- Linux-stable-mirror - lists.linaro.org

[PATCH v4.4.y] bpf: reject wrong sized filters earlier

by Zubin Mithra

From: Daniel Borkmann <daniel(a)iogearbox.net> commit f7bd9e36ee4a4ce38e1cddd7effe6c0d9943285b upstream Add a bpf_check_basics_ok() and reject filters that are of invalid size much earlier, so we don't do any useless work such as invoking bpf_prog_alloc(). Currently, rejection happens in bpf_check_classic() only, but it's really unnecessarily late and they should be rejected at earliest point. While at it, also clean up one bpf_prog_size() to make it consistent with the remaining invocations. Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Acked-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Zubin Mithra <zsm(a)chromium.org> --- Notes: * Syzkaller reported a kernel BUG related to a kernel paging request in bpf_prog_create with the following stacktrace when fuzzing a 4.4 kernel. Call Trace: [<ffffffff822ac1c8>] bpf_prog_create+0xc8/0x210 net/core/filter.c:1067 [<ffffffff82454699>] bpf_mt_check+0xb9/0x120 net/netfilter/xt_bpf.c:31 [<ffffffff82437db8>] xt_check_match+0x238/0x730 net/netfilter/x_tables.c:409 [<ffffffff82940254>] ebt_check_match net/bridge/netfilter/ebtables.c:380 [inline] [<ffffffff82940254>] ebt_check_entry+0x844/0x1740 net/bridge/netfilter/ebtables.c:709 [<ffffffff82946842>] translate_table+0xcb2/0x1e80 net/bridge/netfilter/ebtables.c:946 [<ffffffff8294a918>] do_replace_finish+0x6e8/0x1fd0 net/bridge/netfilter/ebtables.c:1002 [<ffffffff8294c419>] do_replace+0x219/0x370 net/bridge/netfilter/ebtables.c:1145 [<ffffffff8294c649>] do_ebt_set_ctl+0xd9/0x110 net/bridge/netfilter/ebtables.c:1492 [<ffffffff8239a87c>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline] [<ffffffff8239a87c>] nf_setsockopt+0x6c/0xc0 net/netfilter/nf_sockopt.c:114 [<ffffffff825ddeb6>] ip_setsockopt+0xa6/0xc0 net/ipv4/ip_sockglue.c:1226 [<ffffffff825fd3c7>] tcp_setsockopt+0x87/0xd0 net/ipv4/tcp.c:2701 [<ffffffff8220343a>] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2690 [<ffffffff822006ed>] SYSC_setsockopt net/socket.c:1767 [inline] [<ffffffff822006ed>] SyS_setsockopt+0x15d/0x240 net/socket.c:1746 [<ffffffff82a16f9b>] entry_SYSCALL_64_fastpath+0x18/0x94 * This patch resolves the following conflicts when applying to v4.4.y: - __get_filter does not exist in v4.4. Instead the checks are moved into __sk_attach_filter. * This patch is present in v4.9.y. * Tests run: Chrome OS tryjobs, Syzkaller reproducer net/core/filter.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index 1a9ded6af138..3c5f51198c41 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -742,6 +742,17 @@ static bool chk_code_allowed(u16 code_to_probe) return codes[code_to_probe]; } +static bool bpf_check_basics_ok(const struct sock_filter *filter, + unsigned int flen) +{ + if (filter == NULL) + return false; + if (flen == 0 || flen > BPF_MAXINSNS) + return false; + + return true; +} + /** * bpf_check_classic - verify socket filter code * @filter: filter to verify @@ -762,9 +773,6 @@ static int bpf_check_classic(const struct sock_filter *filter, bool anc_found; int pc; - if (flen == 0 || flen > BPF_MAXINSNS) - return -EINVAL; - /* Check the filter code now */ for (pc = 0; pc < flen; pc++) { const struct sock_filter *ftest = &filter[pc]; @@ -1057,7 +1065,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) struct bpf_prog *fp; /* Make sure new filter is there and in the right amounts. */ - if (fprog->filter == NULL) + if (!bpf_check_basics_ok(fprog->filter, fprog->len)) return -EINVAL; fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); @@ -1104,7 +1112,7 @@ int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, int err; /* Make sure new filter is there and in the right amounts. */ - if (fprog->filter == NULL) + if (!bpf_check_basics_ok(fprog->filter, fprog->len)) return -EINVAL; fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); @@ -1184,7 +1192,6 @@ int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk, bool locked) { unsigned int fsize = bpf_classic_proglen(fprog); - unsigned int bpf_fsize = bpf_prog_size(fprog->len); struct bpf_prog *prog; int err; @@ -1192,10 +1199,10 @@ int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk, return -EPERM; /* Make sure new filter is there and in the right amounts. */ - if (fprog->filter == NULL) + if (!bpf_check_basics_ok(fprog->filter, fprog->len)) return -EINVAL; - prog = bpf_prog_alloc(bpf_fsize, 0); + prog = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); if (!prog) return -ENOMEM; -- 2.21.0.593.g511ec345e18-goog

6 years, 4 months

2
1
0 0

❎ FAIL: Stable queue: queue-5.0

by CKI Project

Hello, We ran automated tests on a patchset that was proposed for merging into this kernel tree. The patches were applied to: Kernel repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: d3da1f09fff2 - Linux 5.0.10 The results of these automated tests are provided below. Overall result: FAILED (see details below) Merge: OK Compile: FAILED We attempted to compile the kernel for multiple architectures, but the compile failed on one or more architectures: s390x: FAILED (see build-s390x.log.xz attachment) We hope that these logs can help you find the problem quickly. For the full detail on our testing procedures, please scroll to the bottom of this message. Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Merge testing ------------- We cloned this repository and checked out the following commit: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: d3da1f09fff2 - Linux 5.0.10 We then merged the patchset with `git am`: netfilter-nf_tables-bogus-ebusy-when-deleting-set-af.patch netfilter-nf_tables-bogus-ebusy-in-helper-removal-fr.patch intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch alsa-hda-realtek-move-to-act_init-state.patch fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch block-bfq-fix-use-after-free-in-bfq_bfqq_expire.patch cifs-fix-memory-leak-in-smb2_read.patch cifs-fix-page-reference-leak-with-readv-writev.patch cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch tracing-fix-buffer_ref-pipe-ops.patch crypto-xts-fix-atomic-sleep-when-walking-skcipher.patch crypto-lrw-fix-atomic-sleep-when-walking-skcipher.patch gpio-eic-sprd-fix-incorrect-irq-type-setting-for-the-sync-eic.patch zram-pass-down-the-bvec-we-need-to-read-into-in-the-work-struct.patch lib-kconfig.debug-fix-build-error-without-config_block.patch mips-scall64-o32-fix-indirect-syscall-number-load.patch trace-fix-preempt_enable_no_resched-abuse.patch mm-do-not-boost-watermarks-to-avoid-fragmentation-for-the-discontig-memory-model.patch arm64-mm-ensure-tail-of-unaligned-initrd-is-reserved.patch ib-rdmavt-fix-frwr-memory-registration.patch rdma-mlx5-do-not-allow-the-user-to-write-to-the-clock-page.patch rdma-mlx5-use-rdma_user_map_io-for-mapping-bar-pages.patch rdma-ucontext-fix-regression-with-disassociate.patch sched-numa-fix-a-possible-divide-by-zero.patch ceph-only-use-d_name-directly-when-parent-is-locked.patch ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch ceph-fix-ci-i_head_snapc-leak.patch nfsd-don-t-release-the-callback-slot-unless-it-was-actually-held.patch nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch nfsd-wake-blocked-file-lock-waiters-before-sending-callback.patch sunrpc-don-t-mark-uninitialised-items-as-valid.patch perf-x86-intel-update-kbl-package-c-state-events-to-also-include-pc8-pc9-pc10-counters.patch input-synaptics-rmi4-write-config-register-values-to-the-right-offset.patch vfio-type1-limit-dma-mappings-per-container.patch dmaengine-sh-rcar-dmac-with-cyclic-dma-residue-0-is-valid.patch dmaengine-sh-rcar-dmac-fix-glitch-in-dmaengine_tx_status.patch dmaengine-mediatek-cqdma-fix-wrong-register-usage-in-mtk_cqdma_start.patch arm-8857-1-efi-enable-cp15-dmb-instructions-before-cleaning-the-cache.patch powerpc-mm-radix-make-radix-require-hugetlb_page.patch drm-vc4-fix-memory-leak-during-gpu-reset.patch drm-ttm-fix-re-init-of-global-structures.patch revert-drm-i915-fbdev-actually-configure-untiled-displays.patch drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch usb-add-new-usb-lpm-helpers.patch usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch ext4-fix-some-error-pointer-dereferences.patch Compile testing --------------- We compiled the kernel for 4 architectures: aarch64: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/aarch64/kernel-stable_queue-aarch6… kernel build: https://artifacts.cki-project.org/builds/aarch64/kernel-stable_queue-aarch6… ppc64le: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/ppc64le/kernel-stable_queue-ppc64l… kernel build: https://artifacts.cki-project.org/builds/ppc64le/kernel-stable_queue-ppc64l… s390x: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg x86_64: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/x86_64/kernel-stable_queue-x86_64-… kernel build: https://artifacts.cki-project.org/builds/x86_64/kernel-stable_queue-x86_64-…

6 years, 4 months

1
0
0 0

[PATCH] scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value

by Pedro Sousa

Fix RX_TERMINATION_FORCE_ENABLE define value from 0x0089 to 0x00A9 according to MIPI Alliance MPHY specification. Fixes: e785060ea3a1 ("ufs: definitions for phy interface") Cc: stable(a)vger.kernel.org Signed-off-by: Pedro Sousa <sousa(a)synopsys.com> --- drivers/scsi/ufs/unipro.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/ufs/unipro.h b/drivers/scsi/ufs/unipro.h index 23129d7..c77e365 100644 --- a/drivers/scsi/ufs/unipro.h +++ b/drivers/scsi/ufs/unipro.h @@ -52,7 +52,7 @@ #define RX_HS_UNTERMINATED_ENABLE 0x00A6 #define RX_ENTER_HIBERN8 0x00A7 #define RX_BYPASS_8B10B_ENABLE 0x00A8 -#define RX_TERMINATION_FORCE_ENABLE 0x0089 +#define RX_TERMINATION_FORCE_ENABLE 0x00A9 #define RX_MIN_ACTIVATETIME_CAPABILITY 0x008F #define RX_HIBERN8TIME_CAPABILITY 0x0092 #define RX_REFCLKFREQ 0x00EB -- 2.7.4

6 years, 4 months

4
4
0 0

[PATCH] powerpc/32s: fix BATs setting with CONFIG_STRICT_KERNEL_RWX

by Christophe Leroy

Serge reported some crashes with CONFIG_STRICT_KERNEL_RWX enabled on a book3s32 machine. Analysis shows two issues: - BATs addresses and sizes are not properly aligned. - There is a gap between the last address covered by BATs and the first address covered by pages. Memory mapped with DBATs: 0: 0xc0000000-0xc07fffff 0x00000000 Kernel RO coherent 1: 0xc0800000-0xc0bfffff 0x00800000 Kernel RO coherent 2: 0xc0c00000-0xc13fffff 0x00c00000 Kernel RW coherent 3: 0xc1400000-0xc23fffff 0x01400000 Kernel RW coherent 4: 0xc2400000-0xc43fffff 0x02400000 Kernel RW coherent 5: 0xc4400000-0xc83fffff 0x04400000 Kernel RW coherent 6: 0xc8400000-0xd03fffff 0x08400000 Kernel RW coherent 7: 0xd0400000-0xe03fffff 0x10400000 Kernel RW coherent Memory mapped with pages: 0xe1000000-0xefffffff 0x21000000 240M rw present dirty accessed This patch fixes both issues. With the patch, we get the following which is as expected: Memory mapped with DBATs: 0: 0xc0000000-0xc07fffff 0x00000000 Kernel RO coherent 1: 0xc0800000-0xc0bfffff 0x00800000 Kernel RO coherent 2: 0xc0c00000-0xc0ffffff 0x00c00000 Kernel RW coherent 3: 0xc1000000-0xc1ffffff 0x01000000 Kernel RW coherent 4: 0xc2000000-0xc3ffffff 0x02000000 Kernel RW coherent 5: 0xc4000000-0xc7ffffff 0x04000000 Kernel RW coherent 6: 0xc8000000-0xcfffffff 0x08000000 Kernel RW coherent 7: 0xd0000000-0xdfffffff 0x10000000 Kernel RW coherent Memory mapped with pages: 0xe0000000-0xefffffff 0x20000000 256M rw present dirty accessed Reported-by: Serge Belyshev <belyshev(a)depni.sinp.msu.ru> Fixes: 63b2bc619565 ("powerpc/mm/32s: Use BATs for STRICT_KERNEL_RWX") Cc: stable(a)vger.kernel.org Signed-off-by: Christophe Leroy <christophe.leroy(a)c-s.fr> --- arch/powerpc/mm/ppc_mmu_32.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/powerpc/mm/ppc_mmu_32.c b/arch/powerpc/mm/ppc_mmu_32.c index bf1de3ca39bc..37cf2af98f6a 100644 --- a/arch/powerpc/mm/ppc_mmu_32.c +++ b/arch/powerpc/mm/ppc_mmu_32.c @@ -101,7 +101,7 @@ static int find_free_bat(void) static unsigned int block_size(unsigned long base, unsigned long top) { unsigned int max_size = (cpu_has_feature(CPU_FTR_601) ? 8 : 256) << 20; - unsigned int base_shift = (fls(base) - 1) & 31; + unsigned int base_shift = (ffs(base) - 1) & 31; unsigned int block_shift = (fls(top - base) - 1) & 31; return min3(max_size, 1U << base_shift, 1U << block_shift); @@ -157,7 +157,7 @@ static unsigned long __init __mmu_mapin_ram(unsigned long base, unsigned long to unsigned long __init mmu_mapin_ram(unsigned long base, unsigned long top) { - int done; + unsigned long done; unsigned long border = (unsigned long)__init_begin - PAGE_OFFSET; if (__map_without_bats) { @@ -169,10 +169,10 @@ unsigned long __init mmu_mapin_ram(unsigned long base, unsigned long top) return __mmu_mapin_ram(base, top); done = __mmu_mapin_ram(base, border); - if (done != border - base) + if (done != border) return done; - return done + __mmu_mapin_ram(border, top); + return __mmu_mapin_ram(border, top); } void mmu_mark_initmem_nx(void) -- 2.13.3

6 years, 4 months

2
1
0 0

[PATCH stable] binder: fix race between munmap() and direct reclaim

by Todd Kjos

From: Todd Kjos <tkjos(a)android.com> commit 5cec2d2e5839f9c0fec319c523a911e0a7fd299f upstream. An munmap() on a binder device causes binder_vma_close() to be called which clears the alloc->vma pointer. If direct reclaim causes binder_alloc_free_page() to be called, there is a race where alloc->vma is read into a local vma pointer and then used later after the mm->mmap_sem is acquired. This can result in calling zap_page_range() with an invalid vma which manifests as a use-after-free in zap_page_range(). The fix is to check alloc->vma after acquiring the mmap_sem (which we were acquiring anyway) and skip zap_page_range() if it has changed to NULL. Signed-off-by: Todd Kjos <tkjos(a)google.com> Reviewed-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> Cc: stable <stable(a)vger.kernel.org> # 5.0, 4.19, 4.14 Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- Greg: This applies to 5.0, 4.19, 4.14. Not needed before 4.12. drivers/android/binder_alloc.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index 022cd80e80cc..a6e556bf62df 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -959,14 +959,13 @@ enum lru_status binder_alloc_free_page(struct list_head *item, index = page - alloc->pages; page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE; + + mm = alloc->vma_vm_mm; + if (!mmget_not_zero(mm)) + goto err_mmget; + if (!down_write_trylock(&mm->mmap_sem)) + goto err_down_write_mmap_sem_failed; vma = binder_alloc_get_vma(alloc); - if (vma) { - if (!mmget_not_zero(alloc->vma_vm_mm)) - goto err_mmget; - mm = alloc->vma_vm_mm; - if (!down_write_trylock(&mm->mmap_sem)) - goto err_down_write_mmap_sem_failed; - } list_lru_isolate(lru, item); spin_unlock(lock); @@ -979,10 +978,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item, PAGE_SIZE); trace_binder_unmap_user_end(alloc, index); - - up_write(&mm->mmap_sem); - mmput(mm); } + up_write(&mm->mmap_sem); + mmput(mm); trace_binder_unmap_kernel_start(alloc, index); -- 2.21.0.392.gf8f6787159e-goog

