This is the start of the stable review cycle for the 4.9.95 release.
There are 66 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu Apr 19 15:56:27 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.95-rc1…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.9.95-rc1
Phil Elwell <phil(a)raspberrypi.org>
lan78xx: Correctly indicate invalid OTP
Stefan Hajnoczi <stefanha(a)redhat.com>
vhost: fix vhost_vq_access_ok() log check
Tejaswi Tanikella <tejaswit(a)codeaurora.org>
slip: Check if rstate is initialized before uncompressing
Ka-Cheong Poon <ka-cheong.poon(a)oracle.com>
rds: MP-RDS may use an invalid c_path
Bassem Boubaker <bassem.boubaker(a)actia.fr>
cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN
Marek Szyprowski <m.szyprowski(a)samsung.com>
hwmon: (ina2xx) Fix access to uninitialized mutex
Sudhir Sreedharan <ssreedharan(a)mvista.com>
rtl8187: Fix NULL pointer dereference in priv->conf_mutex
Szymon Janc <szymon.janc(a)codecoup.pl>
Bluetooth: Fix connection if directed advertising and privacy is used
Al Viro <viro(a)zeniv.linux.org.uk>
getname_kernel() needs to make sure that ->name != ->iname in long case
Vasily Gorbik <gor(a)linux.ibm.com>
s390/ipl: ensure loadparm valid flag is set
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qdio: don't merge ERROR output buffers
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qdio: don't retry EQBS after CCQ 96
Dan Williams <dan.j.williams(a)intel.com>
nfit: fix region registration vs block-data-window ranges
Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
block/loop: fix deadlock after loop_set_status
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Revert "perf tests: Decompress kernel module before objdump"
Eric Biggers <ebiggers(a)google.com>
sunrpc: remove incorrect HMAC request initialization
Mark Rutland <mark.rutland(a)arm.com>
arm64: Kill PSCI_GET_VERSION as a variant-2 workaround
Mark Rutland <mark.rutland(a)arm.com>
arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
Mark Rutland <mark.rutland(a)arm.com>
arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
Mark Rutland <mark.rutland(a)arm.com>
arm/arm64: smccc: Make function identifiers an unsigned quantity
Mark Rutland <mark.rutland(a)arm.com>
firmware/psci: Expose SMCCC version through psci_ops
Mark Rutland <mark.rutland(a)arm.com>
firmware/psci: Expose PSCI conduit
Mark Rutland <mark.rutland(a)arm.com>
arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
Mark Rutland <mark.rutland(a)arm.com>
arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support
Mark Rutland <mark.rutland(a)arm.com>
arm/arm64: KVM: Turn kvm_psci_version into a static inline
Mark Rutland <mark.rutland(a)arm.com>
arm64: KVM: Make PSCI_VERSION a fast path
Mark Rutland <mark.rutland(a)arm.com>
arm/arm64: KVM: Advertise SMCCC v1.1
Mark Rutland <mark.rutland(a)arm.com>
arm/arm64: KVM: Implement PSCI 1.0 support
Mark Rutland <mark.rutland(a)arm.com>
arm/arm64: KVM: Add smccc accessors to PSCI code
Mark Rutland <mark.rutland(a)arm.com>
arm/arm64: KVM: Add PSCI_VERSION helper
Mark Rutland <mark.rutland(a)arm.com>
arm/arm64: KVM: Consolidate the PSCI include files
Mark Rutland <mark.rutland(a)arm.com>
arm64: KVM: Increment PC after handling an SMC trap
Mark Rutland <mark.rutland(a)arm.com>
arm64: Branch predictor hardening for Cavium ThunderX2
Mark Rutland <mark.rutland(a)arm.com>
arm64: Implement branch predictor hardening for affected Cortex-A CPUs
Mark Rutland <mark.rutland(a)arm.com>
arm64: cpu_errata: Allow an erratum to be match for all revisions of a core
Mark Rutland <mark.rutland(a)arm.com>
arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75
Mark Rutland <mark.rutland(a)arm.com>
arm64: entry: Apply BP hardening for suspicious interrupts from EL0
Mark Rutland <mark.rutland(a)arm.com>
arm64: entry: Apply BP hardening for high-priority synchronous exceptions
Mark Rutland <mark.rutland(a)arm.com>
arm64: KVM: Use per-CPU vector when BP hardening is enabled
Mark Rutland <mark.rutland(a)arm.com>
mm: Introduce lm_alias
Mark Rutland <mark.rutland(a)arm.com>
arm64: Move BP hardening to check_and_switch_context
Mark Rutland <mark.rutland(a)arm.com>
arm64: Add skeleton to harden the branch predictor against aliasing attacks
Mark Rutland <mark.rutland(a)arm.com>
arm64: Move post_ttbr_update_workaround to C code
Mark Rutland <mark.rutland(a)arm.com>
arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm macro
Mark Rutland <mark.rutland(a)arm.com>
drivers/firmware: Expose psci_get_version through psci_ops structure
Mark Rutland <mark.rutland(a)arm.com>
arm64: cpufeature: Pass capability structure to ->enable callback
Mark Rutland <mark.rutland(a)arm.com>
arm64: Run enable method for errata work arounds on late CPUs
Mark Rutland <mark.rutland(a)arm.com>
arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
Mark Rutland <mark.rutland(a)arm.com>
arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user
Mark Rutland <mark.rutland(a)arm.com>
arm64: uaccess: Don't bother eliding access_ok checks in __{get, put}_user
Mark Rutland <mark.rutland(a)arm.com>
arm64: uaccess: Prevent speculative use of the current addr_limit
Mark Rutland <mark.rutland(a)arm.com>
arm64: entry: Ensure branch through syscall table is bounded under speculation
Mark Rutland <mark.rutland(a)arm.com>
arm64: Use pointer masking to limit uaccess speculation
Mark Rutland <mark.rutland(a)arm.com>
arm64: Make USER_DS an inclusive limit
Mark Rutland <mark.rutland(a)arm.com>
arm64: move TASK_* definitions to <asm/processor.h>
Mark Rutland <mark.rutland(a)arm.com>
arm64: Implement array_index_mask_nospec()
Mark Rutland <mark.rutland(a)arm.com>
arm64: barrier: Add CSDB macros to control data-value prediction
Arnd Bergmann <arnd(a)arndb.de>
radeon: hide pointless #warning when compile testing
Prashant Bhole <bhole_prashant_q7(a)lab.ntt.co.jp>
perf/core: Fix use-after-free in uprobe_perf_close()
Adrian Hunter <adrian.hunter(a)intel.com>
perf intel-pt: Fix timestamp following overflow
Adrian Hunter <adrian.hunter(a)intel.com>
perf intel-pt: Fix error recovery from missing TIP packet
Adrian Hunter <adrian.hunter(a)intel.com>
perf intel-pt: Fix sync_switch
Adrian Hunter <adrian.hunter(a)intel.com>
perf intel-pt: Fix overlap detection to identify consecutive buffers correctly
Dexuan Cui <decui(a)microsoft.com>
Drivers: hv: vmbus: do not mark HV_PCIE as perf_device
Helge Deller <deller(a)gmx.de>
parisc: Fix out of array access in match_pci_device()
Mauro Carvalho Chehab <mchehab(a)kernel.org>
media: v4l2-compat-ioctl32: don't oops on overlay
-------------
Diffstat:
Makefile | 4 +-
arch/arm/include/asm/kvm_host.h | 6 +
arch/arm/include/asm/kvm_mmu.h | 10 +
arch/arm/include/asm/kvm_psci.h | 27 -
arch/arm/kvm/arm.c | 11 +-
arch/arm/kvm/handle_exit.c | 4 +-
arch/arm/kvm/psci.c | 143 +-
arch/arm64/Kconfig | 17 +
arch/arm64/crypto/sha256-core.S | 2061 ++++++++++++++++++++
arch/arm64/crypto/sha512-core.S | 1085 +++++++++++
arch/arm64/include/asm/assembler.h | 19 +
arch/arm64/include/asm/barrier.h | 23 +
arch/arm64/include/asm/cpucaps.h | 3 +-
arch/arm64/include/asm/cputype.h | 6 +
arch/arm64/include/asm/kvm_host.h | 5 +
arch/arm64/include/asm/kvm_mmu.h | 38 +
arch/arm64/include/asm/kvm_psci.h | 27 -
arch/arm64/include/asm/memory.h | 15 -
arch/arm64/include/asm/mmu.h | 39 +
arch/arm64/include/asm/processor.h | 24 +
arch/arm64/include/asm/sysreg.h | 2 +
arch/arm64/include/asm/uaccess.h | 153 +-
arch/arm64/kernel/Makefile | 4 +
arch/arm64/kernel/arm64ksyms.c | 4 +-
arch/arm64/kernel/bpi.S | 75 +
arch/arm64/kernel/cpu_errata.c | 189 +-
arch/arm64/kernel/cpufeature.c | 10 +-
arch/arm64/kernel/entry.S | 25 +-
arch/arm64/kvm/handle_exit.c | 16 +-
arch/arm64/kvm/hyp/hyp-entry.S | 20 +-
arch/arm64/kvm/hyp/switch.c | 5 +-
arch/arm64/lib/clear_user.S | 6 +-
arch/arm64/lib/copy_in_user.S | 4 +-
arch/arm64/mm/context.c | 12 +
arch/arm64/mm/fault.c | 34 +-
arch/arm64/mm/proc.S | 7 +-
arch/parisc/kernel/drivers.c | 4 +
arch/s390/kernel/ipl.c | 1 +
drivers/acpi/nfit/core.c | 22 +-
drivers/block/loop.c | 12 +-
drivers/firmware/psci.c | 57 +-
drivers/gpu/drm/radeon/radeon_object.c | 3 +-
drivers/hv/channel_mgmt.c | 2 +-
drivers/hwmon/ina2xx.c | 3 +-
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +-
drivers/net/slip/slhc.c | 5 +
drivers/net/usb/cdc_ether.c | 6 +
drivers/net/usb/lan78xx.c | 3 +-
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 2 +-
drivers/s390/cio/qdio_main.c | 42 +-
drivers/vhost/vhost.c | 8 +-
fs/namei.c | 3 +-
include/kvm/arm_psci.h | 51 +
include/linux/arm-smccc.h | 165 +-
include/linux/mm.h | 4 +
include/linux/psci.h | 14 +
include/net/bluetooth/hci_core.h | 2 +-
include/net/slhc_vj.h | 1 +
include/uapi/linux/psci.h | 3 +
kernel/events/core.c | 6 +
net/bluetooth/hci_conn.c | 29 +-
net/bluetooth/hci_event.c | 15 +-
net/bluetooth/l2cap_core.c | 2 +-
net/rds/send.c | 15 +-
net/sunrpc/auth_gss/gss_krb5_crypto.c | 3 -
tools/perf/tests/code-reading.c | 20 +-
.../perf/util/intel-pt-decoder/intel-pt-decoder.c | 64 +-
.../perf/util/intel-pt-decoder/intel-pt-decoder.h | 2 +-
tools/perf/util/intel-pt.c | 37 +-
69 files changed, 4423 insertions(+), 320 deletions(-)
clang-7 has a new warning (-Wreturn-stack-address) for warning when a
function returns the address of a local variable. This is in general a
good warning, but the kernel has a few places where GNU statement
expressions return the address of a label in order to get the current
instruction pointer (see _THIS_IP_ and current_text_addr).
In order to disable a warning at a single call site, the kernel already
has __diag macros for inserting compiler and compiler-version specific
_Pragma's.
This series adds CLANG_VERSION macros necessary for proper __diag
support, and whitelists the case in _THIS_IP_. current_text_addr will be
consolidated in a follow up series.
Nick Desaulniers (2):
compiler-clang.h: Add CLANG_VERSION and __diag macros
kernel.h: Disable -Wreturn-stack-address for _THIS_IP_
include/linux/compiler-clang.h | 19 +++++++++++++++++++
include/linux/compiler_types.h | 4 ++++
include/linux/kernel.h | 10 +++++++++-
3 files changed, 32 insertions(+), 1 deletion(-)
--
2.18.0.345.g5c9ce644c3-goog
This is the start of the stable review cycle for the 4.4.106 release.
There are 105 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sun Dec 17 09:22:39 UTC 2017.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.106-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.4.106-rc1
Vincent Pelletier <plr.vincent(a)gmail.com>
usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping
Marc Zyngier <marc.zyngier(a)arm.com>
arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Revert "x86/efi: Hoist page table switching code into efi_call_virt()"
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Revert "x86/efi: Build our own page table structures"
Eric Dumazet <edumazet(a)google.com>
net/packet: fix a race in packet_bind() and packet_notifier()
Mike Maloney <maloney(a)google.com>
packet: fix crash in fanout_demux_rollover()
Hangbin Liu <liuhangbin(a)gmail.com>
sit: update frag_off info
Håkon Bugge <Haakon.Bugge(a)oracle.com>
rds: Fix NULL pointer dereference in __rds_rdma_map
Jon Maloy <jon.maloy(a)ericsson.com>
tipc: fix memory leak in tipc_accept_from_sock()
Al Viro <viro(a)zeniv.linux.org.uk>
more bio_map_user_iov() leak fixes
Heiko Carstens <heiko.carstens(a)de.ibm.com>
s390: always save and restore all registers on context switch
Masamitsu Yamazaki <m-yamazaki(a)ah.jp.nec.com>
ipmi: Stop timers before cleaning up the module
Paul Moore <paul(a)paul-moore.com>
audit: ensure that 'audit=1' actually enables audit for PID 1
Keefe Liu <liuqifa(a)huawei.com>
ipvlan: fix ipv6 outbound device
David Howells <dhowells(a)redhat.com>
afs: Connect up the CB.ProbeUuid
Majd Dibbiny <majd(a)mellanox.com>
IB/mlx5: Assign send CQ and recv CQ of UMR QP
Mark Bloch <markb(a)mellanox.com>
IB/mlx4: Increase maximal message size under UD QP
Herbert Xu <herbert(a)gondor.apana.org.au>
xfrm: Copy policy family in clone_policy
Jason Baron <jbaron(a)akamai.com>
jump_label: Invoke jump_label_test() via early_initcall()
Arvind Yadav <arvind.yadav.cs(a)gmail.com>
atm: horizon: Fix irq release error
Xin Long <lucien.xin(a)gmail.com>
sctp: use the right sk after waking up from wait_buf sleep
Xin Long <lucien.xin(a)gmail.com>
sctp: do not free asoc when it is already dead in sctp_sendmsg
Pavel Tatashin <pasha.tatashin(a)oracle.com>
sparc64/mm: set fields in deferred pages
Ming Lei <ming.lei(a)redhat.com>
block: wake up all tasks blocked in get_request()
Chuck Lever <chuck.lever(a)oracle.com>
sunrpc: Fix rpc_task_begin trace point
Trond Myklebust <trond.myklebust(a)primarydata.com>
NFS: Fix a typo in nfs_rename()
Randy Dunlap <rdunlap(a)infradead.org>
dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
Stephen Bates <sbates(a)raithlin.com>
lib/genalloc.c: make the avail variable an atomic_long_t
Xin Long <lucien.xin(a)gmail.com>
route: update fnhe_expires for redirect when the fnhe exists
Xin Long <lucien.xin(a)gmail.com>
route: also update fnhe_genid when updating a route cache
Ben Hutchings <ben.hutchings(a)codethink.co.uk>
mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
Masahiro Yamada <yamada.masahiro(a)socionext.com>
kbuild: pkg: use --transform option to prefix paths in tar
Jérémy Lefaure <jeremy.lefaure(a)lse.epita.fr>
EDAC, i5000, i5400: Fix definition of NRECMEMB register
Jérémy Lefaure <jeremy.lefaure(a)lse.epita.fr>
EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
Alexey Kardashevskiy <aik(a)ozlabs.ru>
powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
Jim Qu <Jim.Qu(a)amd.com>
drm/amd/amdgpu: fix console deadlock if late init failed
Jan Kara <jack(a)suse.cz>
axonram: Fix gendisk handling
Florian Westphal <fw(a)strlen.de>
netfilter: don't track fragmented packets
Johannes Thumshirn <jthumshirn(a)suse.de>
zram: set physical queue limits to avoid array out of bounds accesses
Chris Brandt <chris.brandt(a)renesas.com>
i2c: riic: fix restart condition
Krzysztof Kozlowski <krzk(a)kernel.org>
crypto: s5p-sss - Fix completing crypto request in IRQ handler
WANG Cong <xiyou.wangcong(a)gmail.com>
ipv6: reorder icmpv6_init() and ip6_mr_init()
Michal Schmidt <mschmidt(a)redhat.com>
bnx2x: do not rollback VF MAC/VLAN filters we did not configure
Michal Schmidt <mschmidt(a)redhat.com>
bnx2x: fix possible overrun of VFPF multicast addresses array
Michal Schmidt <mschmidt(a)redhat.com>
bnx2x: prevent crash when accessing PTP with interface down
Blomme, Maarten <Maarten.Blomme(a)flir.com>
spi_ks8995: fix "BUG: key accdaa28 not in .data!"
Mark Rutland <mark.rutland(a)arm.com>
arm64: KVM: Survive unknown traps from guests
Mark Rutland <mark.rutland(a)arm.com>
arm: KVM: Survive unknown traps from guests
Wanpeng Li <wanpeng.li(a)hotmail.com>
KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
Franck Demathieu <fdemathieu(a)gmail.com>
irqchip/crossbar: Fix incorrect type of register size
James Smart <jsmart2021(a)gmail.com>
scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
Tejun Heo <tj(a)kernel.org>
workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
Tejun Heo <tj(a)kernel.org>
libata: drop WARN from protocol error in ata_sff_qc_issue()
Jim Mattson <jmattson(a)google.com>
kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
John Keeping <john(a)metanate.com>
usb: gadget: configs: plug memory leak
Daniel Drake <drake(a)endlessm.com>
HID: chicony: Add support for another ASUS Zen AiO keyboard
Phil Reid <preid(a)electromag.com.au>
gpio: altera: Use handle_level_irq when configured as a level_high
Guenter Roeck <linux(a)roeck-us.net>
ARM: OMAP2+: Release device node after it is no longer needed.
Guenter Roeck <linux(a)roeck-us.net>
ARM: OMAP2+: Fix device node reference counts
David Daney <david.daney(a)cavium.com>
module: set __jump_table alignment to 8
Sachin Sant <sachinp(a)linux.vnet.ibm.com>
selftest/powerpc: Fix false failures for skipped tests
Thomas Gleixner <tglx(a)linutronix.de>
x86/hpet: Prevent might sleep splat on resume
Ladislav Michl <ladis(a)linux-mips.org>
ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
Steffen Klassert <steffen.klassert(a)secunet.com>
vti6: Don't report path MTU below IPV6_MIN_MTU.
Sasha Levin <alexander.levin(a)verizon.com>
Revert "s390/kbuild: enable modversions for symbols exported from asm"
Sasha Levin <alexander.levin(a)verizon.com>
Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
Sasha Levin <alexander.levin(a)verizon.com>
Revert "drm/armada: Fix compile fail"
Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
mm: drop unused pmdp_huge_get_and_clear_notify()
Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
thp: fix MADV_DONTNEED vs. numa balancing race
Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
thp: reduce indentation level in change_huge_pmd()
Stephen Hemminger <stephen(a)networkplumber.org>
scsi: storvsc: Workaround for virtual DVD SCSI version
Russell King <rmk+kernel(a)armlinux.org.uk>
ARM: avoid faulting on qemu
Russell King <rmk+kernel(a)armlinux.org.uk>
ARM: BUG if jumping to usermode address in kernel mode
Dave Martin <Dave.Martin(a)arm.com>
arm64: fpsimd: Prevent registers leaking from dead tasks
Andrew Honig <ahonig(a)google.com>
KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
Kristina Martsenko <kristina.martsenko(a)arm.com>
arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
Laurent Caumont <lcaumont2(a)gmail.com>
media: dvb: i2c transfers over usb cannot be done from stack
Marek Szyprowski <m.szyprowski(a)samsung.com>
drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
Dave Gordon <david.s.gordon(a)intel.com>
drm: extra printk() wrapper macros
Daniel Thompson <daniel.thompson(a)linaro.org>
kdb: Fix handling of kallsyms_symbol_next() return value
Heiko Carstens <heiko.carstens(a)de.ibm.com>
s390: fix compat system call table
Robin Murphy <robin.murphy(a)arm.com>
iommu/vt-d: Fix scatterlist offset handling
Jaejoong Kim <climbbb.kim(a)gmail.com>
ALSA: usb-audio: Add check return value for usb_string()
Jaejoong Kim <climbbb.kim(a)gmail.com>
ALSA: usb-audio: Fix out-of-bound error
Takashi Iwai <tiwai(a)suse.de>
ALSA: seq: Remove spurious WARN_ON() at timer check
Robb Glasser <rglasser(a)google.com>
ALSA: pcm: prevent UAF in snd_pcm_info
Rafael J. Wysocki <rafael.j.wysocki(a)intel.com>
x86/PCI: Make broadcom_postcore_init() check acpi_disabled
Eric Biggers <ebiggers(a)google.com>
X.509: reject invalid BIT STRING for subjectPublicKey
Eric Biggers <ebiggers(a)google.com>
ASN.1: check for error from ASN1_OP_END__ACT actions
Eric Biggers <ebiggers(a)google.com>
ASN.1: fix out-of-bounds read when parsing indefinite length item
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
efi: Move some sysfs files to be read-only by root
Huacai Chen <chenhc(a)lemote.com>
scsi: libsas: align sata_device's rps_resp on a cacheline
William Breathitt Gray <vilhelm.gray(a)gmail.com>
isa: Prevent NULL dereference in isa_bus driver callbacks
Paul Meyer <Paul.Meyer(a)microsoft.com>
hv: kvp: Avoid reading past allocated blocks from KVP file
weiping zhang <zwp10758(a)gmail.com>
virtio: release virtio index when fail to device_register
Martin Kelly <mkelly(a)xevo.com>
can: usb_8dev: cancel urb on -EPIPE and -EPROTO
Martin Kelly <mkelly(a)xevo.com>
can: esd_usb2: cancel urb on -EPIPE and -EPROTO
Martin Kelly <mkelly(a)xevo.com>
can: ems_usb: cancel urb on -EPIPE and -EPROTO
Martin Kelly <mkelly(a)xevo.com>
can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
Jimmy Assarsson <jimmyassarsson(a)gmail.com>
can: kvaser_usb: ratelimit errors if incomplete messages are received
Jimmy Assarsson <jimmyassarsson(a)gmail.com>
can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
Jimmy Assarsson <jimmyassarsson(a)gmail.com>
can: kvaser_usb: free buf in error paths
Oliver Stäbler <oliver.staebler(a)bytesatwork.ch>
can: ti_hecc: Fix napi poll return value for repoll
-------------
Diffstat:
Makefile | 4 +-
arch/arm/include/asm/assembler.h | 18 +++
arch/arm/include/asm/kvm_arm.h | 4 +-
arch/arm/kernel/entry-header.S | 6 +
arch/arm/kvm/handle_exit.c | 19 +--
arch/arm/mach-omap2/gpmc-onenand.c | 10 +-
arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 25 ++--
arch/arm64/include/asm/kvm_arm.h | 3 +-
arch/arm64/kernel/process.c | 9 ++
arch/arm64/kvm/handle_exit.c | 19 +--
arch/powerpc/platforms/powernv/pci-ioda.c | 3 +
arch/powerpc/sysdev/axonram.c | 5 +-
arch/s390/include/asm/asm-prototypes.h | 8 --
arch/s390/include/asm/switch_to.h | 19 ++-
arch/s390/kernel/syscalls.S | 6 +-
arch/sparc/mm/init_64.c | 9 +-
arch/x86/include/asm/efi.h | 26 ----
arch/x86/kernel/hpet.c | 2 +-
arch/x86/kvm/vmx.c | 31 ++---
arch/x86/mm/pageattr.c | 17 ++-
arch/x86/pci/broadcom_bus.c | 2 +-
arch/x86/platform/efi/efi.c | 39 +++---
arch/x86/platform/efi/efi_32.c | 5 -
arch/x86/platform/efi/efi_64.c | 137 ++++++----------------
arch/x86/platform/efi/efi_stub_64.S | 43 +++++++
block/bio.c | 14 ++-
block/blk-core.c | 4 +-
crypto/asymmetric_keys/x509_cert_parser.c | 2 +
drivers/ata/libata-sff.c | 1 -
drivers/atm/horizon.c | 2 +-
drivers/base/isa.c | 10 +-
drivers/block/zram/zram_drv.c | 2 +
drivers/char/ipmi/ipmi_si_intf.c | 44 +++----
drivers/crypto/s5p-sss.c | 5 +-
drivers/edac/i5000_edac.c | 8 +-
drivers/edac/i5400_edac.c | 9 +-
drivers/firmware/efi/efi.c | 3 +-
drivers/firmware/efi/esrt.c | 15 +--
drivers/firmware/efi/runtime-map.c | 10 +-
drivers/gpio/gpio-altera.c | 26 ++--
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 5 +-
drivers/gpu/drm/armada/Makefile | 2 -
drivers/gpu/drm/exynos/exynos_drm_gem.c | 9 ++
drivers/hid/Kconfig | 4 +-
drivers/hid/hid-chicony.c | 1 +
drivers/hid/hid-core.c | 1 +
drivers/hid/hid-ids.h | 1 +
drivers/i2c/busses/i2c-riic.c | 6 +-
drivers/infiniband/hw/mlx4/qp.c | 2 +-
drivers/infiniband/hw/mlx5/main.c | 2 +
drivers/iommu/intel-iommu.c | 8 +-
drivers/irqchip/irq-crossbar.c | 8 +-
drivers/media/usb/dvb-usb/dibusb-common.c | 16 ++-
drivers/memory/omap-gpmc.c | 4 +-
drivers/net/can/ti_hecc.c | 3 +
drivers/net/can/usb/ems_usb.c | 2 +
drivers/net/can/usb/esd_usb2.c | 2 +
drivers/net/can/usb/kvaser_usb.c | 13 +-
drivers/net/can/usb/usb_8dev.c | 2 +
drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 20 +++-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 8 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 +
drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 23 ++--
drivers/net/ipvlan/ipvlan_core.c | 2 +-
drivers/net/phy/spi_ks8995.c | 1 +
drivers/net/wireless/mac80211_hwsim.c | 5 +-
drivers/scsi/lpfc/lpfc_els.c | 14 ++-
drivers/scsi/storvsc_drv.c | 27 +++--
drivers/spi/Kconfig | 1 -
drivers/usb/gadget/configfs.c | 1 +
drivers/usb/gadget/function/f_fs.c | 2 +-
drivers/usb/gadget/legacy/inode.c | 4 +-
drivers/virtio/virtio.c | 2 +
fs/afs/cmservice.c | 3 +
fs/nfs/dir.c | 2 +-
include/drm/drmP.h | 26 +++-
include/linux/genalloc.h | 3 +-
include/linux/mmu_notifier.h | 13 --
include/linux/omap-gpmc.h | 5 +-
include/linux/sysfs.h | 6 +
include/scsi/libsas.h | 2 +-
kernel/audit.c | 10 +-
kernel/debug/kdb/kdb_io.c | 2 +-
kernel/jump_label.c | 2 +-
kernel/workqueue.c | 1 +
lib/asn1_decoder.c | 49 ++++----
lib/dynamic_debug.c | 4 +
lib/genalloc.c | 10 +-
mm/huge_memory.c | 82 +++++++++----
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 +
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 5 -
net/ipv4/route.c | 14 ++-
net/ipv6/af_inet6.c | 10 +-
net/ipv6/ip6_vti.c | 8 +-
net/ipv6/sit.c | 1 +
net/packet/af_packet.c | 37 +++---
net/packet/internal.h | 1 -
net/rds/rdma.c | 2 +-
net/sctp/socket.c | 38 ++++--
net/sunrpc/sched.c | 3 +-
net/tipc/server.c | 1 +
net/xfrm/xfrm_policy.c | 1 +
scripts/module-common.lds | 2 +
scripts/package/Makefile | 5 +-
sound/core/pcm.c | 2 +
sound/core/seq/seq_timer.c | 2 +-
sound/usb/mixer.c | 13 +-
tools/hv/hv_kvp_daemon.c | 70 +++--------
tools/testing/selftests/powerpc/harness.c | 6 +-
109 files changed, 701 insertions(+), 570 deletions(-)
Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()"
There is another cast from unsigned long to int which causes
a bounds check to fail with specially crafted input. The value is
then used as an index in the slot array in cdrom_slot_status().
Signed-off-by: Scott Bauer <scott.bauer(a)intel.com>
Signed-off-by: Scott Bauer <sbauer(a)plzdonthack.me>
Cc: stable(a)vger.kernel.org
---
drivers/cdrom/cdrom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index bfc566d3f31a..8cfa10ab7abc 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2542,7 +2542,7 @@ static int cdrom_ioctl_drive_status(struct cdrom_device_info *cdi,
if (!CDROM_CAN(CDC_SELECT_DISC) ||
(arg == CDSL_CURRENT || arg == CDSL_NONE))
return cdi->ops->drive_status(cdi, CDSL_CURRENT);
- if (((int)arg >= cdi->capacity))
+ if (arg >= cdi->capacity)
return -EINVAL;
return cdrom_slot_status(cdi, arg);
}
--
2.14.1
Some modems now use the Android Debug Bridge to provide a debugging
interface, and some phones can also export serial ports managed by the
"option" driver.
The ADB daemon running in userspace tries to use USB interfaces with
bDeviceClass=0xFF, bDeviceSubClass=0x42, bDeviceProtocol=1
Prevent the option driver from binding to those interfaces, as they
will not be serial ports.
This can fix issues like:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781256
Signed-off-by: Romain Izard <romain.izard.pro(a)gmail.com>
Cc: stable <stable(a)vger.kernel.org>
---
drivers/usb/serial/option.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 664e61f16b6a..f98943a57ff0 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1987,6 +1987,12 @@ static int option_probe(struct usb_serial *serial,
if (iface_desc->bInterfaceClass == USB_CLASS_MASS_STORAGE)
return -ENODEV;
+ /* Do not bind Android Debug Bridge interfaces */
+ if (iface_desc->bInterfaceClass == USB_CLASS_VENDOR_SPEC &&
+ iface_desc->bInterfaceSubClass == 0x42 &&
+ iface_desc->bInterfaceProtocol == 1)
+ return -ENODEV;
+
/*
* Don't bind reserved interfaces (like network ones) which often have
* the same class/subclass/protocol as the serial interfaces. Look at
--
2.17.1
'type' is user-controlled, so sanitize it after the bounds check to
avoid using it in speculative execution. This covers the following
potential gadgets detected with the help of smatch:
* fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue
'sb_dqopt(sb)->files' [r]
* fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue
'sb_dqopt(sb)->files' [r]
* fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue
'sb_dqopt(sb)->files' [r]
* fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue
'sb_dqopt(sb)->files' [r]
* fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue
'sb_dqopt(sb)->info' [w]
* fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue
'dquots' [r]
* fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre
issue 'dqopt->ops' [r]
* fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre
issue 'dqopt->files' [w] (local cap)
* fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre
issue 'dqopt->ops' [w] (local cap)
* fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre
issue 'dqopt->info' [w] (local cap)
* fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue
'sb_dqopt(sb)->info' [r]
* fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre
issue 'quota_magics' [w]
* fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre
issue 'quota_versions' [w]
* fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre
issue 'dqopt->info' [r]
* fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre
issue 'dqopt->info' [r]
Additionally, a quick inspection indicates there are array accesses with
'type' in quota_on() and quota_off() functions which are also addressed
by this.
Cc: Josh Poimboeuf <jpoimboe(a)redhat.com>
Cc: stable(a)vger.kernel.org
Signed-off-by: Jeremy Cline <jcline(a)redhat.com>
---
This patch isn't going to cleanly apply to stable without the "fs/quota:
Replace XQM_MAXQUOTAS usage with MAXQUOTAS" patch, but I'm not sure that
patch is really stable material and XQM_MAXQUOTAS has been 3 since
pre-v4.4 so the end result will be the same even if that patch isn't
backported.
fs/quota/quota.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/quota/quota.c b/fs/quota/quota.c
index d403392d8a0f..f0cbf58ad4da 100644
--- a/fs/quota/quota.c
+++ b/fs/quota/quota.c
@@ -18,6 +18,7 @@
#include <linux/quotaops.h>
#include <linux/types.h>
#include <linux/writeback.h>
+#include <linux/nospec.h>
static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
qid_t id)
@@ -701,6 +702,7 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id,
if (type >= MAXQUOTAS)
return -EINVAL;
+ type = array_index_nospec(type, MAXQUOTAS);
/*
* Quota not supported on this fs? Check this before s_quota_types
* since they needn't be set if quota is not supported at all.
--
2.17.1
Hi Greg,
Kindly consider/review following net/sched fixes for stable 4.9.y.
This patchset is a follow-up of upstream fix
87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
cherry-picked on stable 4.9.y.
It fix null pointer dereferences due to uninitialized timer
(qdisc watchdog) or double frees due to ->destroy cleaning up a
second time. Here is the original submission
https://www.mail-archive.com/netdev@vger.kernel.org/msg186003.html
Cherry-picked and build tested on Linux 4.9.116 for ARCH=arm/arm64.
These fixes are applicable for stable 4.4.y kernel as well, but
one of the patches needed a minor rebasing, so I'm resending this
series for 4.4.y in a separate thread to avoid any confusion.
Regards,
Amit Pundir
Nikolay Aleksandrov (5):
sch_htb: fix crash on init failure
sch_multiq: fix double free on init failure
sch_hhf: fix null pointer dereference on init failure
sch_netem: avoid null pointer deref on init failure
sch_tbf: fix two null pointer dereferences on init failure
net/sched/sch_hhf.c | 3 +++
net/sched/sch_htb.c | 5 +++--
net/sched/sch_multiq.c | 7 +------
net/sched/sch_netem.c | 4 ++--
net/sched/sch_tbf.c | 5 +++--
5 files changed, 12 insertions(+), 12 deletions(-)
--
2.7.4