14409-6-ebiggers3@gmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/pipe.c                 | 5 ++++-
 include/linux/pipe_fs_i.h | 2 +-
 kernel/sysctl.c           | 3 ---
 3 files changed, 5 insertions(+), 5 deletions(-)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1008,10 +1008,13 @@ const struct file_operations pipefifo_fo
  * Currently we rely on the pipe array holding a power-of-2 number
  * of pages. Returns 0 on error.
  */
-unsigned int round_pipe_size(unsigned int size)
+unsigned int round_pipe_size(unsigned long size)
 {
 	unsigned long nr_pages;
 
+	if (size > UINT_MAX)
+		return 0;
+
 	/* Minimum pipe size, as required by POSIX */
 	if (size < PAGE_SIZE)
 		size = PAGE_SIZE;
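
Review bot: the `size > UINT_MAX` check in round_pipe_size() only helps if callers hand it the untruncated value. The sysctl caller passes *lvalp, but the F_SETPIPE_SZ call site is not part of this diff; for the 3.16 backport, confirm that the fcntl path carries its argument as unsigned long all the way to this function and does not narrow it to unsigned int first. On 32-bit builds the comparison can never be true, which is harmless but deserves a word in the comment above the function.
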
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -148,6 +148,6 @@ long pipe_fcntl(struct file *, unsigned
 struct pipe_inode_info *get_pipe_info(struct file *file);
 
 int create_pipe_files(struct file **, int);
-unsigned int round_pipe_size(unsigned int size);
+unsigned int round_pipe_size(unsigned long size);
 
 #endif
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2230,9 +2230,6 @@ static int do_proc_dopipe_max_size_conv(
 	if (write) {
 		unsigned int val;
 
-		if (*lvalp > UINT_MAX)
-			return -EINVAL;
-
 		val = round_pipe_size(*lvalp);
 		if (*negp || val == 0)
 			return -EINVAL;


* [PATCH 3.16 215/410] pipe: simplify round_pipe_size()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (190 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 122/410] crypto: cryptd - pass through absence of ->setkey() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 325/410] MIPS: BMIPS: Do not mask IPIs during suspend Ben Hutchings
                   ` (217 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joe Lawrence, Alexander Viro, Willy Tarreau,
	Mikulas Patocka, Eric Biggers, Kees Cook, Michael Kerrisk,
	Luis R . Rodriguez, Linus Torvalds

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit c4fed5a91fadc8a277b1eda474317b501651dd3e upstream.

round_pipe_size() calculates the number of pages the requested size
corresponds to, then rounds the page count up to the next power of 2.

However, it also rounds everything < PAGE_SIZE up to PAGE_SIZE.
Therefore, there's no need to actually translate the size into a page
count; we just need to round the size up to the next power of 2.

We do need to verify the size isn't greater than (1 << 31), since on
32-bit systems roundup_pow_of_two() would be undefined in that case.  But
that can just be combined with the UINT_MAX check which we need anyway
now.

Finally, update pipe_set_size() to not redundantly check the return value
of round_pipe_size() for the "invalid size" case twice.

Link: http://lkml.kernel.org/r/20180111052902.14409-7-ebiggers3@gmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/pipe.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1010,20 +1010,14 @@ const struct file_operations pipefifo_fo
  */
 unsigned int round_pipe_size(unsigned long size)
 {
-	unsigned long nr_pages;
-
-	if (size > UINT_MAX)
+	if (size > (1U << 31))
 		return 0;
 
 	/* Minimum pipe size, as required by POSIX */
 	if (size < PAGE_SIZE)
-		size = PAGE_SIZE;
-
-	nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
-	if (nr_pages == 0)
-		return 0;
+		return PAGE_SIZE;
 
-	return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
+	return roundup_pow_of_two(size);
 }
 
 /*
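
Review bot: the bound `(1U << 31)` in round_pipe_size() carries no comment, and the reason for it (roundup_pow_of_two() being undefined above that value on 32-bit systems, per the commit message) cannot be read off the code. Suggest a one-line comment on the check so the constant is not later "simplified" back to UINT_MAX.
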
@@ -1038,8 +1032,6 @@ static long pipe_set_size(struct pipe_in
 	long ret = 0;
 
 	size = round_pipe_size(arg);
-	if (size == 0)
-		return -EINVAL;
 	nr_pages = size >> PAGE_SHIFT;
 
 	if (!nr_pages)
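
Review bot: with the `size == 0` check removed from pipe_set_size(), an invalid size is rejected only because 0 >> PAGE_SHIFT leaves nr_pages at 0 and falls into `if (!nr_pages)`. The body of that branch is outside the hunk; confirm it returns -EINVAL, and add a short comment there that it also covers round_pipe_size() failing, so a later cleanup does not drop it.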


* [PATCH 3.16 392/410] tracing: probeevent: Fix to support minus offset from symbol
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 309/410] xen: Add xen_arch_suspend() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 096/410] xtensa: fix futex_atomic_cmpxchg_inatomic Ben Hutchings
                   ` (367 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steven Rostedt (VMware),
	Masami Hiramatsu, Ingo Molnar, Ravi Bangoria,
	Arnaldo Carvalho de Melo, Tom Zanussi, Namhyung Kim

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit c5d343b6b7badd1f5fe0873eff2e8d63a193e732 upstream.

In Documentation/trace/kprobetrace.txt, it says

 @SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol)

However, the parser doesn't parse minus offset correctly, since
commit 2fba0c8867af ("tracing/kprobes: Fix probe offset to be
unsigned") drops minus ("-") offset support for kprobe probe
address usage.

This fixes the traceprobe_split_symbol_offset() to parse minus
offset again with checking the offset range, and add a minus
offset check in kprobe probe address usage.

Link: http://lkml.kernel.org/r/152129028983.31874.13419301530285775521.stgit@devbox

Cc: Ingo Molnar <mingo@redhat.com>
Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
Fixes: 2fba0c8867af ("tracing/kprobes: Fix probe offset to be unsigned")
Acked-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_kprobe.c | 4 ++--
 kernel/trace/trace_probe.c  | 8 +++-----
 kernel/trace/trace_probe.h  | 2 +-
 3 files changed, 6 insertions(+), 8 deletions(-)

--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -611,7 +611,7 @@ static int create_trace_kprobe(int argc,
 	bool is_return = false, is_delete = false;
 	char *symbol = NULL, *event = NULL, *group = NULL;
 	char *arg;
-	unsigned long offset = 0;
+	long offset = 0;
 	void *addr = NULL;
 	char buf[MAX_EVENT_NAME_LEN];
 
@@ -684,7 +684,7 @@ static int create_trace_kprobe(int argc,
 		symbol = argv[1];
 		/* TODO: support .init module functions */
 		ret = traceprobe_split_symbol_offset(symbol, &offset);
-		if (ret) {
+		if (ret || offset < 0 || offset > UINT_MAX) {
 			pr_info("Failed to parse either an address or a symbol.\n");
 			return ret;
 		}
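
Review bot: in create_trace_kprobe(), the new condition `ret || offset < 0 || offset > UINT_MAX` falls through to `return ret;`, so when parsing succeeds but the offset is out of range, ret is 0 and the function reports success right after printing the failure message. Set an error first (for example `ret = -EINVAL` when ret is 0), or split the range check into its own branch that returns -EINVAL.
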
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -291,7 +291,7 @@ static fetch_func_t get_fetch_size_funct
 }
 
 /* Split symbol and offset. */
-int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset)
+int traceprobe_split_symbol_offset(char *symbol, long *offset)
 {
 	char *tmp;
 	int ret;
@@ -299,13 +299,11 @@ int traceprobe_split_symbol_offset(char
 	if (!offset)
 		return -EINVAL;
 
-	tmp = strchr(symbol, '+');
+	tmp = strpbrk(symbol, "+-");
 	if (tmp) {
-		/* skip sign because kstrtoul doesn't accept '+' */
-		ret = kstrtoul(tmp + 1, 0, offset);
+		ret = kstrtol(tmp, 0, offset);
 		if (ret)
 			return ret;
-
 		*tmp = '\0';
 	} else
 		*offset = 0;
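
Review bot: traceprobe_split_symbol_offset() now returns negative offsets, but the only range check visible in this patch is in create_trace_kprobe(), while the commit message reads as if the split function checked the range itself. The one-line comment above the function should say that the offset is signed and that callers needing a non-negative value must check it. The removed comment about skipping the sign could also be replaced by a note that kstrtol() is handed the sign character on purpose.
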
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -341,7 +341,7 @@ extern int traceprobe_conflict_field_nam
 extern void traceprobe_update_arg(struct probe_arg *arg);
 extern void traceprobe_free_probe_arg(struct probe_arg *arg);
 
-extern int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset);
+extern int traceprobe_split_symbol_offset(char *symbol, long *offset);
 
 extern ssize_t traceprobe_probes_write(struct file *file,
 		const char __user *buffer, size_t count, loff_t *ppos,


* [PATCH 3.16 184/410] KVM: PPC: Book3S PR: Fix svcpu copying with preemption enabled
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (232 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 313/410] KVM: s390: provide io interrupt kvm_stat Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 355/410] aio: kill the misleading rcu read locks in ioctx_add_table() and kill_ioctx() Ben Hutchings
                   ` (175 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Simon Guo, Paul Mackerras, Alexander Graf

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Graf <agraf@suse.de>

commit 07ae5389e98c53bb9e9f308fce9c903bc3ee7720 upstream.

When copying between the vcpu and svcpu, we may get scheduled away onto
a different host CPU which in turn means our svcpu pointer may change.

That means we need to atomically copy to and from the svcpu with preemption
disabled, so that all code around it always sees a coherent state.

Reported-by: Simon Guo <wei.guo.simon@gmail.com>
Fixes: 3d3319b45eea ("KVM: PPC: Book3S: PR: Enable interrupts earlier")
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/include/asm/kvm_book3s.h |  6 ++----
 arch/powerpc/kvm/book3s_interrupts.S  |  4 +---
 arch/powerpc/kvm/book3s_pr.c          | 20 +++++++++-----------
 3 files changed, 12 insertions(+), 18 deletions(-)

--- a/arch/powerpc/include/asm/kvm_book3s.h
+++ b/arch/powerpc/include/asm/kvm_book3s.h
@@ -190,10 +190,8 @@ extern void kvmppc_hv_entry_trampoline(v
 extern u32 kvmppc_alignment_dsisr(struct kvm_vcpu *vcpu, unsigned int inst);
 extern ulong kvmppc_alignment_dar(struct kvm_vcpu *vcpu, unsigned int inst);
 extern int kvmppc_h_pr(struct kvm_vcpu *vcpu, unsigned long cmd);
-extern void kvmppc_copy_to_svcpu(struct kvmppc_book3s_shadow_vcpu *svcpu,
-				 struct kvm_vcpu *vcpu);
-extern void kvmppc_copy_from_svcpu(struct kvm_vcpu *vcpu,
-				   struct kvmppc_book3s_shadow_vcpu *svcpu);
+extern void kvmppc_copy_to_svcpu(struct kvm_vcpu *vcpu);
+extern void kvmppc_copy_from_svcpu(struct kvm_vcpu *vcpu);
 
 static inline struct kvmppc_vcpu_book3s *to_book3s(struct kvm_vcpu *vcpu)
 {
--- a/arch/powerpc/kvm/book3s_interrupts.S
+++ b/arch/powerpc/kvm/book3s_interrupts.S
@@ -96,7 +96,7 @@ kvm_start_entry:
 
 kvm_start_lightweight:
 	/* Copy registers into shadow vcpu so we can access them in real mode */
-	GET_SHADOW_VCPU(r3)
+	mr	r3, r4
 	bl	FUNC(kvmppc_copy_to_svcpu)
 	nop
 	REST_GPR(4, r1)
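
Review bot: `mr r3, r4` in kvm_start_lightweight relies on r4 still holding the vcpu pointer at this point, which nothing in the hunk states. A short comment on that line (r4 = vcpu) would make the dependency explicit, especially as r4 is reloaded by REST_GPR(4, r1) right after the call.
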
@@ -165,9 +165,7 @@ after_sprg3_load:
 	stw	r12, VCPU_TRAP(r3)
 
 	/* Transfer reg values from shadow vcpu back to vcpu struct */
-	/* On 64-bit, interrupts are still off at this point */
 
-	GET_SHADOW_VCPU(r4)
 	bl	FUNC(kvmppc_copy_from_svcpu)
 	nop
 
--- a/arch/powerpc/kvm/book3s_pr.c
+++ b/arch/powerpc/kvm/book3s_pr.c
@@ -82,7 +82,7 @@ static void kvmppc_core_vcpu_put_pr(stru
 #ifdef CONFIG_PPC_BOOK3S_64
 	struct kvmppc_book3s_shadow_vcpu *svcpu = svcpu_get(vcpu);
 	if (svcpu->in_use) {
-		kvmppc_copy_from_svcpu(vcpu, svcpu);
+		kvmppc_copy_from_svcpu(vcpu);
 	}
 	memcpy(to_book3s(vcpu)->slb_shadow, svcpu->slb, sizeof(svcpu->slb));
 	to_book3s(vcpu)->slb_shadow_max = svcpu->slb_max;
@@ -95,9 +95,10 @@ static void kvmppc_core_vcpu_put_pr(stru
 }
 
 /* Copy data needed by real-mode code from vcpu to shadow vcpu */
-void kvmppc_copy_to_svcpu(struct kvmppc_book3s_shadow_vcpu *svcpu,
-			  struct kvm_vcpu *vcpu)
+void kvmppc_copy_to_svcpu(struct kvm_vcpu *vcpu)
 {
+	struct kvmppc_book3s_shadow_vcpu *svcpu = svcpu_get(vcpu);
+
 	svcpu->gpr[0] = vcpu->arch.gpr[0];
 	svcpu->gpr[1] = vcpu->arch.gpr[1];
 	svcpu->gpr[2] = vcpu->arch.gpr[2];
@@ -121,17 +122,14 @@ void kvmppc_copy_to_svcpu(struct kvmppc_
 	svcpu->shadow_fscr = vcpu->arch.shadow_fscr;
 #endif
 	svcpu->in_use = true;
+
+	svcpu_put(svcpu);
 }
 
 /* Copy data touched by real-mode code from shadow vcpu back to vcpu */
-void kvmppc_copy_from_svcpu(struct kvm_vcpu *vcpu,
-			    struct kvmppc_book3s_shadow_vcpu *svcpu)
+void kvmppc_copy_from_svcpu(struct kvm_vcpu *vcpu)
 {
-	/*
-	 * vcpu_put would just call us again because in_use hasn't
-	 * been updated yet.
-	 */
-	preempt_disable();
+	struct kvmppc_book3s_shadow_vcpu *svcpu = svcpu_get(vcpu);
 
 	/*
 	 * Maybe we were already preempted and synced the svcpu from
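
Review bot: in kvmppc_copy_from_svcpu(), the removed comment explained why preemption must be off here (vcpu_put would call back into this function because in_use has not been updated yet). That reasoning still applies, so keep the comment above the svcpu_get() call rather than dropping it, and mention that the svcpu_get()/svcpu_put() pair now stands in for preempt_disable()/preempt_enable().
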
@@ -169,7 +167,7 @@ void kvmppc_copy_from_svcpu(struct kvm_v
 	svcpu->in_use = false;
 
 out:
-	preempt_enable();
+	svcpu_put(svcpu);
 }
 
 static int kvmppc_core_check_requests_pr(struct kvm_vcpu *vcpu)


* [PATCH 3.16 265/410] arm64: remove __die()'s stack dump
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 346/410] l2tp: fix races with ipv4-mapped ipv6 addresses Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 375/410] ip_tunnel: Clamp MTU to bounds on new link Ben Hutchings
                   ` (291 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Laura Abbott, Will Deacon, James Morse, Catalin Marinas,
	Ard Biesheuvel, Mark Rutland

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit c5bc503cbeee8586395aa541d2b53c69c3dd6930 upstream.

Our __die() implementation tries to dump the stack memory, in addition
to a backtrace, which is problematic.

For contemporary 16K stacks, this can be a lot of data, which can take a
long time to dump, and can push other useful context out of the kernel's
printk ringbuffer (and/or a user's scrollback buffer on an attached
console).

Additionally, the code implicitly assumes that the SP is on the task's
stack, and tries to dump everything between the SP and the highest task
stack address. When the SP points at an IRQ stack (or is corrupted),
this makes the kernel attempt to dump vast amounts of VA space. With
vmap'd stacks, this may result in erroneous accesses to peripherals.

This patch removes the memory dump, leaving us to rely on the backtrace,
and other means of dumping stack memory such as kdump.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Will Deacon <will.deacon@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: James Morse <james.morse@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/traps.c | 2 --
 1 file changed, 2 deletions(-)

--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -206,8 +206,6 @@ static int __die(const char *str, int er
 		 TASK_COMM_LEN, tsk->comm, task_pid_nr(tsk), thread + 1);
 
 	if (!user_mode(regs) || in_interrupt()) {
-		dump_mem(KERN_EMERG, "Stack: ", regs->sp,
-			 THREAD_SIZE + (unsigned long)task_stack_page(tsk));
 		dump_backtrace(regs, tsk);
 		dump_instr(KERN_EMERG, regs);
 	}
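
Review bot: this removes the dump_mem() call in __die() without touching the helper itself. For the 3.16 backport, confirm dump_mem() still has another caller in traps.c; if this was the last one, the function has to go as well, or the build gains an unused-function warning.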


* [PATCH 3.16 058/410] KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
@ 2018-06-07 14:05   ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 407/410] RDMA/ucma: Check that device is connected prior to access it Ben Hutchings
                     ` (408 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jun Nakajima, Ashok Raj, Andrea Arcangeli, David Woodhouse,
	Greg KH, Asit Mallick, Paolo Bonzini, Tim Chen, KarimAllah Ahmed,
	kvm, Thomas Gleixner, Linus Torvalds, Konrad Rzeszutek Wilk,
	Andi Kleen, Andy Lutomirski, Arjan Van De Ven, Dan Williams,
	Dave Hansen, Darren Kenny

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: KarimAllah Ahmed <karahmed@amazon.de>

commit b2ac58f90540e39324e7a29a7ad471407ae0bf48 upstream.

[ Based on a patch from Paolo Bonzini <pbonzini@redhat.com> ]

... basically doing exactly what we do for VMX:

- Passthrough SPEC_CTRL to guests (if enabled in guest CPUID)
- Save and restore SPEC_CTRL around VMExit and VMEntry only if the guest
  actually used it.

Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Jun Nakajima <jun.nakajima@intel.com>
Cc: kvm@vger.kernel.org
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Asit Mallick <asit.k.mallick@intel.com>
Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ashok Raj <ashok.raj@intel.com>
Link: https://lkml.kernel.org/r/1517669783-20732-1-git-send-email-karahmed@amazon.de
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/svm.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -146,6 +146,8 @@ struct vcpu_svm {
 		u64 gs_base;
 	} host;
 
+	u64 spec_ctrl;
+
 	u32 *msrpm;
 
 	ulong nmi_iret_rip;
@@ -180,6 +182,7 @@ static const struct svm_direct_access_ms
 	{ .index = MSR_CSTAR,				.always = true  },
 	{ .index = MSR_SYSCALL_MASK,			.always = true  },
 #endif
+	{ .index = MSR_IA32_SPEC_CTRL,			.always = false },
 	{ .index = MSR_IA32_PRED_CMD,			.always = false },
 	{ .index = MSR_IA32_LASTBRANCHFROMIP,		.always = false },
 	{ .index = MSR_IA32_LASTBRANCHTOIP,		.always = false },
@@ -762,6 +765,25 @@ static bool valid_msr_intercept(u32 inde
 	return false;
 }
 
+static bool msr_write_intercepted(struct kvm_vcpu *vcpu, unsigned msr)
+{
+	u8 bit_write;
+	unsigned long tmp;
+	u32 offset;
+	u32 *msrpm;
+
+	msrpm = is_guest_mode(vcpu) ? to_svm(vcpu)->nested.msrpm:
+				      to_svm(vcpu)->msrpm;
+
+	offset    = svm_msrpm_offset(msr);
+	bit_write = 2 * (msr & 0x0f) + 1;
+	tmp       = msrpm[offset];
+
+	BUG_ON(offset == MSR_INVALID);
+
+	return !!test_bit(bit_write,  &tmp);
+}
+
 static void set_msr_interception(u32 *msrpm, unsigned msr,
 				 int read, int write)
 {
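
Review bot: in msr_write_intercepted(), `tmp = msrpm[offset];` is read before `BUG_ON(offset == MSR_INVALID)`, so an invalid offset indexes the bitmap before the check fires. Move the BUG_ON directly after the svm_msrpm_offset() call. Style: `nested.msrpm:` is missing a space before the colon, and `test_bit(bit_write,  &tmp)` has a double space.
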
@@ -1206,6 +1228,8 @@ static void svm_vcpu_reset(struct kvm_vc
 	u32 dummy;
 	u32 eax = 1;
 
+	svm->spec_ctrl = 0;
+
 	init_vmcb(svm);
 
 	kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy);
@@ -3112,6 +3136,13 @@ static int svm_get_msr(struct kvm_vcpu *
 	case MSR_VM_CR:
 		msr_info->data = svm->nested.vm_cr_msr;
 		break;
+	case MSR_IA32_SPEC_CTRL:
+		if (!msr_info->host_initiated &&
+		    !guest_cpuid_has_ibrs(vcpu))
+			return 1;
+
+		msr_info->data = svm->spec_ctrl;
+		break;
 	case MSR_IA32_UCODE_REV:
 		msr_info->data = 0x01000065;
 		break;
@@ -3184,6 +3215,33 @@ static int svm_set_msr(struct kvm_vcpu *
 	case MSR_IA32_TSC:
 		kvm_write_tsc(vcpu, msr);
 		break;
+	case MSR_IA32_SPEC_CTRL:
+		if (!msr->host_initiated &&
+		    !guest_cpuid_has_ibrs(vcpu))
+			return 1;
+
+		/* The STIBP bit doesn't fault even if it's not advertised */
+		if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP))
+			return 1;
+
+		svm->spec_ctrl = data;
+
+		if (!data)
+			break;
+
+		/*
+		 * For non-nested:
+		 * When it's written (to non-zero) for the first time, pass
+		 * it through.
+		 *
+		 * For nested:
+		 * The handling of the MSR bitmap for L2 guests is done in
+		 * nested_svm_vmrun_msrpm.
+		 * We update the L1 MSR bit as well since it will end up
+		 * touching the MSR anyway now.
+		 */
+		set_msr_interception(svm->msrpm, MSR_IA32_SPEC_CTRL, 1, 1);
+		break;
 	case MSR_IA32_PRED_CMD:
 		if (!msr->host_initiated &&
 		    !guest_cpuid_has_ibpb(vcpu))
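
Review bot: in the MSR_IA32_SPEC_CTRL case of svm_set_msr(), a host-initiated write skips the guest_cpuid_has_ibrs() check and, if the value is non-zero, still reaches set_msr_interception(), which per the comment passes the MSR through to the guest. Is pass-through meant to happen even when the guest CPUID does not advertise the feature? If so, say it in the comment; if not, gate the set_msr_interception() call on guest_cpuid_has_ibrs(vcpu).
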
@@ -3902,6 +3960,15 @@ static void svm_vcpu_run(struct kvm_vcpu
 
 	local_irq_enable();
 
+	/*
+	 * If this vCPU has touched SPEC_CTRL, restore the guest's value if
+	 * it's non-zero. Since vmentry is serialising on affected CPUs, there
+	 * is no need to worry about the conditional branch over the wrmsr
+	 * being speculatively taken.
+	 */
+	if (svm->spec_ctrl)
+		wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
+
 	asm volatile (
 		"push %%" _ASM_BP "; \n\t"
 		"mov %c[rbx](%[svm]), %%" _ASM_BX " \n\t"
@@ -3994,6 +4061,27 @@ static void svm_vcpu_run(struct kvm_vcpu
 #endif
 		);
 
+	/*
+	 * We do not use IBRS in the kernel. If this vCPU has used the
+	 * SPEC_CTRL MSR it may have left it on; save the value and
+	 * turn it off. This is much more efficient than blindly adding
+	 * it to the atomic save/restore list. Especially as the former
+	 * (Saving guest MSRs on vmexit) doesn't even exist in KVM.
+	 *
+	 * For non-nested case:
+	 * If the L01 MSR bitmap does not intercept the MSR, then we need to
+	 * save it.
+	 *
+	 * For nested case:
+	 * If the L02 MSR bitmap does not intercept the MSR, then we need to
+	 * save it.
+	 */
+	if (!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))
+		rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
+
+	if (svm->spec_ctrl)
+		wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+
 	/* Eliminate branch target predictions from guest mode */
 	vmexit_fill_RSB();
 


* [PATCH 3.16 110/410] ahci: Order SATA device IDs for codename Lewisburg
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 029/410] scsi: libsas: fix memory leak in sas_smp_get_phy_events() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 152/410] USB: serial: add support for multi-port simple drivers Ben Hutchings
                   ` (373 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Alexandra Yates

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandra Yates <alexandra.yates@linux.intel.com>

commit 4d92f0099a06ef0e36c7673f7c090f1a448b2d1b upstream.

This change was to preserve the ascending order of device IDs.
There was an exception with the first two Lewisburg device IDs to
keep all device IDs of the same kind grouped by code name.

Signed-off-by: Alexandra Yates <alexandra.yates@linux.intel.com>
signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/ahci.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -332,16 +332,6 @@ static const struct pci_device_id ahci_p
 	{ PCI_VDEVICE(INTEL, 0x1f37), board_ahci_avn }, /* Avoton RAID */
 	{ PCI_VDEVICE(INTEL, 0x1f3e), board_ahci_avn }, /* Avoton RAID */
 	{ PCI_VDEVICE(INTEL, 0x1f3f), board_ahci_avn }, /* Avoton RAID */
-	{ PCI_VDEVICE(INTEL, 0xa182), board_ahci }, /* Lewisburg AHCI*/
-	{ PCI_VDEVICE(INTEL, 0xa202), board_ahci }, /* Lewisburg AHCI*/
-	{ PCI_VDEVICE(INTEL, 0xa184), board_ahci }, /* Lewisburg RAID*/
-	{ PCI_VDEVICE(INTEL, 0xa204), board_ahci }, /* Lewisburg RAID*/
-	{ PCI_VDEVICE(INTEL, 0xa186), board_ahci }, /* Lewisburg RAID*/
-	{ PCI_VDEVICE(INTEL, 0xa206), board_ahci }, /* Lewisburg RAID*/
-	{ PCI_VDEVICE(INTEL, 0x2822), board_ahci }, /* Lewisburg RAID*/
-	{ PCI_VDEVICE(INTEL, 0x2826), board_ahci }, /* Lewisburg RAID*/
-	{ PCI_VDEVICE(INTEL, 0xa18e), board_ahci }, /* Lewisburg RAID*/
-	{ PCI_VDEVICE(INTEL, 0xa20e), board_ahci }, /* Lewisburg RAID*/
 	{ PCI_VDEVICE(INTEL, 0x2823), board_ahci }, /* Wellsburg RAID */
 	{ PCI_VDEVICE(INTEL, 0x2827), board_ahci }, /* Wellsburg RAID */
 	{ PCI_VDEVICE(INTEL, 0x8d02), board_ahci }, /* Wellsburg AHCI */
@@ -374,6 +364,16 @@ static const struct pci_device_id ahci_p
 	{ PCI_VDEVICE(INTEL, 0xa106), board_ahci }, /* Sunrise Point-H RAID */
 	{ PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */
 	{ PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
+	{ PCI_VDEVICE(INTEL, 0x2822), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0x2826), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa182), board_ahci }, /* Lewisburg AHCI*/
+	{ PCI_VDEVICE(INTEL, 0xa184), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa186), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa18e), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa202), board_ahci }, /* Lewisburg AHCI*/
+	{ PCI_VDEVICE(INTEL, 0xa204), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa206), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa20e), board_ahci }, /* Lewisburg RAID*/
 
 	/* JMicron 360/1/3/5/6, match class to avoid IDE function */
 	{ PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
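
Review bot: the moved Lewisburg entries keep their comments without a space before the closing `*/` (`/* Lewisburg RAID*/`), unlike the neighbouring Sunrise Point-H and Wellsburg lines. Since the lines are being re-added anyway, fix the spacing. 0x2822 and 0x2826 also follow 0xa10f here, so a one-line comment that they are kept with the Lewisburg group on purpose would stop someone re-sorting them later.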


* [PATCH 3.16 220/410] netlink: ensure to loop over all netns in genlmsg_multicast_allns()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (305 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 175/410] media: cxusb, dib0700: ignore XC2028_I2C_FLUSH Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 135/410] uas: Log error codes when logging errors Ben Hutchings
                   ` (102 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Johannes Berg, David S. Miller, Nicolas Dichtel

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>

commit cb9f7a9a5c96a773bbc9c70660dc600cfff82f82 upstream.

Nowadays, nlmsg_multicast() returns only 0 or -ESRCH but this was not the
case when commit 134e63756d5f was pushed.
However, there was no reason to stop the loop if a netns does not have
listeners.
Returns -ESRCH only if there were no listeners in all netns.

To avoid having the same problem in the future, I didn't take the
assumption that nlmsg_multicast() returns only 0 or -ESRCH.

Fixes: 134e63756d5f ("genetlink: make netns aware")
CC: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netlink/genetlink.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1042,6 +1042,7 @@ static int genlmsg_mcast(struct sk_buff
 {
 	struct sk_buff *tmp;
 	struct net *net, *prev = NULL;
+	bool delivered = false;
 	int err;
 
 	for_each_net_rcu(net) {
@@ -1053,14 +1054,21 @@ static int genlmsg_mcast(struct sk_buff
 			}
 			err = nlmsg_multicast(prev->genl_sock, tmp,
 					      portid, group, flags);
-			if (err)
+			if (!err)
+				delivered = true;
+			else if (err != -ESRCH)
 				goto error;
 		}
 
 		prev = net;
 	}
 
-	return nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
+	err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
+	if (!err)
+		delivered = true;
+	else if (err != -ESRCH)
+		goto error;
+	return delivered ? 0 : -ESRCH;
  error:
 	kfree_skb(skb);
 	return err;
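
Review bot: The new "goto error" after the final nlmsg_multicast() call reaches kfree_skb(skb) with the same skb that was just passed to nlmsg_multicast(prev->genl_sock, skb, ...), unlike the in-loop path, where the clone tmp was passed and skb is still owned by this function. If nlmsg_multicast() consumes its skb when it fails, this path frees it a second time. Return err directly for the final call, or state in a comment why skb is still owned by the caller at that point.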


* [PATCH 3.16 074/410] HID: add quirk for another PIXART OEM mouse used by HP
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (127 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 181/410] netfilter: on sockopt() acquire sock lock only in the required scope Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 172/410] staging: iio: adc: remove the use of CamelCase Ben Hutchings
                   ` (280 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Benjamin Tissoires, Jiri Kosina, Dave Young

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Young <dyoung@redhat.com>

commit 01cffe9ded15c0d664e0beb33c594e00c0d57bba upstream.

This mouse keeps disconnecting in runlevel 3 like below, and it needs the
quirk to mute the annoying messages.

[  111.230555] usb 2-2: USB disconnect, device number 6
[  112.718156] usb 2-2: new low-speed USB device number 7 using xhci_hcd
[  112.941594] usb 2-2: New USB device found, idVendor=03f0, idProduct=094a
[  112.984866] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  113.027731] usb 2-2: Product: HP USB Optical Mouse
[  113.069977] usb 2-2: Manufacturer: PixArt
[  113.113500] input: PixArt HP USB Optical Mouse as /devices/pci0000:00/0000:00:14.0/usb2/2-2/2-2:1.0/0003:03F0:094A.0002/input/input14
[  113.156787] hid-generic 0003:03F0:094A.0002: input: USB HID v1.11 Mouse [PixArt HP USB Optical Mouse] on usb-0000:00:14.0-2/input0
[  173.262642] usb 2-2: USB disconnect, device number 7
[  174.750244] usb 2-2: new low-speed USB device number 8 using xhci_hcd
[  174.935740] usb 2-2: New USB device found, idVendor=03f0, idProduct=094a
[  174.990435] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  175.014984] usb 2-2: Product: HP USB Optical Mouse
[  175.037886] usb 2-2: Manufacturer: PixArt
[  175.061794] input: PixArt HP USB Optical Mouse as /devices/pci0000:00/0000:00:14.0/usb2/2-2/2-2:1.0/0003:03F0:094A.0003/input/input15
[  175.084946] hid-generic 0003:03F0:094A.0003: input: USB HID v1.11 Mouse [PixArt HP USB Optical Mouse] on usb-0000:00:14.0-2/input0

Signed-off-by: Dave Young <dyoung@redhat.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[bwh: Backported to 3.16:
 - Don't use HID_USB_DEVICE()
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-ids.h           | 1 +
 drivers/hid/usbhid/hid-quirks.c | 1 +
 2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -488,6 +488,7 @@
 #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A	0x0a4a
 #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A	0x0b4a
 #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE		0x134a
+#define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A	0x094a
 
 #define USB_VENDOR_ID_HUION		0x256c
 #define USB_DEVICE_ID_HUION_580		0x006e
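
Review bot: The new define carries a _094A suffix while USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE (0x134a) directly above it has none, so the two PixArt entries no longer follow one naming scheme the way the Logitech OEM entries (_0A4A, _0B4A) do. Not a reason to hold a stable backport, but worth a follow-up rename so that the unsuffixed name is not read as covering every PixArt OEM mouse.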
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -99,6 +99,7 @@ static const struct hid_blacklist {
 	{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A, HID_QUIRK_ALWAYS_POLL },
 	{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A, HID_QUIRK_ALWAYS_POLL },
 	{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
+	{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A, HID_QUIRK_ALWAYS_POLL },
 	{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL },
 	{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_KEYBOARD_G710_PLUS, HID_QUIRK_NOGET },
 	{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C01A, HID_QUIRK_ALWAYS_POLL },


* [PATCH 3.16 125/410] signal/openrisc: Fix do_unaligned_access to send the proper signal
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
@ 2018-06-07 14:05   ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 407/410] RDMA/ucma: Check that device is connected prior to access it Ben Hutchings
                     ` (408 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Jonas Bonn, Stefan Kristiansson,
	Stafford Horne, openrisc, Eric W. Biederman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 500d58300571b6602341b041f97c082a461ef994 upstream.

While reviewing the signal sending on openrisc the do_unaligned_access
function stood out because it is obviously wrong.  A comment about an
si_code set above when actually si_code is never set.  Leading to a
random si_code being sent to userspace in the event of an unaligned
access.

Looking further SIGBUS BUS_ADRALN is the proper pair of signal and
si_code to send for an unaligned access. That is what other
architectures do and what is required by posix.

Given that do_unaligned_access is broken in a way that no one can be
relying on it on openrisc fix the code to just do the right thing.

Fixes: 769a8a96229e ("OpenRISC: Traps")
Cc: Jonas Bonn <jonas@southpole.se>
Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
Cc: Stafford Horne <shorne@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: openrisc@lists.librecores.org
Acked-by: Stafford Horne <shorne@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/openrisc/kernel/traps.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/arch/openrisc/kernel/traps.c
+++ b/arch/openrisc/kernel/traps.c
@@ -302,12 +302,12 @@ asmlinkage void do_unaligned_access(stru
 	siginfo_t info;
 
 	if (user_mode(regs)) {
-		/* Send a SIGSEGV */
-		info.si_signo = SIGSEGV;
+		/* Send a SIGBUS */
+		info.si_signo = SIGBUS;
 		info.si_errno = 0;
-		/* info.si_code has been set above */
-		info.si_addr = (void *)address;
-		force_sig_info(SIGSEGV, &info, current);
+		info.si_code = BUS_ADRALN;
+		info.si_addr = (void __user *)address;
+		force_sig_info(SIGBUS, &info, current);
 	} else {
 		printk("KERNEL: Unaligned Access 0x%.8lx\n", address);
 		show_registers(regs);
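
Review bot: siginfo_t info at the top of this hunk is still an uninitialised stack variable; only si_signo, si_errno, si_code and si_addr are assigned before force_sig_info(SIGBUS, &info, current), so every other byte of the structure holds whatever was on the kernel stack. The bug being fixed is exactly an unset field reaching userspace, so zero the whole structure first, e.g. memset(&info, 0, sizeof(info)), rather than relying on each field being set by hand.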


* [PATCH 3.16 102/410] usb: gadget: f_fs: Fix possibe deadlock
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (154 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 204/410] pipe: fix limit checking in alloc_pipe_info() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 213/410] pipe: fix off-by-one error when checking buffer limits Ben Hutchings
                   ` (253 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Baolin Wang, Michal Nazarewicz

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Baolin Wang <baolin.wang@linaro.org>

commit b3ce3ce02d146841af012d08506b4071db8ffde3 upstream.

When the system tries to close /dev/usb-ffs/adb/ep0 on one core while, at
the same time, another core tries to attach a new UDC, a deadlock occurs as
in the scenario below. Thus we should release the ffs lock before issuing
unregister_gadget_item().

[   52.642225] c1 ======================================================
[   52.642228] c1 [ INFO: possible circular locking dependency detected ]
[   52.642236] c1 4.4.6+ #1 Tainted: G        W  O
[   52.642241] c1 -------------------------------------------------------
[   52.642245] c1 usb ffs open/2808 is trying to acquire lock:
[   52.642270] c0  (udc_lock){+.+.+.}, at: [<ffffffc00065aeec>]
		usb_gadget_unregister_driver+0x3c/0xc8
[   52.642272] c1  but task is already holding lock:
[   52.642283] c0  (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
		ffs_data_clear+0x30/0x140
[   52.642285] c1 which lock already depends on the new lock.
[   52.642287] c1
               the existing dependency chain (in reverse order) is:
[   52.642295] c0
	       -> #1 (ffs_lock){+.+.+.}:
[   52.642307] c0        [<ffffffc00012340c>] __lock_acquire+0x20f0/0x2238
[   52.642314] c0        [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[   52.642322] c0        [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[   52.642328] c0        [<ffffffc00066f7bc>] ffs_func_bind+0x504/0x6e8
[   52.642334] c0        [<ffffffc000654004>] usb_add_function+0x84/0x184
[   52.642340] c0        [<ffffffc000658ca4>] configfs_composite_bind+0x264/0x39c
[   52.642346] c0        [<ffffffc00065b348>] udc_bind_to_driver+0x58/0x11c
[   52.642352] c0        [<ffffffc00065b49c>] usb_udc_attach_driver+0x90/0xc8
[   52.642358] c0        [<ffffffc0006598e0>] gadget_dev_desc_UDC_store+0xd4/0x128
[   52.642369] c0        [<ffffffc0002c14e8>] configfs_write_file+0xd0/0x13c
[   52.642376] c0        [<ffffffc00023c054>] vfs_write+0xb8/0x214
[   52.642381] c0        [<ffffffc00023cad4>] SyS_write+0x54/0xb0
[   52.642388] c0        [<ffffffc000085ff0>] el0_svc_naked+0x24/0x28
[   52.642395] c0
              -> #0 (udc_lock){+.+.+.}:
[   52.642401] c0        [<ffffffc00011e3d0>] print_circular_bug+0x84/0x2e4
[   52.642407] c0        [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
[   52.642412] c0        [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[   52.642420] c0        [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[   52.642427] c0        [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642432] c0        [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
[   52.642439] c0        [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
[   52.642444] c0        [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
[   52.642450] c0        [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
[   52.642454] c0        [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
[   52.642460] c0        [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
[   52.642466] c0        [<ffffffc00023dd9c>] ____fput+0x20/0x2c
[   52.642473] c0        [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
[   52.642482] c0        [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
[   52.642487] c0        [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
[   52.642494] c0        [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
[   52.642501] c0        [<ffffffc00008a8f0>] do_signal+0x154/0x518
[   52.642507] c0        [<ffffffc00008af00>] do_notify_resume+0x70/0x78
[   52.642512] c0        [<ffffffc000085ee8>] work_pending+0x1c/0x20
[   52.642514] c1
              other info that might help us debug this:
[   52.642517] c1  Possible unsafe locking scenario:
[   52.642518] c1        CPU0                    CPU1
[   52.642520] c1        ----                    ----
[   52.642525] c0   lock(ffs_lock);
[   52.642529] c0                                lock(udc_lock);
[   52.642533] c0                                lock(ffs_lock);
[   52.642537] c0   lock(udc_lock);
[   52.642539] c1
                      *** DEADLOCK ***
[   52.642543] c1 1 lock held by usb ffs open/2808:
[   52.642555] c0  #0:  (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
		ffs_data_clear+0x30/0x140
[   52.642557] c1 stack backtrace:
[   52.642563] c1 CPU: 1 PID: 2808 Comm: usb ffs open Tainted: G
[   52.642565] c1 Hardware name: Spreadtrum SP9860g Board (DT)
[   52.642568] c1 Call trace:
[   52.642573] c1 [<ffffffc00008b430>] dump_backtrace+0x0/0x170
[   52.642577] c1 [<ffffffc00008b5c0>] show_stack+0x20/0x28
[   52.642583] c1 [<ffffffc000422694>] dump_stack+0xa8/0xe0
[   52.642587] c1 [<ffffffc00011e548>] print_circular_bug+0x1fc/0x2e4
[   52.642591] c1 [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
[   52.642595] c1 [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[   52.642599] c1 [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[   52.642604] c1 [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642608] c1 [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
[   52.642613] c1 [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
[   52.642618] c1 [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
[   52.642621] c1 [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
[   52.642625] c1 [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
[   52.642629] c1 [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
[   52.642633] c1 [<ffffffc00023dd9c>] ____fput+0x20/0x2c
[   52.642636] c1 [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
[   52.642640] c1 [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
[   52.642644] c1 [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
[   52.642647] c1 [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
[   52.642651] c1 [<ffffffc00008a8f0>] do_signal+0x154/0x518
[   52.642656] c1 [<ffffffc00008af00>] do_notify_resume+0x70/0x78
[   52.642659] c1 [<ffffffc000085ee8>] work_pending+0x1c/0x20

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/f_fs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -2998,6 +2998,7 @@ done:
 static void ffs_closed(struct ffs_data *ffs)
 {
 	struct ffs_dev *ffs_obj;
+	struct config_item *ci;
 
 	ENTER();
 	ffs_dev_lock();
@@ -3015,8 +3016,11 @@ static void ffs_closed(struct ffs_data *
 	    || !ffs_obj->opts->func_inst.group.cg_item.ci_parent)
 		goto done;
 
-	unregister_gadget_item(ffs_obj->opts->
-			       func_inst.group.cg_item.ci_parent->ci_parent);
+	ci = ffs_obj->opts->func_inst.group.cg_item.ci_parent->ci_parent;
+	ffs_dev_unlock();
+
+	unregister_gadget_item(ci);
+	return;
 done:
 	ffs_dev_unlock();
 }
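
Review bot: ci is read under the ffs lock but used after ffs_dev_unlock(), and nothing in this hunk takes a reference on it, so unregister_gadget_item(ci) can run on a config item that another path released in the window the unlock opens. Pin it across the call with config_item_get()/config_item_put(), or add a comment naming what keeps the gadget's config item alive at this point.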


* [PATCH 3.16 314/410] btrfs: alloc_chunk: fix DUP stripe size handling
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (165 preceding siblings ...)
  2018-06-07 14:05   ` Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 316/410] staging: android: ashmem: Fix lockdep issue during llseek Ben Hutchings
                   ` (242 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Naohiro Aota, Hans van Kranenburg, David Sterba

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans van Kranenburg <hans.van.kranenburg@mendix.com>

commit 92e222df7b8f05c565009c7383321b593eca488b upstream.

In case of using DUP, we search for enough unallocated disk space on a
device to hold two stripes.

The devices_info[ndevs-1].max_avail that holds the amount of unallocated
space found is directly assigned to stripe_size, while it's actually
twice the stripe size.

Later on in the code, an unconditional division of stripe_size by
dev_stripes corrects the value, but in the meantime there's a check to
see if the stripe_size does not exceed max_chunk_size. Since during this
check stripe_size is twice the amount as intended, the check will reduce
the stripe_size to max_chunk_size if the actual correct to be used
stripe_size is more than half the amount of max_chunk_size.

The unconditional division later tries to correct stripe_size, but will
actually make sure we can't allocate more than half the max_chunk_size.

Fix this by moving the division by dev_stripes before the max chunk size
check, so it always contains the right value, instead of putting a duct
tape division in further on to get it fixed again.

Since in all other cases than DUP, dev_stripes is 1, this change only
affects DUP.

Other attempts in the past were made to fix this:
* 37db63a400 "Btrfs: fix max chunk size check in chunk allocator" tried
to fix the same problem, but still resulted in part of the code acting
on a wrongly doubled stripe_size value.
* 86db25785a "Btrfs: fix max chunk size on raid5/6" unintentionally
broke this fix again.

The real problem was already introduced with the rest of the code in
73c5de0051.

The user visible result however will be that the max chunk size for DUP
will suddenly double, while it's actually acting according to the limits
in the code again like it was 5 years ago.

Reported-by: Naohiro Aota <naohiro.aota@wdc.com>
Link: https://www.spinics.net/lists/linux-btrfs/msg69752.html
Fixes: 73c5de0051 ("btrfs: quasi-round-robin for chunk allocation")
Fixes: 86db25785a ("Btrfs: fix max chunk size on raid5/6")
Signed-off-by: Hans van Kranenburg <hans.van.kranenburg@mendix.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ update comment ]
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: We were using do_div() here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/volumes.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -4241,10 +4241,13 @@ static int __btrfs_alloc_chunk(struct bt
 	if (devs_max && ndevs > devs_max)
 		ndevs = devs_max;
 	/*
-	 * the primary goal is to maximize the number of stripes, so use as many
-	 * devices as possible, even if the stripes are not maximum sized.
+	 * The primary goal is to maximize the number of stripes, so use as
+	 * many devices as possible, even if the stripes are not maximum sized.
+	 *
+	 * The DUP profile stores more than one stripe per device, the
+	 * max_avail is the total size so we have to adjust.
 	 */
-	stripe_size = devices_info[ndevs-1].max_avail;
+	stripe_size = div_u64(devices_info[ndevs - 1].max_avail, dev_stripes);
 	num_stripes = ndevs * dev_stripes;
 
 	/*
@@ -4284,8 +4287,6 @@ static int __btrfs_alloc_chunk(struct bt
 			stripe_size = devices_info[ndevs-1].max_avail;
 	}
 
-	do_div(stripe_size, dev_stripes);
-
 	/* align to BTRFS_STRIPE_LEN */
 	do_div(stripe_size, raid_stripe_len);
 	stripe_size *= raid_stripe_len;
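
Review bot: The context line "stripe_size = devices_info[ndevs-1].max_avail;" at the top of this hunk still assigns the undivided per-device total, and with do_div(stripe_size, dev_stripes) removed below it nothing divides that value by dev_stripes any more. On that path a DUP chunk ends up with a stripe_size of the full max_avail, which is the same doubling the first hunk corrects. Assign the divided value there as well, e.g. div_u64(devices_info[ndevs - 1].max_avail, dev_stripes), before dropping the later division.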


* [PATCH 3.16 020/410] ext4: fix bitmap position validation
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 340/410] xhci: Fix front USB ports on ASUS PRIME B350M-A Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 232/410] ALSA: hda/realtek: PCI quirk for Fujitsu U7x7 Ben Hutchings
                   ` (345 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Ilya Dryomov, Lukas Czerner

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Czerner <lczerner@redhat.com>

commit 22be37acce25d66ecf6403fc8f44df9c5ded2372 upstream.

Currently in ext4_valid_block_bitmap() we expect the bitmap to be
positioned anywhere between 0 and s_blocksize clusters, but that's
wrong because the bitmap can be placed anywhere in the block group. This
causes false positives when validating bitmaps on perfectly valid file
system layouts. Fix it by checking whether the bitmap is within the group
boundary.

The problem can be reproduced using the following

mkfs -t ext3 -E stride=256 /dev/vdb1
mount /dev/vdb1 /mnt/test
cd /mnt/test
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.16.3.tar.xz
tar xf linux-4.16.3.tar.xz

This will result in the warnings in the logs

EXT4-fs error (device vdb1): ext4_validate_block_bitmap:399: comm tar: bg 84: block 2774529: invalid block bitmap

[ Changed slightly for clarity and to not drop an overflow test -- TYT ]

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Ilya Dryomov <idryomov@gmail.com>
Fixes: 7dac4a1726a9 ("ext4: add validity checks for bitmap block numbers")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/balloc.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -323,6 +323,7 @@ static ext4_fsblk_t ext4_valid_block_bit
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	ext4_grpblk_t offset;
 	ext4_grpblk_t next_zero_bit;
+	ext4_grpblk_t max_bit = EXT4_CLUSTERS_PER_GROUP(sb);
 	ext4_fsblk_t blk;
 	ext4_fsblk_t group_first_block;
 
@@ -340,7 +341,7 @@ static ext4_fsblk_t ext4_valid_block_bit
 	/* check whether block bitmap block number is set */
 	blk = ext4_block_bitmap(sb, desc);
 	offset = blk - group_first_block;
-	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+	if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
 	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
 		/* bad block bitmap */
 		return blk;
@@ -348,7 +349,7 @@ static ext4_fsblk_t ext4_valid_block_bit
 	/* check whether the inode bitmap block number is set */
 	blk = ext4_inode_bitmap(sb, desc);
 	offset = blk - group_first_block;
-	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+	if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
 	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
 		/* bad block bitmap */
 		return blk;
@@ -356,8 +357,8 @@ static ext4_fsblk_t ext4_valid_block_bit
 	/* check whether the inode table block number is set */
 	blk = ext4_inode_table(sb, desc);
 	offset = blk - group_first_block;
-	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-	    EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
+	if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
+	    EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit)
 		return blk;
 	next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
 			EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
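
Review bot: In the inode-table check, offset + sbi->s_itb_per_group is the first block past the table (the ext4_find_next_zero_bit() call just below uses it as the exclusive end), so testing it with ">= max_bit" also rejects a table whose last block sits in the last cluster of the group. With max_bit = EXT4_CLUSTERS_PER_GROUP(sb) the valid indices are 0..max_bit-1, so the end test should be on offset + sbi->s_itb_per_group - 1, or use "> max_bit". As written, a valid layout that places the inode table at the end of a group still produces a false positive of the kind the commit message describes.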


* [PATCH 3.16 059/410] KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 109/410] ahci: Add Device ID for Intel Sunrise Point PCH Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 296/410] tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus Ben Hutchings
                   ` (398 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Woodhouse, Jim Mattson, Peter Zijlstra,
	Paolo Bonzini, Ingo Molnar, Greg Kroah-Hartman, kvm,
	KarimAllah Ahmed, Linus Torvalds, Thomas Gleixner,
	Radim Krčmář

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit ecb586bd29c99fb4de599dec388658e74388daad upstream.

Having a paravirt indirect call in the IBRS restore path is not a
good idea, since we are trying to protect from speculative execution
of bogus indirect branch targets.  It is also slower, so use
native_wrmsrl() on the vmentry path too.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: KarimAllah Ahmed <karahmed@amazon.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kvm@vger.kernel.org
Fixes: d28b387fb74da95d69d2615732f50cceb38e9a4d
Link: http://lkml.kernel.org/r/20180222154318.20361-2-pbonzini@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/svm.c | 7 ++++---
 arch/x86/kvm/vmx.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -36,6 +36,7 @@
 #include <asm/desc.h>
 #include <asm/debugreg.h>
 #include <asm/kvm_para.h>
+#include <asm/microcode.h>
 #include <asm/nospec-branch.h>
 
 #include <asm/virtext.h>
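
Review bot: The added #include <asm/microcode.h> has no visible user in this hunk and the commit message does not say why it is needed. If it is there to provide native_wrmsrl(), say so in the changelog or the backport note, otherwise someone tidying the include list will drop it and break the build.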
@@ -3967,7 +3968,7 @@ static void svm_vcpu_run(struct kvm_vcpu
 	 * being speculatively taken.
 	 */
 	if (svm->spec_ctrl)
-		wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
+		native_wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
 
 	asm volatile (
 		"push %%" _ASM_BP "; \n\t"
@@ -4077,10 +4078,10 @@ static void svm_vcpu_run(struct kvm_vcpu
 	 * save it.
 	 */
 	if (!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))
-		rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
+		svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
 
 	if (svm->spec_ctrl)
-		wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+		native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
 
 	/* Eliminate branch target predictions from guest mode */
 	vmexit_fill_RSB();
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -46,6 +46,7 @@
 #include <asm/perf_event.h>
 #include <asm/debugreg.h>
 #include <asm/kexec.h>
+#include <asm/microcode.h>
 #include <asm/nospec-branch.h>
 
 #include "trace.h"
@@ -7542,7 +7543,7 @@ static void __noclone vmx_vcpu_run(struc
 	 * being speculatively taken.
 	 */
 	if (vmx->spec_ctrl)
-		wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
+		native_wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
 
 	vmx->__launched = vmx->loaded_vmcs->launched;
 	asm(
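
Review bot: The hunk switches to native_wrmsrl() but leaves the comment above "if (vmx->spec_ctrl)" as it was, so nothing at the call site records why the paravirt wrmsrl() must not be used here. The commit message gives the reason (no indirect call in the IBRS restore path); put one sentence of it in the comment so the call is not converted back in a later cleanup.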
@@ -7673,10 +7674,10 @@ static void __noclone vmx_vcpu_run(struc
 	 * save it.
 	 */
 	if (!msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL))
-		rdmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
+		vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
 
 	if (vmx->spec_ctrl)
-		wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+		native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
 
 	/* Eliminate branch target predictions from guest mode */
 	vmexit_fill_RSB();


* [PATCH 3.16 409/410] mtd: jedec_probe: Fix crash in jedec_read_mfr()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (266 preceding siblings ...)
  2018-06-07 14:05   ` [OpenRISC] " Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 024/410] ALSA: seq: Fix racy pool initializations Ben Hutchings
                   ` (141 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Walleij, Boris Brezillon

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.

It turns out that the loop where we read manufacturer
jedec_read_mfr() can under some circumstances get a
CFI_MFR_CONTINUATION repeatedly, making the loop go
over all banks and eventually hit the end of the
map and crash because of an access violation:

Unable to handle kernel paging request at virtual address c4980000
pgd = (ptrval)
[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] PREEMPT ARM
CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
Hardware name: Gemini (Device Tree)
PC is at jedec_probe_chip+0x6ec/0xcd0
LR is at 0x4
pc : [<c03a2bf4>]    lr : [<00000004>]    psr: 60000013
sp : c382dd18  ip : 0000ffff  fp : 00000000
r10: c0626388  r9 : 00020000  r8 : c0626340
r7 : 00000000  r6 : 00000001  r5 : c3a71afc  r4 : c382dd70
r3 : 00000001  r2 : c4900000  r1 : 00000002  r0 : 00080000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 0000397f  Table: 00004000  DAC: 00000053
Process swapper (pid: 1, stack limit = 0x(ptrval))

Fix this by breaking the loop with a return 0 if
the offset exceeds the map size.

Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/jedec_probe.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/mtd/chips/jedec_probe.c
+++ b/drivers/mtd/chips/jedec_probe.c
@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct
 	do {
 		uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
 		mask = (1 << (cfi->device_type * 8)) - 1;
+		if (ofs >= map->size)
+			return 0;
 		result = map_read(map, base + ofs);
 		bank++;
 	} while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
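
Review bot: The new bound tests ofs, but the access on the next line is map_read(map, base + ofs), so with a non-zero base the read can still land at or beyond map->size. Test the address that is actually read, i.e. "if (base + ofs >= map->size)". Also consider a message before "return 0", since 0 is then handed back as the manufacturer ID with no sign that the probe ran off the end of the map.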


* [PATCH 3.16 288/410] l2tp: don't close sessions in l2tp_tunnel_destruct()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (346 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 368/410] skbuff: Fix not waking applications when errors are enqueued Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 223/410] s390/qeth: fix SETIP command handling Ben Hutchings
                   ` (61 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 765924e362d12f87786060b98a49abd91e11ea96 upstream.

Sessions are already removed by the proto ->destroy() handlers, and
since commit f3c66d4e144a ("l2tp: prevent creation of sessions on terminated tunnels"),
we're guaranteed that no new session can be created afterwards.

Furthermore, l2tp_tunnel_closeall() can sleep when there are sessions
left to close. So we really shouldn't call it in a ->sk_destruct()
handler, as it can be used from atomic context.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_core.c | 2 --
 1 file changed, 2 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1322,8 +1322,6 @@ static void l2tp_tunnel_destruct(struct
 	list_del_rcu(&tunnel->list);
 	spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
 
-	l2tp_tunnel_closeall(tunnel);
-
 	tunnel->sock = NULL;
 	l2tp_tunnel_dec_refcount(tunnel);
 


* [PATCH 3.16 172/410] staging: iio: adc: remove the use of CamelCase
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 074/410] HID: add quirk for another PIXART OEM mouse used by HP Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 004/410] x86/microcode/AMD: Do not load when running on a hypervisor Ben Hutchings
                   ` (279 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Daniel Baluta, Greg Kroah-Hartman, Ioana Ciornei

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ioana Ciornei <ciorneiioana@gmail.com>

commit 5f7e280f5ae61450a7aecd9feefe3f032b6a5abf upstream.

Remove the use of CamelCase to follow the kernel naming conventions

Signed-off-by: Ioana Ciornei <ciorneiioana@gmail.com>
Reviewed-by: Daniel Baluta <daniel.baluta@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/adc/ad7192.c  | 10 +++++-----
 drivers/staging/iio/adc/ad7192.h  |  2 +-
 drivers/staging/iio/adc/ad7280a.c |  4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/staging/iio/adc/ad7192.c
+++ b/drivers/staging/iio/adc/ad7192.c
@@ -125,7 +125,7 @@
 #define AD7192_GPOCON_P1DAT	(1 << 1) /* P1 state */
 #define AD7192_GPOCON_P0DAT	(1 << 0) /* P0 state */
 
-#define AD7192_INT_FREQ_MHz	4915200
+#define AD7192_INT_FREQ_MHZ	4915200
 
 /* NOTE:
  * The AD7190/2/5 features a dual use data out ready DOUT/RDY output.
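
Review bot: the renamed macro AD7192_INT_FREQ_MHZ still carries a MHz suffix while its value, 4915200, is a frequency in Hz (4.9152 MHz). Since the name is being changed anyway, a unit-accurate name such as AD7192_INT_FREQ_HZ would avoid a second rename later.
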
@@ -226,14 +226,14 @@ static int ad7192_setup(struct ad7192_st
 	switch (pdata->clock_source_sel) {
 	case AD7192_CLK_EXT_MCLK1_2:
 	case AD7192_CLK_EXT_MCLK2:
-		st->mclk = AD7192_INT_FREQ_MHz;
+		st->mclk = AD7192_INT_FREQ_MHZ;
 		break;
 	case AD7192_CLK_INT:
 	case AD7192_CLK_INT_CO:
-		if (pdata->ext_clk_Hz)
-			st->mclk = pdata->ext_clk_Hz;
+		if (pdata->ext_clk_hz)
+			st->mclk = pdata->ext_clk_hz;
 		else
-			st->mclk = AD7192_INT_FREQ_MHz;
+			st->mclk = AD7192_INT_FREQ_MHZ;
 		break;
 	default:
 		ret = -EINVAL;
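
Review bot: in the context lines of this hunk the two external-clock cases (AD7192_CLK_EXT_MCLK1_2, AD7192_CLK_EXT_MCLK2) assign the internal frequency, and the two internal-clock cases are the ones that consult pdata->ext_clk_hz, which looks inverted. That is outside the scope of a rename, but it should be checked against the datasheet and fixed in a separate patch rather than carried forward unnoticed.
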
--- a/drivers/staging/iio/adc/ad7192.h
+++ b/drivers/staging/iio/adc/ad7192.h
@@ -34,7 +34,7 @@
 struct ad7192_platform_data {
 	u16		vref_mv;
 	u8		clock_source_sel;
-	u32		ext_clk_Hz;
+	u32		ext_clk_hz;
 	bool		refin2_en;
 	bool		rej60_en;
 	bool		sinc3_en;
--- a/drivers/staging/iio/adc/ad7280a.c
+++ b/drivers/staging/iio/adc/ad7280a.c
@@ -89,7 +89,7 @@
 
 #define AD7280A_ALL_CELLS				(0xAD << 16)
 
-#define AD7280A_MAX_SPI_CLK_Hz		700000 /* < 1MHz */
+#define AD7280A_MAX_SPI_CLK_HZ		700000 /* < 1MHz */
 #define AD7280A_MAX_CHAIN		8
 #define AD7280A_CELLS_PER_DEV		6
 #define AD7280A_BITS			12
@@ -850,7 +850,7 @@ static int ad7280_probe(struct spi_devic
 
 	ad7280_crc8_build_table(st->crc_tab);
 
-	st->spi->max_speed_hz = AD7280A_MAX_SPI_CLK_Hz;
+	st->spi->max_speed_hz = AD7280A_MAX_SPI_CLK_HZ;
 	st->spi->mode = SPI_MODE_1;
 	spi_setup(st->spi);
 

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 072/410] power: supply: ab8500_charger: Bail out in case of error in 'ab8500_charger_init_hw_registers()'
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christophe JAILLET, Sebastian Reichel

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 09edcb647542487864e23aa8d2ef26be3e08978a upstream.

If an error occurs when we enable the backup battery charging, we should
go through the error handling path directly.

Before commit db43e6c473b5 ("ab8500-bm: Add usb power path support") this
was the case, but this commit has added some code between the last test and
the 'out' label.
So, in case of error, this added code is executed and the error may be
silently ignored.

Fix it by adding the missing 'goto out', as done in all other error
handling paths.

Fixes: db43e6c473b5 ("ab8500-bm: Add usb power path support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/power/ab8500_charger.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/power/ab8500_charger.c
+++ b/drivers/power/ab8500_charger.c
@@ -3227,8 +3227,10 @@ static int ab8500_charger_init_hw_regist
 	ret = abx500_mask_and_set_register_interruptible(di->dev,
 		AB8500_RTC, AB8500_RTC_CTRL_REG,
 		RTC_BUP_CH_ENA, RTC_BUP_CH_ENA);
-	if (ret < 0)
+	if (ret < 0) {
 		dev_err(di->dev, "%s mask and set failed\n", __func__);
+		goto out;
+	}
 
 	if (is_ab8540(di->parent)) {
 		ret = abx500_mask_and_set_register_interruptible(di->dev,
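
Review bot: the dev_err() inside the new braces prints only __func__ and "mask and set failed" and drops ret, so now that the function bails out here the log does not say which register write failed or why. Naming the operation and adding the error code, for example "%s failed to enable backup battery charging: %d\n" with ret, would make the early exit diagnosable.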

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 094/410] scsi: aacraid: Fix udev inquiry race condition
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Martin K. Petersen, Raghava Aditya Renukunta

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>

commit f4e8708d3104437fd7716e957f38c265b0c509ef upstream.

When udev requests a device's inquiry string, it might create multiple
threads causing a race condition on the shared inquiry resource string.

Created a buffer with the string for each thread.

Fixes: 3bc8070fb75b3315 ([SCSI] aacraid: SMC vendor identification)
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16:
 - s/sup_adap_info->adapter_type_text/dev->supplement_adapter_info.AdapterTypeText/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -770,8 +770,16 @@ static void setinqstr(struct aac_dev *de
 	memset(str, ' ', sizeof(*str));
 
 	if (dev->supplement_adapter_info.AdapterTypeText[0]) {
-		char * cp = dev->supplement_adapter_info.AdapterTypeText;
 		int c;
+		char *cp;
+		char *cname = kmemdup(dev->supplement_adapter_info.AdapterTypeText,
+				sizeof(dev->supplement_adapter_info.AdapterTypeText),
+								GFP_ATOMIC);
+
+		if (!cname)
+			return;
+
+		cp = cname;
 		if ((cp[0] == 'A') && (cp[1] == 'O') && (cp[2] == 'C'))
 			inqstrcpy("SMC", str->vid);
 		else {
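
Review bot: the new early return when kmemdup() fails leaves str holding only the blanks written by the memset() at the top of the hunk and logs nothing, so an allocation failure under GFP_ATOMIC shows up only as an empty inquiry string. Falling through to the aac_get_driver_ident() branch, or at least logging the failure, would make it visible. The copy is also sizeof(AdapterTypeText) bytes with no terminator added, so the scanning loops that follow still depend on the firmware-supplied text being NUL-terminated.
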
@@ -780,8 +788,7 @@ static void setinqstr(struct aac_dev *de
 				++cp;
 			c = *cp;
 			*cp = '\0';
-			inqstrcpy (dev->supplement_adapter_info.AdapterTypeText,
-				   str->vid);
+			inqstrcpy(cname, str->vid);
 			*cp = c;
 			while (*cp && *cp != ' ')
 				++cp;
@@ -795,8 +802,8 @@ static void setinqstr(struct aac_dev *de
 			cp[sizeof(str->pid)] = '\0';
 		}
 		inqstrcpy (cp, str->pid);
-		if (c)
-			cp[sizeof(str->pid)] = c;
+
+		kfree(cname);
 	} else {
 		struct aac_driver_ident *mp = aac_get_driver_ident(dev->cardtype);
 

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 197/410] netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, syzbot+5cb189720978275e4c75, Cong Wang,
	Pablo Neira Ayuso, Florian Westphal

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

commit 7dc68e98757a8eccf8ca7a53a29b896f1eef1f76 upstream.

rateest_hash is supposed to be protected by xt_rateest_mutex,
and, as suggested by Eric, lookup and insert should be atomic,
so we should acquire the xt_rateest_mutex once for both.

So introduce a non-locking helper for internal use and keep the
locking one for external.

Reported-by: <syzbot+5cb189720978275e4c75@syzkaller.appspotmail.com>
Fixes: 5859034d7eb8 ("[NETFILTER]: x_tables: add RATEEST target")
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/xt_RATEEST.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -40,23 +40,31 @@ static void xt_rateest_hash_insert(struc
 	hlist_add_head(&est->list, &rateest_hash[h]);
 }
 
-struct xt_rateest *xt_rateest_lookup(const char *name)
+static struct xt_rateest *__xt_rateest_lookup(const char *name)
 {
 	struct xt_rateest *est;
 	unsigned int h;
 
 	h = xt_rateest_hash(name);
-	mutex_lock(&xt_rateest_mutex);
 	hlist_for_each_entry(est, &rateest_hash[h], list) {
 		if (strcmp(est->name, name) == 0) {
 			est->refcnt++;
-			mutex_unlock(&xt_rateest_mutex);
 			return est;
 		}
 	}
-	mutex_unlock(&xt_rateest_mutex);
+
 	return NULL;
 }
+
+struct xt_rateest *xt_rateest_lookup(const char *name)
+{
+	struct xt_rateest *est;
+
+	mutex_lock(&xt_rateest_mutex);
+	est = __xt_rateest_lookup(name);
+	mutex_unlock(&xt_rateest_mutex);
+	return est;
+}
 EXPORT_SYMBOL_GPL(xt_rateest_lookup);
 
 void xt_rateest_put(struct xt_rateest *est)
@@ -104,8 +112,10 @@ static int xt_rateest_tg_checkentry(cons
 		rnd_inited = true;
 	}
 
-	est = xt_rateest_lookup(info->name);
+	mutex_lock(&xt_rateest_mutex);
+	est = __xt_rateest_lookup(info->name);
 	if (est) {
+		mutex_unlock(&xt_rateest_mutex);
 		/*
 		 * If estimator parameters are specified, they must match the
 		 * existing estimator.
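
Review bot: mutex_unlock() right after the lookup hit means the whole existing-estimator branch runs without xt_rateest_mutex, while the last hunk makes err1 unlock unconditionally; any goto err1 from inside that branch would unlock a mutex that is not held. The branch body is not shown in full here, so please confirm it only returns directly, or keep the lock until the branch exits so that every path to err1 holds it.
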
@@ -143,11 +153,13 @@ static int xt_rateest_tg_checkentry(cons
 
 	info->est = est;
 	xt_rateest_hash_insert(est);
+	mutex_unlock(&xt_rateest_mutex);
 	return 0;
 
 err2:
 	kfree(est);
 err1:
+	mutex_unlock(&xt_rateest_mutex);
 	return ret;
 }
 

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 367/410] net: systemport: Rewrite __bcm_sysport_tx_reclaim()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 484d802d0f2f29c335563fcac2a8facf174a1bbc upstream.

There is no need for complex checking between the last consumed index
and current consumed index, a simple subtraction will do.

This also eliminates the possibility of a permanent transmit queue stall
under the following conditions:

- one CPU bursts ring->size worth of traffic (up to 256 buffers), to the
  point where we run out of free descriptors, so we stop the transmit
  queue at the end of bcm_sysport_xmit()

- because of our locking, we have the transmit process disable
  interrupts which means we can be blocking the TX reclamation process

- when TX reclamation finally runs, we will be computing the difference
  between ring->c_index (last consumed index by SW) and what the HW
  reports through its register

- this register is masked with (ring->size - 1) = 0xff, which will lead
  to stripping the upper bits of the index (register is 16-bits wide)

- we will be computing last_tx_cn as 0, which means there is no work to
  be done, and we never wake-up the transmit queue, leaving it
  permanently disabled

A practical example is e.g: ring->c_index aka last_c_index = 12, we
pushed 256 entries, HW consumer index = 268, we mask it with 0xff = 12,
so last_tx_cn == 0, nothing happens.

Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bcmsysport.c | 33 ++++++++++------------
 drivers/net/ethernet/broadcom/bcmsysport.h |  2 +-
 2 files changed, 16 insertions(+), 19 deletions(-)

--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -584,37 +584,33 @@ static unsigned int __bcm_sysport_tx_rec
 					     struct bcm_sysport_tx_ring *ring)
 {
 	struct net_device *ndev = priv->netdev;
-	unsigned int c_index, last_c_index, last_tx_cn, num_tx_cbs;
 	unsigned int pkts_compl = 0, bytes_compl = 0;
+	unsigned int txbds_processed = 0;
 	struct bcm_sysport_cb *cb;
+	unsigned int txbds_ready;
+	unsigned int c_index;
 	u32 hw_ind;
 
 	/* Compute how many descriptors have been processed since last call */
 	hw_ind = tdma_readl(priv, TDMA_DESC_RING_PROD_CONS_INDEX(ring->index));
 	c_index = (hw_ind >> RING_CONS_INDEX_SHIFT) & RING_CONS_INDEX_MASK;
-	ring->p_index = (hw_ind & RING_PROD_INDEX_MASK);
-
-	last_c_index = ring->c_index;
-	num_tx_cbs = ring->size;
-
-	c_index &= (num_tx_cbs - 1);
-
-	if (c_index >= last_c_index)
-		last_tx_cn = c_index - last_c_index;
-	else
-		last_tx_cn = num_tx_cbs - last_c_index + c_index;
+	txbds_ready = (c_index - ring->c_index) & RING_CONS_INDEX_MASK;
 
 	netif_dbg(priv, tx_done, ndev,
-			"ring=%d c_index=%d last_tx_cn=%d last_c_index=%d\n",
-			ring->index, c_index, last_tx_cn, last_c_index);
+		  "ring=%d old_c_index=%u c_index=%u txbds_ready=%u\n",
+		  ring->index, ring->c_index, c_index, txbds_ready);
 
-	while (last_tx_cn-- > 0) {
-		cb = ring->cbs + last_c_index;
+	while (txbds_processed < txbds_ready) {
+		cb = &ring->cbs[ring->clean_index];
 		bcm_sysport_tx_reclaim_one(priv, cb, &bytes_compl, &pkts_compl);
 
 		ring->desc_count++;
-		last_c_index++;
-		last_c_index &= (num_tx_cbs - 1);
+		txbds_processed++;
+
+		if (likely(ring->clean_index < ring->size - 1))
+			ring->clean_index++;
+		else
+			ring->clean_index = 0;
 	}
 
 	ring->c_index = c_index;
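
Review bot: txbds_ready is taken straight from the hardware index modulo 16 bits, with no check against ring->size or the number of descriptors actually outstanding, so a bad register read makes the while loop walk clean_index over control blocks that were never queued. A clamp or WARN_ON(txbds_ready > ring->size) before the loop would bound it. The scheme also needs ring->c_index and the hardware consumer index to start in step with clean_index = 0, which this hunk does not show.
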
@@ -1036,6 +1032,7 @@ static int bcm_sysport_init_tx_ring(stru
 	netif_napi_add(priv->netdev, &ring->napi, bcm_sysport_tx_poll, 64);
 	ring->index = index;
 	ring->size = size;
+	ring->clean_index = 0;
 	ring->alloc_size = ring->size;
 	ring->desc_cpu = p;
 	ring->desc_count = ring->size;
--- a/drivers/net/ethernet/broadcom/bcmsysport.h
+++ b/drivers/net/ethernet/broadcom/bcmsysport.h
@@ -624,7 +624,7 @@ struct bcm_sysport_tx_ring {
 	unsigned int	desc_count;	/* Number of descriptors */
 	unsigned int	curr_desc;	/* Current descriptor */
 	unsigned int	c_index;	/* Last consumer index */
-	unsigned int	p_index;	/* Current producer index */
+	unsigned int	clean_index;	/* Current clean index */
 	struct bcm_sysport_cb *cbs;	/* Transmit control blocks */
 	struct dma_desc	*desc_cpu;	/* CPU view of the descriptor */
 	struct bcm_sysport_priv *priv;	/* private context backpointer */

^ permalink raw reply	[flat|nested] 445+ messages in thread
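
The stall described in the commit message above, reproduced as an added example (not code from the patch or the driver): old_ready() follows the removed lines and new_ready() the added one. The function names are hypothetical, and the 0xffff mask is an assumption taken from the message's statement that the register is 16 bits wide.

```c
#include <stdio.h>

#define RING_SIZE       256u    /* ring->size in the commit message example */
#define CONS_INDEX_MASK 0xffffu /* assumed: "register is 16-bits wide" */

/*
 * Pre-patch arithmetic: the hardware consumer index is folded into the
 * ring size first, then compared with the last index software saw.
 * A burst of exactly RING_SIZE descriptors folds back onto the old
 * value and is indistinguishable from "nothing happened".
 */
static unsigned int old_ready(unsigned int hw_c_index,
			      unsigned int last_c_index)
{
	unsigned int c_index = hw_c_index & (RING_SIZE - 1);

	if (c_index >= last_c_index)
		return c_index - last_c_index;
	return RING_SIZE - last_c_index + c_index;
}

/*
 * Post-patch arithmetic: subtract the full-width indexes and wrap at
 * the register width, so a full ring of completions reads as RING_SIZE.
 */
static unsigned int new_ready(unsigned int hw_c_index,
			      unsigned int last_c_index)
{
	return (hw_c_index - last_c_index) & CONS_INDEX_MASK;
}

/*
 * Advance the software clean index the way the patched loop does, one
 * descriptor at a time with an explicit wrap, and return the final slot.
 */
static unsigned int advance_clean_index(unsigned int clean_index,
					unsigned int ready)
{
	unsigned int done;

	for (done = 0; done < ready; done++) {
		if (clean_index < RING_SIZE - 1)
			clean_index++;
		else
			clean_index = 0;
	}
	return clean_index;
}

int main(void)
{
	/* Values from the commit message: last index 12, 256 entries pushed. */
	unsigned int last = 12, hw = 268;

	printf("full burst:  old=%u new=%u\n",
	       old_ready(hw, last), new_ready(hw, last));

	/* Constructed case: a partial burst, where both forms agree. */
	printf("partial:     old=%u new=%u\n",
	       old_ready(20, 12), new_ready(20, 12));

	/* Constructed case: the 16-bit hardware counter itself wraps. */
	printf("16-bit wrap: new=%u\n", new_ready(5, 0xfffe));

	/* Reclaiming a full ring brings clean_index back to where it began. */
	printf("clean_index after full lap from 12: %u\n",
	       advance_clean_index(12, new_ready(hw, last)));
	return 0;
}
```

With the old arithmetic the full-ring burst yields 0 descriptors to reclaim, so the queue is never woken; the new arithmetic yields 256.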

* [PATCH 3.16 175/410] media: cxusb, dib0700: ignore XC2028_I2C_FLUSH
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mauro Carvalho Chehab, Enrico Mioso

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

commit 9893b905e743ded332575ca04486bd586c0772f7 upstream.

The XC2028_I2C_FLUSH only needs to be implemented on a few
devices. Others can safely ignore it.

That prevents filling the dmesg with lots of messages like:

	dib0700: stk7700ph_xc3028_callback: unknown command 2, arg 0

Fixes: 4d37ece757a8 ("[media] tuner/xc2028: Add I2C flush callback")
Reported-by: Enrico Mioso <mrkiko.rs@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/dvb-usb/cxusb.c           | 2 ++
 drivers/media/usb/dvb-usb/dib0700_devices.c | 1 +
 2 files changed, 3 insertions(+)

--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
@@ -816,6 +816,8 @@ static int dvico_bluebird_xc2028_callbac
 	case XC2028_RESET_CLK:
 		deb_info("%s: XC2028_RESET_CLK %d\n", __func__, arg);
 		break;
+	case XC2028_I2C_FLUSH:
+		break;
 	default:
 		deb_info("%s: unknown command %d, arg %d\n", __func__,
 			 command, arg);
--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
@@ -405,6 +405,7 @@ static int stk7700ph_xc3028_callback(voi
 		dib7000p_set_gpio(adap->fe_adap[0].fe, 8, 0, 1);
 		break;
 	case XC2028_RESET_CLK:
+	case XC2028_I2C_FLUSH:
 		break;
 	default:
 		err("%s: unknown command %d, arg %d\n", __func__,

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 153/410] USB: serial: add Novatel Wireless GPS driver
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Kirk Madsen

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit c5cd24d7b179a415df263e5b18b72f6e3aaf81e0 upstream.

Add simple driver for Novatel Wireless GPS receivers.

Reported-by: Kirk Madsen <kirkm@Navsys.com>
Tested-by: Kirk Madsen <kirkm@Navsys.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/Kconfig             | 1 +
 drivers/usb/serial/usb-serial-simple.c | 7 +++++++
 2 files changed, 8 insertions(+)

--- a/drivers/usb/serial/Kconfig
+++ b/drivers/usb/serial/Kconfig
@@ -62,6 +62,7 @@ config USB_SERIAL_SIMPLE
 		- Google USB serial devices
 		- HP4x calculators
 		- a number of Motorola phones
+		- Novatel Wireless GPS receivers
 		- Siemens USB/MPI adapter.
 		- ViVOtech ViVOpay USB device.
 		- Infineon Modem Flashloader USB interface
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -75,6 +75,11 @@ DEVICE(vivopay, VIVOPAY_IDS);
 	{ USB_DEVICE(0x22b8, 0x2c64) }	/* Motorola V950 phone */
 DEVICE(moto_modem, MOTO_IDS);
 
+/* Novatel Wireless GPS driver */
+#define NOVATEL_IDS()			\
+	{ USB_DEVICE(0x09d7, 0x0100) }	/* NovAtel FlexPack GPS */
+DEVICE_N(novatel_gps, NOVATEL_IDS, 3);
+
 /* HP4x (48/49) Generic Serial driver */
 #define HP4X_IDS()			\
 	{ USB_DEVICE(0x03f0, 0x0121) }
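
Review bot: DEVICE_N(novatel_gps, NOVATEL_IDS, 3) hard-codes three ports with nothing in the comment or the changelog saying where that number comes from; a short comment on the port layout would help the next person adding an ID. The added block comment also says "Novatel Wireless" while the device comment says "NovAtel FlexPack GPS", so the vendor naming should be made consistent here and in the Kconfig entry.
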
@@ -99,6 +104,7 @@ static struct usb_serial_driver * const
 	&google_device,
 	&vivopay_device,
 	&moto_modem_device,
+	&novatel_gps_device,
 	&hp4x_device,
 	&suunto_device,
 	&siemens_mpi_device,
@@ -112,6 +118,7 @@ static const struct usb_device_id id_tab
 	GOOGLE_IDS(),
 	VIVOPAY_IDS(),
 	MOTO_IDS(),
+	NOVATEL_IDS(),
 	HP4X_IDS(),
 	SUUNTO_IDS(),
 	SIEMENS_IDS(),

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 196/410] arm64: KVM: Increment PC after handling an SMC trap
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christoffer Dall, Catalin Marinas, Ard Biesheuvel, Marc Zyngier

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit f5115e8869e1dfafac0e414b4f1664f3a84a4683 upstream.

When handling an SMC trap, the "preferred return address" is set
to that of the SMC, and not the next PC (which is a departure from
the behaviour of an SMC that isn't trapped).

Increment PC in the handler, as the guest is otherwise forever
stuck...

Fixes: acfb3b883f6d ("arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls")
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kvm/handle_exit.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/arm64/kvm/handle_exit.c
+++ b/arch/arm64/kvm/handle_exit.c
@@ -43,7 +43,16 @@ static int handle_hvc(struct kvm_vcpu *v
 
 static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run)
 {
+	/*
+	 * "If an SMC instruction executed at Non-secure EL1 is
+	 * trapped to EL2 because HCR_EL2.TSC is 1, the exception is a
+	 * Trap exception, not a Secure Monitor Call exception [...]"
+	 *
+	 * We need to advance the PC after the trap, as it would
+	 * otherwise return to the same address...
+	 */
 	*vcpu_reg(vcpu, 0) = ~0UL;
+	kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
 	return 1;
 }
 

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 045/410] x86/pti: Mark constant arrays as __initconst
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andy Lutomirski, Arnd Bergmann, Thomas Garnier,
	Thomas Gleixner, Greg Kroah-Hartman, Ricardo Neri,
	Borislav Petkov, David Woodhouse

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 4bf5d56d429cbc96c23d809a08f63cd29e1a702e upstream.

I'm seeing build failures from the two newly introduced arrays that
are marked 'const' and '__initdata', which are mutually exclusive:

arch/x86/kernel/cpu/common.c:882:43: error: 'cpu_no_speculation' causes a section type conflict with 'e820_table_firmware_init'
arch/x86/kernel/cpu/common.c:895:43: error: 'cpu_no_meltdown' causes a section type conflict with 'e820_table_firmware_init'

The correct annotation is __initconst.

Fixes: fec9434a12f3 ("x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Thomas Garnier <thgarnie@google.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Link: https://lkml.kernel.org/r/20180202213959.611210-1-arnd@arndb.de
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -763,7 +763,7 @@ static void identify_cpu_without_cpuid(s
 #endif
 }
 
-static const __initdata struct x86_cpu_id cpu_no_speculation[] = {
+static const __initconst struct x86_cpu_id cpu_no_speculation[] = {
 	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_CEDARVIEW,	X86_FEATURE_ANY },
 	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_CLOVERVIEW,	X86_FEATURE_ANY },
 	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_LINCROFT,	X86_FEATURE_ANY },
@@ -776,7 +776,7 @@ static const __initdata struct x86_cpu_i
 	{}
 };
 
-static const __initdata struct x86_cpu_id cpu_no_meltdown[] = {
+static const __initconst struct x86_cpu_id cpu_no_meltdown[] = {
 	{ X86_VENDOR_AMD },
 	{}
 };

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 033/410] x86/traps: Enable DEBUG_STACK after cpu_init() for TRAP_DB/BP
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steven Rostedt, Masami Hiramatsu, Wang Nan, Ingo Molnar,
	dave.hansen, oleg, lizefan, luto

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wang Nan <wangnan0@huawei.com>

commit b4d8327024637cb2a1f7910dcb5d0ad7a096f473 upstream.

Before this patch early_trap_init() installs DEBUG_STACK for
X86_TRAP_BP and X86_TRAP_DB. However, DEBUG_STACK doesn't work
correctly until cpu_init() <-- trap_init().

This patch passes 0 to set_intr_gate_ist() and
set_system_intr_gate_ist() instead of DEBUG_STACK to let it use
same stack as kernel, and installs DEBUG_STACK for them in
trap_init().

As core runs at ring 0 between early_trap_init() and
trap_init(), there is no chance to get a bad stack before
trap_init().

As NMI is also enabled in trap_init(), we don't need to care
about is_debug_stack() and related things used in
arch/x86/kernel/nmi.c.

Signed-off-by: Wang Nan <wangnan0@huawei.com>
Reviewed-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: <dave.hansen@linux.intel.com>
Cc: <lizefan@huawei.com>
Cc: <luto@amacapital.net>
Cc: <oleg@redhat.com>
Link: http://lkml.kernel.org/r/1424929779-13174-1-git-send-email-wangnan0@huawei.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/traps.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -773,9 +773,17 @@ dotraplinkage void do_iret_error(struct
 /* Set of traps needed for early debugging. */
 void __init early_trap_init(void)
 {
-	set_intr_gate_ist(X86_TRAP_DB, &debug, DEBUG_STACK);
+	/*
+	 * Don't set ist to DEBUG_STACK as it doesn't work until TSS is
+	 * ready in cpu_init() <-- trap_init(). Before trap_init(), CPU
+	 * runs at ring 0 so it is impossible to hit an invalid stack.
+	 * Using the original stack works well enough at this early
+	 * stage. DEBUG_STACK will be equipped after cpu_init() in
+	 * trap_init().
+	 */
+	set_intr_gate_ist(X86_TRAP_DB, &debug, 0);
 	/* int3 can be called from all */
-	set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK);
+	set_system_intr_gate_ist(X86_TRAP_BP, &int3, 0);
 #ifdef CONFIG_X86_32
 	set_intr_gate(X86_TRAP_PF, page_fault);
 #endif
@@ -853,6 +861,15 @@ void __init trap_init(void)
 	 */
 	cpu_init();
 
+	/*
+	 * X86_TRAP_DB and X86_TRAP_BP have been set
+	 * in early_trap_init(). However, DEBUG_STACK works only after
+	 * cpu_init() loads TSS. See comments in early_trap_init().
+	 */
+	set_intr_gate_ist(X86_TRAP_DB, &debug, DEBUG_STACK);
+	/* int3 can be called from all */
+	set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK);
+
 	x86_init.irqs.trap_init();
 
 #ifdef CONFIG_X86_64

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 179/410] scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tyrel Datwyler, Martin K. Petersen, Hannes Reinecke

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>

commit c39813652700f3df552b6557530f1e5f782dbe2f upstream.

The fcp_rsp_info structure as defined in the FC spec has an initial 3
bytes reserved field. The ibmvfc driver mistakenly defined this field as
4 bytes resulting in the rsp_code field being defined in what should be
the start of the second reserved field and thus always being reported as
zero by the driver.

Ideally, we should wire ibmvfc up with libfc for the sake of code
deduplication, and ease of maintaining standardized structures in a
single place. However, for now simply fixup the definition in ibmvfc for
backporting to distros on older kernels. Wiring up with libfc will be
done in a followup patch.

Reported-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/ibmvscsi/ibmvfc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/ibmvscsi/ibmvfc.h
+++ b/drivers/scsi/ibmvscsi/ibmvfc.h
@@ -366,7 +366,7 @@ enum ibmvfc_fcp_rsp_info_codes {
 };
 
 struct ibmvfc_fcp_rsp_info {
-	u16 reserved;
+	u8 reserved[3];
 	u8 rsp_code;
 	u8 reserved2[4];
 }__attribute__((packed, aligned (2)));
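
Review bot: the layout this fix depends on (rsp_code at byte offset 3, 8 bytes in total) is not enforced anywhere in the hunk, which is how the u16 slipped through in the first place. A BUILD_BUG_ON(offsetof(struct ibmvfc_fcp_rsp_info, rsp_code) != 3) next to a user of the struct, plus a size check, would stop the field drifting again until the libfc conversion mentioned in the changelog lands.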

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 019/410] ext4: add validity checks for bitmap block numbers
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Wen Xu

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.

A privileged attacker can cause a crash by mounting a crafted ext4
image which triggers an out-of-bounds read in the function
ext4_valid_block_bitmap() in fs/ext4/balloc.c.

This issue has been assigned CVE-2018-1093.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16:
 - In ext4_read_block_bitmap_nowait() and ext4_read_inode_bitmap(),
   return NULL on error
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -340,20 +340,25 @@ static ext4_fsblk_t ext4_valid_block_bit
 	/* check whether block bitmap block number is set */
 	blk = ext4_block_bitmap(sb, desc);
 	offset = blk - group_first_block;
-	if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
 		/* bad block bitmap */
 		return blk;
 
 	/* check whether the inode bitmap block number is set */
 	blk = ext4_inode_bitmap(sb, desc);
 	offset = blk - group_first_block;
-	if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+	    !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
 		/* bad block bitmap */
 		return blk;
 
 	/* check whether the inode table block number is set */
 	blk = ext4_inode_table(sb, desc);
 	offset = blk - group_first_block;
+	if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+	    EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
+		return blk;
 	next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
 			EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
 			EXT4_B2C(sbi, offset));
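Review bot: In all three new checks the limit for EXT4_B2C(sbi, offset) is sb->s_blocksize, a byte count, while the value is used as a bit index into bh->b_data by ext4_test_bit() and ext4_find_next_zero_bit(). If the bitmap buffer is one block it holds s_blocksize * 8 bits, so this bound is safe but tighter than the buffer requires and could report a valid layout as a bad bitmap; please state the intended limit in a comment or compare against the number of bits. The third check also returns blk without the comment the two above it carry, and it uses sbi->s_itb_per_group where the call that follows uses EXT4_SB(sb)->s_itb_per_group.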
@@ -416,6 +421,7 @@ struct buffer_head *
 ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
 {
 	struct ext4_group_desc *desc;
+	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	struct buffer_head *bh;
 	ext4_fsblk_t bitmap_blk;
 
@@ -423,6 +429,12 @@ ext4_read_block_bitmap_nowait(struct sup
 	if (!desc)
 		return NULL;
 	bitmap_blk = ext4_block_bitmap(sb, desc);
+	if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
+	    (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
+		ext4_error(sb, "Invalid block bitmap block %llu in "
+			   "block_group %u", bitmap_blk, block_group);
+		return NULL;
+	}
 	bh = sb_getblk(sb, bitmap_blk);
 	if (unlikely(!bh)) {
 		ext4_error(sb, "Cannot get buffer for block bitmap - "
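Review bot: The range check on bitmap_blk added here is repeated verbatim in ext4_read_inode_bitmap() in ialloc.c, so a small helper taking sbi and the block number would keep the two limits from diverging. The ext4_error() format string is split across two lines, which makes the message harder to grep for; keeping it on one line is preferable even past 80 columns. Returning NULL also leaves callers unable to tell a corrupted descriptor from the sb_getblk() failure handled just below.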
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -133,6 +133,12 @@ ext4_read_inode_bitmap(struct super_bloc
 		return NULL;
 
 	bitmap_blk = ext4_inode_bitmap(sb, desc);
+	if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
+	    (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
+		ext4_error(sb, "Invalid inode bitmap blk %llu in "
+			   "block_group %u", bitmap_blk, block_group);
+		return NULL;
+	}
 	bh = sb_getblk(sb, bitmap_blk);
 	if (unlikely(!bh)) {
 		ext4_error(sb, "Cannot read inode bitmap - "
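Review bot: This hunk uses sbi in ext4_read_inode_bitmap(), but unlike the balloc.c change, which adds `struct ext4_sb_info *sbi = EXT4_SB(sb);`, nothing in the visible lines declares it here. Please confirm the 3.16 function already has sbi in scope, or add the declaration so the backport builds.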

^ permalink raw reply	[flat|nested] 445+ messages in thread
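Why the range tests have to come before the bit test, as an added user-space model that is not kernel code: a block number taken from an untrusted group descriptor is turned into a bitmap index, and values below the group or far past it are rejected before the bitmap is touched. The struct, the function names, the 1024-byte block size and the sample values are constructed for illustration; the limit mirrors the patch's comparison against the block size.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCKSIZE 1024u   /* assumed block size in bytes (stands in for sb->s_blocksize) */

/* Hypothetical, simplified model of one block group; not the kernel's types. */
struct group_model {
	uint64_t first_block;       /* first block number of the group */
	unsigned cluster_bits;      /* log2(blocks per cluster), models EXT4_B2C() */
	uint8_t bitmap[BLOCKSIZE];  /* models bh->b_data */
};

/* Little-endian bit test; the caller must have bounded nr already. */
static int bit_is_set(const uint8_t *map, uint64_t nr)
{
	return (map[nr >> 3] >> (nr & 7)) & 1;
}

/*
 * Returns 0 when blk lies inside the group and is marked in use, or blk
 * itself when the descriptor value must be rejected. The range tests run
 * first, so a bad value never indexes the bitmap.
 */
uint64_t check_metadata_block(const struct group_model *g, uint64_t blk)
{
	int64_t offset = (int64_t)blk - (int64_t)g->first_block;
	uint64_t bit;

	if (offset < 0)                 /* block lies before this group */
		return blk;
	bit = (uint64_t)offset >> g->cluster_bits;
	if (bit >= BLOCKSIZE)           /* same limit as the patch */
		return blk;
	if (!bit_is_set(g->bitmap, bit))
		return blk;
	return 0;
}

/* Constructed sample group: starts at block 8193, block 8194 marked in use. */
struct group_model sample_group(void)
{
	struct group_model g = { .first_block = 8193, .cluster_bits = 0 };

	g.bitmap[0] = 0x02;
	return g;
}

int main(void)
{
	struct group_model g = sample_group();
	/* Constructed descriptor values: valid, below group, far past group, unset bit. */
	const uint64_t cases[] = { 8194, 8000, 8193 + 5000000ULL, 8195 };

	for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("blk %llu -> %s\n", (unsigned long long)cases[i],
		       check_metadata_block(&g, cases[i]) ? "rejected" : "ok");
	return 0;
}
```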

* [PATCH 3.16 203/410] pipe: simplify logic in alloc_pipe_info()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (186 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 279/410] KVM: mmu: Fix overlap between public and private memslots Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 186/410] Btrfs: fix deadlock in run_delalloc_nocow Ben Hutchings
                   ` (221 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Tetsuo Handa, Vegard Nossum,
	Michael Kerrisk (man-pages),
	socketpair, Al Viro, Willy Tarreau, Jens Axboe

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>

commit 09b4d1990094dd22c27fb0163534db419458569c upstream.

Replace an 'if' block that covers most of the code in this function
with a 'goto'. This makes the code a little simpler to read, and also
simplifies the next patch (fix limit checking in alloc_pipe_info())

Link: http://lkml.kernel.org/r/aef030c1-0257-98a9-4988-186efa48530c@gmail.com
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: <socketpair@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Jens Axboe <axboe@fb.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Don't use GFP_KERNEL_ACCOUNT
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -611,31 +611,34 @@ static bool too_many_pipe_buffers_hard(s
 struct pipe_inode_info *alloc_pipe_info(void)
 {
 	struct pipe_inode_info *pipe;
+	unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
+	struct user_struct *user = get_current_user();
 
 	pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL);
-	if (pipe) {
-		unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
-		struct user_struct *user = get_current_user();
+	if (pipe == NULL)
+		goto out_free_uid;
 
-		if (!too_many_pipe_buffers_hard(user)) {
-			if (too_many_pipe_buffers_soft(user))
-				pipe_bufs = 1;
-			pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL);
-		}
+	if (!too_many_pipe_buffers_hard(user)) {
+		if (too_many_pipe_buffers_soft(user))
+			pipe_bufs = 1;
+		pipe->bufs = kcalloc(pipe_bufs,
+				     sizeof(struct pipe_buffer),
+				     GFP_KERNEL);
+	}
 
-		if (pipe->bufs) {
-			init_waitqueue_head(&pipe->wait);
-			pipe->r_counter = pipe->w_counter = 1;
-			pipe->buffers = pipe_bufs;
-			pipe->user = user;
-			account_pipe_buffers(user, 0, pipe_bufs);
-			mutex_init(&pipe->mutex);
-			return pipe;
-		}
-		free_uid(user);
-		kfree(pipe);
+	if (pipe->bufs) {
+		init_waitqueue_head(&pipe->wait);
+		pipe->r_counter = pipe->w_counter = 1;
+		pipe->buffers = pipe_bufs;
+		pipe->user = user;
+		account_pipe_buffers(user, 0, pipe_bufs);
+		mutex_init(&pipe->mutex);
+		return pipe;
 	}
 
+	kfree(pipe);
+out_free_uid:
+	free_uid(user);
 	return NULL;
 }
 
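Review bot: The switch from kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, ...) to kcalloc(pipe_bufs, sizeof(struct pipe_buffer), ...) is not mentioned in the commit message, which describes only replacing the 'if' block with a 'goto'. It is a sensible change, since kcalloc checks the multiplication for overflow, but it deserves a line in the changelog. Also, when too_many_pipe_buffers_hard(user) is true the code reaches `if (pipe->bufs)` relying on kzalloc having zeroed that field; a short comment or an explicit jump to the cleanup would make that failure path obvious.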

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 075/410] spi: sun6i: disable/unprepare clocks on remove
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (156 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 213/410] pipe: fix off-by-one error when checking buffer limits Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 134/410] USB: cdc-acm: Do not log urb submission errors on disconnect Ben Hutchings
                   ` (251 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Maxime Ripard, Tobias Jordan

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Jordan <Tobias.Jordan@elektrobit.com>

commit 2d9bbd02c54094ceffa555143b0d68cd06504d63 upstream.

sun6i_spi_probe() uses sun6i_spi_runtime_resume() to prepare/enable
clocks, so sun6i_spi_remove() should use sun6i_spi_runtime_suspend() to
disable/unprepare them if we're not suspended.
Replacing pm_runtime_disable() by pm_runtime_force_suspend() will ensure
that sun6i_spi_runtime_suspend() is called if needed.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver)
Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-sun6i.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -457,7 +457,7 @@ err_free_master:
 
 static int sun6i_spi_remove(struct platform_device *pdev)
 {
-	pm_runtime_disable(&pdev->dev);
+	pm_runtime_force_suspend(&pdev->dev);
 
 	return 0;
 }
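Review bot: The return value of pm_runtime_force_suspend() is discarded and sun6i_spi_remove() still returns 0 unconditionally, so a failure in the suspend callback that disables the clocks would go unnoticed. Consider at least logging a non-zero result. A one-line comment saying this call replaces pm_runtime_disable() because it also runs sun6i_spi_runtime_suspend() when needed would help future readers.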

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 246/410] binder: check for binder_thread allocation failure in binder_poll()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 327/410] usb: quirks: add control message delay for 1b1c:1b20 Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 309/410] xen: Add xen_arch_suspend() Ben Hutchings
                   ` (369 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Eric Biggers, syzbot

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.

If the kzalloc() in binder_get_thread() fails, binder_poll()
dereferences the resulting NULL pointer.

Fix it by returning POLLERR if the memory allocation failed.

This bug was found by syzkaller using fault injection.

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Drop the binder global lock before returning
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -2572,6 +2572,10 @@ static unsigned int binder_poll(struct f
 	binder_lock(__func__);
 
 	thread = binder_get_thread(proc);
+	if (!thread) {
+		binder_unlock(__func__);
+		return POLLERR;
+	}
 
 	wait_for_proc_work = thread->transaction_stack == NULL &&
 		list_empty(&thread->todo) && thread->return_error == BR_OK;
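Review bot: The new error path has to repeat binder_unlock(__func__) by hand before returning, so any further early exit added between binder_lock() and the end of binder_poll() must remember to do the same; a single unlock label reached by goto would be more robust. A short comment that a NULL thread means the allocation in binder_get_thread() failed would also explain why POLLERR is returned.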

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 122/410] crypto: cryptd - pass through absence of ->setkey()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (189 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 387/410] ALSA: aloop: Sync stale timer before release Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 215/410] pipe: simplify round_pipe_size() Ben Hutchings
                   ` (218 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Eric Biggers

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 841a3ff329713f796a63356fef6e2f72e4a3f6a3 upstream.

When the cryptd template is used to wrap an unkeyed hash algorithm,
don't install a ->setkey() method to the cryptd instance.  This change
is necessary for cryptd to keep working with unkeyed hash algorithms
once we start enforcing that ->setkey() is called when present.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/cryptd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -617,7 +617,8 @@ static int cryptd_create_hash(struct cry
 	inst->alg.finup  = cryptd_hash_finup_enqueue;
 	inst->alg.export = cryptd_hash_export;
 	inst->alg.import = cryptd_hash_import;
-	inst->alg.setkey = cryptd_hash_setkey;
+	if (crypto_shash_alg_has_setkey(salg))
+		inst->alg.setkey = cryptd_hash_setkey;
 	inst->alg.digest = cryptd_hash_digest_enqueue;
 
 	err = ahash_register_instance(tmpl, inst);
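Review bot: When crypto_shash_alg_has_setkey(salg) is false, inst->alg.setkey is simply left unassigned, so correctness depends on inst having been zero-initialised when it was allocated, which is outside the visible lines. A one-line comment above the `if` saying that a missing ->setkey() marks the instance as unkeyed would record why this assignment is conditional while the surrounding ones are not.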

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 407/410] RDMA/ucma: Check that device is connected prior to access it
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 001/410] MIPS: Normalise code flow in the CpU exception handler Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 141/410] nfs: Do not convert nfs_idmap_cache_timeout to jiffies Ben Hutchings
                   ` (407 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jason Gunthorpe, Leon Romanovsky, syzbot+7b62c837c2516f8f38c8

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 4b658d1bbc16605330694bb3ef2570c465ef383d upstream.

Add missing check that device is connected prior to accessing it.

[   55.358652] BUG: KASAN: null-ptr-deref in rdma_init_qp_attr+0x4a/0x2c0
[   55.359389] Read of size 8 at addr 00000000000000b0 by task qp/618
[   55.360255]
[   55.360432] CPU: 1 PID: 618 Comm: qp Not tainted 4.16.0-rc1-00071-gcaf61b1b8b88 #91
[   55.361693] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   55.363264] Call Trace:
[   55.363833]  dump_stack+0x5c/0x77
[   55.364215]  kasan_report+0x163/0x380
[   55.364610]  ? rdma_init_qp_attr+0x4a/0x2c0
[   55.365238]  rdma_init_qp_attr+0x4a/0x2c0
[   55.366410]  ucma_init_qp_attr+0x111/0x200
[   55.366846]  ? ucma_notify+0xf0/0xf0
[   55.367405]  ? _get_random_bytes+0xea/0x1b0
[   55.367846]  ? urandom_read+0x2f0/0x2f0
[   55.368436]  ? kmem_cache_alloc_trace+0xd2/0x1e0
[   55.369104]  ? refcount_inc_not_zero+0x9/0x60
[   55.369583]  ? refcount_inc+0x5/0x30
[   55.370155]  ? rdma_create_id+0x215/0x240
[   55.370937]  ? _copy_to_user+0x4f/0x60
[   55.371620]  ? mem_cgroup_commit_charge+0x1f5/0x290
[   55.372127]  ? _copy_from_user+0x5e/0x90
[   55.372720]  ucma_write+0x174/0x1f0
[   55.373090]  ? ucma_close_id+0x40/0x40
[   55.373805]  ? __lru_cache_add+0xa8/0xd0
[   55.374403]  __vfs_write+0xc4/0x350
[   55.374774]  ? kernel_read+0xa0/0xa0
[   55.375173]  ? fsnotify+0x899/0x8f0
[   55.375544]  ? fsnotify_unmount_inodes+0x170/0x170
[   55.376689]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
[   55.377522]  ? handle_mm_fault+0x174/0x320
[   55.378169]  vfs_write+0xf7/0x280
[   55.378864]  SyS_write+0xa1/0x120
[   55.379270]  ? SyS_read+0x120/0x120
[   55.379643]  ? mm_fault_error+0x180/0x180
[   55.380071]  ? task_work_run+0x7d/0xd0
[   55.380910]  ? __task_pid_nr_ns+0x120/0x140
[   55.381366]  ? SyS_read+0x120/0x120
[   55.381739]  do_syscall_64+0xeb/0x250
[   55.382143]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   55.382841] RIP: 0033:0x7fc2ef803e99
[   55.383227] RSP: 002b:00007fffcc5f3be8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[   55.384173] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc2ef803e99
[   55.386145] RDX: 0000000000000057 RSI: 0000000020000080 RDI: 0000000000000003
[   55.388418] RBP: 00007fffcc5f3c00 R08: 0000000000000000 R09: 0000000000000000
[   55.390542] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000400480
[   55.392916] R13: 00007fffcc5f3cf0 R14: 0000000000000000 R15: 0000000000000000
[   55.521088] Code: e5 4d 1e ff 48 89 df 44 0f b6 b3 b8 01 00 00 e8 65 50 1e ff 4c 8b 2b 49
8d bd b0 00 00 00 e8 56 50 1e ff 41 0f b6 c6 48 c1 e0 04 <49> 03 85 b0 00 00 00 48 8d 78 08
48 89 04 24 e8 3a 4f 1e ff 48
[   55.525980] RIP: rdma_init_qp_attr+0x52/0x2c0 RSP: ffff8801e2c2f9d8
[   55.532648] CR2: 00000000000000b0
[   55.534396] ---[ end trace 70cee64090251c0b ]---

Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Fixes: d541e45500bd ("IB/core: Convert ah_attr from OPA to IB when copying to user")
Reported-by: <syzbot+7b62c837c2516f8f38c8@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/ucma.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1067,6 +1067,11 @@ static ssize_t ucma_init_qp_attr(struct
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
+	if (!ctx->cm_id->device) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	resp.qp_attr_mask = 0;
 	memset(&qp_attr, 0, sizeof qp_attr);
 	qp_attr.qp_state = cmd.qp_state;
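Review bot: The new check leaves through `goto out` rather than returning directly, so it relies on the out label, which is outside this hunk, releasing the ctx obtained above; please confirm that label exists in the 3.16 version of ucma_init_qp_attr() and does nothing that assumes a connected device. The test reads ctx->cm_id->device without any locking visible here, so a comment stating what keeps the device pointer stable between this test and the later use would be welcome.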

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 089/410] pinctrl: Really force states during suspend/resume
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (388 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 389/410] posix-timers: Protect posix clock array access against speculation Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 385/410] MIPS: ralink: Don't set pm_power_off Ben Hutchings
                   ` (19 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andy Shevchenko, Linus Walleij, Florian Fainelli

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 981ed1bfbc6c4660b2ddaa8392893e20a6255048 upstream.

In case a platform only defaults a "default" set of pins, but not a
"sleep" set of pins, and this particular platform suspends and resumes
in a way that the pin states are not preserved by the hardware, when we
resume, we would call pinctrl_single_resume() -> pinctrl_force_default()
-> pinctrl_select_state() and the first thing we do is check that the
pins state is the same as before, and do nothing.

In order to fix this, decouple the actual state change from
pinctrl_select_state() and move it to pinctrl_commit_state(), while keeping
the p->state == state check in pinctrl_select_state() not to change the
caller assumptions. pinctrl_force_sleep() and pinctrl_force_default()
are updated to bypass the state check by calling pinctrl_commit_state().

[Linus Walleij]
The forced pin control states are currently only used in some pin
controller drivers that grab their own reference to their own pins.
This is equal to the pin control hogs: pins taken by pin control
devices since there are no corresponding device in the Linux device
hierarchy, such as memory controller lines or unused GPIO lines,
or GPIO lines that are used orthogonally from the GPIO subsystem
but pincontrol-wise managed as hogs (non-strict mode, allowing
simultaneous use by GPIO and pin control). For this case forcing
the state from the drivers' suspend()/resume() callbacks makes
sense and should semantically match the name of the function.

Fixes: 6e5e959dde0d ("pinctrl: API changes to support multiple states per device")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pinctrl/core.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -977,19 +977,16 @@ struct pinctrl_state *pinctrl_lookup_sta
 EXPORT_SYMBOL_GPL(pinctrl_lookup_state);
 
 /**
- * pinctrl_select_state() - select/activate/program a pinctrl state to HW
+ * pinctrl_commit_state() - select/activate/program a pinctrl state to HW
  * @p: the pinctrl handle for the device that requests configuration
  * @state: the state handle to select/activate/program
  */
-int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
+static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state)
 {
 	struct pinctrl_setting *setting, *setting2;
 	struct pinctrl_state *old_state = p->state;
 	int ret;
 
-	if (p->state == state)
-		return 0;
-
 	if (p->state) {
 		/*
 		 * The set of groups with a mux configuration in the old state
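Review bot: The kerneldoc for the renamed pinctrl_commit_state() is word for word the text that pinctrl_select_state() keeps, so the comment no longer says what distinguishes the two. Please document here that this function programs the state unconditionally, without the p->state == state shortcut removed in this hunk, and that it is the variant meant for the forced suspend/resume paths.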
@@ -1067,6 +1064,19 @@ unapply_new_state:
 
 	return ret;
 }
+
+/**
+ * pinctrl_select_state() - select/activate/program a pinctrl state to HW
+ * @p: the pinctrl handle for the device that requests configuration
+ * @state: the state handle to select/activate/program
+ */
+int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
+{
+	if (p->state == state)
+		return 0;
+
+	return pinctrl_commit_state(p, state);
+}
 EXPORT_SYMBOL_GPL(pinctrl_select_state);
 
 static void devm_pinctrl_release(struct device *dev, void *res)
@@ -1235,7 +1245,7 @@ void pinctrl_unregister_map(struct pinct
 int pinctrl_force_sleep(struct pinctrl_dev *pctldev)
 {
 	if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_sleep))
-		return pinctrl_select_state(pctldev->p, pctldev->hog_sleep);
+		return pinctrl_commit_state(pctldev->p, pctldev->hog_sleep);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
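Review bot: pinctrl_force_sleep() now calls pinctrl_commit_state(), so the hog_sleep settings are rewritten to hardware on every call even when p->state already equals hog_sleep; pinctrl_force_default() changes the same way in the following hunk. That is the intent of the patch, but the function comments should say so, since callers that previously got a cheap no-op now trigger a full reprogram.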
@@ -1247,7 +1257,7 @@ EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
 int pinctrl_force_default(struct pinctrl_dev *pctldev)
 {
 	if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_default))
-		return pinctrl_select_state(pctldev->p, pctldev->hog_default);
+		return pinctrl_commit_state(pctldev->p, pctldev->hog_default);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(pinctrl_force_default);

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 219/410] powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (362 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 095/410] pktcdvd: Fix pkt_setup_dev() error path Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 155/410] USB: serial: simple: add Motorola Tetra driver Ben Hutchings
                   ` (45 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nathan Fontenot, Tyrel Datwyler, Michael Ellerman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Fontenot <nfont@linux.vnet.ibm.com>

commit 1d9a090783bef19fe8cdec878620d22f05191316 upstream.

When DLPAR removing a CPU, the unmapping of the cpu from a node in
unmap_cpu_from_node() should also invalidate the CPUs entry in the
numa_cpu_lookup_table. There is not a guarantee that on a subsequent
DLPAR add of the CPU the associativity will be the same and thus
could be in a different node. Invalidating the entry in the
numa_cpu_lookup_table causes the associativity to be read from the
device tree at the time of the add.

The current behavior of not invalidating the CPUs entry in the
numa_cpu_lookup_table can result in scenarios where the topology
layout of CPUs in the partition does not match the device tree
or the topology reported by the HMC.

This bug looks like it was introduced in 2004 in the commit titled
"ppc64: cpu hotplug notifier for numa", which is 6b15e4e87e32 in the
linux-fullhist tree. Hence tag it for all stable releases.

Signed-off-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
Reviewed-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/include/asm/topology.h          | 5 +++++
 arch/powerpc/mm/numa.c                       | 5 -----
 arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 ++
 3 files changed, 7 insertions(+), 5 deletions(-)

--- a/arch/powerpc/include/asm/topology.h
+++ b/arch/powerpc/include/asm/topology.h
@@ -44,6 +44,11 @@ extern void __init dump_numa_cpu_topolog
 extern int sysfs_add_device_to_node(struct device *dev, int nid);
 extern void sysfs_remove_device_from_node(struct device *dev, int nid);
 
+static inline void update_numa_cpu_lookup_table(unsigned int cpu, int node)
+{
+	numa_cpu_lookup_table[cpu] = node;
+}
+
 static inline int early_cpu_to_node(int cpu)
 {
 	int nid;
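Review bot: Moving update_numa_cpu_lookup_table() into topology.h as a static inline means every file including this header must see a declaration of numa_cpu_lookup_table, and the visible lines do not show which config block the definition lands in. hotplug-cpu.c now calls it unconditionally, so if this sits in a NUMA-only section a no-op stub is needed for the other case; please check a build without CONFIG_NUMA. The helper also indexes the table with an unchecked cpu, which is fine for the current callers but worth a comment now that it is exposed outside numa.c.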
--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
@@ -162,11 +162,6 @@ static void reset_numa_cpu_lookup_table(
 		numa_cpu_lookup_table[cpu] = -1;
 }
 
-static void update_numa_cpu_lookup_table(unsigned int cpu, int node)
-{
-	numa_cpu_lookup_table[cpu] = node;
-}
-
 static void map_cpu_to_node(int cpu, int node)
 {
 	update_numa_cpu_lookup_table(cpu, node);
--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
+++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
@@ -31,6 +31,7 @@
 #include <asm/vdso_datapage.h>
 #include <asm/xics.h>
 #include <asm/plpar_wrappers.h>
+#include <asm/topology.h>
 
 #include "offline_states.h"
 
@@ -328,6 +329,7 @@ static void pseries_remove_processor(str
 			BUG_ON(cpu_online(cpu));
 			set_cpu_present(cpu, false);
 			set_hard_smp_processor_id(cpu, -1);
+			update_numa_cpu_lookup_table(cpu, -1);
 			break;
 		}
 		if (cpu >= nr_cpu_ids)
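Review bot: The literal -1 passed to update_numa_cpu_lookup_table() is a magic value that only makes sense next to reset_numa_cpu_lookup_table() in numa.c. Using NUMA_NO_NODE, or adding a short comment that -1 marks the entry invalid so the associativity is re-read on the next add, would make the intent clear at this call site.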

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 012/410] scsi: libsas: direct call probe and destruct
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (293 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 035/410] cdrom: information leak in cdrom_ioctl_media_changed() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
       [not found]   ` <a0338db1-e901-a2f4-8976-307ceeeadd57@huawei.com>
  2018-06-07 14:05 ` [PATCH 3.16 401/410] bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave Ben Hutchings
                   ` (114 subsequent siblings)
  409 siblings, 1 reply; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dan Williams, Ewan Milne, Jason Yan, Hannes Reinecke,
	John Garry, Christoph Hellwig, Tomas Henzl, Martin K. Petersen,
	Johannes Thumshirn

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Yan <yanaijie@huawei.com>

commit 0558f33c06bb910e2879e355192227a8e8f0219d upstream.

Commit 87c8331fcf72 ("[SCSI] libsas: prevent domain rediscovery
competing with ata error handling") introduced disco mutex to prevent
rediscovery competing with ata error handling and put the whole
revalidation in the mutex. But the rphy add/remove needs to wait for the
error handling which also grabs the disco mutex. This may lead to
deadlock. So the probe and destruct events were introduced to do the rphy
add/remove asynchronously and out of the lock.

The asynchronously processed workers make the whole discovery process
not atomic, the other events may interrupt the process. For example,
if a loss of signal event inserted before the probe event, the
sas_deform_port() is called and the port will be deleted.

And sas_port_delete() may run before the destruct event, but the
port-x:x is the top parent of end device or expander. This leads to
a kernel WARNING such as:

[   82.042979] sysfs group 'power' not found for kobject 'phy-1:0:22'
[   82.042983] ------------[ cut here ]------------
[   82.042986] WARNING: CPU: 54 PID: 1714 at fs/sysfs/group.c:237
sysfs_remove_group+0x94/0xa0
[   82.043059] Call trace:
[   82.043082] [<ffff0000082e7624>] sysfs_remove_group+0x94/0xa0
[   82.043085] [<ffff00000864e320>] dpm_sysfs_remove+0x60/0x70
[   82.043086] [<ffff00000863ee10>] device_del+0x138/0x308
[   82.043089] [<ffff00000869a2d0>] sas_phy_delete+0x38/0x60
[   82.043091] [<ffff00000869a86c>] do_sas_phy_delete+0x6c/0x80
[   82.043093] [<ffff00000863dc20>] device_for_each_child+0x58/0xa0
[   82.043095] [<ffff000008696f80>] sas_remove_children+0x40/0x50
[   82.043100] [<ffff00000869d1bc>] sas_destruct_devices+0x64/0xa0
[   82.043102] [<ffff0000080e93bc>] process_one_work+0x1fc/0x4b0
[   82.043104] [<ffff0000080e96c0>] worker_thread+0x50/0x490
[   82.043105] [<ffff0000080f0364>] kthread+0xfc/0x128
[   82.043107] [<ffff0000080836c0>] ret_from_fork+0x10/0x50

Make probe and destruct a direct call in the disco and revalidate function,
but put them outside the lock. The whole discovery or revalidate won't
be interrupted by other events. And the DISCE_PROBE and DISCE_DESTRUCT
event are deleted as a result of the direct call.

Introduce a new list to destruct the sas_port and put the port delete after
the destruct. This makes sure the right order of destroying the sysfs
kobject and fix the warning above.

In sas_ex_revalidate_domain() have a loop to find all broadcasted
device, and sometimes we have a chance to find the same expander twice.
Because the sas_port will be deleted at the end of the whole revalidate
process, sas_port with the same name cannot be added before this.
Otherwise the sysfs will complain of creating duplicate filename. Since
the LLDD will send broadcast for every device change, we can only
process one expander's revalidation.

[mkp: kbuild test robot warning]

Signed-off-by: Jason Yan <yanaijie@huawei.com>
CC: John Garry <john.garry@huawei.com>
CC: Johannes Thumshirn <jthumshirn@suse.de>
CC: Ewan Milne <emilne@redhat.com>
CC: Christoph Hellwig <hch@lst.de>
CC: Tomas Henzl <thenzl@redhat.com>
CC: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 4.9: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/libsas/sas_ata.c      |  1 -
 drivers/scsi/libsas/sas_discover.c | 32 +++++++++++++++++-------------
 drivers/scsi/libsas/sas_expander.c |  8 +++-----
 drivers/scsi/libsas/sas_internal.h |  1 +
 drivers/scsi/libsas/sas_port.c     |  3 +++
 include/scsi/libsas.h              |  3 +--
 include/scsi/scsi_transport_sas.h  |  1 +
 7 files changed, 27 insertions(+), 22 deletions(-)

--- a/drivers/scsi/libsas/sas_ata.c
+++ b/drivers/scsi/libsas/sas_ata.c
@@ -782,7 +782,6 @@ int sas_discover_sata(struct domain_devi
 	if (res)
 		return res;
 
-	sas_discover_event(dev->port, DISCE_PROBE);
 	return 0;
 }
 
--- a/drivers/scsi/libsas/sas_discover.c
+++ b/drivers/scsi/libsas/sas_discover.c
@@ -212,13 +212,9 @@ void sas_notify_lldd_dev_gone(struct dom
 	}
 }
 
-static void sas_probe_devices(struct work_struct *work)
+static void sas_probe_devices(struct asd_sas_port *port)
 {
 	struct domain_device *dev, *n;
-	struct sas_discovery_event *ev = to_sas_discovery_event(work);
-	struct asd_sas_port *port = ev->port;
-
-	clear_bit(DISCE_PROBE, &port->disc.pending);
 
 	/* devices must be domain members before link recovery and probe */
 	list_for_each_entry(dev, &port->disco_list, disco_list_node) {
@@ -294,7 +290,6 @@ int sas_discover_end_dev(struct domain_d
 	res = sas_notify_lldd_dev_found(dev);
 	if (res)
 		return res;
-	sas_discover_event(dev->port, DISCE_PROBE);
 
 	return 0;
 }
@@ -353,13 +348,9 @@ static void sas_unregister_common_dev(st
 	sas_put_device(dev);
 }
 
-static void sas_destruct_devices(struct work_struct *work)
+void sas_destruct_devices(struct asd_sas_port *port)
 {
 	struct domain_device *dev, *n;
-	struct sas_discovery_event *ev = to_sas_discovery_event(work);
-	struct asd_sas_port *port = ev->port;
-
-	clear_bit(DISCE_DESTRUCT, &port->disc.pending);
 
 	list_for_each_entry_safe(dev, n, &port->destroy_list, disco_list_node) {
 		list_del_init(&dev->disco_list_node);
@@ -370,6 +361,16 @@ static void sas_destruct_devices(struct
 	}
 }
 
+static void sas_destruct_ports(struct asd_sas_port *port)
+{
+	struct sas_port *sas_port, *p;
+
+	list_for_each_entry_safe(sas_port, p, &port->sas_port_del_list, del_list) {
+		list_del_init(&sas_port->del_list);
+		sas_port_delete(sas_port);
+	}
+}
+
 void sas_unregister_dev(struct asd_sas_port *port, struct domain_device *dev)
 {
 	if (!test_bit(SAS_DEV_DESTROY, &dev->state) &&
@@ -384,7 +385,6 @@ void sas_unregister_dev(struct asd_sas_p
 	if (!test_and_set_bit(SAS_DEV_DESTROY, &dev->state)) {
 		sas_rphy_unlink(dev->rphy);
 		list_move_tail(&dev->disco_list_node, &port->destroy_list);
-		sas_discover_event(dev->port, DISCE_DESTRUCT);
 	}
 }
 
@@ -490,6 +490,8 @@ static void sas_discover_domain(struct w
 		port->port_dev = NULL;
 	}
 
+	sas_probe_devices(port);
+
 	SAS_DPRINTK("DONE DISCOVERY on port %d, pid:%d, result:%d\n", port->id,
 		    task_pid_nr(current), error);
 }
@@ -523,6 +525,10 @@ static void sas_revalidate_domain(struct
 		    port->id, task_pid_nr(current), res);
  out:
 	mutex_unlock(&ha->disco_mutex);
+
+	sas_destruct_devices(port);
+	sas_destruct_ports(port);
+	sas_probe_devices(port);
 }
 
 /* ---------- Events ---------- */
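
Review bot: in sas_revalidate_domain() the three added calls sit after mutex_unlock(&ha->disco_mutex), so port->destroy_list, port->sas_port_del_list and port->disco_list are walked without that mutex held. sas_destruct_devices() is also reachable from sas_resume_port() and sas_deform_port() in the sas_port.c hunks of this patch. Please add a comment above the calls stating what serialises these list walks against each other, or move them ahead of the unlock if disco_mutex is what protects the lists.
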
@@ -578,10 +584,8 @@ void sas_init_disc(struct sas_discovery
 	static const work_func_t sas_event_fns[DISC_NUM_EVENTS] = {
 		[DISCE_DISCOVER_DOMAIN] = sas_discover_domain,
 		[DISCE_REVALIDATE_DOMAIN] = sas_revalidate_domain,
-		[DISCE_PROBE] = sas_probe_devices,
 		[DISCE_SUSPEND] = sas_suspend_devices,
 		[DISCE_RESUME] = sas_resume_devices,
-		[DISCE_DESTRUCT] = sas_destruct_devices,
 	};
 
 	disc->pending = 0;
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -1903,7 +1903,8 @@ static void sas_unregister_devs_sas_addr
 		sas_port_delete_phy(phy->port, phy->phy);
 		sas_device_set_phy(found, phy->port);
 		if (phy->port->num_phys == 0)
-			sas_port_delete(phy->port);
+			list_add_tail(&phy->port->del_list,
+				&parent->port->sas_port_del_list);
 		phy->port = NULL;
 	}
 }
@@ -2111,7 +2112,7 @@ int sas_ex_revalidate_domain(struct doma
 	struct domain_device *dev = NULL;
 
 	res = sas_find_bcast_dev(port_dev, &dev);
-	while (res == 0 && dev) {
+	if (res == 0 && dev) {
 		struct expander_device *ex = &dev->ex_dev;
 		int i = 0, phy_id;
 
@@ -2123,9 +2124,6 @@ int sas_ex_revalidate_domain(struct doma
 			res = sas_rediscover(dev, phy_id);
 			i = phy_id + 1;
 		} while (i < ex->num_phys);
-
-		dev = NULL;
-		res = sas_find_bcast_dev(port_dev, &dev);
 	}
 	return res;
 }
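
Review bot: with the loop in sas_ex_revalidate_domain() reduced to a single `if (res == 0 && dev)` and the trailing re-query of sas_find_bcast_dev() removed, only the first expander that reports a change is rediscovered per call. Nothing in these hunks re-triggers revalidation for any further expander with a pending change, so please add a comment in the function naming the event that brings the caller back here for the remaining ones.
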
--- a/drivers/scsi/libsas/sas_internal.h
+++ b/drivers/scsi/libsas/sas_internal.h
@@ -100,6 +100,7 @@ int sas_try_ata_reset(struct asd_sas_phy
 void sas_hae_reset(struct work_struct *work);
 
 void sas_free_device(struct kref *kref);
+void sas_destruct_devices(struct asd_sas_port *port);
 
 #ifdef CONFIG_SCSI_SAS_HOST_SMP
 extern int sas_smp_host_handler(struct Scsi_Host *shost, struct request *req,
--- a/drivers/scsi/libsas/sas_port.c
+++ b/drivers/scsi/libsas/sas_port.c
@@ -66,6 +66,7 @@ static void sas_resume_port(struct asd_s
 		rc = sas_notify_lldd_dev_found(dev);
 		if (rc) {
 			sas_unregister_dev(port, dev);
+			sas_destruct_devices(port);
 			continue;
 		}
 
@@ -219,6 +220,7 @@ void sas_deform_port(struct asd_sas_phy
 
 	if (port->num_phys == 1) {
 		sas_unregister_domain_devices(port, gone);
+		sas_destruct_devices(port);
 		sas_port_delete(port->port);
 		port->port = NULL;
 	} else {
@@ -323,6 +325,7 @@ static void sas_init_port(struct asd_sas
 	INIT_LIST_HEAD(&port->dev_list);
 	INIT_LIST_HEAD(&port->disco_list);
 	INIT_LIST_HEAD(&port->destroy_list);
+	INIT_LIST_HEAD(&port->sas_port_del_list);
 	spin_lock_init(&port->phy_list_lock);
 	INIT_LIST_HEAD(&port->phy_list);
 	port->ha = sas_ha;
--- a/include/scsi/libsas.h
+++ b/include/scsi/libsas.h
@@ -87,10 +87,8 @@ enum discover_event {
 	DISCE_DISCOVER_DOMAIN   = 0U,
 	DISCE_REVALIDATE_DOMAIN,
 	DISCE_PORT_GONE,
-	DISCE_PROBE,
 	DISCE_SUSPEND,
 	DISCE_RESUME,
-	DISCE_DESTRUCT,
 	DISC_NUM_EVENTS,
 };
 
@@ -274,6 +272,7 @@ struct asd_sas_port {
 	struct list_head dev_list;
 	struct list_head disco_list;
 	struct list_head destroy_list;
+	struct list_head sas_port_del_list;
 	enum   sas_linkrate linkrate;
 
 	struct sas_work work;
--- a/include/scsi/scsi_transport_sas.h
+++ b/include/scsi/scsi_transport_sas.h
@@ -145,6 +145,7 @@ struct sas_port {
 
 	struct mutex		phy_list_mutex;
 	struct list_head	phy_list;
+	struct list_head	del_list; /* libsas only */
 };
 
 #define dev_to_sas_port(d) \
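
Review bot: the new del_list member of struct sas_port has no matching INIT_LIST_HEAD() anywhere in this patch; sas_init_port() only initialises port->sas_port_del_list on struct asd_sas_port. list_add_tail() in sas_unregister_devs_sas_addr() works on an uninitialised node, but a later list_empty(&sas_port->del_list) test would not, so consider initialising it where the sas_port is set up. The "libsas only" comment could also name the list head this node is linked into.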


* [PATCH 3.16 344/410] netfilter: bridge: ebt_among: add missing match size checks
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (382 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 016/410] netfilter: ebtables: fix erroneous reject of last rule Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 206/410] pipe: cap initial pipe capacity according to pipe-max-size limit Ben Hutchings
                   ` (25 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot+fe0b19af568972814355, Florian Westphal, Pablo Neira Ayuso

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit c4585a2823edf4d1326da44d1524ecbfda26bb37 upstream.

ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

Therefore it must check that the size of the match structure
provided from userspace is sane by making sure em->match_size
is at least the minimum size of the expected structure.

The module has such a check, but it's only done after accessing
a structure that might be out of bounds.

tested with: ebtables -A INPUT ... \
--among-dst fe:fe:fe:fe:fe:fe
--among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe
--among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe

Reported-by: <syzbot+fe0b19af568972814355@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bridge/netfilter/ebt_among.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb,
 	return true;
 }
 
+static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
+{
+	return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
+}
+
 static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct ebt_among_info *info = par->matchinfo;
 	const struct ebt_entry_match *em =
 		container_of(par->matchinfo, const struct ebt_entry_match, data);
-	int expected_length = sizeof(struct ebt_among_info);
+	unsigned int expected_length = sizeof(struct ebt_among_info);
 	const struct ebt_mac_wormhash *wh_dst, *wh_src;
 	int err;
 
+	if (expected_length > em->match_size)
+		return -EINVAL;
+
 	wh_dst = ebt_among_wh_dst(info);
-	wh_src = ebt_among_wh_src(info);
+	if (poolsize_invalid(wh_dst))
+		return -EINVAL;
+
 	expected_length += ebt_mac_wormhash_size(wh_dst);
+	if (expected_length > em->match_size)
+		return -EINVAL;
+
+	wh_src = ebt_among_wh_src(info);
+	if (poolsize_invalid(wh_src))
+		return -EINVAL;
+
 	expected_length += ebt_mac_wormhash_size(wh_src);
 
 	if (em->match_size != EBT_ALIGN(expected_length)) {
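
Review bot: poolsize_invalid(wh_dst) reads w->poolsize when em->match_size has only been compared against sizeof(struct ebt_among_info), so nothing in this hunk bounds the location returned by ebt_among_wh_dst(info), or later ebt_among_wh_src(info), against em->match_size before it is dereferenced. If those helpers derive the pointer from an offset stored in the user-supplied info, that offset needs its own range check ahead of the poolsize read. Separately, poolsize_invalid() bounds against INT_MAX while expected_length is now unsigned int; a short comment saying why INT_MAX is the limit would help.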


* [PATCH 3.16 186/410] Btrfs: fix deadlock in run_delalloc_nocow
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (187 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 203/410] pipe: simplify logic in alloc_pipe_info() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 387/410] ALSA: aloop: Sync stale timer before release Ben Hutchings
                   ` (220 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Sterba, Liu Bo, Josef Bacik

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liu Bo <bo.li.liu@oracle.com>

commit e89166990f11c3f21e1649d760dd35f9e410321c upstream.

@cur_offset is not set back to what it should be (@cow_start) if
btrfs_next_leaf() returns something wrong, and the range [cow_start,
cur_offset) remains locked forever.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1235,8 +1235,11 @@ next_slot:
 		leaf = path->nodes[0];
 		if (path->slots[0] >= btrfs_header_nritems(leaf)) {
 			ret = btrfs_next_leaf(root, path);
-			if (ret < 0)
+			if (ret < 0) {
+				if (cow_start != (u64)-1)
+					cur_offset = cow_start;
 				goto error;
+			}
 			if (ret > 0)
 				break;
 			leaf = path->nodes[0];
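
Review bot: the new `cur_offset = cow_start;` inside the `ret < 0` branch carries no comment, and its purpose is only recoverable from the commit message: the error label has to see the start of the still-locked range. Please add a one-line comment saying so, so the assignment is not later removed as dead-looking code. It is also worth checking whether other `goto error` exits in this function can run with cow_start set and need the same reset; none are visible in this hunk.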


* [PATCH 3.16 323/410] bcache: don't attach backing with duplicate UUID
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (141 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 239/410] x86/speculation: Add <asm/msr-index.h> dependency Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 072/410] power: supply: ab8500_charger: Bail out in case of error in 'ab8500_charger_init_hw_registers()' Ben Hutchings
                   ` (266 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jens Axboe, Michael Lyle, Tang Junhui

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Lyle <mlyle@lyle.org>

commit 86755b7a96faed57f910f9e6b8061e019ac1ec08 upstream.

This can happen e.g. during disk cloning.

This is an incomplete fix: it does not catch duplicate UUIDs earlier
when things are still unattached.  It does not unregister the device.
Further changes to cope better with this are planned but conflict with
Coly's ongoing improvements to handling device errors.  In the meantime,
one can manually stop the device after this has happened.

Attempts to attach a duplicate device result in:

[  136.372404] loop: module loaded
[  136.424461] bcache: register_bdev() registered backing device loop0
[  136.424464] bcache: bch_cached_dev_attach() Tried to attach loop0 but duplicate UUID already attached

My test procedure is:

  dd if=/dev/sdb1 of=imgfile bs=1024 count=262144
  losetup -f imgfile

Signed-off-by: Michael Lyle <mlyle@lyle.org>
Reviewed-by: Tang Junhui <tang.junhui@zte.com.cn>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/bcache/super.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -964,6 +964,7 @@ int bch_cached_dev_attach(struct cached_
 	uint32_t rtime = cpu_to_le32(get_seconds());
 	struct uuid_entry *u;
 	char buf[BDEVNAME_SIZE];
+	struct cached_dev *exist_dc, *t;
 
 	bdevname(dc->bdev, buf);
 
@@ -987,6 +988,16 @@ int bch_cached_dev_attach(struct cached_
 		return -EINVAL;
 	}
 
+	/* Check whether already attached */
+	list_for_each_entry_safe(exist_dc, t, &c->cached_devs, list) {
+		if (!memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)) {
+			pr_err("Tried to attach %s but duplicate UUID already attached",
+				buf);
+
+			return -EINVAL;
+		}
+	}
+
 	u = uuid_find(c, dc->sb.uuid);
 
 	if (u &&
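
Review bot: the duplicate check calls `memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)` with a bare 16; sizeof(dc->sb.uuid) would keep the length tied to the field. The loop body never removes an entry, so list_for_each_entry() is sufficient and the extra cursor `t` declared in the first hunk can be dropped. The early `return -EINVAL` matches the commit message's statement that the device is not unregistered, which deserves a comment at the return so the manual stop requirement is visible in the code.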


* [PATCH 3.16 120/410] crypto: af_alg - whitelist mask and type
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (163 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 395/410] batman-adv: fix packet loss for broadcasted DHCP packets to a server Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05   ` Ben Hutchings
                   ` (244 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, syzbot, Stephan Mueller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Mueller <smueller@chronox.de>

commit bb30b8848c85e18ca7e371d0a869e94b3e383bdf upstream.

The user space interface allows specifying the type and mask field used
to allocate the cipher. Only a subset of the possible flags are intended
for user space. Therefore, white-list the allowed flags.

In case the user space caller uses at least one non-allowed flag, EINVAL
is returned.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: We don't have a CRYPTO_ALG_INTERNAL flag and
 didn't blacklist it here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -149,6 +149,7 @@ EXPORT_SYMBOL_GPL(af_alg_release_parent)
 
 static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 {
+	const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY;
 	struct sock *sk = sock->sk;
 	struct alg_sock *ask = alg_sk(sk);
 	struct sockaddr_alg *sa = (void *)uaddr;
@@ -156,6 +157,10 @@ static int alg_bind(struct socket *sock,
 	void *private;
 	int err;
 
+	/* If caller uses non-allowed flag, return error. */
+	if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))
+		return -EINVAL;
+
 	if (sock->state == SS_CONNECTED)
 		return -EINVAL;
 
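Review bot: the new flag check dereferences sa->salg_feat and sa->salg_mask at the very top of alg_bind(), ahead of the sock->state test and before any addr_len validation visible in this hunk. Move it below the point where addr_len has been checked against the size of struct sockaddr_alg, so the flags are only read from an address the caller supplied in full. The comment could also state that CRYPTO_ALG_KERN_DRIVER_ONLY is the only flag user space may pass.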


* [PATCH 3.16 117/410] arm: spear13xx: Fix dmas cells
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (229 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 329/410] sch_netem: fix skb leak in netem_enqueue() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 084/410] USB: serial: io_edgeport: fix possible sleep-in-atomic Ben Hutchings
                   ` (178 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Viresh Kumar, Olof Johansson

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Viresh Kumar <viresh.kumar@linaro.org>

commit cdd10409914184c7eee5ae3e11beb890c9c16c61 upstream.

The "dmas" cells for the designware DMA controller need to have only 3
properties apart from the phandle: request line, src master and
destination master. But the commit 6e8887f60f60 updated it incorrectly
while moving from platform code to DT. Fix it.

Fixes: 6e8887f60f60 ("ARM: SPEAr13xx: Pass generic DW DMAC platform data from DT")
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/devicetree/bindings/dma/snps-dma.txt | 2 +-
 arch/arm/boot/dts/spear1340.dtsi                   | 4 ++--
 arch/arm/boot/dts/spear13xx.dtsi                   | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

--- a/Documentation/devicetree/bindings/dma/snps-dma.txt
+++ b/Documentation/devicetree/bindings/dma/snps-dma.txt
@@ -58,6 +58,6 @@ Example:
 		interrupts = <0 35 0x4>;
 		status = "disabled";
 		dmas = <&dmahost 12 0 1>,
-			<&dmahost 13 0 1 0>;
+			<&dmahost 13 1 0>;
 		dma-names = "rx", "rx";
 	};
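
Review bot: the context line `dma-names = "rx", "rx";` in this binding example is left untouched although the two dmas entries are distinct channels; the spear1340.dtsi node in this same patch uses "tx", "rx". Since the example is being corrected anyway, fix the names in the same change so the documentation does not show a duplicated channel name.
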
--- a/arch/arm/boot/dts/spear1340.dtsi
+++ b/arch/arm/boot/dts/spear1340.dtsi
@@ -113,8 +113,8 @@
 				reg = <0xb4100000 0x1000>;
 				interrupts = <0 105 0x4>;
 				status = "disabled";
-				dmas = <&dwdma0 0x600 0 0 1>, /* 0xC << 11 */
-					<&dwdma0 0x680 0 1 0>; /* 0xD << 7 */
+				dmas = <&dwdma0 12 0 1>,
+					<&dwdma0 13 1 0>;
 				dma-names = "tx", "rx";
 			};
 
--- a/arch/arm/boot/dts/spear13xx.dtsi
+++ b/arch/arm/boot/dts/spear13xx.dtsi
@@ -100,7 +100,7 @@
 			reg = <0xb2800000 0x1000>;
 			interrupts = <0 29 0x4>;
 			status = "disabled";
-			dmas = <&dwdma0 0 0 0 0>;
+			dmas = <&dwdma0 0 0 0>;
 			dma-names = "data";
 		};
 
@@ -283,8 +283,8 @@
 				#size-cells = <0>;
 				interrupts = <0 31 0x4>;
 				status = "disabled";
-				dmas = <&dwdma0 0x2000 0 0 0>, /* 0x4 << 11 */
-					<&dwdma0 0x0280 0 0 0>;  /* 0x5 << 7 */
+				dmas = <&dwdma0 4 0 0>,
+					<&dwdma0 5 0 0>;
 				dma-names = "tx", "rx";
 			};
 


* [PATCH 3.16 145/410] kernfs: fix regression in kernfs_fop_write caused by wrong type
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (295 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 401/410] bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 045/410] x86/pti: Mark constant arrays as __initconst Ben Hutchings
                   ` (112 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Ivan Vecera, Al Viro

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ivan Vecera <ivecera@redhat.com>

commit ba87977a49913129962af8ac35b0e13e0fa4382d upstream.

Commit b7ce40cff0b9 ("kernfs: cache atomic_write_len in
kernfs_open_file") changes type of local variable 'len' from ssize_t
to size_t. As a result, the *ppos value is also updated
when the previous write callback failed.

Mentioned snippet:
...
len = ops->write(...); <- return value can be negative
...
if (len > 0)           <- true here in this case
        *ppos += len;
...

Fixes: b7ce40cff0b9 ("kernfs: cache atomic_write_len in kernfs_open_file")
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/kernfs/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -267,7 +267,7 @@ static ssize_t kernfs_fop_write(struct f
 {
 	struct kernfs_open_file *of = kernfs_of(file);
 	const struct kernfs_ops *ops;
-	size_t len;
+	ssize_t len;
 	char *buf;
 
 	if (of->atomic_write_len) {
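
Review bot: `ssize_t len;` now holds both the byte count and the negative error returned by ops->write(), but the declaration gives no hint of that, which is how the earlier switch to size_t went unnoticed. Add a short comment on the declaration, and check that any comparison of len against a size_t value further down the function does not promote a negative len to a large unsigned value.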


* [PATCH 3.16 132/410] IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (285 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 244/410] Add delay-init quirk for Corsair K70 RGB keyboards Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 047/410] x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support Ben Hutchings
                   ` (122 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Jack Morgenstein, Jason Gunthorpe

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 852f6927594d0d3e8632c889b2ab38cbc46476ad upstream.

Allocating steerable UD QPs depends on having at least one IB port,
while releasing those QPs does not.

As a result, when there are only ETH ports, the IB (RoCE) driver
requests releasing a qp range whose base qp is zero, with
qp count zero.

When SR-IOV is enabled, and the VF driver is running on a VM over
a hypervisor which treats such qp release calls as errors
(rather than NOPs), we see lines in the VM message log like:

 mlx4_core 0002:00:02.0: Failed to release qp range base:0 cnt:0

Fix this by adding a check for a zero count in mlx4_release_qp_range()
(which thus treats releasing 0 qps as a nop), and eliminating the
check for device managed flow steering when releasing steerable UD QPs.
(Freeing ib_uc_qpns_bitmap unconditionally is also OK, since it
remains NULL when steerable UD QPs are not allocated).

Fixes: 4196670be786 ("IB/mlx4: Don't allocate range of steerable UD QPs for Ethernet-only device")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/main.c       | 13 +++++--------
 drivers/net/ethernet/mellanox/mlx4/qp.c |  3 +++
 2 files changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -2272,9 +2272,8 @@ err_steer_free_bitmap:
 	kfree(ibdev->ib_uc_qpns_bitmap);
 
 err_steer_qp_release:
-	if (ibdev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED)
-		mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
-				      ibdev->steer_qpn_count);
+	mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
+			      ibdev->steer_qpn_count);
 err_counter:
 	for (; i; --i)
 		if (ibdev->counters[i - 1] != -1)
@@ -2373,11 +2372,9 @@ static void mlx4_ib_remove(struct mlx4_d
 		ibdev->iboe.nb.notifier_call = NULL;
 	}
 
-	if (ibdev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED) {
-		mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
-				      ibdev->steer_qpn_count);
-		kfree(ibdev->ib_uc_qpns_bitmap);
-	}
+	mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
+			      ibdev->steer_qpn_count);
+	kfree(ibdev->ib_uc_qpns_bitmap);
 
 	if (ibdev->iboe.nb_inet.notifier_call) {
 		if (unregister_inetaddr_notifier(&ibdev->iboe.nb_inet))
--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
@@ -257,6 +257,9 @@ void mlx4_qp_release_range(struct mlx4_d
 	u64 in_param = 0;
 	int err;
 
+	if (!cnt)
+		return;
+
 	if (mlx4_is_mfunc(dev)) {
 		set_param_l(&in_param, base_qpn);
 		set_param_h(&in_param, cnt);
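
Review bot: the `if (!cnt) return;` guard at the top of mlx4_qp_release_range() is what makes the now-unconditional calls in the err_steer_qp_release path and in mlx4_ib_remove() safe, yet it carries no comment. Add one line saying that a zero count is a deliberate no-op relied on by callers that never allocated a range, so the guard is not removed later as redundant.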


* [PATCH 3.16 092/410] video: fbdev: atmel_lcdfb: fix display-timings lookup
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (246 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 287/410] l2tp: remove l2tp_tunnel_count and l2tp_session_count Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 305/410] tty: make n_tty_read() always abort if hangup is in progress Ben Hutchings
                   ` (161 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Bartlomiej Zolnierkiewicz,
	Jean-Christophe PLAGNIOL-VILLARD, Johan Hovold,
	Alexandre Belloni, Nicolas Ferre

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 9cb18db0701f6b74f0c45c23ad767b3ebebe37f6 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent display node was also prematurely
freed.

Note that the display and timings node references are never put after a
successful dt-initialisation so the nodes would leak on later probe
deferrals and on driver unbind.

Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport")
Cc: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/fbdev/atmel_lcdfb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/atmel_lcdfb.c
+++ b/drivers/video/fbdev/atmel_lcdfb.c
@@ -1105,7 +1105,7 @@ static int atmel_lcdfb_of_init(struct at
 		goto put_display_node;
 	}
 
-	timings_np = of_find_node_by_name(display_np, "display-timings");
+	timings_np = of_get_child_by_name(display_np, "display-timings");
 	if (!timings_np) {
 		dev_err(dev, "failed to find display-timings node\n");
 		ret = -ENODEV;
@@ -1126,6 +1126,12 @@ static int atmel_lcdfb_of_init(struct at
 		fb_add_videomode(&fb_vm, &info->modelist);
 	}
 
+	/*
+	 * FIXME: Make sure we are not referencing any fields in display_np
+	 * and timings_np and drop our references to them before returning to
+	 * avoid leaking the nodes on probe deferral and driver unbind.
+	 */
+
 	return 0;
 
 put_timings_node:
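
Review bot: the added FIXME documents the display_np and timings_np reference leak on the success path rather than fixing it; `return 0;` still exits without of_node_put() on either node while the put_timings_node label sits directly below. If the references cannot be dropped yet because fields of the nodes are still in use after probe, the FIXME should name those fields so the follow-up has a starting point.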


* [PATCH 3.16 390/410] s390/qeth: free netdevice when removing a card
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (325 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 282/410] batman-adv: fix packet checksum in receive path Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 158/410] NFS: reject request for id_legacy key without auxdata Ben Hutchings
                   ` (82 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ursula Braun, Julian Wiedmann, David S. Miller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann <jwi@linux.vnet.ibm.com>

commit 6be687395b3124f002a653c1a50b3260222b3cd7 upstream.

On removal, a qeth card's netdevice is currently not properly freed
because the call chain looks as follows:

qeth_core_remove_device(card)
	lx_remove_device(card)
		unregister_netdev(card->dev)
		card->dev = NULL			!!!
	qeth_core_free_card(card)
		if (card->dev)				!!!
			free_netdev(card->dev)

Fix it by free'ing the netdev straight after unregistering. This also
fixes the sysfs-driven layer switch case (qeth_dev_layer2_store()),
where the need to free the current netdevice was not considered at all.

Note that free_netdev() takes care of the netif_napi_del() for us too.

Fixes: 4a71df50047f ("qeth: new qeth device driver")
Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
Reviewed-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/net/qeth_core_main.c | 2 --
 drivers/s390/net/qeth_l2_main.c   | 2 +-
 drivers/s390/net/qeth_l3_main.c   | 2 +-
 3 files changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -4857,8 +4857,6 @@ static void qeth_core_free_card(struct q
 	QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *));
 	qeth_clean_channel(&card->read);
 	qeth_clean_channel(&card->write);
-	if (card->dev)
-		free_netdev(card->dev);
 	kfree(card->ip_tbd_list);
 	qeth_free_qdio_buffers(card);
 	unregister_service_level(&card->qeth_service_level);
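
Review bot: with `if (card->dev) free_netdev(card->dev);` removed from qeth_core_free_card(), freeing the netdevice now depends entirely on the l2 and l3 remove_device paths having run first. Please confirm that no caller reaches qeth_core_free_card() with card->dev still set, for example after a failed setup where no discipline remove ran, or add a WARN_ON(card->dev) here so such a leak is at least visible.
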
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -922,8 +922,8 @@ static void qeth_l2_remove_device(struct
 		qeth_l2_set_offline(cgdev);
 
 	if (card->dev) {
-		netif_napi_del(&card->napi);
 		unregister_netdev(card->dev);
+		free_netdev(card->dev);
 		card->dev = NULL;
 	}
 	return;
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -3340,8 +3340,8 @@ static void qeth_l3_remove_device(struct
 		qeth_l3_set_offline(cgdev);
 
 	if (card->dev) {
-		netif_napi_del(&card->napi);
 		unregister_netdev(card->dev);
+		free_netdev(card->dev);
 		card->dev = NULL;
 	}
 


* [PATCH 3.16 085/410] media: bt8xx: Fix err 'bt878_probe()'
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 214/410] pipe: reject F_SETPIPE_SZ with size over UINT_MAX Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 374/410] vti4: Don't count header length twice on tunnel setup Ben Hutchings
                   ` (362 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christophe JAILLET, Mauro Carvalho Chehab

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 45392ff6881dbe56d41ef0b17c2e576065f8ffa1 upstream.

It is odd to call 'pci_disable_device()' in an error path before a
corresponding successful 'pci_enable_device()'.

Return directly instead.

Fixes: 77e0be12100a ("V4L/DVB (4176): Bug-fix: Fix memory overflow")

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/pci/bt8xx/bt878.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/pci/bt8xx/bt878.c
+++ b/drivers/media/pci/bt8xx/bt878.c
@@ -433,8 +433,7 @@ static int bt878_probe(struct pci_dev *d
 	       bt878_num);
 	if (bt878_num >= BT878_MAX) {
 		printk(KERN_ERR "bt878: Too many devices inserted\n");
-		result = -ENOMEM;
-		goto fail0;
+		return -ENOMEM;
 	}
 	if (pci_enable_device(dev))
 		return -EIO;


* [PATCH 3.16 343/410] ALSA: seq: Clear client entry before deleting else at closing
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (85 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 151/410] CDC-ACM: apply quirk for card reader Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 174/410] RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure Ben Hutchings
                   ` (322 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit a2ff19f7b70118ced291a28d5313469914de451b upstream.

When releasing a client, we need to clear the clienttab[] entry at
first, then call snd_seq_queue_client_leave().  Otherwise, the
in-flight cell in the queue might be picked up by the timer interrupt
via snd_seq_check_queue() before calling snd_seq_queue_client_leave(),
and it's delivered to another queue while the client is clearing
queues.  This may eventually result in an uncleared cell remaining in
a queue, and the later snd_seq_pool_delete() may need to wait for a
long time until the event gets really processed.

By moving the clienttab[] clearance at the beginning of release, any
event delivery of a cell belonging to this client will fail at a later
point, since snd_seq_client_ptr() returns NULL.  Thus the cell that
was picked up by the timer interrupt will be returned immediately
without further delivery, and the long stall of snd_seq_delete_pool()
can be avoided, too.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_clientmgr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -270,12 +270,12 @@ static int seq_free_client1(struct snd_s
 
 	if (!client)
 		return 0;
-	snd_seq_delete_all_ports(client);
-	snd_seq_queue_client_leave(client->number);
 	spin_lock_irqsave(&clients_lock, flags);
 	clienttablock[client->number] = 1;
 	clienttab[client->number] = NULL;
 	spin_unlock_irqrestore(&clients_lock, flags);
+	snd_seq_delete_all_ports(client);
+	snd_seq_queue_client_leave(client->number);
 	snd_use_lock_sync(&client->use_lock);
 	snd_seq_queue_client_termination(client->number);
 	if (client->pool)
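Review bot: The new ordering in seq_free_client1() is load-bearing but nothing in the code says so: a comment above the `spin_lock_irqsave(&clients_lock, flags)` block should state that clienttab[] must be cleared before snd_seq_queue_client_leave() so that the timer path sees snd_seq_client_ptr() return NULL. The commit message only justifies moving snd_seq_queue_client_leave(); snd_seq_delete_all_ports() moves with it, and it is worth confirming that port deletion does not depend on the client still being visible in clienttab[].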

* [PATCH 3.16 369/410] batman-adv: update data pointers after skb_cow()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (182 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 154/410] USB: serial: add Medtronic CareLink USB driver Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 025/410] ALSA: seq: Don't allow resizing pool in use Ben Hutchings
                   ` (225 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Matthias Schiffer, Sven Eckelmann, Simon Wunderlich

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Schiffer <mschiffer@universe-factory.net>

commit bc44b78157f621ff2a2618fe287a827bcb094ac4 upstream.

batadv_check_unicast_ttvn() calls skb_cow(), so pointers into the SKB data
must be (re)set after calling it. The ethhdr variable is dropped
altogether.

Fixes: 7cdcf6dddc42 ("batman-adv: add UNICAST_4ADDR packet type")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16:
 - There's no ethhdr variable here
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -886,8 +886,6 @@ int batadv_recv_unicast_packet(struct sk
 	bool is4addr;
 
 	unicast_packet = (struct batadv_unicast_packet *)skb->data;
-	unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
-
 	is4addr = unicast_packet->packet_type == BATADV_UNICAST_4ADDR;
 	/* the caller function should have already pulled 2 bytes */
 	if (is4addr)
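Review bot: After this removal unicast_4addr_packet has no assignment at the top of batadv_recv_unicast_packet(); the only one left is inside the `if (is4addr)` block under "packet for me" in the next hunk. Confirm that no other use of it remains further down the function, and initialise it to NULL at the declaration if the compiler reports it as possibly uninitialised.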
@@ -907,9 +905,13 @@ int batadv_recv_unicast_packet(struct sk
 	if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size))
 		return NET_RX_DROP;
 
+	unicast_packet = (struct batadv_unicast_packet *)skb->data;
+
 	/* packet for me */
 	if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
 		if (is4addr) {
+			unicast_4addr_packet =
+				(struct batadv_unicast_4addr_packet *)skb->data;
 			batadv_dat_inc_counter(bat_priv,
 					       unicast_4addr_packet->subtype);
 			orig_addr = unicast_4addr_packet->src;
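Review bot: The reload of unicast_packet after batadv_check_unicast_ttvn() needs a comment, because nothing at the call site shows that the callee can reallocate the skb data; something like `/* batadv_check_unicast_ttvn() may skb_cow(), reload from skb->data */` keeps a later cleanup from folding it back into the initial assignment. is4addr is still computed from the pre-call pointer, which is fine as a cached value but relies on the packet type not being rewritten by that call.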

* [PATCH 3.16 008/410] media: dvb-usb-v2: lmedm04: move ts2020 attach to  dm04_lme2510_tuner
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (221 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 196/410] arm64: KVM: Increment PC after handling an SMC trap Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 046/410] x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes Ben Hutchings
                   ` (186 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrey Konovalov, Mauro Carvalho Chehab, Malcolm Priestley

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvboxspy@gmail.com>

commit 7bf7a7116ed313c601307f7e585419369926ab05 upstream.

When the tuner was split from m88rs2000 the attach function is in wrong
place.

Move to dm04_lme2510_tuner to trap errors on failure and removing
a call to lme_coldreset.

Prevents driver starting up without any tuner connected.

Fixes to trap for ts2020 fail.
LME2510(C): FE Found M88RS2000
ts2020: probe of 0-0060 failed with error -11
...
LME2510(C): TUN Found RS2000 tuner
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
@@ -1115,8 +1115,6 @@ static int dm04_lme2510_frontend_attach(
 
 		if (adap->fe[0]) {
 			info("FE Found M88RS2000");
-			dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
-					&d->i2c_adap);
 			st->i2c_tuner_gate_w = 5;
 			st->i2c_tuner_gate_r = 5;
 			st->i2c_tuner_addr = 0x60;
@@ -1179,17 +1177,18 @@ static int dm04_lme2510_tuner(struct dvb
 			ret = st->tuner_config;
 		break;
 	case TUNER_RS2000:
-		ret = st->tuner_config;
+		if (dvb_attach(ts2020_attach, adap->fe[0],
+			       &ts2020_config, &d->i2c_adap))
+			ret = st->tuner_config;
 		break;
 	default:
 		break;
 	}
 
-	if (ret)
+	if (ret) {
 		info("TUN Found %s tuner", tun_msg[ret]);
-	else {
-		info("TUN No tuner found --- resetting device");
-		lme_coldreset(d);
+	} else {
+		info("TUN No tuner found");
 		return -ENODEV;
 	}
 
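Review bot: In the TUNER_RS2000 case, a failed dvb_attach() now leaves ret at whatever it held before the switch, so the `if (ret)` test below only reaches "TUN No tuner found" if ret was initialised to 0 outside this hunk; an explicit `else ret = 0;` would make the failure path self-evident. Dropping lme_coldreset() also changes the no-tuner path for every tuner type handled by this switch, not only RS2000, and the commit message gives no reason for that.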

* [PATCH 3.16 289/410] l2tp: avoid using ->tunnel_sock for getting session's parent tunnel
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 302/410] mmc: dw_mmc: Factor out dw_mci_init_slot_caps Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 359/410] RDMA/ucma: Fix access to non-initialized CM_ID object Ben Hutchings
                   ` (330 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 7198c77aa05560c257ee377ec1f4796812121580 upstream.

Sessions don't need to use l2tp_sock_to_tunnel(xxx->tunnel_sock) for
accessing their parent tunnel. They have the .tunnel field in the
l2tp_session structure for that. Furthermore, in all these cases, the
session is registered, so we're guaranteed that .tunnel isn't NULL and
that the session properly holds a reference on the tunnel.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 66 +++++++++------------------------------------
 1 file changed, 12 insertions(+), 54 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -312,7 +312,6 @@ static int pppol2tp_sendmsg(struct kiocb
 	int error;
 	struct l2tp_session *session;
 	struct l2tp_tunnel *tunnel;
-	struct pppol2tp_session *ps;
 	int uhlen;
 
 	error = -ENOTCONN;
@@ -325,10 +324,7 @@ static int pppol2tp_sendmsg(struct kiocb
 	if (session == NULL)
 		goto error;
 
-	ps = l2tp_session_priv(session);
-	tunnel = l2tp_sock_to_tunnel(ps->tunnel_sock);
-	if (tunnel == NULL)
-		goto error_put_sess;
+	tunnel = session->tunnel;
 
 	uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
 
@@ -339,7 +335,7 @@ static int pppol2tp_sendmsg(struct kiocb
 			   sizeof(ppph) + total_len,
 			   0, GFP_KERNEL);
 	if (!skb)
-		goto error_put_sess_tun;
+		goto error_put_sess;
 
 	/* Reserve space for headers. */
 	skb_reserve(skb, NET_SKB_PAD);
@@ -358,20 +354,17 @@ static int pppol2tp_sendmsg(struct kiocb
 				 total_len);
 	if (error < 0) {
 		kfree_skb(skb);
-		goto error_put_sess_tun;
+		goto error_put_sess;
 	}
 
 	local_bh_disable();
 	l2tp_xmit_skb(session, skb, session->hdr_len);
 	local_bh_enable();
 
-	sock_put(ps->tunnel_sock);
 	sock_put(sk);
 
 	return total_len;
 
-error_put_sess_tun:
-	sock_put(ps->tunnel_sock);
 error_put_sess:
 	sock_put(sk);
 error:
@@ -396,10 +389,8 @@ static int pppol2tp_xmit(struct ppp_chan
 {
 	static const u8 ppph[2] = { 0xff, 0x03 };
 	struct sock *sk = (struct sock *) chan->private;
-	struct sock *sk_tun;
 	struct l2tp_session *session;
 	struct l2tp_tunnel *tunnel;
-	struct pppol2tp_session *ps;
 	int uhlen, headroom;
 
 	if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
@@ -410,13 +401,7 @@ static int pppol2tp_xmit(struct ppp_chan
 	if (session == NULL)
 		goto abort;
 
-	ps = l2tp_session_priv(session);
-	sk_tun = ps->tunnel_sock;
-	if (sk_tun == NULL)
-		goto abort_put_sess;
-	tunnel = l2tp_sock_to_tunnel(sk_tun);
-	if (tunnel == NULL)
-		goto abort_put_sess;
+	tunnel = session->tunnel;
 
 	uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
 	headroom = NET_SKB_PAD +
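Review bot: pppol2tp_xmit() now dereferences `session->tunnel` (for `tunnel->encap`) with both NULL checks gone and without the tunnel socket reference that the old code held until the `sock_put(sk_tun)` removed later in this function, so the whole transmit path rests on the invariant from the commit message that a registered session pins its tunnel. Put that invariant in a one-line comment at `tunnel = session->tunnel;`, since nothing else in the function now guards against the tunnel going away.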
@@ -425,7 +410,7 @@ static int pppol2tp_xmit(struct ppp_chan
 		   session->hdr_len +	/* L2TP header */
 		   sizeof(ppph);	/* PPP header */
 	if (skb_cow_head(skb, headroom))
-		goto abort_put_sess_tun;
+		goto abort_put_sess;
 
 	/* Setup PPP header */
 	__skb_push(skb, sizeof(ppph));
@@ -436,12 +421,10 @@ static int pppol2tp_xmit(struct ppp_chan
 	l2tp_xmit_skb(session, skb, session->hdr_len);
 	local_bh_enable();
 
-	sock_put(sk_tun);
 	sock_put(sk);
+
 	return 1;
 
-abort_put_sess_tun:
-	sock_put(sk_tun);
 abort_put_sess:
 	sock_put(sk);
 abort:
@@ -938,9 +921,7 @@ static int pppol2tp_getname(struct socke
 		goto end;
 
 	pls = l2tp_session_priv(session);
-	tunnel = l2tp_sock_to_tunnel(pls->tunnel_sock);
-	if (tunnel == NULL)
-		goto end_put_sess;
+	tunnel = session->tunnel;
 
 	inet = inet_sk(tunnel->sock);
 	if ((tunnel->version == 2) && (tunnel->sock->sk_family == AF_INET)) {
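Review bot: In pppol2tp_getname(), `inet = inet_sk(tunnel->sock)` now runs straight after `tunnel = session->tunnel;` with no check left in between; the commit message guarantees that .tunnel is non-NULL for a registered session but says nothing about tunnel->sock. State in a comment why tunnel->sock is valid here, or keep a guard for it.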
@@ -1020,8 +1001,6 @@ static int pppol2tp_getname(struct socke
 	*usockaddr_len = len;
 	error = 0;
 
-	sock_put(pls->tunnel_sock);
-end_put_sess:
 	sock_put(sk);
 end:
 	return error;
@@ -1262,7 +1241,6 @@ static int pppol2tp_ioctl(struct socket
 	struct sock *sk = sock->sk;
 	struct l2tp_session *session;
 	struct l2tp_tunnel *tunnel;
-	struct pppol2tp_session *ps;
 	int err;
 
 	if (!sk)
@@ -1286,16 +1264,10 @@ static int pppol2tp_ioctl(struct socket
 	/* Special case: if session's session_id is zero, treat ioctl as a
 	 * tunnel ioctl
 	 */
-	ps = l2tp_session_priv(session);
 	if ((session->session_id == 0) &&
 	    (session->peer_session_id == 0)) {
-		err = -EBADF;
-		tunnel = l2tp_sock_to_tunnel(ps->tunnel_sock);
-		if (tunnel == NULL)
-			goto end_put_sess;
-
+		tunnel = session->tunnel;
 		err = pppol2tp_tunnel_ioctl(tunnel, cmd, arg);
-		sock_put(ps->tunnel_sock);
 		goto end_put_sess;
 	}
 
@@ -1421,7 +1393,6 @@ static int pppol2tp_setsockopt(struct so
 	struct sock *sk = sock->sk;
 	struct l2tp_session *session;
 	struct l2tp_tunnel *tunnel;
-	struct pppol2tp_session *ps;
 	int val;
 	int err;
 
@@ -1446,20 +1417,14 @@ static int pppol2tp_setsockopt(struct so
 
 	/* Special case: if session_id == 0x0000, treat as operation on tunnel
 	 */
-	ps = l2tp_session_priv(session);
 	if ((session->session_id == 0) &&
 	    (session->peer_session_id == 0)) {
-		err = -EBADF;
-		tunnel = l2tp_sock_to_tunnel(ps->tunnel_sock);
-		if (tunnel == NULL)
-			goto end_put_sess;
-
+		tunnel = session->tunnel;
 		err = pppol2tp_tunnel_setsockopt(sk, tunnel, optname, val);
-		sock_put(ps->tunnel_sock);
-	} else
+	} else {
 		err = pppol2tp_session_setsockopt(sk, session, optname, val);
+	}
 
-end_put_sess:
 	sock_put(sk);
 end:
 	return err;
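Review bot: The `end_put_sess:` label is deleted from pppol2tp_setsockopt() here, so every `goto end_put_sess` in this function must be gone as well; only the one in the tunnel branch is visible as removed, so check the part of the function that lies between the two hunks. The bracing added to the `else` branch is a style-only change riding along with the fix and could be mentioned in the commit message.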
@@ -1547,7 +1512,6 @@ static int pppol2tp_getsockopt(struct so
 	struct l2tp_tunnel *tunnel;
 	int val, len;
 	int err;
-	struct pppol2tp_session *ps;
 
 	if (level != SOL_PPPOL2TP)
 		return -EINVAL;
@@ -1571,16 +1535,10 @@ static int pppol2tp_getsockopt(struct so
 		goto end;
 
 	/* Special case: if session_id == 0x0000, treat as operation on tunnel */
-	ps = l2tp_session_priv(session);
 	if ((session->session_id == 0) &&
 	    (session->peer_session_id == 0)) {
-		err = -EBADF;
-		tunnel = l2tp_sock_to_tunnel(ps->tunnel_sock);
-		if (tunnel == NULL)
-			goto end_put_sess;
-
+		tunnel = session->tunnel;
 		err = pppol2tp_tunnel_getsockopt(sk, tunnel, optname, &val);
-		sock_put(ps->tunnel_sock);
 		if (err)
 			goto end_put_sess;
 	} else {

* [PATCH 3.16 029/410] scsi: libsas: fix memory leak in sas_smp_get_phy_events()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 164/410] cifs: Fix missing put_xid in cifs_file_strict_mmap Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 110/410] ahci: Order SATA device IDs for codename Lewisburg Ben Hutchings
                   ` (374 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jason Yan, chenxiang, John Garry, Hannes Reinecke,
	Christoph Hellwig, chenqilin, Martin K. Petersen

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Yan <yanaijie@huawei.com>

commit 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 upstream.

We've got a memory leak with the following producer:

while true;
do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null;
done

The buffer req is allocated and not freed after we return. Fix it.

Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Signed-off-by: Jason Yan <yanaijie@huawei.com>
CC: John Garry <john.garry@huawei.com>
CC: chenqilin <chenqilin2@huawei.com>
CC: chenxiang <chenxiang66@hisilicon.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/libsas/sas_expander.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -684,6 +684,7 @@ int sas_smp_get_phy_events(struct sas_ph
 	phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
 
  out:
+	kfree(req);
 	kfree(resp);
 	return res;
 
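Review bot: `kfree(req)` under `out:` is correct only if every jump to that label happens with req either allocated or NULL and req is not freed on any earlier path; the allocation and the gotos are outside this hunk, so confirm that before applying. kfree(NULL) is a no-op, so an early `goto out` after a failed allocation is safe as long as req was initialised.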

* [PATCH 3.16 408/410] RDMA/ucma: Check that device exists prior to accessing it
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (209 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 383/410] RDMA/ucma: Ensure that CM_ID exists prior to access it Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 033/410] x86/traps: Enable DEBUG_STACK after cpu_init() for TRAP_DB/BP Ben Hutchings
                   ` (198 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, syzbot+71655d44855ac3e76366, Jason Gunthorpe

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit c8d3bcbfc5eab3f01cf373d039af725f3b488813 upstream.

Ensure that device exists prior to accessing its properties.

Reported-by: <syzbot+71655d44855ac3e76366@syzkaller.appspotmail.com>
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/ucma.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1229,7 +1229,7 @@ static ssize_t ucma_notify(struct ucma_f
 {
 	struct rdma_ucm_notify cmd;
 	struct ucma_context *ctx;
-	int ret;
+	int ret = -EINVAL;
 
 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 		return -EFAULT;
@@ -1238,7 +1238,9 @@ static ssize_t ucma_notify(struct ucma_f
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
-	ret = rdma_notify(ctx->cm_id, (enum ib_event_type) cmd.event);
+	if (ctx->cm_id->device)
+		ret = rdma_notify(ctx->cm_id, (enum ib_event_type)cmd.event);
+
 	ucma_put_ctx(ctx);
 	return ret;
 }
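Review bot: The failure value for a missing device comes from `int ret = -EINVAL;` at the declaration in the previous hunk, so the error path of `if (ctx->cm_id->device)` is implicit; an explicit `else ret = -EINVAL;` next to the check reads better and survives later edits to the initialiser. The visible lines also take no lock between testing `ctx->cm_id->device` and calling rdma_notify(), so it is worth confirming that the device pointer cannot change in that window.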

* [PATCH 3.16 302/410] mmc: dw_mmc: Factor out dw_mci_init_slot_caps
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 090/410] net/mlx4_core: Cleanup FMR unmapping flow Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 289/410] l2tp: avoid using ->tunnel_sock for getting session's parent tunnel Ben Hutchings
                   ` (331 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shawn Lin, Ulf Hansson

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shawn Lin <shawn.lin@rock-chips.com>

commit a4faa4929ed3be15e2d500d2405f992f6dedc8eb upstream.

Factor out dw_mci_init_slot_caps to consolidate parsing
all different types of capabilities from host controllers.
No functional change intended.

Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Fixes: 800d78bfccb3 ("mmc: dw_mmc: add support for implementation specific callbacks")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16:
 - We don't set MMC_CAP_ERASE or MMC_CAP2_SDIO_IRQ_NOTHREAD capabilities
 - Fold in required changes to the exit path from commits 51da2240906c
   "mmc: dw_mmc: use mmc_regulator_get_supply to handle regulators" and
   3cf890fc42b2 "mmc: dw_mmc: Pass back errors from mmc_of_parse()"
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -2044,12 +2044,40 @@ static struct device_node *dw_mci_of_fin
 }
 #endif /* CONFIG_OF */
 
+static int dw_mci_init_slot_caps(struct dw_mci_slot *slot)
+{
+	struct dw_mci *host = slot->host;
+	const struct dw_mci_drv_data *drv_data = host->drv_data;
+	struct mmc_host *mmc = slot->mmc;
+	int ctrl_id;
+
+	if (host->pdata->caps)
+		mmc->caps = host->pdata->caps;
+
+	if (host->pdata->pm_caps)
+		mmc->pm_caps = host->pdata->pm_caps;
+
+	if (host->dev->of_node) {
+		ctrl_id = of_alias_get_id(host->dev->of_node, "mshc");
+		if (ctrl_id < 0)
+			ctrl_id = 0;
+	} else {
+		ctrl_id = to_platform_device(host->dev)->id;
+	}
+	if (drv_data && drv_data->caps)
+		mmc->caps |= drv_data->caps[ctrl_id];
+
+	if (host->pdata->caps2)
+		mmc->caps2 = host->pdata->caps2;
+
+	return 0;
+}
+
 static int dw_mci_init_slot(struct dw_mci *host, unsigned int id)
 {
 	struct mmc_host *mmc;
 	struct dw_mci_slot *slot;
-	const struct dw_mci_drv_data *drv_data = host->drv_data;
-	int ctrl_id, ret;
+	int ret;
 	u32 freq[2];
 
 	mmc = mmc_alloc_host(sizeof(struct dw_mci_slot), host->dev);
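Review bot: In dw_mci_init_slot_caps(), `mmc->caps |= drv_data->caps[ctrl_id];` indexes the driver's caps array with a value that is only clamped when of_alias_get_id() returns a negative number; there is no upper bound, and the `to_platform_device(host->dev)->id` branch is not checked at all. Bound ctrl_id against the number of entries in drv_data->caps before indexing and return an error otherwise, which would also give the caller's `if (ret)` check something to catch, since the function as written always returns 0.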
@@ -2076,27 +2104,12 @@ static int dw_mci_init_slot(struct dw_mc
 
 	mmc->ocr_avail = MMC_VDD_32_33 | MMC_VDD_33_34;
 
-	if (host->pdata->caps)
-		mmc->caps = host->pdata->caps;
-
-	if (host->pdata->pm_caps)
-		mmc->pm_caps = host->pdata->pm_caps;
-
-	if (host->dev->of_node) {
-		ctrl_id = of_alias_get_id(host->dev->of_node, "mshc");
-		if (ctrl_id < 0)
-			ctrl_id = 0;
-	} else {
-		ctrl_id = to_platform_device(host->dev)->id;
-	}
-	if (drv_data && drv_data->caps)
-		mmc->caps |= drv_data->caps[ctrl_id];
-
-	if (host->pdata->caps2)
-		mmc->caps2 = host->pdata->caps2;
-
 	mmc_of_parse(mmc);
 
+	ret = dw_mci_init_slot_caps(slot);
+	if (ret)
+		goto err_host_allocated;
+
 	if (host->pdata->blk_settings) {
 		mmc->max_segs = host->pdata->blk_settings->max_segs;
 		mmc->max_blk_size = host->pdata->blk_settings->max_blk_size;
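Review bot: The caps setup used to run before mmc_of_parse(mmc) and now runs after it, and `mmc->caps = host->pdata->caps` in the helper is a plain assignment, so when pdata->caps is non-zero it replaces whatever mmc_of_parse() stored in mmc->caps. That is a behaviour change against the "No functional change intended" line in the commit message; either call dw_mci_init_slot_caps() ahead of mmc_of_parse() or explain the new order.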
@@ -2127,7 +2140,7 @@ static int dw_mci_init_slot(struct dw_mc
 
 	ret = mmc_add_host(mmc);
 	if (ret)
-		goto err_setup_bus;
+		goto err_host_allocated;
 
 #if defined(CONFIG_DEBUG_FS)
 	dw_mci_init_debugfs(slot);
@@ -2138,9 +2151,9 @@ static int dw_mci_init_slot(struct dw_mc
 
 	return 0;
 
-err_setup_bus:
+err_host_allocated:
 	mmc_free_host(mmc);
-	return -EINVAL;
+	return ret;
 }
 
 static void dw_mci_cleanup_slot(struct dw_mci_slot *slot, unsigned int id)

* [PATCH 3.16 158/410] NFS: reject request for id_legacy key without auxdata
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (326 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 390/410] s390/qeth: free netdevice when removing a card Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 278/410] drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE Ben Hutchings
                   ` (81 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Trond Myklebust, Eric Biggers, syzbot+5dfdbcf7b3eb5912abbb

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 49686cbbb3ebafe42e63868222f269d8053ead00 upstream.

nfs_idmap_legacy_upcall() is supposed to be called with 'aux' pointing
to a 'struct idmap', via the call to request_key_with_auxdata() in
nfs_idmap_request_key().

However it can also be reached via the request_key() system call in
which case 'aux' will be NULL, causing a NULL pointer dereference in
nfs_idmap_prepare_pipe_upcall(), assuming that the key description is
valid enough to get that far.

Fix this by making nfs_idmap_legacy_upcall() negate the key if no
auxdata is provided.

As usual, this bug was found by syzkaller.  A simple reproducer using
the command-line keyctl program is:

    keyctl request2 id_legacy uid:0 '' @s

Fixes: 57e62324e469 ("NFS: Store the legacy idmapper result in the keyring")
Reported-by: syzbot+5dfdbcf7b3eb5912abbb@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Trond Myklebust <trondmy@gmail.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/idmap.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/nfs/idmap.c
+++ b/fs/nfs/idmap.c
@@ -577,9 +577,13 @@ static int nfs_idmap_legacy_upcall(struc
 	struct idmap_msg *im;
 	struct idmap *idmap = (struct idmap *)aux;
 	struct key *key = cons->key;
-	int ret = -ENOMEM;
+	int ret = -ENOKEY;
+
+	if (!aux)
+		goto out1;
 
 	/* msg and im are freed in idmap_pipe_destroy_msg */
+	ret = -ENOMEM;
 	data = kzalloc(sizeof(*data), GFP_KERNEL);
 	if (!data)
 		goto out1;
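Review bot: The new `if (!aux) goto out1;` depends on what `out1` does, which is outside this hunk: the commit message says the key is negated, so confirm that the label completes the key request with ret (-ENOKEY) and does not touch data, msg or im, none of which is allocated yet at this point. A short comment on the check saying that aux is NULL when the upcall is reached through request_key() would record why it exists.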

* [PATCH 3.16 015/410] netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (175 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 234/410] netfilter: drop outermost socket lock in getsockopt() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 376/410] vti4: Don't override MTU passed on link creation via IFLA_MTU Ben Hutchings
                   ` (232 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Florian Westphal, Pablo Neira Ayuso, syzbot+845a53d13171abf8bf29

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the
total size.
Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of
-A INPUT --limit 1/s' --log
plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2010,7 +2010,9 @@ static int ebt_size_mwt(struct compat_eb
 		if (match_kern)
 			match_kern->match_size = ret;
 
-		WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+			return -EINVAL;
+
 		match32 = (struct compat_ebt_entry_mwt *) buf;
 	}
 
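Review bot: Keeping `WARN_ON()` around `type == EBT_COMPAT_TARGET && size_left` means the condition still logs a warning, and still panics under panic_on_warn, if it remains reachable from a userland-supplied blob, which is how the commit message says syzkaller hit it. If the offset checks added in size_entry_mwt() do not make it unreachable, a plain `if (...) return -EINVAL;` is the safer form.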
@@ -2067,6 +2069,15 @@ static int size_entry_mwt(struct ebt_ent
 	 *
 	 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
 	 */
+	for (i = 0; i < 4 ; ++i) {
+		if (offsets[i] >= *total)
+			return -EINVAL;
+		if (i == 0)
+			continue;
+		if (offsets[i-1] > offsets[i])
+			return -EINVAL;
+	}
+
 	for (i = 0, j = 1 ; j < 4 ; j++, i++) {
 		struct compat_ebt_entry_mwt *match32;
 		unsigned int size;
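Review bot: The ordering test `offsets[i-1] > offsets[i]` accepts equal neighbouring offsets, and offsets[0] is only checked against *total, with no lower bound. If equal offsets are meant to describe an empty section, say so in the comment block above the loop; the `if (i == 0) continue;` can also go by writing the test as `if (i && offsets[i-1] > offsets[i])`.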

* [PATCH 3.16 376/410] vti4: Don't override MTU passed on link creation via IFLA_MTU
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (176 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 015/410] netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 162/410] HID: roccat: prevent an out of bounds read in kovaplus_profile_activated() Ben Hutchings
                   ` (231 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sabrina Dubroca, Steffen Klassert, Stefano Brivio

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

commit 03080e5ec72740c1a62e6730f2a5f3f114f11b19 upstream.

Don't hardcode a MTU value on vti tunnel initialization,
ip_tunnel_newlink() is able to deal with this already. See also
commit ffc2b6ee4174 ("ip_gre: fix IFLA_MTU ignored on NEWLINK").

Fixes: 1181412c1a67 ("net/ipv4: VTI support new module for ip_vti.")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/ip_vti.c | 1 -
 1 file changed, 1 deletion(-)

--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -359,7 +359,6 @@ static int vti_tunnel_init(struct net_de
 	memcpy(dev->dev_addr, &iph->saddr, 4);
 	memcpy(dev->broadcast, &iph->daddr, 4);
 
-	dev->mtu		= ETH_DATA_LEN;
 	dev->flags		= IFF_NOARP;
 	dev->iflink		= 0;
 	dev->addr_len		= 4;
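Review bot: With `dev->mtu = ETH_DATA_LEN;` removed from vti_tunnel_init(), the commit message accounts for the ip_tunnel_newlink() path only. Confirm that a device initialised here through any other creation path still ends up with an MTU set, and name the code that sets it in the commit message.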

* [PATCH 3.16 388/410] ALSA: aloop: Fix access to not-yet-ready substream via cable
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (332 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 324/410] ia64: convert unwcheck.py to python3 Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 146/410] alpha: fix reboot on Avanti platform Ben Hutchings
                   ` (75 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e upstream.

In loopback_open() and loopback_close(), we assign and release the
substream object to the corresponding cable in a racy way.  It's
neither locked nor done in the right position.  The open callback
assigns the substream before its preparation finishes, hence the other
side of the cable may pick it up, which may lead to the invalid memory
access.

This patch addresses these: move the assignment to the end of the open
callback, and wrap with cable->lock for avoiding concurrent accesses.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/drivers/aloop.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -667,7 +667,9 @@ static void free_cable(struct snd_pcm_su
 		return;
 	if (cable->streams[!substream->stream]) {
 		/* other stream is still alive */
+		spin_lock_irq(&cable->lock);
 		cable->streams[substream->stream] = NULL;
+		spin_unlock_irq(&cable->lock);
 	} else {
 		/* free the cable */
 		loopback->cables[substream->number][dev] = NULL;
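Review bot: In free_cable(), the test `if (cable->streams[!substream->stream])` is still evaluated outside cable->lock while the store to `cable->streams[substream->stream]` is now inside it, so the decision between "other stream is still alive" and freeing the cable is a check-then-act on unlocked state. If the two ends of a cable can close concurrently, take cable->lock around the read as well, or note what else serialises it.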
@@ -707,7 +709,6 @@ static int loopback_open(struct snd_pcm_
 		loopback->cables[substream->number][dev] = cable;
 	}
 	dpcm->cable = cable;
-	cable->streams[substream->stream] = dpcm;
 
 	snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS);
 
@@ -739,6 +740,11 @@ static int loopback_open(struct snd_pcm_
 		runtime->hw = loopback_pcm_hardware;
 	else
 		runtime->hw = cable->hw;
+
+	spin_lock_irq(&cable->lock);
+	cable->streams[substream->stream] = dpcm;
+	spin_unlock_irq(&cable->lock);
+
  unlock:
 	if (err < 0) {
 		free_cable(substream);

* [PATCH 3.16 208/410] pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 112/410] AHCI: Remove obsolete Intel Lewisburg SATA RAID device IDs Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 360/410] RDMA/ucma: Don't allow join attempts for unsupported AF family Ben Hutchings
                   ` (391 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Josh Poimboeuf, Michael Kerrisk,
	Randy Dunlap, Al Viro, Joe Lawrence, Mikulas Patocka, Jens Axboe

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Lawrence <joe.lawrence@redhat.com>

commit 7a8d181949fb2c16be00f8cdb354794a30e46b39 upstream.

pipe_max_size is assigned directly via procfs sysctl:

  static struct ctl_table fs_table[] = {
          ...
          {
                  .procname       = "pipe-max-size",
                  .data           = &pipe_max_size,
                  .maxlen         = sizeof(int),
                  .mode           = 0644,
                  .proc_handler   = &pipe_proc_fn,
                  .extra1         = &pipe_min_size,
          },
          ...

  int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
                   size_t *lenp, loff_t *ppos)
  {
          ...
          ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
          ...

and then later rounded in-place a few statements later:

          ...
          pipe_max_size = round_pipe_size(pipe_max_size);
          ...

This leaves a window of time between initial assignment and rounding
that may be visible to other threads.  (For example, one thread sets a
non-rounded value to pipe_max_size while another reads its value.)

Similar reads of pipe_max_size are potentially racy:

  pipe.c :: alloc_pipe_info()
  pipe.c :: pipe_set_size()

Add a new proc_dopipe_max_size() that consolidates reading the new value
from the user buffer, verifying bounds, and calling round_pipe_size()
with a single assignment to pipe_max_size.

Link: http://lkml.kernel.org/r/1507658689-11669-4-git-send-email-joe.lawrence@redhat.com
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: Continue using int sysctl functions because we don't
 have proper unsigned int support]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1008,7 +1008,7 @@ const struct file_operations pipefifo_fo
  * Currently we rely on the pipe array holding a power-of-2 number
  * of pages. Returns 0 on error.
  */
-static inline unsigned int round_pipe_size(unsigned int size)
+unsigned int round_pipe_size(unsigned int size)
 {
 	unsigned long nr_pages;
 
@@ -1112,25 +1112,13 @@ out_revert_acct:
 }
 
 /*
- * This should work even if CONFIG_PROC_FS isn't set, as proc_dointvec_minmax
+ * This should work even if CONFIG_PROC_FS isn't set, as proc_dopipe_max_size
  * will return an error.
  */
 int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
 		 size_t *lenp, loff_t *ppos)
 {
-	unsigned int rounded_pipe_max_size;
-	int ret;
-
-	ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
-	if (ret < 0 || !write)
-		return ret;
-
-	rounded_pipe_max_size = round_pipe_size(pipe_max_size);
-	if (rounded_pipe_max_size == 0)
-		return -EINVAL;
-
-	pipe_max_size = rounded_pipe_max_size;
-	return ret;
+	return proc_dopipe_max_size(table, write, buf, lenp, ppos);
 }
 
 /*
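
Review bot: pipe_proc_fn() is now a one-line pass-through to proc_dopipe_max_size() with identical arguments. Either point the table's `.proc_handler` at proc_dopipe_max_size directly and drop the wrapper, or extend the comment above it to say why the indirection is kept.
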
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -149,5 +149,6 @@ long pipe_fcntl(struct file *, unsigned
 struct pipe_inode_info *get_pipe_info(struct file *file);
 
 int create_pipe_files(struct file **, int);
+unsigned int round_pipe_size(unsigned int size);
 
 #endif
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -45,6 +45,9 @@ extern int proc_dointvec(struct ctl_tabl
 			 void __user *, size_t *, loff_t *);
 extern int proc_dointvec_minmax(struct ctl_table *, int,
 				void __user *, size_t *, loff_t *);
+extern int proc_dopipe_max_size(struct ctl_table *table, int write,
+				void __user *buffer, size_t *lenp,
+				loff_t *ppos);
 extern int proc_dointvec_jiffies(struct ctl_table *, int,
 				 void __user *, size_t *, loff_t *);
 extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -64,6 +64,7 @@
 #include <linux/sched/sysctl.h>
 #include <linux/kexec.h>
 #include <linux/mount.h>
+#include <linux/pipe_fs_i.h>
 
 #include <asm/uaccess.h>
 #include <asm/processor.h>
@@ -2222,6 +2223,47 @@ int proc_dointvec_minmax(struct ctl_tabl
 				do_proc_dointvec_minmax_conv, &param);
 }
 
+struct do_proc_dopipe_max_size_conv_param {
+	unsigned int *min;
+};
+
+static int do_proc_dopipe_max_size_conv(bool *negp, unsigned long *lvalp,
+					int *valp, int write, void *data)
+{
+	struct do_proc_dopipe_max_size_conv_param *param = data;
+
+	if (write) {
+		unsigned int val = round_pipe_size(*lvalp);
+
+		if (*negp || val == 0)
+			return -EINVAL;
+
+		if (param->min && *param->min > val)
+			return -ERANGE;
+
+		if (*lvalp > UINT_MAX)
+			return -EINVAL;
+
+		*valp = val;
+	} else {
+		unsigned int val = *valp;
+		*negp = false;
+		*lvalp = (unsigned long) val;
+	}
+
+	return 0;
+}
+
+int proc_dopipe_max_size(struct ctl_table *table, int write,
+			 void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	struct do_proc_dopipe_max_size_conv_param param = {
+		.min = (unsigned int *) table->extra1,
+	};
+	return do_proc_dointvec(table, write, buffer, lenp, ppos,
+				do_proc_dopipe_max_size_conv, &param);
+}
+
 static void validate_coredump_safety(void)
 {
 #ifdef CONFIG_COREDUMP
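
Review bot: In do_proc_dopipe_max_size_conv(), `round_pipe_size(*lvalp)` is called before the `*lvalp > UINT_MAX` test, so an oversized unsigned long is first narrowed to the function's `unsigned int` parameter and can then be rejected by the `val == 0` or `*param->min > val` checks instead, which makes the errno for an out-of-range write depend on what the truncated value happens to round to. Moving the `*negp` and UINT_MAX checks ahead of the rounding call gives a consistent -EINVAL and makes the validation order match the data flow. Separately, `val` is an unsigned int stored through `int *valp`; a short comment that values above INT_MAX are recovered by the cast in the read branch would help, given that the backport keeps the int sysctl helpers.
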
@@ -2737,6 +2779,12 @@ int proc_dointvec_minmax(struct ctl_tabl
 	return -ENOSYS;
 }
 
+int proc_dopipe_max_size(struct ctl_table *table, int write,
+			 void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	return -ENOSYS;
+}
+
 int proc_dointvec_jiffies(struct ctl_table *table, int write,
 		    void __user *buffer, size_t *lenp, loff_t *ppos)
 {
@@ -2778,6 +2826,7 @@ int proc_doulongvec_ms_jiffies_minmax(st
 EXPORT_SYMBOL(proc_dointvec);
 EXPORT_SYMBOL(proc_dointvec_jiffies);
 EXPORT_SYMBOL(proc_dointvec_minmax);
+EXPORT_SYMBOL_GPL(proc_dopipe_max_size);
 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
 EXPORT_SYMBOL(proc_dostring);
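
Review bot: proc_dopipe_max_size is exported with EXPORT_SYMBOL_GPL while the neighbouring proc_do* handlers use EXPORT_SYMBOL, and the only caller in this patch is pipe_proc_fn() in fs/pipe.c. If no module is expected to use this handler, the export can be dropped; if one is, the changelog should say which.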


* [PATCH 3.16 236/410] netfilter: x_tables: fix missing timer initialization in xt_LED
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (241 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 366/410] net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 073/410] perf annotate: Fix objdump comment parsing for Intel mov dissassembly Ben Hutchings
                   ` (166 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Pablo Neira Ayuso, syzbot+10c98dc5725c6c8fc7fb, Paolo Abeni

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 10414014bc085aac9f787a5890b33b5605fbcfc4 upstream.

syzbot reported that xt_LED may try to use the ledinternal->timer
without previously initializing it:

------------[ cut here ]------------
kernel BUG at kernel/time/timer.c:958!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 1826 Comm: kworker/1:2 Not tainted 4.15.0+ #306
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:__mod_timer kernel/time/timer.c:958 [inline]
RIP: 0010:mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102
RSP: 0018:ffff8801d24fe9f8 EFLAGS: 00010293
RAX: ffff8801d25246c0 RBX: ffff8801aec6cb50 RCX: ffffffff816052c6
RDX: 0000000000000000 RSI: 00000000fffbd14b RDI: ffff8801aec6cb68
RBP: ffff8801d24fec98 R08: 0000000000000000 R09: 1ffff1003a49fd6c
R10: ffff8801d24feb28 R11: 0000000000000005 R12: dffffc0000000000
R13: ffff8801d24fec70 R14: 00000000fffbd14b R15: ffff8801af608f90
FS:  0000000000000000(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000206d6fd0 CR3: 0000000006a22001 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  led_tg+0x1db/0x2e0 net/netfilter/xt_LED.c:75
  ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365
  ip6table_raw_hook+0x65/0x80 net/ipv6/netfilter/ip6table_raw.c:42
  nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
  nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
  nf_hook.constprop.27+0x3f6/0x830 include/linux/netfilter.h:243
  NF_HOOK include/linux/netfilter.h:286 [inline]
  ndisc_send_skb+0xa51/0x1370 net/ipv6/ndisc.c:491
  ndisc_send_ns+0x38a/0x870 net/ipv6/ndisc.c:633
  addrconf_dad_work+0xb9e/0x1320 net/ipv6/addrconf.c:4008
  process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
  worker_thread+0x223/0x1990 kernel/workqueue.c:2247
  kthread+0x33c/0x400 kernel/kthread.c:238
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
Code: 85 2a 0b 00 00 4d 8b 3c 24 4d 85 ff 75 9f 4c 8b bd 60 fd ff ff e8 bb
57 10 00 65 ff 0d 94 9a a1 7e e9 d9 fc ff ff e8 aa 57 10 00 <0f> 0b e8 a3
57 10 00 e9 14 fb ff ff e8 99 57 10 00 4c 89 bd 70
RIP: __mod_timer kernel/time/timer.c:958 [inline] RSP: ffff8801d24fe9f8
RIP: mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102 RSP: ffff8801d24fe9f8
---[ end trace f661ab06f5dd8b3d ]---

The ledinternal struct can be shared between several different
xt_LED targets, but the related timer is currently initialized only
if the first target requires it. Fix it by unconditionally
initializing the timer struct.

v1 -> v2: call del_timer_sync() unconditionally, too.

Fixes: 268cb38e1802 ("netfilter: x_tables: add LED trigger target")
Reported-by: syzbot+10c98dc5725c6c8fc7fb@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: Keep using setup_timer()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -139,10 +139,11 @@ static int led_tg_check(const struct xt_
 		goto exit_alloc;
 	}
 
-	/* See if we need to set up a timer */
-	if (ledinfo->delay > 0)
-		setup_timer(&ledinternal->timer, led_timeout_callback,
-			    (unsigned long)ledinternal);
+	/* Since the letinternal timer can be shared between multiple targets,
+	 * always set it up, even if the current target does not need it
+	 */
+	setup_timer(&ledinternal->timer, led_timeout_callback,
+		    (unsigned long)ledinternal);
 
 	list_add_tail(&ledinternal->list, &xt_led_triggers);
 
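
Review bot: The added comment in led_tg_check() names the struct as "letinternal"; it should read "ledinternal". The comment could also say that the timer lives in the shared ledinternal struct, since that is the reason setup_timer() can no longer depend on this target's `ledinfo->delay`.
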
@@ -179,8 +180,7 @@ static void led_tg_destroy(const struct
 
 	list_del(&ledinternal->list);
 
-	if (ledinfo->delay > 0)
-		del_timer_sync(&ledinternal->timer);
+	del_timer_sync(&ledinternal->timer);
 
 	led_trigger_unregister(&ledinternal->netfilter_led_trigger);
 


* [PATCH 3.16 141/410] nfs: Do not convert nfs_idmap_cache_timeout to jiffies
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 001/410] MIPS: Normalise code flow in the CpU exception handler Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 407/410] RDMA/ucma: Check that device is connected prior to access it Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 034/410] x86/entry/64: Don't use IST entry for #BP stack Ben Hutchings
                   ` (406 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Chochol, Trond Myklebust

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Chochol <jan@chochol.info>

commit cbebc6ef4fc830f4040d4140bf53484812d5d5d9 upstream.

Since commit 57e62324e469 ("NFS: Store the legacy idmapper result in the
keyring") nfs_idmap_cache_timeout changed units from jiffies to seconds.
Unfortunately the sysctl interface was not updated accordingly.

As an effect, updating /proc/sys/fs/nfs/idmap_cache_timeout with some
value will incorrectly multiply this value by HZ.
Also, reading /proc/sys/fs/nfs/idmap_cache_timeout will show the real
value divided by HZ.

Fixes: 57e62324e469 ("NFS: Store the legacy idmapper result in the keyring")
Signed-off-by: Jan Chochol <jan@chochol.info>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/nfs4sysctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/nfs4sysctl.c
+++ b/fs/nfs/nfs4sysctl.c
@@ -31,7 +31,7 @@ static struct ctl_table nfs4_cb_sysctls[
 		.data = &nfs_idmap_cache_timeout,
 		.maxlen = sizeof(int),
 		.mode = 0644,
-		.proc_handler = proc_dointvec_jiffies,
+		.proc_handler = proc_dointvec,
 	},
 	{ }
 };
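
Review bot: With `.proc_handler = proc_dointvec` the entry accepts any int, including negative values, and nothing else in this table entry bounds what is written to nfs_idmap_cache_timeout. If a negative timeout in seconds is not meaningful, proc_dointvec_minmax with a zero lower bound in `.extra1` would reject it at write time instead of leaving it to the consumers of the value.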


* [PATCH 3.16 399/410] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (150 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 362/410] mmc: block: fix updating ext_csd caches on ioctl call Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 274/410] libata: disable LPM for Crucial BX100 SSD 500GB drive Ben Hutchings
                   ` (257 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Stefan Roese, Takashi Iwai

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Roese <sr@denx.de>

commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream.

When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
will get mmap'ed in 16KiB chunks. But this fails with the 2nd 16KiB
area, as the page offset is outside of the VMA range (size), which is
currently used as size parameter in snd_pcm_lib_default_mmap(). By
using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
can be mmap'ed and the issue is fixed.

This issue was detected on an ARM platform (TI AM57xx) using the RME
HDSP MADI PCIe soundcard.

Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available")
Signed-off-by: Stefan Roese <sr@denx.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/pcm_native.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -3219,7 +3219,7 @@ int snd_pcm_lib_default_mmap(struct snd_
 					 area,
 					 substream->runtime->dma_area,
 					 substream->runtime->dma_addr,
-					 area->vm_end - area->vm_start);
+					 substream->runtime->dma_bytes);
 #elif defined(CONFIG_MIPS) && defined(CONFIG_DMA_NONCOHERENT)
 	if (substream->dma_buffer.dev.type == SNDRV_DMA_TYPE_DEV &&
 	    !plat_device_is_coherent(substream->dma_buffer.dev.dev))
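
Review bot: The size argument passed to dma_mmap_coherent() no longer depends on the VMA at all, so this call site now relies on something else to keep the mapping inside the buffer. Please confirm, and say in the changelog or a comment, that the VMA's offset and length have already been checked against `runtime->dma_bytes` before snd_pcm_lib_default_mmap() is reached, so that a larger user-requested area cannot pass through here.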


* [PATCH 3.16 159/410] btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (386 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 017/410] kvm/x86: fix icebp instruction handling Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 389/410] posix-timers: Protect posix clock array access against speculation Ben Hutchings
                   ` (21 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Qu Wenruo, Nikolay Borisov, David Sterba

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Borisov <nborisov@suse.com>

commit f3038ee3a3f1017a1cbe9907e31fa12d366c5dcb upstream.

This function was introduced by 247e743cbe6e ("Btrfs: Use async helpers
to deal with pages that have been improperly dirtied") and it didn't do
any error handling then. This function might very well fail in an ENOMEM
situation, yet that is not handled, which could lead to inconsistent state.
So let's handle the failure by setting the mapping error bit.

Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1847,7 +1847,15 @@ again:
 		goto out;
 	 }
 
-	btrfs_set_extent_delalloc(inode, page_start, page_end, &cached_state);
+	ret = btrfs_set_extent_delalloc(inode, page_start, page_end,
+					&cached_state);
+	if (ret) {
+		mapping_set_error(page->mapping, ret);
+		end_extent_writepage(page, ret, page_start, page_end);
+		ClearPageChecked(page);
+		goto out;
+	}
+
 	ClearPageChecked(page);
 	set_page_dirty(page);
 out:
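
Review bot: ClearPageChecked(page) now appears twice, once inside the new `if (ret)` branch and once right after it. Calling it once before the `if (ret)` test would cover both paths and leave the error branch with only mapping_set_error(), end_extent_writepage() and the goto; if it has to run after end_extent_writepage() on the error path, a comment should say so.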


* [PATCH 3.16 004/410] x86/microcode/AMD: Do not load when running on a hypervisor
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (129 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 172/410] staging: iio: adc: remove the use of CamelCase Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 200/410] pipe: move limit checking logic into pipe_set_size() Ben Hutchings
                   ` (278 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Greg Kroah-Hartman, Borislav Petkov,
	Juergen Gross, Rolf Neugebauer, Boris Ostrovsky

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit a15a753539eca8ba243d576f02e7ca9c4b7d7042 upstream.

Doing so is completely void of sense for multiple reasons so prevent
it. Set dis_ucode_ldr to true and thus disable the microcode loader by
default to address xen pv guests which execute the AP path but not the
BSP path.

By having it turned off by default, the APs won't run into the loader
either.

Also, check CPUID(1).ECX[31] which hypervisors set. Well almost, not the
xen pv one. That one gets the aforementioned "fix".

Also, improve the detection method by caching the final decision whether
to continue loading in dis_ucode_ldr and do it once on the BSP. The APs
then simply test that value.

Signed-off-by: Borislav Petkov <bp@suse.de>
Tested-by: Juergen Gross <jgross@suse.com>
Tested-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Acked-by: Juergen Gross <jgross@suse.com>
Link: http://lkml.kernel.org/r/20161218164414.9649-4-bp@alien8.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Rolf Neugebauer <rolf.neugebauer@docker.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Early microcode loader is optional, so only set dis_ucode_ldr by default
   if it is enabled
 - Adjust context, filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/cpu/microcode/core.c
+++ b/arch/x86/kernel/cpu/microcode/core.c
@@ -97,7 +97,7 @@ MODULE_LICENSE("GPL");
 
 static struct microcode_ops	*microcode_ops;
 
-bool dis_ucode_ldr;
+bool dis_ucode_ldr = IS_ENABLED(CONFIG_MICROCODE_EARLY);
 module_param(dis_ucode_ldr, bool, 0);
 
 /*
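
Review bot: dis_ucode_ldr now starts out true whenever CONFIG_MICROCODE_EARLY is enabled, which is the opposite of what the name and the module_param() line below suggest to a reader. A comment at the definition explaining that the loader is disabled by default and re-enabled by check_loader_disabled_bsp() once the BSP has ruled out a hypervisor and the command-line option would keep this from being mistaken for a bug.
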
--- a/arch/x86/kernel/cpu/microcode/core_early.c
+++ b/arch/x86/kernel/cpu/microcode/core_early.c
@@ -76,6 +76,8 @@ static int x86_family(void)
 
 static bool __init check_loader_disabled_bsp(void)
 {
+	u32 a, b, c, d;
+
 #ifdef CONFIG_X86_32
 	const char *cmdline = (const char *)__pa_nodebug(boot_command_line);
 	const char *opt	    = "dis_ucode_ldr";
@@ -88,8 +90,23 @@ static bool __init check_loader_disabled
 	bool *res = &dis_ucode_ldr;
 #endif
 
-	if (cmdline_find_option_bool(cmdline, option))
-		*res = true;
+	if (!have_cpuid_p())
+		return *res;
+
+	a = 1;
+	c = 0;
+	native_cpuid(&a, &b, &c, &d);
+
+	/*
+	 * CPUID(1).ECX[31]: reserved for hypervisor use. This is still not
+	 * completely accurate as xen pv guests don't see that CPUID bit set but
+	 * that's good enough as they don't land on the BSP path anyway.
+	 */
+	if (c & BIT(31))
+		return *res;
+
+	if (cmdline_find_option_bool(cmdline, option) <= 0)
+		*res = false;
 
 	return *res;
 }
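
Review bot: The new test `cmdline_find_option_bool(cmdline, option) <= 0` treats a negative return the same as "option not present" and clears `*res`, which enables the loader. If a negative value signals that the command line could not be examined, leaving the loader disabled would be the safer outcome; either way the comment block should state which behaviour is intended.
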
@@ -101,9 +118,6 @@ void __init load_ucode_bsp(void)
 	if (check_loader_disabled_bsp())
 		return;
 
-	if (!have_cpuid_p())
-		return;
-
 	vendor = x86_vendor();
 	x86 = x86_family();
 
@@ -137,9 +151,6 @@ void load_ucode_ap(void)
 	if (check_loader_disabled_ap())
 		return;
 
-	if (!have_cpuid_p())
-		return;
-
 	vendor = x86_vendor();
 	x86 = x86_family();
 


* [PATCH 3.16 174/410] RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 343/410] ALSA: seq: Clear client entry before deleting else at closing Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 150/410] staging: rts5208: Fix "seg_no" calculation in reset_ms_card() Ben Hutchings
                   ` (321 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jason Gunthorpe, Majd Dibbiny, Leon Romanovsky, Yuval Shaia

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit b081808a66345ba725b77ecd8d759bee874cd937 upstream.

A failure in the XRCD FW deallocation command leaves memory leaked and
returns an error to the user, who can't do anything about it.

This patch changes behavior to always free memory and always return
success to the user.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Reviewed-by: Majd Dibbiny <majd@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx5/qp.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -3050,12 +3050,9 @@ int mlx5_ib_dealloc_xrcd(struct ib_xrcd
 	int err;
 
 	err = mlx5_core_xrcd_dealloc(&dev->mdev, xrcdn);
-	if (err) {
+	if (err)
 		mlx5_ib_warn(dev, "failed to dealloc xrcdn 0x%x\n", xrcdn);
-		return err;
-	}
 
 	kfree(xrcd);
-
 	return 0;
 }
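
Review bot: After this change `err` is used only to decide whether to warn, and the mlx5_ib_warn() format string prints `xrcdn` but not the error code. Since the function now always returns 0, the log line is the only place the firmware failure remains visible; add `err` to the message.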


* [PATCH 3.16 086/410] ath9k_htc: Add a sanity check in ath9k_htc_ampdu_action()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (256 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 031/410] drm: udl: Properly check framebuffer mmap offsets Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 400/410] bonding: fix the err path for dev hwaddr sync in bond_enslave Ben Hutchings
                   ` (151 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Kalle Valo

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 413fd2f5c0233d3cde391679b967c1f14cd2cb27 upstream.

Smatch generates a warning here:

    drivers/net/wireless/ath/ath9k/htc_drv_main.c:1688 ath9k_htc_ampdu_action()
    error: buffer overflow 'ista->tid_state' 8 <= 15

I don't know if it's a real bug or not but the other paths through this
function all ensure that "tid" is less than ATH9K_HTC_MAX_TID (8) so
checking here makes things more consistent.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/ath/ath9k/htc_drv_main.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
@@ -1672,6 +1672,10 @@ static int ath9k_htc_ampdu_action(struct
 		ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid);
 		break;
 	case IEEE80211_AMPDU_TX_OPERATIONAL:
+		if (tid >= ATH9K_HTC_MAX_TID) {
+			ret = -EINVAL;
+			break;
+		}
 		ista = (struct ath9k_htc_sta *) sta->drv_priv;
 		spin_lock_bh(&priv->tx.tx_lock);
 		ista->tid_state[tid] = AGGR_OPERATIONAL;
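
Review bot: The `tid >= ATH9K_HTC_MAX_TID` check is added inside the IEEE80211_AMPDU_TX_OPERATIONAL case only. Since the changelog says every other path through the function already enforces the same bound, a single check before the switch would cover all actions, including any added later, and would remove the need to audit each `tid_state[tid]` access separately.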


* [PATCH 3.16 199/410] pipe: relocate round_pipe_size() above pipe_set_size()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 281/410] ALSA: usb-audio: Add a quirck for B&W PX headphones Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 166/410] USB: serial: pl2303: new device id for Chilitag Ben Hutchings
                   ` (325 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Vegard Nossum, Tetsuo Handa,
	Michael Kerrisk (man-pages),
	socketpair, Al Viro, Willy Tarreau, Jens Axboe

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>

commit f491bd71118beba608d39ac2d5f1530e1160cd2e upstream.

Patch series "pipe: fix limit handling", v2.

When changing a pipe's capacity with fcntl(F_SETPIPE_SZ), various limits
defined by /proc/sys/fs/pipe-* files are checked to see if unprivileged
users are exceeding limits on memory consumption.

While documenting and testing the operation of these limits I noticed
that, as currently implemented, these checks have a number of problems:

(1) When increasing the pipe capacity, the checks against the limits
    in /proc/sys/fs/pipe-user-pages-{soft,hard} are made against
    existing consumption, and exclude the memory required for the
    increased pipe capacity. The new increase in pipe capacity can then
    push the total memory used by the user for pipes (possibly far) over
    a limit. This can also trigger the problem described next.

(2) The limit checks are performed even when the new pipe capacity
    is less than the existing pipe capacity. This can lead to problems
    if a user sets a large pipe capacity, and then the limits are
    lowered, with the result that the user will no longer be able to
    decrease the pipe capacity.

(3) As currently implemented, accounting and checking against the
    limits is done as follows:

    (a) Test whether the user has exceeded the limit.
    (b) Make new pipe buffer allocation.
    (c) Account new allocation against the limits.

    This is racy. Multiple processes may pass point (a) simultaneously,
    and then allocate pipe buffers that are accounted for only in step
    (c).  The race means that the user's pipe buffer allocation could be
    pushed over the limit (by an arbitrary amount, depending on how
    unlucky we were in the race). [Thanks to Vegard Nossum for spotting
    this point, which I had missed.]

This patch series addresses these three problems.

This patch (of 8):

This is a minor preparatory patch.  After subsequent patches,
round_pipe_size() will be called from pipe_set_size(), so place
round_pipe_size() above pipe_set_size().

Link: http://lkml.kernel.org/r/91a91fdb-a959-ba7f-b551-b62477cc98a1@gmail.com
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: <socketpair@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Jens Axboe <axboe@fb.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/pipe.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -994,6 +994,18 @@ const struct file_operations pipefifo_fo
 };
 
 /*
+ * Currently we rely on the pipe array holding a power-of-2 number
+ * of pages.
+ */
+static inline unsigned int round_pipe_size(unsigned int size)
+{
+	unsigned long nr_pages;
+
+	nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
+	return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
+}
+
+/*
  * Allocate a new array of pipe buffers and copy the info over. Returns the
  * pipe size if successful, or return -ERROR on error.
  */
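
Review bot: round_pipe_size() is moved unchanged, so it still returns `roundup_pow_of_two(nr_pages) << PAGE_SHIFT` through an `unsigned int`: for any `size` above 2^31 the rounded-up value would need to be 2^32, which does not fit the return type. That is outside the scope of a pure relocation, but since the changelog says later patches will call this from pipe_set_size(), the comment should state the valid input range, or a follow-up in the series should reject such sizes.
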
@@ -1044,18 +1056,6 @@ static long pipe_set_size(struct pipe_in
 }
 
 /*
- * Currently we rely on the pipe array holding a power-of-2 number
- * of pages.
- */
-static inline unsigned int round_pipe_size(unsigned int size)
-{
-	unsigned long nr_pages;
-
-	nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
-	return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
-}
-
-/*
  * This should work even if CONFIG_PROC_FS isn't set, as proc_dointvec_minmax
  * will return an error.
  */


* [PATCH 3.16 009/410] mm/madvise.c: fix madvise() infinite loop under special circumstances
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (136 preceding siblings ...)
  2018-06-07 14:05   ` [PATCH 3.16 267/410] " Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 373/410] batman-adv: Fix skbuff rcsum on packet reroute Ben Hutchings
                   ` (271 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Miao Xie, Dan Williams, David Rientjes, Carsten Otte,
	Shaohua Li, Mel Gorman, Mike Rapoport, Linus Torvalds,
	Anshuman Khandual, Kirill A. Shutemov, Rik van Riel, zhangyi (F),
	Andrea Arcangeli, Michal Hocko, guoxuenan, Minchan Kim, chenjie

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: chenjie <chenjie6@huawei.com>

commit 6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91 upstream.

MADVISE_WILLNEED has always been a noop for DAX (formerly XIP) mappings.
Unfortunately madvise_willneed() doesn't communicate this information
properly to the generic madvise syscall implementation.  The calling
convention is quite subtle there.  madvise_vma() is supposed to either
return an error or update &prev otherwise the main loop will never
advance to the next vma and it will keep looping for ever without a way
to get out of the kernel.

It seems this has been broken since introduction.  Nobody has noticed
because nobody seems to be using MADVISE_WILLNEED on these DAX mappings.

[mhocko@suse.com: rewrite changelog]
Link: http://lkml.kernel.org/r/20171127115318.911-1-guoxuenan@huawei.com
Fixes: fe77ba6f4f97 ("[PATCH] xip: madvice/fadvice: execute in place")
Signed-off-by: chenjie <chenjie6@huawei.com>
Signed-off-by: guoxuenan <guoxuenan@huawei.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: zhangyi (F) <yi.zhang@huawei.com>
Cc: Miao Xie <miaoxie@huawei.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: Shaohua Li <shli@fb.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Anshuman Khandual <khandual@linux.vnet.ibm.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Carsten Otte <cotte@de.ibm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -221,9 +221,9 @@ static long madvise_willneed(struct vm_a
 {
 	struct file *file = vma->vm_file;
 
+	*prev = vma;
 #ifdef CONFIG_SWAP
 	if (!file || mapping_cap_swap_backed(file->f_mapping)) {
-		*prev = vma;
 		if (!file)
 			force_swapin_readahead(vma, start, end);
 		else
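Review bot: the unconditional "*prev = vma;" at the top of madvise_willneed() carries the whole fix but has no comment, and the changelog itself calls this calling convention "quite subtle". A one-line comment stating that the function must update *prev on every non-error return, because the caller's loop otherwise never advances, would keep a later cleanup from moving the assignment back under the CONFIG_SWAP branch.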
@@ -241,7 +241,6 @@ static long madvise_willneed(struct vm_a
 		return 0;
 	}
 
-	*prev = vma;
 	start = ((start - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
 	if (end > vma->vm_end)
 		end = vma->vm_end;
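
The calling convention the changelog describes, as an added example (not part of the original patch or of the kernel source): a simplified user-space model of a caller loop that picks the next VMA from prev, run against a handler that skips the *prev update on its DAX early return and one that does not. struct vma, madvise_walk(), the handlers and the address layouts are constructed for illustration, and the loop shape is an assumption based on the changelog.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a VMA: half-open range [start, end) in a sorted list. */
struct vma {
	unsigned long start, end;
	bool dax;		/* takes the "WILLNEED is a no-op" early return */
	struct vma *next;
};

typedef long (*willneed_fn)(struct vma *vma, struct vma **prev);

/* Before the fix: the DAX early return leaves *prev untouched. */
static long willneed_before(struct vma *vma, struct vma **prev)
{
	if (vma->dax)
		return 0;
	*prev = vma;
	return 0;
}

/* After the fix: *prev is updated before any return. */
static long willneed_after(struct vma *vma, struct vma **prev)
{
	*prev = vma;
	return 0;
}

/* First VMA whose end is above addr; *pprev gets its predecessor or NULL. */
static struct vma *find_vma_prev(struct vma *head, unsigned long addr,
				 struct vma **pprev)
{
	struct vma *prev = NULL, *v = head;

	while (v && v->end <= addr) {
		prev = v;
		v = v->next;
	}
	*pprev = prev;
	return v;
}

/*
 * Model of the caller's loop (assumed shape).  Returns the number of handler
 * calls made, or -1 if `cap` calls were made without reaching `end`, which
 * stands for the loop that never leaves the kernel.
 */
static int madvise_walk(struct vma *head, unsigned long start,
			unsigned long end, willneed_fn fn, int cap)
{
	struct vma *prev, *unused;
	struct vma *vma = find_vma_prev(head, start, &prev);
	int calls = 0;

	for (;;) {
		unsigned long tmp;

		if (!vma)
			return calls;
		if (start < vma->start) {
			start = vma->start;
			if (start >= end)
				return calls;
		}
		tmp = vma->end < end ? vma->end : end;
		if (calls == cap)
			return -1;
		calls++;
		if (fn(vma, &prev))
			return calls;
		start = tmp;
		if (prev && start < prev->end)
			start = prev->end;
		if (start >= end)
			return calls;
		/* The next VMA comes from prev: a stale prev repeats the same VMA. */
		vma = prev ? prev->next : find_vma_prev(head, start, &unused);
	}
}

/* Constructed layout: normal, DAX, normal; the advised range covers all three. */
static int walk_dax_in_middle(willneed_fn fn)
{
	struct vma c = { 0x3000, 0x4000, false, NULL };
	struct vma b = { 0x2000, 0x3000, true, &c };
	struct vma a = { 0x1000, 0x2000, false, &b };

	return madvise_walk(&a, 0x1000, 0x4000, fn, 1000);
}

/* Constructed layout: the DAX VMA is first, so prev starts out NULL. */
static int walk_dax_first(willneed_fn fn)
{
	struct vma c = { 0x2000, 0x3000, false, NULL };
	struct vma b = { 0x1000, 0x2000, true, &c };

	return madvise_walk(&b, 0x1000, 0x3000, fn, 1000);
}

int main(void)
{
	printf("DAX in middle, before fix: %d\n", walk_dax_in_middle(willneed_before));
	printf("DAX in middle, after fix:  %d\n", walk_dax_in_middle(willneed_after));
	printf("DAX first, before fix:     %d\n", walk_dax_first(willneed_before));
	return 0;
}
```

In this model the walk only fails to terminate when a non-NULL prev is left stale and the advised range extends past the DAX VMA; with prev still NULL the lookup by address moves on.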


* [PATCH 3.16 305/410] tty: make n_tty_read() always abort if hangup is in progress
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (247 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 092/410] video: fbdev: atmel_lcdfb: fix display-timings lookup Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 127/410] NFS: Add a cond_resched() to nfs_commit_release_pages() Ben Hutchings
                   ` (160 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Greg Kroah-Hartman, Alan Cox

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit 28b0f8a6962a24ed21737578f3b1b07424635c9e upstream.

A tty is hung up by __tty_hangup() setting file->f_op to
hung_up_tty_fops, which is skipped on ttys whose write operation isn't
tty_write().  This means that, for example, /dev/console whose write
op is redirected_tty_write() is never actually marked hung up.

Because n_tty_read() uses the hung up status to decide whether to
abort the waiting readers, the lack of hung-up marking can lead to the
following scenario.

 1. A session contains two processes.  The leader and its child.  The
    child ignores SIGHUP.

 2. The leader exits and starts disassociating from the controlling
    terminal (/dev/console).

 3. __tty_hangup() skips setting f_op to hung_up_tty_fops.

 4. SIGHUP is delivered and ignored.

 5. tty_ldisc_hangup() is invoked.  It wakes up the waits which should
    clear the read lockers of tty->ldisc_sem.

 6. The reader wakes up but because tty_hung_up_p() is false, it
    doesn't abort and goes back to sleep while read-holding
    tty->ldisc_sem.

 7. The leader progresses to tty_ldisc_lock() in tty_ldisc_hangup()
    and is now stuck in D sleep indefinitely waiting for
    tty->ldisc_sem.

The following is Alan's explanation on why some ttys aren't hung up.

 http://lkml.kernel.org/r/20171101170908.6ad08580@alans-desktop

 1. It broke the serial consoles because they would hang up and close
    down the hardware. With tty_port that *should* be fixable properly
    for any cases remaining.

 2. The console layer was (and still is) completely broken and doesn't
    refcount properly. So if you turn on console hangups it breaks (as
    indeed does freeing consoles and half a dozen other things).

As neither can be fixed quickly, this patch works around the problem
by introducing a new flag, TTY_HUPPING, which is used solely to tell
n_tty_read() that hang-up is in progress for the console and the
readers should be aborted regardless of the hung-up status of the
device.

The following is a sample hung task warning caused by this issue.

  INFO: task agetty:2662 blocked for more than 120 seconds.
        Not tainted 4.11.3-dbg-tty-lockup-02478-gfd6c7ee-dirty #28
  "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      0  2662      1 0x00000086
  Call Trace:
   __schedule+0x267/0x890
   schedule+0x36/0x80
   schedule_timeout+0x23c/0x2e0
   ldsem_down_write+0xce/0x1f6
   tty_ldisc_lock+0x16/0x30
   tty_ldisc_hangup+0xb3/0x1b0
   __tty_hangup+0x300/0x410
   disassociate_ctty+0x6c/0x290
   do_exit+0x7ef/0xb00
   do_group_exit+0x3f/0xa0
   get_signal+0x1b3/0x5d0
   do_signal+0x28/0x660
   exit_to_usermode_loop+0x46/0x86
   do_syscall_64+0x9c/0xb0
   entry_SYSCALL64_slow_path+0x25/0x25

The following is the repro.  Run "$PROG /dev/console".  The parent
process hangs in D state.

  #include <sys/types.h>
  #include <sys/stat.h>
  #include <sys/wait.h>
  #include <sys/ioctl.h>
  #include <fcntl.h>
  #include <unistd.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <errno.h>
  #include <signal.h>
  #include <time.h>
  #include <termios.h>

  int main(int argc, char **argv)
  {
	  struct sigaction sact = { .sa_handler = SIG_IGN };
	  struct timespec ts1s = { .tv_sec = 1 };
	  pid_t pid;
	  int fd;

	  if (argc < 2) {
		  fprintf(stderr, "test-hung-tty /dev/$TTY\n");
		  return 1;
	  }

	  /* fork a child to ensure that it isn't already the session leader */
	  pid = fork();
	  if (pid < 0) {
		  perror("fork");
		  return 1;
	  }

	  if (pid > 0) {
		  /* top parent, wait for everyone */
		  while (waitpid(-1, NULL, 0) >= 0)
			  ;
		  if (errno != ECHILD)
			  perror("waitpid");
		  return 0;
	  }

	  /* new session, start a new session and set the controlling tty */
	  if (setsid() < 0) {
		  perror("setsid");
		  return 1;
	  }

	  fd = open(argv[1], O_RDWR);
	  if (fd < 0) {
		  perror("open");
		  return 1;
	  }

	  if (ioctl(fd, TIOCSCTTY, 1) < 0) {
		  perror("ioctl");
		  return 1;
	  }

	  /* fork a child, sleep a bit and exit */
	  pid = fork();
	  if (pid < 0) {
		  perror("fork");
		  return 1;
	  }

	  if (pid > 0) {
		  nanosleep(&ts1s, NULL);
		  printf("Session leader exiting\n");
		  exit(0);
	  }

	  /*
	   * The child ignores SIGHUP and keeps reading from the controlling
	   * tty.  Because SIGHUP is ignored, the child doesn't get killed on
	   * parent exit and the bug in n_tty makes the read(2) block the
	   * parent's control terminal hangup attempt.  The parent ends up in
	   * D sleep until the child is explicitly killed.
	   */
	  sigaction(SIGHUP, &sact, NULL);
	  printf("Child reading tty\n");
	  while (1) {
		  char buf[1024];

		  if (read(fd, buf, sizeof(buf)) < 0) {
			  perror("read");
			  return 1;
		  }
	  }

	  return 0;
  }

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Alan Cox <alan@llwyncelyn.cymru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: TTY_HUPPING is not really a new flag; it's an old flag
 that was wrongly removed in 3.19.  Just add the test for it in n_tty_read().]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2261,6 +2261,12 @@ static ssize_t n_tty_read(struct tty_str
 				}
 				if (tty_hung_up_p(file))
 					break;
+				/*
+				 * Abort readers for ttys which never actually
+				 * get hung up.  See __tty_hangup().
+				 */
+				if (test_bit(TTY_HUPPING, &tty->flags))
+					break;
 				if (!timeout)
 					break;
 				if (file->f_flags & O_NONBLOCK) {
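Review bot: the new test_bit(TTY_HUPPING, &tty->flags) check only helps if the flag is still set when the reader woken by tty_ldisc_hangup() gets back to this point, and neither the hunk nor its comment says where the flag is set and cleared. Since the backport note says 3.16 relies on an existing flag rather than one introduced by the upstream change, the comment should name the set and clear sites in __tty_hangup() so the ordering against the wakeup can be checked in this tree.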


* [PATCH 3.16 170/410] cifs: fix memory leak when password is supplied multiple times
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (319 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 069/410] perf report: Fix -D output for user metadata events Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 249/410] staging: android: ashmem: Fix possible deadlock in ashmem_ioctl Ben Hutchings
                   ` (88 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Namjae Jeon, Ashish Sangwan

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Namjae Jeon <namjae.jeon@samsung.com>

commit d6ccf4997e62fb6629f9f003980dca5292138b7b upstream.

Unlikely but possible. When password is supplied multiple times, we have
to free the previous allocation.

Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Ashish Sangwan <a.sangwan@samsung.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/connect.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1614,6 +1614,7 @@ cifs_parse_mount_options(const char *mou
 			tmp_end++;
 			if (!(tmp_end < end && tmp_end[1] == delim)) {
 				/* No it is not. Set the password to NULL */
+				kfree(vol->password);
 				vol->password = NULL;
 				break;
 			}
@@ -1651,6 +1652,7 @@ cifs_parse_mount_options(const char *mou
 					options = end;
 			}
 
+			kfree(vol->password);
 			/* Now build new password string */
 			temp_len = strlen(value);
 			vol->password = kzalloc(temp_len+1, GFP_KERNEL);
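Review bot: kfree(vol->password) releases a buffer that holds the cleartext mount password without clearing it, both here ahead of the kzalloc() and in the previous hunk ahead of "vol->password = NULL;". Using kzfree(vol->password) at both sites would fix the leak and also scrub the old password instead of leaving it readable in freed slab memory.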


* [PATCH 3.16 098/410] spi: imx: do not access registers while clocks disabled
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 231/410] ARM: mvebu: Fix broken PL310_ERRATA_753970 selects Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 410/410] net: Fix untag for vlan packets without ethernet header Ben Hutchings
                   ` (378 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Stefan Agner

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Agner <stefan@agner.ch>

commit d593574aff0ab846136190b1729c151c736727ec upstream.

Since clocks are disabled except during message transfer, clocks
are also disabled when spi_imx_remove gets called. Accessing
registers leads to a freeze at least on an i.MX 6ULL. Enable
clocks before disabling accessing the MXC_CSPICTRL register.

Fixes: 9e556dcc55774 ("spi: spi-imx: only enable the clocks when we start to transfer a message")
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Mark Brown <broonie@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-imx.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -943,12 +943,23 @@ static int spi_imx_remove(struct platfor
 {
 	struct spi_master *master = platform_get_drvdata(pdev);
 	struct spi_imx_data *spi_imx = spi_master_get_devdata(master);
+	int ret;
 
 	spi_bitbang_stop(&spi_imx->bitbang);
 
+	ret = clk_enable(spi_imx->clk_per);
+	if (ret)
+		return ret;
+
+	ret = clk_enable(spi_imx->clk_ipg);
+	if (ret) {
+		clk_disable(spi_imx->clk_per);
+		return ret;
+	}
+
 	writel(0, spi_imx->base + MXC_CSPICTRL);
-	clk_unprepare(spi_imx->clk_ipg);
-	clk_unprepare(spi_imx->clk_per);
+	clk_disable_unprepare(spi_imx->clk_ipg);
+	clk_disable_unprepare(spi_imx->clk_per);
 	spi_master_put(master);
 
 	return 0;
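Review bot: the two new "return ret" paths after clk_enable() leave spi_imx_remove() after spi_bitbang_stop() has already run but before the clocks are unprepared and before spi_master_put(master), so a clock enable failure leaks the master reference and leaves both clocks prepared. Consider skipping only the writel() to MXC_CSPICTRL on failure and still falling through to clk_unprepare() for both clocks and spi_master_put().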


* [PATCH 3.16 121/410] crypto: hash - introduce crypto_hash_alg_has_setkey()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (101 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 406/410] net/mlx4_en: Fix mixed PFC and Global pause user control requests Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 262/410] ASoC: rt5651: Fix regcache sync errors on resume Ben Hutchings
                   ` (306 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Eric Biggers

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit cd6ed77ad5d223dc6299fb58f62e0f5267f7e2ba upstream.

Templates that use an shash spawn can use crypto_shash_alg_has_setkey()
to determine whether the underlying algorithm requires a key or not.
But there was no corresponding function for ahash spawns.  Add it.

Note that the new function actually has to support both shash and ahash
algorithms, since the ahash API can be used with either.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/ahash.c                 | 11 +++++++++++
 include/crypto/internal/hash.h |  2 ++
 2 files changed, 13 insertions(+)

--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -630,5 +630,16 @@ struct hash_alg_common *ahash_attr_alg(s
 }
 EXPORT_SYMBOL_GPL(ahash_attr_alg);
 
+bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg)
+{
+	struct crypto_alg *alg = &halg->base;
+
+	if (alg->cra_type != &crypto_ahash_type)
+		return crypto_shash_alg_has_setkey(__crypto_shash_alg(alg));
+
+	return __crypto_ahash_alg(alg)->setkey != NULL;
+}
+EXPORT_SYMBOL_GPL(crypto_hash_alg_has_setkey);
+
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Asynchronous cryptographic hash type");
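Review bot: crypto_hash_alg_has_setkey() is exported without any comment, and its first branch treats every algorithm whose cra_type is not &crypto_ahash_type as an shash and hands it to __crypto_shash_alg(). A short comment stating that halg must be a hash algorithm, either ahash or shash as the changelog explains, would document the precondition that makes that conversion safe.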
--- a/include/crypto/internal/hash.h
+++ b/include/crypto/internal/hash.h
@@ -91,6 +91,8 @@ static inline bool crypto_shash_alg_has_
 	return alg->setkey != shash_no_setkey;
 }
 
+bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg);
+
 int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn,
 			    struct hash_alg_common *alg,
 			    struct crypto_instance *inst);


* [PATCH 3.16 292/410] l2tp: fix races with tunnel socket close
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (307 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 135/410] uas: Log error codes when logging errors Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 328/410] brcmfmac: fix P2P_DEVICE ethernet address generation Ben Hutchings
                   ` (100 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, James Chapman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Chapman <jchapman@katalix.com>

commit d00fa9adc528c1b0e64d532556764852df8bd7b9 upstream.

The tunnel socket tunnel->sock (struct sock) is accessed when
preparing a new ppp session on a tunnel at pppol2tp_session_init. If
the socket is closed by a thread while another is creating a new
session, the threads race. In pppol2tp_connect, the tunnel object may
be created if the pppol2tp socket is associated with the special
session_id 0 and the tunnel socket is looked up using the provided
fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel
socket to prevent it being destroyed during pppol2tp_connect since
this may itself race with the socket being destroyed. Doing
sockfd_lookup in pppol2tp_connect isn't sufficient to prevent
tunnel->sock going away either because a given tunnel socket fd may be
reused between calls to pppol2tp_connect. Instead, have
l2tp_tunnel_create sock_hold the tunnel socket before it does
sockfd_put. This ensures that the tunnel's socket is always extant
while the tunnel object exists. Hold a ref on the socket until the
tunnel is destroyed and ensure that all tunnel destroy paths go
through a common function (l2tp_tunnel_delete) since this will do the
final sock_put to release the tunnel socket.

Since the tunnel's socket is now guaranteed to exist if the tunnel
exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel
to derive the tunnel from the socket since this is always
sk_user_data.

Also, sessions no longer sock_hold the tunnel socket since sessions
already hold a tunnel ref and the tunnel sock will not be freed until
the tunnel is freed. Removing these sock_holds in
l2tp_session_register avoids a possible sock leak in the
pppol2tp_connect error path if l2tp_session_register succeeds but
attaching a ppp channel fails. The pppol2tp_connect error path could
have been fixed instead and have the sock ref dropped when the session
is freed, but doing a sock_put of the tunnel socket when the session
is freed would require a new session_free callback. It is simpler to
just remove the sock_hold of the tunnel socket in
l2tp_session_register, now that the tunnel socket lifetime is
guaranteed.

Finally, some init code in l2tp_tunnel_create is reordered to ensure
that the new tunnel object's refcount is set and the tunnel socket ref
is taken before the tunnel socket destructor callbacks are set.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:pppol2tp_session_init+0x1d6/0x500
RSP: 0018:ffff88001377fb40 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d
RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228
RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002
R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76
FS:  00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0
Call Trace:
 pppol2tp_connect+0xd18/0x13c0
 ? pppol2tp_session_create+0x170/0x170
 ? __might_fault+0x115/0x1d0
 ? lock_downgrade+0x860/0x860
 ? __might_fault+0xe5/0x1d0
 ? security_socket_connect+0x8e/0xc0
 SYSC_connect+0x1b6/0x310
 ? SYSC_bind+0x280/0x280
 ? __do_page_fault+0x5d1/0xca0
 ? up_read+0x1f/0x40
 ? __do_page_fault+0x3c8/0xca0
 SyS_connect+0x29/0x30
 ? SyS_accept+0x40/0x40
 do_syscall_64+0x1e0/0x730
 ? trace_hardirqs_off_thunk+0x1a/0x1c
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7ffb3e376259
RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259
RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004
RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60
R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000
Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16

Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh; Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_core.c | 117 +++++++++++++------------------------------
 net/l2tp/l2tp_core.h |  23 +--------
 net/l2tp/l2tp_ip.c   |  10 ++--
 net/l2tp/l2tp_ip6.c  |   8 ++-
 4 files changed, 42 insertions(+), 116 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -135,51 +135,6 @@ l2tp_session_id_hash_2(struct l2tp_net *
 
 }
 
-/* Lookup the tunnel socket, possibly involving the fs code if the socket is
- * owned by userspace.  A struct sock returned from this function must be
- * released using l2tp_tunnel_sock_put once you're done with it.
- */
-static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
-{
-	int err = 0;
-	struct socket *sock = NULL;
-	struct sock *sk = NULL;
-
-	if (!tunnel)
-		goto out;
-
-	if (tunnel->fd >= 0) {
-		/* Socket is owned by userspace, who might be in the process
-		 * of closing it.  Look the socket up using the fd to ensure
-		 * consistency.
-		 */
-		sock = sockfd_lookup(tunnel->fd, &err);
-		if (sock)
-			sk = sock->sk;
-	} else {
-		/* Socket is owned by kernelspace */
-		sk = tunnel->sock;
-		sock_hold(sk);
-	}
-
-out:
-	return sk;
-}
-
-/* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
-static void l2tp_tunnel_sock_put(struct sock *sk)
-{
-	struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
-	if (tunnel) {
-		if (tunnel->fd >= 0) {
-			/* Socket is owned by userspace */
-			sockfd_put(sk->sk_socket);
-		}
-		sock_put(sk);
-	}
-	sock_put(sk);
-}
-
 /* Lookup a session by id in the global session list
  */
 static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
@@ -241,6 +196,13 @@ struct l2tp_session *l2tp_session_find(s
 }
 EXPORT_SYMBOL_GPL(l2tp_session_find);
 
+void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
+{
+	sock_put(tunnel->sock);
+	/* the tunnel is freed in the socket destructor */
+}
+EXPORT_SYMBOL(l2tp_tunnel_free);
+
 /* Lookup a tunnel. A new reference is held on the returned tunnel. */
 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
 {
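Review bot: l2tp_tunnel_free() is exported with EXPORT_SYMBOL() while the symbol directly above it in this hunk, l2tp_session_find, uses EXPORT_SYMBOL_GPL(); the new export should match. The function also deserves a comment saying it is only to be reached from l2tp_tunnel_dec_refcount() when the count hits zero, since its sock_put(tunnel->sock) is what finally lets the socket destructor free the tunnel.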
@@ -405,13 +367,11 @@ int l2tp_session_register(struct l2tp_se
 			}
 
 		l2tp_tunnel_inc_refcount(tunnel);
-		sock_hold(tunnel->sock);
 		hlist_add_head_rcu(&session->global_hlist, g_head);
 
 		spin_unlock_bh(&pn->l2tp_session_hlist_lock);
 	} else {
 		l2tp_tunnel_inc_refcount(tunnel);
-		sock_hold(tunnel->sock);
 	}
 
 	hlist_add_head(&session->hlist, head);
@@ -1051,7 +1011,7 @@ int l2tp_udp_encap_recv(struct sock *sk,
 {
 	struct l2tp_tunnel *tunnel;
 
-	tunnel = l2tp_sock_to_tunnel(sk);
+	tunnel = l2tp_tunnel(sk);
 	if (tunnel == NULL)
 		goto pass_up;
 
@@ -1059,13 +1019,10 @@ int l2tp_udp_encap_recv(struct sock *sk,
 		 tunnel->name, skb->len);
 
 	if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
-		goto pass_up_put;
+		goto pass_up;
 
-	sock_put(sk);
 	return 0;
 
-pass_up_put:
-	sock_put(sk);
 pass_up:
 	return 1;
 }
@@ -1299,7 +1256,6 @@ static void l2tp_tunnel_destruct(struct
 
 	l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
 
-
 	/* Disable udp encapsulation */
 	switch (tunnel->encap) {
 	case L2TP_ENCAPTYPE_UDP:
@@ -1322,12 +1278,11 @@ static void l2tp_tunnel_destruct(struct
 	list_del_rcu(&tunnel->list);
 	spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
 
-	tunnel->sock = NULL;
-	l2tp_tunnel_dec_refcount(tunnel);
-
 	/* Call the original destructor */
 	if (sk->sk_destruct)
 		(*sk->sk_destruct)(sk);
+
+	kfree_rcu(tunnel, rcu);
 end:
 	return;
 }
@@ -1391,30 +1346,22 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
 /* Tunnel socket destroy hook for UDP encapsulation */
 static void l2tp_udp_encap_destroy(struct sock *sk)
 {
-	struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
-	if (tunnel) {
-		l2tp_tunnel_closeall(tunnel);
-		sock_put(sk);
-	}
+	struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
+
+	if (tunnel)
+		l2tp_tunnel_delete(tunnel);
 }
 
 /* Workqueue tunnel deletion function */
 static void l2tp_tunnel_del_work(struct work_struct *work)
 {
-	struct l2tp_tunnel *tunnel = NULL;
-	struct socket *sock = NULL;
-	struct sock *sk = NULL;
-
-	tunnel = container_of(work, struct l2tp_tunnel, del_work);
+	struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
+						  del_work);
+	struct sock *sk = tunnel->sock;
+	struct socket *sock = sk->sk_socket;
 
 	l2tp_tunnel_closeall(tunnel);
 
-	sk = l2tp_tunnel_sock_lookup(tunnel);
-	if (!sk)
-		goto out;
-
-	sock = sk->sk_socket;
-
 	/* If the tunnel socket was created within the kernel, use
 	 * the sk API to release it here.
 	 */
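Review bot: l2tp_tunnel_del_work() now reads tunnel->sock and sk->sk_socket in its declarations with no NULL check, where the removed code bailed out with "if (!sk) goto out;". That is only safe because of the sock_hold() this patch adds in l2tp_tunnel_create(), so a comment at the declarations saying tunnel->sock is pinned for the tunnel's lifetime would make the dependency explicit for anyone backporting later l2tp changes onto this tree.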
@@ -1424,8 +1371,10 @@ static void l2tp_tunnel_del_work(struct
 		sk_release_kernel(sk);
 	}
 
-	l2tp_tunnel_sock_put(sk);
-out:
+	/* drop initial ref */
+	l2tp_tunnel_dec_refcount(tunnel);
+
+	/* drop workqueue ref */
 	l2tp_tunnel_dec_refcount(tunnel);
 }
 
@@ -1717,13 +1666,22 @@ int l2tp_tunnel_create(struct net *net,
 
 	sk->sk_user_data = tunnel;
 
+	/* Bump the reference count. The tunnel context is deleted
+	 * only when this drops to zero. A reference is also held on
+	 * the tunnel socket to ensure that it is not released while
+	 * the tunnel is extant. Must be done before sk_destruct is
+	 * set.
+	 */
+	atomic_set(&tunnel->ref_count, 1);
+	sock_hold(sk);
+	tunnel->sock = sk;
+	tunnel->fd = fd;
+
 	/* Hook on the tunnel socket destructor so that we can cleanup
 	 * if the tunnel socket goes away.
 	 */
 	tunnel->old_sk_destruct = sk->sk_destruct;
 	sk->sk_destruct = &l2tp_tunnel_destruct;
-	tunnel->sock = sk;
-	tunnel->fd = fd;
 	lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
 
 	sk->sk_allocation = GFP_ATOMIC;
@@ -1733,11 +1691,6 @@ int l2tp_tunnel_create(struct net *net,
 
 	/* Add tunnel to our list */
 	INIT_LIST_HEAD(&tunnel->list);
-
-	/* Bump the reference count. The tunnel context is deleted
-	 * only when this drops to zero. Must be done before list insertion
-	 */
-	l2tp_tunnel_inc_refcount(tunnel);
 	spin_lock_bh(&pn->l2tp_tunnel_list_lock);
 	list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
 	spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
@@ -1778,8 +1731,6 @@ void l2tp_session_free(struct l2tp_sessi
 
 	if (tunnel) {
 		BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
-		sock_put(tunnel->sock);
-		session->tunnel = NULL;
 		l2tp_tunnel_dec_refcount(tunnel);
 	}
 
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -229,27 +229,8 @@ static inline void *l2tp_session_priv(st
 	return &session->priv[0];
 }
 
-static inline struct l2tp_tunnel *l2tp_sock_to_tunnel(struct sock *sk)
-{
-	struct l2tp_tunnel *tunnel;
-
-	if (sk == NULL)
-		return NULL;
-
-	sock_hold(sk);
-	tunnel = (struct l2tp_tunnel *)(sk->sk_user_data);
-	if (tunnel == NULL) {
-		sock_put(sk);
-		goto out;
-	}
-
-	BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
-
-out:
-	return tunnel;
-}
-
 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id);
+void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
 
 struct l2tp_session *l2tp_session_get(const struct net *net,
 				      struct l2tp_tunnel *tunnel,
@@ -303,7 +284,7 @@ static inline void l2tp_tunnel_inc_refco
 static inline void l2tp_tunnel_dec_refcount(struct l2tp_tunnel *tunnel)
 {
 	if (atomic_dec_and_test(&tunnel->ref_count))
-		kfree_rcu(tunnel, rcu);
+		l2tp_tunnel_free(tunnel);
 }
 
 /* Session reference counts. Incremented when code obtains a reference
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -234,17 +234,13 @@ static void l2tp_ip_close(struct sock *s
 static void l2tp_ip_destroy_sock(struct sock *sk)
 {
 	struct sk_buff *skb;
-	struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
+	struct l2tp_tunnel *tunnel = sk->sk_user_data;
 
 	while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL)
 		kfree_skb(skb);
 
-	if (tunnel) {
-		l2tp_tunnel_closeall(tunnel);
-		sock_put(sk);
-	}
-
-	sk_refcnt_debug_dec(sk);
+	if (tunnel)
+		l2tp_tunnel_delete(tunnel);
 }
 
 static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
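Review bot: the new l2tp_tunnel_delete(tunnel) call in l2tp_ip_destroy_sock() can run for a tunnel that is already being deleted through another path, and l2tp_tunnel_del_work() now drops the initial reference unconditionally, so l2tp_tunnel_delete() must guarantee the work is queued at most once per tunnel; please confirm the 3.16 version has that guard. The hunk also drops sk_refcnt_debug_dec(sk) and takes sk->sk_user_data without the magic check the removed l2tp_sock_to_tunnel() performed, and the changelog explains neither.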
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -246,16 +246,14 @@ static void l2tp_ip6_close(struct sock *
 
 static void l2tp_ip6_destroy_sock(struct sock *sk)
 {
-	struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
+	struct l2tp_tunnel *tunnel = sk->sk_user_data;
 
 	lock_sock(sk);
 	ip6_flush_pending_frames(sk);
 	release_sock(sk);
 
-	if (tunnel) {
-		l2tp_tunnel_closeall(tunnel);
-		sock_put(sk);
-	}
+	if (tunnel)
+		l2tp_tunnel_delete(tunnel);
 
 	inet6_destroy_sock(sk);
 }


* [PATCH 3.16 133/410] hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 268/410] arm64: Disable unhandled signal log messages by default Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 229/410] libata: remove WARN() for DMA or PIO command without data Ben Hutchings
                   ` (354 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Linus Torvalds, John Stultz,
	Peter Zijlstra, Anna-Maria Gleixner, keescook, Christoph Hellwig,
	Ingo Molnar

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anna-Maria Gleixner <anna-maria@linutronix.de>

commit 48d0c9becc7f3c66874c100c126459a9da0fdced upstream.

The POSIX specification defines that relative CLOCK_REALTIME timers are not
affected by clock modifications. Those timers have to use CLOCK_MONOTONIC
to ensure POSIX compliance.

The introduction of the additional HRTIMER_MODE_PINNED mode broke this
requirement for pinned timers.

There is no user space visible impact because user space timers are not
using pinned mode, but for consistency reasons this needs to be fixed.

Check whether the mode has the HRTIMER_MODE_REL bit set instead of
comparing with HRTIMER_MODE_ABS.

Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: keescook@chromium.org
Fixes: 597d0275736d ("timers: Framework for identifying pinned timers")
Link: http://lkml.kernel.org/r/20171221104205.7269-7-anna-maria@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/hrtimer.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -1197,7 +1197,12 @@ static void __hrtimer_init(struct hrtime
 
 	cpu_base = &__raw_get_cpu_var(hrtimer_bases);
 
-	if (clock_id == CLOCK_REALTIME && mode != HRTIMER_MODE_ABS)
+	/*
+	 * POSIX magic: Relative CLOCK_REALTIME timers are not affected by
+	 * clock modifications, so they needs to become CLOCK_MONOTONIC to
+	 * ensure POSIX compliance.
+	 */
+	if (clock_id == CLOCK_REALTIME && mode & HRTIMER_MODE_REL)
 		clock_id = CLOCK_MONOTONIC;
 
 	base = hrtimer_clockid_to_base(clock_id);
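Review bot: the new condition "clock_id == CLOCK_REALTIME && mode & HRTIMER_MODE_REL" mixes && with a bare bitwise &; it evaluates as intended, but parentheses around (mode & HRTIMER_MODE_REL) would make that obvious at a glance. The added comment also has a typo: "so they needs to become" should read "so they need to become".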


* [PATCH 3.16 131/410] ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (400 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 078/410] powerpc/64: Don't trace irqs-off at interrupt return to soft-disabled context Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 217/410] cifs: silence compiler warnings showing up with gcc-8.0.0 Ben Hutchings
                   ` (7 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Mark Brown

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 123af9043e93cb6f235207d260d50f832cdb5439 upstream.

The loop timeout doesn't work because it's a post op and ends with "tmo"
set to -1.  I changed it from a post-op to a pre-op and I changed the
starting value from 5 to 6 so we still iterate 5 times.  I
left the other as it was because it's a large number.

Fixes: b3c70c9ea62a ("ASoC: Alchemy AC97C/I2SC audio support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/au1x/ac97c.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/sound/soc/au1x/ac97c.c
+++ b/sound/soc/au1x/ac97c.c
@@ -91,8 +91,8 @@ static unsigned short au1xac97c_ac97_rea
 	do {
 		mutex_lock(&ctx->lock);
 
-		tmo = 5;
-		while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
+		tmo = 6;
+		while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
 			udelay(21);	/* wait an ac97 frame time */
 		if (!tmo) {
 			pr_debug("ac97rd timeout #1\n");
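
Review bot: The new start value in "tmo = 6;" is only right in combination with the pre-decrement "--tmo" in the loop condition, and nothing in the code says so. A short comment that 6 yields five udelay(21) waits before "if (!tmo)" fires would keep a later cleanup from restoring 5 and silently dropping one wait.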
@@ -105,7 +105,7 @@ static unsigned short au1xac97c_ac97_rea
 		 * poll, Forrest, poll...
 		 */
 		tmo = 0x10000;
-		while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
+		while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
 			asm volatile ("nop");
 		data = RD(ctx, AC97_CMDRESP);
 
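Review bot: The second loop keeps "tmo = 0x10000" while switching to "--tmo", so it now spins one iteration fewer than before, and the read of AC97_CMDRESP follows with no timeout test in the visible context. Please confirm that whatever check follows this loop tests "!tmo", so that the pre-decrement form reports the timeout the same way the first loop does.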

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 317/410] ata: Add a new flag to destinguish sas controller
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (235 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 284/410] netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 040/410] x86/cpu: Rename Merrifield2 to Moorefield Ben Hutchings
                   ` (172 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Shaohua Li

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shaohua Li <shli@fb.com>

commit 5067c0469c643512f24786990e315f9c15cc7d24 upstream.

SAS controller has its own tag allocation, which doesn't directly match to ATA
tag, so SAS and SATA have different code paths for ATA tags. Originally we used
port->scsi_host (98bd4be1) to distinguish SAS controllers, but libsas sets
->scsi_host too, so we can't use it to distinguish them; we add a new flag for
this purpose.

Without this patch, the following oops can happen because scsi-mq uses
a host-wide tag map shared among all devices with some integer tag
values >= ATA_MAX_QUEUE.  These unexpectedly high tag values cause
__ata_qc_from_tag() to return NULL, which is then dereferenced in
ata_qc_new_init().

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
  IP: [<ffffffff804fd46e>] ata_qc_new_init+0x3e/0x120
  PGD 32adf0067 PUD 32adf1067 PMD 0
  Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
  Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi igb
  i2c_algo_bit ptp pps_core pm80xx libsas scsi_transport_sas sg coretemp
  eeprom w83795 i2c_i801
  CPU: 4 PID: 1450 Comm: cydiskbench Not tainted 4.0.0-rc3 #1
  Hardware name: Supermicro X8DTH-i/6/iF/6F/X8DTH, BIOS 2.1b       05/04/12
  task: ffff8800ba86d500 ti: ffff88032a064000 task.ti: ffff88032a064000
  RIP: 0010:[<ffffffff804fd46e>]  [<ffffffff804fd46e>] ata_qc_new_init+0x3e/0x120
  RSP: 0018:ffff88032a067858  EFLAGS: 00010046
  RAX: 0000000000000000 RBX: ffff8800ba0d2230 RCX: 000000000000002a
  RDX: ffffffff80505ae0 RSI: 0000000000000020 RDI: ffff8800ba0d2230
  RBP: ffff88032a067868 R08: 0000000000000201 R09: 0000000000000001
  R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800ba0d0000
  R13: ffff8800ba0d2230 R14: ffffffff80505ae0 R15: ffff8800ba0d0000
  FS:  0000000041223950(0063) GS:ffff88033e480000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  CR2: 0000000000000058 CR3: 000000032a0a3000 CR4: 00000000000006e0
  Stack:
   ffff880329eee758 ffff880329eee758 ffff88032a0678a8 ffffffff80502dad
   ffff8800ba167978 ffff880329eee758 ffff88032bf9c520 ffff8800ba167978
   ffff88032bf9c520 ffff88032bf9a290 ffff88032a0678b8 ffffffff80506909
  Call Trace:
   [<ffffffff80502dad>] ata_scsi_translate+0x3d/0x1b0
   [<ffffffff80506909>] ata_sas_queuecmd+0x149/0x2a0
   [<ffffffffa0046650>] sas_queuecommand+0xa0/0x1f0 [libsas]
   [<ffffffff804ea544>] scsi_dispatch_cmd+0xd4/0x1a0
   [<ffffffff804eb50f>] scsi_queue_rq+0x66f/0x7f0
   [<ffffffff803e5098>] __blk_mq_run_hw_queue+0x208/0x3f0
   [<ffffffff803e54b8>] blk_mq_run_hw_queue+0x88/0xc0
   [<ffffffff803e5c74>] blk_mq_insert_request+0xc4/0x130
   [<ffffffff803e0b63>] blk_execute_rq_nowait+0x73/0x160
   [<ffffffffa0023fca>] sg_common_write+0x3da/0x720 [sg]
   [<ffffffffa0025100>] sg_new_write+0x250/0x360 [sg]
   [<ffffffffa0025feb>] sg_write+0x13b/0x450 [sg]
   [<ffffffff8032ec91>] vfs_write+0xd1/0x1b0
   [<ffffffff8032ee54>] SyS_write+0x54/0xc0
   [<ffffffff80689932>] system_call_fastpath+0x12/0x17

tj: updated description.

Fixes: 12cb5ce101ab ("libata: use blk taging")
Reported-and-tested-by: Tony Battersby <tonyb@cybernetics.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: Drop changes to ata_qc_{new_init,free}(); we don't
 actually have the tag allocation bug]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-core.c     | 4 ++--
 drivers/scsi/ipr.c            | 3 ++-
 drivers/scsi/libsas/sas_ata.c | 3 ++-
 include/linux/libata.h        | 1 +
 4 files changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -6862,7 +6862,8 @@ static struct ata_port_operations ipr_sa
 };
 
 static struct ata_port_info sata_port_info = {
-	.flags		= ATA_FLAG_SATA | ATA_FLAG_PIO_DMA,
+	.flags		= ATA_FLAG_SATA | ATA_FLAG_PIO_DMA |
+			  ATA_FLAG_SAS_HOST,
 	.pio_mask	= ATA_PIO4_ONLY,
 	.mwdma_mask	= ATA_MWDMA2,
 	.udma_mask	= ATA_UDMA6,
--- a/drivers/scsi/libsas/sas_ata.c
+++ b/drivers/scsi/libsas/sas_ata.c
@@ -566,7 +566,8 @@ static struct ata_port_operations sas_sa
 };
 
 static struct ata_port_info sata_port_info = {
-	.flags = ATA_FLAG_SATA | ATA_FLAG_PIO_DMA | ATA_FLAG_NCQ,
+	.flags = ATA_FLAG_SATA | ATA_FLAG_PIO_DMA | ATA_FLAG_NCQ |
+		 ATA_FLAG_SAS_HOST,
 	.pio_mask = ATA_PIO4,
 	.mwdma_mask = ATA_MWDMA2,
 	.udma_mask = ATA_UDMA6,
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -232,6 +232,7 @@ enum {
 					      * led */
 	ATA_FLAG_NO_DIPM	= (1 << 23), /* host not happy with DIPM */
 	ATA_FLAG_LOWTAG		= (1 << 24), /* host wants lowest available tag */
+	ATA_FLAG_SAS_HOST	= (1 << 25), /* SAS host */
 
 	/* bits 24:31 of ap->flags are reserved for LLD specific flags */
 
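Review bot: ATA_FLAG_SAS_HOST is placed at bit 25, inside the range that the comment two lines further down describes as "bits 24:31 of ap->flags are reserved for LLD specific flags". Either that comment should be updated to the range that is still free, or the changelog should state that no low-level driver in this tree uses bit 25 for a flag of its own. The diffstat also lists drivers/ata/libata-core.c with four changed lines, but no hunk for that file appears in this message, so the code that tests the new flag cannot be reviewed here.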

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 198/410] kernel/async.c: revert "async: simplify lowest_in_progress()"
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (169 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 382/410] RDMA/ucma: Fix use-after-free access in ucma_close Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 301/410] mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers Ben Hutchings
                   ` (238 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tejun Heo, Arjan van de Ven, Linus Torvalds, Adam Wallis,
	Rasmus Villemoes, Lai Jiangshan

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit 4f7e988e63e336827f4150de48163bed05d653bd upstream.

This reverts commit 92266d6ef60c ("async: simplify lowest_in_progress()")
which was simply wrong: In the case where domain is NULL, we now use the
wrong offsetof() in the list_first_entry macro, so we don't actually
fetch the ->cookie value, but rather the eight bytes located
sizeof(struct list_head) further into the struct async_entry.

On 64 bit, that's the data member, while on 32 bit, that's a u64 built
from func and data in some order.

I think the bug happens to be harmless in practice: It obviously only
affects callers which pass a NULL domain, and AFAICT the only such
caller is

  async_synchronize_full() ->
  async_synchronize_full_domain(NULL) ->
  async_synchronize_cookie_domain(ASYNC_COOKIE_MAX, NULL)

and the ASYNC_COOKIE_MAX means that in practice we end up waiting for
the async_global_pending list to be empty - but it would break if
somebody happened to pass (void*)-1 as the data element to
async_schedule, and of course also if somebody ever does a
async_synchronize_cookie_domain(, NULL) with a "finite" cookie value.

Maybe the "harmless in practice" means this isn't -stable material.  But
I'm not completely confident my quick git grep'ing is enough, and there
might be affected code in one of the earlier kernels that has since been
removed, so I'll leave the decision to the stable guys.

Link: http://lkml.kernel.org/r/20171128104938.3921-1-linux@rasmusvillemoes.dk
Fixes: 92266d6ef60c "async: simplify lowest_in_progress()"
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Adam Wallis <awallis@codeaurora.org>
Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/async.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/kernel/async.c
+++ b/kernel/async.c
@@ -84,20 +84,24 @@ static atomic_t entry_count;
 
 static async_cookie_t lowest_in_progress(struct async_domain *domain)
 {
-	struct list_head *pending;
+	struct async_entry *first = NULL;
 	async_cookie_t ret = ASYNC_COOKIE_MAX;
 	unsigned long flags;
 
 	spin_lock_irqsave(&async_lock, flags);
 
-	if (domain)
-		pending = &domain->pending;
-	else
-		pending = &async_global_pending;
+	if (domain) {
+		if (!list_empty(&domain->pending))
+			first = list_first_entry(&domain->pending,
+					struct async_entry, domain_list);
+	} else {
+		if (!list_empty(&async_global_pending))
+			first = list_first_entry(&async_global_pending,
+					struct async_entry, global_list);
+	}
 
-	if (!list_empty(pending))
-		ret = list_first_entry(pending, struct async_entry,
-				       domain_list)->cookie;
+	if (first)
+		ret = first->cookie;
 
 	spin_unlock_irqrestore(&async_lock, flags);
 	return ret;
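
Review bot: The two branches now differ only in the member passed to list_first_entry() (domain_list versus global_list), which is exactly the distinction the reverted simplification lost. A one-line comment above the if/else saying that entries are linked into domain->pending through domain_list and into async_global_pending through global_list, so the two lookups cannot share one call, would keep the same cleanup from being applied again.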

^ permalink raw reply	[flat|nested] 445+ messages in thread
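
The wrong-offsetof() read described in this commit message, as an added user-space example that is not part of the patch or of kernel/async.c. The struct is a simplified model (the kernel's struct async_entry has further members), and cookie_via(), lowest_global() and demo() are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASYNC_COOKIE_MAX UINT64_MAX	/* model of the kernel constant */

struct list_head { struct list_head *next, *prev; };

/* Simplified model: only the members the commit message talks about. */
struct async_entry {
	struct list_head domain_list;
	struct list_head global_list;
	uint64_t cookie;
	void (*func)(void *data, uint64_t cookie);
	void *data;
};

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev;
	n->next = h;
	h->prev->next = n;
	h->prev = n;
}

/*
 * container_of() by hand: step back from the list node by the offset of
 * the member the caller claims the node is, then read ->cookie from there.
 */
static uint64_t cookie_via(struct list_head *node, size_t member_off)
{
	char *entry = (char *)node - member_off;
	uint64_t v;

	memcpy(&v, entry + offsetof(struct async_entry, cookie), sizeof(v));
	return v;
}

/* Lowest cookie on the global list; buggy != 0 uses the wrong member. */
static uint64_t lowest_global(struct list_head *pending, int buggy)
{
	size_t off = buggy ? offsetof(struct async_entry, domain_list)
			   : offsetof(struct async_entry, global_list);

	if (pending->next == pending)
		return ASYNC_COOKIE_MAX;
	return cookie_via(pending->next, off);
}

/* Queue one constructed entry (cookie 7) on a global list and look it up. */
static uint64_t demo(int buggy, void *data)
{
	struct list_head global_pending;
	struct async_entry e;

	memset(&e, 0, sizeof(e));
	e.cookie = 7;
	e.data = data;
	list_init(&global_pending);
	list_init(&e.domain_list);
	list_add_tail(&e.global_list, &global_pending);
	return lowest_global(&global_pending, buggy);
}

int main(void)
{
	void *all_ones = (void *)(intptr_t)-1;

	printf("correct member: cookie = %llu\n",
	       (unsigned long long)demo(0, all_ones));
	/* With data == (void *)-1 the misread equals ASYNC_COOKIE_MAX on
	 * 64 bit, so a waiter would see "nothing pending" too early. */
	printf("wrong member:   cookie = %#llx\n",
	       (unsigned long long)demo(1, all_ones));
	return 0;
}
```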

* [PATCH 3.16 321/410] e1000e: Fix check_for_link return value with autoneg off
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (243 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 073/410] perf annotate: Fix objdump comment parsing for Intel mov dissassembly Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 298/410] tpm: fix potential buffer overruns caused by bit glitches on the bus Ben Hutchings
                   ` (164 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Aaron Brown, Benjamin Poirier, Jeff Kirsher, Sasha Neftin

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Poirier <bpoirier@suse.com>

commit 4e7dc08e57c95673d2edaba8983c3de4dd1f65f5 upstream.

When autoneg is off, the .check_for_link callback functions clear the
get_link_status flag and systematically return a "pseudo-error". This means
that the link is not detected as up until the next execution of the
e1000_watchdog_task() 2 seconds later.

Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Acked-by: Sasha Neftin <sasha.neftin@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 +-
 drivers/net/ethernet/intel/e1000e/mac.c     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
@@ -1442,7 +1442,7 @@ static s32 e1000_check_for_copper_link_i
 	 * we have already determined whether we have link or not.
 	 */
 	if (!mac->autoneg)
-		return -E1000_ERR_CONFIG;
+		return 1;
 
 	/* Auto-Neg is enabled.  Auto Speed Detection takes care
 	 * of MAC speed/duplex configuration.  So we only need to
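
Review bot: The bare "return 1;" in the "if (!mac->autoneg)" branch makes an s32 function that previously returned -E1000_ERR_CONFIG here return a positive value, and nothing in the hunk says what a positive return means to callers. A comment on the return convention, or a named constant in place of the literal, would help; the same applies to the identical change in mac.c. Callers that treat any non-zero result as failure should be checked as part of this backport.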
--- a/drivers/net/ethernet/intel/e1000e/mac.c
+++ b/drivers/net/ethernet/intel/e1000e/mac.c
@@ -450,7 +450,7 @@ s32 e1000e_check_for_copper_link(struct
 	 * we have already determined whether we have link or not.
 	 */
 	if (!mac->autoneg)
-		return -E1000_ERR_CONFIG;
+		return 1;
 
 	/* Auto-Neg is enabled.  Auto Speed Detection takes care
 	 * of MAC speed/duplex configuration.  So we only need to

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 239/410] x86/speculation: Add <asm/msr-index.h> dependency
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (140 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 065/410] perf evlist: Introduce perf_evlist__new_dummy constructor Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 323/410] bcache: don't attach backing with duplicate UUID Ben Hutchings
                   ` (267 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra, bp, dwmw, dave.hansen, Joe Konno, gregkh,
	Ingo Molnar, Thomas Gleixner, Linus Torvalds, hpa, jpoimboe,
	arjan, luto, dwmw2, dan.j.williams, linux-tip-commits

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit ea00f301285ea2f07393678cd2b6057878320c9d upstream.

Joe Konno reported a compile failure resulting from using an MSR
without inclusion of <asm/msr-index.h>, and while the current code builds
fine (by accident) this needs fixing for future patches.

Reported-by: Joe Konno <joe.konno@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: arjan@linux.intel.com
Cc: bp@alien8.de
Cc: dan.j.williams@intel.com
Cc: dave.hansen@linux.intel.com
Cc: dwmw2@infradead.org
Cc: dwmw@amazon.co.uk
Cc: gregkh@linuxfoundation.org
Cc: hpa@zytor.com
Cc: jpoimboe@redhat.com
Cc: linux-tip-commits@vger.kernel.org
Cc: luto@kernel.org
Fixes: 20ffa1caecca ("x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support")
Link: http://lkml.kernel.org/r/20180213132819.GJ25201@hirez.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/nospec-branch.h | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -6,6 +6,7 @@
 #include <asm/alternative.h>
 #include <asm/alternative-asm.h>
 #include <asm/cpufeature.h>
+#include <asm/msr-index.h>
 
 /*
  * Fill the CPU return stack buffer.

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 099/410] wl1251: check return from call to wl1251_acx_arp_ip_filter
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (301 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 013/410] f2fs: fix a panic caused by NULL flush_cmd_control Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 168/410] android: binder: use VM_ALLOC to get vm area Ben Hutchings
                   ` (106 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kalle Valo, Colin Ian King

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit ac1181c60822292176ab96912208ec9f9819faf8 upstream.

Currently the less than zero error check on ret is incorrect
as it is checking a far earlier ret assignment rather than the
return from the call to wl1251_acx_arp_ip_filter. Fix this by
adding in the missing assignment.

Detected by CoverityScan, CID#1164835 ("Logically dead code")

Fixes: 204cc5c44fb6 ("wl1251: implement hardware ARP filtering")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/ti/wl1251/main.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/wireless/ti/wl1251/main.c
+++ b/drivers/net/wireless/ti/wl1251/main.c
@@ -1199,8 +1199,7 @@ static void wl1251_op_bss_info_changed(s
 		WARN_ON(wl->bss_type != BSS_TYPE_STA_BSS);
 
 		enable = bss_conf->arp_addr_cnt == 1 && bss_conf->assoc;
-		wl1251_acx_arp_ip_filter(wl, enable, addr);
-
+		ret = wl1251_acx_arp_ip_filter(wl, enable, addr);
 		if (ret < 0)
 			goto out_sleep;
 	}

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 296/410] tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 059/410] KVM/x86: Remove indirect MSR op calls from SPEC_CTRL Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05   ` Ben Hutchings
                   ` (397 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jarkko Sakkinen, Jeremy Boone, James Bottomley, James Morris

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Boone <jeremy.boone@nccgroup.trust>

commit f9d4d9b5a5ef2f017bc344fb65a58a902517173b upstream.

Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips.  In all the
driver _recv() functions, we need to use a u32 to unmarshal the
response size, otherwise a bit flip of the 31st bit would cause the
expected variable to go negative, which would then try to read a huge
amount of data.  Also sanity check that the expected amount of data is
large enough for the TPM header.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/tpm/tpm_i2c_nuvoton.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
+++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
@@ -267,7 +267,11 @@ static int i2c_nuvoton_recv(struct tpm_c
 	struct device *dev = chip->dev;
 	struct i2c_client *client = to_i2c_client(dev);
 	s32 rc;
-	int expected, status, burst_count, retries, size = 0;
+	int status;
+	int burst_count;
+	int retries;
+	int size = 0;
+	u32 expected;
 
 	if (count < TPM_HEADER_SIZE) {
 		i2c_nuvoton_ready(chip);    /* return to idle */
@@ -309,7 +313,7 @@ static int i2c_nuvoton_recv(struct tpm_c
 		 * to machine native
 		 */
 		expected = be32_to_cpu(*(__be32 *) (buf + 2));
-		if (expected > count) {
+		if (expected > count || expected < size) {
 			dev_err(dev, "%s() expected > count\n", __func__);
 			size = -EIO;
 			continue;

^ permalink raw reply	[flat|nested] 445+ messages in thread
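
The length handling described in this commit message, as an added user-space example that is not part of the patch or the driver. It assumes the 10-byte TPM response header with the big-endian length at offset 2 (matching "buf + 2" in the hunk); the function names, the 64-byte buffer and the int-typed count in the "before" model are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TPM response header: tag (2) + length (4, big-endian) + return code (4). */
#define TPM_HEADER_SIZE 10
#define BUF_SIZE 64	/* constructed size of the caller's buffer */

/* User-space stand-in for be32_to_cpu(*(__be32 *)p). */
static uint32_t load_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed sample header carrying the given length field. */
static void make_header(uint8_t hdr[TPM_HEADER_SIZE], uint32_t len)
{
	hdr[0] = 0x00;
	hdr[1] = 0xc4;
	hdr[2] = (uint8_t)(len >> 24);
	hdr[3] = (uint8_t)(len >> 16);
	hdr[4] = (uint8_t)(len >> 8);
	hdr[5] = (uint8_t)len;
	hdr[6] = hdr[7] = hdr[8] = hdr[9] = 0;
}

/* "Before" model: the length is held in a signed int. */
static int body_len_signed(const uint8_t *hdr, int count, size_t *to_read)
{
	int32_t expected = (int32_t)load_be32(hdr + 2);

	if (expected > count)	/* a negative value passes this test */
		return -1;
	*to_read = (size_t)(expected - TPM_HEADER_SIZE);
	return 0;
}

/* "After" model: unsigned length, bounded above and below. */
static int body_len_checked(const uint8_t *hdr, size_t count, size_t *to_read)
{
	uint32_t expected = load_be32(hdr + 2);

	if (expected > count || expected < (uint32_t)TPM_HEADER_SIZE)
		return -1;
	*to_read = expected - TPM_HEADER_SIZE;
	return 0;
}

/* Body bytes the signed model would go on to read; 0 if it rejects. */
static size_t signed_model_reads(uint32_t len_field)
{
	uint8_t hdr[TPM_HEADER_SIZE];
	size_t n = 0;

	make_header(hdr, len_field);
	return body_len_signed(hdr, BUF_SIZE, &n) == 0 ? n : 0;
}

/* 1 if the checked model accepts the length field, 0 if it rejects. */
static int checked_model_accepts(uint32_t len_field)
{
	uint8_t hdr[TPM_HEADER_SIZE];
	size_t n = 0;

	make_header(hdr, len_field);
	return body_len_checked(hdr, BUF_SIZE, &n) == 0;
}

int main(void)
{
	/* valid length, same length with bit 31 flipped, length < header */
	const uint32_t fields[] = { 14, 0x8000000eu, 4 };
	size_t i;

	for (i = 0; i < sizeof(fields) / sizeof(fields[0]); i++)
		printf("len=%#010x signed model reads %zu, checked model %s\n",
		       (unsigned)fields[i], signed_model_reads(fields[i]),
		       checked_model_accepts(fields[i]) ? "accepts" : "rejects");
	return 0;
}
```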

* [PATCH 3.16 281/410] ALSA: usb-audio: Add a quirck for B&W PX headphones
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 255/410] drm: Allow determining if current task is output poll worker Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 199/410] pipe: relocate round_pipe_size() above pipe_set_size() Ben Hutchings
                   ` (326 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Erik Veijola

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Erik Veijola <erik.veijola@gmail.com>

commit 240a8af929c7c57dcde28682725b29cf8474e8e5 upstream.

The capture interface doesn't work and the playback interface only
supports 48 kHz sampling rate even though it advertises more rates.

Signed-off-by: Erik Veijola <erik.veijola@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/quirks-table.h | 47 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -3266,4 +3266,51 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
 	}
 },
 
+{
+	/*
+	 * Bower's & Wilkins PX headphones only support the 48 kHz sample rate
+	 * even though it advertises more. The capture interface doesn't work
+	 * even on windows.
+	 */
+	USB_DEVICE(0x19b5, 0x0021),
+	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+		.ifnum = QUIRK_ANY_INTERFACE,
+		.type = QUIRK_COMPOSITE,
+		.data = (const struct snd_usb_audio_quirk[]) {
+			{
+				.ifnum = 0,
+				.type = QUIRK_AUDIO_STANDARD_MIXER,
+			},
+			/* Capture */
+			{
+				.ifnum = 1,
+				.type = QUIRK_IGNORE_INTERFACE,
+			},
+			/* Playback */
+			{
+				.ifnum = 2,
+				.type = QUIRK_AUDIO_FIXED_ENDPOINT,
+				.data = &(const struct audioformat) {
+					.formats = SNDRV_PCM_FMTBIT_S16_LE,
+					.channels = 2,
+					.iface = 2,
+					.altsetting = 1,
+					.altset_idx = 1,
+					.attributes = UAC_EP_CS_ATTR_FILL_MAX |
+						UAC_EP_CS_ATTR_SAMPLE_RATE,
+					.endpoint = 0x03,
+					.ep_attr = USB_ENDPOINT_XFER_ISOC,
+					.rates = SNDRV_PCM_RATE_48000,
+					.rate_min = 48000,
+					.rate_max = 48000,
+					.nr_rates = 1,
+					.rate_table = (unsigned int[]) {
+						48000
+					}
+				}
+			},
+		}
+	}
+},
+
 #undef USB_DEVICE_VENDOR_SPEC
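
Review bot: The comment at the top of the new entry misspells the vendor as "Bower's & Wilkins" (the brand is Bowers & Wilkins), mixes plural and singular in "headphones only support ... even though it advertises more", and writes "windows" in lower case. This comment is the only record in the table of why interface 1 is ignored and the rate is pinned to 48000, so it should be cleaned up.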

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 040/410] x86/cpu: Rename Merrifield2 to Moorefield
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (236 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 317/410] ata: Add a new flag to destinguish sas controller Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 138/410] dm thin: fix documentation relative to low water mark threshold Ben Hutchings
                   ` (171 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Andy Shevchenko, Linus Torvalds,
	Ingo Molnar, Dave Hansen, Peter Zijlstra

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit f5fbf848303c8704d0e1a1e7cabd08fd0a49552f upstream.

Merrifield2 is actually Moorefield.

Rename it accordingly and drop tail digit from Merrifield1.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20160906184254.94440-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: Drop driver changes]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/intel-family.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/intel-family.h
+++ b/arch/x86/include/asm/intel-family.h
@@ -56,8 +56,8 @@
 #define INTEL_FAM6_ATOM_SILVERMONT1	0x37 /* BayTrail/BYT / Valleyview */
 #define INTEL_FAM6_ATOM_SILVERMONT2	0x4D /* Avaton/Rangely */
 #define INTEL_FAM6_ATOM_AIRMONT		0x4C /* CherryTrail / Braswell */
-#define INTEL_FAM6_ATOM_MERRIFIELD1	0x4A /* Tangier */
-#define INTEL_FAM6_ATOM_MERRIFIELD2	0x5A /* Annidale */
+#define INTEL_FAM6_ATOM_MERRIFIELD	0x4A /* Tangier */
+#define INTEL_FAM6_ATOM_MOOREFIELD	0x5A /* Annidale */
 #define INTEL_FAM6_ATOM_GOLDMONT	0x5C
 #define INTEL_FAM6_ATOM_DENVERTON	0x5F /* Goldmont Microserver */
 
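Review bot: The hunk removes INTEL_FAM6_ATOM_MERRIFIELD1 and INTEL_FAM6_ATOM_MERRIFIELD2 outright, and the backport note says the driver changes were dropped. Any remaining user of the old names in this tree would fail to build, so the changelog should state that none exist, or the old names should be kept as aliases.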

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 342/410] ALSA: seq: Fix possible UAF in snd_seq_check_queue()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 048/410] x86/cpufeatures: Clean up Spectre v2 related CPUID flags Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 258/410] nospec: Allow index argument to have const-qualified type Ben Hutchings
                   ` (386 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nicolai Stange, Takashi Iwai

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit d0f833065221cbfcbadf19fd4102bcfa9330006a upstream.

Although we've covered the races between concurrent write() and
ioctl() in the previous patch series, there is still a possible UAF in
the following scenario:

A: user client closed		B: timer irq
  -> snd_seq_release()		  -> snd_seq_timer_interrupt()
    -> snd_seq_free_client()	    -> snd_seq_check_queue()
				      -> cell = snd_seq_prioq_cell_peek()
      -> snd_seq_prioq_leave()
         .... removing all cells
      -> snd_seq_pool_done()
         .... vfree()
				      -> snd_seq_compare_tick_time(cell)
				         ... Oops

So the problem is that a cell is peeked and accessed without any
protection until it's retrieved from the queue again via
snd_seq_prioq_cell_out().

This patch tries to address it, also cleans up the code by a slight
refactoring.  snd_seq_prioq_cell_out() now receives an extra pointer
argument.  When it's non-NULL, the function checks the event timestamp
with the given pointer.  The caller needs to pass the right reference
either to snd_seq_tick or snd_seq_realtime depending on the event
timestamp type.

The good news is that the above change allows us to remove the
snd_seq_prioq_cell_peek(), too, thus the patch actually reduces the
code size.

Reviewed-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_prioq.c | 28 ++++++++++++++--------------
 sound/core/seq/seq_prioq.h |  6 ++----
 sound/core/seq/seq_queue.c | 28 +++++++++-------------------
 3 files changed, 25 insertions(+), 37 deletions(-)

--- a/sound/core/seq/seq_prioq.c
+++ b/sound/core/seq/seq_prioq.c
@@ -87,7 +87,7 @@ void snd_seq_prioq_delete(struct snd_seq
 	if (f->cells > 0) {
 		/* drain prioQ */
 		while (f->cells > 0)
-			snd_seq_cell_free(snd_seq_prioq_cell_out(f));
+			snd_seq_cell_free(snd_seq_prioq_cell_out(f, NULL));
 	}
 	
 	kfree(f);
@@ -214,8 +214,18 @@ int snd_seq_prioq_cell_in(struct snd_seq
 	return 0;
 }
 
+/* return 1 if the current time >= event timestamp */
+static int event_is_ready(struct snd_seq_event *ev, void *current_time)
+{
+	if ((ev->flags & SNDRV_SEQ_TIME_STAMP_MASK) == SNDRV_SEQ_TIME_STAMP_TICK)
+		return snd_seq_compare_tick_time(current_time, &ev->time.tick);
+	else
+		return snd_seq_compare_real_time(current_time, &ev->time.time);
+}
+
 /* dequeue cell from prioq */
-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f)
+struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f,
+						  void *current_time)
 {
 	struct snd_seq_event_cell *cell;
 	unsigned long flags;
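
Review bot: event_is_ready() and the new snd_seq_prioq_cell_out() parameter take the current time as "void *current_time", so the compiler cannot check that a caller passes a tick value for tick-stamped events and a real-time value otherwise; the comparison is chosen from ev->flags alone. A comment on snd_seq_prioq_cell_out() stating which pointer each queue must pass would make that contract explicit.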
@@ -227,6 +237,8 @@ struct snd_seq_event_cell *snd_seq_prioq
 	spin_lock_irqsave(&f->lock, flags);
 
 	cell = f->head;
+	if (cell && current_time && !event_is_ready(&cell->event, current_time))
+		cell = NULL;
 	if (cell) {
 		f->head = cell->next;
 
@@ -252,18 +264,6 @@ int snd_seq_prioq_avail(struct snd_seq_p
 	return f->cells;
 }
 
-
-/* peek at cell at the head of the prioq */
-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq * f)
-{
-	if (f == NULL) {
-		pr_debug("ALSA: seq: snd_seq_prioq_cell_in() called with NULL prioq\n");
-		return NULL;
-	}
-	return f->head;
-}
-
-
 static inline int prioq_match(struct snd_seq_event_cell *cell,
 			      int client, int timestamp)
 {
--- a/sound/core/seq/seq_prioq.h
+++ b/sound/core/seq/seq_prioq.h
@@ -44,14 +44,12 @@ void snd_seq_prioq_delete(struct snd_seq
 int snd_seq_prioq_cell_in(struct snd_seq_prioq *f, struct snd_seq_event_cell *cell);
 
 /* dequeue cell from prioq */ 
-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f);
+struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f,
+						  void *current_time);
 
 /* return number of events available in prioq */
 int snd_seq_prioq_avail(struct snd_seq_prioq *f);
 
-/* peek at cell at the head of the prioq */
-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq *f);
-
 /* client left queue */
 void snd_seq_prioq_leave(struct snd_seq_prioq *f, int client, int timestamp);        
 
--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -273,30 +273,20 @@ void snd_seq_check_queue(struct snd_seq_
 
       __again:
 	/* Process tick queue... */
-	while ((cell = snd_seq_prioq_cell_peek(q->tickq)) != NULL) {
-		if (snd_seq_compare_tick_time(&q->timer->tick.cur_tick,
-					      &cell->event.time.tick)) {
-			cell = snd_seq_prioq_cell_out(q->tickq);
-			if (cell)
-				snd_seq_dispatch_event(cell, atomic, hop);
-		} else {
-			/* event remains in the queue */
+	for (;;) {
+		cell = snd_seq_prioq_cell_out(q->tickq,
+					      &q->timer->tick.cur_tick);
+		if (!cell)
 			break;
-		}
+		snd_seq_dispatch_event(cell, atomic, hop);
 	}
 
-
 	/* Process time queue... */
-	while ((cell = snd_seq_prioq_cell_peek(q->timeq)) != NULL) {
-		if (snd_seq_compare_real_time(&q->timer->cur_time,
-					      &cell->event.time.time)) {
-			cell = snd_seq_prioq_cell_out(q->timeq);
-			if (cell)
-				snd_seq_dispatch_event(cell, atomic, hop);
-		} else {
-			/* event remains in the queue */
+	for (;;) {
+		cell = snd_seq_prioq_cell_out(q->timeq, &q->timer->cur_time);
+		if (!cell)
 			break;
-		}
+		snd_seq_dispatch_event(cell, atomic, hop);
 	}
 
 	/* free lock */

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 284/410] netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (234 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 355/410] aio: kill the misleading rcu read locks in ioctx_add_table() and kill_ioctx() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 317/410] ata: Add a new flag to destinguish sas controller Ben Hutchings
                   ` (173 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Pablo Neira Ayuso

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit b078556aecd791b0e5cb3a59f4c3a14273b52121 upstream.

l4proto->manip_pkt() can cause reallocation of skb head so pointer
to the ipv6 header must be reloaded.

Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct
 	    !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
 				target, maniptype))
 		return false;
+
+	/* must reload, offset might have changed */
+	ipv6h = (void *)skb->data + iphdroff;
+
 manip_addr:
 	if (maniptype == NF_NAT_MANIP_SRC)
 		ipv6h->saddr = target->src.u3.in6;
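
Review bot: the added comment "must reload, offset might have changed" does not match the reload on the next line, which reuses the same iphdroff and picks up a new skb->data. Per the commit message it is the skb head that l4proto->manip_pkt() may reallocate, so suggest wording the comment that way, for example "skb head may have been reallocated, reload header pointer". The reload sits before the manip_addr label, so it covers only the path that actually called manip_pkt(), which is correct but worth saying in the comment.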


* [PATCH 3.16 249/410] staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (320 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 170/410] cifs: fix memory leak when password is supplied multiple times Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 273/410] x86/mm: Fix {pmd,pud}_{set,clear}_flags() Ben Hutchings
                   ` (87 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot+d7a918a7a8e1c952bc36, Yisheng Xie, Greg Kroah-Hartman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yisheng Xie <xieyisheng1@huawei.com>

commit 740a5759bf222332fbb5eda42f89aa25ba38f9b2 upstream.

ashmem_mutex may create a chain of dependencies like:

CPU0                                    CPU1
 mmap syscall                           ioctl syscall
 -> mmap_sem (acquired)                 -> ashmem_ioctl
 -> ashmem_mmap                            -> ashmem_mutex (acquired)
    -> ashmem_mutex (try to acquire)       -> copy_from_user
                                              -> mmap_sem (try to acquire)

There is a lock ordering problem between mmap_sem and ashmem_mutex causing
a lockdep splat[1] during a syzkaller test. This patch fixes the problem
by moving copy_from_user out of ashmem_mutex.

[1] https://www.spinics.net/lists/kernel/msg2733200.html

Fixes: ce8a3a9e76d0 (staging: android: ashmem: Fix a race condition in pin ioctls)
Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com
Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/ashmem.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -703,16 +703,14 @@ static int ashmem_pin_unpin(struct ashme
 	size_t pgstart, pgend;
 	int ret = -EINVAL;
 
+	if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
+		return -EFAULT;
+
 	mutex_lock(&ashmem_mutex);
 
 	if (unlikely(!asma->file))
 		goto out_unlock;
 
-	if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
-		ret = -EFAULT;
-		goto out_unlock;
-	}
-
 	/* per custom, you can pass zero for len to mean "everything onward" */
 	if (!pin.len)
 		pin.len = PAGE_ALIGN(asma->size) - pin.offset;
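
Review bot: moving copy_from_user() ahead of mutex_lock(&ashmem_mutex) also moves it ahead of the "!asma->file" check, so a call with a bad user pointer on a region that has no file now returns -EFAULT where it used to return -EINVAL. That is probably acceptable, but the commit message should mention the changed error precedence. The early "return -EFAULT" is right as written, since the mutex is not yet held and out_unlock must not be reached.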


* [PATCH 3.16 026/410] ALSA: seq: More protection for concurrent write and ioctl races
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (134 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 142/410] drm/ttm: fix adding foreign BOs to the swap LRU Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05   ` [PATCH 3.16 267/410] " Ben Hutchings
                   ` (273 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nicolai Stange, Takashi Iwai, 范龙飞

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 7bd80091567789f1c0cb70eb4737aac8bcd2b6b9 upstream.

This patch is an attempt for further hardening against races between
the concurrent write and ioctls.  The previous fix d15d662e89fc
("ALSA: seq: Fix racy pool initializations") covered the race of the
pool initialization at writer and the pool resize ioctl by the
client->ioctl_mutex (CVE-2018-1000004).  However, basically this mutex
should be applied more widely to the whole write operation for
avoiding the unexpected pool operations by another thread.

The only change outside snd_seq_write() is the additional mutex
argument to helper functions, so that we can unlock / relock the given
mutex temporarily during schedule() call for blocking write.

Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
Reported-by: 范龙飞 <long7573@126.com>
Reported-by: Nicolai Stange <nstange@suse.de>
Reviewed-and-tested-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_clientmgr.c | 18 +++++++++++-------
 sound/core/seq/seq_fifo.c      |  2 +-
 sound/core/seq/seq_memory.c    | 14 ++++++++++----
 sound/core/seq/seq_memory.h    |  3 ++-
 4 files changed, 24 insertions(+), 13 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -919,7 +919,8 @@ int snd_seq_dispatch_event(struct snd_se
 static int snd_seq_client_enqueue_event(struct snd_seq_client *client,
 					struct snd_seq_event *event,
 					struct file *file, int blocking,
-					int atomic, int hop)
+					int atomic, int hop,
+					struct mutex *mutexp)
 {
 	struct snd_seq_event_cell *cell;
 	int err;
@@ -957,7 +958,8 @@ static int snd_seq_client_enqueue_event(
 		return -ENXIO; /* queue is not allocated */
 
 	/* allocate an event cell */
-	err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, file);
+	err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic,
+				file, mutexp);
 	if (err < 0)
 		return err;
 
@@ -1026,12 +1028,11 @@ static ssize_t snd_seq_write(struct file
 		return -ENXIO;
 
 	/* allocate the pool now if the pool is not allocated yet */ 
+	mutex_lock(&client->ioctl_mutex);
 	if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
-		mutex_lock(&client->ioctl_mutex);
 		err = snd_seq_pool_init(client->pool);
-		mutex_unlock(&client->ioctl_mutex);
 		if (err < 0)
-			return -ENOMEM;
+			goto out;
 	}
 
 	/* only process whole events */
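
Review bot: the failure path of snd_seq_pool_init() changes from "return -ENOMEM" to "goto out", so the caller now sees whatever err the init returned instead of a fixed -ENOMEM. If that is intended it deserves a line in the commit message. The lock is also now taken on every write, and any return statement between this mutex_lock() and the out label would leave ioctl_mutex held; a comment at the mutex_lock() saying that it is released at out would help.
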
@@ -1082,7 +1083,7 @@ static ssize_t snd_seq_write(struct file
 		/* ok, enqueue it */
 		err = snd_seq_client_enqueue_event(client, &event, file,
 						   !(file->f_flags & O_NONBLOCK),
-						   0, 0);
+						   0, 0, &client->ioctl_mutex);
 		if (err < 0)
 			break;
 
@@ -1093,6 +1094,8 @@ static ssize_t snd_seq_write(struct file
 		written += len;
 	}
 
+ out:
+	mutex_unlock(&client->ioctl_mutex);
 	return written ? written : err;
 }
 
@@ -2355,7 +2358,8 @@ static int kernel_client_enqueue(int cli
 	if (! cptr->accept_output)
 		result = -EPERM;
 	else /* send it */
-		result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, atomic, hop);
+		result = snd_seq_client_enqueue_event(cptr, ev, file, blocking,
+						      atomic, hop, NULL);
 
 	snd_seq_client_unlock(cptr);
 	return result;
--- a/sound/core/seq/seq_fifo.c
+++ b/sound/core/seq/seq_fifo.c
@@ -123,7 +123,7 @@ int snd_seq_fifo_event_in(struct snd_seq
 		return -EINVAL;
 
 	snd_use_lock_use(&f->use_lock);
-	err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL); /* always non-blocking */
+	err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL, NULL); /* always non-blocking */
 	if (err < 0) {
 		if ((err == -ENOMEM) || (err == -EAGAIN))
 			atomic_inc(&f->overflow);
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -221,7 +221,8 @@ void snd_seq_cell_free(struct snd_seq_ev
  */
 static int snd_seq_cell_alloc(struct snd_seq_pool *pool,
 			      struct snd_seq_event_cell **cellp,
-			      int nonblock, struct file *file)
+			      int nonblock, struct file *file,
+			      struct mutex *mutexp)
 {
 	struct snd_seq_event_cell *cell;
 	unsigned long flags;
@@ -245,7 +246,11 @@ static int snd_seq_cell_alloc(struct snd
 		set_current_state(TASK_INTERRUPTIBLE);
 		add_wait_queue(&pool->output_sleep, &wait);
 		spin_unlock_irq(&pool->lock);
+		if (mutexp)
+			mutex_unlock(mutexp);
 		schedule();
+		if (mutexp)
+			mutex_lock(mutexp);
 		spin_lock_irq(&pool->lock);
 		remove_wait_queue(&pool->output_sleep, &wait);
 		/* interrupted? */
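
Review bot: dropping mutexp around schedule() means the pool ioctl that the mutex is meant to exclude can run while the writer sleeps, so nothing read from the pool before the sleep can be trusted after mutex_lock(mutexp) returns. The hunk re-takes pool->lock only after the mutex, which is the right order, but there is no comment saying that pool state must be re-validated, nor that mutexp may be NULL (the fifo and kernel-client callers in this patch pass NULL). Suggest a short comment at the unlock covering both.
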
@@ -288,7 +293,7 @@ __error:
  */
 int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
 		      struct snd_seq_event_cell **cellp, int nonblock,
-		      struct file *file)
+		      struct file *file, struct mutex *mutexp)
 {
 	int ncells, err;
 	unsigned int extlen;
@@ -305,7 +310,7 @@ int snd_seq_event_dup(struct snd_seq_poo
 	if (ncells >= pool->total_elements)
 		return -ENOMEM;
 
-	err = snd_seq_cell_alloc(pool, &cell, nonblock, file);
+	err = snd_seq_cell_alloc(pool, &cell, nonblock, file, mutexp);
 	if (err < 0)
 		return err;
 
@@ -331,7 +336,8 @@ int snd_seq_event_dup(struct snd_seq_poo
 			int size = sizeof(struct snd_seq_event);
 			if (len < size)
 				size = len;
-			err = snd_seq_cell_alloc(pool, &tmp, nonblock, file);
+			err = snd_seq_cell_alloc(pool, &tmp, nonblock, file,
+						 mutexp);
 			if (err < 0)
 				goto __error;
 			if (cell->event.data.ext.ptr == NULL)
--- a/sound/core/seq/seq_memory.h
+++ b/sound/core/seq/seq_memory.h
@@ -66,7 +66,8 @@ struct snd_seq_pool {
 void snd_seq_cell_free(struct snd_seq_event_cell *cell);
 
 int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
-		      struct snd_seq_event_cell **cellp, int nonblock, struct file *file);
+		      struct snd_seq_event_cell **cellp, int nonblock,
+		      struct file *file, struct mutex *mutexp);
 
 /* return number of unused (free) cells */
 static inline int snd_seq_unused_cells(struct snd_seq_pool *pool)


* [PATCH 3.16 402/410] bonding: process the err returned by dev_set_allmulti properly in bond_enslave
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (250 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 207/410] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 129/410] nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds Ben Hutchings
                   ` (157 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Xin Long, Andy Gospodarek

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit 9f5a90c107741b864398f4ac0014711a8c1d8474 upstream.

When dev_set_promiscuity(1) succeeds but dev_set_allmulti(1) fails,
dev_set_promiscuity(-1) should be done before going to the err path.
Otherwise, dev->promiscuity will leak.

Fixes: 7e1a1ac1fbaa ("bonding: Check return of dev_set_promiscuity/allmulti")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/bonding/bond_main.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1579,8 +1579,11 @@ int bond_enslave(struct net_device *bond
 		/* set allmulti level to new slave */
 		if (bond_dev->flags & IFF_ALLMULTI) {
 			res = dev_set_allmulti(slave_dev, 1);
-			if (res)
+			if (res) {
+				if (bond_dev->flags & IFF_PROMISC)
+					dev_set_promiscuity(slave_dev, -1);
 				goto err_sysfs_del;
+			}
 		}
 
 		netif_addr_lock_bh(bond_dev);
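
Review bot: the rollback is open-coded inside the "if (res)" branch, and its guard "bond_dev->flags & IFF_PROMISC" has to stay identical to the condition under which dev_set_promiscuity(slave_dev, 1) was applied earlier in bond_enslave(). Suggest unwinding through a dedicated error label instead, so that any other failure path that jumps to err_sysfs_del can share the same undo rather than repeating it.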


* [PATCH 3.16 291/410] l2tp: don't use inet_shutdown on ppp session destroy
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (74 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 245/410] IB/ipoib: Do not warn if IPoIB debugfs doesn't exist Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 090/410] net/mlx4_core: Cleanup FMR unmapping flow Ben Hutchings
                   ` (333 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, James Chapman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Chapman <jchapman@katalix.com>

commit 225eb26489d05c679a4c4197ffcb81c81e9dcaf4 upstream.

Previously, if a ppp session was closed, we called inet_shutdown to mark
the socket as unconnected such that userspace would get errors and
then close the socket. This could race with userspace closing the
socket. Instead, leave userspace to close the socket in its own time
(our session will be detached anyway).

BUG: KASAN: use-after-free in inet_shutdown+0x5d/0x1c0
Read of size 4 at addr ffff880010ea3ac0 by task syzbot_347bd5ac/8296

CPU: 3 PID: 8296 Comm: syzbot_347bd5ac Not tainted 4.16.0-rc1+ #91
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Call Trace:
 dump_stack+0x101/0x157
 ? inet_shutdown+0x5d/0x1c0
 print_address_description+0x78/0x260
 ? inet_shutdown+0x5d/0x1c0
 kasan_report+0x240/0x360
 __asan_load4+0x78/0x80
 inet_shutdown+0x5d/0x1c0
 ? pppol2tp_show+0x80/0x80
 pppol2tp_session_close+0x68/0xb0
 l2tp_tunnel_closeall+0x199/0x210
 ? udp_v6_flush_pending_frames+0x90/0x90
 l2tp_udp_encap_destroy+0x6b/0xc0
 ? l2tp_tunnel_del_work+0x2e0/0x2e0
 udpv6_destroy_sock+0x8c/0x90
 sk_common_release+0x47/0x190
 udp_lib_close+0x15/0x20
 inet_release+0x85/0xd0
 inet6_release+0x43/0x60
 sock_release+0x53/0x100
 ? sock_alloc_file+0x260/0x260
 sock_close+0x1b/0x20
 __fput+0x19f/0x380
 ____fput+0x1a/0x20
 task_work_run+0xd2/0x110
 exit_to_usermode_loop+0x18d/0x190
 do_syscall_64+0x389/0x3b0
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x7fe240a45259
RSP: 002b:00007fe241132df8 EFLAGS: 00000297 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe240a45259
RDX: 00007fe240a45259 RSI: 0000000000000000 RDI: 00000000000000a5
RBP: 00007fe241132e20 R08: 00007fe241133700 R09: 0000000000000000
R10: 00007fe241133700 R11: 0000000000000297 R12: 0000000000000000
R13: 00007ffc49aff84f R14: 0000000000000000 R15: 00007fe241141040

Allocated by task 8331:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kasan_slab_alloc+0x12/0x20
 kmem_cache_alloc+0x144/0x3e0
 sock_alloc_inode+0x22/0x130
 alloc_inode+0x3d/0xf0
 new_inode_pseudo+0x1c/0x90
 sock_alloc+0x30/0x110
 __sock_create+0xaa/0x4c0
 SyS_socket+0xbe/0x130
 do_syscall_64+0x128/0x3b0
 entry_SYSCALL_64_after_hwframe+0x26/0x9b

Freed by task 8314:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x11a/0x170
 kasan_slab_free+0xe/0x10
 kmem_cache_free+0x88/0x2b0
 sock_destroy_inode+0x49/0x50
 destroy_inode+0x77/0xb0
 evict+0x285/0x340
 iput+0x429/0x530
 dentry_unlink_inode+0x28c/0x2c0
 __dentry_kill+0x1e3/0x2f0
 dput.part.21+0x500/0x560
 dput+0x24/0x30
 __fput+0x2aa/0x380
 ____fput+0x1a/0x20
 task_work_run+0xd2/0x110
 exit_to_usermode_loop+0x18d/0x190
 do_syscall_64+0x389/0x3b0
 entry_SYSCALL_64_after_hwframe+0x26/0x9b

Fixes: fd558d186df2c ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 10 ----------
 1 file changed, 10 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -441,16 +441,6 @@ abort:
  */
 static void pppol2tp_session_close(struct l2tp_session *session)
 {
-	struct sock *sk;
-
-	BUG_ON(session->magic != L2TP_SESSION_MAGIC);
-
-	sk = pppol2tp_session_get_sock(session);
-	if (sk) {
-		if (sk->sk_socket)
-			inet_shutdown(sk->sk_socket, SEND_SHUTDOWN);
-		sock_put(sk);
-	}
 }
 
 /* Really kill the session socket. (Called from sock_put() if
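
Review bot: after the deletion pppol2tp_session_close() is an empty function, and the "BUG_ON(session->magic != L2TP_SESSION_MAGIC)" sanity check goes away together with the inet_shutdown() call. Suggest either removing the function along with wherever it is registered as a callback, or leaving a one-line comment in the body saying that it is intentionally a no-op because userspace closes the socket.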


* [PATCH 3.16 090/410] net/mlx4_core: Cleanup FMR unmapping flow
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 291/410] l2tp: don't use inet_shutdown on ppp session destroy Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 302/410] mmc: dw_mmc: Factor out dw_mci_init_slot_caps Ben Hutchings
                   ` (332 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Moshe Shemesh, David S. Miller, Tariq Toukan

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tariq Toukan <tariqt@mellanox.com>

commit fd4a3e2828b4ca35aef40e5bdc1ed7d87b3cb50a upstream.

Remove redundant and not essential operations in fmr unmap/free.
According to device spec, in FMR unmap it is sufficient to set
ownership bit to SW. This allows remapping afterwards.

Fixes: 8ad11fb6b073 ("IB/mlx4: Implement FMRs")
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/mr.c | 40 +++++++++++++------------
 1 file changed, 21 insertions(+), 19 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/mr.c
+++ b/drivers/net/ethernet/mellanox/mlx4/mr.c
@@ -944,30 +944,16 @@ EXPORT_SYMBOL_GPL(mlx4_fmr_enable);
 void mlx4_fmr_unmap(struct mlx4_dev *dev, struct mlx4_fmr *fmr,
 		    u32 *lkey, u32 *rkey)
 {
-	struct mlx4_cmd_mailbox *mailbox;
-	int err;
-
 	if (!fmr->maps)
 		return;
 
-	fmr->maps = 0;
+	/* To unmap: it is sufficient to take back ownership from HW */
+	*(u8 *)fmr->mpt = MLX4_MPT_STATUS_SW;
 
-	mailbox = mlx4_alloc_cmd_mailbox(dev);
-	if (IS_ERR(mailbox)) {
-		err = PTR_ERR(mailbox);
-		pr_warn("mlx4_ib: mlx4_alloc_cmd_mailbox failed (%d)\n", err);
-		return;
-	}
+	/* Make sure MPT status is visible */
+	wmb();
 
-	err = mlx4_HW2SW_MPT(dev, NULL,
-			     key_to_hw_index(fmr->mr.key) &
-			     (dev->caps.num_mpts - 1));
-	mlx4_free_cmd_mailbox(dev, mailbox);
-	if (err) {
-		pr_warn("mlx4_ib: mlx4_HW2SW_MPT failed (%d)\n", err);
-		return;
-	}
-	fmr->mr.enabled = MLX4_MPT_EN_SW;
+	fmr->maps = 0;
 }
 EXPORT_SYMBOL_GPL(mlx4_fmr_unmap);
 
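
Review bot: "*(u8 *)fmr->mpt = MLX4_MPT_STATUS_SW;" depends on the status byte being the first byte of the MPT entry, which the cast hides; a named accessor or a comment stating that layout would protect it against reordering. After this change the dev, lkey and rkey parameters are unused in mlx4_fmr_unmap(), and fmr->mr.enabled is no longer set to MLX4_MPT_EN_SW here, which the new branch in mlx4_fmr_free() relies on, so that coupling should be stated in the comment.
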
@@ -977,6 +963,22 @@ int mlx4_fmr_free(struct mlx4_dev *dev,
 
 	if (fmr->maps)
 		return -EBUSY;
+	if (fmr->mr.enabled == MLX4_MPT_EN_HW) {
+		/* In case of FMR was enabled and unmapped
+		 * make sure to give ownership of MPT back to HW
+		 * so HW2SW_MPT command will success.
+		 */
+		*(u8 *)fmr->mpt = MLX4_MPT_STATUS_SW;
+		/* Make sure MPT status is visible before changing MPT fields */
+		wmb();
+		fmr->mpt->length = 0;
+		fmr->mpt->start  = 0;
+		/* Make sure MPT data is visible after changing MPT status */
+		wmb();
+		*(u8 *)fmr->mpt = MLX4_MPT_STATUS_HW;
+		/* make sure MPT status is visible */
+		wmb();
+	}
 
 	ret = mlx4_mr_free(dev, &fmr->mr);
 	if (ret)
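
Review bot: the comments in the new block do not match the code. The block comment says "give ownership of MPT back to HW" directly above a write of MLX4_MPT_STATUS_SW, and "Make sure MPT data is visible after changing MPT status" sits before the status write to MLX4_MPT_STATUS_HW, so it should read "before". "will success" should be "will succeed". The barrier sequence itself (status to SW, wmb, clear length and start, wmb, status to HW, wmb) reads consistently.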


* [PATCH 3.16 328/410] brcmfmac: fix P2P_DEVICE ethernet address generation
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (308 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 292/410] l2tp: fix races with tunnel socket close Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 173/410] staging: iio: adc: ad7192: fix external frequency setting Ben Hutchings
                   ` (99 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hans de Goede, Hante Meuleman, Arend Van Spriel,
	Franky Lin, Kalle Valo, Pieter-Paul Giesberts

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arend Van Spriel <arend.vanspriel@broadcom.com>

commit 455f3e76cfc0d893585a5f358b9ddbe9c1e1e53b upstream.

The firmware has a requirement that the P2P_DEVICE address should
be different from the address of the primary interface. When not
specified by user-space, the driver generates the MAC address for
the P2P_DEVICE interface using the MAC address of the primary
interface and setting the locally administered bit. However, the MAC
address of the primary interface may already have that bit set causing
the creation of the P2P_DEVICE interface to fail with -EBUSY. Fix this
by using a random address instead to determine the P2P_DEVICE address.

Reported-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmfmac/p2p.c | 24 +++++++++----------
 1 file changed, 11 insertions(+), 13 deletions(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
@@ -457,25 +457,23 @@ static int brcmf_p2p_set_firmware(struct
  * @dev_addr: optional device address.
  *
  * P2P needs mac addresses for P2P device and interface. If no device
- * address it specified, these are derived from the primary net device, ie.
- * the permanent ethernet address of the device.
+ * address it specified, these are derived from a random ethernet
+ * address.
  */
 static void brcmf_p2p_generate_bss_mac(struct brcmf_p2p_info *p2p, u8 *dev_addr)
 {
-	struct brcmf_if *pri_ifp = p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif->ifp;
-	bool local_admin = false;
+	bool random_addr = false;
 
-	if (!dev_addr || is_zero_ether_addr(dev_addr)) {
-		dev_addr = pri_ifp->mac_addr;
-		local_admin = true;
-	}
+	if (!dev_addr || is_zero_ether_addr(dev_addr))
+		random_addr = true;
 
-	/* Generate the P2P Device Address.  This consists of the device's
-	 * primary MAC address with the locally administered bit set.
+	/* Generate the P2P Device Address obtaining a random ethernet
+	 * address with the locally administered bit set.
 	 */
-	memcpy(p2p->dev_addr, dev_addr, ETH_ALEN);
-	if (local_admin)
-		p2p->dev_addr[0] |= 0x02;
+	if (random_addr)
+		eth_random_addr(p2p->dev_addr);
+	else
+		memcpy(p2p->dev_addr, dev_addr, ETH_ALEN);
 
 	/* Generate the P2P Interface Address.  If the discovery and connection
 	 * BSSCFGs need to simultaneously co-exist, then this address must be
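
Review bot: the random_addr flag is set and consumed once a few lines apart, so the two ifs can be merged: call eth_random_addr(p2p->dev_addr) directly when dev_addr is NULL or zero and memcpy() otherwise. The rewritten kernel-doc line still reads "If no device address it specified", which should be "is specified". It is also worth stating in the comment that the generated P2P device address now differs on each call, since it is no longer derived from the primary MAC.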


* [PATCH 3.16 340/410] xhci: Fix front USB ports on ASUS PRIME B350M-A
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 378/410] libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 020/410] ext4: fix bitmap position validation Ben Hutchings
                   ` (346 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Kai-Heng Feng, Mathias Nyman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 191edc5e2e515aab1075a3f0ef23599e80be5f59 upstream.

When a USB device gets plugged on ASUS PRIME B350M-A's front ports, the
xHC stops working:
[  549.114587] xhci_hcd 0000:02:00.0: WARN: xHC CMD_RUN timeout
[  549.114608] suspend_common(): xhci_pci_suspend+0x0/0xc0 returns -110
[  549.114638] xhci_hcd 0000:02:00.0: can't suspend (hcd_pci_runtime_suspend returned -110)

A delay before running the xHC command CMD_RUN can work around the issue.

Use a new quirk so that the delay targets only the affected xHC.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-pci.c | 3 +++
 drivers/usb/host/xhci.c     | 3 +++
 drivers/usb/host/xhci.h     | 1 +
 3 files changed, 7 insertions(+)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -124,6 +124,9 @@ static void xhci_pci_quirks(struct devic
 	if (pdev->vendor == PCI_VENDOR_ID_AMD && usb_amd_find_chipset_info())
 		xhci->quirks |= XHCI_AMD_PLL_FIX;
 
+	if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x43bb)
+		xhci->quirks |= XHCI_SUSPEND_DELAY;
+
 	if (pdev->vendor == PCI_VENDOR_ID_AMD)
 		xhci->quirks |= XHCI_TRUST_TX_LENGTH;
 
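
Review bot: "pdev->device == 0x43bb" is a bare device ID. Suggest a named constant next to the other AMD IDs, with a comment naming the affected controller, since the commit message identifies it only by the board (ASUS PRIME B350M-A).
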
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -922,6 +922,9 @@ int xhci_suspend(struct xhci_hcd *xhci,
 	clear_bit(HCD_FLAG_POLL_RH, &hcd->flags);
 	del_timer_sync(&hcd->rh_timer);
 
+	if (xhci->quirks & XHCI_SUSPEND_DELAY)
+		usleep_range(1000, 1500);
+
 	spin_lock_irq(&xhci->lock);
 	clear_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags);
 	clear_bit(HCD_FLAG_HW_ACCESSIBLE, &xhci->shared_hcd->flags);
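
Review bot: "usleep_range(1000, 1500)" has no comment explaining where the 1 to 1.5 ms figure comes from or which step it is delaying. The commit message says the delay is needed before CMD_RUN; a one-line comment saying so, and that the call must stay ahead of spin_lock_irq(&xhci->lock) because it sleeps, would keep a later reorder from breaking it.
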
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1571,6 +1571,7 @@ struct xhci_hcd {
 #define XHCI_MISSING_CAS	(1 << 24)
 #define XHCI_U2_DISABLE_WAKE	(1 << 27)
 #define XHCI_ASMEDIA_MODIFY_FLOWCONTROL	(1 << 28)
+#define XHCI_SUSPEND_DELAY	(1 << 30)
 	unsigned int		num_active_eps;
 	unsigned int		limit_active_eps;
 	/* There are two roothubs to keep track of bus suspend info for */
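
Review bot: XHCI_SUSPEND_DELAY is defined as (1 << 30) directly after (1 << 28), leaving bit 29 unused in the visible list. If the gap is there to keep the value identical to upstream, a comment saying so would stop a later backport from filling the hole with a conflicting flag.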


* [PATCH 3.16 318/410] ata: do not schedule hot plug if it is a sas host
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (395 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 209/410] sysctl: check for UINT_MAX before unsigned int min/max Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 228/410] libata: fix length validation of ATAPI-relayed SCSI commands Ben Hutchings
                   ` (12 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Jason Yan, Ding Xiang

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Yan <yanaijie@huawei.com>

commit 6f54120e17e311fd7ac42b9ec2a0611caa5b46ad upstream.

We've got a kernel panic when using sata disk with sas controller:

[115946.152283] Unable to handle kernel NULL pointer dereference at virtual address 000007d8
[115946.223963] CPU: 0 PID: 22175 Comm: kworker/0:1 Tainted: G   W OEL  4.14.0 #1
[115946.232925] Workqueue: events ata_scsi_hotplug
[115946.237938] task: ffff8021ee50b180 task.stack: ffff00000d5d0000
[115946.244717] PC is at sas_find_dev_by_rphy+0x44/0x114
[115946.250224] LR is at sas_find_dev_by_rphy+0x3c/0x114
......
[115946.355701] Process kworker/0:1 (pid: 22175, stack limit = 0xffff00000d5d0000)
[115946.363369] Call trace:
[115946.456356] [<ffff000008878a9c>] sas_find_dev_by_rphy+0x44/0x114
[115946.462908] [<ffff000008878b8c>] sas_target_alloc+0x20/0x5c
[115946.469408] [<ffff00000885a31c>] scsi_alloc_target+0x250/0x308
[115946.475781] [<ffff00000885ba30>] __scsi_add_device+0xb0/0x154
[115946.481991] [<ffff0000088b520c>] ata_scsi_scan_host+0x180/0x218
[115946.488367] [<ffff0000088b53d8>] ata_scsi_hotplug+0xb0/0xcc
[115946.494801] [<ffff0000080ebd70>] process_one_work+0x144/0x390
[115946.501115] [<ffff0000080ec100>] worker_thread+0x144/0x418
[115946.507093] [<ffff0000080f2c98>] kthread+0x10c/0x138
[115946.512792] [<ffff0000080855dc>] ret_from_fork+0x10/0x18

We found that Ding Xiang has reported a similar bug before:
https://patchwork.kernel.org/patch/9179817/

And this bug still exists in mainline. Since libsas handles hotplug and
device adding/removing itself, there is no need to schedule the ata hot
plug task here if it is a sas host.

Signed-off-by: Jason Yan <yanaijie@huawei.com>
Cc: Ding Xiang <dingxiang@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-eh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -815,7 +815,8 @@ void ata_scsi_port_error_handler(struct
 
 	if (ap->pflags & ATA_PFLAG_LOADING)
 		ap->pflags &= ~ATA_PFLAG_LOADING;
-	else if (ap->pflags & ATA_PFLAG_SCSI_HOTPLUG)
+	else if ((ap->pflags & ATA_PFLAG_SCSI_HOTPLUG) &&
+		!(ap->flags & ATA_FLAG_SAS_HOST))
 		schedule_delayed_work(&ap->hotplug_task, 0);
 
 	if (ap->pflags & ATA_PFLAG_RECOVERED)
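
Review bot: the new condition tests two different fields, "ap->pflags & ATA_PFLAG_SCSI_HOTPLUG" and "ap->flags & ATA_FLAG_SAS_HOST", whose names differ by one letter and are easy to misread; a short comment on the second line would help. The continuation line is indented with two tabs, so it does not line up under the opening parenthesis of the else-if condition. On a SAS host ATA_PFLAG_SCSI_HOTPLUG is now left set by this branch without any work being scheduled, so it is worth confirming that something else clears it.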


* [PATCH 3.16 079/410] ASoC: nuc900: Fix a loop timeout test
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (120 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 393/410] ip_tunnel: Emit events for post-register MTU changes Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05   ` Ben Hutchings
                   ` (287 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Dan Carpenter

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 65a12b3aafed5fc59f4ce41b22b752b1729e6701 upstream.

We should be finishing the loop with timeout set to zero but because
this is a post-op we finish with timeout == -1.

Fixes: 1082e2703a2d ("ASoC: NUC900/audio: add nuc900 audio driver support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/nuc900/nuc900-ac97.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/soc/nuc900/nuc900-ac97.c
+++ b/sound/soc/nuc900/nuc900-ac97.c
@@ -67,7 +67,7 @@ static unsigned short nuc900_ac97_read(s
 
 	/* polling the AC_R_FINISH */
 	while (!(AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_R_FINISH)
-								&& timeout--)
+								&& --timeout)
 		mdelay(1);
 
 	if (!timeout) {
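
Review bot: With --timeout the "if (!timeout)" test below now fires on expiry, but the loop only ends that way if timeout starts above zero; its declaration and initial value are outside this hunk, and a starting value of 0 would pre-decrement to -1 and keep polling. Please confirm the initialiser, and note that the wait is now one mdelay(1) shorter than it was with the post-decrement, which is worth a word in the changelog if the budget was tight.
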
@@ -121,7 +121,7 @@ static void nuc900_ac97_write(struct snd
 
 	/* polling the AC_W_FINISH */
 	while ((AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_W_FINISH)
-								&& timeout--)
+								&& --timeout)
 		mdelay(1);
 
 	if (!timeout)
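
Review bot: The write path spins while AC_W_FINISH is set, whereas the read path above spins while AC_R_FINISH is clear, yet both comments say only "polling the ..._FINISH". The --timeout change is the same in both places, so the opposite polarity is presumably how the hardware behaves, but a short comment here stating which bit value means "done" would stop the next reader from treating it as a copy-and-paste slip.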

* [PATCH 3.16 137/410] NFS: commit direct writes even if they fail partially
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, J. Bruce Fields, Trond Myklebust

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <bfields@redhat.com>

commit 1b8d97b0a837beaf48a8449955b52c650a7114b4 upstream.

If some of the WRITE calls making up an O_DIRECT write syscall fail,
we neglect to commit, even if some of the WRITEs succeed.

We also depend on the commit code to free the reference count on the
nfs_page taken in the "if (request_commit)" case at the end of
nfs_direct_write_completion().  The problem was originally noticed
because ENOSPC's encountered partway through a write would result in a
closed file being sillyrenamed when it should have been unlinked.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/direct.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -732,10 +732,8 @@ static void nfs_direct_write_completion(
 
 	spin_lock(&dreq->lock);
 
-	if (test_bit(NFS_IOHDR_ERROR, &hdr->flags)) {
-		dreq->flags = 0;
+	if (test_bit(NFS_IOHDR_ERROR, &hdr->flags))
 		dreq->error = hdr->error;
-	}
 	if (dreq->error != 0)
 		bit = NFS_IOHDR_ERROR;
 	else {
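
Review bot: Nothing in the code records why dreq->flags must survive the NFS_IOHDR_ERROR branch; the reason (the commit path still has to run for the WRITEs that succeeded, and it releases the nfs_page reference taken under "if (request_commit)") lives only in the commit message. A short comment above the test_bit(NFS_IOHDR_ERROR, &hdr->flags) check would keep someone from reinstating the "dreq->flags = 0;" reset later.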

* [PATCH 3.16 039/410] x86/cpu: Rename "WESTMERE2" family to "NEHALEM_G"
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Linus Torvalds, Ingo Molnar, Len Brown,
	Dave Hansen, Peter Zijlstra, Dave Hansen

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Hansen <dave.hansen@linux.intel.com>

commit 4b3b234f434d440fcd749b9636131b76e2ce561e upstream.

Len Brown noticed something was amiss in our INTEL_FAM6_*
definitions.  It seems like model 0x1F was a Nehalem part,
marketed as "Intel Core i7 and i5 Processors" (according to the
SDM).  But, although it was a Nehalem, 0x1F had some uncore events
which were shared with Westmere.

Len also mentioned he thought it was called "Havendale", which
Wikipedia says was graphics-oriented and canceled:

	https://en.wikipedia.org/wiki/Nehalem_(microarchitecture)

So either way, it's probably not important what we call it, but
call it Nehalem to be accurate, and add a "G" since it seems
graphics-related.  If it were canceled that would be a good reason
why it's so sparsely and inconsistently referred to in the code.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Dave Hansen <dave@sr71.net>
Cc: Len Brown <lenb@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20160629192737.949C41A8@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: drop changes in intel_idle.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/intel-family.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/include/asm/intel-family.h
+++ b/arch/x86/include/asm/intel-family.h
@@ -18,10 +18,10 @@
 #define INTEL_FAM6_CORE2_DUNNINGTON	0x1D
 
 #define INTEL_FAM6_NEHALEM		0x1E
+#define INTEL_FAM6_NEHALEM_G		0x1F /* Auburndale / Havendale */
 #define INTEL_FAM6_NEHALEM_EP		0x1A
 #define INTEL_FAM6_NEHALEM_EX		0x2E
 #define INTEL_FAM6_WESTMERE		0x25
-#define INTEL_FAM6_WESTMERE2		0x1F
 #define INTEL_FAM6_WESTMERE_EP		0x2C
 #define INTEL_FAM6_WESTMERE_EX		0x2F
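
Review bot: INTEL_FAM6_WESTMERE2 is removed outright with no compatibility alias, and the backport note says the intel_idle.c part of the upstream change was dropped. Before this goes into 3.16.y, grep the tree for any remaining INTEL_FAM6_WESTMERE2 user, since one left behind shows up as a build failure. The new 0x1F line also sits between 0x1E and 0x1A, so the block is grouped by name, not by model number; that matches the neighbours but is worth knowing when scanning for a value.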
 

* [PATCH 3.16 400/410] bonding: fix the err path for dev hwaddr sync in bond_enslave
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Nikolay Aleksandrov, Xin Long, Andy Gospodarek

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit 5c78f6bfae2b10ff70e21d343e64584ea6280c26 upstream.

vlan_vids_add_by_dev is called right after dev hwaddr sync, so on
the err path it should unsync dev hwaddr. Otherwise, the slave
dev's hwaddr will never be unsynced when this err happens.

Fixes: 1ff412ad7714 ("bonding: change the bond's vlan syncing functions with the standard ones")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/bonding/bond_main.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1451,7 +1451,7 @@ int bond_enslave(struct net_device *bond
 	if (res) {
 		pr_err("%s: Error: Couldn't add bond vlan ids to %s\n",
 		       bond_dev->name, slave_dev->name);
-		goto err_close;
+		goto err_hwaddr_unsync;
 	}
 
 	prev_slave = bond_last_slave(bond);
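
Review bot: The goto err_hwaddr_unsync in this failure branch is only the right target if the hwaddr sync has already happened by the time adding the vlan ids fails, and the sync call is outside the context shown. Since the backport adjusted context, please check in the 3.16 tree that the sync really precedes this branch, and that every failure between the sync and this point also unwinds through the new label instead of going straight to err_close.
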
@@ -1626,9 +1626,6 @@ err_unregister:
 	netdev_rx_handler_unregister(slave_dev);
 
 err_detach:
-	if (!bond_uses_primary(bond))
-		bond_hw_addr_flush(bond_dev, slave_dev);
-
 	vlan_vids_del_by_dev(slave_dev, bond_dev);
 	if (bond->primary_slave == new_slave)
 		bond->primary_slave = NULL;
@@ -1642,6 +1639,10 @@ err_detach:
 	}
 	slave_disable_netpoll(new_slave);
 
+err_hwaddr_unsync:
+	if (!bond_uses_primary(bond))
+		bond_hw_addr_flush(bond_dev, slave_dev);
+
 err_close:
 	slave_dev->priv_flags &= ~IFF_BONDING;
 	dev_close(slave_dev);
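
Review bot: Placing the flush under err_hwaddr_unsync also reorders it for every path that enters at err_detach or above: bond_hw_addr_flush() used to run first and now runs after vlan_vids_del_by_dev() and slave_disable_netpoll(). That looks harmless from the lines shown, but the changelog should say the reordering is intended. The label says "unsync" while the call is a flush; naming the label after the call would make the unwind ladder easier to follow.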

* [PATCH 3.16 242/410] usb: ldusb: add PIDs for new CASSY devices supported by this driver
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Karsten Koop, Greg Kroah-Hartman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Karsten Koop <kkoop@ld-didactic.de>

commit 52ad2bd8918158266fc88a05f95429b56b6a33c5 upstream.

This patch adds support for new CASSY devices to the ldusb driver. The
PIDs are also added to the ignore list in hid-quirks.

Signed-off-by: Karsten Koop <kkoop@ld-didactic.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-core.c   | 3 +++
 drivers/hid/hid-ids.h    | 3 +++
 drivers/usb/misc/ldusb.c | 6 ++++++
 3 files changed, 12 insertions(+)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2309,6 +2309,9 @@ static const struct hid_device_id hid_ig
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -582,6 +582,9 @@
 #define USB_DEVICE_ID_LD_MICROCASSYTIME		0x1033
 #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE	0x1035
 #define USB_DEVICE_ID_LD_MICROCASSYPH		0x1038
+#define USB_DEVICE_ID_LD_POWERANALYSERCASSY	0x1040
+#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY	0x1042
+#define USB_DEVICE_ID_LD_MACHINETESTCASSY	0x1043
 #define USB_DEVICE_ID_LD_JWM		0x1080
 #define USB_DEVICE_ID_LD_DMMP		0x1081
 #define USB_DEVICE_ID_LD_UMIP		0x1090
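
Review bot: The new product IDs go 0x1040, 0x1042, 0x1043 with 0x1041 skipped and no explanation in the commit message. If 0x1041 is reserved or belongs to a device this driver should not claim, say so; if it was missed, it needs adding in all three files. The USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY name is also long enough to push its value out of the column the neighbouring defines use.
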
--- a/drivers/usb/misc/ldusb.c
+++ b/drivers/usb/misc/ldusb.c
@@ -46,6 +46,9 @@
 #define USB_DEVICE_ID_LD_MICROCASSYTIME		0x1033	/* USB Product ID of Micro-CASSY Time (reserved) */
 #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE	0x1035	/* USB Product ID of Micro-CASSY Temperature */
 #define USB_DEVICE_ID_LD_MICROCASSYPH		0x1038	/* USB Product ID of Micro-CASSY pH */
+#define USB_DEVICE_ID_LD_POWERANALYSERCASSY	0x1040	/* USB Product ID of Power Analyser CASSY */
+#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY	0x1042	/* USB Product ID of Converter Controller CASSY */
+#define USB_DEVICE_ID_LD_MACHINETESTCASSY	0x1043	/* USB Product ID of Machine Test CASSY */
 #define USB_DEVICE_ID_LD_JWM		0x1080	/* USB Product ID of Joule and Wattmeter */
 #define USB_DEVICE_ID_LD_DMMP		0x1081	/* USB Product ID of Digital Multimeter P (reserved) */
 #define USB_DEVICE_ID_LD_UMIP		0x1090	/* USB Product ID of UMI P */
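
Review bot: These three defines repeat the values just added to drivers/hid/hid-ids.h, so the ignore list in hid-core.c and the ldusb ID table are tied together only by two hand-maintained copies of each number. The existing entries follow the same pattern, so this is not a blocker for a stable backport, but a typo in either copy would leave a device mismatched between the HID ignore list and the ldusb table with no build-time warning.
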
@@ -94,6 +97,9 @@ static const struct usb_device_id ld_usb
 	{ USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
 	{ USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
 	{ USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
+	{ USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
+	{ USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
+	{ USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
 	{ USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
 	{ USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
 	{ USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },

* [PATCH 3.16 379/410] libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hans de Goede, Kai-Heng Feng, Tejun Heo

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 3bf7b5d6d017c27e0d3b160aafb35a8e7cfeda1f upstream.

Commit b17e5729a630 ("libata: disable LPM for Crucial BX100 SSD 500GB
drive") introduced an ATA_HORKAGE_NOLPM quirk for Crucial BX100 500GB SSDs
but limited this to the MU02 firmware version, according to:
http://www.crucial.com/usa/en/support-ssd-firmware

MU02 is the last version, so there are no newer possibly fixed versions
and if the MU02 version has broken LPM then the MU01 almost certainly
also has broken LPM, so this commit changes the quirk to apply to all
firmware versions.

Fixes: b17e5729a630 ("libata: disable LPM for Crucial BX100 SSD 500GB...")
Cc: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4225,7 +4225,7 @@ static const struct ata_blacklist_entry
 	{ "PIONEER DVD-RW  DVR-216D",	NULL,	ATA_HORKAGE_NOSETXFER },
 
 	/* Crucial BX100 SSD 500GB has broken LPM support */
-	{ "CT500BX100SSD1",		"MU02",	ATA_HORKAGE_NOLPM },
+	{ "CT500BX100SSD1",		NULL,	ATA_HORKAGE_NOLPM },
 
 	/* The 512GB version of the MX100 has both queued TRIM and LPM issues */
 	{ "Crucial_CT512MX100*",	NULL,	ATA_HORKAGE_NO_NCQ_TRIM |
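
Review bot: With the firmware field now NULL, the comment above the CT500BX100SSD1 entry still reads as it did when the quirk was limited to MU02, so the source no longer says that matching every firmware revision is deliberate. Extend the comment to say LPM is disabled for all firmware versions (MU02 being the last one, per the changelog), so a later cleanup does not narrow the entry again.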

* [PATCH 3.16 267/410] arm64: do not use print_symbol()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sergey Senozhatsky, linux-edac, Petr Mladek, linux-sh,
	Will Deacon, linux-snps-arc, Sergey Senozhatsky, linux-c6x-dev,
	x86, linux-arm-kernel, linux-ia64, Catalin Marinas,
	Steven Rostedt, linux-am33-list

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>

commit 4ef7963843d3243260aa335dfb9cb2fede06aacf upstream.

print_symbol() is a very old API that has been obsoleted by the %pS format
specifier in a normal printk() call.

Replace print_symbol() with a direct printk("%pS") call.

Link: http://lkml.kernel.org/r/20171211125025.2270-3-sergey.senozhatsky@gmail.com
To: Andrew Morton <akpm@linux-foundation.org>
To: Russell King <linux@armlinux.org.uk>
To: Catalin Marinas <catalin.marinas@arm.com>
To: Mark Salter <msalter@redhat.com>
To: Tony Luck <tony.luck@intel.com>
To: David Howells <dhowells@redhat.com>
To: Yoshinori Sato <ysato@users.sourceforge.jp>
To: Guan Xuetao <gxt@mprc.pku.edu.cn>
To: Borislav Petkov <bp@alien8.de>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Thomas Gleixner <tglx@linutronix.de>
To: Peter Zijlstra <peterz@infradead.org>
To: Vineet Gupta <vgupta@synopsys.com>
To: Fengguang Wu <fengguang.wu@intel.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: LKML <linux-kernel@vger.kernel.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-c6x-dev@linux-c6x.org
Cc: linux-ia64@vger.kernel.org
Cc: linux-am33-list@redhat.com
Cc: linux-sh@vger.kernel.org
Cc: linux-edac@vger.kernel.org
Cc: x86@kernel.org
Cc: linux-snps-arc@lists.infradead.org
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
[pmladek@suse.com: updated commit message]
Signed-off-by: Petr Mladek <pmladek@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/process.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -31,7 +31,6 @@
 #include <linux/delay.h>
 #include <linux/reboot.h>
 #include <linux/interrupt.h>
-#include <linux/kallsyms.h>
 #include <linux/init.h>
 #include <linux/cpu.h>
 #include <linux/elfcore.h>
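
Review bot: Dropping the linux/kallsyms.h include is only safe if the two print_symbol() calls converted in the next hunk were the file's last users of that header. The backport note says context was adjusted, so please confirm that 3.16's arch/arm64/kernel/process.c has no other kallsyms user before the include goes.
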
@@ -198,8 +197,8 @@ void __show_regs(struct pt_regs *regs)
 	}
 
 	show_regs_print_info(KERN_DEFAULT);
-	print_symbol("pc : %s\n", regs->pc);
-	print_symbol("lr : %s\n", lr);
+	printk("pc : %pS\n", (void *)regs->pc);
+	printk("lr : %pS\n", (void *)lr);
 	printk("sp : %016llx pstate : %08llx\n", sp, regs->pstate);
 	for (i = top_reg; i >= 0; i--) {
 		printk("x%-2d: %016llx ", i, regs->regs[i]);

* [PATCH 3.16 173/410] staging: iio: adc: ad7192: fix external frequency setting
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jonathan Cameron, Alexandru Ardelean

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandru Ardelean <alexandru.ardelean@analog.com>

commit e31b617d0a63c6558485aaa730fd162faa95a766 upstream.

The external clock frequency was set only when selecting
the internal clock, which is fixed at 4.9152 Mhz.

This is incorrect, since it should be set when any of
the external clock or crystal settings is selected.

Added range validation for the external (crystal/clock)
frequency setting.
Valid values are between 2.4576 and 5.12 Mhz.

Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/adc/ad7192.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

--- a/drivers/staging/iio/adc/ad7192.c
+++ b/drivers/staging/iio/adc/ad7192.c
@@ -125,6 +125,8 @@
 #define AD7192_GPOCON_P1DAT	(1 << 1) /* P1 state */
 #define AD7192_GPOCON_P0DAT	(1 << 0) /* P0 state */
 
+#define AD7192_EXT_FREQ_MHZ_MIN	2457600
+#define AD7192_EXT_FREQ_MHZ_MAX	5120000
 #define AD7192_INT_FREQ_MHZ	4915200
 
 /* NOTE:
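
Review bot: AD7192_EXT_FREQ_MHZ_MIN and AD7192_EXT_FREQ_MHZ_MAX are named MHZ but hold 2457600 and 5120000, which are Hz values (the changelog gives the range as 2.4576 to 5.12 MHz) and are compared against ext_clk_hz. The existing AD7192_INT_FREQ_MHZ has the same problem, so the new names are at least consistent with it, but a _HZ suffix would avoid a unit mistake in later edits.
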
@@ -200,6 +202,12 @@ static int ad7192_calibrate_all(struct a
 				ARRAY_SIZE(ad7192_calib_arr));
 }
 
+static inline bool ad7192_valid_external_frequency(u32 freq)
+{
+	return (freq >= AD7192_EXT_FREQ_MHZ_MIN &&
+		freq <= AD7192_EXT_FREQ_MHZ_MAX);
+}
+
 static int ad7192_setup(struct ad7192_state *st,
 	const struct ad7192_platform_data *pdata)
 {
@@ -224,17 +232,20 @@ static int ad7192_setup(struct ad7192_st
 		dev_warn(&st->sd.spi->dev, "device ID query failed (0x%X)\n", id);
 
 	switch (pdata->clock_source_sel) {
-	case AD7192_CLK_EXT_MCLK1_2:
-	case AD7192_CLK_EXT_MCLK2:
-		st->mclk = AD7192_INT_FREQ_MHZ;
-		break;
 	case AD7192_CLK_INT:
 	case AD7192_CLK_INT_CO:
-		if (pdata->ext_clk_hz)
-			st->mclk = pdata->ext_clk_hz;
-		else
-			st->mclk = AD7192_INT_FREQ_MHZ;
+		st->mclk = AD7192_INT_FREQ_MHZ;
 		break;
+	case AD7192_CLK_EXT_MCLK1_2:
+	case AD7192_CLK_EXT_MCLK2:
+		if (ad7192_valid_external_frequency(pdata->ext_clk_hz)) {
+			st->mclk = pdata->ext_clk_hz;
+			break;
+		}
+		dev_err(&st->sd.spi->dev, "Invalid frequency setting %u\n",
+			pdata->ext_clk_hz);
+		ret = -EINVAL;
+		goto out;
 	default:
 		ret = -EINVAL;
 		goto out;
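
Review bot: For AD7192_CLK_EXT_MCLK1_2 and AD7192_CLK_EXT_MCLK2 this turns a previously accepted configuration into a setup failure: the old code ignored ext_clk_hz for those sources and used AD7192_INT_FREQ_MHZ, so platform data that left ext_clk_hz at 0 used to set up and now gets -EINVAL. That is the point of the fix, but for a stable update it deserves an explicit line in the changelog. The %u in the dev_err() also assumes ext_clk_hz is an unsigned int, which is not visible in this hunk.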

* [PATCH 3.16 191/410] Input: mms114 - fix license module information
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Andi Shyti, Marcus Folkesson

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andi Shyti <andi.shyti@samsung.com>

commit 498e7e7ed1fd72c275a682f0903c4a20cc538658 upstream.

The driver has been released with GNU Public License v2 as stated
in the header, but the module license information has been tagged
as "GPL" (GNU Public License v2 or later).

Fix the module license information so that it matches the one in
the header as "GPL v2".

Fixes: 07b8481d4aff ("Input: add MELFAS mms114 touchscreen driver")
Reported-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/touchscreen/mms114.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/touchscreen/mms114.c
+++ b/drivers/input/touchscreen/mms114.c
@@ -592,4 +592,4 @@ module_i2c_driver(mms114_driver);
 /* Module information */
 MODULE_AUTHOR("Joonyoung Shim <jy0922.shim@samsung.com>");
 MODULE_DESCRIPTION("MELFAS mms114 Touchscreen driver");
-MODULE_LICENSE("GPL");
+MODULE_LICENSE("GPL v2");
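
Review bot: This is a one-string metadata change, and the file header that the new "GPL v2" tag is meant to match is not in the hunk, so the diff alone cannot confirm the two agree. It has no effect on driver behaviour; please state why it qualifies for 3.16.y, and quote the header's licence line in the changelog so the match can be checked.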

* [PATCH 3.16 114/410] ahci: Add Intel Cannon Lake PCH-H PCI ID
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mika Westerberg, Tejun Heo

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit f919dde0772a894c693a1eeabc77df69d6a9b937 upstream.

Add Intel Cannon Lake PCH-H PCI ID to the list of supported controllers.

Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/ahci.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -376,6 +376,7 @@ static const struct pci_device_id ahci_p
 	{ PCI_VDEVICE(INTEL, 0xa206), board_ahci }, /* Lewisburg RAID*/
 	{ PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
 	{ PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
+	{ PCI_VDEVICE(INTEL, 0xa356), board_ahci }, /* Cannon Lake PCH-H RAID */
 	{ PCI_VDEVICE(INTEL, 0x0f22), board_ahci }, /* Bay Trail AHCI */
 	{ PCI_VDEVICE(INTEL, 0x0f23), board_ahci }, /* Bay Trail AHCI */
 	{ PCI_VDEVICE(INTEL, 0x22a3), board_ahci }, /* Cherry Trail AHCI */
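
Review bot: The comment on the new 0xa356 entry says "Cannon Lake PCH-H RAID", while the subject and changelog describe it only as the Cannon Lake PCH-H PCI ID. If 0xa356 is the RAID-mode ID, the changelog should say so, since a reader will otherwise assume this one line covers the controller in every mode. The comment spacing ("RAID */") also differs from the Lewisburg lines above ("RAID*/").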

* [PATCH 3.16 155/410] USB: serial: simple: add Motorola Tetra driver
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Max Schulze, Johan Hovold, Greg Kroah-Hartman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 46fe895e22ab3845515ec06b01eaf1282b342e29 upstream.

Add new Motorola Tetra (simple) driver for Motorola Solutions TETRA PEI
devices.

D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0cad ProdID=9011 Rev=24.16
S:  Manufacturer=Motorola Solutions Inc.
S:  Product=Motorola Solutions TETRA PEI interface
C:  #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)

Note that these devices do not support the CDC SET_CONTROL_LINE_STATE
request (for any interface).

Reported-by: Max Schulze <max.schulze@posteo.de>
Tested-by: Max Schulze <max.schulze@posteo.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/Kconfig             | 1 +
 drivers/usb/serial/usb-serial-simple.c | 7 +++++++
 2 files changed, 8 insertions(+)

--- a/drivers/usb/serial/Kconfig
+++ b/drivers/usb/serial/Kconfig
@@ -63,6 +63,7 @@ config USB_SERIAL_SIMPLE
 		- Google USB serial devices
 		- HP4x calculators
 		- a number of Motorola phones
+		- Motorola Tetra devices
 		- Novatel Wireless GPS receivers
 		- Siemens USB/MPI adapter.
 		- ViVOtech ViVOpay USB device.
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -80,6 +80,11 @@ DEVICE(vivopay, VIVOPAY_IDS);
 	{ USB_DEVICE(0x22b8, 0x2c64) }	/* Motorola V950 phone */
 DEVICE(moto_modem, MOTO_IDS);
 
+/* Motorola Tetra driver */
+#define MOTOROLA_TETRA_IDS()			\
+	{ USB_DEVICE(0x0cad, 0x9011) }	/* Motorola Solutions TETRA PEI */
+DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
+
 /* Novatel Wireless GPS driver */
 #define NOVATEL_IDS()			\
 	{ USB_DEVICE(0x09d7, 0x0100) }	/* NovAtel FlexPack GPS */
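
Review bot: USB_DEVICE(0x0cad, 0x9011) matches on vendor and product only, so the driver will bind to both interfaces in the descriptor dump from the commit message (If#= 0 and If#= 1, both vendor class). If both are PEI serial ports that is right; if one is something else, the match needs to be narrowed by interface number. The remark that these devices do not support SET_CONTROL_LINE_STATE would also be useful as a comment next to MOTOROLA_TETRA_IDS(), where the next person touching the entry will see it.
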
@@ -110,6 +115,7 @@ static struct usb_serial_driver * const
 	&google_device,
 	&vivopay_device,
 	&moto_modem_device,
+	&motorola_tetra_device,
 	&novatel_gps_device,
 	&hp4x_device,
 	&suunto_device,
@@ -125,6 +131,7 @@ static const struct usb_device_id id_tab
 	GOOGLE_IDS(),
 	VIVOPAY_IDS(),
 	MOTO_IDS(),
+	MOTOROLA_TETRA_IDS(),
 	NOVATEL_IDS(),
 	HP4X_IDS(),
 	SUUNTO_IDS(),

* [PATCH 3.16 278/410] drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ben Crocker, Alex Deucher

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Crocker <bcrocker@redhat.com>

commit 2c83029cda55a5e7665c7c6326909427d6a01350 upstream.

In radeon_device_init, set the need_dma32 flag for Cedar chips
(e.g. FirePro 2270).  This fixes, or at least works around, a bug
on PowerPC exposed by last year's commits

8e3f1b1d8255105f31556aacf8aeb6071b00d469 (Russell Currey)

and

253fd51e2f533552ae35a0c661705da6c4842c1b (Alistair Popple)

which enabled the 64-bit DMA iommu bypass.

This caused the device to freeze, in some cases unrecoverably, and is
the subject of several bug reports internal to Red Hat.

Signed-off-by: Ben Crocker <bcrocker@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/radeon_device.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -1339,6 +1339,10 @@ int radeon_device_init(struct radeon_dev
 	if ((rdev->flags & RADEON_IS_PCI) &&
 	    (rdev->family <= CHIP_RS740))
 		rdev->need_dma32 = true;
+#ifdef CONFIG_PPC64
+	if (rdev->family == CHIP_CEDAR)
+		rdev->need_dma32 = true;
+#endif
 
 	dma_bits = rdev->need_dma32 ? 32 : 40;
 	r = pci_set_dma_mask(rdev->pdev, DMA_BIT_MASK(dma_bits));
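
Review bot: The new CONFIG_PPC64 block forces 32-bit DMA for every CHIP_CEDAR on every PPC64 build with no comment in the code, while the changelog itself describes this as a fix "or at least" a workaround. Add a comment naming the problem (device freeze once the 64-bit DMA iommu bypass is enabled) so the restriction can be revisited when the underlying bug is understood. An #ifdef in the middle of radeon_device_init() is also usually better written as IS_ENABLED(CONFIG_PPC64) inside the condition.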

* [PATCH 3.16 044/410] x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, gregkh, ak, Dave Hansen, torvalds, Thomas Gleixner,
	karahmed, arjan, gnomes, Greg Kroah-Hartman, tim.c.chen,
	pbonzini, peterz, Borislav Petkov, bp, David Woodhouse,
	ashok.raj

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dwmw@amazon.co.uk>

commit fec9434a12f38d3aeafeb75711b71d8a1fdef621 upstream.

Also, for CPUs which don't speculate at all, don't report that they're
vulnerable to the Spectre variants either.

Leave the cpu_no_meltdown[] match table with just X86_VENDOR_AMD in it
for now, even though that could be done with a simple comparison, on the
assumption that we'll have more to add.

Based on suggestions from Dave Hansen and Alan Cox.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Borislav Petkov <bp@suse.de>
Acked-by: Dave Hansen <dave.hansen@intel.com>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: ak@linux.intel.com
Cc: ashok.raj@intel.com
Cc: karahmed@amazon.de
Cc: arjan@linux.intel.com
Cc: torvalds@linux-foundation.org
Cc: peterz@infradead.org
Cc: bp@alien8.de
Cc: pbonzini@redhat.com
Cc: tim.c.chen@linux.intel.com
Cc: gregkh@linux-foundation.org
Link: https://lkml.kernel.org/r/1516896855-7642-6-git-send-email-dwmw@amazon.co.uk
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/common.c | 48 ++++++++++++++++++++++++++++++++----
 1 file changed, 43 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -41,6 +41,8 @@
 #include <asm/pat.h>
 #include <asm/microcode.h>
 #include <asm/microcode_intel.h>
+#include <asm/intel-family.h>
+#include <asm/cpu_device_id.h>
 
 #ifdef CONFIG_X86_LOCAL_APIC
 #include <asm/uv/uv.h>
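Review bot: the two added includes make common.c depend on <asm/intel-family.h> and <asm/cpu_device_id.h> being present in linux-3.16.y, and the INTEL_FAM6_ATOM_* names used in the next hunk come from the first of them. The backport note only says "adjust context"; it should name the earlier patch in this series that provides that header, so the dependency is visible to anyone cherry-picking this change on its own.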
@@ -761,6 +763,41 @@ static void identify_cpu_without_cpuid(s
 #endif
 }
 
+static const __initdata struct x86_cpu_id cpu_no_speculation[] = {
+	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_CEDARVIEW,	X86_FEATURE_ANY },
+	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_CLOVERVIEW,	X86_FEATURE_ANY },
+	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_LINCROFT,	X86_FEATURE_ANY },
+	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_PENWELL,	X86_FEATURE_ANY },
+	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_PINEVIEW,	X86_FEATURE_ANY },
+	{ X86_VENDOR_CENTAUR,	5 },
+	{ X86_VENDOR_INTEL,	5 },
+	{ X86_VENDOR_NSC,	5 },
+	{ X86_VENDOR_ANY,	4 },
+	{}
+};
+
+static const __initdata struct x86_cpu_id cpu_no_meltdown[] = {
+	{ X86_VENDOR_AMD },
+	{}
+};
+
+static bool __init cpu_vulnerable_to_meltdown(struct cpuinfo_x86 *c)
+{
+	u64 ia32_cap = 0;
+
+	if (x86_match_cpu(cpu_no_meltdown))
+		return false;
+
+	if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
+		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
+
+	/* Rogue Data Cache Load? No! */
+	if (ia32_cap & ARCH_CAP_RDCL_NO)
+		return false;
+
+	return true;
+}
+
 /*
  * Do minimum CPU detection early.
  * Fields really needed: vendor, cpuid_level, family, model, mask,
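Review bot: in cpu_no_speculation[] the five Atom rows spell out X86_FEATURE_ANY, while `{ X86_VENDOR_CENTAUR, 5 }`, `{ X86_VENDOR_INTEL, 5 }`, `{ X86_VENDOR_NSC, 5 }`, `{ X86_VENDOR_ANY, 4 }` and `{ X86_VENDOR_AMD }` leave the remaining fields to zero-initialisation, so the match relies on omitted family/model/feature fields acting as wildcards. A one-line comment above each table stating that omitted fields match anything would make the intent explicit and keep the two styles from looking like an oversight. In cpu_vulnerable_to_meltdown() the `c` argument is used only for cpu_has(); the table lookup does not take it, which is worth a comment as well.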
@@ -809,11 +846,12 @@ static void __init early_identify_cpu(st
 
 	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
 
-	if (c->x86_vendor != X86_VENDOR_AMD)
-		setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
-
-	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
-	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
+	if (!x86_match_cpu(cpu_no_speculation)) {
+		if (cpu_vulnerable_to_meltdown(c))
+			setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
+		setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+		setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
+	}
 }
 
 void __init early_cpu_init(void)
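Review bot: the removed test read the vendor from `c` (`c->x86_vendor != X86_VENDOR_AMD`), whereas `x86_match_cpu(cpu_no_speculation)` takes no CPU argument, so the exemption is no longer decided from the structure passed to early_identify_cpu(). Please confirm that whatever x86_match_cpu() consults is already populated for this CPU at this point in early boot; if it is not, neither table can match and every CPU is marked with all three bugs. A short comment before the `if` saying that the tables are exemption lists and that unlisted CPUs are deliberately treated as vulnerable would also help.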

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 081/410] rcutorture/kvm.sh: Use consistent help text for --qemu-args
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (194 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 364/410] fs: Teach path_connected to handle nfs filesystems with multiple roots Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 071/410] power: supply: ab8500_charger: Fix an error handling path Ben Hutchings
                   ` (213 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, SeongJae Park, Paul E. McKenney

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj38.park@gmail.com>

commit 8dcd6f3fe206c0bb8996e59386a04027b1c2fb9b upstream.

The '--qemu-args' option's help text is wrongly copied from '--qemu-cmd'
option and its argument type description message format is inconsistent
with other arguments.  This commit fixes the usage and type messages to
be consistent with others.

Fixes: e9ce640001c6 ("rcutorture: Add --qemu-args argument to kvm.sh")

Signed-off-by: SeongJae Park <sj38.park@gmail.com>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/testing/selftests/rcutorture/bin/kvm.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/tools/testing/selftests/rcutorture/bin/kvm.sh
+++ b/tools/testing/selftests/rcutorture/bin/kvm.sh
@@ -67,7 +67,7 @@ usage () {
 	echo "       --kversion vN.NN"
 	echo "       --mac nn:nn:nn:nn:nn:nn"
 	echo "       --no-initrd"
-	echo "       --qemu-args qemu-system-..."
+	echo "       --qemu-args qemu-arguments"
 	echo "       --qemu-cmd qemu-system-..."
 	echo "       --results absolute-pathname"
 	echo "       --torture rcu"
@@ -142,7 +142,7 @@ do
 		TORTURE_INITRD=""; export TORTURE_INITRD
 		;;
 	--qemu-args)
-		checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
+		checkarg --qemu-args "(qemu arguments)" $# "$2" '^-' '^error'
 		TORTURE_QEMU_ARG="$2"
 		shift
 		;;

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 262/410] ASoC: rt5651: Fix regcache sync errors on resume
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 121/410] crypto: hash - introduce crypto_hash_alg_has_setkey() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 269/410] arm64: Remove unimplemented syscall log message Ben Hutchings
                   ` (305 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Hans de Goede

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 2d30e9494f1ea320aaaad0cff9ddd92c87eac355 upstream.

The ALC5651 does not like multi-write accesses, avoid them. This fixes:

rt5651 i2c-10EC5651:00: Unable to sync registers 0x27-0x28. -121

Errors on resume (and all registers after the registers in the error not
being synced).

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/codecs/rt5651.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/soc/codecs/rt5651.c
+++ b/sound/soc/codecs/rt5651.c
@@ -1732,6 +1732,7 @@ static const struct regmap_config rt5651
 	.num_reg_defaults = ARRAY_SIZE(rt5651_reg),
 	.ranges = rt5651_ranges,
 	.num_ranges = ARRAY_SIZE(rt5651_ranges),
+	.use_single_rw = true,
 };
 
 static const struct i2c_device_id rt5651_i2c_id[] = {
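Review bot: `.use_single_rw = true` is added without a comment, so the reason given in the commit message (the part "does not like multi-write accesses", seen as the -121 sync failure on resume) is lost to anyone reading rt5651.c later. A short comment on that line would help, and it should note that the flag, going by its name, turns reads into single accesses too, not only the writes that failed.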

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 271/410] netfilter: IDLETIMER: be syzkaller friendly
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 152/410] USB: serial: add support for multi-port simple drivers Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 327/410] usb: quirks: add control message delay for 1b1c:1b20 Ben Hutchings
                   ` (371 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, Pablo Neira Ayuso, syzkaller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit cfc2c740533368b96e2be5e0a4e8c3cace7d9814 upstream.

We had one report from syzkaller [1]

First issue is that INIT_WORK() should be done before mod_timer()
or we risk timer being fired too soon, even with a 1 second timer.

Second issue is that we need to reject too big info->timeout
to avoid overflows in msecs_to_jiffies(info->timeout * 1000), or
risk looping, if result after overflow is 0.

[1]
WARNING: CPU: 1 PID: 5129 at kernel/workqueue.c:1444 __queue_work+0xdf4/0x1230 kernel/workqueue.c:1444
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 5129 Comm: syzkaller159866 Not tainted 4.16.0-rc1+ #230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x211/0x2d0 lib/bug.c:184
 fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:988
RIP: 0010:__queue_work+0xdf4/0x1230 kernel/workqueue.c:1444
RSP: 0018:ffff8801db507538 EFLAGS: 00010006
RAX: ffff8801aeb46080 RBX: ffff8801db530200 RCX: ffffffff81481404
RDX: 0000000000000100 RSI: ffffffff86b42640 RDI: 0000000000000082
RBP: ffff8801db507758 R08: 1ffff1003b6a0de5 R09: 000000000000000c
R10: ffff8801db5073f0 R11: 0000000000000020 R12: 1ffff1003b6a0eb6
R13: ffff8801b1067ae0 R14: 00000000000001f8 R15: dffffc0000000000
 queue_work_on+0x16a/0x1c0 kernel/workqueue.c:1488
 queue_work include/linux/workqueue.h:488 [inline]
 schedule_work include/linux/workqueue.h:546 [inline]
 idletimer_tg_expired+0x44/0x60 net/netfilter/xt_IDLETIMER.c:116
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:829
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:777 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x5e/0xba kernel/locking/spinlock.c:184
RSP: 0018:ffff8801c20173c8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff12
RAX: dffffc0000000000 RBX: 0000000000000282 RCX: 0000000000000006
RDX: 1ffffffff0d592cd RSI: 1ffff10035d68d23 RDI: 0000000000000282
RBP: ffff8801c20173d8 R08: 1ffff10038402e47 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8820e5c8
R13: ffff8801b1067ad8 R14: ffff8801aea7c268 R15: ffff8801aea7c278
 __debug_object_init+0x235/0x1040 lib/debugobjects.c:378
 debug_object_init+0x17/0x20 lib/debugobjects.c:391
 __init_work+0x2b/0x60 kernel/workqueue.c:506
 idletimer_tg_create net/netfilter/xt_IDLETIMER.c:152 [inline]
 idletimer_tg_checkentry+0x691/0xb00 net/netfilter/xt_IDLETIMER.c:213
 xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:850
 check_target net/ipv6/netfilter/ip6_tables.c:533 [inline]
 find_check_entry.isra.7+0x935/0xcf0 net/ipv6/netfilter/ip6_tables.c:575
 translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:744
 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
 do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x10b/0x130 net/ipv6/ipv6_sockglue.c:927
 udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2976
 SYSC_setsockopt net/socket.c:1850 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1829
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287

Fixes: 0902b469bd25 ("netfilter: xtables: idletimer target implementation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/xt_IDLETIMER.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -146,11 +146,11 @@ static int idletimer_tg_create(struct id
 		    (unsigned long) info->timer);
 	info->timer->refcnt = 1;
 
+	INIT_WORK(&info->timer->work, idletimer_tg_work);
+
 	mod_timer(&info->timer->timer,
 		  msecs_to_jiffies(info->timeout * 1000) + jiffies);
 
-	INIT_WORK(&info->timer->work, idletimer_tg_work);
-
 	return 0;
 
 out_free_attr:
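Review bot: nothing at the new INIT_WORK() position says that it has to stay ahead of mod_timer(), and the two calls are easy to swap back in a later cleanup. A comment stating that the work item must be initialised before the timer is armed would protect the ordering. The `info->timeout * 1000` product on the mod_timer() line is untouched in this hunk and is safe only because of the bound added in idletimer_tg_checkentry(), which deserves a mention at this site too.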
@@ -191,7 +191,10 @@ static int idletimer_tg_checkentry(const
 		pr_debug("timeout value is zero\n");
 		return -EINVAL;
 	}
-
+	if (info->timeout >= INT_MAX / 1000) {
+		pr_debug("timeout value is too big\n");
+		return -EINVAL;
+	}
 	if (info->label[0] == '\0' ||
 	    strnlen(info->label,
 		    MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) {
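Review bot: the new limit `info->timeout >= INT_MAX / 1000` is written against INT_MAX although the value it protects is the `info->timeout * 1000` product computed in idletimer_tg_create(); a comment tying the two together, or a named constant shared by both sites, would keep them from drifting apart. The hunk also deletes the blank line that separated the zero-timeout check from the checks that follow, and the rejection is logged only at pr_debug level, so userspace sees a bare -EINVAL.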

^ permalink raw reply	[flat|nested] 445+ messages in thread
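The overflow described in the commit message above, as an added user-space example (not part of the patch or of the kernel source). It assumes info->timeout is a 32-bit unsigned field, so the product wraps modulo 2^32; the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Models the product info->timeout * 1000 handed to msecs_to_jiffies().
 * Assumption: the field is 32-bit unsigned, so the result wraps mod 2^32. */
static uint32_t timeout_to_msecs(uint32_t timeout_secs)
{
	return timeout_secs * 1000u;
}

/* The two range checks in idletimer_tg_checkentry() after the patch. */
static bool timeout_accepted(uint32_t timeout_secs)
{
	if (timeout_secs == 0)
		return false;
	if (timeout_secs >= INT_MAX / 1000)
		return false;
	return true;
}

static uint64_t gcd_u64(uint64_t a, uint64_t b)
{
	while (b) {
		uint64_t t = a % b;
		a = b;
		b = t;
	}
	return a;
}

/* Smallest non-zero timeout whose product wraps to exactly 0 ms:
 * t * 1000 == 0 (mod 2^32) holds when t is a multiple of
 * 2^32 / gcd(2^32, 1000). */
static uint32_t smallest_zero_wrap(void)
{
	const uint64_t modulus = 1ULL << 32;

	return (uint32_t)(modulus / gcd_u64(modulus, 1000));
}

/* The product grows with the timeout, so the largest accepted value is
 * the worst case: if it does not wrap, no accepted value does. */
static bool accepted_range_is_wrap_free(void)
{
	uint32_t largest = (uint32_t)(INT_MAX / 1000) - 1;

	return timeout_accepted(largest) &&
	       (uint64_t)largest * 1000 == timeout_to_msecs(largest);
}

int main(void)
{
	/* Constructed sample values, not taken from the syzkaller report. */
	const uint32_t samples[] = {
		1, 2147482, 2147483, 4294968, 536870912, UINT32_MAX
	};
	size_t i;

	printf("%12s %12s %s\n", "timeout(s)", "product(ms)", "checkentry");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%12u %12u %s\n",
		       (unsigned)samples[i],
		       (unsigned)timeout_to_msecs(samples[i]),
		       timeout_accepted(samples[i]) ? "accepted" : "-EINVAL");

	printf("smallest timeout wrapping to 0 ms: %u\n",
	       (unsigned)smallest_zero_wrap());
	printf("accepted range wrap-free: %s\n",
	       accepted_range_is_wrap_free() ? "yes" : "no");
	return 0;
}
```

A timeout of 536870912 seconds yields a 0 ms delay before the patch, which is the "result after overflow is 0" case the commit message names; the added bound rejects it along with every other value whose product would wrap.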

* [PATCH 3.16 084/410] USB: serial: io_edgeport: fix possible sleep-in-atomic
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (230 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 117/410] arm: spear13xx: Fix dmas cells Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 313/410] KVM: s390: provide io interrupt kvm_stat Ben Hutchings
                   ` (177 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jia-Ju Bai, Johan Hovold

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jia-Ju Bai <baijiaju1990@gmail.com>

commit c7b8f77872c73f69a16528a9eb87afefcccdc18b upstream.

According to drivers/usb/serial/io_edgeport.c, the driver may sleep
under a spinlock.
The function call path is:
edge_bulk_in_callback (acquire the spinlock)
   process_rcvd_data
     process_rcvd_status
       change_port_settings
         send_iosp_ext_cmd
           write_cmd_usb
             usb_kill_urb --> may sleep

To fix it, the redundant usb_kill_urb() is removed from the error path
after usb_submit_urb() fails.

This possible bug is found by my static analysis tool (DSAC) and checked
by my code review.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/io_edgeport.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2219,7 +2219,6 @@ static int write_cmd_usb(struct edgeport
 		/* something went wrong */
 		dev_err(dev, "%s - usb_submit_urb(write command) failed, status = %d\n",
 			__func__, status);
-		usb_kill_urb(urb);
 		usb_free_urb(urb);
 		atomic_dec(&CmdUrbs);
 		return status;

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 180/410] netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (145 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 187/410] Btrfs: fix crash due to not cleaning up tree log block's dirty bits Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 277/410] regulatory: add NUL to request alpha2 Ben Hutchings
                   ` (262 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, syzbot, Pablo Neira Ayuso, Dmitry Vyukov

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Vyukov <dvyukov@google.com>

commit 1a38956cce5eabd7b74f94bab70265e4df83165e upstream.

Commit 136e92bbec0a switched local_nodes from an array to a bitmask
but did not add proper bounds checks. As a result
clusterip_config_init_nodelist() can both over-read
ipt_clusterip_tgt_info.local_nodes and over-write
clusterip_config.local_nodes.

Add bounds checks for both.

Fixes: 136e92bbec0a ("[NETFILTER] CLUSTERIP: use a bitmap to store node responsibility data")
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -366,7 +366,7 @@ static int clusterip_tg_check(const stru
 	struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
 	const struct ipt_entry *e = par->entryinfo;
 	struct clusterip_config *config;
-	int ret;
+	int ret, i;
 
 	if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
 	    cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
@@ -380,8 +380,18 @@ static int clusterip_tg_check(const stru
 		pr_info("Please specify destination IP\n");
 		return -EINVAL;
 	}
-
-	/* FIXME: further sanity checks */
+	if (cipinfo->num_local_nodes > ARRAY_SIZE(cipinfo->local_nodes)) {
+		pr_info("bad num_local_nodes %u\n", cipinfo->num_local_nodes);
+		return -EINVAL;
+	}
+	for (i = 0; i < cipinfo->num_local_nodes; i++) {
+		if (cipinfo->local_nodes[i] - 1 >=
+		    sizeof(config->local_nodes) * 8) {
+			pr_info("bad local_nodes[%d] %u\n",
+				i, cipinfo->local_nodes[i]);
+			return -EINVAL;
+		}
+	}
 
 	config = clusterip_config_find_get(par->net, e->ip.dst.s_addr, 1);
 	if (!config) {
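Review bot: in the loop, `cipinfo->local_nodes[i] - 1 >= sizeof(config->local_nodes) * 8` rejects a node number of 0 only because the subtraction result is compared as an unsigned value; that deserves a comment or an explicit zero test. `sizeof(config->local_nodes) * 8` would read better with BITS_PER_BYTE, `i` is a signed int compared against num_local_nodes (printed with %u), and the two pr_info() calls print values supplied by whoever installs the rule, so a rate-limited or debug-level message would avoid log noise. The hunk also removes the "FIXME: further sanity checks" line; if other fields of the target info are still unchecked, the FIXME should stay.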

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 398/410] ipv6: the entire IPv6 header chain must fit the first fragment
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 019/410] ext4: add validity checks for bitmap block numbers Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 221/410] netlink: avoid a double skb free in genlmsg_mcast() Ben Hutchings
                   ` (297 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, syzbot+91e6f9932ff122fa4410, Paolo Abeni,
	David S. Miller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 10b8a3de603df7b96004179b1b33b1708c76d144 upstream.

While building an ipv6 datagram we currently allow arbitrarily large
extheaders, even beyond pmtu size. The syzbot has found a way
to exploit the above to trigger the following splat:

kernel BUG at ./include/linux/skbuff.h:2073!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4230 Comm: syzkaller672661 Not tainted 4.16.0-rc2+ #326
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__skb_pull include/linux/skbuff.h:2073 [inline]
RIP: 0010:__ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636
RSP: 0018:ffff8801bc18f0f0 EFLAGS: 00010293
RAX: ffff8801b17400c0 RBX: 0000000000000738 RCX: ffffffff84f01828
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801b415ac18
RBP: ffff8801bc18f360 R08: ffff8801b4576844 R09: 0000000000000000
R10: ffff8801bc18f380 R11: ffffed00367aee4e R12: 00000000000000d6
R13: ffff8801b415a740 R14: dffffc0000000000 R15: ffff8801b45767c0
FS:  0000000001535880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000b000 CR3: 00000001b4123001 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  ip6_finish_skb include/net/ipv6.h:969 [inline]
  udp_v6_push_pending_frames+0x269/0x3b0 net/ipv6/udp.c:1073
  udpv6_sendmsg+0x2a96/0x3400 net/ipv6/udp.c:1343
  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046
  __sys_sendmmsg+0x1ee/0x620 net/socket.c:2136
  SYSC_sendmmsg net/socket.c:2167 [inline]
  SyS_sendmmsg+0x35/0x60 net/socket.c:2162
  do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4404c9
RSP: 002b:00007ffdce35f948 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404c9
RDX: 0000000000000003 RSI: 0000000020001f00 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000020000080 R11: 0000000000000217 R12: 0000000000401df0
R13: 0000000000401e80 R14: 0000000000000000 R15: 0000000000000000
Code: ff e8 1d 5e b9 fc e9 15 e9 ff ff e8 13 5e b9 fc e9 44 e8 ff ff e8 29
5e b9 fc e9 c0 e6 ff ff e8 3f f3 80 fc 0f 0b e8 38 f3 80 fc <0f> 0b 49 8d
87 80 00 00 00 4d 8d 87 84 00 00 00 48 89 85 20 fe
RIP: __skb_pull include/linux/skbuff.h:2073 [inline] RSP: ffff8801bc18f0f0
RIP: __ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636 RSP:
ffff8801bc18f0f0

As stated by RFC 7112 section 5:

   When a host fragments an IPv6 datagram, it MUST include the entire
   IPv6 Header Chain in the First Fragment.

So this patch addresses the issue by dropping datagrams with excessive
extheader length. It also updates the error path to report to the
calling socket nonnegative pmtu values.

The issue apparently predates git history.

v1 -> v2: cleanup error path, as per Eric's suggestion

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+91e6f9932ff122fa4410@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6_output.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1146,7 +1146,7 @@ int ip6_append_data(struct sock *sk, int
 	struct ipv6_pinfo *np = inet6_sk(sk);
 	struct inet_cork *cork;
 	struct sk_buff *skb, *skb_prev = NULL;
-	unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, headersize;
+	unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, headersize, pmtu;
 	int exthdrlen;
 	int dst_exthdrlen;
 	int hh_len;
@@ -1242,6 +1242,12 @@ int ip6_append_data(struct sock *sk, int
 		      sizeof(struct frag_hdr) : 0) +
 		     rt->rt6i_nfheader_len;
 
+	/* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
+	 * the first fragment
+	 */
+	if (headersize + transhdrlen > mtu)
+		goto emsgsize;
+
 	if (mtu <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN) {
 		unsigned int maxnonfragsize;
 
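Review bot: the new `goto emsgsize` sits outside the `if (mtu <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN)` block, while the emsgsize label lives inside that block's nested `if`, so control jumps into the middle of two conditionals. That is legal C, but moving the error handling to function scope would make the path easier to follow. The comment could also say that `headersize + transhdrlen` is the quantity standing in for the header chain length here.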
@@ -1261,9 +1267,8 @@ int ip6_append_data(struct sock *sk, int
 
 		if (cork->length + length > maxnonfragsize - headersize) {
 emsgsize:
-			ipv6_local_error(sk, EMSGSIZE, fl6,
-					 mtu - headersize +
-					 sizeof(struct ipv6hdr));
+			pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
+			ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
 			return -EMSGSIZE;
 		}
 	}
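Review bot: `max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0)` computes the difference in unsigned arithmetic and relies on the cast to int turning a wrapped value negative before it is clamped, then stores the result in the unsigned `pmtu`. Comparing `headersize` against `mtu + sizeof(struct ipv6hdr)` before subtracting would express the clamp without depending on wraparound. The new assignment line is also longer than 80 columns.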

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 068/410] ARM: dts: exynos: Correct Trats2 panel reset line
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (173 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 238/410] powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 234/410] netfilter: drop outermost socket lock in getsockopt() Ben Hutchings
                   ` (234 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Simon Shields, Marek Szyprowski, Krzysztof Kozlowski

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Shields <simon@lineageos.org>

commit 1b377924841df1e13ab5b225be3a83f807a92b52 upstream.

Trats2 uses gpf2-1 as the panel reset GPIO. gpy4-5 was only used
on early revisions of the board.

Fixes: 420ae8451a22 ("ARM: dts: exynos4412-trats2: add panel node")
Signed-off-by: Simon Shields <simon@lineageos.org>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/exynos4412-trats2.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/exynos4412-trats2.dts
+++ b/arch/arm/boot/dts/exynos4412-trats2.dts
@@ -628,7 +628,7 @@
 			reg = <0>;
 			vdd3-supply = <&lcd_vdd3_reg>;
 			vci-supply = <&ldo25_reg>;
-			reset-gpios = <&gpy4 5 0>;
+			reset-gpios = <&gpf2 1 0>;
 			power-on-delay= <50>;
 			reset-delay = <100>;
 			init-delay = <100>;

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 146/410] alpha: fix reboot on Avanti platform
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (333 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 388/410] ALSA: aloop: Fix access to not-yet-ready substream via cable Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 182/410] Revert "apple-gmux: lock iGP IO to protect from vgaarb changes" Ben Hutchings
                   ` (74 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mikulas Patocka, Matt Turner

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 55fc633c41a08ce9244ff5f528f420b16b1e04d6 upstream.

We need to define NEED_SRM_SAVE_RESTORE on the Avanti, otherwise we get
a machine check exception when attempting to reboot the machine.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/alpha/kernel/pci_impl.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/alpha/kernel/pci_impl.h
+++ b/arch/alpha/kernel/pci_impl.h
@@ -143,7 +143,8 @@ struct pci_iommu_arena
 };
 
 #if defined(CONFIG_ALPHA_SRM) && \
-    (defined(CONFIG_ALPHA_CIA) || defined(CONFIG_ALPHA_LCA))
+    (defined(CONFIG_ALPHA_CIA) || defined(CONFIG_ALPHA_LCA) || \
+     defined(CONFIG_ALPHA_AVANTI))
 # define NEED_SRM_SAVE_RESTORE
 #else
 # undef NEED_SRM_SAVE_RESTORE

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 386/410] MIPS: ralink: Remove ralink_halt()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 034/410] x86/entry/64: Don't use IST entry for #BP stack Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 222/410] 9p/trans_virtio: discard zero-length reply Ben Hutchings
                   ` (404 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, John Crispin, linux-mips, NeilBrown, James Hogan

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neil@brown.name>

commit 891731f6a5dbe508d12443175a7e166a2fba616a upstream.

ralink_halt() does nothing that machine_halt() doesn't already do, so it
adds no value.

It actually causes incorrect behaviour due to the "unreachable()" at the
end. This tells the compiler that the end of the function will never be
reached, which isn't true. The compiler responds by not adding a
'return' instruction, so control simply moves on to whatever bytes come
afterwards in memory. In my testing, that was the ralink_restart()
function. This means that an attempt to 'halt' the machine would
actually cause a reboot.

So remove ralink_halt() so that a 'halt' really does halt.

Fixes: c06e836ada59 ("MIPS: ralink: adds reset code")
Signed-off-by: NeilBrown <neil@brown.name>
Cc: John Crispin <john@phrozen.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/18851/
Signed-off-by: James Hogan <jhogan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/ralink/reset.c | 7 -------
 1 file changed, 7 deletions(-)

--- a/arch/mips/ralink/reset.c
+++ b/arch/mips/ralink/reset.c
@@ -88,16 +88,9 @@ static void ralink_restart(char *command
 	unreachable();
 }
 
-static void ralink_halt(void)
-{
-	local_irq_disable();
-	unreachable();
-}
-
 static int __init mips_reboot_setup(void)
 {
 	_machine_restart = ralink_restart;
-	_machine_halt = ralink_halt;
 
 	return 0;
 }
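Review bot: the context at the top of this hunk shows ralink_restart() still ending in `unreachable();`, the same construct the commit message blames for execution running on into whatever follows in memory. If the reset in ralink_restart() ever fails to take effect, control falls through in the same way. Consider an explicit endless loop ahead of that unreachable(), or a comment saying why it is safe there.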

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 123/410] crypto: hash - annotate algorithms taking optional key
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (95 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 247/410] binder: replace "%p" with "%pK" Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 365/410] RDMA/ucma: Check AF family prior resolving address Ben Hutchings
                   ` (312 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Eric Biggers

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit a208fa8f33031b9e0aba44c7d1b7e68eb0cbd29e upstream.

We need to consistently enforce that keyed hashes cannot be used without
setting the key.  To do this we need a reliable way to determine whether
a given hash algorithm is keyed or not.  AF_ALG currently does this by
checking for the presence of a ->setkey() method.  However, this is
actually slightly broken because the CRC-32 algorithms implement
->setkey() but can also be used without a key.  (The CRC-32 "key" is not
actually a cryptographic key but rather represents the initial state.
If not overridden, then a default initial state is used.)

Prepare to fix this by introducing a flag CRYPTO_ALG_OPTIONAL_KEY which
indicates that the algorithm has a ->setkey() method, but it is not
required to be called.  Then set it on all the CRC-32 algorithms.

The same also applies to the Adler-32 implementation in Lustre.

Also, the cryptd and mcryptd templates have to pass through the flag
from their underlying algorithm.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16:
 - Drop changes to nonexistent drivers
 - There's no CRYPTO_ALG_INTERNAL flag
 - Adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/sparc/crypto/crc32c_glue.c
+++ b/arch/sparc/crypto/crc32c_glue.c
@@ -133,6 +133,7 @@ static struct shash_alg alg = {
 		.cra_name		=	"crc32c",
 		.cra_driver_name	=	"crc32c-sparc64",
 		.cra_priority		=	SPARC_CR_OPCODE_PRIORITY,
+		.cra_flags		=	CRYPTO_ALG_OPTIONAL_KEY,
 		.cra_blocksize		=	CHKSUM_BLOCK_SIZE,
 		.cra_ctxsize		=	sizeof(u32),
 		.cra_alignmask		=	7,
--- a/arch/x86/crypto/crc32-pclmul_glue.c
+++ b/arch/x86/crypto/crc32-pclmul_glue.c
@@ -162,6 +162,7 @@ static struct shash_alg alg = {
 			.cra_name		= "crc32",
 			.cra_driver_name	= "crc32-pclmul",
 			.cra_priority		= 200,
+			.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
 			.cra_blocksize		= CHKSUM_BLOCK_SIZE,
 			.cra_ctxsize		= sizeof(u32),
 			.cra_module		= THIS_MODULE,
--- a/arch/x86/crypto/crc32c-intel_glue.c
+++ b/arch/x86/crypto/crc32c-intel_glue.c
@@ -240,6 +240,7 @@ static struct shash_alg alg = {
 		.cra_name		=	"crc32c",
 		.cra_driver_name	=	"crc32c-intel",
 		.cra_priority		=	200,
+		.cra_flags		=	CRYPTO_ALG_OPTIONAL_KEY,
 		.cra_blocksize		=	CHKSUM_BLOCK_SIZE,
 		.cra_ctxsize		=	sizeof(u32),
 		.cra_module		=	THIS_MODULE,
--- a/crypto/crc32.c
+++ b/crypto/crc32.c
@@ -133,6 +133,7 @@ static struct shash_alg alg = {
 		.cra_name		= "crc32",
 		.cra_driver_name	= "crc32-table",
 		.cra_priority		= 100,
+		.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
 		.cra_blocksize		= CHKSUM_BLOCK_SIZE,
 		.cra_ctxsize		= sizeof(u32),
 		.cra_module		= THIS_MODULE,
--- a/crypto/crc32c_generic.c
+++ b/crypto/crc32c_generic.c
@@ -146,6 +146,7 @@ static struct shash_alg alg = {
 		.cra_name		=	"crc32c",
 		.cra_driver_name	=	"crc32c-generic",
 		.cra_priority		=	100,
+		.cra_flags		=	CRYPTO_ALG_OPTIONAL_KEY,
 		.cra_blocksize		=	CHKSUM_BLOCK_SIZE,
 		.cra_alignmask		=	3,
 		.cra_ctxsize		=	sizeof(struct chksum_ctx),
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -603,7 +603,8 @@ static int cryptd_create_hash(struct cry
 	if (err)
 		goto out_free_inst;
 
-	inst->alg.halg.base.cra_flags = CRYPTO_ALG_ASYNC;
+	inst->alg.halg.base.cra_flags = CRYPTO_ALG_ASYNC |
+		(alg->cra_flags & CRYPTO_ALG_OPTIONAL_KEY);
 
 	inst->alg.halg.digestsize = salg->digestsize;
 	inst->alg.halg.base.cra_ctxsize = sizeof(struct cryptd_hash_ctx);
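
Review bot: the flag pass-through on the inst->alg.halg.base.cra_flags
assignment covers cryptd only, while the commit message says both the cryptd
and mcryptd templates have to pass the flag through. The backport note
mentions dropped changes to nonexistent drivers without naming them; it should
state explicitly whether mcryptd is among them, so a reader can tell the
omission is intentional. It is also worth confirming that `alg` at this point
in cryptd_create_hash() is the underlying algorithm, since its declaration is
outside the hunk.
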
--- a/drivers/crypto/bfin_crc.c
+++ b/drivers/crypto/bfin_crc.c
@@ -514,7 +514,8 @@ static struct ahash_alg algs = {
 		.cra_driver_name	= DRIVER_NAME,
 		.cra_priority		= 100,
 		.cra_flags		= CRYPTO_ALG_TYPE_AHASH |
-						CRYPTO_ALG_ASYNC,
+						CRYPTO_ALG_ASYNC |
+						CRYPTO_ALG_OPTIONAL_KEY,
 		.cra_blocksize		= CHKSUM_BLOCK_SIZE,
 		.cra_ctxsize		= sizeof(struct bfin_crypto_crc_ctx),
 		.cra_alignmask		= 3,
--- a/drivers/staging/lustre/lustre/libcfs/linux/linux-crypto-adler.c
+++ b/drivers/staging/lustre/lustre/libcfs/linux/linux-crypto-adler.c
@@ -123,6 +123,7 @@ static struct shash_alg alg = {
 		.cra_name		= "adler32",
 		.cra_driver_name	= "adler32-zlib",
 		.cra_priority		= 100,
+		.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
 		.cra_blocksize		= CHKSUM_BLOCK_SIZE,
 		.cra_ctxsize		= sizeof(u32),
 		.cra_module		= THIS_MODULE,
--- a/include/linux/crypto.h
+++ b/include/linux/crypto.h
@@ -95,6 +95,12 @@
 #define CRYPTO_ALG_KERN_DRIVER_ONLY	0x00001000
 
 /*
+ * Set if the algorithm has a ->setkey() method but can be used without
+ * calling it first, i.e. there is a default key.
+ */
+#define CRYPTO_ALG_OPTIONAL_KEY		0x00004000
+
+/*
  * Transform masks and values (for crt_flags).
  */
 #define CRYPTO_TFM_REQ_MASK		0x000fff00
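
Review bot: CRYPTO_ALG_OPTIONAL_KEY is defined as 0x00004000 directly after
CRYPTO_ALG_KERN_DRIVER_ONLY at 0x00001000, leaving 0x00002000 unused with no
comment. The backport note says 3.16 has no CRYPTO_ALG_INTERNAL flag, which is
presumably the reason for the gap; a one-line comment reserving that bit would
stop a later backport from assigning it to something else. Nothing in this
patch reads the new flag, so the check that actually enforces ->setkey() has to
arrive in a follow-up, as the "Prepare to fix this" wording implies.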

* [PATCH 3.16 366/410] net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Brandon Carpenter, Toshiaki Makita, David S. Miller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>

commit 4bbb3e0e8239f9079bf1fe20b3c0cb598714ae61 upstream.

When we have a bridge with vlan_filtering on and a vlan device on top of
it, packets would be corrupted in skb_vlan_untag() called from
br_dev_xmit().

The problem sits in skb_reorder_vlan_header() used in skb_vlan_untag(),
which makes use of skb->mac_len. In this function mac_len is meant for
handling rx path with vlan devices with reorder_header disabled, but in
tx path mac_len is typically 0 and cannot be used, which is the problem
in this case.

The current code even does not properly handle rx path (skb_vlan_untag()
called from __netif_receive_skb_core()) with reorder_header off actually.

In rx path single tag case, it works as follows:

- Before skb_reorder_vlan_header()

 mac_header                                data
   v                                        v
   +-------------------+-------------+------+----
   |        ETH        |    VLAN     | ETH  |
   |       ADDRS       | TPID | TCI  | TYPE |
   +-------------------+-------------+------+----
   <-------- mac_len --------->
                       <------------->
                        to be removed

- After skb_reorder_vlan_header()

            mac_header                     data
                 v                          v
                 +-------------------+------+----
                 |        ETH        | ETH  |
                 |       ADDRS       | TYPE |
                 +-------------------+------+----
                 <-------- mac_len --------->

This is ok, but in rx double tag case, it corrupts packets:

- Before skb_reorder_vlan_header()

 mac_header                                              data
   v                                                      v
   +-------------------+-------------+-------------+------+----
   |        ETH        |    VLAN     |    VLAN     | ETH  |
   |       ADDRS       | TPID | TCI  | TPID | TCI  | TYPE |
   +-------------------+-------------+-------------+------+----
   <--------------- mac_len ---------------->
                                     <------------->
                                    should be removed
                       <--------------------------->
                         actually will be removed

- After skb_reorder_vlan_header()

            mac_header                                   data
                 v                                        v
                               +-------------------+------+----
                               |        ETH        | ETH  |
                               |       ADDRS       | TYPE |
                               +-------------------+------+----
                 <--------------- mac_len ---------------->

So, two of vlan tags are both removed while only inner one should be
removed and mac_header (and mac_len) is broken.

skb_vlan_untag() is meant for removing the vlan header at (skb->data - 2),
so use skb->data and skb->mac_header to calculate the right offset.

Reported-by: Brandon Carpenter <brandon.carpenter@cypherpath.com>
Fixes: a6e18ff11170 ("vlan: Fix untag operations of stacked vlans with REORDER_HEADER off")
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/uapi/linux/if_ether.h | 1 +
 net/core/skbuff.c             | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

--- a/include/uapi/linux/if_ether.h
+++ b/include/uapi/linux/if_ether.h
@@ -29,6 +29,7 @@
  */
 
 #define ETH_ALEN	6		/* Octets in one ethernet addr	 */
+#define ETH_TLEN	2		/* Octets in ethernet type field */
 #define ETH_HLEN	14		/* Total octets in header.	 */
 #define ETH_ZLEN	60		/* Min. octets in frame sans FCS */
 #define ETH_DATA_LEN	1500		/* Max. octets in payload	 */
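
Review bot: ETH_TLEN is added to a uapi header, so it becomes visible to
userspace even though its only user in this patch is net/core/skbuff.c. For a
stable backport it is worth checking that the new name does not clash with a
private ETH_TLEN definition in code built against these headers.
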
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3994,13 +3994,16 @@ EXPORT_SYMBOL_GPL(skb_gso_transport_segl
 
 static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
 {
+	int mac_len;
+
 	if (skb_cow(skb, skb_headroom(skb)) < 0) {
 		kfree_skb(skb);
 		return NULL;
 	}
 
-	memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
-		2 * ETH_ALEN);
+	mac_len = skb->data - skb_mac_header(skb);
+	memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
+		mac_len - VLAN_HLEN - ETH_TLEN);
 	skb->mac_header += VLAN_HLEN;
 	return skb;
 }
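
Review bot: the memmove length `mac_len - VLAN_HLEN - ETH_TLEN` has no lower
bound. mac_len is a signed int computed as skb->data - skb_mac_header(skb); if
that distance is smaller than VLAN_HLEN + ETH_TLEN the subtraction goes
negative and is converted to a very large size_t, turning the copy into an
out-of-bounds memmove. A guard such as `if (mac_len > VLAN_HLEN + ETH_TLEN)`
around the memmove, or a comment naming the caller invariant that guarantees
the minimum, would close that.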

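The rx single-tag, rx double-tag and tx cases from the commit message above, replayed on a plain byte buffer as an added example (not code from the patch or the kernel). `struct toy_skb`, `build()`, `reorder_old()`, `reorder_new()`, `header_ok()` and `run_case()` are hypothetical stand-ins, and the frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN  6
#define ETH_TLEN  2
#define ETH_HLEN  14
#define VLAN_HLEN 4

/* Toy stand-in for the sk_buff fields the patch uses (offsets into buf). */
struct toy_skb {
	uint8_t buf[64];
	int mac_header;	/* offset of the first address byte */
	int data;	/* offset just past the last EtherType */
	int mac_len;	/* stale skb->mac_len that the old code trusted */
};

static const uint8_t ADDRS[2 * ETH_ALEN] = {
	0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02
};

/* Constructed frame: addresses, ntags 802.1Q tags (VID 10, 11, ...), IPv4 type. */
static void build(struct toy_skb *skb, int ntags, int stale_mac_len)
{
	uint8_t *p = skb->buf;
	int i;

	memset(skb, 0, sizeof(*skb));
	memcpy(p, ADDRS, sizeof(ADDRS));
	p += sizeof(ADDRS);
	for (i = 0; i < ntags; i++) {
		*p++ = 0x81; *p++ = 0x00;		/* TPID */
		*p++ = 0x00; *p++ = (uint8_t)(10 + i);	/* TCI */
	}
	*p++ = 0x08; *p++ = 0x00;			/* EtherType */
	skb->data = (int)(p - skb->buf);
	skb->mac_len = stale_mac_len;
}

/* Offsets as in the removed lines: derived from skb->mac_len. */
static void reorder_old(struct toy_skb *skb)
{
	memmove(skb->buf + skb->data - ETH_HLEN,
		skb->buf + skb->data - skb->mac_len - VLAN_HLEN, 2 * ETH_ALEN);
	skb->mac_header += VLAN_HLEN;
}

/* Offsets as in the added lines: derived from data and mac_header only. */
static void reorder_new(struct toy_skb *skb)
{
	int mac_len = skb->data - skb->mac_header;

	memmove(skb->buf + skb->mac_header + VLAN_HLEN,
		skb->buf + skb->mac_header, mac_len - VLAN_HLEN - ETH_TLEN);
	skb->mac_header += VLAN_HLEN;
}

/* 1 if mac_header now starts a well-formed header with tags_left outer tags. */
static int header_ok(const struct toy_skb *skb, int tags_left)
{
	const uint8_t *p = skb->buf + skb->mac_header;
	int i;

	if (skb->mac_header + 2 * ETH_ALEN + tags_left * VLAN_HLEN + ETH_TLEN
	    != skb->data)
		return 0;
	if (memcmp(p, ADDRS, sizeof(ADDRS)) != 0)
		return 0;
	p += sizeof(ADDRS);
	for (i = 0; i < tags_left; i++, p += VLAN_HLEN)
		if (p[0] != 0x81 || p[1] != 0x00 || p[3] != 10 + i)
			return 0;
	return p[0] == 0x08 && p[1] == 0x00;
}

/* Remove the innermost tag with either variant and validate the result. */
static int run_case(int ntags, int stale_mac_len, int use_new)
{
	struct toy_skb skb;

	build(&skb, ntags, stale_mac_len);
	if (use_new)
		reorder_new(&skb);
	else
		reorder_old(&skb);
	return header_ok(&skb, ntags - 1);
}

int main(void)
{
	printf("rx single tag: old=%d new=%d\n",
	       run_case(1, 14, 0), run_case(1, 14, 1));
	printf("rx double tag: old=%d new=%d\n",
	       run_case(2, 18, 0), run_case(2, 18, 1));
	printf("tx, mac_len=0: old=%d new=%d\n",
	       run_case(1, 0, 0), run_case(1, 0, 1));
	return 0;
}
```
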
* [PATCH 3.16 067/410] EDAC, octeon: Fix an uninitialized variable warning
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linux-edac, David Daney, linux-mips, James Hogan, Borislav Petkov

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <jhogan@kernel.org>

commit 544e92581a2ac44607d7cc602c6b54d18656f56d upstream.

Fix an uninitialized variable warning in the Octeon EDAC driver, as seen
in MIPS cavium_octeon_defconfig builds since v4.14 with Codescape GNU
Tools 2016.05-03:

  drivers/edac/octeon_edac-lmc.c In function ‘octeon_lmc_edac_poll_o2’:
  drivers/edac/octeon_edac-lmc.c:87:24: warning: ‘((long unsigned int*)&int_reg)[1]’ may \
    be used uninitialized in this function [-Wmaybe-uninitialized]
    if (int_reg.s.sec_err || int_reg.s.ded_err) {
                        ^

Initialise the whole int_reg variable to zero before the conditional
assignments in the error injection case.

Signed-off-by: James Hogan <jhogan@kernel.org>
Acked-by: David Daney <david.daney@cavium.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: linux-mips@linux-mips.org
Fixes: 1bc021e81565 ("EDAC: Octeon: Add error injection support")
Link: http://lkml.kernel.org/r/20171113161206.20990-1-james.hogan@mips.com
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/edac/octeon_edac-lmc.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/edac/octeon_edac-lmc.c
+++ b/drivers/edac/octeon_edac-lmc.c
@@ -79,6 +79,7 @@ static void octeon_lmc_edac_poll_o2(stru
 	if (!pvt->inject)
 		int_reg.u64 = cvmx_read_csr(CVMX_LMCX_INT(mci->mc_idx));
 	else {
+		int_reg.u64 = 0;
 		if (pvt->error_type == 1)
 			int_reg.s.sec_err = 1;
 		if (pvt->error_type == 2)

* [PATCH 3.16 077/410] slip: sl_alloc(): remove unused parameter "dev_t line"
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Marc Kleine-Budde

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit 936e5d8bdfa72577e28ea671d9e2ee4fef0d6b3e upstream.

The first and only parameter of sl_alloc() is unused, so remove it.

Fixes: 5342b77c4123 slip: ("Clean up create and destroy")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/slip/slip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -732,7 +732,7 @@ static void sl_sync(void)
 
 
 /* Find a free SLIP channel, and link in this `tty' line. */
-static struct slip *sl_alloc(dev_t line)
+static struct slip *sl_alloc(void)
 {
 	int i;
 	char name[IFNAMSIZ];
@@ -814,7 +814,7 @@ static int slip_open(struct tty_struct *
 
 	/* OK.  Find a free SLIP channel to use. */
 	err = -ENFILE;
-	sl = sl_alloc(tty_devnum(tty));
+	sl = sl_alloc();
 	if (sl == NULL)
 		goto err_exit;
 

* [PATCH 3.16 238/410] powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Corentin Labbe, Michael Ellerman

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Corentin Labbe <clabbe@baylibre.com>

commit c1e150ceb61e4a585bad156da15c33bfe89f5858 upstream.

When CONFIG_NUMA is not set, the build fails with:

  arch/powerpc/platforms/pseries/hotplug-cpu.c:335:4:
  error: déclaration implicite de la fonction « update_numa_cpu_lookup_table »

So we have to add update_numa_cpu_lookup_table() as an empty function
when CONFIG_NUMA is not set.

Fixes: 1d9a090783be ("powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/include/asm/topology.h | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/powerpc/include/asm/topology.h
+++ b/arch/powerpc/include/asm/topology.h
@@ -76,6 +76,9 @@ static inline void sysfs_remove_device_f
 						int nid)
 {
 }
+
+static inline void update_numa_cpu_lookup_table(unsigned int cpu, int node) {}
+
 #endif /* CONFIG_NUMA */
 
 #if defined(CONFIG_NUMA) && defined(CONFIG_PPC_SPLPAR)
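
Review bot: the new stub is written with a one-line `{}` body, while the stub
immediately above it in the same block puts its braces on separate lines;
matching the surrounding style keeps the !CONFIG_NUMA section consistent. It is
also worth checking that the stub's prototype (unsigned int cpu, int node)
matches the CONFIG_NUMA declaration exactly, since that declaration is outside
this hunk.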

* [PATCH 3.16 312/410] xen/pirq: fix error path cleanup when binding MSIs
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hooman Mirhadi, Juergen Gross, Boris Ostrovsky, Amit Shah,
	Roger Pau Monne

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Roger Pau Monne <roger.pau@citrix.com>

commit 910f8befdf5bccf25287d9f1743e3e546bcb7ce0 upstream.

Current cleanup in the error path of xen_bind_pirq_msi_to_irq is
wrong. First of all there's an off-by-one in the cleanup loop, which
can lead to unbinding wrong IRQs.

Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.

Note that there's no need to differentiate between bound and unbound
IRQs when freeing them, __unbind_from_irq will deal with both of them
correctly.

Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
Reported-by: Hooman Mirhadi <mirhadih@amazon.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Amit Shah <aams@amazon.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/events/events_base.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -763,8 +763,8 @@ out:
 	mutex_unlock(&irq_mapping_update_lock);
 	return irq;
 error_irq:
-	for (; i >= 0; i--)
-		__unbind_from_irq(irq + i);
+	while (nvec--)
+		__unbind_from_irq(irq + nvec);
 	mutex_unlock(&irq_mapping_update_lock);
 	return ret;
 }
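
Review bot: `while (nvec--)` in the error_irq path consumes nvec and always
walks the full range, including IRQs that were never bound. The commit message
says __unbind_from_irq() copes with unbound IRQs, but nothing at the call site
records that; a short comment above the loop would keep a later change from
reintroducing a bound/unbound distinction or another off-by-one. It is also
worth confirming that every jump to error_irq happens only after `irq` holds a
valid base, since the loop uses irq + nvec unconditionally.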

* [PATCH 3.16 373/410] batman-adv: Fix skbuff rcsum on packet reroute
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sven Eckelmann, Simon Wunderlich, Matthias Schiffer

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit fc04fdb2c8a894283259f5621d31d75610701091 upstream.

batadv_check_unicast_ttvn may redirect a packet to itself or another
originator. This involves rewriting the ttvn and the destination address in
the batadv unicast header. These fields were not yet pulled (with skb rcsum
update) and thus any change to them also requires a change in the receive
checksum.

Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/routing.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -687,6 +687,7 @@ out:
 /**
  * batadv_reroute_unicast_packet - update the unicast header for re-routing
  * @bat_priv: the bat priv with all the soft interface information
+ * @skb: unicast packet to process
  * @unicast_packet: the unicast header to be updated
  * @dst_addr: the payload destination
  * @vid: VLAN identifier
@@ -698,7 +699,7 @@ out:
  * Returns true if the packet header has been updated, false otherwise
  */
 static bool
-batadv_reroute_unicast_packet(struct batadv_priv *bat_priv,
+batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
 			      struct batadv_unicast_packet *unicast_packet,
 			      uint8_t *dst_addr, unsigned short vid)
 {
@@ -727,8 +728,10 @@ batadv_reroute_unicast_packet(struct bat
 	}
 
 	/* update the packet header */
+	skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
 	ether_addr_copy(unicast_packet->dest, orig_addr);
 	unicast_packet->ttvn = orig_ttvn;
+	skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
 
 	ret = true;
 out:
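
Review bot: skb_postpush_rcsum() in the "update the packet header" block is
not defined by this patch, and the backport note only says "adjust context".
The note should name the prerequisite that provides the helper on 3.16 so the
two are never applied or reverted separately. A brief comment explaining that
the unicast header has not yet been pulled from the receive checksum would also
make it clear why the pull/push pair brackets the two field writes.
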
@@ -768,7 +771,7 @@ static int batadv_check_unicast_ttvn(str
 	 * the packet to
 	 */
 	if (batadv_tt_local_client_is_roaming(bat_priv, ethhdr->h_dest, vid)) {
-		if (batadv_reroute_unicast_packet(bat_priv, unicast_packet,
+		if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
 						  ethhdr->h_dest, vid))
 			net_ratelimited_function(batadv_dbg, BATADV_DBG_TT,
 						 bat_priv,
@@ -814,7 +817,7 @@ static int batadv_check_unicast_ttvn(str
 	 * destination can possibly be updated and forwarded towards the new
 	 * target host
 	 */
-	if (batadv_reroute_unicast_packet(bat_priv, unicast_packet,
+	if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
 					  ethhdr->h_dest, vid)) {
 		net_ratelimited_function(batadv_dbg, BATADV_DBG_TT, bat_priv,
 					 "Rerouting unicast packet to %pM (dst=%pM): TTVN mismatch old_ttvn=%u new_ttvn=%u\n",
@@ -837,12 +840,14 @@ static int batadv_check_unicast_ttvn(str
 	if (!primary_if)
 		return 0;
 
+	/* update the packet header */
+	skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
 	ether_addr_copy(unicast_packet->dest, primary_if->net_dev->dev_addr);
+	unicast_packet->ttvn = curr_ttvn;
+	skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
 
 	batadv_hardif_free_ref(primary_if);
 
-	unicast_packet->ttvn = curr_ttvn;
-
 	return 1;
 }
 

* [PATCH 3.16 299/410] mmc: sdhci: Allow override of mmc host operations
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ulf Hansson, Adrian Hunter

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit bf60e592a1af4d6f65dd54593250183f14360eed upstream.

In the past, fixes for specific hardware devices were implemented
in sdhci using quirks.  That approach is no longer accepted because
the growing number of quirks was starting to make the code difficult
to understand and maintain.

One alternative to quirks, is to allow drivers to override the default
mmc host operations.  This patch makes it easy to do that, and it is
needed for a subsequent bug fix, for which separate patches are
provided.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/sdhci.c  | 3 ++-
 include/linux/mmc/sdhci.h | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2781,6 +2781,8 @@ struct sdhci_host *sdhci_alloc_host(stru
 
 	host = mmc_priv(mmc);
 	host->mmc = mmc;
+	host->mmc_host_ops = sdhci_ops;
+	mmc->ops = &host->mmc_host_ops;
 
 	return host;
 }
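
Review bot: `host->mmc_host_ops = sdhci_ops;` in sdhci_alloc_host() turns one
shared ops table into a writable per-host copy of function pointers, and
nothing here says when a driver may modify it. Since mmc->ops is now set at
allocation and the assignment in sdhci_add_host() is removed, overrides are
only safe between sdhci_alloc_host() and sdhci_add_host(). Please document
that window next to the new field, because a function-pointer table in
per-host memory is a more attractive corruption target than a static one and
should not be written after registration.
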
@@ -2939,7 +2941,6 @@ int sdhci_add_host(struct sdhci_host *ho
 	/*
 	 * Set host parameters.
 	 */
-	mmc->ops = &sdhci_ops;
 	mmc->f_max = host->max_clk;
 	if (host->ops->get_min_clock)
 		mmc->f_min = host->ops->get_min_clock(host);
--- a/include/linux/mmc/sdhci.h
+++ b/include/linux/mmc/sdhci.h
@@ -109,6 +109,7 @@ struct sdhci_host {
 
 	/* Internal data */
 	struct mmc_host *mmc;	/* MMC structure */
+	struct mmc_host_ops mmc_host_ops;	/* MMC host ops */
 	u64 dma_mask;		/* custom DMA mask */
 
 #if defined(CONFIG_LEDS_CLASS) || defined(CONFIG_LEDS_CLASS_MODULE)

* [PATCH 3.16 080/410] rcutorture/configinit: Fix build directory error message
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paul E. McKenney, SeongJae Park

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj38.park@gmail.com>

commit 2adfa4210f8f35cdfb4e08318cc06b99752964c2 upstream.

The 'configinit.sh' script checks the format of optional argument for the
build directory, printing an error message if the format is not valid.
However, the error message uses the wrong variable, indicating an empty
string even though the user entered a non-empty (but erroneous) string.
This commit fixes the script to use the correct variable.

Fixes: c87b9c601ac8 ("rcutorture: Add KVM-based test framework")

Signed-off-by: SeongJae Park <sj38.park@gmail.com>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/testing/selftests/rcutorture/bin/configinit.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/testing/selftests/rcutorture/bin/configinit.sh
+++ b/tools/testing/selftests/rcutorture/bin/configinit.sh
@@ -51,7 +51,7 @@ then
 			mkdir $builddir
 		fi
 	else
-		echo Bad build directory: \"$builddir\"
+		echo Bad build directory: \"$buildloc\"
 		exit 2
 	fi
 fi
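
Review bot: $buildloc on the corrected echo line is expanded unquoted, and this
branch is reached exactly when the user-supplied value is malformed, so word
splitting and globbing can mangle the very string being reported. Quoting the
whole message, for example `echo "Bad build directory: \"$buildloc\""`, and
sending it to stderr with >&2 would make the diagnostic reliable.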

* [PATCH 3.16 280/410] lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 3b821409632ab778d46e807516b457dfa72736ed upstream.

In case when dentry passed to lock_parent() is protected from freeing only
by the fact that it's on a shrink list and trylock of parent fails, we
could get hit by __dentry_kill() (and subsequent dentry_kill(parent))
between unlocking dentry and locking presumed parent.  We need to recheck
that dentry is alive once we lock both it and parent *and* postpone
rcu_read_unlock() until after that point.  Otherwise we could return
a pointer to struct dentry that already is rcu-scheduled for freeing, with
->d_lock held on it; caller's subsequent attempt to unlock it can end
up with memory corruption.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/dcache.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -590,11 +590,16 @@ again:
 		spin_unlock(&parent->d_lock);
 		goto again;
 	}
-	rcu_read_unlock();
-	if (parent != dentry)
+	if (parent != dentry) {
 		spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
-	else
+		if (unlikely(dentry->d_lockref.count < 0)) {
+			spin_unlock(&parent->d_lock);
+			parent = NULL;
+		}
+	} else {
 		parent = NULL;
+	}
+	rcu_read_unlock();
 	return parent;
 }
 
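
Review bot: the new `d_lockref.count < 0` branch returns NULL with
dentry->d_lock still held, which is the same return value as the
parent == dentry case. Callers cannot tell "no separate parent" from "dentry
was killed while unlocked" without re-checking the count themselves; a comment
above lock_parent() stating that NULL can mean either, and that the dentry lock
is held on return in both, would make the contract checkable. Keeping
rcu_read_unlock() below the re-check is what keeps the dentry memory valid
during that test, so the comment should also say it must not be hoisted again.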

* [PATCH 3.16 254/410] workqueue: Allow retrieval of current task's work struct
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Airlie, Ben Skeggs, Lai Jiangshan, Alex Deucher,
	Tejun Heo, Lukas Wunner, Lyude Paul

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 27d4ee03078aba88c5e07dcc4917e8d01d046f38 upstream.

Introduce a helper to retrieve the current task's work struct if it is
a workqueue worker.

This allows us to fix a long-standing deadlock in several DRM drivers
wherein the ->runtime_suspend callback waits for a specific worker to
finish and that worker in turn calls a function which waits for runtime
suspend to finish.  That function is invoked from multiple call sites
and waiting for runtime suspend to finish is the correct thing to do
except if it's executing in the context of the worker.

Cc: Lai Jiangshan <jiangshanlai@gmail.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Ben Skeggs <bskeggs@redhat.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Link: https://patchwork.freedesktop.org/patch/msgid/2d8f603074131eb87e588d2b803a71765bd3a2fd.1518338788.git.lukas@wunner.de
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/workqueue.h |  1 +
 kernel/workqueue.c        | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

--- a/include/linux/workqueue.h
+++ b/include/linux/workqueue.h
@@ -455,6 +455,7 @@ extern bool cancel_delayed_work_sync(str
 
 extern void workqueue_set_max_active(struct workqueue_struct *wq,
 				     int max_active);
+extern struct work_struct *current_work(void);
 extern bool current_is_workqueue_rescuer(void);
 extern bool workqueue_congested(int cpu, struct workqueue_struct *wq);
 extern unsigned int work_busy(struct work_struct *work);
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -4369,6 +4369,22 @@ void workqueue_set_max_active(struct wor
 EXPORT_SYMBOL_GPL(workqueue_set_max_active);
 
 /**
+ * current_work - retrieve %current task's work struct
+ *
+ * Determine if %current task is a workqueue worker and what it's working on.
+ * Useful to find out the context that the %current task is running in.
+ *
+ * Return: work struct if %current task is a workqueue worker, %NULL otherwise.
+ */
+struct work_struct *current_work(void)
+{
+	struct worker *worker = current_wq_worker();
+
+	return worker ? worker->current_work : NULL;
+}
+EXPORT_SYMBOL(current_work);
+
+/**
  * current_is_workqueue_rescuer - is %current workqueue rescuer?
  *
  * Determine whether %current is a workqueue rescuer.  Can be used from
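
Review bot: current_work() is exported with EXPORT_SYMBOL while the
neighbouring workqueue_set_max_active() in the same hunk uses
EXPORT_SYMBOL_GPL; if the non-GPL export is intentional the commit message
should say so. The kernel-doc should also state that the returned pointer is
meant for identity comparison from the worker's own context, since
worker->current_work is read without a lock and no reference is taken on the
work item.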

* [PATCH 3.16 331/410] RDMA/ucma: Limit possible option size
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot+a38b0e9f694c379ca7ce, Doug Ledford, Leon Romanovsky

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream.

Users of ucma are supposed to provide size of option level,
in most paths it is supposed to be equal to u8 or u16, but
it is not the case for the IB path record, where it can be
multiple of struct ib_path_rec_data.

This patch takes simplest possible approach and prevents providing
values more than possible to allocate.

Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/ucma.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1187,6 +1187,9 @@ static ssize_t ucma_set_option(struct uc
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
+	if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
+		return -EINVAL;
+
 	optval = memdup_user((void __user *) (unsigned long) cmd.optval,
 			     cmd.optlen);
 	if (IS_ERR(optval)) {
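
Review bot: the new bound tests cmd.optval, but the size handed to
memdup_user() directly below is cmd.optlen; cmd.optval is the user pointer that
gets cast to void __user *. As written, the check compares an address against
KMALLOC_MAX_SIZE, which can reject legitimate requests and leaves the
allocation length unbounded. The condition should be
`cmd.optlen > KMALLOC_MAX_SIZE`, matching the commit message's intent of
limiting the option size.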

* [PATCH 3.16 352/410] net: Refactor rtable initialization
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Ahern, David S. Miller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Ahern <dsa@cumulusnetworks.com>

commit d08c4f355403840fad98d9918db51a7113f38ee8 upstream.

All callers to rt_dst_alloc have nearly the same initialization following
a successful allocation. Consolidate it into rt_dst_alloc.

Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1435,12 +1435,33 @@ static void rt_set_nexthop(struct rtable
 }
 
 static struct rtable *rt_dst_alloc(struct net_device *dev,
+				   unsigned int flags, u16 type,
 				   bool nopolicy, bool noxfrm, bool will_cache)
 {
-	return dst_alloc(&ipv4_dst_ops, dev, 1, DST_OBSOLETE_FORCE_CHK,
-			 (will_cache ? 0 : (DST_HOST | DST_NOCACHE)) |
-			 (nopolicy ? DST_NOPOLICY : 0) |
-			 (noxfrm ? DST_NOXFRM : 0));
+	struct rtable *rt;
+
+	rt = dst_alloc(&ipv4_dst_ops, dev, 1, DST_OBSOLETE_FORCE_CHK,
+		       (will_cache ? 0 : (DST_HOST | DST_NOCACHE)) |
+		       (nopolicy ? DST_NOPOLICY : 0) |
+		       (noxfrm ? DST_NOXFRM : 0));
+
+	if (rt) {
+		rt->rt_genid = rt_genid_ipv4(dev_net(dev));
+		rt->rt_flags = flags;
+		rt->rt_type = type;
+		rt->rt_is_input = 0;
+		rt->rt_iif = 0;
+		rt->rt_pmtu = 0;
+		rt->rt_gateway = 0;
+		rt->rt_uses_gateway = 0;
+		INIT_LIST_HEAD(&rt->rt_uncached);
+
+		rt->dst.output = ip_output;
+		if (flags & RTCF_LOCAL)
+			rt->dst.input = ip_local_deliver;
+	}
+
+	return rt;
 }
 
 /* called in rcu_read_lock() section */
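Review bot: `rt_dst_alloc()` now hard-codes output-path defaults (`rt_is_input = 0`, `dst.output = ip_output`), so every input-path caller has to overwrite them after the call, as the later hunks do with `rth->rt_is_input = 1` and `rth->dst.output = ip_rt_bug`. A short comment above the function listing the fields callers are expected to override would keep a future input-path caller from silently inheriting `ip_output`.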
@@ -1480,6 +1501,7 @@ static int ip_route_input_mc(struct sk_b
 {
 	struct in_device *in_dev = __in_dev_get_rcu(dev);
 	struct rtable *rth;
+	unsigned int flags = RTCF_MULTICAST;
 	u32 itag = 0;
 	int err;
 
@@ -1487,7 +1509,10 @@ static int ip_route_input_mc(struct sk_b
 	if (err)
 		return err;
 
-	rth = rt_dst_alloc(dev_net(dev)->loopback_dev,
+	if (our)
+		flags |= RTCF_LOCAL;
+
+	rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST,
 			   IN_DEV_CONF_GET(in_dev, NOPOLICY), false, false);
 	if (!rth)
 		return -ENOBUFS;
@@ -1496,20 +1521,7 @@ static int ip_route_input_mc(struct sk_b
 	rth->dst.tclassid = itag;
 #endif
 	rth->dst.output = ip_rt_bug;
-
-	rth->rt_genid	= rt_genid_ipv4(dev_net(dev));
-	rth->rt_flags	= RTCF_MULTICAST;
-	rth->rt_type	= RTN_MULTICAST;
 	rth->rt_is_input= 1;
-	rth->rt_iif	= 0;
-	rth->rt_pmtu	= 0;
-	rth->rt_gateway	= 0;
-	rth->rt_uses_gateway = 0;
-	INIT_LIST_HEAD(&rth->rt_uncached);
-	if (our) {
-		rth->dst.input= ip_local_deliver;
-		rth->rt_flags |= RTCF_LOCAL;
-	}
 
 #ifdef CONFIG_IP_MROUTE
 	if (!ipv4_is_local_multicast(daddr) && IN_DEV_MFORWARD(in_dev))
@@ -1650,7 +1662,7 @@ rt_cache:
 		}
 	}
 
-	rth = rt_dst_alloc(out_dev->dev,
+	rth = rt_dst_alloc(out_dev->dev, 0, res->type,
 			   IN_DEV_CONF_GET(in_dev, NOPOLICY),
 			   IN_DEV_CONF_GET(out_dev, NOXFRM), do_cache);
 	if (!rth) {
@@ -1658,19 +1670,10 @@ rt_cache:
 		goto cleanup;
 	}
 
-	rth->rt_genid = rt_genid_ipv4(dev_net(rth->dst.dev));
-	rth->rt_flags = 0;
-	rth->rt_type = res->type;
 	rth->rt_is_input = 1;
-	rth->rt_iif 	= 0;
-	rth->rt_pmtu	= 0;
-	rth->rt_gateway	= 0;
-	rth->rt_uses_gateway = 0;
-	INIT_LIST_HEAD(&rth->rt_uncached);
 	RT_CACHE_STAT_INC(in_slow_tot);
 
 	rth->dst.input = ip_forward;
-	rth->dst.output = ip_output;
 
 	rt_set_nexthop(rth, daddr, res, fnhe, res->fi, res->type, itag);
 	skb_dst_set(skb, &rth->dst);
@@ -1821,26 +1824,17 @@ local_input:
 		}
 	}
 
-	rth = rt_dst_alloc(net->loopback_dev,
+	rth = rt_dst_alloc(net->loopback_dev, flags | RTCF_LOCAL, res.type,
 			   IN_DEV_CONF_GET(in_dev, NOPOLICY), false, do_cache);
 	if (!rth)
 		goto e_nobufs;
 
-	rth->dst.input= ip_local_deliver;
 	rth->dst.output= ip_rt_bug;
 #ifdef CONFIG_IP_ROUTE_CLASSID
 	rth->dst.tclassid = itag;
 #endif
-
-	rth->rt_genid = rt_genid_ipv4(net);
-	rth->rt_flags 	= flags|RTCF_LOCAL;
-	rth->rt_type	= res.type;
 	rth->rt_is_input = 1;
-	rth->rt_iif	= 0;
-	rth->rt_pmtu	= 0;
-	rth->rt_gateway	= 0;
-	rth->rt_uses_gateway = 0;
-	INIT_LIST_HEAD(&rth->rt_uncached);
+
 	RT_CACHE_STAT_INC(in_slow_tot);
 	if (res.type == RTN_UNREACHABLE) {
 		rth->dst.input= ip_error;
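Review bot: at `local_input` the unconditional `rth->dst.input= ip_local_deliver;` is removed and the handler is now installed only inside `rt_dst_alloc()` when `flags & RTCF_LOCAL` is set, so the behaviour is preserved only because this call passes `flags | RTCF_LOCAL`. A one-line comment at the call site would make that dependency visible to anyone who later changes the flags argument.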
@@ -2037,29 +2031,16 @@ rt_cache:
 	}
 
 add:
-	rth = rt_dst_alloc(dev_out,
+	rth = rt_dst_alloc(dev_out, flags, type,
 			   IN_DEV_CONF_GET(in_dev, NOPOLICY),
 			   IN_DEV_CONF_GET(in_dev, NOXFRM),
 			   do_cache);
 	if (!rth)
 		return ERR_PTR(-ENOBUFS);
 
-	rth->dst.output = ip_output;
-
-	rth->rt_genid = rt_genid_ipv4(dev_net(dev_out));
-	rth->rt_flags	= flags;
-	rth->rt_type	= type;
-	rth->rt_is_input = 0;
 	rth->rt_iif	= orig_oif ? : 0;
-	rth->rt_pmtu	= 0;
-	rth->rt_gateway = 0;
-	rth->rt_uses_gateway = 0;
-	INIT_LIST_HEAD(&rth->rt_uncached);
-
 	RT_CACHE_STAT_INC(out_slow_tot);
 
-	if (flags & RTCF_LOCAL)
-		rth->dst.input = ip_local_deliver;
 	if (flags & (RTCF_BROADCAST | RTCF_MULTICAST)) {
 		if (flags & RTCF_LOCAL &&
 		    !(dev_out->flags & IFF_LOOPBACK)) {

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 017/410] kvm/x86: fix icebp instruction handling
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (385 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 352/410] net: Refactor rtable initialization Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 159/410] btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker Ben Hutchings
                   ` (22 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Andy Lutomirski, Paolo Bonzini

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 32d43cd391bacb5f0814c2624399a5dad3501d09 upstream.

The undocumented 'icebp' instruction (aka 'int1') works pretty much like
'int3' in the absence of in-circuit probing equipment (except,
obviously, that it raises #DB instead of raising #BP), and is used by
some validation test-suites as such.

But Andy Lutomirski noticed that his test suite acted differently in kvm
than on bare hardware.

The reason is that kvm used an inexact test for the icebp instruction:
it just assumed that an all-zero VM exit qualification value meant that
the VM exit was due to icebp.

That is not unlike the guess that do_debug() does for the actual
exception handling case, but it's purely a heuristic, not an absolute
rule.  do_debug() does it because it wants to ascribe _some_ reasons to
the #DB that happened, and an empty %dr6 value means that 'icebp' is the
most likely cause and we have no better information.

But kvm can just do it right, because unlike the do_debug() case, kvm
actually sees the real reason for the #DB in the VM-exit interruption
information field.

So instead of relying on an inexact heuristic, just use the actual VM
exit information that says "it was 'icebp'".

Right now the 'icebp' instruction isn't technically documented by Intel,
but that will hopefully change.  The special "privileged software
exception" information _is_ actually mentioned in the Intel SDM, even
though the cause of it isn't enumerated.

Reported-by: Andy Lutomirski <luto@kernel.org>
Tested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[carnil: Backport to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/vmx.h | 1 +
 arch/x86/kvm/vmx.c         | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -296,6 +296,7 @@ enum vmcs_field {
 #define INTR_TYPE_NMI_INTR		(2 << 8) /* NMI */
 #define INTR_TYPE_HARD_EXCEPTION	(3 << 8) /* processor exception */
 #define INTR_TYPE_SOFT_INTR             (4 << 8) /* software interrupt */
+#define INTR_TYPE_PRIV_SW_EXCEPTION	(5 << 8) /* ICE breakpoint - undocumented */
 #define INTR_TYPE_SOFT_EXCEPTION	(6 << 8) /* software exception */
 
 /* GUEST_INTERRUPTIBILITY_INFO flags. */
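Review bot: the comment on `INTR_TYPE_PRIV_SW_EXCEPTION` labels the type itself "undocumented", but the commit message says the privileged software exception type is mentioned in the Intel SDM and only its cause (icebp) is not enumerated there. Wording such as `/* privileged software exception (icebp/int1) */` would describe the constant rather than one of its sources.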
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -868,6 +868,13 @@ static inline bool is_machine_check(u32
 		(INTR_TYPE_HARD_EXCEPTION | MC_VECTOR | INTR_INFO_VALID_MASK);
 }
 
+/* Undocumented: icebp/int1 */
+static inline bool is_icebp(u32 intr_info)
+{
+	return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
+		== (INTR_TYPE_PRIV_SW_EXCEPTION | INTR_INFO_VALID_MASK);
+}
+
 static inline bool cpu_has_vmx_msr_bitmap(void)
 {
 	return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_USE_MSR_BITMAPS;
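Review bot: `is_icebp()` compares only the interruption type and the valid bit, whereas the neighbouring `is_machine_check()` also has its vector (`MC_VECTOR`) in the compared value. That is sufficient for the caller added in the next hunk, which sits on the path that queues `DB_VECTOR`, but the helper's comment should say it does not check the vector so it is not reused elsewhere under the assumption that it does.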
@@ -4915,7 +4922,7 @@ static int handle_exception(struct kvm_v
 		      (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) {
 			vcpu->arch.dr6 &= ~15;
 			vcpu->arch.dr6 |= dr6;
-			if (!(dr6 & ~DR6_RESERVED)) /* icebp */
+			if (is_icebp(intr_info))
 				skip_emulated_instruction(vcpu);
 
 			kvm_queue_exception(vcpu, DB_VECTOR);

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 171/410] CIFS: zero sensitive data when freeing
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (375 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 167/410] lkdtm: fix handle_irq_event symbol for INT_HW_IRQ_EN Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 350/410] libata: Enable queued TRIM for Samsung SSD 860 Ben Hutchings
                   ` (32 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Aurelien Aptel, Pavel Shilovsky, Steve French

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aurelien Aptel <aaptel@suse.com>

commit 97f4b7276b829a8927ac903a119bef2f963ccc58 upstream.

also replaces memset()+kfree() by kzfree().

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsencrypt.c |  3 +--
 fs/cifs/connect.c     |  6 +++---
 fs/cifs/misc.c        | 14 ++++----------
 3 files changed, 8 insertions(+), 15 deletions(-)

--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -303,9 +303,8 @@ int calc_lanman_hash(const char *passwor
 {
 	int i;
 	int rc;
-	char password_with_pad[CIFS_ENCPWD_SIZE];
+	char password_with_pad[CIFS_ENCPWD_SIZE] = {0};
 
-	memset(password_with_pad, 0, CIFS_ENCPWD_SIZE);
 	if (password)
 		strncpy(password_with_pad, password, CIFS_ENCPWD_SIZE);
 
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1614,7 +1614,7 @@ cifs_parse_mount_options(const char *mou
 			tmp_end++;
 			if (!(tmp_end < end && tmp_end[1] == delim)) {
 				/* No it is not. Set the password to NULL */
-				kfree(vol->password);
+				kzfree(vol->password);
 				vol->password = NULL;
 				break;
 			}
@@ -1652,7 +1652,7 @@ cifs_parse_mount_options(const char *mou
 					options = end;
 			}
 
-			kfree(vol->password);
+			kzfree(vol->password);
 			/* Now build new password string */
 			temp_len = strlen(value);
 			vol->password = kzalloc(temp_len+1, GFP_KERNEL);
@@ -4039,7 +4039,7 @@ cifs_construct_tcon(struct cifs_sb_info
 		reset_cifs_unix_caps(0, tcon, NULL, vol_info);
 out:
 	kfree(vol_info->username);
-	kfree(vol_info->password);
+	kzfree(vol_info->password);
 	kfree(vol_info);
 
 	return tcon;
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -99,14 +99,11 @@ sesInfoFree(struct cifs_ses *buf_to_free
 	kfree(buf_to_free->serverOS);
 	kfree(buf_to_free->serverDomain);
 	kfree(buf_to_free->serverNOS);
-	if (buf_to_free->password) {
-		memset(buf_to_free->password, 0, strlen(buf_to_free->password));
-		kfree(buf_to_free->password);
-	}
+	kzfree(buf_to_free->password);
 	kfree(buf_to_free->user_name);
 	kfree(buf_to_free->domainName);
-	kfree(buf_to_free->auth_key.response);
-	kfree(buf_to_free);
+	kzfree(buf_to_free->auth_key.response);
+	kzfree(buf_to_free);
 }
 
 struct cifs_tcon *
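Review bot: `sesInfoFree()` now wipes the whole session structure with `kzfree(buf_to_free)`, while `tconInfoFree()` in the next hunk still ends with plain `kfree(buf_to_free)`, and `user_name` and `domainName` here are still released with `kfree()`. The commit message does not say which fields count as sensitive; stating that rule (in the message or in a comment) would let a reader check that the two free routines are consistent.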
@@ -137,10 +134,7 @@ tconInfoFree(struct cifs_tcon *buf_to_fr
 	}
 	atomic_dec(&tconInfoAllocCount);
 	kfree(buf_to_free->nativeFileSystem);
-	if (buf_to_free->password) {
-		memset(buf_to_free->password, 0, strlen(buf_to_free->password));
-		kfree(buf_to_free->password);
-	}
+	kzfree(buf_to_free->password);
 	kfree(buf_to_free);
 }
 

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 381/410] ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (378 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 038/410] KVM: x86: pass host_initiated to functions that read MSRs Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 341/410] RDMA/mlx5: Fix integer overflow while resizing CQ Ben Hutchings
                   ` (29 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kirill Marinushkin, Takashi Iwai

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill Marinushkin <k.marinushkin@gmail.com>

commit a6618f4aedb2b60932d766bd82ae7ce866e842aa upstream.

Currently, the offsets in the UAC2 processing unit descriptor are
calculated incorrectly. It causes an issue when connecting the device which
provides such a feature:

~~~~
[84126.724420] usb 1-1.3.1: invalid Processing Unit descriptor (id 18)
~~~~

After this patch is applied, the UAC2 processing unit inits w/o this error.

Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/uapi/linux/usb/audio.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/uapi/linux/usb/audio.h
+++ b/include/uapi/linux/usb/audio.h
@@ -369,7 +369,7 @@ static inline __u8 uac_processing_unit_b
 {
 	return (protocol == UAC_VERSION_1) ?
 		desc->baSourceID[desc->bNrInPins + 4] :
-		desc->baSourceID[desc->bNrInPins + 6];
+		2; /* in UAC2, this value is constant */
 }
 
 static inline __u8 *uac_processing_unit_bmControls(struct uac_processing_unit_descriptor *desc,
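Review bot: the UAC2 branch of the control-size accessor now returns a bare `2`, and the `+ 6` offset in the next hunk depends on the same descriptor layout without saying so. A named constant, or a one-line comment giving the UAC2 processing unit layout both accessors assume, would make the two values checkable against each other.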
@@ -377,7 +377,7 @@ static inline __u8 *uac_processing_unit_
 {
 	return (protocol == UAC_VERSION_1) ?
 		&desc->baSourceID[desc->bNrInPins + 5] :
-		&desc->baSourceID[desc->bNrInPins + 7];
+		&desc->baSourceID[desc->bNrInPins + 6];
 }
 
 static inline __u8 uac_processing_unit_iProcessing(struct uac_processing_unit_descriptor *desc,

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 259/410] iio: adis_lib: Initialize trigger before requesting interrupt
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (270 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 108/410] ahci: add new Intel device IDs Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 251/410] NFC: llcp: Limit size of SDP URI Ben Hutchings
                   ` (137 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Robin Getz, Lars-Peter Clausen, Jonathan Cameron

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lars-Peter Clausen <lars@metafoo.de>

commit f027e0b3a774e10302207e91d304bbf99e3a8b36 upstream.

The adis_probe_trigger() creates a new IIO trigger and requests an
interrupt associated with the trigger. The interrupt uses the generic
iio_trigger_generic_data_rdy_poll() function as its interrupt handler.

Currently the driver initializes some fields of the trigger structure after
the interrupt has been requested. But an interrupt can fire as soon as it
has been requested. This opens up a race condition.

iio_trigger_generic_data_rdy_poll() will access the trigger data structure
and dereference the ops field. If the ops field is not yet initialized this
will result in a NULL pointer deref.

It is not expected that the device generates an interrupt at this point, so
typically this issue did not surface unless e.g. due to a hardware
misconfiguration (wrong interrupt number, wrong polarity, etc.).

But some newer devices from the ADIS family start to generate periodic
interrupts in their power-on reset configuration and unfortunately the
interrupt can not be masked in the device.  This makes the race condition
much more visible and the following crash has been observed occasionally
when booting a system using the ADIS16460.

	Unable to handle kernel NULL pointer dereference at virtual address 00000008
	pgd = c0004000
	[00000008] *pgd=00000000
	Internal error: Oops: 5 [#1] PREEMPT SMP ARM
	Modules linked in:
	CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-04126-gf9739f0-dirty #257
	Hardware name: Xilinx Zynq Platform
	task: ef04f640 task.stack: ef050000
	PC is at iio_trigger_notify_done+0x30/0x68
	LR is at iio_trigger_generic_data_rdy_poll+0x18/0x20
	pc : [<c042d868>]    lr : [<c042d924>]    psr: 60000193
	sp : ef051bb8  ip : 00000000  fp : ef106400
	r10: c081d80a  r9 : ef3bfa00  r8 : 00000087
	r7 : ef051bec  r6 : 00000000  r5 : ef3bfa00  r4 : ee92ab00
	r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : ee97e400
	Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
	Control: 18c5387d  Table: 0000404a  DAC: 00000051
	Process swapper/0 (pid: 1, stack limit = 0xef050210)
	[<c042d868>] (iio_trigger_notify_done) from [<c0065b10>] (__handle_irq_event_percpu+0x88/0x118)
	[<c0065b10>] (__handle_irq_event_percpu) from [<c0065bbc>] (handle_irq_event_percpu+0x1c/0x58)
	[<c0065bbc>] (handle_irq_event_percpu) from [<c0065c30>] (handle_irq_event+0x38/0x5c)
	[<c0065c30>] (handle_irq_event) from [<c0068e28>] (handle_level_irq+0xa4/0x130)
	[<c0068e28>] (handle_level_irq) from [<c0064e74>] (generic_handle_irq+0x24/0x34)
	[<c0064e74>] (generic_handle_irq) from [<c021ab7c>] (zynq_gpio_irqhandler+0xb8/0x13c)
	[<c021ab7c>] (zynq_gpio_irqhandler) from [<c0064e74>] (generic_handle_irq+0x24/0x34)
	[<c0064e74>] (generic_handle_irq) from [<c0065370>] (__handle_domain_irq+0x5c/0xb4)
	[<c0065370>] (__handle_domain_irq) from [<c000940c>] (gic_handle_irq+0x48/0x8c)
	[<c000940c>] (gic_handle_irq) from [<c0013e8c>] (__irq_svc+0x6c/0xa8)

To fix this make sure that the trigger is fully initialized before
requesting the interrupt.

Fixes: ccd2b52f4ac6 ("staging:iio: Add common ADIS library")
Reported-by: Robin Getz <Robin.Getz@analog.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/imu/adis_trigger.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/iio/imu/adis_trigger.c
+++ b/drivers/iio/imu/adis_trigger.c
@@ -47,6 +47,10 @@ int adis_probe_trigger(struct adis *adis
 	if (adis->trig == NULL)
 		return -ENOMEM;
 
+	adis->trig->dev.parent = &adis->spi->dev;
+	adis->trig->ops = &adis_trigger_ops;
+	iio_trigger_set_drvdata(adis->trig, adis);
+
 	ret = request_irq(adis->spi->irq,
 			  &iio_trigger_generic_data_rdy_poll,
 			  IRQF_TRIGGER_RISING,
@@ -55,9 +59,6 @@ int adis_probe_trigger(struct adis *adis
 	if (ret)
 		goto error_free_trig;
 
-	adis->trig->dev.parent = &adis->spi->dev;
-	adis->trig->ops = &adis_trigger_ops;
-	iio_trigger_set_drvdata(adis->trig, adis);
 	ret = iio_trigger_register(adis->trig);
 
 	indio_dev->trig = iio_trigger_get(adis->trig);
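Review bot: in the context left after the removed lines, `indio_dev->trig = iio_trigger_get(adis->trig);` follows `ret = iio_trigger_register(adis->trig);` with no test of `ret` between them in the visible lines. Since this patch is about ordering in the probe path, please confirm that a failed `iio_trigger_register()` releases the IRQ requested above and does not leave the trigger reference taken.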

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 127/410] NFS: Add a cond_resched() to nfs_commit_release_pages()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (248 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 305/410] tty: make n_tty_read() always abort if hangup is in progress Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 207/410] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit Ben Hutchings
                   ` (159 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Trond Myklebust, Mike Galbraith

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 7f1bda447c9bd48b415acedba6b830f61591601f upstream.

The commit list can get very large, and so we need a cond_resched()
in nfs_commit_release_pages() in order to ensure we don't hog the CPU
for excessive periods of time.

Reported-by: Mike Galbraith <efault@gmx.de>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/write.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -1661,6 +1661,8 @@ static void nfs_commit_release_pages(str
 		set_bit(NFS_CONTEXT_RESEND_WRITES, &req->wb_context->flags);
 	next:
 		nfs_unlock_and_release_request(req);
+		/* Latency breaker */
+		cond_resched();
 	}
 	nfs_init_cinfo(&cinfo, data->inode, data->dreq);
 	if (atomic_dec_and_test(&cinfo.mds->rpcs_out))

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 310/410] xen/arm: Define xen_arch_suspend()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (198 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 348/410] can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 235/410] netfilter: ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get() Ben Hutchings
                   ` (209 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Boris Ostrovsky, Michal Suchanek, David Vrabel, Stefano Stabellini

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Ostrovsky <boris.ostrovsky@oracle.com>

commit ffb7dbed47da6ac4460b606a3feee295bbe4d9e2 upstream.

Commit 2b953a5e994c ("xen: Suspend ticks on all CPUs during suspend")
introduced xen_arch_suspend() routine but did so only for x86, breaking
ARM builds.

We need to add it to ARM as well.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reported-by: Michal Suchanek <hramrach@gmail.com>
Tested-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/xen/enlighten.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/xen/enlighten.c
+++ b/arch/arm/xen/enlighten.c
@@ -344,6 +344,7 @@ void xen_arch_pre_suspend(void) { }
 void xen_arch_post_suspend(int suspend_cancelled) { }
 void xen_timer_resume(void) { }
 void xen_arch_resume(void) { }
+void xen_arch_suspend(void) { }
 
 
 /* In the hypervisor.S file. */

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 126/410] mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (312 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 080/410] rcutorture/configinit: Fix build directory error message Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 195/410] arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls Ben Hutchings
                   ` (95 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Howells, Eric W. Biederman, Masakazu Urade, Koichi Yasutake

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 6ac1dc736b323011a55ecd1fc5897c24c4f77cbd upstream.

Setting si_code to 0 is the same as setting si_code to SI_USER which is definitely
not correct.  With si_code set to SI_USER si_pid and si_uid will be copied to
userspace instead of si_addr.  Which is very wrong.

So fix this by using a sensible si_code (SEGV_MAPERR) for this failure.

Fixes: b920de1b77b7 ("mn10300: add the MN10300/AM33 architecture to the kernel")
Cc: David Howells <dhowells@redhat.com>
Cc: Masakazu Urade <urade.masakazu@jp.panasonic.com>
Cc: Koichi Yasutake <yasutake.koichi@jp.panasonic.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mn10300/mm/misalignment.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mn10300/mm/misalignment.c
+++ b/arch/mn10300/mm/misalignment.c
@@ -437,7 +437,7 @@ transfer_failed:
 
 	info.si_signo	= SIGSEGV;
 	info.si_errno	= 0;
-	info.si_code	= 0;
+	info.si_code	= SEGV_MAPERR;
 	info.si_addr	= (void *) regs->pc;
 	force_sig_info(SIGSEGV, &info, current);
 	return;
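Review bot: with `si_code` now `SEGV_MAPERR`, userspace will read `si_addr` as the address that could not be mapped, but the following line still sets it to `regs->pc`. If the address of the failed user access is available at `transfer_failed`, it should be reported instead; otherwise a comment saying the PC is reported deliberately would help.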

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 347/410] IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (365 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 248/410] staging: android: ashmem: Fix a race condition in pin ioctls Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 066/410] perf record: Generate PERF_RECORD_{MMAP,COMM,EXEC} with --delay Ben Hutchings
                   ` (42 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Doug Ledford, syzkaller, Leon Romanovsky, Boris Pismenny

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Pismenny <borisp@mellanox.com>

commit c2b37f76485f073f020e60b5954b6dc4e55f693c upstream.

This patch validates user provided input to prevent integer overflow due
to integer manipulation in the mlx5_ib_create_srq function.

Cc: syzkaller <syzkaller@googlegroups.com>
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx5/srq.c | 15 +++++++++------
 include/linux/mlx5/driver.h      |  4 ++--
 2 files changed, 11 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/hw/mlx5/srq.c
+++ b/drivers/infiniband/hw/mlx5/srq.c
@@ -234,8 +234,8 @@ struct ib_srq *mlx5_ib_create_srq(struct
 {
 	struct mlx5_ib_dev *dev = to_mdev(pd->device);
 	struct mlx5_ib_srq *srq;
-	int desc_size;
-	int buf_size;
+	size_t desc_size;
+	size_t buf_size;
 	int err;
 	struct mlx5_create_srq_mbox_in *uninitialized_var(in);
 	int uninitialized_var(inlen);
@@ -261,15 +261,18 @@ struct ib_srq *mlx5_ib_create_srq(struct
 
 	desc_size = sizeof(struct mlx5_wqe_srq_next_seg) +
 		    srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg);
+	if (desc_size == 0 || srq->msrq.max_gs > desc_size)
+		return ERR_PTR(-EINVAL);
 	desc_size = roundup_pow_of_two(desc_size);
-	desc_size = max_t(int, 32, desc_size);
+	desc_size = max_t(size_t, 32, desc_size);
+	if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg))
+		return ERR_PTR(-EINVAL);
 	srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) /
 		sizeof(struct mlx5_wqe_data_seg);
 	srq->msrq.wqe_shift = ilog2(desc_size);
 	buf_size = srq->msrq.max * desc_size;
-	mlx5_ib_dbg(dev, "desc_size 0x%x, req wr 0x%x, srq size 0x%x, max_gs 0x%x, max_avail_gather 0x%x\n",
-		    desc_size, init_attr->attr.max_wr, srq->msrq.max, srq->msrq.max_gs,
-		    srq->msrq.max_avail_gather);
+	if (buf_size < desc_size)
+		return ERR_PTR(-EINVAL);
 
 	if (pd->uobject)
 		err = create_srq_user(pd, srq, &in, udata, buf_size, &inlen);
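Review bot: `if (buf_size < desc_size)` after `buf_size = srq->msrq.max * desc_size;` is not a complete overflow test for a multiplication, because a wrapped product can still be greater than or equal to `desc_size`; `msrq.max` is also still declared `int` in the driver.h hunk while it is multiplied with a `size_t`. Checking before multiplying (for example rejecting `srq->msrq.max > SIZE_MAX / desc_size`) would close both. The hunk also removes the `mlx5_ib_dbg()` line without the commit message mentioning it.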
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -432,8 +432,8 @@ struct mlx5_core_mr {
 struct mlx5_core_srq {
 	u32		srqn;
 	int		max;
-	int		max_gs;
-	int		max_avail_gather;
+	size_t		max_gs;
+	size_t		max_avail_gather;
 	int		wqe_shift;
 	void (*event)	(struct mlx5_core_srq *, enum mlx5_event);
 

^ permalink raw reply	[flat|nested] 445+ messages in thread
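
Added example (not part of the patch or of the mlx5 driver): a userspace C model of the size arithmetic touched by the mlx5_ib_create_srq patch above, with each step checked before it is performed, plus a 32-bit model showing why a comparison made after the multiply can miss a wrap. The 16-byte segment sizes and all function names are assumptions made for this sketch; the driver uses sizeof() on its own structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NEXT_SEG_SIZE ((size_t)16) /* assumed size of the "next segment" header */
#define DATA_SEG_SIZE ((size_t)16) /* assumed size of one scatter/gather entry */
#define MIN_DESC_SIZE ((size_t)32) /* lower bound the patch applies via max_t() */

struct srq_sizes {
	size_t desc_size;
	size_t max_avail_gather;
	size_t buf_size;
	unsigned int wqe_shift;
};

/* a * b, refusing instead of wrapping. Returns 0 on success, -1 on overflow. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
	if (a != 0 && b > SIZE_MAX / a)
		return -1;
	*out = a * b;
	return 0;
}

/* a + b, refusing instead of wrapping. */
static int checked_add(size_t a, size_t b, size_t *out)
{
	if (b > SIZE_MAX - a)
		return -1;
	*out = a + b;
	return 0;
}

/* Smallest power of two >= v, or -1 if it does not fit in size_t. */
static int checked_roundup_pow2(size_t v, size_t *out)
{
	size_t p = 1;

	while (p < v) {
		if (p > SIZE_MAX / 2)
			return -1;
		p <<= 1;
	}
	*out = p;
	return 0;
}

/* Model of the descriptor/buffer size computation; 0 on success, -1 on reject. */
int srq_compute_sizes(size_t max, size_t max_gs, struct srq_sizes *s)
{
	size_t sg_bytes, desc, buf;
	unsigned int shift = 0;

	if (max == 0)
		return -1;
	if (checked_mul(max_gs, DATA_SEG_SIZE, &sg_bytes) ||
	    checked_add(sg_bytes, NEXT_SEG_SIZE, &desc) ||
	    checked_roundup_pow2(desc, &desc))
		return -1;
	if (desc < MIN_DESC_SIZE)
		desc = MIN_DESC_SIZE;
	if (checked_mul(max, desc, &buf))
		return -1;
	while (((size_t)1 << shift) < desc) /* desc is a power of two here */
		shift++;

	s->desc_size = desc;
	s->max_avail_gather = (desc - NEXT_SEG_SIZE) / DATA_SEG_SIZE;
	s->buf_size = buf;
	s->wqe_shift = shift;
	return 0;
}

/* 32-bit model of "multiply first, compare afterwards": returns 1 when the
 * wrapped product still passes a `buf_size < desc_size` style test. */
int posthoc_check_passes_u32(uint32_t max, uint32_t desc_size)
{
	uint32_t buf_size = max * desc_size; /* wraps modulo 2^32 */

	return !(buf_size < desc_size);
}

/* Same inputs, tested before multiplying: returns 1 when they are rejected. */
int precheck_rejects_u32(uint32_t max, uint32_t desc_size)
{
	return desc_size != 0 && max > UINT32_MAX / desc_size;
}

int main(void)
{
	struct srq_sizes s;

	if (srq_compute_sizes(1024, 3, &s) == 0)
		printf("desc_size=%zu buf_size=%zu wqe_shift=%u\n",
		       s.desc_size, s.buf_size, s.wqe_shift);
	printf("huge max_gs rejected: %d\n",
	       srq_compute_sizes(1, SIZE_MAX / 8, &s) == -1);
	printf("post-hoc test passes a wrapped product: %d, pre-check rejects it: %d\n",
	       posthoc_check_passes_u32(0x08000001u, 32u),
	       precheck_rejects_u32(0x08000001u, 32u));
	return 0;
}
```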

* [PATCH 3.16 315/410] btrfs: use proper endianness accessors for super_copy
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (258 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 400/410] bonding: fix the err path for dev hwaddr sync in bond_enslave Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 20:02   ` Anand Jain
  2018-06-07 14:05 ` [PATCH 3.16 140/410] mtd: ubi: wl: Fix error return code in ubi_wl_init() Ben Hutchings
                   ` (149 subsequent siblings)
  409 siblings, 1 reply; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Liu Bo, Anand Jain, David Sterba

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anand Jain <anand.jain@oracle.com>

commit 3c181c12c431fe33b669410d663beb9cceefcd1b upstream.

The fs_info::super_copy is a byte copy of the on-disk structure and all
members must use the accessor macros/functions to obtain the right
value.  This was missing in update_super_roots and in sysfs readers.

Moving between opposite endianness hosts will report bogus numbers in
sysfs, and mount may fail as the root will not be restored correctly. If
the filesystem is always used on a same endian host, this will not be a
problem.

Fix this by using the btrfs_set_super...() functions to set
fs_info::super_copy values, and for the sysfs, use the cached
fs_info::nodesize/sectorsize values.

Fixes: df93589a17378 ("btrfs: export more from FS_INFO to sysfs")
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ update changelog ]
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
 - btrfs_fs_info doesn't have cached nodesize or sectorsize fields, so use
   the accessor functions
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/btrfs/sysfs.c
+++ b/fs/btrfs/sysfs.c
@@ -406,7 +406,7 @@ static ssize_t btrfs_nodesize_show(struc
 {
 	struct btrfs_fs_info *fs_info = to_fs_info(kobj);
 
-	return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->super_copy->nodesize);
+	return snprintf(buf, PAGE_SIZE, "%u\n", btrfs_super_nodesize(fs_info->super_copy));
 }
 
 BTRFS_ATTR_RW(nodesize, 0444, btrfs_nodesize_show, btrfs_no_store);
@@ -416,7 +416,7 @@ static ssize_t btrfs_sectorsize_show(str
 {
 	struct btrfs_fs_info *fs_info = to_fs_info(kobj);
 
-	return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->super_copy->sectorsize);
+	return snprintf(buf, PAGE_SIZE, "%u\n", btrfs_super_sectorsize(fs_info->super_copy));
 }
 
 BTRFS_ATTR_RW(sectorsize, 0444, btrfs_sectorsize_show, btrfs_no_store);
@@ -426,7 +426,7 @@ static ssize_t btrfs_clone_alignment_sho
 {
 	struct btrfs_fs_info *fs_info = to_fs_info(kobj);
 
-	return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->super_copy->sectorsize);
+	return snprintf(buf, PAGE_SIZE, "%u\n", btrfs_super_sectorsize(fs_info->super_copy));
 }
 
 BTRFS_ATTR_RW(clone_alignment, 0444, btrfs_clone_alignment_show, btrfs_no_store);
--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -1428,19 +1428,23 @@ static void update_super_roots(struct bt
 
 	super = root->fs_info->super_copy;
 
+	/* update latest btrfs_super_block::chunk_root refs */
 	root_item = &root->fs_info->chunk_root->root_item;
-	super->chunk_root = root_item->bytenr;
-	super->chunk_root_generation = root_item->generation;
-	super->chunk_root_level = root_item->level;
+	btrfs_set_super_chunk_root(super, root_item->bytenr);
+	btrfs_set_super_chunk_root_generation(super, root_item->generation);
+	btrfs_set_super_chunk_root_level(super, root_item->level);
 
+	/* update latest btrfs_super_block::root refs */
 	root_item = &root->fs_info->tree_root->root_item;
-	super->root = root_item->bytenr;
-	super->generation = root_item->generation;
-	super->root_level = root_item->level;
+	btrfs_set_super_root(super, root_item->bytenr);
+	btrfs_set_super_generation(super, root_item->generation);
+	btrfs_set_super_root_level(super, root_item->level);
+
 	if (btrfs_test_opt(root, SPACE_CACHE))
-		super->cache_generation = root_item->generation;
+		btrfs_set_super_cache_generation(super, root_item->generation);
 	if (root->fs_info->update_uuid_tree_gen)
-		super->uuid_tree_generation = root_item->generation;
+		btrfs_set_super_uuid_tree_generation(super,
+						     root_item->generation);
 }
 
 int btrfs_transaction_in_commit(struct btrfs_fs_info *info)
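
Review bot: The setters now convert on store, but their arguments (root_item->bytenr, root_item->generation, root_item->level) are still read as raw struct members in both the chunk_root and tree_root blocks of update_super_roots(). If root_item is itself kept in on-disk byte order, the 64-bit values would be converted a second time on a big-endian host, which is the case the changelog is about. Please confirm the byte order of root_item, and read it through its own accessors if it is in on-disk format.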

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 134/410] USB: cdc-acm: Do not log urb submission errors on disconnect
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (157 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 075/410] spi: sun6i: disable/unprepare clocks on remove Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 043/410] x86/msr: Add definitions for new speculation control MSRs Ben Hutchings
                   ` (250 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Oliver Neukum, Hans de Goede

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit f0386c083c2ce85284dc0b419d7b89c8e567c09f upstream.

When disconnected sometimes the cdc-acm driver logs errors like these:

[20278.039417] cdc_acm 2-2:2.1: urb 9 failed submission with -19
[20278.042924] cdc_acm 2-2:2.1: urb 10 failed submission with -19
[20278.046449] cdc_acm 2-2:2.1: urb 11 failed submission with -19
[20278.049920] cdc_acm 2-2:2.1: urb 12 failed submission with -19
[20278.053442] cdc_acm 2-2:2.1: urb 13 failed submission with -19
[20278.056915] cdc_acm 2-2:2.1: urb 14 failed submission with -19
[20278.060418] cdc_acm 2-2:2.1: urb 15 failed submission with -19

Silence these by not logging errors when the result is -ENODEV.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-acm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -378,7 +378,7 @@ static int acm_submit_read_urb(struct ac
 
 	res = usb_submit_urb(acm->read_urbs[index], mem_flags);
 	if (res) {
-		if (res != -EPERM) {
+		if (res != -EPERM && res != -ENODEV) {
 			dev_err(&acm->data->dev,
 					"%s - usb_submit_urb failed: %d\n",
 					__func__, res);
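
Review bot: The new res != -ENODEV test in acm_submit_read_urb() drops the message for every -ENODEV result, not only the disconnect case the changelog describes. Consider logging that case at dev_dbg() level instead of dropping it, so the failure can still be traced when debugging is enabled.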

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 313/410] KVM: s390: provide io interrupt kvm_stat
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (231 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 084/410] USB: serial: io_edgeport: fix possible sleep-in-atomic Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 184/410] KVM: PPC: Book3S PR: Fix svcpu copying with preemption enabled Ben Hutchings
                   ` (176 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christian Borntraeger, David Hildenbrand, Cornelia Huck

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Borntraeger <borntraeger@de.ibm.com>

commit 09a0fb67536a49af19f2bfc632100e9de91fe526 upstream.

We already count io interrupts, but we forgot to print them.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Fixes: d8346b7d9b ("KVM: s390: Support for I/O interrupts.")
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/kvm/kvm-s390.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -62,6 +62,7 @@ struct kvm_stats_debugfs_item debugfs_en
 	{ "deliver_prefix_signal", VCPU_STAT(deliver_prefix_signal) },
 	{ "deliver_restart_signal", VCPU_STAT(deliver_restart_signal) },
 	{ "deliver_program_interruption", VCPU_STAT(deliver_program_int) },
+	{ "deliver_io_interrupt", VCPU_STAT(deliver_io_int) },
 	{ "exit_wait_state", VCPU_STAT(exit_wait_state) },
 	{ "instruction_pfmf", VCPU_STAT(instruction_pfmf) },
 	{ "instruction_stidp", VCPU_STAT(instruction_stidp) },

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 353/410] ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (196 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 071/410] power: supply: ab8500_charger: Fix an error handling path Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 348/410] can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack Ben Hutchings
                   ` (211 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Sabrina Dubroca, Stefano Brivio

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

commit d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 upstream.

Prior to the rework of PMTU information storage in commit
2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer."),
when a PMTU event advertising a PMTU smaller than
net.ipv4.route.min_pmtu was received, we would disable setting the DF
flag on packets by locking the MTU metric, and set the PMTU to
net.ipv4.route.min_pmtu.

Since then, we don't disable DF, and set PMTU to
net.ipv4.route.min_pmtu, so the intermediate router that has this link
with a small MTU will have to drop the packets.

This patch reestablishes pre-2.6.39 behavior by splitting
rtable->rt_pmtu into a bitfield with rt_mtu_locked and rt_pmtu.
rt_mtu_locked indicates that we shouldn't set the DF bit on that path,
and is checked in ip_dont_fragment().

One possible workaround is to set net.ipv4.route.min_pmtu to a value low
enough to accommodate the lowest MTU encountered.

Fixes: 2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/ip.h        | 11 +++++++++--
 include/net/ip_fib.h    |  1 +
 include/net/route.h     |  3 ++-
 net/ipv4/route.c        | 26 +++++++++++++++++++-------
 net/ipv4/xfrm4_policy.c |  1 +
 5 files changed, 32 insertions(+), 10 deletions(-)

--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -263,12 +263,19 @@ int ip_decrease_ttl(struct iphdr *iph)
 	return --iph->ttl;
 }
 
+static inline int ip_mtu_locked(const struct dst_entry *dst)
+{
+	const struct rtable *rt = (const struct rtable *)dst;
+
+	return rt->rt_mtu_locked || dst_metric_locked(dst, RTAX_MTU);
+}
+
 static inline
 int ip_dont_fragment(struct sock *sk, struct dst_entry *dst)
 {
 	return  inet_sk(sk)->pmtudisc == IP_PMTUDISC_DO ||
 		(inet_sk(sk)->pmtudisc == IP_PMTUDISC_WANT &&
-		 !(dst_metric_locked(dst, RTAX_MTU)));
+		 !ip_mtu_locked(dst));
 }
 
 static inline bool ip_sk_accept_pmtu(const struct sock *sk)
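
Review bot: ip_mtu_locked() casts dst to struct rtable without any check, so it is only valid when handed an IPv4 route's dst_entry. A one-line comment stating that requirement above the helper would help, since it sits in a shared header next to ip_dont_fragment() and is called from several places in this patch.
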
@@ -294,7 +301,7 @@ static inline unsigned int ip_dst_mtu_ma
 	struct net *net = dev_net(dst->dev);
 
 	if (net->ipv4.sysctl_ip_fwd_use_pmtu ||
-	    dst_metric_locked(dst, RTAX_MTU) ||
+	    ip_mtu_locked(dst) ||
 	    !forwarding)
 		return dst_mtu(dst);
 
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -54,6 +54,7 @@ struct fib_nh_exception {
 	int				fnhe_genid;
 	__be32				fnhe_daddr;
 	u32				fnhe_pmtu;
+	bool				fnhe_mtu_locked;
 	__be32				fnhe_gw;
 	unsigned long			fnhe_expires;
 	struct rtable __rcu		*fnhe_rth_input;
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -61,7 +61,8 @@ struct rtable {
 	__be32			rt_gateway;
 
 	/* Miscellaneous cached information */
-	u32			rt_pmtu;
+	u32			rt_mtu_locked:1,
+				rt_pmtu:31;
 
 	struct list_head	rt_uncached;
 };
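
Review bot: Packing rt_mtu_locked and rt_pmtu into one u32 bitfield makes every store to either field a read-modify-write of the same word, and shrinks rt_pmtu to 31 bits. fill_route_from_fnhe() writes the two fields as separate statements, so a reader that does not hold the writer's lock could see the new rt_pmtu together with the old rt_mtu_locked. A comment on the field saying which lock covers writers, and that readers tolerate the transient state, would make this easier to audit.
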
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -608,6 +608,7 @@ static inline u32 fnhe_hashfun(__be32 da
 static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe)
 {
 	rt->rt_pmtu = fnhe->fnhe_pmtu;
+	rt->rt_mtu_locked = fnhe->fnhe_mtu_locked;
 	rt->dst.expires = fnhe->fnhe_expires;
 
 	if (fnhe->fnhe_gw) {
@@ -618,7 +619,7 @@ static void fill_route_from_fnhe(struct
 }
 
 static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
-				  u32 pmtu, unsigned long expires)
+				  u32 pmtu, bool lock, unsigned long expires)
 {
 	struct fnhe_hash_bucket *hash;
 	struct fib_nh_exception *fnhe;
@@ -655,8 +656,10 @@ static void update_or_create_fnhe(struct
 			fnhe->fnhe_genid = genid;
 		if (gw)
 			fnhe->fnhe_gw = gw;
-		if (pmtu)
+		if (pmtu) {
 			fnhe->fnhe_pmtu = pmtu;
+			fnhe->fnhe_mtu_locked = lock;
+		}
 		fnhe->fnhe_expires = max(1UL, expires);
 		/* Update all cached dsts too */
 		rt = rcu_dereference(fnhe->fnhe_rth_input);
@@ -680,6 +683,7 @@ static void update_or_create_fnhe(struct
 		fnhe->fnhe_daddr = daddr;
 		fnhe->fnhe_gw = gw;
 		fnhe->fnhe_pmtu = pmtu;
+		fnhe->fnhe_mtu_locked = lock;
 		fnhe->fnhe_expires = expires;
 
 		/* Exception created; mark the cached routes for the nexthop
@@ -761,7 +765,8 @@ static void __ip_do_redirect(struct rtab
 				struct fib_nh *nh = &FIB_RES_NH(res);
 
 				update_or_create_fnhe(nh, fl4->daddr, new_gw,
-						0, jiffies + ip_rt_gc_timeout);
+						0, false,
+						jiffies + ip_rt_gc_timeout);
 			}
 			if (kill_route)
 				rt->dst.obsolete = DST_OBSOLETE_KILL;
@@ -970,15 +975,18 @@ static void __ip_rt_update_pmtu(struct r
 {
 	struct dst_entry *dst = &rt->dst;
 	struct fib_result res;
+	bool lock = false;
 
-	if (dst_metric_locked(dst, RTAX_MTU))
+	if (ip_mtu_locked(dst))
 		return;
 
 	if (dst->dev->mtu < mtu)
 		return;
 
-	if (mtu < ip_rt_min_pmtu)
+	if (mtu < ip_rt_min_pmtu) {
+		lock = true;
 		mtu = ip_rt_min_pmtu;
+	}
 
 	if (rt->rt_pmtu == mtu &&
 	    time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2))
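
Review bot: In __ip_rt_update_pmtu(), lock is set when mtu is clamped to ip_rt_min_pmtu, but the check that follows (rt->rt_pmtu == mtu on an entry that has not yet reached half its lifetime) compares only the PMTU value. If the route already caches exactly ip_rt_min_pmtu without the lock and that check returns early, a later, smaller advertisement never reaches update_or_create_fnhe() and the lock is not recorded. Consider also comparing rt->rt_mtu_locked against lock in that condition.
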
@@ -988,7 +996,7 @@ static void __ip_rt_update_pmtu(struct r
 	if (fib_lookup(dev_net(dst->dev), fl4, &res) == 0) {
 		struct fib_nh *nh = &FIB_RES_NH(res);
 
-		update_or_create_fnhe(nh, fl4->daddr, 0, mtu,
+		update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock,
 				      jiffies + ip_rt_mtu_expires);
 	}
 	rcu_read_unlock();
@@ -1243,7 +1251,7 @@ static unsigned int ipv4_mtu(const struc
 
 	mtu = dst->dev->mtu;
 
-	if (unlikely(dst_metric_locked(dst, RTAX_MTU))) {
+	if (unlikely(ip_mtu_locked(dst))) {
 		if (rt->rt_uses_gateway && mtu > 576)
 			mtu = 576;
 	}
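
Review bot: The 576-byte cap in ipv4_mtu() now also triggers on rt_mtu_locked, and ip_mtu_locked() has no expiry test, while the rt_fill_info() hunk reports the lock only when expires is set. Nothing in the visible hunks clears rt_mtu_locked once the learned PMTU has expired, so please check that an expired exception does not leave a gateway route capped at 576 with DF cleared.
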
@@ -1452,6 +1460,7 @@ static struct rtable *rt_dst_alloc(struc
 		rt->rt_is_input = 0;
 		rt->rt_iif = 0;
 		rt->rt_pmtu = 0;
+		rt->rt_mtu_locked = 0;
 		rt->rt_gateway = 0;
 		rt->rt_uses_gateway = 0;
 		INIT_LIST_HEAD(&rt->rt_uncached);
@@ -2308,6 +2317,7 @@ struct dst_entry *ipv4_blackhole_route(s
 		rt->rt_is_input = ort->rt_is_input;
 		rt->rt_iif = ort->rt_iif;
 		rt->rt_pmtu = ort->rt_pmtu;
+		rt->rt_mtu_locked = ort->rt_mtu_locked;
 
 		rt->rt_genid = rt_genid_ipv4(net);
 		rt->rt_flags = ort->rt_flags;
@@ -2411,6 +2421,8 @@ static int rt_fill_info(struct net *net,
 	memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics));
 	if (rt->rt_pmtu && expires)
 		metrics[RTAX_MTU - 1] = rt->rt_pmtu;
+	if (rt->rt_mtu_locked && expires)
+		metrics[RTAX_LOCK - 1] |= BIT(RTAX_MTU);
 	if (rtnetlink_put_metrics(skb, metrics) < 0)
 		goto nla_put_failure;
 
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -93,6 +93,7 @@ static int xfrm4_fill_dst(struct xfrm_ds
 	xdst->u.rt.rt_gateway = rt->rt_gateway;
 	xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway;
 	xdst->u.rt.rt_pmtu = rt->rt_pmtu;
+	xdst->u.rt.rt_mtu_locked = rt->rt_mtu_locked;
 	INIT_LIST_HEAD(&xdst->u.rt.rt_uncached);
 
 	return 0;

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 374/410] vti4: Don't count header length twice on tunnel setup
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 085/410] media: bt8xx: Fix err 'bt878_probe()' Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 143/410] drm/ttm: Don't add swapped BOs to swap-LRU list Ben Hutchings
                   ` (361 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steffen Klassert, Stefano Brivio, Sabrina Dubroca

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

commit dd1df24737727e119c263acf1be2a92763938297 upstream.

This re-introduces the effect of commit a32452366b72 ("vti4:
Don't count header length twice.") which was accidentally
reverted by merge commit f895f0cfbb77 ("Merge branch 'master' of
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec").

The commit message from Steffen Klassert said:

    We currently count the size of LL_MAX_HEADER and struct iphdr
    twice for vti4 devices, this leads to a wrong device mtu.
    The size of LL_MAX_HEADER and struct iphdr is already counted in
    ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init().

And this is still the case now: ip_tunnel_bind_dev() already
accounts for the header length of the link layer (not
necessarily LL_MAX_HEADER, if the output device is found), plus
one IP header.

For example, with a vti device on top of veth, with MTU of 1500,
the existing implementation would set the initial vti MTU to
1332, accounting once for LL_MAX_HEADER (128, included in
hard_header_len by vti) and twice for the same IP header (once
from hard_header_len, once from ip_tunnel_bind_dev()).

It should instead be 1480, because ip_tunnel_bind_dev() is able
to figure out that the output device is veth, so no additional
link layer header is attached, and will properly count one
single IP header.

The existing issue had the side effect of avoiding PMTUD for
most xfrm policies, by arbitrarily lowering the initial MTU.
However, the only way to get a consistent PMTU value is to let
the xfrm PMTU discovery do its course, and commit d6af1a31cc72
("vti: Add pmtu handling to vti_xmit.") now takes care of local
delivery cases where the application ignores local socket
notifications.

Fixes: b9959fd3b0fa ("vti: switch to new ip tunnel code")
Fixes: f895f0cfbb77 ("Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/ip_vti.c | 1 -
 1 file changed, 1 deletion(-)

--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -359,7 +359,6 @@ static int vti_tunnel_init(struct net_de
 	memcpy(dev->dev_addr, &iph->saddr, 4);
 	memcpy(dev->broadcast, &iph->daddr, 4);
 
-	dev->hard_header_len	= LL_MAX_HEADER + sizeof(struct iphdr);
 	dev->mtu		= ETH_DATA_LEN;
 	dev->flags		= IFF_NOARP;
 	dev->iflink		= 0;
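
Review bot: With the hard_header_len assignment removed, nothing in vti_tunnel_init() says where the header overhead is accounted for, and the changelog notes that this same line already came back once through a merge. A short comment next to dev->mtu = ETH_DATA_LEN stating that ip_tunnel_bind_dev() accounts for the link-layer and IP headers would guard against a repeat.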

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 010/410] ocfs2: subsystem.su_mutex is required while accessing the  item->ci_parent
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (278 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 050/410] x86/speculation: Use IBRS if available before calling into firmware Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 372/410] skb: Add skb_postpush_rcsum() Ben Hutchings
                   ` (129 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joseph Qi, Mark Fasheh, Linus Torvalds, alex chen,
	Jun Piao, Junxiao Bi, Joel Becker

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: alex chen <alex.chen@huawei.com>

commit 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 upstream.

The subsystem.su_mutex is required while accessing the item->ci_parent,
otherwise, NULL pointer dereference to the item->ci_parent will be
triggered in the following situation:

add node                     delete node
sys_write
 vfs_write
  configfs_write_file
   o2nm_node_store
    o2nm_node_local_write
                             do_rmdir
                              vfs_rmdir
                               configfs_rmdir
                                mutex_lock(&subsys->su_mutex);
                                unlink_obj
                                 item->ci_group = NULL;
                                 item->ci_parent = NULL;
	 to_o2nm_cluster_from_node
	  node->nd_item.ci_parent->ci_parent
	  BUG since of NULL pointer dereference to nd_item.ci_parent

Moreover, the o2nm_cluster also should be protected by the
subsystem.su_mutex.

[alex.chen@huawei.com: v2]
  Link: http://lkml.kernel.org/r/59EEAA69.9080703@huawei.com
Link: http://lkml.kernel.org/r/59E9B36A.10700@huawei.com
Signed-off-by: Alex Chen <alex.chen@huawei.com>
Reviewed-by: Jun Piao <piaojun@huawei.com>
Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ocfs2/cluster/nodemanager.c | 63 +++++++++++++++++++++++++++++-----
 1 file changed, 55 insertions(+), 8 deletions(-)

--- a/fs/ocfs2/cluster/nodemanager.c
+++ b/fs/ocfs2/cluster/nodemanager.c
@@ -40,6 +40,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_
 		"panic",	/* O2NM_FENCE_PANIC */
 };
 
+static inline void o2nm_lock_subsystem(void);
+static inline void o2nm_unlock_subsystem(void);
+
 struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
 {
 	struct o2nm_node *node = NULL;
@@ -181,7 +184,10 @@ static struct o2nm_cluster *to_o2nm_clus
 {
 	/* through the first node_set .parent
 	 * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
-	return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+	if (node->nd_item.ci_parent)
+		return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+	else
+		return NULL;
 }
 
 enum {
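
Review bot: to_o2nm_cluster_from_node() can now return NULL, but the ci_parent test is only meaningful while su_mutex is held, since the race in the changelog has configfs_rmdir() clearing ci_parent under that mutex. Document the locking requirement in the comment above the return, or assert it, so a future caller does not use the helper unlocked. The else after the return can also be dropped.
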
@@ -194,7 +200,7 @@ enum {
 static ssize_t o2nm_node_num_write(struct o2nm_node *node, const char *page,
 				   size_t count)
 {
-	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+	struct o2nm_cluster *cluster;
 	unsigned long tmp;
 	char *p = (char *)page;
 
@@ -213,6 +219,13 @@ static ssize_t o2nm_node_num_write(struc
 	    !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
 		return -EINVAL; /* XXX */
 
+	o2nm_lock_subsystem();
+	cluster = to_o2nm_cluster_from_node(node);
+	if (!cluster) {
+		o2nm_unlock_subsystem();
+		return -EINVAL;
+	}
+
 	write_lock(&cluster->cl_nodes_lock);
 	if (cluster->cl_nodes[tmp])
 		p = NULL;
@@ -222,6 +235,8 @@ static ssize_t o2nm_node_num_write(struc
 		set_bit(tmp, cluster->cl_nodes_bitmap);
 	}
 	write_unlock(&cluster->cl_nodes_lock);
+	o2nm_unlock_subsystem();
+
 	if (p == NULL)
 		return -EEXIST;
 
@@ -261,7 +276,7 @@ static ssize_t o2nm_node_ipv4_address_wr
 					    const char *page,
 					    size_t count)
 {
-	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+	struct o2nm_cluster *cluster;
 	int ret, i;
 	struct rb_node **p, *parent;
 	unsigned int octets[4];
@@ -278,6 +293,13 @@ static ssize_t o2nm_node_ipv4_address_wr
 		be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
 	}
 
+	o2nm_lock_subsystem();
+	cluster = to_o2nm_cluster_from_node(node);
+	if (!cluster) {
+		o2nm_unlock_subsystem();
+		return -EINVAL;
+	}
+
 	ret = 0;
 	write_lock(&cluster->cl_nodes_lock);
 	if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
@@ -287,6 +309,8 @@ static ssize_t o2nm_node_ipv4_address_wr
 		rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
 	}
 	write_unlock(&cluster->cl_nodes_lock);
+	o2nm_unlock_subsystem();
+
 	if (ret)
 		return ret;
 
@@ -303,7 +327,7 @@ static ssize_t o2nm_node_local_read(stru
 static ssize_t o2nm_node_local_write(struct o2nm_node *node, const char *page,
 				     size_t count)
 {
-	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+	struct o2nm_cluster *cluster;
 	unsigned long tmp;
 	char *p = (char *)page;
 	ssize_t ret;
@@ -321,17 +345,26 @@ static ssize_t o2nm_node_local_write(str
 	    !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
 		return -EINVAL; /* XXX */
 
+	o2nm_lock_subsystem();
+	cluster = to_o2nm_cluster_from_node(node);
+	if (!cluster) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	/* the only failure case is trying to set a new local node
 	 * when a different one is already set */
 	if (tmp && tmp == cluster->cl_has_local &&
-	    cluster->cl_local_node != node->nd_num)
-		return -EBUSY;
+	    cluster->cl_local_node != node->nd_num) {
+		ret = -EBUSY;
+		goto out;
+	}
 
 	/* bring up the rx thread if we're setting the new local node. */
 	if (tmp && !cluster->cl_has_local) {
 		ret = o2net_start_listening(node);
 		if (ret)
-			return ret;
+			goto out;
 	}
 
 	if (!tmp && cluster->cl_has_local &&
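
Review bot: o2nm_node_local_write() now calls o2net_start_listening(node) with the subsystem mutex held, so bringing up the rx thread runs inside the same critical section that configfs_rmdir() takes. Check that nothing on that path needs su_mutex itself, and consider a comment at the call noting that it is made under the lock on purpose.
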
@@ -346,7 +379,11 @@ static ssize_t o2nm_node_local_write(str
 		cluster->cl_local_node = node->nd_num;
 	}
 
-	return count;
+	ret = count;
+
+out:
+	o2nm_unlock_subsystem();
+	return ret;
 }
 
 struct o2nm_node_attribute {
@@ -889,6 +926,16 @@ static struct o2nm_cluster_group o2nm_cl
 	},
 };
 
+static inline void o2nm_lock_subsystem(void)
+{
+	mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
+
+static inline void o2nm_unlock_subsystem(void)
+{
+	mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
+
 int o2nm_depend_item(struct config_item *item)
 {
 	return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 270/410] arm64: __show_regs: Only resolve kernel symbols when running at EL1
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (380 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 341/410] RDMA/mlx5: Fix integer overflow while resizing CQ Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 016/410] netfilter: ebtables: fix erroneous reject of last rule Ben Hutchings
                   ` (27 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, NCSC Security, Will Deacon

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit a06f818a70de21b4b3b4186816094208fc7accf9 upstream.

__show_regs pretty prints PC and LR by attempting to map them to kernel
function names to improve the utility of crash reports. Unfortunately,
this mapping is applied even when the pt_regs corresponds to user mode,
resulting in a KASLR oracle.

Avoid this issue by only looking up the function symbols when the register
state indicates that we're actually running at EL1.

Reported-by: NCSC Security <security@ncsc.gov.uk>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/process.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -197,8 +197,15 @@ void __show_regs(struct pt_regs *regs)
 	}
 
 	show_regs_print_info(KERN_DEFAULT);
-	printk("pc : %pS\n", (void *)regs->pc);
-	printk("lr : %pS\n", (void *)lr);
+
+	if (!user_mode(regs)) {
+		printk("pc : %pS\n", (void *)regs->pc);
+		printk("lr : %pS\n", (void *)lr);
+	} else {
+		printk("pc : %016llx\n", regs->pc);
+		printk("lr : %016llx\n", lr);
+	}
+
 	printk("sp : %016llx pstate : %08llx\n", sp, regs->pstate);
 	for (i = top_reg; i >= 0; i--) {
 		printk("x%-2d: %016llx ", i, regs->regs[i]);
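
Review bot: The user_mode(regs) split in __show_regs() carries no comment explaining why the user-mode branch avoids %pS, so a later cleanup could merge the two branches back together. Add a one-line comment that symbol lookup is skipped for user register state because, as the changelog says, it acts as a KASLR oracle. The declaration of lr is outside the hunk; confirm its type matches the %016llx specifier now used for it.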

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 251/410] NFC: llcp: Limit size of SDP URI
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (271 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 259/410] iio: adis_lib: Initialize trigger before requesting interrupt Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 076/410] media: cpia2: Fix a couple off by one bugs Ben Hutchings
                   ` (136 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kees Cook, David S. Miller

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit fe9c842695e26d8116b61b80bfb905356f07834b upstream.

The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
this both in the NLA policy and in the code that performs the allocation
and copy, to avoid writing past the end of the allocated buffer.

Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface")
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/nfc/llcp_commands.c | 4 ++++
 net/nfc/netlink.c       | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_
 
 	pr_debug("uri: %s, len: %zu\n", uri, uri_len);
 
+	/* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */
+	if (WARN_ON_ONCE(uri_len > U8_MAX - 4))
+		return NULL;
+
 	sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL);
 	if (sdreq == NULL)
 		return NULL;
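
Review bot: The limit U8_MAX - 4 is open-coded in nfc_llcp_build_sdreq_tlv() and again in nfc_sdp_genl_policy in net/nfc/netlink.c, so the two can drift apart. Define one named constant in a shared header and use it in both places. The new comment should also say NUL (the string terminator) rather than NULL.
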
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -60,7 +60,8 @@ static const struct nla_policy nfc_genl_
 };
 
 static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = {
-	[NFC_SDP_ATTR_URI] = { .type = NLA_STRING },
+	[NFC_SDP_ATTR_URI] = { .type = NLA_STRING,
+			       .len = U8_MAX - 4 },
 	[NFC_SDP_ATTR_SAP] = { .type = NLA_U8 },
 };
 

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 129/410] nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (251 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 402/410] bonding: process the err returned by dev_set_allmulti properly in bond_enslave Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 218/410] crypto: caam - fix endless loop when DECO acquire fails Ben Hutchings
                   ` (156 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Scott Mayhew, Trond Myklebust

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Scott Mayhew <smayhew@redhat.com>

commit ba4a76f703ab7eb72941fdaac848502073d6e9ee upstream.

Currently when falling back to doing I/O through the MDS (via
pnfs_{read|write}_through_mds), the client frees the nfs_pgio_header
without releasing the reference taken on the dreq
via pnfs_generic_pg_{read|write}pages -> nfs_pgheader_init ->
nfs_direct_pgio_init.  It then takes another reference on the dreq via
nfs_generic_pg_pgios -> nfs_pgheader_init -> nfs_direct_pgio_init and
as a result the requester will become stuck in inode_dio_wait.  Once
that happens, other processes accessing the inode will become stuck as
well.

Ensure that pnfs_read_through_mds() and pnfs_write_through_mds() clean
up correctly by calling hdr->completion_ops->completion() instead of
calling hdr->release() directly.

This can be reproduced (sometimes) by performing "storage failover
takeover" commands on NetApp filer while doing direct I/O from a client.

This can also be reproduced using SystemTap to simulate a failure while
doing direct I/O from a client (from Dave Wysochanski
<dwysocha@redhat.com>):

stap -v -g -e 'probe module("nfs_layout_nfsv41_files").function("nfs4_fl_prepare_ds").return { $return=NULL; exit(); }'

Suggested-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Fixes: 1ca018d28d ("pNFS: Fix a memory leak when attempted pnfs fails")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/pnfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1557,7 +1557,7 @@ pnfs_write_through_mds(struct nfs_pageio
 		nfs_pageio_reset_write_mds(desc);
 		desc->pg_recoalesce = 1;
 	}
-	hdr->release(hdr);
+	hdr->completion_ops->completion(hdr);
 }
 
 static enum pnfs_try_status
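
Review bot: pnfs_write_through_mds() no longer calls hdr->release(hdr), so freeing the header now depends on hdr->completion_ops->completion() doing it, which the hunk does not show. Confirm that every completion_ops implementation reachable here both drops the dreq reference and releases hdr; the same question applies to pnfs_read_through_mds() in the next hunk.
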
@@ -1694,7 +1694,7 @@ pnfs_read_through_mds(struct nfs_pageio_
 		nfs_pageio_reset_read_mds(desc);
 		desc->pg_recoalesce = 1;
 	}
-	hdr->release(hdr);
+	hdr->completion_ops->completion(hdr);
 }
 
 /*

^ permalink raw reply	[flat|nested] 445+ messages in thread

* [PATCH 3.16 359/410] RDMA/ucma: Fix access to non-initialized CM_ID object
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (78 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 289/410] l2tp: avoid using ->tunnel_sock for getting session's parent tunnel Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 304/410] cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() Ben Hutchings
                   ` (329 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sean Hefty, Doug Ledford, syzbot+e6aba77967bd72cbc9d6,
	Leon Romanovsky

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 7688f2c3bbf55e52388e37ac5d63ca471a7712e1 upstream.

An attempt to join a multicast group without ensuring that the CMA device
exists will lead to the following crash reported by syzkaller.

[   64.076794] BUG: KASAN: null-ptr-deref in rdma_join_multicast+0x26e/0x12c0
[   64.076797] Read of size 8 at addr 00000000000000b0 by task join/691
[   64.076797]
[   64.076800] CPU: 1 PID: 691 Comm: join Not tainted 4.16.0-rc1-00219-gb97853b65b93 #23
[   64.076802] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
[   64.076803] Call Trace:
[   64.076809]  dump_stack+0x5c/0x77
[   64.076817]  kasan_report+0x163/0x380
[   64.085859]  ? rdma_join_multicast+0x26e/0x12c0
[   64.086634]  rdma_join_multicast+0x26e/0x12c0
[   64.087370]  ? rdma_disconnect+0xf0/0xf0
[   64.088579]  ? __radix_tree_replace+0xc3/0x110
[   64.089132]  ? node_tag_clear+0x81/0xb0
[   64.089606]  ? idr_alloc_u32+0x12e/0x1a0
[   64.090517]  ? __fprop_inc_percpu_max+0x150/0x150
[   64.091768]  ? tracing_record_taskinfo+0x10/0xc0
[   64.092340]  ? idr_alloc+0x76/0xc0
[   64.092951]  ? idr_alloc_u32+0x1a0/0x1a0
[   64.093632]  ? ucma_process_join+0x23d/0x460
[   64.094510]  ucma_process_join+0x23d/0x460
[   64.095199]  ? ucma_migrate_id+0x440/0x440
[   64.095696]  ? futex_wake+0x10b/0x2a0
[   64.096159]  ucma_join_multicast+0x88/0xe0
[   64.096660]  ? ucma_process_join+0x460/0x460
[   64.097540]  ? _copy_from_user+0x5e/0x90
[   64.098017]  ucma_write+0x174/0x1f0
[   64.098640]  ? ucma_resolve_route+0xf0/0xf0
[   64.099343]  ? rb_erase_cached+0x6c7/0x7f0
[   64.099839]  __vfs_write+0xc4/0x350
[   64.100622]  ? perf_syscall_enter+0xe4/0x5f0
[   64.101335]  ? kernel_read+0xa0/0xa0
[   64.103525]  ? perf_sched_cb_inc+0xc0/0xc0
[   64.105510]  ? syscall_exit_register+0x2a0/0x2a0
[   64.107359]  ? __switch_to+0x351/0x640
[   64.109285]  ? fsnotify+0x899/0x8f0
[   64.111610]  ? fsnotify_unmount_inodes+0x170/0x170
[   64.113876]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
[   64.115813]  ? ring_buffer_record_is_on+0xd/0x20
[   64.117824]  ? __fget+0xa8/0xf0
[   64.119869]  vfs_write+0xf7/0x280
[   64.122001]  SyS_write+0xa1/0x120
[   64.124213]  ? SyS_read+0x120/0x120
[   64.126644]  ? SyS_read+0x120/0x120
[   64.128563]  do_syscall_64+0xeb/0x250
[   64.130732]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   64.132984] RIP: 0033:0x7f5c994ade99
[   64.135699] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   64.138740] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
[   64.141056] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
[   64.143536] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
[   64.146017] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
[   64.148608] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
[   64.151060]
[   64.153703] Disabling lock debugging due to kernel taint
[   64.156032] BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
[   64.159066] IP: rdma_join_multicast+0x26e/0x12c0
[   64.161451] PGD 80000001d0298067 P4D 80000001d0298067 PUD 1dea39067 PMD 0
[   64.164442] Oops: 0000 [#1] SMP KASAN PTI
[   64.166817] CPU: 1 PID: 691 Comm: join Tainted: G    B 4.16.0-rc1-00219-gb97853b65b93 #23
[   64.170004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
[   64.174985] RIP: 0010:rdma_join_multicast+0x26e/0x12c0
[   64.177246] RSP: 0018:ffff8801c8207860 EFLAGS: 00010282
[   64.179901] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff94789522
[   64.183344] RDX: 1ffffffff2d50fa5 RSI: 0000000000000297 RDI: 0000000000000297
[   64.186237] RBP: ffff8801c8207a50 R08: 0000000000000000 R09: ffffed0039040ea7
[   64.189328] R10: 0000000000000001 R11: ffffed0039040ea6 R12: 0000000000000000
[   64.192634] R13: 0000000000000000 R14: ffff8801e2022800 R15: ffff8801d4ac2400
[   64.196105] FS:  00007f5c99b98700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000
[   64.199211] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   64.202046] CR2: 00000000000000b0 CR3: 00000001d1c48004 CR4: 00000000003606a0
[   64.205032] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   64.208221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   64.211554] Call Trace:
[   64.213464]  ? rdma_disconnect+0xf0/0xf0
[   64.216124]  ? __radix_tree_replace+0xc3/0x110
[   64.219337]  ? node_tag_clear+0x81/0xb0
[   64.222140]  ? idr_alloc_u32+0x12e/0x1a0
[   64.224422]  ? __fprop_inc_percpu_max+0x150/0x150
[   64.226588]  ? tracing_record_taskinfo+0x10/0xc0
[   64.229763]  ? idr_alloc+0x76/0xc0
[   64.232186]  ? idr_alloc_u32+0x1a0/0x1a0
[   64.234505]  ? ucma_process_join+0x23d/0x460
[   64.237024]  ucma_process_join+0x23d/0x460
[   64.240076]  ? ucma_migrate_id+0x440/0x440
[   64.243284]  ? futex_wake+0x10b/0x2a0
[   64.245302]  ucma_join_multicast+0x88/0xe0
[   64.247783]  ? ucma_process_join+0x460/0x460
[   64.250841]  ? _copy_from_user+0x5e/0x90
[   64.253878]  ucma_write+0x174/0x1f0
[   64.257008]  ? ucma_resolve_route+0xf0/0xf0
[   64.259877]  ? rb_erase_cached+0x6c7/0x7f0
[   64.262746]  __vfs_write+0xc4/0x350
[   64.265537]  ? perf_syscall_enter+0xe4/0x5f0
[   64.267792]  ? kernel_read+0xa0/0xa0
[   64.270358]  ? perf_sched_cb_inc+0xc0/0xc0
[   64.272575]  ? syscall_exit_register+0x2a0/0x2a0
[   64.275367]  ? __switch_to+0x351/0x640
[   64.277700]  ? fsnotify+0x899/0x8f0
[   64.280530]  ? fsnotify_unmount_inodes+0x170/0x170
[   64.283156]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
[   64.286182]  ? ring_buffer_record_is_on+0xd/0x20
[   64.288749]  ? __fget+0xa8/0xf0
[   64.291136]  vfs_write+0xf7/0x280
[   64.292972]  SyS_write+0xa1/0x120
[   64.294965]  ? SyS_read+0x120/0x120
[   64.297474]  ? SyS_read+0x120/0x120
[   64.299751]  do_syscall_64+0xeb/0x250
[   64.301826]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   64.304352] RIP: 0033:0x7f5c994ade99
[   64.306711] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   64.309577] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
[   64.312334] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
[   64.315783] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
[   64.318365] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
[   64.320980] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
[   64.323515] Code: e8 e8 79 08 ff 4c 89 ff 45 0f b6 a7 b8 01 00 00 e8 68 7c 08 ff 49 8b 1f 4d 89 e5 49 c1 e4 04 48 8
[   64.330753] RIP: rdma_join_multicast+0x26e/0x12c0 RSP: ffff8801c8207860
[   64.332979] CR2: 00000000000000b0
[   64.335550] ---[ end trace 0c00c17a408849c1 ]---

Reported-by: <syzbot+e6aba77967bd72cbc9d6@syzkaller.appspotmail.com>
Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/cma.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -3355,6 +3355,9 @@ int rdma_join_multicast(struct rdma_cm_i
 	struct cma_multicast *mc;
 	int ret;
 
+	if (!id->device)
+		return -EINVAL;
+
 	id_priv = container_of(id, struct rdma_id_private, id);
 	if (!cma_comp(id_priv, RDMA_CM_ADDR_BOUND) &&
 	    !cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED))
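
Review bot: the new `if (!id->device)` test at the top of rdma_join_multicast() has no comment, and it sits in front of a state check that a reader would expect to cover the same case. Since the reported crash happened despite the existing RDMA_CM_ADDR_BOUND / RDMA_CM_ADDR_RESOLVED test, a one-line comment saying that an id can be in one of those states with no device attached would stop a later cleanup from removing the guard as redundant. The changelog should also say whether other entry points that read id->device were checked for the same gap.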

* [PATCH 3.16 047/410] x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier)  support
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, pbonzini, tim.c.chen, peterz,
	ashok.raj, David Woodhouse, bp, ak, gregkh, dave.hansen,
	KarimAllah Ahmed, torvalds, arjan, gnomes

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dwmw@amazon.co.uk>

commit 20ffa1caecca4db8f79fe665acdeaa5af815a24d upstream.

Expose indirect_branch_prediction_barrier() for use in subsequent patches.

[ tglx: Add IBPB status to spectre_v2 sysfs file ]

Co-developed-by: KarimAllah Ahmed <karahmed@amazon.de>
Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: ak@linux.intel.com
Cc: ashok.raj@intel.com
Cc: dave.hansen@intel.com
Cc: arjan@linux.intel.com
Cc: torvalds@linux-foundation.org
Cc: peterz@infradead.org
Cc: bp@alien8.de
Cc: pbonzini@redhat.com
Cc: tim.c.chen@linux.intel.com
Cc: gregkh@linux-foundation.org
Link: https://lkml.kernel.org/r/1516896855-7642-8-git-send-email-dwmw@amazon.co.uk
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Renumber the feature bit
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/cpufeature.h    |  2 ++
 arch/x86/include/asm/nospec-branch.h | 13 +++++++++++++
 arch/x86/kernel/cpu/bugs.c           | 10 +++++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -189,6 +189,8 @@
 #define X86_FEATURE_INVPCID_SINGLE (7*32+10) /* Effectively INVPCID && CR4.PCIDE=1 */
 #define X86_FEATURE_RSB_CTXSW	(7*32+11) /* "" Fill RSB on context switches */
 
+#define X86_FEATURE_IBPB	(7*32+12) /* Indirect Branch Prediction Barrier enabled*/
+
 #define X86_FEATURE_RETPOLINE	(7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */
 #define X86_FEATURE_RETPOLINE_AMD (7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
 /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
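
Review bot: the comment on the new X86_FEATURE_IBPB define does not start with the `""` marker that X86_FEATURE_RSB_CTXSW and both RETPOLINE bits next to it use, so this synthetic bit will show up as a flag in /proc/cpuinfo while its neighbours stay hidden. If that is intended, say so in the changelog; if not, add the marker. The comment is also missing a space before the closing `*/`.
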
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -194,5 +194,18 @@ static inline void vmexit_fill_RSB(void)
 #endif
 }
 
+static inline void indirect_branch_prediction_barrier(void)
+{
+	asm volatile(ALTERNATIVE("",
+				 "movl %[msr], %%ecx\n\t"
+				 "movl %[val], %%eax\n\t"
+				 "movl $0, %%edx\n\t"
+				 "wrmsr",
+				 X86_FEATURE_IBPB)
+		     : : [msr] "i" (MSR_IA32_PRED_CMD),
+			 [val] "i" (PRED_CMD_IBPB)
+		     : "eax", "ecx", "edx", "memory");
+}
+
 #endif /* __ASSEMBLY__ */
 #endif /* _ASM_X86_NOSPEC_BRANCH_H_ */
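
Review bot: indirect_branch_prediction_barrier() uses MSR_IA32_PRED_CMD and PRED_CMD_IBPB, and neither is defined or included anywhere in this patch, so it only builds if an earlier patch in the series supplies them. The backport note should name that dependency. As the function has no callers yet (the changelog says they arrive in subsequent patches), a short comment above it on when the barrier must be issued would also help.
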
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -358,6 +358,13 @@ retpoline_auto:
 		setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
 		pr_info("Filling RSB on context switch\n");
 	}
+
+	/* Initialize Indirect Branch Prediction Barrier if supported */
+	if (boot_cpu_has(X86_FEATURE_SPEC_CTRL) ||
+	    boot_cpu_has(X86_FEATURE_AMD_PRED_CMD)) {
+		setup_force_cpu_cap(X86_FEATURE_IBPB);
+		pr_info("Enabling Indirect Branch Prediction Barrier\n");
+	}
 }
 
 #undef pr_fmt
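
Review bot: the new block after the RSB fill forces X86_FEATURE_IBPB whenever X86_FEATURE_SPEC_CTRL or X86_FEATURE_AMD_PRED_CMD is set, and nothing in the visible lines ties that to the spectre_v2 mode chosen earlier in the function. Please confirm that the disabled and not-affected cases return before this point, so the barrier is not enabled and logged on a system where the mitigation was turned off. Both feature bits tested here come from outside this patch, which is worth noting for a backport with renumbered bits.
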
@@ -387,7 +394,8 @@ ssize_t cpu_show_spectre_v2(struct devic
 	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
 		return sprintf(buf, "Not affected\n");
 
-	return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+	return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+		       boot_cpu_has(X86_FEATURE_IBPB) ? ", IPBP" : "",
 		       spectre_v2_module_string());
 }
 #endif
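
Review bot: the string added to cpu_show_spectre_v2() is spelled ", IPBP", while the feature, the define and the pr_info() text in this same patch all say IBPB. This is user-visible sysfs output that scripts will match on, so it should read ", IBPB" before it ships in a stable release.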

* [PATCH 3.16 164/410] cifs: Fix missing put_xid in cifs_file_strict_mmap
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Matthew Wilcox

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matthew Wilcox <mawilcox@microsoft.com>

commit f04a703c3d613845ae3141bfaf223489de8ab3eb upstream.

If cifs_zap_mapping() returned an error, we would return without putting
the xid that we got earlier.  Restructure cifs_file_strict_mmap() and
cifs_file_mmap() to be more similar to each other and have a single
point of return that always puts the xid.

Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/file.c | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -3116,20 +3116,18 @@ static struct vm_operations_struct cifs_
 
 int cifs_file_strict_mmap(struct file *file, struct vm_area_struct *vma)
 {
-	int rc, xid;
+	int xid, rc = 0;
 	struct inode *inode = file_inode(file);
 
 	xid = get_xid();
 
-	if (!CIFS_CACHE_READ(CIFS_I(inode))) {
+	if (!CIFS_CACHE_READ(CIFS_I(inode)))
 		rc = cifs_zap_mapping(inode);
-		if (rc)
-			return rc;
-	}
-
-	rc = generic_file_mmap(file, vma);
-	if (rc == 0)
+	if (!rc)
+		rc = generic_file_mmap(file, vma);
+	if (!rc)
 		vma->vm_ops = &cifs_file_vm_ops;
+
 	free_xid(xid);
 	return rc;
 }
@@ -3139,16 +3137,16 @@ int cifs_file_mmap(struct file *file, st
 	int rc, xid;
 
 	xid = get_xid();
+
 	rc = cifs_revalidate_file(file);
-	if (rc) {
+	if (rc)
 		cifs_dbg(FYI, "Validation prior to mmap failed, error=%d\n",
 			 rc);
-		free_xid(xid);
-		return rc;
-	}
-	rc = generic_file_mmap(file, vma);
-	if (rc == 0)
+	if (!rc)
+		rc = generic_file_mmap(file, vma);
+	if (!rc)
 		vma->vm_ops = &cifs_file_vm_ops;
+
 	free_xid(xid);
 	return rc;
 }
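
Review bot: in cifs_file_mmap() the removed error branch already called free_xid(xid) before returning, so this hunk fixes no leak and is a pure restructuring that the subject line does not mention. For a stable backport it would be safer to either drop it or say in the changelog that it is behaviour-neutral. If it stays, the `if (rc)` whose cifs_dbg() call spans two lines should keep its braces, per the usual kernel style for multi-line bodies.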

* [PATCH 3.16 395/410] batman-adv: fix packet loss for broadcasted DHCP packets to a server
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Lüssing, Sven Eckelmann, Simon Wunderlich

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Lüssing <linus.luessing@c0d3.blue>

commit a752c0a4524889cdc0765925258fd1fd72344100 upstream.

DHCP connectivity issues can currently occur if the following conditions
are met:

1) A DHCP packet from a client to a server
2) This packet has a multicast destination
3) This destination has a matching entry in the translation table
   (FF:FF:FF:FF:FF:FF for IPv4, 33:33:00:01:00:02/33:33:00:01:00:03
    for IPv6)
4) The orig-node determined by TT for the multicast destination
   does not match the orig-node determined by best-gateway-selection

In this case the DHCP packet will be dropped.

The "gateway-out-of-range" check is supposed to only be applied to
unicasted DHCP packets to a specific DHCP server.

In that case dropping the unicasted frame forces the client to
retry via a broadcasted one, but now directed to the new best
gateway.

A DHCP packet with broadcast/multicast destination is already ensured to
always be delivered to the best gateway. Dropping a multicasted
DHCP packet here will only prevent completing DHCP as there is no
other fallback.

So far, it seems the unicast check was implicitly performed by
expecting the batadv_transtable_search() to return NULL for multicast
destinations. However, a multicast address could have always ended up in
the translation table and in fact is now common.

To fix this potential loss of a DHCP client-to-server packet to a
multicast address this patch adds an explicit multicast destination
check to reliably bail out of the gateway-out-of-range check for such
destinations.

The issue and fix were tested in the following three node setup:

- Line topology, A-B-C
- A: gateway client, DHCP client
- B: gateway server, hop-penalty increased: 30->60, DHCP server
- C: gateway server, code modifications to announce FF:FF:FF:FF:FF:FF

Without this patch, A would never transmit its DHCP Discover packet
due to an always "out-of-range" condition. With this patch,
a full DHCP handshake between A and B was possible again.

Fixes: be7af5cf9cae ("batman-adv: refactoring gateway handling code")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16: Drop redundant change to initialisation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -804,6 +804,9 @@ bool batadv_gw_out_of_range(struct batad
 
 	vid = batadv_get_vid(skb, 0);
 
+	if (is_multicast_ether_addr(ethhdr->h_dest))
+		goto out;
+
 	orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
 						 ethhdr->h_dest, vid);
 	if (!orig_dst_node)
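
Review bot: the added `goto out` in batadv_gw_out_of_range() returns whatever the result variable holds at that moment, and its initialisation is not visible in this hunk. The backport note says the change to the initialisation was dropped as redundant, so please confirm that in 3.16 the variable already starts as false; otherwise multicast DHCP frames would be reported as out of range, which is the opposite of what the changelog intends. A short comment above the is_multicast_ether_addr() test saying the range check applies to unicast only would also help.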

* [PATCH 3.16 277/410] regulatory: add NUL to request alpha2
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kees Cook, Johannes Berg

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 657308f73e674e86b60509a430a46e569bf02846 upstream.

Similar to the ancient commit a5fe8e7695dc ("regulatory: add NUL
to alpha2"), add another byte to alpha2 in the request struct so
that when we use nla_put_string(), we don't overrun anything.

Fixes: 73d54c9e74c4 ("cfg80211: add regulatory netlink multicast group")
Reported-by: Kees Cook <keescook@google.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/regulatory.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/regulatory.h
+++ b/include/net/regulatory.h
@@ -78,7 +78,7 @@ struct regulatory_request {
 	int wiphy_idx;
 	enum nl80211_reg_initiator initiator;
 	enum nl80211_user_reg_hint_type user_reg_hint_type;
-	char alpha2[2];
+	char alpha2[3];
 	enum nl80211_dfs_regions dfs_region;
 	bool intersect;
 	bool processed;
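
Review bot: growing alpha2 to three bytes in struct regulatory_request only makes room for the terminator; nothing in this hunk guarantees that alpha2[2] is actually zero when nla_put_string() reads it. Please state in the changelog that every request is zero-allocated and that no writer copies more than two bytes into the field, and add a comment on the member such as "two-letter code plus NUL" so the extra byte is not taken for padding later.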

* [PATCH 3.16 410/410] net: Fix untag for vlan packets without ethernet header
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Eric Dumazet, Toshiaki Makita

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>

commit ae4745730cf8e693d354ccd4dbaf59ea440c09a9 upstream.

In some situations vlan packets do not have ethernet headers. One example
is packets from tun devices. Users can specify vlan protocol in tun_pi
field instead of IP protocol, and skb_vlan_untag() attempts to untag such
packets.

skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it)
however did not expect packets without ethernet headers, so in such a case
the size argument for memmove() underflowed and triggered a crash.

====
BUG: unable to handle kernel paging request at ffff8801cccb8000
IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101
Oops: 000b [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287
RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2
RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000
RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899
R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4
R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40
FS:  00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 memmove include/linux/string.h:360 [inline]
 skb_reorder_vlan_header net/core/skbuff.c:5031 [inline]
 skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061
 __netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701
 netif_receive_skb+0xae/0x390 net/core/dev.c:4725
 tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555
 tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962
 tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990
 call_write_iter include/linux/fs.h:1782 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x684/0x970 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x454879
RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879
RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000
Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 <f3> a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20
RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28
CR2: ffff8801cccb8000
====

We don't need to copy headers for packets which do not have preceding
headers of vlan headers, so skip memmove() in that case.

Fixes: 4bbb3e0e8239 ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/skbuff.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4002,8 +4002,10 @@ static struct sk_buff *skb_reorder_vlan_
 	}
 
 	mac_len = skb->data - skb_mac_header(skb);
-	memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
-		mac_len - VLAN_HLEN - ETH_TLEN);
+	if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
+		memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
+			mac_len - VLAN_HLEN - ETH_TLEN);
+	}
 	skb->mac_header += VLAN_HLEN;
 	return skb;
 }
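
Review bot: the new guard in skb_reorder_vlan_header() skips only the memmove(); `skb->mac_header += VLAN_HLEN` still runs when mac_len is too short. The changelog explains why the copy is unnecessary for packets with no preceding header but does not say that advancing mac_header is still correct for them, so please add a sentence or a comment above the `if` covering that case. The comment could also record that the length passed to memmove() is `mac_len - VLAN_HLEN - ETH_TLEN`, which is why the test compares against the sum of both constants.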

* [PATCH 3.16 168/410] android: binder: use VM_ALLOC to get vm area
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Ganesh Mahendran, Todd Kjos, Martijn Coenen

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ganesh Mahendran <opensource.ganesh@gmail.com>

commit aac6830ec1cb681544212838911cdc57f2638216 upstream.

VM_IOREMAP is used to access hardware through a mechanism called
I/O mapped memory. Android binder is an IPC mechanism which will
not access I/O memory.

And VM_IOREMAP has an alignment requirement which may not be needed in
binder.
    __get_vm_area_node()
    {
    ...
        if (flags & VM_IOREMAP)
            align = 1ul << clamp_t(int, fls_long(size),
               PAGE_SHIFT, IOREMAP_MAX_ORDER);
    ...
    }

This patch will save some kernel vm area, especially for 32bit OS.

In 32bit OS, kernel vm area is only 240MB. We may get the below
error when launching an app:

<3>[ 4482.440053] binder_alloc: binder_alloc_mmap_handler: 15728 8ce67000-8cf65000 get_vm_area failed -12
<3>[ 4483.218817] binder_alloc: binder_alloc_mmap_handler: 15745 8ce67000-8cf65000 get_vm_area failed -12

Signed-off-by: Ganesh Mahendran <opensource.ganesh@gmail.com>
Acked-by: Martijn Coenen <maco@android.com>
Acked-by: Todd Kjos <tkjos@google.com>

----
V3: update comments
V2: update comments
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/binder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -2808,7 +2808,7 @@ static int binder_mmap(struct file *filp
 		goto err_already_mapped;
 	}
 
-	area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP);
+	area = get_vm_area(vma->vm_end - vma->vm_start, VM_ALLOC);
 	if (area == NULL) {
 		ret = -ENOMEM;
 		failure_string = "get_vm_area";
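
Review bot: the get_vm_area() call in binder_mmap() changes its flag from VM_IOREMAP to VM_ALLOC with no comment at the call site, although the V2 and V3 notes in the changelog both say "update comments". A short comment here saying that binder maps ordinary pages and so does not need the VM_IOREMAP alignment would keep the flag from being switched back. The changelog should also confirm that nothing later in the driver depends on the area having been tagged VM_IOREMAP.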

* [PATCH 3.16 037/410] KVM: x86: rename update_db_bp_intercept to update_bp_intercept
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paolo Bonzini

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit a96036b8ef7df9f10cd575c0d78359bd33188e8e upstream.

Because #DB is now intercepted unconditionally, this callback
only operates on #BP for both VMX and SVM.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[carnil: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/kvm_host.h | 2 +-
 arch/x86/kvm/svm.c              | 2 +-
 arch/x86/kvm/vmx.c              | 2 +-
 arch/x86/kvm/x86.c              | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -682,7 +682,7 @@ struct kvm_x86_ops {
 	void (*vcpu_load)(struct kvm_vcpu *vcpu, int cpu);
 	void (*vcpu_put)(struct kvm_vcpu *vcpu);
 
-	void (*update_db_bp_intercept)(struct kvm_vcpu *vcpu);
+	void (*update_bp_intercept)(struct kvm_vcpu *vcpu);
 	int (*get_msr)(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata);
 	int (*set_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr);
 	u64 (*get_segment_base)(struct kvm_vcpu *vcpu, int seg);
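
Review bot: the renamed update_bp_intercept member of struct kvm_x86_ops still has no comment, and the reason for the rename (that #DB is now intercepted unconditionally) lives only in the changelog. A one-line comment on the member would carry that forward. The backport note should also name the earlier patch in this series that makes #DB interception unconditional, since this rename is only accurate once that change is applied.
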
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4353,7 +4353,7 @@ static struct kvm_x86_ops svm_x86_ops =
 	.vcpu_load = svm_vcpu_load,
 	.vcpu_put = svm_vcpu_put,
 
-	.update_db_bp_intercept = update_bp_intercept,
+	.update_bp_intercept = update_bp_intercept,
 	.get_msr = svm_get_msr,
 	.set_msr = svm_set_msr,
 	.get_segment_base = svm_get_segment_base,
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8932,7 +8932,7 @@ static struct kvm_x86_ops vmx_x86_ops =
 	.vcpu_load = vmx_vcpu_load,
 	.vcpu_put = vmx_vcpu_put,
 
-	.update_db_bp_intercept = update_exception_bitmap,
+	.update_bp_intercept = update_exception_bitmap,
 	.get_msr = vmx_get_msr,
 	.set_msr = vmx_set_msr,
 	.get_segment_base = vmx_get_segment_base,
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6732,7 +6732,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
 	 */
 	kvm_set_rflags(vcpu, rflags);
 
-	kvm_x86_ops->update_db_bp_intercept(vcpu);
+	kvm_x86_ops->update_bp_intercept(vcpu);
 
 	r = 0;
 

* [PATCH 3.16 350/410] libata: Enable queued TRIM for Samsung SSD 860
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Martin K. Petersen, Tejun Heo, Ju Hyung Park

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ju Hyung Park <qkrwngud825@gmail.com>

commit ca6bfcb2f6d9deab3924bf901e73622a94900473 upstream.

Samsung explicitly states that queued TRIM is supported for Linux with
860 PRO and 860 EVO.

Make the previous blacklist cover only 840 and 850 series.

Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: There's no ATA_HORKAGE_ZERO_AFTER_TRIM flag]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4237,7 +4237,8 @@ static const struct ata_blacklist_entry
 	{ "Micron_M5[15]0_*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
 	{ "Crucial_CT*M550*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
 	{ "Crucial_CT*MX100*",		"MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
-	{ "Samsung SSD 8*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
+	{ "Samsung SSD 840*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
+	{ "Samsung SSD 850*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
 	{ "FCCT*M500*",			NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
 
 	/* devices that don't properly handle TRIM commands */
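
Review bot: The two replacement globs, "Samsung SSD 840*" and "Samsung SSD 850*", cover less than the removed "Samsung SSD 8*": besides the 860 series named in the commit message, any other model string beginning with "Samsung SSD 8" also loses ATA_HORKAGE_NO_NCQ_TRIM. The commit message cites a vendor statement only for 860 PRO and 860 EVO, so it should say whether other 8xx model strings were considered, or the table should keep an entry for them.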

* [PATCH 3.16 370/410] batman-adv: fix header size check in batadv_dbg_arp()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (303 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 168/410] android: binder: use VM_ALLOC to get vm area Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 175/410] media: cxusb, dib0700: ignore XC2028_I2C_FLUSH Ben Hutchings
                   ` (104 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Matthias Schiffer, Sven Eckelmann, Simon Wunderlich

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Schiffer <mschiffer@universe-factory.net>

commit 6f27d2c2a8c236d296201c19abb8533ec20d212b upstream.

Checking for 0 is insufficient: when an SKB without a batadv header, but
with a VLAN header is received, hdr_size will be 4, making the following
code interpret the Ethernet header as a batadv header.

Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/distributed-arp-table.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -343,7 +343,7 @@ static void batadv_dbg_arp(struct batadv
 		   batadv_arp_hw_src(skb, hdr_size), &ip_src,
 		   batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
 
-	if (hdr_size == 0)
+	if (hdr_size < sizeof(struct batadv_unicast_packet))
 		return;
 
 	unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
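
Review bot: The new bound in the hdr_size check is sizeof(struct batadv_unicast_packet), but the line directly after the return casts skb->data to struct batadv_unicast_4addr_packet. If the code that follows reads any field that exists only in the 4addr layout, hdr_size should be compared against that structure's size before the access; otherwise a comment stating that only the common unicast fields are read until the packet type is known would make the choice of bound clear. Note also that batadv_arp_hw_src(skb, hdr_size) and batadv_arp_hw_dst(skb, hdr_size) above the check have already used hdr_size as an offset, so this test protects only the decoding below it.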

* [PATCH 3.16 357/410] fs/aio: Add explicit RCU grace period when freeing kioctx
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (354 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 351/410] route: remove unsed variable in __mkroute_input Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 210/410] pipe, sysctl: drop 'min' parameter from pipe-max-size converter Ben Hutchings
                   ` (53 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jann Horn, Kent Overstreet, Tejun Heo, Linus Torvalds

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit a6d7cff472eea87d96899a20fa718d2bab7109f3 upstream.

While fixing refcounting, e34ecee2ae79 ("aio: Fix a trinity splat")
incorrectly removed explicit RCU grace period before freeing kioctx.
The intention seems to be depending on the internal RCU grace periods
of percpu_ref; however, percpu_ref uses a different flavor of RCU,
sched-RCU.  This can lead to kioctx being freed while RCU read
protected dereferences are still in progress.

Fix it by updating free_ioctx() to go through call_rcu() explicitly.

v2: Comment added to explain double bouncing.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Jann Horn <jannh@google.com>
Fixes: e34ecee2ae79 ("aio: Fix a trinity splat")
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/aio.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

--- a/fs/aio.c
+++ b/fs/aio.c
@@ -115,7 +115,8 @@ struct kioctx {
 	struct page		**ring_pages;
 	long			nr_pages;
 
-	struct work_struct	free_work;
+	struct rcu_head		free_rcu;
+	struct work_struct	free_work;	/* see free_ioctx() */
 
 	/*
 	 * signals when all in-flight requests are done
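
Review bot: free_rcu is added without a comment while free_work gains "see free_ioctx()"; both fields belong to the same two-step teardown, so the pointer to the free_ioctx() comment should cover free_rcu as well, for example as one comment above the pair.
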
@@ -512,6 +513,12 @@ static int kiocb_cancel(struct kiocb *ki
 	return cancel(kiocb);
 }
 
+/*
+ * free_ioctx() should be RCU delayed to synchronize against the RCU
+ * protected lookup_ioctx() and also needs process context to call
+ * aio_free_ring(), so the double bouncing through kioctx->free_rcu and
+ * ->free_work.
+ */
 static void free_ioctx(struct work_struct *work)
 {
 	struct kioctx *ctx = container_of(work, struct kioctx, free_work);
@@ -523,6 +530,14 @@ static void free_ioctx(struct work_struc
 	kmem_cache_free(kioctx_cachep, ctx);
 }
 
+static void free_ioctx_rcufn(struct rcu_head *head)
+{
+	struct kioctx *ctx = container_of(head, struct kioctx, free_rcu);
+
+	INIT_WORK(&ctx->free_work, free_ioctx);
+	schedule_work(&ctx->free_work);
+}
+
 static void free_ioctx_reqs(struct percpu_ref *ref)
 {
 	struct kioctx *ctx = container_of(ref, struct kioctx, reqs);
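
Review bot: free_ioctx_rcufn() carries no comment of its own saying that it runs as the call_rcu() callback and therefore only hands the context on to the workqueue; the explanation sits above free_ioctx() in the previous hunk. A one-line comment here pointing at it would keep a later cleanup from folding the two steps back into a direct schedule_work(), which is the form the last hunk removes from free_ioctx_reqs() and the commit message describes as missing the grace period.
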
@@ -531,8 +546,8 @@ static void free_ioctx_reqs(struct percp
 	if (ctx->rq_wait && atomic_dec_and_test(&ctx->rq_wait->count))
 		complete(&ctx->rq_wait->comp);
 
-	INIT_WORK(&ctx->free_work, free_ioctx);
-	schedule_work(&ctx->free_work);
+	/* Synchronize against RCU protected table->table[] dereferences */
+	call_rcu(&ctx->free_rcu, free_ioctx_rcufn);
 }
 
 /*
@@ -754,7 +769,7 @@ static int kill_ioctx(struct mm_struct *
 	table->table[ctx->id] = NULL;
 	spin_unlock(&mm->ioctx_lock);
 
-	/* percpu_ref_kill() will do the necessary call_rcu() */
+	/* free_ioctx_reqs() will do the necessary RCU synchronization */
 	wake_up_all(&ctx->wait);
 
 	/*

* [PATCH 3.16 034/410] x86/entry/64: Don't use IST entry for #BP stack
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 141/410] nfs: Do not convert nfs_idmap_cache_timeout to jiffies Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 386/410] MIPS: ralink: Remove ralink_halt() Ben Hutchings
                   ` (405 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Linus Torvalds, Andy Lutomirski

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 upstream.

There's nothing IST-worthy about #BP/int3.  We don't allow kprobes
in the small handful of places in the kernel that run at CPL0 with
an invalid stack, and 32-bit kernels have used normal interrupt
gates for #BP forever.

Furthermore, we don't allow kprobes in places that have usergs while
in kernel mode, so "paranoid" is also unnecessary.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[carnil: Backport to 3.16:
 - Adjust filename change: arch/x86/kernel/entry_64.S
 - Context changes
]
[bwh: Rebase on top of "x86/traps: Enable DEBUG_STACK after cpu_init() for
 TRAP_DB/BP", and restore change in trap_init() instead of early_trap_init()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1322,7 +1322,7 @@ apicinterrupt3 HYPERVISOR_CALLBACK_VECTO
 #endif /* CONFIG_HYPERV */
 
 idtentry debug do_debug has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
-idtentry int3 do_int3 has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
+idtentry int3 do_int3 has_error_code=0
 idtentry stack_segment do_stack_segment has_error_code=1
 #ifdef CONFIG_XEN
 idtentry xen_debug do_debug has_error_code=0
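
Review bot: The int3 line drops both paranoid=1 and shift_ist=DEBUG_STACK and leaves no comment behind, while the debug line above keeps them. The reasons exist only in the commit message (no kprobes where the kernel runs at CPL0 with an invalid stack, or with usergs in kernel mode); a short comment next to the int3 entry recording that invariant would keep the two entries from being made to match again later.
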
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -334,7 +334,6 @@ exit:
 }
 NOKPROBE_SYMBOL(do_general_protection);
 
-/* May run on IST stack. */
 dotraplinkage void notrace do_int3(struct pt_regs *regs, long error_code)
 {
 	enum ctx_state prev_state;
@@ -367,15 +366,9 @@ dotraplinkage void notrace do_int3(struc
 			SIGTRAP) == NOTIFY_STOP)
 		goto exit;
 
-	/*
-	 * Let others (NMI) know that the debug stack is in use
-	 * as we may switch to the interrupt stack.
-	 */
-	debug_stack_usage_inc();
 	preempt_conditional_sti(regs);
 	do_trap(X86_TRAP_BP, SIGTRAP, "int3", regs, error_code, NULL);
 	preempt_conditional_cli(regs);
-	debug_stack_usage_dec();
 exit:
 	exception_exit(prev_state);
 }
@@ -862,19 +855,16 @@ void __init trap_init(void)
 	cpu_init();
 
 	/*
-	 * X86_TRAP_DB and X86_TRAP_BP have been set
-	 * in early_trap_init(). However, DEBUG_STACK works only after
-	 * cpu_init() loads TSS. See comments in early_trap_init().
+	 * X86_TRAP_DB was installed in early_trap_init(). However,
+	 * DEBUG_STACK works only after cpu_init() loads TSS. See comments
+	 * in early_trap_init().
 	 */
 	set_intr_gate_ist(X86_TRAP_DB, &debug, DEBUG_STACK);
-	/* int3 can be called from all */
-	set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK);
 
 	x86_init.irqs.trap_init();
 
 #ifdef CONFIG_X86_64
 	memcpy(&debug_idt_table, &idt_table, IDT_ENTRIES * 16);
 	set_nmi_gate(X86_TRAP_DB, &debug);
-	set_nmi_gate(X86_TRAP_BP, &int3);
 #endif
 }
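
Review bot: With set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK) removed from trap_init(), the #BP gate is whatever was installed earlier, and this hunk does not show that installation. Since the backport note says the change was restored in trap_init() instead of early_trap_init(), confirm that the gate left in place for X86_TRAP_BP in this tree is a non-IST system gate, because the entry stub no longer applies the IST shift. Dropping set_nmi_gate(X86_TRAP_BP, &int3) also relies on the memcpy() from idt_table having copied a usable #BP entry into debug_idt_table; a comment at the memcpy() saying so would help.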

* [PATCH 3.16 161/410] s390: fix handling of -1 in set{,fs}[gu]id16 syscalls
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (314 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 195/410] arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 037/410] KVM: x86: rename update_db_bp_intercept to update_bp_intercept Ben Hutchings
                   ` (93 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin Schwidefsky, Heiko Carstens, Eugene Syromiatnikov

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eugene Syromiatnikov <esyr@redhat.com>

commit 6dd0d2d22aa363fec075cb2577ba273ac8462e94 upstream.

For some reason, the implementation of some 16-bit ID system calls
(namely, setuid16/setgid16 and setfsuid16/setfsgid16) used type cast
instead of low2highgid/low2highuid macros for converting [GU]IDs, which
led to incorrect handling of value of -1 (which ought to be considered
invalid).

Discovered by strace test suite.

Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/kernel/compat_linux.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/s390/kernel/compat_linux.c
+++ b/arch/s390/kernel/compat_linux.c
@@ -110,7 +110,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setregid16,
 
 COMPAT_SYSCALL_DEFINE1(s390_setgid16, u16, gid)
 {
-	return sys_setgid((gid_t)gid);
+	return sys_setgid(low2highgid(gid));
 }
 
 COMPAT_SYSCALL_DEFINE2(s390_setreuid16, u16, ruid, u16, euid)
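
Review bot: The changed line in s390_setgid16 (and the matching lines in the hunks below) gives no hint why the macro is used instead of the cast; the two forms differ only for the 16-bit value 0xffff, which the macro widens to -1. A one-line comment at this first call site would keep a later cleanup from turning the calls back into casts. The commit message says the problem was found by the strace test suite; naming the test there would make the fix easier to re-verify on 3.16.
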
@@ -120,7 +120,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setreuid16,
 
 COMPAT_SYSCALL_DEFINE1(s390_setuid16, u16, uid)
 {
-	return sys_setuid((uid_t)uid);
+	return sys_setuid(low2highuid(uid));
 }
 
 COMPAT_SYSCALL_DEFINE3(s390_setresuid16, u16, ruid, u16, euid, u16, suid)
@@ -173,12 +173,12 @@ COMPAT_SYSCALL_DEFINE3(s390_getresgid16,
 
 COMPAT_SYSCALL_DEFINE1(s390_setfsuid16, u16, uid)
 {
-	return sys_setfsuid((uid_t)uid);
+	return sys_setfsuid(low2highuid(uid));
 }
 
 COMPAT_SYSCALL_DEFINE1(s390_setfsgid16, u16, gid)
 {
-	return sys_setfsgid((gid_t)gid);
+	return sys_setfsgid(low2highgid(gid));
 }
 
 static int groups16_to_user(u16 __user *grouplist, struct group_info *group_info)

* [PATCH 3.16 403/410] ALSA: pcm: potential uninitialized return values
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (161 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 144/410] MIPS: Fix clean of vmlinuz.{32,ecoff,bin,srec} Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 395/410] batman-adv: fix packet loss for broadcasted DHCP packets to a server Ben Hutchings
                   ` (246 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Dan Carpenter

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream.

Smatch complains that "tmp" can be uninitialized if we do a zero size
write.

Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/oss/pcm_oss.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1362,7 +1362,7 @@ static ssize_t snd_pcm_oss_write2(struct
 static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes)
 {
 	size_t xfer = 0;
-	ssize_t tmp;
+	ssize_t tmp = 0;
 	struct snd_pcm_runtime *runtime = substream->runtime;
 
 	if (atomic_read(&substream->mmap_count))
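
Review bot: Initialising tmp to 0 in snd_pcm_oss_write1() removes the uninitialised read, but the hunk does not show where tmp is returned, so it is not visible what a zero-size write now yields. Confirm that 0 is the intended return value for bytes == 0 and say so in the commit message; if an error code was expected there, the initialiser should be that code instead. The same question applies to snd_pcm_oss_read1() in the next hunk.
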
@@ -1469,7 +1469,7 @@ static ssize_t snd_pcm_oss_read2(struct
 static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes)
 {
 	size_t xfer = 0;
-	ssize_t tmp;
+	ssize_t tmp = 0;
 	struct snd_pcm_runtime *runtime = substream->runtime;
 
 	if (atomic_read(&substream->mmap_count))

* [PATCH 3.16 354/410] aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock()
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (254 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 052/410] KVM: nVMX: Eliminate vmcs02 pool Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 031/410] drm: udl: Properly check framebuffer mmap offsets Ben Hutchings
                   ` (153 subsequent siblings)
  409 siblings, 0 replies; 445+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Oleg Nesterov, Benjamin LaHaise

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <oleg@redhat.com>

commit 4b70ac5fd9b58bfaa5f25b4ea48f528aefbf3308 upstream.

On 04/30, Benjamin LaHaise wrote:
>
> > -		ctx->mmap_size = 0;
> > -
> > -		kill_ioctx(mm, ctx, NULL);
> > +		if (ctx) {
> > +			ctx->mmap_size = 0;
> > +			kill_ioctx(mm, ctx, NULL);
> > +		}
>
> Rather than indenting and moving the two lines changing mmap_size and the
> kill_ioctx() call, why not just do "if (!ctx) ... continue;"?  That reduces
> the number of lines changed and avoid excessive indentation.

OK. To me the code looks better/simpler with "if (ctx)", but this is subjective
of course, I won't argue.

The patch still removes the empty line between mmap_size = 0 and kill_ioctx(),
we reset mmap_size only for kill_ioctx(). But feel free to remove this change.

-------------------------------------------------------------------------------
Subject: [PATCH v3 1/2] aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock()

1. We can read ->ioctx_table only once and we do not read rcu_read_lock()
   or even rcu_dereference().

   This mm has no users, nobody else can play with ->ioctx_table. Otherwise
   the code is buggy anyway, if we need rcu_read_lock() in a loop because
   ->ioctx_table can be updated then kfree(table) is obviously wrong.

2. Update the comment. "exit_mmap(mm) is coming" is the good reason to avoid
   munmap(), but another reason is that we simply can't do vm_munmap() unless
   current->mm == mm and this is not true in general, the caller is mmput().

3. We do not really need to nullify mm->ioctx_table before return, probably
   the current code does this to catch the potential problems. But in this
   case RCU_INIT_POINTER(NULL) looks better.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
[bwh: Backported to 3.16: Adjust context to apply after backport of commit
 6098b45b32e6 "aio: block exit_aio() until all context requests are completed"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -803,46 +803,35 @@ EXPORT_SYMBOL(wait_on_sync_kiocb);
  */
 void exit_aio(struct mm_struct *mm)
 {
-	struct kioctx_table *table;
-	struct kioctx *ctx;
-	unsigned i = 0;
+	struct kioctx_table *table = rcu_dereference_raw(mm->ioctx_table);
+	int i;
 
-	while (1) {
+	if (!table)
+		return;
+
+	for (i = 0; i < table->nr; ++i) {
+		struct kioctx *ctx = table->table[i];
 		struct completion requests_done =
 			COMPLETION_INITIALIZER_ONSTACK(requests_done);
 
-		rcu_read_lock();
-		table = rcu_dereference(mm->ioctx_table);
-
-		do {
-			if (!table || i >= table->nr) {
-				rcu_read_unlock();
-				rcu_assign_pointer(mm->ioctx_table, NULL);
-				if (table)
-					kfree(table);
-				return;
-			}
-
-			ctx = table->table[i++];
-		} while (!ctx);
-
-		rcu_read_unlock();
-
+		if (!ctx)
+			continue;
 		/*
-		 * We don't need to bother with munmap() here -
-		 * exit_mmap(mm) is coming and it'll unmap everything.
-		 * Since aio_free_ring() uses non-zero ->mmap_size
-		 * as indicator that it needs to unmap the area,
-		 * just set it to 0; aio_free_ring() is the only
-		 * place that uses ->mmap_size, so it's safe.
+		 * We don't need to bother with munmap() here - exit_mmap(mm)
+		 * is coming and it'll unmap everything. And we simply can't,
+		 * this is not necessarily our ->mm.
+		 * Since kill_ioctx() uses non-zero ->mmap_size as indicator
+		 * that it needs to unmap the area, just set it to 0.
 		 */
 		ctx->mmap_size = 0;
-
 		kill_ioctx(mm, ctx, &requests_done);
 
 		/* Wait until all IO for the context are done. */
 		wait_for_completion(&requests_done);
 	}
+
+	RCU_INIT_POINTER(mm->ioctx_table, NULL);
+	kfree(table);
 }
 
 static void put_reqs_available(struct kioctx *ctx, unsigned nr)
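
Review bot: The loop index changes from "unsigned i" to "int i" and is compared with table->nr in the for condition; if nr is an unsigned field this becomes a mixed signed/unsigned comparison, and keeping the index unsigned avoids it. The rcu_dereference_raw() load also has no comment: the reason it is safe (this mm has no users) is given only in the commit message and belongs next to the load. Since this is a backport with adjusted context, check as well that the rewritten comment, which now says kill_ioctx() tests ->mmap_size where the old text named aio_free_ring(), matches the 3.16 code.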

* [PATCH 3.16 135/410] uas: Log error codes when logging errors
  2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
                   ` (306 preceding siblings ...)
  2018-06-07 14:05 ` [PATCH 3.16 220/410] netlink: ensure to loop over all netns in genlmsg_multicast_allns() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
  2018-06-07 14:05 ` [PATCH 3.16 292/410] l2tp: fix r