6 years, 4 months

2
1
0 0

✅ PASS: Stable queue: queue-5.0

by CKI Project

Hello, We ran automated tests on a patchset that was proposed for merging into this kernel tree. The patches were applied to: Kernel repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: d3da1f09fff2 - Linux 5.0.10 The results of these automated tests are provided below. Overall result: PASSED Merge: OK Compile: OK Tests: OK Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Merge testing ------------- We cloned this repository and checked out the following commit: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: d3da1f09fff2 - Linux 5.0.10 We then merged the patchset with `git am`: Compile testing --------------- We compiled the kernel for 4 architectures: aarch64: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/aarch64/kernel-stable_queue-aarch6… kernel build: https://artifacts.cki-project.org/builds/aarch64/kernel-stable_queue-aarch6… ppc64le: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/ppc64le/kernel-stable_queue-ppc64l… kernel build: https://artifacts.cki-project.org/builds/ppc64le/kernel-stable_queue-ppc64l… s390x: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/s390x/kernel-stable_queue-s390x-85… kernel build: https://artifacts.cki-project.org/builds/s390x/kernel-stable_queue-s390x-85… x86_64: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/x86_64/kernel-stable_queue-x86_64-… kernel build: https://artifacts.cki-project.org/builds/x86_64/kernel-stable_queue-x86_64-… Hardware testing ---------------- We booted each kernel and ran the following tests: aarch64: ✅ Boot test [0] ✅ LTP lite [1] ✅ Loopdev Sanity [2] ✅ AMTU (Abstract Machine Test Utility) [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ iotop: sanity [5] ✅ tuned: tune-processes-through-perf [6] ✅ Usex - version 1.9-29 [7] ✅ lvm thinp sanity [8] 🚧 ✅ audit: audit testsuite test [9] 🚧 ✅ stress: stress-ng [10] ppc64le: ✅ Boot test [0] ✅ LTP lite [1] ✅ Loopdev Sanity [2] ✅ AMTU (Abstract Machine Test Utility) [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ iotop: sanity [5] ✅ tuned: tune-processes-through-perf [6] ✅ Usex - version 1.9-29 [7] ✅ lvm thinp sanity [8] 🚧 ✅ audit: audit testsuite test [9] 🚧 ✅ selinux-policy: serge-testsuite [11] 🚧 ✅ stress: stress-ng [10] s390x: ✅ Boot test [0] ✅ LTP lite [1] ✅ Loopdev Sanity [2] ✅ httpd: mod_ssl smoke sanity [4] ✅ iotop: sanity [5] ✅ tuned: tune-processes-through-perf [6] ✅ Usex - version 1.9-29 [7] ✅ lvm thinp sanity [8] 🚧 ✅ audit: audit testsuite test [9] 🚧 ✅ stress: stress-ng [10] x86_64: ✅ Boot test [0] ✅ LTP lite [1] ✅ Loopdev Sanity [2] ✅ AMTU (Abstract Machine Test Utility) [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ iotop: sanity [5] ✅ tuned: tune-processes-through-perf [6] ✅ Usex - version 1.9-29 [7] ✅ lvm thinp sanity [8] 🚧 ✅ audit: audit testsuite test [9] 🚧 ✅ selinux-policy: serge-testsuite [11] 🚧 ✅ stress: stress-ng [10] Test source: [0]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [1]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [2]: https://github.com/CKI-project/tests-beaker/archive/master.zip#filesystems/… [3]: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu [4]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [5]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/iot… [6]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… [7]: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us… [8]: https://github.com/CKI-project/tests-beaker/archive/master.zip#storage/lvm/… [9]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/aud… [10]: https://github.com/CKI-project/tests-beaker/archive/master.zip#stress/stres… [11]: https://github.com/CKI-project/tests-beaker/archive/master.zip#/packages/se… Waived tests (marked with 🚧) ----------------------------- This test run included waived tests. Such tests are executed but their results are not taken into account. Tests are waived when their results are not reliable enough, e.g. when they're just introduced or are being fixed.

6 years, 4 months

1
0
0 0

[PATCH] RDMA/uverbs: Fix compilation error on s390 and mips platforms

by Leon Romanovsky

From: Leon Romanovsky <leonro(a)mellanox.com> Most platforms ignore parameter provided to ZERO_PAGE macro, hence wrong parameter was used and missed. This caused to compilation error like presented below. drivers/infiniband/core/uverbs_main.c: In function 'rdma_umap_fault': drivers/infiniband/core/uverbs_main.c:898:28: error: 'struct vm_fault' has no member named 'vm_start' vmf->page = ZERO_PAGE(vmf->vm_start); ^~ Cc: stable(a)vger.kernel.org Cc: Geert Uytterhoeven <geert(a)linux-m68k.org> Cc: Doug Ledford <dledford(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)mellanox.com> Fixes: 67f269b37f9b ("RDMA/ucontext: Fix regression with disassociate") Signed-off-by: Heiko Carstens <heiko.carstens(a)de.ibm.com> Signed-off-by: Leon Romanovsky <leonro(a)mellanox.com> --- drivers/infiniband/core/uverbs_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c index 7843e89235c3..65fe89b3fa2d 100644 --- a/drivers/infiniband/core/uverbs_main.c +++ b/drivers/infiniband/core/uverbs_main.c @@ -895,7 +895,7 @@ static vm_fault_t rdma_umap_fault(struct vm_fault *vmf) /* Read only pages can just use the system zero page. */ if (!(vmf->vma->vm_flags & (VM_WRITE | VM_MAYWRITE))) { - vmf->page = ZERO_PAGE(vmf->vm_start); + vmf->page = ZERO_PAGE(vmf->vma->vm_start); get_page(vmf->page); return 0; } -- 2.20.1

6 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] powerpc/mm/radix: Make Radix require HUGETLB_PAGE" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 8adddf349fda0d3de2f6bb41ddf838cbf36a8ad2 Mon Sep 17 00:00:00 2001 From: Michael Ellerman <mpe(a)ellerman.id.au> Date: Tue, 16 Apr 2019 23:59:02 +1000 Subject: [PATCH] powerpc/mm/radix: Make Radix require HUGETLB_PAGE Joel reported weird crashes using skiroot_defconfig, in his case we jumped into an NX page: kernel tried to execute exec-protected page (c000000002bff4f0) - exploit attempt? (uid: 0) BUG: Unable to handle kernel instruction fetch Faulting instruction address: 0xc000000002bff4f0 Looking at the disassembly, we had simply branched to that address: c000000000c001bc 49fff335 bl c000000002bff4f0 But that didn't match the original kernel image: c000000000c001bc 4bfff335 bl c000000000bff4f0 <kobject_get+0x8> When STRICT_KERNEL_RWX is enabled, and we're using the radix MMU, we call radix__change_memory_range() late in boot to change page protections. We do that both to mark rodata read only and also to mark init text no-execute. That involves walking the kernel page tables, and clearing _PAGE_WRITE or _PAGE_EXEC respectively. With radix we may use hugepages for the linear mapping, so the code in radix__change_memory_range() uses eg. pmd_huge() to test if it has found a huge mapping, and if so it stops the page table walk and changes the PMD permissions. However if the kernel is built without HUGETLBFS support, pmd_huge() is just a #define that always returns 0. That causes the code in radix__change_memory_range() to incorrectly interpret the PMD value as a pointer to a PTE page rather than as a PTE at the PMD level. We can see this using `dv` in xmon which also uses pmd_huge(): 0:mon> dv c000000000000000 pgd @ 0xc000000001740000 pgdp @ 0xc000000001740000 = 0x80000000ffffb009 pudp @ 0xc0000000ffffb000 = 0x80000000ffffa009 pmdp @ 0xc0000000ffffa000 = 0xc00000000000018f <- this is a PTE ptep @ 0xc000000000000100 = 0xa64bb17da64ab07d <- kernel text The end result is we treat the value at 0xc000000000000100 as a PTE and clear _PAGE_WRITE or _PAGE_EXEC, potentially corrupting the code at that address. In Joel's specific case we cleared the sign bit in the offset of the branch, causing a backward branch to turn into a forward branch which caused us to branch into a non-executable page. However the exact nature of the crash depends on kernel version, compiler version, and other factors. We need to fix radix__change_memory_range() to not use accessors that depend on HUGETLBFS, but we also have radix memory hotplug code that uses pmd_huge() etc that will also need fixing. So for now just disallow the broken combination of Radix with HUGETLBFS disabled. The only defconfig we have that is affected is skiroot_defconfig, so turn on HUGETLBFS there so that it still gets Radix. Fixes: 566ca99af026 ("powerpc/mm/radix: Add dummy radix_enabled()") Cc: stable(a)vger.kernel.org # v4.7+ Reported-by: Joel Stanley <joel(a)jms.id.au> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig index 5ba131c30f6b..1bcd468ab422 100644 --- a/arch/powerpc/configs/skiroot_defconfig +++ b/arch/powerpc/configs/skiroot_defconfig @@ -266,6 +266,7 @@ CONFIG_UDF_FS=m CONFIG_MSDOS_FS=m CONFIG_VFAT_FS=m CONFIG_PROC_KCORE=y +CONFIG_HUGETLBFS=y # CONFIG_MISC_FILESYSTEMS is not set # CONFIG_NETWORK_FILESYSTEMS is not set CONFIG_NLS=y diff --git a/arch/powerpc/platforms/Kconfig.cputype b/arch/powerpc/platforms/Kconfig.cputype index 842b2c7e156a..50cd09b4e05d 100644 --- a/arch/powerpc/platforms/Kconfig.cputype +++ b/arch/powerpc/platforms/Kconfig.cputype @@ -324,7 +324,7 @@ config ARCH_ENABLE_SPLIT_PMD_PTLOCK config PPC_RADIX_MMU bool "Radix MMU Support" - depends on PPC_BOOK3S_64 + depends on PPC_BOOK3S_64 && HUGETLB_PAGE select ARCH_HAS_GIGANTIC_PAGE if (MEMORY_ISOLATION && COMPACTION) || CMA default y help

6 years, 4 months

1
0
0 0

[PATCH 2/2] cpufreq: armada-37xx: fix frequency calculation for opp

by Gregory CLEMENT

The frequency calculation was based on the current(max) frequency of the CPU. However for low frequency, the value used was already the parent frequency divided by a factor of 2. Instead of using this frequency, this fix directly get the frequency from the parent clock. Fixes: 92ce45fb875d ("cpufreq: Add DVFS support for Armada 37xx") Cc: <stable(a)vger.kernel.org> Reported-by: Christian Neubert <christian.neubert.86(a)gmail.com> Signed-off-by: Gregory CLEMENT <gregory.clement(a)bootlin.com> --- drivers/cpufreq/armada-37xx-cpufreq.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/drivers/cpufreq/armada-37xx-cpufreq.c b/drivers/cpufreq/armada-37xx-cpufreq.c index ad4463e4266e..a0962463805e 100644 --- a/drivers/cpufreq/armada-37xx-cpufreq.c +++ b/drivers/cpufreq/armada-37xx-cpufreq.c @@ -373,11 +373,11 @@ static int __init armada37xx_cpufreq_driver_init(void) struct armada_37xx_dvfs *dvfs; struct platform_device *pdev; unsigned long freq; - unsigned int cur_frequency; + unsigned int cur_frequency, base_frequency; struct regmap *nb_pm_base, *avs_base; struct device *cpu_dev; int load_lvl, ret; - struct clk *clk; + struct clk *clk, *parent; nb_pm_base = syscon_regmap_lookup_by_compatible("marvell,armada-3700-nb-pm"); @@ -413,6 +413,22 @@ static int __init armada37xx_cpufreq_driver_init(void) return PTR_ERR(clk); } + parent = clk_get_parent(clk); + if (IS_ERR(parent)) { + dev_err(cpu_dev, "Cannot get parent clock for CPU0\n"); + clk_put(clk); + return PTR_ERR(parent); + } + + /* Get parent CPU frequency */ + base_frequency = clk_get_rate(parent); + + if (!base_frequency) { + dev_err(cpu_dev, "Failed to get parent clock rate for CPU\n"); + clk_put(clk); + return -EINVAL; + } + /* Get nominal (current) CPU frequency */ cur_frequency = clk_get_rate(clk); if (!cur_frequency) { @@ -445,7 +461,7 @@ static int __init armada37xx_cpufreq_driver_init(void) for (load_lvl = ARMADA_37XX_DVFS_LOAD_0; load_lvl < LOAD_LEVEL_NR; load_lvl++) { unsigned long u_volt = avs_map[dvfs->avs[load_lvl]] * 1000; - freq = cur_frequency / dvfs->divider[load_lvl]; + freq = base_frequency / dvfs->divider[load_lvl]; ret = dev_pm_opp_add(cpu_dev, freq, u_volt); if (ret) goto remove_opp; -- 2.20.1

