- Linux-stable-mirror - lists.linaro.org

Regression: x86/tsc: Fix mark_tsc_unstable()

by Jeremy Cline

Hi folks, A few Fedora users have reported[0] a regression starting in v4.16.8 where the boot will hang ~1/3 of the time with the following RCU stall warning: INFO: rcu_sched detected stalls on CPUs/tasks: o1-...!: (0 ticks this GP) idle=688/0/0 softirq=171/171 fqs=0 o(detected by 0, t=60002 jiffies, g=-142, c=-143, q=9) Sending NMI from CPU 0 to CPU 1: NMI backtrace for cpu 1 skipped: idling at acpi_processor_ffh_cstate_enter+0x65/0xb0 rcu_sched kthread starved for 60002 jiffies! g18446744073709551474 c1844674407370955143 f0x0 RCU_GP_WAIT_FQS(3) ->state=0x402 -> cpu=1 RCU grace-period kthread stack dump: rcu_sched I 0 9 2 0x80000000 Call Trace: ? __schedule+0x234/0x850 schedule+0x28/0x80 schedule_timeout+0x166/0x380 ? __next_timer_interrupt+0xc0/0xc0 rcu_gp_kthread+0x368/0x830 ? rcu_process_callbacks+0x4f0/0x4f0 kthread+0x112/0x130 ? kthread_create_worker_on_cpu+0x70/0x70 ret_from_fork+0x35/0x40 A user has bisected the problem to the v4.16 commit 1ab4ca7c59d4 ("x86/tsc: Fix mark_tsc_unstable()"). According to the reporter, explicitly setting "tsc=" on the kernel command line causes the boot to always succeed. All the users have Thinkpad T500s or T400s (Core 2 Duos) [0] https://bugzilla.redhat.com/show_bug.cgi?id=1579925 Thanks, Jeremy

7 years, 2 months

3
8
0 0

[PATCH 4.17 00/15] 4.17.1-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.17.1 release. There are 15 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Mon Jun 11 14:59:48 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.17.1-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.17.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.17.1-rc1 Dexuan Cui <decui(a)microsoft.com> PCI: hv: Do not wait forever on a device that has disappeared Sabrina Dubroca <sd(a)queasysnail.net> ipmr: fix error path when ipmr_new_table fails Arun Parameswaran <arun.parameswaran(a)broadcom.com> net: dsa: b53: Fix for brcm tag issue in Cygnus SoC Stephen Suryaputra <ssuryaextr(a)gmail.com> vrf: check the original netdevice for generating redirect Dan Carpenter <dan.carpenter(a)oracle.com> team: use netdev_features_t instead of u32 Xin Long <lucien.xin(a)gmail.com> sctp: not allow transport timeout value less than HZ/5 for hb_timer Eric Dumazet <edumazet(a)google.com> rtnetlink: validate attributes in do_setlink() Eric Dumazet <edumazet(a)google.com> net/packet: refine check for priv area size Eric Dumazet <edumazet(a)google.com> net: metrics: add proper netlink validation Cong Wang <xiyou.wangcong(a)gmail.com> netdev-FAQ: clarify DaveM's position for stable backports Guillaume Nault <g.nault(a)alphalink.fr> l2tp: fix refcount leakage on PPPoL2TP sockets Michal Kubecek <mkubecek(a)suse.cz> ipv6: omit traffic class when calculating flow hash Sabrina Dubroca <sd(a)queasysnail.net> ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Julia Lawall <Julia.Lawall(a)lip6.fr> bnx2x: use the right constant Jason A. Donenfeld <Jason(a)zx2c4.com> netfilter: nf_flow_table: attach dst to skbs ------------- Diffstat: Documentation/networking/netdev-FAQ.txt | 9 +++++ Makefile | 4 +-- drivers/net/dsa/b53/b53_common.c | 15 +++++++- drivers/net/dsa/b53/b53_priv.h | 2 ++ drivers/net/dsa/b53/b53_srab.c | 4 +-- drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 2 +- drivers/net/team/team.c | 3 +- drivers/pci/host/pci-hyperv.c | 46 +++++++++++++++++------- include/linux/mroute_base.h | 10 ------ include/net/ipv6.h | 5 +++ net/core/flow_dissector.c | 2 +- net/core/rtnetlink.c | 8 ++--- net/ipv4/fib_semantics.c | 4 +++ net/ipv4/ipmr_base.c | 8 +++-- net/ipv4/netfilter/nf_flow_table_ipv4.c | 5 +-- net/ipv6/ip6_output.c | 3 +- net/ipv6/ip6mr.c | 21 +++++++---- net/ipv6/ndisc.c | 6 ++++ net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 + net/ipv6/route.c | 4 +-- net/l2tp/l2tp_ppp.c | 35 +++++++++--------- net/packet/af_packet.c | 2 +- net/sctp/transport.c | 2 +- 23 files changed, 132 insertions(+), 69 deletions(-)

7 years, 2 months

4
20
0 0

[PATCH 4.14 00/41] 4.14.49-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.49 release. There are 41 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Mon Jun 11 15:29:07 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.49-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.49-rc1 Dexuan Cui <decui(a)microsoft.com> PCI: hv: Do not wait forever on a device that has disappeared Paul Blakey <paulb(a)mellanox.com> cls_flower: Fix incorrect idr release when failing to modify rule Eric Dumazet <edumazet(a)google.com> rtnetlink: validate attributes in do_setlink() Jason Wang <jasowang(a)redhat.com> virtio-net: fix leaking page for gso packet during mergeable XDP Eran Ben Elisha <eranbe(a)mellanox.com> net/mlx5e: When RXFCS is set, add FCS data into checksum calculation Jason Wang <jasowang(a)redhat.com> virtio-net: correctly check num_buf during err path Toshiaki Makita <makita.toshiaki(a)lab.ntt.co.jp> tun: Fix NULL pointer dereference in XDP redirect Jack Morgenstein <jackm(a)dev.mellanox.co.il> net/mlx4: Fix irq-unsafe spinlock usage Jason Wang <jasowang(a)redhat.com> virtio-net: correctly transmit XDP buff after linearizing Alexander Duyck <alexander.h.duyck(a)intel.com> net-sysfs: Fix memory leak in XPS configuration Florian Fainelli <f.fainelli(a)gmail.com> net: phy: broadcom: Fix auxiliary control register reads Mathieu Xhonneux <m.xhonneux(a)gmail.com> ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline Stephen Suryaputra <ssuryaextr(a)gmail.com> vrf: check the original netdevice for generating redirect Jason Wang <jasowang(a)redhat.com> vhost: synchronize IOTLB message with dev cleanup Dan Carpenter <dan.carpenter(a)oracle.com> team: use netdev_features_t instead of u32 Xin Long <lucien.xin(a)gmail.com> sctp: not allow transport timeout value less than HZ/5 for hb_timer Shahed Shaikh <shahed.shaikh(a)cavium.com> qed: Fix mask for physical address in ILT entry Willem de Bruijn <willemb(a)google.com> packet: fix reserve calculation Daniele Palmas <dnlplm(a)gmail.com> net: usb: cdc_mbim: add flag FLAG_SEND_ZLP Florian Fainelli <f.fainelli(a)gmail.com> net: phy: broadcom: Fix bcm_write_exp() Eric Dumazet <edumazet(a)google.com> net/packet: refine check for priv area size Eric Dumazet <edumazet(a)google.com> net: metrics: add proper netlink validation Roopa Prabhu <roopa(a)cumulusnetworks.com> net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy Cong Wang <xiyou.wangcong(a)gmail.com> netdev-FAQ: clarify DaveM's position for stable backports Kirill Tkhai <ktkhai(a)virtuozzo.com> kcm: Fix use-after-free caused by clonned sockets Wenwen Wang <wang6495(a)umn.edu> isdn: eicon: fix a missing-check bug Michal Kubecek <mkubecek(a)suse.cz> ipv6: omit traffic class when calculating flow hash Willem de Bruijn <willemb(a)google.com> ipv4: remove warning in ip_recv_error Eric Dumazet <edumazet(a)google.com> ipmr: properly check rhltable_init() return value Nicolas Dichtel <nicolas.dichtel(a)6wind.com> ip6_tunnel: remove magic mtu value 0xFFF8 Sabrina Dubroca <sd(a)queasysnail.net> ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Govindarajulu Varadarajan <gvaradar(a)cisco.com> enic: set DMA mask to 47 bit Alexey Kodanev <alexey.kodanev(a)oracle.com> dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect() Julia Lawall <Julia.Lawall(a)lip6.fr> bnx2x: use the right constant Suresh Reddy <suresh.reddy(a)broadcom.com> be2net: Fix error detection logic for BE3 Nathan Chancellor <natechancellor(a)gmail.com> kconfig: Avoid format overflow warning from GCC 8.1 Anand Jain <Anand.Jain(a)oracle.com> btrfs: define SUPER_FLAG_METADUMP_V2 Linus Torvalds <torvalds(a)linux-foundation.org> mmap: relax file size limit for regular files Linus Torvalds <torvalds(a)linux-foundation.org> mmap: introduce sane default mmap limits Bart Van Assche <bart.vanassche(a)wdc.com> scsi: sd_zbc: Avoid that resetting a zone fails sporadically Damien Le Moal <damien.lemoal(a)wdc.com> scsi: sd_zbc: Fix potential memory leak ------------- Diffstat: Documentation/networking/netdev-FAQ.txt | 9 ++ Makefile | 4 +- drivers/isdn/hardware/eicon/diva.c | 22 ++-- drivers/isdn/hardware/eicon/diva.h | 5 +- drivers/isdn/hardware/eicon/divasmain.c | 18 ++-- drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 8 +- drivers/net/ethernet/emulex/benet/be_main.c | 4 +- drivers/net/ethernet/mellanox/mlx4/qp.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 42 ++++++++ drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 +- drivers/net/phy/bcm-cygnus.c | 6 +- drivers/net/phy/bcm-phy-lib.c | 2 +- drivers/net/phy/bcm-phy-lib.h | 7 ++ drivers/net/phy/bcm7xxx.c | 4 +- drivers/net/team/team.c | 3 +- drivers/net/tun.c | 15 +-- drivers/net/usb/cdc_mbim.c | 2 +- drivers/net/virtio_net.c | 19 ++-- drivers/pci/host/pci-hyperv.c | 46 +++++--- drivers/scsi/sd_zbc.c | 128 ++++++++++++++--------- drivers/vhost/vhost.c | 3 + fs/btrfs/disk-io.c | 3 +- include/net/ipv6.h | 5 + include/uapi/linux/btrfs_tree.h | 1 + mm/mmap.c | 32 ++++++ net/core/flow_dissector.c | 2 +- net/core/net-sysfs.c | 6 +- net/core/rtnetlink.c | 8 +- net/dccp/proto.c | 2 - net/ipv4/fib_frontend.c | 1 + net/ipv4/fib_semantics.c | 4 + net/ipv4/ip_sockglue.c | 2 - net/ipv4/ipmr.c | 7 +- net/ipv6/ip6_output.c | 3 +- net/ipv6/ip6_tunnel.c | 11 +- net/ipv6/ip6mr.c | 3 +- net/ipv6/ndisc.c | 6 ++ net/ipv6/route.c | 2 +- net/ipv6/seg6_iptunnel.c | 4 +- net/ipv6/sit.c | 5 +- net/kcm/kcmsock.c | 2 +- net/packet/af_packet.c | 4 +- net/sched/cls_flower.c | 2 +- net/sctp/transport.c | 2 +- scripts/kconfig/confdata.c | 2 +- 46 files changed, 329 insertions(+), 145 deletions(-)

7 years, 2 months

4
42
0 0

[PATCH 4.16 00/48] 4.16.15-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.16.15 release. There are 48 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Mon Jun 11 14:59:28 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.16.15-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.16.15-rc1 Dexuan Cui <decui(a)microsoft.com> PCI: hv: Do not wait forever on a device that has disappeared Jason Wang <jasowang(a)redhat.com> vhost_net: flush batched heads before trying to busy polling Ard Biesheuvel <ard.biesheuvel(a)linaro.org> net: netsec: reduce DMA mask to 40 bits Nicolas Dichtel <nicolas.dichtel(a)6wind.com> ip_tunnel: restore binding to ifaces with a large mtu Jason Wang <jasowang(a)redhat.com> virtio-net: correctly redirect linearized packet Or Gerlitz <ogerlitz(a)mellanox.com> net : sched: cls_api: deal with egdev path only if needed Arun Parameswaran <arun.parameswaran(a)broadcom.com> net: dsa: b53: Fix for brcm tag issue in Cygnus SoC Jason Wang <jasowang(a)redhat.com> virtio-net: correctly check num_buf during err path Toshiaki Makita <makita.toshiaki(a)lab.ntt.co.jp> tun: Fix NULL pointer dereference in XDP redirect Eran Ben Elisha <eranbe(a)mellanox.com> net/mlx5e: When RXFCS is set, add FCS data into checksum calculation Jack Morgenstein <jackm(a)dev.mellanox.co.il> net/mlx4: Fix irq-unsafe spinlock usage Jason Wang <jasowang(a)redhat.com> virtio-net: fix leaking page for gso packet during mergeable XDP Jason Wang <jasowang(a)redhat.com> virtio-net: correctly transmit XDP buff after linearizing Alexander Duyck <alexander.h.duyck(a)intel.com> net-sysfs: Fix memory leak in XPS configuration Florian Fainelli <f.fainelli(a)gmail.com> net: phy: broadcom: Fix auxiliary control register reads Mathieu Xhonneux <m.xhonneux(a)gmail.com> ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline Stephen Suryaputra <ssuryaextr(a)gmail.com> vrf: check the original netdevice for generating redirect Jason Wang <jasowang(a)redhat.com> vhost: synchronize IOTLB message with dev cleanup Dan Carpenter <dan.carpenter(a)oracle.com> team: use netdev_features_t instead of u32 Xin Long <lucien.xin(a)gmail.com> sctp: not allow transport timeout value less than HZ/5 for hb_timer Eric Dumazet <edumazet(a)google.com> rtnetlink: validate attributes in do_setlink() Shahed Shaikh <shahed.shaikh(a)cavium.com> qed: Fix mask for physical address in ILT entry Willem de Bruijn <willemb(a)google.com> packet: fix reserve calculation Daniele Palmas <dnlplm(a)gmail.com> net: usb: cdc_mbim: add flag FLAG_SEND_ZLP Florian Fainelli <f.fainelli(a)gmail.com> net: phy: broadcom: Fix bcm_write_exp() Eric Dumazet <edumazet(a)google.com> net/packet: refine check for priv area size Eric Dumazet <edumazet(a)google.com> net: metrics: add proper netlink validation Roopa Prabhu <roopa(a)cumulusnetworks.com> net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy Dan Carpenter <dan.carpenter(a)oracle.com> net: ethernet: davinci_emac: fix error handling in probe() Cong Wang <xiyou.wangcong(a)gmail.com> netdev-FAQ: clarify DaveM's position for stable backports Petr Machata <petrm(a)mellanox.com> mlxsw: spectrum: Forbid creation of VLAN 1 over port/LAG Guillaume Nault <g.nault(a)alphalink.fr> l2tp: fix refcount leakage on PPPoL2TP sockets Kirill Tkhai <ktkhai(a)virtuozzo.com> kcm: Fix use-after-free caused by clonned sockets Wenwen Wang <wang6495(a)umn.edu> isdn: eicon: fix a missing-check bug Michal Kubecek <mkubecek(a)suse.cz> ipv6: omit traffic class when calculating flow hash Willem de Bruijn <willemb(a)google.com> ipv4: remove warning in ip_recv_error Eric Dumazet <edumazet(a)google.com> ipmr: properly check rhltable_init() return value Nicolas Dichtel <nicolas.dichtel(a)6wind.com> ip6_tunnel: remove magic mtu value 0xFFF8 Sabrina Dubroca <sd(a)queasysnail.net> ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Govindarajulu Varadarajan <gvaradar(a)cisco.com> enic: set DMA mask to 47 bit Alexey Kodanev <alexey.kodanev(a)oracle.com> dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect() Paul Blakey <paulb(a)mellanox.com> cls_flower: Fix incorrect idr release when failing to modify rule Julia Lawall <Julia.Lawall(a)lip6.fr> bnx2x: use the right constant Suresh Reddy <suresh.reddy(a)broadcom.com> be2net: Fix error detection logic for BE3 Nathan Chancellor <natechancellor(a)gmail.com> kconfig: Avoid format overflow warning from GCC 8.1 Jason A. Donenfeld <Jason(a)zx2c4.com> netfilter: nf_flow_table: attach dst to skbs Linus Torvalds <torvalds(a)linux-foundation.org> mmap: relax file size limit for regular files Linus Torvalds <torvalds(a)linux-foundation.org> mmap: introduce sane default mmap limits ------------- Diffstat: Documentation/networking/netdev-FAQ.txt | 9 +++++ Makefile | 4 +-- drivers/isdn/hardware/eicon/diva.c | 22 ++++++++---- drivers/isdn/hardware/eicon/diva.h | 5 +-- drivers/isdn/hardware/eicon/divasmain.c | 18 ++++++---- drivers/net/dsa/b53/b53_common.c | 15 +++++++- drivers/net/dsa/b53/b53_priv.h | 2 ++ drivers/net/dsa/b53/b53_srab.c | 4 +-- drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 8 ++--- drivers/net/ethernet/emulex/benet/be_main.c | 4 ++- drivers/net/ethernet/mellanox/mlx4/qp.c | 4 +-- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 42 ++++++++++++++++++++++ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 5 +++ drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 +- drivers/net/ethernet/socionext/netsec.c | 4 +-- drivers/net/ethernet/ti/davinci_emac.c | 22 ++++++------ drivers/net/phy/bcm-cygnus.c | 6 ++-- drivers/net/phy/bcm-phy-lib.c | 2 +- drivers/net/phy/bcm-phy-lib.h | 7 ++++ drivers/net/phy/bcm7xxx.c | 4 +-- drivers/net/team/team.c | 3 +- drivers/net/tun.c | 15 ++++---- drivers/net/usb/cdc_mbim.c | 2 +- drivers/net/virtio_net.c | 21 ++++++----- drivers/pci/host/pci-hyperv.c | 46 +++++++++++++++++------- drivers/vhost/net.c | 37 ++++++++++++------- drivers/vhost/vhost.c | 3 ++ include/net/ipv6.h | 5 +++ mm/mmap.c | 32 +++++++++++++++++ net/core/flow_dissector.c | 2 +- net/core/net-sysfs.c | 6 ++-- net/core/rtnetlink.c | 8 ++--- net/dccp/proto.c | 2 -- net/ipv4/fib_frontend.c | 1 + net/ipv4/fib_semantics.c | 4 +++ net/ipv4/ip_sockglue.c | 2 -- net/ipv4/ip_tunnel.c | 8 ++--- net/ipv4/ipmr.c | 7 +++- net/ipv4/netfilter/nf_flow_table_ipv4.c | 5 +-- net/ipv6/ip6_output.c | 3 +- net/ipv6/ip6_tunnel.c | 11 ++++-- net/ipv6/ip6mr.c | 3 +- net/ipv6/ndisc.c | 6 ++++ net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 + net/ipv6/route.c | 2 +- net/ipv6/seg6_iptunnel.c | 4 +-- net/ipv6/sit.c | 5 +-- net/kcm/kcmsock.c | 2 +- net/l2tp/l2tp_ppp.c | 35 +++++++++--------- net/packet/af_packet.c | 4 +-- net/sched/cls_api.c | 2 +- net/sched/cls_flower.c | 2 +- net/sctp/transport.c | 2 +- scripts/kconfig/confdata.c | 2 +- 55 files changed, 338 insertions(+), 146 deletions(-)

7 years, 2 months

4
50
0 0

[net 5/5] ixgbe: Fix bit definitions and add support for testing for ipsec support

by Jeff Kirsher

From: Alexander Duyck <alexander.h.duyck(a)intel.com> This patch addresses two issues. First it adds the correct bit definitions for the SECTXSTAT and SECRXSTAT registers. Then it makes use of those definitions to test for if IPsec has been disabled on the part and if so we do not enable it. CC: stable <stable(a)vger.kernel.org> Signed-off-by: Alexander Duyck <alexander.h.duyck(a)intel.com> Reported-by: Andre Tomt <andre(a)tomt.net> Acked-by: Shannon Nelson <shannon.nelson(a)oracle.com> Tested-by: Andrew Bowers <andrewx.bowers(a)intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher(a)intel.com> --- drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 14 +++++++++++++- drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 6 ++++-- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c index 7b23fb0c2d07..c116f459945d 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c @@ -975,10 +975,22 @@ void ixgbe_ipsec_rx(struct ixgbe_ring *rx_ring, **/ void ixgbe_init_ipsec_offload(struct ixgbe_adapter *adapter) { + struct ixgbe_hw *hw = &adapter->hw; struct ixgbe_ipsec *ipsec; + u32 t_dis, r_dis; size_t size; - if (adapter->hw.mac.type == ixgbe_mac_82598EB) + if (hw->mac.type == ixgbe_mac_82598EB) + return; + + /* If there is no support for either Tx or Rx offload + * we should not be advertising support for IPsec. + */ + t_dis = IXGBE_READ_REG(hw, IXGBE_SECTXSTAT) & + IXGBE_SECTXSTAT_SECTX_OFF_DIS; + r_dis = IXGBE_READ_REG(hw, IXGBE_SECRXSTAT) & + IXGBE_SECRXSTAT_SECRX_OFF_DIS; + if (t_dis || r_dis) return; ipsec = kzalloc(sizeof(*ipsec), GFP_KERNEL); diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h index e8ed37749ab1..44cfb2021145 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h @@ -599,13 +599,15 @@ struct ixgbe_nvm_version { #define IXGBE_SECTXCTRL_STORE_FORWARD 0x00000004 #define IXGBE_SECTXSTAT_SECTX_RDY 0x00000001 -#define IXGBE_SECTXSTAT_ECC_TXERR 0x00000002 +#define IXGBE_SECTXSTAT_SECTX_OFF_DIS 0x00000002 +#define IXGBE_SECTXSTAT_ECC_TXERR 0x00000004 #define IXGBE_SECRXCTRL_SECRX_DIS 0x00000001 #define IXGBE_SECRXCTRL_RX_DIS 0x00000002 #define IXGBE_SECRXSTAT_SECRX_RDY 0x00000001 -#define IXGBE_SECRXSTAT_ECC_RXERR 0x00000002 +#define IXGBE_SECRXSTAT_SECRX_OFF_DIS 0x00000002 +#define IXGBE_SECRXSTAT_ECC_RXERR 0x00000004 /* LinkSec (MacSec) Registers */ #define IXGBE_LSECTXCAP 0x08A00 -- 2.17.1

7 years, 2 months

1
0
0 0

[net 4/5] ixgbe: Avoid loopback and fix boolean logic in ipsec_stop_data

by Jeff Kirsher

From: Alexander Duyck <alexander.h.duyck(a)intel.com> This patch fixes two issues. First we add an early test for the Tx and Rx security block ready bits. By doing this we can avoid the need for waits or loopback in the event that the security block is already flushed out. Secondly we fix the boolean logic that was testing for the Tx OR Rx ready bits being set and change it so that we only exit if the Tx AND Rx ready bits are both set. CC: stable <stable(a)vger.kernel.org> Signed-off-by: Alexander Duyck <alexander.h.duyck(a)intel.com> Acked-by: Shannon Nelson <shannon.nelson(a)oracle.com> Tested-by: Andrew Bowers <andrewx.bowers(a)intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher(a)intel.com> --- drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c index 38d8cf75e9ad..7b23fb0c2d07 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c @@ -158,7 +158,16 @@ static void ixgbe_ipsec_stop_data(struct ixgbe_adapter *adapter) reg |= IXGBE_SECRXCTRL_RX_DIS; IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, reg); - IXGBE_WRITE_FLUSH(hw); + /* If both Tx and Rx are ready there are no packets + * that we need to flush so the loopback configuration + * below is not necessary. + */ + t_rdy = IXGBE_READ_REG(hw, IXGBE_SECTXSTAT) & + IXGBE_SECTXSTAT_SECTX_RDY; + r_rdy = IXGBE_READ_REG(hw, IXGBE_SECRXSTAT) & + IXGBE_SECRXSTAT_SECRX_RDY; + if (t_rdy && r_rdy) + return; /* If the tx fifo doesn't have link, but still has data, * we can't clear the tx sec block. Set the MAC loopback @@ -185,7 +194,7 @@ static void ixgbe_ipsec_stop_data(struct ixgbe_adapter *adapter) IXGBE_SECTXSTAT_SECTX_RDY; r_rdy = IXGBE_READ_REG(hw, IXGBE_SECRXSTAT) & IXGBE_SECRXSTAT_SECRX_RDY; - } while (!t_rdy && !r_rdy && limit--); + } while (!(t_rdy && r_rdy) && limit--); /* undo loopback if we played with it earlier */ if (!link) { -- 2.17.1

7 years, 2 months

1
0
0 0

[net 3/5] ixgbe: Move ipsec init function to before reset call

by Jeff Kirsher

From: Alexander Duyck <alexander.h.duyck(a)intel.com> This patch moves the IPsec init function in ixgbe_sw_init. This way it is a bit more consistent with the placement of similar initialization functions and is placed before the reset_hw call which should allow us to clean up any link issues that may be introduced by the fact that we force the link up if somehow the device had IPsec still enabled before the driver was loaded. In addition to the function move it is necessary to change the assignment of netdev->features. The easiest way to do this is to just test for the existence of adapter->ipsec and if it is present we set the feature bits. CC: stable <stable(a)vger.kernel.org> Fixes: 49a94d74d948 ("ixgbe: add ipsec engine start and stop routines") Reported-by: Andre Tomt <andre(a)tomt.net> Signed-off-by: Alexander Duyck <alexander.h.duyck(a)intel.com> Acked-by: Shannon Nelson <shannon.nelson(a)oracle.com> Tested-by: Andrew Bowers <andrewx.bowers(a)intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher(a)intel.com> --- drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 7 ------- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 11 +++++++++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c index 344a1f213a5f..38d8cf75e9ad 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c @@ -1001,13 +1001,6 @@ void ixgbe_init_ipsec_offload(struct ixgbe_adapter *adapter) adapter->netdev->xfrmdev_ops = &ixgbe_xfrmdev_ops; -#define IXGBE_ESP_FEATURES (NETIF_F_HW_ESP | \ - NETIF_F_HW_ESP_TX_CSUM | \ - NETIF_F_GSO_ESP) - - adapter->netdev->features |= IXGBE_ESP_FEATURES; - adapter->netdev->hw_enc_features |= IXGBE_ESP_FEATURES; - return; err2: diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c index a925f05ec342..8d061af276d3 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c @@ -6117,6 +6117,7 @@ static int ixgbe_sw_init(struct ixgbe_adapter *adapter, #ifdef CONFIG_IXGBE_DCB ixgbe_init_dcb(adapter); #endif + ixgbe_init_ipsec_offload(adapter); /* default flow control settings */ hw->fc.requested_mode = ixgbe_fc_full; @@ -10429,6 +10430,14 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent) if (hw->mac.type >= ixgbe_mac_82599EB) netdev->features |= NETIF_F_SCTP_CRC; +#ifdef CONFIG_XFRM_OFFLOAD +#define IXGBE_ESP_FEATURES (NETIF_F_HW_ESP | \ + NETIF_F_HW_ESP_TX_CSUM | \ + NETIF_F_GSO_ESP) + + if (adapter->ipsec) + netdev->features |= IXGBE_ESP_FEATURES; +#endif /* copy netdev features into list of user selectable features */ netdev->hw_features |= netdev->features | NETIF_F_HW_VLAN_CTAG_FILTER | @@ -10491,8 +10500,6 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent) NETIF_F_FCOE_MTU; } #endif /* IXGBE_FCOE */ - ixgbe_init_ipsec_offload(adapter); - if (adapter->flags2 & IXGBE_FLAG2_RSC_CAPABLE) netdev->hw_features |= NETIF_F_LRO; if (adapter->flags2 & IXGBE_FLAG2_RSC_ENABLED) -- 2.17.1

7 years, 2 months

1
0
0 0

[net 2/5] ixgbe: Use CONFIG_XFRM_OFFLOAD instead of CONFIG_XFRM

by Jeff Kirsher

From: Alexander Duyck <alexander.h.duyck(a)intel.com> There is no point in adding code if CONFIG_XFRM is defined that we won't use unless CONFIG_XFRM_OFFLOAD is defined. So instead of leaving this code floating around I am replacing the ifdef with what I believe is the correct one so that we only include the code and variables if they will actually be used. CC: stable <stable(a)vger.kernel.org> Signed-off-by: Alexander Duyck <alexander.h.duyck(a)intel.com> Acked-by: Shannon Nelson <shannon.nelson(a)oracle.com> Tested-by: Andrew Bowers <andrewx.bowers(a)intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher(a)intel.com> --- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 4 ++-- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h index fc534e91c6b2..144d5fe6b944 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h @@ -760,9 +760,9 @@ struct ixgbe_adapter { #define IXGBE_RSS_KEY_SIZE 40 /* size of RSS Hash Key in bytes */ u32 *rss_key; -#ifdef CONFIG_XFRM +#ifdef CONFIG_XFRM_OFFLOAD struct ixgbe_ipsec *ipsec; -#endif /* CONFIG_XFRM */ +#endif /* CONFIG_XFRM_OFFLOAD */ }; static inline u8 ixgbe_max_rss_indices(struct ixgbe_adapter *adapter) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c index f9e0dc041cfb..a925f05ec342 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c @@ -9896,7 +9896,7 @@ ixgbe_features_check(struct sk_buff *skb, struct net_device *dev, * the TSO, so it's the exception. */ if (skb->encapsulation && !(features & NETIF_F_TSO_MANGLEID)) { -#ifdef CONFIG_XFRM +#ifdef CONFIG_XFRM_OFFLOAD if (!skb->sp) #endif features &= ~NETIF_F_TSO; -- 2.17.1

7 years, 2 months

1
0
0 0

[net 1/5] ixgbe: Fix setting of TC configuration for macvlan case

by Jeff Kirsher

From: Alexander Duyck <alexander.h.duyck(a)intel.com> When we were enabling macvlan interfaces we weren't correctly configuring things until ixgbe_setup_tc was called a second time either by tweaking the number of queues or increasing the macvlan count past 15. The issue came down to the fact that num_rx_pools is not populated until after the queues and interrupts are reinitialized. Instead of trying to set it sooner we can just move the call to setup at least 1 traffic class to the SR-IOV/VMDq setup function so that we just set it for this one case. We already had a spot that was configuring the queues for TC 0 in the code here anyway so it makes sense to also set the number of TCs here as well. CC: stable <stable(a)vger.kernel.org> Fixes: 49cfbeb7a95c ("ixgbe: Fix handling of macvlan Tx offload") Signed-off-by: Alexander Duyck <alexander.h.duyck(a)intel.com> Tested-by: Andrew Bowers <andrewx.bowers(a)intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher(a)intel.com> --- drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c | 8 ++++++++ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 8 -------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c index 893a9206e718..d361f570ca37 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c @@ -593,6 +593,14 @@ static bool ixgbe_set_sriov_queues(struct ixgbe_adapter *adapter) } #endif + /* To support macvlan offload we have to use num_tc to + * restrict the queues that can be used by the device. + * By doing this we can avoid reporting a false number of + * queues. + */ + if (vmdq_i > 1) + netdev_set_num_tc(adapter->netdev, 1); + /* populate TC0 for use by pool 0 */ netdev_set_tc_queue(adapter->netdev, 0, adapter->num_rx_queues_per_pool, 0); diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c index 4929f7265598..f9e0dc041cfb 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c @@ -8822,14 +8822,6 @@ int ixgbe_setup_tc(struct net_device *dev, u8 tc) } else { netdev_reset_tc(dev); - /* To support macvlan offload we have to use num_tc to - * restrict the queues that can be used by the device. - * By doing this we can avoid reporting a false number of - * queues. - */ - if (!tc && adapter->num_rx_pools > 1) - netdev_set_num_tc(dev, 1); - if (adapter->hw.mac.type == ixgbe_mac_82598EB) adapter->hw.fc.requested_mode = adapter->last_lfc_mode; -- 2.17.1

7 years, 2 months

1
0
0 0

Re: [PATCH 4.16 01/48] mmap: introduce sane default mmap limits

by Greg Kroah-Hartman

On Mon, Jun 11, 2018 at 08:12:45AM +1000, David Airlie wrote: > Can you make sure you pull in > > 76ef6b28ea4f81c3d511866a9b31392caa833126 (tag: > drm-fixes-for-v4.17-rc6-urgent) > Author: Dave Airlie <airlied(a)redhat.com> > Date: Tue May 15 13:38:15 2018 +1000 > > drm: set FMODE_UNSIGNED_OFFSET for drm files > > Into anywhere this first patch goes? Thanks for pointing this out, now queued up. greg k-h

7 years, 2 months

1
0
0 0

[PATCH] mm: Fix devmem_is_allowed() for sub-page System RAM intersections

by Dan Williams

Hussam reports: I was poking around and for no real reason, I did cat /dev/mem and strings /dev/mem. Then I saw the following warning in dmesg. I saved it and rebooted immediately. memremap attempted on mixed range 0x000000000009c000 size: 0x1000 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11810 at kernel/memremap.c:98 memremap+0x104/0x170 [..] Call Trace: xlate_dev_mem_ptr+0x25/0x40 read_mem+0x89/0x1a0 __vfs_read+0x36/0x170 The memremap() implementation checks for attempts to remap System RAM with MEMREMAP_WB and instead redirects those mapping attempts to the linear map. However, that only works if the physical address range being remapped is page aligned. In low memory we have situations like the following: 00000000-00000fff : Reserved 00001000-0009fbff : System RAM 0009fc00-0009ffff : Reserved ...where System RAM intersects Reserved ranges on a sub-page page granularity. Given that devmem_is_allowed() special cases any attempt to map System RAM in the first 1MB of memory, replace page_is_ram() with the more precise region_intersects() to trap attempts to map disallowed ranges. Link: https://bugzilla.kernel.org/show_bug.cgi?id=199999 Fixes: 92281dee825f ("arch: introduce memremap()") Cc: <stable(a)vger.kernel.org> Cc: Christoph Hellwig <hch(a)lst.de> Reported-by: Hussam Al-Tayeb <me(a)hussam.eu.org> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> --- arch/x86/mm/init.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c index fec82b577c18..cee58a972cb2 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -706,7 +706,9 @@ void __init init_mem_mapping(void) */ int devmem_is_allowed(unsigned long pagenr) { - if (page_is_ram(pagenr)) { + if (region_intersects(PFN_PHYS(pagenr), PAGE_SIZE, + IORESOURCE_SYSTEM_RAM, IORES_DESC_NONE) + != REGION_DISJOINT) { /* * For disallowed memory regions in the low 1MB range, * request that the page be shown as all zeros.

7 years, 2 months

1
0
0 0

Please apply this commit to v4.14.y, 4.16.y and 4.17.y: c3635da2a336 ("PCI: hv: Do not wait forever on a device that has disappeared")

by Dexuan Cui

Hi, The patch has been in the mainline, and I have verified the commit can be cherry-picked cleanly to these 3 stable branches. The issue fixed by the patch also exists in 4.14, 4.16 and 4.17. It looks I forgot to add a "Cc: stable(a)vger.kernel.org" tag. Sorry. Thanks, -- Dexuan

7 years, 2 months

2
1
0 0

[PATCH v3 1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ

by Amit Pundir

From: Suren Baghdasaryan <surenb(a)google.com> Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap. cc: Stable <stable(a)vger.kernel.org> Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Signed-off-by: Amit Pundir <amit.pundir(a)linaro.org> Reviewed-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> --- v3..v1: Resend. No changes. drivers/nfc/st21nfca/dep.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c index fd08be2917e6..3420c5104c94 100644 --- a/drivers/nfc/st21nfca/dep.c +++ b/drivers/nfc/st21nfca/dep.c @@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, atr_req = (struct st21nfca_atr_req *)skb->data; - if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + if (atr_req->length < sizeof(struct st21nfca_atr_req) || + atr_req->length > skb->len) { r = -EPROTO; goto exit; } -- 2.7.4

7 years, 2 months

2
3
0 0

Re: [PATCH] xfs: fix incorrect log_flushed on fsync

by Amir Goldstein

On Tue, Sep 19, 2017 at 9:32 AM, Greg KH <greg(a)kroah.com> wrote: > On Mon, Sep 18, 2017 at 10:29:25PM +0300, Amir Goldstein wrote: >> On Mon, Sep 18, 2017 at 9:35 PM, Greg KH <greg(a)kroah.com> wrote: >> > On Mon, Sep 18, 2017 at 09:00:30PM +0300, Amir Goldstein wrote: >> >> On Mon, Sep 18, 2017 at 8:11 PM, Darrick J. Wong >> >> <darrick.wong(a)oracle.com> wrote: >> >> > On Fri, Sep 15, 2017 at 03:40:24PM +0300, Amir Goldstein wrote: >> >> >> On Wed, Aug 30, 2017 at 4:38 PM, Amir Goldstein <amir73il(a)gmail.com> wrote: >> >> >> > When calling into _xfs_log_force{,_lsn}() with a pointer >> >> >> > to log_flushed variable, log_flushed will be set to 1 if: >> >> >> > 1. xlog_sync() is called to flush the active log buffer >> >> >> > AND/OR >> >> >> > 2. xlog_wait() is called to wait on a syncing log buffers >> >> >> > >> >> >> > xfs_file_fsync() checks the value of log_flushed after >> >> >> > _xfs_log_force_lsn() call to optimize away an explicit >> >> >> > PREFLUSH request to the data block device after writing >> >> >> > out all the file's pages to disk. >> >> >> > >> >> >> > This optimization is incorrect in the following sequence of events: >> >> >> > >> >> >> > Task A Task B >> >> >> > ------------------------------------------------------- >> >> >> > xfs_file_fsync() >> >> >> > _xfs_log_force_lsn() >> >> >> > xlog_sync() >> >> >> > [submit PREFLUSH] >> >> >> > xfs_file_fsync() >> >> >> > file_write_and_wait_range() >> >> >> > [submit WRITE X] >> >> >> > [endio WRITE X] >> >> >> > _xfs_log_force_lsn() >> >> >> > xlog_wait() >> >> >> > [endio PREFLUSH] >> >> >> > >> >> >> > The write X is not guarantied to be on persistent storage >> >> >> > when PREFLUSH request in completed, because write A was submitted >> >> >> > after the PREFLUSH request, but xfs_file_fsync() of task A will >> >> >> > be notified of log_flushed=1 and will skip explicit flush. >> >> >> > >> >> >> > If the system crashes after fsync of task A, write X may not be >> >> >> > present on disk after reboot. >> >> >> > >> >> >> > This bug was discovered and demonstrated using Josef Bacik's >> >> >> > dm-log-writes target, which can be used to record block io operations >> >> >> > and then replay a subset of these operations onto the target device. >> >> >> > The test goes something like this: >> >> >> > - Use fsx to execute ops of a file and record ops on log device >> >> >> > - Every now and then fsync the file, store md5 of file and mark >> >> >> > the location in the log >> >> >> > - Then replay log onto device for each mark, mount fs and compare >> >> >> > md5 of file to stored value >> >> >> > >> >> >> > Cc: Christoph Hellwig <hch(a)lst.de> >> >> >> > Cc: Josef Bacik <jbacik(a)fb.com> >> >> >> > Cc: <stable(a)vger.kernel.org> >> >> >> > Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> >> >> >> > --- >> >> >> > >> >> >> > Christoph, Dave, >> >> >> > >> >> >> > It's hard to believe, but I think the reported bug has been around >> >> >> > since 2005 f538d4da8d52 ("[XFS] write barrier support"), but I did >> >> >> > not try to test old kernels. >> >> >> >> >> >> Forgot to tag commit message with: >> >> >> Fixes: f538d4da8d52 ("[XFS] write barrier support") >> >> >> >> >> >> Maybe the tag could be added when applying to recent stables, >> >> >> so distros and older downstream stables can see the tag. >> >> >> >> >> >> The disclosure of the security bug fix (commit b31ff3cdf5) made me wonder >> >> >> if possible data loss bug should also be disclosed in some distros forum? >> >> >> I bet some users would care more about the latter than the former. >> >> >> Coincidentally, both data loss and security bugs fix the same commit.. >> >> > >> >> > Yes the the patch ought to get sent on to stable w/ fixes tag. One >> >> > would hope that the distros will pick up the stable fixes from there. >> >> >> >> >> >> Greg, for your consideration, please add >> >> Fixes: f538d4da8d52 ("[XFS] write barrier support") >> >> If not pushed yet. >> > >> > Add it to what? >> >> Sorry, add that tag when applying commit 47c7d0b1950258312 >> to stable trees, since I missed adding the tag before it was merged >> to master. > > Nah, as the tag is just needed to let me know where to backport stuff > to, I don't think it matters when I add it to the stable tree itself, so > I'll leave it as-is. > Greg, Related or not to above Fixes discussion, I now noticed that you never picked the patch for kernel 4.4. Ben did take it to 3.2 and 3.16 BTW. This is a very critical bug fix IMO. Were you waiting for an ACK from xfs maintainers or just an oversight? Or was it me who had to check up on that? Thanks, Amir.

7 years, 2 months

2
1
0 0

Linux 4.9.107 is not available on www.kernel.org

by Pavlos Parissis

Hi, Linux 4.9.107 was released on Jun 7th and www.kernel.org still points to 4.9.106 as latest version for 4.9 tree. I have seen delays before, but not for more than an hour. Is something broken? Cheers, Pavlos

7 years, 2 months

2
2
0 0

[merged] fs-binfmt_miscc-do-not-allow-offset-overflow.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: fs/binfmt_misc.c: do not allow offset overflow has been removed from the -mm tree. Its filename was fs-binfmt_miscc-do-not-allow-offset-overflow.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Subject: fs/binfmt_misc.c: do not allow offset overflow WHen registering a new binfmt_misc handler, it is possible to overflow the offset to get a negative value, which might crash the system, or possibly leak kernel data. Here is a crash log when 2500000000 was used as an offset: [ 6050.251552] BUG: unable to handle kernel paging request at ffff989cfd6edca0 [ 6050.252053] IP: load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] PGD 1ef3e067 P4D 1ef3e067 PUD 0 [ 6050.252053] Oops: 0000 [#1] SMP NOPTI [ 6050.252053] Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy [ 6050.252053] CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu [ 6050.252053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014 [ 6050.252053] RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] RSP: 0018:ffffb6e383017e18 EFLAGS: 00010202 [ 6050.252053] RAX: 0000000000000003 RBX: ffff989d74a47100 RCX: ffff989cfd6edca0 [ 6050.252053] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff989d7d2e95e5 [ 6050.252053] RBP: ffffb6e383017e48 R08: 0000000000000001 R09: 0000000000000000 [ 6050.252053] R10: 0000000000000000 R11: fefefefefefefeff R12: 0000000000000001 [ 6050.252053] R13: ffff989d7d2e9580 R14: 0000000000000000 R15: ffffffffc0592160 [ 6050.252053] FS: 00007fa424c89740(0000) GS:ffff989d7fc00000(0000) knlGS:0000000000000000 [ 6050.252053] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6050.252053] CR2: ffff989cfd6edca0 CR3: 000000003db08000 CR4: 00000000000006f0 [ 6050.252053] Call Trace: [ 6050.252053] search_binary_handler+0x97/0x1d0 [ 6050.252053] do_execveat_common.isra.34+0x667/0x810 [ 6050.252053] SyS_execve+0x31/0x40 [ 6050.252053] do_syscall_64+0x73/0x130 [ 6050.252053] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Use kstrtoint instead of simple_strtoul. It will work as the code already set the delimiter byte to '\0' and we only do it when the field is not empty. Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested with examples documented at Documentation/admin-guide/binfmt-misc.rst and other registrations from packages on Ubuntu. Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/binfmt_misc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff -puN fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow fs/binfmt_misc.c --- a/fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow +++ a/fs/binfmt_misc.c @@ -387,8 +387,13 @@ static Node *create_entry(const char __u s = strchr(p, del); if (!s) goto einval; - *s++ = '\0'; - e->offset = simple_strtoul(p, &p, 10); + *s = '\0'; + if (p != s) { + int r = kstrtoint(p, 10, &e->offset); + if (r != 0 || e->offset < 0) + goto einval; + } + p = s; if (*p++) goto einval; pr_debug("register: offset: %#x\n", e->offset); @@ -428,7 +433,8 @@ static Node *create_entry(const char __u if (e->mask && string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size) goto einval; - if (e->size + e->offset > BINPRM_BUF_SIZE) + if (e->size > BINPRM_BUF_SIZE || + BINPRM_BUF_SIZE - e->size < e->offset) goto einval; pr_debug("register: magic/mask length: %i\n", e->size); if (USE_DEBUG) { _ Patches currently in -mm which might be from cascardo(a)canonical.com are

7 years, 2 months

1
0
0 0

[merged] mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset has been removed from the -mm tree. Its filename was mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Vlastimil Babka <vbabka(a)suse.cz> Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for allocations that can ignore memory policies. The zonelist is obtained from current CPU's node. This is a problem for __GFP_THISNODE allocations that want to allocate on a different node, e.g. because the allocating thread has been migrated to a different CPU. This has been observed to break SLAB in our 4.4-based kernel, because there it relies on __GFP_THISNODE working as intended. If a slab page is put on wrong node's list, then further list manipulations may corrupt the list because page_to_nid() is used to determine which node's list_lock should be locked and thus we may take a wrong lock and race. Current SLAB implementation seems to be immune by luck thanks to commit 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") but there may be others assuming that __GFP_THISNODE works as promised. We can fix it by simply removing the zonelist reset completely. There is actually no reason to reset it, because memory policies and cpusets don't affect the zonelist choice in the first place. This was different when commit 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their own restricted zonelists. We might consider this for 4.17 although I don't know if there's anything currently broken. SLAB is currently not affected, but in kernels older than 4.7 that don't yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") it is. That's at least 4.4 LTS. Older ones I'll have to check. So stable backports should be more important, but will have to be reviewed carefully, as the code went through many changes. BTW I think that also the ac->preferred_zoneref reset is currently useless if we don't also reset ac->nodemask from a mempolicy to NULL first (which we probably should for the OOM victims etc?), but I would leave that for a separate patch. Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") Acked-by: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: David Rientjes <rientjes(a)google.com> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 1 - 1 file changed, 1 deletion(-) diff -puN mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset mm/page_alloc.c --- a/mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset +++ a/mm/page_alloc.c @@ -4169,7 +4169,6 @@ retry: * orientated. */ if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) { - ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); ac->preferred_zoneref = first_zones_zonelist(ac->zonelist, ac->high_zoneidx, ac->nodemask); } _ Patches currently in -mm which might be from vbabka(a)suse.cz are

7 years, 2 months

1
0
0 0

[PATCH] arm64: Fix syscall restarting around signal suppressed by tracer

by Dave Martin

Commit 17c2895 ("arm64: Abstract syscallno manipulation") abstracts out the pt_regs.syscallno value for a syscall cancelled by a tracer as NO_SYSCALL, and provides helpers to set and check for this condition. However, the way this was implemented has the unintended side-effect of disabling part of the syscall restart logic. This comes about because the second in_syscall() check in do_signal() re-evaluates the "in a syscall" condition based on the updated pt_regs instead of the original pt_regs. forget_syscall() is explicitly called prior to the second check in order to prevent restart logic in the ret_to_user path being spuriously triggered, which means that the second in_syscall() check always yields false. This triggers a failure in tools/testing/selftests/seccomp/seccomp_bpf.c, when using ptrace to suppress a signal that interrups a nanosleep() syscall. Misbehaviour of this type is only expected in the case where a tracer suppresses a signal and the target process is either being single-stepped or the interrupted syscall attempts to restart via -ERESTARTBLOCK. This patch restores the old behaviour by performing the in_syscall() check only once at the start of the function. Fixes: 17c289586009 ("arm64: Abstract syscallno manipulation") Signed-off-by: Dave Martin <Dave.Martin(a)arm.com> Reported-by: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: Will Deacon <will.deacon(a)arm.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: <stable(a)vger.kernel.org> # 4.14.x- --- arch/arm64/kernel/signal.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 154b7d3..f212090 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -830,11 +830,12 @@ static void do_signal(struct pt_regs *regs) unsigned long continue_addr = 0, restart_addr = 0; int retval = 0; struct ksignal ksig; + bool syscall = in_syscall(regs); /* * If we were from a system call, check for system call restarting... */ - if (in_syscall(regs)) { + if (syscall) { continue_addr = regs->pc; restart_addr = continue_addr - (compat_thumb_mode(regs) ? 2 : 4); retval = regs->regs[0]; @@ -886,7 +887,7 @@ static void do_signal(struct pt_regs *regs) * Handle restarting a different system call. As above, if a debugger * has chosen to restart at a different PC, ignore the restart. */ - if (in_syscall(regs) && regs->pc == restart_addr) { + if (syscall && regs->pc == restart_addr) { if (retval == -ERESTART_RESTARTBLOCK) setup_restart_syscall(regs); user_rewind_single_step(current); -- 2.1.4

7 years, 2 months

2
1
0 0

[v3 PATCH 0/5] powerpc/pseries: Machien check handler improvements.

by Mahesh J Salgaonkar

This patch series includes some improvement to Machine check handler for pseries. Patch 1 fixes an issue where machine check handler crashes kernel while accessing vmalloc-ed buffer while in nmi context. Patch 2 fixes endain bug while restoring of r3 in MCE handler. Patch 4 dumps the SLB contents on SLB MCE errors to improve the debugability. Patch 5 display's the MCE error details on console. CHange in V3: - Moved patch 5 to patch 2 Change in V2: - patch 3: Display additional info (NIP and task info) in MCE error details. - patch 5: Fix endain bug while restoring of r3 in MCE handler. --- Mahesh Salgaonkar (5): powerpc/pseries: convert rtas_log_buf to linear allocation. powerpc/pseries: Fix endainness while restoring of r3 in MCE handler. powerpc/pseries: Define MCE error event section. powerpc/pseries: Dump and flush SLB contents on SLB MCE errors. powerpc/pseries: Display machine check error details. arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1 arch/powerpc/include/asm/rtas.h | 109 ++++++++++++++++++ arch/powerpc/kernel/rtasd.c | 2 arch/powerpc/mm/slb.c | 35 ++++++ arch/powerpc/platforms/pseries/ras.c | 155 +++++++++++++++++++++++++ 5 files changed, 299 insertions(+), 3 deletions(-) -- Signature

7 years, 2 months

4
7
0 0

[PATCH] dm bufio: avoid false-positive Wmaybe-uninitialized warning

by Nathan Chancellor

From: Arnd Bergmann <arnd(a)arndb.de> commit 590347e4000356f55eb10b03ced2686bd74dab40 upstream. gcc-6.3 and earlier show a new warning after a seemingly unrelated change to the arm64 PAGE_KERNEL definition: In file included from drivers/md/dm-bufio.c:14:0: drivers/md/dm-bufio.c: In function 'alloc_buffer': include/linux/sched/mm.h:182:56: warning: 'noio_flag' may be used uninitialized in this function [-Wmaybe-uninitialized] current->flags = (current->flags & ~PF_MEMALLOC_NOIO) | flags; ^ The same warning happened earlier on linux-3.18 for MIPS and I did a workaround for that, but now it's come back. gcc-7 and newer are apparently smart enough to figure this out, and other architectures don't show it, so the best I could come up with is to rework the caller slightly in a way that makes it obvious enough to all arm64 compilers what is happening here. Fixes: 41acec624087 ("arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0()") Link: https://patchwork.kernel.org/patch/9692829/ Cc: stable(a)vger.kernel.org Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> [snitzer: moved declarations inside conditional, altered vmalloc return] Signed-off-by: Mike Snitzer <snitzer(a)redhat.com> [nc: Backport to 4.9, adjust context for lack of 19809c2da28a] Signed-off-by: Nathan Chancellor <natechancellor(a)gmail.com> --- drivers/md/dm-bufio.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c index 3ec647e8b9c6..35fd57fdeba9 100644 --- a/drivers/md/dm-bufio.c +++ b/drivers/md/dm-bufio.c @@ -373,9 +373,6 @@ static void __cache_size_refresh(void) static void *alloc_buffer_data(struct dm_bufio_client *c, gfp_t gfp_mask, enum data_mode *data_mode) { - unsigned noio_flag; - void *ptr; - if (c->block_size <= DM_BUFIO_BLOCK_SIZE_SLAB_LIMIT) { *data_mode = DATA_MODE_SLAB; return kmem_cache_alloc(DM_BUFIO_CACHE(c), gfp_mask); @@ -399,16 +396,16 @@ static void *alloc_buffer_data(struct dm_bufio_client *c, gfp_t gfp_mask, * all allocations done by this process (including pagetables) are done * as if GFP_NOIO was specified. */ + if (gfp_mask & __GFP_NORETRY) { + unsigned noio_flag = memalloc_noio_save(); + void *ptr = __vmalloc(c->block_size, gfp_mask | __GFP_HIGHMEM, + PAGE_KERNEL); - if (gfp_mask & __GFP_NORETRY) - noio_flag = memalloc_noio_save(); - - ptr = __vmalloc(c->block_size, gfp_mask | __GFP_HIGHMEM, PAGE_KERNEL); - - if (gfp_mask & __GFP_NORETRY) memalloc_noio_restore(noio_flag); + return ptr; + } - return ptr; + return __vmalloc(c->block_size, gfp_mask | __GFP_HIGHMEM, PAGE_KERNEL); } /* -- 2.17.1

7 years, 2 months

1
1
0 0

[PATCHES] Networking

by David Miller

Please queue up the following netwokring bug fixes for v4.16 and v4.17 -stable, respectively. Thank you.

7 years, 2 months

2
1
0 0

[GIT PULL] commits for Linux 4.14

by Sasha Levin

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Greg, Pleae pull commits for Linux 4.14 . I've sent a review request for all commits over a week ago and all comments were addressed. Thanks, Sasha ===== The following changes since commit 3e496be2038a100fc53627238fe120dc4c948719: Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU" (2018-05-30 22:32:31 +0200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git tags/for-greg-4.14-05062018 for you to fetch changes up to a128744e79b872a66bdd0d1183d871c01b84eb9c: ARM: kexec: fix kdump register saving on panic() (2018-06-04 22:11:36 -0400) - ---------------------------------------------------------------- for-greg-4.14-05062018 - ---------------------------------------------------------------- Adam Ford (2): ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues ARM: dts: logicpd-som-lv: Fix Audio Mute Alexey Dobriyan (1): proc: revalidate kernel thread inodes to root:root Amir Goldstein (2): fsnotify: fix ignore mask logic in send_to_group() <linux/stringhash.h>: fix end_name_hash() for 64bit long Andres Rodriguez (1): drm/amdkfd: fix clock counter retrieval for node without GPU Andy Lutomirski (1): x86/selftests: Add mov_to_ss test Anson Huang (1): clocksource/drivers/imx-tpm: Correct some registers operation flow Arnaldo Carvalho de Melo (1): perf report: Fix switching to another perf.data file Arnd Bergmann (2): hexagon: add memset_io() helper hexagon: export csum_partial_copy_nocheck Arvind Yadav (2): HID: wacom: Release device resource data obtained by devres_alloc() HID: intel-ish-hid: use put_device() instead of kfree() Ashish Samant (1): ocfs2: take inode cluster lock before moving reflinked inode from orphan dir Balbir Singh (1): powerpc/powernv/memtrace: Let the arch hotunplug code flush cache Baolin Wang (3): parisc: time: Convert read_persistent_clock() to read_persistent_clock64() i2c: sprd: Prevent i2c accesses after suspend is called i2c: sprd: Fix the i2c count issue Ben Hutchings (2): drm/msm: Fix possible null dereference on failure of get_pages() mtd: Fix comparison in map_word_andequal() Bhadram Varka (1): arm64: tegra: Make BCM89610 PHY interrupt as active low Changbin Du (1): iommu/vt-d: fix shift-out-of-bounds in bug checking Chen Yu (1): ACPI / PM: Blacklist Low Power S0 Idle _DSM for ThinkPad X1 Tablet(2016) Chengguang Xu (2): isofs: fix potential memory leak in mount option parsing nvme: fix potential memory leak in option parsing Chris Leech (1): scsi: iscsi: respond to netlink with unicast when appropriate Christophe JAILLET (1): Input: synaptics-rmi4 - fix an unchecked out of memory error path Clément Péron (1): ARM: dts: cygnus: fix irq type for arm global timer Colin Ian King (2): scsi: isci: Fix infinite loop in while loop RDMA/iwpm: fix memory leak on map_info Dag Moxnes (1): rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp Dan Carpenter (2): drm/omap: silence unititialized variable warning drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() Daniel Borkmann (1): bpf, x64: fix memleak when not converging after image Daniel Glöckner (1): usb: musb: fix remote wakeup racing with suspend Dave Hansen (10): x86/pkeys/selftests: Give better unexpected fault error messages x86/pkeys/selftests: Stop using assert() x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal x86/pkeys/selftests: Allow faults on unknown keys x86/pkeys/selftests: Factor out "instruction page" x86/pkeys/selftests: Add PROT_EXEC test x86/pkeys/selftests: Fix pkey exhaustion test off-by-one x86/pkeys/selftests: Fix pointer math x86/pkeys/selftests: Save off 'prot' for allocations x86/pkeys/selftests: Add a test for pkey 0 Dave Young (1): kexec_file: do not add extra alignment to efi memmap David Gilhooley (1): arm64: Add MIDR encoding for NVIDIA CPUs David Howells (4): vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion rxrpc: Fix error reception on AF_INET6 sockets rxrpc: Fix the min security level for kernel calls afs: Fix the non-encryption of calls Emil Tantilov (1): ixgbe: return error on unsupported SFP module when resetting Emil Velikov (1): drm/msm: don't deref error pointer in the msm_fbdev_create error path Etienne Carriere (1): tee: check shm references are consistent in offset/size Evan Wang (2): libahci: Allow drivers to override stop_engine ata: ahci: mvebu: override ahci_stop_engine for mvebu AHCI Florian Fainelli (2): soc: bcm: raspberrypi-power: Fix use of __packed net: ethtool: Add missing kernel doc for FEC parameters Geert Uytterhoeven (3): soc: bcm2835: Make !RASPBERRYPI_FIRMWARE dummies return failure dt-bindings: meson-uart: DT fix s/clocks-names/clock-names/ dt-bindings: panel: lvds: Fix path to display timing bindings Greg Thelen (5): nvme: depend on INFINIBAND_ADDR_TRANS nvmet-rdma: depend on INFINIBAND_ADDR_TRANS ib_srpt: depend on INFINIBAND_ADDR_TRANS ib_srp: depend on INFINIBAND_ADDR_TRANS IB: make INFINIBAND_ADDR_TRANS configurable Hans de Goede (1): thermal: int3403_thermal: Fix NULL pointer deref on module load / probe Helge Deller (2): parisc: drivers.c: Fix section mismatches parisc: Move setup_profiling_timer() out of init section Huang Ying (1): mm, pagemap: fix swap offset value for PMD migration entry Håkon Bugge (1): IB/core: Make ib_mad_client_id atomic Igor Russkikh (1): net: aquantia: driver should correctly declare vlan_features bits Ilan Peer (1): mac80211: Adjust SAE authentication timeout Ingo Molnar (3): objtool, kprobes/x86: Sync the latest <asm/insn.h> header with tools/objtool/arch/x86/include/asm/insn.h x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI Jacopo Mondi (2): dt-bindings: serial: sh-sci: Add support for r8a77965 (H)SCIF dt-bindings: dmaengine: rcar-dmac: document R8A77965 support Jakob Unterwurzacher (1): can: dev: increase bus-off message severity Jakub Kicinski (1): nfp: ignore signals when communicating with management FW Janusz Krzysztofik (1): ARM: OMAP1: ams-delta: fix deferred_fiq handler Jeffrey Hugo (1): init: fix false positives in W+X checking Jerome Brunet (1): clk: honor CLK_MUX_ROUND_CLOSEST in generic clk mux Jianchao Wang (1): IB/rxe: add RXE_START_MASK for rxe_opcode IB_OPCODE_RC_SEND_ONLY_INV Jiang Biao (2): blkcg: don't hold blkcg lock when deactivating policy blkcg: init root blkcg_gq under lock Jim Gill (1): scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts Jingju Hou (1): net: phy: marvell: clear wol event before setting it John Fastabend (1): bpf: fix uninitialized variable in bpf tools Jon Maloy (1): tipc: fix bug in function tipc_nl_node_dump_monitor Josh Poimboeuf (5): objtool: Fix "noreturn" detection for recursive sibling calls objtool: Support GCC 8's cold subfunctions objtool: Support GCC 8 switch tables objtool: Detect RIP-relative switch table references objtool: Detect RIP-relative switch table references, part 2 Julian Wiedmann (1): s390/qeth: use Read device to query hypervisor for MAC Kan Liang (1): perf/x86/intel: Don't enable freeze-on-smi for PerfMon V1 Keith Busch (1): nvme: Set integrity flag for user passthrough commands Kevin Easton (1): af_key: Always verify length of provided sadb_key Krish Sadhukhan (1): x86: Add check for APIC access address for vmentry of L2 guests Laura Abbott (1): proc/kcore: don't bounds check against address 0 Liam Girdwood (1): ASoC: topology: Check widget kcontrols before deref. Loic Poulain (1): PCI: kirin: Fix reset gpio name Long Li (1): scsi: storvsc: Set up correct queue depth values for IDE devices Lukasz Majewski (1): doc: Add vendor prefix for Kieback & Peter GmbH Marian Rotariu (1): x86: Delay skip of emulated hypercall instruction Mark Rutland (4): arm64: ptrace: remove addr_limit manipulation arm64: fix possible spectre-v1 in ptrace_hbp_get_event() KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr() efi/libstub/arm64: Handle randomized TEXT_OFFSET Martin Schwidefsky (1): s390/smsgiucv: disable SMSG on module unload Masami Hiramatsu (3): selftests: ftrace: Add a testcase for multiple actions on trigger kprobes/x86: Prohibit probing on exception masking instructions uprobes/x86: Prohibit probing on MOV SS instruction Matan Barak (1): IB/uverbs: Fix validating mandatory attributes Matheus Castello (1): dt-bindings: pinctrl: sunxi: Fix reference to driver Mathieu Malaterre (4): driver core: add __printf verification to __ata_ehi_pushv_desc agp: uninorth: make two functions static sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h sched/deadline: Make the grub_reclaim() function static Matt Redfearn (1): MIPS: dts: Boston: Fix PCI bus dtc warnings: Michael J. Ruhl (1): IB/hfi1 Use correct type for num_user_context Michal Kalderon (2): qed: Fix l2 initializations over iWARP personality qede: Fix gfp flags sent to rdma event node allocation Mika Westerberg (1): ACPI / watchdog: Prefer iTCO_wdt on Lenovo Z50-70 Minchan Kim (1): mm: memcg: add __GFP_NOWARN in __memcg_schedule_kmem_cache_create() Ming Lei (1): scsi: target: fix crash with iscsi target and dvd Naveen N. Rao (2): powerpc/trace/syscalls: Update syscall name matching logic powerpc/trace/syscalls: Update syscall name matching logic to account for ppc_ prefix Nick Dyer (1): Input: atmel_mxt_ts - fix the firmware update Omar Sandoval (1): blk-mq: fix sysfs inflight counter Pablo Neira Ayuso (1): netfilter: nf_tables: NAT chain and extensions require NF_TABLES Parav Pandit (2): RDMA/cma: Fix use after destroy access to net namespace for IPoIB RDMA/cma: Do not query GID during QP state transition to RTR Paulo Alcantara (1): cifs: smb2ops: Fix listxattr() when there are no EAs Peter Rosin (3): i2c: pmcmsp: return message count on master_xfer success i2c: pmcmsp: fix error return from master_xfer i2c: viperboard: return message count on master_xfer success Peter Zijlstra (3): stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock kthread, sched/wait: Fix kthread_parkme() wait-loop sched/core: Introduce set_special_state() Ramon Fried (1): rpmsg: added MODULE_ALIAS for rpmsg_char Rich Felker (1): sh: fix build failure for J2 cpu with SMP disabled Rob Herring (1): spi: bcm2835aux: ensure interrupts are enabled for shared handler Roman Mashak (1): net sched actions: fix invalid pointer dereferencing if skbedit flags missing Russell King (2): ARM: keystone: fix platform_domain_notifier array overrun ARM: kexec: fix kdump register saving on panic() Sara Sharon (1): mac80211: use timeout from the AddBA response instead of the request Sebastian Sanchez (1): IB/hfi1: Fix memory leak in exception path in get_irq_affinity() Sekhar Nori (8): ARM: dts: da850: fix W=1 warnings with pinmux node ARM: davinci: board-da830-evm: fix GPIO lookup for MMC/SD ARM: davinci: board-da850-evm: fix GPIO lookup for MMC/SD ARM: davinci: board-omapl138-hawk: fix GPIO numbers for MMC/SD lookup ARM: davinci: board-dm355-evm: fix broken networking ARM: davinci: dm646x: fix timer interrupt generation ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF ARM: davinci: board-dm646x-evm: set VPIF capture card name Simon Gaiser (1): xen: xenbus_dev_frontend: Really return response string Sinan Kaya (2): MIPS: io: Prevent compiler reordering writeX() MIPS: io: Add barrier after register read in readX() Srinivas Kandagatla (1): ASoC: msm8916-wcd-analog: use threaded context for mbhc events Stefan Agner (2): drm/msm/dsi: use correct enum in dsi_get_cmd_fmt clk: imx6ull: use OSC clock during AXI rate change Stefan Raspl (1): smc: fix sendpage() call Taehee Yoo (1): netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update Tero Kristo (1): ARM: OMAP2+: powerdomain: use raw_smp_processor_id() for trace Tobias Jordan (1): remoteproc: qcom: Fix potential device node leaks Tobias Regnery (1): usb: typec: ucsi: fix tracepoint related build error Tomi Valkeinen (4): drm/omap: fix uninitialized ret variable drm/omap: fix possible NULL ref issue in tiler_reserve_2d drm/omap: check return value from soc_device_match drm/omap: handle alloc failures in omap_connector Tung Nguyen (1): tipc: fix infinite loop when dumping link monitor summary Tyler Hicks (1): eCryptfs: don't pass up plaintext names when using filename encryption Vinson Lee (1): scsi: megaraid_sas: Do not log an error if FW successfully initializes. Vladimir Zapolskiy (1): spi: sh-msiof: Fix bit field overflow writes to TSCR/RSCR Waiman Long (2): locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN Wanpeng Li (1): KVM: Extend MAX_IRQ_ROUTES to 4096 for all archs Yan Wang (1): ASoC: topology: Fix bugs of freeing soc topology Ying Xue (1): tipc: eliminate KMSAN uninit-value in strcmp complaint Zhu Yanjun (1): IB/rxe: avoid double kfree_skb dann frazier (1): net: hns: Avoid action name truncation hu huajun (1): KVM: X86: fix incorrect reference of trace_kvm_pi_irte_update jacek.tomaka(a)poczta.fm (1): x86/cpu/intel: Add missing TLB cpuid values oder_chiou(a)realtek.com (1): ASoC: rt5514: Add the missing register in the readable table pgzh (1): HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice sxauwsk (1): spi: cadence: Add usleep_range() for cdns_spi_fill_tx_fifo() van der Linden, Frank (1): x86/xen: Reset VCPU0 info pointer after shared_info remap Łukasz Stelmach (2): ARM: 8753/1: decompressor: add a missing parameter to the addruart macro ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel .../bindings/display/panel/panel-common.txt | 2 +- .../devicetree/bindings/dma/renesas,rcar-dmac.txt | 1 + .../bindings/pinctrl/allwinner,sunxi-pinctrl.txt | 6 +- .../bindings/serial/amlogic,meson-uart.txt | 2 +- .../bindings/serial/renesas,sci-serial.txt | 2 + .../devicetree/bindings/vendor-prefixes.txt | 1 + arch/arm/boot/compressed/head.S | 20 +- arch/arm/boot/dts/bcm-cygnus.dtsi | 2 +- arch/arm/boot/dts/da850.dtsi | 2 - arch/arm/boot/dts/logicpd-som-lv.dtsi | 11 +- arch/arm/kernel/machine_kexec.c | 34 ++- arch/arm/mach-davinci/board-da830-evm.c | 9 +- arch/arm/mach-davinci/board-da850-evm.c | 9 +- arch/arm/mach-davinci/board-dm355-evm.c | 6 + arch/arm/mach-davinci/board-dm646x-evm.c | 5 +- arch/arm/mach-davinci/board-omapl138-hawk.c | 10 +- arch/arm/mach-davinci/dm646x.c | 3 +- arch/arm/mach-keystone/pm_domain.c | 1 + arch/arm/mach-omap1/ams-delta-fiq.c | 28 +- arch/arm/mach-omap2/powerdomain.c | 4 +- arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi | 2 +- arch/arm64/include/asm/cputype.h | 6 + arch/arm64/kernel/ptrace.c | 20 +- arch/hexagon/include/asm/io.h | 6 + arch/hexagon/lib/checksum.c | 1 + arch/mips/boot/dts/img/boston.dts | 6 + arch/mips/include/asm/io.h | 4 +- arch/parisc/kernel/drivers.c | 7 +- arch/parisc/kernel/smp.c | 3 +- arch/parisc/kernel/time.c | 2 +- arch/powerpc/include/asm/ftrace.h | 29 ++- arch/powerpc/platforms/powernv/memtrace.c | 17 -- arch/sh/kernel/cpu/sh2/probe.c | 4 + arch/x86/events/intel/core.c | 9 +- arch/x86/include/asm/insn.h | 18 ++ arch/x86/kernel/cpu/intel.c | 3 + arch/x86/kernel/kexec-bzimage64.c | 5 +- arch/x86/kernel/kprobes/core.c | 4 + arch/x86/kernel/uprobes.c | 4 + arch/x86/kvm/hyperv.c | 2 +- arch/x86/kvm/svm.c | 5 +- arch/x86/kvm/vmx.c | 15 +- arch/x86/kvm/x86.c | 19 +- arch/x86/net/bpf_jit_comp.c | 4 +- arch/x86/xen/enlighten_hvm.c | 13 + block/blk-cgroup.c | 22 +- block/blk-mq.c | 19 ++ block/blk-mq.h | 4 +- block/genhd.c | 12 + block/partition-generic.c | 10 +- drivers/acpi/acpi_watchdog.c | 59 ++++- drivers/acpi/sleep.c | 13 + drivers/ata/ahci.c | 6 +- drivers/ata/ahci.h | 7 + drivers/ata/ahci_mvebu.c | 56 ++++ drivers/ata/ahci_qoriq.c | 2 +- drivers/ata/ahci_xgene.c | 4 +- drivers/ata/libahci.c | 20 +- drivers/ata/libata-eh.c | 4 +- drivers/ata/sata_highbank.c | 2 +- drivers/char/agp/uninorth-agp.c | 4 +- drivers/clk/clk-mux.c | 10 +- drivers/clk/clk.c | 7 +- drivers/clk/imx/clk-imx6ul.c | 2 +- drivers/clocksource/timer-imx-tpm.c | 8 +- drivers/firmware/efi/libstub/arm64-stub.c | 10 + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 13 +- drivers/gpu/drm/drm_dumb_buffers.c | 7 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- drivers/gpu/drm/msm/msm_fbdev.c | 11 +- drivers/gpu/drm/msm/msm_gem.c | 20 +- drivers/gpu/drm/omapdrm/dss/hdmi4.c | 2 +- drivers/gpu/drm/omapdrm/dss/hdmi4_core.c | 7 +- drivers/gpu/drm/omapdrm/dss/hdmi5.c | 2 +- drivers/gpu/drm/omapdrm/omap_connector.c | 10 + drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 6 +- drivers/gpu/drm/omapdrm/tcm-sita.c | 2 +- drivers/hid/Kconfig | 7 +- drivers/hid/hid-ids.h | 8 + drivers/hid/hid-lenovo.c | 36 +++ drivers/hid/intel-ish-hid/ishtp/bus.c | 2 +- drivers/hid/wacom_sys.c | 4 +- drivers/i2c/busses/i2c-pmcmsp.c | 4 +- drivers/i2c/busses/i2c-sprd.c | 22 +- drivers/i2c/busses/i2c-viperboard.c | 2 +- drivers/infiniband/Kconfig | 5 +- drivers/infiniband/core/cma.c | 60 +++-- drivers/infiniband/core/iwpm_util.c | 5 +- drivers/infiniband/core/mad.c | 4 +- drivers/infiniband/core/uverbs_ioctl.c | 9 + drivers/infiniband/hw/hfi1/affinity.c | 11 +- drivers/infiniband/hw/hfi1/init.c | 4 +- drivers/infiniband/sw/rxe/rxe_opcode.c | 2 +- drivers/infiniband/sw/rxe/rxe_req.c | 1 - drivers/infiniband/sw/rxe/rxe_resp.c | 6 +- drivers/infiniband/ulp/srp/Kconfig | 2 +- drivers/infiniband/ulp/srpt/Kconfig | 2 +- drivers/input/rmi4/rmi_spi.c | 7 +- drivers/input/touchscreen/atmel_mxt_ts.c | 186 ++++++++------ drivers/iommu/dmar.c | 2 +- drivers/net/can/dev.c | 2 +- drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 + drivers/net/ethernet/hisilicon/hns/hnae.h | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 + .../net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c | 3 +- drivers/net/ethernet/qlogic/qed/qed_l2.c | 6 +- drivers/net/ethernet/qlogic/qede/qede_rdma.c | 2 +- drivers/net/phy/marvell.c | 9 + drivers/nvme/host/Kconfig | 2 +- drivers/nvme/host/core.c | 1 + drivers/nvme/host/fabrics.c | 6 + drivers/nvme/target/Kconfig | 2 +- drivers/pci/dwc/pcie-kirin.c | 2 +- drivers/remoteproc/qcom_q6v5_pil.c | 2 + drivers/rpmsg/rpmsg_char.c | 2 + drivers/s390/net/qeth_core_main.c | 2 +- drivers/s390/net/smsgiucv.c | 2 +- drivers/scsi/isci/port_config.c | 3 +- drivers/scsi/megaraid/megaraid_sas_fusion.c | 6 +- drivers/scsi/scsi_transport_iscsi.c | 29 ++- drivers/scsi/storvsc_drv.c | 7 +- drivers/scsi/vmw_pvscsi.c | 2 +- drivers/soc/bcm/raspberrypi-power.c | 2 +- drivers/spi/spi-bcm2835aux.c | 5 + drivers/spi/spi-cadence.c | 8 + drivers/spi/spi-sh-msiof.c | 1 + drivers/target/target_core_pscsi.c | 2 + drivers/tee/tee_core.c | 11 + drivers/thermal/int340x_thermal/int3403_thermal.c | 3 +- drivers/usb/musb/musb_host.c | 5 +- drivers/usb/musb/musb_host.h | 7 +- drivers/usb/musb/musb_virthub.c | 25 +- drivers/usb/typec/ucsi/Makefile | 2 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 3 +- fs/afs/rxrpc.c | 7 + fs/cifs/smb2ops.c | 6 + fs/ecryptfs/crypto.c | 41 ++- fs/ecryptfs/file.c | 21 +- fs/isofs/inode.c | 3 + fs/namespace.c | 2 +- fs/notify/fsnotify.c | 25 +- fs/ocfs2/refcounttree.c | 14 +- fs/proc/base.c | 6 + fs/proc/kcore.c | 23 +- fs/proc/task_mmu.c | 6 +- include/linux/clk-provider.h | 3 + include/linux/ethtool.h | 2 + include/linux/genhd.h | 4 +- include/linux/kvm_host.h | 8 +- include/linux/mtd/map.h | 2 +- include/linux/percpu-rwsem.h | 6 +- include/linux/rwsem.h | 6 + include/linux/sched.h | 50 +++- include/linux/sched/signal.h | 2 +- include/linux/stringhash.h | 4 +- include/soc/bcm2835/raspberrypi-firmware.h | 4 +- init/main.c | 7 + kernel/kthread.c | 7 +- kernel/locking/rwsem-xadd.c | 19 +- kernel/locking/rwsem.c | 2 - kernel/locking/rwsem.h | 30 ++- kernel/module.c | 5 + kernel/sched/core.c | 17 +- kernel/sched/deadline.c | 4 +- kernel/sched/rt.c | 2 - kernel/sched/sched.h | 5 +- kernel/signal.c | 17 +- kernel/stop_machine.c | 19 +- mm/memcontrol.c | 2 +- net/ipv6/netfilter/Kconfig | 55 ++-- net/key/af_key.c | 45 +++- net/mac80211/agg-tx.c | 4 + net/mac80211/mlme.c | 25 +- net/mac80211/tx.c | 3 +- net/netfilter/nf_tables_api.c | 2 +- net/rds/ib_cm.c | 3 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/local_object.c | 57 +++-- net/sched/act_skbedit.c | 3 +- net/smc/af_smc.c | 6 +- net/tipc/monitor.c | 2 +- net/tipc/node.c | 28 +- sound/soc/codecs/msm8916-wcd-analog.c | 9 +- sound/soc/codecs/rt5514.c | 3 + sound/soc/soc-topology.c | 6 +- tools/net/bpf_dbg.c | 7 +- tools/objtool/arch/x86/include/asm/insn.h | 18 ++ tools/objtool/check.c | 167 ++++++------ tools/objtool/elf.c | 42 ++- tools/objtool/elf.h | 2 + tools/perf/util/symbol.c | 8 +- .../inter-event/trigger-multi-actions-accept.tc | 44 ++++ tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/mov_ss_trap.c | 285 +++++++++++++++++++++ tools/testing/selftests/x86/mpx-mini-test.c | 7 +- tools/testing/selftests/x86/protection_keys.c | 254 ++++++++++++------ virt/kvm/arm/vgic/vgic-mmio-v2.c | 5 + 197 files changed, 2023 insertions(+), 743 deletions(-) create mode 100644 tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc create mode 100644 tools/testing/selftests/x86/mov_ss_trap.c -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAlsYhUwACgkQ3qZv95d3 LNwvAA/7B6rEh6KBvJ5c3uklyLNuYAPfyDqqKErxQufYU6oZ+fVnxrSXSPEPiKjZ XZ13wR4v/+4LE8/a3bKTlfplyrs9CD5Ty+o9GTTwQ9lbtymu/aEOYqkYd4QW0VgV /jIEY+o/stGW5nPdKYxZVe7g3KYSmSYqWumoHIqzhrxa1eWd6s84+zo72h+QuWXI ahM2b14bDqc4Ku6JoCj7qLq6HJvfQyKLGZwn1QcGKbHjfmX+j1/ccBEVlxlSjGHu YuMlqbzD9YSB+J7js2H6ZMcFcGRMqh0QM9QZOvod0sOdP3o3HtZjmDRn2nyrxWd1 DLyQz1acj6bsnJhsEKRGJ2NGKRgcwPVGhJCUjhjOCb/wbfPOxNsJF4NOVAISJm3Z e6GHN3HWQq4F1JPqGArqa7kphFqLoOTZ/V4pE/iRw9PUq6wu+6vbB05CXBUiMc7t WvPtT37EnYMZwVK4Sto3wAjV9h8On4tY1KRZxv94rSDQpyupLP3KhxQF+XnBs6np XMY6A3Avq3M+giOT1BpZbZsHb5l7WhoTcpD75jUW9gT1pTxuArXdI2VYl2AsULqj 5KmV7JB6d7xHxH+/hoAbORREIFnyEXV6ib8NDDaUrZo5KN09jzwXKMgJU99wTJ8u U9v9kjv7P9fJeTdR8yfxTx0PpXHYKsOPU1Fqj54/6WWYd/gGjZA= =UirW -----END PGP SIGNATURE-----

7 years, 2 months

3
2
0 0

[patch 105/118] fs/binfmt_misc.c: do not allow offset overflow

by akpm＠linux-foundation.org

From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Subject: fs/binfmt_misc.c: do not allow offset overflow WHen registering a new binfmt_misc handler, it is possible to overflow the offset to get a negative value, which might crash the system, or possibly leak kernel data. Here is a crash log when 2500000000 was used as an offset: [ 6050.251552] BUG: unable to handle kernel paging request at ffff989cfd6edca0 [ 6050.252053] IP: load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] PGD 1ef3e067 P4D 1ef3e067 PUD 0 [ 6050.252053] Oops: 0000 [#1] SMP NOPTI [ 6050.252053] Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy [ 6050.252053] CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu [ 6050.252053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014 [ 6050.252053] RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] RSP: 0018:ffffb6e383017e18 EFLAGS: 00010202 [ 6050.252053] RAX: 0000000000000003 RBX: ffff989d74a47100 RCX: ffff989cfd6edca0 [ 6050.252053] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff989d7d2e95e5 [ 6050.252053] RBP: ffffb6e383017e48 R08: 0000000000000001 R09: 0000000000000000 [ 6050.252053] R10: 0000000000000000 R11: fefefefefefefeff R12: 0000000000000001 [ 6050.252053] R13: ffff989d7d2e9580 R14: 0000000000000000 R15: ffffffffc0592160 [ 6050.252053] FS: 00007fa424c89740(0000) GS:ffff989d7fc00000(0000) knlGS:0000000000000000 [ 6050.252053] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6050.252053] CR2: ffff989cfd6edca0 CR3: 000000003db08000 CR4: 00000000000006f0 [ 6050.252053] Call Trace: [ 6050.252053] search_binary_handler+0x97/0x1d0 [ 6050.252053] do_execveat_common.isra.34+0x667/0x810 [ 6050.252053] SyS_execve+0x31/0x40 [ 6050.252053] do_syscall_64+0x73/0x130 [ 6050.252053] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Use kstrtoint instead of simple_strtoul. It will work as the code already set the delimiter byte to '\0' and we only do it when the field is not empty. Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested with examples documented at Documentation/admin-guide/binfmt-misc.rst and other registrations from packages on Ubuntu. Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/binfmt_misc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff -puN fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow fs/binfmt_misc.c --- a/fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow +++ a/fs/binfmt_misc.c @@ -387,8 +387,13 @@ static Node *create_entry(const char __u s = strchr(p, del); if (!s) goto einval; - *s++ = '\0'; - e->offset = simple_strtoul(p, &p, 10); + *s = '\0'; + if (p != s) { + int r = kstrtoint(p, 10, &e->offset); + if (r != 0 || e->offset < 0) + goto einval; + } + p = s; if (*p++) goto einval; pr_debug("register: offset: %#x\n", e->offset); @@ -428,7 +433,8 @@ static Node *create_entry(const char __u if (e->mask && string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size) goto einval; - if (e->size + e->offset > BINPRM_BUF_SIZE) + if (e->size > BINPRM_BUF_SIZE || + BINPRM_BUF_SIZE - e->size < e->offset) goto einval; pr_debug("register: magic/mask length: %i\n", e->size); if (USE_DEBUG) { _

7 years, 2 months

1
0
0 0

[patch 079/118] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset

by akpm＠linux-foundation.org

From: Vlastimil Babka <vbabka(a)suse.cz> Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for allocations that can ignore memory policies. The zonelist is obtained from current CPU's node. This is a problem for __GFP_THISNODE allocations that want to allocate on a different node, e.g. because the allocating thread has been migrated to a different CPU. This has been observed to break SLAB in our 4.4-based kernel, because there it relies on __GFP_THISNODE working as intended. If a slab page is put on wrong node's list, then further list manipulations may corrupt the list because page_to_nid() is used to determine which node's list_lock should be locked and thus we may take a wrong lock and race. Current SLAB implementation seems to be immune by luck thanks to commit 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") but there may be others assuming that __GFP_THISNODE works as promised. We can fix it by simply removing the zonelist reset completely. There is actually no reason to reset it, because memory policies and cpusets don't affect the zonelist choice in the first place. This was different when commit 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their own restricted zonelists. We might consider this for 4.17 although I don't know if there's anything currently broken. SLAB is currently not affected, but in kernels older than 4.7 that don't yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") it is. That's at least 4.4 LTS. Older ones I'll have to check. So stable backports should be more important, but will have to be reviewed carefully, as the code went through many changes. BTW I think that also the ac->preferred_zoneref reset is currently useless if we don't also reset ac->nodemask from a mempolicy to NULL first (which we probably should for the OOM victims etc?), but I would leave that for a separate patch. Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") Acked-by: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: David Rientjes <rientjes(a)google.com> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 1 - 1 file changed, 1 deletion(-) diff -puN mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset mm/page_alloc.c --- a/mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset +++ a/mm/page_alloc.c @@ -4169,7 +4169,6 @@ retry: * orientated. */ if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) { - ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); ac->preferred_zoneref = first_zones_zonelist(ac->zonelist, ac->high_zoneidx, ac->nodemask); } _

7 years, 2 months

1
0
0 0

[patch 105/118] fs/binfmt_misc.c: do not allow offset overflow

by akpm＠linux-foundation.org

From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Subject: fs/binfmt_misc.c: do not allow offset overflow WHen registering a new binfmt_misc handler, it is possible to overflow the offset to get a negative value, which might crash the system, or possibly leak kernel data. Here is a crash log when 2500000000 was used as an offset: [ 6050.251552] BUG: unable to handle kernel paging request at ffff989cfd6edca0 [ 6050.252053] IP: load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] PGD 1ef3e067 P4D 1ef3e067 PUD 0 [ 6050.252053] Oops: 0000 [#1] SMP NOPTI [ 6050.252053] Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy [ 6050.252053] CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu [ 6050.252053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014 [ 6050.252053] RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc] [ 6050.252053] RSP: 0018:ffffb6e383017e18 EFLAGS: 00010202 [ 6050.252053] RAX: 0000000000000003 RBX: ffff989d74a47100 RCX: ffff989cfd6edca0 [ 6050.252053] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff989d7d2e95e5 [ 6050.252053] RBP: ffffb6e383017e48 R08: 0000000000000001 R09: 0000000000000000 [ 6050.252053] R10: 0000000000000000 R11: fefefefefefefeff R12: 0000000000000001 [ 6050.252053] R13: ffff989d7d2e9580 R14: 0000000000000000 R15: ffffffffc0592160 [ 6050.252053] FS: 00007fa424c89740(0000) GS:ffff989d7fc00000(0000) knlGS:0000000000000000 [ 6050.252053] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6050.252053] CR2: ffff989cfd6edca0 CR3: 000000003db08000 CR4: 00000000000006f0 [ 6050.252053] Call Trace: [ 6050.252053] search_binary_handler+0x97/0x1d0 [ 6050.252053] do_execveat_common.isra.34+0x667/0x810 [ 6050.252053] SyS_execve+0x31/0x40 [ 6050.252053] do_syscall_64+0x73/0x130 [ 6050.252053] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Use kstrtoint instead of simple_strtoul. It will work as the code already set the delimiter byte to '\0' and we only do it when the field is not empty. Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested with examples documented at Documentation/admin-guide/binfmt-misc.rst and other registrations from packages on Ubuntu. Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/binfmt_misc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff -puN fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow fs/binfmt_misc.c --- a/fs/binfmt_misc.c~fs-binfmt_miscc-do-not-allow-offset-overflow +++ a/fs/binfmt_misc.c @@ -387,8 +387,13 @@ static Node *create_entry(const char __u s = strchr(p, del); if (!s) goto einval; - *s++ = '\0'; - e->offset = simple_strtoul(p, &p, 10); + *s = '\0'; + if (p != s) { + int r = kstrtoint(p, 10, &e->offset); + if (r != 0 || e->offset < 0) + goto einval; + } + p = s; if (*p++) goto einval; pr_debug("register: offset: %#x\n", e->offset); @@ -428,7 +433,8 @@ static Node *create_entry(const char __u if (e->mask && string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size) goto einval; - if (e->size + e->offset > BINPRM_BUF_SIZE) + if (e->size > BINPRM_BUF_SIZE || + BINPRM_BUF_SIZE - e->size < e->offset) goto einval; pr_debug("register: magic/mask length: %i\n", e->size); if (USE_DEBUG) { _

7 years, 2 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror