* [PATCH 3.16 000/202] 3.16.66-rc1 review
@ 2019-04-27 15:13 Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 080/202] l2tp: copy 4 more bytes to linear part if necessary Ben Hutchings
` (202 more replies)
0 siblings, 203 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm, Denis Kirjanov
This is the start of the stable review cycle for the 3.16.66 release.
There are 202 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed May 01 18:00:00 UTC 2019.
Anything received after that time might be too late.
All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.
Ben.
-------------
Aaro Koskinen (1):
MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
[dcf300a69ac307053dfb35c2e33972e754a98bce]
Alex Williamson (1):
vfio/type1: Limit DMA mappings per container
[492855939bdb59c6f947b0b5b44af9ad82b7e38c]
Alexander Popov (1):
KVM: x86: Fix single-step debugging
[5cc244a20b86090c087073c124284381cdf47234]
Alexandru Ardelean (1):
dmaengine: dmatest: unmap data on a single code-path when xfer done
[0255200bd29afc320c6ea4c1adf8bdc13a9b3c15]
Andrea Arcangeli (1):
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
[04f5866e41fb70690e28397487d8bd8eea7d712a]
Andy Lutomirski (1):
x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
[2a418cf3f5f1caf911af288e978d61c9844b0695]
Andy Shevchenko (1):
dmaengine: dmatest: Abort test in case of mapping error
[6454368a804c4955ccd116236037536f81e5b1f1]
Arend van Spriel (5):
brcmfmac: add subtype check for event handling in data path
[a4176ec356c73a46c07c181c6d04039fafa34a9f]
brcmfmac: assure SSID length from firmware is limited
[1b5e2423164b3670e8bc9174e4762d297990deff]
brcmfmac: consolidate ifp lookup in driver core
[75effb03ee8e4c9d4bbc909118ce5444b047dfde]
brcmfmac: make brcmf_proto_hdrpull() return struct brcmf_if instance
[796cfb65e3ed01a9b08e3a0b93e34120c54bbbd2]
brcmfmac: revise handling events in receive path
[9c349892ccc90c6de2baaa69cc78449f58082273]
Aya Levin (1):
net/mlx4_core: Add masking for a few queries on HCA caps
[a40ded6043658444ee4dd6ee374119e4e98b33fc]
B-Ak (1):
ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode
[667e9334fa64da2273e36ce131b05ac9e47c5769]
Ben Hutchings (1):
binfmt_elf: Fix missing SIGKILL for empty PIE
[not upstream; fixes bad backport]
Bin Liu (1):
usb: phy: am335x: fix race condition in _probe
[a53469a68eb886e84dd8b69a1458a623d3591793]
Borislav Petkov (1):
x86/a.out: Clear the dump structure initially
[10970e1b4be9c74fce8ab6e3c34a7d718f063f2c]
Charles Keepax (1):
ALSA: compress: Fix stop handling on compressed capture streams
[4f2ab5e1d13d6aa77c55f4914659784efd776eb4]
Charles Yeh (1):
USB: serial: pl2303: add new PID to support PL2303TB
[4dcf9ddc9ad5ab649abafa98c5a4d54b1a33dabb]
Christian Borntraeger (1):
s390/early: improve machine detection
[03aa047ef2db4985e444af6ee1c1dd084ad9fb4c]
Christoph Paasch (1):
net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec
[398f0132c14754fcd03c1c4f8e7176d001ce8ea1]
Cong Wang (1):
team: avoid complex list operations in team_nl_cmd_options_set()
[2fdeee2549231b1f989f011bb18191f5660d3745]
Dan Carpenter (4):
ALSA: cs46xx: Potential NULL dereference in probe
[1524f4e47f90b27a3ac84efbdd94c63172246a6f]
mfd: ab8500-core: Return zero in get_register_interruptible()
[10628e3ecf544fa2e4e24f8e112d95c37884dc98]
scsi: bnx2fc: Fix error handling in probe()
[b2d3492fc591b1fb46b81d79ca1fc44cac6ae0ae]
skge: potential memory corruption in skge_get_regs()
[294c149a209c6196c2de85f512b52ef50f519949]
Daniel Drake (1):
x86/kaslr: Fix incorrect i8254 outb() parameters
[7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4]
Daniele Palmas (1):
usb: cdc-acm: send ZLP for Telit 3G Intel based modems
[34aabf918717dd14e05051896aaecd3b16b53d95]
Darrick J. Wong (2):
tmpfs: fix link accounting when a tmpfile is linked in
[1062af920c07f5b54cf5060fde3339da6df0cf6b]
tmpfs: fix uninitialized return value in shmem_link
[29b00e609960ae0fcff382f4c7079dd0874a5311]
David Hildenbrand (1):
mm: migrate: don't rely on __PageMovable() of newpage after unlocking it
[e0a352fabce61f730341d119fbedf71ffdb8663f]
David Howells (1):
assoc_array: Fix shortcut creation
[bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08]
Davidlohr Bueso (1):
arc: do not export symbols in troubleshoot.c
[be2a7fce397d82b7dc3fdbc61fb0bdab118e65ca]
Dexuan Cui (1):
Drivers: hv: vmbus: Check for ring when getting debug info
[ba50bf1ce9a51fc97db58b96d01306aa70bc3979]
Eric Biggers (5):
KEYS: allow reaching the keys quotas exactly
[a08bf91ce28ed3ae7b6fef35d843fef8dc8c2cd9]
KEYS: always initialize keyring_index_key::desc_len
[ede0fa98a900e657d1fcd80b50920efc896c1a4c]
KEYS: restrict /proc/keys by credentials at open time
[4aa68e07d845562561f5e73c04aa521376e95252]
KEYS: user: Align the payload buffer
[cc1780fc42c76c705dd07ea123f1143dc5057630]
crypto: authenc - fix parsing key with misaligned rta_len
[8f9c469348487844328e162db57112f7d347c49f]
Eric Dumazet (3):
batman-adv: fix uninit-value in batadv_interface_tx()
[4ffcbfac60642f63ae3d80891f573ba7e94a265c]
net/x25: fix a race in x25_bind()
[797a22bd5298c2674d927893f46cadf619dad11d]
vxlan: test dev->flags & IFF_UP before calling netif_rx()
[4179cb5a4c924cd233eaadd081882425bc98f44e]
Eric W. Biederman (4):
ipc/shm: Fix pid freeing.
[2236d4d39035b9839944603ec4b65ce71180a9ea]
signal: Always notice exiting tasks
[35634ffa1751b6efd8cf75010b509dcb0263e29b]
signal: Better detection of synchronous signals
[7146db3317c67b517258cb5e1b08af387da0618b]
signal: Restore the stop PTRACE_EVENT_EXIT
[cf43a757fd49442bc38f76088b70c2299eed2c2f]
Eugene Loh (1):
kallsyms: Handle too long symbols in kallsyms.c
[6db2983cd8064808141ccefd75218f5b4345ffae]
Eugeniy Paltsev (1):
ARC: U-boot: check arguments paranoidly
[a66f2e57bd566240d8b3884eedf503928fbbe557]
Felix Fietkau (1):
mac80211: ensure that mgmt tx skbs have tailroom for encryption
[9d0f50b80222dc273e67e4e14410fcfa4130a90c]
Feras Daoud (1):
IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start
[6ab4aba00f811a5265acc4d3eb1863bb3ca60562]
Florian Westphal (1):
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
[b8e9dc1c75714ceb53615743e1036f76e00f5a17]
Franky Lin (1):
brcmfmac: screening firmware event packet
[c56caa9db8abbbfb9e31325e0897705aa897db37]
Gabriel Krisman Bertazi (1):
sd: Clear PS bit before Mode Select.
[2c5d16d6a9e7218e57b716e4fd9d77c776d21471]
Gavin Li (1):
brcmfmac: fix incorrect event channel deduction
[8e290cecdd0178f3d4cf7d463c51dc7e462843b4]
Gerald Schaefer (1):
s390/smp: fix CPU hotplug deadlock with CPU rescan
[b7cb707c373094ce4008d4a6ac9b6b366ec52da5]
Greg Kroah-Hartman (3):
debugfs: fix debugfs_rename parameter checking
[d88c93f090f708c18195553b352b9f205e65418f]
tty: Handle problem if line discipline does not have receive_buf
[27cfb3a53be46a54ec5e0bd04e51995b74c90343]
tty: mark Siemens R3964 line discipline as BROKEN
[c7084edc3f6d67750f50d4183134c4fb5712a5c8]
Grygorii Strashko (1):
net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround
[c1a8d0a3accf64a014d605e6806ce05d1c17adf1]
Guenter Roeck (1):
unicore32: Fix build error
[ca98565a6182a960cd857d7546267a0775154eb8]
Gustavo A. R. Silva (4):
char/mwave: fix potential Spectre v1 vulnerability
[701956d4018e5d5438570e39e8bda47edd32c489]
ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
[a7102c7461794a5bb31af24b08e9e0f50038897a]
perf tests evsel-tp-sched: Fix bitwise operator
[489338a717a0dfbbd5a3fabccf172b78f0ac9015]
usb: gadget: udc: net2272: Fix bitwise and boolean operations
[07c69f1148da7de3978686d3af9263325d9d60bd]
Hangbin Liu (1):
sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
[173656accaf583698bac3f9e269884ba60d51ef4]
Hans de Goede (2):
ACPI: power: Skip duplicate power resource references in _PRx
[7d7b467cb95bf29597b417d4990160d4ea6d69b9]
libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD
[dd957493baa586f1431490f97f9c7c45eaf8ab10]
Heiner Kallweit (1):
net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031
[1d16073a326891c2a964e4cb95bc18fbcafb5f74]
Hui Peng (1):
ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
[cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184]
Icenowy Zheng (2):
USB: storage: add quirk for SMI SM3350
[0a99cc4b8ee83885ab9f097a3737d1ab28455ac0]
USB: storage: don't insert sane sense for SPC3+ when bad sense specified
[c5603d2fdb424849360fe7e3f8c1befc97571b8c]
Ilya Dryomov (1):
rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set
[85f5a4d666fd9be73856ed16bb36c5af5b406b29]
Ingo Molnar (1):
perf/core: Fix impossible ring-buffer sizes warning
[528871b456026e6127d95b1b2bd8e3a003dc1614]
Ivan Mironov (3):
drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
[66a8d5bfb518f9f12d47e1d2dce1732279f9451e]
drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2
[62d85b3bf9d978ed4b6b2aeef5cf0ccf1423906e]
scsi: sd: Fix cache_type_store()
[44759979a49bfd2d20d789add7fa81a21eb1a4ab]
Jack Stocker (1):
USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB
[3483254b89438e60f719937376c5e0ce2bc46761]
Jacob Wen (1):
l2tp: copy 4 more bytes to linear part if necessary
[91c524708de6207f59dd3512518d8a1c7b434ee3]
Jann Horn (2):
fuse: call pipe_buf_release() under pipe lock
[9509941e9c534920ccc4771ae70bd6cbbe79df1c]
mm: enforce min addr even if capable() in expand_downwards()
[0a1d52994d440e21def1c2174932410b4f2a98a1]
Jason Gunthorpe (1):
packet: Do not leak dev refcounts on error exit
[d972f3dce8d161e2142da0ab1ef25df00e2f21a9]
Jiri Olsa (1):
perf/x86: Add check_period PMU callback
[81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb]
John Garry (1):
scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached
[ffeafdd2bf0b280d67ec1a47ea6287910d271f3f]
John Johansen (1):
apparmor: provide userspace flag indicating binfmt_elf_mmap change
[34c426acb75cc21bdf84685e106db0c1a3565057]
Jonathan Bakker (1):
Input: bma150 - register input device after setting private data
[90cc55f067f6ca0e64e5e52883ece47d8af7b67b]
Jonathan Hunter (1):
mfd: tps6586x: Handle interrupts on suspend
[ac4ca4b9f4623ba5e1ea7a582f286567c611e027]
Jonathan Neuschäfer (1):
mmc: spi: Fix card detection during probe
[c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6]
Jose Abreu (1):
net: stmmac: Fix a race in EEE enable callback
[8a7493e58ad688eb23b81e45461c5d314f4402f1]
Julian Wiedmann (3):
s390/qeth: cancel close_dev work before removing a card
[c2780c1a3fb724560b1d44f7976e0de17bf153c7]
s390/qeth: conclude all event processing before offlining a card
[c0a2e4d10d9366ada133a8ae4ff2f32397f8b15b]
s390/qeth: fix use-after-free in error path
[afa0c5904ba16d59b0454f7ee4c807dae350f432]
Jun-Ru Chang (1):
MIPS: Remove function size check in get_frame_info()
[2b424cfc69728224fcb5fad138ea7260728e0901]
Kal Conley (1):
net/packet: fix 4gb buffer limit due to overflow check
[fc62814d690cf62189854464f4bd07457d5e9e50]
Kan Liang (1):
perf/x86/intel/uncore: Add Node ID mask
[9e63a7894fd302082cf3627fe90844421a6cbe7f]
Kangjie Lu (1):
ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages
[44fabd8cdaaa3acb80ad2bb3b5c61ae2136af661]
Kees Cook (1):
Yama: Check for pid death before checking ancestry
[9474f4e7cd71a633fa1ef93b7daefd44bbdfd482]
Leonid Iziumtsev (1):
dmaengine: imx-dma: fix wrong callback invoke
[341198eda723c8c1cddbb006a89ad9e362502ea2]
Linus Torvalds (1):
binfmt_elf: switch to new creds when switching to new mm
[9f834ec18defc369d73ccf9e87a2790bfa05bf46]
Linus Walleij (1):
ARM: dts: kirkwood: Fix polarity of GPIO fan lines
[b5f034845e70916fd33e172fad5ad530a29c10ab]
Liping Zhang (1):
netfilter: nft_compat: fix crash when related match/target module is removed
[4b512e1c1f8de6b9ceb796ecef8658e0a083cab7]
Logan Gunthorpe (1):
scsi: isci: initialize shost fully before calling scsi_add_host()
[cc29a1b0a3f2597ce887d339222fa85b9307706d]
Lukas Wunner (2):
dmaengine: bcm2835: Fix abort of transactions
[9e528c799d17a4ac37d788c81440b50377dd592d]
dmaengine: bcm2835: Fix interrupt race on RT
[f7da7782aba92593f7b82f03d2409a1c5f4db91b]
Manfred Schlaegl (1):
can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it
[7b12c8189a3dc50638e7d53714c88007268d47ef]
Manuel Reinhardt (1):
ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
[2bc16b9f3223d049b57202ee702fcb5b9b507019]
Marcel Holtmann (2):
Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt
[af3d5d1c87664a4f150fcf3534c6567cb19909b0]
Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
[7c9cbd0b5e38a1672fcd137894ace3b042dfbf69]
Mark Rutland (1):
perf/core: Don't WARN() for impossible ring-buffer sizes
[9dff0aa95a324e262ffb03f425d00e4751f3294e]
Martin Kepplinger (1):
mtd: rawnand: gpmi: fix MX28 bus master lockup problem
[d5d27fd9826b59979b184ec288e4812abac0e988]
Martin Schwidefsky (1):
s390/mm: always force a load of the primary ASCE on context switch
[a38662084c8bdb829ff486468c7ea801c13fcc34]
Martin Sperl (1):
dmaengine: bcm2835: add additional defines for DMA-registers
[e42685d7a7d5afa6278561ffd85c475eae246be3]
Matthias Schwarzott (1):
media: em28xx: Fix use-after-free when disconnecting
[910b0797fa9e8af09c44a3fa36cb310ba7a7218d]
Matti Kurkela (2):
Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
[e8b22d0a329f0fb5c7ef95406872d268f01ee3b1]
Input: elantech - force needed quirks on Fujitsu H760
[f9a703a54d16ba2470391c4b12236ee56591d50c]
Max Schulze (1):
USB: serial: simple: add Motorola Tetra TPG2200 device id
[b81c2c33eab79dfd3650293b2227ee5c6036585c]
Michael Straube (1):
staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1
[5f74a8cbb38d10615ed46bc3e37d9a4c9af8045a]
Miklos Szeredi (2):
fuse: decrement NR_WRITEBACK_TEMP on the right page
[a2ebba824106dabe79937a9f29a875f837e1b6d4]
fuse: handle zero sized retrieve correctly
[97e1532ef81acb31c30f9e75bf00306c33a77812]
Naoya Horiguchi (1):
mm: hwpoison: use do_send_sig_info() instead of force_sig()
[6376360ecbe525a9c17b3d081dfd88ba3e4ed65b]
Nathan Sullivan (1):
net/phy: micrel: Add workaround for bad autoneg
[d2fd719bcb0e83cb39cfee22ee800f98a56eceb3]
Naveen N. Rao (1):
powerpc/signal: Properly handle return value from uprobe_deny_signal()
[46725b17f1c6c815a41429259b3f070c01e71bc1]
Nicolas Pitre (2):
vt: always call notifier with the console lock held
[7e1d226345f89ad5d0216a9092c81386c89b4983]
vt: invoke notifier on screen size change
[0c9b1965faddad7534b6974b5b36c4ad37998f8e]
Nikos Tsironis (1):
dm thin: fix bug where bio that overwrites thin block ignores FUA
[4ae280b4ee3463fa57bbe6eede26b97daff8a0f1]
Oleg Nesterov (1):
mm/mmap.c: expand_downwards: don't require the gap if !vm_prev
[32e4e6d5cbb0c0e427391635991fe65e17797af8]
Oliver Hartkopp (1):
can: bcm: check timer values before ktime conversion
[93171ba6f1deffd82f381d36cb13177872d023f6]
Pablo Neira Ayuso (2):
netfilter: nf_tables: fix flush after rule deletion in the same batch
[23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66]
netfilter: nft_compat: use-after-free when deleting targets
[753c111f655e38bbd52fc01321266633f022ebe2]
Paolo Abeni (1):
vsock: cope with memory allocation failure at socket creation time
[225d9464268599a5b4d094d02ec17808e44c7553]
Paul Elder (1):
usb: gadget: musb: fix short isoc packets with inventra dma
[c418fd6c01fbc5516a2cd1eaf1df1ec86869028a]
Paul Fulghum (1):
tty/n_hdlc: fix __might_sleep warning
[fc01d8c61ce02c034e67378cd3e645734bc18c8c]
Paul Moore (1):
netlabel: fix out-of-bounds memory accesses
[5578de4834fe0f2a34fedc7374be691443396d1f]
Pavel Shilovsky (3):
CIFS: Do not consider -ENODATA as stat failure for reads
[082aaa8700415f6471ec9c5ef0c8307ca214989a]
CIFS: Do not count -ENODATA as failure for query directory
[8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79]
CIFS: Do not hide EINTR after sending network packets
[ee13919c2e8d1f904e035ad4b4239029a8994131]
Peng Hao (1):
ARM: pxa: ssp: unneeded to free devm_ allocated data
[ba16adeb346387eb2d1ada69003588be96f098fa]
Peter Zijlstra (1):
perf/core: Fix perf_event_open() vs. execve() race
[79c9ce57eb2d5f1497546a3946b4ae21b6fdc438]
Rajasingh Thavamani (1):
net: phy: Micrel KSZ8061: link failure after cable connect
[232ba3a51cc224b339c7114888ed7f0d4d95695e]
Richard Weinberger (28):
Clean up signal_delivered()
[10b1c7ac8bfed429cf3dcb0225482c8dc1485d8e]
Rip out get_signal_to_deliver()
[828b1f65d23cf8a68795739f6dd08fc8abd9ee64]
arc: Use get_signal() signal_setup_done()
[f6dd2a3f1f8d8df640cfa2d60f85c0b818af1593]
arm64: Use get_signal() signal_setup_done()
[00554fa4f80279db92f82c4f52c8ae72711f173e]
avr32: Use get_signal() signal_setup_done()
[d809709a8845954a95c2ac86c13bd0dfd549c1ae]
blackfin: Use get_signal() signal_setup_done()
[1270cff147a39f7da5b25225dca6ca3132ca6130]
c6x: Use get_signal() signal_setup_done()
[e19c025bc9a184ed9c5daf06ffb89abc81d1696a]
cris: Use get_signal() signal_setup_done()
[fa0197722eb7559a6a9733881bbb8d9e76364f33]
frv: Use get_signal() signal_setup_done()
[720f36b983224ac52b6acdd8b646ce30f6b38763]
hexagon: Use get_signal() signal_setup_done()
[ac443624490f7033aefd06713e7761aee5977de3]
ia64: Use get_signal() signal_setup_done()
[98c20309b97fc30001adf643cf876125f334fd8a]
m32r: Use get_signal() signal_setup_done()
[0f5bef660a7c3b030eb60ceb29e3b2d89f894f56]
m68k: Use get_signal() signal_setup_done()
[0d97500d393012690f3579056629bea0369e6554]
microblaze: Use get_signal() signal_setup_done()
[9c53c7ec14a5738ae3117d7d71b7abf630526c9f]
mips: Use get_signal() signal_setup_done()
[81d103bf80678669c56658185e758fc3f9845d71]
mips: Use sigsp()
[7c4f563507c33ca97dcfbd62dba1e9232575d499]
mn10300: Use get_signal() signal_setup_done()
[8b166553a9aaf39774bc22f5e93c965584303929]
parisc: Use get_signal() signal_setup_done()
[e4dc894b61776733629b24507031dd46f5ba5efc]
powerpc: Use get_signal() signal_setup_done()
[129b69df9c9074750245fca8aa92df5cc1a86ef4]
powerpc: Use sigsp()
[059ade650ae57cfd371af690fdba887af04aded8]
s390: Use get_signal() signal_setup_done()
[067bf2d4d3a7aedc5982f6a58716054e5004b801]
score: Use get_signal() signal_setup_done()
[2bb12b773feb3e792145961e57ab356e6134d4a5]
sh: Use get_signal() signal_setup_done()
[b46e848768acc458ba94feef162b8901592dbb9c]
tile: Use get_signal() signal_setup_done()
[b3707c7ed013d36752272ca2f9ed20dc8aed92e4]
tracehook_signal_handler: Remove sig, info, ka and regs
[df5601f9c3d831b4c478b004a1ed90a18643adbe]
um: Use get_signal() signal_setup_done()
[307627eebbb0bc41b21e74d78b932362a6c1b38d]
unicore32: Use get_signal() signal_setup_done()
[649671c90eaf3cbbd0cd03460b6a92c0b674a32e]
xtensa: Use get_signal() signal_setup_done()
[5bdb7611eb7987102f3c0fef1220dd64b6fbd9fd]
Ross Lagerwall (1):
cifs: Fix potential OOB access of lock element array
[b9a74cde94957d82003fb9f7ab4777938ca851cd]
Rundong Ge (1):
net: dsa: slave: Don't propagate flag changes on down slave interfaces
[17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5]
Russell King (1):
ARM: iop32x/n2100: fix PCI IRQ mapping
[db4090920ba2d61a5827a23e441447926a02ffee]
Sakari Ailus (1):
media: v4l: ioctl: Validate num_planes for debug messages
[7fe9f01c04c2673bd6662c35b664f0f91888b96f]
Samir Virmani (1):
uart: Fix crash in uart_write and uart_put_char
[aff9cf5955185d1f183227e46c5f8673fa483813]
Sergei Shtylyov (1):
mmc: tmio_mmc_core: don't claim spurious interrupts
[5c27ff5db1491a947264d6d4e4cbe43ae6535bae]
Sergei Trofimovich (1):
alpha: fix page fault handling for r16-r18 targets
[491af60ffb848b59e82f7c9145833222e0bf27a5]
Shakeel Butt (1):
mm, oom: fix use-after-free in oom_kill_process
[cefc7ef3c87d02fc9307835868ff721ea12cc597]
Sheng Lan (1):
net: netem: fix skb length BUG_ON in __skb_to_sgvec
[5845f706388a4cde0f6b80f9e5d33527e942b7d9]
Shuah Khan (1):
[media] media: em28xx-dvb - fix em28xx_dvb_resume() to not unregister i2c and dvb
[6eb5e3399e8f45aa191ad21c0556bece8ea559f2]
Shubhrajyoti Datta (1):
i2c: cadence: Fix the hold bit setting
[d358def706880defa4c9e87381c5bf086a97d5f9]
Stefan Haberland (1):
s390/dasd: fix using offset into zero size array error
[4a8ef6999bce998fa5813023a9a6b56eea329dba]
Suravee Suthikulpanit (1):
iommu/amd: Fix IOMMU page flush when detach device from a domain
[9825bd94e3a2baae1f4874767ae3a7d4c049720e]
Sven Eckelmann (2):
batman-adv: Avoid WARN on net_device without parent in netns
[955d3411a17f590364238bd0d3329b61f20c1cd2]
batman-adv: Force mac header to start of data on xmit
[9114daa825fc3f335f9bea3313ce667090187280]
Takashi Iwai (2):
ALSA: usb-audio: Always check descriptor sizes in parser code
[3e96d7280f16e2f787307f695a31296b9e4a1cd7]
ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
[f4351a199cc120ff9d59e06d02e8657d08e6cc46]
Thomas Hellstrom (2):
drm/vmwgfx: Fix setting of dma masks
[4cbfa1e6c09e98450aab3240e5119b0ab2c9795b]
drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user
[728354c005c36eaf44b6e5552372b67e60d17f56]
Thomas Richter (1):
perf test: Fix failure of 'evsel-tp-sched' test on s390
[03d309711d687460d1345de8a0363f45b1c8cd11]
Tina Zhang (1):
drm/modes: Prevent division by zero htotal
[a2fcd5c84f7a7825e028381b10182439067aa90d]
Vineet Gupta (2):
ARC: mm: do_page_fault fixes #1: relinquish mmap_sem if signal arrives while handle_mm_fault
[4d447455e73b47c43dd35fcc38ed823d3182a474]
ARC: show_regs: lockdep: avoid page allocator...
[ab6c03676cb190156603cf4c5ecf97aa406c9c53]
Vitaly Kuznetsov (1):
x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available
[6b1971c694975e49af302229202c0043568b1791]
Vlad Tsyrklevich (1):
omap2fb: Fix stack memory disclosure
[a01421e4484327fe44f8e126793ed5a48a221e24]
Waiman Long (1):
fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb()
[1dbd449c9943e3145148cc893c2461b72ba6fef0]
Willem de Bruijn (2):
packet: validate address length
[99137b7888f4058087895d035d81c6b2d31015c5]
packet: validate address length if non-zero
[6b8d95f1795c42161dc0984b6863e95d6acf24ed]
Yi Zeng (1):
i2c: dev: prevent adapter retries and timeout being set as minus value
[6ebec961d59bccf65d08b13fc1ad4e6272a89338]
YueHaibing (2):
mdio_bus: Fix use-after-free on device_register fails
[6ff7b060535e87c2ae14dd8548512abfdda528fb]
net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
[58bdd544e2933a21a51eecf17c3f5f94038261b5]
YunQiang Su (1):
Disable MSI also when pcie-octeon.pcie_disable on
[a214720cbf50cd8c3f76bbb9c3f5c283910e9d33]
Yunjian Wang (1):
net: bridge: Fix ethernet header pointer before check skb forwardable
[28c1382fa28f2e2d9d0d6f25ae879b5af2ecbd03]
Zach Brown (1):
net/phy: micrel: configure intterupts after autoneg workaround
[b866203d872d5deeafcecd25ea429d6748b5bd56]
Zheng Yan (1):
ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
[04242ff3ac0abbaa4362f97781dac268e6c3541a]
Zhiqiang Liu (1):
net: fix IPv6 prefix route residue
[e75913c93f7cd5f338ab373c34c93a655bd309cb]
Makefile | 4 +-
arch/alpha/mm/fault.c | 2 +-
arch/arc/kernel/head.S | 4 +-
arch/arc/kernel/setup.c | 88 ++++++++++----
arch/arc/kernel/signal.c | 39 +++---
arch/arc/kernel/troubleshoot.c | 27 ++---
arch/arc/mm/fault.c | 13 +-
arch/arm/boot/dts/kirkwood-dnskw.dtsi | 4 +-
arch/arm/mach-iop32x/n2100.c | 3 +-
arch/arm/plat-pxa/ssp.c | 3 -
arch/arm64/include/asm/signal32.h | 11 +-
arch/arm64/kernel/signal.c | 48 ++++----
arch/arm64/kernel/signal32.c | 14 +--
arch/avr32/kernel/signal.c | 43 +++----
arch/blackfin/kernel/signal.c | 39 +++---
arch/c6x/kernel/signal.c | 43 +++----
arch/cris/arch-v10/kernel/signal.c | 79 +++++-------
arch/cris/arch-v32/kernel/signal.c | 77 +++++-------
arch/frv/kernel/signal.c | 99 +++++++--------
arch/hexagon/kernel/signal.c | 45 +++----
arch/ia64/kernel/signal.c | 46 ++++---
arch/m32r/kernel/signal.c | 47 ++++----
arch/m68k/kernel/signal.c | 63 ++++------
arch/microblaze/kernel/signal.c | 48 +++-----
arch/mips/include/asm/abi.h | 10 +-
arch/mips/kernel/process.c | 7 +-
arch/mips/kernel/signal-common.h | 2 +-
arch/mips/kernel/signal.c | 72 +++++------
arch/mips/kernel/signal32.c | 39 +++---
arch/mips/kernel/signal_n32.c | 20 ++--
arch/mips/pci/msi-octeon.c | 4 +-
arch/mips/pci/pci-octeon.c | 10 +-
arch/mn10300/kernel/signal.c | 89 ++++++--------
arch/parisc/kernel/signal.c | 58 ++++-----
arch/powerpc/kernel/signal.c | 41 ++-----
arch/powerpc/kernel/signal.h | 14 +--
arch/powerpc/kernel/signal_32.c | 36 +++---
arch/powerpc/kernel/signal_64.c | 28 ++---
arch/s390/include/asm/mmu_context.h | 12 +-
arch/s390/kernel/compat_signal.c | 79 ++++++------
arch/s390/kernel/early.c | 4 +-
arch/s390/kernel/entry.h | 4 +-
arch/s390/kernel/setup.c | 2 +
arch/s390/kernel/signal.c | 78 +++++-------
arch/s390/kernel/smp.c | 4 +
arch/score/kernel/signal.c | 43 +++----
arch/sh/kernel/signal_32.c | 79 +++++-------
arch/sh/kernel/signal_64.c | 82 +++++--------
arch/tile/include/asm/compat.h | 3 +-
arch/tile/kernel/compat_signal.c | 29 ++---
arch/tile/kernel/signal.c | 54 ++++-----
arch/um/include/shared/frame_kern.h | 12 +-
arch/um/kernel/signal.c | 27 ++---
arch/unicore32/kernel/signal.c | 51 ++++----
arch/x86/boot/compressed/aslr.c | 4 +-
arch/x86/ia32/ia32_aout.c | 6 +-
arch/x86/include/asm/uaccess.h | 7 +-
arch/x86/kernel/cpu/perf_event.c | 9 ++
arch/x86/kernel/cpu/perf_event.h | 21 ++++
arch/x86/kernel/cpu/perf_event_intel.c | 9 ++
arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
arch/x86/kvm/vmx.c | 7 +-
arch/x86/kvm/x86.c | 3 +-
arch/x86/um/signal.c | 45 ++++---
arch/xtensa/kernel/signal.c | 43 +++----
crypto/authenc.c | 14 ++-
drivers/acpi/power.c | 22 ++++
drivers/ata/libata-core.c | 1 +
drivers/block/rbd.c | 9 +-
drivers/char/Kconfig | 2 +-
drivers/char/ipmi/ipmi_msghandler.c | 6 +
drivers/char/mwave/mwavedd.c | 7 ++
drivers/dma/bcm2835-dma.c | 124 +++++++++++--------
drivers/dma/dmatest.c | 30 ++---
drivers/dma/imx-dma.c | 8 +-
drivers/gpu/drm/drm_fb_helper.c | 133 ++++++++++++---------
drivers/gpu/drm/drm_modes.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 9 +-
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
drivers/hv/hyperv_vmbus.h | 5 +-
drivers/hv/ring_buffer.c | 31 +++--
drivers/hv/vmbus_drv.c | 91 +++++++++-----
drivers/i2c/busses/i2c-cadence.c | 9 +-
drivers/i2c/i2c-dev.c | 6 +
drivers/infiniband/ulp/ipoib/ipoib.h | 1 -
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 3 +-
drivers/input/misc/bma150.c | 9 +-
drivers/input/mouse/elantech.c | 23 ++++
drivers/iommu/amd_iommu.c | 15 ++-
drivers/md/dm-thin.c | 55 ++++++++-
drivers/media/usb/em28xx/em28xx-dvb.c | 20 +---
drivers/media/v4l2-core/v4l2-ioctl.c | 4 +-
drivers/mfd/ab8500-core.c | 2 +-
drivers/mfd/tps6586x.c | 24 ++++
drivers/mmc/host/mmc_spi.c | 1 +
drivers/mmc/host/tmio_mmc_pio.c | 8 +-
drivers/mtd/nand/gpmi-nand/gpmi-lib.c | 13 +-
drivers/net/can/dev.c | 27 ++---
drivers/net/ethernet/marvell/skge.c | 6 +-
drivers/net/ethernet/mellanox/mlx4/fw.c | 68 +++++++----
.../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 22 ++--
drivers/net/phy/mdio_bus.c | 1 -
drivers/net/phy/micrel.c | 41 ++++++-
drivers/net/team/team.c | 27 +----
drivers/net/vxlan.c | 13 +-
drivers/net/wireless/brcm80211/brcmfmac/bcdc.c | 29 ++---
drivers/net/wireless/brcm80211/brcmfmac/dhd.h | 2 +-
drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h | 4 +-
.../net/wireless/brcm80211/brcmfmac/dhd_linux.c | 76 +++++++++---
drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 32 +++--
drivers/net/wireless/brcm80211/brcmfmac/fweh.h | 16 ++-
drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c | 11 +-
drivers/net/wireless/brcm80211/brcmfmac/proto.h | 18 ++-
drivers/net/wireless/brcm80211/brcmfmac/usb.c | 2 +-
.../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 +
drivers/s390/block/dasd_eckd.c | 8 ++
drivers/s390/char/sclp_config.c | 2 +
drivers/s390/net/qeth_core.h | 3 +-
drivers/s390/net/qeth_core_main.c | 35 ++++--
drivers/s390/net/qeth_l2_main.c | 7 +-
drivers/s390/net/qeth_l3_main.c | 3 +
drivers/scsi/bnx2fc/bnx2fc_io.c | 4 +-
drivers/scsi/isci/init.c | 14 +--
drivers/scsi/libsas/sas_expander.c | 2 +
drivers/scsi/sd.c | 7 ++
drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
drivers/tty/n_hdlc.c | 1 +
drivers/tty/serial/serial_core.c | 12 +-
drivers/tty/tty_io.c | 3 +-
drivers/tty/vt/vt.c | 3 +-
drivers/usb/class/cdc-acm.c | 7 ++
drivers/usb/core/quirks.c | 3 +-
drivers/usb/gadget/net2272.c | 2 +-
drivers/usb/musb/musb_gadget.c | 13 +-
drivers/usb/musb/musbhsdma.c | 21 ++--
drivers/usb/phy/phy-am335x.c | 5 +-
drivers/usb/serial/pl2303.c | 1 +
drivers/usb/serial/pl2303.h | 2 +
drivers/usb/serial/usb-serial-simple.c | 3 +-
drivers/usb/storage/scsiglue.c | 8 +-
drivers/usb/storage/unusual_devs.h | 12 ++
drivers/vfio/vfio_iommu_type1.c | 15 +++
drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 +
fs/binfmt_elf.c | 3 +-
fs/ceph/snap.c | 3 +-
fs/cifs/file.c | 8 +-
fs/cifs/smb2file.c | 4 +-
fs/cifs/smb2pdu.c | 6 +-
fs/cifs/transport.c | 2 +-
fs/dcache.c | 6 +-
fs/debugfs/inode.c | 7 ++
fs/fuse/dev.c | 4 +-
fs/fuse/file.c | 2 +-
fs/proc/task_mmu.c | 22 +++-
include/keys/user-type.h | 2 +-
include/linux/perf_event.h | 5 +
include/linux/sched.h | 21 ++++
include/linux/signal.h | 15 +--
include/linux/tracehook.h | 8 +-
include/sound/compress_driver.h | 6 +-
ipc/shm.c | 4 +-
kernel/events/core.c | 70 ++++++++---
kernel/events/ring_buffer.c | 3 +
kernel/signal.c | 105 ++++++++++++----
lib/assoc_array.c | 8 +-
mm/memory-failure.c | 3 +-
mm/migrate.c | 8 +-
mm/mmap.c | 24 ++--
mm/oom_kill.c | 8 ++
mm/shmem.c | 12 +-
net/batman-adv/hard-interface.c | 4 +-
net/batman-adv/soft-interface.c | 4 +
net/bluetooth/l2cap_core.c | 83 ++++++++-----
net/bridge/br_forward.c | 26 ++--
net/can/bcm.c | 27 +++++
net/dsa/slave.c | 13 +-
net/ipv4/cipso_ipv4.c | 6 +-
net/ipv6/addrconf.c | 3 +-
net/ipv6/sit.c | 3 +-
net/l2tp/l2tp_core.c | 5 +-
net/mac80211/tx.c | 9 +-
net/netfilter/nf_tables_api.c | 3 +
net/netfilter/nft_compat.c | 120 +++++++++++--------
net/nfc/llcp_commands.c | 20 ++++
net/nfc/llcp_core.c | 24 +++-
net/packet/af_packet.c | 12 +-
net/sched/sch_netem.c | 10 +-
net/vmw_vsock/vmci_transport.c | 4 +
net/x25/af_x25.c | 13 +-
scripts/kallsyms.c | 4 +-
security/apparmor/apparmorfs.c | 1 +
security/keys/key.c | 4 +-
security/keys/keyring.c | 4 +-
security/keys/proc.c | 11 +-
security/keys/request_key.c | 1 +
security/keys/request_key_auth.c | 2 +-
security/yama/yama_lsm.c | 4 +-
sound/pci/cs46xx/dsp_spos.c | 3 +
sound/soc/codecs/tlv320aic32x4.c | 4 +
sound/soc/intel/sst-mfld-platform-pcm.c | 8 +-
sound/usb/card.c | 5 +
sound/usb/mixer.c | 10 +-
sound/usb/pcm.c | 9 +-
sound/usb/quirks-table.h | 6 +
sound/usb/stream.c | 31 +++--
tools/perf/tests/evsel-tp-sched.c | 8 +-
206 files changed, 2364 insertions(+), 1834 deletions(-)
--
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 019/202] packet: Do not leak dev refcounts on error exit
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (19 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 055/202] vt: always call notifier with the console lock held Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 201/202] apparmor: provide userspace flag indicating binfmt_elf_mmap change Ben Hutchings
` (181 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Leon Romanovsky, David S. Miller,
Willem de Bruijn, Jason Gunthorpe
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@mellanox.com>
commit d972f3dce8d161e2142da0ab1ef25df00e2f21a9 upstream.
'dev' is non NULL when the addr_len check triggers so it must goto a label
that does the dev_put otherwise dev will have a leaked refcount.
This bug causes the ib_ipoib module to become unloadable when using
systemd-network as it triggers this check on InfiniBand links.
Fixes: 99137b7888f4 ("packet: validate address length")
Reported-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/packet/af_packet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2302,7 +2302,7 @@ static int tpacket_snd(struct packet_soc
addr = saddr->sll_halen ? saddr->sll_addr : NULL;
dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
if (addr && dev && saddr->sll_halen < dev->addr_len)
- goto out;
+ goto out_put;
}
err = -ENXIO;
@@ -2464,7 +2464,7 @@ static int packet_snd(struct socket *soc
addr = saddr->sll_halen ? saddr->sll_addr : NULL;
dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
if (addr && dev && saddr->sll_halen < dev->addr_len)
- goto out;
+ goto out_unlock;
}
err = -ENXIO;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 142/202] Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (198 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 089/202] dmaengine: bcm2835: Fix abort of transactions Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 008/202] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks Ben Hutchings
` (2 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Dmitry Torokhov, Matti Kurkela
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matti Kurkela <Matti.Kurkela@iki.fi>
commit e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 upstream.
Like Fujitsu CELSIUS H760, the H780 also has a three-button Elantech
touchpad, but the driver needs to be told so to enable the middle touchpad
button.
The elantech_dmi_force_crc_enabled quirk was not necessary with the H780.
Also document the fw_version and caps values detected for both H760 and
H780 models.
Signed-off-by: Matti Kurkela <Matti.Kurkela@iki.fi>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/mouse/elantech.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1036,6 +1036,8 @@ static int elantech_get_resolution_v4(st
* Asus UX31 0x361f00 20, 15, 0e clickpad
* Asus UX32VD 0x361f02 00, 15, 0e clickpad
* Avatar AVIU-145A2 0x361f00 ? clickpad
+ * Fujitsu CELSIUS H760 0x570f02 40, 14, 0c 3 hw buttons (**)
+ * Fujitsu CELSIUS H780 0x5d0f02 41, 16, 0d 3 hw buttons (**)
* Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons
* Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons
* Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons
@@ -1083,6 +1085,13 @@ static const struct dmi_system_id elante
DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"),
},
},
+ {
+ /* Fujitsu H780 also has a middle button */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H780"),
+ },
+ },
#endif
{ }
};
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 084/202] mm: hwpoison: use do_send_sig_info() instead of force_sig()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (3 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 121/202] mn10300: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 021/202] scsi: sd: Fix cache_type_store() Ben Hutchings
` (197 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Oleg Nesterov, Naoya Horiguchi,
William Kucharski, Dan Williams, Jane Chu, Linus Torvalds
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
commit 6376360ecbe525a9c17b3d081dfd88ba3e4ed65b upstream.
Currently memory_failure() is racy against process's exiting, which
results in kernel crash by null pointer dereference.
The root cause is that memory_failure() uses force_sig() to forcibly
kill asynchronous (meaning not in the current context) processes. As
discussed in thread https://lkml.org/lkml/2010/6/8/236 years ago for OOM
fixes, this is not a right thing to do. OOM solves this issue by using
do_send_sig_info() as done in commit d2d393099de2 ("signal:
oom_kill_task: use SEND_SIG_FORCED instead of force_sig()"), so this
patch is suggesting to do the same for hwpoison. do_send_sig_info()
properly accesses to siglock with lock_task_sighand(), so is free from
the reported race.
I confirmed that the reported bug reproduces with inserting some delay
in kill_procs(), and it never reproduces with this patch.
Note that memory_failure() can send another type of signal using
force_sig_mceerr(), and the reported race shouldn't happen on it because
force_sig_mceerr() is called only for synchronous processes (i.e.
BUS_MCEERR_AR happens only when some process accesses to the corrupted
memory.)
Link: http://lkml.kernel.org/r/20190116093046.GA29835@hori1.linux.bs1.fc.nec.co.jp
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reported-by: Jane Chu <jane.chu@oracle.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: William Kucharski <william.kucharski@oracle.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/memory-failure.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -360,7 +360,8 @@ static void kill_procs(struct list_head
printk(KERN_ERR
"MCE %#lx: forcibly killing %s:%d because of failure to unmap corrupted page\n",
pfn, tk->tsk->comm, tk->tsk->pid);
- force_sig(SIGKILL, tk->tsk);
+ do_send_sig_info(SIGKILL, SEND_SIG_PRIV,
+ tk->tsk, PIDTYPE_PID);
}
/*
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 175/202] mmc: tmio_mmc_core: don't claim spurious interrupts
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (192 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 172/202] mdio_bus: Fix use-after-free on device_register fails Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 189/202] vfio/type1: Limit DMA mappings per container Ben Hutchings
` (8 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Ulf Hansson, Sergei Shtylyov, Simon Horman,
Wolfram Sang
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
commit 5c27ff5db1491a947264d6d4e4cbe43ae6535bae upstream.
I have encountered an interrupt storm during the eMMC chip probing (and
the chip finally didn't get detected). It turned out that U-Boot left
the DMAC interrupts enabled while the Linux driver didn't use those.
The SDHI driver's interrupt handler somehow assumes that, even if an
SDIO interrupt didn't happen, it should return IRQ_HANDLED. I think
that if none of the enabled interrupts happened and got handled, we
should return IRQ_NONE -- that way the kernel IRQ code recoginizes
a spurious interrupt and masks it off pretty quickly...
Fixes: 7729c7a232a9 ("mmc: tmio: Provide separate interrupt handlers")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16:
- tmio_mmc_sdio_irq() can be used directly as an interrupt handler, so
make it return IRQ_NONE for unhandled interrupts
- Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mmc/host/tmio_mmc_pio.c
+++ b/drivers/mmc/host/tmio_mmc_pio.c
@@ -639,7 +639,7 @@ irqreturn_t tmio_mmc_sdio_irq(int irq, v
unsigned int ireg, status;
if (!(pdata->flags & TMIO_MMC_SDIO_IRQ))
- return IRQ_HANDLED;
+ return IRQ_NONE;
status = sd_ctrl_read16(host, CTL_SDIO_STATUS);
ireg = status & TMIO_SDIO_MASK_ALL & ~host->sdcard_irq_mask;
@@ -649,7 +649,7 @@ irqreturn_t tmio_mmc_sdio_irq(int irq, v
if (mmc->caps & MMC_CAP_SDIO_IRQ && ireg & TMIO_SDIO_STAT_IOIRQ)
mmc_signal_sdio_irq(mmc);
- return IRQ_HANDLED;
+ return ireg ? IRQ_HANDLED : IRQ_NONE;
}
EXPORT_SYMBOL(tmio_mmc_sdio_irq);
@@ -666,9 +666,7 @@ irqreturn_t tmio_mmc_irq(int irq, void *
if (__tmio_mmc_sdcard_irq(host, ireg, status))
return IRQ_HANDLED;
- tmio_mmc_sdio_irq(irq, devid);
-
- return IRQ_HANDLED;
+ return tmio_mmc_sdio_irq(irq, devid);
}
EXPORT_SYMBOL(tmio_mmc_irq);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 188/202] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (89 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 018/202] packet: validate address length if non-zero Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 117/202] m68k: Use get_signal() signal_setup_done() Ben Hutchings
` (111 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Marcel Holtmann, Johan Hedberg
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Marcel Holtmann <marcel@holtmann.org>
commit af3d5d1c87664a4f150fcf3534c6567cb19909b0 upstream.
When doing option parsing for standard type values of 1, 2 or 4 octets,
the value is converted directly into a variable instead of a pointer. To
avoid being tricked into being a pointer, check that for these option
types that sizes actually match. In L2CAP every option is fixed size and
thus it is prudent anyway to ensure that the remote side sends us the
right option size along with option paramters.
If the option size is not matching the option type, then that option is
silently ignored. It is a protocol violation and instead of trying to
give the remote attacker any further hints just pretend that option is
not present and proceed with the default values. Implementation
following the specification and its qualification procedures will always
use the correct size and thus not being impacted here.
To keep the code readable and consistent accross all options, a few
cosmetic changes were also required.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bluetooth/l2cap_core.c | 77 +++++++++++++++++++++++---------------
1 file changed, 46 insertions(+), 31 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3330,10 +3330,14 @@ static int l2cap_parse_conf_req(struct l
switch (type) {
case L2CAP_CONF_MTU:
+ if (olen != 2)
+ break;
mtu = val;
break;
case L2CAP_CONF_FLUSH_TO:
+ if (olen != 2)
+ break;
chan->flush_to = val;
break;
@@ -3341,26 +3345,30 @@ static int l2cap_parse_conf_req(struct l
break;
case L2CAP_CONF_RFC:
- if (olen == sizeof(rfc))
- memcpy(&rfc, (void *) val, olen);
+ if (olen != sizeof(rfc))
+ break;
+ memcpy(&rfc, (void *) val, olen);
break;
case L2CAP_CONF_FCS:
+ if (olen != 1)
+ break;
if (val == L2CAP_FCS_NONE)
set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
break;
case L2CAP_CONF_EFS:
- if (olen == sizeof(efs)) {
- remote_efs = 1;
- memcpy(&efs, (void *) val, olen);
- }
+ if (olen != sizeof(efs))
+ break;
+ remote_efs = 1;
+ memcpy(&efs, (void *) val, olen);
break;
case L2CAP_CONF_EWS:
+ if (olen != 2)
+ break;
if (!chan->conn->hs_enabled)
return -ECONNREFUSED;
-
set_bit(FLAG_EXT_CTRL, &chan->flags);
set_bit(CONF_EWS_RECV, &chan->conf_state);
chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
@@ -3370,7 +3378,6 @@ static int l2cap_parse_conf_req(struct l
default:
if (hint)
break;
-
result = L2CAP_CONF_UNKNOWN;
*((u8 *) ptr++) = type;
break;
@@ -3540,55 +3547,60 @@ static int l2cap_parse_conf_rsp(struct l
switch (type) {
case L2CAP_CONF_MTU:
+ if (olen != 2)
+ break;
if (val < L2CAP_DEFAULT_MIN_MTU) {
*result = L2CAP_CONF_UNACCEPT;
chan->imtu = L2CAP_DEFAULT_MIN_MTU;
} else
chan->imtu = val;
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
+ endptr - ptr);
break;
case L2CAP_CONF_FLUSH_TO:
+ if (olen != 2)
+ break;
chan->flush_to = val;
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
- 2, chan->flush_to, endptr - ptr);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
+ chan->flush_to, endptr - ptr);
break;
case L2CAP_CONF_RFC:
- if (olen == sizeof(rfc))
- memcpy(&rfc, (void *)val, olen);
-
+ if (olen != sizeof(rfc))
+ break;
+ memcpy(&rfc, (void *)val, olen);
if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
rfc.mode != chan->mode)
return -ECONNREFUSED;
-
chan->fcs = 0;
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
- sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+ (unsigned long) &rfc, endptr - ptr);
break;
case L2CAP_CONF_EWS:
+ if (olen != 2)
+ break;
chan->ack_win = min_t(u16, val, chan->ack_win);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
chan->tx_win, endptr - ptr);
break;
case L2CAP_CONF_EFS:
- if (olen == sizeof(efs)) {
- memcpy(&efs, (void *)val, olen);
-
- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
- efs.stype != L2CAP_SERV_NOTRAFIC &&
- efs.stype != chan->local_stype)
- return -ECONNREFUSED;
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
- (unsigned long) &efs, endptr - ptr);
- }
+ if (olen != sizeof(efs))
+ break;
+ memcpy(&efs, (void *)val, olen);
+ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+ efs.stype != L2CAP_SERV_NOTRAFIC &&
+ efs.stype != chan->local_stype)
+ return -ECONNREFUSED;
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+ (unsigned long) &efs, endptr - ptr);
break;
case L2CAP_CONF_FCS:
+ if (olen != 1)
+ break;
if (*result == L2CAP_CONF_PENDING)
if (val == L2CAP_FCS_NONE)
set_bit(CONF_RECV_NO_FCS,
@@ -3722,10 +3734,13 @@ static void l2cap_conf_rfc_get(struct l2
switch (type) {
case L2CAP_CONF_RFC:
- if (olen == sizeof(rfc))
- memcpy(&rfc, (void *)val, olen);
+ if (olen != sizeof(rfc))
+ break;
+ memcpy(&rfc, (void *)val, olen);
break;
case L2CAP_CONF_EWS:
+ if (olen != 2)
+ break;
txwin_ext = val;
break;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 154/202] x86/a.out: Clear the dump structure initially
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (75 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 165/202] ceph: avoid repeatedly adding inode to mdsc->snap_flush_list Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 192/202] brcmfmac: assure SSID length from firmware is limited Ben Hutchings
` (125 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Michael Matz, Linus Torvalds,
Borislav Petkov, x86, Derek Robson
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov <bp@suse.de>
commit 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c upstream.
dump_thread32() in aout_core_dump() does not clear the user32 structure
allocated on the stack as the first thing on function entry.
As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get
assigned before the clearing, get overwritten.
Rename that function to fill_dump() to make it clear what it does and
call it first thing.
This was caught while staring at a patch by Derek Robson
<robsonde@gmail.com>.
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Derek Robson <robsonde@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michael Matz <matz@suse.de>
Cc: x86@kernel.org
Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/ia32/ia32_aout.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/x86/ia32/ia32_aout.c
+++ b/arch/x86/ia32/ia32_aout.c
@@ -50,7 +50,7 @@ static unsigned long get_dr(int n)
/*
* fill in the user structure for a core dump..
*/
-static void dump_thread32(struct pt_regs *regs, struct user32 *dump)
+static void fill_dump(struct pt_regs *regs, struct user32 *dump)
{
u32 fs, gs;
memset(dump, 0, sizeof(*dump));
@@ -156,10 +156,12 @@ static int aout_core_dump(struct coredum
fs = get_fs();
set_fs(KERNEL_DS);
has_dumped = 1;
+
+ fill_dump(cprm->regs, &dump);
+
strncpy(dump.u_comm, current->comm, sizeof(current->comm));
dump.u_ar0 = offsetof(struct user32, regs);
dump.signal = cprm->siginfo->si_signo;
- dump_thread32(cprm->regs, &dump);
/*
* If the size of the dump file exceeds the rlimit, then see
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 136/202] Rip out get_signal_to_deliver()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (157 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 126/202] s390: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 115/202] ia64: Use get_signal() signal_setup_done() Ben Hutchings
` (43 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 828b1f65d23cf8a68795739f6dd08fc8abd9ee64 upstream.
Now we can turn get_signal() to the main function.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/signal.h | 14 +-------------
kernel/signal.c | 23 ++++++++++++-----------
2 files changed, 13 insertions(+), 24 deletions(-)
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -279,7 +279,7 @@ struct ksignal {
int sig;
};
-extern int get_signal_to_deliver(siginfo_t *info, struct k_sigaction *return_ka, struct pt_regs *regs, void *cookie);
+extern int get_signal(struct ksignal *ksig);
extern void signal_setup_done(int failed, struct ksignal *ksig, int stepping);
extern void exit_signals(struct task_struct *tsk);
extern void kernel_sigaction(int, __sighandler_t);
@@ -299,18 +299,6 @@ static inline void disallow_signal(int s
kernel_sigaction(sig, SIG_IGN);
}
-/*
- * Eventually that'll replace get_signal_to_deliver(); macro for now,
- * to avoid nastiness with include order.
- */
-#define get_signal(ksig) \
-({ \
- struct ksignal *p = (ksig); \
- p->sig = get_signal_to_deliver(&p->info, &p->ka, \
- signal_pt_regs(), NULL);\
- p->sig > 0; \
-})
-
extern struct kmem_cache *sighand_cachep;
int unhandled_signal(struct task_struct *tsk, int sig);
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2174,8 +2174,7 @@ static int ptrace_signal(int signr, sigi
return signr;
}
-int get_signal_to_deliver(siginfo_t *info, struct k_sigaction *return_ka,
- struct pt_regs *regs, void *cookie)
+int get_signal(struct ksignal *ksig)
{
struct sighand_struct *sighand = current->sighand;
struct signal_struct *signal = current->signal;
@@ -2245,13 +2244,13 @@ relock:
goto relock;
}
- signr = dequeue_signal(current, ¤t->blocked, info);
+ signr = dequeue_signal(current, ¤t->blocked, &ksig->info);
if (!signr)
break; /* will return 0 */
if (unlikely(current->ptrace) && signr != SIGKILL) {
- signr = ptrace_signal(signr, info);
+ signr = ptrace_signal(signr, &ksig->info);
if (!signr)
continue;
}
@@ -2259,13 +2258,13 @@ relock:
ka = &sighand->action[signr-1];
/* Trace actually delivered signals. */
- trace_signal_deliver(signr, info, ka);
+ trace_signal_deliver(signr, &ksig->info, ka);
if (ka->sa.sa_handler == SIG_IGN) /* Do nothing. */
continue;
if (ka->sa.sa_handler != SIG_DFL) {
/* Run the handler. */
- *return_ka = *ka;
+ ksig->ka = *ka;
if (ka->sa.sa_flags & SA_ONESHOT)
ka->sa.sa_handler = SIG_DFL;
@@ -2315,7 +2314,7 @@ relock:
spin_lock_irq(&sighand->siglock);
}
- if (likely(do_signal_stop(info->si_signo))) {
+ if (likely(do_signal_stop(ksig->info.si_signo))) {
/* It released the siglock. */
goto relock;
}
@@ -2336,7 +2335,7 @@ relock:
if (sig_kernel_coredump(signr)) {
if (print_fatal_signals)
- print_fatal_signal(info->si_signo);
+ print_fatal_signal(ksig->info.si_signo);
proc_coredump_connector(current);
/*
* If it was able to dump core, this kills all
@@ -2346,17 +2345,19 @@ relock:
* first and our do_group_exit call below will use
* that value and ignore the one we pass it.
*/
- do_coredump(info);
+ do_coredump(&ksig->info);
}
/*
* Death signals, no core dump.
*/
- do_group_exit(info->si_signo);
+ do_group_exit(ksig->info.si_signo);
/* NOTREACHED */
}
spin_unlock_irq(&sighand->siglock);
- return signr;
+
+ ksig->sig = signr;
+ return ksig->sig > 0;
}
/**
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 127/202] score: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (122 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 050/202] ARC: show_regs: lockdep: avoid page allocator Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 056/202] vt: invoke notifier on screen size change Ben Hutchings
` (78 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger, Lennox Wu
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 2bb12b773feb3e792145961e57ab356e6134d4a5 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Acked-by: Lennox Wu <lennox.wu@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/score/kernel/signal.c | 43 ++++++++++++++++----------------------
1 file changed, 18 insertions(+), 25 deletions(-)
--- a/arch/score/kernel/signal.c
+++ b/arch/score/kernel/signal.c
@@ -173,15 +173,15 @@ badframe:
return 0;
}
-static int setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs,
- int signr, sigset_t *set, siginfo_t *info)
+static int setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs,
+ sigset_t *set)
{
struct rt_sigframe __user *frame;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
/*
* Set up the return code ...
@@ -194,7 +194,7 @@ static int setup_rt_frame(struct k_sigac
err |= __put_user(0x80008002, frame->rs_code + 1);
flush_cache_sigtramp((unsigned long) frame->rs_code);
- err |= copy_siginfo_to_user(&frame->rs_info, info);
+ err |= copy_siginfo_to_user(&frame->rs_info, &ksig->info);
err |= __put_user(0, &frame->rs_uc.uc_flags);
err |= __put_user(NULL, &frame->rs_uc.uc_link);
err |= __save_altstack(&frame->rs_uc.uc_stack, regs->regs[0]);
@@ -202,26 +202,23 @@ static int setup_rt_frame(struct k_sigac
err |= __copy_to_user(&frame->rs_uc.uc_sigmask, set, sizeof(*set));
if (err)
- goto give_sigsegv;
+ return -EFAULT;
regs->regs[0] = (unsigned long) frame;
regs->regs[3] = (unsigned long) frame->rs_code;
- regs->regs[4] = signr;
+ regs->regs[4] = ksig->sig;
regs->regs[5] = (unsigned long) &frame->rs_info;
regs->regs[6] = (unsigned long) &frame->rs_uc;
- regs->regs[29] = (unsigned long) ka->sa.sa_handler;
- regs->cp0_epc = (unsigned long) ka->sa.sa_handler;
+ regs->regs[29] = (unsigned long) ksig->ka.sa.sa_handler;
+ regs->cp0_epc = (unsigned long) ksig->ka.sa.sa_handler;
return 0;
-
-give_sigsegv:
- force_sigsegv(signr, current);
- return -EFAULT;
}
-static void handle_signal(unsigned long sig, siginfo_t *info,
- struct k_sigaction *ka, struct pt_regs *regs)
+static void handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
+ int ret;
+
if (regs->is_syscall) {
switch (regs->regs[4]) {
case ERESTART_RESTARTBLOCK:
@@ -229,7 +226,7 @@ static void handle_signal(unsigned long
regs->regs[4] = EINTR;
break;
case ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->regs[4] = EINTR;
break;
}
@@ -245,17 +242,14 @@ static void handle_signal(unsigned long
/*
* Set up the stack frame
*/
- if (setup_rt_frame(ka, regs, sig, sigmask_to_save(), info) < 0)
- return;
+ ret = setup_rt_frame(ksig, regs, sigmask_to_save());
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(ret, ksig, 0);
}
static void do_signal(struct pt_regs *regs)
{
- struct k_sigaction ka;
- siginfo_t info;
- int signr;
+ struct ksignal ksig;
/*
* We want the common case to go fast, which is why we may in certain
@@ -265,10 +259,9 @@ static void do_signal(struct pt_regs *re
if (!user_mode(regs))
return;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Actually deliver the signal. */
- handle_signal(signr, &info, &ka, regs);
+ handle_signal(&ksig, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 114/202] hexagon: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (7 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 035/202] s390/mm: always force a load of the primary ASCE on context switch Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 086/202] dmaengine: imx-dma: fix wrong callback invoke Ben Hutchings
` (193 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Richard Weinberger, Richard Kuo
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit ac443624490f7033aefd06713e7761aee5977de3 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Acked-by: Richard Kuo <rkuo@codeaurora.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/hexagon/kernel/signal.c | 45 +++++++++++++++---------------------
1 file changed, 18 insertions(+), 27 deletions(-)
--- a/arch/hexagon/kernel/signal.c
+++ b/arch/hexagon/kernel/signal.c
@@ -112,20 +112,20 @@ static int restore_sigcontext(struct pt_
/*
* Setup signal stack frame with siginfo structure
*/
-static int setup_rt_frame(int signr, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
int err = 0;
struct rt_sigframe __user *frame;
struct hexagon_vdso *vdso = current->mm->context.vdso;
- frame = get_sigframe(ka, regs, sizeof(struct rt_sigframe));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe));
if (!access_ok(VERIFY_WRITE, frame, sizeof(struct rt_sigframe)))
- goto sigsegv;
+ return -EFAULT;
- if (copy_siginfo_to_user(&frame->info, info))
- goto sigsegv;
+ if (copy_siginfo_to_user(&frame->info, &ksig->info))
+ return -EFAULT;
/* The on-stack signal trampoline is no longer executed;
* however, the libgcc signal frame unwinding code checks for
@@ -137,29 +137,26 @@ static int setup_rt_frame(int signr, str
err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
err |= __save_altstack(&frame->uc.uc_stack, user_stack_pointer(regs));
if (err)
- goto sigsegv;
+ return -EFAULT;
/* Load r0/r1 pair with signumber/siginfo pointer... */
regs->r0100 = ((unsigned long long)((unsigned long)&frame->info) << 32)
- | (unsigned long long)signr;
+ | (unsigned long long)ksig->sig;
regs->r02 = (unsigned long) &frame->uc;
regs->r31 = (unsigned long) vdso->rt_signal_trampoline;
pt_psp(regs) = (unsigned long) frame;
- pt_set_elr(regs, (unsigned long)ka->sa.sa_handler);
+ pt_set_elr(regs, (unsigned long)ksig->ka.sa.sa_handler);
return 0;
-
-sigsegv:
- force_sigsegv(signr, current);
- return -EFAULT;
}
/*
* Setup invocation of signal handler
*/
-static void handle_signal(int sig, siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs *regs)
+static void handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
+ int ret;
+
/*
* If we're handling a signal that aborted a system call,
* set up the error return value before adding the signal
@@ -173,7 +170,7 @@ static void handle_signal(int sig, sigin
regs->r00 = -EINTR;
break;
case -ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->r00 = -EINTR;
break;
}
@@ -193,11 +190,9 @@ static void handle_signal(int sig, sigin
* only set up the rt_frame flavor.
*/
/* If there was an error on setup, no signal was delivered. */
- if (setup_rt_frame(sig, ka, info, sigmask_to_save(), regs) < 0)
- return;
+ ret = setup_rt_frame(ksig, sigmask_to_save(), regs);
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLESTEP));
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
}
/*
@@ -205,17 +200,13 @@ static void handle_signal(int sig, sigin
*/
void do_signal(struct pt_regs *regs)
{
- struct k_sigaction sigact;
- siginfo_t info;
- int signo;
+ struct ksignal ksig;
if (!user_mode(regs))
return;
- signo = get_signal_to_deliver(&info, &sigact, regs, NULL);
-
- if (signo > 0) {
- handle_signal(signo, &info, &sigact, regs);
+ if (get_signal(&ksig)) {
+ handle_signal(&ksig, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 085/202] mm: migrate: don't rely on __PageMovable() of newpage after unlocking it
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (23 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 098/202] s390/qeth: conclude all event processing before offlining a card Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 199/202] binfmt_elf: Fix missing SIGKILL for empty PIE Ben Hutchings
` (177 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Naoya Horiguchi, Andrea Arcangeli,
Matthew Wilcox, David Hildenbrand, Mel Gorman, Dominik Brodowski,
Vratislav Bendel, Konstantin Khlebnikov, Rafael Aquini, Jan Kara,
Michal Hocko, Minchan Kim, Kirill A. Shutemov, Linus Torvalds
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit e0a352fabce61f730341d119fbedf71ffdb8663f upstream.
We had a race in the old balloon compaction code before b1123ea6d3b3
("mm: balloon: use general non-lru movable page feature") refactored it
that became visible after backporting 195a8c43e93d ("virtio-balloon:
deflate via a page list") without the refactoring.
The bug existed from commit d6d86c0a7f8d ("mm/balloon_compaction:
redesign ballooned pages management") till b1123ea6d3b3 ("mm: balloon:
use general non-lru movable page feature"). d6d86c0a7f8d
("mm/balloon_compaction: redesign ballooned pages management") was
backported to 3.12, so the broken kernels are stable kernels [3.12 -
4.7].
There was a subtle race between dropping the page lock of the newpage in
__unmap_and_move() and checking for __is_movable_balloon_page(newpage).
Just after dropping this page lock, virtio-balloon could go ahead and
deflate the newpage, effectively dequeueing it and clearing PageBalloon,
in turn making __is_movable_balloon_page(newpage) fail.
This resulted in dropping the reference of the newpage via
putback_lru_page(newpage) instead of put_page(newpage), leading to
page->lru getting modified and a !LRU page ending up in the LRU lists.
With 195a8c43e93d ("virtio-balloon: deflate via a page list")
backported, one would suddenly get corrupted lists in
release_pages_balloon():
- WARNING: CPU: 13 PID: 6586 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0
- list_del corruption. prev->next should be ffffe253961090a0, but was dead000000000100
Nowadays this race is no longer possible, but it is hidden behind very
ugly handling of __ClearPageMovable() and __PageMovable().
__ClearPageMovable() will not make __PageMovable() fail, only
PageMovable(). So the new check (__PageMovable(newpage)) will still
hold even after newpage was dequeued by virtio-balloon.
If anybody would ever change that special handling, the BUG would be
introduced again. So instead, make it explicit and use the information
of the original isolated page before migration.
This patch can be backported fairly easy to stable kernels (in contrast
to the refactoring).
Link: http://lkml.kernel.org/r/20190129233217.10747-1-david@redhat.com
Fixes: d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reported-by: Vratislav Bendel <vbendel@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Rafael Aquini <aquini@redhat.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Vratislav Bendel <vbendel@redhat.com>
Cc: Rafael Aquini <aquini@redhat.com>
Cc: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
Cc: Minchan Kim <minchan@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
- Add the is_lru flag variable to unmap_and_move()
- Keep using __is_movable_balloon_page() instead of __PageMovable()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -927,6 +927,7 @@ static int unmap_and_move(new_page_t get
int rc = 0;
int *result = NULL;
struct page *newpage = get_new_page(page, private, &result);
+ bool is_lru = !__is_movable_balloon_page(page);
if (!newpage)
return -ENOMEM;
@@ -959,12 +960,15 @@ out:
/*
* If migration was not successful and there's a freeing callback, use
* it. Otherwise, putback_lru_page() will drop the reference grabbed
- * during isolation.
+ * during isolation. Use the old state of the isolated source page to
+ * determine if we migrated a LRU page. newpage was already unlocked
+ * and possibly modified by its owner - don't rely on the page
+ * state.
*/
if (rc != MIGRATEPAGE_SUCCESS && put_new_page) {
ClearPageSwapBacked(newpage);
put_new_page(newpage, private);
- } else if (unlikely(__is_movable_balloon_page(newpage))) {
+ } else if (unlikely(!is_lru)) {
/* drop our reference, page already in the balloon */
put_page(newpage);
} else
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 039/202] net/phy: micrel: Add workaround for bad autoneg
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (168 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 094/202] perf tests evsel-tp-sched: Fix bitwise operator Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 187/202] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Ben Hutchings
` (32 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Nathan Sullivan, David S. Miller
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Sullivan <nathan.sullivan@ni.com>
commit d2fd719bcb0e83cb39cfee22ee800f98a56eceb3 upstream.
Very rarely, the KSZ9031 will appear to complete autonegotiation, but
will drop all traffic afterwards. When this happens, the idle error
count will read 0xFF after autonegotiation completes. Reset the PHY
when in that state.
Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16 as dependency of commit 1d16073a3268
"net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/phy/micrel.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -415,6 +415,27 @@ static int ksz8873mll_read_status(struct
return 0;
}
+static int ksz9031_read_status(struct phy_device *phydev)
+{
+ int err;
+ int regval;
+
+ err = genphy_read_status(phydev);
+ if (err)
+ return err;
+
+ /* Make sure the PHY is not broken. Read idle error count,
+ * and reset the PHY if it is maxed out.
+ */
+ regval = phy_read(phydev, MII_STAT1000);
+ if ((regval & 0xFF) == 0xFF) {
+ phy_init_hw(phydev);
+ phydev->link = 0;
+ }
+
+ return 0;
+}
+
static int ksz8873mll_config_aneg(struct phy_device *phydev)
{
return 0;
@@ -575,7 +596,7 @@ static struct phy_driver ksphy_driver[]
.flags = PHY_HAS_MAGICANEG | PHY_HAS_INTERRUPT,
.config_init = ksz9031_config_init,
.config_aneg = genphy_config_aneg,
- .read_status = genphy_read_status,
+ .read_status = ksz9031_read_status,
.ack_interrupt = kszphy_ack_interrupt,
.config_intr = ksz9021_config_intr,
.suspend = genphy_suspend,
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 037/202] x86/kaslr: Fix incorrect i8254 outb() parameters
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (183 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 060/202] can: bcm: check timer values before ktime conversion Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 133/202] xtensa: Use get_signal() signal_setup_done() Ben Hutchings
` (17 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, linux, Daniel Drake, bp, hpa, Thomas Gleixner
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Drake <drake@endlessm.com>
commit 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4 upstream.
The outb() function takes parameters value and port, in that order. Fix
the parameters used in the kalsr i8254 fallback code.
Fixes: 5bfce5ef55cb ("x86, kaslr: Provide randomness functions")
Signed-off-by: Daniel Drake <drake@endlessm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: bp@alien8.de
Cc: hpa@zytor.com
Cc: linux@endlessm.com
Link: https://lkml.kernel.org/r/20190107034024.15005-1-drake@endlessm.com
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/boot/compressed/aslr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/boot/compressed/aslr.c
+++ b/arch/x86/boot/compressed/aslr.c
@@ -25,8 +25,8 @@ static inline u16 i8254(void)
u16 status, timer;
do {
- outb(I8254_PORT_CONTROL,
- I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
+ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0,
+ I8254_PORT_CONTROL);
status = inb(I8254_PORT_COUNTER0);
timer = inb(I8254_PORT_COUNTER0);
timer |= inb(I8254_PORT_COUNTER0) << 8;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 063/202] drm/modes: Prevent division by zero htotal
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (42 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 202/202] tty: mark Siemens R3964 line discipline as BROKEN Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 036/202] s390/smp: fix CPU hotplug deadlock with CPU rescan Ben Hutchings
` (158 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Adam Jackson, Tina Zhang, Daniel Vetter,
Dave Airlie, Daniel Vetter
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tina Zhang <tina.zhang@intel.com>
commit a2fcd5c84f7a7825e028381b10182439067aa90d upstream.
This patch prevents division by zero htotal.
In a follow-up mail Tina writes:
> > How did you manage to get here with htotal == 0? This needs backtraces (or if
> > this is just about static checkers, a mention of that).
> > -Daniel
>
> In GVT-g, we are trying to enable a virtual display w/o setting timings for a pipe
> (a.k.a htotal=0), then we met the following kernel panic:
>
> [ 32.832048] divide error: 0000 [#1] SMP PTI
> [ 32.833614] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.0-rc4-sriov+ #33
> [ 32.834438] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.10.1-0-g8891697-dirty-20180511_165818-tinazhang-linux-1 04/01/2014
> [ 32.835901] RIP: 0010:drm_mode_hsync+0x1e/0x40
> [ 32.836004] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 <f7> f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66
> [ 32.836004] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206
> [ 32.836004] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000
> [ 32.836004] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0
> [ 32.836004] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330
> [ 32.836004] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000
> [ 32.836004] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800
> [ 32.836004] FS: 0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000
> [ 32.836004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 32.836004] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0
> [ 32.836004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 32.836004] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 32.836004] Call Trace:
> [ 32.836004] intel_mode_from_pipe_config+0x72/0x90
> [ 32.836004] intel_modeset_setup_hw_state+0x569/0xf90
> [ 32.836004] intel_modeset_init+0x905/0x1db0
> [ 32.836004] i915_driver_load+0xb8c/0x1120
> [ 32.836004] i915_pci_probe+0x4d/0xb0
> [ 32.836004] local_pci_probe+0x44/0xa0
> [ 32.836004] ? pci_assign_irq+0x27/0x130
> [ 32.836004] pci_device_probe+0x102/0x1c0
> [ 32.836004] driver_probe_device+0x2b8/0x480
> [ 32.836004] __driver_attach+0x109/0x110
> [ 32.836004] ? driver_probe_device+0x480/0x480
> [ 32.836004] bus_for_each_dev+0x67/0xc0
> [ 32.836004] ? klist_add_tail+0x3b/0x70
> [ 32.836004] bus_add_driver+0x1e8/0x260
> [ 32.836004] driver_register+0x5b/0xe0
> [ 32.836004] ? mipi_dsi_bus_init+0x11/0x11
> [ 32.836004] do_one_initcall+0x4d/0x1eb
> [ 32.836004] kernel_init_freeable+0x197/0x237
> [ 32.836004] ? rest_init+0xd0/0xd0
> [ 32.836004] kernel_init+0xa/0x110
> [ 32.836004] ret_from_fork+0x35/0x40
> [ 32.836004] Modules linked in:
> [ 32.859183] ---[ end trace 525608b0ed0e8665 ]---
> [ 32.859722] RIP: 0010:drm_mode_hsync+0x1e/0x40
> [ 32.860287] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 <f7> f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66
> [ 32.862680] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206
> [ 32.863309] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000
> [ 32.864182] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0
> [ 32.865206] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330
> [ 32.866359] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000
> [ 32.867213] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800
> [ 32.868075] FS: 0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000
> [ 32.868983] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 32.869659] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0
> [ 32.870599] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 32.871598] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 32.872549] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
>
> Since drm_mode_hsync() has the logic to check mode->htotal, I just extend it to cover the case htotal==0.
Signed-off-by: Tina Zhang <tina.zhang@intel.com>
Cc: Adam Jackson <ajax@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
[danvet: Add additional explanations + cc: stable.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/1548228539-3061-1-git-send-email-tina.zhang@intel.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/drm_modes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -682,7 +682,7 @@ int drm_mode_hsync(const struct drm_disp
if (mode->hsync)
return mode->hsync;
- if (mode->htotal < 0)
+ if (mode->htotal <= 0)
return 0;
calc_val = (mode->clock * 1000) / mode->htotal; /* hsync in Hz */
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 059/202] can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (56 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 090/202] perf/x86/intel/uncore: Add Node ID mask Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 041/202] net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround Ben Hutchings
` (144 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Marc Kleine-Budde, Manfred Schlaegl
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
commit 7b12c8189a3dc50638e7d53714c88007268d47ef upstream.
This patch revert commit 7da11ba5c506
("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
After introduction of this change we encountered following new error
message on various i.MX plattforms (flexcan):
| flexcan 53fc8000.can can0: __can_get_echo_skb: BUG! Trying to echo non
| existing skb: can_priv::echo_skb[0]
The introduction of the message was a mistake because
priv->echo_skb[idx] = NULL is a perfectly valid in following case: If
CAN_RAW_LOOPBACK is disabled (setsockopt) in applications, the pkt_type
of the tx skb's given to can_put_echo_skb is set to PACKET_LOOPBACK. In
this case can_put_echo_skb will not set priv->echo_skb[idx]. It is
therefore kept NULL.
As additional argument for revert: The order of check and usage of idx
was changed. idx is used to access an array element before checking it's
boundaries.
Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
Fixes: 7da11ba5c506 ("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/can/dev.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -425,8 +425,6 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
{
struct can_priv *priv = netdev_priv(dev);
- struct sk_buff *skb = priv->echo_skb[idx];
- struct canfd_frame *cf;
if (idx >= priv->echo_skb_max) {
netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
@@ -434,20 +432,21 @@ struct sk_buff *__can_get_echo_skb(struc
return NULL;
}
- if (!skb) {
- netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
- __func__, idx);
- return NULL;
- }
+ if (priv->echo_skb[idx]) {
+ /* Using "struct canfd_frame::len" for the frame
+ * length is supported on both CAN and CANFD frames.
+ */
+ struct sk_buff *skb = priv->echo_skb[idx];
+ struct canfd_frame *cf = (struct canfd_frame *)skb->data;
+ u8 len = cf->len;
- /* Using "struct canfd_frame::len" for the frame
- * length is supported on both CAN and CANFD frames.
- */
- cf = (struct canfd_frame *)skb->data;
- *len_ptr = cf->len;
- priv->echo_skb[idx] = NULL;
+ *len_ptr = len;
+ priv->echo_skb[idx] = NULL;
+
+ return skb;
+ }
- return skb;
+ return NULL;
}
/*
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 071/202] usb: phy: am335x: fix race condition in _probe
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (170 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 187/202] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 026/202] rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set Ben Hutchings
` (30 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Bin Liu, Felipe Balbi
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bin Liu <b-liu@ti.com>
commit a53469a68eb886e84dd8b69a1458a623d3591793 upstream.
power off the phy should be done before populate the phy. Otherwise,
am335x_init() could be called by the phy owner to power on the phy first,
then am335x_phy_probe() turns off the phy again without the caller knowing
it.
Fixes: 2fc711d76352 ("usb: phy: am335x: Enable USB remote wakeup using PHY wakeup")
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/phy/phy-am335x.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/usb/phy/phy-am335x.c
+++ b/drivers/usb/phy/phy-am335x.c
@@ -56,9 +56,6 @@ static int am335x_phy_probe(struct platf
if (ret)
return ret;
- ret = usb_add_phy_dev(&am_phy->usb_phy_gen.phy);
- if (ret)
- return ret;
am_phy->usb_phy_gen.phy.init = am335x_init;
am_phy->usb_phy_gen.phy.shutdown = am335x_shutdown;
@@ -77,7 +74,7 @@ static int am335x_phy_probe(struct platf
device_set_wakeup_enable(dev, false);
phy_ctrl_power(am_phy->phy_ctrl, am_phy->id, false);
- return 0;
+ return usb_add_phy_dev(&am_phy->usb_phy_gen.phy);
}
static int am335x_phy_remove(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 091/202] perf/core: Don't WARN() for impossible ring-buffer sizes
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (161 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 066/202] debugfs: fix debugfs_rename parameter checking Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 148/202] x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available Ben Hutchings
` (39 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Julien Thierry, Linus Torvalds,
Mark Rutland, Jiri Olsa, Thomas Gleixner, Peter Zijlstra (Intel),
Arnaldo Carvalho de Melo, Alexander Shishkin, Ingo Molnar,
Namhyung Kim
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit 9dff0aa95a324e262ffb03f425d00e4751f3294e upstream.
The perf tool uses /proc/sys/kernel/perf_event_mlock_kb to determine how
large its ringbuffer mmap should be. This can be configured to arbitrary
values, which can be larger than the maximum possible allocation from
kmalloc.
When this is configured to a suitably large value (e.g. thanks to the
perf fuzzer), attempting to use perf record triggers a WARN_ON_ONCE() in
__alloc_pages_nodemask():
WARNING: CPU: 2 PID: 5666 at mm/page_alloc.c:4511 __alloc_pages_nodemask+0x3f8/0xbc8
Let's avoid this by checking that the requested allocation is possible
before calling kzalloc.
Reported-by: Julien Thierry <julien.thierry@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Julien Thierry <julien.thierry@arm.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190110142745.25495-1-mark.rutland@arm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/events/ring_buffer.c | 3 +++
1 file changed, 3 insertions(+)
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -282,6 +282,9 @@ struct ring_buffer *rb_alloc(int nr_page
size = sizeof(struct ring_buffer);
size += nr_pages * sizeof(void *);
+ if (order_base_2(size) >= MAX_ORDER)
+ goto fail;
+
rb = kzalloc(size, GFP_KERNEL);
if (!rb)
goto fail;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 093/202] dmaengine: dmatest: Abort test in case of mapping error
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (100 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 143/202] vsock: cope with memory allocation failure at socket creation time Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 193/202] brcmfmac: consolidate ifp lookup in driver core Ben Hutchings
` (100 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Vinod Koul, Dan Williams, Andy Shevchenko
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 6454368a804c4955ccd116236037536f81e5b1f1 upstream.
In case of mapping error the DMA addresses are invalid and continuing
will screw system memory or potentially something else.
[ 222.480310] dmatest: dma0chan7-copy0: summary 1 tests, 3 failures 6 iops 349 KB/s (0)
...
