- Linux-stable-mirror - lists.linaro.org

by Greg KH

I'm announcing the release of the 4.9.123 kernel. All users of the 4.9 kernel series must upgrade. The updated 4.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- arch/x86/include/asm/pgtable.h | 13 ++++++++----- drivers/acpi/sleep.c | 8 ++++++++ drivers/isdn/i4l/isdn_common.c | 8 +------- drivers/tty/serial/8250/8250_dw.c | 3 ++- drivers/tty/serial/8250/8250_port.c | 3 +-- drivers/usb/serial/option.c | 4 ++++ drivers/usb/serial/sierra.c | 4 ++-- include/net/af_vsock.h | 4 ++-- include/net/llc.h | 5 +++++ net/bluetooth/sco.c | 3 ++- net/dccp/ccids/ccid2.c | 6 ++++-- net/ipv6/ip6_tunnel.c | 8 ++------ net/l2tp/l2tp_core.c | 2 +- net/llc/llc_core.c | 4 ++-- net/sched/cls_matchall.c | 2 ++ net/sched/cls_tcindex.c | 8 +++----- net/vmw_vsock/af_vsock.c | 15 ++++++++------- net/vmw_vsock/vmci_transport.c | 3 +-- sound/core/memalloc.c | 8 ++------ sound/core/seq/seq_virmidi.c | 10 ++++++++++ sound/pci/cs5535audio/cs5535audio.h | 6 +++--- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 ++-- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_conexant.c | 4 +++- sound/pci/vx222/vx222_ops.c | 8 ++++---- sound/pcmcia/vx/vxp_ops.c | 10 +++++----- 27 files changed, 89 insertions(+), 68 deletions(-) Aleksander Morgado (1): USB: option: add support for DW5821e Alexey Kodanev (1): dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() Chen Hu (1): serial: 8250_dw: always set baud rate in dw8250_set_termios Cong Wang (2): llc: use refcount_inc_not_zero() for llc_sap_find() vsock: split dwork to avoid reinitializations Greg Kroah-Hartman (1): Linux 4.9.123 Hangbin Liu (3): net_sched: Fix missing res info when create new tc_index filter net_sched: fix NULL pointer dereference when delete tcindex filter cls_matchall: fix tcf_unbind_filter missing Hans de Goede (1): ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry John Ogness (1): USB: serial: sierra: fix potential deadlock at close Kees Cook (1): isdn: Disable IIOCDBGVAR Mark (1): tty: serial: 8250: Revert NXP SC16C2552 workaround Park Ju Hyung (2): ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs ALSA: hda - Turn CX8200 into D3 as well upon reboot Srinath Mannam (1): serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Sudip Mukherjee (1): Bluetooth: avoid killing an already killed socket Takashi Iwai (5): ALSA: vx222: Fix invalid endian conversions ALSA: virmidi: Fix too long output trigger loop ALSA: cs5535audio: Fix invalid endian conversion ALSA: memalloc: Don't exceed over the requested size ALSA: vxpocket: Fix invalid endian conversions Tom Lendacky (1): x86/mm: Simplify p[g4um]d_page() macros Wei Wang (1): l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Willy Tarreau (1): ACPI / PM: save NVS memory for ASUS 1025C laptop Xin Long (1): ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit

7 years

1
1
0 0

Linux 4.14.66

by Greg KH

I'm announcing the release of the 4.14.66 kernel. All users of the 4.14 kernel series must upgrade. The updated 4.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.14.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 - drivers/acpi/sleep.c | 8 +++++++ drivers/isdn/i4l/isdn_common.c | 8 ------- drivers/misc/sram.c | 9 +++++++- drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 2 - drivers/tty/serial/8250/8250_dw.c | 3 +- drivers/tty/serial/8250/8250_exar.c | 6 ++++- drivers/tty/serial/8250/8250_port.c | 3 -- drivers/usb/serial/option.c | 4 +++ drivers/usb/serial/pl2303.c | 2 + drivers/usb/serial/pl2303.h | 1 drivers/usb/serial/sierra.c | 4 +-- drivers/vhost/vhost.c | 9 +++++--- include/net/af_vsock.h | 4 +-- include/net/llc.h | 5 ++++ net/bluetooth/sco.c | 3 +- net/dccp/ccids/ccid2.c | 6 +++-- net/ipv6/ip6_tunnel.c | 8 +------ net/l2tp/l2tp_core.c | 2 - net/llc/llc_core.c | 4 +-- net/sched/cls_matchall.c | 2 + net/sched/cls_tcindex.c | 8 ++----- net/vmw_vsock/af_vsock.c | 15 +++++++------- net/vmw_vsock/vmci_transport.c | 3 -- sound/core/memalloc.c | 8 +------ sound/core/seq/seq_virmidi.c | 10 +++++++++ sound/pci/cs5535audio/cs5535audio.h | 6 ++--- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 +-- sound/pci/hda/hda_intel.c | 2 - sound/pci/hda/patch_conexant.c | 4 ++- sound/pci/vx222/vx222_ops.c | 8 +++---- sound/pcmcia/vx/vxp_ops.c | 10 ++++----- 32 files changed, 104 insertions(+), 69 deletions(-) Aaron Sierra (1): serial: 8250_exar: Read INT0 from slave device, too Aleksander Morgado (1): USB: option: add support for DW5821e Alexey Kodanev (1): dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() Chen Hu (1): serial: 8250_dw: always set baud rate in dw8250_set_termios Cong Wang (2): llc: use refcount_inc_not_zero() for llc_sap_find() vsock: split dwork to avoid reinitializations Dmitry Bogdanov (1): net: aquantia: Fix IFF_ALLMULTI flag functionality Greg Kroah-Hartman (1): Linux 4.14.66 Hangbin Liu (3): net_sched: fix NULL pointer dereference when delete tcindex filter net_sched: Fix missing res info when create new tc_index filter cls_matchall: fix tcf_unbind_filter missing Hans de Goede (1): ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Jason Wang (1): vhost: reset metadata cache when initializing new IOTLB Johan Hovold (1): misc: sram: fix resource leaks in probe error path John Ogness (1): USB: serial: sierra: fix potential deadlock at close Kees Cook (1): isdn: Disable IIOCDBGVAR Mark (1): tty: serial: 8250: Revert NXP SC16C2552 workaround Movie Song (1): USB: serial: pl2303: add a new device id for ATEN Park Ju Hyung (2): ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs ALSA: hda - Turn CX8200 into D3 as well upon reboot Srinath Mannam (1): serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Sudip Mukherjee (1): Bluetooth: avoid killing an already killed socket Takashi Iwai (5): ALSA: vx222: Fix invalid endian conversions ALSA: virmidi: Fix too long output trigger loop ALSA: cs5535audio: Fix invalid endian conversion ALSA: memalloc: Don't exceed over the requested size ALSA: vxpocket: Fix invalid endian conversions Wei Wang (1): l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Willy Tarreau (1): ACPI / PM: save NVS memory for ASUS 1025C laptop Xin Long (1): ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit

7 years

1
1
0 0

Linux 4.17.18

by Greg KH

I'm announcing the release of the 4.17.18 kernel. All users of the 4.17 kernel series must upgrade. The updated 4.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.17.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 drivers/acpi/sleep.c | 8 drivers/isdn/i4l/isdn_common.c | 8 drivers/misc/sram.c | 9 drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 2 drivers/net/ethernet/marvell/mvneta.c | 53 ++-- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 8 drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c | 51 ++- drivers/net/ethernet/realtek/r8169.c | 12 drivers/tty/serial/8250/8250_dw.c | 3 drivers/tty/serial/8250/8250_exar.c | 6 drivers/tty/serial/8250/8250_port.c | 3 drivers/usb/serial/option.c | 4 drivers/usb/serial/pl2303.c | 2 drivers/usb/serial/pl2303.h | 1 drivers/usb/serial/sierra.c | 4 drivers/vhost/vhost.c | 9 include/net/af_vsock.h | 4 include/net/llc.h | 5 net/bluetooth/sco.c | 3 net/core/sock_diag.c | 2 net/dccp/ccids/ccid2.c | 6 net/ipv4/ip_vti.c | 3 net/ipv6/ip6_tunnel.c | 8 net/l2tp/l2tp_core.c | 2 net/llc/llc_core.c | 4 net/rxrpc/ar-internal.h | 8 net/rxrpc/conn_event.c | 4 net/rxrpc/net_ns.c | 6 net/rxrpc/output.c | 12 net/rxrpc/peer_event.c | 156 ++++++------ net/rxrpc/peer_object.c | 8 net/rxrpc/rxkad.c | 4 net/sched/cls_matchall.c | 2 net/sched/cls_tcindex.c | 8 net/socket.c | 3 net/vmw_vsock/af_vsock.c | 15 - net/vmw_vsock/vmci_transport.c | 3 sound/core/memalloc.c | 8 sound/core/seq/oss/seq_oss.c | 2 sound/core/seq/seq_clientmgr.c | 2 sound/core/seq/seq_virmidi.c | 10 sound/pci/cs5535audio/cs5535audio.h | 6 sound/pci/cs5535audio/cs5535audio_pcm.c | 4 sound/pci/hda/hda_intel.c | 2 sound/pci/hda/patch_conexant.c | 4 sound/pci/vx222/vx222_ops.c | 8 sound/pcmcia/vx/vxp_ops.c | 10 48 files changed, 295 insertions(+), 212 deletions(-) Aaron Sierra (1): serial: 8250_exar: Read INT0 from slave device, too Aleksander Morgado (1): USB: option: add support for DW5821e Alexey Kodanev (1): dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() Andrew Lunn (1): net: ethernet: mvneta: Fix napi structure mixup on armada 3700 Chen Hu (1): serial: 8250_dw: always set baud rate in dw8250_set_termios Cong Wang (2): llc: use refcount_inc_not_zero() for llc_sap_find() vsock: split dwork to avoid reinitializations David Howells (1): rxrpc: Fix the keepalive generator [ver #2] Dmitry Bogdanov (1): net: aquantia: Fix IFF_ALLMULTI flag functionality Greg Kroah-Hartman (1): Linux 4.17.18 Haishuang Yan (1): ip_vti: fix a null pointer deferrence when create vti fallback tunnel Hangbin Liu (3): net_sched: fix NULL pointer dereference when delete tcindex filter net_sched: Fix missing res info when create new tc_index filter cls_matchall: fix tcf_unbind_filter missing Hans de Goede (1): ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Heiner Kallweit (1): r8169: don't use MSI-X on RTL8168g Jason Wang (1): vhost: reset metadata cache when initializing new IOTLB Jeremy Cline (1): net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() Jian-Hong Pan (1): r8169: don't use MSI-X on RTL8106e Jisheng Zhang (1): net: mvneta: fix mvneta_config_rss on armada 3700 Johan Hovold (1): misc: sram: fix resource leaks in probe error path John Ogness (1): USB: serial: sierra: fix potential deadlock at close Kees Cook (1): isdn: Disable IIOCDBGVAR Mark (1): tty: serial: 8250: Revert NXP SC16C2552 workaround Movie Song (1): USB: serial: pl2303: add a new device id for ATEN Nir Dotan (4): mlxsw: core_acl_flex_actions: Return error for conflicting actions mlxsw: core_acl_flex_actions: Remove redundant resource destruction mlxsw: core_acl_flex_actions: Remove redundant counter destruction mlxsw: core_acl_flex_actions: Remove redundant mirror resource destruction Or Gerlitz (1): net/mlx5e: Properly check if hairpin is possible between two functions Park Ju Hyung (2): ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs ALSA: hda - Turn CX8200 into D3 as well upon reboot Srinath Mannam (1): serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Sudip Mukherjee (1): Bluetooth: avoid killing an already killed socket Takashi Iwai (6): ALSA: vx222: Fix invalid endian conversions ALSA: virmidi: Fix too long output trigger loop ALSA: cs5535audio: Fix invalid endian conversion ALSA: memalloc: Don't exceed over the requested size ALSA: vxpocket: Fix invalid endian conversions ALSA: seq: Fix poll() error return Wei Wang (1): l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Willy Tarreau (1): ACPI / PM: save NVS memory for ASUS 1025C laptop Xin Long (1): ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit

7 years

1
1
0 0

Linux 4.18.4

by Greg KH

I'm announcing the release of the 4.18.4 kernel. All users of the 4.18 kernel series must upgrade. The updated 4.18.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.18.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 - drivers/acpi/sleep.c | 8 ++++ drivers/isdn/i4l/isdn_common.c | 8 ---- drivers/media/usb/dvb-usb-v2/gl861.c | 21 ++++++------ drivers/misc/sram.c | 9 ++++- drivers/net/ethernet/marvell/mvneta.c | 53 +++++++++++++++++++------------- drivers/net/ethernet/realtek/r8169.c | 12 ++++++- drivers/net/hyperv/rndis_filter.c | 2 - drivers/tty/serial/8250/8250_dw.c | 3 + drivers/tty/serial/8250/8250_exar.c | 6 +++ drivers/tty/serial/8250/8250_port.c | 3 - drivers/uio/uio.c | 10 +----- drivers/usb/serial/option.c | 4 ++ drivers/usb/serial/pl2303.c | 2 + drivers/usb/serial/pl2303.h | 1 drivers/usb/serial/sierra.c | 4 +- net/bluetooth/sco.c | 3 + net/core/sock_diag.c | 2 + net/ipv4/ip_vti.c | 3 + net/l2tp/l2tp_core.c | 2 - net/sched/cls_matchall.c | 2 + net/sched/cls_tcindex.c | 8 +--- net/socket.c | 3 - sound/core/memalloc.c | 8 +--- sound/core/seq/oss/seq_oss.c | 2 - sound/core/seq/seq_clientmgr.c | 2 - sound/core/seq/seq_virmidi.c | 10 ++++++ sound/firewire/dice/dice-alesis.c | 2 - sound/pci/cs5535audio/cs5535audio.h | 6 +-- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 +- sound/pci/hda/hda_intel.c | 2 - sound/pci/hda/patch_conexant.c | 4 +- sound/pci/vx222/vx222_ops.c | 8 ++-- sound/pcmcia/vx/vxp_ops.c | 10 +++--- 34 files changed, 137 insertions(+), 92 deletions(-) Aaron Sierra (1): serial: 8250_exar: Read INT0 from slave device, too Aleksander Morgado (1): USB: option: add support for DW5821e Andrew Lunn (1): net: ethernet: mvneta: Fix napi structure mixup on armada 3700 Chen Hu (1): serial: 8250_dw: always set baud rate in dw8250_set_termios Greg Kroah-Hartman (1): Linux 4.18.4 Hailong Liu (1): uio: fix wrong return value from uio_mmap() Haishuang Yan (1): ip_vti: fix a null pointer deferrence when create vti fallback tunnel Hangbin Liu (3): net_sched: fix NULL pointer dereference when delete tcindex filter net_sched: Fix missing res info when create new tc_index filter cls_matchall: fix tcf_unbind_filter missing Hans de Goede (1): ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Heiner Kallweit (1): r8169: don't use MSI-X on RTL8168g Jeremy Cline (1): net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() Jian-Hong Pan (1): r8169: don't use MSI-X on RTL8106e Jisheng Zhang (1): net: mvneta: fix mvneta_config_rss on armada 3700 Johan Hovold (1): misc: sram: fix resource leaks in probe error path John Ogness (1): USB: serial: sierra: fix potential deadlock at close Kees Cook (1): isdn: Disable IIOCDBGVAR Mark (1): tty: serial: 8250: Revert NXP SC16C2552 workaround Mika Båtsman (1): media: gl861: fix probe of dvb_usb_gl861 Movie Song (1): USB: serial: pl2303: add a new device id for ATEN Park Ju Hyung (2): ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs ALSA: hda - Turn CX8200 into D3 as well upon reboot Srinath Mannam (1): serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Sudip Mukherjee (1): Bluetooth: avoid killing an already killed socket Takashi Iwai (7): ALSA: vx222: Fix invalid endian conversions ALSA: virmidi: Fix too long output trigger loop ALSA: cs5535audio: Fix invalid endian conversion ALSA: memalloc: Don't exceed over the requested size ALSA: vxpocket: Fix invalid endian conversions ALSA: seq: Fix poll() error return hv/netvsc: Fix NULL dereference at single queue mode fallback Takashi Sakamoto (1): ALSA: dice: fix wrong copy to rx parameters for Alesis iO26 Wei Wang (1): l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Willy Tarreau (1): ACPI / PM: save NVS memory for ASUS 1025C laptop Xiubo Li (1): Revert "uio: use request_threaded_irq instead"

7 years

1
1
0 0

Re: [PATCH] crypto: vmx - Fix sleep-in-atomic bugs

by Marcelo Henrique Cerri

On Tue, Aug 21, 2018 at 05:24:45PM +0200, Ondrej Mosnáček wrote: > CC: Paulo Flabiano Smorigo <pfsmorigo(a)linux.vnet.ibm.com>, > linuxppc-dev(a)lists.ozlabs.org > > (Sorry, sent this before reading new e-mails in the thread...) > > ut 21. 8. 2018 o 17:18 Ondrej Mosnacek <omosnace(a)redhat.com> napísal(a): > > > > This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX > > implementations. The problem is that the blkcipher_* functions should > > not be called in atomic context. > > > > The bugs can be reproduced via the AF_ALG interface by trying to > > encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the > > VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then > > trigger BUG in crypto_yield(): > > > > [ 891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424 > > [ 891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc > > [ 891.864739] 1 lock held by kcapi-enc/12347: > > [ 891.864811] #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530 > > [ 891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1 > > [ 891.865251] Call Trace: > > [ 891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable) > > [ 891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310 > > [ 891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0 > > [ 891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto] > > [ 891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80 > > [ 891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530 > > [ 891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0 > > [ 891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0 > > [ 891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0 > > [ 891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70 > > > > Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module") > > Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") > > Cc: stable(a)vger.kernel.org > > Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com> > > --- > > This patch should fix the issue, but I didn't test it. (I'll see if I > > can find some time tomorrow to try and recompile the kernel on a PPC > > machine... in the meantime please review :) > > > > drivers/crypto/vmx/aes_cbc.c | 30 ++++++++++++++---------------- > > drivers/crypto/vmx/aes_xts.c | 19 ++++++++++++------- > > 2 files changed, 26 insertions(+), 23 deletions(-) > > > > diff --git a/drivers/crypto/vmx/aes_cbc.c b/drivers/crypto/vmx/aes_cbc.c > > index 5285ece4f33a..b71895871be3 100644 > > --- a/drivers/crypto/vmx/aes_cbc.c > > +++ b/drivers/crypto/vmx/aes_cbc.c > > @@ -107,24 +107,23 @@ static int p8_aes_cbc_encrypt(struct blkcipher_desc *desc, > > ret = crypto_skcipher_encrypt(req); > > skcipher_request_zero(req); > > } else { > > - preempt_disable(); > > - pagefault_disable(); > > - enable_kernel_vsx(); > > - > > blkcipher_walk_init(&walk, dst, src, nbytes); > > ret = blkcipher_walk_virt(desc, &walk); > > while ((nbytes = walk.nbytes)) { > > + preempt_disable(); > > + pagefault_disable(); > > + enable_kernel_vsx(); > > aes_p8_cbc_encrypt(walk.src.virt.addr, > > walk.dst.virt.addr, > > nbytes & AES_BLOCK_MASK, > > &ctx->enc_key, walk.iv, 1); > > + disable_kernel_vsx(); > > + pagefault_enable(); > > + preempt_enable(); > > + > > nbytes &= AES_BLOCK_SIZE - 1; > > ret = blkcipher_walk_done(desc, &walk, nbytes); > > } > > - > > - disable_kernel_vsx(); > > - pagefault_enable(); > > - preempt_enable(); > > } > > > > return ret; > > @@ -147,24 +146,23 @@ static int p8_aes_cbc_decrypt(struct blkcipher_desc *desc, > > ret = crypto_skcipher_decrypt(req); > > skcipher_request_zero(req); > > } else { > > - preempt_disable(); > > - pagefault_disable(); > > - enable_kernel_vsx(); > > - > > blkcipher_walk_init(&walk, dst, src, nbytes); > > ret = blkcipher_walk_virt(desc, &walk); > > while ((nbytes = walk.nbytes)) { > > + preempt_disable(); > > + pagefault_disable(); > > + enable_kernel_vsx(); > > aes_p8_cbc_encrypt(walk.src.virt.addr, > > walk.dst.virt.addr, > > nbytes & AES_BLOCK_MASK, > > &ctx->dec_key, walk.iv, 0); > > + disable_kernel_vsx(); > > + pagefault_enable(); > > + preempt_enable(); > > + > > nbytes &= AES_BLOCK_SIZE - 1; > > ret = blkcipher_walk_done(desc, &walk, nbytes); > > } > > - > > - disable_kernel_vsx(); > > - pagefault_enable(); > > - preempt_enable(); > > } > > > > return ret; > > diff --git a/drivers/crypto/vmx/aes_xts.c b/drivers/crypto/vmx/aes_xts.c > > index 8bd9aff0f55f..016ef52390c9 100644 > > --- a/drivers/crypto/vmx/aes_xts.c > > +++ b/drivers/crypto/vmx/aes_xts.c > > @@ -116,13 +116,14 @@ static int p8_aes_xts_crypt(struct blkcipher_desc *desc, > > ret = enc? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req); > > skcipher_request_zero(req); > > } else { > > + blkcipher_walk_init(&walk, dst, src, nbytes); > > + > > + ret = blkcipher_walk_virt(desc, &walk); > > + > > preempt_disable(); > > pagefault_disable(); > > enable_kernel_vsx(); > > > > - blkcipher_walk_init(&walk, dst, src, nbytes); > > - > > - ret = blkcipher_walk_virt(desc, &walk); > > iv = walk.iv; > > memset(tweak, 0, AES_BLOCK_SIZE); > > aes_p8_encrypt(iv, tweak, &ctx->tweak_key); > > @@ -135,13 +136,17 @@ static int p8_aes_xts_crypt(struct blkcipher_desc *desc, > > aes_p8_xts_decrypt(walk.src.virt.addr, walk.dst.virt.addr, > > nbytes & AES_BLOCK_MASK, &ctx->dec_key, NULL, tweak); > > > > + disable_kernel_vsx(); > > + pagefault_enable(); > > + preempt_enable(); > > + > > nbytes &= AES_BLOCK_SIZE - 1; > > ret = blkcipher_walk_done(desc, &walk, nbytes); > > - } > > > > - disable_kernel_vsx(); > > - pagefault_enable(); > > - preempt_enable(); > > + preempt_disable(); > > + pagefault_disable(); > > + enable_kernel_vsx(); > > + } That doesn't seem right. It would leave preemption disabled when leaving the function. > > } > > return ret; > > } > > -- > > 2.17.1 > > -- Regards, Marcelo

7 years

2
1
0 0

[patch 129/167] reiserfs: fix broken xattr handling (heap corruption, bad retval)

by akpm＠linux-foundation.org

From: Jann Horn <jannh(a)google.com> Subject: reiserfs: fix broken xattr handling (heap corruption, bad retval) This fixes the following issues: - When a buffer size is supplied to reiserfs_listxattr() such that each individual name fits, but the concatenation of all names doesn't fit, reiserfs_listxattr() overflows the supplied buffer. This leads to a kernel heap overflow (verified using KASAN) followed by an out-of-bounds usercopy and is therefore a security bug. - When a buffer size is supplied to reiserfs_listxattr() such that a name doesn't fit, -ERANGE should be returned. But reiserfs instead just truncates the list of names; I have verified that if the only xattr on a file has a longer name than the supplied buffer length, listxattr() incorrectly returns zero. With my patch applied, -ERANGE is returned in both cases and the memory corruption doesn't happen anymore. Credit for making me clean this code up a bit goes to Al Viro, who pointed out that the ->actor calling convention is suboptimal and should be changed. Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers") Signed-off-by: Jann Horn <jannh(a)google.com> Acked-by: Jeff Mahoney <jeffm(a)suse.com> Cc: Eric Biggers <ebiggers(a)google.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/reiserfs/xattr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/fs/reiserfs/xattr.c~reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval +++ a/fs/reiserfs/xattr.c @@ -792,8 +792,10 @@ static int listxattr_filler(struct dir_c return 0; size = namelen + 1; if (b->buf) { - if (size > b->size) + if (b->pos + size > b->size) { + b->pos = -ERANGE; return -ERANGE; + } memcpy(b->buf + b->pos, name, namelen); b->buf[b->pos + namelen] = 0; } _

7 years

1
0
0 0

[patch 037/167] drivers/block/zram/zram_drv.c: fix bug storing backing_dev

by akpm＠linux-foundation.org

From: Peter Kalauskas <peskal(a)google.com> Subject: drivers/block/zram/zram_drv.c: fix bug storing backing_dev The call to strlcpy in backing_dev_store is incorrect. It should take the size of the destination buffer instead of the size of the source buffer. Additionally, ignore the newline character (\n) when reading the new file_name buffer. This makes it possible to set the backing_dev as follows: echo /dev/sdX > /sys/block/zram0/backing_dev The reason it worked before was the fact that strlcpy() copies 'len - 1' bytes, which is strlen(buf) - 1 in our case, so it accidentally didn't copy the trailing new line symbol. Which also means that "echo -n /dev/sdX" most likely was broken. Signed-off-by: Peter Kalauskas <peskal(a)google.com> Link: http://lkml.kernel.org/r/20180813061623.GC64836@rodete-desktop-imager.corp.… Acked-by: Minchan Kim <minchan(a)kernel.org> Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Cc: <stable(a)vger.kernel.org> [4.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/block/zram/zram_drv.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/drivers/block/zram/zram_drv.c~zram-fix-bug-storing-backing_dev +++ a/drivers/block/zram/zram_drv.c @@ -337,6 +337,7 @@ static ssize_t backing_dev_store(struct struct device_attribute *attr, const char *buf, size_t len) { char *file_name; + size_t sz; struct file *backing_dev = NULL; struct inode *inode; struct address_space *mapping; @@ -357,7 +358,11 @@ static ssize_t backing_dev_store(struct goto out; } - strlcpy(file_name, buf, len); + strlcpy(file_name, buf, PATH_MAX); + /* ignore trailing newline */ + sz = strlen(file_name); + if (sz > 0 && file_name[sz - 1] == '\n') + file_name[sz - 1] = 0x00; backing_dev = filp_open(file_name, O_RDWR|O_LARGEFILE, 0); if (IS_ERR(backing_dev)) { _

7 years

1
0
0 0

[PATCH v5] spi: spi-mem: Adjust op len based on message/transfer size limitations

by Chuanhua Han

We need that to adjust the len of the 2nd transfer (called data in spi-mem) if it's too long to fit in a SPI message or SPI transfer. Fixes: c36ff266dc82 ("spi: Extend the core to ease integration of SPI memory controllers") Cc: <stable(a)vger.kernel.org> Signed-off-by: Chuanhua Han <chuanhua.han(a)nxp.com> Suggested-by: Boris Brezillon <boris.brezillon(a)bootlin.com> --- Changes in v5: -Add the validation check after the op->data.nbytes assignment -Assign the "len" variable after defining it Changes in v4: -Rename variable name "opcode_addr_dummy_sum" to "len". -The comparison of "spi_max_message_size(mem->spi)" and "len" was removed. -Adjust their order when comparing the sizes of "spi_max_message_size(mem->spi)" and "len" -Changing the "unsigned long" type in the code to "size_t" Changes in v3: -Rename variable name "val" to "opcode_addr_dummy_sum". -Place the legitimacy of the transfer size(i.e., "spi_max_message_size(mem->spi)" and -"opcode_addr_dummy_sum") into "if (! ctlr - > mem_ops | |! ctlr-> mem_ops->exec_op) {" structure and add "spi_max_transfer_size(mem->spi) and opcode_addr_dummy_sum". -Adjust the formatting alignment of the code. -"(unsigned long)op->data.nbytes" was modified to "(unsigned long)(op->data.nbytes)". Changes in v2: -Place the adjusted transfer bytes code in spi_mem_adjust_op_size() and check spi_max_message_size(mem->spi) value before subtracting opcode, addr and dummy bytes. -Change the code from fsl-espi controller to generic code(The adjustment of spi transmission length was originally modified in the "drivers/spi/spi-fsl-espi.c" file, and now the adjustment of transfer length is made in the "drivers/spi/spi-mem.c" file) drivers/spi/spi-mem.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/spi/spi-mem.c b/drivers/spi/spi-mem.c index 990770d..6184fa1 100644 --- a/drivers/spi/spi-mem.c +++ b/drivers/spi/spi-mem.c @@ -328,10 +328,26 @@ EXPORT_SYMBOL_GPL(spi_mem_exec_op); int spi_mem_adjust_op_size(struct spi_mem *mem, struct spi_mem_op *op) { struct spi_controller *ctlr = mem->spi->controller; + size_t len; + + len = sizeof(op->cmd.opcode) + op->addr.nbytes + op->dummy.nbytes; if (ctlr->mem_ops && ctlr->mem_ops->adjust_op_size) return ctlr->mem_ops->adjust_op_size(mem, op); + if (!ctlr->mem_ops || !ctlr->mem_ops->exec_op) { + if (len > spi_max_transfer_size(mem->spi)) + return -EINVAL; + + op->data.nbytes = min3((size_t)(op->data.nbytes), + spi_max_transfer_size(mem->spi), + spi_max_message_size(mem->spi) - + len); + + if (!op->data.nbytes) + return -EINVAL; + } + return 0; } EXPORT_SYMBOL_GPL(spi_mem_adjust_op_size); -- 2.7.4

7 years

1
0
0 0

[PATCH v2] mm: shmem: Correctly annotate new inodes for lockdep

by Joel Fernandes

From: "Joel Fernandes (Google)" <joel(a)joelfernandes.org> Directories and inodes don't necessarily need to be in the same lockdep class. For ex, hugetlbfs splits them out too to prevent false positives in lockdep. Annotate correctly after new inode creation. If its a directory inode, it will be put into a different class. This should fix a lockdep splat reported by syzbot: > ====================================================== > WARNING: possible circular locking dependency detected > 4.18.0-rc8-next-20180810+ #36 Not tainted > ------------------------------------------------------ > syz-executor900/4483 is trying to acquire lock: > 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at: inode_lock > include/linux/fs.h:765 [inline] > 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at: > shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602 > > but task is already holding lock: > 0000000025208078 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630 > drivers/staging/android/ashmem.c:448 > > which lock already depends on the new lock. > > -> #2 (ashmem_mutex){+.+.}: > __mutex_lock_common kernel/locking/mutex.c:925 [inline] > __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073 > mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088 > ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361 > call_mmap include/linux/fs.h:1844 [inline] > mmap_region+0xf27/0x1c50 mm/mmap.c:1762 > do_mmap+0xa10/0x1220 mm/mmap.c:1535 > do_mmap_pgoff include/linux/mm.h:2298 [inline] > vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357 > ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585 > __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] > __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline] > __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91 > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > -> #1 (&mm->mmap_sem){++++}: > __might_fault+0x155/0x1e0 mm/memory.c:4568 > _copy_to_user+0x30/0x110 lib/usercopy.c:25 > copy_to_user include/linux/uaccess.h:155 [inline] > filldir+0x1ea/0x3a0 fs/readdir.c:196 > dir_emit_dot include/linux/fs.h:3464 [inline] > dir_emit_dots include/linux/fs.h:3475 [inline] > dcache_readdir+0x13a/0x620 fs/libfs.c:193 > iterate_dir+0x48b/0x5d0 fs/readdir.c:51 > __do_sys_getdents fs/readdir.c:231 [inline] > __se_sys_getdents fs/readdir.c:212 [inline] > __x64_sys_getdents+0x29f/0x510 fs/readdir.c:212 > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > -> #0 (&sb->s_type->i_mutex_key#9){++++}: > lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924 > down_write+0x8f/0x130 kernel/locking/rwsem.c:70 > inode_lock include/linux/fs.h:765 [inline] > shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602 > ashmem_shrink_scan+0x236/0x630 drivers/staging/android/ashmem.c:455 > ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797 > vfs_ioctl fs/ioctl.c:46 [inline] > file_ioctl fs/ioctl.c:501 [inline] > do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685 > ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702 > __do_sys_ioctl fs/ioctl.c:709 [inline] > __se_sys_ioctl fs/ioctl.c:707 [inline] > __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707 > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > other info that might help us debug this: > > Chain exists of: > &sb->s_type->i_mutex_key#9 --> &mm->mmap_sem --> ashmem_mutex > > Possible unsafe locking scenario: > > CPU0 CPU1 > ---- ---- > lock(ashmem_mutex); > lock(&mm->mmap_sem); > lock(ashmem_mutex); > lock(&sb->s_type->i_mutex_key#9); > > *** DEADLOCK *** > > 1 lock held by syz-executor900/4483: > #0: 0000000025208078 (ashmem_mutex){+.+.}, at: > ashmem_shrink_scan+0xb4/0x630 drivers/staging/android/ashmem.c:448 Reported-by: syzbot <syzkaller(a)googlegroups.com> Cc: willy(a)infradead.org Cc: stable(a)vger.kernel.org Cc: peterz(a)infradead.org Cc: Andrew Morton <akpm(a)linux-foundation.org> Reviewed-by: NeilBrown <neilb(a)suse.com> Suggested-by: NeilBrown <neilb(a)suse.com> Signed-off-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> --- v1->v2: Added Reviewed-by of NeilBrown and CC Andrew. mm/shmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/shmem.c b/mm/shmem.c index 41b9bbf24e16..8264bbdbb6a5 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2226,6 +2226,8 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode mpol_shared_policy_init(&info->policy, NULL); break; } + + lockdep_annotate_inode_mutex_key(inode); } else shmem_free_inode(sb); return inode; -- 2.18.0.1017.ga543ac7ca45-goog

7 years

1
0
0 0

[PATCH] mm: shmem: Correctly annotate new inodes

by Joel Fernandes (Google)

Directories and inodes don't necessarily need to be in the same lockdep class. For ex, hugetlbfs splits them out too to prevent false positives in lockdep. Annotate correctly after new inode creation. If its a directory inode, it will be put into a different class. This should fix a lockdep splat reported by syzbot: > ====================================================== > WARNING: possible circular locking dependency detected > 4.18.0-rc8-next-20180810+ #36 Not tainted > ------------------------------------------------------ > syz-executor900/4483 is trying to acquire lock: > 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at: inode_lock > include/linux/fs.h:765 [inline] > 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at: > shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602 > > but task is already holding lock: > 0000000025208078 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630 > drivers/staging/android/ashmem.c:448 > > which lock already depends on the new lock. > > -> #2 (ashmem_mutex){+.+.}: > __mutex_lock_common kernel/locking/mutex.c:925 [inline] > __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073 > mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088 > ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361 > call_mmap include/linux/fs.h:1844 [inline] > mmap_region+0xf27/0x1c50 mm/mmap.c:1762 > do_mmap+0xa10/0x1220 mm/mmap.c:1535 > do_mmap_pgoff include/linux/mm.h:2298 [inline] > vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357 > ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585 > __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] > __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline] > __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91 > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > -> #1 (&mm->mmap_sem){++++}: > __might_fault+0x155/0x1e0 mm/memory.c:4568 > _copy_to_user+0x30/0x110 lib/usercopy.c:25 > copy_to_user include/linux/uaccess.h:155 [inline] > filldir+0x1ea/0x3a0 fs/readdir.c:196 > dir_emit_dot include/linux/fs.h:3464 [inline] > dir_emit_dots include/linux/fs.h:3475 [inline] > dcache_readdir+0x13a/0x620 fs/libfs.c:193 > iterate_dir+0x48b/0x5d0 fs/readdir.c:51 > __do_sys_getdents fs/readdir.c:231 [inline] > __se_sys_getdents fs/readdir.c:212 [inline] > __x64_sys_getdents+0x29f/0x510 fs/readdir.c:212 > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > -> #0 (&sb->s_type->i_mutex_key#9){++++}: > lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924 > down_write+0x8f/0x130 kernel/locking/rwsem.c:70 > inode_lock include/linux/fs.h:765 [inline] > shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602 > ashmem_shrink_scan+0x236/0x630 drivers/staging/android/ashmem.c:455 > ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797 > vfs_ioctl fs/ioctl.c:46 [inline] > file_ioctl fs/ioctl.c:501 [inline] > do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685 > ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702 > __do_sys_ioctl fs/ioctl.c:709 [inline] > __se_sys_ioctl fs/ioctl.c:707 [inline] > __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707 > do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > other info that might help us debug this: > > Chain exists of: > &sb->s_type->i_mutex_key#9 --> &mm->mmap_sem --> ashmem_mutex > > Possible unsafe locking scenario: > > CPU0 CPU1 > ---- ---- > lock(ashmem_mutex); > lock(&mm->mmap_sem); > lock(ashmem_mutex); > lock(&sb->s_type->i_mutex_key#9); > > *** DEADLOCK *** > > 1 lock held by syz-executor900/4483: > #0: 0000000025208078 (ashmem_mutex){+.+.}, at: > ashmem_shrink_scan+0xb4/0x630 drivers/staging/android/ashmem.c:448 Reported-by: syzbot <syzkaller(a)googlegroups.com> Cc: willy(a)infradead.org Cc: stable(a)vger.kernel.org Cc: peterz(a)infradead.org Suggested-by: Neil Brown <neilb(a)suse.com> Signed-off-by: Joel Fernandes (Google) <joel(a)joelfernandes.org> --- mm/shmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/shmem.c b/mm/shmem.c index 2cab84403055..4429a8fd932d 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2225,6 +2225,8 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode mpol_shared_policy_init(&info->policy, NULL); break; } + + lockdep_annotate_inode_mutex_key(inode); } else shmem_free_inode(sb); return inode; -- 2.18.0.597.ga71716f1ad-goog

7 years

2
1
0 0

[PATCH 4.4 00/22] 4.4.151-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.151 release. There are 22 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Aug 23 05:51:31 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.151-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.151-rc1 Kees Cook <keescook(a)chromium.org> isdn: Disable IIOCDBGVAR Sudip Mukherjee <sudipm.mukherjee(a)gmail.com> Bluetooth: avoid killing an already killed socket Tom Lendacky <thomas.lendacky(a)amd.com> x86/mm: Simplify p[g4um]d_page() macros Chen Hu <hu1.chen(a)intel.com> serial: 8250_dw: always set baud rate in dw8250_set_termios Willy Tarreau <w(a)1wt.eu> ACPI / PM: save NVS memory for ASUS 1025C laptop Zhang Rui <rui.zhang(a)intel.com> ACPI: save NVS memory for Lenovo G50-45 Aleksander Morgado <aleksander(a)aleksander.es> USB: option: add support for DW5821e John Ogness <john.ogness(a)linutronix.de> USB: serial: sierra: fix potential deadlock at close Takashi Iwai <tiwai(a)suse.de> ALSA: vxpocket: Fix invalid endian conversions Takashi Iwai <tiwai(a)suse.de> ALSA: memalloc: Don't exceed over the requested size Hans de Goede <hdegoede(a)redhat.com> ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Takashi Iwai <tiwai(a)suse.de> ALSA: cs5535audio: Fix invalid endian conversion Takashi Iwai <tiwai(a)suse.de> ALSA: virmidi: Fix too long output trigger loop Takashi Iwai <tiwai(a)suse.de> ALSA: vx222: Fix invalid endian conversions Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Turn CX8200 into D3 as well upon reboot Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs Hangbin Liu <liuhangbin(a)gmail.com> net_sched: fix NULL pointer dereference when delete tcindex filter Cong Wang <xiyou.wangcong(a)gmail.com> vsock: split dwork to avoid reinitializations Hangbin Liu <liuhangbin(a)gmail.com> net_sched: Fix missing res info when create new tc_index filter Cong Wang <xiyou.wangcong(a)gmail.com> llc: use refcount_inc_not_zero() for llc_sap_find() Wei Wang <weiwan(a)google.com> l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Alexey Kodanev <alexey.kodanev(a)oracle.com> dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() ------------- Diffstat: Makefile | 4 ++-- arch/x86/include/asm/pgtable.h | 13 ++++++++----- drivers/acpi/sleep.c | 27 +++++++++++++++++++++++++++ drivers/isdn/i4l/isdn_common.c | 8 +------- drivers/tty/serial/8250/8250_dw.c | 2 +- drivers/usb/serial/option.c | 4 ++++ drivers/usb/serial/sierra.c | 4 ++-- include/net/af_vsock.h | 4 ++-- include/net/llc.h | 5 +++++ net/bluetooth/sco.c | 3 ++- net/dccp/ccids/ccid2.c | 6 ++++-- net/l2tp/l2tp_core.c | 2 +- net/llc/llc_core.c | 4 ++-- net/sched/cls_tcindex.c | 8 +++----- net/vmw_vsock/af_vsock.c | 15 ++++++++------- net/vmw_vsock/vmci_transport.c | 3 +-- sound/core/memalloc.c | 8 ++------ sound/core/seq/seq_virmidi.c | 10 ++++++++++ sound/pci/cs5535audio/cs5535audio.h | 6 +++--- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 ++-- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_conexant.c | 4 +++- sound/pci/vx222/vx222_ops.c | 8 ++++---- sound/pcmcia/vx/vxp_ops.c | 10 +++++----- 24 files changed, 103 insertions(+), 61 deletions(-)

7 years

4
24
0 0

[PATCH 4.9 00/25] 4.9.123-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.123 release. There are 25 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Aug 23 05:51:15 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.123-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.123-rc1 Sudip Mukherjee <sudipm.mukherjee(a)gmail.com> Bluetooth: avoid killing an already killed socket Tom Lendacky <thomas.lendacky(a)amd.com> x86/mm: Simplify p[g4um]d_page() macros Srinath Mannam <srinath.mannam(a)broadcom.com> serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Chen Hu <hu1.chen(a)intel.com> serial: 8250_dw: always set baud rate in dw8250_set_termios Mark <dmarkh(a)cfl.rr.com> tty: serial: 8250: Revert NXP SC16C2552 workaround Willy Tarreau <w(a)1wt.eu> ACPI / PM: save NVS memory for ASUS 1025C laptop Aleksander Morgado <aleksander(a)aleksander.es> USB: option: add support for DW5821e John Ogness <john.ogness(a)linutronix.de> USB: serial: sierra: fix potential deadlock at close Hangbin Liu <liuhangbin(a)gmail.com> cls_matchall: fix tcf_unbind_filter missing Kees Cook <keescook(a)chromium.org> isdn: Disable IIOCDBGVAR Takashi Iwai <tiwai(a)suse.de> ALSA: vxpocket: Fix invalid endian conversions Takashi Iwai <tiwai(a)suse.de> ALSA: memalloc: Don't exceed over the requested size Hans de Goede <hdegoede(a)redhat.com> ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Takashi Iwai <tiwai(a)suse.de> ALSA: cs5535audio: Fix invalid endian conversion Takashi Iwai <tiwai(a)suse.de> ALSA: virmidi: Fix too long output trigger loop Takashi Iwai <tiwai(a)suse.de> ALSA: vx222: Fix invalid endian conversions Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Turn CX8200 into D3 as well upon reboot Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs Hangbin Liu <liuhangbin(a)gmail.com> net_sched: fix NULL pointer dereference when delete tcindex filter Hangbin Liu <liuhangbin(a)gmail.com> net_sched: Fix missing res info when create new tc_index filter Xin Long <lucien.xin(a)gmail.com> ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit Cong Wang <xiyou.wangcong(a)gmail.com> vsock: split dwork to avoid reinitializations Cong Wang <xiyou.wangcong(a)gmail.com> llc: use refcount_inc_not_zero() for llc_sap_find() Wei Wang <weiwan(a)google.com> l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Alexey Kodanev <alexey.kodanev(a)oracle.com> dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() ------------- Diffstat: Makefile | 4 ++-- arch/x86/include/asm/pgtable.h | 13 ++++++++----- drivers/acpi/sleep.c | 8 ++++++++ drivers/isdn/i4l/isdn_common.c | 8 +------- drivers/tty/serial/8250/8250_dw.c | 3 ++- drivers/tty/serial/8250/8250_port.c | 3 +-- drivers/usb/serial/option.c | 4 ++++ drivers/usb/serial/sierra.c | 4 ++-- include/net/af_vsock.h | 4 ++-- include/net/llc.h | 5 +++++ net/bluetooth/sco.c | 3 ++- net/dccp/ccids/ccid2.c | 6 ++++-- net/ipv6/ip6_tunnel.c | 8 ++------ net/l2tp/l2tp_core.c | 2 +- net/llc/llc_core.c | 4 ++-- net/sched/cls_matchall.c | 2 ++ net/sched/cls_tcindex.c | 8 +++----- net/vmw_vsock/af_vsock.c | 15 ++++++++------- net/vmw_vsock/vmci_transport.c | 3 +-- sound/core/memalloc.c | 8 ++------ sound/core/seq/seq_virmidi.c | 10 ++++++++++ sound/pci/cs5535audio/cs5535audio.h | 6 +++--- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 ++-- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_conexant.c | 4 +++- sound/pci/vx222/vx222_ops.c | 8 ++++---- sound/pcmcia/vx/vxp_ops.c | 10 +++++----- 27 files changed, 90 insertions(+), 69 deletions(-)

7 years

5
29
0 0

[BUG] madvise05 leads kernel panic on 4.9.122

by Yang Shi

Hi folks, I just ran some regression test on stable 4.9.122 with LTP. madvise05 triggers the below kernel panic: [ 6785.089994] BUG: unable to handle kernel paging request at ffffeaff44488020 [ 6785.097952] IP: [] page_remove_rmap+0x27/0x580 [ 6785.104810] PGD 0 [ 6785.106859] [ 6785.108526] Oops: 0000 [#1] SMP [ 6785.112029] Modules linked in: mptctl(E) mptbase(E) tun(E) fuse(E) vfat(E) fat(E) btrfs(E) xor(E) raid6_pq(E) xfs(E) [ 6785.123905] CPU: 14 PID: 77983 Comm: madvise05 Tainted: G E 4.9.122-001.ali3000_nightly_cov_20180820_193.test.alios7.x86_64 #1 [ 6785.137880] Hardware name: Dell Inc. PowerEdge R720xd/0X6FFV, BIOS 1.3.6 09/11/2012 [ 6785.146425] task: ffff882daeb78000 task.stack: ffffc9001b438000 [ 6785.153031] RIP: 0010:[] [] page_remove_rmap+0x27/0x580 [ 6785.162461] RSP: 0018:ffffc9001b43bc50 EFLAGS: 00010246 [ 6785.168388] RAX: 0000000000000000 RBX: ffffeaff44488000 RCX: 0000000000000080 [ 6785.176351] RDX: ffffeaff44488000 RSI: 0000000000000001 RDI: ffffeaff44488000 [ 6785.184315] RBP: ffffc9001b43bc80 R08: ffff882f9d4a6540 R09: ffffffff84bcdf60 [ 6785.192277] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 [ 6785.200241] R13: ffff882db6996910 R14: ffffea00b6da65b0 R15: 00003fffffe00000 [ 6785.208205] FS: 00002ae5a3dfbb80(0000) GS:ffff882fbf180000(0000) knlGS:0000000000000000 [ 6785.217234] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6785.223646] CR2: ffffeaff44488020 CR3: 0000002f9d51c000 CR4: 00000000000606f0 [ 6785.231610] Stack: [ 6785.233851] 0000000000000000 00003ffffd6b3320 0434f9415ac47f2c ffffeaff44488000 [ 6785.242143] ffffc9001b43bdd8 ffff882db6996910 ffffc9001b43bcc0 ffffffff81355aaa [ 6785.250438] ffff882f9d4a6540 00002ae5a4400000 00002ae5a4600000 ffffffff84bcd7a0 [ 6785.258728] Call Trace: [ 6785.261460] [] zap_huge_pmd+0x28a/0x640 [ 6785.267585] [] unmap_page_range+0x532/0x630 [ 6785.274087] [] unmap_single_vma+0xa9/0x160 [ 6785.280501] [] unmap_vmas+0x5f/0xe0 [ 6785.286236] [] unmap_region+0xe4/0x1e0 [ 6785.292263] [] ? blk_finish_plug+0x3c/0x60 [ 6785.298669] [] ? SYSC_madvise+0x69b/0xed0 [ 6785.304985] [] do_munmap+0x39b/0x5b0 [ 6785.310818] [] SyS_munmap+0x78/0xb0 [ 6785.316552] [] do_syscall_64+0xf4/0x350 [ 6785.322676] [] entry_SYSCALL_64_after_swapgs+0x58/0xca [ 6785.330244] Code: 00 00 00 00 66 66 66 66 90 55 <48> 8b 57 20 48 89 f8 f6 c2 01 0f [ 6785.339011] RIP [] page_remove_rmap+0x27/0x580 [ 6785.345825] RSP [ 6785.349715] CR2: ffffeaff44488020 The same test case works well on both 4.9.119 and the latest Linus's tree. So, it looks it is caused by the L1TF patches on the stable tree. And, the madvise05 test case can be simplified to the below test program: #include <sys/mman.h> #include <stdio.h> void main() { void *addr; int err; addr = mmap(NULL, 32 * 1024 * 1024, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0); if (addr == MAP_FAILED) { printf("mmap failed\n"); return; } err = mprotect(addr, 32 * 1024 * 1024, PROT_NONE); if (err < 0) { printf("mprotect failed\n"); return; } munmap(addr, 32 * 1024 * 1024); } You may be already aware of this problem or any hint is appreciated. Thanks, Yang

7 years

3
4
0 0

[PATCH v2] staging: android: ion: check for kref overflow

by Daniel Rosenberg

Userspace can cause the kref to handles to increment arbitrarily high. Ensure it does not overflow. Signed-off-by: Daniel Rosenberg <drosen(a)google.com> --- v2: Fixed patch corruption :( This patch is against 4.4. It does not apply to master due to a large rework of ion in 4.12 which removed the affected functions altogther. 4c23cbff073f3b9b ("staging: android: ion: Remove import interface") It applies from 3.18 to 4.11, although with a trivial conflict resolution for the later branches. drivers/staging/android/ion/ion.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index 374f840f31a48..47cb163da9a07 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -15,6 +15,7 @@ * */ +#include <linux/atomic.h> #include <linux/device.h> #include <linux/err.h> #include <linux/file.h> @@ -387,6 +388,16 @@ static void ion_handle_get(struct ion_handle *handle) kref_get(&handle->ref); } +/* Must hold the client lock */ +static struct ion_handle *ion_handle_get_check_overflow( + struct ion_handle *handle) +{ + if (atomic_read(&handle->ref.refcount) + 1 == 0) + return ERR_PTR(-EOVERFLOW); + ion_handle_get(handle); + return handle; +} + static int ion_handle_put_nolock(struct ion_handle *handle) { int ret; @@ -433,9 +444,9 @@ static struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client, handle = idr_find(&client->idr, id); if (handle) - ion_handle_get(handle); + return ion_handle_get_check_overflow(handle); - return handle ? handle : ERR_PTR(-EINVAL); + return ERR_PTR(-EINVAL); } struct ion_handle *ion_handle_get_by_id(struct ion_client *client, @@ -1202,7 +1213,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client, int fd) /* if a handle exists for this buffer just take a reference to it */ handle = ion_handle_lookup(client, buffer); if (!IS_ERR(handle)) { - ion_handle_get(handle); + handle = ion_handle_get_check_overflow(handle); mutex_unlock(&client->lock); goto end; } -- 2.18.0.865.gffc8e1a3cd6-goog

7 years

1
0
0 0

[PATCH 4.18 00/35] 4.18.4-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.18.4 release. There are 35 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Aug 23 05:50:07 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.18.4-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.18.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.18.4-rc1 Hangbin Liu <liuhangbin(a)gmail.com> cls_matchall: fix tcf_unbind_filter missing Jisheng Zhang <Jisheng.Zhang(a)synaptics.com> net: mvneta: fix mvneta_config_rss on armada 3700 Andrew Lunn <andrew(a)lunn.ch> net: ethernet: mvneta: Fix napi structure mixup on armada 3700 Haishuang Yan <yanhaishuang(a)cmss.chinamobile.com> ip_vti: fix a null pointer deferrence when create vti fallback tunnel Jian-Hong Pan <jian-hong(a)endlessm.com> r8169: don't use MSI-X on RTL8106e Takashi Iwai <tiwai(a)suse.de> hv/netvsc: Fix NULL dereference at single queue mode fallback Jeremy Cline <jcline(a)redhat.com> net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() Kees Cook <keescook(a)chromium.org> isdn: Disable IIOCDBGVAR Sudip Mukherjee <sudipm.mukherjee(a)gmail.com> Bluetooth: avoid killing an already killed socket Xiubo Li <xiubli(a)redhat.com> Revert "uio: use request_threaded_irq instead" Johan Hovold <johan(a)kernel.org> misc: sram: fix resource leaks in probe error path Hailong Liu <liu.hailong6(a)zte.com.cn> uio: fix wrong return value from uio_mmap() Srinath Mannam <srinath.mannam(a)broadcom.com> serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Chen Hu <hu1.chen(a)intel.com> serial: 8250_dw: always set baud rate in dw8250_set_termios Aaron Sierra <asierra(a)xes-inc.com> serial: 8250_exar: Read INT0 from slave device, too Mark <dmarkh(a)cfl.rr.com> tty: serial: 8250: Revert NXP SC16C2552 workaround Willy Tarreau <w(a)1wt.eu> ACPI / PM: save NVS memory for ASUS 1025C laptop Aleksander Morgado <aleksander(a)aleksander.es> USB: option: add support for DW5821e Movie Song <MovieSong(a)aten-itlab.cn> USB: serial: pl2303: add a new device id for ATEN John Ogness <john.ogness(a)linutronix.de> USB: serial: sierra: fix potential deadlock at close Mika Båtsman <mika.batsman(a)gmail.com> media: gl861: fix probe of dvb_usb_gl861 Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Fix poll() error return Takashi Iwai <tiwai(a)suse.de> ALSA: vxpocket: Fix invalid endian conversions Takashi Iwai <tiwai(a)suse.de> ALSA: memalloc: Don't exceed over the requested size Hans de Goede <hdegoede(a)redhat.com> ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: dice: fix wrong copy to rx parameters for Alesis iO26 Takashi Iwai <tiwai(a)suse.de> ALSA: cs5535audio: Fix invalid endian conversion Takashi Iwai <tiwai(a)suse.de> ALSA: virmidi: Fix too long output trigger loop Takashi Iwai <tiwai(a)suse.de> ALSA: vx222: Fix invalid endian conversions Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Turn CX8200 into D3 as well upon reboot Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs Heiner Kallweit <hkallweit1(a)gmail.com> r8169: don't use MSI-X on RTL8168g Hangbin Liu <liuhangbin(a)gmail.com> net_sched: Fix missing res info when create new tc_index filter Hangbin Liu <liuhangbin(a)gmail.com> net_sched: fix NULL pointer dereference when delete tcindex filter Wei Wang <weiwan(a)google.com> l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache ------------- Diffstat: Makefile | 4 +-- drivers/acpi/sleep.c | 8 +++++ drivers/isdn/i4l/isdn_common.c | 8 +---- drivers/media/usb/dvb-usb-v2/gl861.c | 21 +++++++------ drivers/misc/sram.c | 9 +++++- drivers/net/ethernet/marvell/mvneta.c | 53 ++++++++++++++++++++------------- drivers/net/ethernet/realtek/r8169.c | 12 ++++++-- drivers/net/hyperv/rndis_filter.c | 2 +- drivers/tty/serial/8250/8250_dw.c | 3 +- drivers/tty/serial/8250/8250_exar.c | 6 +++- drivers/tty/serial/8250/8250_port.c | 3 +- drivers/uio/uio.c | 10 ++----- drivers/usb/serial/option.c | 4 +++ drivers/usb/serial/pl2303.c | 2 ++ drivers/usb/serial/pl2303.h | 1 + drivers/usb/serial/sierra.c | 4 +-- net/bluetooth/sco.c | 3 +- net/core/sock_diag.c | 2 ++ net/ipv4/ip_vti.c | 3 +- net/l2tp/l2tp_core.c | 2 +- net/sched/cls_matchall.c | 2 ++ net/sched/cls_tcindex.c | 8 ++--- net/socket.c | 3 +- sound/core/memalloc.c | 8 ++--- sound/core/seq/oss/seq_oss.c | 2 +- sound/core/seq/seq_clientmgr.c | 2 +- sound/core/seq/seq_virmidi.c | 10 +++++++ sound/firewire/dice/dice-alesis.c | 2 +- sound/pci/cs5535audio/cs5535audio.h | 6 ++-- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 +-- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_conexant.c | 4 ++- sound/pci/vx222/vx222_ops.c | 8 ++--- sound/pcmcia/vx/vxp_ops.c | 10 +++---- 34 files changed, 138 insertions(+), 93 deletions(-)

7 years

4
40
0 0

[PATCH 4.14 00/29] 4.14.66-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.66 release. There are 29 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Aug 23 05:50:58 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.66-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.66-rc1 Hangbin Liu <liuhangbin(a)gmail.com> cls_matchall: fix tcf_unbind_filter missing Kees Cook <keescook(a)chromium.org> isdn: Disable IIOCDBGVAR Sudip Mukherjee <sudipm.mukherjee(a)gmail.com> Bluetooth: avoid killing an already killed socket Johan Hovold <johan(a)kernel.org> misc: sram: fix resource leaks in probe error path Srinath Mannam <srinath.mannam(a)broadcom.com> serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Chen Hu <hu1.chen(a)intel.com> serial: 8250_dw: always set baud rate in dw8250_set_termios Aaron Sierra <asierra(a)xes-inc.com> serial: 8250_exar: Read INT0 from slave device, too Mark <dmarkh(a)cfl.rr.com> tty: serial: 8250: Revert NXP SC16C2552 workaround Willy Tarreau <w(a)1wt.eu> ACPI / PM: save NVS memory for ASUS 1025C laptop Aleksander Morgado <aleksander(a)aleksander.es> USB: option: add support for DW5821e Movie Song <MovieSong(a)aten-itlab.cn> USB: serial: pl2303: add a new device id for ATEN John Ogness <john.ogness(a)linutronix.de> USB: serial: sierra: fix potential deadlock at close Takashi Iwai <tiwai(a)suse.de> ALSA: vxpocket: Fix invalid endian conversions Takashi Iwai <tiwai(a)suse.de> ALSA: memalloc: Don't exceed over the requested size Hans de Goede <hdegoede(a)redhat.com> ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Takashi Iwai <tiwai(a)suse.de> ALSA: cs5535audio: Fix invalid endian conversion Takashi Iwai <tiwai(a)suse.de> ALSA: virmidi: Fix too long output trigger loop Takashi Iwai <tiwai(a)suse.de> ALSA: vx222: Fix invalid endian conversions Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Turn CX8200 into D3 as well upon reboot Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs Dmitry Bogdanov <dmitry.bogdanov(a)aquantia.com> net: aquantia: Fix IFF_ALLMULTI flag functionality Xin Long <lucien.xin(a)gmail.com> ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit Jason Wang <jasowang(a)redhat.com> vhost: reset metadata cache when initializing new IOTLB Hangbin Liu <liuhangbin(a)gmail.com> net_sched: Fix missing res info when create new tc_index filter Cong Wang <xiyou.wangcong(a)gmail.com> vsock: split dwork to avoid reinitializations Hangbin Liu <liuhangbin(a)gmail.com> net_sched: fix NULL pointer dereference when delete tcindex filter Cong Wang <xiyou.wangcong(a)gmail.com> llc: use refcount_inc_not_zero() for llc_sap_find() Wei Wang <weiwan(a)google.com> l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Alexey Kodanev <alexey.kodanev(a)oracle.com> dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() ------------- Diffstat: Makefile | 4 ++-- drivers/acpi/sleep.c | 8 ++++++++ drivers/isdn/i4l/isdn_common.c | 8 +------- drivers/misc/sram.c | 9 ++++++++- drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 2 +- drivers/tty/serial/8250/8250_dw.c | 3 ++- drivers/tty/serial/8250/8250_exar.c | 6 +++++- drivers/tty/serial/8250/8250_port.c | 3 +-- drivers/usb/serial/option.c | 4 ++++ drivers/usb/serial/pl2303.c | 2 ++ drivers/usb/serial/pl2303.h | 1 + drivers/usb/serial/sierra.c | 4 ++-- drivers/vhost/vhost.c | 9 ++++++--- include/net/af_vsock.h | 4 ++-- include/net/llc.h | 5 +++++ net/bluetooth/sco.c | 3 ++- net/dccp/ccids/ccid2.c | 6 ++++-- net/ipv6/ip6_tunnel.c | 8 ++------ net/l2tp/l2tp_core.c | 2 +- net/llc/llc_core.c | 4 ++-- net/sched/cls_matchall.c | 2 ++ net/sched/cls_tcindex.c | 8 +++----- net/vmw_vsock/af_vsock.c | 15 ++++++++------- net/vmw_vsock/vmci_transport.c | 3 +-- sound/core/memalloc.c | 8 ++------ sound/core/seq/seq_virmidi.c | 10 ++++++++++ sound/pci/cs5535audio/cs5535audio.h | 6 +++--- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 ++-- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_conexant.c | 4 +++- sound/pci/vx222/vx222_ops.c | 8 ++++---- sound/pcmcia/vx/vxp_ops.c | 10 +++++----- 32 files changed, 105 insertions(+), 70 deletions(-)

7 years

4
32
0 0

[PATCH 4.17 00/42] 4.17.18-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.17.18 release. There are 42 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Aug 23 05:50:04 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.17.18-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.17.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.17.18-rc1 Jisheng Zhang <Jisheng.Zhang(a)synaptics.com> net: mvneta: fix mvneta_config_rss on armada 3700 Andrew Lunn <andrew(a)lunn.ch> net: ethernet: mvneta: Fix napi structure mixup on armada 3700 Hangbin Liu <liuhangbin(a)gmail.com> cls_matchall: fix tcf_unbind_filter missing Haishuang Yan <yanhaishuang(a)cmss.chinamobile.com> ip_vti: fix a null pointer deferrence when create vti fallback tunnel Jian-Hong Pan <jian-hong(a)endlessm.com> r8169: don't use MSI-X on RTL8106e Jeremy Cline <jcline(a)redhat.com> net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() Kees Cook <keescook(a)chromium.org> isdn: Disable IIOCDBGVAR Sudip Mukherjee <sudipm.mukherjee(a)gmail.com> Bluetooth: avoid killing an already killed socket Johan Hovold <johan(a)kernel.org> misc: sram: fix resource leaks in probe error path Srinath Mannam <srinath.mannam(a)broadcom.com> serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Chen Hu <hu1.chen(a)intel.com> serial: 8250_dw: always set baud rate in dw8250_set_termios Aaron Sierra <asierra(a)xes-inc.com> serial: 8250_exar: Read INT0 from slave device, too Mark <dmarkh(a)cfl.rr.com> tty: serial: 8250: Revert NXP SC16C2552 workaround Willy Tarreau <w(a)1wt.eu> ACPI / PM: save NVS memory for ASUS 1025C laptop Aleksander Morgado <aleksander(a)aleksander.es> USB: option: add support for DW5821e Movie Song <MovieSong(a)aten-itlab.cn> USB: serial: pl2303: add a new device id for ATEN John Ogness <john.ogness(a)linutronix.de> USB: serial: sierra: fix potential deadlock at close Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Fix poll() error return Takashi Iwai <tiwai(a)suse.de> ALSA: vxpocket: Fix invalid endian conversions Takashi Iwai <tiwai(a)suse.de> ALSA: memalloc: Don't exceed over the requested size Hans de Goede <hdegoede(a)redhat.com> ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Takashi Iwai <tiwai(a)suse.de> ALSA: cs5535audio: Fix invalid endian conversion Takashi Iwai <tiwai(a)suse.de> ALSA: virmidi: Fix too long output trigger loop Takashi Iwai <tiwai(a)suse.de> ALSA: vx222: Fix invalid endian conversions Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Turn CX8200 into D3 as well upon reboot Park Ju Hyung <qkrwngud825(a)gmail.com> ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs David Howells <dhowells(a)redhat.com> rxrpc: Fix the keepalive generator [ver #2] Heiner Kallweit <hkallweit1(a)gmail.com> r8169: don't use MSI-X on RTL8168g Or Gerlitz <ogerlitz(a)mellanox.com> net/mlx5e: Properly check if hairpin is possible between two functions Nir Dotan <nird(a)mellanox.com> mlxsw: core_acl_flex_actions: Remove redundant mirror resource destruction Nir Dotan <nird(a)mellanox.com> mlxsw: core_acl_flex_actions: Remove redundant counter destruction Nir Dotan <nird(a)mellanox.com> mlxsw: core_acl_flex_actions: Remove redundant resource destruction Xin Long <lucien.xin(a)gmail.com> ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit Dmitry Bogdanov <dmitry.bogdanov(a)aquantia.com> net: aquantia: Fix IFF_ALLMULTI flag functionality Nir Dotan <nird(a)mellanox.com> mlxsw: core_acl_flex_actions: Return error for conflicting actions Jason Wang <jasowang(a)redhat.com> vhost: reset metadata cache when initializing new IOTLB Hangbin Liu <liuhangbin(a)gmail.com> net_sched: Fix missing res info when create new tc_index filter Cong Wang <xiyou.wangcong(a)gmail.com> vsock: split dwork to avoid reinitializations Hangbin Liu <liuhangbin(a)gmail.com> net_sched: fix NULL pointer dereference when delete tcindex filter Cong Wang <xiyou.wangcong(a)gmail.com> llc: use refcount_inc_not_zero() for llc_sap_find() Wei Wang <weiwan(a)google.com> l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Alexey Kodanev <alexey.kodanev(a)oracle.com> dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() ------------- Diffstat: Makefile | 4 +- drivers/acpi/sleep.c | 8 ++ drivers/isdn/i4l/isdn_common.c | 8 +- drivers/misc/sram.c | 9 +- .../ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 2 +- drivers/net/ethernet/marvell/mvneta.c | 53 ++++--- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 8 +- .../mellanox/mlxsw/core_acl_flex_actions.c | 51 ++++--- drivers/net/ethernet/realtek/r8169.c | 12 +- drivers/tty/serial/8250/8250_dw.c | 3 +- drivers/tty/serial/8250/8250_exar.c | 6 +- drivers/tty/serial/8250/8250_port.c | 3 +- drivers/usb/serial/option.c | 4 + drivers/usb/serial/pl2303.c | 2 + drivers/usb/serial/pl2303.h | 1 + drivers/usb/serial/sierra.c | 4 +- drivers/vhost/vhost.c | 9 +- include/net/af_vsock.h | 4 +- include/net/llc.h | 5 + net/bluetooth/sco.c | 3 +- net/core/sock_diag.c | 2 + net/dccp/ccids/ccid2.c | 6 +- net/ipv4/ip_vti.c | 3 +- net/ipv6/ip6_tunnel.c | 8 +- net/l2tp/l2tp_core.c | 2 +- net/llc/llc_core.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/conn_event.c | 4 +- net/rxrpc/net_ns.c | 6 +- net/rxrpc/output.c | 12 +- net/rxrpc/peer_event.c | 156 ++++++++++++--------- net/rxrpc/peer_object.c | 8 +- net/rxrpc/rxkad.c | 4 +- net/sched/cls_matchall.c | 2 + net/sched/cls_tcindex.c | 8 +- net/socket.c | 3 +- net/vmw_vsock/af_vsock.c | 15 +- net/vmw_vsock/vmci_transport.c | 3 +- sound/core/memalloc.c | 8 +- sound/core/seq/oss/seq_oss.c | 2 +- sound/core/seq/seq_clientmgr.c | 2 +- sound/core/seq/seq_virmidi.c | 10 ++ sound/pci/cs5535audio/cs5535audio.h | 6 +- sound/pci/cs5535audio/cs5535audio_pcm.c | 4 +- sound/pci/hda/hda_intel.c | 2 +- sound/pci/hda/patch_conexant.c | 4 +- sound/pci/vx222/vx222_ops.c | 8 +- sound/pcmcia/vx/vxp_ops.c | 10 +- 48 files changed, 296 insertions(+), 213 deletions(-)

7 years

4
45
0 0

[PATCH] MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7

by Paul Burton

Some versions of GCC suboptimally generate calls to the __multi3() intrinsic for MIPS64r6 builds, resulting in link failures due to the missing function: LD vmlinux.o MODPOST vmlinux.o kernel/bpf/verifier.o: In function `kmalloc_array': include/linux/slab.h:631: undefined reference to `__multi3' fs/select.o: In function `kmalloc_array': include/linux/slab.h:631: undefined reference to `__multi3' ... We already have a workaround for this in which we provide the instrinsic, but we do so selectively for GCC 7 only. Unfortunately the issue occurs with older GCC versions too - it has been observed with both GCC 5.4.0 & GCC 6.4.0. MIPSr6 support was introduced in GCC 5, so all major GCC versions prior to GCC 8 are affected and we extend our workaround accordingly to all MIPS64r6 builds using GCC versions older than GCC 8. Signed-off-by: Paul Burton <paul.burton(a)mips.com> Reported-by: Vladimir Kondratiev <vladimir.kondratiev(a)intel.com> Fixes: ebabcf17bcd7 ("MIPS: Implement __multi3 for GCC7 MIPS64r6 builds") Cc: James Hogan <jhogan(a)kernel.org> Cc: Ralf Baechle <ralf(a)linux-mips.org> Cc: linux-mips(a)linux-mips.org Cc: stable(a)vger.kernel.org # 4.15+ --- arch/mips/lib/multi3.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/mips/lib/multi3.c b/arch/mips/lib/multi3.c index 111ad475aa0c..4c2483f410c2 100644 --- a/arch/mips/lib/multi3.c +++ b/arch/mips/lib/multi3.c @@ -4,12 +4,12 @@ #include "libgcc.h" /* - * GCC 7 suboptimally generates __multi3 calls for mips64r6, so for that - * specific case only we'll implement it here. + * GCC 7 & older can suboptimally generate __multi3 calls for mips64r6, so for + * that specific case only we implement that intrinsic here. * * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82981 */ -#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ == 7) +#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ < 8) /* multiply 64-bit values, low 64-bits returned */ static inline long long notrace dmulu(long long a, long long b) -- 2.18.0

7 years

1
0
0 0

[PATCH 2/2] drm/nouveau: Fix GM107 disp dmac chan init on ThinkPad P50

by Lyude Paul

Just like how the P50 will occasionally leave the disp's core channel on before nouveau starts initializing, it will occasionally do the same thing with the rest of the dmac channel in addition to the core channel. Example: [ 1.604375] nouveau 0000:01:00.0: disp: outp 04:0006:0f81: no heads (0 3 4) [ 1.604858] nouveau 0000:01:00.0: disp: outp 04:0006:0f81: aux power -> always [ 1.605354] nouveau 0000:01:00.0: disp: outp 04:0006:0f81: aux power -> demand [ 1.605815] nouveau 0000:01:00.0: disp: outp 05:0002:0f81: no heads (0 3 2) [ 1.607289] nouveau 0000:01:00.0: disp: chid 0 mthd 0000 data 00000400 00001000 00000002 [ 1.608818] nouveau 0000:01:00.0: disp: chid 1 mthd 0000 data 00000400 00001000 00000002 [ 1.609500] nouveau 0000:01:00.0: disp: chid 2 mthd 0000 data 00000400 00001000 00000002 Which of course, later causes other parts of the card to start timing out and failing. Closer inspection shows the same thing happening as with our core channel; 0x610490 + (ctrl * 0x10) always has the same unknown 0x000a0000 mask set when the phantom mthd failures start appearing. So, implement the same workaround we use for the core disp channel to the rest of the disp channels. This along with the previous patch fix random initialization failures observed with the Thinkpad P50. Signed-off-by: Lyude Paul <lyude(a)redhat.com> Cc: Karol Herbst <karolherbst(a)gmail.com> Cc: stable(a)vger.kernel.org --- .../drm/nouveau/nvkm/engine/disp/dmacgf119.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dmacgf119.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dmacgf119.c index edf7dd0d931d..7bc91f260e27 100644 --- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dmacgf119.c +++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dmacgf119.c @@ -35,8 +35,8 @@ gf119_disp_dmac_bind(struct nv50_disp_chan *chan, chan->chid.user << 27 | 0x00000001); } -void -gf119_disp_dmac_fini(struct nv50_disp_chan *chan) +static bool +gf119_disp_dmac_deactivate(struct nv50_disp_chan *chan) { struct nvkm_subdev *subdev = &chan->disp->base.engine.subdev; struct nvkm_device *device = subdev->device; @@ -52,7 +52,16 @@ gf119_disp_dmac_fini(struct nv50_disp_chan *chan) ) < 0) { nvkm_error(subdev, "ch %d fini: %08x\n", user, nvkm_rd32(device, 0x610490 + (ctrl * 0x10))); + return false; } + + return true; +} + +void +gf119_disp_dmac_fini(struct nv50_disp_chan *chan) +{ + gf119_disp_dmac_deactivate(chan); } static int @@ -63,6 +72,12 @@ gf119_disp_dmac_init(struct nv50_disp_chan *chan) int ctrl = chan->chid.ctrl; int user = chan->chid.user; + /* shut down the channel if it was left on, probably by the VBIOS */ + if ((nvkm_rd32(device, 0x610490 + (ctrl * 0x10)) & 0x000a0000) == 0x000a0000 && + WARN_ON(!gf119_disp_dmac_deactivate(chan))) { + return -EBUSY; + } + /* initialise channel for dma command submission */ nvkm_wr32(device, 0x610494 + (ctrl * 0x0010), chan->push); nvkm_wr32(device, 0x610498 + (ctrl * 0x0010), 0x00010000); -- 2.17.1

7 years

1
1
0 0

[PATCH] crypto: vmx - Fix sleep-in-atomic bugs

by Ondrej Mosnacek

This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX implementations. The problem is that the blkcipher_* functions should not be called in atomic context. The bugs can be reproduced via the AF_ALG interface by trying to encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then trigger BUG in crypto_yield(): [ 891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424 [ 891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc [ 891.864739] 1 lock held by kcapi-enc/12347: [ 891.864811] #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530 [ 891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1 [ 891.865251] Call Trace: [ 891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable) [ 891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310 [ 891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0 [ 891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto] [ 891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80 [ 891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530 [ 891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0 [ 891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0 [ 891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0 [ 891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70 Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module") Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") Cc: stable(a)vger.kernel.org Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com> --- This patch should fix the issue, but I didn't test it. (I'll see if I can find some time tomorrow to try and recompile the kernel on a PPC machine... in the meantime please review :) drivers/crypto/vmx/aes_cbc.c | 30 ++++++++++++++---------------- drivers/crypto/vmx/aes_xts.c | 19 ++++++++++++------- 2 files changed, 26 insertions(+), 23 deletions(-) diff --git a/drivers/crypto/vmx/aes_cbc.c b/drivers/crypto/vmx/aes_cbc.c index 5285ece4f33a..b71895871be3 100644 --- a/drivers/crypto/vmx/aes_cbc.c +++ b/drivers/crypto/vmx/aes_cbc.c @@ -107,24 +107,23 @@ static int p8_aes_cbc_encrypt(struct blkcipher_desc *desc, ret = crypto_skcipher_encrypt(req); skcipher_request_zero(req); } else { - preempt_disable(); - pagefault_disable(); - enable_kernel_vsx(); - blkcipher_walk_init(&walk, dst, src, nbytes); ret = blkcipher_walk_virt(desc, &walk); while ((nbytes = walk.nbytes)) { + preempt_disable(); + pagefault_disable(); + enable_kernel_vsx(); aes_p8_cbc_encrypt(walk.src.virt.addr, walk.dst.virt.addr, nbytes & AES_BLOCK_MASK, &ctx->enc_key, walk.iv, 1); + disable_kernel_vsx(); + pagefault_enable(); + preempt_enable(); + nbytes &= AES_BLOCK_SIZE - 1; ret = blkcipher_walk_done(desc, &walk, nbytes); } - - disable_kernel_vsx(); - pagefault_enable(); - preempt_enable(); } return ret; @@ -147,24 +146,23 @@ static int p8_aes_cbc_decrypt(struct blkcipher_desc *desc, ret = crypto_skcipher_decrypt(req); skcipher_request_zero(req); } else { - preempt_disable(); - pagefault_disable(); - enable_kernel_vsx(); - blkcipher_walk_init(&walk, dst, src, nbytes); ret = blkcipher_walk_virt(desc, &walk); while ((nbytes = walk.nbytes)) { + preempt_disable(); + pagefault_disable(); + enable_kernel_vsx(); aes_p8_cbc_encrypt(walk.src.virt.addr, walk.dst.virt.addr, nbytes & AES_BLOCK_MASK, &ctx->dec_key, walk.iv, 0); + disable_kernel_vsx(); + pagefault_enable(); + preempt_enable(); + nbytes &= AES_BLOCK_SIZE - 1; ret = blkcipher_walk_done(desc, &walk, nbytes); } - - disable_kernel_vsx(); - pagefault_enable(); - preempt_enable(); } return ret; diff --git a/drivers/crypto/vmx/aes_xts.c b/drivers/crypto/vmx/aes_xts.c index 8bd9aff0f55f..016ef52390c9 100644 --- a/drivers/crypto/vmx/aes_xts.c +++ b/drivers/crypto/vmx/aes_xts.c @@ -116,13 +116,14 @@ static int p8_aes_xts_crypt(struct blkcipher_desc *desc, ret = enc? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req); skcipher_request_zero(req); } else { + blkcipher_walk_init(&walk, dst, src, nbytes); + + ret = blkcipher_walk_virt(desc, &walk); + preempt_disable(); pagefault_disable(); enable_kernel_vsx(); - blkcipher_walk_init(&walk, dst, src, nbytes); - - ret = blkcipher_walk_virt(desc, &walk); iv = walk.iv; memset(tweak, 0, AES_BLOCK_SIZE); aes_p8_encrypt(iv, tweak, &ctx->tweak_key); @@ -135,13 +136,17 @@ static int p8_aes_xts_crypt(struct blkcipher_desc *desc, aes_p8_xts_decrypt(walk.src.virt.addr, walk.dst.virt.addr, nbytes & AES_BLOCK_MASK, &ctx->dec_key, NULL, tweak); + disable_kernel_vsx(); + pagefault_enable(); + preempt_enable(); + nbytes &= AES_BLOCK_SIZE - 1; ret = blkcipher_walk_done(desc, &walk, nbytes); - } - disable_kernel_vsx(); - pagefault_enable(); - preempt_enable(); + preempt_disable(); + pagefault_disable(); + enable_kernel_vsx(); + } } return ret; } -- 2.17.1

7 years

1
0
0 0

[PATCH] arm64: fix for bad_mode() handler to always result in panic

by Hari Vyas

bad_mode() handler is called for invalid or undefined instruction in el1 level or when irq,fiq,sync or error situation happen in el1 or el0 level. As per latest code, above abnormal situation may not result in panic always due to die() call if user mode is determined at that moment. That will just result in kill of current process and panic will be avoided which it must not. Link: https://bugzilla.kernel.org/show_bug.cgi?id=200637 Signed-off-by: Hari Vyas <hari.vyas(a)broadcom.com> --- arch/arm64/kernel/traps.c | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c index d399d45..716ee73 100644 --- a/arch/arm64/kernel/traps.c +++ b/arch/arm64/kernel/traps.c @@ -621,7 +621,6 @@ asmlinkage void bad_mode(struct pt_regs *regs, int reason, unsigned int esr) handler[reason], smp_processor_id(), esr, esr_get_class_string(esr)); - die("Oops - bad mode", regs, 0); local_daif_mask(); panic("bad mode"); } -- 1.9.1

7 years

3
5
0 0

[PATCH 2/2] udf: Fix mounting of Win7 created UDF filesystems

by Jan Kara

Win7 is creating UDF filesystems with single partition with number 8192. Current partition descriptor scanning code does not handle this well as it incorrectly assumes that partition numbers will form mostly contiguous space of small numbers. This results in unmountable media due to errors like: UDF-fs: error (device dm-1): udf_read_tagged: tag version 0x0000 != 0x0002 || 0x0003, block 0 UDF-fs: warning (device dm-1): udf_fill_super: No fileset found Fix the problem by handling partition descriptors in a way that sparse partition numbering does not matter. Reported-by: jean-luc malet <jeanluc.malet(a)gmail.com> CC: stable(a)vger.kernel.org Fixes: 7b78fd02fb19530fd101ae137a1f46aa466d9bb6 Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/udf/super.c | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/fs/udf/super.c b/fs/udf/super.c index 68d57b61f3af..6f515651a2c2 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -1510,10 +1510,16 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_ */ #define PART_DESC_ALLOC_STEP 32 +struct part_desc_seq_scan_data { + struct udf_vds_record rec; + u32 partnum; +}; + struct desc_seq_scan_data { struct udf_vds_record vds[VDS_POS_LENGTH]; unsigned int size_part_descs; - struct udf_vds_record *part_descs_loc; + unsigned int num_part_descs; + struct part_desc_seq_scan_data *part_descs_loc; }; static struct udf_vds_record *handle_partition_descriptor( @@ -1522,10 +1528,14 @@ static struct udf_vds_record *handle_partition_descriptor( { struct partitionDesc *desc = (struct partitionDesc *)bh->b_data; int partnum; + int i; partnum = le16_to_cpu(desc->partitionNumber); - if (partnum >= data->size_part_descs) { - struct udf_vds_record *new_loc; + for (i = 0; i < data->num_part_descs; i++) + if (partnum == data->part_descs_loc[i].partnum) + return &(data->part_descs_loc[i].rec); + if (data->num_part_descs >= data->size_part_descs) { + struct part_desc_seq_scan_data *new_loc; unsigned int new_size = ALIGN(partnum, PART_DESC_ALLOC_STEP); new_loc = kcalloc(new_size, sizeof(*new_loc), GFP_KERNEL); @@ -1537,7 +1547,7 @@ static struct udf_vds_record *handle_partition_descriptor( data->part_descs_loc = new_loc; data->size_part_descs = new_size; } - return &(data->part_descs_loc[partnum]); + return &(data->part_descs_loc[data->num_part_descs++].rec); } @@ -1587,6 +1597,7 @@ static noinline int udf_process_sequence( memset(data.vds, 0, sizeof(struct udf_vds_record) * VDS_POS_LENGTH); data.size_part_descs = PART_DESC_ALLOC_STEP; + data.num_part_descs = 0; data.part_descs_loc = kcalloc(data.size_part_descs, sizeof(*data.part_descs_loc), GFP_KERNEL); @@ -1598,7 +1609,6 @@ static noinline int udf_process_sequence( * are in it. */ for (; (!done && block <= lastblock); block++) { - bh = udf_read_tagged(sb, block, block, &ident); if (!bh) break; @@ -1670,13 +1680,10 @@ static noinline int udf_process_sequence( } /* Now handle prevailing Partition Descriptors */ - for (i = 0; i < data.size_part_descs; i++) { - if (data.part_descs_loc[i].block) { - ret = udf_load_partdesc(sb, - data.part_descs_loc[i].block); - if (ret < 0) - return ret; - } + for (i = 0; i < data.num_part_descs; i++) { + ret = udf_load_partdesc(sb, data.part_descs_loc[i].rec.block); + if (ret < 0) + return ret; } return 0; -- 2.16.4

7 years

1
0
0 0

[PATCH 1/2] USB: serial: io_ti: fix array underflow in completion handler

by Johan Hovold

As reported by Dan Carpenter, a malicious USB device could set port_number to -3 and we would underflow the port array in the interrupt completion handler. As these devices only have one or two ports, fix this by making sure we only consider the seventh bit when determining the port number (and ignore bits 0xb0 which are typically set to 0x30). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable(a)vger.kernel.org> Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/serial/io_ti.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/serial/io_ti.h b/drivers/usb/serial/io_ti.h index e53c68261017..9bbcee37524e 100644 --- a/drivers/usb/serial/io_ti.h +++ b/drivers/usb/serial/io_ti.h @@ -173,7 +173,7 @@ struct ump_interrupt { } __attribute__((packed)); -#define TIUMP_GET_PORT_FROM_CODE(c) (((c) >> 4) - 3) +#define TIUMP_GET_PORT_FROM_CODE(c) (((c) >> 6) & 0x01) #define TIUMP_GET_FUNC_FROM_CODE(c) ((c) & 0x0f) #define TIUMP_INTERRUPT_CODE_LSR 0x03 #define TIUMP_INTERRUPT_CODE_MSR 0x04 -- 2.18.0

7 years

1
1
0 0

[PATCH v4] mtd: spi-mem: Add the default transfer length adjustments

by Chuanhua Han

We need that to adjust the len of the 2nd transfer (called data in spi-mem) if it's too long to fit in a SPI message or SPI transfer. Fixes: c36ff266dc82 ("spi: Extend the core to ease integration of SPI memory controllers") Cc: <stable(a)vger.kernel.org> Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com> Signed-off-by: Chuanhua Han <chuanhua.han(a)nxp.com> --- Changes in v4: -Rename variable name "opcode_addr_dummy_sum" to "len". -The comparison of "spi_max_message_size(mem->spi)" and "len" was removed. -Adjust their order when comparing the sizes of "spi_max_message_size(mem->spi)" and "len". -Changing the "unsigned long" type in the code to "size_t". Changes in v3: -Rename variable name "val" to "opcode_addr_dummy_sum". -Place the legitimacy of the transfer size(i.e., "spi_max_message_size(mem->spi)" and -"opcode_addr_dummy_sum") into "if (! ctlr - > mem_ops | |! ctlr-> mem_ops->exec_op) {" structure and add "spi_max_transfer_size(mem->spi) and opcode_addr_dummy_sum". -Adjust the formatting alignment of the code. -"(unsigned long)op->data.nbytes" was modified to "(unsigned long)(op->data.nbytes)". Changes in v2: -Place the adjusted transfer bytes code in spi_mem_adjust_op_size() and check spi_max_message_size(mem->spi) value before subtracting opcode, addr and dummy bytes. -Change the code from fsl-espi controller to generic code(The adjustment of spi transmission length was originally modified in the "drivers/spi/spi-fsl-espi.c" file, and now the adjustment of transfer length is made in the "drivers/spi/spi-mem.c" file). drivers/spi/spi-mem.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/spi/spi-mem.c b/drivers/spi/spi-mem.c index 990770d..5374606 100644 --- a/drivers/spi/spi-mem.c +++ b/drivers/spi/spi-mem.c @@ -328,10 +328,23 @@ EXPORT_SYMBOL_GPL(spi_mem_exec_op); int spi_mem_adjust_op_size(struct spi_mem *mem, struct spi_mem_op *op) { struct spi_controller *ctlr = mem->spi->controller; + size_t len = sizeof(op->cmd.opcode) + + op->addr.nbytes + + op->dummy.nbytes; if (ctlr->mem_ops && ctlr->mem_ops->adjust_op_size) return ctlr->mem_ops->adjust_op_size(mem, op); + if (!ctlr->mem_ops || !ctlr->mem_ops->exec_op) { + if (len > spi_max_transfer_size(mem->spi)) + return -EINVAL; + + op->data.nbytes = min3((size_t)(op->data.nbytes), + spi_max_transfer_size(mem->spi), + spi_max_message_size(mem->spi) - + len); + } + return 0; } EXPORT_SYMBOL_GPL(spi_mem_adjust_op_size); -- 2.7.4

7 years

2
1
0 0

[PATCH v4] mtd: spi-mem: Add the default transfer length adjustments

by Chuanhua Han

We need that to adjust the len of the 2nd transfer (called data in spi-mem) if it's too long to fit in a SPI message or SPI transfer. Fixes: c36ff266dc82 ("spi: Extend the core to ease integration of SPI memory controllers") Cc: <stable(a)vger.kernel.org> Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com> Signed-off-by: Chuanhua Han <chuanhua.han(a)nxp.com> --- Changes in v4: -Rename variable name "opcode_addr_dummy_sum" to "len". -The comparison of "spi_max_message_size(mem->spi)" and "len" was removed. -Adjust their order when comparing the sizes of "spi_max_message_size(mem->spi)" and "len". -Changing the "unsigned long" type in the code to "size_t". Changes in v3: -Rename variable name "val" to "opcode_addr_dummy_sum". -Place the legitimacy of the transfer size(i.e., "spi_max_message_size(mem->spi)" and -"opcode_addr_dummy_sum") into "if (! ctlr - > mem_ops | |! ctlr-> mem_ops->exec_op) {" structure and add "spi_max_transfer_size(mem->spi) and opcode_addr_dummy_sum". -Adjust the formatting alignment of the code. -"(unsigned long)op->data.nbytes" was modified to "(unsigned long)(op->data.nbytes)". Changes in v2: -Place the adjusted transfer bytes code in spi_mem_adjust_op_size() and check spi_max_message_size(mem->spi) value before subtracting opcode, addr and dummy bytes. -Change the code from fsl-espi controller to generic code(The adjustment of spi transmission length was originally modified in the "drivers/spi/spi-fsl-espi.c" file, and now the adjustment of transfer length is made in the "drivers/spi/spi-mem.c" file). drivers/spi/spi-mem.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/spi/spi-mem.c b/drivers/spi/spi-mem.c index 990770d..5374606 100644 --- a/drivers/spi/spi-mem.c +++ b/drivers/spi/spi-mem.c @@ -328,10 +328,23 @@ EXPORT_SYMBOL_GPL(spi_mem_exec_op); int spi_mem_adjust_op_size(struct spi_mem *mem, struct spi_mem_op *op) { struct spi_controller *ctlr = mem->spi->controller; + size_t len = sizeof(op->cmd.opcode) + + op->addr.nbytes + + op->dummy.nbytes; if (ctlr->mem_ops && ctlr->mem_ops->adjust_op_size) return ctlr->mem_ops->adjust_op_size(mem, op); + if (!ctlr->mem_ops || !ctlr->mem_ops->exec_op) { + if (len > spi_max_transfer_size(mem->spi)) + return -EINVAL; + + op->data.nbytes = min3((size_t)(op->data.nbytes), + spi_max_transfer_size(mem->spi), + spi_max_message_size(mem->spi) - + len); + } + return 0; } EXPORT_SYMBOL_GPL(spi_mem_adjust_op_size); -- 2.7.4

7 years

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror