December 2017 - Linux-stable-mirror

[Linux-stable-mirror] [PATCH v4.4 backport] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one

by Christoffer Dall

From: Kristina Martsenko <kristina.martsenko(a)arm.com> Commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream. VTTBR_BADDR_MASK is used to sanity check the size and alignment of the VTTBR address. It seems to currently be off by one, thereby only allowing up to 47-bit addresses (instead of 48-bit) and also insufficiently checking the alignment. This patch fixes it. As an example, with 4k pages, before this patch we have: PHYS_MASK_SHIFT = 48 VTTBR_X = 37 - 24 = 13 VTTBR_BADDR_SHIFT = 13 - 1 = 12 VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000 Which is wrong, because the mask doesn't allow bit 47 of the VTTBR address to be set, and only requires the address to be 12-bit (4k) aligned, while it actually needs to be 13-bit (8k) aligned because we concatenate two 4k tables. With this patch, the mask becomes 0x0000ffffffffe000, which is what we want. Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions") Cc: <stable(a)vger.kernel.org> # 3.11.x Reviewed-by: Suzuki K Poulose <suzuki.poulose(a)arm.com> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Kristina Martsenko <kristina.martsenko(a)arm.com> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- arch/arm64/include/asm/kvm_arm.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h index 2d960f8588b0..ef8e13d379cb 100644 --- a/arch/arm64/include/asm/kvm_arm.h +++ b/arch/arm64/include/asm/kvm_arm.h @@ -164,8 +164,7 @@ #define VTTBR_X (37 - VTCR_EL2_T0SZ_40B) #endif -#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) -#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) +#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X) #define VTTBR_VMID_SHIFT (UL(48)) #define VTTBR_VMID_MASK (UL(0xFF) << VTTBR_VMID_SHIFT) -- 2.14.2

7 years, 1 month

2
2
0 0

[Linux-stable-mirror] [PATCH] usb: add RESET_RESUME for ELSA MicroLink 56K

by Oliver Neukum

This modem needs this quirk to operate. It produces timeouts when resumed without reset. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> CC: stable(a)vger.kernel.org --- drivers/usb/core/quirks.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c index f1dbab6f798f..360ae28ab83e 100644 --- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -146,6 +146,9 @@ static const struct usb_device_id usb_quirk_list[] = { /* appletouch */ { USB_DEVICE(0x05ac, 0x021a), .driver_info = USB_QUIRK_RESET_RESUME }, + /* ELSA MicroLink 56K */ + { USB_DEVICE(0x05cc, 0x2267), .driver_info = USB_QUIRK_RESET_RESUME }, + /* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */ { USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM }, -- 2.13.6

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] [GIT PULL] commits for Linux 4.4

by alexander.levin＠verizon.com

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi Greg, Pleae pull commits for Linux 4.4 . I've sent a review request for all commits over a week ago and all comments were addressed. Thanks, Sasha ===== The following changes since commit 69b0bf95a51eb4b0890b3979531aed932cf51d7f: Linux 4.4.105 (2017-12-09 18:42:44 +0100) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git tags/for-greg-4.4-11122017 for you to fetch changes up to 85d60a17903274c04a99ef7387f43aa7e9f751ee: audit: ensure that 'audit=1' actually enables audit for PID 1 (2017-12-11 19:34:48 -0500) - ---------------------------------------------------------------- for-greg-4.4-11122017 - ---------------------------------------------------------------- Alexey Kardashevskiy (1): powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested Arvind Yadav (1): atm: horizon: Fix irq release error Ben Hutchings (1): mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() Blomme, Maarten (1): spi_ks8995: fix "BUG: key accdaa28 not in .data!" Chris Brandt (1): i2c: riic: fix restart condition Christophe JAILLET (1): USB: gadgetfs: Fix a potential memory leak in 'dev_config()' Chuck Lever (1): sunrpc: Fix rpc_task_begin trace point Daniel Drake (1): HID: chicony: Add support for another ASUS Zen AiO keyboard David Daney (1): module: set __jump_table alignment to 8 David Howells (1): afs: Connect up the CB.ProbeUuid Florian Westphal (1): netfilter: don't track fragmented packets Franck Demathieu (1): irqchip/crossbar: Fix incorrect type of register size Guenter Roeck (2): ARM: OMAP2+: Fix device node reference counts ARM: OMAP2+: Release device node after it is no longer needed. Herbert Xu (1): xfrm: Copy policy family in clone_policy James Smart (1): scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters Jan Kara (1): axonram: Fix gendisk handling Jason Baron (1): jump_label: Invoke jump_label_test() via early_initcall() Jim Mattson (1): kvm: nVMX: VMCLEAR should not cause the vCPU to shut down Jim Qu (1): drm/amd/amdgpu: fix console deadlock if late init failed Johannes Thumshirn (1): zram: set physical queue limits to avoid array out of bounds accesses John Keeping (1): usb: gadget: configs: plug memory leak JÃ©rÃ©my Lefaure (2): EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro EDAC, i5000, i5400: Fix definition of NRECMEMB register Keefe Liu (1): ipvlan: fix ipv6 outbound device Krzysztof Kozlowski (1): crypto: s5p-sss - Fix completing crypto request in IRQ handler Ladislav Michl (1): ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure Majd Dibbiny (1): IB/mlx5: Assign send CQ and recv CQ of UMR QP Mark Bloch (1): IB/mlx4: Increase maximal message size under UD QP Mark Rutland (2): arm: KVM: Survive unknown traps from guests arm64: KVM: Survive unknown traps from guests Masahiro Yamada (1): kbuild: pkg: use --transform option to prefix paths in tar Michal Schmidt (3): bnx2x: prevent crash when accessing PTP with interface down bnx2x: fix possible overrun of VFPF multicast addresses array bnx2x: do not rollback VF MAC/VLAN filters we did not configure Ming Lei (1): block: wake up all tasks blocked in get_request() Paul Moore (1): audit: ensure that 'audit=1' actually enables audit for PID 1 Pavel Tatashin (1): sparc64/mm: set fields in deferred pages Phil Reid (1): gpio: altera: Use handle_level_irq when configured as a level_high Randy Dunlap (1): dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 Sachin Sant (1): selftest/powerpc: Fix false failures for skipped tests Sasha Levin (3): Revert "drm/armada: Fix compile fail" Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA" Revert "s390/kbuild: enable modversions for symbols exported from asm" Steffen Klassert (1): vti6: Don't report path MTU below IPV6_MIN_MTU. Stephen Bates (1): lib/genalloc.c: make the avail variable an atomic_long_t Tejun Heo (2): libata: drop WARN from protocol error in ata_sff_qc_issue() workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq Thomas Gleixner (1): x86/hpet: Prevent might sleep splat on resume Trond Myklebust (1): NFS: Fix a typo in nfs_rename() WANG Cong (1): ipv6: reorder icmpv6_init() and ip6_mr_init() Wanpeng Li (1): KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset Xin Long (4): route: also update fnhe_genid when updating a route cache route: update fnhe_expires for redirect when the fnhe exists sctp: do not free asoc when it is already dead in sctp_sendmsg sctp: use the right sk after waking up from wait_buf sleep arch/arm/include/asm/kvm_arm.h | 1 + arch/arm/kvm/handle_exit.c | 19 +++++++----- arch/arm/mach-omap2/gpmc-onenand.c | 10 +++--- arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 25 ++++++++++----- arch/arm64/kvm/handle_exit.c | 19 +++++++----- arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++ arch/powerpc/sysdev/axonram.c | 5 ++- arch/s390/include/asm/asm-prototypes.h | 8 ----- arch/sparc/mm/init_64.c | 9 +++++- arch/x86/kernel/hpet.c | 2 +- arch/x86/kvm/vmx.c | 26 +++++----------- block/blk-core.c | 4 +-- drivers/ata/libata-sff.c | 1 - drivers/atm/horizon.c | 2 +- drivers/block/zram/zram_drv.c | 2 ++ drivers/crypto/s5p-sss.c | 5 +-- drivers/edac/i5000_edac.c | 8 ++--- drivers/edac/i5400_edac.c | 9 +++--- drivers/gpio/gpio-altera.c | 26 +++++++--------- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 5 ++- drivers/gpu/drm/armada/Makefile | 2 -- drivers/hid/Kconfig | 4 +-- drivers/hid/hid-chicony.c | 1 + drivers/hid/hid-core.c | 1 + drivers/hid/hid-ids.h | 1 + drivers/i2c/busses/i2c-riic.c | 6 +++- drivers/infiniband/hw/mlx4/qp.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 2 ++ drivers/irqchip/irq-crossbar.c | 8 ++--- drivers/memory/omap-gpmc.c | 4 +-- drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 20 +++++++++++- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 8 ++++- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 + drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 23 +++++++------- drivers/net/ipvlan/ipvlan_core.c | 2 +- drivers/net/phy/spi_ks8995.c | 1 + drivers/net/wireless/mac80211_hwsim.c | 5 ++- drivers/scsi/lpfc/lpfc_els.c | 14 ++++++--- drivers/spi/Kconfig | 1 - drivers/usb/gadget/configfs.c | 1 + drivers/usb/gadget/legacy/inode.c | 4 ++- fs/afs/cmservice.c | 3 ++ fs/nfs/dir.c | 2 +- include/linux/genalloc.h | 3 +- include/linux/omap-gpmc.h | 5 +-- kernel/audit.c | 10 +++--- kernel/jump_label.c | 2 +- kernel/workqueue.c | 1 + lib/dynamic_debug.c | 4 +++ lib/genalloc.c | 10 +++--- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 +++ net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 5 --- net/ipv4/route.c | 14 ++++++--- net/ipv6/af_inet6.c | 10 +++--- net/ipv6/ip6_vti.c | 8 +++-- net/sctp/socket.c | 38 +++++++++++++++-------- net/sunrpc/sched.c | 3 +- net/xfrm/xfrm_policy.c | 1 + scripts/module-common.lds | 2 ++ scripts/package/Makefile | 5 ++- tools/testing/selftests/powerpc/harness.c | 6 ++-- 61 files changed, 263 insertions(+), 173 deletions(-) delete mode 100644 arch/s390/include/asm/asm-prototypes.h -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJaLyneAAoJEN6mb/eXdyzcozsP/RWAsb1T3wV6ZCqlgGfWzKQH A68FoInZJb9gLpXziggxIBjHZeFhKrv86xBhq8hJXEWt8MHA4X3JBaWovK2Nt/NA +h2ncFvJC7QUmXSMnisonCzYuzs7RNll9bdUmZxIVfTE7d4JjjPjM7he/uIkwdub gc5f8vVJsg6XROUTuIpj1I+hbGshICj+4LtfRFoBe3EJKa7vnjy+RwMJMmfMVnNr cNo84Z5FqIpYBT2prM3+blTWv9EgSZKJVfWlV2mJFMzLgwhoUsZvbZmmDU/uRi50 CsIaYsIJhdyTRrUV59UAQVbEdlZ21FhVGoCd8La64k+boxDUfel81N11EH8CFLm8 g4i1u11k+f8TPc1JRRRDPbKMSGaev7yhMTJjsJ9z/Hu691ICl8CC3fIWZtP8Z6nH HsBmHJmSAGSdDf6Eau1G232lGhx6pVdZ0MFqWYhqu3XgT6T09ylzGyVEk6m9mwoK DonRnJ8L/TCB4cQDSSqSmJRBsLorlQht50uyRcyth/rkdW8OegymY98kPnyCkMm+ skHERh4ufUaQbpEBW5uH1xB05T/zCSonzXxldaC5DCrEs/ZxCwdib3U/fyu6hMKC m2y8KZ5P0OZ00wUhHePQuSY1mS7WpoAvpsTjp0mMf67ZH42xxBrOL59cRyJeTJdE QeW4v6fKJF2RMYKk58xI =bY4h -----END PGP SIGNATURE-----

7 years, 1 month

2
1
0 0

[Linux-stable-mirror] Patch "zram: set physical queue limits to avoid array out of bounds accesses" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled zram: set physical queue limits to avoid array out of bounds accesses to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Johannes Thumshirn <jthumshirn(a)suse.de> Date: Mon, 6 Mar 2017 11:23:35 +0100 Subject: zram: set physical queue limits to avoid array out of bounds accesses From: Johannes Thumshirn <jthumshirn(a)suse.de> [ Upstream commit 0bc315381fe9ed9fb91db8b0e82171b645ac008f ] zram can handle at most SECTORS_PER_PAGE sectors in a bio's bvec. When using the NVMe over Fabrics loopback target which potentially sends a huge bulk of pages attached to the bio's bvec this results in a kernel panic because of array out of bounds accesses in zram_decompress_page(). Signed-off-by: Johannes Thumshirn <jthumshirn(a)suse.de> Reviewed-by: Hannes Reinecke <hare(a)suse.com> Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Signed-off-by: Jens Axboe <axboe(a)fb.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/block/zram/zram_drv.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1247,6 +1247,8 @@ static int zram_add(void) blk_queue_io_min(zram->disk->queue, PAGE_SIZE); blk_queue_io_opt(zram->disk->queue, PAGE_SIZE); zram->disk->queue->limits.discard_granularity = PAGE_SIZE; + zram->disk->queue->limits.max_sectors = SECTORS_PER_PAGE; + zram->disk->queue->limits.chunk_sectors = 0; blk_queue_max_discard_sectors(zram->disk->queue, UINT_MAX); /* * zram_bio_discard() will clear all logical blocks if logical block Patches currently in stable-queue which might be from jthumshirn(a)suse.de are queue-4.4/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "xfrm: Copy policy family in clone_policy" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xfrm: Copy policy family in clone_policy to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: xfrm-copy-policy-family-in-clone_policy.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Fri, 10 Nov 2017 14:14:06 +1100 Subject: xfrm: Copy policy family in clone_policy From: Herbert Xu <herbert(a)gondor.apana.org.au> [ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ] The syzbot found an ancient bug in the IPsec code. When we cloned a socket policy (for example, for a child TCP socket derived from a listening socket), we did not copy the family field. This results in a live policy with a zero family field. This triggers a BUG_ON check in the af_key code when the cloned policy is retrieved. This patch fixes it by copying the family field over. Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/xfrm/xfrm_policy.c | 1 + 1 file changed, 1 insertion(+) --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1361,6 +1361,7 @@ static struct xfrm_policy *clone_policy( newp->xfrm_nr = old->xfrm_nr; newp->index = old->index; newp->type = old->type; + newp->family = old->family; memcpy(newp->xfrm_vec, old->xfrm_vec, newp->xfrm_nr*sizeof(struct xfrm_tmpl)); write_lock_bh(&net->xfrm.xfrm_policy_lock); Patches currently in stable-queue which might be from herbert(a)gondor.apana.org.au are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "x86/hpet: Prevent might sleep splat on resume" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/hpet: Prevent might sleep splat on resume to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86-hpet-prevent-might-sleep-splat-on-resume.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Thomas Gleixner <tglx(a)linutronix.de> Date: Wed, 1 Mar 2017 21:10:17 +0100 Subject: x86/hpet: Prevent might sleep splat on resume From: Thomas Gleixner <tglx(a)linutronix.de> [ Upstream commit bb1a2c26165640ba2cbcfe06c81e9f9d6db4e643 ] Sergey reported a might sleep warning triggered from the hpet resume path. It's caused by the call to disable_irq() from interrupt disabled context. The problem with the low level resume code is that it is not accounted as a special system_state like we do during the boot process. Calling the same code during system boot would not trigger the warning. That's inconsistent at best. In this particular case it's trivial to replace the disable_irq() with disable_hardirq() because this particular code path is solely used from system resume and the involved hpet interrupts can never be force threaded. Reported-and-tested-by: Sergey Senozhatsky <sergey.senozhatsky.work(a)gmail.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: "Rafael J. Wysocki" <rjw(a)sisk.pl> Cc: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Cc: Borislav Petkov <bp(a)alien8.de> Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1703012108460.3684@nanos Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kernel/hpet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/kernel/hpet.c +++ b/arch/x86/kernel/hpet.c @@ -353,7 +353,7 @@ static int hpet_resume(struct clock_even irq_domain_deactivate_irq(irq_get_irq_data(hdev->irq)); irq_domain_activate_irq(irq_get_irq_data(hdev->irq)); - disable_irq(hdev->irq); + disable_hardirq(hdev->irq); irq_set_affinity(hdev->irq, cpumask_of(hdev->cpu)); enable_irq(hdev->irq); } Patches currently in stable-queue which might be from tglx(a)linutronix.de are queue-4.4/efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch queue-4.4/x86-hpet-prevent-might-sleep-splat-on-resume.patch queue-4.4/efi-move-some-sysfs-files-to-be-read-only-by-root.patch queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch queue-4.4/jump_label-invoke-jump_label_test-via-early_initcall.patch queue-4.4/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "vti6: Don't report path MTU below IPV6_MIN_MTU." has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled vti6: Don't report path MTU below IPV6_MIN_MTU. to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Steffen Klassert <steffen.klassert(a)secunet.com> Date: Wed, 15 Feb 2017 11:38:58 +0100 Subject: vti6: Don't report path MTU below IPV6_MIN_MTU. From: Steffen Klassert <steffen.klassert(a)secunet.com> [ Upstream commit e3dc847a5f85b43ee2bfc8eae407a7e383483228 ] In vti6_xmit(), the check for IPV6_MIN_MTU before we send a ICMPV6_PKT_TOOBIG message is missing. So we might report a PMTU below 1280. Fix this by adding the required check. Fixes: ccd740cbc6e ("vti6: Add pmtu handling to vti6_xmit.") Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/ipv6/ip6_vti.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -474,11 +474,15 @@ vti6_xmit(struct sk_buff *skb, struct ne if (!skb->ignore_df && skb->len > mtu) { skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu); - if (skb->protocol == htons(ETH_P_IPV6)) + if (skb->protocol == htons(ETH_P_IPV6)) { + if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); - else + } else { icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); + } return -EMSGSIZE; } Patches currently in stable-queue which might be from steffen.klassert(a)secunet.com are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Tejun Heo <tj(a)kernel.org> Date: Mon, 6 Mar 2017 15:33:42 -0500 Subject: workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq From: Tejun Heo <tj(a)kernel.org> [ Upstream commit 637fdbae60d6cb9f6e963c1079d7e0445c86ff7d ] If queue_delayed_work() gets called with NULL @wq, the kernel will oops asynchronuosly on timer expiration which isn't too helpful in tracking down the offender. This actually happened with smc. __queue_delayed_work() already does several input sanity checks synchronously. Add NULL @wq check. Reported-by: Dave Jones <davej(a)codemonkey.org.uk> Link: http://lkml.kernel.org/r/20170227171439.jshx3qplflyrgcv7@codemonkey.org.uk Signed-off-by: Tejun Heo <tj(a)kernel.org> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- kernel/workqueue.c | 1 + 1 file changed, 1 insertion(+) --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -1479,6 +1479,7 @@ static void __queue_delayed_work(int cpu struct timer_list *timer = &dwork->timer; struct work_struct *work = &dwork->work; + WARN_ON_ONCE(!wq); WARN_ON_ONCE(timer->function != delayed_work_timer_fn || timer->data != (unsigned long)dwork); WARN_ON_ONCE(timer_pending(timer)); Patches currently in stable-queue which might be from tj(a)kernel.org are queue-4.4/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-4.4/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "usb: gadget: configs: plug memory leak" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: gadget: configs: plug memory leak to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-gadget-configs-plug-memory-leak.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: John Keeping <john(a)metanate.com> Date: Tue, 28 Feb 2017 10:55:30 +0000 Subject: usb: gadget: configs: plug memory leak From: John Keeping <john(a)metanate.com> [ Upstream commit 38355b2a44776c25b0f2ad466e8c51bb805b3032 ] When binding a gadget to a device, "name" is stored in gi->udc_name, but this does not happen when unregistering and the string is leaked. Signed-off-by: John Keeping <john(a)metanate.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/gadget/configfs.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/usb/gadget/configfs.c +++ b/drivers/usb/gadget/configfs.c @@ -270,6 +270,7 @@ static ssize_t gadget_dev_desc_UDC_store ret = unregister_gadget(gi); if (ret) goto err; + kfree(name); } else { if (gi->udc_name) { ret = -EBUSY; Patches currently in stable-queue which might be from john(a)metanate.com are queue-4.4/usb-gadget-configs-plug-memory-leak.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "USB: gadgetfs: Fix a potential memory leak in 'dev_config()'" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: gadgetfs: Fix a potential memory leak in 'dev_config()' to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Date: Tue, 21 Feb 2017 22:33:11 +0100 Subject: USB: gadgetfs: Fix a potential memory leak in 'dev_config()' From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> [ Upstream commit b6e7aeeaf235901c42ec35de4633c7c69501d303 ] 'kbuf' is allocated just a few lines above using 'memdup_user()'. If the 'if (dev->buf)' test fails, this memory is never released. Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/gadget/legacy/inode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/usb/gadget/legacy/inode.c +++ b/drivers/usb/gadget/legacy/inode.c @@ -1837,8 +1837,10 @@ dev_config (struct file *fd, const char spin_lock_irq (&dev->lock); value = -EINVAL; - if (dev->buf) + if (dev->buf) { + kfree(kbuf); goto fail; + } dev->buf = kbuf; /* full or low speed config */ Patches currently in stable-queue which might be from christophe.jaillet(a)wanadoo.fr are queue-4.4/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch

7 years, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2017