6 years, 4 months

2
2
0 0

Re: Patch "RDMA/ucontext: Fix regression with disassociate" has been added to the 5.0-stable tree

by Leon Romanovsky

On Mon, Apr 29, 2019 at 11:11:49AM +0200, gregkh(a)linuxfoundation.org wrote: > > This is a note to let you know that I've just added the patch titled > > RDMA/ucontext: Fix regression with disassociate > > to the 5.0-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > rdma-ucontext-fix-regression-with-disassociate.patch > and it can be found in the queue-5.0 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Greg, Please be aware that this patch has compilation issues on s390 platform. https://patchwork.kernel.org/patch/10920895/#22610993 Thanks > > > From 67f269b37f9b4d52c5e7f97acea26c0852e9b8a1 Mon Sep 17 00:00:00 2001 > From: Jason Gunthorpe <jgg(a)mellanox.com> > Date: Tue, 16 Apr 2019 14:07:28 +0300 > Subject: RDMA/ucontext: Fix regression with disassociate > > From: Jason Gunthorpe <jgg(a)mellanox.com> > > commit 67f269b37f9b4d52c5e7f97acea26c0852e9b8a1 upstream. > > When this code was consolidated the intention was that the VMA would > become backed by anonymous zero pages after the zap_vma_pte - however this > very subtly relied on setting the vm_ops = NULL and clearing the VM_SHARED > bits to transform the VMA into an anonymous VMA. Since the vm_ops was > removed this broke. > > Now userspace gets a SIGBUS if it touches the vma after disassociation. > > Instead of converting the VMA to anonymous provide a fault handler that > puts a zero'd page into the VMA when user-space touches it after > disassociation. > > Cc: stable(a)vger.kernel.org > Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> > Fixes: 5f9794dc94f5 ("RDMA/ucontext: Add a core API for mmaping driver IO memory") > Signed-off-by: Jason Gunthorpe <jgg(a)mellanox.com> > Signed-off-by: Leon Romanovsky <leonro(a)mellanox.com> > Signed-off-by: Jason Gunthorpe <jgg(a)mellanox.com> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > > --- > drivers/infiniband/core/uverbs.h | 1 > drivers/infiniband/core/uverbs_main.c | 52 ++++++++++++++++++++++++++++++++-- > 2 files changed, 50 insertions(+), 3 deletions(-) > > --- a/drivers/infiniband/core/uverbs.h > +++ b/drivers/infiniband/core/uverbs.h > @@ -160,6 +160,7 @@ struct ib_uverbs_file { > > struct mutex umap_lock; > struct list_head umaps; > + struct page *disassociate_page; > > struct idr idr; > /* spinlock protects write access to idr */ > --- a/drivers/infiniband/core/uverbs_main.c > +++ b/drivers/infiniband/core/uverbs_main.c > @@ -208,6 +208,9 @@ void ib_uverbs_release_file(struct kref > kref_put(&file->async_file->ref, > ib_uverbs_release_async_event_file); > put_device(&file->device->dev); > + > + if (file->disassociate_page) > + __free_pages(file->disassociate_page, 0); > kfree(file); > } > > @@ -876,9 +879,50 @@ static void rdma_umap_close(struct vm_ar > kfree(priv); > } > > +/* > + * Once the zap_vma_ptes has been called touches to the VMA will come here and > + * we return a dummy writable zero page for all the pfns. > + */ > +static vm_fault_t rdma_umap_fault(struct vm_fault *vmf) > +{ > + struct ib_uverbs_file *ufile = vmf->vma->vm_file->private_data; > + struct rdma_umap_priv *priv = vmf->vma->vm_private_data; > + vm_fault_t ret = 0; > + > + if (!priv) > + return VM_FAULT_SIGBUS; > + > + /* Read only pages can just use the system zero page. */ > + if (!(vmf->vma->vm_flags & (VM_WRITE | VM_MAYWRITE))) { > + vmf->page = ZERO_PAGE(vmf->vm_start); > + get_page(vmf->page); > + return 0; > + } > + > + mutex_lock(&ufile->umap_lock); > + if (!ufile->disassociate_page) > + ufile->disassociate_page = > + alloc_pages(vmf->gfp_mask | __GFP_ZERO, 0); > + > + if (ufile->disassociate_page) { > + /* > + * This VMA is forced to always be shared so this doesn't have > + * to worry about COW. > + */ > + vmf->page = ufile->disassociate_page; > + get_page(vmf->page); > + } else { > + ret = VM_FAULT_SIGBUS; > + } > + mutex_unlock(&ufile->umap_lock); > + > + return ret; > +} > + > static const struct vm_operations_struct rdma_umap_ops = { > .open = rdma_umap_open, > .close = rdma_umap_close, > + .fault = rdma_umap_fault, > }; > > static struct rdma_umap_priv *rdma_user_mmap_pre(struct ib_ucontext *ucontext, > @@ -888,6 +932,9 @@ static struct rdma_umap_priv *rdma_user_ > struct ib_uverbs_file *ufile = ucontext->ufile; > struct rdma_umap_priv *priv; > > + if (!(vma->vm_flags & VM_SHARED)) > + return ERR_PTR(-EINVAL); > + > if (vma->vm_end - vma->vm_start != size) > return ERR_PTR(-EINVAL); > > @@ -991,7 +1038,7 @@ void uverbs_user_mmap_disassociate(struc > * at a time to get the lock ordering right. Typically there > * will only be one mm, so no big deal. > */ > - down_write(&mm->mmap_sem); > + down_read(&mm->mmap_sem); > if (!mmget_still_valid(mm)) > goto skip_mm; > mutex_lock(&ufile->umap_lock); > @@ -1005,11 +1052,10 @@ void uverbs_user_mmap_disassociate(struc > > zap_vma_ptes(vma, vma->vm_start, > vma->vm_end - vma->vm_start); > - vma->vm_flags &= ~(VM_SHARED | VM_MAYSHARE); > } > mutex_unlock(&ufile->umap_lock); > skip_mm: > - up_write(&mm->mmap_sem); > + up_read(&mm->mmap_sem); > mmput(mm); > } > } > > > Patches currently in stable-queue which might be from jgg(a)mellanox.com are > > queue-5.0/rdma-ucontext-fix-regression-with-disassociate.patch > queue-5.0/ib-rdmavt-fix-frwr-memory-registration.patch > queue-5.0/rdma-mlx5-use-rdma_user_map_io-for-mapping-bar-pages.patch > queue-5.0/rdma-mlx5-do-not-allow-the-user-to-write-to-the-clock-page.patch

6 years, 4 months

2
2
0 0

FAILED: patch "[PATCH] Revert "drm/i915/fbdev: Actually configure untiled displays"" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9fa246256e09dc30820524401cdbeeaadee94025 Mon Sep 17 00:00:00 2001 From: Dave Airlie <airlied(a)redhat.com> Date: Wed, 24 Apr 2019 10:47:56 +1000 Subject: [PATCH] Revert "drm/i915/fbdev: Actually configure untiled displays" This reverts commit d179b88deb3bf6fed4991a31fd6f0f2cad21fab5. This commit is documented to break userspace X.org modesetting driver in certain configurations. The X.org modesetting userspace driver is broken. No fixes are available yet. In order for this patch to be applied it either needs a config option or a workaround developed. This has been reported a few times, saying it's a userspace problem is clearly against the regression rules. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109806 Signed-off-by: Dave Airlie <airlied(a)redhat.com> Cc: <stable(a)vger.kernel.org> # v3.19+ diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c index e8f694b57b8a..376ffe842e26 100644 --- a/drivers/gpu/drm/i915/intel_fbdev.c +++ b/drivers/gpu/drm/i915/intel_fbdev.c @@ -338,8 +338,8 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, bool *enabled, int width, int height) { struct drm_i915_private *dev_priv = to_i915(fb_helper->dev); + unsigned long conn_configured, conn_seq, mask; unsigned int count = min(fb_helper->connector_count, BITS_PER_LONG); - unsigned long conn_configured, conn_seq; int i, j; bool *save_enabled; bool fallback = true, ret = true; @@ -357,9 +357,10 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, drm_modeset_backoff(&ctx); memcpy(save_enabled, enabled, count); - conn_seq = GENMASK(count - 1, 0); + mask = GENMASK(count - 1, 0); conn_configured = 0; retry: + conn_seq = conn_configured; for (i = 0; i < count; i++) { struct drm_fb_helper_connector *fb_conn; struct drm_connector *connector; @@ -372,8 +373,7 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, if (conn_configured & BIT(i)) continue; - /* First pass, only consider tiled connectors */ - if (conn_seq == GENMASK(count - 1, 0) && !connector->has_tile) + if (conn_seq == 0 && !connector->has_tile) continue; if (connector->status == connector_status_connected) @@ -477,10 +477,8 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, conn_configured |= BIT(i); } - if (conn_configured != conn_seq) { /* repeat until no more are found */ - conn_seq = conn_configured; + if ((conn_configured & mask) != mask && conn_configured != conn_seq) goto retry; - } /* * If the BIOS didn't enable everything it could, fall back to have the

6 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] Revert "drm/i915/fbdev: Actually configure untiled displays"" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9fa246256e09dc30820524401cdbeeaadee94025 Mon Sep 17 00:00:00 2001 From: Dave Airlie <airlied(a)redhat.com> Date: Wed, 24 Apr 2019 10:47:56 +1000 Subject: [PATCH] Revert "drm/i915/fbdev: Actually configure untiled displays" This reverts commit d179b88deb3bf6fed4991a31fd6f0f2cad21fab5. This commit is documented to break userspace X.org modesetting driver in certain configurations. The X.org modesetting userspace driver is broken. No fixes are available yet. In order for this patch to be applied it either needs a config option or a workaround developed. This has been reported a few times, saying it's a userspace problem is clearly against the regression rules. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109806 Signed-off-by: Dave Airlie <airlied(a)redhat.com> Cc: <stable(a)vger.kernel.org> # v3.19+ diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c index e8f694b57b8a..376ffe842e26 100644 --- a/drivers/gpu/drm/i915/intel_fbdev.c +++ b/drivers/gpu/drm/i915/intel_fbdev.c @@ -338,8 +338,8 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, bool *enabled, int width, int height) { struct drm_i915_private *dev_priv = to_i915(fb_helper->dev); + unsigned long conn_configured, conn_seq, mask; unsigned int count = min(fb_helper->connector_count, BITS_PER_LONG); - unsigned long conn_configured, conn_seq; int i, j; bool *save_enabled; bool fallback = true, ret = true; @@ -357,9 +357,10 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, drm_modeset_backoff(&ctx); memcpy(save_enabled, enabled, count); - conn_seq = GENMASK(count - 1, 0); + mask = GENMASK(count - 1, 0); conn_configured = 0; retry: + conn_seq = conn_configured; for (i = 0; i < count; i++) { struct drm_fb_helper_connector *fb_conn; struct drm_connector *connector; @@ -372,8 +373,7 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, if (conn_configured & BIT(i)) continue; - /* First pass, only consider tiled connectors */ - if (conn_seq == GENMASK(count - 1, 0) && !connector->has_tile) + if (conn_seq == 0 && !connector->has_tile) continue; if (connector->status == connector_status_connected) @@ -477,10 +477,8 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, conn_configured |= BIT(i); } - if (conn_configured != conn_seq) { /* repeat until no more are found */ - conn_seq = conn_configured; + if ((conn_configured & mask) != mask && conn_configured != conn_seq) goto retry; - } /* * If the BIOS didn't enable everything it could, fall back to have the

6 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] powerpc/mm/radix: Make Radix require HUGETLB_PAGE" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 8adddf349fda0d3de2f6bb41ddf838cbf36a8ad2 Mon Sep 17 00:00:00 2001 From: Michael Ellerman <mpe(a)ellerman.id.au> Date: Tue, 16 Apr 2019 23:59:02 +1000 Subject: [PATCH] powerpc/mm/radix: Make Radix require HUGETLB_PAGE Joel reported weird crashes using skiroot_defconfig, in his case we jumped into an NX page: kernel tried to execute exec-protected page (c000000002bff4f0) - exploit attempt? (uid: 0) BUG: Unable to handle kernel instruction fetch Faulting instruction address: 0xc000000002bff4f0 Looking at the disassembly, we had simply branched to that address: c000000000c001bc 49fff335 bl c000000002bff4f0 But that didn't match the original kernel image: c000000000c001bc 4bfff335 bl c000000000bff4f0 <kobject_get+0x8> When STRICT_KERNEL_RWX is enabled, and we're using the radix MMU, we call radix__change_memory_range() late in boot to change page protections. We do that both to mark rodata read only and also to mark init text no-execute. That involves walking the kernel page tables, and clearing _PAGE_WRITE or _PAGE_EXEC respectively. With radix we may use hugepages for the linear mapping, so the code in radix__change_memory_range() uses eg. pmd_huge() to test if it has found a huge mapping, and if so it stops the page table walk and changes the PMD permissions. However if the kernel is built without HUGETLBFS support, pmd_huge() is just a #define that always returns 0. That causes the code in radix__change_memory_range() to incorrectly interpret the PMD value as a pointer to a PTE page rather than as a PTE at the PMD level. We can see this using `dv` in xmon which also uses pmd_huge(): 0:mon> dv c000000000000000 pgd @ 0xc000000001740000 pgdp @ 0xc000000001740000 = 0x80000000ffffb009 pudp @ 0xc0000000ffffb000 = 0x80000000ffffa009 pmdp @ 0xc0000000ffffa000 = 0xc00000000000018f <- this is a PTE ptep @ 0xc000000000000100 = 0xa64bb17da64ab07d <- kernel text The end result is we treat the value at 0xc000000000000100 as a PTE and clear _PAGE_WRITE or _PAGE_EXEC, potentially corrupting the code at that address. In Joel's specific case we cleared the sign bit in the offset of the branch, causing a backward branch to turn into a forward branch which caused us to branch into a non-executable page. However the exact nature of the crash depends on kernel version, compiler version, and other factors. We need to fix radix__change_memory_range() to not use accessors that depend on HUGETLBFS, but we also have radix memory hotplug code that uses pmd_huge() etc that will also need fixing. So for now just disallow the broken combination of Radix with HUGETLBFS disabled. The only defconfig we have that is affected is skiroot_defconfig, so turn on HUGETLBFS there so that it still gets Radix. Fixes: 566ca99af026 ("powerpc/mm/radix: Add dummy radix_enabled()") Cc: stable(a)vger.kernel.org # v4.7+ Reported-by: Joel Stanley <joel(a)jms.id.au> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig index 5ba131c30f6b..1bcd468ab422 100644 --- a/arch/powerpc/configs/skiroot_defconfig +++ b/arch/powerpc/configs/skiroot_defconfig @@ -266,6 +266,7 @@ CONFIG_UDF_FS=m CONFIG_MSDOS_FS=m CONFIG_VFAT_FS=m CONFIG_PROC_KCORE=y +CONFIG_HUGETLBFS=y # CONFIG_MISC_FILESYSTEMS is not set # CONFIG_NETWORK_FILESYSTEMS is not set CONFIG_NLS=y diff --git a/arch/powerpc/platforms/Kconfig.cputype b/arch/powerpc/platforms/Kconfig.cputype index 842b2c7e156a..50cd09b4e05d 100644 --- a/arch/powerpc/platforms/Kconfig.cputype +++ b/arch/powerpc/platforms/Kconfig.cputype @@ -324,7 +324,7 @@ config ARCH_ENABLE_SPLIT_PMD_PTLOCK config PPC_RADIX_MMU bool "Radix MMU Support" - depends on PPC_BOOK3S_64 + depends on PPC_BOOK3S_64 && HUGETLB_PAGE select ARCH_HAS_GIGANTIC_PAGE if (MEMORY_ISOLATION && COMPACTION) || CMA default y help