[ 240.912725] check: Corrupted low memory at 00000000c7c75ac9 (2940 phys) = 5656000000000000
[ 240.921998] check: Corrupted low memory at 000000005715a1cd (2948 phys) = 279f2aca5595ab2b
[ 240.931280] check: Corrupted low memory at 000000002f4024c0 (2950 phys) = 5e5624f349e793cf
...
Abort any test if mapping failed.
Fixes: 4076e755dbec ("dmatest: convert to dmaengine_unmap_data")
Cc: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/dma/dmatest.c | 32 ++++++++++++++------------------
1 file changed, 14 insertions(+), 18 deletions(-)
--- a/drivers/dma/dmatest.c
+++ b/drivers/dma/dmatest.c
@@ -562,11 +562,9 @@ static int dmatest_func(void *data)
srcs[i] = um->addr[i] + src_off;
ret = dma_mapping_error(dev->dev, um->addr[i]);
if (ret) {
- dmaengine_unmap_put(um);
result("src mapping error", total_tests,
src_off, dst_off, len, ret);
- failed_tests++;
- continue;
+ goto error_unmap_continue;
}
um->to_cnt++;
}
@@ -581,11 +579,9 @@ static int dmatest_func(void *data)
DMA_BIDIRECTIONAL);
ret = dma_mapping_error(dev->dev, dsts[i]);
if (ret) {
- dmaengine_unmap_put(um);
result("dst mapping error", total_tests,
src_off, dst_off, len, ret);
- failed_tests++;
- continue;
+ goto error_unmap_continue;
}
um->bidi_cnt++;
}
@@ -610,12 +606,10 @@ static int dmatest_func(void *data)
}
if (!tx) {
- dmaengine_unmap_put(um);
result("prep error", total_tests, src_off,
dst_off, len, ret);
msleep(100);
- failed_tests++;
- continue;
+ goto error_unmap_continue;
}
done->done = false;
@@ -624,12 +618,10 @@ static int dmatest_func(void *data)
cookie = tx->tx_submit(tx);
if (dma_submit_error(cookie)) {
- dmaengine_unmap_put(um);
result("submit error", total_tests, src_off,
dst_off, len, ret);
msleep(100);
- failed_tests++;
- continue;
+ goto error_unmap_continue;
}
dma_async_issue_pending(chan);
@@ -638,22 +630,20 @@ static int dmatest_func(void *data)
status = dma_async_is_tx_complete(chan, cookie, NULL, NULL);
- dmaengine_unmap_put(um);
-
if (!done->done) {
result("test timed out", total_tests, src_off, dst_off,
len, 0);
- failed_tests++;
- continue;
+ goto error_unmap_continue;
} else if (status != DMA_COMPLETE) {
result(status == DMA_ERROR ?
"completion error status" :
"completion busy status", total_tests, src_off,
dst_off, len, ret);
- failed_tests++;
- continue;
+ goto error_unmap_continue;
}
+ dmaengine_unmap_put(um);
+
if (params->noverify) {
verbose_result("test passed", total_tests, src_off,
dst_off, len, 0);
@@ -688,6 +678,12 @@ static int dmatest_func(void *data)
verbose_result("test passed", total_tests, src_off,
dst_off, len, 0);
}
+
+ continue;
+
+error_unmap_continue:
+ dmaengine_unmap_put(um);
+ failed_tests++;
}
runtime = ktime_us_delta(ktime_get(), ktime);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 103/202] ALSA: compress: Fix stop handling on compressed capture streams
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (47 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 152/202] team: avoid complex list operations in team_nl_cmd_options_set() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 163/202] assoc_array: Fix shortcut creation Ben Hutchings
` (153 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Charles Keepax
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax <ckeepax@opensource.cirrus.com>
commit 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 upstream.
It is normal user behaviour to start, stop, then start a stream
again without closing it. Currently this works for compressed
playback streams but not capture ones.
The states on a compressed capture stream go directly from OPEN to
PREPARED, unlike a playback stream which moves to SETUP and waits
for a write of data before moving to PREPARED. Currently however,
when a stop is sent the state is set to SETUP for both types of
streams. This leaves a capture stream in the situation where a new
start can't be sent as that requires the state to be PREPARED and
a new set_params can't be sent as that requires the state to be
OPEN. The only option being to close the stream, and then reopen.
Correct this issues by allowing snd_compr_drain_notify to set the
state depending on the stream direction, as we already do in
set_params.
Fixes: 49bb6402f1aa ("ALSA: compress_core: Add support for capture streams")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/sound/compress_driver.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/include/sound/compress_driver.h
+++ b/include/sound/compress_driver.h
@@ -176,7 +176,11 @@ static inline void snd_compr_drain_notif
if (snd_BUG_ON(!stream))
return;
- stream->runtime->state = SNDRV_PCM_STATE_SETUP;
+ if (stream->direction == SND_COMPRESS_PLAYBACK)
+ stream->runtime->state = SNDRV_PCM_STATE_SETUP;
+ else
+ stream->runtime->state = SNDRV_PCM_STATE_PREPARED;
+
wake_up(&stream->runtime->sleep);
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 110/202] blackfin: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (98 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 183/202] net: netem: fix skb length BUG_ON in __skb_to_sgvec Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 143/202] vsock: cope with memory allocation failure at socket creation time Ben Hutchings
` (102 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Richard Weinberger, Steven Miao
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 1270cff147a39f7da5b25225dca6ca3132ca6130 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Steven Miao <realmz6@gmail.com>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/blackfin/kernel/signal.c | 39 +++++++++++++++--------------------
1 file changed, 17 insertions(+), 22 deletions(-)
--- a/arch/blackfin/kernel/signal.c
+++ b/arch/blackfin/kernel/signal.c
@@ -152,23 +152,22 @@ static inline void *get_sigframe(struct
}
static int
-setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t * info,
- sigset_t * set, struct pt_regs *regs)
+setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
{
struct rt_sigframe *frame;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
err |= __put_user((current_thread_info()->exec_domain
&& current_thread_info()->exec_domain->signal_invmap
- && sig < 32
+ && ksig->sig < 32
? current_thread_info()->exec_domain->
- signal_invmap[sig] : sig), &frame->sig);
+ signal_invmap[ksig->sig] : ksig->sig), &frame->sig);
err |= __put_user(&frame->info, &frame->pinfo);
err |= __put_user(&frame->uc, &frame->puc);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
/* Create the ucontext. */
err |= __put_user(0, &frame->uc.uc_flags);
@@ -183,7 +182,7 @@ setup_rt_frame(int sig, struct k_sigacti
/* Set up registers for signal handler */
if (current->personality & FDPIC_FUNCPTRS) {
struct fdpic_func_descriptor __user *funcptr =
- (struct fdpic_func_descriptor *) ka->sa.sa_handler;
+ (struct fdpic_func_descriptor *) ksig->ka.sa.sa_handler;
u32 pc, p3;
err |= __get_user(pc, &funcptr->text);
err |= __get_user(p3, &funcptr->GOT);
@@ -192,7 +191,7 @@ setup_rt_frame(int sig, struct k_sigacti
regs->pc = pc;
regs->p3 = p3;
} else
- regs->pc = (unsigned long)ka->sa.sa_handler;
+ regs->pc = (unsigned long)ksig->ka.sa.sa_handler;
wrusp((unsigned long)frame);
regs->rets = SIGRETURN_STUB;
@@ -237,20 +236,19 @@ handle_restart(struct pt_regs *regs, str
* OK, we're invoking a handler
*/
static void
-handle_signal(int sig, siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs *regs)
+handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
+ int ret;
+
/* are we from a system call? to see pt_regs->orig_p0 */
if (regs->orig_p0 >= 0)
/* If so, check system call restarting.. */
- handle_restart(regs, ka, 1);
+ handle_restart(regs, &ksig->ka, 1);
/* set up the stack frame */
- if (setup_rt_frame(sig, ka, info, sigmask_to_save(), regs) < 0)
- force_sigsegv(sig, current);
- else
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLESTEP));
+ ret = setup_rt_frame(ksig, sigmask_to_save(), regs);
+
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
}
/*
@@ -264,16 +262,13 @@ handle_signal(int sig, siginfo_t *info,
*/
asmlinkage void do_signal(struct pt_regs *regs)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
current->thread.esp0 = (unsigned long)regs;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Whee! Actually deliver the signal. */
- handle_signal(signr, &info, &ka, regs);
+ handle_signal(&ksig, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 122/202] parisc: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (96 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 161/202] netfilter: nf_tables: fix flush after rule deletion in the same batch Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 183/202] net: netem: fix skb length BUG_ON in __skb_to_sgvec Ben Hutchings
` (104 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Helge Deller, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit e4dc894b61776733629b24507031dd46f5ba5efc upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Helge Deller <deller@gmx.de>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/parisc/kernel/signal.c | 58 +++++++++++++++----------------------
1 file changed, 24 insertions(+), 34 deletions(-)
--- a/arch/parisc/kernel/signal.c
+++ b/arch/parisc/kernel/signal.c
@@ -227,8 +227,8 @@ setup_sigcontext(struct sigcontext __use
}
static long
-setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs, int in_syscall)
+setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs,
+ int in_syscall)
{
struct rt_sigframe __user *frame;
unsigned long rp, usp;
@@ -241,10 +241,10 @@ setup_rt_frame(int sig, struct k_sigacti
usp = (regs->gr[30] & ~(0x01UL));
/*FIXME: frame_size parameter is unused, remove it. */
- frame = get_sigframe(ka, usp, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, usp, sizeof(*frame));
DBG(1,"SETUP_RT_FRAME: START\n");
- DBG(1,"setup_rt_frame: frame %p info %p\n", frame, info);
+ DBG(1,"setup_rt_frame: frame %p info %p\n", frame, ksig->info);
#ifdef CONFIG_64BIT
@@ -253,7 +253,7 @@ setup_rt_frame(int sig, struct k_sigacti
if (is_compat_task()) {
DBG(1,"setup_rt_frame: frame->info = 0x%p\n", &compat_frame->info);
- err |= copy_siginfo_to_user32(&compat_frame->info, info);
+ err |= copy_siginfo_to_user32(&compat_frame->info, &ksig->info);
err |= __compat_save_altstack( &compat_frame->uc.uc_stack, regs->gr[30]);
DBG(1,"setup_rt_frame: frame->uc = 0x%p\n", &compat_frame->uc);
DBG(1,"setup_rt_frame: frame->uc.uc_mcontext = 0x%p\n", &compat_frame->uc.uc_mcontext);
@@ -265,7 +265,7 @@ setup_rt_frame(int sig, struct k_sigacti
#endif
{
DBG(1,"setup_rt_frame: frame->info = 0x%p\n", &frame->info);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
err |= __save_altstack(&frame->uc.uc_stack, regs->gr[30]);
DBG(1,"setup_rt_frame: frame->uc = 0x%p\n", &frame->uc);
DBG(1,"setup_rt_frame: frame->uc.uc_mcontext = 0x%p\n", &frame->uc.uc_mcontext);
@@ -275,7 +275,7 @@ setup_rt_frame(int sig, struct k_sigacti
}
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
already in userspace. The first words of tramp are used to
@@ -312,9 +312,9 @@ setup_rt_frame(int sig, struct k_sigacti
rp = (unsigned long) &frame->tramp[SIGRESTARTBLOCK_TRAMP];
if (err)
- goto give_sigsegv;
+ return -EFAULT;
- haddr = A(ka->sa.sa_handler);
+ haddr = A(ksig->ka.sa.sa_handler);
/* The sa_handler may be a pointer to a function descriptor */
#ifdef CONFIG_64BIT
if (is_compat_task()) {
@@ -326,7 +326,7 @@ setup_rt_frame(int sig, struct k_sigacti
err = __copy_from_user(&fdesc, ufdesc, sizeof(fdesc));
if (err)
- goto give_sigsegv;
+ return -EFAULT;
haddr = fdesc.addr;
regs->gr[19] = fdesc.gp;
@@ -339,7 +339,7 @@ setup_rt_frame(int sig, struct k_sigacti
err = __copy_from_user(&fdesc, ufdesc, sizeof(fdesc));
if (err)
- goto give_sigsegv;
+ return -EFAULT;
haddr = fdesc.addr;
regs->gr[19] = fdesc.gp;
@@ -386,7 +386,7 @@ setup_rt_frame(int sig, struct k_sigacti
}
regs->gr[2] = rp; /* userland return pointer */
- regs->gr[26] = sig; /* signal number */
+ regs->gr[26] = ksig->sig; /* signal number */
#ifdef CONFIG_64BIT
if (is_compat_task()) {
@@ -410,11 +410,6 @@ setup_rt_frame(int sig, struct k_sigacti
current->comm, current->pid, frame, regs->gr[30],
regs->iaoq[0], regs->iaoq[1], rp);
- return 1;
-
-give_sigsegv:
- DBG(1,"setup_rt_frame: sending SIGSEGV\n");
- force_sigsegv(sig, current);
return 0;
}
@@ -423,20 +418,19 @@ give_sigsegv:
*/
static void
-handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs *regs, int in_syscall)
+handle_signal(struct ksignal *ksig, struct pt_regs *regs, int in_syscall)
{
+ int ret;
sigset_t *oldset = sigmask_to_save();
+
DBG(1,"handle_signal: sig=%ld, ka=%p, info=%p, oldset=%p, regs=%p\n",
- sig, ka, info, oldset, regs);
+ ksig->sig, ksig->ka, ksig->info, oldset, regs);
/* Set up the stack frame */
- if (!setup_rt_frame(sig, ka, info, oldset, regs, in_syscall))
- return;
+ ret = setup_rt_frame(ksig, oldset, regs, in_syscall);
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLESTEP) ||
- test_thread_flag(TIF_BLOCKSTEP));
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP) ||
+ test_thread_flag(TIF_BLOCKSTEP));
DBG(1,KERN_DEBUG "do_signal: Exit (success), regs->gr[28] = %ld\n",
regs->gr[28]);
@@ -584,22 +578,18 @@ insert_restart_trampoline(struct pt_regs
asmlinkage void
do_signal(struct pt_regs *regs, long in_syscall)
{
- siginfo_t info;
- struct k_sigaction ka;
- int signr;
+ struct ksignal ksig;
DBG(1,"\ndo_signal: regs=0x%p, sr7 %#lx, in_syscall=%d\n",
regs, regs->sr[7], in_syscall);
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- DBG(3,"do_signal: signr = %d, regs->gr[28] = %ld\n", signr, regs->gr[28]);
-
- if (signr > 0) {
+ if (get_signal(&ksig)) {
+ DBG(3,"do_signal: signr = %d, regs->gr[28] = %ld\n", signr, regs->gr[28]);
/* Restart a system call if necessary. */
if (in_syscall)
- syscall_restart(regs, &ka);
+ syscall_restart(regs, &ksig.ka);
- handle_signal(signr, &info, &ka, regs, in_syscall);
+ handle_signal(&ksig, regs, in_syscall);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 131/202] unicore32: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (32 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 051/202] ARC: mm: do_page_fault fixes #1: relinquish mmap_sem if signal arrives while handle_mm_fault Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 179/202] net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails Ben Hutchings
` (168 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 649671c90eaf3cbbd0cd03460b6a92c0b674a32e upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/unicore32/kernel/signal.c | 48 ++++++++++++++--------------------
1 file changed, 20 insertions(+), 28 deletions(-)
diff --git a/arch/unicore32/kernel/signal.c b/arch/unicore32/kernel/signal.c
index 6905f0ebdc77..780d77388dec 100644
--- a/arch/unicore32/kernel/signal.c
+++ b/arch/unicore32/kernel/signal.c
@@ -238,10 +238,10 @@ static int setup_return(struct pt_regs *regs, struct k_sigaction *ka,
return 0;
}
-static int setup_frame(int usig, struct k_sigaction *ka,
- sigset_t *set, struct pt_regs *regs)
+static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
- struct sigframe __user *frame = get_sigframe(ka, regs, sizeof(*frame));
+ struct sigframe __user *frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
int err = 0;
if (!frame)
@@ -254,29 +254,29 @@ static int setup_frame(int usig, struct k_sigaction *ka,
err |= setup_sigframe(frame, regs, set);
if (err == 0)
- err |= setup_return(regs, ka, frame->retcode, frame, usig);
+ err |= setup_return(regs, &ksig->ka, frame->retcode, frame, usig);
return err;
}
-static int setup_rt_frame(int usig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame =
- get_sigframe(ka, regs, sizeof(*frame));
+ get_sigframe(&ksig->ka, regs, sizeof(*frame));
int err = 0;
if (!frame)
return 1;
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
err |= __put_user(0, &frame->sig.uc.uc_flags);
err |= __put_user(NULL, &frame->sig.uc.uc_link);
err |= __save_altstack(&frame->sig.uc.uc_stack, regs->UCreg_sp);
err |= setup_sigframe(&frame->sig, regs, set);
if (err == 0)
- err |= setup_return(regs, ka, frame->sig.retcode, frame, usig);
+ err |= setup_return(regs, &ksig->ka, frame->sig.retcode, frame, usig);
if (err == 0) {
/*
@@ -299,13 +299,13 @@ static inline void setup_syscall_restart(struct pt_regs *regs)
/*
* OK, we're invoking a handler
*/
-static void handle_signal(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, struct pt_regs *regs, int syscall)
+static void handle_signal(struct ksignal *ksig, struct pt_regs *regs,
+ int syscall)
{
struct thread_info *thread = current_thread_info();
struct task_struct *tsk = current;
sigset_t *oldset = sigmask_to_save();
- int usig = sig;
+ int usig = ksig->sig;
int ret;
/*
@@ -318,7 +318,7 @@ static void handle_signal(unsigned long sig, struct k_sigaction *ka,
regs->UCreg_00 = -EINTR;
break;
case -ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->UCreg_00 = -EINTR;
break;
}
@@ -338,22 +338,17 @@ static void handle_signal(unsigned long sig, struct k_sigaction *ka,
/*
* Set up the stack frame
*/
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame(usig, ka, info, oldset, regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = setup_rt_frame(ksig, oldset, regs);
else
- ret = setup_frame(usig, ka, oldset, regs);
+ ret = setup_frame(ksig, oldset, regs);
/*
* Check that the resulting registers are actually sane.
*/
ret |= !valid_user_regs(regs);
- if (ret != 0) {
- force_sigsegv(sig, tsk);
- return;
- }
-
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(ret, ksig, 0);
}
/*
@@ -367,9 +362,7 @@ static void handle_signal(unsigned long sig, struct k_sigaction *ka,
*/
static void do_signal(struct pt_regs *regs, int syscall)
{
- struct k_sigaction ka;
- siginfo_t info;
- int signr;
+ struct ksignal ksig;
/*
* We want the common case to go fast, which
@@ -380,9 +373,8 @@ static void do_signal(struct pt_regs *regs, int syscall)
if (!user_mode(regs))
return;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
- handle_signal(signr, &ka, &info, regs, syscall);
+ if (get_signsl(&ksig)) {
+ handle_signal(&ksig, regs, syscall);
return;
}
^ permalink raw reply related [flat|nested] 206+ messages in thread
* [PATCH 3.16 129/202] tile: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (151 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 025/202] drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 064/202] iommu/amd: Fix IOMMU page flush when detach device from a domain Ben Hutchings
` (49 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Chris Metcalf, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit b3707c7ed013d36752272ca2f9ed20dc8aed92e4 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Chris Metcalf <cmetcalf@tilera.com>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/tile/include/asm/compat.h | 3 +-
arch/tile/kernel/compat_signal.c | 29 ++++++++---------
arch/tile/kernel/signal.c | 54 ++++++++++++++------------------
3 files changed, 40 insertions(+), 46 deletions(-)
--- a/arch/tile/include/asm/compat.h
+++ b/arch/tile/include/asm/compat.h
@@ -267,8 +267,7 @@ static inline int is_compat_task(void)
return current_thread_info()->status & TS_COMPAT;
}
-extern int compat_setup_rt_frame(int sig, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *set,
+extern int compat_setup_rt_frame(struct ksignal *ksig, sigset_t *set,
struct pt_regs *regs);
/* Compat syscalls. */
--- a/arch/tile/kernel/compat_signal.c
+++ b/arch/tile/kernel/compat_signal.c
@@ -190,18 +190,18 @@ static inline void __user *compat_get_si
return (void __user *) sp;
}
-int compat_setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+int compat_setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
unsigned long restorer;
struct compat_rt_sigframe __user *frame;
- int err = 0;
+ int err = 0, sig = ksig->sig;
int usig;
- frame = compat_get_sigframe(ka, regs, sizeof(*frame));
+ frame = compat_get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ goto err;
usig = current_thread_info()->exec_domain
&& current_thread_info()->exec_domain->signal_invmap
@@ -210,12 +210,12 @@ int compat_setup_rt_frame(int sig, struc
: sig;
/* Always write at least the signal number for the stack backtracer. */
- if (ka->sa.sa_flags & SA_SIGINFO) {
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
/* At sigreturn time, restore the callee-save registers too. */
- err |= copy_siginfo_to_user32(&frame->info, info);
+ err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
regs->flags |= PT_FLAGS_RESTORE_REGS;
} else {
- err |= __put_user(info->si_signo, &frame->info.si_signo);
+ err |= __put_user(ksig->info.si_signo, &frame->info.si_signo);
}
/* Create the ucontext. */
@@ -226,11 +226,11 @@ int compat_setup_rt_frame(int sig, struc
err |= setup_sigcontext(&frame->uc.uc_mcontext, regs);
err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
if (err)
- goto give_sigsegv;
+ goto err;
restorer = VDSO_SYM(&__vdso_rt_sigreturn);
- if (ka->sa.sa_flags & SA_RESTORER)
- restorer = ptr_to_compat_reg(ka->sa.sa_restorer);
+ if (ksig->ka.sa.sa_flags & SA_RESTORER)
+ restorer = ptr_to_compat_reg(ksig->ka.sa.sa_restorer);
/*
* Set up registers for signal handler.
@@ -239,7 +239,7 @@ int compat_setup_rt_frame(int sig, struc
* We always pass siginfo and mcontext, regardless of SA_SIGINFO,
* since some things rely on this (e.g. glibc's debug/segfault.c).
*/
- regs->pc = ptr_to_compat_reg(ka->sa.sa_handler);
+ regs->pc = ptr_to_compat_reg(ksig->ka.sa.sa_handler);
regs->ex1 = PL_ICS_EX1(USER_PL, 1); /* set crit sec in handler */
regs->sp = ptr_to_compat_reg(frame);
regs->lr = restorer;
@@ -249,7 +249,8 @@ int compat_setup_rt_frame(int sig, struc
regs->flags |= PT_FLAGS_CALLER_SAVES;
return 0;
-give_sigsegv:
- signal_fault("bad setup frame", regs, frame, sig);
+err:
+ trace_unhandled_signal("bad sigreturn frame", regs,
+ (unsigned long)frame, SIGSEGV);
return -EFAULT;
}
--- a/arch/tile/kernel/signal.c
+++ b/arch/tile/kernel/signal.c
@@ -153,18 +153,18 @@ static inline void __user *get_sigframe(
return (void __user *) sp;
}
-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
unsigned long restorer;
struct rt_sigframe __user *frame;
- int err = 0;
+ int err = 0, sig = ksig->sig;
int usig;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ goto err;
usig = current_thread_info()->exec_domain
&& current_thread_info()->exec_domain->signal_invmap
@@ -173,12 +173,12 @@ static int setup_rt_frame(int sig, struc
: sig;
/* Always write at least the signal number for the stack backtracer. */
- if (ka->sa.sa_flags & SA_SIGINFO) {
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
/* At sigreturn time, restore the callee-save registers too. */
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
regs->flags |= PT_FLAGS_RESTORE_REGS;
} else {
- err |= __put_user(info->si_signo, &frame->info.si_signo);
+ err |= __put_user(ksig->info.si_signo, &frame->info.si_signo);
}
/* Create the ucontext. */
@@ -189,11 +189,11 @@ static int setup_rt_frame(int sig, struc
err |= setup_sigcontext(&frame->uc.uc_mcontext, regs);
err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
if (err)
- goto give_sigsegv;
+ goto err;
restorer = VDSO_SYM(&__vdso_rt_sigreturn);
- if (ka->sa.sa_flags & SA_RESTORER)
- restorer = (unsigned long) ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER)
+ restorer = (unsigned long) ksig->ka.sa.sa_restorer;
/*
* Set up registers for signal handler.
@@ -202,7 +202,7 @@ static int setup_rt_frame(int sig, struc
* We always pass siginfo and mcontext, regardless of SA_SIGINFO,
* since some things rely on this (e.g. glibc's debug/segfault.c).
*/
- regs->pc = (unsigned long) ka->sa.sa_handler;
+ regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
regs->ex1 = PL_ICS_EX1(USER_PL, 1); /* set crit sec in handler */
regs->sp = (unsigned long) frame;
regs->lr = restorer;
@@ -212,8 +212,9 @@ static int setup_rt_frame(int sig, struc
regs->flags |= PT_FLAGS_CALLER_SAVES;
return 0;
-give_sigsegv:
- signal_fault("bad setup frame", regs, frame, sig);
+err:
+ trace_unhandled_signal("bad sigreturn frame", regs,
+ (unsigned long)frame, SIGSEGV);
return -EFAULT;
}
@@ -221,9 +222,7 @@ give_sigsegv:
* OK, we're invoking a handler
*/
-static void handle_signal(unsigned long sig, siginfo_t *info,
- struct k_sigaction *ka,
- struct pt_regs *regs)
+static void handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int ret;
@@ -238,7 +237,7 @@ static void handle_signal(unsigned long
break;
case -ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->regs[0] = -EINTR;
break;
}
@@ -254,14 +253,12 @@ static void handle_signal(unsigned long
/* Set up the stack frame */
#ifdef CONFIG_COMPAT
if (is_compat_task())
- ret = compat_setup_rt_frame(sig, ka, info, oldset, regs);
+ ret = compat_setup_rt_frame(ksig, oldset, regs);
else
#endif
- ret = setup_rt_frame(sig, ka, info, oldset, regs);
- if (ret)
- return;
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLESTEP));
+ ret = setup_rt_frame(ksig, oldset, regs);
+
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
}
/*
@@ -271,9 +268,7 @@ static void handle_signal(unsigned long
*/
void do_signal(struct pt_regs *regs)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
/*
* i386 will check if we're coming from kernel mode and bail out
@@ -282,10 +277,9 @@ void do_signal(struct pt_regs *regs)
* helpful, we can reinstate the check on "!user_mode(regs)".
*/
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Whee! Actually deliver the signal. */
- handle_signal(signr, &info, &ka, regs);
+ handle_signal(&ksig, regs);
goto done;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 157/202] netfilter: nf_tables: nft_compat: fix refcount leak on xt module
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (94 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 125/202] powerpc/signal: Properly handle return value from uprobe_deny_signal() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 161/202] netfilter: nf_tables: fix flush after rule deletion in the same batch Ben Hutchings
` (106 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Taehee Yoo, Florian Westphal, Pablo Neira Ayuso
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit b8e9dc1c75714ceb53615743e1036f76e00f5a17 upstream.
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/nft_compat.c | 92 ++++++++++++++++++++++++--------------
1 file changed, 58 insertions(+), 34 deletions(-)
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -26,14 +26,24 @@ struct nft_xt {
struct list_head head;
struct nft_expr_ops ops;
unsigned int refcnt;
+
+ /* Unlike other expressions, ops doesn't have static storage duration.
+ * nft core assumes they do. We use kfree_rcu so that nft core can
+ * can check expr->ops->size even after nft_compat->destroy() frees
+ * the nft_xt struct that holds the ops structure.
+ */
+ struct rcu_head rcu_head;
};
-static void nft_xt_put(struct nft_xt *xt)
+static bool nft_xt_put(struct nft_xt *xt)
{
if (--xt->refcnt == 0) {
list_del(&xt->head);
- kfree(xt);
+ kfree_rcu(xt, rcu_head);
+ return true;
}
+
+ return false;
}
union nft_entry {
@@ -177,6 +187,7 @@ nft_target_init(const struct nft_ctx *ct
struct xt_target *target = expr->ops->data;
struct xt_tgchk_param par;
size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
+ struct nft_xt *nft_xt;
u8 proto = 0;
bool inv = false;
union nft_entry e = {};
@@ -187,25 +198,22 @@ nft_target_init(const struct nft_ctx *ct
if (ctx->nla[NFTA_RULE_COMPAT]) {
ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
if (ret < 0)
- goto err;
+ return ret;
}
nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);
ret = xt_check_target(&par, size, proto, inv);
if (ret < 0)
- goto err;
+ return ret;
/* The standard target cannot be used */
- if (target->target == NULL) {
- ret = -EINVAL;
- goto err;
- }
+ if (!target->target)
+ return -EINVAL;
+ nft_xt = container_of(expr->ops, struct nft_xt, ops);
+ nft_xt->refcnt++;
return 0;
-err:
- module_put(target->me);
- return ret;
}
static void
@@ -222,8 +230,8 @@ nft_target_destroy(const struct nft_ctx
if (par.target->destroy != NULL)
par.target->destroy(&par);
- nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
- module_put(target->me);
+ if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+ module_put(target->me);
}
static int
@@ -383,6 +391,7 @@ nft_match_init(const struct nft_ctx *ctx
struct xt_match *match = expr->ops->data;
struct xt_mtchk_param par;
size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
+ struct nft_xt *nft_xt;
u8 proto = 0;
bool inv = false;
union nft_entry e = {};
@@ -393,19 +402,18 @@ nft_match_init(const struct nft_ctx *ctx
if (ctx->nla[NFTA_RULE_COMPAT]) {
ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
if (ret < 0)
- goto err;
+ return ret;
}
nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);
ret = xt_check_match(&par, size, proto, inv);
if (ret < 0)
- goto err;
+ return ret;
+ nft_xt = container_of(expr->ops, struct nft_xt, ops);
+ nft_xt->refcnt++;
return 0;
-err:
- module_put(match->me);
- return ret;
}
static void
@@ -423,8 +431,8 @@ nft_match_destroy(const struct nft_ctx *
if (par.match->destroy != NULL)
par.match->destroy(&par);
- nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
- module_put(me);
+ if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+ module_put(me);
}
static int
@@ -653,13 +661,8 @@ nft_match_select_ops(const struct nft_ct
list_for_each_entry(nft_match, &nft_match_list, head) {
struct xt_match *match = nft_match->ops.data;
- if (nft_match_cmp(match, mt_name, rev, family)) {
- if (!try_module_get(match->me))
- return ERR_PTR(-ENOENT);
-
- nft_match->refcnt++;
+ if (nft_match_cmp(match, mt_name, rev, family))
return &nft_match->ops;
- }
}
match = xt_request_find_match(family, mt_name, rev);
@@ -671,7 +674,7 @@ nft_match_select_ops(const struct nft_ct
if (nft_match == NULL)
return ERR_PTR(-ENOMEM);
- nft_match->refcnt = 1;
+ nft_match->refcnt = 0;
nft_match->ops.type = &nft_match_type;
nft_match->ops.size = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize) +
nft_compat_match_offset(match));
@@ -728,13 +731,8 @@ nft_target_select_ops(const struct nft_c
list_for_each_entry(nft_target, &nft_target_list, head) {
struct xt_target *target = nft_target->ops.data;
- if (nft_target_cmp(target, tg_name, rev, family)) {
- if (!try_module_get(target->me))
- return ERR_PTR(-ENOENT);
-
- nft_target->refcnt++;
+ if (nft_target_cmp(target, tg_name, rev, family))
return &nft_target->ops;
- }
}
target = xt_request_find_target(family, tg_name, rev);
@@ -746,7 +744,7 @@ nft_target_select_ops(const struct nft_c
if (nft_target == NULL)
return ERR_PTR(-ENOMEM);
- nft_target->refcnt = 1;
+ nft_target->refcnt = 0;
nft_target->ops.type = &nft_target_type;
nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize) +
nft_compat_target_offset(target));
@@ -801,6 +799,32 @@ err_match:
static void __exit nft_compat_module_exit(void)
{
+ struct nft_xt *xt, *next;
+
+ /* list should be empty here, it can be non-empty only in case there
+ * was an error that caused nft_xt expr to not be initialized fully
+ * and noone else requested the same expression later.
+ *
+ * In this case, the lists contain 0-refcount entries that still
+ * hold module reference.
+ */
+ list_for_each_entry_safe(xt, next, &nft_target_list, head) {
+ struct xt_target *target = xt->ops.data;
+
+ if (WARN_ON_ONCE(xt->refcnt))
+ continue;
+ module_put(target->me);
+ kfree(xt);
+ }
+
+ list_for_each_entry_safe(xt, next, &nft_match_list, head) {
+ struct xt_match *match = xt->ops.data;
+
+ if (WARN_ON_ONCE(xt->refcnt))
+ continue;
+ module_put(match->me);
+ kfree(xt);
+ }
nfnetlink_subsys_unregister(&nfnl_compat_subsys);
nft_unregister_expr(&nft_target_type);
nft_unregister_expr(&nft_match_type);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 179/202] net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (33 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 131/202] unicore32: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 012/202] USB: storage: add quirk for SMI SM3350 Ben Hutchings
` (167 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Hulk Robot, David S. Miller, YueHaibing
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: YueHaibing <yuehaibing@huawei.com>
commit 58bdd544e2933a21a51eecf17c3f5f94038261b5 upstream.
KASAN report this:
BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc]
Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401
CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xfa/0x1ce lib/dump_stack.c:113
kasan_report+0x171/0x18d mm/kasan/report.c:321
memcpy+0x1f/0x50 mm/kasan/common.c:130
nfc_llcp_build_gb+0x37f/0x540 [nfc]
nfc_llcp_register_device+0x6eb/0xb50 [nfc]
nfc_register_device+0x50/0x1d0 [nfc]
nfcsim_device_new+0x394/0x67d [nfcsim]
? 0xffffffffc1080000
nfcsim_init+0x6b/0x1000 [nfcsim]
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
nfc_llcp_build_tlv will return NULL on fails, caller should check it,
otherwise will trigger a NULL dereference.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: eda21f16a5ed ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames")
Fixes: d646960f7986 ("NFC: Initial LLCP support")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/nfc/llcp_commands.c | 20 ++++++++++++++++++++
net/nfc/llcp_core.c | 24 ++++++++++++++++++++----
2 files changed, 40 insertions(+), 4 deletions(-)
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -418,6 +418,10 @@ int nfc_llcp_send_connect(struct nfc_llc
sock->service_name,
sock->service_name_len,
&service_name_tlv_length);
+ if (!service_name_tlv) {
+ err = -ENOMEM;
+ goto error_tlv;
+ }
size += service_name_tlv_length;
}
@@ -428,9 +432,17 @@ int nfc_llcp_send_connect(struct nfc_llc
miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
&miux_tlv_length);
+ if (!miux_tlv) {
+ err = -ENOMEM;
+ goto error_tlv;
+ }
size += miux_tlv_length;
rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
+ if (!rw_tlv) {
+ err = -ENOMEM;
+ goto error_tlv;
+ }
size += rw_tlv_length;
pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len);
@@ -484,9 +496,17 @@ int nfc_llcp_send_cc(struct nfc_llcp_soc
miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
&miux_tlv_length);
+ if (!miux_tlv) {
+ err = -ENOMEM;
+ goto error_tlv;
+ }
size += miux_tlv_length;
rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
+ if (!rw_tlv) {
+ err = -ENOMEM;
+ goto error_tlv;
+ }
size += rw_tlv_length;
skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size);
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -531,10 +531,10 @@ static u8 nfc_llcp_reserve_sdp_ssap(stru
static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
{
- u8 *gb_cur, *version_tlv, version, version_length;
- u8 *lto_tlv, lto_length;
- u8 *wks_tlv, wks_length;
- u8 *miux_tlv, miux_length;
+ u8 *gb_cur, version, version_length;
+ u8 lto_length, wks_length, miux_length;
+ u8 *version_tlv = NULL, *lto_tlv = NULL,
+ *wks_tlv = NULL, *miux_tlv = NULL;
__be16 wks = cpu_to_be16(local->local_wks);
u8 gb_len = 0;
int ret = 0;
@@ -542,17 +542,33 @@ static int nfc_llcp_build_gb(struct nfc_
version = LLCP_VERSION_11;
version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
1, &version_length);
+ if (!version_tlv) {
+ ret = -ENOMEM;
+ goto out;
+ }
gb_len += version_length;
lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, <o_length);
+ if (!lto_tlv) {
+ ret = -ENOMEM;
+ goto out;
+ }
gb_len += lto_length;
pr_debug("Local wks 0x%lx\n", local->local_wks);
wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length);
+ if (!wks_tlv) {
+ ret = -ENOMEM;
+ goto out;
+ }
gb_len += wks_length;
miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
&miux_length);
+ if (!miux_tlv) {
+ ret = -ENOMEM;
+ goto out;
+ }
gb_len += miux_length;
gb_len += ARRAY_SIZE(llcp_magic);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 194/202] brcmfmac: make brcmf_proto_hdrpull() return struct brcmf_if instance
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (177 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 200/202] binfmt_elf: switch to new creds when switching to new mm Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 105/202] Input: bma150 - register input device after setting private data Ben Hutchings
` (23 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Arend van Spriel, Pieter-Paul Giesberts,
Franky (Zhenhui) Lin, Kalle Valo, Hante Meuleman
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arend van Spriel <arend@broadcom.com>
commit 796cfb65e3ed01a9b08e3a0b93e34120c54bbbd2 upstream.
Avoid spreading the ifidx in the driver, but have it return the
struct brcmf_if instance.
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
- Drop changes to PCIe bus support
- Adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c
@@ -272,11 +272,11 @@ brcmf_proto_bcdc_hdrpush(struct brcmf_pu
}
static int
-brcmf_proto_bcdc_hdrpull(struct brcmf_pub *drvr, bool do_fws, u8 *ifidx,
- struct sk_buff *pktbuf)
+brcmf_proto_bcdc_hdrpull(struct brcmf_pub *drvr, bool do_fws,
+ struct sk_buff *pktbuf, struct brcmf_if **ifp)
{
struct brcmf_proto_bcdc_header *h;
- struct brcmf_if *ifp;
+ struct brcmf_if *tmp_if;
brcmf_dbg(BCDC, "Enter\n");
@@ -290,21 +290,21 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu
trace_brcmf_bcdchdr(pktbuf->data);
h = (struct brcmf_proto_bcdc_header *)(pktbuf->data);
- ifp = brcmf_get_ifp(drvr, BCDC_GET_IF_IDX(h));
- if (IS_ERR_OR_NULL(ifp)) {
+ tmp_if = brcmf_get_ifp(drvr, BCDC_GET_IF_IDX(h));
+ if (!tmp_if) {
brcmf_dbg(INFO, "no matching ifp found\n");
return -EBADE;
}
if (((h->flags & BCDC_FLAG_VER_MASK) >> BCDC_FLAG_VER_SHIFT) !=
BCDC_PROTO_VER) {
brcmf_err("%s: non-BCDC packet received, flags 0x%x\n",
- brcmf_ifname(drvr, ifp->ifidx), h->flags);
+ brcmf_ifname(drvr, tmp_if->ifidx), h->flags);
return -EBADE;
}
if (h->flags & BCDC_FLAG_SUM_GOOD) {
brcmf_dbg(BCDC, "%s: BDC rcv, good checksum, flags 0x%x\n",
- brcmf_ifname(drvr, ifp->ifidx), h->flags);
+ brcmf_ifname(drvr, tmp_if->ifidx), h->flags);
pktbuf->ip_summed = CHECKSUM_UNNECESSARY;
}
@@ -312,7 +312,7 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu
skb_pull(pktbuf, BCDC_HEADER_LEN);
if (do_fws)
- brcmf_fws_hdrpull(drvr, ifp->ifidx, h->data_offset << 2,
+ brcmf_fws_hdrpull(drvr, tmp_if->ifidx, h->data_offset << 2,
pktbuf);
else
skb_pull(pktbuf, h->data_offset << 2);
@@ -320,7 +320,7 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu
if (pktbuf->len == 0)
return -ENODATA;
- *ifidx = ifp->ifidx;
+ *ifp = tmp_if;
return 0;
}
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
@@ -85,7 +85,7 @@ struct brcmf_if *brcmf_get_ifp(struct br
{
if (ifidx < 0 || ifidx >= BRCMF_MAX_IFS) {
brcmf_err("ifidx %d out of range\n", ifidx);
- return ERR_PTR(-ERANGE);
+ return NULL;
}
/* The ifidx is the idx to map to matching netdev/ifp. When receiving
@@ -537,17 +537,15 @@ void brcmf_rx_frame(struct device *dev,
struct brcmf_bus *bus_if = dev_get_drvdata(dev);
struct brcmf_pub *drvr = bus_if->drvr;
struct brcmf_skb_reorder_data *rd;
- u8 ifidx;
int ret;
brcmf_dbg(DATA, "Enter: %s: rxp=%p\n", dev_name(dev), skb);
/* process and remove protocol-specific header */
- ret = brcmf_proto_hdrpull(drvr, true, &ifidx, skb);
- ifp = drvr->iflist[ifidx];
+ ret = brcmf_proto_hdrpull(drvr, true, skb, &ifp);
if (ret || !ifp || !ifp->ndev) {
- if ((ret != -ENODATA) && ifp)
+ if (ret != -ENODATA && ifp)
ifp->stats.rx_errors++;
brcmu_pkt_buf_free_skb(skb);
return;
@@ -590,17 +588,17 @@ void brcmf_txcomplete(struct device *dev
{
struct brcmf_bus *bus_if = dev_get_drvdata(dev);
struct brcmf_pub *drvr = bus_if->drvr;
- u8 ifidx;
+ struct brcmf_if *ifp;
/* await txstatus signal for firmware if active */
if (brcmf_fws_fc_active(drvr->fws)) {
if (!success)
brcmf_fws_bustxfail(drvr->fws, txp);
} else {
- if (brcmf_proto_hdrpull(drvr, false, &ifidx, txp))
+ if (brcmf_proto_hdrpull(drvr, false, txp, &ifp))
brcmu_pkt_buf_free_skb(txp);
else
- brcmf_txfinalize(drvr, txp, ifidx, success);
+ brcmf_txfinalize(drvr, txp, ifp->ifidx, success);
}
}
--- a/drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c
@@ -1420,7 +1420,7 @@ brcmf_fws_txs_process(struct brcmf_fws_i
struct sk_buff *skb;
struct brcmf_skbuff_cb *skcb;
struct brcmf_fws_mac_descriptor *entry = NULL;
- u8 ifidx;
+ struct brcmf_if *ifp;
brcmf_dbg(DATA, "flags %d\n", flags);
@@ -1469,15 +1469,16 @@ brcmf_fws_txs_process(struct brcmf_fws_i
}
brcmf_fws_macdesc_return_req_credit(skb);
- if (brcmf_proto_hdrpull(fws->drvr, false, &ifidx, skb)) {
+ ret = brcmf_proto_hdrpull(fws->drvr, false, skb, &ifp);
+ if (ret) {
brcmu_pkt_buf_free_skb(skb);
return -EINVAL;
}
if (!remove_from_hanger)
- ret = brcmf_fws_txstatus_suppressed(fws, fifo, skb, ifidx,
+ ret = brcmf_fws_txstatus_suppressed(fws, fifo, skb, ifp->ifidx,
genbit, seq);
if (remove_from_hanger || ret)
- brcmf_txfinalize(fws->drvr, skb, ifidx, true);
+ brcmf_txfinalize(fws->drvr, skb, ifp->ifidx, true);
return 0;
}
@@ -1820,7 +1821,7 @@ static int brcmf_fws_commit_skb(struct b
entry->transit_count--;
if (entry->suppressed)
entry->suppr_transit_count--;
- brcmf_proto_hdrpull(fws->drvr, false, &ifidx, skb);
+ (void)brcmf_proto_hdrpull(fws->drvr, false, skb, NULL);
goto rollback;
}
--- a/drivers/net/wireless/brcm80211/brcmfmac/proto.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/proto.h
@@ -17,8 +17,8 @@
#define BRCMFMAC_PROTO_H
struct brcmf_proto {
- int (*hdrpull)(struct brcmf_pub *drvr, bool do_fws, u8 *ifidx,
- struct sk_buff *skb);
+ int (*hdrpull)(struct brcmf_pub *drvr, bool do_fws,
+ struct sk_buff *skb, struct brcmf_if **ifp);
int (*query_dcmd)(struct brcmf_pub *drvr, int ifidx, uint cmd,
void *buf, uint len);
int (*set_dcmd)(struct brcmf_pub *drvr, int ifidx, uint cmd, void *buf,
@@ -33,9 +33,19 @@ int brcmf_proto_attach(struct brcmf_pub
void brcmf_proto_detach(struct brcmf_pub *drvr);
static inline int brcmf_proto_hdrpull(struct brcmf_pub *drvr, bool do_fws,
- u8 *ifidx, struct sk_buff *skb)
+ struct sk_buff *skb,
+ struct brcmf_if **ifp)
{
- return drvr->proto->hdrpull(drvr, do_fws, ifidx, skb);
+ struct brcmf_if *tmp = NULL;
+
+ /* assure protocol is always called with
+ * non-null initialized pointer.
+ */
+ if (ifp)
+ *ifp = NULL;
+ else
+ ifp = &tmp;
+ return drvr->proto->hdrpull(drvr, do_fws, skb, ifp);
}
static inline int brcmf_proto_query_dcmd(struct brcmf_pub *drvr, int ifidx,
uint cmd, void *buf, uint len)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 189/202] vfio/type1: Limit DMA mappings per container
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (193 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 175/202] mmc: tmio_mmc_core: don't claim spurious interrupts Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 150/202] net/packet: fix 4gb buffer limit due to overflow check Ben Hutchings
` (7 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Alex Williamson, Peter Xu, Cornelia Huck,
Eric Auger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@redhat.com>
commit 492855939bdb59c6f947b0b5b44af9ad82b7e38c upstream.
Memory backed DMA mappings are accounted against a user's locked
memory limit, including multiple mappings of the same memory. This
accounting bounds the number of such mappings that a user can create.
However, DMA mappings that are not backed by memory, such as DMA
mappings of device MMIO via mmaps, do not make use of page pinning
and therefore do not count against the user's locked memory limit.
These mappings still consume memory, but the memory is not well
associated to the process for the purpose of oom killing a task.
To add bounding on this use case, we introduce a limit to the total
number of concurrent DMA mappings that a user is allowed to create.
This limit is exposed as a tunable module option where the default
value of 64K is expected to be well in excess of any reasonable use
case (a large virtual machine configuration would typically only make
use of tens of concurrent mappings).
This fixes CVE-2019-3882.
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
[bwh: Backported to 3.16:
- Add the out_unlock label in vfio_dma_do_map()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -53,10 +53,16 @@ module_param_named(disable_hugepages,
MODULE_PARM_DESC(disable_hugepages,
"Disable VFIO IOMMU support for IOMMU hugepages.");
+static unsigned int dma_entry_limit __read_mostly = U16_MAX;
+module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644);
+MODULE_PARM_DESC(dma_entry_limit,
+ "Maximum number of user DMA mappings per container (65535).");
+
struct vfio_iommu {
struct list_head domain_list;
struct mutex lock;
struct rb_root dma_list;
+ unsigned int dma_avail;
bool v2;
};
@@ -364,6 +370,7 @@ static void vfio_remove_dma(struct vfio_
vfio_unmap_unpin(iommu, dma);
vfio_unlink_dma(iommu, dma);
kfree(dma);
+ iommu->dma_avail++;
}
static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu)
@@ -549,12 +556,18 @@ static int vfio_dma_do_map(struct vfio_i
return -EEXIST;
}
+ if (!iommu->dma_avail) {
+ ret = -ENOSPC;
+ goto out_unlock;
+ }
+
dma = kzalloc(sizeof(*dma), GFP_KERNEL);
if (!dma) {
mutex_unlock(&iommu->lock);
return -ENOMEM;
}
+ iommu->dma_avail--;
dma->iova = iova;
dma->vaddr = vaddr;
dma->prot = prot;
@@ -586,6 +599,7 @@ static int vfio_dma_do_map(struct vfio_i
if (ret)
vfio_remove_dma(iommu, dma);
+out_unlock:
mutex_unlock(&iommu->lock);
return ret;
}
@@ -816,6 +830,7 @@ static void *vfio_iommu_type1_open(unsig
INIT_LIST_HEAD(&iommu->domain_list);
iommu->dma_list = RB_ROOT;
+ iommu->dma_avail = dma_entry_limit;
mutex_init(&iommu->lock);
iommu->v2 = (arg == VFIO_TYPE1v2_IOMMU);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 099/202] MIPS: Remove function size check in get_frame_info()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (70 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 147/202] net: fix IPv6 prefix route residue Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 185/202] [media] media: em28xx-dvb - fix em28xx_dvb_resume() to not unregister i2c and dvb Ben Hutchings
` (130 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, yamada.masahiro, linux-mips, peterz, mingo,
jhogan, Paul Burton, Tony Wu, ralf, macro, Jun-Ru Chang
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jun-Ru Chang <jrjang@realtek.com>
commit 2b424cfc69728224fcb5fad138ea7260728e0901 upstream.
Patch (b6c7a324df37b "MIPS: Fix get_frame_info() handling of
microMIPS function size.") introduces additional function size
check for microMIPS by only checking insn between ip and ip + func_size.
However, func_size in get_frame_info() is always 0 if KALLSYMS is not
enabled. This causes get_frame_info() to return immediately without
calculating correct frame_size, which in turn causes "Can't analyze
schedule() prologue" warning messages at boot time.
This patch removes func_size check, and let the frame_size check run
up to 128 insns for both MIPS and microMIPS.
Signed-off-by: Jun-Ru Chang <jrjang@realtek.com>
Signed-off-by: Tony Wu <tonywu@realtek.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: b6c7a324df37b ("MIPS: Fix get_frame_info() handling of microMIPS function size.")
Cc: <ralf@linux-mips.org>
Cc: <jhogan@kernel.org>
Cc: <macro@mips.com>
Cc: <yamada.masahiro@socionext.com>
Cc: <peterz@infradead.org>
Cc: <mingo@kernel.org>
Cc: <linux-mips@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/process.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -373,7 +373,7 @@ static inline int is_sp_move_ins(union m
static int get_frame_info(struct mips_frame_info *info)
{
bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
- union mips_instruction insn, *ip, *ip_end;
+ union mips_instruction insn, *ip;
const unsigned int max_insns = 128;
unsigned int last_insn_size = 0;
unsigned int i;
@@ -385,10 +385,9 @@ static int get_frame_info(struct mips_fr
if (!ip)
goto err;
- ip_end = (void *)ip + info->func_size;
-
- for (i = 0; i < max_insns && ip < ip_end; i++) {
+ for (i = 0; i < max_insns; i++) {
ip = (void *)ip + last_insn_size;
+
if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
insn.word = ip->halfword[0] << 16;
last_insn_size = 2;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 201/202] apparmor: provide userspace flag indicating binfmt_elf_mmap change
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (20 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 019/202] packet: Do not leak dev refcounts on error exit Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 069/202] kallsyms: Handle too long symbols in kallsyms.c Ben Hutchings
` (180 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, John Johansen
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit 34c426acb75cc21bdf84685e106db0c1a3565057 upstream.
Commit 9f834ec18def ("binfmt_elf: switch to new creds when switching to new mm")
changed when the creds are installed by the binfmt_elf handler. This
affects which creds are used to mmap the executable into the address
space. Which can have an affect on apparmor policy.
Add a flag to apparmor at
/sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap
to make it possible to detect this semantic change so that the userspace
tools and the regression test suite can correctly deal with the change.
BugLink: http://bugs.launchpad.net/bugs/1630069
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/apparmor/apparmorfs.c | 1 +
1 file changed, 1 insertion(+)
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -794,6 +794,7 @@ static struct aa_fs_entry aa_fs_entry_do
AA_FS_FILE_BOOLEAN("change_hatv", 1),
AA_FS_FILE_BOOLEAN("change_onexec", 1),
AA_FS_FILE_BOOLEAN("change_profile", 1),
+ AA_FS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1),
{ }
};
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 170/202] KEYS: restrict /proc/keys by credentials at open time
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (67 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 167/202] tmpfs: fix link accounting when a tmpfile is linked in Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 054/202] tty/n_hdlc: fix __might_sleep warning Ben Hutchings
` (133 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Eric Biggers, David Howells
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 4aa68e07d845562561f5e73c04aa521376e95252 upstream.
When checking for permission to view keys whilst reading from
/proc/keys, we should use the credentials with which the /proc/keys file
was opened. This is because, in a classic type of exploit, it can be
possible to bypass checks for the *current* credentials by passing the
file descriptor to a suid program.
Following commit 34dbbcdbf633 ("Make file credentials available to the
seqfile interfaces") we can finally fix it. So let's do it.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/proc.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -193,7 +193,7 @@ static int proc_keys_show(struct seq_fil
struct keyring_search_context ctx = {
.index_key.type = key->type,
.index_key.description = key->description,
- .cred = current_cred(),
+ .cred = m->file->f_cred,
.match = lookup_user_key_possessed,
.match_data = key,
.flags = (KEYRING_SEARCH_NO_STATE_CHECK |
@@ -213,11 +213,7 @@ static int proc_keys_show(struct seq_fil
}
}
- /* check whether the current task is allowed to view the key (assuming
- * non-possession)
- * - the caller holds a spinlock, and thus the RCU read lock, making our
- * access to __current_cred() safe
- */
+ /* check whether the current task is allowed to view the key */
rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
if (rc < 0)
return 0;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 177/202] tmpfs: fix uninitialized return value in shmem_link
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (140 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 073/202] scsi: bnx2fc: Fix error handling in probe() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 004/202] mfd: ab8500-core: Return zero in get_register_interruptible() Ben Hutchings
` (60 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Al Viro, Hugh Dickins, Darrick J. Wong,
Matej Kupljen, Dan Carpenter, Linus Torvalds
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Darrick J. Wong" <darrick.wong@oracle.com>
commit 29b00e609960ae0fcff382f4c7079dd0874a5311 upstream.
When we made the shmem_reserve_inode call in shmem_link conditional, we
forgot to update the declaration for ret so that it always has a known
value. Dan Carpenter pointed out this deficiency in the original patch.
Fixes: 1062af920c07 ("tmpfs: fix link accounting when a tmpfile is linked in")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Matej Kupljen <matej.kupljen@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/shmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2007,7 +2007,7 @@ static int shmem_create(struct inode *di
static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry)
{
struct inode *inode = old_dentry->d_inode;
- int ret;
+ int ret = 0;
/*
* No ordinary (disk based) filesystem counts links as inodes;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 025/202] drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (150 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 182/202] netlabel: fix out-of-bounds memory accesses Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 129/202] tile: Use get_signal() signal_setup_done() Ben Hutchings
` (50 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Daniel Vetter, Ivan Mironov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Mironov <mironov.ivan@gmail.com>
commit 66a8d5bfb518f9f12d47e1d2dce1732279f9451e upstream.
Strict requirement of pixclock to be zero breaks support of SDL 1.2
which contains hardcoded table of supported video modes with non-zero
pixclock values[1].
To better understand which pixclock values are considered valid and how
driver should handle these values, I briefly examined few existing fbdev
drivers and documentation in Documentation/fb/. And it looks like there
are no strict rules on that and actual behaviour varies:
* some drivers treat (pixclock == 0) as "use defaults" (uvesafb.c);
* some treat (pixclock == 0) as invalid value which leads to
-EINVAL (clps711x-fb.c);
* some pass converted pixclock value to hardware (uvesafb.c);
* some are trying to find nearest value from predefined table
(vga16fb.c, video_gx.c).
Given this, I believe that it should be safe to just ignore this value if
changing is not supported. It seems that any portable fbdev application
which was not written only for one specific device working under one
specific kernel version should not rely on any particular behaviour of
pixclock anyway.
However, while enabling SDL1 applications to work out of the box when
there is no /etc/fb.modes with valid settings, this change affects the
video mode choosing logic in SDL. Depending on current screen
resolution, contents of /etc/fb.modes and resolution requested by
application, this may lead to user-visible difference (not always):
image will be displayed in a right way, but it will be aligned to the
left instead of center. There is no "right behaviour" here as well, as
emulated fbdev, opposing to old fbdev drivers, simply ignores any
requsts of video mode changes with resolutions smaller than current.
The easiest way to reproduce this problem is to install sdl-sopwith[2],
remove /etc/fb.modes file if it exists, and then try to run sopwith
from console without X. At least in Fedora 29, sopwith may be simply
installed from standard repositories.
[1] SDL 1.2.15 source code, src/video/fbcon/SDL_fbvideo.c, vesa_timings
[2] http://sdl-sopwith.sourceforge.net/
Signed-off-by: Ivan Mironov <mironov.ivan@gmail.com>
Fixes: 79e539453b34e ("DRM: i915: add mode setting support")
Fixes: 771fe6b912fca ("drm/radeon: introduce kernel modesetting for radeon hardware")
Fixes: 785b93ef8c309 ("drm/kms: move driver specific fb common code to helper functions (v2)")
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20190108072353.28078-3-mironov.ivan@gmail.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/drm_fb_helper.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -838,9 +838,14 @@ int drm_fb_helper_check_var(struct fb_va
struct drm_fb_helper *fb_helper = info->par;
struct drm_framebuffer *fb = fb_helper->fb;
- if (var->pixclock != 0 || in_dbg_master())
+ if (in_dbg_master())
return -EINVAL;
+ if (var->pixclock != 0) {
+ DRM_DEBUG("fbdev emulation doesn't support changing the pixel clock, value of pixclock is ignored\n");
+ var->pixclock = 0;
+ }
+
/* Need to resize the fb object !!! */
if (var->bits_per_pixel > fb->bits_per_pixel ||
var->xres > fb->width || var->yres > fb->height ||
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 034/202] s390/early: improve machine detection
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (189 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 070/202] usb: gadget: udc: net2272: Fix bitwise and boolean operations Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 149/202] batman-adv: fix uninit-value in batadv_interface_tx() Ben Hutchings
` (11 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Martin Schwidefsky, Heiko Carstens,
Christian Borntraeger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christian Borntraeger <borntraeger@de.ibm.com>
commit 03aa047ef2db4985e444af6ee1c1dd084ad9fb4c upstream.
Right now the early machine detection code check stsi 3.2.2 for "KVM"
and set MACHINE_IS_VM if this is different. As the console detection
uses diagnose 8 if MACHINE_IS_VM returns true this will crash Linux
early for any non z/VM system that sets a different value than KVM.
So instead of assuming z/VM, do not set any of MACHINE_IS_LPAR,
MACHINE_IS_VM, or MACHINE_IS_KVM.
Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/s390/kernel/early.c | 4 ++--
arch/s390/kernel/setup.c | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/arch/s390/kernel/early.c
+++ b/arch/s390/kernel/early.c
@@ -232,10 +232,10 @@ static noinline __init void detect_machi
if (stsi(vmms, 3, 2, 2) || !vmms->count)
return;
- /* Running under KVM? If not we assume z/VM */
+ /* Detect known hypervisors */
if (!memcmp(vmms->vm[0].cpi, "\xd2\xe5\xd4", 3))
S390_lowcore.machine_flags |= MACHINE_FLAG_KVM;
- else
+ else if (!memcmp(vmms->vm[0].cpi, "\xa9\x61\xe5\xd4", 4))
S390_lowcore.machine_flags |= MACHINE_FLAG_VM;
}
--- a/arch/s390/kernel/setup.c
+++ b/arch/s390/kernel/setup.c
@@ -831,6 +831,8 @@ void __init setup_arch(char **cmdline_p)
pr_info("Linux is running under KVM in 64-bit mode\n");
else if (MACHINE_IS_LPAR)
pr_info("Linux is running natively in 64-bit mode\n");
+ else
+ pr_info("Linux is running as a guest in 64-bit mode\n");
#endif /* CONFIG_64BIT */
/* Have one command line that is parsed and saved in /proc/cmdline */
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 053/202] uart: Fix crash in uart_write and uart_put_char
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (9 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 086/202] dmaengine: imx-dma: fix wrong callback invoke Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 007/202] ALSA: usb-audio: Always check descriptor sizes in parser code Ben Hutchings
` (191 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Samir Virmani, Tycho Andersen
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Samir Virmani <samir@embedur.com>
commit aff9cf5955185d1f183227e46c5f8673fa483813 upstream.
We were experiencing a crash similar to the one reported as part of
commit:a5ba1d95e46e ("uart: fix race between uart_put_char() and
uart_shutdown()") in our testbed as well. We continue to observe the same
crash after integrating the commit a5ba1d95e46e ("uart: fix race between
uart_put_char() and uart_shutdown()")
On reviewing the change, the port lock should be taken prior to checking for
if (!circ->buf) in fn. __uart_put_char and other fns. that update the buffer
uart_state->xmit.
Traceback:
[11/27/2018 06:24:32.4870] Unable to handle kernel NULL pointer dereference
at virtual address 0000003b
[11/27/2018 06:24:32.4950] PC is at memcpy+0x48/0x180
[11/27/2018 06:24:32.4950] LR is at uart_write+0x74/0x120
[11/27/2018 06:24:32.4950] pc : [<ffffffc0002e6808>]
lr : [<ffffffc0003747cc>] pstate: 000001c5
[11/27/2018 06:24:32.4950] sp : ffffffc076433d30
[11/27/2018 06:24:32.4950] x29: ffffffc076433d30 x28: 0000000000000140
[11/27/2018 06:24:32.4950] x27: ffffffc0009b9d5e x26: ffffffc07ce36580
[11/27/2018 06:24:32.4950] x25: 0000000000000000 x24: 0000000000000140
[11/27/2018 06:24:32.4950] x23: ffffffc000891200 x22: ffffffc01fc34000
[11/27/2018 06:24:32.4950] x21: 0000000000000fff x20: 0000000000000076
[11/27/2018 06:24:32.4950] x19: 0000000000000076 x18: 0000000000000000
[11/27/2018 06:24:32.4950] x17: 000000000047cf08 x16: ffffffc000099e68
[11/27/2018 06:24:32.4950] x15: 0000000000000018 x14: 776d726966205948
[11/27/2018 06:24:32.4950] x13: 50203a6c6974755f x12: 74647075205d3333
[11/27/2018 06:24:32.4950] x11: 3a35323a36203831 x10: 30322f37322f3131
[11/27/2018 06:24:32.4950] x9 : 5b205d303638342e x8 : 746164206f742070
[11/27/2018 06:24:32.4950] x7 : 7520736920657261 x6 : 000000000000003b
[11/27/2018 06:24:32.4950] x5 : 000000000000817a x4 : 0000000000000008
[11/27/2018 06:24:32.4950] x3 : 2f37322f31312a5b x2 : 000000000000006e
[11/27/2018 06:24:32.4950] x1 : ffffffc0009b9cf0 x0 : 000000000000003b
[11/27/2018 06:24:32.4950] CPU2: stopping
[11/27/2018 06:24:32.4950] CPU: 2 PID: 0 Comm: swapper/2 Tainted: P D O 4.1.51 #3
[11/27/2018 06:24:32.4950] Hardware name: Broadcom-v8A (DT)
[11/27/2018 06:24:32.4950] Call trace:
[11/27/2018 06:24:32.4950] [<ffffffc0000883b8>] dump_backtrace+0x0/0x150
[11/27/2018 06:24:32.4950] [<ffffffc00008851c>] show_stack+0x14/0x20
[11/27/2018 06:24:32.4950] [<ffffffc0005ee810>] dump_stack+0x90/0xb0
[11/27/2018 06:24:32.4950] [<ffffffc00008e844>] handle_IPI+0x18c/0x1a0
[11/27/2018 06:24:32.4950] [<ffffffc000080c68>] gic_handle_irq+0x88/0x90
Fixes: a5ba1d95e46e ("uart: fix race between uart_put_char() and uart_shutdown()")
Signed-off-by: Samir Virmani <samir@embedur.com>
Acked-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- Keep open-coding uart_port_lock()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/serial/serial_core.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -480,10 +480,12 @@ static inline int __uart_put_char(struct
unsigned long flags;
int ret = 0;
- if (!circ->buf)
+ spin_lock_irqsave(&port->lock, flags);
+ if (!circ->buf) {
+ spin_unlock_irqrestore(&port->lock, flags);
return 0;
+ }
- spin_lock_irqsave(&port->lock, flags);
if (uart_circ_chars_free(circ) != 0) {
circ->buf[circ->head] = c;
circ->head = (circ->head + 1) & (UART_XMIT_SIZE - 1);
@@ -524,12 +526,14 @@ static int uart_write(struct tty_struct
}
port = state->uart_port;
+ spin_lock_irqsave(&port->lock, flags);
circ = &state->xmit;
- if (!circ->buf)
+ if (!circ->buf) {
+ spin_unlock_irqrestore(&port->lock, flags);
return 0;
+ }
- spin_lock_irqsave(&port->lock, flags);
while (1) {
c = CIRC_SPACE_TO_END(circ->head, circ->tail, UART_XMIT_SIZE);
if (count < c)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 052/202] net: bridge: Fix ethernet header pointer before check skb forwardable
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 111/202] c6x: Use get_signal() signal_setup_done() Ben Hutchings
` (201 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, bridge, David S. Miller,
Nkolay Aleksandrov, Roopa Prabhu, Yunjian Wang,
Stephen Hemminger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yunjian Wang <wangyunjian@huawei.com>
commit 28c1382fa28f2e2d9d0d6f25ae879b5af2ecbd03 upstream.
The skb header should be set to ethernet header before using
is_skb_forwardable. Because the ethernet header length has been
considered in is_skb_forwardable(including dev->hard_header_len
length).
To reproduce the issue:
1, add 2 ports on linux bridge br using following commands:
$ brctl addbr br
$ brctl addif br eth0
$ brctl addif br eth1
2, the MTU of eth0 and eth1 is 1500
3, send a packet(Data 1480, UDP 8, IP 20, Ethernet 14, VLAN 4)
from eth0 to eth1
So the expect result is packet larger than 1500 cannot pass through
eth0 and eth1. But currently, the packet passes through success, it
means eth1's MTU limit doesn't take effect.
Fixes: f6367b4660dd ("bridge: use is_skb_forwardable in forward path")
Cc: bridge@lists.linux-foundation.org
Cc: Nkolay Aleksandrov <nikolay@cumulusnetworks.com>
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- br_dev_queue_push_xmit() has to call nf_bridge_maybe_copy_header()
before pushing the Ethernet header
- adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -38,16 +38,21 @@ static inline int should_deliver(const s
int br_dev_queue_push_xmit(struct sk_buff *skb)
{
/* ip_fragment doesn't copy the MAC header */
- if (nf_bridge_maybe_copy_header(skb) ||
- !is_skb_forwardable(skb->dev, skb)) {
- kfree_skb(skb);
- } else {
- skb_push(skb, ETH_HLEN);
- br_drop_fake_rtable(skb);
- dev_queue_xmit(skb);
- }
+ if (nf_bridge_maybe_copy_header(skb))
+ goto drop;
+
+ skb_push(skb, ETH_HLEN);
+ if (!is_skb_forwardable(skb->dev, skb))
+ goto drop;
+
+ br_drop_fake_rtable(skb);
+ dev_queue_xmit(skb);
return 0;
+
+drop:
+ kfree_skb(skb);
+ return 0;
}
int br_forward_finish(struct sk_buff *skb)
@@ -66,12 +71,11 @@ static void __br_deliver(const struct ne
skb->dev = to->dev;
if (unlikely(netpoll_tx_running(to->br->dev))) {
+ skb_push(skb, ETH_HLEN);
if (!is_skb_forwardable(skb->dev, skb))
kfree_skb(skb);
- else {
- skb_push(skb, ETH_HLEN);
+ else
br_netpoll_send_skb(to, skb);
- }
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 040/202] net/phy: micrel: configure intterupts after autoneg workaround
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (136 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 109/202] avr32: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 160/202] i2c: cadence: Fix the hold bit setting Ben Hutchings
` (64 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Andrew Lunn, Florian Fainelli, Zach Brown,
David S. Miller
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zach Brown <zach.brown@ni.com>
commit b866203d872d5deeafcecd25ea429d6748b5bd56 upstream.
The commit ("net/phy: micrel: Add workaround for bad autoneg") fixes an
autoneg failure case by resetting the hardware. This turns off
intterupts. Things will work themselves out if the phy polls, as it will
figure out it's state during a poll. However if the phy uses only
intterupts, the phy will stall, since interrupts are off. This patch
fixes the issue by calling config_intr after resetting the phy.
Fixes: d2fd719bcb0e ("net/phy: micrel: Add workaround for bad autoneg ")
Signed-off-by: Zach Brown <zach.brown@ni.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/phy/micrel.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -431,6 +431,8 @@ static int ksz9031_read_status(struct ph
if ((regval & 0xFF) == 0xFF) {
phy_init_hw(phydev);
phydev->link = 0;
+ if (phydev->drv->config_intr && phy_interrupt_is_valid(phydev))
+ phydev->drv->config_intr(phydev);
}
return 0;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 166/202] net: stmmac: Fix a race in EEE enable callback
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (126 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 108/202] arm64: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 132/202] unicore32: Fix build error Ben Hutchings
` (74 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Jose Abreu, Alexandre Torgue, Joao Pinto,
Giuseppe Cavallaro, David S. Miller, Jose Abreu
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jose Abreu <jose.abreu@synopsys.com>
commit 8a7493e58ad688eb23b81e45461c5d314f4402f1 upstream.
We are saving the status of EEE even before we try to enable it. This
leads to a race with XMIT function that tries to arm EEE timer before we
set it up.
Fix this by only saving the EEE parameters after all operations are
performed with success.
Signed-off-by: Jose Abreu <joabreu@synopsys.com>
Fixes: d765955d2ae0 ("stmmac: add the Energy Efficient Ethernet support")
Cc: Joao Pinto <jpinto@synopsys.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Cc: Alexandre Torgue <alexandre.torgue@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
.../ethernet/stmicro/stmmac/stmmac_ethtool.c | 22 ++++++++++---------
1 file changed, 12 insertions(+), 10 deletions(-)
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
@@ -616,25 +616,27 @@ static int stmmac_ethtool_op_set_eee(str
struct ethtool_eee *edata)
{
struct stmmac_priv *priv = netdev_priv(dev);
+ int ret;
- priv->eee_enabled = edata->eee_enabled;
-
- if (!priv->eee_enabled)
+ if (!edata->eee_enabled) {
stmmac_disable_eee_mode(priv);
- else {
+ } else {
/* We are asking for enabling the EEE but it is safe
* to verify all by invoking the eee_init function.
* In case of failure it will return an error.
*/
- priv->eee_enabled = stmmac_eee_init(priv);
- if (!priv->eee_enabled)
+ edata->eee_enabled = stmmac_eee_init(priv);
+ if (!edata->eee_enabled)
return -EOPNOTSUPP;
-
- /* Do not change tx_lpi_timer in case of failure */
- priv->tx_lpi_timer = edata->tx_lpi_timer;
}
- return phy_ethtool_set_eee(priv->phydev, edata);
+ ret = phy_ethtool_set_eee(priv->phydev, edata);
+ if (ret)
+ return ret;
+
+ priv->eee_enabled = edata->eee_enabled;
+ priv->tx_lpi_timer = edata->tx_lpi_timer;
+ return 0;
}
static u32 stmmac_usec2riwt(u32 usec, struct stmmac_priv *priv)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 045/202] fuse: decrement NR_WRITEBACK_TEMP on the right page
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (107 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 049/202] arc: do not export symbols in troubleshoot.c Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 046/202] media: v4l: ioctl: Validate num_planes for debug messages Ben Hutchings
` (93 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Miklos Szeredi
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
commit a2ebba824106dabe79937a9f29a875f837e1b6d4 upstream.
NR_WRITEBACK_TEMP is accounted on the temporary page in the request, not
the page cache page.
Fixes: 8b284dc47291 ("fuse: writepages: handle same page rewrites")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/fuse/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1846,7 +1846,7 @@ static bool fuse_writepage_in_flight(str
spin_unlock(&fc->lock);
dec_bdi_stat(bdi, BDI_WRITEBACK);
- dec_zone_page_state(page, NR_WRITEBACK_TEMP);
+ dec_zone_page_state(new_req->pages[0], NR_WRITEBACK_TEMP);
bdi_writeout_inc(bdi);
fuse_writepage_free(fc, new_req);
fuse_request_free(new_req);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 058/202] tty: Handle problem if line discipline does not have receive_buf
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (78 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 118/202] microblaze: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [Bridge] " Ben Hutchings
` (122 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Jann Horn
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 27cfb3a53be46a54ec5e0bd04e51995b74c90343 upstream.
Some tty line disciplines do not have a receive buf callback, so
properly check for that before calling it. If they do not have this
callback, just eat the character quietly, as we can't fail this call.
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/tty_io.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2219,7 +2219,8 @@ static int tiocsti(struct tty_struct *tt
return -EFAULT;
tty_audit_tiocsti(tty, ch);
ld = tty_ldisc_ref_wait(tty);
- ld->ops->receive_buf(tty, &ch, &mbz, 1);
+ if (ld->ops->receive_buf)
+ ld->ops->receive_buf(tty, &ch, &mbz, 1);
tty_ldisc_deref(ld);
return 0;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 056/202] vt: invoke notifier on screen size change
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (123 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 127/202] score: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 076/202] CIFS: Do not consider -ENODATA as stat failure for reads Ben Hutchings
` (77 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Nicolas Pitre, Greg Kroah-Hartman, Nicolas Pitre
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Pitre <nicolas.pitre@linaro.org>
commit 0c9b1965faddad7534b6974b5b36c4ad37998f8e upstream.
User space using poll() on /dev/vcs devices are not awaken when a
screen size change occurs. Let's fix that.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/vt/vt.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -953,6 +953,7 @@ static int vc_do_resize(struct tty_struc
if (CON_IS_VISIBLE(vc))
update_screen(vc);
vt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num);
+ notify_update(vc);
return err;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 062/202] ARM: pxa: ssp: unneeded to free devm_ allocated data
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (85 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 173/202] net/x25: fix a race in x25_bind() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 113/202] frv: Use get_signal() signal_setup_done() Ben Hutchings
` (115 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Robert Jarzmik, Peng Hao
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peng Hao <peng.hao2@zte.com.cn>
commit ba16adeb346387eb2d1ada69003588be96f098fa upstream.
devm_ allocated data will be automatically freed. The free
of devm_ allocated data is invalid.
Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions")
Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>
[title's prefix changed]
Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/plat-pxa/ssp.c | 3 ---
1 file changed, 3 deletions(-)
--- a/arch/arm/plat-pxa/ssp.c
+++ b/arch/arm/plat-pxa/ssp.c
@@ -239,8 +239,6 @@ static int pxa_ssp_remove(struct platfor
if (ssp == NULL)
return -ENODEV;
- iounmap(ssp->mmio_base);
-
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
release_mem_region(res->start, resource_size(res));
@@ -250,7 +248,6 @@ static int pxa_ssp_remove(struct platfor
list_del(&ssp->node);
mutex_unlock(&ssp_lock);
- kfree(ssp);
return 0;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 067/202] KVM: x86: Fix single-step debugging
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (116 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 184/202] ipc/shm: Fix pid freeing Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 144/202] alpha: fix page fault handling for r16-r18 targets Ben Hutchings
` (84 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Paolo Bonzini, Alexander Popov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Popov <alex.popov@linux.com>
commit 5cc244a20b86090c087073c124284381cdf47234 upstream.
The single-step debugging of KVM guests on x86 is broken: if we run
gdb 'stepi' command at the breakpoint when the guest interrupts are
enabled, RIP always jumps to native_apic_mem_write(). Then other
nasty effects follow.
Long investigation showed that on Jun 7, 2017 the
commit c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall")
introduced the kvm_run.debug corruption: kvm_vcpu_do_singlestep() can
be called without X86_EFLAGS_TF set.
Let's fix it. Please consider that for -stable.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Fixes: c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall")
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/x86.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5400,8 +5400,7 @@ restart:
kvm_make_request(KVM_REQ_EVENT, vcpu);
vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
kvm_rip_write(vcpu, ctxt->eip);
- if (r == EMULATE_DONE &&
- (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)))
+ if (r == EMULATE_DONE && ctxt->tf)
kvm_vcpu_do_singlestep(vcpu, &r);
kvm_set_rflags(vcpu, ctxt->eflags);
} else
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 066/202] debugfs: fix debugfs_rename parameter checking
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (160 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 092/202] dmaengine: dmatest: unmap data on a single code-path when xfer done Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 091/202] perf/core: Don't WARN() for impossible ring-buffer sizes Ben Hutchings
` (40 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d88c93f090f708c18195553b352b9f205e65418f upstream.
debugfs_rename() needs to check that the dentries passed into it really
are valid, as sometimes they are not (i.e. if the return value of
another debugfs call is passed into this one.) So fix this up by
properly checking if the two parent directories are errors (they are
allowed to be NULL), and if the dentry to rename is not NULL or an
error.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/debugfs/inode.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -622,6 +622,13 @@ struct dentry *debugfs_rename(struct den
struct dentry *dentry = NULL, *trap;
struct name_snapshot old_name;
+ if (IS_ERR(old_dir))
+ return old_dir;
+ if (IS_ERR(new_dir))
+ return new_dir;
+ if (IS_ERR_OR_NULL(old_dentry))
+ return old_dentry;
+
trap = lock_rename(new_dir, old_dir);
/* Source or destination directories don't exist? */
if (!old_dir->d_inode || !new_dir->d_inode)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 057/202] char/mwave: fix potential Spectre v1 vulnerability
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (59 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 014/202] ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 078/202] usb: gadget: musb: fix short isoc packets with inventra dma Ben Hutchings
` (141 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Gustavo A. R. Silva, Greg Kroah-Hartman
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
commit 701956d4018e5d5438570e39e8bda47edd32c489 upstream.
ipcnum is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/char/mwave/mwavedd.c:299 mwave_ioctl() warn: potential spectre issue 'pDrvData->IPCs' [w] (local cap)
Fix this by sanitizing ipcnum before using it to index pDrvData->IPCs.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/char/mwave/mwavedd.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/char/mwave/mwavedd.c
+++ b/drivers/char/mwave/mwavedd.c
@@ -59,6 +59,7 @@
#include <linux/mutex.h>
#include <linux/delay.h>
#include <linux/serial_8250.h>
+#include <linux/nospec.h>
#include "smapi.h"
#include "mwavedd.h"
#include "3780i.h"
@@ -289,6 +290,8 @@ static long mwave_ioctl(struct file *fil
ipcnum);
return -EINVAL;
}
+ ipcnum = array_index_nospec(ipcnum,
+ ARRAY_SIZE(pDrvData->IPCs));
PRINTK_3(TRACE_MWAVE,
"mwavedd::mwave_ioctl IOCTL_MW_REGISTER_IPC"
" ipcnum %x entry usIntCount %x\n",
@@ -317,6 +320,8 @@ static long mwave_ioctl(struct file *fil
" Invalid ipcnum %x\n", ipcnum);
return -EINVAL;
}
+ ipcnum = array_index_nospec(ipcnum,
+ ARRAY_SIZE(pDrvData->IPCs));
PRINTK_3(TRACE_MWAVE,
"mwavedd::mwave_ioctl IOCTL_MW_GET_IPC"
" ipcnum %x, usIntCount %x\n",
@@ -383,6 +388,8 @@ static long mwave_ioctl(struct file *fil
ipcnum);
return -EINVAL;
}
+ ipcnum = array_index_nospec(ipcnum,
+ ARRAY_SIZE(pDrvData->IPCs));
mutex_lock(&mwave_mutex);
if (pDrvData->IPCs[ipcnum].bIsEnabled == TRUE) {
pDrvData->IPCs[ipcnum].bIsEnabled = FALSE;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 069/202] kallsyms: Handle too long symbols in kallsyms.c
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (21 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 201/202] apparmor: provide userspace flag indicating binfmt_elf_mmap change Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 098/202] s390/qeth: conclude all event processing before offlining a card Ben Hutchings
` (179 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Eugene Loh, Ard Biesheuvel, Masahiro Yamada
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eugene Loh <eugene.loh@oracle.com>
commit 6db2983cd8064808141ccefd75218f5b4345ffae upstream.
When checking for symbols with excessively long names,
account for null terminating character.
Fixes: f3462aa952cf ("Kbuild: Handle longer symbols in kallsyms.c")
Signed-off-by: Eugene Loh <eugene.loh@oracle.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
scripts/kallsyms.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/scripts/kallsyms.c
+++ b/scripts/kallsyms.c
@@ -121,8 +121,8 @@ static int read_symbol(FILE *in, struct
fprintf(stderr, "Read error or end of file.\n");
return -1;
}
- if (strlen(str) > KSYM_NAME_LEN) {
- fprintf(stderr, "Symbol %s too long for kallsyms (%zu vs %d).\n"
+ if (strlen(str) >= KSYM_NAME_LEN) {
+ fprintf(stderr, "Symbol %s too long for kallsyms (%zu >= %d).\n"
"Please increase KSYM_NAME_LEN both in kernel and kallsyms.c\n",
str, strlen(str), KSYM_NAME_LEN);
return -1;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 064/202] iommu/amd: Fix IOMMU page flush when detach device from a domain
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (152 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 129/202] tile: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 112/202] cris: Use get_signal() signal_setup_done() Ben Hutchings
` (48 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Suravee Suthikulpanit, Joerg Roedel,
Boris Ostrovsky, Joerg Roedel, Brijesh Singh
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
commit 9825bd94e3a2baae1f4874767ae3a7d4c049720e upstream.
When a VM is terminated, the VFIO driver detaches all pass-through
devices from VFIO domain by clearing domain id and page table root
pointer from each device table entry (DTE), and then invalidates
the DTE. Then, the VFIO driver unmap pages and invalidate IOMMU pages.
Currently, the IOMMU driver keeps track of which IOMMU and how many
devices are attached to the domain. When invalidate IOMMU pages,
the driver checks if the IOMMU is still attached to the domain before
issuing the invalidate page command.
However, since VFIO has already detached all devices from the domain,
the subsequent INVALIDATE_IOMMU_PAGES commands are being skipped as
there is no IOMMU attached to the domain. This results in data
corruption and could cause the PCI device to end up in indeterministic
state.
Fix this by invalidate IOMMU pages when detach a device, and
before decrementing the per-domain device reference counts.
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Suggested-by: Joerg Roedel <joro@8bytes.org>
Co-developed-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Fixes: 6de8ad9b9ee0 ('x86/amd-iommu: Make iommu_flush_pages aware of multiple IOMMUs')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iommu/amd_iommu.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -2185,14 +2185,11 @@ static void do_attach(struct iommu_dev_d
static void do_detach(struct iommu_dev_data *dev_data)
{
+ struct protection_domain *domain = dev_data->domain;
struct amd_iommu *iommu;
iommu = amd_iommu_rlookup_table[dev_data->devid];
- /* decrease reference counters */
- dev_data->domain->dev_iommu[iommu->index] -= 1;
- dev_data->domain->dev_cnt -= 1;
-
/* Update data structures */
dev_data->domain = NULL;
list_del(&dev_data->list);
@@ -2200,6 +2197,16 @@ static void do_detach(struct iommu_dev_d
/* Flush the DTE entry */
device_flush_dte(dev_data);
+
+ /* Flush IOTLB */
+ domain_flush_tlb_pde(domain);
+
+ /* Wait for the flushes to finish */
+ domain_flush_complete(domain);
+
+ /* decrease reference counters - needs to happen after the flushes */
+ domain->dev_iommu[iommu->index] -= 1;
+ domain->dev_cnt -= 1;
}
/*
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 060/202] can: bcm: check timer values before ktime conversion
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (182 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 027/202] ARM: dts: kirkwood: Fix polarity of GPIO fan lines Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 037/202] x86/kaslr: Fix incorrect i8254 outb() parameters Ben Hutchings
` (18 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Kyungtae Kim, Oliver Hartkopp,
Marc Kleine-Budde, Andre Naujoks
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Hartkopp <socketcan@hartkopp.net>
commit 93171ba6f1deffd82f381d36cb13177872d023f6 upstream.
Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup()
when the conversion into ktime multiplies the given value with NSEC_PER_USEC
(1000).
Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2
Add a check for the given tv_usec, so that the value stays below one second.
Additionally limit the tv_sec value to a reasonable value for CAN related
use-cases of 400 days and ensure all values to be positive.
Reported-by: Kyungtae Kim <kt0755@gmail.com>
Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Tested-by: Kyungtae Kim <kt0755@gmail.com>
Acked-by: Andre Naujoks <nautsch2@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/can/bcm.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -67,6 +67,9 @@
*/
#define MAX_NFRAMES 256
+/* limit timers to 400 days for sending/timeouts */
+#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60)
+
/* use of last_frames[index].can_dlc */
#define RX_RECV 0x40 /* received data for this element */
#define RX_THR 0x80 /* element not been sent due to throttle feature */
@@ -133,6 +136,22 @@ static inline struct bcm_sock *bcm_sk(co
return (struct bcm_sock *)sk;
}
+/* check limitations for timeval provided by user */
+static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head)
+{
+ if ((msg_head->ival1.tv_sec < 0) ||
+ (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) ||
+ (msg_head->ival1.tv_usec < 0) ||
+ (msg_head->ival1.tv_usec >= USEC_PER_SEC) ||
+ (msg_head->ival2.tv_sec < 0) ||
+ (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) ||
+ (msg_head->ival2.tv_usec < 0) ||
+ (msg_head->ival2.tv_usec >= USEC_PER_SEC))
+ return true;
+
+ return false;
+}
+
#define CFSIZ sizeof(struct can_frame)
#define OPSIZ sizeof(struct bcm_op)
#define MHSIZ sizeof(struct bcm_msg_head)
@@ -851,6 +870,10 @@ static int bcm_tx_setup(struct bcm_msg_h
if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
return -EINVAL;
+ /* check timeval limitations */
+ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
+ return -EINVAL;
+
/* check the given can_id */
op = bcm_find_op(&bo->tx_ops, msg_head->can_id, ifindex);
@@ -1018,6 +1041,10 @@ static int bcm_rx_setup(struct bcm_msg_h
(!(msg_head->can_id & CAN_RTR_FLAG))))
return -EINVAL;
+ /* check timeval limitations */
+ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
+ return -EINVAL;
+
/* check the given can_id */
op = bcm_find_op(&bo->rx_ops, msg_head->can_id, ifindex);
if (op) {
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 061/202] ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (44 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 036/202] s390/smp: fix CPU hotplug deadlock with CPU rescan Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 010/202] usb: cdc-acm: send ZLP for Telit 3G Intel based modems Ben Hutchings
` (156 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Corey Minyard, Gustavo A. R. Silva
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
commit a7102c7461794a5bb31af24b08e9e0f50038897a upstream.
channel and addr->channel are indirectly controlled by user-space,
hence leading to a potential exploitation of the Spectre variant 1
vulnerability.
These issues were detected with the help of Smatch:
drivers/char/ipmi/ipmi_msghandler.c:1381 ipmi_set_my_address() warn: potential spectre issue 'user->intf->addrinfo' [w] (local cap)
drivers/char/ipmi/ipmi_msghandler.c:1401 ipmi_get_my_address() warn: potential spectre issue 'user->intf->addrinfo' [r] (local cap)
drivers/char/ipmi/ipmi_msghandler.c:1421 ipmi_set_my_LUN() warn: potential spectre issue 'user->intf->addrinfo' [w] (local cap)
drivers/char/ipmi/ipmi_msghandler.c:1441 ipmi_get_my_LUN() warn: potential spectre issue 'user->intf->addrinfo' [r] (local cap)
drivers/char/ipmi/ipmi_msghandler.c:2260 check_addr() warn: potential spectre issue 'intf->addrinfo' [r] (local cap)
Fix this by sanitizing channel and addr->channel before using them to
index user->intf->addrinfo and intf->addrinfo, correspondingly.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -46,6 +46,7 @@
#include <linux/proc_fs.h>
#include <linux/rcupdate.h>
#include <linux/interrupt.h>
+#include <linux/nospec.h>
#define PFX "IPMI message handler: "
@@ -1116,6 +1117,7 @@ int ipmi_set_my_address(ipmi_user_t us
{
if (channel >= IPMI_MAX_CHANNELS)
return -EINVAL;
+ channel = array_index_nospec(channel, IPMI_MAX_CHANNELS);
user->intf->channels[channel].address = address;
return 0;
}
@@ -1127,6 +1129,7 @@ int ipmi_get_my_address(ipmi_user_t us
{
if (channel >= IPMI_MAX_CHANNELS)
return -EINVAL;
+ channel = array_index_nospec(channel, IPMI_MAX_CHANNELS);
*address = user->intf->channels[channel].address;
return 0;
}
@@ -1138,6 +1141,7 @@ int ipmi_set_my_LUN(ipmi_user_t user,
{
if (channel >= IPMI_MAX_CHANNELS)
return -EINVAL;
+ channel = array_index_nospec(channel, IPMI_MAX_CHANNELS);
user->intf->channels[channel].lun = LUN & 0x3;
return 0;
}
@@ -1149,6 +1153,7 @@ int ipmi_get_my_LUN(ipmi_user_t user,
{
if (channel >= IPMI_MAX_CHANNELS)
return -EINVAL;
+ channel = array_index_nospec(channel, IPMI_MAX_CHANNELS);
*address = user->intf->channels[channel].lun;
return 0;
}
@@ -1875,6 +1880,7 @@ static int check_addr(ipmi_smi_t i
{
if (addr->channel >= IPMI_MAX_CHANNELS)
return -EINVAL;
+ addr->channel = array_index_nospec(addr->channel, IPMI_MAX_CHANNELS);
*lun = intf->channels[addr->channel].lun;
*saddr = intf->channels[addr->channel].address;
return 0;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 065/202] net/mlx4_core: Add masking for a few queries on HCA caps
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (36 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 174/202] mmc: spi: Fix card detection during probe Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 116/202] m32r: Use get_signal() signal_setup_done() Ben Hutchings
` (164 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David S. Miller, Tariq Toukan, Aya Levin
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aya Levin <ayal@mellanox.com>
commit a40ded6043658444ee4dd6ee374119e4e98b33fc upstream.
Driver reads the query HCA capabilities without the corresponding masks.
Without the correct masks, the base addresses of the queues are
unaligned. In addition some reserved bits were wrongly read. Using the
correct masks, ensures alignment of the base addresses and allows future
firmware versions safe use of the reserved bits.
Fixes: ab9c17a009ee ("mlx4_core: Modify driver initialization flow to accommodate SRIOV for Ethernet")
Fixes: 0ff1fb654bec ("{NET, IB}/mlx4: Add device managed flow steering firmware API")
Signed-off-by: Aya Levin <ayal@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- There are no num_sys_eqs or dmfs_high_steer_mode parameters
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/mellanox/mlx4/fw.c
+++ b/drivers/net/ethernet/mellanox/mlx4/fw.c
@@ -1542,9 +1542,10 @@ int mlx4_QUERY_HCA(struct mlx4_dev *dev,
{
struct mlx4_cmd_mailbox *mailbox;
__be32 *outbox;
+ u64 qword_field;
u32 dword_field;
- int err;
u8 byte_field;
+ int err;
#define QUERY_HCA_GLOBAL_CAPS_OFFSET 0x04
#define QUERY_HCA_CORE_CLOCK_OFFSET 0x0c
@@ -1566,18 +1567,30 @@ int mlx4_QUERY_HCA(struct mlx4_dev *dev,
/* QPC/EEC/CQC/EQC/RDMARC attributes */
- MLX4_GET(param->qpc_base, outbox, INIT_HCA_QPC_BASE_OFFSET);
- MLX4_GET(param->log_num_qps, outbox, INIT_HCA_LOG_QP_OFFSET);
- MLX4_GET(param->srqc_base, outbox, INIT_HCA_SRQC_BASE_OFFSET);
- MLX4_GET(param->log_num_srqs, outbox, INIT_HCA_LOG_SRQ_OFFSET);
- MLX4_GET(param->cqc_base, outbox, INIT_HCA_CQC_BASE_OFFSET);
- MLX4_GET(param->log_num_cqs, outbox, INIT_HCA_LOG_CQ_OFFSET);
- MLX4_GET(param->altc_base, outbox, INIT_HCA_ALTC_BASE_OFFSET);
- MLX4_GET(param->auxc_base, outbox, INIT_HCA_AUXC_BASE_OFFSET);
- MLX4_GET(param->eqc_base, outbox, INIT_HCA_EQC_BASE_OFFSET);
- MLX4_GET(param->log_num_eqs, outbox, INIT_HCA_LOG_EQ_OFFSET);
- MLX4_GET(param->rdmarc_base, outbox, INIT_HCA_RDMARC_BASE_OFFSET);
- MLX4_GET(param->log_rd_per_qp, outbox, INIT_HCA_LOG_RD_OFFSET);
+ MLX4_GET(qword_field, outbox, INIT_HCA_QPC_BASE_OFFSET);
+ param->qpc_base = qword_field & ~((u64)0x1f);
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_QP_OFFSET);
+ param->log_num_qps = byte_field & 0x1f;
+ MLX4_GET(qword_field, outbox, INIT_HCA_SRQC_BASE_OFFSET);
+ param->srqc_base = qword_field & ~((u64)0x1f);
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_SRQ_OFFSET);
+ param->log_num_srqs = byte_field & 0x1f;
+ MLX4_GET(qword_field, outbox, INIT_HCA_CQC_BASE_OFFSET);
+ param->cqc_base = qword_field & ~((u64)0x1f);
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_CQ_OFFSET);
+ param->log_num_cqs = byte_field & 0x1f;
+ MLX4_GET(qword_field, outbox, INIT_HCA_ALTC_BASE_OFFSET);
+ param->altc_base = qword_field;
+ MLX4_GET(qword_field, outbox, INIT_HCA_AUXC_BASE_OFFSET);
+ param->auxc_base = qword_field;
+ MLX4_GET(qword_field, outbox, INIT_HCA_EQC_BASE_OFFSET);
+ param->eqc_base = qword_field & ~((u64)0x1f);
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_EQ_OFFSET);
+ param->log_num_eqs = byte_field & 0x1f;
+ MLX4_GET(qword_field, outbox, INIT_HCA_RDMARC_BASE_OFFSET);
+ param->rdmarc_base = qword_field & ~((u64)0x1f);
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_RD_OFFSET);
+ param->log_rd_per_qp = byte_field & 0x7;
MLX4_GET(dword_field, outbox, INIT_HCA_FLAGS_OFFSET);
if (dword_field & (1 << INIT_HCA_DEVICE_MANAGED_FLOW_STEERING_EN)) {
@@ -1592,18 +1605,18 @@ int mlx4_QUERY_HCA(struct mlx4_dev *dev,
/* steering attributes */
if (param->steering_mode == MLX4_STEERING_MODE_DEVICE_MANAGED) {
MLX4_GET(param->mc_base, outbox, INIT_HCA_FS_BASE_OFFSET);
- MLX4_GET(param->log_mc_entry_sz, outbox,
- INIT_HCA_FS_LOG_ENTRY_SZ_OFFSET);
- MLX4_GET(param->log_mc_table_sz, outbox,
- INIT_HCA_FS_LOG_TABLE_SZ_OFFSET);
+ MLX4_GET(byte_field, outbox, INIT_HCA_FS_LOG_ENTRY_SZ_OFFSET);
+ param->log_mc_entry_sz = byte_field & 0x1f;
+ MLX4_GET(byte_field, outbox, INIT_HCA_FS_LOG_TABLE_SZ_OFFSET);
+ param->log_mc_table_sz = byte_field & 0x1f;
} else {
MLX4_GET(param->mc_base, outbox, INIT_HCA_MC_BASE_OFFSET);
- MLX4_GET(param->log_mc_entry_sz, outbox,
- INIT_HCA_LOG_MC_ENTRY_SZ_OFFSET);
- MLX4_GET(param->log_mc_hash_sz, outbox,
- INIT_HCA_LOG_MC_HASH_SZ_OFFSET);
- MLX4_GET(param->log_mc_table_sz, outbox,
- INIT_HCA_LOG_MC_TABLE_SZ_OFFSET);
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_MC_ENTRY_SZ_OFFSET);
+ param->log_mc_entry_sz = byte_field & 0x1f;
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_MC_HASH_SZ_OFFSET);
+ param->log_mc_hash_sz = byte_field & 0x1f;
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_MC_TABLE_SZ_OFFSET);
+ param->log_mc_table_sz = byte_field & 0x1f;
}
/* CX3 is capable of extending CQEs/EQEs from 32 to 64 bytes */
@@ -1616,15 +1629,18 @@ int mlx4_QUERY_HCA(struct mlx4_dev *dev,
/* TPT attributes */
MLX4_GET(param->dmpt_base, outbox, INIT_HCA_DMPT_BASE_OFFSET);
- MLX4_GET(param->mw_enabled, outbox, INIT_HCA_TPT_MW_OFFSET);
- MLX4_GET(param->log_mpt_sz, outbox, INIT_HCA_LOG_MPT_SZ_OFFSET);
+ MLX4_GET(byte_field, outbox, INIT_HCA_TPT_MW_OFFSET);
+ param->mw_enabled = byte_field >> 7;
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_MPT_SZ_OFFSET);
+ param->log_mpt_sz = byte_field & 0x3f;
MLX4_GET(param->mtt_base, outbox, INIT_HCA_MTT_BASE_OFFSET);
MLX4_GET(param->cmpt_base, outbox, INIT_HCA_CMPT_BASE_OFFSET);
/* UAR attributes */
MLX4_GET(param->uar_page_sz, outbox, INIT_HCA_UAR_PAGE_SZ_OFFSET);
- MLX4_GET(param->log_uar_sz, outbox, INIT_HCA_LOG_UAR_SZ_OFFSET);
+ MLX4_GET(byte_field, outbox, INIT_HCA_LOG_UAR_SZ_OFFSET);
+ param->log_uar_sz = byte_field & 0xf;
out:
mlx4_free_cmd_mailbox(dev, mailbox);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 068/202] IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (143 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 029/202] Disable MSI also when pcie-octeon.pcie_disable on Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 047/202] Yama: Check for pid death before checking ancestry Ben Hutchings
` (57 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Leon Romanovsky, Jason Gunthorpe,
Erez Shitrit, Feras Daoud
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Feras Daoud <ferasda@mellanox.com>
commit 6ab4aba00f811a5265acc4d3eb1863bb3ca60562 upstream.
The following BUG was reported by kasan:
BUG: KASAN: use-after-free in ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib]
Read of size 80 at addr ffff88034c30bcd0 by task kworker/u16:1/24020
Workqueue: ipoib_wq ipoib_cm_tx_start [ib_ipoib]
Call Trace:
dump_stack+0x9a/0xeb
print_address_description+0xe3/0x2e0
kasan_report+0x18a/0x2e0
? ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib]
memcpy+0x1f/0x50
ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib]
? kvm_clock_read+0x1f/0x30
? ipoib_cm_skb_reap+0x610/0x610 [ib_ipoib]
? __lock_is_held+0xc2/0x170
? process_one_work+0x880/0x1960
? process_one_work+0x912/0x1960
process_one_work+0x912/0x1960
? wq_pool_ids_show+0x310/0x310
? lock_acquire+0x145/0x440
worker_thread+0x87/0xbb0
? process_one_work+0x1960/0x1960
kthread+0x314/0x3d0
? kthread_create_worker_on_cpu+0xc0/0xc0
ret_from_fork+0x3a/0x50
Allocated by task 0:
kasan_kmalloc+0xa0/0xd0
kmem_cache_alloc_trace+0x168/0x3e0
path_rec_create+0xa2/0x1f0 [ib_ipoib]
ipoib_start_xmit+0xa98/0x19e0 [ib_ipoib]
dev_hard_start_xmit+0x159/0x8d0
sch_direct_xmit+0x226/0xb40
__dev_queue_xmit+0x1d63/0x2950
neigh_update+0x889/0x1770
arp_process+0xc47/0x21f0
arp_rcv+0x462/0x760
__netif_receive_skb_core+0x1546/0x2da0
netif_receive_skb_internal+0xf2/0x590
napi_gro_receive+0x28e/0x390
ipoib_ib_handle_rx_wc_rss+0x873/0x1b60 [ib_ipoib]
ipoib_rx_poll_rss+0x17d/0x320 [ib_ipoib]
net_rx_action+0x427/0xe30
__do_softirq+0x28e/0xc42
Freed by task 26680:
__kasan_slab_free+0x11d/0x160
kfree+0xf5/0x360
ipoib_flush_paths+0x532/0x9d0 [ib_ipoib]
ipoib_set_mode_rss+0x1ad/0x560 [ib_ipoib]
set_mode+0xc8/0x150 [ib_ipoib]
kernfs_fop_write+0x279/0x440
__vfs_write+0xd8/0x5c0
vfs_write+0x15e/0x470
ksys_write+0xb8/0x180
do_syscall_64+0x9b/0x420
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88034c30bcc8
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
512-byte region [ffff88034c30bcc8, ffff88034c30bec8)
The buggy address belongs to the page:
The following race between change mode and xmit flow is the reason for
this use-after-free:
Change mode Send packet 1 to GID XX Send packet 2 to GID XX
| | |
start | |
| | |
| | |
| Create new path for GID XX |
| and update neigh path |
| | |
| | |
| | |
flush_paths | |
| |
queue_work(cm.start_task) |
| Path for GID XX not found
| create new path
|
|
start_task runs with old
released path
There is no locking to protect the lifetime of the path through the
ipoib_cm_tx struct, so delete it entirely and always use the newly looked
up path under the priv->lock.
Fixes: 546481c2816e ("IB/ipoib: Fix memory corruption in ipoib cm mode connect flow")
Signed-off-by: Feras Daoud <ferasda@mellanox.com>
Reviewed-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/ulp/ipoib/ipoib.h | 1 -
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 3 +--
2 files changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -228,7 +228,6 @@ struct ipoib_cm_tx {
struct list_head list;
struct net_device *dev;
struct ipoib_neigh *neigh;
- struct ipoib_path *path;
struct ipoib_cm_tx_buf *tx_ring;
unsigned tx_head;
unsigned tx_tail;
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1279,7 +1279,6 @@ struct ipoib_cm_tx *ipoib_cm_create_tx(s
neigh->cm = tx;
tx->neigh = neigh;
- tx->path = path;
tx->dev = dev;
list_add(&tx->list, &priv->cm.start_list);
set_bit(IPOIB_FLAG_INITIALIZED, &tx->flags);
@@ -1338,7 +1337,7 @@ static void ipoib_cm_tx_start(struct wor
neigh->daddr + QPN_AND_OPTIONS_OFFSET);
goto free_neigh;
}
- memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);
+ memcpy(&pathrec, &path->pathrec, sizeof(pathrec));
spin_unlock_irqrestore(&priv->lock, flags);
netif_tx_unlock_bh(dev);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 073/202] scsi: bnx2fc: Fix error handling in probe()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (139 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 096/202] s390/qeth: fix use-after-free in error path Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 177/202] tmpfs: fix uninitialized return value in shmem_link Ben Hutchings
` (61 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Dan Carpenter, Martin K. Petersen
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit b2d3492fc591b1fb46b81d79ca1fc44cac6ae0ae upstream.
There are two issues here. First if cmgr->hba is not set early enough then
it leads to a NULL dereference. Second if we don't completely initialize
cmgr->io_bdt_pool[] then we end up dereferencing uninitialized pointers.
Fixes: 853e2bd2103a ("[SCSI] bnx2fc: Broadcom FCoE offload driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backorted to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/bnx2fc/bnx2fc_io.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/scsi/bnx2fc/bnx2fc_io.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_io.c
@@ -271,6 +271,7 @@ struct bnx2fc_cmd_mgr *bnx2fc_cmd_mgr_al
return NULL;
}
+ cmgr->hba = hba;
cmgr->free_list = kzalloc(sizeof(*cmgr->free_list) *
arr_sz, GFP_KERNEL);
if (!cmgr->free_list) {
@@ -287,7 +288,6 @@ struct bnx2fc_cmd_mgr *bnx2fc_cmd_mgr_al
goto mem_err;
}
- cmgr->hba = hba;
cmgr->cmds = (struct bnx2fc_cmd **)(cmgr + 1);
for (i = 0; i < arr_sz; i++) {
@@ -326,7 +326,7 @@ struct bnx2fc_cmd_mgr *bnx2fc_cmd_mgr_al
/* Allocate pool of io_bdts - one for each bnx2fc_cmd */
mem_size = num_ios * sizeof(struct io_bdt *);
- cmgr->io_bdt_pool = kmalloc(mem_size, GFP_KERNEL);
+ cmgr->io_bdt_pool = kzalloc(mem_size, GFP_KERNEL);
if (!cmgr->io_bdt_pool) {
printk(KERN_ERR PFX "failed to alloc io_bdt_pool\n");
goto mem_err;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 074/202] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (92 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 120/202] mips: Use sigsp() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 125/202] powerpc/signal: Properly handle return value from uprobe_deny_signal() Ben Hutchings
` (108 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Paul Burton, linux-mips, Aaro Koskinen
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aaro Koskinen <aaro.koskinen@iki.fi>
commit dcf300a69ac307053dfb35c2e33972e754a98bce upstream.
Don't set octeon_dma_bar_type if PCI is disabled. This avoids creation
of the MSI irqchip later on, and saves a bit of memory.
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: a214720cbf50 ("Disable MSI also when pcie-octeon.pcie_disable on")
Cc: linux-mips@vger.kernel.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/pci/pci-octeon.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/arch/mips/pci/pci-octeon.c
+++ b/arch/mips/pci/pci-octeon.c
@@ -575,6 +575,11 @@ static int __init octeon_pci_setup(void)
if (octeon_has_feature(OCTEON_FEATURE_PCIE))
return 0;
+ if (!octeon_is_pci_host()) {
+ pr_notice("Not in host mode, PCI Controller not initialized\n");
+ return 0;
+ }
+
/* Point pcibios_map_irq() to the PCI version of it */
octeon_pcibios_map_irq = octeon_pci_pcibios_map_irq;
@@ -586,11 +591,6 @@ static int __init octeon_pci_setup(void)
else
octeon_dma_bar_type = OCTEON_DMA_BAR_TYPE_BIG;
- if (!octeon_is_pci_host()) {
- pr_notice("Not in host mode, PCI Controller not initialized\n");
- return 0;
- }
-
/* PCI I/O and PCI MEM values */
set_io_port_base(OCTEON_PCI_IOSPACE_BASE);
ioport_resource.start = 0;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 070/202] usb: gadget: udc: net2272: Fix bitwise and boolean operations
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (188 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 119/202] mips: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 034/202] s390/early: improve machine detection Ben Hutchings
` (12 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Gustavo A. R. Silva, Felipe Balbi
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
commit 07c69f1148da7de3978686d3af9263325d9d60bd upstream.
(!x & y) strikes again.
Fix bitwise and boolean operations by enclosing the expression:
intcsr & (1 << NET2272_PCI_IRQ)
in parentheses, before applying the boolean operator '!'.
Notice that this code has been there since 2011. So, it would
be helpful if someone can double-check this.
This issue was detected with the help of Coccinelle.
Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/gadget/net2272.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/gadget/net2272.c
+++ b/drivers/usb/gadget/net2272.c
@@ -2072,7 +2072,7 @@ static irqreturn_t net2272_irq(int irq,
#if defined(PLX_PCI_RDK2)
/* see if PCI int for us by checking irqstat */
intcsr = readl(dev->rdk2.fpga_base_addr + RDK2_IRQSTAT);
- if (!intcsr & (1 << NET2272_PCI_IRQ)) {
+ if (!(intcsr & (1 << NET2272_PCI_IRQ))) {
spin_unlock(&dev->lock);
return IRQ_NONE;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 072/202] s390/dasd: fix using offset into zero size array error
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 080/202] l2tp: copy 4 more bytes to linear part if necessary Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 111/202] c6x: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 121/202] mn10300: Use get_signal() signal_setup_done() Ben Hutchings
` (199 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Martin Schwidefsky, Dan Carpenter,
Stefan Haberland
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit 4a8ef6999bce998fa5813023a9a6b56eea329dba upstream.
Dan Carpenter reported the following:
The patch 52898025cf7d: "[S390] dasd: security and PSF update patch
for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
checker warning:
drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
error: using offset into zero size array 'psf_data[]'
drivers/s390/block/dasd_eckd.c
4458 /* Copy parms from caller */
4459 rc = -EFAULT;
4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
^^^^^^^
The user can specify any "usrparm.psf_data_len". They choose zero by
mistake.
4461 goto out;
4462 if (is_compat_task()) {
4463 /* Make sure pointers are sane even on 31 bit. */
4464 rc = -EINVAL;
4465 if ((usrparm.psf_data >> 32) != 0)
4466 goto out;
4467 if ((usrparm.rssd_result >> 32) != 0)
4468 goto out;
4469 usrparm.psf_data &= 0x7fffffffULL;
4470 usrparm.rssd_result &= 0x7fffffffULL;
4471 }
4472 /* alloc I/O data area */
4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
| GFP_DMA);
4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
| GFP_DMA);
4475 if (!psf_data || !rssd_result) {
kzalloc() returns a ZERO_SIZE_PTR (0x16).
4476 rc = -ENOMEM;
4477 goto out_free;
4478 }
4479
4480 /* get syscall header from user space */
4481 rc = -EFAULT;
4482 if (copy_from_user(psf_data,
4483 (void __user *)(unsigned long)
usrparm.psf_data,
4484 usrparm.psf_data_len))
That all works great.
4485 goto out_free;
4486 psf0 = psf_data[0];
4487 psf1 = psf_data[1];
But now we're assuming that "->psf_data_len" was at least 2 bytes.
Fix this by checking the user specified length psf_data_len.
Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/s390/block/dasd_eckd.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -3945,6 +3945,14 @@ static int dasd_symm_io(struct dasd_devi
usrparm.psf_data &= 0x7fffffffULL;
usrparm.rssd_result &= 0x7fffffffULL;
}
+ /* at least 2 bytes are accessed and should be allocated */
+ if (usrparm.psf_data_len < 2) {
+ DBF_DEV_EVENT(DBF_WARNING, device,
+ "Symmetrix ioctl invalid data length %d",
+ usrparm.psf_data_len);
+ rc = -EINVAL;
+ goto out;
+ }
/* alloc I/O data area */
psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA);
rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 077/202] ARM: iop32x/n2100: fix PCI IRQ mapping
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (166 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 022/202] scsi: isci: initialize shost fully before calling scsi_add_host() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 094/202] perf tests evsel-tp-sched: Fix bitwise operator Ben Hutchings
` (34 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Arnd Bergmann, Russell King
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@armlinux.org.uk>
commit db4090920ba2d61a5827a23e441447926a02ffee upstream.
Booting 4.20 on a TheCUS N2100 results in a kernel oops while probing
PCI, due to n2100_pci_map_irq() having been discarded during boot.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/mach-iop32x/n2100.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/arch/arm/mach-iop32x/n2100.c
+++ b/arch/arm/mach-iop32x/n2100.c
@@ -75,8 +75,7 @@ void __init n2100_map_io(void)
/*
* N2100 PCI.
*/
-static int __init
-n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
+static int n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
int irq;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 075/202] CIFS: Do not count -ENODATA as failure for query directory
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (180 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 024/202] drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2 Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 027/202] ARM: dts: kirkwood: Fix polarity of GPIO fan lines Ben Hutchings
` (20 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Steve French, Pavel Shilovsky
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Shilovsky <pshilov@microsoft.com>
commit 8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79 upstream.
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2260,8 +2260,8 @@ SMB2_query_directory(const unsigned int
if (rc == -ENODATA && rsp->hdr.Status == STATUS_NO_MORE_FILES) {
srch_inf->endOfSearch = true;
rc = 0;
- }
- cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE);
+ } else
+ cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE);
goto qdir_exit;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 078/202] usb: gadget: musb: fix short isoc packets with inventra dma
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (60 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 057/202] char/mwave: fix potential Spectre v1 vulnerability Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 088/202] dmaengine: bcm2835: Fix interrupt race on RT Ben Hutchings
` (140 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Bin Liu, Greg Kroah-Hartman, Paul Elder
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Elder <paul.elder@ideasonboard.com>
commit c418fd6c01fbc5516a2cd1eaf1df1ec86869028a upstream.
Handling short packets (length < max packet size) in the Inventra DMA
engine in the MUSB driver causes the MUSB DMA controller to hang. An
example of a problem that is caused by this problem is when streaming
video out of a UVC gadget, only the first video frame is transferred.
For short packets (mode-0 or mode-1 DMA), MUSB_TXCSR_TXPKTRDY must be
set manually by the driver. This was previously done in musb_g_tx
(musb_gadget.c), but incorrectly (all csr flags were cleared, and only
MUSB_TXCSR_MODE and MUSB_TXCSR_TXPKTRDY were set). Fixing that problem
allows some requests to be transferred correctly, but multiple requests
were often put together in one USB packet, and caused problems if the
packet size was not a multiple of 4. Instead, set MUSB_TXCSR_TXPKTRDY
in dma_controller_irq (musbhsdma.c), just like host mode transfers.
This topic was originally tackled by Nicolas Boichat [0] [1] and is
discussed further at [2] as part of his GSoC project [3].
[0] https://groups.google.com/forum/?hl=en#!topic/beagleboard-gsoc/k8Azwfp75CU
[1] https://gitorious.org/beagleboard-usbsniffer/beagleboard-usbsniffer-kernel/commit/b0be3b6cc195ba732189b04f1d43ec843c3e54c9?p=beagleboard-usbsniffer:beagleboard-usbsniffer-kernel.git;a=patch;h=b0be3b6cc195ba732189b04f1d43ec843c3e54c9
[2] http://beagleboard-usbsniffer.blogspot.com/2010/07/musb-isochronous-transfers-fixed.html
[3] http://elinux.org/BeagleBoard/GSoC/USBSniffer
Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support")
Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- Fold in the earlier commit fb91cddc54e7 "usb: musb: Remove DMA ifdef
for musb_gadget.c short_packet"
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/musb/musb_gadget.c | 13 +------------
drivers/usb/musb/musbhsdma.c | 21 +++++++++++----------
2 files changed, 12 insertions(+), 22 deletions(-)
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -488,10 +488,8 @@ void musb_g_tx(struct musb *musb, u8 epn
}
if (request) {
- u8 is_dma = 0;
if (dma && (csr & MUSB_TXCSR_DMAENAB)) {
- is_dma = 1;
csr |= MUSB_TXCSR_P_WZC_BITS;
csr &= ~(MUSB_TXCSR_DMAENAB | MUSB_TXCSR_P_UNDERRUN |
MUSB_TXCSR_TXPKTRDY | MUSB_TXCSR_AUTOSET);
@@ -507,15 +505,10 @@ void musb_g_tx(struct musb *musb, u8 epn
* First, maybe a terminating short packet. Some DMA
* engines might handle this by themselves.
*/
- if ((request->zero && request->length
+ if ((request->zero && request->length)
&& (request->length % musb_ep->packet_sz == 0)
- && (request->actual == request->length))
-#if defined(CONFIG_USB_INVENTRA_DMA) || defined(CONFIG_USB_UX500_DMA)
- || (is_dma && (!dma->desired_mode ||
- (request->actual &
- (musb_ep->packet_sz - 1))))
-#endif
- ) {
+ && (request->actual == request->length)) {
+
/*
* On DMA completion, FIFO may not be
* available yet...
--- a/drivers/usb/musb/musbhsdma.c
+++ b/drivers/usb/musb/musbhsdma.c
@@ -319,12 +319,10 @@ static irqreturn_t dma_controller_irq(in
channel->status = MUSB_DMA_STATUS_FREE;
/* completed */
- if ((devctl & MUSB_DEVCTL_HM)
- && (musb_channel->transmit)
- && ((channel->desired_mode == 0)
- || (channel->actual_len &
- (musb_channel->max_packet_sz - 1)))
- ) {
+ if (musb_channel->transmit &&
+ (!channel->desired_mode ||
+ (channel->actual_len %
+ musb_channel->max_packet_sz))) {
u8 epnum = musb_channel->epnum;
int offset = MUSB_EP_OFFSET(epnum,
MUSB_TXCSR);
@@ -336,11 +334,14 @@ static irqreturn_t dma_controller_irq(in
*/
musb_ep_select(mbase, epnum);
txcsr = musb_readw(mbase, offset);
- txcsr &= ~(MUSB_TXCSR_DMAENAB
+ if (channel->desired_mode == 1) {
+ txcsr &= ~(MUSB_TXCSR_DMAENAB
| MUSB_TXCSR_AUTOSET);
- musb_writew(mbase, offset, txcsr);
- /* Send out the packet */
- txcsr &= ~MUSB_TXCSR_DMAMODE;
+ musb_writew(mbase, offset, txcsr);
+ /* Send out the packet */
+ txcsr &= ~MUSB_TXCSR_DMAMODE;
+ txcsr |= MUSB_TXCSR_DMAENAB;
+ }
txcsr |= MUSB_TXCSR_TXPKTRDY;
musb_writew(mbase, offset, txcsr);
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 076/202] CIFS: Do not consider -ENODATA as stat failure for reads
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (124 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 056/202] vt: invoke notifier on screen size change Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 108/202] arm64: Use get_signal() signal_setup_done() Ben Hutchings
` (76 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Steve French, Pavel Shilovsky
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Shilovsky <pshilov@microsoft.com>
commit 082aaa8700415f6471ec9c5ef0c8307ca214989a upstream.
When doing reads beyound the end of a file the server returns
error STATUS_END_OF_FILE error which is mapped to -ENODATA.
Currently we report it as a failure which confuses read stats.
Change it to not consider -ENODATA as failure for stat purposes.
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1861,7 +1861,7 @@ smb2_readv_callback(struct mid_q_entry *
rdata->result = -EIO;
}
- if (rdata->result)
+ if (rdata->result && rdata->result != -ENODATA)
cifs_stats_fail_inc(tcon, SMB2_READ_HE);
queue_work(cifsiod_wq, &rdata->work);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 140/202] ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (62 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 088/202] dmaengine: bcm2835: Fix interrupt race on RT Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 196/202] brcmfmac: fix incorrect event channel deduction Ben Hutchings
` (138 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Manuel Reinhardt, Takashi Iwai
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Manuel Reinhardt <manuel.rhdt@gmail.com>
commit 2bc16b9f3223d049b57202ee702fcb5b9b507019 upstream.
The commit a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to
separate function") introduced an error in the handling of quirks for
implicit feedback endpoints. This commit fixes this.
If a quirk successfully sets up an implicit feedback endpoint, usb-audio
no longer tries to find the implicit fb endpoint itself.
Fixes: a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to separate function")
Signed-off-by: Manuel Reinhardt <manuel.rhdt@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/usb/pcm.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -313,6 +313,9 @@ static int search_roland_implicit_fb(str
return 0;
}
+/* Setup an implicit feedback endpoint from a quirk. Returns 0 if no quirk
+ * applies. Returns 1 if a quirk was found.
+ */
static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
struct usb_device *dev,
struct usb_interface_descriptor *altsd,
@@ -381,7 +384,7 @@ add_sync_ep:
subs->data_endpoint->sync_master = subs->sync_endpoint;
- return 0;
+ return 1;
}
static int set_sync_endpoint(struct snd_usb_substream *subs,
@@ -406,6 +409,10 @@ static int set_sync_endpoint(struct snd_
if (err < 0)
return err;
+ /* endpoint set by quirk */
+ if (err > 0)
+ return 0;
+
if (altsd->bNumEndpoints < 2)
return 0;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 088/202] dmaengine: bcm2835: Fix interrupt race on RT
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (61 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 078/202] usb: gadget: musb: fix short isoc packets with inventra dma Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 140/202] ALSA: usb-audio: Fix implicit fb endpoint setup by quirk Ben Hutchings
` (139 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Clive Messer, Matthias Reichl,
Florian Meier, Martin Sperl, Frank Pavlic, Vinod Koul,
Lukas Wunner, Stefan Wahren, Florian Kauer
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit f7da7782aba92593f7b82f03d2409a1c5f4db91b upstream.
If IRQ handlers are threaded (either because CONFIG_PREEMPT_RT_BASE is
enabled or "threadirqs" was passed on the command line) and if system
load is sufficiently high that wakeup latency of IRQ threads degrades,
SPI DMA transactions on the BCM2835 occasionally break like this:
ks8851 spi0.0: SPI transfer timed out
bcm2835-dma 3f007000.dma: DMA transfer could not be terminated
ks8851 spi0.0 eth2: ks8851_rdfifo: spi_sync() failed
The root cause is an assumption made by the DMA driver which is
documented in a code comment in bcm2835_dma_terminate_all():
/*
* Stop DMA activity: we assume the callback will not be called
* after bcm_dma_abort() returns (even if it does, it will see
* c->desc is NULL and exit.)
*/
That assumption falls apart if the IRQ handler bcm2835_dma_callback() is
threaded: A client may terminate a descriptor and issue a new one
before the IRQ handler had a chance to run. In fact the IRQ handler may
miss an *arbitrary* number of descriptors. The result is the following
race condition:
1. A descriptor finishes, its interrupt is deferred to the IRQ thread.
2. A client calls dma_terminate_async() which sets channel->desc = NULL.
3. The client issues a new descriptor. Because channel->desc is NULL,
bcm2835_dma_issue_pending() immediately starts the descriptor.
4. Finally the IRQ thread runs and writes BCM2835_DMA_INT to the CS
register to acknowledge the interrupt. This clears the ACTIVE flag,
so the newly issued descriptor is paused in the middle of the
transaction. Because channel->desc is not NULL, the IRQ thread
finalizes the descriptor and tries to start the next one.
I see two possible solutions: The first is to call synchronize_irq()
in bcm2835_dma_issue_pending() to wait until the IRQ thread has
finished before issuing a new descriptor. The downside of this approach
is unnecessary latency if clients desire rapidly terminating and
re-issuing descriptors and don't have any use for an IRQ callback.
(The SPI TX DMA channel is a case in point.)
A better alternative is to make the IRQ thread recognize that it has
missed descriptors and avoid finalizing the newly issued descriptor.
So first of all, set the ACTIVE flag when acknowledging the interrupt.
This keeps a newly issued descriptor running.
If the descriptor was finished, the channel remains idle despite the
ACTIVE flag being set. However the ACTIVE flag can then no longer be
used to check whether the channel is idle, so instead check whether
the register containing the current control block address is zero
and finalize the current descriptor only if so.
That way, there is no impact on latency and throughput if the client
doesn't care for the interrupt: Only minimal additional overhead is
introduced for non-cyclic descriptors as one further MMIO read is
necessary per interrupt to check for idleness of the channel. Cyclic
descriptors are sped up slightly by removing one MMIO write per
interrupt.
Fixes: 96286b576690 ("dmaengine: Add support for BCM2835")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: Frank Pavlic <f.pavlic@kunbus.de>
Cc: Martin Sperl <kernel@martin.sperl.org>
Cc: Florian Meier <florian.meier@koalo.de>
Cc: Clive Messer <clive.m.messer@gmail.com>
Cc: Matthias Reichl <hias@horus.com>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Florian Kauer <florian.kauer@koalo.de>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/dma/bcm2835-dma.c | 33 ++++++++++++++++++---------------
1 file changed, 18 insertions(+), 15 deletions(-)
--- a/drivers/dma/bcm2835-dma.c
+++ b/drivers/dma/bcm2835-dma.c
@@ -197,7 +197,12 @@ static int bcm2835_dma_abort(void __iome
long int timeout = 10000;
cs = readl(chan_base + BCM2835_DMA_CS);
- if (!(cs & BCM2835_DMA_ACTIVE))
+
+ /*
+ * A zero control block address means the channel is idle.
+ * (The ACTIVE flag in the CS register is not a reliable indicator.)
+ */
+ if (!readl(chan_base + BCM2835_DMA_ADDR))
return 0;
/* Write 0 to the active bit - Pause the DMA */
@@ -252,8 +257,15 @@ static irqreturn_t bcm2835_dma_callback(
spin_lock_irqsave(&c->vc.lock, flags);
- /* Acknowledge interrupt */
- writel(BCM2835_DMA_INT, c->chan_base + BCM2835_DMA_CS);
+ /*
+ * Clear the INT flag to receive further interrupts. Keep the channel
+ * active in case the descriptor is cyclic or in case the client has
+ * already terminated the descriptor and issued a new one. (May happen
+ * if this IRQ handler is threaded.) If the channel is finished, it
+ * will remain idle despite the ACTIVE flag being set.
+ */
+ writel(BCM2835_DMA_INT | BCM2835_DMA_ACTIVE,
+ c->chan_base + BCM2835_DMA_CS);
d = c->desc;
@@ -262,9 +274,6 @@ static irqreturn_t bcm2835_dma_callback(
vchan_cyclic_callback(&d->vd);
}
- /* Keep the DMA engine running */
- writel(BCM2835_DMA_ACTIVE, c->chan_base + BCM2835_DMA_CS);
-
spin_unlock_irqrestore(&c->vc.lock, flags);
return IRQ_HANDLED;
@@ -507,19 +516,14 @@ static int bcm2835_dma_terminate_all(str
list_del_init(&c->node);
spin_unlock(&d->lock);
- /*
- * Stop DMA activity: we assume the callback will not be called
- * after bcm_dma_abort() returns (even if it does, it will see
- * c->desc is NULL and exit.)
- */
+ /* stop DMA activity */
if (c->desc) {
c->desc = NULL;
bcm2835_dma_abort(c->chan_base);
/* Wait for stopping */
while (--timeout) {
- if (!(readl(c->chan_base + BCM2835_DMA_CS) &
- BCM2835_DMA_ACTIVE))
+ if (!readl(c->chan_base + BCM2835_DMA_ADDR))
break;
cpu_relax();
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 089/202] dmaengine: bcm2835: Fix abort of transactions
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (197 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 005/202] mfd: tps6586x: Handle interrupts on suspend Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 142/202] Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 Ben Hutchings
` (3 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Stefan Wahren, Lukas Wunner, Vinod Koul,
Florian Kauer, Florian Meier, Matthias Reichl, Clive Messer,
Frank Pavlic, Martin Sperl
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 9e528c799d17a4ac37d788c81440b50377dd592d upstream.
There are multiple issues with bcm2835_dma_abort() (which is called on
termination of a transaction):
* The algorithm to abort the transaction first pauses the channel by
clearing the ACTIVE flag in the CS register, then waits for the PAUSED
flag to clear. Page 49 of the spec documents the latter as follows:
"Indicates if the DMA is currently paused and not transferring data.
This will occur if the active bit has been cleared [...]"
https://www.raspberrypi.org/app/uploads/2012/02/BCM2835-ARM-Peripherals.pdf
So the function is entering an infinite loop because it is waiting for
PAUSED to clear which is always set due to the function having cleared
the ACTIVE flag. The only thing that's saving it from itself is the
upper bound of 10000 loop iterations.
The code comment says that the intention is to "wait for any current
AXI transfer to complete", so the author probably wanted to check the
WAITING_FOR_OUTSTANDING_WRITES flag instead. Amend the function
accordingly.
* The CS register is only read at the beginning of the function. It
needs to be read again after pausing the channel and before checking
for outstanding writes, otherwise writes which were issued between
the register read at the beginning of the function and pausing the
channel may not be waited for.
* The function seeks to abort the transfer by writing 0 to the NEXTCONBK
register and setting the ABORT and ACTIVE flags. Thereby, the 0 in
NEXTCONBK is sought to be loaded into the CONBLK_AD register. However
experimentation has shown this approach to not work: The CONBLK_AD
register remains the same as before and the CS register contains
0x00000030 (PAUSED | DREQ_STOPS_DMA). In other words, the control
block is not aborted but merely paused and it will be resumed once the
next DMA transaction is started. That is absolutely not the desired
behavior.
A simpler approach is to set the channel's RESET flag instead. This
reliably zeroes the NEXTCONBK as well as the CS register. It requires
less code and only a single MMIO write. This is also what popular
user space DMA drivers do, e.g.:
https://github.com/metachris/RPIO/blob/master/source/c_pwm/pwm.c
Note that the spec is contradictory whether the NEXTCONBK register
is writeable at all. On the one hand, page 41 claims:
"The value loaded into the NEXTCONBK register can be overwritten so
that the linked list of Control Block data structures can be
dynamically altered. However it is only safe to do this when the DMA
is paused."
On the other hand, page 40 specifies:
"Only three registers in each channel's register set are directly
writeable (CS, CONBLK_AD and DEBUG). The other registers (TI,
SOURCE_AD, DEST_AD, TXFR_LEN, STRIDE & NEXTCONBK), are automatically
loaded from a Control Block data structure held in external memory."
Fixes: 96286b576690 ("dmaengine: Add support for BCM2835")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: Frank Pavlic <f.pavlic@kunbus.de>
Cc: Martin Sperl <kernel@martin.sperl.org>
Cc: Florian Meier <florian.meier@koalo.de>
Cc: Clive Messer <clive.m.messer@gmail.com>
Cc: Matthias Reichl <hias@horus.com>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Florian Kauer <florian.kauer@koalo.de>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/dma/bcm2835-dma.c | 41 +++++++++------------------------------
1 file changed, 9 insertions(+), 32 deletions(-)
--- a/drivers/dma/bcm2835-dma.c
+++ b/drivers/dma/bcm2835-dma.c
@@ -191,13 +191,11 @@ static void bcm2835_dma_desc_free(struct
kfree(desc);
}
-static int bcm2835_dma_abort(void __iomem *chan_base)
+static int bcm2835_dma_abort(struct bcm2835_chan *c)
{
- unsigned long cs;
+ void __iomem *chan_base = c->chan_base;
long int timeout = 10000;
- cs = readl(chan_base + BCM2835_DMA_CS);
-
/*
* A zero control block address means the channel is idle.
* (The ACTIVE flag in the CS register is not a reliable indicator.)
@@ -209,25 +207,16 @@ static int bcm2835_dma_abort(void __iome
writel(0, chan_base + BCM2835_DMA_CS);
/* Wait for any current AXI transfer to complete */
- while ((cs & BCM2835_DMA_ISPAUSED) && --timeout) {
+ while ((readl(chan_base + BCM2835_DMA_CS) &
+ BCM2835_DMA_WAITING_FOR_WRITES) && --timeout)
cpu_relax();
- cs = readl(chan_base + BCM2835_DMA_CS);
- }
- /* We'll un-pause when we set of our next DMA */
+ /* Peripheral might be stuck and fail to signal AXI write responses */
if (!timeout)
- return -ETIMEDOUT;
-
- if (!(cs & BCM2835_DMA_ACTIVE))
- return 0;
-
- /* Terminate the control block chain */
- writel(0, chan_base + BCM2835_DMA_NEXTCB);
-
- /* Abort the whole DMA */
- writel(BCM2835_DMA_ABORT | BCM2835_DMA_ACTIVE,
- chan_base + BCM2835_DMA_CS);
+ dev_err(c->vc.chan.device->dev,
+ "failed to complete outstanding writes\n");
+ writel(BCM2835_DMA_RESET, chan_base + BCM2835_DMA_CS);
return 0;
}
@@ -506,7 +495,6 @@ static int bcm2835_dma_terminate_all(str
{
struct bcm2835_dmadev *d = to_bcm2835_dma_dev(c->vc.chan.device);
unsigned long flags;
- int timeout = 10000;
LIST_HEAD(head);
spin_lock_irqsave(&c->vc.lock, flags);
@@ -519,18 +507,7 @@ static int bcm2835_dma_terminate_all(str
/* stop DMA activity */
if (c->desc) {
c->desc = NULL;
- bcm2835_dma_abort(c->chan_base);
-
- /* Wait for stopping */
- while (--timeout) {
- if (!readl(c->chan_base + BCM2835_DMA_ADDR))
- break;
-
- cpu_relax();
- }
-
- if (!timeout)
- dev_err(d->ddev.dev, "DMA transfer could not be terminated\n");
+ bcm2835_dma_abort(c);
}
vchan_get_all_descriptors(&c->vc, &head);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 086/202] dmaengine: imx-dma: fix wrong callback invoke
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (8 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 114/202] hexagon: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 053/202] uart: Fix crash in uart_write and uart_put_char Ben Hutchings
` (192 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Vinod Koul, Leonid Iziumtsev
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leonid Iziumtsev <leonid.iziumtsev@gmail.com>
commit 341198eda723c8c1cddbb006a89ad9e362502ea2 upstream.
Once the "ld_queue" list is not empty, next descriptor will migrate
into "ld_active" list. The "desc" variable will be overwritten
during that transition. And later the dmaengine_desc_get_callback_invoke()
will use it as an argument. As result we invoke wrong callback.
That behaviour was in place since:
commit fcaaba6c7136 ("dmaengine: imx-dma: fix callback path in tasklet").
But after commit 4cd13c21b207 ("softirq: Let ksoftirqd do its job")
things got worse, since possible delay between tasklet_schedule()
from DMA irq handler and actual tasklet function execution got bigger.
And that gave more time for new DMA request to be submitted and
to be put into "ld_queue" list.
It has been noticed that DMA issue is causing problems for "mxc-mmc"
driver. While stressing the system with heavy network traffic and
writing/reading to/from sd card simultaneously the timeout may happen:
10013000.sdhci: mxcmci_watchdog: read time out (status = 0x30004900)
That often lead to file system corruption.
Signed-off-by: Leonid Iziumtsev <leonid.iziumtsev@gmail.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/dma/imx-dma.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/dma/imx-dma.c
+++ b/drivers/dma/imx-dma.c
@@ -624,7 +624,7 @@ static void imxdma_tasklet(unsigned long
{
struct imxdma_channel *imxdmac = (void *)data;
struct imxdma_engine *imxdma = imxdmac->imxdma;
- struct imxdma_desc *desc;
+ struct imxdma_desc *desc, *next_desc;
unsigned long flags;
spin_lock_irqsave(&imxdma->lock, flags);
@@ -654,10 +654,10 @@ static void imxdma_tasklet(unsigned long
list_move_tail(imxdmac->ld_active.next, &imxdmac->ld_free);
if (!list_empty(&imxdmac->ld_queue)) {
- desc = list_first_entry(&imxdmac->ld_queue, struct imxdma_desc,
- node);
+ next_desc = list_first_entry(&imxdmac->ld_queue,
+ struct imxdma_desc, node);
list_move_tail(imxdmac->ld_queue.next, &imxdmac->ld_active);
- if (imxdma_xfer_desc(desc) < 0)
+ if (imxdma_xfer_desc(next_desc) < 0)
dev_warn(imxdma->dev, "%s: channel: %d couldn't xfer desc\n",
__func__, imxdmac->channel);
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 079/202] fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (53 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 023/202] Drivers: hv: vmbus: Check for ring when getting debug info Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 195/202] brcmfmac: screening firmware event packet Ben Hutchings
` (147 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Waiman Long, Linus Torvalds, Dave Chinner
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
commit 1dbd449c9943e3145148cc893c2461b72ba6fef0 upstream.
The nr_dentry_unused per-cpu counter tracks dentries in both the LRU
lists and the shrink lists where the DCACHE_LRU_LIST bit is set.
The shrink_dcache_sb() function moves dentries from the LRU list to a
shrink list and subtracts the dentry count from nr_dentry_unused. This
is incorrect as the nr_dentry_unused count will also be decremented in
shrink_dentry_list() via d_shrink_del().
To fix this double decrement, the decrement in the shrink_dcache_sb()
function is taken out.
Fixes: 4e717f5c1083 ("list_lru: remove special case function list_lru_dispose_all."
Signed-off-by: Waiman Long <longman@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/dcache.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1063,15 +1063,11 @@ static enum lru_status dentry_lru_isolat
*/
void shrink_dcache_sb(struct super_block *sb)
{
- long freed;
-
do {
LIST_HEAD(dispose);
- freed = list_lru_walk(&sb->s_dentry_lru,
+ list_lru_walk(&sb->s_dentry_lru,
dentry_lru_isolate_shrink, &dispose, 1024);
-
- this_cpu_sub(nr_dentry_unused, freed);
shrink_dentry_list(&dispose);
cond_resched();
} while (list_lru_count(&sb->s_dentry_lru) > 0);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 092/202] dmaengine: dmatest: unmap data on a single code-path when xfer done
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (159 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 115/202] ia64: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 066/202] debugfs: fix debugfs_rename parameter checking Ben Hutchings
` (41 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Vinod Koul, Alexandru Ardelean
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Ardelean <alexandru.ardelean@analog.com>
commit 0255200bd29afc320c6ea4c1adf8bdc13a9b3c15 upstream.
After the DMA transfer is done, we don't need to call the un-mapping code
in 3 places. One is enough.
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
[bwh: Backported to 3.16 as dependency of commit 6454368a804c
"dmaengine: dmatest: Abort test in case of mapping error"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/dma/dmatest.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/dma/dmatest.c
+++ b/drivers/dma/dmatest.c
@@ -638,14 +638,14 @@ static int dmatest_func(void *data)
status = dma_async_is_tx_complete(chan, cookie, NULL, NULL);
+ dmaengine_unmap_put(um);
+
if (!done->done) {
- dmaengine_unmap_put(um);
result("test timed out", total_tests, src_off, dst_off,
len, 0);
failed_tests++;
continue;
} else if (status != DMA_COMPLETE) {
- dmaengine_unmap_put(um);
result(status == DMA_ERROR ?
"completion error status" :
"completion busy status", total_tests, src_off,
@@ -654,8 +654,6 @@ static int dmatest_func(void *data)
continue;
}
- dmaengine_unmap_put(um);
-
if (params->noverify) {
verbose_result("test passed", total_tests, src_off,
dst_off, len, 0);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 080/202] l2tp: copy 4 more bytes to linear part if necessary
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 111/202] c6x: Use get_signal() signal_setup_done() Ben Hutchings
` (201 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Jacob Wen, Guillaume Nault, David S. Miller
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Wen <jian.w.wen@oracle.com>
commit 91c524708de6207f59dd3512518d8a1c7b434ee3 upstream.
The size of L2TPv2 header with all optional fields is 14 bytes.
l2tp_udp_recv_core only moves 10 bytes to the linear part of a
skb. This may lead to l2tp_recv_common read data outside of a skb.
This patch make sure that there is at least 14 bytes in the linear
part of a skb to meet the maximum need of l2tp_udp_recv_core and
l2tp_recv_common. The minimum size of both PPP HDLC-like frame and
Ethernet frame is larger than 14 bytes, so we are safe to do so.
Also remove L2TP_HDR_SIZE_NOSEQ, it is unused now.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Jacob Wen <jian.w.wen@oracle.com>
Acked-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_core.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -82,8 +82,7 @@
#define L2TP_SLFLAG_S 0x40000000
#define L2TP_SL_SEQ_MASK 0x00ffffff
-#define L2TP_HDR_SIZE_SEQ 10
-#define L2TP_HDR_SIZE_NOSEQ 6
+#define L2TP_HDR_SIZE_MAX 14
/* Default trace flags */
#define L2TP_DEFAULT_DEBUG_FLAGS 0
@@ -897,7 +896,7 @@ static int l2tp_udp_recv_core(struct l2t
__skb_pull(skb, sizeof(struct udphdr));
/* Short packet? */
- if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
+ if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) {
l2tp_info(tunnel, L2TP_MSG_DATA,
"%s: recv short packet (len=%d)\n",
tunnel->name, skb->len);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 038/202] staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (120 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 028/202] crypto: authenc - fix parsing key with misaligned rta_len Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 050/202] ARC: show_regs: lockdep: avoid page allocator Ben Hutchings
` (80 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Larry Finger, Michael Straube
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michael Straube <straube.linux@gmail.com>
commit 5f74a8cbb38d10615ed46bc3e37d9a4c9af8045a upstream.
This device was added to the stand-alone driver on github.
Add it to the staging driver as well.
Link: https://github.com/lwfinger/rtl8188eu/commit/a0619a07cd1e
Signed-off-by: Michael Straube <straube.linux@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -59,6 +59,7 @@ static struct usb_device_id rtw_usb_id_t
{USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
{USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
{USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
+ {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */
{USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
{USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
{USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 090/202] perf/x86/intel/uncore: Add Node ID mask
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (55 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 195/202] brcmfmac: screening firmware event packet Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 059/202] can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it Ben Hutchings
` (145 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Peter Zijlstra (Intel),
Song Liu, Thomas Gleixner, Jiri Olsa, Kan Liang, Ingo Molnar,
Alexander Shishkin, Arnaldo Carvalho de Melo, Linus Torvalds
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kan Liang <kan.liang@linux.intel.com>
commit 9e63a7894fd302082cf3627fe90844421a6cbe7f upstream.
Some PCI uncore PMUs cannot be registered on an 8-socket system (HPE
Superdome Flex).
To understand which Socket the PCI uncore PMUs belongs to, perf retrieves
the local Node ID of the uncore device from CPUNODEID(0xC0) of the PCI
configuration space, and the mapping between Socket ID and Node ID from
GIDNIDMAP(0xD4). The Socket ID can be calculated accordingly.
The local Node ID is only available at bit 2:0, but current code doesn't
mask it. If a BIOS doesn't clear the rest of the bits, an incorrect Node ID
will be fetched.
Filter the Node ID by adding a mask.
Reported-by: Song Liu <songliubraving@fb.com>
Tested-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 7c94ee2e0917 ("perf/x86: Add Intel Nehalem and Sandy Bridge-EP uncore support")
Link: https://lkml.kernel.org/r/1548600794-33162-1-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
@@ -1004,6 +1004,8 @@ static struct pci_driver snbep_uncore_pc
.id_table = snbep_uncore_pci_ids,
};
+#define NODE_ID_MASK 0x7
+
/*
* build pci bus to socket mapping
*/
@@ -1024,7 +1026,7 @@ static int snbep_pci2phy_map_init(int de
err = pci_read_config_dword(ubox_dev, 0x40, &config);
if (err)
break;
- nodeid = config;
+ nodeid = config & NODE_ID_MASK;
/* get the Node ID mapping */
err = pci_read_config_dword(ubox_dev, 0x54, &config);
if (err)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 095/202] perf test: Fix failure of 'evsel-tp-sched' test on s390
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (131 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 130/202] um: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 097/202] s390/qeth: cancel close_dev work before removing a card Ben Hutchings
` (69 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Martin Schwidefsky, Thomas Richter,
Hendrik Brueckner, Arnaldo Carvalho de Melo, Heiko Carstens
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Richter <tmricht@linux.ibm.com>
commit 03d309711d687460d1345de8a0363f45b1c8cd11 upstream.
Commit 489338a717a0 ("perf tests evsel-tp-sched: Fix bitwise operator")
causes test case 14 "Parse sched tracepoints fields" to fail on s390.
This test succeeds on x86.
In fact this test now fails on all architectures with type char treated
as type unsigned char.
The root cause is the signed-ness of character arrays in the tracepoints
sched_switch for structure members prev_comm and next_comm.
On s390 the output of:
[root@m35lp76 perf]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format
name: sched_switch
ID: 287
format:
field:unsigned short common_type; offset:0; size:2; signed:0;
...
field:char prev_comm[16]; offset:8; size:16; signed:0;
...
field:char next_comm[16]; offset:40; size:16; signed:0;
reveals the character arrays prev_comm and next_comm are per
default unsigned char and have values in the range of 0..255.
On x86 both fields are signed as this output shows:
[root@f29]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format
name: sched_switch
ID: 287
format:
field:unsigned short common_type; offset:0; size:2; signed:0;
...
field:char prev_comm[16]; offset:8; size:16; signed:1;
...
field:char next_comm[16]; offset:40; size:16; signed:1;
and the character arrays prev_comm and next_comm are per default signed
char and have values in the range of -1..127. The implementation of
type char is architecture specific.
Since the character arrays in both tracepoints sched_switch and
sched_wakeup should contain ascii characters, simply omit the check for
signedness in the test case.
Output before:
[root@m35lp76 perf]# ./perf test -F 14
14: Parse sched tracepoints fields :
--- start ---
sched:sched_switch: "prev_comm" signedness(0) is wrong, should be 1
sched:sched_switch: "next_comm" signedness(0) is wrong, should be 1
sched:sched_wakeup: "comm" signedness(0) is wrong, should be 1
---- end ----
14: Parse sched tracepoints fields : FAILED!
[root@m35lp76 perf]#
Output after:
[root@m35lp76 perf]# ./perf test -Fv 14
14: Parse sched tracepoints fields :
--- start ---
---- end ----
Parse sched tracepoints fields: Ok
[root@m35lp76 perf]#
Fixes: 489338a717a0 ("perf tests evsel-tp-sched: Fix bitwise operator")
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Link: http://lkml.kernel.org/r/20190219153639.31267-1-tmricht@linux.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
tools/perf/tests/evsel-tp-sched.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/tools/perf/tests/evsel-tp-sched.c
+++ b/tools/perf/tests/evsel-tp-sched.c
@@ -40,7 +40,7 @@ int test__perf_evsel__tp_sched_test(void
return -1;
}
- if (perf_evsel__test_field(evsel, "prev_comm", 16, true))
+ if (perf_evsel__test_field(evsel, "prev_comm", 16, false))
ret = -1;
if (perf_evsel__test_field(evsel, "prev_pid", 4, true))
@@ -52,7 +52,7 @@ int test__perf_evsel__tp_sched_test(void
if (perf_evsel__test_field(evsel, "prev_state", sizeof(long), true))
ret = -1;
- if (perf_evsel__test_field(evsel, "next_comm", 16, true))
+ if (perf_evsel__test_field(evsel, "next_comm", 16, false))
ret = -1;
if (perf_evsel__test_field(evsel, "next_pid", 4, true))
@@ -65,7 +65,7 @@ int test__perf_evsel__tp_sched_test(void
evsel = perf_evsel__newtp("sched", "sched_wakeup");
- if (perf_evsel__test_field(evsel, "comm", 16, true))
+ if (perf_evsel__test_field(evsel, "comm", 16, false))
ret = -1;
if (perf_evsel__test_field(evsel, "pid", 4, true))
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 104/202] mtd: rawnand: gpmi: fix MX28 bus master lockup problem
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (64 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 196/202] brcmfmac: fix incorrect event channel deduction Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 190/202] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping Ben Hutchings
` (136 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Miquel Raynal, Manfred Schlaegl,
Boris Brezillon, Martin Kepplinger, Han Xu, Fabio Estevam
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Martin Kepplinger <martin.kepplinger@ginzinger.com>
commit d5d27fd9826b59979b184ec288e4812abac0e988 upstream.
Disable BCH soft reset according to MX23 erratum #2847 ("BCH soft
reset may cause bus master lock up") for MX28 too. It has the same
problem.
Observed problem: once per 100,000+ MX28 reboots NAND read failed on
DMA timeout errors:
[ 1.770823] UBI: attaching mtd3 to ubi0
[ 2.768088] gpmi_nand: DMA timeout, last DMA :1
[ 3.958087] gpmi_nand: BCH timeout, last DMA :1
[ 4.156033] gpmi_nand: Error in ECC-based read: -110
[ 4.161136] UBI warning: ubi_io_read: error -110 while reading 64
bytes from PEB 0:0, read only 0 bytes, retry
[ 4.171283] step 1 error
[ 4.173846] gpmi_nand: Chip: 0, Error -1
Without BCH soft reset we successfully executed 1,000,000 MX28 reboots.
I have a quote from NXP regarding this problem, from July 18th 2016:
"As the i.MX23 and i.MX28 are of the same generation, they share many
characteristics. Unfortunately, also the erratas may be shared.
In case of the documented erratas and the workarounds, you can also
apply the workaround solution of one device on the other one. This have
been reported, but I’m afraid that there are not an estimated date for
updating the Errata documents.
Please accept our apologies for any inconveniences this may cause."
Fixes: 6f2a6a52560a ("mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems")
Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
Signed-off-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Acked-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mtd/nand/gpmi-nand/gpmi-lib.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/drivers/mtd/nand/gpmi-nand/gpmi-lib.c
+++ b/drivers/mtd/nand/gpmi-nand/gpmi-lib.c
@@ -168,9 +168,10 @@ int gpmi_init(struct gpmi_nand_data *thi
/*
* Reset BCH here, too. We got failures otherwise :(
- * See later BCH reset for explanation of MX23 handling
+ * See later BCH reset for explanation of MX23 and MX28 handling
*/
- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
+ ret = gpmi_reset_block(r->bch_regs,
+ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
if (ret)
goto err_out;
@@ -275,12 +276,10 @@ int bch_set_geometry(struct gpmi_nand_da
/*
* Due to erratum #2847 of the MX23, the BCH cannot be soft reset on this
* chip, otherwise it will lock up. So we skip resetting BCH on the MX23.
- * On the other hand, the MX28 needs the reset, because one case has been
- * seen where the BCH produced ECC errors constantly after 10000
- * consecutive reboots. The latter case has not been seen on the MX23
- * yet, still we don't know if it could happen there as well.
+ * and MX28.
*/
- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
+ ret = gpmi_reset_block(r->bch_regs,
+ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
if (ret)
goto err_out;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 094/202] perf tests evsel-tp-sched: Fix bitwise operator
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (167 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 077/202] ARM: iop32x/n2100: fix PCI IRQ mapping Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 039/202] net/phy: micrel: Add workaround for bad autoneg Ben Hutchings
` (33 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Peter Zijlstra, Jiri Olsa,
Arnaldo Carvalho de Melo, Alexander Shishkin, Namhyung Kim,
Gustavo A. R. Silva
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
commit 489338a717a0dfbbd5a3fabccf172b78f0ac9015 upstream.
Notice that the use of the bitwise OR operator '|' always leads to true
in this particular case, which seems a bit suspicious due to the context
in which this expression is being used.
Fix this by using bitwise AND operator '&' instead.
This bug was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Fixes: 6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields")
Link: http://lkml.kernel.org/r/20190122233439.GA5868@embeddedor
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
tools/perf/tests/evsel-tp-sched.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/perf/tests/evsel-tp-sched.c
+++ b/tools/perf/tests/evsel-tp-sched.c
@@ -14,7 +14,7 @@ static int perf_evsel__test_field(struct
return -1;
}
- is_signed = !!(field->flags | FIELD_IS_SIGNED);
+ is_signed = !!(field->flags & FIELD_IS_SIGNED);
if (should_be_signed && !is_signed) {
pr_debug("%s: \"%s\" signedness(%d) is wrong, should be %d\n",
evsel->name, name, is_signed, should_be_signed);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 105/202] Input: bma150 - register input device after setting private data
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (178 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 194/202] brcmfmac: make brcmf_proto_hdrpull() return struct brcmf_if instance Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 024/202] drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2 Ben Hutchings
` (22 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Paweł Chmiel, Jonathan Bakker,
Dmitry Torokhov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Bakker <xc-racer2@live.ca>
commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream.
Otherwise we introduce a race condition where userspace can request input
before we're ready leading to null pointer dereference such as
input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3
Unable to handle kernel NULL pointer dereference at virtual address 00000018
pgd = (ptrval)
[00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] PREEMPT ARM
Modules linked in: bma150 input_polldev [last unloaded: bma150]
CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46
Hardware name: Samsung S5PC110/S5PV210-based board
PC is at input_event+0x8/0x60
LR is at bma150_report_xyz+0x9c/0xe0 [bma150]
pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013
sp : a4c1fd78 ip : 00000081 fp : 00020000
r10: 00000000 r9 : a5e2944c r8 : a7455000
r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048
r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000
Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: 54e34019 DAC: 00000051
Process accelerometer (pid: 2870, stack limit = 0x(ptrval))
Stackck: (0xa4c1fd78 to 0xa4c20000)
fd60: fffffff3 fc813f6c
fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324
fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10
fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0
fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c
fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000
fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041
fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8
fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001
fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048
fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8
fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720
fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00
ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3
ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002
ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c
ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100
ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000
ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000
ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038
ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000
[<80450f70>] (input_event) from [<a5e2817c>] (0xa5e2817c)
Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018)
---[ end trace 1c691ee85f2ff243 ]---
Signed-off-by: Jonathan Bakker <xc-racer2@live.ca>
Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/misc/bma150.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/input/misc/bma150.c
+++ b/drivers/input/misc/bma150.c
@@ -483,13 +483,14 @@ static int bma150_register_input_device(
idev->close = bma150_irq_close;
input_set_drvdata(idev, bma150);
+ bma150->input = idev;
+
error = input_register_device(idev);
if (error) {
input_free_device(idev);
return error;
}
- bma150->input = idev;
return 0;
}
@@ -512,15 +513,15 @@ static int bma150_register_polled_device
bma150_init_input_device(bma150, ipoll_dev->input);
+ bma150->input_polled = ipoll_dev;
+ bma150->input = ipoll_dev->input;
+
error = input_register_polled_device(ipoll_dev);
if (error) {
input_free_polled_device(ipoll_dev);
return error;
}
- bma150->input_polled = ipoll_dev;
- bma150->input = ipoll_dev->input;
-
return 0;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 106/202] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (27 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 017/202] packet: validate address length Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 102/202] drm/vmwgfx: Fix setting of dma masks Ben Hutchings
` (173 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jens Axboe, Hans de Goede
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit dd957493baa586f1431490f97f9c7c45eaf8ab10 upstream.
We've received a bugreport that using LPM with a SAMSUNG
MZ7TE512HMHP-000L1 SSD leads to system instability, we already have
a quirk for the MZ7TD256HAFV-000L9, which is also a Samsun EVO 840 /
PM851 OEM model, so it seems some of these models have a LPM issue.
This commits adds a NOLPM quirk for the model string from the new
bugeport, to avoid the reported stability issues.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1571330
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/libata-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4250,6 +4250,7 @@ static const struct ata_blacklist_entry
{ "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
{ "SAMSUNG SSD PM830 mSATA *", "CXM13D1Q", ATA_HORKAGE_NOLPM, },
{ "SAMSUNG MZ7TD256HAFV-000L9", NULL, ATA_HORKAGE_NOLPM, },
+ { "SAMSUNG MZ7TE512HMHP-000L1", "EXT06L0Q", ATA_HORKAGE_NOLPM, },
/* devices that don't properly handle queued TRIM commands */
{ "Micron_M500IT_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 112/202] cris: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (153 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 064/202] iommu/amd: Fix IOMMU page flush when detach device from a domain Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 016/202] ALSA: cs46xx: Potential NULL dereference in probe Ben Hutchings
` (47 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit fa0197722eb7559a6a9733881bbb8d9e76364f33 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/cris/arch-v10/kernel/signal.c | 79 +++++++++++++-----------------
arch/cris/arch-v32/kernel/signal.c | 77 ++++++++++++-----------------
2 files changed, 63 insertions(+), 93 deletions(-)
--- a/arch/cris/arch-v10/kernel/signal.c
+++ b/arch/cris/arch-v10/kernel/signal.c
@@ -228,33 +228,33 @@ get_sigframe(struct k_sigaction *ka, str
* user-mode trampoline.
*/
-static int setup_frame(int sig, struct k_sigaction *ka,
- sigset_t *set, struct pt_regs *regs)
+static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct sigframe __user *frame;
unsigned long return_ip;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
err |= setup_sigcontext(&frame->sc, regs, set->sig[0]);
if (err)
- goto give_sigsegv;
+ return -EFAULT;
if (_NSIG_WORDS > 1) {
err |= __copy_to_user(frame->extramask, &set->sig[1],
sizeof(frame->extramask));
}
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
- return_ip = (unsigned long)ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ return_ip = (unsigned long)ksig->ka.sa.sa_restorer;
} else {
/* trampoline - the desired return ip is the retcode itself */
return_ip = (unsigned long)&frame->retcode;
@@ -265,42 +265,38 @@ static int setup_frame(int sig, struct k
}
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up registers for signal handler */
- regs->irp = (unsigned long) ka->sa.sa_handler; /* what we enter NOW */
+ regs->irp = (unsigned long) ksig->ka.sa.sa_handler; /* what we enter NOW */
regs->srp = return_ip; /* what we enter LATER */
- regs->r10 = sig; /* first argument is signo */
+ regs->r10 = ksig->sig; /* first argument is signo */
/* actually move the usp to reflect the stacked frame */
wrusp((unsigned long)frame);
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
unsigned long return_ip;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
err |= __put_user(&frame->info, &frame->pinfo);
err |= __put_user(&frame->uc, &frame->puc);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Clear all the bits of the ucontext we don't use. */
err |= __clear_user(&frame->uc, offsetof(struct ucontext, uc_mcontext));
@@ -312,12 +308,12 @@ static int setup_rt_frame(int sig, struc
err |= __save_altstack(&frame->uc.uc_stack, rdusp());
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
- return_ip = (unsigned long)ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ return_ip = (unsigned long)ksig->ka.sa.sa_restorer;
} else {
/* trampoline - the desired return ip is the retcode itself */
return_ip = (unsigned long)&frame->retcode;
@@ -329,18 +325,18 @@ static int setup_rt_frame(int sig, struc
}
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* TODO what is the current->exec_domain stuff and invmap ? */
/* Set up registers for signal handler */
/* What we enter NOW */
- regs->irp = (unsigned long) ka->sa.sa_handler;
+ regs->irp = (unsigned long) ksig->ka.sa.sa_handler;
/* What we enter LATER */
regs->srp = return_ip;
/* First argument is signo */
- regs->r10 = sig;
+ regs->r10 = ksig->sig;
/* Second argument is (siginfo_t *) */
regs->r11 = (unsigned long)&frame->info;
/* Third argument is unused */
@@ -350,19 +346,14 @@ static int setup_rt_frame(int sig, struc
wrusp((unsigned long)frame);
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
/*
* OK, we're invoking a handler
*/
-static inline void handle_signal(int canrestart, unsigned long sig,
- siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs *regs)
+static inline void handle_signal(int canrestart, struct ksignal *ksig,
+ struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int ret;
@@ -383,7 +374,7 @@ static inline void handle_signal(int can
/* ERESTARTSYS means to restart the syscall if
* there is no handler or the handler was
* registered with SA_RESTART */
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->r10 = -EINTR;
break;
}
@@ -396,13 +387,12 @@ static inline void handle_signal(int can
}
/* Set up the stack frame */
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame(sig, ka, info, oldset, regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = setup_rt_frame(ksig, oldset, regs);
else
- ret = setup_frame(sig, ka, oldset, regs);
+ ret = setup_frame(ksig, oldset, regs);
- if (ret == 0)
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(ret, ksig, 0);
}
/*
@@ -419,9 +409,7 @@ static inline void handle_signal(int can
void do_signal(int canrestart, struct pt_regs *regs)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
/*
* We want the common case to go fast, which
@@ -432,10 +420,9 @@ void do_signal(int canrestart, struct pt
if (!user_mode(regs))
return;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Whee! Actually deliver the signal. */
- handle_signal(canrestart, signr, &info, &ka, regs);
+ handle_signal(canrestart, &ksig, regs);
return;
}
--- a/arch/cris/arch-v32/kernel/signal.c
+++ b/arch/cris/arch-v32/kernel/signal.c
@@ -215,23 +215,22 @@ get_sigframe(struct k_sigaction *ka, str
* trampoline.
*/
static int
-setup_frame(int sig, struct k_sigaction *ka, sigset_t *set,
- struct pt_regs * regs)
+setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
{
int err;
unsigned long return_ip;
struct signal_frame __user *frame;
err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
err |= setup_sigcontext(&frame->sc, regs, set->sig[0]);
if (err)
- goto give_sigsegv;
+ return -EFAULT;
if (_NSIG_WORDS > 1) {
err |= __copy_to_user(frame->extramask, &set->sig[1],
@@ -239,14 +238,14 @@ setup_frame(int sig, struct k_sigaction
}
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/*
* Set up to return from user-space. If provided, use a stub
* already located in user-space.
*/
- if (ka->sa.sa_flags & SA_RESTORER) {
- return_ip = (unsigned long)ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ return_ip = (unsigned long)ksig->ka.sa.sa_restorer;
} else {
/* Trampoline - the desired return ip is in the signal return page. */
return_ip = cris_signal_return_page;
@@ -264,7 +263,7 @@ setup_frame(int sig, struct k_sigaction
}
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/*
* Set up registers for signal handler.
@@ -273,42 +272,37 @@ setup_frame(int sig, struct k_sigaction
* Where the code enter later.
* First argument, signo.
*/
- regs->erp = (unsigned long) ka->sa.sa_handler;
+ regs->erp = (unsigned long) ksig->ka.sa.sa_handler;
regs->srp = return_ip;
- regs->r10 = sig;
+ regs->r10 = ksig->sig;
/* Actually move the USP to reflect the stacked frame. */
wrusp((unsigned long)frame);
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
static int
-setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs * regs)
+setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
{
int err;
unsigned long return_ip;
struct rt_signal_frame __user *frame;
err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
/* TODO: what is the current->exec_domain stuff and invmap ? */
err |= __put_user(&frame->info, &frame->pinfo);
err |= __put_user(&frame->uc, &frame->puc);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Clear all the bits of the ucontext we don't use. */
err |= __clear_user(&frame->uc, offsetof(struct ucontext, uc_mcontext));
@@ -317,14 +311,14 @@ setup_rt_frame(int sig, struct k_sigacti
err |= __save_altstack(&frame->uc.uc_stack, rdusp());
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/*
* Set up to return from user-space. If provided, use a stub
* already located in user-space.
*/
- if (ka->sa.sa_flags & SA_RESTORER) {
- return_ip = (unsigned long) ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ return_ip = (unsigned long) ksig->ka.sa.sa_restorer;
} else {
/* Trampoline - the desired return ip is in the signal return page. */
return_ip = cris_signal_return_page + 6;
@@ -345,7 +339,7 @@ setup_rt_frame(int sig, struct k_sigacti
}
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/*
* Set up registers for signal handler.
@@ -356,9 +350,9 @@ setup_rt_frame(int sig, struct k_sigacti
* Second argument is (siginfo_t *).
* Third argument is unused.
*/
- regs->erp = (unsigned long) ka->sa.sa_handler;
+ regs->erp = (unsigned long) ksig->ka.sa.sa_handler;
regs->srp = return_ip;
- regs->r10 = sig;
+ regs->r10 = ksig->sig;
regs->r11 = (unsigned long) &frame->info;
regs->r12 = 0;
@@ -366,17 +360,11 @@ setup_rt_frame(int sig, struct k_sigacti
wrusp((unsigned long)frame);
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
/* Invoke a signal handler to, well, handle the signal. */
static inline void
-handle_signal(int canrestart, unsigned long sig,
- siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs * regs)
+handle_signal(int canrestart, struct ksignal *ksig, struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int ret;
@@ -404,7 +392,7 @@ handle_signal(int canrestart, unsigned l
* there is no handler, or the handler
* was registered with SA_RESTART.
*/
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->r10 = -EINTR;
break;
}
@@ -423,13 +411,12 @@ handle_signal(int canrestart, unsigned l
}
/* Set up the stack frame. */
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame(sig, ka, info, oldset, regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = setup_rt_frame(ksig, oldset, regs);
else
- ret = setup_frame(sig, ka, oldset, regs);
+ ret = setup_frame(ksig, oldset, regs);
- if (ret == 0)
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(ret, ksig, 0);
}
/*
@@ -446,9 +433,7 @@ handle_signal(int canrestart, unsigned l
void
do_signal(int canrestart, struct pt_regs *regs)
{
- int signr;
- siginfo_t info;
- struct k_sigaction ka;
+ struct ksignal ksig;
/*
* The common case should go fast, which is why this point is
@@ -458,11 +443,9 @@ do_signal(int canrestart, struct pt_regs
if (!user_mode(regs))
return;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
-
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Whee! Actually deliver the signal. */
- handle_signal(canrestart, signr, &info, &ka, regs);
+ handle_signal(canrestart, &ksig, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 109/202] avr32: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (135 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 198/202] brcmfmac: add subtype check for event handling in data path Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 040/202] net/phy: micrel: configure intterupts after autoneg workaround Ben Hutchings
` (65 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Richard Weinberger, Hans-Christian Egtvedt
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit d809709a8845954a95c2ac86c13bd0dfd549c1ae upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Hans-Christian Egtvedt <egtvedt@samfundet.no>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/avr32/kernel/signal.c | 43 ++++++++++++++++----------------------
1 file changed, 18 insertions(+), 25 deletions(-)
--- a/arch/avr32/kernel/signal.c
+++ b/arch/avr32/kernel/signal.c
@@ -138,13 +138,12 @@ get_sigframe(struct k_sigaction *ka, str
}
static int
-setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
err = -EFAULT;
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
goto out;
@@ -164,7 +163,7 @@ setup_rt_frame(int sig, struct k_sigacti
err = __put_user(0x3008d733 | (__NR_rt_sigreturn << 20),
&frame->retcode);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
/* Set up the ucontext */
err |= __put_user(0, &frame->uc.uc_flags);
@@ -176,12 +175,12 @@ setup_rt_frame(int sig, struct k_sigacti
if (err)
goto out;
- regs->r12 = sig;
+ regs->r12 = ksig->sig;
regs->r11 = (unsigned long) &frame->info;
regs->r10 = (unsigned long) &frame->uc;
regs->sp = (unsigned long) frame;
- if (ka->sa.sa_flags & SA_RESTORER)
- regs->lr = (unsigned long)ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER)
+ regs->lr = (unsigned long)ksig->ka.sa.sa_restorer;
else {
printk(KERN_NOTICE "[%s:%d] did not set SA_RESTORER\n",
current->comm, current->pid);
@@ -189,10 +188,10 @@ setup_rt_frame(int sig, struct k_sigacti
}
pr_debug("SIG deliver [%s:%d]: sig=%d sp=0x%lx pc=0x%lx->0x%p lr=0x%lx\n",
- current->comm, current->pid, sig, regs->sp,
- regs->pc, ka->sa.sa_handler, regs->lr);
+ current->comm, current->pid, ksig->sig, regs->sp,
+ regs->pc, ksig->ka.sa.sa_handler, regs->lr);
- regs->pc = (unsigned long) ka->sa.sa_handler;
+ regs->pc = (unsigned long)ksig->ka.sa.sa_handler;
out:
return err;
@@ -208,15 +207,14 @@ static inline void setup_syscall_restart
}
static inline void
-handle_signal(unsigned long sig, struct k_sigaction *ka, siginfo_t *info,
- struct pt_regs *regs, int syscall)
+handle_signal(struct ksignal *ksig, struct pt_regs *regs, int syscall)
{
int ret;
/*
* Set up the stack frame
*/
- ret = setup_rt_frame(sig, ka, info, sigmask_to_save(), regs);
+ ret = setup_rt_frame(ksig, sigmask_to_save(), regs);
/*
* Check that the resulting registers are sane
@@ -226,10 +224,7 @@ handle_signal(unsigned long sig, struct
/*
* Block the signal if we were successful.
*/
- if (ret != 0)
- force_sigsegv(sig, current);
- else
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(ret, ksig, 0);
}
/*
@@ -239,9 +234,7 @@ handle_signal(unsigned long sig, struct
*/
static void do_signal(struct pt_regs *regs, int syscall)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
/*
* We want the common case to go fast, which is why we may in
@@ -251,18 +244,18 @@ static void do_signal(struct pt_regs *re
if (!user_mode(regs))
return;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
+ get_signal(&ksig);
if (syscall) {
switch (regs->r12) {
case -ERESTART_RESTARTBLOCK:
case -ERESTARTNOHAND:
- if (signr > 0) {
+ if (ksig.sig > 0) {
regs->r12 = -EINTR;
break;
}
/* fall through */
case -ERESTARTSYS:
- if (signr > 0 && !(ka.sa.sa_flags & SA_RESTART)) {
+ if (ksig.sig > 0 && !(ksig.ka.sa.sa_flags & SA_RESTART)) {
regs->r12 = -EINTR;
break;
}
@@ -272,13 +265,13 @@ static void do_signal(struct pt_regs *re
}
}
- if (signr == 0) {
+ if (!ksig.sig) {
/* No signal to deliver -- put the saved sigmask back */
restore_saved_sigmask();
return;
}
- handle_signal(signr, &ka, &info, regs, syscall);
+ handle_signal(&ksig, regs, syscall);
}
asmlinkage void do_notify_resume(struct pt_regs *regs, struct thread_info *ti)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 116/202] m32r: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (37 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 065/202] net/mlx4_core: Add masking for a few queries on HCA caps Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 158/202] netfilter: nft_compat: use-after-free when deleting targets Ben Hutchings
` (163 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 0f5bef660a7c3b030eb60ceb29e3b2d89f894f56 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/m32r/kernel/signal.c | 47 +++++++++++++++++----------------------
1 file changed, 20 insertions(+), 27 deletions(-)
--- a/arch/m32r/kernel/signal.c
+++ b/arch/m32r/kernel/signal.c
@@ -173,17 +173,17 @@ get_sigframe(struct k_sigaction *ka, uns
return (void __user *)((sp - frame_size) & -8ul);
}
-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
int err = 0;
- int signal;
+ int signal, sig = ksig->sig;
- frame = get_sigframe(ka, regs->spu, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs->spu, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
signal = current_thread_info()->exec_domain
&& current_thread_info()->exec_domain->signal_invmap
@@ -193,13 +193,13 @@ static int setup_rt_frame(int sig, struc
err |= __put_user(signal, &frame->sig);
if (err)
- goto give_sigsegv;
+ return -EFAULT;
err |= __put_user(&frame->info, &frame->pinfo);
err |= __put_user(&frame->uc, &frame->puc);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Create the ucontext. */
err |= __put_user(0, &frame->uc.uc_flags);
@@ -208,17 +208,17 @@ static int setup_rt_frame(int sig, struc
err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0]);
err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. */
- regs->lr = (unsigned long)ka->sa.sa_restorer;
+ regs->lr = (unsigned long)ksig->ka.sa.sa_restorer;
/* Set up registers for signal handler */
regs->spu = (unsigned long)frame;
regs->r0 = signal; /* Arg for signal handler */
regs->r1 = (unsigned long)&frame->info;
regs->r2 = (unsigned long)&frame->uc;
- regs->bpc = (unsigned long)ka->sa.sa_handler;
+ regs->bpc = (unsigned long)ksig->ka.sa.sa_handler;
set_fs(USER_DS);
@@ -228,10 +228,6 @@ static int setup_rt_frame(int sig, struc
#endif
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
static int prev_insn(struct pt_regs *regs)
@@ -252,9 +248,10 @@ static int prev_insn(struct pt_regs *reg
*/
static void
-handle_signal(unsigned long sig, struct k_sigaction *ka, siginfo_t *info,
- struct pt_regs *regs)
+handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
+ int ret;
+
/* Are we from a system call? */
if (regs->syscall_nr >= 0) {
/* If so, check system call restarting.. */
@@ -265,7 +262,7 @@ handle_signal(unsigned long sig, struct
break;
case -ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->r0 = -EINTR;
break;
}
@@ -278,10 +275,9 @@ handle_signal(unsigned long sig, struct
}
/* Set up the stack frame */
- if (setup_rt_frame(sig, ka, info, sigmask_to_save(), regs))
- return;
+ ret = setup_rt_frame(ksig, sigmask_to_save(), regs);
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(ret, ksig, 0);
}
/*
@@ -291,9 +287,7 @@ handle_signal(unsigned long sig, struct
*/
static void do_signal(struct pt_regs *regs)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
/*
* We want the common case to go fast, which
@@ -304,8 +298,7 @@ static void do_signal(struct pt_regs *re
if (!user_mode(regs))
return;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Re-enable any watchpoints before delivering the
* signal to user space. The processor register will
* have been cleared if the watchpoint triggered
@@ -313,7 +306,7 @@ static void do_signal(struct pt_regs *re
*/
/* Whee! Actually deliver the signal. */
- handle_signal(signr, &ka, &info, regs);
+ handle_signal(&ksig, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 036/202] s390/smp: fix CPU hotplug deadlock with CPU rescan
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (43 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 063/202] drm/modes: Prevent division by zero htotal Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 061/202] ipmi: msghandler: Fix potential Spectre v1 vulnerabilities Ben Hutchings
` (157 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Gerald Schaefer, Martin Schwidefsky
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
commit b7cb707c373094ce4008d4a6ac9b6b366ec52da5 upstream.
smp_rescan_cpus() is called without the device_hotplug_lock, which can lead
to a dedlock when a new CPU is found and immediately set online by a udev
rule.
This was observed on an older kernel version, where the cpu_hotplug_begin()
loop was still present, and it resulted in hanging chcpu and systemd-udev
processes. This specific deadlock will not show on current kernels. However,
there may be other possible deadlocks, and since smp_rescan_cpus() can still
trigger a CPU hotplug operation, the device_hotplug_lock should be held.
For reference, this was the deadlock with the old cpu_hotplug_begin() loop:
chcpu (rescan) systemd-udevd
echo 1 > /sys/../rescan
-> smp_rescan_cpus()
-> (*) get_online_cpus()
(increases refcount)
-> smp_add_present_cpu()
(new CPU found)
-> register_cpu()
-> device_add()
-> udev "add" event triggered -----------> udev rule sets CPU online
-> echo 1 > /sys/.../online
-> lock_device_hotplug_sysfs()
(this is missing in rescan path)
-> device_online()
-> (**) device_lock(new CPU dev)
-> cpu_up()
-> cpu_hotplug_begin()
(loops until refcount == 0)
-> deadlock with (*)
-> bus_probe_device()
-> device_attach()
-> device_lock(new CPU dev)
-> deadlock with (**)
Fix this by taking the device_hotplug_lock in the CPU rescan path.
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/s390/kernel/smp.c | 4 ++++
drivers/s390/char/sclp_config.c | 2 ++
2 files changed, 6 insertions(+)
--- a/arch/s390/kernel/smp.c
+++ b/arch/s390/kernel/smp.c
@@ -1032,7 +1032,11 @@ static ssize_t __ref rescan_store(struct
{
int rc;
+ rc = lock_device_hotplug_sysfs();
+ if (rc)
+ return rc;
rc = smp_rescan_cpus();
+ unlock_device_hotplug();
return rc ? rc : count;
}
static DEVICE_ATTR(rescan, 0200, NULL, rescan_store);
--- a/drivers/s390/char/sclp_config.c
+++ b/drivers/s390/char/sclp_config.c
@@ -43,7 +43,9 @@ static void sclp_cpu_capability_notify(s
static void __ref sclp_cpu_change_notify(struct work_struct *work)
{
+ lock_device_hotplug();
smp_rescan_cpus();
+ unlock_device_hotplug();
}
static void sclp_conf_receiver_fn(struct evbuf_header *evbuf)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 144/202] alpha: fix page fault handling for r16-r18 targets
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (117 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 067/202] KVM: x86: Fix single-step debugging Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 083/202] mm, oom: fix use-after-free in oom_kill_process Ben Hutchings
` (83 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Ivan Kokshaysky, Richard Henderson,
linux-alpha, Sergei Trofimovich, Matt Turner
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sergei Trofimovich <slyfox@gentoo.org>
commit 491af60ffb848b59e82f7c9145833222e0bf27a5 upstream.
Fix page fault handling code to fixup r16-r18 registers.
Before the patch code had off-by-two registers bug.
This bug caused overwriting of ps,pc,gp registers instead
of fixing intended r16,r17,r18 (see `struct pt_regs`).
More details:
Initially Dmitry noticed a kernel bug as a failure
on strace test suite. Test passes unmapped userspace
pointer to io_submit:
```c
#include <err.h>
#include <unistd.h>
#include <sys/mman.h>
#include <asm/unistd.h>
int main(void)
{
unsigned long ctx = 0;
if (syscall(__NR_io_setup, 1, &ctx))
err(1, "io_setup");
const size_t page_size = sysconf(_SC_PAGESIZE);
const size_t size = page_size * 2;
void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (MAP_FAILED == ptr)
err(1, "mmap(%zu)", size);
if (munmap(ptr, size))
err(1, "munmap");
syscall(__NR_io_submit, ctx, 1, ptr + page_size);
syscall(__NR_io_destroy, ctx);
return 0;
}
```
Running this test causes kernel to crash when handling page fault:
```
Unable to handle kernel paging request at virtual address ffffffffffff9468
CPU 3
aio(26027): Oops 0
pc = [<fffffc00004eddf8>] ra = [<fffffc00004edd5c>] ps = 0000 Not tainted
pc is at sys_io_submit+0x108/0x200
ra is at sys_io_submit+0x6c/0x200
v0 = fffffc00c58e6300 t0 = fffffffffffffff2 t1 = 000002000025e000
t2 = fffffc01f159fef8 t3 = fffffc0001009640 t4 = fffffc0000e0f6e0
t5 = 0000020001002e9e t6 = 4c41564e49452031 t7 = fffffc01f159c000
s0 = 0000000000000002 s1 = 000002000025e000 s2 = 0000000000000000
s3 = 0000000000000000 s4 = 0000000000000000 s5 = fffffffffffffff2
s6 = fffffc00c58e6300
a0 = fffffc00c58e6300 a1 = 0000000000000000 a2 = 000002000025e000
a3 = 00000200001ac260 a4 = 00000200001ac1e8 a5 = 0000000000000001
t8 = 0000000000000008 t9 = 000000011f8bce30 t10= 00000200001ac440
t11= 0000000000000000 pv = fffffc00006fd320 at = 0000000000000000
gp = 0000000000000000 sp = 00000000265fd174
Disabling lock debugging due to kernel taint
Trace:
[<fffffc0000311404>] entSys+0xa4/0xc0
```
Here `gp` has invalid value. `gp is s overwritten by a fixup for the
following page fault handler in `io_submit` syscall handler:
```
__se_sys_io_submit
...
ldq a1,0(t1)
bne t0,4280 <__se_sys_io_submit+0x180>
```
After a page fault `t0` should contain -EFALUT and `a1` is 0.
Instead `gp` was overwritten in place of `a1`.
This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18`
(aka `a0-a2`).
I think the bug went unnoticed for a long time as `gp` is one
of scratch registers. Any kernel function call would re-calculate `gp`.
Dmitry tracked down the bug origin back to 2.1.32 kernel version
where trap_a{0,1,2} fields were inserted into struct pt_regs.
And even before that `dpf_reg()` contained off-by-one error.
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: linux-alpha@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Reported-and-reviewed-by: "Dmitry V. Levin" <ldv@altlinux.org>
Bug: https://bugs.gentoo.org/672040
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/alpha/mm/fault.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/alpha/mm/fault.c
+++ b/arch/alpha/mm/fault.c
@@ -78,7 +78,7 @@ __load_new_mm_context(struct mm_struct *
/* Macro for exception fixup code to access integer registers. */
#define dpf_reg(r) \
(((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \
- (r) <= 18 ? (r)+8 : (r)-10])
+ (r) <= 18 ? (r)+10 : (r)-10])
asmlinkage void
do_page_fault(unsigned long address, unsigned long mmcsr,
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 113/202] frv: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (86 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 062/202] ARM: pxa: ssp: unneeded to free devm_ allocated data Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 101/202] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user Ben Hutchings
` (114 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 720f36b983224ac52b6acdd8b646ce30f6b38763 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/frv/kernel/signal.c | 99 ++++++++++++++++------------------------
1 file changed, 40 insertions(+), 59 deletions(-)
--- a/arch/frv/kernel/signal.c
+++ b/arch/frv/kernel/signal.c
@@ -180,17 +180,17 @@ static inline void __user *get_sigframe(
/*
*
*/
-static int setup_frame(int sig, struct k_sigaction *ka, sigset_t *set)
+static int setup_frame(struct ksignal *ksig, sigset_t *set)
{
struct sigframe __user *frame;
- int rsig;
+ int rsig, sig = ksig->sig;
set_fs(USER_DS);
- frame = get_sigframe(ka, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
rsig = sig;
if (sig < 32 &&
@@ -199,22 +199,22 @@ static int setup_frame(int sig, struct k
rsig = __current_thread_info->exec_domain->signal_invmap[sig];
if (__put_user(rsig, &frame->sig) < 0)
- goto give_sigsegv;
+ return -EFAULT;
if (setup_sigcontext(&frame->sc, set->sig[0]))
- goto give_sigsegv;
+ return -EFAULT;
if (_NSIG_WORDS > 1) {
if (__copy_to_user(frame->extramask, &set->sig[1],
sizeof(frame->extramask)))
- goto give_sigsegv;
+ return -EFAULT;
}
/* Set up to return from userspace. If provided, use a stub
* already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
- if (__put_user(ka->sa.sa_restorer, &frame->pretcode) < 0)
- goto give_sigsegv;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ if (__put_user(ksig->ka.sa.sa_restorer, &frame->pretcode) < 0)
+ return -EFAULT;
}
else {
/* Set up the following code on the stack:
@@ -224,7 +224,7 @@ static int setup_frame(int sig, struct k
if (__put_user((__sigrestore_t)frame->retcode, &frame->pretcode) ||
__put_user(0x8efc0000|__NR_sigreturn, &frame->retcode[0]) ||
__put_user(0xc0700000, &frame->retcode[1]))
- goto give_sigsegv;
+ return -EFAULT;
flush_icache_range((unsigned long) frame->retcode,
(unsigned long) (frame->retcode + 2));
@@ -233,14 +233,14 @@ static int setup_frame(int sig, struct k
/* Set up registers for the signal handler */
if (current->personality & FDPIC_FUNCPTRS) {
struct fdpic_func_descriptor __user *funcptr =
- (struct fdpic_func_descriptor __user *) ka->sa.sa_handler;
+ (struct fdpic_func_descriptor __user *) ksig->ka.sa.sa_handler;
struct fdpic_func_descriptor desc;
if (copy_from_user(&desc, funcptr, sizeof(desc)))
- goto give_sigsegv;
+ return -EFAULT;
__frame->pc = desc.text;
__frame->gr15 = desc.GOT;
} else {
- __frame->pc = (unsigned long) ka->sa.sa_handler;
+ __frame->pc = (unsigned long) ksig->ka.sa.sa_handler;
__frame->gr15 = 0;
}
@@ -255,29 +255,23 @@ static int setup_frame(int sig, struct k
#endif
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
-
} /* end setup_frame() */
/*****************************************************************************/
/*
*
*/
-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set)
{
struct rt_sigframe __user *frame;
- int rsig;
+ int rsig, sig = ksig->sig;
set_fs(USER_DS);
- frame = get_sigframe(ka, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
rsig = sig;
if (sig < 32 &&
@@ -288,28 +282,28 @@ static int setup_rt_frame(int sig, struc
if (__put_user(rsig, &frame->sig) ||
__put_user(&frame->info, &frame->pinfo) ||
__put_user(&frame->uc, &frame->puc))
- goto give_sigsegv;
+ return -EFAULT;
- if (copy_siginfo_to_user(&frame->info, info))
- goto give_sigsegv;
+ if (copy_siginfo_to_user(&frame->info, &ksig->info))
+ return -EFAULT;
/* Create the ucontext. */
if (__put_user(0, &frame->uc.uc_flags) ||
__put_user(NULL, &frame->uc.uc_link) ||
__save_altstack(&frame->uc.uc_stack, __frame->sp))
- goto give_sigsegv;
+ return -EFAULT;
if (setup_sigcontext(&frame->uc.uc_mcontext, set->sig[0]))
- goto give_sigsegv;
+ return -EFAULT;
if (__copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)))
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
* already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
- if (__put_user(ka->sa.sa_restorer, &frame->pretcode))
- goto give_sigsegv;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ if (__put_user(ksig->ka.sa.sa_restorer, &frame->pretcode))
+ return -EFAULT;
}
else {
/* Set up the following code on the stack:
@@ -319,7 +313,7 @@ static int setup_rt_frame(int sig, struc
if (__put_user((__sigrestore_t)frame->retcode, &frame->pretcode) ||
__put_user(0x8efc0000|__NR_rt_sigreturn, &frame->retcode[0]) ||
__put_user(0xc0700000, &frame->retcode[1]))
- goto give_sigsegv;
+ return -EFAULT;
flush_icache_range((unsigned long) frame->retcode,
(unsigned long) (frame->retcode + 2));
@@ -328,14 +322,14 @@ static int setup_rt_frame(int sig, struc
/* Set up registers for signal handler */
if (current->personality & FDPIC_FUNCPTRS) {
struct fdpic_func_descriptor __user *funcptr =
- (struct fdpic_func_descriptor __user *) ka->sa.sa_handler;
+ (struct fdpic_func_descriptor __user *) ksig->ka.sa.sa_handler;
struct fdpic_func_descriptor desc;
if (copy_from_user(&desc, funcptr, sizeof(desc)))
- goto give_sigsegv;
+ return -EFAULT;
__frame->pc = desc.text;
__frame->gr15 = desc.GOT;
} else {
- __frame->pc = (unsigned long) ka->sa.sa_handler;
+ __frame->pc = (unsigned long) ksig->ka.sa.sa_handler;
__frame->gr15 = 0;
}
@@ -349,21 +343,15 @@ static int setup_rt_frame(int sig, struc
sig, current->comm, current->pid, frame, __frame->pc,
frame->pretcode);
#endif
-
return 0;
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
-
} /* end setup_rt_frame() */
/*****************************************************************************/
/*
* OK, we're invoking a handler
*/
-static void handle_signal(unsigned long sig, siginfo_t *info,
- struct k_sigaction *ka)
+static void handle_signal(struct ksignal *ksig)
{
sigset_t *oldset = sigmask_to_save();
int ret;
@@ -378,7 +366,7 @@ static void handle_signal(unsigned long
break;
case -ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
__frame->gr8 = -EINTR;
break;
}
@@ -392,16 +380,12 @@ static void handle_signal(unsigned long
}
/* Set up the stack frame */
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame(sig, ka, info, oldset);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = setup_rt_frame(ksig, oldset);
else
- ret = setup_frame(sig, ka, oldset);
+ ret = setup_frame(ksig, oldset);
- if (ret)
- return;
-
- signal_delivered(sig, info, ka, __frame,
- test_thread_flag(TIF_SINGLESTEP));
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
} /* end handle_signal() */
/*****************************************************************************/
@@ -412,13 +396,10 @@ static void handle_signal(unsigned long
*/
static void do_signal(void)
{
- struct k_sigaction ka;
- siginfo_t info;
- int signr;
-
- signr = get_signal_to_deliver(&info, &ka, __frame, NULL);
- if (signr > 0) {
- handle_signal(signr, &info, &ka);
+ struct ksignal ksig;
+
+ if (get_signal(&ksig)) {
+ handle_signal(&ksig);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 117/202] m68k: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (90 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 188/202] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 120/202] mips: Use sigsp() Ben Hutchings
` (110 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 0d97500d393012690f3579056629bea0369e6554 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/m68k/kernel/signal.c | 63 +++++++++++++++------------------------
1 file changed, 24 insertions(+), 39 deletions(-)
--- a/arch/m68k/kernel/signal.c
+++ b/arch/m68k/kernel/signal.c
@@ -850,23 +850,23 @@ get_sigframe(struct k_sigaction *ka, str
return (void __user *)((usp - frame_size) & -8UL);
}
-static int setup_frame (int sig, struct k_sigaction *ka,
- sigset_t *set, struct pt_regs *regs)
+static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct sigframe __user *frame;
int fsize = frame_extra_sizes(regs->format);
struct sigcontext context;
- int err = 0;
+ int err = 0, sig = ksig->sig;
if (fsize < 0) {
#ifdef DEBUG
printk ("setup_frame: Unknown frame format %#x\n",
regs->format);
#endif
- goto give_sigsegv;
+ return -EFAULT;
}
- frame = get_sigframe(ka, regs, sizeof(*frame) + fsize);
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame) + fsize);
if (fsize)
err |= copy_to_user (frame + 1, regs + 1, fsize);
@@ -899,7 +899,7 @@ static int setup_frame (int sig, struct
#endif
if (err)
- goto give_sigsegv;
+ return -EFAULT;
push_cache ((unsigned long) &frame->retcode);
@@ -908,7 +908,7 @@ static int setup_frame (int sig, struct
* to destroy is successfully copied to sigframe.
*/
wrusp ((unsigned long) frame);
- regs->pc = (unsigned long) ka->sa.sa_handler;
+ regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
adjustformat(regs);
/*
@@ -934,28 +934,24 @@ static int setup_frame (int sig, struct
tregs->sr = regs->sr;
}
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return err;
}
-static int setup_rt_frame (int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
int fsize = frame_extra_sizes(regs->format);
- int err = 0;
+ int err = 0, sig = ksig->sig;
if (fsize < 0) {
#ifdef DEBUG
printk ("setup_frame: Unknown frame format %#x\n",
regs->format);
#endif
- goto give_sigsegv;
+ return -EFAULT;
}
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (fsize)
err |= copy_to_user (&frame->uc.uc_extra, regs + 1, fsize);
@@ -968,7 +964,7 @@ static int setup_rt_frame (int sig, stru
&frame->sig);
err |= __put_user(&frame->info, &frame->pinfo);
err |= __put_user(&frame->uc, &frame->puc);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
/* Create the ucontext. */
err |= __put_user(0, &frame->uc.uc_flags);
@@ -996,7 +992,7 @@ static int setup_rt_frame (int sig, stru
#endif /* CONFIG_MMU */
if (err)
- goto give_sigsegv;
+ return -EFAULT;
push_cache ((unsigned long) &frame->retcode);
@@ -1005,7 +1001,7 @@ static int setup_rt_frame (int sig, stru
* to destroy is successfully copied to sigframe.
*/
wrusp ((unsigned long) frame);
- regs->pc = (unsigned long) ka->sa.sa_handler;
+ regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
adjustformat(regs);
/*
@@ -1031,10 +1027,6 @@ static int setup_rt_frame (int sig, stru
tregs->sr = regs->sr;
}
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return err;
}
static inline void
@@ -1074,26 +1066,22 @@ handle_restart(struct pt_regs *regs, str
* OK, we're invoking a handler
*/
static void
-handle_signal(int sig, struct k_sigaction *ka, siginfo_t *info,
- struct pt_regs *regs)
+handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int err;
/* are we from a system call? */
if (regs->orig_d0 >= 0)
/* If so, check system call restarting.. */
- handle_restart(regs, ka, 1);
+ handle_restart(regs, &ksig->ka, 1);
/* set up the stack frame */
- if (ka->sa.sa_flags & SA_SIGINFO)
- err = setup_rt_frame(sig, ka, info, oldset, regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ err = setup_rt_frame(ksig, oldset, regs);
else
- err = setup_frame(sig, ka, oldset, regs);
-
- if (err)
- return;
+ err = setup_frame(ksig, oldset, regs);
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(err, ksig, 0);
if (test_thread_flag(TIF_DELAYED_TRACE)) {
regs->sr &= ~0x8000;
@@ -1108,16 +1096,13 @@ handle_signal(int sig, struct k_sigactio
*/
static void do_signal(struct pt_regs *regs)
{
- siginfo_t info;
- struct k_sigaction ka;
- int signr;
+ struct ksignal ksig;
current->thread.esp0 = (unsigned long) regs;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Whee! Actually deliver the signal. */
- handle_signal(signr, &ka, &info, regs);
+ handle_signal(&ksig, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 115/202] ia64: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (158 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 136/202] Rip out get_signal_to_deliver() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 092/202] dmaengine: dmatest: unmap data on a single code-path when xfer done Ben Hutchings
` (42 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 98c20309b97fc30001adf643cf876125f334fd8a upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
This inverts also the return codes of force_sigsegv_info()
and setup_frame() to follow the kernel convention.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/ia64/kernel/signal.c | 46 ++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 25 deletions(-)
--- a/arch/ia64/kernel/signal.c
+++ b/arch/ia64/kernel/signal.c
@@ -309,12 +309,11 @@ force_sigsegv_info (int sig, void __user
si.si_uid = from_kuid_munged(current_user_ns(), current_uid());
si.si_addr = addr;
force_sig_info(SIGSEGV, &si, current);
- return 0;
+ return 1;
}
static long
-setup_frame (int sig, struct k_sigaction *ka, siginfo_t *info, sigset_t *set,
- struct sigscratch *scr)
+setup_frame(struct ksignal *ksig, sigset_t *set, struct sigscratch *scr)
{
extern char __kernel_sigtramp[];
unsigned long tramp_addr, new_rbs = 0, new_sp;
@@ -323,7 +322,7 @@ setup_frame (int sig, struct k_sigaction
new_sp = scr->pt.r12;
tramp_addr = (unsigned long) __kernel_sigtramp;
- if (ka->sa.sa_flags & SA_ONSTACK) {
+ if (ksig->ka.sa.sa_flags & SA_ONSTACK) {
int onstack = sas_ss_flags(new_sp);
if (onstack == 0) {
@@ -347,29 +346,29 @@ setup_frame (int sig, struct k_sigaction
*/
check_sp = (new_sp - sizeof(*frame)) & -STACK_ALIGN;
if (!likely(on_sig_stack(check_sp)))
- return force_sigsegv_info(sig, (void __user *)
+ return force_sigsegv_info(ksig->sig, (void __user *)
check_sp);
}
}
frame = (void __user *) ((new_sp - sizeof(*frame)) & -STACK_ALIGN);
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- return force_sigsegv_info(sig, frame);
+ return force_sigsegv_info(ksig->sig, frame);
- err = __put_user(sig, &frame->arg0);
+ err = __put_user(ksig->sig, &frame->arg0);
err |= __put_user(&frame->info, &frame->arg1);
err |= __put_user(&frame->sc, &frame->arg2);
err |= __put_user(new_rbs, &frame->sc.sc_rbs_base);
err |= __put_user(0, &frame->sc.sc_loadrs); /* initialize to zero */
- err |= __put_user(ka->sa.sa_handler, &frame->handler);
+ err |= __put_user(ksig->ka.sa.sa_handler, &frame->handler);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
err |= __save_altstack(&frame->sc.sc_stack, scr->pt.r12);
err |= setup_sigcontext(&frame->sc, set, scr);
if (unlikely(err))
- return force_sigsegv_info(sig, frame);
+ return force_sigsegv_info(ksig->sig, frame);
scr->pt.r12 = (unsigned long) frame - 16; /* new stack pointer */
scr->pt.ar_fpsr = FPSR_DEFAULT; /* reset fpsr for signal handler */
@@ -394,22 +393,20 @@ setup_frame (int sig, struct k_sigaction
#if DEBUG_SIG
printk("SIG deliver (%s:%d): sig=%d sp=%lx ip=%lx handler=%p\n",
- current->comm, current->pid, sig, scr->pt.r12, frame->sc.sc_ip, frame->handler);
+ current->comm, current->pid, ksig->sig, scr->pt.r12, frame->sc.sc_ip, frame->handler);
#endif
- return 1;
+ return 0;
}
static long
-handle_signal (unsigned long sig, struct k_sigaction *ka, siginfo_t *info,
- struct sigscratch *scr)
+handle_signal (struct ksignal *ksig, struct sigscratch *scr)
{
- if (!setup_frame(sig, ka, info, sigmask_to_save(), scr))
- return 0;
+ int ret = setup_frame(ksig, sigmask_to_save(), scr);
- signal_delivered(sig, info, ka, &scr->pt,
- test_thread_flag(TIF_SINGLESTEP));
+ if (!ret)
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
- return 1;
+ return ret;
}
/*
@@ -419,17 +416,16 @@ handle_signal (unsigned long sig, struct
void
ia64_do_signal (struct sigscratch *scr, long in_syscall)
{
- struct k_sigaction ka;
- siginfo_t info;
long restart = in_syscall;
long errno = scr->pt.r8;
+ struct ksignal ksig;
/*
* This only loops in the rare cases of handle_signal() failing, in which case we
* need to push through a forced SIGSEGV.
*/
while (1) {
- int signr = get_signal_to_deliver(&info, &ka, &scr->pt, NULL);
+ get_signal(&ksig);
/*
* get_signal_to_deliver() may have run a debugger (via notify_parent())
@@ -446,7 +442,7 @@ ia64_do_signal (struct sigscratch *scr,
*/
restart = 0;
- if (signr <= 0)
+ if (ksig.sig <= 0)
break;
if (unlikely(restart)) {
@@ -458,7 +454,7 @@ ia64_do_signal (struct sigscratch *scr,
break;
case ERESTARTSYS:
- if ((ka.sa.sa_flags & SA_RESTART) == 0) {
+ if ((ksig.ka.sa.sa_flags & SA_RESTART) == 0) {
scr->pt.r8 = EINTR;
/* note: scr->pt.r10 is already -1 */
break;
@@ -473,7 +469,7 @@ ia64_do_signal (struct sigscratch *scr,
* Whee! Actually deliver the signal. If the delivery failed, we need to
* continue to iterate in this loop so we can deliver the SIGSEGV...
*/
- if (handle_signal(signr, &ka, &info, scr))
+ if (handle_signal(&ksig, scr))
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 108/202] arm64: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (125 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 076/202] CIFS: Do not consider -ENODATA as stat failure for reads Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 166/202] net: stmmac: Fix a race in EEE enable callback Ben Hutchings
` (75 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 00554fa4f80279db92f82c4f52c8ae72711f173e upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm64/include/asm/signal32.h | 11 ++++---
arch/arm64/kernel/signal.c | 48 +++++++++++++------------------
arch/arm64/kernel/signal32.c | 14 ++++-----
3 files changed, 32 insertions(+), 41 deletions(-)
--- a/arch/arm64/include/asm/signal32.h
+++ b/arch/arm64/include/asm/signal32.h
@@ -24,22 +24,21 @@
extern const compat_ulong_t aarch32_sigret_code[6];
-int compat_setup_frame(int usig, struct k_sigaction *ka, sigset_t *set,
+int compat_setup_frame(int usig, struct ksignal *ksig, sigset_t *set,
struct pt_regs *regs);
-int compat_setup_rt_frame(int usig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs);
+int compat_setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs);
void compat_setup_restart_syscall(struct pt_regs *regs);
#else
-static inline int compat_setup_frame(int usid, struct k_sigaction *ka,
+static inline int compat_setup_frame(int usid, struct ksignal *ksig,
sigset_t *set, struct pt_regs *regs)
{
return -ENOSYS;
}
-static inline int compat_setup_rt_frame(int usig, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *set,
+static inline int compat_setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set,
struct pt_regs *regs)
{
return -ENOSYS;
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -253,13 +253,13 @@ static void setup_return(struct pt_regs
regs->regs[30] = (unsigned long)sigtramp;
}
-static int setup_rt_frame(int usig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
int err = 0;
- frame = get_sigframe(ka, regs);
+ frame = get_sigframe(&ksig->ka, regs);
if (!frame)
return 1;
@@ -269,9 +269,9 @@ static int setup_rt_frame(int usig, stru
err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
err |= setup_sigframe(frame, regs, set);
if (err == 0) {
- setup_return(regs, ka, frame, usig);
- if (ka->sa.sa_flags & SA_SIGINFO) {
- err |= copy_siginfo_to_user(&frame->info, info);
+ setup_return(regs, &ksig->ka, frame, usig);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
regs->regs[1] = (unsigned long)&frame->info;
regs->regs[2] = (unsigned long)&frame->uc;
}
@@ -291,13 +291,12 @@ static void setup_restart_syscall(struct
/*
* OK, we're invoking a handler
*/
-static void handle_signal(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, struct pt_regs *regs)
+static void handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
struct thread_info *thread = current_thread_info();
struct task_struct *tsk = current;
sigset_t *oldset = sigmask_to_save();
- int usig = sig;
+ int usig = ksig->sig;
int ret;
/*
@@ -310,13 +309,12 @@ static void handle_signal(unsigned long
* Set up the stack frame
*/
if (is_compat_task()) {
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = compat_setup_rt_frame(usig, ka, info, oldset,
- regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = compat_setup_rt_frame(usig, ksig, oldset, regs);
else
- ret = compat_setup_frame(usig, ka, oldset, regs);
+ ret = compat_setup_frame(usig, ksig, oldset, regs);
} else {
- ret = setup_rt_frame(usig, ka, info, oldset, regs);
+ ret = setup_rt_frame(usig, ksig, oldset, regs);
}
/*
@@ -324,18 +322,14 @@ static void handle_signal(unsigned long
*/
ret |= !valid_user_regs(®s->user_regs, current);
- if (ret != 0) {
- force_sigsegv(sig, tsk);
- return;
- }
-
/*
* Fast forward the stepping logic so we step into the signal
* handler.
*/
- user_fastforward_single_step(tsk);
+ if (!ret)
+ user_fastforward_single_step(tsk);
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(ret, ksig, 0);
}
/*
@@ -350,10 +344,9 @@ static void handle_signal(unsigned long
static void do_signal(struct pt_regs *regs)
{
unsigned long continue_addr = 0, restart_addr = 0;
- struct k_sigaction ka;
- siginfo_t info;
- int signr, retval = 0;
+ int retval = 0;
int syscall = (int)regs->syscallno;
+ struct ksignal ksig;
/*
* If we were from a system call, check for system call restarting...
@@ -387,8 +380,7 @@ static void do_signal(struct pt_regs *re
* Get the signal to deliver. When running under ptrace, at this point
* the debugger may change all of our registers.
*/
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/*
* Depending on the signal settings, we may need to revert the
* decision to restart the system call, but skip this if a
@@ -398,12 +390,12 @@ static void do_signal(struct pt_regs *re
(retval == -ERESTARTNOHAND ||
retval == -ERESTART_RESTARTBLOCK ||
(retval == -ERESTARTSYS &&
- !(ka.sa.sa_flags & SA_RESTART)))) {
+ !(ksig.ka.sa.sa_flags & SA_RESTART)))) {
regs->regs[0] = -EINTR;
regs->pc = continue_addr;
}
- handle_signal(signr, &ka, &info, regs);
+ handle_signal(&ksig, regs);
return;
}
--- a/arch/arm64/kernel/signal32.c
+++ b/arch/arm64/kernel/signal32.c
@@ -543,18 +543,18 @@ static int compat_setup_sigframe(struct
/*
* 32-bit signal handling routines called from signal.c
*/
-int compat_setup_rt_frame(int usig, struct k_sigaction *ka, siginfo_t *info,
+int compat_setup_rt_frame(int usig, struct ksignal *ksig,
sigset_t *set, struct pt_regs *regs)
{
struct compat_rt_sigframe __user *frame;
int err = 0;
- frame = compat_get_sigframe(ka, regs, sizeof(*frame));
+ frame = compat_get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!frame)
return 1;
- err |= copy_siginfo_to_user32(&frame->info, info);
+ err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
__put_user_error(0, &frame->sig.uc.uc_flags, err);
__put_user_error(0, &frame->sig.uc.uc_link, err);
@@ -564,7 +564,7 @@ int compat_setup_rt_frame(int usig, stru
err |= compat_setup_sigframe(&frame->sig, regs, set);
if (err == 0) {
- compat_setup_return(regs, ka, frame->sig.retcode, frame, usig);
+ compat_setup_return(regs, &ksig->ka, frame->sig.retcode, frame, usig);
regs->regs[1] = (compat_ulong_t)(unsigned long)&frame->info;
regs->regs[2] = (compat_ulong_t)(unsigned long)&frame->sig.uc;
}
@@ -572,13 +572,13 @@ int compat_setup_rt_frame(int usig, stru
return err;
}
-int compat_setup_frame(int usig, struct k_sigaction *ka, sigset_t *set,
+int compat_setup_frame(int usig, struct ksignal *ksig, sigset_t *set,
struct pt_regs *regs)
{
struct compat_sigframe __user *frame;
int err = 0;
- frame = compat_get_sigframe(ka, regs, sizeof(*frame));
+ frame = compat_get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!frame)
return 1;
@@ -587,7 +587,7 @@ int compat_setup_frame(int usig, struct
err |= compat_setup_sigframe(frame, regs, set);
if (err == 0)
- compat_setup_return(regs, ka, frame->retcode, frame, usig);
+ compat_setup_return(regs, &ksig->ka, frame->retcode, frame, usig);
return err;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 111/202] c6x: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 080/202] l2tp: copy 4 more bytes to linear part if necessary Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 072/202] s390/dasd: fix using offset into zero size array error Ben Hutchings
` (200 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Mark Salter, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit e19c025bc9a184ed9c5daf06ffb89abc81d1696a upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Tested-by: Mark Salter <msalter@redhat.com>
Acked-by: Mark Salter <msalter@redhat.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/c6x/kernel/signal.c | 43 +++++++++++++++++-----------------------
1 file changed, 18 insertions(+), 25 deletions(-)
--- a/arch/c6x/kernel/signal.c
+++ b/arch/c6x/kernel/signal.c
@@ -146,21 +146,21 @@ static inline void __user *get_sigframe(
return (void __user *)((sp - framesize) & ~7);
}
-static int setup_rt_frame(int signr, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
unsigned long __user *retcode;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto segv_and_exit;
+ return -EFAULT;
err |= __put_user(&frame->info, &frame->pinfo);
err |= __put_user(&frame->uc, &frame->puc);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
/* Clear all the bits of the ucontext we don't use. */
err |= __clear_user(&frame->uc, offsetof(struct ucontext, uc_mcontext));
@@ -188,7 +188,7 @@ static int setup_rt_frame(int signr, str
#undef COPY
if (err)
- goto segv_and_exit;
+ return -EFAULT;
flush_icache_range((unsigned long) &frame->retcode,
(unsigned long) &frame->retcode + RETCODE_SIZE);
@@ -198,10 +198,10 @@ static int setup_rt_frame(int signr, str
/* Change user context to branch to signal handler */
regs->sp = (unsigned long) frame - 8;
regs->b3 = (unsigned long) retcode;
- regs->pc = (unsigned long) ka->sa.sa_handler;
+ regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
/* Give the signal number to the handler */
- regs->a4 = signr;
+ regs->a4 = ksig->sig;
/*
* For realtime signals we must also set the second and third
@@ -212,10 +212,6 @@ static int setup_rt_frame(int signr, str
regs->a6 = (unsigned long)&frame->uc;
return 0;
-
-segv_and_exit:
- force_sigsegv(signr, current);
- return -EFAULT;
}
static inline void
@@ -245,10 +241,11 @@ do_restart:
/*
* handle the actual delivery of a signal to userspace
*/
-static void handle_signal(int sig,
- siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs *regs, int syscall)
+static void handle_signal(struct ksignal *ksig, struct pt_regs *regs,
+ int syscall)
{
+ int ret;
+
/* Are we from a system call? */
if (syscall) {
/* If so, check system call restarting.. */
@@ -259,7 +256,7 @@ static void handle_signal(int sig,
break;
case -ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->a4 = -EINTR;
break;
}
@@ -272,9 +269,8 @@ static void handle_signal(int sig,
}
/* Set up the stack frame */
- if (setup_rt_frame(sig, ka, info, sigmask_to_save(), regs) < 0)
- return;
- signal_delivered(sig, info, ka, regs, 0);
+ ret = setup_rt_frame(ksig, sigmask_to_save(), regs);
+ signal_setup_done(ret, ksig, 0);
}
/*
@@ -282,18 +278,15 @@ static void handle_signal(int sig,
*/
static void do_signal(struct pt_regs *regs, int syscall)
{
- struct k_sigaction ka;
- siginfo_t info;
- int signr;
+ struct ksignal ksig;
/* we want the common case to go fast, which is why we may in certain
* cases get here from kernel mode */
if (!user_mode(regs))
return;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
- handle_signal(signr, &info, &ka, regs, syscall);
+ if (get_signal(&ksig)) {
+ handle_signal(&ksig, regs, syscall);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 107/202] arc: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (105 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 003/202] ACPI: power: Skip duplicate power resource references in _PRx Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 049/202] arc: do not export symbols in troubleshoot.c Ben Hutchings
` (95 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Richard Weinberger, Vineet Gupta
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit f6dd2a3f1f8d8df640cfa2d60f85c0b818af1593 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Vineet Gupta <vgupta@synopsys.com>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"
- Adjust to apply after "ARC: signal handling robustify"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arc/kernel/signal.c | 39 +++++++++++++++------------------------
1 file changed, 15 insertions(+), 24 deletions(-)
--- a/arch/arc/kernel/signal.c
+++ b/arch/arc/kernel/signal.c
@@ -189,14 +189,13 @@ static inline int map_sig(int sig)
}
static int
-setup_rt_frame(int signo, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
{
struct rt_sigframe __user *sf;
unsigned int magic = 0;
int err = 0;
- sf = get_sigframe(ka, regs, sizeof(struct rt_sigframe));
+ sf = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe));
if (!sf)
return 1;
@@ -215,8 +214,8 @@ setup_rt_frame(int signo, struct k_sigac
* #2: struct siginfo
* #3: struct ucontext (completely populated)
*/
- if (unlikely(ka->sa.sa_flags & SA_SIGINFO)) {
- err |= copy_siginfo_to_user(&sf->info, info);
+ if (unlikely(ksig->ka.sa.sa_flags & SA_SIGINFO)) {
+ err |= copy_siginfo_to_user(&sf->info, &ksig->info);
err |= __put_user(0, &sf->uc.uc_flags);
err |= __put_user(NULL, &sf->uc.uc_link);
err |= __save_altstack(&sf->uc.uc_stack, regs->sp);
@@ -237,19 +236,19 @@ setup_rt_frame(int signo, struct k_sigac
return err;
/* #1 arg to the user Signal handler */
- regs->r0 = map_sig(signo);
+ regs->r0 = map_sig(ksig->sig);
/* setup PC of user space signal handler */
- regs->ret = (unsigned long)ka->sa.sa_handler;
+ regs->ret = (unsigned long)ksig->ka.sa.sa_handler;
/*
* handler returns using sigreturn stub provided already by userpsace
* If not, nuke the process right away
*/
- if(!(ka->sa.sa_flags & SA_RESTORER))
+ if(!(ksig->ka.sa.sa_flags & SA_RESTORER))
return 1;
- regs->blink = (unsigned long)ka->sa.sa_restorer;
+ regs->blink = (unsigned long)ksig->ka.sa.sa_restorer;
/* User Stack for signal handler will be above the frame just carved */
regs->sp = (unsigned long)sf;
@@ -311,38 +310,30 @@ static void arc_restart_syscall(struct k
* OK, we're invoking a handler
*/
static void
-handle_signal(unsigned long sig, struct k_sigaction *ka, siginfo_t *info,
- struct pt_regs *regs)
+handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int failed;
/* Set up the stack frame */
- failed = setup_rt_frame(sig, ka, info, oldset, regs);
+ failed = setup_rt_frame(ksig, oldset, regs);
- if (failed)
- force_sigsegv(sig, current);
- else
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(failed, ksig, 0);
}
void do_signal(struct pt_regs *regs)
{
- struct k_sigaction ka;
- siginfo_t info;
- int signr;
+ struct ksignal ksig;
int restart_scall;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
-
restart_scall = in_syscall(regs) && syscall_restartable(regs);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
if (restart_scall) {
- arc_restart_syscall(&ka, regs);
+ arc_restart_syscall(&ksig.ka, regs);
syscall_wont_restart(regs); /* No more restarts */
}
- handle_signal(signr, &ka, &info, regs);
+ handle_signal(&ksig, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 121/202] mn10300: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (2 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 072/202] s390/dasd: fix using offset into zero size array error Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 084/202] mm: hwpoison: use do_send_sig_info() instead of force_sig() Ben Hutchings
` (198 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 8b166553a9aaf39774bc22f5e93c965584303929 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mn10300/kernel/signal.c | 89 +++++++++++++++---------------------
1 file changed, 36 insertions(+), 53 deletions(-)
--- a/arch/mn10300/kernel/signal.c
+++ b/arch/mn10300/kernel/signal.c
@@ -207,16 +207,16 @@ static inline void __user *get_sigframe(
/*
* set up a normal signal frame
*/
-static int setup_frame(int sig, struct k_sigaction *ka, sigset_t *set,
+static int setup_frame(struct ksignal *ksig, sigset_t *set,
struct pt_regs *regs)
{
struct sigframe __user *frame;
- int rsig;
+ int rsig, sig = ksig->sig;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
rsig = sig;
if (sig < 32 &&
@@ -226,40 +226,40 @@ static int setup_frame(int sig, struct k
if (__put_user(rsig, &frame->sig) < 0 ||
__put_user(&frame->sc, &frame->psc) < 0)
- goto give_sigsegv;
+ return -EFAULT;
if (setup_sigcontext(&frame->sc, &frame->fpuctx, regs, set->sig[0]))
- goto give_sigsegv;
+ return -EFAULT;
if (_NSIG_WORDS > 1) {
if (__copy_to_user(frame->extramask, &set->sig[1],
sizeof(frame->extramask)))
- goto give_sigsegv;
+ return -EFAULT;
}
/* set up to return from userspace. If provided, use a stub already in
* userspace */
- if (ka->sa.sa_flags & SA_RESTORER) {
- if (__put_user(ka->sa.sa_restorer, &frame->pretcode))
- goto give_sigsegv;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ if (__put_user(ksig->ka.sa.sa_restorer, &frame->pretcode))
+ return -EFAULT;
} else {
if (__put_user((void (*)(void))frame->retcode,
&frame->pretcode))
- goto give_sigsegv;
+ return -EFAULT;
/* this is mov $,d0; syscall 0 */
if (__put_user(0x2c, (char *)(frame->retcode + 0)) ||
__put_user(__NR_sigreturn, (char *)(frame->retcode + 1)) ||
__put_user(0x00, (char *)(frame->retcode + 2)) ||
__put_user(0xf0, (char *)(frame->retcode + 3)) ||
__put_user(0xe0, (char *)(frame->retcode + 4)))
- goto give_sigsegv;
+ return -EFAULT;
flush_icache_range((unsigned long) frame->retcode,
(unsigned long) frame->retcode + 5);
}
/* set up registers for signal handler */
regs->sp = (unsigned long) frame;
- regs->pc = (unsigned long) ka->sa.sa_handler;
+ regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
regs->d0 = sig;
regs->d1 = (unsigned long) &frame->sc;
@@ -270,25 +270,21 @@ static int setup_frame(int sig, struct k
#endif
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
/*
* set up a realtime signal frame
*/
-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
- int rsig;
+ int rsig, sig = ksig->sig;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
rsig = sig;
if (sig < 32 &&
@@ -299,8 +295,8 @@ static int setup_rt_frame(int sig, struc
if (__put_user(rsig, &frame->sig) ||
__put_user(&frame->info, &frame->pinfo) ||
__put_user(&frame->uc, &frame->puc) ||
- copy_siginfo_to_user(&frame->info, info))
- goto give_sigsegv;
+ copy_siginfo_to_user(&frame->info, &ksig->info))
+ return -EFAULT;
/* create the ucontext. */
if (__put_user(0, &frame->uc.uc_flags) ||
@@ -309,13 +305,14 @@ static int setup_rt_frame(int sig, struc
setup_sigcontext(&frame->uc.uc_mcontext,
&frame->fpuctx, regs, set->sig[0]) ||
__copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set)))
- goto give_sigsegv;
+ return -EFAULT;
/* set up to return from userspace. If provided, use a stub already in
* userspace */
- if (ka->sa.sa_flags & SA_RESTORER) {
- if (__put_user(ka->sa.sa_restorer, &frame->pretcode))
- goto give_sigsegv;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ if (__put_user(ksig->ka.sa.sa_restorer, &frame->pretcode))
+ return -EFAULT;
+
} else {
if (__put_user((void(*)(void))frame->retcode,
&frame->pretcode) ||
@@ -326,7 +323,7 @@ static int setup_rt_frame(int sig, struc
__put_user(0x00, (char *)(frame->retcode + 2)) ||
__put_user(0xf0, (char *)(frame->retcode + 3)) ||
__put_user(0xe0, (char *)(frame->retcode + 4)))
- goto give_sigsegv;
+ return -EFAULT;
flush_icache_range((u_long) frame->retcode,
(u_long) frame->retcode + 5);
@@ -334,7 +331,7 @@ static int setup_rt_frame(int sig, struc
/* Set up registers for signal handler */
regs->sp = (unsigned long) frame;
- regs->pc = (unsigned long) ka->sa.sa_handler;
+ regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
regs->d0 = sig;
regs->d1 = (long) &frame->info;
@@ -345,10 +342,6 @@ static int setup_rt_frame(int sig, struc
#endif
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
static inline void stepback(struct pt_regs *regs)
@@ -360,9 +353,7 @@ static inline void stepback(struct pt_re
/*
* handle the actual delivery of a signal to userspace
*/
-static int handle_signal(int sig,
- siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs *regs)
+static int handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int ret;
@@ -377,7 +368,7 @@ static int handle_signal(int sig,
break;
case -ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->d0 = -EINTR;
break;
}
@@ -390,15 +381,12 @@ static int handle_signal(int sig,
}
/* Set up the stack frame */
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame(sig, ka, info, oldset, regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = setup_rt_frame(ksig, oldset, regs);
else
- ret = setup_frame(sig, ka, oldset, regs);
- if (ret)
- return ret;
+ ret = setup_frame(ksig, oldset, regs);
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLESTEP));
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
return 0;
}
@@ -407,15 +395,10 @@ static int handle_signal(int sig,
*/
static void do_signal(struct pt_regs *regs)
{
- struct k_sigaction ka;
- siginfo_t info;
- int signr;
-
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
- if (handle_signal(signr, &info, &ka, regs) == 0) {
- }
+ struct ksignal ksig;
+ if (get_signal(&ksig)) {
+ handle_signal(&ksig, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 119/202] mips: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (187 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 015/202] ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 070/202] usb: gadget: udc: net2272: Fix bitwise and boolean operations Ben Hutchings
` (13 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 81d103bf80678669c56658185e758fc3f9845d71 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/include/asm/abi.h | 10 ++---
arch/mips/kernel/signal-common.h | 2 +-
arch/mips/kernel/signal.c | 66 ++++++++++++--------------------
arch/mips/kernel/signal32.c | 39 ++++++++-----------
arch/mips/kernel/signal_n32.c | 20 ++++------
5 files changed, 53 insertions(+), 84 deletions(-)
--- a/arch/mips/include/asm/abi.h
+++ b/arch/mips/include/asm/abi.h
@@ -13,13 +13,11 @@
#include <asm/siginfo.h>
struct mips_abi {
- int (* const setup_frame)(void *sig_return, struct k_sigaction *ka,
- struct pt_regs *regs, int signr,
- sigset_t *set);
+ int (* const setup_frame)(void *sig_return, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *set);
const unsigned long signal_return_offset;
- int (* const setup_rt_frame)(void *sig_return, struct k_sigaction *ka,
- struct pt_regs *regs, int signr,
- sigset_t *set, siginfo_t *info);
+ int (* const setup_rt_frame)(void *sig_return, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *set);
const unsigned long rt_signal_return_offset;
const unsigned long restart;
};
--- a/arch/mips/kernel/signal-common.h
+++ b/arch/mips/kernel/signal-common.h
@@ -22,7 +22,7 @@
/*
* Determine which stack to use..
*/
-extern void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
+extern void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs,
size_t frame_size);
/* Check and clear pending FPU exceptions in saved CSR */
extern int fpcsr_pending(unsigned int __user *fpcsr);
--- a/arch/mips/kernel/signal.c
+++ b/arch/mips/kernel/signal.c
@@ -428,20 +428,20 @@ badframe:
}
#ifdef CONFIG_TRAD_SIGNALS
-static int setup_frame(void *sig_return, struct k_sigaction *ka,
- struct pt_regs *regs, int signr, sigset_t *set)
+static int setup_frame(void *sig_return, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *set)
{
struct sigframe __user *frame;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
- goto give_sigsegv;
+ return -EFAULT;
err |= setup_sigcontext(regs, &frame->sf_sc);
err |= __copy_to_user(&frame->sf_mask, set, sizeof(*set));
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/*
* Arguments to signal handler:
@@ -453,37 +453,32 @@ static int setup_frame(void *sig_return,
* $25 and c0_epc point to the signal handler, $29 points to the
* struct sigframe.
*/
- regs->regs[ 4] = signr;
+ regs->regs[ 4] = ksig->sig;
regs->regs[ 5] = 0;
regs->regs[ 6] = (unsigned long) &frame->sf_sc;
regs->regs[29] = (unsigned long) frame;
regs->regs[31] = (unsigned long) sig_return;
- regs->cp0_epc = regs->regs[25] = (unsigned long) ka->sa.sa_handler;
+ regs->cp0_epc = regs->regs[25] = (unsigned long) ksig->ka.sa.sa_handler;
DEBUGP("SIG deliver (%s:%d): sp=0x%p pc=0x%lx ra=0x%lx\n",
current->comm, current->pid,
frame, regs->cp0_epc, regs->regs[31]);
return 0;
-
-give_sigsegv:
- force_sigsegv(signr, current);
- return -EFAULT;
}
#endif
-static int setup_rt_frame(void *sig_return, struct k_sigaction *ka,
- struct pt_regs *regs, int signr, sigset_t *set,
- siginfo_t *info)
+static int setup_rt_frame(void *sig_return, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *set)
{
struct rt_sigframe __user *frame;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
- goto give_sigsegv;
+ return -EFAULT;
/* Create siginfo. */
- err |= copy_siginfo_to_user(&frame->rs_info, info);
+ err |= copy_siginfo_to_user(&frame->rs_info, &ksig->info);
/* Create the ucontext. */
err |= __put_user(0, &frame->rs_uc.uc_flags);
@@ -493,7 +488,7 @@ static int setup_rt_frame(void *sig_retu
err |= __copy_to_user(&frame->rs_uc.uc_sigmask, set, sizeof(*set));
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/*
* Arguments to signal handler:
@@ -505,22 +500,18 @@ static int setup_rt_frame(void *sig_retu
* $25 and c0_epc point to the signal handler, $29 points to
* the struct rt_sigframe.
*/
- regs->regs[ 4] = signr;
+ regs->regs[ 4] = ksig->sig;
regs->regs[ 5] = (unsigned long) &frame->rs_info;
regs->regs[ 6] = (unsigned long) &frame->rs_uc;
regs->regs[29] = (unsigned long) frame;
regs->regs[31] = (unsigned long) sig_return;
- regs->cp0_epc = regs->regs[25] = (unsigned long) ka->sa.sa_handler;
+ regs->cp0_epc = regs->regs[25] = (unsigned long) ksig->ka.sa.sa_handler;
DEBUGP("SIG deliver (%s:%d): sp=0x%p pc=0x%lx ra=0x%lx\n",
current->comm, current->pid,
frame, regs->cp0_epc, regs->regs[31]);
return 0;
-
-give_sigsegv:
- force_sigsegv(signr, current);
- return -EFAULT;
}
struct mips_abi mips_abi = {
@@ -534,8 +525,7 @@ struct mips_abi mips_abi = {
.restart = __NR_restart_syscall
};
-static void handle_signal(unsigned long sig, siginfo_t *info,
- struct k_sigaction *ka, struct pt_regs *regs)
+static void handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int ret;
@@ -557,7 +547,7 @@ static void handle_signal(unsigned long
regs->regs[2] = EINTR;
break;
case ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
regs->regs[2] = EINTR;
break;
}
@@ -571,29 +561,23 @@ static void handle_signal(unsigned long
regs->regs[0] = 0; /* Don't deal with this again. */
}
- if (sig_uses_siginfo(ka))
+ if (sig_uses_siginfo(&ksig->ka))
ret = abi->setup_rt_frame(vdso + abi->rt_signal_return_offset,
- ka, regs, sig, oldset, info);
+ ksig, regs, oldset);
else
- ret = abi->setup_frame(vdso + abi->signal_return_offset,
- ka, regs, sig, oldset);
-
- if (ret)
- return;
+ ret = abi->setup_frame(vdso + abi->signal_return_offset, ksig,
+ regs, oldset);
- signal_delivered(sig, info, ka, regs, 0);
+ signal_setup_done(ret, ksig, 0);
}
static void do_signal(struct pt_regs *regs)
{
- struct k_sigaction ka;
- siginfo_t info;
- int signr;
+ struct ksignal ksig;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Whee! Actually deliver the signal. */
- handle_signal(signr, &info, &ka, regs);
+ handle_signal(&ksig, regs);
return;
}
--- a/arch/mips/kernel/signal32.c
+++ b/arch/mips/kernel/signal32.c
@@ -488,21 +488,21 @@ badframe:
force_sig(SIGSEGV, current);
}
-static int setup_frame_32(void *sig_return, struct k_sigaction *ka,
- struct pt_regs *regs, int signr, sigset_t *set)
+static int setup_frame_32(void *sig_return, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *set)
{
struct sigframe32 __user *frame;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
- goto give_sigsegv;
+ return -EFAULT;
err |= setup_sigcontext32(regs, &frame->sf_sc);
err |= __copy_conv_sigset_to_user(&frame->sf_mask, set);
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/*
* Arguments to signal handler:
@@ -514,37 +514,32 @@ static int setup_frame_32(void *sig_retu
* $25 and c0_epc point to the signal handler, $29 points to the
* struct sigframe.
*/
- regs->regs[ 4] = signr;
+ regs->regs[ 4] = ksig->sig;
regs->regs[ 5] = 0;
regs->regs[ 6] = (unsigned long) &frame->sf_sc;
regs->regs[29] = (unsigned long) frame;
regs->regs[31] = (unsigned long) sig_return;
- regs->cp0_epc = regs->regs[25] = (unsigned long) ka->sa.sa_handler;
+ regs->cp0_epc = regs->regs[25] = (unsigned long) ksig->ka.sa.sa_handler;
DEBUGP("SIG deliver (%s:%d): sp=0x%p pc=0x%lx ra=0x%lx\n",
current->comm, current->pid,
frame, regs->cp0_epc, regs->regs[31]);
return 0;
-
-give_sigsegv:
- force_sigsegv(signr, current);
- return -EFAULT;
}
-static int setup_rt_frame_32(void *sig_return, struct k_sigaction *ka,
- struct pt_regs *regs, int signr, sigset_t *set,
- siginfo_t *info)
+static int setup_rt_frame_32(void *sig_return, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *set)
{
struct rt_sigframe32 __user *frame;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
- goto give_sigsegv;
+ return -EFAULT;
/* Convert (siginfo_t -> compat_siginfo_t) and copy to user. */
- err |= copy_siginfo_to_user32(&frame->rs_info, info);
+ err |= copy_siginfo_to_user32(&frame->rs_info, &ksig->info);
/* Create the ucontext. */
err |= __put_user(0, &frame->rs_uc.uc_flags);
@@ -554,7 +549,7 @@ static int setup_rt_frame_32(void *sig_r
err |= __copy_conv_sigset_to_user(&frame->rs_uc.uc_sigmask, set);
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/*
* Arguments to signal handler:
@@ -566,22 +561,18 @@ static int setup_rt_frame_32(void *sig_r
* $25 and c0_epc point to the signal handler, $29 points to
* the struct rt_sigframe32.
*/
- regs->regs[ 4] = signr;
+ regs->regs[ 4] = ksig->sig;
regs->regs[ 5] = (unsigned long) &frame->rs_info;
regs->regs[ 6] = (unsigned long) &frame->rs_uc;
regs->regs[29] = (unsigned long) frame;
regs->regs[31] = (unsigned long) sig_return;
- regs->cp0_epc = regs->regs[25] = (unsigned long) ka->sa.sa_handler;
+ regs->cp0_epc = regs->regs[25] = (unsigned long) ksig->ka.sa.sa_handler;
DEBUGP("SIG deliver (%s:%d): sp=0x%p pc=0x%lx ra=0x%lx\n",
current->comm, current->pid,
frame, regs->cp0_epc, regs->regs[31]);
return 0;
-
-give_sigsegv:
- force_sigsegv(signr, current);
- return -EFAULT;
}
/*
--- a/arch/mips/kernel/signal_n32.c
+++ b/arch/mips/kernel/signal_n32.c
@@ -102,18 +102,18 @@ badframe:
force_sig(SIGSEGV, current);
}
-static int setup_rt_frame_n32(void *sig_return, struct k_sigaction *ka,
- struct pt_regs *regs, int signr, sigset_t *set, siginfo_t *info)
+static int setup_rt_frame_n32(void *sig_return, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *set)
{
struct rt_sigframe_n32 __user *frame;
int err = 0;
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
- goto give_sigsegv;
+ return -EFAULT;
/* Create siginfo. */
- err |= copy_siginfo_to_user32(&frame->rs_info, info);
+ err |= copy_siginfo_to_user32(&frame->rs_info, &ksig->info);
/* Create the ucontext. */
err |= __put_user(0, &frame->rs_uc.uc_flags);
@@ -123,7 +123,7 @@ static int setup_rt_frame_n32(void *sig_
err |= __copy_conv_sigset_to_user(&frame->rs_uc.uc_sigmask, set);
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/*
* Arguments to signal handler:
@@ -135,22 +135,18 @@ static int setup_rt_frame_n32(void *sig_
* $25 and c0_epc point to the signal handler, $29 points to
* the struct rt_sigframe.
*/
- regs->regs[ 4] = signr;
+ regs->regs[ 4] = ksig->sig;
regs->regs[ 5] = (unsigned long) &frame->rs_info;
regs->regs[ 6] = (unsigned long) &frame->rs_uc;
regs->regs[29] = (unsigned long) frame;
regs->regs[31] = (unsigned long) sig_return;
- regs->cp0_epc = regs->regs[25] = (unsigned long) ka->sa.sa_handler;
+ regs->cp0_epc = regs->regs[25] = (unsigned long) ksig->ka.sa.sa_handler;
DEBUGP("SIG deliver (%s:%d): sp=0x%p pc=0x%lx ra=0x%lx\n",
current->comm, current->pid,
frame, regs->cp0_epc, regs->regs[31]);
return 0;
-
-give_sigsegv:
- force_sigsegv(signr, current);
- return -EFAULT;
}
struct mips_abi mips_abi_n32 = {
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 118/202] microblaze: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (77 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 192/202] brcmfmac: assure SSID length from firmware is limited Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 058/202] tty: Handle problem if line discipline does not have receive_buf Ben Hutchings
` (123 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 9c53c7ec14a5738ae3117d7d71b7abf630526c9f upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/microblaze/kernel/signal.c | 48 ++++++++++++---------------------
1 file changed, 17 insertions(+), 31 deletions(-)
--- a/arch/microblaze/kernel/signal.c
+++ b/arch/microblaze/kernel/signal.c
@@ -156,11 +156,11 @@ get_sigframe(struct k_sigaction *ka, str
return (void __user *)((sp - frame_size) & -8UL);
}
-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
- int err = 0;
+ int err = 0, sig = ksig->sig;
int signal;
unsigned long address = 0;
#ifdef CONFIG_MMU
@@ -168,10 +168,10 @@ static int setup_rt_frame(int sig, struc
pte_t *ptep;
#endif
- frame = get_sigframe(ka, regs, sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
signal = current_thread_info()->exec_domain
&& current_thread_info()->exec_domain->signal_invmap
@@ -179,8 +179,8 @@ static int setup_rt_frame(int sig, struc
? current_thread_info()->exec_domain->signal_invmap[sig]
: sig;
- if (info)
- err |= copy_siginfo_to_user(&frame->info, info);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
/* Create the ucontext. */
err |= __put_user(0, &frame->uc.uc_flags);
@@ -227,7 +227,7 @@ static int setup_rt_frame(int sig, struc
flush_dcache_range(address, address + 8);
#endif
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up registers for signal handler */
regs->r1 = (unsigned long) frame;
@@ -237,7 +237,7 @@ static int setup_rt_frame(int sig, struc
regs->r6 = (unsigned long) &frame->info; /* arg 1: siginfo */
regs->r7 = (unsigned long) &frame->uc; /* arg2: ucontext */
/* Offset to handle microblaze rtid r14, 0 */
- regs->pc = (unsigned long)ka->sa.sa_handler;
+ regs->pc = (unsigned long)ksig->ka.sa.sa_handler;
set_fs(USER_DS);
@@ -247,10 +247,6 @@ static int setup_rt_frame(int sig, struc
#endif
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
/* Handle restarting system calls */
@@ -283,23 +279,15 @@ do_restart:
*/
static void
-handle_signal(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, struct pt_regs *regs)
+handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int ret;
/* Set up the stack frame */
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame(sig, ka, info, oldset, regs);
- else
- ret = setup_rt_frame(sig, ka, NULL, oldset, regs);
-
- if (ret)
- return;
+ ret = setup_rt_frame(ksig, oldset, regs);
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLESTEP));
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
}
/*
@@ -313,21 +301,19 @@ handle_signal(unsigned long sig, struct
*/
static void do_signal(struct pt_regs *regs, int in_syscall)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
+
#ifdef DEBUG_SIG
pr_info("do signal: %p %d\n", regs, in_syscall);
pr_info("do signal2: %lx %lx %ld [%lx]\n", regs->pc, regs->r1,
regs->r12, current_thread_info()->flags);
#endif
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Whee! Actually deliver the signal. */
if (in_syscall)
- handle_restart(regs, &ka, 1);
- handle_signal(signr, &ka, &info, regs);
+ handle_restart(regs, &ksig.ka, 1);
+ handle_signal(&ksig, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 123/202] powerpc: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (30 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 002/202] batman-adv: Force mac header to start of data on xmit Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 051/202] ARC: mm: do_page_fault fixes #1: relinquish mmap_sem if signal arrives while handle_mm_fault Ben Hutchings
` (170 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 129b69df9c9074750245fca8aa92df5cc1a86ef4 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
This inverts also the return codes of setup_*frame() to follow the
kernel convention.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/kernel/signal.c | 31 ++++++++++------------------
arch/powerpc/kernel/signal.h | 14 +++++--------
arch/powerpc/kernel/signal_32.c | 36 +++++++++++++++------------------
arch/powerpc/kernel/signal_64.c | 28 ++++++++++++-------------
4 files changed, 45 insertions(+), 64 deletions(-)
--- a/arch/powerpc/kernel/signal.c
+++ b/arch/powerpc/kernel/signal.c
@@ -105,25 +105,23 @@ static void check_syscall_restart(struct
}
}
-static int do_signal(struct pt_regs *regs)
+static void do_signal(struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
int ret;
int is32 = is_32bit_task();
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
+ get_signal(&ksig);
/* Is there any syscall restart business here ? */
- check_syscall_restart(regs, &ka, signr > 0);
+ check_syscall_restart(regs, &ksig.ka, ksig.sig > 0);
- if (signr <= 0) {
+ if (ksig.sig <= 0) {
/* No signal to deliver -- put the saved sigmask back */
restore_saved_sigmask();
regs->trap = 0;
- return 0; /* no signals delivered */
+ return; /* no signals delivered */
}
#ifndef CONFIG_PPC_ADV_DEBUG_REGS
@@ -140,23 +138,16 @@ static int do_signal(struct pt_regs *reg
thread_change_pc(current, regs);
if (is32) {
- if (ka.sa.sa_flags & SA_SIGINFO)
- ret = handle_rt_signal32(signr, &ka, &info, oldset,
- regs);
+ if (ksig.ka.sa.sa_flags & SA_SIGINFO)
+ ret = handle_rt_signal32(&ksig, oldset, regs);
else
- ret = handle_signal32(signr, &ka, &info, oldset,
- regs);
+ ret = handle_signal32(&ksig, oldset, regs);
} else {
- ret = handle_rt_signal64(signr, &ka, &info, oldset, regs);
+ ret = handle_rt_signal64(&ksig, oldset, regs);
}
regs->trap = 0;
- if (ret) {
- signal_delivered(signr, &info, &ka, regs,
- test_thread_flag(TIF_SINGLESTEP));
- }
-
- return ret;
+ signal_setup_done(ret, &ksig, test_thread_flag(TIF_SINGLESTEP));
}
void do_notify_resume(struct pt_regs *regs, unsigned long thread_info_flags)
--- a/arch/powerpc/kernel/signal.h
+++ b/arch/powerpc/kernel/signal.h
@@ -12,15 +12,13 @@
extern void do_notify_resume(struct pt_regs *regs, unsigned long thread_info_flags);
-extern void __user * get_sigframe(struct k_sigaction *ka, unsigned long sp,
+extern void __user *get_sigframe(struct ksignal *ksig, unsigned long sp,
size_t frame_size, int is_32);
-extern int handle_signal32(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *oldset,
+extern int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
struct pt_regs *regs);
-extern int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *oldset,
+extern int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
struct pt_regs *regs);
extern unsigned long copy_fpr_to_user(void __user *to,
@@ -44,14 +42,12 @@ extern unsigned long copy_transact_vsx_f
#ifdef CONFIG_PPC64
-extern int handle_rt_signal64(int signr, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *set,
+extern int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
struct pt_regs *regs);
#else /* CONFIG_PPC64 */
-static inline int handle_rt_signal64(int signr, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *set,
+static inline int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
struct pt_regs *regs)
{
return -EFAULT;
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -1001,9 +1001,8 @@ int copy_siginfo_from_user32(siginfo_t *
* Set up a signal frame for a "real-time" signal handler
* (one which gets siginfo).
*/
-int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *oldset,
- struct pt_regs *regs)
+int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *rt_sf;
struct mcontext __user *frame;
@@ -1015,13 +1014,13 @@ int handle_rt_signal32(unsigned long sig
/* Set up Signal Frame */
/* Put a Real Time Context onto stack */
- rt_sf = get_sigframe(ka, get_tm_stackpointer(regs), sizeof(*rt_sf), 1);
+ rt_sf = get_sigframe(&ksig->ka, get_tm_stackpointer(regs), sizeof(*rt_sf), 1);
addr = rt_sf;
if (unlikely(rt_sf == NULL))
goto badframe;
/* Put the siginfo & fill in most of the ucontext */
- if (copy_siginfo_to_user(&rt_sf->info, info)
+ if (copy_siginfo_to_user(&rt_sf->info, &ksig->info)
|| __put_user(0, &rt_sf->uc.uc_flags)
|| __save_altstack(&rt_sf->uc.uc_stack, regs->gpr[1])
|| __put_user(to_user_ptr(&rt_sf->uc.uc_mcontext),
@@ -1071,15 +1070,15 @@ int handle_rt_signal32(unsigned long sig
/* Fill registers for signal handler */
regs->gpr[1] = newsp;
- regs->gpr[3] = sig;
+ regs->gpr[3] = ksig->sig;
regs->gpr[4] = (unsigned long) &rt_sf->info;
regs->gpr[5] = (unsigned long) &rt_sf->uc;
regs->gpr[6] = (unsigned long) rt_sf;
- regs->nip = (unsigned long) ka->sa.sa_handler;
+ regs->nip = (unsigned long) ksig->ka.sa.sa_handler;
/* enter the signal handler in native-endian mode */
regs->msr &= ~MSR_LE;
regs->msr |= (MSR_KERNEL & MSR_LE);
- return 1;
+ return 0;
badframe:
if (show_unhandled_signals)
@@ -1089,8 +1088,7 @@ badframe:
current->comm, current->pid,
addr, regs->nip, regs->link);
- force_sigsegv(sig, current);
- return 0;
+ return 1;
}
static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int sig)
@@ -1437,8 +1435,7 @@ int sys_debug_setcontext(struct ucontext
/*
* OK, we're invoking a handler
*/
-int handle_signal32(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *oldset, struct pt_regs *regs)
+int handle_signal32(struct ksignal *ksig, sigset_t *oldset, struct pt_regs *regs)
{
struct sigcontext __user *sc;
struct sigframe __user *frame;
@@ -1448,7 +1445,7 @@ int handle_signal32(unsigned long sig, s
unsigned long tramp;
/* Set up Signal Frame */
- frame = get_sigframe(ka, get_tm_stackpointer(regs), sizeof(*frame), 1);
+ frame = get_sigframe(&ksig->ka, get_tm_stackpointer(regs), sizeof(*frame), 1);
if (unlikely(frame == NULL))
goto badframe;
sc = (struct sigcontext __user *) &frame->sctx;
@@ -1456,7 +1453,7 @@ int handle_signal32(unsigned long sig, s
#if _NSIG != 64
#error "Please adjust handle_signal()"
#endif
- if (__put_user(to_user_ptr(ka->sa.sa_handler), &sc->handler)
+ if (__put_user(to_user_ptr(ksig->ka.sa.sa_handler), &sc->handler)
|| __put_user(oldset->sig[0], &sc->oldmask)
#ifdef CONFIG_PPC64
|| __put_user((oldset->sig[0] >> 32), &sc->_unused[3])
@@ -1464,7 +1461,7 @@ int handle_signal32(unsigned long sig, s
|| __put_user(oldset->sig[1], &sc->_unused[3])
#endif
|| __put_user(to_user_ptr(&frame->mctx), &sc->regs)
- || __put_user(sig, &sc->signal))
+ || __put_user(ksig->sig, &sc->signal))
goto badframe;
if (vdso32_sigtramp && current->mm->context.vdso_base) {
@@ -1499,12 +1496,12 @@ int handle_signal32(unsigned long sig, s
goto badframe;
regs->gpr[1] = newsp;
- regs->gpr[3] = sig;
+ regs->gpr[3] = ksig->sig;
regs->gpr[4] = (unsigned long) sc;
- regs->nip = (unsigned long) ka->sa.sa_handler;
+ regs->nip = (unsigned long) (unsigned long)ksig->ka.sa.sa_handler;
/* enter the signal handler in big-endian mode */
regs->msr &= ~MSR_LE;
- return 1;
+ return 0;
badframe:
if (show_unhandled_signals)
@@ -1514,8 +1511,7 @@ badframe:
current->comm, current->pid,
frame, regs->nip, regs->link);
- force_sigsegv(sig, current);
- return 0;
+ return 1;
}
/*
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -743,20 +743,19 @@ badframe:
return 0;
}
-int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
unsigned long newsp = 0;
long err = 0;
- frame = get_sigframe(ka, get_tm_stackpointer(regs), sizeof(*frame), 0);
+ frame = get_sigframe(&ksig->ka, get_tm_stackpointer(regs), sizeof(*frame), 0);
if (unlikely(frame == NULL))
goto badframe;
err |= __put_user(&frame->info, &frame->pinfo);
err |= __put_user(&frame->uc, &frame->puc);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
if (err)
goto badframe;
@@ -771,15 +770,15 @@ int handle_rt_signal64(int signr, struct
err |= __put_user(&frame->uc_transact, &frame->uc.uc_link);
err |= setup_tm_sigcontexts(&frame->uc.uc_mcontext,
&frame->uc_transact.uc_mcontext,
- regs, signr,
+ regs, ksig->sig,
NULL,
- (unsigned long)ka->sa.sa_handler);
+ (unsigned long)ksig->ka.sa.sa_handler);
} else
#endif
{
err |= __put_user(0, &frame->uc.uc_link);
- err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, signr,
- NULL, (unsigned long)ka->sa.sa_handler,
+ err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, ksig->sig,
+ NULL, (unsigned long)ksig->ka.sa.sa_handler,
1);
}
err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
@@ -805,7 +804,7 @@ int handle_rt_signal64(int signr, struct
/* Set up "regs" so we "return" to the signal handler. */
if (is_elf2_task()) {
- regs->nip = (unsigned long) ka->sa.sa_handler;
+ regs->nip = (unsigned long) ksig->ka.sa.sa_handler;
regs->gpr[12] = regs->nip;
} else {
/* Handler is *really* a pointer to the function descriptor for
@@ -814,7 +813,7 @@ int handle_rt_signal64(int signr, struct
* entry is the TOC value we need to use.
*/
func_descr_t __user *funct_desc_ptr =
- (func_descr_t __user *) ka->sa.sa_handler;
+ (func_descr_t __user *) ksig->ka.sa.sa_handler;
err |= get_user(regs->nip, &funct_desc_ptr->entry);
err |= get_user(regs->gpr[2], &funct_desc_ptr->toc);
@@ -824,9 +823,9 @@ int handle_rt_signal64(int signr, struct
regs->msr &= ~MSR_LE;
regs->msr |= (MSR_KERNEL & MSR_LE);
regs->gpr[1] = newsp;
- regs->gpr[3] = signr;
+ regs->gpr[3] = ksig->sig;
regs->result = 0;
- if (ka->sa.sa_flags & SA_SIGINFO) {
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
err |= get_user(regs->gpr[4], (unsigned long __user *)&frame->pinfo);
err |= get_user(regs->gpr[5], (unsigned long __user *)&frame->puc);
regs->gpr[6] = (unsigned long) frame;
@@ -836,7 +835,7 @@ int handle_rt_signal64(int signr, struct
if (err)
goto badframe;
- return 1;
+ return 0;
badframe:
if (show_unhandled_signals)
@@ -844,6 +843,5 @@ badframe:
current->comm, current->pid, "setup_rt_frame",
(long)frame, regs->nip, regs->link);
- force_sigsegv(signr, current);
- return 0;
+ return 1;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 124/202] powerpc: Use sigsp()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (133 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 097/202] s390/qeth: cancel close_dev work before removing a card Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 198/202] brcmfmac: add subtype check for event handling in data path Ben Hutchings
` (67 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 059ade650ae57cfd371af690fdba887af04aded8 upstream.
Use sigsp() instead of the open coded variant.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/kernel/signal.c | 10 ++--------
arch/powerpc/kernel/signal_32.c | 4 ++--
arch/powerpc/kernel/signal_64.c | 2 +-
3 files changed, 5 insertions(+), 11 deletions(-)
--- a/arch/powerpc/kernel/signal.c
+++ b/arch/powerpc/kernel/signal.c
@@ -31,20 +31,14 @@ int show_unhandled_signals = 1;
/*
* Allocate space for the signal frame
*/
-void __user * get_sigframe(struct k_sigaction *ka, unsigned long sp,
+void __user *get_sigframe(struct ksignal *ksig, unsigned long sp,
size_t frame_size, int is_32)
{
unsigned long oldsp, newsp;
/* Default to using normal stack */
oldsp = get_clean_sp(sp, is_32);
-
- /* Check for alt stack */
- if ((ka->sa.sa_flags & SA_ONSTACK) &&
- current->sas_ss_size && !on_sig_stack(oldsp))
- oldsp = (current->sas_ss_sp + current->sas_ss_size);
-
- /* Get aligned frame */
+ oldsp = sigsp(oldsp, ksig);
newsp = (oldsp - frame_size) & ~0xFUL;
/* Check access */
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -1014,7 +1014,7 @@ int handle_rt_signal32(struct ksignal *k
/* Set up Signal Frame */
/* Put a Real Time Context onto stack */
- rt_sf = get_sigframe(&ksig->ka, get_tm_stackpointer(regs), sizeof(*rt_sf), 1);
+ rt_sf = get_sigframe(ksig, get_tm_stackpointer(regs), sizeof(*rt_sf), 1);
addr = rt_sf;
if (unlikely(rt_sf == NULL))
goto badframe;
@@ -1445,7 +1445,7 @@ int handle_signal32(struct ksignal *ksig
unsigned long tramp;
/* Set up Signal Frame */
- frame = get_sigframe(&ksig->ka, get_tm_stackpointer(regs), sizeof(*frame), 1);
+ frame = get_sigframe(ksig, get_tm_stackpointer(regs), sizeof(*frame), 1);
if (unlikely(frame == NULL))
goto badframe;
sc = (struct sigcontext __user *) &frame->sctx;
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -749,7 +749,7 @@ int handle_rt_signal64(struct ksignal *k
unsigned long newsp = 0;
long err = 0;
- frame = get_sigframe(&ksig->ka, get_tm_stackpointer(regs), sizeof(*frame), 0);
+ frame = get_sigframe(ksig, get_tm_stackpointer(regs), sizeof(*frame), 0);
if (unlikely(frame == NULL))
goto badframe;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 120/202] mips: Use sigsp()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (91 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 117/202] m68k: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 074/202] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled Ben Hutchings
` (109 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 7c4f563507c33ca97dcfbd62dba1e9232575d499 upstream.
Use sigsp() instead of the open coded variant.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/signal.c | 10 ++++------
arch/mips/kernel/signal32.c | 4 ++--
arch/mips/kernel/signal_n32.c | 2 +-
3 files changed, 7 insertions(+), 9 deletions(-)
--- a/arch/mips/kernel/signal.c
+++ b/arch/mips/kernel/signal.c
@@ -280,7 +280,7 @@ int restore_sigcontext(struct pt_regs *r
return err;
}
-void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
+void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs,
size_t frame_size)
{
unsigned long sp;
@@ -295,9 +295,7 @@ void __user *get_sigframe(struct k_sigac
*/
sp -= 32;
- /* This is the X/Open sanctioned signal stack switching. */
- if ((ka->sa.sa_flags & SA_ONSTACK) && (sas_ss_flags (sp) == 0))
- sp = current->sas_ss_sp + current->sas_ss_size;
+ sp = sigsp(sp, ksig);
return (void __user *)((sp - frame_size) & (ICACHE_REFILLS_WORKAROUND_WAR ? ~(cpu_icache_line_size()-1) : ALMASK));
}
@@ -434,7 +432,7 @@ static int setup_frame(void *sig_return,
struct sigframe __user *frame;
int err = 0;
- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
+ frame = get_sigframe(ksig, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
return -EFAULT;
@@ -473,7 +471,7 @@ static int setup_rt_frame(void *sig_retu
struct rt_sigframe __user *frame;
int err = 0;
- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
+ frame = get_sigframe(ksig, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
return -EFAULT;
--- a/arch/mips/kernel/signal32.c
+++ b/arch/mips/kernel/signal32.c
@@ -494,7 +494,7 @@ static int setup_frame_32(void *sig_retu
struct sigframe32 __user *frame;
int err = 0;
- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
+ frame = get_sigframe(ksig, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
return -EFAULT;
@@ -534,7 +534,7 @@ static int setup_rt_frame_32(void *sig_r
struct rt_sigframe32 __user *frame;
int err = 0;
- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
+ frame = get_sigframe(ksig, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
return -EFAULT;
--- a/arch/mips/kernel/signal_n32.c
+++ b/arch/mips/kernel/signal_n32.c
@@ -108,7 +108,7 @@ static int setup_rt_frame_n32(void *sig_
struct rt_sigframe_n32 __user *frame;
int err = 0;
- frame = get_sigframe(&ksig->ka, regs, sizeof(*frame));
+ frame = get_sigframe(ksig, regs, sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
return -EFAULT;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 035/202] s390/mm: always force a load of the primary ASCE on context switch
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (6 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 087/202] dmaengine: bcm2835: add additional defines for DMA-registers Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 114/202] hexagon: Use get_signal() signal_setup_done() Ben Hutchings
` (194 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Heiko Carstens, Martin Schwidefsky
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
commit a38662084c8bdb829ff486468c7ea801c13fcc34 upstream.
The ASCE of an mm_struct can be modified after a task has been created,
e.g. via crst_table_downgrade for a compat process. The active_mm logic
to avoid the switch_mm call if the next task is a kernel thread can
lead to a situation where switch_mm is called where 'prev == next' is
true but 'prev->context.asce == next->context.asce' is not.
This can lead to a situation where a CPU uses the outdated ASCE to run
a task. The result can be a crash, endless loops and really subtle
problem due to TLBs being created with an invalid ASCE.
Fixes: 53e857f30867 ("s390/mm,tlb: race of lazy TLB flush vs. recreation")
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
[bwh: Backported to 3.16:
- Keep the updates of mm_context_t::attach_count conditional on prev != next
- Keep the update of mm_context_t::cpu_attach_mask conditional on both
MACHINE_HAS_TLB_LC and prev != next
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/s390/include/asm/mmu_context.h
+++ b/arch/s390/include/asm/mmu_context.h
@@ -69,17 +69,17 @@ static inline void switch_mm(struct mm_s
{
int cpu = smp_processor_id();
- if (prev == next)
- return;
if (MACHINE_HAS_TLB_LC)
cpumask_set_cpu(cpu, &next->context.cpu_attach_mask);
/* Clear old ASCE by loading the kernel ASCE. */
__ctl_load(S390_lowcore.kernel_asce, 1, 1);
__ctl_load(S390_lowcore.kernel_asce, 7, 7);
- atomic_inc(&next->context.attach_count);
- atomic_dec(&prev->context.attach_count);
- if (MACHINE_HAS_TLB_LC)
- cpumask_clear_cpu(cpu, &prev->context.cpu_attach_mask);
+ if (prev != next) {
+ atomic_inc(&next->context.attach_count);
+ atomic_dec(&prev->context.attach_count);
+ if (MACHINE_HAS_TLB_LC)
+ cpumask_clear_cpu(cpu, &prev->context.cpu_attach_mask);
+ }
S390_lowcore.user_asce = next->context.asce_bits | __pa(next->pgd);
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 125/202] powerpc/signal: Properly handle return value from uprobe_deny_signal()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (93 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 074/202] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 157/202] netfilter: nf_tables: nft_compat: fix refcount leak on xt module Ben Hutchings
` (107 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Michael Ellerman, Naveen N. Rao, Anton Blanchard
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
commit 46725b17f1c6c815a41429259b3f070c01e71bc1 upstream.
When a uprobe is installed on an instruction that we currently do not
emulate, we copy the instruction into a xol buffer and single step
that instruction. If that instruction generates a fault, we abort the
single stepping before invoking the signal handler. Once the signal
handler is done, the uprobe trap is hit again since the instruction is
retried and the process repeats.
We use uprobe_deny_signal() to detect if the xol instruction triggered
a signal. If so, we clear TIF_SIGPENDING and set TIF_UPROBE so that the
signal is not handled until after the single stepping is aborted. In
this case, uprobe_deny_signal() returns true and get_signal() ends up
returning 0. However, in do_signal(), we are not looking at the return
value, but depending on ksig.sig for further action, all with an
uninitialized ksig that is not touched in this scenario. Fix the same
by initializing ksig.sig to 0.
Fixes: 129b69df9c90 ("powerpc: Use get_signal() signal_setup_done()")
Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/kernel/signal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/kernel/signal.c
+++ b/arch/powerpc/kernel/signal.c
@@ -102,7 +102,7 @@ static void check_syscall_restart(struct
static void do_signal(struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
- struct ksignal ksig;
+ struct ksignal ksig = { .sig = 0 };
int ret;
int is32 = is_32bit_task();
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 126/202] s390: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (156 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 138/202] signal: Better detection of synchronous signals Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 136/202] Rip out get_signal_to_deliver() Ben Hutchings
` (44 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 067bf2d4d3a7aedc5982f6a58716054e5004b801 upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/s390/kernel/compat_signal.c | 79 ++++++++++++++------------------
arch/s390/kernel/entry.h | 4 +-
arch/s390/kernel/signal.c | 78 +++++++++++++------------------
3 files changed, 69 insertions(+), 92 deletions(-)
--- a/arch/s390/kernel/compat_signal.c
+++ b/arch/s390/kernel/compat_signal.c
@@ -320,38 +320,39 @@ static inline int map_signal(int sig)
return sig;
}
-static int setup_frame32(int sig, struct k_sigaction *ka,
- sigset_t *set, struct pt_regs * regs)
+static int setup_frame32(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
- sigframe32 __user *frame = get_sigframe(ka, regs, sizeof(sigframe32));
+ int sig = ksig->sig;
+ sigframe32 __user *frame = get_sigframe(&ksig->ka, regs, sizeof(sigframe32));
if (frame == (void __user *) -1UL)
- goto give_sigsegv;
+ return -EFAULT;
if (__copy_to_user(&frame->sc.oldmask, &set->sig, _SIGMASK_COPY_SIZE32))
- goto give_sigsegv;
+ return -EFAULT;
if (save_sigregs32(regs, &frame->sregs))
- goto give_sigsegv;
+ return -EFAULT;
if (save_sigregs_gprs_high(regs, frame->gprs_high))
- goto give_sigsegv;
+ return -EFAULT;
if (__put_user((unsigned long) &frame->sregs, &frame->sc.sregs))
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
- regs->gprs[14] = (__u64 __force) ka->sa.sa_restorer | PSW32_ADDR_AMODE;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ regs->gprs[14] = (__u64 __force) ksig->ka.sa.sa_restorer | PSW32_ADDR_AMODE;
} else {
regs->gprs[14] = (__u64 __force) frame->retcode | PSW32_ADDR_AMODE;
if (__put_user(S390_SYSCALL_OPCODE | __NR_sigreturn,
(u16 __force __user *)(frame->retcode)))
- goto give_sigsegv;
+ return -EFAULT;
}
/* Set up backchain. */
if (__put_user(regs->gprs[15], (unsigned int __user *) frame))
- goto give_sigsegv;
+ return -EFAULT;
/* Set up registers for signal handler */
regs->gprs[15] = (__force __u64) frame;
@@ -359,7 +360,7 @@ static int setup_frame32(int sig, struct
regs->psw.mask = PSW_MASK_BA |
(PSW_USER_BITS & PSW_MASK_ASC) |
(regs->psw.mask & ~PSW_MASK_ASC);
- regs->psw.addr = (__force __u64) ka->sa.sa_handler;
+ regs->psw.addr = (__force __u64) ksig->ka.sa.sa_handler;
regs->gprs[2] = map_signal(sig);
regs->gprs[3] = (__force __u64) &frame->sc;
@@ -376,25 +377,21 @@ static int setup_frame32(int sig, struct
/* Place signal number on stack to allow backtrace from handler. */
if (__put_user(regs->gprs[2], (int __force __user *) &frame->signo))
- goto give_sigsegv;
+ return -EFAULT;
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
-static int setup_rt_frame32(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs * regs)
+static int setup_rt_frame32(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
int err = 0;
- rt_sigframe32 __user *frame = get_sigframe(ka, regs, sizeof(rt_sigframe32));
+ rt_sigframe32 __user *frame = get_sigframe(&ksig->ka, regs, sizeof(rt_sigframe32));
if (frame == (void __user *) -1UL)
- goto give_sigsegv;
+ return -EFAULT;
- if (copy_siginfo_to_user32(&frame->info, info))
- goto give_sigsegv;
+ if (copy_siginfo_to_user32(&frame->info, &ksig->info))
+ return -EFAULT;
/* Create the ucontext. */
err |= __put_user(UC_EXTENDED, &frame->uc.uc_flags);
@@ -404,22 +401,22 @@ static int setup_rt_frame32(int sig, str
err |= save_sigregs_gprs_high(regs, frame->gprs_high);
err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
- regs->gprs[14] = (__u64 __force) ka->sa.sa_restorer | PSW32_ADDR_AMODE;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ regs->gprs[14] = (__u64 __force) ksig->ka.sa.sa_restorer | PSW32_ADDR_AMODE;
} else {
regs->gprs[14] = (__u64 __force) frame->retcode | PSW32_ADDR_AMODE;
if (__put_user(S390_SYSCALL_OPCODE | __NR_rt_sigreturn,
(u16 __force __user *)(frame->retcode)))
- goto give_sigsegv;
+ return -EFAULT;
}
/* Set up backchain. */
if (__put_user(regs->gprs[15], (unsigned int __force __user *) frame))
- goto give_sigsegv;
+ return -EFAULT;
/* Set up registers for signal handler */
regs->gprs[15] = (__force __u64) frame;
@@ -427,36 +424,30 @@ static int setup_rt_frame32(int sig, str
regs->psw.mask = PSW_MASK_BA |
(PSW_USER_BITS & PSW_MASK_ASC) |
(regs->psw.mask & ~PSW_MASK_ASC);
- regs->psw.addr = (__u64 __force) ka->sa.sa_handler;
+ regs->psw.addr = (__u64 __force) ksig->ka.sa.sa_handler;
- regs->gprs[2] = map_signal(sig);
+ regs->gprs[2] = map_signal(ksig->sig);
regs->gprs[3] = (__force __u64) &frame->info;
regs->gprs[4] = (__force __u64) &frame->uc;
regs->gprs[5] = task_thread_info(current)->last_break;
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
/*
* OK, we're invoking a handler
*/
-void handle_signal32(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *oldset, struct pt_regs *regs)
+void handle_signal32(struct ksignal *ksig, sigset_t *oldset,
+ struct pt_regs *regs)
{
int ret;
/* Set up the stack frame */
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame32(sig, ka, info, oldset, regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = setup_rt_frame32(ksig, oldset, regs);
else
- ret = setup_frame32(sig, ka, oldset, regs);
- if (ret)
- return;
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLE_STEP));
+ ret = setup_frame32(ksig, oldset, regs);
+
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLE_STEP));
}
--- a/arch/s390/kernel/entry.h
+++ b/arch/s390/kernel/entry.h
@@ -48,8 +48,8 @@ void do_per_trap(struct pt_regs *regs);
void syscall_trace(struct pt_regs *regs, int entryexit);
void kernel_stack_overflow(struct pt_regs * regs);
void do_signal(struct pt_regs *regs);
-void handle_signal32(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *oldset, struct pt_regs *regs);
+void handle_signal32(struct ksignal *ksig, sigset_t *oldset,
+ struct pt_regs *regs);
void do_notify_resume(struct pt_regs *regs);
void __init init_IRQ(void);
--- a/arch/s390/kernel/signal.c
+++ b/arch/s390/kernel/signal.c
@@ -200,15 +200,15 @@ static int setup_frame(int sig, struct k
frame = get_sigframe(ka, regs, sizeof(sigframe));
if (frame == (void __user *) -1UL)
- goto give_sigsegv;
+ return -EFAULT;
if (__copy_to_user(&frame->sc.oldmask, &set->sig, _SIGMASK_COPY_SIZE))
- goto give_sigsegv;
+ return -EFAULT;
if (save_sigregs(regs, &frame->sregs))
- goto give_sigsegv;
+ return -EFAULT;
if (__put_user(&frame->sregs, &frame->sc.sregs))
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
@@ -220,12 +220,12 @@ static int setup_frame(int sig, struct k
frame->retcode | PSW_ADDR_AMODE;
if (__put_user(S390_SYSCALL_OPCODE | __NR_sigreturn,
(u16 __user *)(frame->retcode)))
- goto give_sigsegv;
+ return -EFAULT;
}
/* Set up backchain. */
if (__put_user(regs->gprs[15], (addr_t __user *) frame))
- goto give_sigsegv;
+ return -EFAULT;
/* Set up registers for signal handler */
regs->gprs[15] = (unsigned long) frame;
@@ -250,27 +250,23 @@ static int setup_frame(int sig, struct k
/* Place signal number on stack to allow backtrace from handler. */
if (__put_user(regs->gprs[2], (int __user *) &frame->signo))
- goto give_sigsegv;
+ return -EFAULT;
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs * regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
int err = 0;
rt_sigframe __user *frame;
- frame = get_sigframe(ka, regs, sizeof(rt_sigframe));
+ frame = get_sigframe(&ksig->ka, regs, sizeof(rt_sigframe));
if (frame == (void __user *) -1UL)
- goto give_sigsegv;
+ return -EFAULT;
- if (copy_siginfo_to_user(&frame->info, info))
- goto give_sigsegv;
+ if (copy_siginfo_to_user(&frame->info, &ksig->info))
+ return -EFAULT;
/* Create the ucontext. */
err |= __put_user(0, &frame->uc.uc_flags);
@@ -279,24 +275,24 @@ static int setup_rt_frame(int sig, struc
err |= save_sigregs(regs, &frame->uc.uc_mcontext);
err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
regs->gprs[14] = (unsigned long)
- ka->sa.sa_restorer | PSW_ADDR_AMODE;
+ ksig->ka.sa.sa_restorer | PSW_ADDR_AMODE;
} else {
regs->gprs[14] = (unsigned long)
frame->retcode | PSW_ADDR_AMODE;
if (__put_user(S390_SYSCALL_OPCODE | __NR_rt_sigreturn,
(u16 __user *)(frame->retcode)))
- goto give_sigsegv;
+ return -EFAULT;
}
/* Set up backchain. */
if (__put_user(regs->gprs[15], (addr_t __user *) frame))
- goto give_sigsegv;
+ return -EFAULT;
/* Set up registers for signal handler */
regs->gprs[15] = (unsigned long) frame;
@@ -304,34 +300,27 @@ static int setup_rt_frame(int sig, struc
regs->psw.mask = PSW_MASK_EA | PSW_MASK_BA |
(PSW_USER_BITS & PSW_MASK_ASC) |
(regs->psw.mask & ~PSW_MASK_ASC);
- regs->psw.addr = (unsigned long) ka->sa.sa_handler | PSW_ADDR_AMODE;
+ regs->psw.addr = (unsigned long) ksig->ka.sa.sa_handler | PSW_ADDR_AMODE;
- regs->gprs[2] = map_signal(sig);
+ regs->gprs[2] = map_signal(ksig->sig);
regs->gprs[3] = (unsigned long) &frame->info;
regs->gprs[4] = (unsigned long) &frame->uc;
regs->gprs[5] = task_thread_info(current)->last_break;
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
-static void handle_signal(unsigned long sig, struct k_sigaction *ka,
- siginfo_t *info, sigset_t *oldset,
- struct pt_regs *regs)
+static void handle_signal(struct ksignal *ksig, sigset_t *oldset,
+ struct pt_regs *regs)
{
int ret;
/* Set up the stack frame */
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame(sig, ka, info, oldset, regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = setup_rt_frame(ksig, oldset, regs);
else
- ret = setup_frame(sig, ka, oldset, regs);
- if (ret)
- return;
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLE_STEP));
+ ret = setup_frame(ksig->sig, &ksig->ka, oldset, regs);
+
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLE_STEP));
}
/*
@@ -345,9 +334,7 @@ static void handle_signal(unsigned long
*/
void do_signal(struct pt_regs *regs)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
sigset_t *oldset = sigmask_to_save();
/*
@@ -357,9 +344,8 @@ void do_signal(struct pt_regs *regs)
*/
current_thread_info()->system_call =
test_pt_regs_flag(regs, PIF_SYSCALL) ? regs->int_code : 0;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
+ if (get_signal(&ksig)) {
/* Whee! Actually deliver the signal. */
if (current_thread_info()->system_call) {
regs->int_code = current_thread_info()->system_call;
@@ -370,7 +356,7 @@ void do_signal(struct pt_regs *regs)
regs->gprs[2] = -EINTR;
break;
case -ERESTARTSYS:
- if (!(ka.sa.sa_flags & SA_RESTART)) {
+ if (!(ksig.ka.sa.sa_flags & SA_RESTART)) {
regs->gprs[2] = -EINTR;
break;
}
@@ -387,9 +373,9 @@ void do_signal(struct pt_regs *regs)
clear_pt_regs_flag(regs, PIF_SYSCALL);
if (is_compat_task())
- handle_signal32(signr, &ka, &info, oldset, regs);
+ handle_signal32(&ksig, oldset, regs);
else
- handle_signal(signr, &ka, &info, oldset, regs);
+ handle_signal(&ksig, oldset, regs);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 043/202] fuse: handle zero sized retrieve correctly
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (102 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 193/202] brcmfmac: consolidate ifp lookup in driver core Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 001/202] batman-adv: Avoid WARN on net_device without parent in netns Ben Hutchings
` (98 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, syzbot+c1e36d30ee3416289cc0, Miklos Szeredi
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
commit 97e1532ef81acb31c30f9e75bf00306c33a77812 upstream.
Dereferencing req->page_descs[0] will Oops if req->max_pages is zero.
Reported-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
Tested-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
Fixes: b2430d7567a3 ("fuse: add per-page descriptor <offset, length> to fuse_req")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/fuse/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1652,7 +1652,6 @@ static int fuse_retrieve(struct fuse_con
req->in.h.nodeid = outarg->nodeid;
req->in.numargs = 2;
req->in.argpages = 1;
- req->page_descs[0].offset = offset;
req->end = fuse_retrieve_end;
index = outarg->offset >> PAGE_CACHE_SHIFT;
@@ -1667,6 +1666,7 @@ static int fuse_retrieve(struct fuse_con
this_num = min_t(unsigned, num, PAGE_CACHE_SIZE - offset);
req->pages[req->num_pages] = page;
+ req->page_descs[req->num_pages].offset = offset;
req->page_descs[req->num_pages].length = this_num;
req->num_pages++;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 134/202] tracehook_signal_handler: Remove sig, info, ka and regs
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (25 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 199/202] binfmt_elf: Fix missing SIGKILL for empty PIE Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 017/202] packet: validate address length Ben Hutchings
` (175 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit df5601f9c3d831b4c478b004a1ed90a18643adbe upstream.
These parameters are nowhere used, so we can remove them.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/tracehook.h | 8 +-------
kernel/signal.c | 2 +-
2 files changed, 2 insertions(+), 8 deletions(-)
--- a/include/linux/tracehook.h
+++ b/include/linux/tracehook.h
@@ -133,10 +133,6 @@ static inline void tracehook_report_sysc
/**
* tracehook_signal_handler - signal handler setup is complete
- * @sig: number of signal being delivered
- * @info: siginfo_t of signal being delivered
- * @ka: sigaction setting that chose the handler
- * @regs: user register state
* @stepping: nonzero if debugger single-step or block-step in use
*
* Called by the arch code after a signal handler has been set up.
@@ -146,9 +142,7 @@ static inline void tracehook_report_sysc
* Called without locks, shortly before returning to user mode
* (or handling more signals).
*/
-static inline void tracehook_signal_handler(int sig, siginfo_t *info,
- const struct k_sigaction *ka,
- struct pt_regs *regs, int stepping)
+static inline void tracehook_signal_handler(int stepping)
{
if (stepping)
ptrace_notify(SIGTRAP);
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2387,7 +2387,7 @@ void signal_delivered(int sig, siginfo_t
if (!(ka->sa.sa_flags & SA_NODEFER))
sigaddset(&blocked, sig);
set_current_blocked(&blocked);
- tracehook_signal_handler(sig, info, ka, regs, stepping);
+ tracehook_signal_handler(stepping);
}
void signal_setup_done(int failed, struct ksignal *ksig, int stepping)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 130/202] um: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (130 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 006/202] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 095/202] perf test: Fix failure of 'evsel-tp-sched' test on s390 Ben Hutchings
` (70 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 307627eebbb0bc41b21e74d78b932362a6c1b38d upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/um/include/shared/frame_kern.h | 12 +++-----
arch/um/kernel/signal.c | 27 +++++++----------
arch/x86/um/signal.c | 45 ++++++++++++++---------------
3 files changed, 36 insertions(+), 48 deletions(-)
--- a/arch/um/include/shared/frame_kern.h
+++ b/arch/um/include/shared/frame_kern.h
@@ -6,14 +6,10 @@
#ifndef __FRAME_KERN_H_
#define __FRAME_KERN_H_
-extern int setup_signal_stack_sc(unsigned long stack_top, int sig,
- struct k_sigaction *ka,
- struct pt_regs *regs,
- sigset_t *mask);
-extern int setup_signal_stack_si(unsigned long stack_top, int sig,
- struct k_sigaction *ka,
- struct pt_regs *regs, struct siginfo *info,
- sigset_t *mask);
+extern int setup_signal_stack_sc(unsigned long stack_top, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *mask);
+extern int setup_signal_stack_si(unsigned long stack_top, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *mask);
#endif
--- a/arch/um/kernel/signal.c
+++ b/arch/um/kernel/signal.c
@@ -18,8 +18,7 @@ EXPORT_SYMBOL(unblock_signals);
/*
* OK, we're invoking a handler
*/
-static void handle_signal(struct pt_regs *regs, unsigned long signr,
- struct k_sigaction *ka, struct siginfo *info)
+static void handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int singlestep = 0;
@@ -39,7 +38,7 @@ static void handle_signal(struct pt_regs
break;
case -ERESTARTSYS:
- if (!(ka->sa.sa_flags & SA_RESTART)) {
+ if (!(ksig->ka.sa.sa_flags & SA_RESTART)) {
PT_REGS_SYSCALL_RET(regs) = -EINTR;
break;
}
@@ -52,32 +51,28 @@ static void handle_signal(struct pt_regs
}
sp = PT_REGS_SP(regs);
- if ((ka->sa.sa_flags & SA_ONSTACK) && (sas_ss_flags(sp) == 0))
+ if ((ksig->ka.sa.sa_flags & SA_ONSTACK) && (sas_ss_flags(sp) == 0))
sp = current->sas_ss_sp + current->sas_ss_size;
#ifdef CONFIG_ARCH_HAS_SC_SIGNALS
- if (!(ka->sa.sa_flags & SA_SIGINFO))
- err = setup_signal_stack_sc(sp, signr, ka, regs, oldset);
+ if (!(ksig->ka.sa.sa_flags & SA_SIGINFO))
+ err = setup_signal_stack_sc(sp, ksig, regs, oldset);
else
#endif
- err = setup_signal_stack_si(sp, signr, ka, regs, info, oldset);
+ err = setup_signal_stack_si(sp, ksig, regs, oldset);
- if (err)
- force_sigsegv(signr, current);
- else
- signal_delivered(signr, info, ka, regs, singlestep);
+ signal_setup_done(err, ksig, singlestep);
}
static int kern_do_signal(struct pt_regs *regs)
{
- struct k_sigaction ka_copy;
- struct siginfo info;
- int sig, handled_sig = 0;
+ struct ksignal ksig;
+ int handled_sig = 0;
- while ((sig = get_signal_to_deliver(&info, &ka_copy, regs, NULL)) > 0) {
+ while (get_signal(&ksig)) {
handled_sig = 1;
/* Whee! Actually deliver the signal. */
- handle_signal(regs, sig, &ka_copy, &info);
+ handle_signal(&ksig, regs);
}
/* Did we come from a system call? */
--- a/arch/x86/um/signal.c
+++ b/arch/x86/um/signal.c
@@ -370,13 +370,12 @@ struct rt_sigframe
char retcode[8];
};
-int setup_signal_stack_sc(unsigned long stack_top, int sig,
- struct k_sigaction *ka, struct pt_regs *regs,
- sigset_t *mask)
+int setup_signal_stack_sc(unsigned long stack_top, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *mask)
{
struct sigframe __user *frame;
void __user *restorer;
- int err = 0;
+ int err = 0, sig = ksig->sig;
/* This is the same calculation as i386 - ((sp + 4) & 15) == 0 */
stack_top = ((stack_top + 4) & -16UL) - 4;
@@ -385,8 +384,8 @@ int setup_signal_stack_sc(unsigned long
return 1;
restorer = frame->retcode;
- if (ka->sa.sa_flags & SA_RESTORER)
- restorer = ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER)
+ restorer = ksig->ka.sa.sa_restorer;
err |= __put_user(restorer, &frame->pretcode);
err |= __put_user(sig, &frame->sig);
@@ -410,20 +409,19 @@ int setup_signal_stack_sc(unsigned long
return err;
PT_REGS_SP(regs) = (unsigned long) frame;
- PT_REGS_IP(regs) = (unsigned long) ka->sa.sa_handler;
+ PT_REGS_IP(regs) = (unsigned long) ksig->ka.sa.sa_handler;
PT_REGS_AX(regs) = (unsigned long) sig;
PT_REGS_DX(regs) = (unsigned long) 0;
PT_REGS_CX(regs) = (unsigned long) 0;
return 0;
}
-int setup_signal_stack_si(unsigned long stack_top, int sig,
- struct k_sigaction *ka, struct pt_regs *regs,
- siginfo_t *info, sigset_t *mask)
+int setup_signal_stack_si(unsigned long stack_top, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *mask)
{
struct rt_sigframe __user *frame;
void __user *restorer;
- int err = 0;
+ int err = 0, sig = ksig->sig;
stack_top &= -8UL;
frame = (struct rt_sigframe __user *) stack_top - 1;
@@ -431,14 +429,14 @@ int setup_signal_stack_si(unsigned long
return 1;
restorer = frame->retcode;
- if (ka->sa.sa_flags & SA_RESTORER)
- restorer = ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER)
+ restorer = ksig->ka.sa.sa_restorer;
err |= __put_user(restorer, &frame->pretcode);
err |= __put_user(sig, &frame->sig);
err |= __put_user(&frame->info, &frame->pinfo);
err |= __put_user(&frame->uc, &frame->puc);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
err |= copy_ucontext_to_user(&frame->uc, &frame->fpstate, mask,
PT_REGS_SP(regs));
@@ -457,7 +455,7 @@ int setup_signal_stack_si(unsigned long
return err;
PT_REGS_SP(regs) = (unsigned long) frame;
- PT_REGS_IP(regs) = (unsigned long) ka->sa.sa_handler;
+ PT_REGS_IP(regs) = (unsigned long) ksig->ka.sa.sa_handler;
PT_REGS_AX(regs) = (unsigned long) sig;
PT_REGS_DX(regs) = (unsigned long) &frame->info;
PT_REGS_CX(regs) = (unsigned long) &frame->uc;
@@ -502,12 +500,11 @@ struct rt_sigframe
struct _fpstate fpstate;
};
-int setup_signal_stack_si(unsigned long stack_top, int sig,
- struct k_sigaction *ka, struct pt_regs * regs,
- siginfo_t *info, sigset_t *set)
+int setup_signal_stack_si(unsigned long stack_top, struct ksignal *ksig,
+ struct pt_regs *regs, sigset_t *set)
{
struct rt_sigframe __user *frame;
- int err = 0;
+ int err = 0, sig = ksig->sig;
frame = (struct rt_sigframe __user *)
round_down(stack_top - sizeof(struct rt_sigframe), 16);
@@ -517,8 +514,8 @@ int setup_signal_stack_si(unsigned long
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
goto out;
- if (ka->sa.sa_flags & SA_SIGINFO) {
- err |= copy_siginfo_to_user(&frame->info, info);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
if (err)
goto out;
}
@@ -543,8 +540,8 @@ int setup_signal_stack_si(unsigned long
* already in userspace.
*/
/* x86-64 should always use SA_RESTORER. */
- if (ka->sa.sa_flags & SA_RESTORER)
- err |= __put_user(ka->sa.sa_restorer, &frame->pretcode);
+ if (ksig->ka.sa.sa_flags & SA_RESTORER)
+ err |= __put_user(ksig->ka.sa.sa_restorer, &frame->pretcode);
else
/* could use a vstub here */
return err;
@@ -570,7 +567,7 @@ int setup_signal_stack_si(unsigned long
*/
PT_REGS_SI(regs) = (unsigned long) &frame->info;
PT_REGS_DX(regs) = (unsigned long) &frame->uc;
- PT_REGS_IP(regs) = (unsigned long) ka->sa.sa_handler;
+ PT_REGS_IP(regs) = (unsigned long) ksig->ka.sa.sa_handler;
out:
return err;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 046/202] media: v4l: ioctl: Validate num_planes for debug messages
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (108 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 045/202] fuse: decrement NR_WRITEBACK_TEMP on the right page Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 171/202] KEYS: always initialize keyring_index_key::desc_len Ben Hutchings
` (92 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Hans Verkuil, Mauro Carvalho Chehab,
Thierry Reding, Sakari Ailus
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 7fe9f01c04c2673bd6662c35b664f0f91888b96f upstream.
The num_planes field in struct v4l2_pix_format_mplane is used in a loop
before validating it. As the use is printing a debug message in this case,
just cap the value to the maximum allowed.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/v4l2-core/v4l2-ioctl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -247,6 +247,7 @@ static void v4l_print_format(const void
const struct v4l2_sliced_vbi_format *sliced;
const struct v4l2_window *win;
const struct v4l2_sdr_format *sdr;
+ u32 planes;
unsigned i;
pr_cont("type=%s", prt_names(p->type, v4l2_type_names));
@@ -279,7 +280,8 @@ static void v4l_print_format(const void
(mp->pixelformat >> 24) & 0xff,
prt_names(mp->field, v4l2_field_names),
mp->colorspace, mp->num_planes);
- for (i = 0; i < mp->num_planes; i++)
+ planes = min_t(u32, mp->num_planes, VIDEO_MAX_PLANES);
+ for (i = 0; i < planes; i++)
printk(KERN_DEBUG "plane %u: bytesperline=%u sizeimage=%u\n", i,
mp->plane_fmt[i].bytesperline,
mp->plane_fmt[i].sizeimage);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 135/202] Clean up signal_delivered()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (17 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 042/202] net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031 Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 055/202] vt: always call notifier with the console lock held Ben Hutchings
` (183 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 10b1c7ac8bfed429cf3dcb0225482c8dc1485d8e upstream.
- Pass a ksignal struct to it
- Remove unused regs parameter
- Make it private as it's nowhere outside of kernel/signal.c is used
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/signal.h | 1 -
kernel/signal.c | 21 ++++++++-------------
2 files changed, 8 insertions(+), 14 deletions(-)
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -281,7 +281,6 @@ struct ksignal {
extern int get_signal_to_deliver(siginfo_t *info, struct k_sigaction *return_ka, struct pt_regs *regs, void *cookie);
extern void signal_setup_done(int failed, struct ksignal *ksig, int stepping);
-extern void signal_delivered(int sig, siginfo_t *info, struct k_sigaction *ka, struct pt_regs *regs, int stepping);
extern void exit_signals(struct task_struct *tsk);
extern void kernel_sigaction(int, __sighandler_t);
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2361,19 +2361,15 @@ relock:
/**
* signal_delivered -
- * @sig: number of signal being delivered
- * @info: siginfo_t of signal being delivered
- * @ka: sigaction setting that chose the handler
- * @regs: user register state
+ * @ksig: kernel signal struct
* @stepping: nonzero if debugger single-step or block-step in use
*
* This function should be called when a signal has successfully been
- * delivered. It updates the blocked signals accordingly (@ka->sa.sa_mask
+ * delivered. It updates the blocked signals accordingly (@ksig->ka.sa.sa_mask
* is always blocked, and the signal itself is blocked unless %SA_NODEFER
- * is set in @ka->sa.sa_flags. Tracing is notified.
+ * is set in @ksig->ka.sa.sa_flags. Tracing is notified.
*/
-void signal_delivered(int sig, siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs *regs, int stepping)
+static void signal_delivered(struct ksignal *ksig, int stepping)
{
sigset_t blocked;
@@ -2383,9 +2379,9 @@ void signal_delivered(int sig, siginfo_t
simply clear the restore sigmask flag. */
clear_restore_sigmask();
- sigorsets(&blocked, ¤t->blocked, &ka->sa.sa_mask);
- if (!(ka->sa.sa_flags & SA_NODEFER))
- sigaddset(&blocked, sig);
+ sigorsets(&blocked, ¤t->blocked, &ksig->ka.sa.sa_mask);
+ if (!(ksig->ka.sa.sa_flags & SA_NODEFER))
+ sigaddset(&blocked, ksig->sig);
set_current_blocked(&blocked);
tracehook_signal_handler(stepping);
}
@@ -2395,8 +2391,7 @@ void signal_setup_done(int failed, struc
if (failed)
force_sigsegv(ksig->sig, current);
else
- signal_delivered(ksig->sig, &ksig->info, &ksig->ka,
- signal_pt_regs(), stepping);
+ signal_delivered(ksig, stepping);
}
/*
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 132/202] unicore32: Fix build error
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (127 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 166/202] net: stmmac: Fix a race in EEE enable callback Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 153/202] perf/core: Fix impossible ring-buffer sizes warning Ben Hutchings
` (73 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Richard Weinberger, Guenter Roeck, Linus Torvalds
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit ca98565a6182a960cd857d7546267a0775154eb8 upstream.
unicore32 builds fail with
arch/unicore32/kernel/signal.c: In function ‘setup_frame’:
arch/unicore32/kernel/signal.c:257: error: ‘usig’ undeclared (first use in this function)
arch/unicore32/kernel/signal.c:279: error: ‘usig’ undeclared (first use in this function)
arch/unicore32/kernel/signal.c: In function ‘handle_signal’:
arch/unicore32/kernel/signal.c:306: warning: unused variable ‘tsk’
arch/unicore32/kernel/signal.c: In function ‘do_signal’:
arch/unicore32/kernel/signal.c:376: error: implicit declaration of function ‘get_signsl’
make[1]: *** [arch/unicore32/kernel/signal.o] Error 1
make: *** [arch/unicore32/kernel/signal.o] Error 2
Bisect points to commit 649671c90eaf ("unicore32: Use get_signal()
signal_setup_done()").
This code never even compiled. Reverting the patch does not work, since
previously used functions no longer exist, so try to fix it up. Compile
tested only.
Fixes: 649671c90eaf ("unicore32: Use get_signal() signal_setup_done()")
Cc: Richard Weinberger <richard@nod.at>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/unicore32/kernel/signal.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/arch/unicore32/kernel/signal.c
+++ b/arch/unicore32/kernel/signal.c
@@ -254,7 +254,8 @@ static int setup_frame(struct ksignal *k
err |= setup_sigframe(frame, regs, set);
if (err == 0)
- err |= setup_return(regs, &ksig->ka, frame->retcode, frame, usig);
+ err |= setup_return(regs, &ksig->ka, frame->retcode, frame,
+ ksig->sig);
return err;
}
@@ -276,7 +277,8 @@ static int setup_rt_frame(struct ksignal
err |= __save_altstack(&frame->sig.uc.uc_stack, regs->UCreg_sp);
err |= setup_sigframe(&frame->sig, regs, set);
if (err == 0)
- err |= setup_return(regs, &ksig->ka, frame->sig.retcode, frame, usig);
+ err |= setup_return(regs, &ksig->ka, frame->sig.retcode, frame,
+ ksig->sig);
if (err == 0) {
/*
@@ -303,7 +305,6 @@ static void handle_signal(struct ksignal
int syscall)
{
struct thread_info *thread = current_thread_info();
- struct task_struct *tsk = current;
sigset_t *oldset = sigmask_to_save();
int usig = ksig->sig;
int ret;
@@ -373,7 +374,7 @@ static void do_signal(struct pt_regs *re
if (!user_mode(regs))
return;
- if (get_signsl(&ksig)) {
+ if (get_signal(&ksig)) {
handle_signal(&ksig, regs, syscall);
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 128/202] sh: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (145 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 047/202] Yama: Check for pid death before checking ancestry Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 009/202] USB: serial: simple: add Motorola Tetra TPG2200 device id Ben Hutchings
` (55 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit b46e848768acc458ba94feef162b8901592dbb9c upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/kernel/signal_32.c | 79 +++++++++++++++---------------------
arch/sh/kernel/signal_64.c | 82 +++++++++++++++-----------------------
2 files changed, 64 insertions(+), 97 deletions(-)
--- a/arch/sh/kernel/signal_32.c
+++ b/arch/sh/kernel/signal_32.c
@@ -262,17 +262,17 @@ get_sigframe(struct k_sigaction *ka, uns
extern void __kernel_sigreturn(void);
extern void __kernel_rt_sigreturn(void);
-static int setup_frame(int sig, struct k_sigaction *ka,
- sigset_t *set, struct pt_regs *regs)
+static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct sigframe __user *frame;
- int err = 0;
+ int err = 0, sig = ksig->sig;
int signal;
- frame = get_sigframe(ka, regs->regs[15], sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
signal = current_thread_info()->exec_domain
&& current_thread_info()->exec_domain->signal_invmap
@@ -288,8 +288,8 @@ static int setup_frame(int sig, struct k
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
- regs->pr = (unsigned long) ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ regs->pr = (unsigned long) ksig->ka.sa.sa_restorer;
#ifdef CONFIG_VSYSCALL
} else if (likely(current->mm->context.vdso)) {
regs->pr = VDSO_SYM(&__kernel_sigreturn);
@@ -309,7 +309,7 @@ static int setup_frame(int sig, struct k
}
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up registers for signal handler */
regs->regs[15] = (unsigned long) frame;
@@ -319,15 +319,15 @@ static int setup_frame(int sig, struct k
if (current->personality & FDPIC_FUNCPTRS) {
struct fdpic_func_descriptor __user *funcptr =
- (struct fdpic_func_descriptor __user *)ka->sa.sa_handler;
+ (struct fdpic_func_descriptor __user *)ksig->ka.sa.sa_handler;
err |= __get_user(regs->pc, &funcptr->text);
err |= __get_user(regs->regs[12], &funcptr->GOT);
} else
- regs->pc = (unsigned long)ka->sa.sa_handler;
+ regs->pc = (unsigned long)ksig->ka.sa.sa_handler;
if (err)
- goto give_sigsegv;
+ return -EFAULT;
set_fs(USER_DS);
@@ -335,23 +335,19 @@ static int setup_frame(int sig, struct k
current->comm, task_pid_nr(current), frame, regs->pc, regs->pr);
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
- int err = 0;
+ int err = 0, sig = ksig->sig;
int signal;
- frame = get_sigframe(ka, regs->regs[15], sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
signal = current_thread_info()->exec_domain
&& current_thread_info()->exec_domain->signal_invmap
@@ -359,7 +355,7 @@ static int setup_rt_frame(int sig, struc
? current_thread_info()->exec_domain->signal_invmap[sig]
: sig;
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
/* Create the ucontext. */
err |= __put_user(0, &frame->uc.uc_flags);
@@ -371,8 +367,8 @@ static int setup_rt_frame(int sig, struc
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
- regs->pr = (unsigned long) ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ regs->pr = (unsigned long) ksig->ka.sa.sa_restorer;
#ifdef CONFIG_VSYSCALL
} else if (likely(current->mm->context.vdso)) {
regs->pr = VDSO_SYM(&__kernel_rt_sigreturn);
@@ -392,7 +388,7 @@ static int setup_rt_frame(int sig, struc
}
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up registers for signal handler */
regs->regs[15] = (unsigned long) frame;
@@ -402,15 +398,15 @@ static int setup_rt_frame(int sig, struc
if (current->personality & FDPIC_FUNCPTRS) {
struct fdpic_func_descriptor __user *funcptr =
- (struct fdpic_func_descriptor __user *)ka->sa.sa_handler;
+ (struct fdpic_func_descriptor __user *)ksig->ka.sa.sa_handler;
err |= __get_user(regs->pc, &funcptr->text);
err |= __get_user(regs->regs[12], &funcptr->GOT);
} else
- regs->pc = (unsigned long)ka->sa.sa_handler;
+ regs->pc = (unsigned long)ksig->ka.sa.sa_handler;
if (err)
- goto give_sigsegv;
+ return -EFAULT;
set_fs(USER_DS);
@@ -418,10 +414,6 @@ static int setup_rt_frame(int sig, struc
current->comm, task_pid_nr(current), frame, regs->pc, regs->pr);
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
static inline void
@@ -455,22 +447,18 @@ handle_syscall_restart(unsigned long sav
* OK, we're invoking a handler
*/
static void
-handle_signal(unsigned long sig, struct k_sigaction *ka, siginfo_t *info,
- struct pt_regs *regs, unsigned int save_r0)
+handle_signal(struct ksignal *ksig, struct pt_regs *regs, unsigned int save_r0)
{
sigset_t *oldset = sigmask_to_save();
int ret;
/* Set up the stack frame */
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame(sig, ka, info, oldset, regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = setup_rt_frame(ksig, oldset, regs);
else
- ret = setup_frame(sig, ka, oldset, regs);
+ ret = setup_frame(ksig, oldset, regs);
- if (ret)
- return;
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLESTEP));
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
}
/*
@@ -484,9 +472,7 @@ handle_signal(unsigned long sig, struct
*/
static void do_signal(struct pt_regs *regs, unsigned int save_r0)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
/*
* We want the common case to go fast, which
@@ -497,12 +483,11 @@ static void do_signal(struct pt_regs *re
if (!user_mode(regs))
return;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
- if (signr > 0) {
- handle_syscall_restart(save_r0, regs, &ka.sa);
+ if (get_signal(&ksig)) {
+ handle_syscall_restart(save_r0, regs, &ksig.ka.sa);
/* Whee! Actually deliver the signal. */
- handle_signal(signr, &ka, &info, regs, save_r0);
+ handle_signal(&ksig, regs, save_r0);
return;
}
--- a/arch/sh/kernel/signal_64.c
+++ b/arch/sh/kernel/signal_64.c
@@ -41,8 +41,7 @@
#define DEBUG_SIG 0
static void
-handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs * regs);
+handle_signal(struct ksignal *ksig, struct pt_regs *regs);
static inline void
handle_syscall_restart(struct pt_regs *regs, struct sigaction *sa)
@@ -82,9 +81,7 @@ handle_syscall_restart(struct pt_regs *r
*/
static void do_signal(struct pt_regs *regs)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
/*
* We want the common case to go fast, which
@@ -95,12 +92,11 @@ static void do_signal(struct pt_regs *re
if (!user_mode(regs))
return;
- signr = get_signal_to_deliver(&info, &ka, regs, 0);
- if (signr > 0) {
- handle_syscall_restart(regs, &ka.sa);
+ if (get_signal(&ksig)) {
+ handle_syscall_restart(regs, &ksig.ka.sa);
/* Whee! Actually deliver the signal. */
- handle_signal(signr, &info, &ka, regs);
+ handle_signal(&ksig, regs);
return;
}
@@ -378,17 +374,16 @@ get_sigframe(struct k_sigaction *ka, uns
void sa_default_restorer(void); /* See comments below */
void sa_default_rt_restorer(void); /* See comments below */
-static int setup_frame(int sig, struct k_sigaction *ka,
- sigset_t *set, struct pt_regs *regs)
+static int setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
{
struct sigframe __user *frame;
- int err = 0;
+ int err = 0, sig = ksig->sig;
int signal;
- frame = get_sigframe(ka, regs->regs[REG_SP], sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
signal = current_thread_info()->exec_domain
&& current_thread_info()->exec_domain->signal_invmap
@@ -400,7 +395,7 @@ static int setup_frame(int sig, struct k
/* Give up earlier as i386, in case */
if (err)
- goto give_sigsegv;
+ return -EFAULT;
if (_NSIG_WORDS > 1) {
err |= __copy_to_user(frame->extramask, &set->sig[1],
@@ -408,16 +403,16 @@ static int setup_frame(int sig, struct k
/* Give up earlier as i386, in case */
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
/*
* On SH5 all edited pointers are subject to NEFF
*/
DEREF_REG_PR = neff_sign_extend((unsigned long)
- ka->sa.sa_restorer | 0x1);
+ ksig->ka->sa.sa_restorer | 0x1);
} else {
/*
* Different approach on SH5.
@@ -435,7 +430,7 @@ static int setup_frame(int sig, struct k
if (__copy_to_user(frame->retcode,
(void *)((unsigned long)sa_default_restorer & (~1)), 16) != 0)
- goto give_sigsegv;
+ return -EFAULT;
/* Cohere the trampoline with the I-cache. */
flush_cache_sigtramp(DEREF_REG_PR-1);
@@ -460,7 +455,7 @@ static int setup_frame(int sig, struct k
regs->regs[REG_ARG2] = (unsigned long long)(unsigned long)(signed long)&frame->sc;
regs->regs[REG_ARG3] = (unsigned long long)(unsigned long)(signed long)&frame->sc;
- regs->pc = neff_sign_extend((unsigned long)ka->sa.sa_handler);
+ regs->pc = neff_sign_extend((unsigned long)ksig->ka.sa.sa_handler);
set_fs(USER_DS);
@@ -471,23 +466,19 @@ static int setup_frame(int sig, struct k
DEREF_REG_PR >> 32, DEREF_REG_PR & 0xffffffff);
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
-static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_rt_frame(struct ksignal *kig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe __user *frame;
- int err = 0;
+ int err = 0, sig = ksig->sig;
int signal;
- frame = get_sigframe(ka, regs->regs[REG_SP], sizeof(*frame));
+ frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
- goto give_sigsegv;
+ return -EFAULT;
signal = current_thread_info()->exec_domain
&& current_thread_info()->exec_domain->signal_invmap
@@ -497,11 +488,11 @@ static int setup_rt_frame(int sig, struc
err |= __put_user(&frame->info, &frame->pinfo);
err |= __put_user(&frame->uc, &frame->puc);
- err |= copy_siginfo_to_user(&frame->info, info);
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
/* Give up earlier as i386, in case */
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Create the ucontext. */
err |= __put_user(0, &frame->uc.uc_flags);
@@ -513,16 +504,16 @@ static int setup_rt_frame(int sig, struc
/* Give up earlier as i386, in case */
if (err)
- goto give_sigsegv;
+ return -EFAULT;
/* Set up to return from userspace. If provided, use a stub
already in userspace. */
- if (ka->sa.sa_flags & SA_RESTORER) {
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
/*
* On SH5 all edited pointers are subject to NEFF
*/
DEREF_REG_PR = neff_sign_extend((unsigned long)
- ka->sa.sa_restorer | 0x1);
+ ksig->ka.sa.sa_restorer | 0x1);
} else {
/*
* Different approach on SH5.
@@ -540,7 +531,7 @@ static int setup_rt_frame(int sig, struc
if (__copy_to_user(frame->retcode,
(void *)((unsigned long)sa_default_rt_restorer & (~1)), 16) != 0)
- goto give_sigsegv;
+ return -EFAULT;
/* Cohere the trampoline with the I-cache. */
flush_icache_range(DEREF_REG_PR-1, DEREF_REG_PR-1+15);
@@ -554,7 +545,7 @@ static int setup_rt_frame(int sig, struc
regs->regs[REG_ARG1] = signal; /* Arg for signal handler */
regs->regs[REG_ARG2] = (unsigned long long)(unsigned long)(signed long)&frame->info;
regs->regs[REG_ARG3] = (unsigned long long)(unsigned long)(signed long)&frame->uc.uc_mcontext;
- regs->pc = neff_sign_extend((unsigned long)ka->sa.sa_handler);
+ regs->pc = neff_sign_extend((unsigned long)ksig->ka.sa.sa_handler);
set_fs(USER_DS);
@@ -564,33 +555,24 @@ static int setup_rt_frame(int sig, struc
DEREF_REG_PR >> 32, DEREF_REG_PR & 0xffffffff);
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
/*
* OK, we're invoking a handler
*/
static void
-handle_signal(unsigned long sig, siginfo_t *info, struct k_sigaction *ka,
- struct pt_regs * regs)
+handle_signal(struct ksignal *ksig, struct pt_regs *regs)
{
sigset_t *oldset = sigmask_to_save();
int ret;
/* Set up the stack frame */
- if (ka->sa.sa_flags & SA_SIGINFO)
- ret = setup_rt_frame(sig, ka, info, oldset, regs);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO)
+ ret = setup_rt_frame(ksig, oldset, regs);
else
- ret = setup_frame(sig, ka, oldset, regs);
-
- if (ret)
- return;
+ ret = setup_frame(ksig, oldset, regs);
- signal_delivered(sig, info, ka, regs,
- test_thread_flag(TIF_SINGLESTEP));
+ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
}
asmlinkage void do_notify_resume(struct pt_regs *regs, unsigned long thread_info_flags)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 133/202] xtensa: Use get_signal() signal_setup_done()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (184 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 037/202] x86/kaslr: Fix incorrect i8254 outb() parameters Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 191/202] perf/core: Fix perf_event_open() vs. execve() race Ben Hutchings
` (16 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 5bdb7611eb7987102f3c0fef1220dd64b6fbd9fd upstream.
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16 as dependency of commit 35634ffa1751
"signal: Always notice exiting tasks"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/xtensa/kernel/signal.c | 43 ++++++++++++++-----------------------
1 file changed, 16 insertions(+), 27 deletions(-)
diff --git a/arch/xtensa/kernel/signal.c b/arch/xtensa/kernel/signal.c
index 98b67d5f1514..4612321c73cc 100644
--- a/arch/xtensa/kernel/signal.c
+++ b/arch/xtensa/kernel/signal.c
@@ -331,17 +331,17 @@ gen_return_code(unsigned char *codemem)
}
-static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
- sigset_t *set, struct pt_regs *regs)
+static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
{
struct rt_sigframe *frame;
- int err = 0;
+ int err = 0, sig = ksig->sig;
int signal;
unsigned long sp, ra, tp;
sp = regs->areg[1];
- if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && sas_ss_flags(sp) == 0) {
+ if ((ksig->ka.sa.sa_flags & SA_ONSTACK) != 0 && sas_ss_flags(sp) == 0) {
sp = current->sas_ss_sp + current->sas_ss_size;
}
@@ -351,7 +351,7 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
panic ("Double exception sys_sigreturn\n");
if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) {
- goto give_sigsegv;
+ return -EFAULT;
}
signal = current_thread_info()->exec_domain
@@ -360,8 +360,8 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
? current_thread_info()->exec_domain->signal_invmap[sig]
: sig;
- if (ka->sa.sa_flags & SA_SIGINFO) {
- err |= copy_siginfo_to_user(&frame->info, info);
+ if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
+ err |= copy_siginfo_to_user(&frame->info, &ksig->info);
}
/* Create the user context. */
@@ -372,8 +372,8 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
err |= setup_sigcontext(frame, regs);
err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
- if (ka->sa.sa_flags & SA_RESTORER) {
- ra = (unsigned long)ka->sa.sa_restorer;
+ if (ksig->ka.sa.sa_flags & SA_RESTORER) {
+ ra = (unsigned long)ksig->ka.sa.sa_restorer;
} else {
/* Create sys_rt_sigreturn syscall in stack frame */
@@ -381,7 +381,7 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
err |= gen_return_code(frame->retcode);
if (err) {
- goto give_sigsegv;
+ return -EFAULT;
}
ra = (unsigned long) frame->retcode;
}
@@ -393,7 +393,7 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
/* Set up registers for signal handler; preserve the threadptr */
tp = regs->threadptr;
- start_thread(regs, (unsigned long) ka->sa.sa_handler,
+ start_thread(regs, (unsigned long) ksig->ka.sa.sa_handler,
(unsigned long) frame);
/* Set up a stack frame for a call4
@@ -416,10 +416,6 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
#endif
return 0;
-
-give_sigsegv:
- force_sigsegv(sig, current);
- return -EFAULT;
}
/*
@@ -433,15 +429,11 @@ static int setup_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
*/
static void do_signal(struct pt_regs *regs)
{
- siginfo_t info;
- int signr;
- struct k_sigaction ka;
+ struct ksignal ksig;
task_pt_regs(current)->icountlevel = 0;
- signr = get_signal_to_deliver(&info, &ka, regs, NULL);
-
- if (signr > 0) {
+ if (get_signal(&ksig)) {
int ret;
/* Are we from a system call? */
@@ -457,7 +449,7 @@ static void do_signal(struct pt_regs *regs)
break;
case -ERESTARTSYS:
- if (!(ka.sa.sa_flags & SA_RESTART)) {
+ if (!(ksig.ka.sa.sa_flags & SA_RESTART)) {
regs->areg[2] = -EINTR;
break;
}
@@ -476,11 +468,8 @@ static void do_signal(struct pt_regs *regs)
/* Whee! Actually deliver the signal. */
/* Set up the stack frame */
- ret = setup_frame(signr, &ka, &info, sigmask_to_save(), regs);
- if (ret)
- return;
-
- signal_delivered(signr, &info, &ka, regs, 0);
+ ret = setup_frame(&ksig, sigmask_to_save(), regs);
+ signal_setup_done(ret, &ksig, 0);
if (current->ptrace & PT_SINGLESTEP)
task_pt_regs(current)->icountlevel = 1;
^ permalink raw reply related [flat|nested] 206+ messages in thread
* [PATCH 3.16 145/202] perf/x86: Add check_period PMU callback
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (175 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 176/202] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 200/202] binfmt_elf: switch to new creds when switching to new mm Ben Hutchings
` (25 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Jiri Olsa, Stephane Eranian,
Thomas Gleixner, Vince Weaver, Peter Zijlstra, Jiri Olsa,
Arnaldo Carvalho de Melo, Ravi Bangoria,
Arnaldo Carvalho de Melo, Alexander Shishkin, Ingo Molnar,
Linus Torvalds, Naveen N. Rao
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@redhat.com>
commit 81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb upstream.
Vince (and later on Ravi) reported crashes in the BTS code during
fuzzing with the following backtrace:
general protection fault: 0000 [#1] SMP PTI
...
RIP: 0010:perf_prepare_sample+0x8f/0x510
...
Call Trace:
<IRQ>
? intel_pmu_drain_bts_buffer+0x194/0x230
intel_pmu_drain_bts_buffer+0x160/0x230
? tick_nohz_irq_exit+0x31/0x40
? smp_call_function_single_interrupt+0x48/0xe0
? call_function_single_interrupt+0xf/0x20
? call_function_single_interrupt+0xa/0x20
? x86_schedule_events+0x1a0/0x2f0
? x86_pmu_commit_txn+0xb4/0x100
? find_busiest_group+0x47/0x5d0
? perf_event_set_state.part.42+0x12/0x50
? perf_mux_hrtimer_restart+0x40/0xb0
intel_pmu_disable_event+0xae/0x100
? intel_pmu_disable_event+0xae/0x100
x86_pmu_stop+0x7a/0xb0
x86_pmu_del+0x57/0x120
event_sched_out.isra.101+0x83/0x180
group_sched_out.part.103+0x57/0xe0
ctx_sched_out+0x188/0x240
ctx_resched+0xa8/0xd0
__perf_event_enable+0x193/0x1e0
event_function+0x8e/0xc0
remote_function+0x41/0x50
flush_smp_call_function_queue+0x68/0x100
generic_smp_call_function_single_interrupt+0x13/0x30
smp_call_function_single_interrupt+0x3e/0xe0
call_function_single_interrupt+0xf/0x20
</IRQ>
The reason is that while event init code does several checks
for BTS events and prevents several unwanted config bits for
BTS event (like precise_ip), the PERF_EVENT_IOC_PERIOD allows
to create BTS event without those checks being done.
Following sequence will cause the crash:
If we create an 'almost' BTS event with precise_ip and callchains,
and it into a BTS event it will crash the perf_prepare_sample()
function because precise_ip events are expected to come
in with callchain data initialized, but that's not the
case for intel_pmu_drain_bts_buffer() caller.
Adding a check_period callback to be called before the period
is changed via PERF_EVENT_IOC_PERIOD. It will deny the change
if the event would become BTS. Plus adding also the limit_period
check as well.
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20190204123532.GA4794@krava
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
- Don't call limit_period operation, which doesn't exist and isn't needed here
- Add the intel_pmu_has_bts() function, which didn't previously exist here
- Adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -1920,6 +1920,14 @@ void perf_check_microcode(void)
}
EXPORT_SYMBOL_GPL(perf_check_microcode);
+static int x86_pmu_check_period(struct perf_event *event, u64 value)
+{
+ if (x86_pmu.check_period && x86_pmu.check_period(event, value))
+ return -EINVAL;
+
+ return 0;
+}
+
static struct pmu pmu = {
.pmu_enable = x86_pmu_enable,
.pmu_disable = x86_pmu_disable,
@@ -1940,6 +1948,7 @@ static struct pmu pmu = {
.event_idx = x86_pmu_event_idx,
.flush_branch_stack = x86_pmu_flush_branch_stack,
+ .check_period = x86_pmu_check_period,
};
void arch_perf_update_userpage(struct perf_event_mmap_page *userpg, u64 now)
--- a/arch/x86/kernel/cpu/perf_event.h
+++ b/arch/x86/kernel/cpu/perf_event.h
@@ -473,6 +473,11 @@ struct x86_pmu {
* Intel host/guest support (KVM)
*/
struct perf_guest_switch_msr *(*guest_get_msrs)(int *nr);
+
+ /*
+ * Check period value for PERF_EVENT_IOC_PERIOD ioctl.
+ */
+ int (*check_period) (struct perf_event *event, u64 period);
};
#define x86_add_quirk(func_) \
@@ -634,6 +639,22 @@ static inline int amd_pmu_init(void)
#ifdef CONFIG_CPU_SUP_INTEL
+static inline bool intel_pmu_has_bts_period(struct perf_event *event, u64 period)
+{
+ if (event->attr.config == PERF_COUNT_HW_BRANCH_INSTRUCTIONS &&
+ !event->attr.freq && period == 1)
+ return true;
+
+ return false;
+}
+
+static inline bool intel_pmu_has_bts(struct perf_event *event)
+{
+ struct hw_perf_event *hwc = &event->hw;
+
+ return intel_pmu_has_bts_period(event, hwc->sample_period);
+}
+
int intel_pmu_save_and_restart(struct perf_event *event);
struct event_constraint *
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1969,6 +1969,11 @@ ssize_t intel_event_sysfs_show(char *pag
return x86_event_sysfs_show(page, config, event);
}
+static int intel_pmu_check_period(struct perf_event *event, u64 value)
+{
+ return intel_pmu_has_bts_period(event, value) ? -EINVAL : 0;
+}
+
static __initconst const struct x86_pmu core_pmu = {
.name = "core",
.handle_irq = x86_pmu_handle_irq,
@@ -1995,6 +2000,8 @@ static __initconst const struct x86_pmu
.guest_get_msrs = core_guest_get_msrs,
.format_attrs = intel_arch_formats_attr,
.events_sysfs_show = intel_event_sysfs_show,
+
+ .check_period = intel_pmu_check_period,
};
struct intel_shared_regs *allocate_shared_regs(int cpu)
@@ -2145,6 +2152,8 @@ static __initconst const struct x86_pmu
.cpu_dying = intel_pmu_cpu_dying,
.guest_get_msrs = intel_guest_get_msrs,
.flush_branch_stack = intel_pmu_flush_branch_stack,
+
+ .check_period = intel_pmu_check_period,
};
static __init void intel_clovertown_quirk(void)
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -262,6 +262,11 @@ struct pmu {
* flush branch stack on context-switches (needed in cpu-wide mode)
*/
void (*flush_branch_stack) (void);
+
+ /*
+ * Check period value for PERF_EVENT_IOC_PERIOD ioctl.
+ */
+ int (*check_period) (struct perf_event *event, u64 value); /* optional */
};
/**
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -3805,6 +3805,11 @@ static int __perf_event_period(void *inf
return 0;
}
+static int perf_event_check_period(struct perf_event *event, u64 value)
+{
+ return event->pmu->check_period(event, value);
+}
+
static int perf_event_period(struct perf_event *event, u64 __user *arg)
{
struct period_event pe = { .event = event, };
@@ -3824,6 +3829,9 @@ static int perf_event_period(struct perf
if (event->attr.freq && value > sysctl_perf_event_sample_rate)
return -EINVAL;
+ if (perf_event_check_period(event, value))
+ return -EINVAL;
+
task = ctx->task;
pe.value = value;
@@ -6649,6 +6657,11 @@ static int perf_pmu_nop_int(struct pmu *
return 0;
}
+static int perf_event_nop_int(struct perf_event *event, u64 value)
+{
+ return 0;
+}
+
static void perf_pmu_start_txn(struct pmu *pmu)
{
perf_pmu_disable(pmu);
@@ -6903,6 +6916,9 @@ got_cpu_context:
pmu->pmu_disable = perf_pmu_nop_void;
}
+ if (!pmu->check_period)
+ pmu->check_period = perf_event_nop_int;
+
if (!pmu->event_idx)
pmu->event_idx = perf_event_idx_default;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 146/202] vxlan: test dev->flags & IFF_UP before calling netif_rx()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (172 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 026/202] rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 181/202] mm: enforce min addr even if capable() in expand_downwards() Ben Hutchings
` (28 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Stefano Brivio, Eric Dumazet,
David S. Miller, Petr Machata, Roopa Prabhu, Ido Schimmel
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 4179cb5a4c924cd233eaadd081882425bc98f44e upstream.
netif_rx() must be called under a strict contract.
At device dismantle phase, core networking clears IFF_UP
and flush_all_backlogs() is called after rcu grace period
to make sure no incoming packet might be in a cpu backlog
and still referencing the device.
Most drivers call netif_rx() from their interrupt handler,
and since the interrupts are disabled at device dismantle,
netif_rx() does not have to check dev->flags & IFF_UP
Virtual drivers do not have this guarantee, and must
therefore make the check themselves.
Otherwise we risk use-after-free and/or crashes.
Note this patch also fixes a small issue that came
with commit ce6502a8f957 ("vxlan: fix a use after free
in vxlan_encap_bypass"), since the dev->stats.rx_dropped
change was done on the wrong device.
Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
Fixes: ce6502a8f957 ("vxlan: fix a use after free in vxlan_encap_bypass")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Petr Machata <petrm@mellanox.com>
Cc: Ido Schimmel <idosch@mellanox.com>
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/vxlan.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1772,7 +1772,7 @@ static void vxlan_encap_bypass(struct sk
struct pcpu_sw_netstats *tx_stats, *rx_stats;
union vxlan_addr loopback;
union vxlan_addr *remote_ip = &dst_vxlan->default_dst.remote_ip;
- struct net_device *dev = skb->dev;
+ struct net_device *dev;
int len = skb->len;
tx_stats = this_cpu_ptr(src_vxlan->dev->tstats);
@@ -1792,8 +1792,15 @@ static void vxlan_encap_bypass(struct sk
#endif
}
+ rcu_read_lock();
+ dev = skb->dev;
+ if (unlikely(!(dev->flags & IFF_UP))) {
+ kfree_skb(skb);
+ goto drop;
+ }
+
if (dst_vxlan->flags & VXLAN_F_LEARN)
- vxlan_snoop(skb->dev, &loopback, eth_hdr(skb)->h_source);
+ vxlan_snoop(dev, &loopback, eth_hdr(skb)->h_source);
u64_stats_update_begin(&tx_stats->syncp);
tx_stats->tx_packets++;
@@ -1806,8 +1813,10 @@ static void vxlan_encap_bypass(struct sk
rx_stats->rx_bytes += len;
u64_stats_update_end(&rx_stats->syncp);
} else {
+drop:
dev->stats.rx_dropped++;
}
+ rcu_read_unlock();
}
static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 148/202] x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (162 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 091/202] perf/core: Don't WARN() for impossible ring-buffer sizes Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 044/202] fuse: call pipe_buf_release() under pipe lock Ben Hutchings
` (38 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Jim Mattson, Vitaly Kuznetsov,
Zdenek Kaspar, Paolo Bonzini
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vitaly Kuznetsov <vkuznets@redhat.com>
commit 6b1971c694975e49af302229202c0043568b1791 upstream.
SDM says MSR_IA32_VMX_PROCBASED_CTLS2 is only available "If
(CPUID.01H:ECX.[5] && IA32_VMX_PROCBASED_CTLS[63])". It was found that
some old cpus (namely "Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (family: 0x6,
model: 0xf, stepping: 0x6") don't have it. Add the missing check.
Reported-by: Zdenek Kaspar <zkaspar82@gmail.com>
Tested-by: Zdenek Kaspar <zkaspar82@gmail.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16:
- The MSR values are stored in static variables
- Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2320,8 +2320,11 @@ static __init void nested_vmx_setup_ctls
nested_vmx_procbased_ctls_high |= CPU_BASED_USE_MSR_BITMAPS;
/* secondary cpu-based controls */
- rdmsr(MSR_IA32_VMX_PROCBASED_CTLS2,
- nested_vmx_secondary_ctls_low, nested_vmx_secondary_ctls_high);
+ if (nested_vmx_procbased_ctls_high & CPU_BASED_ACTIVATE_SECONDARY_CONTROLS)
+ rdmsr(MSR_IA32_VMX_PROCBASED_CTLS2,
+ nested_vmx_secondary_ctls_low,
+ nested_vmx_secondary_ctls_high);
+
nested_vmx_secondary_ctls_low = 0;
nested_vmx_secondary_ctls_high &=
SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 137/202] signal: Always notice exiting tasks
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (15 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 169/202] KEYS: user: Align the payload buffer Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 042/202] net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031 Ben Hutchings
` (185 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Eric W. Biederman, Dmitry Vyukov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.
Recently syzkaller was able to create unkillablle processes by
creating a timer that is delivered as a thread local signal on SIGHUP,
and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop
failing to deliver SIGHUP but always trying.
Upon examination it turns out part of the problem is actually most of
the solution. Since 2.5 signal delivery has found all fatal signals,
marked the signal group for death, and queued SIGKILL in every threads
thread queue relying on signal->group_exit_code to preserve the
information of which was the actual fatal signal.
The conversion of all fatal signals to SIGKILL results in the
synchronous signal heuristic in next_signal kicking in and preferring
SIGHUP to SIGKILL. Which is especially problematic as all
fatal signals have already been transformed into SIGKILL.
Instead of dequeueing signals and depending upon SIGKILL to
be the first signal dequeued, first test if the signal group
has already been marked for death. This guarantees that
nothing in the signal queue can prevent a process that needs
to exit from exiting.
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4")
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/signal.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2231,6 +2231,11 @@ relock:
goto relock;
}
+ /* Has this task already been marked for death? */
+ ksig->info.si_signo = signr = SIGKILL;
+ if (signal_group_exit(signal))
+ goto fatal;
+
for (;;) {
struct k_sigaction *ka;
@@ -2326,6 +2331,7 @@ relock:
continue;
}
+ fatal:
spin_unlock_irq(&sighand->siglock);
/*
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 147/202] net: fix IPv6 prefix route residue
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (69 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 054/202] tty/n_hdlc: fix __might_sleep warning Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 099/202] MIPS: Remove function size check in get_frame_info() Ben Hutchings
` (131 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David S. Miller, Wenhao Zhang, Zhiqiang Liu
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
commit e75913c93f7cd5f338ab373c34c93a655bd309cb upstream.
Follow those steps:
# ip addr add 2001:123::1/32 dev eth0
# ip addr add 2001:123:456::2/64 dev eth0
# ip addr del 2001:123::1/32 dev eth0
# ip addr del 2001:123:456::2/64 dev eth0
and then prefix route of 2001:123::1/32 will still exist.
This is because ipv6_prefix_equal in check_cleanup_prefix_route
func does not check whether two IPv6 addresses have the same
prefix length. If the prefix of one address starts with another
shorter address prefix, even though their prefix lengths are
different, the return value of ipv6_prefix_equal is true.
Here I add a check of whether two addresses have the same prefix
to decide whether their prefixes are equal.
Fixes: 5b84efecb7d9 ("ipv6 addrconf: don't cleanup prefix route for IFA_F_NOPREFIXROUTE")
Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Reported-by: Wenhao Zhang <zhangwenhao8@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv6/addrconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -943,7 +943,8 @@ check_cleanup_prefix_route(struct inet6_
list_for_each_entry(ifa, &idev->addr_list, if_list) {
if (ifa == ifp)
continue;
- if (!ipv6_prefix_equal(&ifa->addr, &ifp->addr,
+ if (ifa->prefix_len != ifp->prefix_len ||
+ !ipv6_prefix_equal(&ifa->addr, &ifp->addr,
ifp->prefix_len))
continue;
if (ifa->flags & (IFA_F_PERMANENT | IFA_F_NOPREFIXROUTE))
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 149/202] batman-adv: fix uninit-value in batadv_interface_tx()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (190 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 034/202] s390/early: improve machine detection Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 172/202] mdio_bus: Fix use-after-free on device_register fails Ben Hutchings
` (10 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Marek Lindner, Antonio Quartulli,
Eric Dumazet, David S. Miller, Simon Wunderlich, syzbot
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 4ffcbfac60642f63ae3d80891f573ba7e94a265c upstream.
KMSAN reported batadv_interface_tx() was possibly using a
garbage value [1]
batadv_get_vid() does have a pskb_may_pull() call
but batadv_interface_tx() does not actually make sure
this did not fail.
[1]
BUG: KMSAN: uninit-value in batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
CPU: 0 PID: 10006 Comm: syz-executor469 Not tainted 4.20.0-rc7+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
__msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
__netdev_start_xmit include/linux/netdevice.h:4356 [inline]
netdev_start_xmit include/linux/netdevice.h:4365 [inline]
xmit_one net/core/dev.c:3257 [inline]
dev_hard_start_xmit+0x607/0xc40 net/core/dev.c:3273
__dev_queue_xmit+0x2e42/0x3bc0 net/core/dev.c:3843
dev_queue_xmit+0x4b/0x60 net/core/dev.c:3876
packet_snd net/packet/af_packet.c:2928 [inline]
packet_sendmsg+0x8306/0x8f30 net/packet/af_packet.c:2953
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
__sys_sendto+0x8c4/0xac0 net/socket.c:1788
__do_sys_sendto net/socket.c:1800 [inline]
__se_sys_sendto+0x107/0x130 net/socket.c:1796
__x64_sys_sendto+0x6e/0x90 net/socket.c:1796
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x441889
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdda6fd468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000441889
RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000216 R12: 00007ffdda6fd4c0
R13: 00007ffdda6fd4b0 R14: 0000000000000000 R15: 0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
slab_post_alloc_hook mm/slab.h:446 [inline]
slab_alloc_node mm/slub.c:2759 [inline]
__kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
__kmalloc_reserve net/core/skbuff.c:137 [inline]
__alloc_skb+0x309/0xa20 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:998 [inline]
alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5220
sock_alloc_send_pskb+0xafd/0x10e0 net/core/sock.c:2083
packet_alloc_skb net/packet/af_packet.c:2781 [inline]
packet_snd net/packet/af_packet.c:2872 [inline]
packet_sendmsg+0x661a/0x8f30 net/packet/af_packet.c:2953
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
__sys_sendto+0x8c4/0xac0 net/socket.c:1788
__do_sys_sendto net/socket.c:1800 [inline]
__se_sys_sendto+0x107/0x130 net/socket.c:1796
__x64_sys_sendto+0x6e/0x90 net/socket.c:1796
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Marek Lindner <mareklindner@neomailbox.ch>
Cc: Simon Wunderlich <sw@simonwunderlich.de>
Cc: Antonio Quartulli <a@unstable.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/batman-adv/soft-interface.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -186,6 +186,8 @@ static int batadv_interface_tx(struct sk
switch (ntohs(ethhdr->h_proto)) {
case ETH_P_8021Q:
+ if (!pskb_may_pull(skb, sizeof(*vhdr)))
+ goto dropped;
vhdr = vlan_eth_hdr(skb);
if (vhdr->h_vlan_encapsulated_proto != ethertype) {
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 156/202] netfilter: nft_compat: fix crash when related match/target module is removed
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (49 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 163/202] assoc_array: Fix shortcut creation Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 155/202] signal: Restore the stop PTRACE_EVENT_EXIT Ben Hutchings
` (151 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Pablo Neira Ayuso, Liping Zhang
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liping Zhang <liping.zhang@spreadtrum.com>
commit 4b512e1c1f8de6b9ceb796ecef8658e0a083cab7 upstream.
We "cache" the loaded match/target modules and reuse them, but when the
modules are removed, we still point to them. Then we may end up with
invalid memory references when using iptables-compat to add rules later.
Input the following commands will reproduce the kernel crash:
# iptables-compat -A INPUT -j LOG
# iptables-compat -D INPUT -j LOG
# rmmod xt_LOG
# iptables-compat -A INPUT -j LOG
BUG: unable to handle kernel paging request at ffffffffa05a9010
IP: [<ffffffff813f783e>] strcmp+0xe/0x30
Call Trace:
[<ffffffffa05acc43>] nft_target_select_ops+0x83/0x1f0 [nft_compat]
[<ffffffffa058a177>] nf_tables_expr_parse+0x147/0x1f0 [nf_tables]
[<ffffffffa058e541>] nf_tables_newrule+0x301/0x810 [nf_tables]
[<ffffffff8141ca00>] ? nla_parse+0x20/0x100
[<ffffffffa057fa8f>] nfnetlink_rcv+0x33f/0x53d [nfnetlink]
[<ffffffffa057f94b>] ? nfnetlink_rcv+0x1fb/0x53d [nfnetlink]
[<ffffffff817116b8>] netlink_unicast+0x178/0x220
[<ffffffff81711a5b>] netlink_sendmsg+0x2fb/0x3a0
[<ffffffff816b7fc8>] sock_sendmsg+0x38/0x50
[<ffffffff816b8a7e>] ___sys_sendmsg+0x28e/0x2a0
[<ffffffff816bcb7e>] ? release_sock+0x1e/0xb0
[<ffffffff81804ac5>] ? _raw_spin_unlock_bh+0x35/0x40
[<ffffffff816bcbe2>] ? release_sock+0x82/0xb0
[<ffffffff816b93d4>] __sys_sendmsg+0x54/0x90
[<ffffffff816b9422>] SyS_sendmsg+0x12/0x20
[<ffffffff81805172>] entry_SYSCALL_64_fastpath+0x1a/0xa9
So when nobody use the related match/target module, there's no need to
"cache" it. And nft_[match|target]_release are useless anymore, remove
them.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/nft_compat.c | 43 ++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 23 deletions(-)
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -22,6 +22,20 @@
#include <asm/uaccess.h> /* for set_fs */
#include <net/netfilter/nf_tables.h>
+struct nft_xt {
+ struct list_head head;
+ struct nft_expr_ops ops;
+ unsigned int refcnt;
+};
+
+static void nft_xt_put(struct nft_xt *xt)
+{
+ if (--xt->refcnt == 0) {
+ list_del(&xt->head);
+ kfree(xt);
+ }
+}
+
union nft_entry {
struct ipt_entry e4;
struct ip6t_entry e6;
@@ -208,6 +222,7 @@ nft_target_destroy(const struct nft_ctx
if (par.target->destroy != NULL)
par.target->destroy(&par);
+ nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
module_put(target->me);
}
@@ -408,6 +423,7 @@ nft_match_destroy(const struct nft_ctx *
if (par.match->destroy != NULL)
par.match->destroy(&par);
+ nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
module_put(me);
}
@@ -606,11 +622,6 @@ static const struct nfnetlink_subsystem
static LIST_HEAD(nft_match_list);
-struct nft_xt {
- struct list_head head;
- struct nft_expr_ops ops;
-};
-
static struct nft_expr_type nft_match_type;
static bool nft_match_cmp(const struct xt_match *match,
@@ -646,6 +657,7 @@ nft_match_select_ops(const struct nft_ct
if (!try_module_get(match->me))
return ERR_PTR(-ENOENT);
+ nft_match->refcnt++;
return &nft_match->ops;
}
}
@@ -659,6 +671,7 @@ nft_match_select_ops(const struct nft_ct
if (nft_match == NULL)
return ERR_PTR(-ENOMEM);
+ nft_match->refcnt = 1;
nft_match->ops.type = &nft_match_type;
nft_match->ops.size = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize) +
nft_compat_match_offset(match));
@@ -674,14 +687,6 @@ nft_match_select_ops(const struct nft_ct
return &nft_match->ops;
}
-static void nft_match_release(void)
-{
- struct nft_xt *nft_match, *tmp;
-
- list_for_each_entry_safe(nft_match, tmp, &nft_match_list, head)
- kfree(nft_match);
-}
-
static struct nft_expr_type nft_match_type __read_mostly = {
.name = "match",
.select_ops = nft_match_select_ops,
@@ -727,6 +732,7 @@ nft_target_select_ops(const struct nft_c
if (!try_module_get(target->me))
return ERR_PTR(-ENOENT);
+ nft_target->refcnt++;
return &nft_target->ops;
}
}
@@ -740,6 +746,7 @@ nft_target_select_ops(const struct nft_c
if (nft_target == NULL)
return ERR_PTR(-ENOMEM);
+ nft_target->refcnt = 1;
nft_target->ops.type = &nft_target_type;
nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize) +
nft_compat_target_offset(target));
@@ -755,14 +762,6 @@ nft_target_select_ops(const struct nft_c
return &nft_target->ops;
}
-static void nft_target_release(void)
-{
- struct nft_xt *nft_target, *tmp;
-
- list_for_each_entry_safe(nft_target, tmp, &nft_target_list, head)
- kfree(nft_target);
-}
-
static struct nft_expr_type nft_target_type __read_mostly = {
.name = "target",
.select_ops = nft_target_select_ops,
@@ -805,8 +804,6 @@ static void __exit nft_compat_module_exi
nfnetlink_subsys_unregister(&nfnl_compat_subsys);
nft_unregister_expr(&nft_target_type);
nft_unregister_expr(&nft_match_type);
- nft_match_release();
- nft_target_release();
}
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFT_COMPAT);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 016/202] ALSA: cs46xx: Potential NULL dereference in probe
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (154 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 112/202] cris: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 138/202] signal: Better detection of synchronous signals Ben Hutchings
` (46 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Dan Carpenter, Takashi Iwai, Yavuz, Tuba
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 1524f4e47f90b27a3ac84efbdd94c63172246a6f upstream.
The "chip->dsp_spos_instance" can be NULL on some of the ealier error
paths in snd_cs46xx_create().
Reported-by: "Yavuz, Tuba" <tuba@ece.ufl.edu>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/pci/cs46xx/dsp_spos.c | 3 +++
1 file changed, 3 insertions(+)
--- a/sound/pci/cs46xx/dsp_spos.c
+++ b/sound/pci/cs46xx/dsp_spos.c
@@ -899,6 +899,9 @@ int cs46xx_dsp_proc_done (struct snd_cs4
struct dsp_spos_instance * ins = chip->dsp_spos_instance;
int i;
+ if (!ins)
+ return 0;
+
snd_info_free_entry(ins->proc_sym_info_entry);
ins->proc_sym_info_entry = NULL;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 151/202] net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (81 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 178/202] net: phy: Micrel KSZ8061: link failure after cable connect Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 013/202] USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB Ben Hutchings
` (119 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Kal Conley, Andrey Konovalov,
David S. Miller, Christoph Paasch
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Paasch <cpaasch@apple.com>
commit 398f0132c14754fcd03c1c4f8e7176d001ce8ea1 upstream.
Since commit fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check")
one can now allocate packet ring buffers >= UINT_MAX. However, syzkaller
found that that triggers a warning:
[ 21.100000] WARNING: CPU: 2 PID: 2075 at mm/page_alloc.c:4584 __alloc_pages_nod0
[ 21.101490] Modules linked in:
[ 21.101921] CPU: 2 PID: 2075 Comm: syz-executor.0 Not tainted 5.0.0 #146
[ 21.102784] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[ 21.103887] RIP: 0010:__alloc_pages_nodemask+0x2a0/0x630
[ 21.104640] Code: fe ff ff 65 48 8b 04 25 c0 de 01 00 48 05 90 0f 00 00 41 bd 01 00 00 00 48 89 44 24 48 e9 9c fe 3
[ 21.107121] RSP: 0018:ffff88805e1cf920 EFLAGS: 00010246
[ 21.107819] RAX: 0000000000000000 RBX: ffffffff85a488a0 RCX: 0000000000000000
[ 21.108753] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000
[ 21.109699] RBP: 1ffff1100bc39f28 R08: ffffed100bcefb67 R09: ffffed100bcefb67
[ 21.110646] R10: 0000000000000001 R11: ffffed100bcefb66 R12: 000000000000000d
[ 21.111623] R13: 0000000000000000 R14: ffff88805e77d888 R15: 000000000000000d
[ 21.112552] FS: 00007f7c7de05700(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000
[ 21.113612] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 21.114405] CR2: 000000000065c000 CR3: 000000005e58e006 CR4: 00000000001606e0
[ 21.115367] Call Trace:
[ 21.115705] ? __alloc_pages_slowpath+0x21c0/0x21c0
[ 21.116362] alloc_pages_current+0xac/0x1e0
[ 21.116923] kmalloc_order+0x18/0x70
[ 21.117393] kmalloc_order_trace+0x18/0x110
[ 21.117949] packet_set_ring+0x9d5/0x1770
[ 21.118524] ? packet_rcv_spkt+0x440/0x440
[ 21.119094] ? lock_downgrade+0x620/0x620
[ 21.119646] ? __might_fault+0x177/0x1b0
[ 21.120177] packet_setsockopt+0x981/0x2940
[ 21.120753] ? __fget+0x2fb/0x4b0
[ 21.121209] ? packet_release+0xab0/0xab0
[ 21.121740] ? sock_has_perm+0x1cd/0x260
[ 21.122297] ? selinux_secmark_relabel_packet+0xd0/0xd0
[ 21.123013] ? __fget+0x324/0x4b0
[ 21.123451] ? selinux_netlbl_socket_setsockopt+0x101/0x320
[ 21.124186] ? selinux_netlbl_sock_rcv_skb+0x3a0/0x3a0
[ 21.124908] ? __lock_acquire+0x529/0x3200
[ 21.125453] ? selinux_socket_setsockopt+0x5d/0x70
[ 21.126075] ? __sys_setsockopt+0x131/0x210
[ 21.126533] ? packet_release+0xab0/0xab0
[ 21.127004] __sys_setsockopt+0x131/0x210
[ 21.127449] ? kernel_accept+0x2f0/0x2f0
[ 21.127911] ? ret_from_fork+0x8/0x50
[ 21.128313] ? do_raw_spin_lock+0x11b/0x280
[ 21.128800] __x64_sys_setsockopt+0xba/0x150
[ 21.129271] ? lockdep_hardirqs_on+0x37f/0x560
[ 21.129769] do_syscall_64+0x9f/0x450
[ 21.130182] entry_SYSCALL_64_after_hwframe+0x49/0xbe
We should allocate with __GFP_NOWARN to handle this.
Cc: Kal Conley <kal.conley@dectris.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Fixes: fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/packet/af_packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3828,7 +3828,7 @@ static struct pgv *alloc_pg_vec(struct t
struct pgv *pg_vec;
int i;
- pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL);
+ pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN);
if (unlikely(!pg_vec))
goto out;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 150/202] net/packet: fix 4gb buffer limit due to overflow check
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (194 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 189/202] vfio/type1: Limit DMA mappings per container Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 197/202] brcmfmac: revise handling events in receive path Ben Hutchings
` (6 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Kal Conley, David S. Miller
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kal Conley <kal.conley@dectris.com>
commit fc62814d690cf62189854464f4bd07457d5e9e50 upstream.
When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow. Check it for overflow without limiting the total buffer
size to UINT_MAX.
This change fixes support for packet ring buffers >= UINT_MAX.
Fixes: 8f8d28e4d6d8 ("net/packet: fix overflow in check for tp_frame_nr")
Signed-off-by: Kal Conley <kal.conley@dectris.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/packet/af_packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3915,7 +3915,7 @@ static int packet_set_ring(struct sock *
rb->frames_per_block = req->tp_block_size/req->tp_frame_size;
if (unlikely(rb->frames_per_block <= 0))
goto out;
- if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
+ if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr))
goto out;
if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
req->tp_frame_nr))
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 152/202] team: avoid complex list operations in team_nl_cmd_options_set()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (46 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 010/202] usb: cdc-acm: send ZLP for Telit 3G Intel based modems Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 103/202] ALSA: compress: Fix stop handling on compressed capture streams Ben Hutchings
` (154 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Paolo Abeni, syzbot+68ee510075cf64260cc4,
syzbot+4d4af685432dc0e56c91, Cong Wang, Jiri Pirko,
David S. Miller, Jiri Pirko
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit 2fdeee2549231b1f989f011bb18191f5660d3745 upstream.
The current opt_inst_list operations inside team_nl_cmd_options_set()
is too complex to track:
LIST_HEAD(opt_inst_list);
nla_for_each_nested(...) {
list_for_each_entry(opt_inst, &team->option_inst_list, list) {
if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst))
continue;
list_add(&opt_inst->tmp_list, &opt_inst_list);
}
}
team_nl_send_event_options_get(team, &opt_inst_list);
as while we retrieve 'opt_inst' from team->option_inst_list, it could
be added to the local 'opt_inst_list' for multiple times. The
__team_option_inst_tmp_find() doesn't work, as the setter
team_mode_option_set() still calls team->ops.exit() which uses
->tmp_list too in __team_options_change_check().
Simplify the list operations by moving the 'opt_inst_list' and
team_nl_send_event_options_get() into the nla_for_each_nested() loop so
that it can be guranteed that we won't insert a same list entry for
multiple times. Therefore, __team_option_inst_tmp_find() can be removed
too.
Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list")
Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/team/team.c | 27 +++++----------------------
1 file changed, 5 insertions(+), 22 deletions(-)
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -253,17 +253,6 @@ static void __team_option_inst_mark_remo
}
}
-static bool __team_option_inst_tmp_find(const struct list_head *opts,
- const struct team_option_inst *needle)
-{
- struct team_option_inst *opt_inst;
-
- list_for_each_entry(opt_inst, opts, tmp_list)
- if (opt_inst == needle)
- return true;
- return false;
-}
-
static int __team_options_register(struct team *team,
const struct team_option *option,
size_t option_count)
@@ -2420,7 +2409,6 @@ static int team_nl_cmd_options_set(struc
int err = 0;
int i;
struct nlattr *nl_option;
- LIST_HEAD(opt_inst_list);
team = team_nl_team_get(info);
if (!team)
@@ -2436,6 +2424,7 @@ static int team_nl_cmd_options_set(struc
struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1];
struct nlattr *attr;
struct nlattr *attr_data;
+ LIST_HEAD(opt_inst_list);
enum team_option_type opt_type;
int opt_port_ifindex = 0; /* != 0 for per-port options */
u32 opt_array_index = 0;
@@ -2539,23 +2528,17 @@ static int team_nl_cmd_options_set(struc
if (err)
goto team_put;
opt_inst->changed = true;
-
- /* dumb/evil user-space can send us duplicate opt,
- * keep only the last one
- */
- if (__team_option_inst_tmp_find(&opt_inst_list,
- opt_inst))
- continue;
-
list_add(&opt_inst->tmp_list, &opt_inst_list);
}
if (!opt_found) {
err = -ENOENT;
goto team_put;
}
- }
- err = team_nl_send_event_options_get(team, &opt_inst_list);
+ err = team_nl_send_event_options_get(team, &opt_inst_list);
+ if (err)
+ break;
+ }
team_put:
team_nl_team_put(team);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 158/202] netfilter: nft_compat: use-after-free when deleting targets
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (38 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 116/202] m32r: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 100/202] net: dsa: slave: Don't propagate flag changes on down slave interfaces Ben Hutchings
` (162 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Pablo Neira Ayuso
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 753c111f655e38bbd52fc01321266633f022ebe2 upstream.
Fetch pointer to module before target object is released.
Fixes: 29e3880109e3 ("netfilter: nf_tables: fix use-after-free when deleting compat expressions")
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/nft_compat.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -221,6 +221,7 @@ nft_target_destroy(const struct nft_ctx
{
struct xt_target *target = expr->ops->data;
void *info = nft_expr_priv(expr);
+ struct module *me = target->me;
struct xt_tgdtor_param par;
par.net = ctx->net;
@@ -231,7 +232,7 @@ nft_target_destroy(const struct nft_ctx
par.target->destroy(&par);
if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
- module_put(target->me);
+ module_put(me);
}
static int
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 153/202] perf/core: Fix impossible ring-buffer sizes warning
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (128 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 132/202] unicore32: Fix build error Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 006/202] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() Ben Hutchings
` (72 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Peter Zijlstra, Jiri Olsa, Thomas Gleixner,
Namhyung Kim, Greg Kroah-Hartman, Alexander Shishkin,
Ingo Molnar, Jin, Yao, Arnaldo Carvalho de Melo, Julien Thierry,
Mark Rutland, Linus Torvalds
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ingo Molnar <mingo@kernel.org>
commit 528871b456026e6127d95b1b2bd8e3a003dc1614 upstream.
The following commit:
9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
results in perf recording failures with larger mmap areas:
root@skl:/tmp# perf record -g -a
failed to mmap with 12 (Cannot allocate memory)
The root cause is that the following condition is buggy:
if (order_base_2(size) >= MAX_ORDER)
goto fail;
The problem is that @size is in bytes and MAX_ORDER is in pages,
so the right test is:
if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
goto fail;
Fix it.
Reported-by: "Jin, Yao" <yao.jin@linux.intel.com>
Bisected-by: Borislav Petkov <bp@alien8.de>
Analyzed-by: Peter Zijlstra <peterz@infradead.org>
Cc: Julien Thierry <julien.thierry@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/events/ring_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -282,7 +282,7 @@ struct ring_buffer *rb_alloc(int nr_page
size = sizeof(struct ring_buffer);
size += nr_pages * sizeof(void *);
- if (order_base_2(size) >= MAX_ORDER)
+ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
goto fail;
rb = kzalloc(size, GFP_KERNEL);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 182/202] netlabel: fix out-of-bounds memory accesses
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (149 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 031/202] CIFS: Do not hide EINTR after sending network packets Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 025/202] drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock Ben Hutchings
` (51 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Jann Horn, David S. Miller, Paul Moore
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moore <paul@paul-moore.com>
commit 5578de4834fe0f2a34fedc7374be691443396d1f upstream.
There are two array out-of-bounds memory accesses, one in
cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both
errors are embarassingly simple, and the fixes are straightforward.
As a FYI for anyone backporting this patch to kernels prior to v4.8,
you'll want to apply the netlbl_bitmap_walk() patch to
cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
Linux v4.8.
Reported-by: Jann Horn <jannh@google.com>
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16 following Paul's hint]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -165,7 +165,8 @@ static int cipso_v4_bitmap_walk(const un
(state == 0 && (byte & bitmask) == 0))
return bit_spot;
- bit_spot++;
+ if (++bit_spot >= bitmap_len)
+ return -1;
bitmask >>= 1;
if (bitmask == 0) {
byte = bitmap[++byte_offset];
@@ -735,7 +736,8 @@ static int cipso_v4_map_lvl_valid(const
case CIPSO_V4_MAP_PASS:
return 0;
case CIPSO_V4_MAP_TRANS:
- if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)
+ if ((level < doi_def->map.std->lvl.cipso_size) &&
+ (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL))
return 0;
break;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 181/202] mm: enforce min addr even if capable() in expand_downwards()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (173 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 146/202] vxlan: test dev->flags & IFF_UP before calling netif_rx() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 176/202] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation Ben Hutchings
` (27 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Linus Torvalds, Jann Horn
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.
security_mmap_addr() does a capability check with current_cred(), but
we can reach this code from contexts like a VFS write handler where
current_cred() must not be used.
This can be abused on systems without SMAP to make NULL pointer
dereferences exploitable again.
Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/mmap.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2244,12 +2244,11 @@ int expand_downwards(struct vm_area_stru
unsigned long address)
{
struct vm_area_struct *prev;
- int error;
+ int error = 0;
address &= PAGE_MASK;
- error = security_mmap_addr(address);
- if (error)
- return error;
+ if (address < mmap_min_addr)
+ return -EPERM;
/* Enforce stack_guard_gap */
prev = vma->vm_prev;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 180/202] mm/mmap.c: expand_downwards: don't require the gap if !vm_prev
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (51 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 155/202] signal: Restore the stop PTRACE_EVENT_EXIT Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 023/202] Drivers: hv: vmbus: Check for ring when getting debug info Ben Hutchings
` (149 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Oleg Nesterov, Hugh Dickins, Michal Hocko,
Linus Torvalds, Larry Woodman
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit 32e4e6d5cbb0c0e427391635991fe65e17797af8 upstream.
expand_stack(vma) fails if address < stack_guard_gap even if there is no
vma->vm_prev. I don't think this makes sense, and we didn't do this
before the recent commit 1be7107fbe18 ("mm: larger stack guard gap,
between vmas").
We do not need a gap in this case, any address is fine as long as
security_mmap_addr() doesn't object.
This also simplifies the code, we know that address >= prev->vm_end and
thus underflow is not possible.
Link: http://lkml.kernel.org/r/20170628175258.GA24881@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Larry Woodman <lwoodman@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/mmap.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2244,7 +2244,6 @@ int expand_downwards(struct vm_area_stru
unsigned long address)
{
struct vm_area_struct *prev;
- unsigned long gap_addr;
int error;
address &= PAGE_MASK;
@@ -2253,15 +2252,12 @@ int expand_downwards(struct vm_area_stru
return error;
/* Enforce stack_guard_gap */
- gap_addr = address - stack_guard_gap;
- if (gap_addr > address)
- return -ENOMEM;
prev = vma->vm_prev;
- if (prev && prev->vm_end > gap_addr &&
+ /* Check that both stack segments have the same anon_vma? */
+ if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
(prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
- if (!(prev->vm_flags & VM_GROWSDOWN))
+ if (address - prev->vm_end < stack_guard_gap)
return -ENOMEM;
- /* Check that both stack segments have the same anon_vma? */
}
/* We must make sure the anon_vma is allocated. */
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 155/202] signal: Restore the stop PTRACE_EVENT_EXIT
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (50 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 156/202] netfilter: nft_compat: fix crash when related match/target module is removed Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 180/202] mm/mmap.c: expand_downwards: don't require the gap if !vm_prev Ben Hutchings
` (150 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Eric W. Biederman, Oleg Nesterov, Ivan Delalande
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit cf43a757fd49442bc38f76088b70c2299eed2c2f upstream.
In the middle of do_exit() there is there is a call
"ptrace_event(PTRACE_EVENT_EXIT, code);" That call places the process
in TACKED_TRACED aka "(TASK_WAKEKILL | __TASK_TRACED)" and waits for
for the debugger to release the task or SIGKILL to be delivered.
Skipping past dequeue_signal when we know a fatal signal has already
been delivered resulted in SIGKILL remaining pending and
TIF_SIGPENDING remaining set. This in turn caused the
scheduler to not sleep in PTACE_EVENT_EXIT as it figured
a fatal signal was pending. This also caused ptrace_freeze_traced
in ptrace_check_attach to fail because it left a per thread
SIGKILL pending which is what fatal_signal_pending tests for.
This difference in signal state caused strace to report
strace: Exit of unknown pid NNNNN ignored
Therefore update the signal handling state like dequeue_signal
would when removing a per thread SIGKILL, by removing SIGKILL
from the per thread signal mask and clearing TIF_SIGPENDING.
Acked-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Ivan Delalande <colona@arista.com>
Fixes: 35634ffa1751 ("signal: Always notice exiting tasks")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/signal.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2274,9 +2274,12 @@ relock:
}
/* Has this task already been marked for death? */
- ksig->info.si_signo = signr = SIGKILL;
- if (signal_group_exit(signal))
+ if (signal_group_exit(signal)) {
+ ksig->info.si_signo = signr = SIGKILL;
+ sigdelset(¤t->pending.signal, SIGKILL);
+ recalc_sigpending();
goto fatal;
+ }
for (;;) {
struct k_sigaction *ka;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 047/202] Yama: Check for pid death before checking ancestry
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (144 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 068/202] IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 128/202] sh: Use get_signal() signal_setup_done() Ben Hutchings
` (56 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Oleg Nesterov, James Morris,
syzbot+a9ac39bf55329e206219, Kees Cook
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.
It's possible that a pid has died before we take the rcu lock, in which
case we can't walk the ancestry list as it may be detached. Instead, check
for death first before doing the walk.
Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487faf1 ("security: Yama LSM")
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/yama/yama_lsm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -299,7 +299,9 @@ int yama_ptrace_access_check(struct task
break;
case YAMA_SCOPE_RELATIONAL:
rcu_read_lock();
- if (!task_is_descendant(current, child) &&
+ if (!pid_alive(child))
+ rc = -EPERM;
+ if (!rc && !task_is_descendant(current, child) &&
!ptracer_exception_found(current, child) &&
!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
rc = -EPERM;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 041/202] net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (57 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 059/202] can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 014/202] ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode Ben Hutchings
` (143 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Grygorii Strashko, David S. Miller
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Grygorii Strashko <grygorii.strashko@ti.com>
commit c1a8d0a3accf64a014d605e6806ce05d1c17adf1 upstream.
Under some circumstances driver will perform PHY reset in
ksz9031_read_status() to fix autoneg failure case (idle error count =
0xFF). When this happens ksz9031 will not detect link status change any
more when connecting to Netgear 1G switch (link can be recovered sometimes by
restarting netdevice "ifconfig down up"). Reproduced with TI am572x board
equipped with ksz9031 PHY while connecting to Netgear 1G switch.
Fix the issue by reconfiguring autonegotiation after PHY reset in
ksz9031_read_status().
Fixes: d2fd719bcb0e ("net/phy: micrel: Add workaround for bad autoneg")
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/phy/micrel.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -433,6 +433,7 @@ static int ksz9031_read_status(struct ph
phydev->link = 0;
if (phydev->drv->config_intr && phy_interrupt_is_valid(phydev))
phydev->drv->config_intr(phydev);
+ return genphy_config_aneg(phydev);
}
return 0;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 049/202] arc: do not export symbols in troubleshoot.c
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (106 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 107/202] arc: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 045/202] fuse: decrement NR_WRITEBACK_TEMP on the right page Ben Hutchings
` (94 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Davidlohr Bueso, Davidlohr Bueso,
Vineet Gupta, Linus Torvalds
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso <dave@stgolabs.net>
commit be2a7fce397d82b7dc3fdbc61fb0bdab118e65ca upstream.
print_task_path_n_nm() is local to this file, its only user being
show_regs(). Mark the function static and avoid the EXPORT_SYMBOL.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Vineet Gupta <vgupta@synoipsys.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16 as dependency of commit ab6c03676cb1
"ARC: show_regs: lockdep: avoid page allocator..."]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arc/kernel/troubleshoot.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/arch/arc/kernel/troubleshoot.c
+++ b/arch/arc/kernel/troubleshoot.c
@@ -52,7 +52,7 @@ static void show_callee_regs(struct call
print_reg_file(&(cregs->r13), 13);
}
-void print_task_path_n_nm(struct task_struct *tsk, char *buf)
+static void print_task_path_n_nm(struct task_struct *tsk, char *buf)
{
struct path path;
char *path_nm = NULL;
@@ -77,7 +77,6 @@ void print_task_path_n_nm(struct task_st
done:
pr_info("Path: %s\n", path_nm);
}
-EXPORT_SYMBOL(print_task_path_n_nm);
static void show_faulting_vma(unsigned long address, char *buf)
{
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 051/202] ARC: mm: do_page_fault fixes #1: relinquish mmap_sem if signal arrives while handle_mm_fault
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (31 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 123/202] powerpc: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 131/202] unicore32: Use get_signal() signal_setup_done() Ben Hutchings
` (169 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Vineet Gupta
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vineet Gupta <vgupta@synopsys.com>
commit 4d447455e73b47c43dd35fcc38ed823d3182a474 upstream.
do_page_fault() forgot to relinquish mmap_sem if a signal came while
handling handle_mm_fault() - due to say a ctl+c or oom etc.
This would later cause a deadlock by acquiring it twice.
This came to light when running libc testsuite tst-tls3-malloc test but
is likely also the cause for prior seen LTP failures. Using lockdep
clearly showed what the issue was.
| # while true; do ./tst-tls3-malloc ; done
| Didn't expect signal from child: got `Segmentation fault'
| ^C
| ============================================
| WARNING: possible recursive locking detected
| 4.17.0+ #25 Not tainted
| --------------------------------------------
| tst-tls3-malloc/510 is trying to acquire lock:
| 606c7728 (&mm->mmap_sem){++++}, at: __might_fault+0x28/0x5c
|
|but task is already holding lock:
|606c7728 (&mm->mmap_sem){++++}, at: do_page_fault+0x9c/0x2a0
|
| other info that might help us debug this:
| Possible unsafe locking scenario:
|
| CPU0
| ----
| lock(&mm->mmap_sem);
| lock(&mm->mmap_sem);
|
| *** DEADLOCK ***
|
------------------------------------------------------------
What the change does is not obvious (note to myself)
prior code was
| do_page_fault
|
| down_read() <-- lock taken
| handle_mm_fault <-- signal pending as this runs
| if fatal_signal_pending
| if VM_FAULT_ERROR
| up_read
| if user_mode
| return <-- lock still held, this was the BUG
New code
| do_page_fault
|
| down_read() <-- lock taken
| handle_mm_fault <-- signal pending as this runs
| if fatal_signal_pending
| if VM_FAULT_RETRY
| return <-- not same case as above, but still OK since
| core mm already relinq lock for FAULT_RETRY
| ...
|
| < Now falls through for bug case above >
|
| up_read() <-- lock relinquished
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arc/mm/fault.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/arch/arc/mm/fault.c
+++ b/arch/arc/mm/fault.c
@@ -131,12 +131,17 @@ good_area:
*/
fault = handle_mm_fault(mm, vma, address, flags);
- /* If Pagefault was interrupted by SIGKILL, exit page fault "early" */
if (unlikely(fatal_signal_pending(current))) {
- if ((fault & VM_FAULT_ERROR) && !(fault & VM_FAULT_RETRY))
- up_read(&mm->mmap_sem);
- if (user_mode(regs))
+
+ /*
+ * if fault retry, mmap_sem already relinquished by core mm
+ * so OK to return to user mode (with signal handled first)
+ */
+ if (fault & VM_FAULT_RETRY) {
+ if (!user_mode(regs))
+ goto no_context;
return;
+ }
}
if (likely(!(fault & VM_FAULT_ERROR))) {
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 055/202] vt: always call notifier with the console lock held
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (18 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 135/202] Clean up signal_delivered() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 019/202] packet: Do not leak dev refcounts on error exit Ben Hutchings
` (182 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Nicolas Pitre, Nicolas Pitre
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Pitre <nicolas.pitre@linaro.org>
commit 7e1d226345f89ad5d0216a9092c81386c89b4983 upstream.
Every invocation of notify_write() and notify_update() is performed
under the console lock, except for one case. Let's fix that.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/vt/vt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -2415,8 +2415,8 @@ rescan_last_byte:
}
FLUSH
console_conditional_schedule();
- console_unlock();
notify_update(vc);
+ console_unlock();
return n;
#undef FLUSH
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 042/202] net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (16 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 137/202] signal: Always notice exiting tasks Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 135/202] Clean up signal_delivered() Ben Hutchings
` (184 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Sekhar Nori, Florian Fainelli,
Tony Lindgren, David S. Miller, Heiner Kallweit
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
commit 1d16073a326891c2a964e4cb95bc18fbcafb5f74 upstream.
So far genphy_soft_reset was used automatically if the PHY driver
didn't implement the soft_reset callback. This changed with the
mentioned commit and broke KSZ9031. To fix this configure the
KSZ9031 PHY driver to use genphy_soft_reset.
Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset")
Reported-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Tested-by: Tony Lindgren <tony@atomide.com>
Tested-by: Sekhar Nori <nsekhar@ti.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/phy/micrel.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -596,6 +596,7 @@ static struct phy_driver ksphy_driver[]
.flags = PHY_HAS_MAGICANEG | PHY_HAS_INTERRUPT,
.config_init = ksz9031_config_init,
.config_aneg = genphy_config_aneg,
+ .soft_reset = genphy_soft_reset,
.read_status = ksz9031_read_status,
.ack_interrupt = kszphy_ack_interrupt,
.config_intr = ksz9021_config_intr,
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 050/202] ARC: show_regs: lockdep: avoid page allocator...
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (121 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 038/202] staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 127/202] score: Use get_signal() signal_setup_done() Ben Hutchings
` (79 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, William Kucharski, Vineet Gupta
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vineet Gupta <vgupta@synopsys.com>
commit ab6c03676cb190156603cf4c5ecf97aa406c9c53 upstream.
and use smaller/on-stack buffer instead
The motivation for this change was lockdep splat like below.
| potentially unexpected fatal signal 11.
| BUG: sleeping function called from invalid context at ../mm/page_alloc.c:4317
| in_atomic(): 1, irqs_disabled(): 0, pid: 57, name: segv
| no locks held by segv/57.
| Preemption disabled at:
| [<8182f17e>] get_signal+0x4a6/0x7c4
| CPU: 0 PID: 57 Comm: segv Not tainted 4.17.0+ #23
|
| Stack Trace:
| arc_unwind_core.constprop.1+0xd0/0xf4
| __might_sleep+0x1f6/0x234
| __get_free_pages+0x174/0xca0
| show_regs+0x22/0x330
| get_signal+0x4ac/0x7c4 # print_fatal_signals() -> preempt_disable()
| do_signal+0x30/0x224
| resume_user_mode_begin+0x90/0xd8
So signal handling core calls show_regs() with preemption disabled but
an ensuing GFP_KERNEL page allocator call is flagged by lockdep.
We could have switched to GFP_NOWAIT, but turns out that is not enough
anways and eliding page allocator call leads to less code and
instruction traces to sift thru when debugging pesky crashes.
FWIW, this patch doesn't cure the lockdep splat (which next patch does).
Reviewed-by: William Kucharski <william.kucharski@oracle.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arc/kernel/troubleshoot.c | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
--- a/arch/arc/kernel/troubleshoot.c
+++ b/arch/arc/kernel/troubleshoot.c
@@ -15,6 +15,8 @@
#include <linux/file.h>
#include <asm/arcregs.h>
+#define ARC_PATH_MAX 256
+
/*
* Common routine to print scratch regs (r0-r12) or callee regs (r13-r25)
* -Prints 3 regs per line and a CR.
@@ -52,12 +54,13 @@ static void show_callee_regs(struct call
print_reg_file(&(cregs->r13), 13);
}
-static void print_task_path_n_nm(struct task_struct *tsk, char *buf)
+static void print_task_path_n_nm(struct task_struct *tsk)
{
struct path path;
char *path_nm = NULL;
struct mm_struct *mm;
struct file *exe_file;
+ char buf[ARC_PATH_MAX];
mm = get_task_mm(tsk);
if (!mm)
@@ -70,7 +73,7 @@ static void print_task_path_n_nm(struct
path = exe_file->f_path;
path_get(&exe_file->f_path);
fput(exe_file);
- path_nm = d_path(&path, buf, 255);
+ path_nm = d_path(&path, buf, ARC_PATH_MAX-1);
path_put(&path);
}
@@ -78,13 +81,12 @@ done:
pr_info("Path: %s\n", path_nm);
}
-static void show_faulting_vma(unsigned long address, char *buf)
+static void show_faulting_vma(unsigned long address)
{
struct vm_area_struct *vma;
struct inode *inode;
unsigned long ino = 0;
dev_t dev = 0;
- char *nm = buf;
struct mm_struct *active_mm = current->active_mm;
/* can't use print_vma_addr() yet as it doesn't check for
@@ -98,9 +100,12 @@ static void show_faulting_vma(unsigned l
*/
if (vma && (vma->vm_start <= address)) {
struct file *file = vma->vm_file;
+ char buf[ARC_PATH_MAX];
+ char *nm = "?";
+
if (file) {
struct path *path = &file->f_path;
- nm = d_path(path, buf, PAGE_SIZE - 1);
+ nm = d_path(path, buf, ARC_PATH_MAX-1);
inode = file_inode(vma->vm_file);
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
@@ -165,13 +170,8 @@ void show_regs(struct pt_regs *regs)
{
struct task_struct *tsk = current;
struct callee_regs *cregs;
- char *buf;
- buf = (char *)__get_free_page(GFP_TEMPORARY);
- if (!buf)
- return;
-
- print_task_path_n_nm(tsk, buf);
+ print_task_path_n_nm(tsk);
show_regs_print_info(KERN_INFO);
show_ecr_verbose(regs);
@@ -181,7 +181,7 @@ void show_regs(struct pt_regs *regs)
(void *)regs->blink, (void *)regs->ret);
if (user_mode(regs))
- show_faulting_vma(regs->ret, buf); /* faulting code, not data */
+ show_faulting_vma(regs->ret); /* faulting code, not data */
pr_info("[STAT32]: 0x%08lx", regs->status32);
@@ -205,8 +205,6 @@ void show_regs(struct pt_regs *regs)
cregs = (struct callee_regs *)current->thread.callee_reg;
if (cregs)
show_callee_regs(cregs);
-
- free_page((unsigned long)buf);
}
void show_kernel_fault_diag(const char *str, struct pt_regs *regs,
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 054/202] tty/n_hdlc: fix __might_sleep warning
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (68 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 170/202] KEYS: restrict /proc/keys by credentials at open time Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 147/202] net: fix IPv6 prefix route residue Ben Hutchings
` (132 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, syzbot, Greg Kroah-Hartman, Paul Fulghum,
Arnd Bergmann, Tetsuo Handa, Alan Cox
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Fulghum <paulkf@microgate.com>
commit fc01d8c61ce02c034e67378cd3e645734bc18c8c upstream.
Fix __might_sleep warning[1] in tty/n_hdlc.c read due to copy_to_user
call while current is TASK_INTERRUPTIBLE. This is a false positive
since the code path does not depend on current state remaining
TASK_INTERRUPTIBLE. The loop breaks out and sets TASK_RUNNING after
calling copy_to_user.
This patch supresses the warning by setting TASK_RUNNING before calling
copy_to_user.
[1] https://syzkaller.appspot.com/bug?id=17d5de7f1fcab794cb8c40032f893f52de899324
Signed-off-by: Paul Fulghum <paulkf@microgate.com>
Reported-by: syzbot <syzbot+c244af085a0159d22879@syzkaller.appspotmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/n_hdlc.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -598,6 +598,7 @@ static ssize_t n_hdlc_tty_read(struct tt
/* too large for caller's buffer */
ret = -EOVERFLOW;
} else {
+ __set_current_state(TASK_RUNNING);
if (copy_to_user(buf, rbuf->buf, rbuf->count))
ret = -EFAULT;
else
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 030/202] i2c: dev: prevent adapter retries and timeout being set as minus value
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (110 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 171/202] KEYS: always initialize keyring_index_key::desc_len Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 186/202] media: em28xx: Fix use-after-free when disconnecting Ben Hutchings
` (90 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Wolfram Sang, Yi Zeng
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yi Zeng <yizeng@asrmicro.com>
commit 6ebec961d59bccf65d08b13fc1ad4e6272a89338 upstream.
If adapter->retries is set to a minus value from user space via ioctl,
it will make __i2c_transfer and __i2c_smbus_xfer skip the calling to
adapter->algo->master_xfer and adapter->algo->smbus_xfer that is
registered by the underlying bus drivers, and return value 0 to all the
callers. The bus driver will never be accessed anymore by all users,
besides, the users may still get successful return value without any
error or information log print out.
If adapter->timeout is set to minus value from user space via ioctl,
it will make the retrying loop in __i2c_transfer and __i2c_smbus_xfer
always break after the the first try, due to the time_after always
returns true.
Signed-off-by: Yi Zeng <yizeng@asrmicro.com>
[wsa: minor grammar updates to commit message]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/i2c/i2c-dev.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -467,9 +467,15 @@ static long i2cdev_ioctl(struct file *fi
return i2cdev_ioctl_smbus(client, arg);
case I2C_RETRIES:
+ if (arg > INT_MAX)
+ return -EINVAL;
+
client->adapter->retries = arg;
break;
case I2C_TIMEOUT:
+ if (arg > INT_MAX)
+ return -EINVAL;
+
/* For historical reasons, user-space sets the timeout
* value in units of 10 ms.
*/
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 024/202] drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (179 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 105/202] Input: bma150 - register input device after setting private data Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 075/202] CIFS: Do not count -ENODATA as failure for query directory Ben Hutchings
` (21 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, saahriktu, Ivan Mironov, Daniel Vetter
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Mironov <mironov.ivan@gmail.com>
commit 62d85b3bf9d978ed4b6b2aeef5cf0ccf1423906e upstream.
SDL 1.2 sets all fields related to the pixel format to zero in some
cases[1]. Prior to commit db05c48197759 ("drm: fb-helper: Reject all
pixel format changing requests"), there was an unintentional workaround
for this that existed for more than a decade. First in device-specific DRM
drivers, then here in drm_fb_helper.c.
Previous code containing this workaround just ignores pixel format fields
from userspace code. Not a good thing either, as this way, driver may
silently use pixel format different from what client actually requested,
and this in turn will lead to displaying garbage on the screen. I think
that returning EINVAL to userspace in this particular case is the right
option, so I decided to left code from problematic commit untouched
instead of just reverting it entirely.
Here is the steps required to reproduce this problem exactly:
1) Compile fceux[2] with SDL 1.2.15 and without GTK or OpenGL
support. SDL should be compiled with fbdev support (which is
on by default).
2) Create /etc/fb.modes with following contents (values seems
not used, and just required to trigger problematic code in
SDL):
mode "test"
geometry 1 1 1 1 1
timings 1 1 1 1 1 1 1
endmode
3) Create ~/.fceux/fceux.cfg with following contents:
SDL.Hotkeys.Quit = 27
SDL.DoubleBuffering = 1
4) Ensure that screen resolution is at least 1280x960 (e.g.
append "video=Virtual-1:1280x960-32" to the kernel cmdline
for qemu/QXL).
5) Try to run fceux on VT with some ROM file[3]:
# ./fceux color_test.nes
[1] SDL 1.2.15 source code, src/video/fbcon/SDL_fbvideo.c,
FB_SetVideoMode()
[2] http://www.fceux.com
[3] Example ROM: https://github.com/bokuweb/rustynes/blob/master/roms/color_test.nes
Reported-by: saahriktu <mail@saahriktu.org>
Suggested-by: saahriktu <mail@saahriktu.org>
Fixes: db05c48197759 ("drm: fb-helper: Reject all pixel format changing requests")
Signed-off-by: Ivan Mironov <mironov.ivan@gmail.com>
[danvet: Delete misleading comment.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20190108072353.28078-2-mironov.ivan@gmail.com
Link: https://patchwork.freedesktop.org/patch/msgid/20190108072353.28078-2-mironov.ivan@gmail.com
[bwh: Backported to 3.16:
- Use fb->depth instead of fb->format->depth
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/drm_fb_helper.c | 126 ++++++++++++++++++--------------
1 file changed, 73 insertions(+), 53 deletions(-)
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -769,6 +769,64 @@ static bool drm_fb_pixel_format_equal(co
var_1->transp.msb_right == var_2->transp.msb_right;
}
+static void drm_fb_helper_fill_pixel_fmt(struct fb_var_screeninfo *var,
+ u8 depth)
+{
+ switch (depth) {
+ case 8:
+ var->red.offset = 0;
+ var->green.offset = 0;
+ var->blue.offset = 0;
+ var->red.length = 8; /* 8bit DAC */
+ var->green.length = 8;
+ var->blue.length = 8;
+ var->transp.offset = 0;
+ var->transp.length = 0;
+ break;
+ case 15:
+ var->red.offset = 10;
+ var->green.offset = 5;
+ var->blue.offset = 0;
+ var->red.length = 5;
+ var->green.length = 5;
+ var->blue.length = 5;
+ var->transp.offset = 15;
+ var->transp.length = 1;
+ break;
+ case 16:
+ var->red.offset = 11;
+ var->green.offset = 5;
+ var->blue.offset = 0;
+ var->red.length = 5;
+ var->green.length = 6;
+ var->blue.length = 5;
+ var->transp.offset = 0;
+ break;
+ case 24:
+ var->red.offset = 16;
+ var->green.offset = 8;
+ var->blue.offset = 0;
+ var->red.length = 8;
+ var->green.length = 8;
+ var->blue.length = 8;
+ var->transp.offset = 0;
+ var->transp.length = 0;
+ break;
+ case 32:
+ var->red.offset = 16;
+ var->green.offset = 8;
+ var->blue.offset = 0;
+ var->red.length = 8;
+ var->green.length = 8;
+ var->blue.length = 8;
+ var->transp.offset = 24;
+ var->transp.length = 8;
+ break;
+ default:
+ break;
+ }
+}
+
/**
* drm_fb_helper_check_var - implementation for ->fb_check_var
* @var: screeninfo to check
@@ -796,6 +854,20 @@ int drm_fb_helper_check_var(struct fb_va
}
/*
+ * Workaround for SDL 1.2, which is known to be setting all pixel format
+ * fields values to zero in some cases. We treat this situation as a
+ * kind of "use some reasonable autodetected values".
+ */
+ if (!var->red.offset && !var->green.offset &&
+ !var->blue.offset && !var->transp.offset &&
+ !var->red.length && !var->green.length &&
+ !var->blue.length && !var->transp.length &&
+ !var->red.msb_right && !var->green.msb_right &&
+ !var->blue.msb_right && !var->transp.msb_right) {
+ drm_fb_helper_fill_pixel_fmt(var, fb->depth);
+ }
+
+ /*
* drm fbdev emulation doesn't support changing the pixel format at all,
* so reject all pixel format changing requests.
*/
@@ -1058,59 +1130,7 @@ void drm_fb_helper_fill_var(struct fb_in
info->var.height = -1;
info->var.width = -1;
- switch (fb->depth) {
- case 8:
- info->var.red.offset = 0;
- info->var.green.offset = 0;
- info->var.blue.offset = 0;
- info->var.red.length = 8; /* 8bit DAC */
- info->var.green.length = 8;
- info->var.blue.length = 8;
- info->var.transp.offset = 0;
- info->var.transp.length = 0;
- break;
- case 15:
- info->var.red.offset = 10;
- info->var.green.offset = 5;
- info->var.blue.offset = 0;
- info->var.red.length = 5;
- info->var.green.length = 5;
- info->var.blue.length = 5;
- info->var.transp.offset = 15;
- info->var.transp.length = 1;
- break;
- case 16:
- info->var.red.offset = 11;
- info->var.green.offset = 5;
- info->var.blue.offset = 0;
- info->var.red.length = 5;
- info->var.green.length = 6;
- info->var.blue.length = 5;
- info->var.transp.offset = 0;
- break;
- case 24:
- info->var.red.offset = 16;
- info->var.green.offset = 8;
- info->var.blue.offset = 0;
- info->var.red.length = 8;
- info->var.green.length = 8;
- info->var.blue.length = 8;
- info->var.transp.offset = 0;
- info->var.transp.length = 0;
- break;
- case 32:
- info->var.red.offset = 16;
- info->var.green.offset = 8;
- info->var.blue.offset = 0;
- info->var.red.length = 8;
- info->var.green.length = 8;
- info->var.blue.length = 8;
- info->var.transp.offset = 24;
- info->var.transp.length = 8;
- break;
- default:
- break;
- }
+ drm_fb_helper_fill_pixel_fmt(&info->var, fb->depth);
info->var.xres = fb_width;
info->var.yres = fb_height;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 032/202] cifs: Fix potential OOB access of lock element array
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (11 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 007/202] ALSA: usb-audio: Always check descriptor sizes in parser code Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 082/202] skge: potential memory corruption in skge_get_regs() Ben Hutchings
` (189 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Steve French, Ross Lagerwall
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ross Lagerwall <ross.lagerwall@citrix.com>
commit b9a74cde94957d82003fb9f7ab4777938ca851cd upstream.
If maxBuf is small but non-zero, it could result in a zero sized lock
element array which we would then try and access OOB.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/file.c | 8 ++++----
fs/cifs/smb2file.c | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -1066,10 +1066,10 @@ cifs_push_mandatory_locks(struct cifsFil
/*
* Accessing maxBuf is racy with cifs_reconnect - need to store value
- * and check it for zero before using.
+ * and check it before using.
*/
max_buf = tcon->ses->server->maxBuf;
- if (!max_buf) {
+ if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
free_xid(xid);
return -EINVAL;
}
@@ -1403,10 +1403,10 @@ cifs_unlock_range(struct cifsFileInfo *c
/*
* Accessing maxBuf is racy with cifs_reconnect - need to store value
- * and check it for zero before using.
+ * and check it before using.
*/
max_buf = tcon->ses->server->maxBuf;
- if (!max_buf)
+ if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
return -EINVAL;
max_num = (max_buf - sizeof(struct smb_hdr)) /
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -101,10 +101,10 @@ smb2_unlock_range(struct cifsFileInfo *c
/*
* Accessing maxBuf is racy with cifs_reconnect - need to store value
- * and check it for zero before using.
+ * and check it before using.
*/
max_buf = tcon->ses->server->maxBuf;
- if (!max_buf)
+ if (max_buf < sizeof(struct smb2_lock_element))
return -EINVAL;
max_num = max_buf / sizeof(struct smb2_lock_element);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 044/202] fuse: call pipe_buf_release() under pipe lock
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (163 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 148/202] x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 011/202] USB: storage: don't insert sane sense for SPC3+ when bad sense specified Ben Hutchings
` (37 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Miklos Szeredi, Jann Horn
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream.
Some of the pipe_buf_release() handlers seem to assume that the pipe is
locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
without taking any extra locks. From a glance through the callers of
pipe_buf_release(), it looks like FUSE is the only one that calls
pipe_buf_release() without having the pipe locked.
This bug should only lead to a memory leak, nothing terrible.
Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/fuse/dev.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1978,10 +1978,12 @@ static ssize_t fuse_dev_splice_write(str
ret = fuse_dev_do_write(fc, &cs, len);
+ pipe_lock(pipe);
for (idx = 0; idx < nbuf; idx++) {
struct pipe_buffer *buf = &bufs[idx];
buf->ops->release(pipe, buf);
}
+ pipe_unlock(pipe);
out:
kfree(bufs);
return ret;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 031/202] CIFS: Do not hide EINTR after sending network packets
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (148 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 168/202] ARC: U-boot: check arguments paranoidly Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 182/202] netlabel: fix out-of-bounds memory accesses Ben Hutchings
` (52 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Steve French, Jeff Layton, Pavel Shilovsky
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Shilovsky <pshilov@microsoft.com>
commit ee13919c2e8d1f904e035ad4b4239029a8994131 upstream.
Currently we hide EINTR code returned from sock_sendmsg()
and return 0 instead. This makes a caller think that we
successfully completed the network operation which is not
true. Fix this by properly returning EINTR to callers.
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/transport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -376,7 +376,7 @@ uncork:
if (rc < 0 && rc != -EINTR)
cifs_dbg(VFS, "Error %d sending data on socket to server\n",
rc);
- else
+ else if (rc > 0)
rc = 0;
return rc;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 048/202] USB: serial: pl2303: add new PID to support PL2303TB
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (200 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 008/202] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 18:41 ` [PATCH 3.16 000/202] 3.16.66-rc1 review Guenter Roeck
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Charles Yeh, Johan Hovold
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Charles Yeh <charlesyeh522@gmail.com>
commit 4dcf9ddc9ad5ab649abafa98c5a4d54b1a33dabb upstream.
Add new PID to support PL2303TB (TYPE_HX)
Signed-off-by: Charles Yeh <charlesyeh522@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/pl2303.c | 1 +
drivers/usb/serial/pl2303.h | 2 ++
2 files changed, 3 insertions(+)
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -47,6 +47,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_HCR331) },
{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MOTOROLA) },
{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ZTEK) },
+ { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_TB) },
{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID) },
{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID_RSAQ5) },
{ USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID) },
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -13,6 +13,7 @@
#define PL2303_VENDOR_ID 0x067b
#define PL2303_PRODUCT_ID 0x2303
+#define PL2303_PRODUCT_ID_TB 0x2304
#define PL2303_PRODUCT_ID_RSAQ2 0x04bb
#define PL2303_PRODUCT_ID_DCU11 0x1234
#define PL2303_PRODUCT_ID_PHAROS 0xaaa0
@@ -25,6 +26,7 @@
#define PL2303_PRODUCT_ID_MOTOROLA 0x0307
#define PL2303_PRODUCT_ID_ZTEK 0xe1f1
+
#define ATEN_VENDOR_ID 0x0557
#define ATEN_VENDOR_ID2 0x0547
#define ATEN_PRODUCT_ID 0x2008
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 159/202] dm thin: fix bug where bio that overwrites thin block ignores FUA
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (73 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 164/202] scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 165/202] ceph: avoid repeatedly adding inode to mdsc->snap_flush_list Ben Hutchings
` (127 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Nikos Tsironis, Mikulas Patocka,
Mike Snitzer, Joe Thornber
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nikos Tsironis <ntsironis@arrikto.com>
commit 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 upstream.
When provisioning a new data block for a virtual block, either because
the block was previously unallocated or because we are breaking sharing,
if the whole block of data is being overwritten the bio that triggered
the provisioning is issued immediately, skipping copying or zeroing of
the data block.
When this bio completes the new mapping is inserted in to the pool's
metadata by process_prepared_mapping(), where the bio completion is
signaled to the upper layers.
This completion is signaled without first committing the metadata. If
the bio in question has the REQ_FUA flag set and the system crashes
right after its completion and before the next metadata commit, then the
write is lost despite the REQ_FUA flag requiring that I/O completion for
this request must only be signaled after the data has been committed to
non-volatile storage.
Fix this by deferring the completion of overwrite bios, with the REQ_FUA
flag set, until after the metadata has been committed.
Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com>
Acked-by: Joe Thornber <ejt@redhat.com>
Acked-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
[bwh: Backported to 3.16:
- bio_endio() takes an error parameter
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/md/dm-thin.c | 55 ++++++++++++++++++++++++++++++++++++++++----
1 file changed, 50 insertions(+), 5 deletions(-)
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -185,6 +185,7 @@ struct pool {
spinlock_t lock;
struct bio_list deferred_flush_bios;
+ struct bio_list deferred_flush_completions;
struct list_head prepared_mappings;
struct list_head prepared_discards;
struct list_head active_thins;
@@ -665,6 +666,39 @@ static void process_prepared_mapping_fai
mempool_free(m, m->tc->pool->mapping_pool);
}
+static void complete_overwrite_bio(struct thin_c *tc, struct bio *bio)
+{
+ struct pool *pool = tc->pool;
+ unsigned long flags;
+
+ /*
+ * If the bio has the REQ_FUA flag set we must commit the metadata
+ * before signaling its completion.
+ */
+ if (!bio_triggers_commit(tc, bio)) {
+ bio_endio(bio, 0);
+ return;
+ }
+
+ /*
+ * Complete bio with an error if earlier I/O caused changes to the
+ * metadata that can't be committed, e.g, due to I/O errors on the
+ * metadata device.
+ */
+ if (dm_thin_aborted_changes(tc->td)) {
+ bio_io_error(bio);
+ return;
+ }
+
+ /*
+ * Batch together any bios that trigger commits and then issue a
+ * single commit for them in process_deferred_bios().
+ */
+ spin_lock_irqsave(&pool->lock, flags);
+ bio_list_add(&pool->deferred_flush_completions, bio);
+ spin_unlock_irqrestore(&pool->lock, flags);
+}
+
static void process_prepared_mapping(struct dm_thin_new_mapping *m)
{
struct thin_c *tc = m->tc;
@@ -703,7 +737,7 @@ static void process_prepared_mapping(str
*/
if (bio) {
cell_defer_no_holder(tc, m->cell);
- bio_endio(bio, 0);
+ complete_overwrite_bio(tc, bio);
} else
cell_defer(tc, m->cell);
@@ -1575,7 +1609,7 @@ static void process_deferred_bios(struct
{
unsigned long flags;
struct bio *bio;
- struct bio_list bios;
+ struct bio_list bios, bio_completions;
struct thin_c *tc;
tc = get_first_thin(pool);
@@ -1585,26 +1619,36 @@ static void process_deferred_bios(struct
}
/*
- * If there are any deferred flush bios, we must commit
- * the metadata before issuing them.
+ * If there are any deferred flush bios, we must commit the metadata
+ * before issuing them or signaling their completion.
*/
bio_list_init(&bios);
+ bio_list_init(&bio_completions);
+
spin_lock_irqsave(&pool->lock, flags);
bio_list_merge(&bios, &pool->deferred_flush_bios);
bio_list_init(&pool->deferred_flush_bios);
+
+ bio_list_merge(&bio_completions, &pool->deferred_flush_completions);
+ bio_list_init(&pool->deferred_flush_completions);
spin_unlock_irqrestore(&pool->lock, flags);
- if (bio_list_empty(&bios) &&
+ if (bio_list_empty(&bios) && bio_list_empty(&bio_completions) &&
!(dm_pool_changed_this_transaction(pool->pmd) && need_commit_due_to_time(pool)))
return;
if (commit(pool)) {
+ bio_list_merge(&bios, &bio_completions);
+
while ((bio = bio_list_pop(&bios)))
bio_io_error(bio);
return;
}
pool->last_commit_jiffies = jiffies;
+ while ((bio = bio_list_pop(&bio_completions)))
+ bio_endio(bio, 0);
+
while ((bio = bio_list_pop(&bios)))
generic_make_request(bio);
}
@@ -2174,6 +2218,7 @@ static struct pool *pool_create(struct m
INIT_DELAYED_WORK(&pool->no_space_timeout, do_no_space_timeout);
spin_lock_init(&pool->lock);
bio_list_init(&pool->deferred_flush_bios);
+ bio_list_init(&pool->deferred_flush_completions);
INIT_LIST_HEAD(&pool->prepared_mappings);
INIT_LIST_HEAD(&pool->prepared_discards);
INIT_LIST_HEAD(&pool->active_thins);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 186/202] media: em28xx: Fix use-after-free when disconnecting
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (111 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 030/202] i2c: dev: prevent adapter retries and timeout being set as minus value Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 139/202] sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() Ben Hutchings
` (89 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab, Matthias Schwarzott
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Schwarzott <zzam@gentoo.org>
commit 910b0797fa9e8af09c44a3fa36cb310ba7a7218d upstream.
Fix bug by moving the i2c_unregister_device calls after deregistration
of dvb frontend.
The new style i2c drivers already destroys the frontend object at
i2c_unregister_device time.
When the dvb frontend is unregistered afterwards it leads to this oops:
[ 6058.866459] BUG: unable to handle kernel NULL pointer dereference at 00000000000001f8
[ 6058.866578] IP: dvb_frontend_stop+0x30/0xd0 [dvb_core]
[ 6058.866644] PGD 0
[ 6058.866646] P4D 0
[ 6058.866726] Oops: 0000 [#1] SMP
[ 6058.866768] Modules linked in: rc_pinnacle_pctv_hd(O) em28xx_rc(O) si2157(O) si2168(O) em28xx_dvb(O) em28xx(O) si2165(O) a8293(O) tda10071(O) tea5767(O) tuner(O) cx23885(O) tda18271(O) videobuf2_dvb(O) videobuf2_dma_sg(O) m88ds3103(O) tveeprom(O) cx2341x(O) v4l2_common(O) dvb_core(O) rc_core(O) videobuf2_memops(O) videobuf2_v4l2(O) videobuf2_core(O) videodev(O) media(O) bluetooth ecdh_generic ums_realtek uas rtl8192cu rtl_usb rtl8192c_common rtlwifi usb_storage snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic i2c_mux snd_hda_intel snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core kvm_intel kvm irqbypass [last unloaded: videobuf2_memops]
[ 6058.867497] CPU: 2 PID: 7349 Comm: kworker/2:0 Tainted: G W O 4.13.9-gentoo #1
[ 6058.867595] Hardware name: MEDION E2050 2391/H81H3-EM2, BIOS H81EM2W08.308 08/25/2014
[ 6058.867692] Workqueue: usb_hub_wq hub_event
[ 6058.867746] task: ffff88011a15e040 task.stack: ffffc90003074000
[ 6058.867825] RIP: 0010:dvb_frontend_stop+0x30/0xd0 [dvb_core]
[ 6058.867896] RSP: 0018:ffffc90003077b58 EFLAGS: 00010293
[ 6058.867964] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000010040001f
[ 6058.868056] RDX: ffff88011a15e040 RSI: ffffea000464e400 RDI: ffff88001cbe3028
[ 6058.868150] RBP: ffffc90003077b68 R08: ffff880119390380 R09: 000000010040001f
[ 6058.868241] R10: ffffc90003077b18 R11: 000000000001e200 R12: ffff88001cbe3028
[ 6058.868330] R13: ffff88001cbe68d0 R14: ffff8800cf734000 R15: ffff8800cf734098
[ 6058.868419] FS: 0000000000000000(0000) GS:ffff88011fb00000(0000) knlGS:0000000000000000
[ 6058.868511] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6058.868578] CR2: 00000000000001f8 CR3: 00000001113c5000 CR4: 00000000001406e0
[ 6058.868662] Call Trace:
[ 6058.868705] dvb_unregister_frontend+0x2a/0x80 [dvb_core]
[ 6058.868774] em28xx_dvb_fini+0x132/0x220 [em28xx_dvb]
[ 6058.868840] em28xx_close_extension+0x34/0x90 [em28xx]
[ 6058.868902] em28xx_usb_disconnect+0x4e/0x70 [em28xx]
[ 6058.868968] usb_unbind_interface+0x6d/0x260
[ 6058.869025] device_release_driver_internal+0x150/0x210
[ 6058.869094] device_release_driver+0xd/0x10
[ 6058.869150] bus_remove_device+0xe4/0x160
[ 6058.869204] device_del+0x1ce/0x2f0
[ 6058.869253] usb_disable_device+0x99/0x270
[ 6058.869306] usb_disconnect+0x8d/0x260
[ 6058.869359] hub_event+0x93d/0x1520
[ 6058.869408] ? dequeue_task_fair+0xae5/0xd20
[ 6058.869467] process_one_work+0x1d9/0x3e0
[ 6058.869522] worker_thread+0x43/0x3e0
[ 6058.869576] kthread+0x104/0x140
[ 6058.869602] ? trace_event_raw_event_workqueue_work+0x80/0x80
[ 6058.869640] ? kthread_create_on_node+0x40/0x40
[ 6058.869673] ret_from_fork+0x22/0x30
[ 6058.869698] Code: 54 49 89 fc 53 48 8b 9f 18 03 00 00 0f 1f 44 00 00 41 83 bc 24 04 05 00 00 02 74 0c 41 c7 84 24 04 05 00 00 01 00 00 00 0f ae f0 <48> 8b bb f8 01 00 00 48 85 ff 74 5c e8 df 40 f0 e0 48 8b 93 f8
[ 6058.869850] RIP: dvb_frontend_stop+0x30/0xd0 [dvb_core] RSP: ffffc90003077b58
[ 6058.869894] CR2: 00000000000001f8
[ 6058.875880] ---[ end trace 717eecf7193b3fc6 ]---
Signed-off-by: Matthias Schwarzott <zzam@gentoo.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/usb/em28xx/em28xx-dvb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/usb/em28xx/em28xx-dvb.c
+++ b/drivers/media/usb/em28xx/em28xx-dvb.c
@@ -1651,6 +1651,8 @@ static int em28xx_dvb_fini(struct em28xx
prevent_sleep(&dvb->fe[1]->ops);
}
+ em28xx_unregister_dvb(dvb);
+
/* remove I2C tuner */
if (client) {
module_put(client->dev.driver->owner);
@@ -1664,7 +1666,6 @@ static int em28xx_dvb_fini(struct em28xx
i2c_unregister_device(client);
}
- em28xx_unregister_dvb(dvb);
kfree(dvb);
dev->dvb = NULL;
kref_put(&dev->ref, em28xx_free_device);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 183/202] net: netem: fix skb length BUG_ON in __skb_to_sgvec
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (97 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 122/202] parisc: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 110/202] blackfin: Use get_signal() signal_setup_done() Ben Hutchings
` (103 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Qin Ji, Sheng Lan, Eric Dumazet,
David S. Miller, Eric Dumazet
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sheng Lan <lansheng@huawei.com>
commit 5845f706388a4cde0f6b80f9e5d33527e942b7d9 upstream.
It can be reproduced by following steps:
1. virtio_net NIC is configured with gso/tso on
2. configure nginx as http server with an index file bigger than 1M bytes
3. use tc netem to produce duplicate packets and delay:
tc qdisc add dev eth0 root netem delay 100ms 10ms 30% duplicate 90%
4. continually curl the nginx http server to get index file on client
5. BUG_ON is seen quickly
[10258690.371129] kernel BUG at net/core/skbuff.c:4028!
[10258690.371748] invalid opcode: 0000 [#1] SMP PTI
[10258690.372094] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.0.0-rc6 #2
[10258690.372094] RSP: 0018:ffffa05797b43da0 EFLAGS: 00010202
[10258690.372094] RBP: 00000000000005ea R08: 0000000000000000 R09: 00000000000005ea
[10258690.372094] R10: ffffa0579334d800 R11: 00000000000002c0 R12: 0000000000000002
[10258690.372094] R13: 0000000000000000 R14: ffffa05793122900 R15: ffffa0578f7cb028
[10258690.372094] FS: 0000000000000000(0000) GS:ffffa05797b40000(0000) knlGS:0000000000000000
[10258690.372094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[10258690.372094] CR2: 00007f1a6dc00868 CR3: 000000001000e000 CR4: 00000000000006e0
[10258690.372094] Call Trace:
[10258690.372094] <IRQ>
[10258690.372094] skb_to_sgvec+0x11/0x40
[10258690.372094] start_xmit+0x38c/0x520 [virtio_net]
[10258690.372094] dev_hard_start_xmit+0x9b/0x200
[10258690.372094] sch_direct_xmit+0xff/0x260
[10258690.372094] __qdisc_run+0x15e/0x4e0
[10258690.372094] net_tx_action+0x137/0x210
[10258690.372094] __do_softirq+0xd6/0x2a9
[10258690.372094] irq_exit+0xde/0xf0
[10258690.372094] smp_apic_timer_interrupt+0x74/0x140
[10258690.372094] apic_timer_interrupt+0xf/0x20
[10258690.372094] </IRQ>
In __skb_to_sgvec(), the skb->len is not equal to the sum of the skb's
linear data size and nonlinear data size, thus BUG_ON triggered.
Because the skb is cloned and a part of nonlinear data is split off.
Duplicate packet is cloned in netem_enqueue() and may be delayed
some time in qdisc. When qdisc len reached the limit and returns
NET_XMIT_DROP, the skb will be retransmit later in write queue.
the skb will be fragmented by tso_fragment(), the limit size
that depends on cwnd and mss decrease, the skb's nonlinear
data will be split off. The length of the skb cloned by netem
will not be updated. When we use virtio_net NIC and invoke skb_to_sgvec(),
the BUG_ON trigger.
To fix it, netem returns NET_XMIT_SUCCESS to upper stack
when it clones a duplicate packet.
Fixes: 35d889d1 ("sch_netem: fix skb leak in netem_enqueue()")
Signed-off-by: Sheng Lan <lansheng@huawei.com>
Reported-by: Qin Ji <jiqin.ji@huawei.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: netem_enqueue() may call qdisc_reshape_fail();
keep returning NET_XMIT_SUCCESS if that succeeds]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -444,6 +444,7 @@ static int netem_enqueue(struct sk_buff
int nb = 0;
int count = 1;
int rc = NET_XMIT_SUCCESS;
+ int rc_drop = NET_XMIT_DROP;
/* Random duplication */
if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor))
@@ -480,6 +481,7 @@ static int netem_enqueue(struct sk_buff
qdisc_enqueue_root(skb2, rootq);
q->duplicate = dupsave;
+ rc_drop = NET_XMIT_SUCCESS;
}
/*
@@ -492,7 +494,7 @@ static int netem_enqueue(struct sk_buff
if (skb_is_gso(skb)) {
segs = netem_segment(skb, sch);
if (!segs)
- return NET_XMIT_DROP;
+ return rc_drop;
} else {
segs = skb;
}
@@ -514,8 +516,10 @@ static int netem_enqueue(struct sk_buff
if (unlikely(skb_queue_len(&sch->q) >= sch->limit)) {
/* qdisc_reshape_fail() can't handle segmented skb */
if (segs)
- return qdisc_drop_all(skb, sch);
- return qdisc_reshape_fail(skb, sch);
+ qdisc_drop_all(skb, sch);
+ else if (qdisc_reshape_fail(skb, sch) == NET_XMIT_SUCCESS)
+ return NET_XMIT_SUCCESS;
+ return rc_drop;
}
sch->qstats.backlog += qdisc_pkt_len(skb);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 184/202] ipc/shm: Fix pid freeing.
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (115 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 033/202] omap2fb: Fix stack memory disclosure Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 067/202] KVM: x86: Fix single-step debugging Ben Hutchings
` (85 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Nagarathnam Muthusamy, kernel test robot,
Eric W. Biederman
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 2236d4d39035b9839944603ec4b65ce71180a9ea upstream.
The 0day kernel test build report reported an oops:
>
> IP: put_pid+0x22/0x5c
> PGD 19efa067 P4D 19efa067 PUD 0
> Oops: 0000 [#1]
> CPU: 0 PID: 727 Comm: trinity Not tainted 4.16.0-rc2-00010-g98f929b #1
> RIP: 0010:put_pid+0x22/0x5c
> RSP: 0018:ffff986719f73e48 EFLAGS: 00010202
> RAX: 00000006d765f710 RBX: ffff98671a4fa4d0 RCX: ffff986719f73d40
> RDX: 000000006f6e6125 RSI: 0000000000000000 RDI: ffffffffa01e6d21
> RBP: ffffffffa0955fe0 R08: 0000000000000020 R09: 0000000000000000
> R10: 0000000000000078 R11: ffff986719f73e76 R12: 0000000000001000
> R13: 00000000ffffffea R14: 0000000054000fb0 R15: 0000000000000000
> FS: 00000000028c2880(0000) GS:ffffffffa06ad000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000677846439 CR3: 0000000019fc1005 CR4: 00000000000606b0
> Call Trace:
> ? ipc_update_pid+0x36/0x3e
> ? newseg+0x34c/0x3a6
> ? ipcget+0x5d/0x528
> ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
> ? SyS_shmget+0x5a/0x84
> ? do_syscall_64+0x194/0x1b3
> ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
> Code: ff 05 e7 20 9b 03 58 c9 c3 48 ff 05 85 21 9b 03 48 85 ff 74 4f 8b 47 04 8b 17 48 ff 05 7c 21 9b 03 48 83 c0 03 48 c1 e0 04 ff ca <48> 8b 44 07 08 74 1f 48 ff 05 6c 21 9b 03 ff 0f 0f 94 c2 48 ff
> RIP: put_pid+0x22/0x5c RSP: ffff986719f73e48
> CR2: 0000000677846439
> ---[ end trace ab8c5cb4389d37c5 ]---
> Kernel panic - not syncing: Fatal exception
In newseg when changing shm_cprid and shm_lprid from pid_t to struct
pid* I misread the kvmalloc as kvzalloc and thought shp was
initialized to 0. As that is not the case it is not safe to for the
error handling to address shm_cprid and shm_lprid before they are
initialized.
Therefore move the cleanup of shm_cprid and shm_lprid from the no_file
error cleanup path to the no_id error cleanup path. Ensuring that an
early error exit won't cause the oops above.
Reported-by: kernel test robot <fengguang.wu@intel.com>
Reviewed-by: Nagarathnam Muthusamy <nagarathnam.muthusamy@oracle.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
ipc/shm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -620,12 +620,12 @@ static int newseg(struct ipc_namespace *
return error;
no_id:
+ ipc_update_pid(&shp->shm_cprid, NULL);
+ ipc_update_pid(&shp->shm_lprid, NULL);
if (is_file_hugepages(file) && shp->mlock_user)
user_shm_unlock(size, shp->mlock_user);
fput(file);
no_file:
- ipc_update_pid(&shp->shm_cprid, NULL);
- ipc_update_pid(&shp->shm_lprid, NULL);
ipc_rcu_putref(shp, shm_rcu_free);
return error;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 178/202] net: phy: Micrel KSZ8061: link failure after cable connect
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (80 preceding siblings ...)
2019-04-27 15:13 ` [Bridge] " Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 151/202] net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec Ben Hutchings
` (120 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David S. Miller, Andrew Lunn,
Rajasingh Thavamani, Alexander Onnasch
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Rajasingh Thavamani <T.Rajasingh@landisgyr.com>
commit 232ba3a51cc224b339c7114888ed7f0d4d95695e upstream.
With Micrel KSZ8061 PHY, the link may occasionally not come up after
Ethernet cable connect. The vendor's (Microchip, former Micrel) errata
sheet 80000688A.pdf descripes the problem and possible workarounds in
detail, see below.
The batch implements workaround 1, which permanently fixes the issue.
DESCRIPTION
Link-up may not occur properly when the Ethernet cable is initially
connected. This issue occurs more commonly when the cable is connected
slowly, but it may occur any time a cable is connected. This issue occurs
in the auto-negotiation circuit, and will not occur if auto-negotiation
is disabled (which requires that the two link partners be set to the
same speed and duplex).
END USER IMPLICATIONS
When this issue occurs, link is not established. Subsequent cable
plug/unplaug cycle will not correct the issue.
WORk AROUND
There are four approaches to work around this issue:
1. This issue can be prevented by setting bit 15 in MMD device address 1,
register 2, prior to connecting the cable or prior to setting the
Restart Auto-negotiation bit in register 0h. The MMD registers are
accessed via the indirect access registers Dh and Eh, or via the Micrel
EthUtil utility as shown here:
. if using the EthUtil utility (usually with a Micrel KSZ8061
Evaluation Board), type the following commands:
> address 1
> mmd 1
> iw 2 b61a
. Alternatively, write the following registers to write to the
indirect MMD register:
Write register Dh, data 0001h
Write register Eh, data 0002h
Write register Dh, data 4001h
Write register Eh, data B61Ah
2. The issue can be avoided by disabling auto-negotiation in the KSZ8061,
either by the strapping option, or by clearing bit 12 in register 0h.
Care must be taken to ensure that the KSZ8061 and the link partner
will link with the same speed and duplex. Note that the KSZ8061
defaults to full-duplex when auto-negotiation is off, but other
devices may default to half-duplex in the event of failed
auto-negotiation.
3. The issue can be avoided by connecting the cable prior to powering-up
or resetting the KSZ8061, and leaving it plugged in thereafter.
4. If the above measures are not taken and the problem occurs, link can
be recovered by setting the Restart Auto-Negotiation bit in
register 0h, or by resetting or power cycling the device. Reset may
be either hardware reset or software reset (register 0h, bit 15).
PLAN
This errata will not be corrected in the future revision.
Fixes: 7ab59dc15e2f ("drivers/net/phy/micrel_phy: Add support for new PHYs")
Signed-off-by: Alexander Onnasch <alexander.onnasch@landisgyr.com>
Signed-off-by: Rajasingh Thavamani <T.Rajasingh@landisgyr.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- Include <linux/mdio.h> for register definition
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -26,6 +26,7 @@
#include <linux/phy.h>
#include <linux/micrel_phy.h>
#include <linux/of.h>
+#include <linux/mdio.h>
/* Operation Mode Strap Override */
#define MII_KSZPHY_OMSO 0x16
@@ -211,6 +212,17 @@ static int ks8051_config_init(struct phy
return rc < 0 ? rc : 0;
}
+static int ksz8061_config_init(struct phy_device *phydev)
+{
+ int ret;
+
+ ret = phy_write_mmd(phydev, MDIO_MMD_PMAPMD, MDIO_DEVID1, 0xB61A);
+ if (ret)
+ return ret;
+
+ return kszphy_config_init(phydev);
+}
+
static int ksz9021_load_values_from_of(struct phy_device *phydev,
struct device_node *of_node, u16 reg,
char *field1, char *field2,
@@ -565,7 +577,7 @@ static struct phy_driver ksphy_driver[]
.phy_id_mask = 0x00fffff0,
.features = (PHY_BASIC_FEATURES | SUPPORTED_Pause),
.flags = PHY_HAS_MAGICANEG | PHY_HAS_INTERRUPT,
- .config_init = kszphy_config_init,
+ .config_init = ksz8061_config_init,
.config_aneg = genphy_config_aneg,
.read_status = genphy_read_status,
.ack_interrupt = kszphy_ack_interrupt,
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 196/202] brcmfmac: fix incorrect event channel deduction
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (63 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 140/202] ALSA: usb-audio: Fix implicit fb endpoint setup by quirk Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 104/202] mtd: rawnand: gpmi: fix MX28 bus master lockup problem Ben Hutchings
` (137 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Kalle Valo, Arend van Spriel, Gavin Li
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Gavin Li <git@thegavinli.com>
commit 8e290cecdd0178f3d4cf7d463c51dc7e462843b4 upstream.
brcmf_sdio_fromevntchan() was being called on the the data frame
rather than the software header, causing some frames to be
mischaracterized as on the event channel rather than the data channel.
This fixes a major performance regression (due to dropped packets). With
this patch the download speed jumped from 1Mbit/s back up to 40MBit/s due
to the sheer amount of packets being incorrectly processed.
Fixes: c56caa9db8ab ("brcmfmac: screening firmware event packet")
Signed-off-by: Gavin Li <git@thegavinli.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
[kvalo@codeaurora.org: improve commit logs based on email discussion]
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -1710,7 +1710,7 @@ static u8 brcmf_sdio_rxglom(struct brcmf
pfirst->len, pfirst->next,
pfirst->prev);
skb_unlink(pfirst, &bus->glom);
- if (brcmf_sdio_fromevntchan(pfirst->data))
+ if (brcmf_sdio_fromevntchan(&dptr[SDPCM_HWHDR_LEN]))
brcmf_rx_event(bus->sdiodev->dev, pfirst);
else
brcmf_rx_frame(bus->sdiodev->dev, pfirst,
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 185/202] [media] media: em28xx-dvb - fix em28xx_dvb_resume() to not unregister i2c and dvb
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (71 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 099/202] MIPS: Remove function size check in get_frame_info() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 164/202] scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached Ben Hutchings
` (129 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab, Shuah Khan, Antti Palosaari
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shuah Khan <shuah.kh@samsung.com>
commit 6eb5e3399e8f45aa191ad21c0556bece8ea559f2 upstream.
em28xx_dvb_resume() unregisters i2c tuner, i2c demod, and dvb.
This erroneous cleanup results in i2c tuner, i2c demod, and dvb
devices unregistered and removed during resume. This error is a
result of merge conflict between two patches that went into 3.15.
Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
Reviewed-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/usb/em28xx/em28xx-dvb.c | 17 -----------------
1 file changed, 17 deletions(-)
--- a/drivers/media/usb/em28xx/em28xx-dvb.c
+++ b/drivers/media/usb/em28xx/em28xx-dvb.c
@@ -1712,7 +1712,6 @@ static int em28xx_dvb_resume(struct em28
em28xx_info("Resuming DVB extension\n");
if (dev->dvb) {
struct em28xx_dvb *dvb = dev->dvb;
- struct i2c_client *client = dvb->i2c_client_tuner;
if (dvb->fe[0]) {
ret = dvb_frontend_resume(dvb->fe[0]);
@@ -1723,22 +1722,6 @@ static int em28xx_dvb_resume(struct em28
ret = dvb_frontend_resume(dvb->fe[1]);
em28xx_info("fe1 resume %d\n", ret);
}
- /* remove I2C tuner */
- if (client) {
- module_put(client->dev.driver->owner);
- i2c_unregister_device(client);
- }
-
- /* remove I2C demod */
- client = dvb->i2c_client_demod;
- if (client) {
- module_put(client->dev.driver->owner);
- i2c_unregister_device(client);
- }
-
- em28xx_unregister_dvb(dvb);
- kfree(dvb);
- dev->dvb = NULL;
}
return 0;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 191/202] perf/core: Fix perf_event_open() vs. execve() race
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (185 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 133/202] xtensa: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 015/202] ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages Ben Hutchings
` (15 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Stephane Eranian, Jiri Olsa,
Thomas Gleixner, Peter Zijlstra, Vince Weaver,
Arnaldo Carvalho de Melo, Jann Horn, Alexander Shishkin,
Ingo Molnar
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 79c9ce57eb2d5f1497546a3946b4ae21b6fdc438 upstream.
Jann reported that the ptrace_may_access() check in
find_lively_task_by_vpid() is racy against exec().
Specifically:
perf_event_open() execve()
ptrace_may_access()
commit_creds()
... if (get_dumpable() != SUID_DUMP_USER)
perf_event_exit_task();
perf_install_in_context()
would result in installing a counter across the creds boundary.
Fix this by wrapping lots of perf_event_open() in cred_guard_mutex.
This should be fine as perf_event_exit_task() is already called with
cred_guard_mutex held, so all perf locks already nest inside it.
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
- Update another failure path in perf_event_open()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/events/core.c | 52 ++++++++++++++++++++++++++++++--------------
1 file changed, 36 insertions(+), 16 deletions(-)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -936,6 +936,7 @@ static void put_ctx(struct perf_event_co
* function.
*
* Lock order:
+ * cred_guard_mutex
* task_struct::perf_event_mutex
* perf_event_context::mutex
* perf_event_context::lock
@@ -3231,7 +3232,6 @@ static struct task_struct *
find_lively_task_by_vpid(pid_t vpid)
{
struct task_struct *task;
- int err;
rcu_read_lock();
if (!vpid)
@@ -3245,16 +3245,7 @@ find_lively_task_by_vpid(pid_t vpid)
if (!task)
return ERR_PTR(-ESRCH);
- /* Reuse ptrace permission checks for now. */
- err = -EACCES;
- if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
- goto errout;
-
return task;
-errout:
- put_task_struct(task);
- return ERR_PTR(err);
-
}
/*
@@ -7491,18 +7482,36 @@ SYSCALL_DEFINE5(perf_event_open,
get_online_cpus();
+ if (task) {
+ err = mutex_lock_interruptible(&task->signal->cred_guard_mutex);
+ if (err)
+ goto err_cpus;
+
+ /*
+ * Reuse ptrace permission checks for now.
+ *
+ * We must hold cred_guard_mutex across this and any potential
+ * perf_install_in_context() call for this new event to
+ * serialize against exec() altering our credentials (and the
+ * perf_event_exit_task() that could imply).
+ */
+ err = -EACCES;
+ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
+ goto err_cred;
+ }
+
event = perf_event_alloc(&attr, cpu, task, group_leader, NULL,
NULL, NULL);
if (IS_ERR(event)) {
err = PTR_ERR(event);
- goto err_cpus;
+ goto err_cred;
}
if (flags & PERF_FLAG_PID_CGROUP) {
err = perf_cgroup_connect(pid, event, &attr, group_leader);
if (err) {
__free_event(event);
- goto err_cpus;
+ goto err_cred;
}
}
@@ -7552,11 +7561,6 @@ SYSCALL_DEFINE5(perf_event_open,
goto err_alloc;
}
- if (task) {
- put_task_struct(task);
- task = NULL;
- }
-
/*
* Look up the group leader (we will attach this event to it):
*/
@@ -7658,6 +7662,11 @@ SYSCALL_DEFINE5(perf_event_open,
WARN_ON_ONCE(ctx->parent_ctx);
+ /*
+ * This is the point on no return; we cannot fail hereafter. This is
+ * where we start modifying current state.
+ */
+
if (move_group) {
/*
* Wait for everybody to stop referencing the events through
@@ -7683,6 +7692,11 @@ SYSCALL_DEFINE5(perf_event_open,
}
mutex_unlock(&ctx->mutex);
+ if (task) {
+ mutex_unlock(&task->signal->cred_guard_mutex);
+ put_task_struct(task);
+ }
+
put_online_cpus();
event->owner = current;
@@ -7722,6 +7736,9 @@ err_alloc:
*/
if (!event_file)
free_event(event);
+err_cred:
+ if (task)
+ mutex_unlock(&task->signal->cred_guard_mutex);
err_cpus:
put_online_cpus();
err_task:
@@ -7956,6 +7973,9 @@ static void perf_event_exit_task_context
/*
* When a child task exits, feed back event values to parent events.
+ *
+ * Can be called with cred_guard_mutex held when called from
+ * install_exec_creds().
*/
void perf_event_exit_task(struct task_struct *child)
{
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 187/202] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (169 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 039/202] net/phy: micrel: Add workaround for bad autoneg Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 071/202] usb: phy: am335x: fix race condition in _probe Ben Hutchings
` (31 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Johan Hedberg, Marcel Holtmann, Greg Kroah-Hartman
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Marcel Holtmann <marcel@holtmann.org>
commit 7c9cbd0b5e38a1672fcd137894ace3b042dfbf69 upstream.
The function l2cap_get_conf_opt will return L2CAP_CONF_OPT_SIZE + opt->len
as length value. The opt->len however is in control over the remote user
and can be used by an attacker to gain access beyond the bounds of the
actual packet.
To prevent any potential leak of heap memory, it is enough to check that
the resulting len calculation after calling l2cap_get_conf_opt is not
below zero. A well formed packet will always return >= 0 here and will
end with the length value being zero after the last option has been
parsed. In case of malformed packets messing with the opt->len field the
length value will become negative. If that is the case, then just abort
and ignore the option.
In case an attacker uses a too short opt->len value, then garbage will
be parsed, but that is protected by the unknown option handling and also
the option parameter size checks.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bluetooth/l2cap_core.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3322,6 +3322,8 @@ static int l2cap_parse_conf_req(struct l
while (len >= L2CAP_CONF_OPT_SIZE) {
len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
+ if (len < 0)
+ break;
hint = type & L2CAP_CONF_HINT;
type &= L2CAP_CONF_MASK;
@@ -3533,6 +3535,8 @@ static int l2cap_parse_conf_rsp(struct l
while (len >= L2CAP_CONF_OPT_SIZE) {
len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
+ if (len < 0)
+ break;
switch (type) {
case L2CAP_CONF_MTU:
@@ -3713,6 +3717,8 @@ static void l2cap_conf_rfc_get(struct l2
while (len >= L2CAP_CONF_OPT_SIZE) {
len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
+ if (len < 0)
+ break;
switch (type) {
case L2CAP_CONF_RFC:
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 195/202] brcmfmac: screening firmware event packet
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (54 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 079/202] fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 090/202] perf/x86/intel/uncore: Add Node ID mask Ben Hutchings
` (146 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Arend van Spriel, Pieter-Paul Giesberts,
Kalle Valo, Franky Lin
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Franky Lin <franky.lin@broadcom.com>
commit c56caa9db8abbbfb9e31325e0897705aa897db37 upstream.
Firmware uses asynchronized events as a communication method to the
host. The event packets are marked as ETH_P_LINK_CTL protocol type. For
SDIO and PCIe bus, this kind of packets are delivered through virtual
event channel not data channel. This patch adds a screening logic to
make sure the event handler only processes the events coming from the
correct channel.
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
- Drop changes to PCIe bus support
- Adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
@@ -168,7 +168,9 @@ bool brcmf_c_prec_enq(struct device *dev
int prec);
/* Receive frame for delivery to OS. Callee disposes of rxp. */
-void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp);
+void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp, bool handle_evnt);
+/* Receive async event packet from firmware. Callee disposes of rxp. */
+void brcmf_rx_event(struct device *dev, struct sk_buff *rxp);
/* Indication from bus module regarding presence/insertion of dongle. */
int brcmf_attach(struct device *dev);
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
@@ -306,16 +306,17 @@ void brcmf_txflowblock(struct device *de
brcmf_fws_bus_blocked(drvr, state);
}
-static void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb)
+static void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb,
+ bool handle_event)
{
- skb->dev = ifp->ndev;
- skb->protocol = eth_type_trans(skb, skb->dev);
+ skb->protocol = eth_type_trans(skb, ifp->ndev);
if (skb->pkt_type == PACKET_MULTICAST)
ifp->stats.multicast++;
/* Process special event packets */
- brcmf_fweh_process_skb(ifp->drvr, skb);
+ if (handle_event)
+ brcmf_fweh_process_skb(ifp->drvr, skb);
if (!(ifp->ndev->flags & IFF_UP)) {
brcmu_pkt_buf_free_skb(skb);
@@ -376,7 +377,7 @@ static void brcmf_rxreorder_process_info
/* validate flags and flow id */
if (flags == 0xFF) {
brcmf_err("invalid flags...so ignore this packet\n");
- brcmf_netif_rx(ifp, pkt);
+ brcmf_netif_rx(ifp, pkt, false);
return;
}
@@ -388,7 +389,7 @@ static void brcmf_rxreorder_process_info
if (rfi == NULL) {
brcmf_dbg(INFO, "received flags to cleanup, but no flow (%d) yet\n",
flow_id);
- brcmf_netif_rx(ifp, pkt);
+ brcmf_netif_rx(ifp, pkt, false);
return;
}
@@ -413,7 +414,7 @@ static void brcmf_rxreorder_process_info
rfi = kzalloc(buf_size, GFP_ATOMIC);
if (rfi == NULL) {
brcmf_err("failed to alloc buffer\n");
- brcmf_netif_rx(ifp, pkt);
+ brcmf_netif_rx(ifp, pkt, false);
return;
}
@@ -527,11 +528,11 @@ static void brcmf_rxreorder_process_info
netif_rx:
skb_queue_walk_safe(&reorder_list, pkt, pnext) {
__skb_unlink(pkt, &reorder_list);
- brcmf_netif_rx(ifp, pkt);
+ brcmf_netif_rx(ifp, pkt, false);
}
}
-void brcmf_rx_frame(struct device *dev, struct sk_buff *skb)
+void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_evnt)
{
struct brcmf_if *ifp;
struct brcmf_bus *bus_if = dev_get_drvdata(dev);
@@ -555,7 +556,32 @@ void brcmf_rx_frame(struct device *dev,
if (rd->reorder)
brcmf_rxreorder_process_info(ifp, rd->reorder, skb);
else
- brcmf_netif_rx(ifp, skb);
+ brcmf_netif_rx(ifp, skb, handle_evnt);
+}
+
+void brcmf_rx_event(struct device *dev, struct sk_buff *skb)
+{
+ struct brcmf_if *ifp;
+ struct brcmf_bus *bus_if = dev_get_drvdata(dev);
+ struct brcmf_pub *drvr = bus_if->drvr;
+ int ret;
+
+ brcmf_dbg(EVENT, "Enter: %s: rxp=%p\n", dev_name(dev), skb);
+
+ /* process and remove protocol-specific header */
+ ret = brcmf_proto_hdrpull(drvr, true, skb, &ifp);
+
+ if (ret || !ifp || !ifp->ndev) {
+ if (ret != -ENODATA && ifp)
+ ifp->stats.rx_errors++;
+ brcmu_pkt_buf_free_skb(skb);
+ return;
+ }
+
+ skb->protocol = eth_type_trans(skb, ifp->ndev);
+
+ brcmf_fweh_process_skb(ifp->drvr, skb);
+ brcmu_pkt_buf_free_skb(skb);
}
void brcmf_txfinalize(struct brcmf_pub *drvr, struct sk_buff *txp, u8 ifidx,
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -1339,6 +1339,17 @@ static inline u8 brcmf_sdio_getdatoffset
return (u8)((hdrvalue & SDPCM_DOFFSET_MASK) >> SDPCM_DOFFSET_SHIFT);
}
+static inline bool brcmf_sdio_fromevntchan(u8 *swheader)
+{
+ u32 hdrvalue;
+ u8 ret;
+
+ hdrvalue = *(u32 *)swheader;
+ ret = (u8)((hdrvalue & SDPCM_CHANNEL_MASK) >> SDPCM_CHANNEL_SHIFT);
+
+ return (ret == SDPCM_EVENT_CHANNEL);
+}
+
static int brcmf_sdio_hdparse(struct brcmf_sdio *bus, u8 *header,
struct brcmf_sdio_hdrinfo *rd,
enum brcmf_sdio_frmtype type)
@@ -1699,7 +1710,11 @@ static u8 brcmf_sdio_rxglom(struct brcmf
pfirst->len, pfirst->next,
pfirst->prev);
skb_unlink(pfirst, &bus->glom);
- brcmf_rx_frame(bus->sdiodev->dev, pfirst);
+ if (brcmf_sdio_fromevntchan(pfirst->data))
+ brcmf_rx_event(bus->sdiodev->dev, pfirst);
+ else
+ brcmf_rx_frame(bus->sdiodev->dev, pfirst,
+ false);
bus->sdcnt.rxglompkts++;
}
@@ -2026,18 +2041,19 @@ static uint brcmf_sdio_readframes(struct
__skb_trim(pkt, rd->len);
skb_pull(pkt, rd->dat_offset);
+ if (pkt->len == 0)
+ brcmu_pkt_buf_free_skb(pkt);
+ else if (rd->channel == SDPCM_EVENT_CHANNEL)
+ brcmf_rx_event(bus->sdiodev->dev, pkt);
+ else
+ brcmf_rx_frame(bus->sdiodev->dev, pkt,
+ false);
+
/* prepare the descriptor for the next read */
rd->len = rd->len_nxtfrm << 4;
rd->len_nxtfrm = 0;
/* treat all packet as event if we don't know */
rd->channel = SDPCM_EVENT_CHANNEL;
-
- if (pkt->len == 0) {
- brcmu_pkt_buf_free_skb(pkt);
- continue;
- }
-
- brcmf_rx_frame(bus->sdiodev->dev, pkt);
}
rxcount = maxframes - rxleft;
--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
@@ -441,7 +441,7 @@ static void brcmf_usb_rx_complete(struct
if (devinfo->bus_pub.state == BRCMFMAC_USB_STATE_UP) {
skb_put(skb, urb->actual_length);
- brcmf_rx_frame(devinfo->dev, skb);
+ brcmf_rx_frame(devinfo->dev, skb, true);
brcmf_usb_rx_refill(devinfo, req);
} else {
brcmu_pkt_buf_free_skb(skb);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 198/202] brcmfmac: add subtype check for event handling in data path
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (134 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 124/202] powerpc: Use sigsp() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 109/202] avr32: Use get_signal() signal_setup_done() Ben Hutchings
` (66 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Arend van Spriel, Kalle Valo, Franky Lin,
Hante Meuleman, Pieter-Paul Giesberts
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arend van Spriel <arend.vanspriel@broadcom.com>
commit a4176ec356c73a46c07c181c6d04039fafa34a9f upstream.
For USB there is no separate channel being used to pass events
from firmware to the host driver and as such are passed over the
data path. In order to detect mock event messages an additional
check is needed on event subtype. This check is added conditionally
using unlikely() keyword.
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
- Drop changes to PCIe bus support
- Adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
@@ -553,7 +553,8 @@ void brcmf_rx_frame(struct device *dev,
} else {
/* Process special event packets */
if (handle_event)
- brcmf_fweh_process_skb(ifp->drvr, skb);
+ brcmf_fweh_process_skb(ifp->drvr, skb,
+ BCMILCP_SUBTYPE_VENDOR_LONG);
brcmf_netif_rx(ifp, skb);
}
@@ -580,7 +581,7 @@ void brcmf_rx_event(struct device *dev,
skb->protocol = eth_type_trans(skb, ifp->ndev);
- brcmf_fweh_process_skb(ifp->drvr, skb);
+ brcmf_fweh_process_skb(ifp->drvr, skb, 0);
brcmu_pkt_buf_free_skb(skb);
}
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.h
@@ -174,7 +174,7 @@ enum brcmf_fweh_event_code {
*/
#define BRCM_OUI "\x00\x10\x18"
#define BCMILCP_BCM_SUBTYPE_EVENT 1
-
+#define BCMILCP_SUBTYPE_VENDOR_LONG 32769
/**
* struct brcm_ethhdr - broadcom specific ether header.
@@ -292,10 +292,10 @@ void brcmf_fweh_process_event(struct brc
u32 packet_len);
static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
- struct sk_buff *skb)
+ struct sk_buff *skb, u16 stype)
{
struct brcmf_event *event_packet;
- u16 usr_stype;
+ u16 subtype, usr_stype;
/* only process events when protocol matches */
if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
@@ -304,8 +304,16 @@ static inline void brcmf_fweh_process_sk
if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
return;
- /* check for BRCM oui match */
event_packet = (struct brcmf_event *)skb_mac_header(skb);
+
+ /* check subtype if needed */
+ if (unlikely(stype)) {
+ subtype = get_unaligned_be16(&event_packet->hdr.subtype);
+ if (subtype != stype)
+ return;
+ }
+
+ /* check for BRCM oui match */
if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
sizeof(event_packet->hdr.oui)))
return;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 190/202] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (65 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 104/202] mtd: rawnand: gpmi: fix MX28 bus master lockup problem Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 167/202] tmpfs: fix link accounting when a tmpfile is linked in Ben Hutchings
` (135 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Jason Gunthorpe, Linus Torvalds,
Michal Hocko, Andrea Arcangeli, Peter Xu, Oleg Nesterov,
Mike Rapoport, Jann Horn
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrea Arcangeli <aarcange@redhat.com>
commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream.
The core dumping code has always run without holding the mmap_sem for
writing, despite that is the only way to ensure that the entire vma
layout will not change from under it. Only using some signal
serialization on the processes belonging to the mm is not nearly enough.
This was pointed out earlier. For example in Hugh's post from Jul 2017:
https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils
"Not strictly relevant here, but a related note: I was very surprised
to discover, only quite recently, how handle_mm_fault() may be called
without down_read(mmap_sem) - when core dumping. That seems a
misguided optimization to me, which would also be nice to correct"
In particular because the growsdown and growsup can move the
vm_start/vm_end the various loops the core dump does around the vma will
not be consistent if page faults can happen concurrently.
Pretty much all users calling mmget_not_zero()/get_task_mm() and then
taking the mmap_sem had the potential to introduce unexpected side
effects in the core dumping code.
Adding mmap_sem for writing around the ->core_dump invocation is a
viable long term fix, but it requires removing all copy user and page
faults and to replace them with get_dump_page() for all binary formats
which is not suitable as a short term fix.
For the time being this solution manually covers the places that can
confuse the core dump either by altering the vma layout or the vma flags
while it runs. Once ->core_dump runs under mmap_sem for writing the
function mmget_still_valid() can be dropped.
Allowing mmap_sem protected sections to run in parallel with the
coredump provides some minor parallelism advantage to the swapoff code
(which seems to be safe enough by never mangling any vma field and can
keep doing swapins in parallel to the core dumping) and to some other
corner case.
In order to facilitate the backporting I added "Fixes: 86039bd3b4e6"
however the side effect of this same race condition in /proc/pid/mem
should be reproducible since before 2.6.12-rc2 so I couldn't add any
other "Fixes:" because there's no hash beyond the git genesis commit.
Because find_extend_vma() is the only location outside of the process
context that could modify the "mm" structures under mmap_sem for
reading, by adding the mmget_still_valid() check to it, all other cases
that take the mmap_sem for reading don't need the new check after
mmget_not_zero()/get_task_mm(). The expand_stack() in page fault
context also doesn't need the new check, because all tasks under core
dumping are frozen.
Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com
Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Jann Horn <jannh@google.com>
Acked-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
- Drop changes in Infiniband and userfaultfd
- In clear_refs_write(), use up_read() as we never upgrade to a write lock
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -809,8 +809,27 @@ static ssize_t clear_refs_write(struct f
.private = &cp,
};
down_read(&mm->mmap_sem);
- if (type == CLEAR_REFS_SOFT_DIRTY)
+ if (type == CLEAR_REFS_SOFT_DIRTY) {
+ /*
+ * Avoid to modify vma->vm_flags
+ * without locked ops while the
+ * coredump reads the vm_flags.
+ */
+ if (!mmget_still_valid(mm)) {
+ /*
+ * Silently return "count"
+ * like if get_task_mm()
+ * failed. FIXME: should this
+ * function have returned
+ * -ESRCH if get_task_mm()
+ * failed like if
+ * get_proc_task() fails?
+ */
+ up_read(&mm->mmap_sem);
+ goto out_mm;
+ }
mmu_notifier_invalidate_range_start(mm, 0, -1);
+ }
for (vma = mm->mmap; vma; vma = vma->vm_next) {
cp.vma = vma;
if (is_vm_hugetlb_page(vma))
@@ -841,6 +860,7 @@ static ssize_t clear_refs_write(struct f
mmu_notifier_invalidate_range_end(mm, 0, -1);
flush_tlb_mm(mm);
up_read(&mm->mmap_sem);
+out_mm:
mmput(mm);
}
put_task_struct(task);
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -2425,6 +2425,27 @@ static inline void mmdrop(struct mm_stru
__mmdrop(mm);
}
+/*
+ * This has to be called after a get_task_mm()/mmget_not_zero()
+ * followed by taking the mmap_sem for writing before modifying the
+ * vmas or anything the coredump pretends not to change from under it.
+ *
+ * NOTE: find_extend_vma() called from GUP context is the only place
+ * that can modify the "mm" (notably the vm_start/end) under mmap_sem
+ * for reading and outside the context of the process, so it is also
+ * the only case that holds the mmap_sem for reading that must call
+ * this function. Generally if the mmap_sem is hold for reading
+ * there's no need of this check after get_task_mm()/mmget_not_zero().
+ *
+ * This function can be obsoleted and the check can be removed, after
+ * the coredump code will hold the mmap_sem for writing before
+ * invoking the ->core_dump methods.
+ */
+static inline bool mmget_still_valid(struct mm_struct *mm)
+{
+ return likely(!mm->core_state);
+}
+
/* mmput gets rid of the mappings and all user-space */
extern void mmput(struct mm_struct *);
/* Grab a reference to a task's mm, if it is not already going away */
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -40,6 +40,7 @@
#include <linux/notifier.h>
#include <linux/memory.h>
#include <linux/printk.h>
+#include <linux/sched.h>
#include <asm/uaccess.h>
#include <asm/cacheflush.h>
@@ -2341,7 +2342,8 @@ find_extend_vma(struct mm_struct *mm, un
vma = find_vma_prev(mm, addr, &prev);
if (vma && (vma->vm_start <= addr))
return vma;
- if (!prev || expand_stack(prev, addr))
+ /* don't alter vm_end if the coredump is running */
+ if (!prev || !mmget_still_valid(mm) || expand_stack(prev, addr))
return NULL;
if (prev->vm_flags & VM_LOCKED)
__mlock_vma_pages_range(prev, addr, prev->vm_end, NULL);
@@ -2367,6 +2369,9 @@ find_extend_vma(struct mm_struct * mm, u
return vma;
if (!(vma->vm_flags & VM_GROWSDOWN))
return NULL;
+ /* don't alter vm_start if the coredump is running */
+ if (!mmget_still_valid(mm))
+ return NULL;
start = vma->vm_start;
if (expand_stack(vma, addr))
return NULL;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 001/202] batman-adv: Avoid WARN on net_device without parent in netns
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (103 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 043/202] fuse: handle zero sized retrieve correctly Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 003/202] ACPI: power: Skip duplicate power resource references in _PRx Ben Hutchings
` (97 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Dmitry Vyukov, syzbot+c764de0fcfadca9a8595,
Sven Eckelmann, Simon Wunderlich
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 955d3411a17f590364238bd0d3329b61f20c1cd2 upstream.
It is not allowed to use WARN* helpers on potential incorrect input from
the user or transient problems because systems configured as panic_on_warn
will reboot due to such a problem.
A NULL return value of __dev_get_by_index can be caused by various problems
which can either be related to the system configuration or problems
(incorrectly returned network namespaces) in other (virtual) net_device
drivers. batman-adv should not cause a (harmful) WARN in this situation and
instead only report it via a simple message.
Fixes: b7eddd0b3950 ("batman-adv: prevent using any virtual device created on batman-adv as hard-interface")
Reported-by: syzbot+c764de0fcfadca9a8595@syzkaller.appspotmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -89,8 +89,10 @@ static bool batadv_is_on_batman_iface(co
/* recurse over the parent device */
parent_dev = __dev_get_by_index(&init_net, net_dev->iflink);
/* if we got a NULL parent_dev there is something broken.. */
- if (WARN(!parent_dev, "Cannot find parent device"))
+ if (!parent_dev) {
+ pr_err("Cannot find parent device\n");
return false;
+ }
ret = batadv_is_on_batman_iface(parent_dev);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 197/202] brcmfmac: revise handling events in receive path
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (195 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 150/202] net/packet: fix 4gb buffer limit due to overflow check Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 005/202] mfd: tps6586x: Handle interrupts on suspend Ben Hutchings
` (5 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Kalle Valo, Hante Meuleman, Franky Lin,
Arend van Spriel, Pieter-Paul Giesberts
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arend van Spriel <arend@broadcom.com>
commit 9c349892ccc90c6de2baaa69cc78449f58082273 upstream.
Move event handling out of brcmf_netif_rx() avoiding the need
to pass a flag. This flag is only ever true for USB hosts as
other interface use separate brcmf_rx_event() function.
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16 as dependency of commit a4176ec356c7
"brcmfmac: add subtype check for event handling in data path"
- Drop changes to PCIe bus support
- Adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h
@@ -168,7 +168,7 @@ bool brcmf_c_prec_enq(struct device *dev
int prec);
/* Receive frame for delivery to OS. Callee disposes of rxp. */
-void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp, bool handle_evnt);
+void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp, bool handle_event);
/* Receive async event packet from firmware. Callee disposes of rxp. */
void brcmf_rx_event(struct device *dev, struct sk_buff *rxp);
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
@@ -306,18 +306,11 @@ void brcmf_txflowblock(struct device *de
brcmf_fws_bus_blocked(drvr, state);
}
-static void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb,
- bool handle_event)
+static void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb)
{
- skb->protocol = eth_type_trans(skb, ifp->ndev);
-
if (skb->pkt_type == PACKET_MULTICAST)
ifp->stats.multicast++;
- /* Process special event packets */
- if (handle_event)
- brcmf_fweh_process_skb(ifp->drvr, skb);
-
if (!(ifp->ndev->flags & IFF_UP)) {
brcmu_pkt_buf_free_skb(skb);
return;
@@ -377,7 +370,7 @@ static void brcmf_rxreorder_process_info
/* validate flags and flow id */
if (flags == 0xFF) {
brcmf_err("invalid flags...so ignore this packet\n");
- brcmf_netif_rx(ifp, pkt, false);
+ brcmf_netif_rx(ifp, pkt);
return;
}
@@ -389,7 +382,7 @@ static void brcmf_rxreorder_process_info
if (rfi == NULL) {
brcmf_dbg(INFO, "received flags to cleanup, but no flow (%d) yet\n",
flow_id);
- brcmf_netif_rx(ifp, pkt, false);
+ brcmf_netif_rx(ifp, pkt);
return;
}
@@ -414,7 +407,7 @@ static void brcmf_rxreorder_process_info
rfi = kzalloc(buf_size, GFP_ATOMIC);
if (rfi == NULL) {
brcmf_err("failed to alloc buffer\n");
- brcmf_netif_rx(ifp, pkt, false);
+ brcmf_netif_rx(ifp, pkt);
return;
}
@@ -528,11 +521,11 @@ static void brcmf_rxreorder_process_info
netif_rx:
skb_queue_walk_safe(&reorder_list, pkt, pnext) {
__skb_unlink(pkt, &reorder_list);
- brcmf_netif_rx(ifp, pkt, false);
+ brcmf_netif_rx(ifp, pkt);
}
}
-void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_evnt)
+void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event)
{
struct brcmf_if *ifp;
struct brcmf_bus *bus_if = dev_get_drvdata(dev);
@@ -552,11 +545,18 @@ void brcmf_rx_frame(struct device *dev,
return;
}
+ skb->protocol = eth_type_trans(skb, ifp->ndev);
+
rd = (struct brcmf_skb_reorder_data *)skb->cb;
- if (rd->reorder)
+ if (rd->reorder) {
brcmf_rxreorder_process_info(ifp, rd->reorder, skb);
- else
- brcmf_netif_rx(ifp, skb, handle_evnt);
+ } else {
+ /* Process special event packets */
+ if (handle_event)
+ brcmf_fweh_process_skb(ifp->drvr, skb);
+
+ brcmf_netif_rx(ifp, skb);
+ }
}
void brcmf_rx_event(struct device *dev, struct sk_buff *skb)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 192/202] brcmfmac: assure SSID length from firmware is limited
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (76 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 154/202] x86/a.out: Clear the dump structure initially Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 118/202] microblaze: Use get_signal() signal_setup_done() Ben Hutchings
` (124 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Pieter-Paul Giesberts, Hante Meuleman,
Franky Lin, Kalle Valo, Arend van Spriel
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arend van Spriel <arend.vanspriel@broadcom.com>
commit 1b5e2423164b3670e8bc9174e4762d297990deff upstream.
The SSID length as received from firmware should not exceed
IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -3082,6 +3082,8 @@ brcmf_notify_sched_scan_results(struct b
brcmf_dbg(SCAN, "SSID:%s Channel:%d\n",
netinfo->SSID, netinfo->channel);
+ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
+ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
memcpy(ssid[i].ssid, netinfo->SSID, netinfo->SSID_len);
ssid[i].ssid_len = netinfo->SSID_len;
request->n_ssids++;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 193/202] brcmfmac: consolidate ifp lookup in driver core
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (101 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 093/202] dmaengine: dmatest: Abort test in case of mapping error Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 043/202] fuse: handle zero sized retrieve correctly Ben Hutchings
` (99 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Hante Meuleman, Kalle Valo,
Arend van Spriel, Pieter-Paul Giesberts, Franky (Zhenhui) Lin
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arend van Spriel <arend@broadcom.com>
commit 75effb03ee8e4c9d4bbc909118ce5444b047dfde upstream.
In rx path the firmware provide an interface index which is used to
map to a struct brcmf_if instance. However, this involves some trick
that is done in two places. This is changed by having driver core
providing brcmf_get_ifp() function.
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
- Drop changes to PCIe bus support
- Adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/bcdc.c
@@ -276,6 +276,7 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu
struct sk_buff *pktbuf)
{
struct brcmf_proto_bcdc_header *h;
+ struct brcmf_if *ifp;
brcmf_dbg(BCDC, "Enter\n");
@@ -289,30 +290,21 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu
trace_brcmf_bcdchdr(pktbuf->data);
h = (struct brcmf_proto_bcdc_header *)(pktbuf->data);
- *ifidx = BCDC_GET_IF_IDX(h);
- if (*ifidx >= BRCMF_MAX_IFS) {
- brcmf_err("rx data ifnum out of range (%d)\n", *ifidx);
+ ifp = brcmf_get_ifp(drvr, BCDC_GET_IF_IDX(h));
+ if (IS_ERR_OR_NULL(ifp)) {
+ brcmf_dbg(INFO, "no matching ifp found\n");
return -EBADE;
}
- /* The ifidx is the idx to map to matching netdev/ifp. When receiving
- * events this is easy because it contains the bssidx which maps
- * 1-on-1 to the netdev/ifp. But for data frames the ifidx is rcvd.
- * bssidx 1 is used for p2p0 and no data can be received or
- * transmitted on it. Therefor bssidx is ifidx + 1 if ifidx > 0
- */
- if (*ifidx)
- (*ifidx)++;
-
if (((h->flags & BCDC_FLAG_VER_MASK) >> BCDC_FLAG_VER_SHIFT) !=
BCDC_PROTO_VER) {
brcmf_err("%s: non-BCDC packet received, flags 0x%x\n",
- brcmf_ifname(drvr, *ifidx), h->flags);
+ brcmf_ifname(drvr, ifp->ifidx), h->flags);
return -EBADE;
}
if (h->flags & BCDC_FLAG_SUM_GOOD) {
brcmf_dbg(BCDC, "%s: BDC rcv, good checksum, flags 0x%x\n",
- brcmf_ifname(drvr, *ifidx), h->flags);
+ brcmf_ifname(drvr, ifp->ifidx), h->flags);
pktbuf->ip_summed = CHECKSUM_UNNECESSARY;
}
@@ -320,12 +312,15 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pu
skb_pull(pktbuf, BCDC_HEADER_LEN);
if (do_fws)
- brcmf_fws_hdrpull(drvr, *ifidx, h->data_offset << 2, pktbuf);
+ brcmf_fws_hdrpull(drvr, ifp->ifidx, h->data_offset << 2,
+ pktbuf);
else
skb_pull(pktbuf, h->data_offset << 2);
if (pktbuf->len == 0)
return -ENODATA;
+
+ *ifidx = ifp->ifidx;
return 0;
}
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
@@ -81,6 +81,25 @@ char *brcmf_ifname(struct brcmf_pub *drv
return "<if_none>";
}
+struct brcmf_if *brcmf_get_ifp(struct brcmf_pub *drvr, int ifidx)
+{
+ if (ifidx < 0 || ifidx >= BRCMF_MAX_IFS) {
+ brcmf_err("ifidx %d out of range\n", ifidx);
+ return ERR_PTR(-ERANGE);
+ }
+
+ /* The ifidx is the idx to map to matching netdev/ifp. When receiving
+ * events this is easy because it contains the bssidx which maps
+ * 1-on-1 to the netdev/ifp. But for data frames the ifidx is rcvd.
+ * bssidx 1 is used for p2p0 and no data can be received or
+ * transmitted on it. Therefor bssidx is ifidx + 1 if ifidx > 0
+ */
+ if (ifidx)
+ ifidx++;
+
+ return drvr->iflist[ifidx];
+}
+
static void _brcmf_set_multicast_list(struct work_struct *work)
{
struct brcmf_if *ifp;
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd.h
@@ -178,7 +178,7 @@ int brcmf_netdev_wait_pend8021x(struct n
/* Return pointer to interface name */
char *brcmf_ifname(struct brcmf_pub *drvr, int idx);
-
+struct brcmf_if *brcmf_get_ifp(struct brcmf_pub *drvr, int ifidx);
int brcmf_net_attach(struct brcmf_if *ifp, bool rtnl_locked);
struct brcmf_if *brcmf_add_if(struct brcmf_pub *drvr, s32 bssidx, s32 ifidx,
char *name, u8 *mac_addr);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 200/202] binfmt_elf: switch to new creds when switching to new mm
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (176 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 145/202] perf/x86: Add check_period PMU callback Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 194/202] brcmfmac: make brcmf_proto_hdrpull() return struct brcmf_if instance Ben Hutchings
` (24 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Eric W. Biederman, Willy Tarreau,
Oleg Nesterov, Robert Święcki, Peter Zijlstra, Al Viro,
Kees Cook, David Howells, Andy Lutomirski, Linus Torvalds
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linux-foundation.org>
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 upstream.
We used to delay switching to the new credentials until after we had
mapped the executable (and possible elf interpreter). That was kind of
odd to begin with, since the new executable will actually then _run_
with the new creds, but whatever.
The bigger problem was that we also want to make sure that we turn off
prof events and tracing before we start mapping the new executable
state. So while this is a cleanup, it's also a fix for a possible
information leak.
Reported-by: Robert Święcki <robert@swiecki.net>
Tested-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: David Howells <dhowells@redhat.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/binfmt_elf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -736,6 +736,7 @@ static int load_elf_binary(struct linux_
current->flags |= PF_RANDOMIZE;
setup_new_exec(bprm);
+ install_exec_creds(bprm);
/* Do this so that we can load the interpreter, if need be. We will
change some of these later */
@@ -951,7 +952,6 @@ static int load_elf_binary(struct linux_
}
#endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
- install_exec_creds(bprm);
retval = create_elf_tables(bprm, &loc->elf_ex,
load_addr, interp_load_addr);
if (retval < 0) {
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 199/202] binfmt_elf: Fix missing SIGKILL for empty PIE
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (24 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 085/202] mm: migrate: don't rely on __PageMovable() of newpage after unlocking it Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 134/202] tracehook_signal_handler: Remove sig, info, ka and regs Ben Hutchings
` (176 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
Commit ea08dc5191d9 "fs/binfmt_elf.c: fix bug in loading of PIE
binaries", which was a backport of commit a87938b2e246 upstream,
added a new failure path to load_elf_binary().
Before commit 19d860a140be "handle suicide on late failure exits in
execve() in search_binary_handler()", load_elf_binary() wass
responsible for sending a fatal signal to the task in case of an error
after flushing the old executable. Add that to the new failure path.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -822,6 +822,7 @@ static int load_elf_binary(struct linux_
total_size = total_mapping_size(elf_phdata,
loc->elf_ex.e_phnum);
if (!total_size) {
+ send_sig(SIGKILL, current, 0);
retval = -EINVAL;
goto out_free_dentry;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 202/202] tty: mark Siemens R3964 line discipline as BROKEN
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (41 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 081/202] mac80211: ensure that mgmt tx skbs have tailroom for encryption Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 063/202] drm/modes: Prevent division by zero htotal Ben Hutchings
` (159 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Linus Torvalds, Greg Kroah-Hartman, Jann Horn
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c7084edc3f6d67750f50d4183134c4fb5712a5c8 upstream.
The n_r3964 line discipline driver was written in a different time, when
SMP machines were rare, and users were trusted to do the right thing.
Since then, the world has moved on but not this code, it has stayed
rooted in the past with its lovely hand-crafted list structures and
loads of "interesting" race conditions all over the place.
After attempting to clean up most of the issues, I just gave up and am
now marking the driver as BROKEN so that hopefully someone who has this
hardware will show up out of the woodwork (I know you are out there!)
and will help with debugging a raft of changes that I had laying around
for the code, but was too afraid to commit as odds are they would break
things.
Many thanks to Jann and Linus for pointing out the initial problems in
this codebase, as well as many reviews of my attempts to fix the issues.
It was a case of whack-a-mole, and as you can see, the mole won.
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/char/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
@@ -380,7 +380,7 @@ config XILINX_HWICAP
config R3964
tristate "Siemens R3964 line discipline"
- depends on TTY
+ depends on TTY && BROKEN
---help---
This driver allows synchronous communication with devices using the
Siemens R3964 packet protocol. Unless you are dealing with special
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 164/202] scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (72 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 185/202] [media] media: em28xx-dvb - fix em28xx_dvb_resume() to not unregister i2c and dvb Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 159/202] dm thin: fix bug where bio that overwrites thin block ignores FUA Ben Hutchings
` (128 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, dann frazier, Jason Yan, John Garry,
Martin K. Petersen
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: John Garry <john.garry@huawei.com>
commit ffeafdd2bf0b280d67ec1a47ea6287910d271f3f upstream.
The sysfs phy_identifier attribute for a sas_end_device comes from the rphy
phy_identifier value.
Currently this is not being set for rphys with an end device attached, so
we see incorrect symlinks from systemd disk/by-path:
root@localhost:~# ls -l /dev/disk/by-path/
total 0
lrwxrwxrwx 1 root root 9 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0 -> ../../sdb
lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part2 -> ../../sdb2
lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part3 -> ../../sdc3
Indeed, each sas_end_device phy_identifier value is 0:
root@localhost:/# more sys/class/sas_device/end_device-0\:0\:2/phy_identifier
0
root@localhost:/# more sys/class/sas_device/end_device-0\:0\:10/phy_identifier
0
This patch fixes the discovery code to set the phy_identifier. With this,
we now get proper symlinks:
root@localhost:~# ls -l /dev/disk/by-path/
total 0
lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy10-lun-0 -> ../../sdg
lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy11-lun-0 -> ../../sdh
lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0 -> ../../sda
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0-part1 -> ../../sda1
lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0 -> ../../sdb
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part2 -> ../../sdb2
lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0 -> ../../sdc
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part1 -> ../../sdc1
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part2 -> ../../sdc2
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part3 -> ../../sdc3
lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy5-lun-0 -> ../../sdd
lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0 -> ../../sde
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part1 -> ../../sde1
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part2 -> ../../sde2
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part3 -> ../../sde3
lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0 -> ../../sdf
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part1 -> ../../sdf1
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part2 -> ../../sdf2
lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part3 -> ../../sdf3
Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Reported-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Tested-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/libsas/sas_expander.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -817,6 +817,7 @@ static struct domain_device *sas_ex_disc
rphy = sas_end_device_alloc(phy->port);
if (!rphy)
goto out_free;
+ rphy->identify.phy_identifier = phy_id;
child->rphy = rphy;
get_device(&rphy->dev);
@@ -844,6 +845,7 @@ static struct domain_device *sas_ex_disc
child->rphy = rphy;
get_device(&rphy->dev);
+ rphy->identify.phy_identifier = phy_id;
sas_fill_in_rphy(child, rphy);
list_add_tail(&child->disco_list_node, &parent->port->disco_list);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 163/202] assoc_array: Fix shortcut creation
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (48 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 103/202] ALSA: compress: Fix stop handling on compressed capture streams Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 156/202] netfilter: nft_compat: fix crash when related match/target module is removed Ben Hutchings
` (152 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, David Howells, James Morris
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 upstream.
Fix the creation of shortcuts for which the length of the index key value
is an exact multiple of the machine word size. The problem is that the
code that blanks off the unused bits of the shortcut value malfunctions if
the number of bits in the last word equals machine word size. This is due
to the "<<" operator being given a shift of zero in this case, and so the
mask that should be all zeros is all ones instead. This causes the
subsequent masking operation to clear everything rather than clearing
nothing.
Ordinarily, the presence of the hash at the beginning of the tree index key
makes the issue very hard to test for, but in this case, it was encountered
due to a development mistake that caused the hash output to be either 0
(keyring) or 1 (non-keyring) only. This made it susceptible to the
keyctl/unlink/valid test in the keyutils package.
The fix is simply to skip the blanking if the shift would be 0. For
example, an index key that is 64 bits long would produce a 0 shift and thus
a 'blank' of all 1s. This would then be inverted and AND'd onto the
index_key, incorrectly clearing the entire last word.
Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
lib/assoc_array.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/lib/assoc_array.c
+++ b/lib/assoc_array.c
@@ -780,9 +780,11 @@ all_leaves_cluster_together:
new_s0->index_key[i] =
ops->get_key_chunk(index_key, i * ASSOC_ARRAY_KEY_CHUNK_SIZE);
- blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
- pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
- new_s0->index_key[keylen - 1] &= ~blank;
+ if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) {
+ blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
+ pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
+ new_s0->index_key[keylen - 1] &= ~blank;
+ }
/* This now reduces to a node splitting exercise for which we'll need
* to regenerate the disparity table.
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 176/202] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (174 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 181/202] mm: enforce min addr even if capable() in expand_downwards() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 145/202] perf/x86: Add check_period PMU callback Ben Hutchings
` (26 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Peter Zijlstra, Denys Vlasenko,
Josh Poimboeuf, Brian Gerst, Andy Lutomirski, Borislav Petkov,
Linus Torvalds
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andy Lutomirski <luto@kernel.org>
commit 2a418cf3f5f1caf911af288e978d61c9844b0695 upstream.
When calling __put_user(foo(), ptr), the __put_user() macro would call
foo() in between __uaccess_begin() and __uaccess_end(). If that code
were buggy, then those bugs would be run without SMAP protection.
Fortunately, there seem to be few instances of the problem in the
kernel. Nevertheless, __put_user() should be fixed to avoid doing this.
Therefore, evaluate __put_user()'s argument before setting AC.
This issue was noticed when an objtool hack by Peter Zijlstra complained
about genregs_get() and I compared the assembly output to the C source.
[ bp: Massage commit message and fixed up whitespace. ]
Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses")
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -311,8 +311,7 @@ do { \
__put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \
break; \
case 8: \
- __put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval, \
- errret); \
+ __put_user_asm_u64(x, ptr, retval, errret); \
break; \
default: \
__put_user_bad(); \
@@ -423,8 +422,10 @@ do { \
#define __put_user_nocheck(x, ptr, size) \
({ \
int __pu_err; \
+ __typeof__(*(ptr)) __pu_val; \
+ __pu_val = x; \
__uaccess_begin(); \
- __put_user_size((x), (ptr), (size), __pu_err, -EFAULT); \
+ __put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT); \
__uaccess_end(); \
__pu_err; \
})
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 169/202] KEYS: user: Align the payload buffer
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (14 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 020/202] sd: Clear PS bit before Mode Select Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 137/202] signal: Always notice exiting tasks Ben Hutchings
` (186 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, James Morris, Eric Biggers, David Howells,
Aaro Koskinen
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit cc1780fc42c76c705dd07ea123f1143dc5057630 upstream.
Align the payload of "user" and "logon" keys so that users of the
keyrings service can access it as a struct that requires more than
2-byte alignment. fscrypt currently does this which results in the read
of fscrypt_key::size being misaligned as it needs 4-byte alignment.
Align to __alignof__(u64) rather than __alignof__(long) since in the
future it's conceivable that people would use structs beginning with
u64, which on some platforms would require more than 'long' alignment.
Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Fixes: 2aa349f6e37c ("[PATCH] Keys: Export user-defined keyring operations")
Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/keys/user-type.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/keys/user-type.h
+++ b/include/keys/user-type.h
@@ -29,7 +29,7 @@
struct user_key_payload {
struct rcu_head rcu; /* RCU destructor */
unsigned short datalen; /* length of this data */
- char data[0]; /* actual data */
+ char data[0] __aligned(__alignof__(u64)); /* actual data */
};
extern struct key_type key_type_user;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 160/202] i2c: cadence: Fix the hold bit setting
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (137 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 040/202] net/phy: micrel: configure intterupts after autoneg workaround Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 096/202] s390/qeth: fix use-after-free in error path Ben Hutchings
` (63 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Michal Simek, Wolfram Sang, Kyle Roeschley,
Shubhrajyoti Datta
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
commit d358def706880defa4c9e87381c5bf086a97d5f9 upstream.
In case the hold bit is not needed we are carrying the old values.
Fix the same by resetting the bit when not needed.
Fixes the sporadic i2c bus lockups on National Instruments
Zynq-based devices.
Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller")
Reported-by: Kyle Roeschley <kyle.roeschley@ni.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
Tested-by: Kyle Roeschley <kyle.roeschley@ni.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/i2c/busses/i2c-cadence.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/i2c/busses/i2c-cadence.c
+++ b/drivers/i2c/busses/i2c-cadence.c
@@ -320,8 +320,10 @@ static void cdns_i2c_mrecv(struct cdns_i
* Check for the message size against FIFO depth and set the
* 'hold bus' bit if it is greater than FIFO depth.
*/
- if (id->recv_count > CDNS_I2C_FIFO_DEPTH)
+ if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
ctrl_reg |= CDNS_I2C_CR_HOLD;
+ else
+ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
@@ -375,8 +377,11 @@ static void cdns_i2c_msend(struct cdns_i
* Check for the message size against FIFO depth and set the
* 'hold bus' bit if it is greater than FIFO depth.
*/
- if (id->send_count > CDNS_I2C_FIFO_DEPTH)
+ if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
ctrl_reg |= CDNS_I2C_CR_HOLD;
+ else
+ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
+
cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
/* Clear the interrupts in interrupt status register. */
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 161/202] netfilter: nf_tables: fix flush after rule deletion in the same batch
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (95 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 157/202] netfilter: nf_tables: nft_compat: fix refcount leak on xt module Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 122/202] parisc: Use get_signal() signal_setup_done() Ben Hutchings
` (105 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Phil Sutter, Pablo Neira Ayuso
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 upstream.
Flush after rule deletion bogusly hits -ENOENT. Skip rules that have
been already from nft_delrule_by_chain() which is always called from the
flush path.
Fixes: cf9dc09d0949 ("netfilter: nf_tables: fix missing rules flushing per table")
Reported-by: Phil Sutter <phil@nwl.cc>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16:
- Use nft_rule_is_active_next() instead of nft_is_active_next()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/nf_tables_api.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1897,6 +1897,9 @@ static int nf_table_delrule_by_chain(str
int err;
list_for_each_entry(rule, &ctx->chain->rules, list) {
+ if (!nft_rule_is_active_next(ctx->net, rule))
+ continue;
+
err = nf_tables_delrule_one(ctx, rule);
if (err < 0)
return err;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 171/202] KEYS: always initialize keyring_index_key::desc_len
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (109 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 046/202] media: v4l: ioctl: Validate num_planes for debug messages Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 030/202] i2c: dev: prevent adapter retries and timeout being set as minus value Ben Hutchings
` (91 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, James Morris, David Howells, Eric Biggers,
syzbot+ec24e95ea483de0a24da
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit ede0fa98a900e657d1fcd80b50920efc896c1a4c upstream.
syzbot hit the 'BUG_ON(index_key->desc_len == 0);' in __key_link_begin()
called from construct_alloc_key() during sys_request_key(), because the
length of the key description was never calculated.
The problem is that we rely on ->desc_len being initialized by
search_process_keyrings(), specifically by search_nested_keyrings().
But, if the process isn't subscribed to any keyrings that never happens.
Fix it by always initializing keyring_index_key::desc_len as soon as the
description is set, like we already do in some places.
The following program reproduces the BUG_ON() when it's run as root and
no session keyring has been installed. If it doesn't work, try removing
pam_keyinit.so from /etc/pam.d/login and rebooting.
#include <stdlib.h>
#include <unistd.h>
#include <keyutils.h>
int main(void)
{
int id = add_key("keyring", "syz", NULL, 0, KEY_SPEC_USER_KEYRING);
keyctl_setperm(id, KEY_OTH_WRITE);
setreuid(5000, 5000);
request_key("user", "desc", "", id);
}
Reported-by: syzbot+ec24e95ea483de0a24da@syzkaller.appspotmail.com
Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/keyring.c | 4 +---
security/keys/proc.c | 3 +--
security/keys/request_key.c | 1 +
security/keys/request_key_auth.c | 2 +-
4 files changed, 4 insertions(+), 6 deletions(-)
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -604,9 +604,6 @@ static bool search_nested_keyrings(struc
ctx->index_key.type->name,
ctx->index_key.description);
- if (ctx->index_key.description)
- ctx->index_key.desc_len = strlen(ctx->index_key.description);
-
/* Check to see if this top-level keyring is what we are looking for
* and whether it is valid or not.
*/
@@ -870,6 +867,7 @@ key_ref_t keyring_search(key_ref_t keyri
struct keyring_search_context ctx = {
.index_key.type = type,
.index_key.description = description,
+ .index_key.desc_len = strlen(description),
.cred = current_cred(),
.match = type->match,
.match_data = description,
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -191,8 +191,7 @@ static int proc_keys_show(struct seq_fil
int rc;
struct keyring_search_context ctx = {
- .index_key.type = key->type,
- .index_key.description = key->description,
+ .index_key = key->index_key,
.cred = m->file->f_cred,
.match = lookup_user_key_possessed,
.match_data = key,
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -561,6 +561,7 @@ struct key *request_key_and_link(struct
struct keyring_search_context ctx = {
.index_key.type = type,
.index_key.description = description,
+ .index_key.desc_len = strlen(description),
.cred = current_cred(),
.match = type->match,
.match_data = description,
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -233,7 +233,7 @@ struct key *key_get_instantiation_authke
struct key *authkey;
key_ref_t authkey_ref;
- sprintf(description, "%x", target_id);
+ ctx.index_key.desc_len = sprintf(description, "%x", target_id);
authkey_ref = search_process_keyrings(&ctx);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 172/202] mdio_bus: Fix use-after-free on device_register fails
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (191 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 149/202] batman-adv: fix uninit-value in batadv_interface_tx() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 175/202] mmc: tmio_mmc_core: don't claim spurious interrupts Ben Hutchings
` (9 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David S. Miller, YueHaibing, Andrew Lunn
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: YueHaibing <yuehaibing@huawei.com>
commit 6ff7b060535e87c2ae14dd8548512abfdda528fb upstream.
KASAN has found use-after-free in fixed_mdio_bus_init,
commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call
put_device on device_register() failure") call put_device()
while device_register() fails,give up the last reference
to the device and allow mdiobus_release to be executed
,kfreeing the bus. However in most drives, mdiobus_free
be called to free the bus while mdiobus_register fails.
use-after-free occurs when access bus again, this patch
revert it to let mdiobus_free free the bus.
KASAN report details as below:
BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524
CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xfa/0x1ce lib/dump_stack.c:113
print_address_description+0x65/0x270 mm/kasan/report.c:187
kasan_report+0x149/0x18d mm/kasan/report.c:317
mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
? 0xffffffffc0e40000
? 0xffffffffc0e40000
? 0xffffffffc0e40000
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
Allocated by task 3524:
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
kmalloc include/linux/slab.h:545 [inline]
kzalloc include/linux/slab.h:740 [inline]
mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 3524:
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
slab_free_hook mm/slub.c:1409 [inline]
slab_free_freelist_hook mm/slub.c:1436 [inline]
slab_free mm/slub.c:2986 [inline]
kfree+0xe1/0x270 mm/slub.c:3938
device_release+0x78/0x200 drivers/base/core.c:919
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:67 [inline]
kobject_put+0x146/0x240 lib/kobject.c:708
put_device+0x1c/0x30 drivers/base/core.c:2060
__mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8881dc824c80
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 248 bytes inside of
2048-byte region [ffff8881dc824c80, ffff8881dc825480)
The buggy address belongs to the page:
page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/phy/mdio_bus.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -261,7 +261,6 @@ int mdiobus_register(struct mii_bus *bus
err = device_register(&bus->dev);
if (err) {
pr_err("mii_bus %s failed to register\n", bus->id);
- put_device(&bus->dev);
return -EINVAL;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 174/202] mmc: spi: Fix card detection during probe
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (35 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 012/202] USB: storage: add quirk for SMI SM3350 Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 065/202] net/mlx4_core: Add masking for a few queries on HCA caps Ben Hutchings
` (165 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Ulf Hansson, Jonathan Neuschäfer,
Linus Walleij
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
commit c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6 upstream.
When using the mmc_spi driver with a card-detect pin, I noticed that the
card was not detected immediately after probe, but only after it was
unplugged and plugged back in (and the CD IRQ fired).
The call tree looks something like this:
mmc_spi_probe
mmc_add_host
mmc_start_host
_mmc_detect_change
mmc_schedule_delayed_work(&host->detect, 0)
mmc_rescan
host->bus_ops->detect(host)
mmc_detect
_mmc_detect_card_removed
host->ops->get_cd(host)
mmc_gpio_get_cd -> -ENOSYS (ctx->cd_gpio not set)
mmc_gpiod_request_cd
ctx->cd_gpio = desc
To fix this issue, call mmc_detect_change after the card-detect GPIO/IRQ
is registered.
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mmc/host/mmc_spi.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mmc/host/mmc_spi.c
+++ b/drivers/mmc/host/mmc_spi.c
@@ -1438,6 +1438,7 @@ static int mmc_spi_probe(struct spi_devi
goto fail_add_host;
mmc_gpiod_request_cd_irq(mmc);
}
+ mmc_detect_change(mmc, 0);
if (host->pdata && host->pdata->flags & MMC_SPI_USE_RO_GPIO) {
has_ro = true;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 005/202] mfd: tps6586x: Handle interrupts on suspend
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (196 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 197/202] brcmfmac: revise handling events in receive path Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 089/202] dmaengine: bcm2835: Fix abort of transactions Ben Hutchings
` (4 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Jonathan Hunter, Thierry Reding,
Dmitry Osipenko, Lee Jones
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Hunter <jonathanh@nvidia.com>
commit ac4ca4b9f4623ba5e1ea7a582f286567c611e027 upstream.
The tps6586x driver creates an irqchip that is used by its various child
devices for managing interrupts. The tps6586x-rtc device is one of its
children that uses the tps6586x irqchip. When using the tps6586x-rtc as
a wake-up device from suspend, the following is seen:
PM: Syncing filesystems ... done.
Freezing user space processes ... (elapsed 0.001 seconds) done.
OOM killer disabled.
Freezing remaining freezable tasks ... (elapsed 0.000 seconds) done.
Disabling non-boot CPUs ...
Entering suspend state LP1
Enabling non-boot CPUs ...
CPU1 is up
tps6586x 3-0034: failed to read interrupt status
tps6586x 3-0034: failed to read interrupt status
The reason why the tps6586x interrupt status cannot be read is because
the tps6586x interrupt is not masked during suspend and when the
tps6586x-rtc interrupt occurs, to wake-up the device, the interrupt is
seen before the i2c controller has been resumed in order to read the
tps6586x interrupt status.
The tps6586x-rtc driver sets it's interrupt as a wake-up source during
suspend, which gets propagated to the parent tps6586x interrupt.
However, the tps6586x-rtc driver cannot disable it's interrupt during
suspend otherwise we would never be woken up and so the tps6586x must
disable it's interrupt instead.
Prevent the tps6586x interrupt handler from executing on exiting suspend
before the i2c controller has been resumed by disabling the tps6586x
interrupt on entering suspend and re-enabling it on resuming from
suspend.
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
Tested-by: Dmitry Osipenko <digetx@gmail.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mfd/tps6586x.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
--- a/drivers/mfd/tps6586x.c
+++ b/drivers/mfd/tps6586x.c
@@ -601,6 +601,29 @@ static int tps6586x_i2c_remove(struct i2
return 0;
}
+static int __maybe_unused tps6586x_i2c_suspend(struct device *dev)
+{
+ struct tps6586x *tps6586x = dev_get_drvdata(dev);
+
+ if (tps6586x->client->irq)
+ disable_irq(tps6586x->client->irq);
+
+ return 0;
+}
+
+static int __maybe_unused tps6586x_i2c_resume(struct device *dev)
+{
+ struct tps6586x *tps6586x = dev_get_drvdata(dev);
+
+ if (tps6586x->client->irq)
+ enable_irq(tps6586x->client->irq);
+
+ return 0;
+}
+
+static SIMPLE_DEV_PM_OPS(tps6586x_pm_ops, tps6586x_i2c_suspend,
+ tps6586x_i2c_resume);
+
static const struct i2c_device_id tps6586x_id_table[] = {
{ "tps6586x", 0 },
{ },
@@ -612,6 +635,7 @@ static struct i2c_driver tps6586x_driver
.name = "tps6586x",
.owner = THIS_MODULE,
.of_match_table = of_match_ptr(tps6586x_of_match),
+ .pm = &tps6586x_pm_ops,
},
.probe = tps6586x_i2c_probe,
.remove = tps6586x_i2c_remove,
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 173/202] net/x25: fix a race in x25_bind()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (84 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 141/202] Input: elantech - force needed quirks on Fujitsu H760 Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 062/202] ARM: pxa: ssp: unneeded to free devm_ allocated data Ben Hutchings
` (116 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David S. Miller, Eric Dumazet, andrew hendry
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 797a22bd5298c2674d927893f46cadf619dad11d upstream.
syzbot was able to trigger another soft lockup [1]
I first thought it was the O(N^2) issue I mentioned in my
prior fix (f657d22ee1f "net/x25: do not hold the cpu
too long in x25_new_lci()"), but I eventually found
that x25_bind() was not checking SOCK_ZAPPED state under
socket lock protection.
This means that multiple threads can end up calling
x25_insert_socket() for the same socket, and corrupt x25_list
[1]
watchdog: BUG: soft lockup - CPU#0 stuck for 123s! [syz-executor.2:10492]
Modules linked in:
irq event stamp: 27515
hardirqs last enabled at (27514): [<ffffffff81006673>] trace_hardirqs_on_thunk+0x1a/0x1c
hardirqs last disabled at (27515): [<ffffffff8100668f>] trace_hardirqs_off_thunk+0x1a/0x1c
softirqs last enabled at (32): [<ffffffff8632ee73>] x25_get_neigh+0xa3/0xd0 net/x25/x25_link.c:336
softirqs last disabled at (34): [<ffffffff86324bc3>] x25_find_socket+0x23/0x140 net/x25/af_x25.c:341
CPU: 0 PID: 10492 Comm: syz-executor.2 Not tainted 5.0.0-rc7+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__sanitizer_cov_trace_pc+0x4/0x50 kernel/kcov.c:97
Code: f4 ff ff ff e8 11 9f ea ff 48 c7 05 12 fb e5 08 00 00 00 00 e9 c8 e9 ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 <48> 8b 75 08 65 48 8b 04 25 40 ee 01 00 65 8b 15 38 0c 92 7e 81 e2
RSP: 0018:ffff88806e94fc48 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffff1100d84dac5 RBX: 0000000000000001 RCX: ffffc90006197000
RDX: 0000000000040000 RSI: ffffffff86324bf3 RDI: ffff88806c26d628
RBP: ffff88806e94fc48 R08: ffff88806c1c6500 R09: fffffbfff1282561
R10: fffffbfff1282560 R11: ffffffff89412b03 R12: ffff88806c26d628
R13: ffff888090455200 R14: dffffc0000000000 R15: 0000000000000000
FS: 00007f3a107e4700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3a107e3db8 CR3: 00000000a5544000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__x25_find_socket net/x25/af_x25.c:327 [inline]
x25_find_socket+0x7d/0x140 net/x25/af_x25.c:342
x25_new_lci net/x25/af_x25.c:355 [inline]
x25_connect+0x380/0xde0 net/x25/af_x25.c:784
__sys_connect+0x266/0x330 net/socket.c:1662
__do_sys_connect net/socket.c:1673 [inline]
__se_sys_connect net/socket.c:1670 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:1670
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457e29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3a107e3c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29
RDX: 0000000000000012 RSI: 0000000020000200 RDI: 0000000000000005
RBP: 000000000073c040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3a107e46d4
R13: 00000000004be362 R14: 00000000004ceb98 R15: 00000000ffffffff
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 10493 Comm: syz-executor.3 Not tainted 5.0.0-rc7+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline]
RIP: 0010:queued_write_lock_slowpath+0x143/0x290 kernel/locking/qrwlock.c:86
Code: 4c 8d 2c 01 41 83 c7 03 41 0f b6 45 00 41 38 c7 7c 08 84 c0 0f 85 0c 01 00 00 8b 03 3d 00 01 00 00 74 1a f3 90 41 0f b6 55 00 <41> 38 d7 7c eb 84 d2 74 e7 48 89 df e8 cc aa 4e 00 eb dd be 04 00
RSP: 0018:ffff888085c47bd8 EFLAGS: 00000206
RAX: 0000000000000300 RBX: ffffffff89412b00 RCX: 1ffffffff1282560
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff89412b00
RBP: ffff888085c47c70 R08: 1ffffffff1282560 R09: fffffbfff1282561
R10: fffffbfff1282560 R11: ffffffff89412b03 R12: 00000000000000ff
R13: fffffbfff1282560 R14: 1ffff11010b88f7d R15: 0000000000000003
FS: 00007fdd04086700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdd04064db8 CR3: 0000000090be0000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
queued_write_lock include/asm-generic/qrwlock.h:104 [inline]
do_raw_write_lock+0x1d6/0x290 kernel/locking/spinlock_debug.c:203
__raw_write_lock_bh include/linux/rwlock_api_smp.h:204 [inline]
_raw_write_lock_bh+0x3b/0x50 kernel/locking/spinlock.c:312
x25_insert_socket+0x21/0xe0 net/x25/af_x25.c:267
x25_bind+0x273/0x340 net/x25/af_x25.c:703
__sys_bind+0x23f/0x290 net/socket.c:1481
__do_sys_bind net/socket.c:1492 [inline]
__se_sys_bind net/socket.c:1490 [inline]
__x64_sys_bind+0x73/0xb0 net/socket.c:1490
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457e29
Fixes: 90c27297a9bf ("X.25 remove bkl in bind")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: andrew hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/x25/af_x25.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -680,8 +680,7 @@ static int x25_bind(struct socket *sock,
struct sockaddr_x25 *addr = (struct sockaddr_x25 *)uaddr;
int len, i, rc = 0;
- if (!sock_flag(sk, SOCK_ZAPPED) ||
- addr_len != sizeof(struct sockaddr_x25) ||
+ if (addr_len != sizeof(struct sockaddr_x25) ||
addr->sx25_family != AF_X25) {
rc = -EINVAL;
goto out;
@@ -696,9 +695,13 @@ static int x25_bind(struct socket *sock,
}
lock_sock(sk);
- x25_sk(sk)->source_addr = addr->sx25_addr;
- x25_insert_socket(sk);
- sock_reset_flag(sk, SOCK_ZAPPED);
+ if (sock_flag(sk, SOCK_ZAPPED)) {
+ x25_sk(sk)->source_addr = addr->sx25_addr;
+ x25_insert_socket(sk);
+ sock_reset_flag(sk, SOCK_ZAPPED);
+ } else {
+ rc = -EINVAL;
+ }
release_sock(sk);
SOCK_DEBUG(sk, "x25_bind: socket is bound\n");
out:
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 167/202] tmpfs: fix link accounting when a tmpfile is linked in
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (66 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 190/202] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 170/202] KEYS: restrict /proc/keys by credentials at open time Ben Hutchings
` (134 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Linus Torvalds, Matej Kupljen,
Hugh Dickins, Al Viro, Darrick J. Wong
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Darrick J. Wong" <darrick.wong@oracle.com>
commit 1062af920c07f5b54cf5060fde3339da6df0cf6b upstream.
tmpfs has a peculiarity of accounting hard links as if they were
separate inodes: so that when the number of inodes is limited, as it is
by default, a user cannot soak up an unlimited amount of unreclaimable
dcache memory just by repeatedly linking a file.
But when v3.11 added O_TMPFILE, and the ability to use linkat() on the
fd, we missed accommodating this new case in tmpfs: "df -i" shows that
an extra "inode" remains accounted after the file is unlinked and the fd
closed and the actual inode evicted. If a user repeatedly links
tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they
are deleted.
Just skip the extra reservation from shmem_link() in this case: there's
a sense in which this first link of a tmpfile is then cheaper than a
hard link of another file, but the accounting works out, and there's
still good limiting, so no need to do anything more complicated.
Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils
Fixes: f4e0c30c191 ("allow the temp files created by open() to be linked to")
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Matej Kupljen <matej.kupljen@gmail.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/shmem.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2013,10 +2013,14 @@ static int shmem_link(struct dentry *old
* No ordinary (disk based) filesystem counts links as inodes;
* but each new link needs a new dentry, pinning lowmem, and
* tmpfs dentries cannot be pruned until they are unlinked.
+ * But if an O_TMPFILE file is linked into the tmpfs, the
+ * first link must skip that, to get the accounting right.
*/
- ret = shmem_reserve_inode(inode->i_sb);
- if (ret)
- goto out;
+ if (inode->i_nlink) {
+ ret = shmem_reserve_inode(inode->i_sb);
+ if (ret)
+ goto out;
+ }
dir->i_size += BOGO_DIRENT_SIZE;
inode->i_ctime = dir->i_ctime = dir->i_mtime = CURRENT_TIME;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 162/202] KEYS: allow reaching the keys quotas exactly
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (113 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 139/202] sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 033/202] omap2fb: Fix stack memory disclosure Ben Hutchings
` (87 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, James Morris, Eric Biggers, David Howells
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit a08bf91ce28ed3ae7b6fef35d843fef8dc8c2cd9 upstream.
If the sysctl 'kernel.keys.maxkeys' is set to some number n, then
actually users can only add up to 'n - 1' keys. Likewise for
'kernel.keys.maxbytes' and the root_* versions of these sysctls. But
these sysctls are apparently supposed to be *maximums*, as per their
names and all documentation I could find -- the keyrings(7) man page,
Documentation/security/keys/core.rst, and all the mentions of EDQUOT
meaning that the key quota was *exceeded* (as opposed to reached).
Thus, fix the code to allow reaching the quotas exactly.
Fixes: 0b77f5bfb45c ("keys: make the keyring quotas controllable through /proc/sys")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/key.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -260,8 +260,8 @@ struct key *key_alloc(struct key_type *t
spin_lock(&user->lock);
if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
- if (user->qnkeys + 1 >= maxkeys ||
- user->qnbytes + quotalen >= maxbytes ||
+ if (user->qnkeys + 1 > maxkeys ||
+ user->qnbytes + quotalen > maxbytes ||
user->qnbytes + quotalen < user->qnbytes)
goto no_quota;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 168/202] ARC: U-boot: check arguments paranoidly
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (147 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 009/202] USB: serial: simple: add Motorola Tetra TPG2200 device id Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 031/202] CIFS: Do not hide EINTR after sending network packets Ben Hutchings
` (53 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Eugeniy Paltsev, Vineet Gupta, Corentin LABBE
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
commit a66f2e57bd566240d8b3884eedf503928fbbe557 upstream.
Handle U-boot arguments paranoidly:
* don't allow to pass unknown tag.
* try to use external device tree blob only if corresponding tag
(TAG_DTB) is set.
* don't check uboot_tag if kernel build with no ARC_UBOOT_SUPPORT.
NOTE:
If U-boot args are invalid we skip them and try to use embedded device
tree blob. We can't panic on invalid U-boot args as we really pass
invalid args due to bug in U-boot code.
This happens if we don't provide external DTB to U-boot and
don't set 'bootargs' U-boot environment variable (which is default
case at least for HSDK board) In that case we will pass
{r0 = 1 (bootargs in r2); r1 = 0; r2 = 0;} to linux which is invalid.
While I'm at it refactor U-boot arguments handling code.
Tested-by: Corentin LABBE <clabbe@baylibre.com>
Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arc/kernel/head.S | 4 +-
arch/arc/kernel/setup.c | 87 +++++++++++++++++++++++++++++------------
2 files changed, 64 insertions(+), 27 deletions(-)
--- a/arch/arc/kernel/head.S
+++ b/arch/arc/kernel/head.S
@@ -85,9 +85,9 @@ stext:
; Uboot - kernel ABI
; r0 = [0] No uboot interaction, [1] cmdline in r2, [2] DTB in r2
- ; r1 = magic number (board identity, unused as of now
+ ; r1 = magic number (always zero as of now)
; r2 = pointer to uboot provided cmdline or external DTB in mem
- ; These are handled later in setup_arch()
+ ; These are handled later in handle_uboot_args()
st r0, [@uboot_tag]
st r2, [@uboot_arg]
--- a/arch/arc/kernel/setup.c
+++ b/arch/arc/kernel/setup.c
@@ -314,40 +314,78 @@ void setup_processor(void)
arc_chk_fpu();
}
-static inline int is_kernel(unsigned long addr)
+static inline bool uboot_arg_invalid(unsigned long addr)
{
- if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
- return 1;
- return 0;
+ /*
+ * Check that it is a untranslated address (although MMU is not enabled
+ * yet, it being a high address ensures this is not by fluke)
+ */
+ if (addr < PAGE_OFFSET)
+ return true;
+
+ /* Check that address doesn't clobber resident kernel image */
+ return addr >= (unsigned long)_stext && addr <= (unsigned long)_end;
}
-void __init setup_arch(char **cmdline_p)
+#define IGNORE_ARGS "Ignore U-boot args: "
+
+/* uboot_tag values for U-boot - kernel ABI revision 0; see head.S */
+#define UBOOT_TAG_NONE 0
+#define UBOOT_TAG_CMDLINE 1
+#define UBOOT_TAG_DTB 2
+
+void __init handle_uboot_args(void)
{
- /* make sure that uboot passed pointer to cmdline/dtb is valid */
- if (uboot_tag && is_kernel((unsigned long)uboot_arg))
- panic("Invalid uboot arg\n");
-
- /* See if u-boot passed an external Device Tree blob */
- machine_desc = setup_machine_fdt(uboot_arg); /* uboot_tag == 2 */
- if (!machine_desc) {
- /* No, so try the embedded one */
+ bool use_embedded_dtb = true;
+ bool append_cmdline = false;
+
+ /* check that we know this tag */
+ if (uboot_tag != UBOOT_TAG_NONE &&
+ uboot_tag != UBOOT_TAG_CMDLINE &&
+ uboot_tag != UBOOT_TAG_DTB) {
+ pr_warn(IGNORE_ARGS "invalid uboot tag: '%08x'\n", uboot_tag);
+ goto ignore_uboot_args;
+ }
+
+ if (uboot_tag != UBOOT_TAG_NONE &&
+ uboot_arg_invalid((unsigned long)uboot_arg)) {
+ pr_warn(IGNORE_ARGS "invalid uboot arg: '%px'\n", uboot_arg);
+ goto ignore_uboot_args;
+ }
+
+ /* see if U-boot passed an external Device Tree blob */
+ if (uboot_tag == UBOOT_TAG_DTB) {
+ machine_desc = setup_machine_fdt((void *)uboot_arg);
+
+ /* external Device Tree blob is invalid - use embedded one */
+ use_embedded_dtb = !machine_desc;
+ }
+
+ if (uboot_tag == UBOOT_TAG_CMDLINE)
+ append_cmdline = true;
+
+ignore_uboot_args:
+
+ if (use_embedded_dtb) {
machine_desc = setup_machine_fdt(__dtb_start);
if (!machine_desc)
panic("Embedded DT invalid\n");
+ }
- /*
- * If we are here, it is established that @uboot_arg didn't
- * point to DT blob. Instead if u-boot says it is cmdline,
- * Appent to embedded DT cmdline.
- * setup_machine_fdt() would have populated @boot_command_line
- */
- if (uboot_tag == 1) {
- /* Ensure a whitespace between the 2 cmdlines */
- strlcat(boot_command_line, " ", COMMAND_LINE_SIZE);
- strlcat(boot_command_line, uboot_arg,
- COMMAND_LINE_SIZE);
- }
+ /*
+ * NOTE: @boot_command_line is populated by setup_machine_fdt() so this
+ * append processing can only happen after.
+ */
+ if (append_cmdline) {
+ /* Ensure a whitespace between the 2 cmdlines */
+ strlcat(boot_command_line, " ", COMMAND_LINE_SIZE);
+ strlcat(boot_command_line, uboot_arg, COMMAND_LINE_SIZE);
}
+}
+
+void __init setup_arch(char **cmdline_p)
+{
+ handle_uboot_args();
/* Save unparsed command line copy for /proc/cmdline */
*cmdline_p = boot_command_line;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 083/202] mm, oom: fix use-after-free in oom_kill_process
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (118 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 144/202] alpha: fix page fault handling for r16-r18 targets Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 028/202] crypto: authenc - fix parsing key with misaligned rta_len Ben Hutchings
` (82 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David Rientjes,
syzbot+7fbbfa368521945f0e3d, Roman Gushchin, Shakeel Butt,
Tetsuo Handa, Linus Torvalds, Michal Hocko, Johannes Weiner
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shakeel Butt <shakeelb@google.com>
commit cefc7ef3c87d02fc9307835868ff721ea12cc597 upstream.
Syzbot instance running on upstream kernel found a use-after-free bug in
oom_kill_process. On further inspection it seems like the process
selected to be oom-killed has exited even before reaching
read_lock(&tasklist_lock) in oom_kill_process(). More specifically the
tsk->usage is 1 which is due to get_task_struct() in oom_evaluate_task()
and the put_task_struct within for_each_thread() frees the tsk and
for_each_thread() tries to access the tsk. The easiest fix is to do
get/put across the for_each_thread() on the selected task.
Now the next question is should we continue with the oom-kill as the
previously selected task has exited? However before adding more
complexity and heuristics, let's answer why we even look at the children
of oom-kill selected task? The select_bad_process() has already selected
the worst process in the system/memcg. Due to race, the selected
process might not be the worst at the kill time but does that matter?
The userspace can use the oom_score_adj interface to prefer children to
be killed before the parent. I looked at the history but it seems like
this is there before git history.
Link: http://lkml.kernel.org/r/20190121215850.221745-1-shakeelb@google.com
Reported-by: syzbot+7fbbfa368521945f0e3d@syzkaller.appspotmail.com
Fixes: 6b0c81b3be11 ("mm, oom: reduce dependency on tasklist_lock")
Signed-off-by: Shakeel Butt <shakeelb@google.com>
Reviewed-by: Roman Gushchin <guro@fb.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/oom_kill.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/mm/oom_kill.c
+++ b/mm/oom_kill.c
@@ -466,6 +466,13 @@ void oom_kill_process(struct task_struct
* still freeing memory.
*/
read_lock(&tasklist_lock);
+
+ /*
+ * The task 'p' might have already exited before reaching here. The
+ * put_task_struct() will free task_struct 'p' while the loop still try
+ * to access the field of 'p', so, get an extra reference.
+ */
+ get_task_struct(p);
for_each_thread(p, t) {
list_for_each_entry(child, &t->children, sibling) {
unsigned int child_points;
@@ -485,6 +492,7 @@ void oom_kill_process(struct task_struct
}
}
}
+ put_task_struct(p);
read_unlock(&tasklist_lock);
p = find_lock_task_mm(victim);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 165/202] ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (74 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 159/202] dm thin: fix bug where bio that overwrites thin block ignores FUA Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 154/202] x86/a.out: Clear the dump structure initially Ben Hutchings
` (126 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Yan, Zheng, Ilya Dryomov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Yan, Zheng" <zyan@redhat.com>
commit 04242ff3ac0abbaa4362f97781dac268e6c3541a upstream.
Otherwise, mdsc->snap_flush_list may get corrupted.
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ceph/snap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ceph/snap.c
+++ b/fs/ceph/snap.c
@@ -579,7 +579,8 @@ int __ceph_finish_cap_snap(struct ceph_i
capsnap->size);
spin_lock(&mdsc->snap_flush_lock);
- list_add_tail(&ci->i_snap_flush_item, &mdsc->snap_flush_list);
+ if (list_empty(&ci->i_snap_flush_item))
+ list_add_tail(&ci->i_snap_flush_item, &mdsc->snap_flush_list);
spin_unlock(&mdsc->snap_flush_lock);
return 1; /* caller may want to ceph_flush_snaps */
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 087/202] dmaengine: bcm2835: add additional defines for DMA-registers
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (5 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 021/202] scsi: sd: Fix cache_type_store() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 035/202] s390/mm: always force a load of the primary ASCE on context switch Ben Hutchings
` (195 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Vinod Koul, Martin Sperl, Eric Anholt
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Martin Sperl <kernel@martin.sperl.org>
commit e42685d7a7d5afa6278561ffd85c475eae246be3 upstream.
Add additional defines describing the DMA registers
as well as adding some more documentation to those registers.
Signed-off-by: Martin Sperl <kernel@martin.sperl.org>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
[bwh: Backported to 3.16 as dependency of commit 9e528c799d17
"dmaengine: bcm2835: Fix abort of transactions"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/dma/bcm2835-dma.c | 57 +++++++++++++++++++++++++++++++++------
1 file changed, 49 insertions(+), 8 deletions(-)
--- a/drivers/dma/bcm2835-dma.c
+++ b/drivers/dma/bcm2835-dma.c
@@ -91,26 +91,67 @@ struct bcm2835_desc {
#define BCM2835_DMA_CS 0x00
#define BCM2835_DMA_ADDR 0x04
+#define BCM2835_DMA_TI 0x08
#define BCM2835_DMA_SOURCE_AD 0x0c
#define BCM2835_DMA_DEST_AD 0x10
-#define BCM2835_DMA_NEXTCB 0x1C
+#define BCM2835_DMA_LEN 0x14
+#define BCM2835_DMA_STRIDE 0x18
+#define BCM2835_DMA_NEXTCB 0x1c
+#define BCM2835_DMA_DEBUG 0x20
/* DMA CS Control and Status bits */
-#define BCM2835_DMA_ACTIVE BIT(0)
-#define BCM2835_DMA_INT BIT(2)
+#define BCM2835_DMA_ACTIVE BIT(0) /* activate the DMA */
+#define BCM2835_DMA_END BIT(1) /* current CB has ended */
+#define BCM2835_DMA_INT BIT(2) /* interrupt status */
+#define BCM2835_DMA_DREQ BIT(3) /* DREQ state */
#define BCM2835_DMA_ISPAUSED BIT(4) /* Pause requested or not active */
#define BCM2835_DMA_ISHELD BIT(5) /* Is held by DREQ flow control */
-#define BCM2835_DMA_ERR BIT(8)
+#define BCM2835_DMA_WAITING_FOR_WRITES BIT(6) /* waiting for last
+ * AXI-write to ack
+ */
+#define BCM2835_DMA_ERR BIT(8)
+#define BCM2835_DMA_PRIORITY(x) ((x & 15) << 16) /* AXI priority */
+#define BCM2835_DMA_PANIC_PRIORITY(x) ((x & 15) << 20) /* panic priority */
+/* current value of TI.BCM2835_DMA_WAIT_RESP */
+#define BCM2835_DMA_WAIT_FOR_WRITES BIT(28)
+#define BCM2835_DMA_DIS_DEBUG BIT(29) /* disable debug pause signal */
#define BCM2835_DMA_ABORT BIT(30) /* Stop current CB, go to next, WO */
#define BCM2835_DMA_RESET BIT(31) /* WO, self clearing */
+/* Transfer information bits - also bcm2835_cb.info field */
#define BCM2835_DMA_INT_EN BIT(0)
+#define BCM2835_DMA_TDMODE BIT(1) /* 2D-Mode */
+#define BCM2835_DMA_WAIT_RESP BIT(3) /* wait for AXI-write to be acked */
#define BCM2835_DMA_D_INC BIT(4)
-#define BCM2835_DMA_D_DREQ BIT(6)
+#define BCM2835_DMA_D_WIDTH BIT(5) /* 128bit writes if set */
+#define BCM2835_DMA_D_DREQ BIT(6) /* enable DREQ for destination */
+#define BCM2835_DMA_D_IGNORE BIT(7) /* ignore destination writes */
#define BCM2835_DMA_S_INC BIT(8)
-#define BCM2835_DMA_S_DREQ BIT(10)
+#define BCM2835_DMA_S_WIDTH BIT(9) /* 128bit writes if set */
+#define BCM2835_DMA_S_DREQ BIT(10) /* enable SREQ for source */
+#define BCM2835_DMA_S_IGNORE BIT(11) /* ignore source reads - read 0 */
+#define BCM2835_DMA_BURST_LENGTH(x) ((x & 15) << 12)
+#define BCM2835_DMA_PER_MAP(x) ((x & 31) << 16) /* REQ source */
+#define BCM2835_DMA_WAIT(x) ((x & 31) << 21) /* add DMA-wait cycles */
+#define BCM2835_DMA_NO_WIDE_BURSTS BIT(26) /* no 2 beat write bursts */
-#define BCM2835_DMA_PER_MAP(x) ((x) << 16)
+/* debug register bits */
+#define BCM2835_DMA_DEBUG_LAST_NOT_SET_ERR BIT(0)
+#define BCM2835_DMA_DEBUG_FIFO_ERR BIT(1)
+#define BCM2835_DMA_DEBUG_READ_ERR BIT(2)
+#define BCM2835_DMA_DEBUG_OUTSTANDING_WRITES_SHIFT 4
+#define BCM2835_DMA_DEBUG_OUTSTANDING_WRITES_BITS 4
+#define BCM2835_DMA_DEBUG_ID_SHIFT 16
+#define BCM2835_DMA_DEBUG_ID_BITS 9
+#define BCM2835_DMA_DEBUG_STATE_SHIFT 16
+#define BCM2835_DMA_DEBUG_STATE_BITS 9
+#define BCM2835_DMA_DEBUG_VERSION_SHIFT 25
+#define BCM2835_DMA_DEBUG_VERSION_BITS 3
+#define BCM2835_DMA_DEBUG_LITE BIT(28)
+
+/* shared registers for all dma channels */
+#define BCM2835_DMA_INT_STATUS 0xfe0
+#define BCM2835_DMA_ENABLE 0xff0
#define BCM2835_DMA_DATA_TYPE_S8 1
#define BCM2835_DMA_DATA_TYPE_S16 2
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 098/202] s390/qeth: conclude all event processing before offlining a card
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (22 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 069/202] kallsyms: Handle too long symbols in kallsyms.c Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 085/202] mm: migrate: don't rely on __PageMovable() of newpage after unlocking it Ben Hutchings
` (178 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David S. Miller, Julian Wiedmann
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann <jwi@linux.ibm.com>
commit c0a2e4d10d9366ada133a8ae4ff2f32397f8b15b upstream.
Work for Bridgeport events is currently placed on a driver-wide
workqueue. If the card is removed and freed while any such work is still
active, this causes a use-after-free.
So put the events on a per-card queue, where we can control their
lifetime. As we also don't want stale events to last beyond an
offline & online cycle, flush this queue when setting the card offline.
Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- Add gdev parameter to qeth_alloc_card(), as done upstream by commit
121ca39aa558 "s390/qeth: uninstall IRQ handler on device removal"
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/s390/net/qeth_core.h | 2 +-
drivers/s390/net/qeth_core_main.c | 10 ++++++++--
drivers/s390/net/qeth_l2_main.c | 6 ++++--
drivers/s390/net/qeth_l3_main.c | 2 ++
4 files changed, 15 insertions(+), 5 deletions(-)
--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -793,6 +793,7 @@ struct qeth_card {
struct qeth_seqno seqno;
struct qeth_card_options options;
+ struct workqueue_struct *event_wq;
wait_queue_head_t wait_q;
spinlock_t vlanlock;
spinlock_t mclock;
@@ -903,7 +904,6 @@ extern const struct attribute_group *qet
extern const struct attribute_group qeth_device_attr_group;
extern const struct attribute_group qeth_device_blkt_group;
extern const struct device_type qeth_generic_devtype;
-extern struct workqueue_struct *qeth_wq;
const char *qeth_get_cardname_short(struct qeth_card *);
int qeth_realloc_buffer_pool(struct qeth_card *, int);
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -67,8 +67,7 @@ static void qeth_notify_skbs(struct qeth
static void qeth_release_skbs(struct qeth_qdio_out_buffer *buf);
static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *, int);
-struct workqueue_struct *qeth_wq;
-EXPORT_SYMBOL_GPL(qeth_wq);
+static struct workqueue_struct *qeth_wq;
static void qeth_close_dev_handler(struct work_struct *work)
{
@@ -1497,7 +1496,7 @@ static void qeth_core_sl_print(struct se
CARD_BUS_ID(card), card->info.mcl_level);
}
-static struct qeth_card *qeth_alloc_card(void)
+static struct qeth_card *qeth_alloc_card(struct ccwgroup_device *gdev)
{
struct qeth_card *card;
@@ -1511,6 +1510,10 @@ static struct qeth_card *qeth_alloc_card
QETH_DBF_TEXT(SETUP, 0, "iptbdnom");
goto out_card;
}
+
+ card->event_wq = alloc_ordered_workqueue("%s", 0, dev_name(&gdev->dev));
+ if (!card->event_wq)
+ goto out_wq;
if (qeth_setup_channel(&card->read))
goto out_ip;
if (qeth_setup_channel(&card->write))
@@ -1523,6 +1526,8 @@ static struct qeth_card *qeth_alloc_card
out_channel:
qeth_clean_channel(&card->read);
out_ip:
+ destroy_workqueue(card->event_wq);
+out_wq:
kfree(card->ip_tbd_list);
out_card:
kfree(card);
@@ -4869,6 +4874,7 @@ static void qeth_core_free_card(struct q
QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *));
qeth_clean_channel(&card->read);
qeth_clean_channel(&card->write);
+ destroy_workqueue(card->event_wq);
kfree(card->ip_tbd_list);
qeth_free_qdio_buffers(card);
unregister_service_level(&card->qeth_service_level);
@@ -5332,7 +5338,7 @@ static int qeth_core_probe_device(struct
QETH_DBF_TEXT_(SETUP, 2, "%s", dev_name(&gdev->dev));
- card = qeth_alloc_card();
+ card = qeth_alloc_card(gdev);
if (!card) {
QETH_DBF_TEXT_(SETUP, 2, "1err%d", -ENOMEM);
rc = -ENOMEM;
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -407,6 +407,8 @@ static int qeth_l2_stop_card(struct qeth
qeth_clear_cmd_buffers(&card->read);
qeth_clear_cmd_buffers(&card->write);
}
+
+ flush_workqueue(card->event_wq);
return rc;
}
@@ -1542,7 +1544,7 @@ static void qeth_bridge_state_change(str
data->card = card;
memcpy(&data->qports, qports,
sizeof(struct qeth_sbp_state_change) + extrasize);
- queue_work(qeth_wq, &data->worker);
+ queue_work(card->event_wq, &data->worker);
}
struct qeth_bridge_host_data {
@@ -1614,7 +1616,7 @@ static void qeth_bridge_host_event(struc
data->card = card;
memcpy(&data->hostevs, hostevs,
sizeof(struct qeth_ipacmd_addr_change) + extrasize);
- queue_work(qeth_wq, &data->worker);
+ queue_work(card->event_wq, &data->worker);
}
/* SETBRIDGEPORT support; sending commands */
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -2180,6 +2180,8 @@ static int qeth_l3_stop_card(struct qeth
qeth_clear_cmd_buffers(&card->read);
qeth_clear_cmd_buffers(&card->write);
}
+
+ flush_workqueue(card->event_wq);
return rc;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 101/202] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (87 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 113/202] frv: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 018/202] packet: validate address length if non-zero Ben Hutchings
` (113 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Deepak Rawat, Thomas Hellstrom
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Hellstrom <thellstrom@vmware.com>
commit 728354c005c36eaf44b6e5552372b67e60d17f56 upstream.
The function was unconditionally returning 0, and a caller would have to
rely on the returned fence pointer being NULL to detect errors. However,
the function vmw_execbuf_copy_fence_user() would expect a non-zero error
code in that case and would BUG otherwise.
So make sure we return a proper non-zero error code if the fence pointer
returned is NULL.
Fixes: ae2a104058e2: ("vmwgfx: Implement fence objects")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2326,7 +2326,7 @@ int vmw_execbuf_fence_commands(struct dr
*p_fence = NULL;
}
- return 0;
+ return ret;
}
/**
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 081/202] mac80211: ensure that mgmt tx skbs have tailroom for encryption
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (40 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 100/202] net: dsa: slave: Don't propagate flag changes on down slave interfaces Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 202/202] tty: mark Siemens R3964 line discipline as BROKEN Ben Hutchings
` (160 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Felix Fietkau, Johannes Berg
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@nbd.name>
commit 9d0f50b80222dc273e67e4e14410fcfa4130a90c upstream.
Some drivers use IEEE80211_KEY_FLAG_SW_MGMT_TX to indicate that management
frames need to be software encrypted. Since normal data packets are still
encrypted by the hardware, crypto_tx_tailroom_needed_cnt gets decremented
after key upload to hw. This can lead to passing skbs to ccmp_encrypt_skb,
which don't have the necessary tailroom for software encryption.
Change the code to add tailroom for encrypted management packets, even if
crypto_tx_tailroom_needed_cnt is 0.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.16: we always expand cloned skbs here; don't change that]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1465,9 +1465,16 @@ static int ieee80211_skb_resize(struct i
int head_need, bool may_encrypt)
{
struct ieee80211_local *local = sdata->local;
+ struct ieee80211_hdr *hdr;
+ bool enc_tailroom;
int tail_need = 0;
- if (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt) {
+ hdr = (struct ieee80211_hdr *) skb->data;
+ enc_tailroom = may_encrypt &&
+ (sdata->crypto_tx_tailroom_needed_cnt ||
+ ieee80211_is_mgmt(hdr->frame_control));
+
+ if (enc_tailroom) {
tail_need = IEEE80211_ENCRYPT_TAILROOM;
tail_need -= skb_tailroom(skb);
tail_need = max_t(int, tail_need, 0);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 141/202] Input: elantech - force needed quirks on Fujitsu H760
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (83 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 013/202] USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 173/202] net/x25: fix a race in x25_bind() Ben Hutchings
` (117 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Matti Kurkela, Dmitry Torokhov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matti Kurkela <Matti.Kurkela@iki.fi>
commit f9a703a54d16ba2470391c4b12236ee56591d50c upstream.
Just like Fujitsu CELSIUS H730, the H760 also has an Elantech touchpad with
the same quirks. Without this patch, the touchpad is useless out-of-the-box
as the mouse pointer won't move.
This patch makes the driver aware of both the crc_enabled=1 requirement and
the middle button, making the touchpad fully functional out-of-the-box.
Signed-off-by: Matti Kurkela <Matti.Kurkela@iki.fi>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/mouse/elantech.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1076,6 +1076,13 @@ static const struct dmi_system_id elante
DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H730"),
},
},
+ {
+ /* Fujitsu H760 also has a middle button */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"),
+ },
+ },
#endif
{ }
};
@@ -1420,6 +1427,13 @@ static const struct dmi_system_id elante
},
},
{
+ /* Fujitsu H760 does not work with crc_enabled == 0 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"),
+ },
+ },
+ {
/* Fujitsu LIFEBOOK E544 does not work with crc_enabled == 0 */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 143/202] vsock: cope with memory allocation failure at socket creation time
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (99 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 110/202] blackfin: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 093/202] dmaengine: dmatest: Abort test in case of mapping error Ben Hutchings
` (101 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Jorgen Hansen, Paolo Abeni,
Stefano Garzarella, Xiumei Mu, David S. Miller
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 225d9464268599a5b4d094d02ec17808e44c7553 upstream.
In the unlikely event that the kmalloc call in vmci_transport_socket_init()
fails, we end-up calling vmci_transport_destruct() with a NULL vmci_trans()
and oopsing.
This change addresses the above explicitly checking for zero vmci_trans()
at destruction time.
Reported-by: Xiumei Mu <xmu@redhat.com>
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/vmw_vsock/vmci_transport.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1658,6 +1658,10 @@ static void vmci_transport_cleanup(struc
static void vmci_transport_destruct(struct vsock_sock *vsk)
{
+ /* transport can be NULL if we hit a failure at init() time */
+ if (!vmci_trans(vsk))
+ return;
+
/* Ensure that the detach callback doesn't use the sk/vsk
* we are about to destruct.
*/
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 138/202] signal: Better detection of synchronous signals
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (155 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 016/202] ALSA: cs46xx: Potential NULL dereference in probe Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 126/202] s390: Use get_signal() signal_setup_done() Ben Hutchings
` (45 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Eric W. Biederman, Dmitry Vyukov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 7146db3317c67b517258cb5e1b08af387da0618b upstream.
Recently syzkaller was able to create unkillablle processes by
creating a timer that is delivered as a thread local signal on SIGHUP,
and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop failing
to deliver SIGHUP but always trying.
When the stack overflows delivery of SIGHUP fails and force_sigsegv is
called. Unfortunately because SIGSEGV is numerically higher than
SIGHUP next_signal tries again to deliver a SIGHUP.
=46roma quality of implementation standpoint attempting to deliver the
timer SIGHUP signal is wrong. We should attempt to deliver the
synchronous SIGSEGV signal we just forced.
We can make that happening in a fairly straight forward manner by
instead of just looking at the signal number we also look at the
si_code. In particular for exceptions (aka synchronous signals) the
si_code is always greater than 0.
That still has the potential to pick up a number of asynchronous
signals as in a few cases the same si_codes that are used
for synchronous signals are also used for asynchronous signals,
and SI_KERNEL is also included in the list of possible si_codes.
Still the heuristic is much better and timer signals are definitely
excluded. Which is enough to prevent all known ways for someone
sending a process signals fast enough to cause unexpected and
arguably incorrect behavior.
Fixes: a27341cd5fcb ("Prioritize synchronous signals over 'normal' signals")
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[bwh: Backported to 3.16: s/kernel_siginfo_t/siginfo_t/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/signal.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 51 insertions(+), 1 deletion(-)
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -684,6 +684,48 @@ int dequeue_signal(struct task_struct *t
return signr;
}
+static int dequeue_synchronous_signal(siginfo_t *info)
+{
+ struct task_struct *tsk = current;
+ struct sigpending *pending = &tsk->pending;
+ struct sigqueue *q, *sync = NULL;
+
+ /*
+ * Might a synchronous signal be in the queue?
+ */
+ if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK))
+ return 0;
+
+ /*
+ * Return the first synchronous signal in the queue.
+ */
+ list_for_each_entry(q, &pending->list, list) {
+ /* Synchronous signals have a postive si_code */
+ if ((q->info.si_code > SI_USER) &&
+ (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) {
+ sync = q;
+ goto next;
+ }
+ }
+ return 0;
+next:
+ /*
+ * Check if there is another siginfo for the same signal.
+ */
+ list_for_each_entry_continue(q, &pending->list, list) {
+ if (q->info.si_signo == sync->info.si_signo)
+ goto still_pending;
+ }
+
+ sigdelset(&pending->signal, sync->info.si_signo);
+ recalc_sigpending();
+still_pending:
+ list_del_init(&sync->list);
+ copy_siginfo(info, &sync->info);
+ __sigqueue_free(sync);
+ return info->si_signo;
+}
+
/*
* Tell a process that it has a new active signal..
*
@@ -2249,7 +2291,15 @@ relock:
goto relock;
}
- signr = dequeue_signal(current, ¤t->blocked, &ksig->info);
+ /*
+ * Signals generated by the execution of an instruction
+ * need to be delivered before any other pending signals
+ * so that the instruction pointer in the signal stack
+ * frame points to the faulting instruction.
+ */
+ signr = dequeue_synchronous_signal(&ksig->info);
+ if (!signr)
+ signr = dequeue_signal(current, ¤t->blocked, &ksig->info);
if (!signr)
break; /* will return 0 */
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 100/202] net: dsa: slave: Don't propagate flag changes on down slave interfaces
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (39 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 158/202] netfilter: nft_compat: use-after-free when deleting targets Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 081/202] mac80211: ensure that mgmt tx skbs have tailroom for encryption Ben Hutchings
` (161 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, David S. Miller, Rundong Ge
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Rundong Ge <rdong.ge@gmail.com>
commit 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 upstream.
The unbalance of master's promiscuity or allmulti will happen after ifdown
and ifup a slave interface which is in a bridge.
When we ifdown a slave interface , both the 'dsa_slave_close' and
'dsa_slave_change_rx_flags' will clear the master's flags. The flags
of master will be decrease twice.
In the other hand, if we ifup the slave interface again, since the
slave's flags were cleared the 'dsa_slave_open' won't set the master's
flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
will set the master's flags. The flags of master is increase once.
Only propagating flag changes when a slave interface is up makes
sure this does not happen. The 'vlan_dev_change_rx_flags' had the
same problem and was fixed, and changes here follows that fix.
Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
Signed-off-by: Rundong Ge <rdong.ge@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/dsa/slave.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -117,11 +117,14 @@ static void dsa_slave_change_rx_flags(st
{
struct dsa_slave_priv *p = netdev_priv(dev);
struct net_device *master = p->parent->dst->master_netdev;
-
- if (change & IFF_ALLMULTI)
- dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1);
- if (change & IFF_PROMISC)
- dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1);
+ if (dev->flags & IFF_UP) {
+ if (change & IFF_ALLMULTI)
+ dev_set_allmulti(master,
+ dev->flags & IFF_ALLMULTI ? 1 : -1);
+ if (change & IFF_PROMISC)
+ dev_set_promiscuity(master,
+ dev->flags & IFF_PROMISC ? 1 : -1);
+ }
}
static void dsa_slave_set_rx_mode(struct net_device *dev)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 102/202] drm/vmwgfx: Fix setting of dma masks
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (28 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 106/202] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 002/202] batman-adv: Force mac header to start of data on xmit Ben Hutchings
` (172 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Thomas Hellstrom, Deepak Rawat
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Hellstrom <thellstrom@vmware.com>
commit 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b upstream.
Previously we set only the dma mask and not the coherent mask. Fix that.
Also, for clarity, make sure both are initially set to 64 bits.
Fixes: 0d00c488f3de: ("drm/vmwgfx: Fix the driver for large dma addresses")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
@@ -567,13 +567,16 @@ out_fixup:
static int vmw_dma_masks(struct vmw_private *dev_priv)
{
struct drm_device *dev = dev_priv->dev;
+ int ret = 0;
- if (intel_iommu_enabled &&
+ ret = dma_set_mask_and_coherent(dev->dev, DMA_BIT_MASK(64));
+ if (dev_priv->map_mode != vmw_dma_phys &&
(sizeof(unsigned long) == 4 || vmw_restrict_dma_mask)) {
DRM_INFO("Restricting DMA addresses to 44 bits.\n");
- return dma_set_mask(dev->dev, DMA_BIT_MASK(44));
+ return dma_set_mask_and_coherent(dev->dev, DMA_BIT_MASK(44));
}
- return 0;
+
+ return ret;
}
#else
static int vmw_dma_masks(struct vmw_private *dev_priv)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 097/202] s390/qeth: cancel close_dev work before removing a card
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (132 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 095/202] perf test: Fix failure of 'evsel-tp-sched' test on s390 Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 124/202] powerpc: Use sigsp() Ben Hutchings
` (68 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Julian Wiedmann, David S. Miller
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann <jwi@linux.ibm.com>
commit c2780c1a3fb724560b1d44f7976e0de17bf153c7 upstream.
A card's close_dev work is scheduled on a driver-wide workqueue. If the
card is removed and freed while the work is still active, this causes a
use-after-free.
So make sure that the work is completed before freeing the card.
Fixes: 0f54761d167f ("qeth: Support VEPA mode")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/s390/net/qeth_core.h | 1 +
drivers/s390/net/qeth_l2_main.c | 2 ++
drivers/s390/net/qeth_l3_main.c | 1 +
3 files changed, 4 insertions(+)
--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -18,6 +18,7 @@
#include <linux/bitops.h>
#include <linux/seq_file.h>
#include <linux/ethtool.h>
+#include <linux/workqueue.h>
#include <net/ipv6.h>
#include <net/if_inet6.h>
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -924,6 +924,7 @@ static void qeth_l2_remove_device(struct
if (cgdev->state == CCWGROUP_ONLINE)
qeth_l2_set_offline(cgdev);
+ cancel_work_sync(&card->close_dev_work);
if (card->dev) {
unregister_netdev(card->dev);
free_netdev(card->dev);
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -3342,6 +3342,7 @@ static void qeth_l3_remove_device(struct
if (cgdev->state == CCWGROUP_ONLINE)
qeth_l3_set_offline(cgdev);
+ cancel_work_sync(&card->close_dev_work);
if (card->dev) {
unregister_netdev(card->dev);
free_netdev(card->dev);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 082/202] skge: potential memory corruption in skge_get_regs()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (12 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 032/202] cifs: Fix potential OOB access of lock element array Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 020/202] sd: Clear PS bit before Mode Select Ben Hutchings
` (188 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Dan Carpenter, David S. Miller
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 294c149a209c6196c2de85f512b52ef50f519949 upstream.
The "p" buffer is 0x4000 bytes long. B3_RI_WTO_R1 is 0x190. The value
of "regs->len" is in the 1-0x4000 range. The bug here is that
"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
memory corruption and an abrupt crash.
Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/ethernet/marvell/skge.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/marvell/skge.c
+++ b/drivers/net/ethernet/marvell/skge.c
@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_dev
memset(p, 0, regs->len);
memcpy_fromio(p, io, B3_RAM_ADDR);
- memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
- regs->len - B3_RI_WTO_R1);
+ if (regs->len > B3_RI_WTO_R1) {
+ memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
+ regs->len - B3_RI_WTO_R1);
+ }
}
/* Wake on Lan only supported on Yukon chips with rev 1 or above */
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 096/202] s390/qeth: fix use-after-free in error path
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (138 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 160/202] i2c: cadence: Fix the hold bit setting Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 073/202] scsi: bnx2fc: Fix error handling in probe() Ben Hutchings
` (62 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David S. Miller, Julian Wiedmann, Alexandra Winter
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann <jwi@linux.ibm.com>
commit afa0c5904ba16d59b0454f7ee4c807dae350f432 upstream.
The error path in qeth_alloc_qdio_buffers() that takes care of
cleaning up the Output Queues is buggy. It first frees the queue, but
then calls qeth_clear_outq_buffers() with that very queue struct.
Make the call to qeth_clear_outq_buffers() part of the free action
(in the correct order), and while at it fix the naming of the helper.
Fixes: 0da9581ddb0f ("qeth: exploit asynchronous delivery of storage blocks")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- Add the qeth_free_output_queue() function, which didn't exist here
- Keep using kfree() to free to free the qeth_qdio_out_q structure]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/s390/net/qeth_core_main.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -1288,6 +1288,15 @@ static void qeth_free_buffer_pool(struct
}
}
+static void qeth_free_output_queue(struct qeth_qdio_out_q *q)
+{
+ if (!q)
+ return;
+
+ qeth_clear_outq_buffers(q, 1);
+ kfree(q);
+}
+
static void qeth_free_qdio_buffers(struct qeth_card *card)
{
int i, j;
@@ -1308,10 +1317,8 @@ static void qeth_free_qdio_buffers(struc
qeth_free_buffer_pool(card);
/* free outbound qdio_qs */
if (card->qdio.out_qs) {
- for (i = 0; i < card->qdio.no_out_queues; ++i) {
- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
- kfree(card->qdio.out_qs[i]);
- }
+ for (i = 0; i < card->qdio.no_out_queues; i++)
+ qeth_free_output_queue(card->qdio.out_qs[i]);
kfree(card->qdio.out_qs);
card->qdio.out_qs = NULL;
}
@@ -2483,10 +2490,8 @@ out_freeoutqbufs:
card->qdio.out_qs[i]->bufs[j] = NULL;
}
out_freeoutq:
- while (i > 0) {
- kfree(card->qdio.out_qs[--i]);
- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
- }
+ while (i > 0)
+ qeth_free_output_queue(card->qdio.out_qs[--i]);
kfree(card->qdio.out_qs);
card->qdio.out_qs = NULL;
out_freepool:
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 006/202] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (129 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 153/202] perf/core: Fix impossible ring-buffer sizes warning Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 130/202] um: Use get_signal() signal_setup_done() Ben Hutchings
` (71 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream.
The parser for the processing unit reads bNrInPins field before the
bLength sanity check, which may lead to an out-of-bound access when a
malformed descriptor is given. Fix it by assignment after the bLength
check.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/usb/mixer.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1787,7 +1787,7 @@ static int build_audio_procunit(struct m
char *name)
{
struct uac_processing_unit_descriptor *desc = raw_desc;
- int num_ins = desc->bNrInPins;
+ int num_ins;
struct usb_mixer_elem_info *cval;
struct snd_kcontrol *kctl;
int i, err, nameid, type, len;
@@ -1802,7 +1802,13 @@ static int build_audio_procunit(struct m
0, NULL, default_value_info
};
- if (desc->bLength < 13 || desc->bLength < 13 + num_ins ||
+ if (desc->bLength < 13) {
+ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
+ return -EINVAL;
+ }
+
+ num_ins = desc->bNrInPins;
+ if (desc->bLength < 13 + num_ins ||
desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) {
usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
return -EINVAL;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 027/202] ARM: dts: kirkwood: Fix polarity of GPIO fan lines
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (181 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 075/202] CIFS: Do not count -ENODATA as failure for query directory Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 060/202] can: bcm: check timer values before ktime conversion Ben Hutchings
` (19 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Sebastian Hesselbarth,
Julien D'Ascenzio, Andrew Lunn, Guenter Roeck, Linus Walleij,
Jamie Lentin, Gregory Clement, Jason Cooper
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linus.walleij@linaro.org>
commit b5f034845e70916fd33e172fad5ad530a29c10ab upstream.
These two lines are active high, not active low. The bug was
found when we changed the kernel to respect the polarity defined
in the device tree.
Fixes: 1b90e06b1429 ("ARM: kirkwood: Use devicetree to define DNS-32[05] fan")
Cc: Jamie Lentin <jm@lentin.co.uk>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Gregory Clement <gregory.clement@bootlin.com>
Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Cc: Julien D'Ascenzio <jdascenzio@posteo.net>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Tested-by: Jamie Lentin <jm@lentin.co.uk>
Reported-by: Julien D'Ascenzio <jdascenzio@posteo.net>
Tested-by: Julien D'Ascenzio <jdascenzio@posteo.net>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/boot/dts/kirkwood-dnskw.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm/boot/dts/kirkwood-dnskw.dtsi
+++ b/arch/arm/boot/dts/kirkwood-dnskw.dtsi
@@ -35,8 +35,8 @@
compatible = "gpio-fan";
pinctrl-0 = <&pmx_fan_high_speed &pmx_fan_low_speed>;
pinctrl-names = "default";
- gpios = <&gpio1 14 GPIO_ACTIVE_LOW
- &gpio1 13 GPIO_ACTIVE_LOW>;
+ gpios = <&gpio1 14 GPIO_ACTIVE_HIGH
+ &gpio1 13 GPIO_ACTIVE_HIGH>;
gpio-fan,speed-map = <0 0
3000 1
6000 2>;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 026/202] rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (171 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 071/202] usb: phy: am335x: fix race condition in _probe Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 146/202] vxlan: test dev->flags & IFF_UP before calling netif_rx() Ben Hutchings
` (29 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Dongsheng Yang, Ilya Dryomov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 85f5a4d666fd9be73856ed16bb36c5af5b406b29 upstream.
There is a window between when RBD_DEV_FLAG_REMOVING is set and when
the device is removed from rbd_dev_list. During this window, we set
"already" and return 0.
Returning 0 from write(2) can confuse userspace tools because
0 indicates that nothing was written. In particular, "rbd unmap"
will retry the write multiple times a second:
10:28:05.463299 write(4, "0", 1) = 0
10:28:05.463509 write(4, "0", 1) = 0
10:28:05.463720 write(4, "0", 1) = 0
10:28:05.463942 write(4, "0", 1) = 0
10:28:05.464155 write(4, "0", 1) = 0
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Tested-by: Dongsheng Yang <dongsheng.yang@easystack.cn>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/block/rbd.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -5422,7 +5422,6 @@ static ssize_t do_rbd_remove(struct bus_
struct list_head *tmp;
int dev_id;
unsigned long ul;
- bool already = false;
int ret;
ret = kstrtoul(buf, 10, &ul);
@@ -5447,13 +5446,13 @@ static ssize_t do_rbd_remove(struct bus_
spin_lock_irq(&rbd_dev->lock);
if (rbd_dev->open_count)
ret = -EBUSY;
- else
- already = test_and_set_bit(RBD_DEV_FLAG_REMOVING,
- &rbd_dev->flags);
+ else if (test_and_set_bit(RBD_DEV_FLAG_REMOVING,
+ &rbd_dev->flags))
+ ret = -EINPROGRESS;
spin_unlock_irq(&rbd_dev->lock);
}
spin_unlock(&rbd_dev_list_lock);
- if (ret < 0 || already)
+ if (ret)
return ret;
rbd_dev_header_unwatch_sync(rbd_dev);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 139/202] sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (112 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 186/202] media: em28xx: Fix use-after-free when disconnecting Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 162/202] KEYS: allow reaching the keys quotas exactly Ben Hutchings
` (88 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David S. Miller, Jianlin Shi,
Stefano Brivio, Oussama Ghorbel, Hangbin Liu
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
commit 173656accaf583698bac3f9e269884ba60d51ef4 upstream.
If we disabled IPv6 from the kernel command line (ipv6.disable=1), we should
not call ip6_err_gen_icmpv6_unreach(). This:
ip link add sit1 type sit local 192.0.2.1 remote 192.0.2.2 ttl 1
ip link set sit1 up
ip addr add 198.51.100.1/24 dev sit1
ping 198.51.100.2
if IPv6 is disabled at boot time, will crash the kernel.
v2: there's no need to use in6_dev_get(), use __in6_dev_get() instead,
as we only need to check that idev exists and we are under
rcu_read_lock() (from netif_receive_skb_internal()).
Reported-by: Jianlin Shi <jishi@redhat.com>
Fixes: ca15a078bd90 ("sit: generate icmpv6 error when receiving icmpv4 error")
Cc: Oussama Ghorbel <ghorbel@pivasoftware.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv6/sit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -576,7 +576,8 @@ static int ipip6_err(struct sk_buff *skb
goto out;
err = 0;
- if (!ipip6_err_gen_icmpv6_unreach(skb))
+ if (__in6_dev_get(skb->dev) &&
+ !ipip6_err_gen_icmpv6_unreach(skb))
goto out;
if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED)
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 004/202] mfd: ab8500-core: Return zero in get_register_interruptible()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (141 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 177/202] tmpfs: fix uninitialized return value in shmem_link Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 029/202] Disable MSI also when pcie-octeon.pcie_disable on Ben Hutchings
` (59 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Lee Jones, Dan Carpenter, Linus Walleij
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 10628e3ecf544fa2e4e24f8e112d95c37884dc98 upstream.
This function is supposed to return zero on success or negative error
codes on error. Unfortunately, there is a bug so it sometimes returns
non-zero, positive numbers on success.
I noticed this bug during review and I can't test it. It does appear
that the return is sometimes propogated back to _regmap_read() where all
non-zero returns are treated as failure so this may affect run time.
Fixes: 47c1697508f2 ("mfd: Align ab8500 with the abx500 interface")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mfd/ab8500-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mfd/ab8500-core.c
+++ b/drivers/mfd/ab8500-core.c
@@ -259,7 +259,7 @@ static int get_register_interruptible(st
mutex_unlock(&ab8500->lock);
dev_vdbg(ab8500->dev, "rd: addr %#x => data %#x\n", addr, ret);
- return ret;
+ return (ret < 0) ? ret : 0;
}
static int ab8500_get_register(struct device *dev, u8 bank,
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 029/202] Disable MSI also when pcie-octeon.pcie_disable on
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (142 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 004/202] mfd: ab8500-core: Return zero in get_register_interruptible() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 068/202] IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start Ben Hutchings
` (58 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Paul Burton, linux-mips, YunQiang Su,
aaro.koskinen, pburton
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: YunQiang Su <ysu@wavecomp.com>
commit a214720cbf50cd8c3f76bbb9c3f5c283910e9d33 upstream.
Octeon has an boot-time option to disable pcie.
Since MSI depends on PCI-E, we should also disable MSI also with
this option is on in order to avoid inadvertently accessing PCIe
registers.
Signed-off-by: YunQiang Su <ysu@wavecomp.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: pburton@wavecomp.com
Cc: linux-mips@vger.kernel.org
Cc: aaro.koskinen@iki.fi
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/pci/msi-octeon.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/mips/pci/msi-octeon.c
+++ b/arch/mips/pci/msi-octeon.c
@@ -371,7 +371,9 @@ int __init octeon_msi_initialize(void)
int irq;
struct irq_chip *msi;
- if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
+ if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_INVALID) {
+ return 0;
+ } else if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
msi_rcv_reg[0] = CVMX_PEXP_NPEI_MSI_RCV0;
msi_rcv_reg[1] = CVMX_PEXP_NPEI_MSI_RCV1;
msi_rcv_reg[2] = CVMX_PEXP_NPEI_MSI_RCV2;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 033/202] omap2fb: Fix stack memory disclosure
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (114 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 162/202] KEYS: allow reaching the keys quotas exactly Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 184/202] ipc/shm: Fix pid freeing Ben Hutchings
` (86 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Kees Cook, security,
Bartlomiej Zolnierkiewicz, Vlad Tsyrklevich
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.
Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
cases could all leak uninitialized stack memory--either due to
uninitialized padding or 'reserved' fields.
Fix them by clearing the shared union used to store copied out data.
[1] https://github.com/vlad902/kernel-uninitialized-memory-checker
Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Reviewed-by: Kees Cook <keescook@chromium.org>
Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
Cc: security@kernel.org
[b.zolnierkie: prefix patch subject with "omap2fb: "]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
@@ -606,6 +606,8 @@ int omapfb_ioctl(struct fb_info *fbi, un
int r = 0;
+ memset(&p, 0, sizeof(p));
+
switch (cmd) {
case OMAPFB_SYNC_GFX:
DBG("ioctl SYNC_GFX\n");
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 007/202] ALSA: usb-audio: Always check descriptor sizes in parser code
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (10 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 053/202] uart: Fix crash in uart_write and uart_put_char Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 032/202] cifs: Fix potential OOB access of lock element array Ben Hutchings
` (190 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Hui Peng, Takashi Iwai, Mathias Payer
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 3e96d7280f16e2f787307f695a31296b9e4a1cd7 upstream.
There are a few places where we access the data without checking the
actual object size from the USB audio descriptor. This may result in
OOB access, as recently reported.
This patch addresses these missing checks. Most of added codes are
simple bLength checks in the caller side. For the input and output
terminal parsers, we put the length check in the parser functions.
For the input terminal, a new argument is added to distinguish between
UAC1 and the rest, as they treat different objects.
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reported-by: Hui Peng <benquike@163.com>
Tested-by: Hui Peng <benquike@163.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16:
- Drop changes in parse_audio_input_terminal() and UAC3 handling
- Adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -258,6 +258,11 @@ static int snd_usb_create_streams(struct
return -EINVAL;
}
+ if (h1->bLength < sizeof(*h1)) {
+ dev_err(&dev->dev, "cannot find UAC_HEADER\n");
+ return -EINVAL;
+ }
+
if (!h1->bInCollection) {
dev_info(&dev->dev, "skipping empty audio interface (v1)\n");
return -EINVAL;
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -412,12 +412,8 @@ static int parse_uac_endpoint_attributes
csep = snd_usb_find_desc(alts->extra, alts->extralen, NULL, USB_DT_CS_ENDPOINT);
if (!csep || csep->bLength < 7 ||
- csep->bDescriptorSubtype != UAC_EP_GENERAL) {
- usb_audio_warn(chip,
- "%u:%d : no or invalid class specific endpoint descriptor\n",
- iface_no, altsd->bAlternateSetting);
- return 0;
- }
+ csep->bDescriptorSubtype != UAC_EP_GENERAL)
+ goto error;
if (protocol == UAC_VERSION_1) {
attributes = csep->bmAttributes;
@@ -425,6 +421,8 @@ static int parse_uac_endpoint_attributes
struct uac2_iso_endpoint_descriptor *csep2 =
(struct uac2_iso_endpoint_descriptor *) csep;
+ if (csep2->bLength < sizeof(*csep2))
+ goto error;
attributes = csep->bmAttributes & UAC_EP_CS_ATTR_FILL_MAX;
/* emulate the endpoint attributes of a v1 device */
@@ -433,6 +431,12 @@ static int parse_uac_endpoint_attributes
}
return attributes;
+
+ error:
+ usb_audio_warn(chip,
+ "%u:%d : no or invalid class specific endpoint descriptor\n",
+ iface_no, altsd->bAlternateSetting);
+ return 0;
}
/* find an input terminal descriptor (either UAC1 or UAC2) with the given
@@ -440,13 +444,17 @@ static int parse_uac_endpoint_attributes
*/
static void *
snd_usb_find_input_terminal_descriptor(struct usb_host_interface *ctrl_iface,
- int terminal_id)
+ int terminal_id, bool uac2)
{
struct uac2_input_terminal_descriptor *term = NULL;
+ size_t minlen = uac2 ? sizeof(struct uac2_input_terminal_descriptor) :
+ sizeof(struct uac_input_terminal_descriptor);
while ((term = snd_usb_find_csint_desc(ctrl_iface->extra,
ctrl_iface->extralen,
term, UAC_INPUT_TERMINAL))) {
+ if (term->bLength < minlen)
+ continue;
if (term->bTerminalID == terminal_id)
return term;
}
@@ -463,7 +471,8 @@ static struct uac2_output_terminal_descr
while ((term = snd_usb_find_csint_desc(ctrl_iface->extra,
ctrl_iface->extralen,
term, UAC_OUTPUT_TERMINAL))) {
- if (term->bTerminalID == terminal_id)
+ if (term->bLength >= sizeof(*term) &&
+ term->bTerminalID == terminal_id)
return term;
}
@@ -561,7 +570,8 @@ int snd_usb_parse_audio_interface(struct
format = le16_to_cpu(as->wFormatTag); /* remember the format value */
iterm = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
- as->bTerminalLink);
+ as->bTerminalLink,
+ false);
if (iterm) {
num_channels = iterm->bNrChannels;
chconfig = le16_to_cpu(iterm->wChannelConfig);
@@ -597,7 +607,8 @@ int snd_usb_parse_audio_interface(struct
/* lookup the terminal associated to this interface
* to extract the clock */
input_term = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
- as->bTerminalLink);
+ as->bTerminalLink,
+ true);
if (input_term) {
clock = input_term->bCSourceID;
if (!chconfig && (num_channels == input_term->bNrChannels))
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 022/202] scsi: isci: initialize shost fully before calling scsi_add_host()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (165 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 011/202] USB: storage: don't insert sane sense for SPC3+ when bad sense specified Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 077/202] ARM: iop32x/n2100: fix PCI IRQ mapping Ben Hutchings
` (35 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Jeff Moyer, Artur Paszkiewicz,
James E.J. Bottomley, Christoph Hellwig, Martin K. Petersen,
Intel SCU Linux support, Logan Gunthorpe, Jens Axboe
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Logan Gunthorpe <logang@deltatee.com>
commit cc29a1b0a3f2597ce887d339222fa85b9307706d upstream.
scsi_mq_setup_tags(), which is called by scsi_add_host(), calculates the
command size to allocate based on the prot_capabilities. In the isci
driver, scsi_host_set_prot() is called after scsi_add_host() so the command
size gets calculated to be smaller than it needs to be. Eventually,
scsi_mq_init_request() locates the 'prot_sdb' after the command assuming it
was sized correctly and a buffer overrun may occur.
However, seeing blk_mq_alloc_rqs() rounds up to the nearest cache line
size, the mistake can go unnoticed.
The bug was noticed after the struct request size was reduced by commit
9d037ad707ed ("block: remove req->timeout_list")
Which likely reduced the allocated space for the request by an entire cache
line, enough that the overflow could be hit and it caused a panic, on boot,
at:
RIP: 0010:t10_pi_complete+0x77/0x1c0
Call Trace:
<IRQ>
sd_done+0xf5/0x340
scsi_finish_command+0xc3/0x120
blk_done_softirq+0x83/0xb0
__do_softirq+0xa1/0x2e6
irq_exit+0xbc/0xd0
call_function_single_interrupt+0xf/0x20
</IRQ>
sd_done() would call scsi_prot_sg_count() which reads the number of
entities in 'prot_sdb', but seeing 'prot_sdb' is located after the end of
the allocated space it reads a garbage number and erroneously calls
t10_pi_complete().
To prevent this, the calls to scsi_host_set_prot() are moved into
isci_host_alloc() before the call to scsi_add_host(). Out of caution, also
move the similar call to scsi_host_set_guard().
Fixes: 3d2d75254915 ("[SCSI] isci: T10 DIF support")
Link: http://lkml.kernel.org/r/da851333-eadd-163a-8c78-e1f4ec5ec857@deltatee.com
Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Cc: Intel SCU Linux support <intel-linux-scu@intel.com>
Cc: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Jeff Moyer <jmoyer@redhat.com>
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/isci/init.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/scsi/isci/init.c
+++ b/drivers/scsi/isci/init.c
@@ -598,6 +598,13 @@ static struct isci_host *isci_host_alloc
shost->max_lun = ~0;
shost->max_cmd_len = MAX_COMMAND_SIZE;
+ /* turn on DIF support */
+ scsi_host_set_prot(shost,
+ SHOST_DIF_TYPE1_PROTECTION |
+ SHOST_DIF_TYPE2_PROTECTION |
+ SHOST_DIF_TYPE3_PROTECTION);
+ scsi_host_set_guard(shost, SHOST_DIX_GUARD_CRC);
+
err = scsi_add_host(shost, &pdev->dev);
if (err)
goto err_shost;
@@ -685,13 +692,6 @@ static int isci_pci_probe(struct pci_dev
goto err_host_alloc;
}
pci_info->hosts[i] = h;
-
- /* turn on DIF support */
- scsi_host_set_prot(to_shost(h),
- SHOST_DIF_TYPE1_PROTECTION |
- SHOST_DIF_TYPE2_PROTECTION |
- SHOST_DIF_TYPE3_PROTECTION);
- scsi_host_set_guard(to_shost(h), SHOST_DIX_GUARD_CRC);
}
err = isci_setup_interrupts(pdev);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 008/202] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (199 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 142/202] Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 048/202] USB: serial: pl2303: add new PID to support PL2303TB Ben Hutchings
2019-04-27 18:41 ` [PATCH 3.16 000/202] 3.16.66-rc1 review Guenter Roeck
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Hui Peng, Takashi Iwai
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hui Peng <benquike@163.com>
commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream.
In `create_composite_quirk`, the terminating condition of for loops is
`quirk->ifnum < 0`. So any composite quirks should end with `struct
snd_usb_audio_quirk` object with ifnum < 0.
for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) {
.....
}
the data field of Bower's & Wilkins PX headphones usb device device quirks
do not end with {.ifnum = -1}, wihch may result in out-of-bound read.
This Patch fix the bug by adding an ending quirk object.
Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones")
Signed-off-by: Hui Peng <benquike@163.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/usb/quirks-table.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -3304,6 +3304,12 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
}
}
},
+ {
+ .ifnum = -1
+ },
+ {
+ .ifnum = -1
+ },
}
}
},
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 028/202] crypto: authenc - fix parsing key with misaligned rta_len
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (119 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 083/202] mm, oom: fix use-after-free in oom_kill_process Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 038/202] staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 Ben Hutchings
` (81 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu, Eric Biggers
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 8f9c469348487844328e162db57112f7d347c49f upstream.
Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
'enckeylen', followed by an authentication key and an encryption key.
crypto_authenc_extractkeys() parses the key to find the inner keys.
However, it fails to consider the case where the rtattr's payload is
longer than 4 bytes but not 4-byte aligned, and where the key ends
before the next 4-byte aligned boundary. In this case, 'keylen -=
RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This
causes a buffer overread and crash during crypto_ahash_setkey().
Fix it by restricting the rtattr payload to the expected size.
Reproducer using AF_ALG:
#include <linux/if_alg.h>
#include <linux/rtnetlink.h>
#include <sys/socket.h>
int main()
{
int fd;
struct sockaddr_alg addr = {
.salg_type = "aead",
.salg_name = "authenc(hmac(sha256),cbc(aes))",
};
struct {
struct rtattr attr;
__be32 enckeylen;
char keys[1];
} __attribute__((packed)) key = {
.attr.rta_len = sizeof(key),
.attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
};
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
}
It caused:
BUG: unable to handle kernel paging request at ffff88007ffdc000
PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
Oops: 0000 [#1] SMP
CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
[...]
Call Trace:
sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
crypto_shash_digest+0x24/0x40 crypto/shash.c:202
hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
shash_async_setkey+0x10/0x20 crypto/shash.c:223
crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
aead_setkey+0xc/0x10 crypto/algif_aead.c:526
alg_setkey crypto/af_alg.c:223 [inline]
alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
__sys_setsockopt+0x6d/0xd0 net/socket.c:1902
__do_sys_setsockopt net/socket.c:1913 [inline]
__se_sys_setsockopt net/socket.c:1910 [inline]
__x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: e236d4a89a2f ("[CRYPTO] authenc: Move enckeylen into key itself")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
crypto/authenc.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -62,14 +62,22 @@ int crypto_authenc_extractkeys(struct cr
return -EINVAL;
if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
return -EINVAL;
- if (RTA_PAYLOAD(rta) < sizeof(*param))
+
+ /*
+ * RTA_OK() didn't align the rtattr's payload when validating that it
+ * fits in the buffer. Yet, the keys should start on the next 4-byte
+ * aligned boundary. To avoid confusion, require that the rtattr
+ * payload be exactly the param struct, which has a 4-byte aligned size.
+ */
+ if (RTA_PAYLOAD(rta) != sizeof(*param))
return -EINVAL;
+ BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
param = RTA_DATA(rta);
keys->enckeylen = be32_to_cpu(param->enckeylen);
- key += RTA_ALIGN(rta->rta_len);
- keylen -= RTA_ALIGN(rta->rta_len);
+ key += rta->rta_len;
+ keylen -= rta->rta_len;
if (keylen < keys->enckeylen)
return -EINVAL;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 014/202] ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (58 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 041/202] net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 057/202] char/mwave: fix potential Spectre v1 vulnerability Ben Hutchings
` (142 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Mark Brown, b-ak
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: b-ak <anur.bhargav@gmail.com>
commit 667e9334fa64da2273e36ce131b05ac9e47c5769 upstream.
During the bootup of the kernel, the DAPM bias level is in the OFF
state. As soon as the DAPM framework kicks in it pushes the codec
into STANDBY state.
The probe function doesn't prepare the clock, and STANDBY state
does a clk_disable_unprepare() without checking the previous state.
This leads to an OOPS.
Not transitioning from an OFF state to the STANDBY state fixes the
problem.
Signed-off-by: b-ak <anur.bhargav@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[bwh: Backported to 3.16:
- Open-code snd_soc_component_get_bias_level()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/soc/codecs/tlv320aic32x4.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/sound/soc/codecs/tlv320aic32x4.c
+++ b/sound/soc/codecs/tlv320aic32x4.c
@@ -534,6 +534,10 @@ static int aic32x4_set_bias_level(struct
case SND_SOC_BIAS_PREPARE:
break;
case SND_SOC_BIAS_STANDBY:
+ /* Initial cold start */
+ if (codec->dapm.bias_level == SND_SOC_BIAS_OFF)
+ break;
+
/* Switch off BCLK_N Divider */
snd_soc_update_bits(codec, AIC32X4_BCLKN,
AIC32X4_BCLKEN, 0);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 023/202] Drivers: hv: vmbus: Check for ring when getting debug info
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (52 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 180/202] mm/mmap.c: expand_downwards: don't require the gap if !vm_prev Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 079/202] fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() Ben Hutchings
` (148 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Dexuan Cui, K. Y. Srinivasan,
Stephen Hemminger, Sasha Levin, Haiyang Zhang
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dexuan Cui <decui@microsoft.com>
commit ba50bf1ce9a51fc97db58b96d01306aa70bc3979 upstream.
fc96df16a1ce is good and can already fix the "return stack garbage" issue,
but let's also improve hv_ringbuffer_get_debuginfo(), which would silently
return stack garbage, if people forget to check channel->state or
ring_info->ring_buffer, when using the function in the future.
Having an error check in the function would eliminate the potential risk.
Add a Fixes tag to indicate the patch depdendency.
Fixes: fc96df16a1ce ("Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels")
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/hv/ring_buffer.c | 31 +++++++-------
drivers/hv/vmbus_drv.c | 91 +++++++++++++++++++++++++++-------------
include/linux/hyperv.h | 5 ++-
3 files changed, 79 insertions(+), 48 deletions(-)
--- a/drivers/hv/ring_buffer.c
+++ b/drivers/hv/ring_buffer.c
@@ -329,26 +329,25 @@ static u32 hv_copyto_ringbuffer(
* Get various debug metrics for the specified ring buffer
*
*/
-void hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info,
- struct hv_ring_buffer_debug_info *debug_info)
+int hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info,
+ struct hv_ring_buffer_debug_info *debug_info)
{
u32 bytes_avail_towrite;
u32 bytes_avail_toread;
- if (ring_info->ring_buffer) {
- hv_get_ringbuffer_availbytes(ring_info,
- &bytes_avail_toread,
- &bytes_avail_towrite);
+ if (!ring_info->ring_buffer)
+ return -EINVAL;
- debug_info->bytes_avail_toread = bytes_avail_toread;
- debug_info->bytes_avail_towrite = bytes_avail_towrite;
- debug_info->current_read_index =
- ring_info->ring_buffer->read_index;
- debug_info->current_write_index =
- ring_info->ring_buffer->write_index;
- debug_info->current_interrupt_mask =
- ring_info->ring_buffer->interrupt_mask;
- }
+ hv_get_ringbuffer_availbytes(ring_info,
+ &bytes_avail_toread,
+ &bytes_avail_towrite);
+ debug_info->bytes_avail_toread = bytes_avail_toread;
+ debug_info->bytes_avail_towrite = bytes_avail_towrite;
+ debug_info->current_read_index = ring_info->ring_buffer->read_index;
+ debug_info->current_write_index = ring_info->ring_buffer->write_index;
+ debug_info->current_interrupt_mask
+ = ring_info->ring_buffer->interrupt_mask;
+ return 0;
}
/*
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -257,12 +257,16 @@ static ssize_t out_intr_mask_show(struct
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info outbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
+ &outbound);
+ if (ret < 0)
+ return ret;
+
return sprintf(buf, "%d\n", outbound.current_interrupt_mask);
}
static DEVICE_ATTR_RO(out_intr_mask);
@@ -272,12 +276,15 @@ static ssize_t out_read_index_show(struc
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info outbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
+ &outbound);
+ if (ret < 0)
+ return ret;
return sprintf(buf, "%d\n", outbound.current_read_index);
}
static DEVICE_ATTR_RO(out_read_index);
@@ -288,12 +295,15 @@ static ssize_t out_write_index_show(stru
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info outbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
+ &outbound);
+ if (ret < 0)
+ return ret;
return sprintf(buf, "%d\n", outbound.current_write_index);
}
static DEVICE_ATTR_RO(out_write_index);
@@ -304,12 +314,15 @@ static ssize_t out_read_bytes_avail_show
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info outbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
+ &outbound);
+ if (ret < 0)
+ return ret;
return sprintf(buf, "%d\n", outbound.bytes_avail_toread);
}
static DEVICE_ATTR_RO(out_read_bytes_avail);
@@ -320,12 +333,15 @@ static ssize_t out_write_bytes_avail_sho
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info outbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
+ &outbound);
+ if (ret < 0)
+ return ret;
return sprintf(buf, "%d\n", outbound.bytes_avail_towrite);
}
static DEVICE_ATTR_RO(out_write_bytes_avail);
@@ -335,12 +351,15 @@ static ssize_t in_intr_mask_show(struct
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info inbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ if (ret < 0)
+ return ret;
+
return sprintf(buf, "%d\n", inbound.current_interrupt_mask);
}
static DEVICE_ATTR_RO(in_intr_mask);
@@ -350,12 +369,15 @@ static ssize_t in_read_index_show(struct
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info inbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ if (ret < 0)
+ return ret;
+
return sprintf(buf, "%d\n", inbound.current_read_index);
}
static DEVICE_ATTR_RO(in_read_index);
@@ -365,12 +387,15 @@ static ssize_t in_write_index_show(struc
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info inbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ if (ret < 0)
+ return ret;
+
return sprintf(buf, "%d\n", inbound.current_write_index);
}
static DEVICE_ATTR_RO(in_write_index);
@@ -381,12 +406,15 @@ static ssize_t in_read_bytes_avail_show(
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info inbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ if (ret < 0)
+ return ret;
+
return sprintf(buf, "%d\n", inbound.bytes_avail_toread);
}
static DEVICE_ATTR_RO(in_read_bytes_avail);
@@ -397,12 +425,15 @@ static ssize_t in_write_bytes_avail_show
{
struct hv_device *hv_dev = device_to_hv_device(dev);
struct hv_ring_buffer_debug_info inbound;
+ int ret;
if (!hv_dev->channel)
return -ENODEV;
- if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
- return -EINVAL;
- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+
+ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ if (ret < 0)
+ return ret;
+
return sprintf(buf, "%d\n", inbound.bytes_avail_towrite);
}
static DEVICE_ATTR_RO(in_write_bytes_avail);
--- a/drivers/hv/hyperv_vmbus.h
+++ b/drivers/hv/hyperv_vmbus.h
@@ -580,8 +580,9 @@ int hv_ringbuffer_read(struct hv_ring_bu
u32 offset, bool *signal);
-void hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info,
- struct hv_ring_buffer_debug_info *debug_info);
+
+int hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info,
+ struct hv_ring_buffer_debug_info *debug_info);
void hv_begin_read(struct hv_ring_buffer_info *rbi);
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 020/202] sd: Clear PS bit before Mode Select.
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (13 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 082/202] skge: potential memory corruption in skge_get_regs() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 169/202] KEYS: user: Align the payload buffer Ben Hutchings
` (187 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Martin K. Petersen, Gabriel Krisman Bertazi
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
commit 2c5d16d6a9e7218e57b716e4fd9d77c776d21471 upstream.
According to SPC-4, in a Mode Select, the PS bit in Mode Pages is
reserved and must be set to 0 by the driver. In the sd implementation,
function cache_type_store does a Mode Sense, which might set the PS bit
on the read buffer, followed by a Mode Select, which receives the same
buffer, without explicitly clearing the PS bit. So, in cases where
target supports saving the Mode Page to a non-volatile location, we end
up doing a Mode Select with the PS bit set, which could cause an illegal
request error if the target is checking this.
This was observed on a new firmware change, which was subsequently
reverted, but this changes sd.c to be more compliant with SPC-4.
This patch clears the PS bit in the buffer returned by Mode Select,
right before it is used in the Mode Select command.
Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/sd.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -192,6 +192,7 @@ cache_type_store(struct device *dev, str
buffer_data[2] &= ~0x05;
buffer_data[2] |= wce << 2 | rcd;
sp = buffer_data[0] & 0x80 ? 1 : 0;
+ buffer_data[0] &= ~0x80;
if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT,
SD_MAX_RETRIES, &data, &sshdr)) {
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 021/202] scsi: sd: Fix cache_type_store()
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (4 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 084/202] mm: hwpoison: use do_send_sig_info() instead of force_sig() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 087/202] dmaengine: bcm2835: add additional defines for DMA-registers Ben Hutchings
` (196 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Martin K. Petersen, Ivan Mironov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Mironov <mironov.ivan@gmail.com>
commit 44759979a49bfd2d20d789add7fa81a21eb1a4ab upstream.
Changing of caching mode via /sys/devices/.../scsi_disk/.../cache_type may
fail if device responds to MODE SENSE command with DPOFUA flag set, and
then checks this flag to be not set on MODE SELECT command.
In this scenario, when trying to change cache_type, write always fails:
# echo "none" >cache_type
bash: echo: write error: Invalid argument
And following appears in dmesg:
[13007.865745] sd 1:0:1:0: [sda] Sense Key : Illegal Request [current]
[13007.865753] sd 1:0:1:0: [sda] Add. Sense: Invalid field in parameter list
=46romSBC-4 r15, 6.5.1 "Mode pages overview", description of DEVICE-SPECIFIC
PARAMETER field in the mode parameter header:
...
The write protect (WP) bit for mode data sent with a MODE SELECT
command shall be ignored by the device server.
...
The DPOFUA bit is reserved for mode data sent with a MODE SELECT
command.
...
The remaining bits in the DEVICE-SPECIFIC PARAMETER byte are also reserved
and shall be set to zero.
[mkp: shuffled commentary to commit description]
Signed-off-by: Ivan Mironov <mironov.ivan@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/sd.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -194,6 +194,12 @@ cache_type_store(struct device *dev, str
sp = buffer_data[0] & 0x80 ? 1 : 0;
buffer_data[0] &= ~0x80;
+ /*
+ * Ensure WP, DPOFUA, and RESERVED fields are cleared in
+ * received mode parameter buffer before doing MODE SELECT.
+ */
+ data.device_specific = 0;
+
if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT,
SD_MAX_RETRIES, &data, &sshdr)) {
if (scsi_sense_valid(&sshdr))
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 018/202] packet: validate address length if non-zero
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (88 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 101/202] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 188/202] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt Ben Hutchings
` (112 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Ido Schimmel, David S. Miller, Willem de Bruijn
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
commit 6b8d95f1795c42161dc0984b6863e95d6acf24ed upstream.
Validate packet socket address length if a length is given. Zero
length is equivalent to not setting an address.
Fixes: 99137b7888f4 ("packet: validate address length")
Reported-by: Ido Schimmel <idosch@idosch.org>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/packet/af_packet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2299,7 +2299,7 @@ static int tpacket_snd(struct packet_soc
sll_addr)))
goto out;
proto = saddr->sll_protocol;
- addr = saddr->sll_addr;
+ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
if (addr && dev && saddr->sll_halen < dev->addr_len)
goto out;
@@ -2461,7 +2461,7 @@ static int packet_snd(struct socket *soc
if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
goto out;
proto = saddr->sll_protocol;
- addr = saddr->sll_addr;
+ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
if (addr && dev && saddr->sll_halen < dev->addr_len)
goto out;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 003/202] ACPI: power: Skip duplicate power resource references in _PRx
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (104 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 001/202] batman-adv: Avoid WARN on net_device without parent in netns Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 107/202] arc: Use get_signal() signal_setup_done() Ben Hutchings
` (96 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Hans de Goede, Rafael J. Wysocki
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 7d7b467cb95bf29597b417d4990160d4ea6d69b9 upstream.
Some ACPI tables contain duplicate power resource references like this:
Name (_PR0, Package (0x04) // _PR0: Power Resources for D0
{
P28P,
P18P,
P18P,
CLK4
})
This causes a WARN_ON in sysfs_add_link_to_group() because we end up
adding a link to the same acpi_device twice:
sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/808622C1:00/OVTI2680:00/power_resources_D0/LNXPOWER:0a'
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.12-301.fc29.x86_64 #1
Hardware name: Insyde CherryTrail/Type2 - Board Product Name, BIOS jumperx.T87.KFBNEEA02 04/13/2016
Call Trace:
dump_stack+0x5c/0x80
sysfs_warn_dup.cold.3+0x17/0x2a
sysfs_do_create_link_sd.isra.2+0xa9/0xb0
sysfs_add_link_to_group+0x30/0x50
acpi_power_expose_list+0x74/0xa0
acpi_power_add_remove_device+0x50/0xa0
acpi_add_single_object+0x26b/0x5f0
acpi_bus_check_add+0xc4/0x250
...
To address this issue, make acpi_extract_power_resources() check for
duplicates and simply skip them when found.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
[ rjw: Subject & changelog, comments ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/acpi/power.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/drivers/acpi/power.c
+++ b/drivers/acpi/power.c
@@ -132,6 +132,23 @@ void acpi_power_resources_list_free(stru
}
}
+static bool acpi_power_resource_is_dup(union acpi_object *package,
+ unsigned int start, unsigned int i)
+{
+ acpi_handle rhandle, dup;
+ unsigned int j;
+
+ /* The caller is expected to check the package element types */
+ rhandle = package->package.elements[i].reference.handle;
+ for (j = start; j < i; j++) {
+ dup = package->package.elements[j].reference.handle;
+ if (dup == rhandle)
+ return true;
+ }
+
+ return false;
+}
+
int acpi_extract_power_resources(union acpi_object *package, unsigned int start,
struct list_head *list)
{
@@ -151,6 +168,11 @@ int acpi_extract_power_resources(union a
err = -ENODEV;
break;
}
+
+ /* Some ACPI tables contain duplicate power resource references */
+ if (acpi_power_resource_is_dup(package, start, i))
+ continue;
+
err = acpi_add_power_resource(rhandle);
if (err)
break;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 015/202] ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (186 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 191/202] perf/core: Fix perf_event_open() vs. execve() race Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 119/202] mips: Use get_signal() signal_setup_done() Ben Hutchings
` (14 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Pierre-Louis Bossart, Kangjie Lu, Mark Brown
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kangjie Lu <kjlu@umn.edu>
commit 44fabd8cdaaa3acb80ad2bb3b5c61ae2136af661 upstream.
snd_pcm_lib_malloc_pages() may fail, so let's check its status and
return its error code upstream.
Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/soc/intel/sst-mfld-platform-pcm.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/sound/soc/intel/sst-mfld-platform-pcm.c
+++ b/sound/soc/intel/sst-mfld-platform-pcm.c
@@ -383,7 +383,13 @@ static snd_pcm_uframes_t sst_platform_pc
static int sst_platform_pcm_hw_params(struct snd_pcm_substream *substream,
struct snd_pcm_hw_params *params)
{
- snd_pcm_lib_malloc_pages(substream, params_buffer_bytes(params));
+ int ret;
+
+ ret =
+ snd_pcm_lib_malloc_pages(substream,
+ params_buffer_bytes(params));
+ if (ret)
+ return ret;
memset(substream->runtime->dma_area, 0, params_buffer_bytes(params));
return 0;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 009/202] USB: serial: simple: add Motorola Tetra TPG2200 device id
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (146 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 128/202] sh: Use get_signal() signal_setup_done() Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 168/202] ARC: U-boot: check arguments paranoidly Ben Hutchings
` (54 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Max Schulze, Johan Hovold
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Max Schulze <max.schulze@posteo.de>
commit b81c2c33eab79dfd3650293b2227ee5c6036585c upstream.
Add new Motorola Tetra device id for Motorola Solutions TETRA PEI device
T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=0cad ProdID=9016 Rev=24.16
S: Manufacturer=Motorola Solutions, Inc.
S: Product=TETRA PEI interface
C: #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=usb_serial_simple
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=usb_serial_simple
Signed-off-by: Max Schulze <max.schulze@posteo.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/usb-serial-simple.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -88,7 +88,8 @@ DEVICE(moto_modem, MOTO_IDS);
/* Motorola Tetra driver */
#define MOTOROLA_TETRA_IDS() \
{ USB_DEVICE(0x0cad, 0x9011) }, /* Motorola Solutions TETRA PEI */ \
- { USB_DEVICE(0x0cad, 0x9012) } /* MTP6550 */
+ { USB_DEVICE(0x0cad, 0x9012) }, /* MTP6550 */ \
+ { USB_DEVICE(0x0cad, 0x9016) } /* TPG2200 */
DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
/* Novatel Wireless GPS driver */
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 012/202] USB: storage: add quirk for SMI SM3350
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (34 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 179/202] net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 174/202] mmc: spi: Fix card detection during probe Ben Hutchings
` (166 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Alan Stern, Icenowy Zheng
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Icenowy Zheng <icenowy@aosc.io>
commit 0a99cc4b8ee83885ab9f097a3737d1ab28455ac0 upstream.
The SMI SM3350 USB-UFS bridge controller cannot handle long sense request
correctly and will make the chip refuse to do read/write when requested
long sense.
Add a bad sense quirk for it.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/storage/unusual_devs.h | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1194,6 +1194,18 @@ UNUSUAL_DEV( 0x090c, 0x1132, 0x0000, 0xf
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_FIX_CAPACITY ),
+/*
+ * Reported by Icenowy Zheng <icenowy@aosc.io>
+ * The SMI SM3350 USB-UFS bridge controller will enter a wrong state
+ * that do not process read/write command if a long sense is requested,
+ * so force to use 18-byte sense.
+ */
+UNUSUAL_DEV( 0x090c, 0x3350, 0x0000, 0xffff,
+ "SMI",
+ "SM3350 UFS-to-USB-Mass-Storage bridge",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_BAD_SENSE ),
+
/* Reported by Paul Hartman <paul.hartman+linux@gmail.com>
* This card reader returns "Illegal Request, Logical Block Address
* Out of Range" for the first READ(10) after a new card is inserted.
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 011/202] USB: storage: don't insert sane sense for SPC3+ when bad sense specified
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (164 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 044/202] fuse: call pipe_buf_release() under pipe lock Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 022/202] scsi: isci: initialize shost fully before calling scsi_add_host() Ben Hutchings
` (36 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Alan Stern, Icenowy Zheng
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Icenowy Zheng <icenowy@aosc.io>
commit c5603d2fdb424849360fe7e3f8c1befc97571b8c upstream.
Currently the code will set US_FL_SANE_SENSE flag unconditionally if
device claims SPC3+, however we should allow US_FL_BAD_SENSE flag to
prevent this behavior, because SMI SM3350 UFS-USB bridge controller,
which claims SPC4, will show strange behavior with 96-byte sense
(put the chip into a wrong state that cannot read/write anything).
Check the presence of US_FL_BAD_SENSE when assuming US_FL_SANE_SENSE on
SPC4+ devices.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/storage/scsiglue.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/usb/storage/scsiglue.c
+++ b/drivers/usb/storage/scsiglue.c
@@ -223,8 +223,12 @@ static int slave_configure(struct scsi_d
if (!(us->fflags & US_FL_NEEDS_CAP16))
sdev->try_rc_10_first = 1;
- /* assume SPC3 or latter devices support sense size > 18 */
- if (sdev->scsi_level > SCSI_SPC_2)
+ /*
+ * assume SPC3 or latter devices support sense size > 18
+ * unless US_FL_BAD_SENSE quirk is specified.
+ */
+ if (sdev->scsi_level > SCSI_SPC_2 &&
+ !(us->fflags & US_FL_BAD_SENSE))
us->fflags |= US_FL_SANE_SENSE;
/* USB-IDE bridges tend to report SK = 0x04 (Non-recoverable
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 017/202] packet: validate address length
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (26 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 134/202] tracehook_signal_handler: Remove sig, info, ka and regs Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 106/202] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD Ben Hutchings
` (174 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, David S. Miller, syzbot, Willem de Bruijn
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
commit 99137b7888f4058087895d035d81c6b2d31015c5 upstream.
Packet sockets with SOCK_DGRAM may pass an address for use in
dev_hard_header. Ensure that it is of sufficient length.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/packet/af_packet.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2301,6 +2301,8 @@ static int tpacket_snd(struct packet_soc
proto = saddr->sll_protocol;
addr = saddr->sll_addr;
dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
+ if (addr && dev && saddr->sll_halen < dev->addr_len)
+ goto out;
}
err = -ENXIO;
@@ -2461,6 +2463,8 @@ static int packet_snd(struct socket *soc
proto = saddr->sll_protocol;
addr = saddr->sll_addr;
dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
+ if (addr && dev && saddr->sll_halen < dev->addr_len)
+ goto out;
}
err = -ENXIO;
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 002/202] batman-adv: Force mac header to start of data on xmit
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (29 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 102/202] drm/vmwgfx: Fix setting of dma masks Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 123/202] powerpc: Use get_signal() signal_setup_done() Ben Hutchings
` (171 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, syzbot+9d7405c7faa390e60b4e,
syzbot+7d20bc3f1ddddc0f9079, Sven Eckelmann, Simon Wunderlich
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 9114daa825fc3f335f9bea3313ce667090187280 upstream.
The caller of ndo_start_xmit may not already have called
skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr
therefore can be in the wrong position and even outside the current skbuff.
This for example happens when the user binds to the device using a
PF_PACKET-SOCK_RAW with enabled qdisc-bypass:
int opt = 4;
setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt));
Since eth_hdr is used all over the codebase, the batadv_interface_tx
function must always take care of resetting it.
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com
Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/batman-adv/soft-interface.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -180,6 +180,8 @@ static int batadv_interface_tx(struct sk
soft_iface->trans_start = jiffies;
vid = batadv_get_vid(skb, 0);
+
+ skb_reset_mac_header(skb);
ethhdr = eth_hdr(skb);
switch (ntohs(ethhdr->h_proto)) {
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 013/202] USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (82 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 151/202] net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 141/202] Input: elantech - force needed quirks on Fujitsu H760 Ben Hutchings
` (118 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Jack Stocker
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jack Stocker <jackstocker.93@gmail.com>
commit 3483254b89438e60f719937376c5e0ce2bc46761 upstream.
To match the Corsair Strafe RGB, the Corsair K70 RGB also requires
USB_QUIRK_DELAY_CTRL_MSG to completely resolve boot connection issues
discussed here: https://github.com/ckb-next/ckb-next/issues/42.
Otherwise roughly 1 in 10 boots the keyboard will fail to be detected.
Patch that applied delay control quirk for Corsair Strafe RGB:
cb88a0588717 ("usb: quirks: add control message delay for 1b1c:1b20")
Previous K70 RGB patch to add delay-init quirk:
7a1646d92257 ("Add delay-init quirk for Corsair K70 RGB keyboards")
Signed-off-by: Jack Stocker <jackstocker.93@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/quirks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -240,7 +240,8 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x1a40, 0x0101), .driver_info = USB_QUIRK_HUB_SLOW_RESET },
/* Corsair K70 RGB */
- { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
+ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT |
+ USB_QUIRK_DELAY_CTRL_MSG },
/* Corsair Strafe */
{ USB_DEVICE(0x1b1c, 0x1b15), .driver_info = USB_QUIRK_DELAY_INIT |
^ permalink raw reply [flat|nested] 206+ messages in thread
* [PATCH 3.16 010/202] usb: cdc-acm: send ZLP for Telit 3G Intel based modems
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (45 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 061/202] ipmi: msghandler: Fix potential Spectre v1 vulnerabilities Ben Hutchings
@ 2019-04-27 15:13 ` Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 152/202] team: avoid complex list operations in team_nl_cmd_options_set() Ben Hutchings
` (155 subsequent siblings)
202 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denis Kirjanov, Daniele Palmas, Greg Kroah-Hartman
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Daniele Palmas <dnlplm@gmail.com>
commit 34aabf918717dd14e05051896aaecd3b16b53d95 upstream.
Telit 3G Intel based modems require zero packet to be sent if
out data size is equal to the endpoint max packet size.
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/class/cdc-acm.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1903,6 +1903,13 @@ static const struct usb_device_id acm_id
.driver_info = IGNORE_DEVICE,
},
+ { USB_DEVICE(0x1bc7, 0x0021), /* Telit 3G ACM only composition */
+ .driver_info = SEND_ZERO_PACKET,
+ },
+ { USB_DEVICE(0x1bc7, 0x0023), /* Telit 3G ACM + ECM composition */
+ .driver_info = SEND_ZERO_PACKET,
+ },
+
/* control interfaces without any protocol set */
{ USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
USB_CDC_PROTO_NONE) },
^ permalink raw reply [flat|nested] 206+ messages in thread
* [Bridge] [PATCH 3.16 052/202] net: bridge: Fix ethernet header pointer before check skb forwardable
@ 2019-04-27 15:13 ` Ben Hutchings
0 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-27 15:13 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Yunjian Wang, Nkolay Aleksandrov, Roopa Prabhu, bridge,
David S. Miller, akpm, Denis Kirjanov
3.16.66-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yunjian Wang <wangyunjian@huawei.com>
commit 28c1382fa28f2e2d9d0d6f25ae879b5af2ecbd03 upstream.
The skb header should be set to ethernet header before using
is_skb_forwardable. Because the ethernet header length has been
considered in is_skb_forwardable(including dev->hard_header_len
length).
To reproduce the issue:
1, add 2 ports on linux bridge br using following commands:
$ brctl addbr br
$ brctl addif br eth0
$ brctl addif br eth1
2, the MTU of eth0 and eth1 is 1500
3, send a packet(Data 1480, UDP 8, IP 20, Ethernet 14, VLAN 4)
from eth0 to eth1
So the expect result is packet larger than 1500 cannot pass through
eth0 and eth1. But currently, the packet passes through success, it
means eth1's MTU limit doesn't take effect.
Fixes: f6367b4660dd ("bridge: use is_skb_forwardable in forward path")
Cc: bridge@lists.linux-foundation.org
Cc: Nkolay Aleksandrov <nikolay@cumulusnetworks.com>
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- br_dev_queue_push_xmit() has to call nf_bridge_maybe_copy_header()
before pushing the Ethernet header
- adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -38,16 +38,21 @@ static inline int should_deliver(const s
int br_dev_queue_push_xmit(struct sk_buff *skb)
{
/* ip_fragment doesn't copy the MAC header */
- if (nf_bridge_maybe_copy_header(skb) ||
- !is_skb_forwardable(skb->dev, skb)) {
- kfree_skb(skb);
- } else {
- skb_push(skb, ETH_HLEN);
- br_drop_fake_rtable(skb);
- dev_queue_xmit(skb);
- }
+ if (nf_bridge_maybe_copy_header(skb))
+ goto drop;
+
+ skb_push(skb, ETH_HLEN);
+ if (!is_skb_forwardable(skb->dev, skb))
+ goto drop;
+
+ br_drop_fake_rtable(skb);
+ dev_queue_xmit(skb);
return 0;
+
+drop:
+ kfree_skb(skb);
+ return 0;
}
int br_forward_finish(struct sk_buff *skb)
@@ -66,12 +71,11 @@ static void __br_deliver(const struct ne
skb->dev = to->dev;
if (unlikely(netpoll_tx_running(to->br->dev))) {
+ skb_push(skb, ETH_HLEN);
if (!is_skb_forwardable(skb->dev, skb))
kfree_skb(skb);
- else {
- skb_push(skb, ETH_HLEN);
+ else
br_netpoll_send_skb(to, skb);
- }
return;
}
^ permalink raw reply [flat|nested] 206+ messages in thread
* Re: [PATCH 3.16 000/202] 3.16.66-rc1 review
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
` (201 preceding siblings ...)
2019-04-27 15:13 ` [PATCH 3.16 048/202] USB: serial: pl2303: add new PID to support PL2303TB Ben Hutchings
@ 2019-04-27 18:41 ` Guenter Roeck
2019-04-28 15:45 ` Ben Hutchings
202 siblings, 1 reply; 206+ messages in thread
From: Guenter Roeck @ 2019-04-27 18:41 UTC (permalink / raw)
To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov
On 4/27/19 8:13 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.66 release.
> There are 202 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed May 01 18:00:00 UTC 2019.
> Anything received after that time might be too late.
>
Build results:
total: 137 pass: 136 fail: 1
Failed builds:
i386:tools/perf
Qemu test results:
total: 226 pass: 226 fail: 0
Guenter
^ permalink raw reply [flat|nested] 206+ messages in thread
* Re: [PATCH 3.16 000/202] 3.16.66-rc1 review
2019-04-27 18:41 ` [PATCH 3.16 000/202] 3.16.66-rc1 review Guenter Roeck
@ 2019-04-28 15:45 ` Ben Hutchings
0 siblings, 0 replies; 206+ messages in thread
From: Ben Hutchings @ 2019-04-28 15:45 UTC (permalink / raw)
To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov
[-- Attachment #1: Type: text/plain, Size: 751 bytes --]
On Sat, 2019-04-27 at 11:41 -0700, Guenter Roeck wrote:
> On 4/27/19 8:13 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.66 release.
> > There are 202 patches in this series, which will be posted as responses
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed May 01 18:00:00 UTC 2019.
> > Anything received after that time might be too late.
> >
>
> Build results:
> total: 137 pass: 136 fail: 1
> Failed builds:
> i386:tools/perf
> Qemu test results:
> total: 226 pass: 226 fail: 0
Thanks for checking,
Ben.
--
Ben Hutchings
Power corrupts. Absolute power is kind of neat. - John Lehman
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 206+ messages in thread
end of thread, other threads:[~2019-04-28 15:45 UTC | newest]
Thread overview: 206+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-27 15:13 [PATCH 3.16 000/202] 3.16.66-rc1 review Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 080/202] l2tp: copy 4 more bytes to linear part if necessary Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 111/202] c6x: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 072/202] s390/dasd: fix using offset into zero size array error Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 121/202] mn10300: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 084/202] mm: hwpoison: use do_send_sig_info() instead of force_sig() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 021/202] scsi: sd: Fix cache_type_store() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 087/202] dmaengine: bcm2835: add additional defines for DMA-registers Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 035/202] s390/mm: always force a load of the primary ASCE on context switch Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 114/202] hexagon: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 086/202] dmaengine: imx-dma: fix wrong callback invoke Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 053/202] uart: Fix crash in uart_write and uart_put_char Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 007/202] ALSA: usb-audio: Always check descriptor sizes in parser code Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 032/202] cifs: Fix potential OOB access of lock element array Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 082/202] skge: potential memory corruption in skge_get_regs() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 020/202] sd: Clear PS bit before Mode Select Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 169/202] KEYS: user: Align the payload buffer Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 137/202] signal: Always notice exiting tasks Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 042/202] net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031 Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 135/202] Clean up signal_delivered() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 055/202] vt: always call notifier with the console lock held Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 019/202] packet: Do not leak dev refcounts on error exit Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 201/202] apparmor: provide userspace flag indicating binfmt_elf_mmap change Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 069/202] kallsyms: Handle too long symbols in kallsyms.c Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 098/202] s390/qeth: conclude all event processing before offlining a card Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 085/202] mm: migrate: don't rely on __PageMovable() of newpage after unlocking it Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 199/202] binfmt_elf: Fix missing SIGKILL for empty PIE Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 134/202] tracehook_signal_handler: Remove sig, info, ka and regs Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 017/202] packet: validate address length Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 106/202] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 102/202] drm/vmwgfx: Fix setting of dma masks Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 002/202] batman-adv: Force mac header to start of data on xmit Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 123/202] powerpc: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 051/202] ARC: mm: do_page_fault fixes #1: relinquish mmap_sem if signal arrives while handle_mm_fault Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 131/202] unicore32: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 179/202] net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 012/202] USB: storage: add quirk for SMI SM3350 Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 174/202] mmc: spi: Fix card detection during probe Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 065/202] net/mlx4_core: Add masking for a few queries on HCA caps Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 116/202] m32r: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 158/202] netfilter: nft_compat: use-after-free when deleting targets Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 100/202] net: dsa: slave: Don't propagate flag changes on down slave interfaces Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 081/202] mac80211: ensure that mgmt tx skbs have tailroom for encryption Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 202/202] tty: mark Siemens R3964 line discipline as BROKEN Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 063/202] drm/modes: Prevent division by zero htotal Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 036/202] s390/smp: fix CPU hotplug deadlock with CPU rescan Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 061/202] ipmi: msghandler: Fix potential Spectre v1 vulnerabilities Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 010/202] usb: cdc-acm: send ZLP for Telit 3G Intel based modems Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 152/202] team: avoid complex list operations in team_nl_cmd_options_set() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 103/202] ALSA: compress: Fix stop handling on compressed capture streams Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 163/202] assoc_array: Fix shortcut creation Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 156/202] netfilter: nft_compat: fix crash when related match/target module is removed Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 155/202] signal: Restore the stop PTRACE_EVENT_EXIT Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 180/202] mm/mmap.c: expand_downwards: don't require the gap if !vm_prev Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 023/202] Drivers: hv: vmbus: Check for ring when getting debug info Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 079/202] fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 195/202] brcmfmac: screening firmware event packet Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 090/202] perf/x86/intel/uncore: Add Node ID mask Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 059/202] can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 041/202] net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 014/202] ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 057/202] char/mwave: fix potential Spectre v1 vulnerability Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 078/202] usb: gadget: musb: fix short isoc packets with inventra dma Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 088/202] dmaengine: bcm2835: Fix interrupt race on RT Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 140/202] ALSA: usb-audio: Fix implicit fb endpoint setup by quirk Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 196/202] brcmfmac: fix incorrect event channel deduction Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 104/202] mtd: rawnand: gpmi: fix MX28 bus master lockup problem Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 190/202] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 167/202] tmpfs: fix link accounting when a tmpfile is linked in Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 170/202] KEYS: restrict /proc/keys by credentials at open time Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 054/202] tty/n_hdlc: fix __might_sleep warning Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 147/202] net: fix IPv6 prefix route residue Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 099/202] MIPS: Remove function size check in get_frame_info() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 185/202] [media] media: em28xx-dvb - fix em28xx_dvb_resume() to not unregister i2c and dvb Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 164/202] scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 159/202] dm thin: fix bug where bio that overwrites thin block ignores FUA Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 165/202] ceph: avoid repeatedly adding inode to mdsc->snap_flush_list Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 154/202] x86/a.out: Clear the dump structure initially Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 192/202] brcmfmac: assure SSID length from firmware is limited Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 118/202] microblaze: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 058/202] tty: Handle problem if line discipline does not have receive_buf Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 052/202] net: bridge: Fix ethernet header pointer before check skb forwardable Ben Hutchings
2019-04-27 15:13 ` [Bridge] " Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 178/202] net: phy: Micrel KSZ8061: link failure after cable connect Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 151/202] net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 013/202] USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 141/202] Input: elantech - force needed quirks on Fujitsu H760 Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 173/202] net/x25: fix a race in x25_bind() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 062/202] ARM: pxa: ssp: unneeded to free devm_ allocated data Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 113/202] frv: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 101/202] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 018/202] packet: validate address length if non-zero Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 188/202] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 117/202] m68k: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 120/202] mips: Use sigsp() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 074/202] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 125/202] powerpc/signal: Properly handle return value from uprobe_deny_signal() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 157/202] netfilter: nf_tables: nft_compat: fix refcount leak on xt module Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 161/202] netfilter: nf_tables: fix flush after rule deletion in the same batch Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 122/202] parisc: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 183/202] net: netem: fix skb length BUG_ON in __skb_to_sgvec Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 110/202] blackfin: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 143/202] vsock: cope with memory allocation failure at socket creation time Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 093/202] dmaengine: dmatest: Abort test in case of mapping error Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 193/202] brcmfmac: consolidate ifp lookup in driver core Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 043/202] fuse: handle zero sized retrieve correctly Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 001/202] batman-adv: Avoid WARN on net_device without parent in netns Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 003/202] ACPI: power: Skip duplicate power resource references in _PRx Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 107/202] arc: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 049/202] arc: do not export symbols in troubleshoot.c Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 045/202] fuse: decrement NR_WRITEBACK_TEMP on the right page Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 046/202] media: v4l: ioctl: Validate num_planes for debug messages Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 171/202] KEYS: always initialize keyring_index_key::desc_len Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 030/202] i2c: dev: prevent adapter retries and timeout being set as minus value Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 186/202] media: em28xx: Fix use-after-free when disconnecting Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 139/202] sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 162/202] KEYS: allow reaching the keys quotas exactly Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 033/202] omap2fb: Fix stack memory disclosure Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 184/202] ipc/shm: Fix pid freeing Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 067/202] KVM: x86: Fix single-step debugging Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 144/202] alpha: fix page fault handling for r16-r18 targets Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 083/202] mm, oom: fix use-after-free in oom_kill_process Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 028/202] crypto: authenc - fix parsing key with misaligned rta_len Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 038/202] staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 050/202] ARC: show_regs: lockdep: avoid page allocator Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 127/202] score: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 056/202] vt: invoke notifier on screen size change Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 076/202] CIFS: Do not consider -ENODATA as stat failure for reads Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 108/202] arm64: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 166/202] net: stmmac: Fix a race in EEE enable callback Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 132/202] unicore32: Fix build error Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 153/202] perf/core: Fix impossible ring-buffer sizes warning Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 006/202] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 130/202] um: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 095/202] perf test: Fix failure of 'evsel-tp-sched' test on s390 Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 097/202] s390/qeth: cancel close_dev work before removing a card Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 124/202] powerpc: Use sigsp() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 198/202] brcmfmac: add subtype check for event handling in data path Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 109/202] avr32: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 040/202] net/phy: micrel: configure intterupts after autoneg workaround Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 160/202] i2c: cadence: Fix the hold bit setting Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 096/202] s390/qeth: fix use-after-free in error path Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 073/202] scsi: bnx2fc: Fix error handling in probe() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 177/202] tmpfs: fix uninitialized return value in shmem_link Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 004/202] mfd: ab8500-core: Return zero in get_register_interruptible() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 029/202] Disable MSI also when pcie-octeon.pcie_disable on Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 068/202] IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 047/202] Yama: Check for pid death before checking ancestry Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 128/202] sh: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 009/202] USB: serial: simple: add Motorola Tetra TPG2200 device id Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 168/202] ARC: U-boot: check arguments paranoidly Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 031/202] CIFS: Do not hide EINTR after sending network packets Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 182/202] netlabel: fix out-of-bounds memory accesses Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 025/202] drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 129/202] tile: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 064/202] iommu/amd: Fix IOMMU page flush when detach device from a domain Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 112/202] cris: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 016/202] ALSA: cs46xx: Potential NULL dereference in probe Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 138/202] signal: Better detection of synchronous signals Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 126/202] s390: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 136/202] Rip out get_signal_to_deliver() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 115/202] ia64: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 092/202] dmaengine: dmatest: unmap data on a single code-path when xfer done Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 066/202] debugfs: fix debugfs_rename parameter checking Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 091/202] perf/core: Don't WARN() for impossible ring-buffer sizes Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 148/202] x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 044/202] fuse: call pipe_buf_release() under pipe lock Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 011/202] USB: storage: don't insert sane sense for SPC3+ when bad sense specified Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 022/202] scsi: isci: initialize shost fully before calling scsi_add_host() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 077/202] ARM: iop32x/n2100: fix PCI IRQ mapping Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 094/202] perf tests evsel-tp-sched: Fix bitwise operator Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 039/202] net/phy: micrel: Add workaround for bad autoneg Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 187/202] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 071/202] usb: phy: am335x: fix race condition in _probe Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 026/202] rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 146/202] vxlan: test dev->flags & IFF_UP before calling netif_rx() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 181/202] mm: enforce min addr even if capable() in expand_downwards() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 176/202] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 145/202] perf/x86: Add check_period PMU callback Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 200/202] binfmt_elf: switch to new creds when switching to new mm Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 194/202] brcmfmac: make brcmf_proto_hdrpull() return struct brcmf_if instance Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 105/202] Input: bma150 - register input device after setting private data Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 024/202] drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2 Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 075/202] CIFS: Do not count -ENODATA as failure for query directory Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 027/202] ARM: dts: kirkwood: Fix polarity of GPIO fan lines Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 060/202] can: bcm: check timer values before ktime conversion Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 037/202] x86/kaslr: Fix incorrect i8254 outb() parameters Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 133/202] xtensa: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 191/202] perf/core: Fix perf_event_open() vs. execve() race Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 015/202] ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 119/202] mips: Use get_signal() signal_setup_done() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 070/202] usb: gadget: udc: net2272: Fix bitwise and boolean operations Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 034/202] s390/early: improve machine detection Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 149/202] batman-adv: fix uninit-value in batadv_interface_tx() Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 172/202] mdio_bus: Fix use-after-free on device_register fails Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 175/202] mmc: tmio_mmc_core: don't claim spurious interrupts Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 189/202] vfio/type1: Limit DMA mappings per container Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 150/202] net/packet: fix 4gb buffer limit due to overflow check Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 197/202] brcmfmac: revise handling events in receive path Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 005/202] mfd: tps6586x: Handle interrupts on suspend Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 089/202] dmaengine: bcm2835: Fix abort of transactions Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 142/202] Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 008/202] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks Ben Hutchings
2019-04-27 15:13 ` [PATCH 3.16 048/202] USB: serial: pl2303: add new PID to support PL2303TB Ben Hutchings
2019-04-27 18:41 ` [PATCH 3.16 000/202] 3.16.66-rc1 review Guenter Roeck
2019-04-28 15:45 ` Ben Hutchings
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.