6 years, 4 months

1
0
0 0

Re: [PATCH-tip v6 01/20] locking/rwsem: Prevent decrement of reader count before increment

by Waiman Long

On 4/28/19 4:39 PM, Sasha Levin wrote: > Hi, > > [This is an automated email] > > This commit has been processed because it contains a "Fixes:" tag, > fixing commit: 70800c3c0cc5 locking/rwsem: Scan the wait_list for readers only once. > > The bot has tested the following trees: v5.0.10, v4.19.37, v4.14.114, v4.9.171. > > v5.0.10: Failed to apply! Possible dependencies: > 412f34a82ccf ("locking/qspinlock_stat: Track the no MCS node available case") > 46ad0840b158 ("locking/rwsem: Remove arch specific rwsem files") > 579afe866f52 ("xtensa: use generic spinlock/rwlock implementation") > a8654596f037 ("locking/rwsem: Enable lock event counting") > ad53fa10fa9e ("locking/qspinlock_stat: Introduce generic lockevent_*() counting APIs") > c7580c1e8443 ("locking/rwsem: Move owner setting code from rwsem.c to rwsem.h") > ce9084ba0d1d ("x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol") > d682b596d993 ("locking/qspinlock: Handle > 4 slowpath nesting levels") > eecec78f7777 ("locking/rwsem: Relocate rwsem_down_read_failed()") > fb346fd9fc08 ("locking/lock_events: Make lock_events available for all archs & other locks") > > v4.19.37: Failed to apply! Possible dependencies: > 0fa809ca7f81 ("locking/pvqspinlock: Extend node size when pvqspinlock is configured") > 1222109a5363 ("locking/qspinlock_stat: Count instances of nested lock slowpaths") > 412f34a82ccf ("locking/qspinlock_stat: Track the no MCS node available case") > 46ad0840b158 ("locking/rwsem: Remove arch specific rwsem files") > 4b486b535c33 ("locking/rwsem: Exit read lock slowpath if queue empty & no writer") > 925b9cd1b89a ("locking/rwsem: Make owner store task pointer of last owning reader") > a8654596f037 ("locking/rwsem: Enable lock event counting") > ad53fa10fa9e ("locking/qspinlock_stat: Introduce generic lockevent_*() counting APIs") > c7580c1e8443 ("locking/rwsem: Move owner setting code from rwsem.c to rwsem.h") > ce9084ba0d1d ("x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol") > d682b596d993 ("locking/qspinlock: Handle > 4 slowpath nesting levels") > eecec78f7777 ("locking/rwsem: Relocate rwsem_down_read_failed()") > fb346fd9fc08 ("locking/lock_events: Make lock_events available for all archs & other locks") > > v4.14.114: Failed to apply! Possible dependencies: > 0fa809ca7f81 ("locking/pvqspinlock: Extend node size when pvqspinlock is configured") > 11752adb68a3 ("locking/pvqspinlock: Implement hybrid PV queued/unfair locks") > 1222109a5363 ("locking/qspinlock_stat: Count instances of nested lock slowpaths") > 1958b5fc4010 ("x86/boot: Add early boot support when running with SEV active") > 1cd9c22fee3a ("x86/mm/encrypt: Move page table helpers into separate translation unit") > 271ca788774a ("arch: enable relative relocations for arm64, power and x86") > 412f34a82ccf ("locking/qspinlock_stat: Track the no MCS node available case") > 81d3dc9a349b ("locking/qspinlock: Add stat tracking for pending vs. slowpath") > 94d49eb30e85 ("x86/mm: Decouple dynamic __PHYSICAL_MASK from AMD SME") > a8654596f037 ("locking/rwsem: Enable lock event counting") > ad53fa10fa9e ("locking/qspinlock_stat: Introduce generic lockevent_*() counting APIs") > ce9084ba0d1d ("x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol") > d682b596d993 ("locking/qspinlock: Handle > 4 slowpath nesting levels") > d7b417fa08d1 ("x86/mm: Add DMA support for SEV memory encryption") > d8aa7eea78a1 ("x86/mm: Add Secure Encrypted Virtualization (SEV) support") > dfaaec9033b8 ("x86: Add support for changing memory encryption attribute in early boot") > fb346fd9fc08 ("locking/lock_events: Make lock_events available for all archs & other locks") > > v4.9.171: Failed to apply! Possible dependencies: > 1a8b6d76dc5b ("net:add one common config ARCH_WANT_RELAX_ORDER to support relax ordering") > 271ca788774a ("arch: enable relative relocations for arm64, power and x86") > 29dee3c03abc ("locking/refcounts: Out-of-line everything") > 40565b5aedd6 ("sched/cputime, powerpc, s390: Make scaled cputime arch specific") > 4ad8622dc548 ("powerpc/8xx: Implement hw_breakpoint") > 51c9c0843993 ("powerpc/kprobes: Implement Optprobes") > 5b9ff0278598 ("powerpc: Build-time sort the exception table") > 65c059bcaa73 ("powerpc: Enable support for GCC plugins") > 9fea59bd7ca5 ("powerpc/mm: Add support for runtime configuration of ASLR limits") > a7d2475af7ae ("powerpc: Sort the selects under CONFIG_PPC") > a8654596f037 ("locking/rwsem: Enable lock event counting") > bd174169c7a1 ("locking/refcount: Add refcount_t API kernel-doc comments") > ce9084ba0d1d ("x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol") > d557d1b58b35 ("refcount: change EXPORT_SYMBOL markings") > ebfa50df435e ("powerpc: Add helper to check if offset is within relative branch range") > f405df5de317 ("refcount_t: Introduce a special purpose refcount type") > fa769d3f58e6 ("powerpc/32: Enable HW_BREAKPOINT on BOOK3S") > fb346fd9fc08 ("locking/lock_events: Make lock_events available for all archs & other locks") > fd25d19f6b8d ("locking/refcount: Create unchecked atomic_t implementation") > > > How should we proceed with this patch? I will send out a version that will be easier to backport once this patch lands in the mainline. Cheers, Longman

6 years, 4 months

1
0
0 0

[PATCH-tip v6 01/20] locking/rwsem: Prevent decrement of reader count before increment

by Waiman Long

During my rwsem testing, it was found that after a down_read(), the reader count may occasionally become 0 or even negative. Consequently, a writer may steal the lock at that time and execute with the reader in parallel thus breaking the mutual exclusion guarantee of the write lock. In other words, both readers and writer can become rwsem owners simultaneously. The current reader wakeup code does it in one pass to clear waiter->task and put them into wake_q before fully incrementing the reader count. Once waiter->task is cleared, the corresponding reader may see it, finish the critical section and do unlock to decrement the count before the count is incremented. This is not a problem if there is only one reader to wake up as the count has been pre-incremented by 1. It is a problem if there are more than one readers to be woken up and writer can steal the lock. The wakeup is actually done in 2 passes before the v4.9 commit 70800c3c0cc5 ("locking/rwsem: Scan the wait_list for readers only once"). To fix this problem, the wakeup is now done in two passes again. In the first pass, we collect the readers and count them. The reader count is then fully incremented. In the second pass, the waiter->task is then cleared and they are put into wake_q to be woken up later. Fixes: 70800c3c0cc5 ("locking/rwsem: Scan the wait_list for readers only once") Cc: <stable(a)vger.kernel.org> Signed-off-by: Waiman Long <longman(a)redhat.com> --- kernel/locking/rwsem-xadd.c | 45 +++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c index 6b3ee9948bf1..cab5b1f6b2de 100644 --- a/kernel/locking/rwsem-xadd.c +++ b/kernel/locking/rwsem-xadd.c @@ -130,6 +130,7 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, { struct rwsem_waiter *waiter, *tmp; long oldcount, woken = 0, adjustment = 0; + struct list_head wlist; /* * Take a peek at the queue head waiter such that we can determine @@ -188,18 +189,44 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, * of the queue. We know that woken will be at least 1 as we accounted * for above. Note we increment the 'active part' of the count by the * number of readers before waking any processes up. + * + * We have to do wakeup in 2 passes to prevent the possibility that + * the reader count may be decremented before it is incremented. It + * is because the to-be-woken waiter may not have slept yet. So it + * may see waiter->task got cleared, finish its critical section and + * do an unlock before the reader count increment. + * + * 1) Collect the read-waiters in a separate list, count them and + * fully increment the reader count in rwsem. + * 2) For each waiters in the new list, clear waiter->task and + * put them into wake_q to be woken up later. */ + INIT_LIST_HEAD(&wlist); list_for_each_entry_safe(waiter, tmp, &sem->wait_list, list) { - struct task_struct *tsk; - if (waiter->type == RWSEM_WAITING_FOR_WRITE) break; woken++; - tsk = waiter->task; + list_move_tail(&waiter->list, &wlist); + } + + adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment; + lockevent_cond_inc(rwsem_wake_reader, woken); + if (list_empty(&sem->wait_list)) { + /* hit end of list above */ + adjustment -= RWSEM_WAITING_BIAS; + } + + if (adjustment) + atomic_long_add(adjustment, &sem->count); + + /* 2nd pass */ + list_for_each_entry(waiter, &wlist, list) { + struct task_struct *tsk; + tsk = waiter->task; get_task_struct(tsk); - list_del(&waiter->list); + /* * Ensure calling get_task_struct() before setting the reader * waiter to nil such that rwsem_down_read_failed() cannot @@ -213,16 +240,6 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, */ wake_q_add_safe(wake_q, tsk); } - - adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment; - lockevent_cond_inc(rwsem_wake_reader, woken); - if (list_empty(&sem->wait_list)) { - /* hit end of list above */ - adjustment -= RWSEM_WAITING_BIAS; - } - - if (adjustment) - atomic_long_add(adjustment, &sem->count); } /* -- 2.18.1

6 years, 4 months

2
4
0 0

Experienced Remote Web Application Developer

by AnjanPatra

Do you want web development and design? We work full time working online. We do not ask for advance payment. Try for 7 days, If you like our work then only pay and continue long term. Web Design , Development , PHP , Graphic Design , Rate @ 125 USD / Week General Office Work (BPO) - Rate @ 90 US / Week ( Mon - Sat 40 Hrs per week ). Our Expertise ( PHP | MySQL | HTML | CSS, Dreamweaver, Photoshop etc..) We are always online on Skype(id-anjanindi) and email. Please visit codelogics . com to see our previous work samples If you are not interested we will never send you email again ever. Thanks Anjan Patra

6 years, 4 months

1
0
0 0

[PATCH 3.16 000/202] 3.16.66-rc1 review

by Ben Hutchings

This is the start of the stable review cycle for the 3.16.66 release. There are 202 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed May 01 18:00:00 UTC 2019. Anything received after that time might be too late. All the patches have also been committed to the linux-3.16.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below. Ben. ------------- Aaro Koskinen (1): MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled [dcf300a69ac307053dfb35c2e33972e754a98bce] Alex Williamson (1): vfio/type1: Limit DMA mappings per container [492855939bdb59c6f947b0b5b44af9ad82b7e38c] Alexander Popov (1): KVM: x86: Fix single-step debugging [5cc244a20b86090c087073c124284381cdf47234] Alexandru Ardelean (1): dmaengine: dmatest: unmap data on a single code-path when xfer done [0255200bd29afc320c6ea4c1adf8bdc13a9b3c15] Andrea Arcangeli (1): coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping [04f5866e41fb70690e28397487d8bd8eea7d712a] Andy Lutomirski (1): x86/uaccess: Don't leak the AC flag into __put_user() value evaluation [2a418cf3f5f1caf911af288e978d61c9844b0695] Andy Shevchenko (1): dmaengine: dmatest: Abort test in case of mapping error [6454368a804c4955ccd116236037536f81e5b1f1] Arend van Spriel (5): brcmfmac: add subtype check for event handling in data path [a4176ec356c73a46c07c181c6d04039fafa34a9f] brcmfmac: assure SSID length from firmware is limited [1b5e2423164b3670e8bc9174e4762d297990deff] brcmfmac: consolidate ifp lookup in driver core [75effb03ee8e4c9d4bbc909118ce5444b047dfde] brcmfmac: make brcmf_proto_hdrpull() return struct brcmf_if instance [796cfb65e3ed01a9b08e3a0b93e34120c54bbbd2] brcmfmac: revise handling events in receive path [9c349892ccc90c6de2baaa69cc78449f58082273] Aya Levin (1): net/mlx4_core: Add masking for a few queries on HCA caps [a40ded6043658444ee4dd6ee374119e4e98b33fc] B-Ak (1): ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode [667e9334fa64da2273e36ce131b05ac9e47c5769] Ben Hutchings (1): binfmt_elf: Fix missing SIGKILL for empty PIE [not upstream; fixes bad backport] Bin Liu (1): usb: phy: am335x: fix race condition in _probe [a53469a68eb886e84dd8b69a1458a623d3591793] Borislav Petkov (1): x86/a.out: Clear the dump structure initially [10970e1b4be9c74fce8ab6e3c34a7d718f063f2c] Charles Keepax (1): ALSA: compress: Fix stop handling on compressed capture streams [4f2ab5e1d13d6aa77c55f4914659784efd776eb4] Charles Yeh (1): USB: serial: pl2303: add new PID to support PL2303TB [4dcf9ddc9ad5ab649abafa98c5a4d54b1a33dabb] Christian Borntraeger (1): s390/early: improve machine detection [03aa047ef2db4985e444af6ee1c1dd084ad9fb4c] Christoph Paasch (1): net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec [398f0132c14754fcd03c1c4f8e7176d001ce8ea1] Cong Wang (1): team: avoid complex list operations in team_nl_cmd_options_set() [2fdeee2549231b1f989f011bb18191f5660d3745] Dan Carpenter (4): ALSA: cs46xx: Potential NULL dereference in probe [1524f4e47f90b27a3ac84efbdd94c63172246a6f] mfd: ab8500-core: Return zero in get_register_interruptible() [10628e3ecf544fa2e4e24f8e112d95c37884dc98] scsi: bnx2fc: Fix error handling in probe() [b2d3492fc591b1fb46b81d79ca1fc44cac6ae0ae] skge: potential memory corruption in skge_get_regs() [294c149a209c6196c2de85f512b52ef50f519949] Daniel Drake (1): x86/kaslr: Fix incorrect i8254 outb() parameters [7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4] Daniele Palmas (1): usb: cdc-acm: send ZLP for Telit 3G Intel based modems [34aabf918717dd14e05051896aaecd3b16b53d95] Darrick J. Wong (2): tmpfs: fix link accounting when a tmpfile is linked in [1062af920c07f5b54cf5060fde3339da6df0cf6b] tmpfs: fix uninitialized return value in shmem_link [29b00e609960ae0fcff382f4c7079dd0874a5311] David Hildenbrand (1): mm: migrate: don't rely on __PageMovable() of newpage after unlocking it [e0a352fabce61f730341d119fbedf71ffdb8663f] David Howells (1): assoc_array: Fix shortcut creation [bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08] Davidlohr Bueso (1): arc: do not export symbols in troubleshoot.c [be2a7fce397d82b7dc3fdbc61fb0bdab118e65ca] Dexuan Cui (1): Drivers: hv: vmbus: Check for ring when getting debug info [ba50bf1ce9a51fc97db58b96d01306aa70bc3979] Eric Biggers (5): KEYS: allow reaching the keys quotas exactly [a08bf91ce28ed3ae7b6fef35d843fef8dc8c2cd9] KEYS: always initialize keyring_index_key::desc_len [ede0fa98a900e657d1fcd80b50920efc896c1a4c] KEYS: restrict /proc/keys by credentials at open time [4aa68e07d845562561f5e73c04aa521376e95252] KEYS: user: Align the payload buffer [cc1780fc42c76c705dd07ea123f1143dc5057630] crypto: authenc - fix parsing key with misaligned rta_len [8f9c469348487844328e162db57112f7d347c49f] Eric Dumazet (3): batman-adv: fix uninit-value in batadv_interface_tx() [4ffcbfac60642f63ae3d80891f573ba7e94a265c] net/x25: fix a race in x25_bind() [797a22bd5298c2674d927893f46cadf619dad11d] vxlan: test dev->flags & IFF_UP before calling netif_rx() [4179cb5a4c924cd233eaadd081882425bc98f44e] Eric W. Biederman (4): ipc/shm: Fix pid freeing. [2236d4d39035b9839944603ec4b65ce71180a9ea] signal: Always notice exiting tasks [35634ffa1751b6efd8cf75010b509dcb0263e29b] signal: Better detection of synchronous signals [7146db3317c67b517258cb5e1b08af387da0618b] signal: Restore the stop PTRACE_EVENT_EXIT [cf43a757fd49442bc38f76088b70c2299eed2c2f] Eugene Loh (1): kallsyms: Handle too long symbols in kallsyms.c [6db2983cd8064808141ccefd75218f5b4345ffae] Eugeniy Paltsev (1): ARC: U-boot: check arguments paranoidly [a66f2e57bd566240d8b3884eedf503928fbbe557] Felix Fietkau (1): mac80211: ensure that mgmt tx skbs have tailroom for encryption [9d0f50b80222dc273e67e4e14410fcfa4130a90c] Feras Daoud (1): IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start [6ab4aba00f811a5265acc4d3eb1863bb3ca60562] Florian Westphal (1): netfilter: nf_tables: nft_compat: fix refcount leak on xt module [b8e9dc1c75714ceb53615743e1036f76e00f5a17] Franky Lin (1): brcmfmac: screening firmware event packet [c56caa9db8abbbfb9e31325e0897705aa897db37] Gabriel Krisman Bertazi (1): sd: Clear PS bit before Mode Select. [2c5d16d6a9e7218e57b716e4fd9d77c776d21471] Gavin Li (1): brcmfmac: fix incorrect event channel deduction [8e290cecdd0178f3d4cf7d463c51dc7e462843b4] Gerald Schaefer (1): s390/smp: fix CPU hotplug deadlock with CPU rescan [b7cb707c373094ce4008d4a6ac9b6b366ec52da5] Greg Kroah-Hartman (3): debugfs: fix debugfs_rename parameter checking [d88c93f090f708c18195553b352b9f205e65418f] tty: Handle problem if line discipline does not have receive_buf [27cfb3a53be46a54ec5e0bd04e51995b74c90343] tty: mark Siemens R3964 line discipline as BROKEN [c7084edc3f6d67750f50d4183134c4fb5712a5c8] Grygorii Strashko (1): net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround [c1a8d0a3accf64a014d605e6806ce05d1c17adf1] Guenter Roeck (1): unicore32: Fix build error [ca98565a6182a960cd857d7546267a0775154eb8] Gustavo A. R. Silva (4): char/mwave: fix potential Spectre v1 vulnerability [701956d4018e5d5438570e39e8bda47edd32c489] ipmi: msghandler: Fix potential Spectre v1 vulnerabilities [a7102c7461794a5bb31af24b08e9e0f50038897a] perf tests evsel-tp-sched: Fix bitwise operator [489338a717a0dfbbd5a3fabccf172b78f0ac9015] usb: gadget: udc: net2272: Fix bitwise and boolean operations [07c69f1148da7de3978686d3af9263325d9d60bd] Hangbin Liu (1): sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() [173656accaf583698bac3f9e269884ba60d51ef4] Hans de Goede (2): ACPI: power: Skip duplicate power resource references in _PRx [7d7b467cb95bf29597b417d4990160d4ea6d69b9] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD [dd957493baa586f1431490f97f9c7c45eaf8ab10] Heiner Kallweit (1): net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031 [1d16073a326891c2a964e4cb95bc18fbcafb5f74] Hui Peng (1): ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks [cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184] Icenowy Zheng (2): USB: storage: add quirk for SMI SM3350 [0a99cc4b8ee83885ab9f097a3737d1ab28455ac0] USB: storage: don't insert sane sense for SPC3+ when bad sense specified [c5603d2fdb424849360fe7e3f8c1befc97571b8c] Ilya Dryomov (1): rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set [85f5a4d666fd9be73856ed16bb36c5af5b406b29] Ingo Molnar (1): perf/core: Fix impossible ring-buffer sizes warning [528871b456026e6127d95b1b2bd8e3a003dc1614] Ivan Mironov (3): drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock [66a8d5bfb518f9f12d47e1d2dce1732279f9451e] drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2 [62d85b3bf9d978ed4b6b2aeef5cf0ccf1423906e] scsi: sd: Fix cache_type_store() [44759979a49bfd2d20d789add7fa81a21eb1a4ab] Jack Stocker (1): USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB [3483254b89438e60f719937376c5e0ce2bc46761] Jacob Wen (1): l2tp: copy 4 more bytes to linear part if necessary [91c524708de6207f59dd3512518d8a1c7b434ee3] Jann Horn (2): fuse: call pipe_buf_release() under pipe lock [9509941e9c534920ccc4771ae70bd6cbbe79df1c] mm: enforce min addr even if capable() in expand_downwards() [0a1d52994d440e21def1c2174932410b4f2a98a1] Jason Gunthorpe (1): packet: Do not leak dev refcounts on error exit [d972f3dce8d161e2142da0ab1ef25df00e2f21a9] Jiri Olsa (1): perf/x86: Add check_period PMU callback [81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb] John Garry (1): scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached [ffeafdd2bf0b280d67ec1a47ea6287910d271f3f] John Johansen (1): apparmor: provide userspace flag indicating binfmt_elf_mmap change [34c426acb75cc21bdf84685e106db0c1a3565057] Jonathan Bakker (1): Input: bma150 - register input device after setting private data [90cc55f067f6ca0e64e5e52883ece47d8af7b67b] Jonathan Hunter (1): mfd: tps6586x: Handle interrupts on suspend [ac4ca4b9f4623ba5e1ea7a582f286567c611e027] Jonathan Neuschäfer (1): mmc: spi: Fix card detection during probe [c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6] Jose Abreu (1): net: stmmac: Fix a race in EEE enable callback [8a7493e58ad688eb23b81e45461c5d314f4402f1] Julian Wiedmann (3): s390/qeth: cancel close_dev work before removing a card [c2780c1a3fb724560b1d44f7976e0de17bf153c7] s390/qeth: conclude all event processing before offlining a card [c0a2e4d10d9366ada133a8ae4ff2f32397f8b15b] s390/qeth: fix use-after-free in error path [afa0c5904ba16d59b0454f7ee4c807dae350f432] Jun-Ru Chang (1): MIPS: Remove function size check in get_frame_info() [2b424cfc69728224fcb5fad138ea7260728e0901] Kal Conley (1): net/packet: fix 4gb buffer limit due to overflow check [fc62814d690cf62189854464f4bd07457d5e9e50] Kan Liang (1): perf/x86/intel/uncore: Add Node ID mask [9e63a7894fd302082cf3627fe90844421a6cbe7f] Kangjie Lu (1): ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages [44fabd8cdaaa3acb80ad2bb3b5c61ae2136af661] Kees Cook (1): Yama: Check for pid death before checking ancestry [9474f4e7cd71a633fa1ef93b7daefd44bbdfd482] Leonid Iziumtsev (1): dmaengine: imx-dma: fix wrong callback invoke [341198eda723c8c1cddbb006a89ad9e362502ea2] Linus Torvalds (1): binfmt_elf: switch to new creds when switching to new mm [9f834ec18defc369d73ccf9e87a2790bfa05bf46] Linus Walleij (1): ARM: dts: kirkwood: Fix polarity of GPIO fan lines [b5f034845e70916fd33e172fad5ad530a29c10ab] Liping Zhang (1): netfilter: nft_compat: fix crash when related match/target module is removed [4b512e1c1f8de6b9ceb796ecef8658e0a083cab7] Logan Gunthorpe (1): scsi: isci: initialize shost fully before calling scsi_add_host() [cc29a1b0a3f2597ce887d339222fa85b9307706d] Lukas Wunner (2): dmaengine: bcm2835: Fix abort of transactions [9e528c799d17a4ac37d788c81440b50377dd592d] dmaengine: bcm2835: Fix interrupt race on RT [f7da7782aba92593f7b82f03d2409a1c5f4db91b] Manfred Schlaegl (1): can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it [7b12c8189a3dc50638e7d53714c88007268d47ef] Manuel Reinhardt (1): ALSA: usb-audio: Fix implicit fb endpoint setup by quirk [2bc16b9f3223d049b57202ee702fcb5b9b507019] Marcel Holtmann (2): Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt [af3d5d1c87664a4f150fcf3534c6567cb19909b0] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer [7c9cbd0b5e38a1672fcd137894ace3b042dfbf69] Mark Rutland (1): perf/core: Don't WARN() for impossible ring-buffer sizes [9dff0aa95a324e262ffb03f425d00e4751f3294e] Martin Kepplinger (1): mtd: rawnand: gpmi: fix MX28 bus master lockup problem [d5d27fd9826b59979b184ec288e4812abac0e988] Martin Schwidefsky (1): s390/mm: always force a load of the primary ASCE on context switch [a38662084c8bdb829ff486468c7ea801c13fcc34] Martin Sperl (1): dmaengine: bcm2835: add additional defines for DMA-registers [e42685d7a7d5afa6278561ffd85c475eae246be3] Matthias Schwarzott (1): media: em28xx: Fix use-after-free when disconnecting [910b0797fa9e8af09c44a3fa36cb310ba7a7218d] Matti Kurkela (2): Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 [e8b22d0a329f0fb5c7ef95406872d268f01ee3b1] Input: elantech - force needed quirks on Fujitsu H760 [f9a703a54d16ba2470391c4b12236ee56591d50c] Max Schulze (1): USB: serial: simple: add Motorola Tetra TPG2200 device id [b81c2c33eab79dfd3650293b2227ee5c6036585c] Michael Straube (1): staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 [5f74a8cbb38d10615ed46bc3e37d9a4c9af8045a] Miklos Szeredi (2): fuse: decrement NR_WRITEBACK_TEMP on the right page [a2ebba824106dabe79937a9f29a875f837e1b6d4] fuse: handle zero sized retrieve correctly [97e1532ef81acb31c30f9e75bf00306c33a77812] Naoya Horiguchi (1): mm: hwpoison: use do_send_sig_info() instead of force_sig() [6376360ecbe525a9c17b3d081dfd88ba3e4ed65b] Nathan Sullivan (1): net/phy: micrel: Add workaround for bad autoneg [d2fd719bcb0e83cb39cfee22ee800f98a56eceb3] Naveen N. Rao (1): powerpc/signal: Properly handle return value from uprobe_deny_signal() [46725b17f1c6c815a41429259b3f070c01e71bc1] Nicolas Pitre (2): vt: always call notifier with the console lock held [7e1d226345f89ad5d0216a9092c81386c89b4983] vt: invoke notifier on screen size change [0c9b1965faddad7534b6974b5b36c4ad37998f8e] Nikos Tsironis (1): dm thin: fix bug where bio that overwrites thin block ignores FUA [4ae280b4ee3463fa57bbe6eede26b97daff8a0f1] Oleg Nesterov (1): mm/mmap.c: expand_downwards: don't require the gap if !vm_prev [32e4e6d5cbb0c0e427391635991fe65e17797af8] Oliver Hartkopp (1): can: bcm: check timer values before ktime conversion [93171ba6f1deffd82f381d36cb13177872d023f6] Pablo Neira Ayuso (2): netfilter: nf_tables: fix flush after rule deletion in the same batch [23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66] netfilter: nft_compat: use-after-free when deleting targets [753c111f655e38bbd52fc01321266633f022ebe2] Paolo Abeni (1): vsock: cope with memory allocation failure at socket creation time [225d9464268599a5b4d094d02ec17808e44c7553] Paul Elder (1): usb: gadget: musb: fix short isoc packets with inventra dma [c418fd6c01fbc5516a2cd1eaf1df1ec86869028a] Paul Fulghum (1): tty/n_hdlc: fix __might_sleep warning [fc01d8c61ce02c034e67378cd3e645734bc18c8c] Paul Moore (1): netlabel: fix out-of-bounds memory accesses [5578de4834fe0f2a34fedc7374be691443396d1f] Pavel Shilovsky (3): CIFS: Do not consider -ENODATA as stat failure for reads [082aaa8700415f6471ec9c5ef0c8307ca214989a] CIFS: Do not count -ENODATA as failure for query directory [8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79] CIFS: Do not hide EINTR after sending network packets [ee13919c2e8d1f904e035ad4b4239029a8994131] Peng Hao (1): ARM: pxa: ssp: unneeded to free devm_ allocated data [ba16adeb346387eb2d1ada69003588be96f098fa] Peter Zijlstra (1): perf/core: Fix perf_event_open() vs. execve() race [79c9ce57eb2d5f1497546a3946b4ae21b6fdc438] Rajasingh Thavamani (1): net: phy: Micrel KSZ8061: link failure after cable connect [232ba3a51cc224b339c7114888ed7f0d4d95695e] Richard Weinberger (28): Clean up signal_delivered() [10b1c7ac8bfed429cf3dcb0225482c8dc1485d8e] Rip out get_signal_to_deliver() [828b1f65d23cf8a68795739f6dd08fc8abd9ee64] arc: Use get_signal() signal_setup_done() [f6dd2a3f1f8d8df640cfa2d60f85c0b818af1593] arm64: Use get_signal() signal_setup_done() [00554fa4f80279db92f82c4f52c8ae72711f173e] avr32: Use get_signal() signal_setup_done() [d809709a8845954a95c2ac86c13bd0dfd549c1ae] blackfin: Use get_signal() signal_setup_done() [1270cff147a39f7da5b25225dca6ca3132ca6130] c6x: Use get_signal() signal_setup_done() [e19c025bc9a184ed9c5daf06ffb89abc81d1696a] cris: Use get_signal() signal_setup_done() [fa0197722eb7559a6a9733881bbb8d9e76364f33] frv: Use get_signal() signal_setup_done() [720f36b983224ac52b6acdd8b646ce30f6b38763] hexagon: Use get_signal() signal_setup_done() [ac443624490f7033aefd06713e7761aee5977de3] ia64: Use get_signal() signal_setup_done() [98c20309b97fc30001adf643cf876125f334fd8a] m32r: Use get_signal() signal_setup_done() [0f5bef660a7c3b030eb60ceb29e3b2d89f894f56] m68k: Use get_signal() signal_setup_done() [0d97500d393012690f3579056629bea0369e6554] microblaze: Use get_signal() signal_setup_done() [9c53c7ec14a5738ae3117d7d71b7abf630526c9f] mips: Use get_signal() signal_setup_done() [81d103bf80678669c56658185e758fc3f9845d71] mips: Use sigsp() [7c4f563507c33ca97dcfbd62dba1e9232575d499] mn10300: Use get_signal() signal_setup_done() [8b166553a9aaf39774bc22f5e93c965584303929] parisc: Use get_signal() signal_setup_done() [e4dc894b61776733629b24507031dd46f5ba5efc] powerpc: Use get_signal() signal_setup_done() [129b69df9c9074750245fca8aa92df5cc1a86ef4] powerpc: Use sigsp() [059ade650ae57cfd371af690fdba887af04aded8] s390: Use get_signal() signal_setup_done() [067bf2d4d3a7aedc5982f6a58716054e5004b801] score: Use get_signal() signal_setup_done() [2bb12b773feb3e792145961e57ab356e6134d4a5] sh: Use get_signal() signal_setup_done() [b46e848768acc458ba94feef162b8901592dbb9c] tile: Use get_signal() signal_setup_done() [b3707c7ed013d36752272ca2f9ed20dc8aed92e4] tracehook_signal_handler: Remove sig, info, ka and regs [df5601f9c3d831b4c478b004a1ed90a18643adbe] um: Use get_signal() signal_setup_done() [307627eebbb0bc41b21e74d78b932362a6c1b38d] unicore32: Use get_signal() signal_setup_done() [649671c90eaf3cbbd0cd03460b6a92c0b674a32e] xtensa: Use get_signal() signal_setup_done() [5bdb7611eb7987102f3c0fef1220dd64b6fbd9fd] Ross Lagerwall (1): cifs: Fix potential OOB access of lock element array [b9a74cde94957d82003fb9f7ab4777938ca851cd] Rundong Ge (1): net: dsa: slave: Don't propagate flag changes on down slave interfaces [17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5] Russell King (1): ARM: iop32x/n2100: fix PCI IRQ mapping [db4090920ba2d61a5827a23e441447926a02ffee] Sakari Ailus (1): media: v4l: ioctl: Validate num_planes for debug messages [7fe9f01c04c2673bd6662c35b664f0f91888b96f] Samir Virmani (1): uart: Fix crash in uart_write and uart_put_char [aff9cf5955185d1f183227e46c5f8673fa483813] Sergei Shtylyov (1): mmc: tmio_mmc_core: don't claim spurious interrupts [5c27ff5db1491a947264d6d4e4cbe43ae6535bae] Sergei Trofimovich (1): alpha: fix page fault handling for r16-r18 targets [491af60ffb848b59e82f7c9145833222e0bf27a5] Shakeel Butt (1): mm, oom: fix use-after-free in oom_kill_process [cefc7ef3c87d02fc9307835868ff721ea12cc597] Sheng Lan (1): net: netem: fix skb length BUG_ON in __skb_to_sgvec [5845f706388a4cde0f6b80f9e5d33527e942b7d9] Shuah Khan (1): [media] media: em28xx-dvb - fix em28xx_dvb_resume() to not unregister i2c and dvb [6eb5e3399e8f45aa191ad21c0556bece8ea559f2] Shubhrajyoti Datta (1): i2c: cadence: Fix the hold bit setting [d358def706880defa4c9e87381c5bf086a97d5f9] Stefan Haberland (1): s390/dasd: fix using offset into zero size array error [4a8ef6999bce998fa5813023a9a6b56eea329dba] Suravee Suthikulpanit (1): iommu/amd: Fix IOMMU page flush when detach device from a domain [9825bd94e3a2baae1f4874767ae3a7d4c049720e] Sven Eckelmann (2): batman-adv: Avoid WARN on net_device without parent in netns [955d3411a17f590364238bd0d3329b61f20c1cd2] batman-adv: Force mac header to start of data on xmit [9114daa825fc3f335f9bea3313ce667090187280] Takashi Iwai (2): ALSA: usb-audio: Always check descriptor sizes in parser code [3e96d7280f16e2f787307f695a31296b9e4a1cd7] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() [f4351a199cc120ff9d59e06d02e8657d08e6cc46] Thomas Hellstrom (2): drm/vmwgfx: Fix setting of dma masks [4cbfa1e6c09e98450aab3240e5119b0ab2c9795b] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user [728354c005c36eaf44b6e5552372b67e60d17f56] Thomas Richter (1): perf test: Fix failure of 'evsel-tp-sched' test on s390 [03d309711d687460d1345de8a0363f45b1c8cd11] Tina Zhang (1): drm/modes: Prevent division by zero htotal [a2fcd5c84f7a7825e028381b10182439067aa90d] Vineet Gupta (2): ARC: mm: do_page_fault fixes #1: relinquish mmap_sem if signal arrives while handle_mm_fault [4d447455e73b47c43dd35fcc38ed823d3182a474] ARC: show_regs: lockdep: avoid page allocator... [ab6c03676cb190156603cf4c5ecf97aa406c9c53] Vitaly Kuznetsov (1): x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available [6b1971c694975e49af302229202c0043568b1791] Vlad Tsyrklevich (1): omap2fb: Fix stack memory disclosure [a01421e4484327fe44f8e126793ed5a48a221e24] Waiman Long (1): fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() [1dbd449c9943e3145148cc893c2461b72ba6fef0] Willem de Bruijn (2): packet: validate address length [99137b7888f4058087895d035d81c6b2d31015c5] packet: validate address length if non-zero [6b8d95f1795c42161dc0984b6863e95d6acf24ed] Yi Zeng (1): i2c: dev: prevent adapter retries and timeout being set as minus value [6ebec961d59bccf65d08b13fc1ad4e6272a89338] YueHaibing (2): mdio_bus: Fix use-after-free on device_register fails [6ff7b060535e87c2ae14dd8548512abfdda528fb] net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails [58bdd544e2933a21a51eecf17c3f5f94038261b5] YunQiang Su (1): Disable MSI also when pcie-octeon.pcie_disable on [a214720cbf50cd8c3f76bbb9c3f5c283910e9d33] Yunjian Wang (1): net: bridge: Fix ethernet header pointer before check skb forwardable [28c1382fa28f2e2d9d0d6f25ae879b5af2ecbd03] Zach Brown (1): net/phy: micrel: configure intterupts after autoneg workaround [b866203d872d5deeafcecd25ea429d6748b5bd56] Zheng Yan (1): ceph: avoid repeatedly adding inode to mdsc->snap_flush_list [04242ff3ac0abbaa4362f97781dac268e6c3541a] Zhiqiang Liu (1): net: fix IPv6 prefix route residue [e75913c93f7cd5f338ab373c34c93a655bd309cb] Makefile | 4 +- arch/alpha/mm/fault.c | 2 +- arch/arc/kernel/head.S | 4 +- arch/arc/kernel/setup.c | 88 ++++++++++---- arch/arc/kernel/signal.c | 39 +++--- arch/arc/kernel/troubleshoot.c | 27 ++--- arch/arc/mm/fault.c | 13 +- arch/arm/boot/dts/kirkwood-dnskw.dtsi | 4 +- arch/arm/mach-iop32x/n2100.c | 3 +- arch/arm/plat-pxa/ssp.c | 3 - arch/arm64/include/asm/signal32.h | 11 +- arch/arm64/kernel/signal.c | 48 ++++---- arch/arm64/kernel/signal32.c | 14 +-- arch/avr32/kernel/signal.c | 43 +++---- arch/blackfin/kernel/signal.c | 39 +++--- arch/c6x/kernel/signal.c | 43 +++---- arch/cris/arch-v10/kernel/signal.c | 79 +++++------- arch/cris/arch-v32/kernel/signal.c | 77 +++++------- arch/frv/kernel/signal.c | 99 +++++++-------- arch/hexagon/kernel/signal.c | 45 +++---- arch/ia64/kernel/signal.c | 46 ++++--- arch/m32r/kernel/signal.c | 47 ++++---- arch/m68k/kernel/signal.c | 63 ++++------ arch/microblaze/kernel/signal.c | 48 +++----- arch/mips/include/asm/abi.h | 10 +- arch/mips/kernel/process.c | 7 +- arch/mips/kernel/signal-common.h | 2 +- arch/mips/kernel/signal.c | 72 +++++------ arch/mips/kernel/signal32.c | 39 +++--- arch/mips/kernel/signal_n32.c | 20 ++-- arch/mips/pci/msi-octeon.c | 4 +- arch/mips/pci/pci-octeon.c | 10 +- arch/mn10300/kernel/signal.c | 89 ++++++-------- arch/parisc/kernel/signal.c | 58 ++++----- arch/powerpc/kernel/signal.c | 41 ++----- arch/powerpc/kernel/signal.h | 14 +-- arch/powerpc/kernel/signal_32.c | 36 +++--- arch/powerpc/kernel/signal_64.c | 28 ++--- arch/s390/include/asm/mmu_context.h | 12 +- arch/s390/kernel/compat_signal.c | 79 ++++++------ arch/s390/kernel/early.c | 4 +- arch/s390/kernel/entry.h | 4 +- arch/s390/kernel/setup.c | 2 + arch/s390/kernel/signal.c | 78 +++++------- arch/s390/kernel/smp.c | 4 + arch/score/kernel/signal.c | 43 +++---- arch/sh/kernel/signal_32.c | 79 +++++------- arch/sh/kernel/signal_64.c | 82 +++++-------- arch/tile/include/asm/compat.h | 3 +- arch/tile/kernel/compat_signal.c | 29 ++--- arch/tile/kernel/signal.c | 54 ++++----- arch/um/include/shared/frame_kern.h | 12 +- arch/um/kernel/signal.c | 27 ++--- arch/unicore32/kernel/signal.c | 51 ++++---- arch/x86/boot/compressed/aslr.c | 4 +- arch/x86/ia32/ia32_aout.c | 6 +- arch/x86/include/asm/uaccess.h | 7 +- arch/x86/kernel/cpu/perf_event.c | 9 ++ arch/x86/kernel/cpu/perf_event.h | 21 ++++ arch/x86/kernel/cpu/perf_event_intel.c | 9 ++ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kvm/vmx.c | 7 +- arch/x86/kvm/x86.c | 3 +- arch/x86/um/signal.c | 45 ++++--- arch/xtensa/kernel/signal.c | 43 +++---- crypto/authenc.c | 14 ++- drivers/acpi/power.c | 22 ++++ drivers/ata/libata-core.c | 1 + drivers/block/rbd.c | 9 +- drivers/char/Kconfig | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 6 + drivers/char/mwave/mwavedd.c | 7 ++ drivers/dma/bcm2835-dma.c | 124 +++++++++++-------- drivers/dma/dmatest.c | 30 ++--- drivers/dma/imx-dma.c | 8 +- drivers/gpu/drm/drm_fb_helper.c | 133 ++++++++++++--------- drivers/gpu/drm/drm_modes.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 9 +- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +- drivers/hv/hyperv_vmbus.h | 5 +- drivers/hv/ring_buffer.c | 31 +++-- drivers/hv/vmbus_drv.c | 91 +++++++++----- drivers/i2c/busses/i2c-cadence.c | 9 +- drivers/i2c/i2c-dev.c | 6 + drivers/infiniband/ulp/ipoib/ipoib.h | 1 - drivers/infiniband/ulp/ipoib/ipoib_cm.c | 3 +- drivers/input/misc/bma150.c | 9 +- drivers/input/mouse/elantech.c | 23 ++++ drivers/iommu/amd_iommu.c | 15 ++- drivers/md/dm-thin.c | 55 ++++++++- drivers/media/usb/em28xx/em28xx-dvb.c | 20 +--- drivers/media/v4l2-core/v4l2-ioctl.c | 4 +- drivers/mfd/ab8500-core.c | 2 +- drivers/mfd/tps6586x.c | 24 ++++ drivers/mmc/host/mmc_spi.c | 1 + drivers/mmc/host/tmio_mmc_pio.c | 8 +- drivers/mtd/nand/gpmi-nand/gpmi-lib.c | 13 +- drivers/net/can/dev.c | 27 ++--- drivers/net/ethernet/marvell/skge.c | 6 +- drivers/net/ethernet/mellanox/mlx4/fw.c | 68 +++++++---- .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 22 ++-- drivers/net/phy/mdio_bus.c | 1 - drivers/net/phy/micrel.c | 41 ++++++- drivers/net/team/team.c | 27 +---- drivers/net/vxlan.c | 13 +- drivers/net/wireless/brcm80211/brcmfmac/bcdc.c | 29 ++--- drivers/net/wireless/brcm80211/brcmfmac/dhd.h | 2 +- drivers/net/wireless/brcm80211/brcmfmac/dhd_bus.h | 4 +- .../net/wireless/brcm80211/brcmfmac/dhd_linux.c | 76 +++++++++--- drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 32 +++-- drivers/net/wireless/brcm80211/brcmfmac/fweh.h | 16 ++- drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c | 11 +- drivers/net/wireless/brcm80211/brcmfmac/proto.h | 18 ++- drivers/net/wireless/brcm80211/brcmfmac/usb.c | 2 +- .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 + drivers/s390/block/dasd_eckd.c | 8 ++ drivers/s390/char/sclp_config.c | 2 + drivers/s390/net/qeth_core.h | 3 +- drivers/s390/net/qeth_core_main.c | 35 ++++-- drivers/s390/net/qeth_l2_main.c | 7 +- drivers/s390/net/qeth_l3_main.c | 3 + drivers/scsi/bnx2fc/bnx2fc_io.c | 4 +- drivers/scsi/isci/init.c | 14 +-- drivers/scsi/libsas/sas_expander.c | 2 + drivers/scsi/sd.c | 7 ++ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + drivers/tty/n_hdlc.c | 1 + drivers/tty/serial/serial_core.c | 12 +- drivers/tty/tty_io.c | 3 +- drivers/tty/vt/vt.c | 3 +- drivers/usb/class/cdc-acm.c | 7 ++ drivers/usb/core/quirks.c | 3 +- drivers/usb/gadget/net2272.c | 2 +- drivers/usb/musb/musb_gadget.c | 13 +- drivers/usb/musb/musbhsdma.c | 21 ++-- drivers/usb/phy/phy-am335x.c | 5 +- drivers/usb/serial/pl2303.c | 1 + drivers/usb/serial/pl2303.h | 2 + drivers/usb/serial/usb-serial-simple.c | 3 +- drivers/usb/storage/scsiglue.c | 8 +- drivers/usb/storage/unusual_devs.h | 12 ++ drivers/vfio/vfio_iommu_type1.c | 15 +++ drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 + fs/binfmt_elf.c | 3 +- fs/ceph/snap.c | 3 +- fs/cifs/file.c | 8 +- fs/cifs/smb2file.c | 4 +- fs/cifs/smb2pdu.c | 6 +- fs/cifs/transport.c | 2 +- fs/dcache.c | 6 +- fs/debugfs/inode.c | 7 ++ fs/fuse/dev.c | 4 +- fs/fuse/file.c | 2 +- fs/proc/task_mmu.c | 22 +++- include/keys/user-type.h | 2 +- include/linux/perf_event.h | 5 + include/linux/sched.h | 21 ++++ include/linux/signal.h | 15 +-- include/linux/tracehook.h | 8 +- include/sound/compress_driver.h | 6 +- ipc/shm.c | 4 +- kernel/events/core.c | 70 ++++++++--- kernel/events/ring_buffer.c | 3 + kernel/signal.c | 105 ++++++++++++---- lib/assoc_array.c | 8 +- mm/memory-failure.c | 3 +- mm/migrate.c | 8 +- mm/mmap.c | 24 ++-- mm/oom_kill.c | 8 ++ mm/shmem.c | 12 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 + net/bluetooth/l2cap_core.c | 83 ++++++++----- net/bridge/br_forward.c | 26 ++-- net/can/bcm.c | 27 +++++ net/dsa/slave.c | 13 +- net/ipv4/cipso_ipv4.c | 6 +- net/ipv6/addrconf.c | 3 +- net/ipv6/sit.c | 3 +- net/l2tp/l2tp_core.c | 5 +- net/mac80211/tx.c | 9 +- net/netfilter/nf_tables_api.c | 3 + net/netfilter/nft_compat.c | 120 +++++++++++-------- net/nfc/llcp_commands.c | 20 ++++ net/nfc/llcp_core.c | 24 +++- net/packet/af_packet.c | 12 +- net/sched/sch_netem.c | 10 +- net/vmw_vsock/vmci_transport.c | 4 + net/x25/af_x25.c | 13 +- scripts/kallsyms.c | 4 +- security/apparmor/apparmorfs.c | 1 + security/keys/key.c | 4 +- security/keys/keyring.c | 4 +- security/keys/proc.c | 11 +- security/keys/request_key.c | 1 + security/keys/request_key_auth.c | 2 +- security/yama/yama_lsm.c | 4 +- sound/pci/cs46xx/dsp_spos.c | 3 + sound/soc/codecs/tlv320aic32x4.c | 4 + sound/soc/intel/sst-mfld-platform-pcm.c | 8 +- sound/usb/card.c | 5 + sound/usb/mixer.c | 10 +- sound/usb/pcm.c | 9 +- sound/usb/quirks-table.h | 6 + sound/usb/stream.c | 31 +++-- tools/perf/tests/evsel-tp-sched.c | 8 +- 206 files changed, 2364 insertions(+), 1834 deletions(-) -- Ben Hutchings Teamwork is essential - it allows you to blame someone else.

6 years, 4 months

2
204
0 0

[PATCH V8 3/7] blk-mq: free hw queue's resource in hctx's release handler

by Ming Lei

Once blk_cleanup_queue() returns, tags shouldn't be used any more, because blk_mq_free_tag_set() may be called. Commit 45a9c9d909b2 ("blk-mq: Fix a use-after-free") fixes this issue exactly. However, that commit introduces another issue. Before 45a9c9d909b2, we are allowed to run queue during cleaning up queue if the queue's kobj refcount is held. After that commit, queue can't be run during queue cleaning up, otherwise oops can be triggered easily because some fields of hctx are freed by blk_mq_free_queue() in blk_cleanup_queue(). We have invented ways for addressing this kind of issue before, such as: 8dc765d438f1 ("SCSI: fix queue cleanup race before queue initialization is done") c2856ae2f315 ("blk-mq: quiesce queue before freeing queue") But still can't cover all cases, recently James reports another such kind of issue: https://marc.info/?l=linux-scsi&m=155389088124782&w=2 This issue can be quite hard to address by previous way, given scsi_run_queue() may run requeues for other LUNs. Fixes the above issue by freeing hctx's resources in its release handler, and this way is safe becasue tags isn't needed for freeing such hctx resource. This approach follows typical design pattern wrt. kobject's release handler. Cc: Dongli Zhang <dongli.zhang(a)oracle.com> Cc: James Smart <james.smart(a)broadcom.com> Cc: Bart Van Assche <bart.vanassche(a)wdc.com> Cc: linux-scsi(a)vger.kernel.org, Cc: Martin K . Petersen <martin.petersen(a)oracle.com>, Cc: Christoph Hellwig <hch(a)lst.de>, Cc: James E . J . Bottomley <jejb(a)linux.vnet.ibm.com>, Reported-by: James Smart <james.smart(a)broadcom.com> Fixes: 45a9c9d909b2 ("blk-mq: Fix a use-after-free") Cc: stable(a)vger.kernel.org Reviewed-by: Hannes Reinecke <hare(a)suse.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Tested-by: James Smart <james.smart(a)broadcom.com> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> --- block/blk-core.c | 2 +- block/blk-mq-sysfs.c | 6 ++++++ block/blk-mq.c | 8 ++------ block/blk-mq.h | 2 +- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/block/blk-core.c b/block/blk-core.c index 93dc588fabe2..2dd94b3e9ece 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -374,7 +374,7 @@ void blk_cleanup_queue(struct request_queue *q) blk_exit_queue(q); if (queue_is_mq(q)) - blk_mq_free_queue(q); + blk_mq_exit_queue(q); percpu_ref_exit(&q->q_usage_counter); diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c index 3f9c3f4ac44c..4040e62c3737 100644 --- a/block/blk-mq-sysfs.c +++ b/block/blk-mq-sysfs.c @@ -10,6 +10,7 @@ #include <linux/smp.h> #include <linux/blk-mq.h> +#include "blk.h" #include "blk-mq.h" #include "blk-mq-tag.h" @@ -33,6 +34,11 @@ static void blk_mq_hw_sysfs_release(struct kobject *kobj) { struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx, kobj); + + if (hctx->flags & BLK_MQ_F_BLOCKING) + cleanup_srcu_struct(hctx->srcu); + blk_free_flush_queue(hctx->fq); + sbitmap_free(&hctx->ctx_map); free_cpumask_var(hctx->cpumask); kfree(hctx->ctxs); kfree(hctx); diff --git a/block/blk-mq.c b/block/blk-mq.c index 89781309a108..d98cb9614dfa 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -2267,12 +2267,7 @@ static void blk_mq_exit_hctx(struct request_queue *q, if (set->ops->exit_hctx) set->ops->exit_hctx(hctx, hctx_idx); - if (hctx->flags & BLK_MQ_F_BLOCKING) - cleanup_srcu_struct(hctx->srcu); - blk_mq_remove_cpuhp(hctx); - blk_free_flush_queue(hctx->fq); - sbitmap_free(&hctx->ctx_map); } static void blk_mq_exit_hw_queues(struct request_queue *q, @@ -2907,7 +2902,8 @@ struct request_queue *blk_mq_init_allocated_queue(struct blk_mq_tag_set *set, } EXPORT_SYMBOL(blk_mq_init_allocated_queue); -void blk_mq_free_queue(struct request_queue *q) +/* tags can _not_ be used after returning from blk_mq_exit_queue */ +void blk_mq_exit_queue(struct request_queue *q) { struct blk_mq_tag_set *set = q->tag_set; diff --git a/block/blk-mq.h b/block/blk-mq.h index 423ea88ab6fb..633a5a77ee8b 100644 --- a/block/blk-mq.h +++ b/block/blk-mq.h @@ -37,7 +37,7 @@ struct blk_mq_ctx { struct kobject kobj; } ____cacheline_aligned_in_smp; -void blk_mq_free_queue(struct request_queue *q); +void blk_mq_exit_queue(struct request_queue *q); int blk_mq_update_nr_requests(struct request_queue *q, unsigned int nr); void blk_mq_wake_waiters(struct request_queue *q); bool blk_mq_dispatch_rq_list(struct request_queue *, struct list_head *, bool); -- 2.9.5

6 years, 4 months

1
0
0 0

[PATCH AUTOSEL 5.0 01/79] ASoC: tlv320aic3x: fix reset gpio reference counting

by Sasha Levin

From: Philipp Puschmann <philipp.puschmann(a)emlix.com> [ Upstream commit 82ad759143ed77673db0d93d53c1cde7b99917ee ] This patch fixes a bug that prevents freeing the reset gpio on unloading the module. aic3x_i2c_probe is called when loading the module and it calls list_add with a probably uninitialized list entry aic3x->list (next = prev = NULL)). So even if list_del is called it does nothing and in the end the gpio_reset is not freed. Then a repeated module probing fails silently because gpio_request fails. When moving INIT_LIST_HEAD to aic3x_i2c_probe we also have to move list_del to aic3x_i2c_remove because aic3x_remove may be called multiple times without aic3x_i2c_remove being called which leads to a NULL pointer dereference. Signed-off-by: Philipp Puschmann <philipp.puschmann(a)emlix.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/codecs/tlv320aic3x.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sound/soc/codecs/tlv320aic3x.c b/sound/soc/codecs/tlv320aic3x.c index 6aa0edf8c5ef..cea3ebecdb12 100644 --- a/sound/soc/codecs/tlv320aic3x.c +++ b/sound/soc/codecs/tlv320aic3x.c @@ -1609,7 +1609,6 @@ static int aic3x_probe(struct snd_soc_component *component) struct aic3x_priv *aic3x = snd_soc_component_get_drvdata(component); int ret, i; - INIT_LIST_HEAD(&aic3x->list); aic3x->component = component; for (i = 0; i < ARRAY_SIZE(aic3x->supplies); i++) { @@ -1692,7 +1691,6 @@ static void aic3x_remove(struct snd_soc_component *component) struct aic3x_priv *aic3x = snd_soc_component_get_drvdata(component); int i; - list_del(&aic3x->list); for (i = 0; i < ARRAY_SIZE(aic3x->supplies); i++) regulator_unregister_notifier(aic3x->supplies[i].consumer, &aic3x->disable_nb[i].nb); @@ -1890,6 +1888,7 @@ static int aic3x_i2c_probe(struct i2c_client *i2c, if (ret != 0) goto err_gpio; + INIT_LIST_HEAD(&aic3x->list); list_add(&aic3x->list, &reset_list); return 0; @@ -1906,6 +1905,8 @@ static int aic3x_i2c_remove(struct i2c_client *client) { struct aic3x_priv *aic3x = i2c_get_clientdata(client); + list_del(&aic3x->list); + if (gpio_is_valid(aic3x->gpio_reset) && !aic3x_is_shared_reset(aic3x)) { gpio_set_value(aic3x->gpio_reset, 0); -- 2.19.1

6 years, 4 months

3
82
0 0

[PATCH 4.14 stable 0/5] net: ip6 defrag: backport fixes

by Peter Oskolkov

This is a backport of a 5.1rc patchset: https://patchwork.ozlabs.org/cover/1029418/ Which was backported into 4.19: https://patchwork.ozlabs.org/cover/1081619/ I had to backport two additional patches into 4.14 to make it work. John Masinter (captwiggum), could you, please, confirm that this patchset fixes TAHI tests? (I'm reasonably certain that it does, as I ran ip_defrag selftest, but given the amount of changes here, another set of completed tests would be nice to have). Eric Dumazet (1): ipv6: frags: fix a lockdep false positive Florian Westphal (1): ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module Peter Oskolkov (3): net: IP defrag: encapsulate rbtree defrag code into callable functions net: IP6 defrag: use rbtrees for IPv6 defrag net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c include/net/inet_frag.h | 16 +- include/net/ipv6.h | 29 -- include/net/ipv6_frag.h | 111 +++++++ net/ieee802154/6lowpan/reassembly.c | 2 +- net/ipv4/inet_fragment.c | 293 ++++++++++++++++++ net/ipv4/ip_fragment.c | 290 ++---------------- net/ipv6/netfilter/nf_conntrack_reasm.c | 279 +++++------------ net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 3 +- net/ipv6/reassembly.c | 357 +++++----------------- net/openvswitch/conntrack.c | 1 + 10 files changed, 616 insertions(+), 765 deletions(-) create mode 100644 include/net/ipv6_frag.h -- 2.21.0.593.g511ec345e18-goog

6 years, 4 months

4
8
0 0

Linux 5.0.10

by Greg KH

I'm announcing the release of the 5.0.10 kernel. All users of the 5.0 kernel series must upgrade. The updated 5.0.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.0.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 5 arch/arm64/include/asm/futex.h | 2 arch/s390/boot/mem_detect.c | 2 arch/x86/crypto/poly1305-avx2-x86_64.S | 14 + arch/x86/crypto/poly1305-sse2-x86_64.S | 22 +- arch/x86/events/amd/core.c | 35 +++- arch/x86/events/intel/core.c | 2 arch/x86/events/perf_event.h | 38 ++-- arch/x86/kernel/cpu/bugs.c | 6 arch/x86/kernel/kprobes/core.c | 48 ++++++ arch/x86/kernel/process.c | 8 - arch/x86/kvm/emulate.c | 21 +- arch/x86/kvm/svm.c | 24 ++- arch/x86/kvm/vmx/vmx.c | 4 arch/x86/kvm/x86.c | 10 - arch/x86/kvm/x86.h | 2 crypto/testmgr.h | 44 +++++ drivers/acpi/nfit/core.c | 63 +++++--- drivers/acpi/nfit/nfit.h | 11 + drivers/base/memory.c | 2 drivers/char/ipmi/ipmi_msghandler.c | 19 ++ drivers/char/tpm/eventlog/tpm2.c | 4 drivers/char/tpm/tpm-dev-common.c | 9 + drivers/char/tpm/tpm_i2c_atmel.c | 4 drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c | 1 drivers/gpu/drm/ttm/ttm_page_alloc.c | 5 drivers/i3c/master.c | 5 drivers/i3c/master/dw-i3c-master.c | 2 drivers/iio/accel/kxcjk-1013.c | 2 drivers/iio/adc/ad_sigma_delta.c | 1 drivers/iio/adc/at91_adc.c | 28 ++- drivers/iio/chemical/bme680.h | 6 drivers/iio/chemical/bme680_core.c | 54 +++++-- drivers/iio/chemical/bme680_i2c.c | 21 -- drivers/iio/chemical/bme680_spi.c | 115 ++++++++++----- drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c | 7 drivers/iio/dac/mcp4725.c | 1 drivers/iio/gyro/bmg160_core.c | 6 drivers/iio/gyro/mpu3050-core.c | 8 - drivers/iio/industrialio-buffer.c | 5 drivers/iio/industrialio-core.c | 4 drivers/infiniband/core/uverbs_main.c | 3 drivers/input/mouse/elan_i2c_core.c | 25 +++ drivers/net/bonding/bond_main.c | 6 drivers/net/ethernet/cavium/thunder/nicvf_main.c | 22 ++ drivers/net/ethernet/freescale/fec_main.c | 30 ++- drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 4 drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 - drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 94 +++++++++--- drivers/net/ethernet/mellanox/mlx5/core/en_stats.c | 6 drivers/net/ethernet/mellanox/mlx5/core/en_stats.h | 4 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 61 +++---- drivers/net/ethernet/mellanox/mlxsw/core.c | 6 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 2 drivers/net/ethernet/netronome/nfp/flower/action.c | 3 drivers/net/ethernet/netronome/nfp/flower/cmsg.h | 3 drivers/net/ethernet/netronome/nfp/flower/match.c | 14 - drivers/net/team/team.c | 26 +++ drivers/net/wireless/mediatek/mt76/mt76x02_mac.c | 14 + drivers/net/wireless/ralink/rt2x00/rt2x00.h | 1 drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 10 - drivers/net/wireless/ralink/rt2x00/rt2x00queue.c | 15 + drivers/scsi/libfc/fc_rport.c | 1 drivers/scsi/scsi_lib.c | 6 drivers/staging/comedi/drivers/ni_usb6501.c | 10 - drivers/staging/comedi/drivers/vmk80xx.c | 8 - drivers/staging/iio/adc/ad7192.c | 8 - drivers/staging/iio/meter/ade7854.c | 2 drivers/staging/most/core.c | 2 drivers/tty/serial/sh-sci.c | 6 drivers/tty/vt/vt.c | 3 drivers/vhost/vhost.c | 6 fs/cifs/cifsglob.h | 2 fs/cifs/file.c | 30 +++ fs/cifs/misc.c | 25 +++ fs/cifs/smb2misc.c | 6 fs/cifs/smb2ops.c | 2 fs/cifs/smb2pdu.c | 11 - fs/dax.c | 15 + fs/proc/task_mmu.c | 18 ++ fs/userfaultfd.c | 9 + include/linux/kprobes.h | 1 include/linux/netdevice.h | 3 include/linux/sched/mm.h | 21 ++ include/net/nfc/nci_core.h | 2 include/net/tls.h | 4 kernel/events/ring_buffer.c | 33 +--- kernel/kprobes.c | 6 kernel/sched/fair.c | 25 +++ kernel/sysctl.c | 3 kernel/time/sched_clock.c | 4 kernel/time/tick-common.c | 2 kernel/time/timekeeping.h | 7 kernel/trace/ftrace.c | 6 mm/mmap.c | 7 mm/percpu.c | 8 - mm/vmstat.c | 5 net/atm/lec.c | 6 net/bridge/br_input.c | 23 +-- net/bridge/br_multicast.c | 4 net/bridge/br_netlink.c | 2 net/core/dev.c | 16 +- net/core/failover.c | 6 net/core/skbuff.c | 10 + net/ipv4/fou.c | 4 net/ipv4/route.c | 16 +- net/ipv4/tcp_input.c | 10 - net/ipv6/route.c | 4 net/mac80211/driver-ops.h | 3 net/nfc/nci/hci.c | 8 + net/sched/sch_cake.c | 57 +++---- net/strparser/strparser.c | 12 - net/tipc/name_table.c | 3 net/tls/tls_device.c | 12 + net/tls/tls_main.c | 24 +++ net/tls/tls_sw.c | 15 - security/device_cgroup.c | 2 sound/core/info.c | 12 + sound/core/init.c | 18 +- sound/pci/hda/patch_realtek.c | 6 122 files changed, 1135 insertions(+), 477 deletions(-) Alex Deucher (1): drm/amdgpu/gmc9: fix VM_L2_CNTL3 programming Alexander Shishkin (1): perf/ring_buffer: Fix AUX record suppression Andi Kleen (1): x86/cpu/bugs: Use __initconst for 'const' init data Andrea Arcangeli (1): coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping Andy Duan (1): net: fec: manage ahb clock in runtime pm Aneesh Kumar K.V (1): fs/dax: Deposit pagetable even when installing zero page Aurelien Aptel (1): CIFS: keep FileInfo handle live during oplock break Chang-An Chen (1): timers/sched_clock: Prevent generic sched_clock wrap caused by tick_freeze() Christian Gromm (1): staging: most: core: use device description as name Christian König (1): drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Corey Minyard (1): ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier Dan Carpenter (2): NFC: nci: Add some bounds checking in nci_hci_cmd_received() nfc: nci: Potential off by one in ->pipes[] array Dan Williams (4): nfit/ars: Remove ars_start_flags nfit/ars: Introduce scrub_flags nfit/ars: Allow root to busy-poll the ARS state machine nfit/ars: Avoid stale ARS results Dmytro Linkin (1): net/mlx5e: Protect against non-uplink representor for encap Dragos Bogdan (1): iio: ad_sigma_delta: select channel when reading register Eric Biggers (1): crypto: x86/poly1305 - fix overflow during partial reduction Eric Dumazet (2): tcp: tcp_grow_window() needs to respect tcp_space() ipv4: ensure rcu_read_lock() in ipv4_link_failure() Fabrice Gasnier (1): iio: core: fix a possible circular locking dependency Felix Fietkau (1): mac80211: do not call driver wake_tx_queue op during reconfig Geert Uytterhoeven (2): serial: sh-sci: Fix HSCIF RX sampling point adjustment serial: sh-sci: Fix HSCIF RX sampling point calculation Georg Ottinger (1): iio: adc: at91: disable adc channel interrupt in timeout case Greg Kroah-Hartman (1): Linux 5.0.10 Gustavo A. R. Silva (1): net: atm: Fix potential Spectre v1 vulnerabilities Gwendal Grignou (1): iio: cros_ec: Fix the maths for gyro scale calculation Hangbin Liu (1): team: set slave to promisc if team is already in promisc mode Hoang Le (1): tipc: missing entries in name table of publications Hui Wang (1): ALSA: hda/realtek - add two more pin configuration sets to quirk table Ian Abbott (4): staging: comedi: vmk80xx: Fix use of uninitialized semaphore staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf staging: comedi: ni_usb6501: Fix use of uninitialized mutex staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf Ido Schimmel (5): mlxsw: spectrum_switchdev: Add MDB entries in prepare phase mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue mlxsw: spectrum_router: Do not check VRF MAC address Jaesoo Lee (1): scsi: core: set result when the command cannot be dispatched Jakub Kicinski (5): net/tls: fix the IV leaks net/tls: don't leak partially sent record in device mode net: strparser: partially revert "strparser: Call skb_unclone conditionally" net/tls: fix build without CONFIG_TLS_DEVICE net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded() Jann Horn (1): device_cgroup: fix RCU imbalance in error case Jarkko Sakkinen (1): tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete Jason Wang (1): vhost: reject zero size iova range Jean-Francois Dagenais (1): iio: dac: mcp4725: add missing powerdown bits in store eeprom Joe Perches (1): s390/mem_detect: Use IS_ENABLED(CONFIG_BLK_DEV_INITRD) Jonathan Lemon (1): route: Avoid crash from dereferencing NULL rt->from KT Liao (1): Input: elan_i2c - add hardware ID for multiple Lenovo laptops Kan Liang (1): perf/x86: Fix incorrect PEBS_REGS Kim Phillips (1): perf/x86/amd: Add event map for AMD Family 17h Konstantin Khlebnikov (2): net/mlx5e: Switch to Toeplitz RSS hash by default mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n Lars-Peter Clausen (1): iio: Fix scan mask selection Leonard Pollak (1): Staging: iio: meter: fixed typo Lorenzo Bianconi (1): net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv Masami Hiramatsu (4): x86/kprobes: Verify stack frame on kretprobe kprobes: Mark ftrace mcount handler functions nokprobe x86/kprobes: Avoid kretprobe recursion bug kprobes: Fix error check when reusing optimized probes Matteo Croce (3): net: thunderx: raise XDP MTU to 1508 net: thunderx: don't allow jumbo frames with XDP percpu: stop printing kernel addresses Matthias Kaehlcke (1): Revert "kbuild: use -Oz instead of -Os when using clang" Mike Looijmans (3): iio/gyro/bmg160: Use millidegrees for temperature scale iio:chemical:bme680: Fix, report temperature in millidegrees iio:chemical:bme680: Fix SPI read interface Mikulas Patocka (1): vt: fix cursor when clearing the screen Mircea Caprioru (1): staging: iio: ad7192: Fix ad7193 channel address Nathan Chancellor (1): arm64: futex: Restore oldval initialization to work around buggy compilers Nikolay Aleksandrov (3): net: bridge: fix per-port af_packet sockets net: bridge: multicast: use rcu to access port list from br_multicast_start_querier net: bridge: fix netlink export of vlan_stats_per_port option Or Gerlitz (1): Revert "net/mlx5e: Enable reporting checksum unnecessary also for L3 packets" Phil Auld (1): sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup Pieter Jansen van Vuuren (2): nfp: flower: replace CFI with vlan present nfp: flower: remove vlan CFI bit from push vlan action Ronnie Sahlberg (1): cifs: fix handle leak in smb2_query_symlink() Sabrina Dubroca (1): bonding: fix event handling for stacked bonds Saeed Mahameed (5): net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded net/mlx5e: Rx, Fixup skb checksum for packets with tail padding net/mlx5e: Rx, Check ip headers sanity net/mlx5: FPGA, tls, hold rcu read lock a bit longer net/mlx5: FPGA, tls, idr remove on flow delete Saurav Kashyap (1): Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO" Sean Christopherson (1): KVM: x86: Don't clear EFER during SMM transitions for 32-bit vCPU Sergey Larin (1): iio: gyro: mpu3050: fix chip ID reading Si-Wei Liu (1): failover: allow name change on IFF_UP slave interfaces Stanislaw Gruszka (1): mt76x02: avoid status_list.lock and sta->rate_ctrl_lock dependency Stephen Suryaputra (1): ipv4: recompile ip options in ipv4_link_failure Suthikulpanit, Suravee (1): Revert "svm: Fix AVIC incomplete IPI emulation" Tadeusz Struk (1): tpm: fix an invalid condition in tpm_common_poll Takashi Iwai (2): ALSA: core: Fix card races between register and disconnect ALSA: info: Fix racy addition/deletion of nodes Thomas Gleixner (1): x86/speculation: Prevent deadlock on ssb_state::lock Toke Høiland-Jørgensen (3): sch_cake: Use tc_skb_protocol() helper for getting packet protocol sch_cake: Make sure we can write the IP header before changing DSCP bits sch_cake: Simplify logic in cake_select_tin() Vijayakumar Durai (1): rt2x00: do not increment sequence number while re-transmitting Vitaly Kuznetsov (1): KVM: x86: svm: make sure NMI is injected after nmi_singlestep Vitor Soares (2): i3c: dw: Fix dw_i3c_master_disable controller by using correct mask i3c: Fix the verification of random PID WANG Chao (1): x86/kvm: move kvm_load/put_guest_xcr0 into atomic context Will Deacon (1): kernel/sysctl.c: fix out-of-bounds access when setting file-max Yue Haibing (1): tpm: Fix the type of the return value in calc_tpm2_event_size() Yuya Kusakabe (1): net: Fix missing meta data in skb with vlan packet ZhangXiaoxu (3): cifs: Fix lease buffer length error cifs: Fix use-after-free in SMB2_write cifs: Fix use-after-free in SMB2_read he, bo (1): io: accel: kxcjk1013: restore the range after resume. zhong jiang (1): mm/memory_hotplug: do not unlock after failing to take the device_hotplug_lock

6 years, 4 months

2
2
0 0

Re: [PATCH] power: supply: axp288_fuel_gauge: Add ACEPC T8 and T11 mini PCs to the blacklist

by Hans de Goede

Hi, On 23-04-19 00:29, Sasha Levin wrote: > Hi, > > [This is an automated email] > > This commit has been processed because it contains a -stable tag. > The stable tag indicates that it's relevant for the following trees: all > > The bot has tested the following trees: v5.0.9, v4.19.36, v4.14.113, v4.9.170, v4.4.178, v3.18.138. > > v5.0.9: Build OK! > v4.19.36: Build OK! > v4.14.113: Failed to apply! Possible dependencies: > b60c75b6a502 ("power: supply: axp288_fuel_gauge: Do not register our psy on (some) HDMI sticks") > > v4.9.170: Failed to apply! Possible dependencies: > b60c75b6a502 ("power: supply: axp288_fuel_gauge: Do not register our psy on (some) HDMI sticks") > > v4.4.178: Failed to apply! Possible dependencies: > b60c75b6a502 ("power: supply: axp288_fuel_gauge: Do not register our psy on (some) HDMI sticks") > > v3.18.138: Failed to apply! Possible dependencies: > 5a5bf49088f4 ("X-Power AXP288 PMIC Fuel Gauge Driver") > b60c75b6a502 ("power: supply: axp288_fuel_gauge: Do not register our psy on (some) HDMI sticks") > c1a281e34dae ("power: Add support for DA9150 Charger") > > > How should we proceed with this patch? Just applying it to 4.19.x and 5.0.x is fine. Regards, Hans

6 years, 4 months

1
0
0 0

Re: [PATCH] brcmfmac: Add DMI nvram filename quirk for ACEPC T8 and T11 mini PCs

by Hans de Goede

Hi, On 23-04-19 00:29, Sasha Levin wrote: > Hi, > > [This is an automated email] > > This commit has been processed because it contains a -stable tag. > The stable tag indicates that it's relevant for the following trees: all > > The bot has tested the following trees: v5.0.9, v4.19.36, v4.14.113, v4.9.170, v4.4.178, v3.18.138. > > v5.0.9: Build OK! > v4.19.36: Failed to apply! Possible dependencies: > bd1e82bb420a ("brcmfmac: Set board_type from DMI on x86 based machines") > > v4.14.113: Failed to apply! Possible dependencies: > bd1e82bb420a ("brcmfmac: Set board_type from DMI on x86 based machines") > > v4.9.170: Failed to apply! Possible dependencies: > bd1e82bb420a ("brcmfmac: Set board_type from DMI on x86 based machines") > e457a8a01a19 ("brcmfmac: make brcmf_of_probe more generic") > > v4.4.178: Failed to apply! Possible dependencies: > 1119e23edf25 ("brcmfmac: Cleanup roaming configuration.") > 3f5893d1b30a ("brcmfmac: Add get_station support for IBSS") > 44129ed04b2b ("brcmfmac: add arp offload ip address table configuration support") > 46d703a77539 ("brcmfmac: Unify methods to define and map firmware files.") > 48ed16e86b28 ("brcmfmac: Add support for scheduled scan mac randomization") > 4d7928959832 ("brcmfmac: switch to new platform data") > 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code") > 7bf65aa9ad3f ("brcmfmac: Add beamforming support.") > 7d34b0560567 ("brcmfmac: Move all module parameters to one place") > 8abffd8173a1 ("brcmfmac: Add RSDB support.") > 8ea56be0869f ("brcmfmac: move platform data retrieval code to common") > a41286aee42f ("brcmfmac: Move scheduled scan related interface layer structs") > a7b82d474171 ("brcmfmac: Make TDLS a detectable feature") > aeb64225aa8e ("brcmfmac: Add wowl wake indication report.") > bd1e82bb420a ("brcmfmac: Set board_type from DMI on x86 based machines") > c9c0043894cf ("brcmfmac: Simplify and fix usage of brcmf_ifname.") > e457a8a01a19 ("brcmfmac: make brcmf_of_probe more generic") > > v3.18.138: Failed to apply! Possible dependencies: > 063d51776bd6 ("brcmfmac: avoid runtime-pm for sdio host controller") > 4d7928959832 ("brcmfmac: switch to new platform data") > 888bf76e4111 ("brcmfmac: (clean) Rename sdio related files.") > 8ea56be0869f ("brcmfmac: move platform data retrieval code to common") > a8e8ed3446a3 ("brcmfmac: (clean) Rename files dhd_dbg to debug") > bd1e82bb420a ("brcmfmac: Set board_type from DMI on x86 based machines") > d14f78b990ec ("brcmfmac: (clean) Rename dhd_bus.h in bus.h") > e457a8a01a19 ("brcmfmac: make brcmf_of_probe more generic") > > > How should we proceed with this patch? Just applying it to 5.0.x is fine. Regards, Hans

6 years, 4 months

1
0
0 0

✅ PASS: Stable queue: queue-5.0

by CKI Project

Hello, We ran automated tests on a patchset that was proposed for merging into this kernel tree. The patches were applied to: Kernel repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: d3da1f09fff2 - Linux 5.0.10 The results of these automated tests are provided below. Overall result: PASSED Merge: OK Compile: OK Tests: OK Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Merge testing ------------- We cloned this repository and checked out the following commit: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: d3da1f09fff2 - Linux 5.0.10 We then merged the patchset with `git am`: Compile testing --------------- We compiled the kernel for 4 architectures: aarch64: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/aarch64/kernel-stable_queue-aarch6… kernel build: https://artifacts.cki-project.org/builds/aarch64/kernel-stable_queue-aarch6… ppc64le: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/ppc64le/kernel-stable_queue-ppc64l… kernel build: https://artifacts.cki-project.org/builds/ppc64le/kernel-stable_queue-ppc64l… s390x: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/s390x/kernel-stable_queue-s390x-eb… kernel build: https://artifacts.cki-project.org/builds/s390x/kernel-stable_queue-s390x-eb… x86_64: build options: -j20 INSTALL_MOD_STRIP=1 targz-pkg configuration: https://artifacts.cki-project.org/builds/x86_64/kernel-stable_queue-x86_64-… kernel build: https://artifacts.cki-project.org/builds/x86_64/kernel-stable_queue-x86_64-… Hardware testing ---------------- We booted each kernel and ran the following tests: aarch64: ✅ Boot test [0] ✅ LTP lite [1] ✅ Loopdev Sanity [2] ✅ AMTU (Abstract Machine Test Utility) [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ iotop: sanity [5] ✅ tuned: tune-processes-through-perf [6] ✅ lvm thinp sanity [7] 🚧 ✅ audit: audit testsuite test [8] 🚧 ✅ stress: stress-ng [9] ppc64le: ✅ Boot test [0] ✅ LTP lite [1] ✅ Loopdev Sanity [2] ✅ AMTU (Abstract Machine Test Utility) [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ iotop: sanity [5] ✅ tuned: tune-processes-through-perf [6] ✅ lvm thinp sanity [7] 🚧 ✅ audit: audit testsuite test [8] 🚧 ✅ selinux-policy: serge-testsuite [10] 🚧 ✅ stress: stress-ng [9] s390x: ✅ Boot test [0] ✅ LTP lite [1] ✅ Loopdev Sanity [2] ✅ httpd: mod_ssl smoke sanity [4] ✅ iotop: sanity [5] ✅ tuned: tune-processes-through-perf [6] ✅ lvm thinp sanity [7] 🚧 ✅ audit: audit testsuite test [8] 🚧 ✅ stress: stress-ng [9] x86_64: ✅ Boot test [0] ✅ LTP lite [1] ✅ Loopdev Sanity [2] ✅ AMTU (Abstract Machine Test Utility) [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ iotop: sanity [5] ✅ tuned: tune-processes-through-perf [6] ✅ lvm thinp sanity [7] 🚧 ✅ audit: audit testsuite test [8] 🚧 ✅ selinux-policy: serge-testsuite [10] 🚧 ✅ stress: stress-ng [9] Test source: [0]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [1]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [2]: https://github.com/CKI-project/tests-beaker/archive/master.zip#filesystems/… [3]: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu [4]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [5]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/iot… [6]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… [7]: https://github.com/CKI-project/tests-beaker/archive/master.zip#storage/lvm/… [8]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/aud… [9]: https://github.com/CKI-project/tests-beaker/archive/master.zip#stress/stres… [10]: https://github.com/CKI-project/tests-beaker/archive/master.zip#/packages/se… Waived tests (marked with 🚧) ----------------------------- This test run included waived tests. Such tests are executed but their results are not taken into account. Tests are waived when their results are not reliable enough, e.g. when they're just introduced or are being fixed.

6 years, 4 months

1
0
0 0

stable/linux-3.18.y boot: 22 boots: 4 failed, 18 passed (v3.18.139)

by kernelci.org bot

stable/linux-3.18.y boot: 22 boots: 4 failed, 18 passed (v3.18.139) Full Boot Summary: https://kernelci.org/boot/all/job/stable/branch/linux-3.18.y/kernel/v3.18.1… Full Build Summary: https://kernelci.org/build/stable/branch/linux-3.18.y/kernel/v3.18.139/ Tree: stable Branch: linux-3.18.y Git Describe: v3.18.139 Git Commit: dc3e913edf94d54de5678e726cf95b38327e5d09 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git Tested: 10 unique boards, 5 SoC families, 7 builds out of 189 Boot Regressions Detected: arm: multi_v7_defconfig: gcc-7: tegra124-nyan-big: lab-collabora: new failure (last pass: v3.18.134) tegra_defconfig: gcc-7: tegra124-nyan-big: lab-collabora: new failure (last pass: v3.18.134) Boot Failures Detected: arm: multi_v7_defconfig: gcc-7: tegra124-nyan-big: 1 failed lab tegra_defconfig: gcc-7: tegra124-nyan-big: 1 failed lab x86_64: x86_64_defconfig: gcc-7: minnowboard-turbot-E3826: 1 failed lab x86-x5-z8350: 1 failed lab --- For more info write to <info(a)kernelci.org>

6 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror