- Linux-stable-mirror - lists.linaro.org

[merged] mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm: use vma_init() to initialize VMAs on stack and data segments has been removed from the -mm tree. Its filename was mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Subject: mm: use vma_init() to initialize VMAs on stack and data segments Make sure to initialize all VMAs properly, not only those which come from vm_area_cachep. Link: http://lkml.kernel.org/r/20180724121139.62570-3-kirill.shutemov@linux.intel… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/arm/kernel/process.c | 1 + arch/arm/mach-rpc/ecard.c | 2 +- arch/arm64/include/asm/tlb.h | 4 +++- arch/arm64/mm/hugetlbpage.c | 7 +++++-- arch/ia64/include/asm/tlb.h | 2 +- arch/ia64/mm/init.c | 2 +- arch/x86/um/mem_32.c | 2 +- fs/hugetlbfs/inode.c | 2 ++ mm/mempolicy.c | 1 + mm/shmem.c | 1 + 10 files changed, 17 insertions(+), 7 deletions(-) --- a/arch/arm64/include/asm/tlb.h~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/arch/arm64/include/asm/tlb.h @@ -37,7 +37,9 @@ static inline void __tlb_remove_table(vo static inline void tlb_flush(struct mmu_gather *tlb) { - struct vm_area_struct vma = { .vm_mm = tlb->mm, }; + struct vm_area_struct vma; + + vma_init(&vma, tlb->mm); /* * The ASID allocator will either invalidate the ASID or mark --- a/arch/arm64/mm/hugetlbpage.c~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/arch/arm64/mm/hugetlbpage.c @@ -108,11 +108,13 @@ static pte_t get_clear_flush(struct mm_s unsigned long pgsize, unsigned long ncontig) { - struct vm_area_struct vma = { .vm_mm = mm }; + struct vm_area_struct vma; pte_t orig_pte = huge_ptep_get(ptep); bool valid = pte_valid(orig_pte); unsigned long i, saddr = addr; + vma_init(&vma, mm); + for (i = 0; i < ncontig; i++, addr += pgsize, ptep++) { pte_t pte = ptep_get_and_clear(mm, addr, ptep); @@ -145,9 +147,10 @@ static void clear_flush(struct mm_struct unsigned long pgsize, unsigned long ncontig) { - struct vm_area_struct vma = { .vm_mm = mm }; + struct vm_area_struct vma; unsigned long i, saddr = addr; + vma_init(&vma, mm); for (i = 0; i < ncontig; i++, addr += pgsize, ptep++) pte_clear(mm, addr, ptep); --- a/arch/arm/kernel/process.c~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/arch/arm/kernel/process.c @@ -338,6 +338,7 @@ static struct vm_area_struct gate_vma = static int __init gate_vma_init(void) { + vma_init(&gate_vma, NULL); gate_vma.vm_page_prot = PAGE_READONLY_EXEC; return 0; } --- a/arch/arm/mach-rpc/ecard.c~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/arch/arm/mach-rpc/ecard.c @@ -237,8 +237,8 @@ static void ecard_init_pgtables(struct m memcpy(dst_pgd, src_pgd, sizeof(pgd_t) * (EASI_SIZE / PGDIR_SIZE)); + vma_init(&vma, mm); vma.vm_flags = VM_EXEC; - vma.vm_mm = mm; flush_tlb_range(&vma, IO_START, IO_START + IO_SIZE); flush_tlb_range(&vma, EASI_START, EASI_START + EASI_SIZE); --- a/arch/ia64/include/asm/tlb.h~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/arch/ia64/include/asm/tlb.h @@ -120,7 +120,7 @@ ia64_tlb_flush_mmu_tlbonly(struct mmu_ga */ struct vm_area_struct vma; - vma.vm_mm = tlb->mm; + vma_init(&vma, tlb->mm); /* flush the address range from the tlb: */ flush_tlb_range(&vma, start, end); /* now flush the virt. page-table area mapping the address range: */ --- a/arch/ia64/mm/init.c~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/arch/ia64/mm/init.c @@ -273,7 +273,7 @@ static struct vm_area_struct gate_vma; static int __init gate_vma_init(void) { - gate_vma.vm_mm = NULL; + vma_init(&gate_vma, NULL); gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; --- a/arch/x86/um/mem_32.c~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/arch/x86/um/mem_32.c @@ -16,7 +16,7 @@ static int __init gate_vma_init(void) if (!FIXADDR_USER_START) return 0; - gate_vma.vm_mm = NULL; + vma_init(&gate_vma, NULL); gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; --- a/fs/hugetlbfs/inode.c~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/fs/hugetlbfs/inode.c @@ -411,6 +411,7 @@ static void remove_inode_hugepages(struc bool truncate_op = (lend == LLONG_MAX); memset(&pseudo_vma, 0, sizeof(struct vm_area_struct)); + vma_init(&pseudo_vma, current->mm); pseudo_vma.vm_flags = (VM_HUGETLB | VM_MAYSHARE | VM_SHARED); pagevec_init(&pvec); next = start; @@ -595,6 +596,7 @@ static long hugetlbfs_fallocate(struct f * as input to create an allocation policy. */ memset(&pseudo_vma, 0, sizeof(struct vm_area_struct)); + vma_init(&pseudo_vma, mm); pseudo_vma.vm_flags = (VM_HUGETLB | VM_MAYSHARE | VM_SHARED); pseudo_vma.vm_file = file; --- a/mm/mempolicy.c~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/mm/mempolicy.c @@ -2505,6 +2505,7 @@ void mpol_shared_policy_init(struct shar /* Create pseudo-vma that contains just the policy */ memset(&pvma, 0, sizeof(struct vm_area_struct)); + vma_init(&pvma, NULL); pvma.vm_end = TASK_SIZE; /* policy covers entire file */ mpol_set_shared_policy(sp, &pvma, new); /* adds ref */ --- a/mm/shmem.c~mm-use-vma_init-to-initialize-vmas-on-stack-and-data-segments +++ a/mm/shmem.c @@ -1421,6 +1421,7 @@ static void shmem_pseudo_vma_init(struct { /* Create a pseudo vma that just contains the policy */ memset(vma, 0, sizeof(*vma)); + vma_init(vma, NULL); /* Bias interleave by inode number to distribute better across nodes */ vma->vm_pgoff = index + info->vfs_inode.i_ino; vma->vm_policy = mpol_shared_policy_lookup(&info->policy, index); _ Patches currently in -mm which might be from kirill.shutemov(a)linux.intel.com are mm-page_ext-drop-definition-of-unused-page_ext_debug_poison.patch mm-page_ext-constify-lookup_page_ext-argument.patch

7 years, 4 months

1
0
0 0

[merged] mm-introduce-vma_init.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm: introduce vma_init() has been removed from the -mm tree. Its filename was mm-introduce-vma_init.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Subject: mm: introduce vma_init() Not all VMAs allocated with vm_area_alloc(). Some of them allocated on stack or in data segment. The new helper can be use to initialize VMA properly regardless where it was allocated. Link: http://lkml.kernel.org/r/20180724121139.62570-2-kirill.shutemov@linux.intel… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mm.h | 6 ++++++ kernel/fork.c | 6 ++---- 2 files changed, 8 insertions(+), 4 deletions(-) --- a/include/linux/mm.h~mm-introduce-vma_init +++ a/include/linux/mm.h @@ -452,6 +452,12 @@ struct vm_operations_struct { unsigned long addr); }; +static inline void vma_init(struct vm_area_struct *vma, struct mm_struct *mm) +{ + vma->vm_mm = mm; + INIT_LIST_HEAD(&vma->anon_vma_chain); +} + struct mmu_gather; struct inode; --- a/kernel/fork.c~mm-introduce-vma_init +++ a/kernel/fork.c @@ -312,10 +312,8 @@ struct vm_area_struct *vm_area_alloc(str { struct vm_area_struct *vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); - if (vma) { - vma->vm_mm = mm; - INIT_LIST_HEAD(&vma->anon_vma_chain); - } + if (vma) + vma_init(vma, mm); return vma; } _ Patches currently in -mm which might be from kirill.shutemov(a)linux.intel.com are mm-page_ext-drop-definition-of-unused-page_ext_debug_poison.patch mm-page_ext-constify-lookup_page_ext-argument.patch

7 years, 4 months

1
0
0 0

[merged] mm-disallow-mapping-that-conflict-for-devm_memremap_pages.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm: disallow mappings that conflict for devm_memremap_pages() has been removed from the -mm tree. Its filename was mm-disallow-mapping-that-conflict-for-devm_memremap_pages.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Dave Jiang <dave.jiang(a)intel.com> Subject: mm: disallow mappings that conflict for devm_memremap_pages() When pmem namespaces created are smaller than section size, this can cause an issue during removal and gpf was observed: [ 249.613597] general protection fault: 0000 1 SMP PTI [ 249.725203] CPU: 36 PID: 3941 Comm: ndctl Tainted: G W 4.14.28-1.el7uek.x86_64 #2 [ 249.745495] task: ffff88acda150000 task.stack: ffffc900233a4000 [ 249.752107] RIP: 0010:__put_page+0x56/0x79 [ 249.844675] Call Trace: [ 249.847410] devm_memremap_pages_release+0x155/0x23a [ 249.852953] release_nodes+0x21e/0x260 [ 249.857138] devres_release_all+0x3c/0x48 [ 249.861606] device_release_driver_internal+0x15c/0x207 [ 249.867439] device_release_driver+0x12/0x14 [ 249.872204] unbind_store+0xba/0xd8 [ 249.876098] drv_attr_store+0x27/0x31 [ 249.880186] sysfs_kf_write+0x3f/0x46 [ 249.884266] kernfs_fop_write+0x10f/0x18b [ 249.888734] __vfs_write+0x3a/0x16d [ 249.892628] ? selinux_file_permission+0xe5/0x116 [ 249.897881] ? security_file_permission+0x41/0xbb [ 249.903133] vfs_write+0xb2/0x1a1 [ 249.906835] ? syscall_trace_enter+0x1ce/0x2b8 [ 249.911795] SyS_write+0x55/0xb9 [ 249.915397] do_syscall_64+0x79/0x1ae [ 249.919485] entry_SYSCALL_64_after_hwframe+0x3d/0x0 Add code to check whether we have a mapping already in the same section and prevent additional mappings from being created if that is the case. Link: http://lkml.kernel.org/r/152909478401.50143.312364396244072931.stgit@djiang… Signed-off-by: Dave Jiang <dave.jiang(a)intel.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Robert Elliott <elliott(a)hpe.com> Cc: Jeff Moyer <jmoyer(a)redhat.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/memremap.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) --- a/kernel/memremap.c~mm-disallow-mapping-that-conflict-for-devm_memremap_pages +++ a/kernel/memremap.c @@ -176,10 +176,27 @@ void *devm_memremap_pages(struct device unsigned long pfn, pgoff, order; pgprot_t pgprot = PAGE_KERNEL; int error, nid, is_ram; + struct dev_pagemap *conflict_pgmap; align_start = res->start & ~(SECTION_SIZE - 1); align_size = ALIGN(res->start + resource_size(res), SECTION_SIZE) - align_start; + align_end = align_start + align_size - 1; + + conflict_pgmap = get_dev_pagemap(PHYS_PFN(align_start), NULL); + if (conflict_pgmap) { + dev_WARN(dev, "Conflicting mapping in same section\n"); + put_dev_pagemap(conflict_pgmap); + return ERR_PTR(-ENOMEM); + } + + conflict_pgmap = get_dev_pagemap(PHYS_PFN(align_end), NULL); + if (conflict_pgmap) { + dev_WARN(dev, "Conflicting mapping in same section\n"); + put_dev_pagemap(conflict_pgmap); + return ERR_PTR(-ENOMEM); + } + is_ram = region_intersects(align_start, align_size, IORESOURCE_SYSTEM_RAM, IORES_DESC_NONE); @@ -199,7 +216,6 @@ void *devm_memremap_pages(struct device mutex_lock(&pgmap_lock); error = 0; - align_end = align_start + align_size - 1; foreach_order_pgoff(res, order, pgoff) { error = __radix_tree_insert(&pgmap_radix, _ Patches currently in -mm which might be from dave.jiang(a)intel.com are dax-remove-vm_mixedmap-for-fsdax-and-device-dax.patch

7 years, 4 months

1
0
0 0

[merged] delayacct-fix-crash-in-delayacct_blkio_end-after-delayacct-init-failure.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: delayacct: fix crash in delayacct_blkio_end() after delayacct init failure has been removed from the -mm tree. Its filename was delayacct-fix-crash-in-delayacct_blkio_end-after-delayacct-init-failure.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Tejun Heo <tj(a)kernel.org> Subject: delayacct: fix crash in delayacct_blkio_end() after delayacct init failure While forking, if delayacct init fails due to memory shortage, it continues expecting all delayacct users to check task->delays pointer against NULL before dereferencing it, which all of them used to do. c96f5471ce7d ("delayacct: Account blkio completion on the correct task"), while updating delayacct_blkio_end() to take the target task instead of always using %current, made the function test NULL on %current->delays and then continue to operated on @p->delays. If %current succeeded init while @p didn't, it leads to the following crash. BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 IP: __delayacct_blkio_end+0xc/0x40 PGD 8000001fd07e1067 P4D 8000001fd07e1067 PUD 1fcffbb067 PMD 0 Oops: 0000 [#1] SMP PTI CPU: 4 PID: 25774 Comm: QIOThread0 Not tainted 4.16.0-9_fbk1_rc2_1180_g6b593215b4d7 #9 Hardware name: Quanta Leopard ORv2-DDR4/Leopard ORv2-DDR4, BIOS F06_3B12 08/17/2017 RIP: 0010:__delayacct_blkio_end+0xc/0x40 RSP: 0000:ffff881fff703bf8 EFLAGS: 00010086 RAX: ffff881f1ec8b800 RBX: ffff8804f735cd54 RCX: ffff881fff703cb0 RDX: 0000000000000002 RSI: 0000000000000003 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffff881fff703cc0 R10: 0000000000001000 R11: ffff881fd3f73d00 R12: ffff8804f735c600 R13: 0000000000000000 R14: 000000000000001d R15: ffff881fff703cb0 FS: 00007f5003f7d700(0000) GS:ffff881fff700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000004 CR3: 0000001f401a6006 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> try_to_wake_up+0x2c0/0x600 autoremove_wake_function+0xe/0x30 __wake_up_common+0x74/0x120 wake_up_page_bit+0x9c/0xe0 mpage_end_io+0x27/0x70 blk_update_request+0x78/0x2c0 scsi_end_request+0x2c/0x1e0 scsi_io_completion+0x20b/0x5f0 blk_mq_complete_request+0xa2/0x100 ata_scsi_qc_complete+0x79/0x400 ata_qc_complete_multiple+0x86/0xd0 ahci_handle_port_interrupt+0xc9/0x5c0 ahci_handle_port_intr+0x54/0xb0 ahci_single_level_irq_intr+0x3b/0x60 __handle_irq_event_percpu+0x43/0x190 handle_irq_event_percpu+0x20/0x50 handle_irq_event+0x2a/0x50 handle_edge_irq+0x80/0x1c0 handle_irq+0xaf/0x120 do_IRQ+0x41/0xc0 common_interrupt+0xf/0xf </IRQ> Fix it by updating delayacct_blkio_end() check @p->delays instead. Link: http://lkml.kernel.org/r/20180724175542.GP1934745@devbig577.frc2.facebook.c… Fixes: c96f5471ce7d ("delayacct: Account blkio completion on the correct task") Signed-off-by: Tejun Heo <tj(a)kernel.org> Reported-by: Dave Jones <dsj(a)fb.com> Debugged-by: Dave Jones <dsj(a)fb.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Josh Snyder <joshs(a)netflix.com> Cc: <stable(a)vger.kernel.org> [4.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/delayacct.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/linux/delayacct.h~delayacct-fix-crash-in-delayacct_blkio_end-after-delayacct-init-failure +++ a/include/linux/delayacct.h @@ -124,7 +124,7 @@ static inline void delayacct_blkio_start static inline void delayacct_blkio_end(struct task_struct *p) { - if (current->delays) + if (p->delays) __delayacct_blkio_end(p); delayacct_clear_flag(DELAYACCT_PF_BLKIO); } _ Patches currently in -mm which might be from tj(a)kernel.org are

7 years, 4 months

1
0
0 0

[PATCH 3.18 00/27] 3.18.117-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 3.18.117 release. There are 27 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Jul 29 10:26:38 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.117-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 3.18.117-rc1 Arnd Bergmann <arnd(a)arndb.de> turn off -Wattribute-alias Arnd Bergmann <arnd(a)arndb.de> ARM: fix put_user() for gcc-8 Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: fix RX overflow interrupt not being enabled Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: fix device dropping off bus on RX overrun Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK Jerry Zhang <zhangjerry(a)google.com> usb: gadget: f_fs: Only return delayed status when len is 0 Bin Liu <b-liu(a)ti.com> usb: core: handle hub C_PORT_OVER_CURRENT condition Lubomir Rintel <lkundrak(a)v3.sk> usb: cdc_acm: Add quirk for Castles VEGA3000 Eric Dumazet <edumazet(a)google.com> tcp: detect malicious patterns in tcp_collapse_ofo_queue() Eric Dumazet <edumazet(a)google.com> tcp: avoid collapses in tcp_prune_queue() if possible Yuchung Cheng <ycheng(a)google.com> tcp: do not delay ACK in DCTCP upon CE status change Yuchung Cheng <ycheng(a)google.com> tcp: do not cancel delay-AcK on DCTCP special ACK Yuchung Cheng <ycheng(a)google.com> tcp: helpers to send special DCTCP ack Yuchung Cheng <ycheng(a)google.com> tcp: fix dctcp delayed ACK schedule Roopa Prabhu <roopa(a)cumulusnetworks.com> rtnetlink: add rtnl_link_state check in rtnl_configure_link Jack Morgenstein <jackm(a)dev.mellanox.co.il> net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper Paolo Abeni <pabeni(a)redhat.com> ip: hash fragments consistently Stefano Brivio <sbrivio(a)redhat.com> skbuff: Unconditionally copy pfmemalloc in __skb_clone() Stefano Brivio <sbrivio(a)redhat.com> net: Don't copy pfmemalloc flag in __copy_skb_header() Gustavo A. R. Silva <gustavo(a)embeddedor.com> ptp: fix missing break in switch Tyler Hicks <tyhicks(a)canonical.com> ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns Vineet Gupta <vgupta(a)synopsys.com> ARC: mm: allow mprotect to make stack mappings executable Alexey Brodkin <abrodkin(a)synopsys.com> ARC: Fix CONFIG_SWAP Takashi Iwai <tiwai(a)suse.de> ALSA: rawmidi: Change resized buffers atomically OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix memory allocation failure handling of match_strdup() Dewet Thibaut <thibaut.dewet(a)nokia.com> x86/MCE: Remove min interval polling limitation ------------- Diffstat: Makefile | 5 +- arch/arc/include/asm/page.h | 2 +- arch/arc/include/asm/pgtable.h | 2 +- arch/arm/include/asm/uaccess.h | 2 +- arch/x86/kernel/cpu/mcheck/mce.c | 3 - drivers/net/can/xilinx_can.c | 98 ++++++++++++++++------ .../net/ethernet/mellanox/mlx4/resource_tracker.c | 2 +- drivers/ptp/ptp_chardev.c | 1 + drivers/usb/class/cdc-acm.c | 3 + drivers/usb/core/hub.c | 8 +- drivers/usb/gadget/function/f_fs.c | 2 +- fs/fat/inode.c | 20 +++-- include/linux/skbuff.h | 12 +-- include/net/tcp.h | 2 + net/core/rtnetlink.c | 9 +- net/core/skbuff.c | 1 + net/ipv4/ip_output.c | 2 + net/ipv4/sysctl_net_ipv4.c | 5 +- net/ipv4/tcp_dctcp.c | 50 ++++------- net/ipv4/tcp_input.c | 21 ++++- net/ipv4/tcp_output.c | 33 ++++++-- net/ipv6/ip6_output.c | 2 + sound/core/rawmidi.c | 20 +++-- 23 files changed, 198 insertions(+), 107 deletions(-)

7 years, 4 months

4
31
0 0

[PATCH 3/3] ext4: mballoc: Fix spectre gadget in ext4_mb_simple_scan_group

by Jeremy Cline

'ac->ac_2order' is a user-controlled value used to index into 'grp->bb_counters' and based on the value at that index, 'ac->ac_found' is written to. Clamp the value right after the bounds check to avoid a speculative out-of-bounds read of 'grp->bb_counters'. This also protects the access of the s_mb_offsets and s_mb_maxs arrays inside mb_find_buddy(). These gadgets were discovered with the help of smatch: * fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential spectre issue 'grp->bb_counters' [w] (local cap) * fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue 'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap) * fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue 'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap) Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Jeremy Cline <jcline(a)redhat.com> --- fs/ext4/mballoc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index f7ab34088162..c0866007a949 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -14,6 +14,7 @@ #include <linux/log2.h> #include <linux/module.h> #include <linux/slab.h> +#include <linux/nospec.h> #include <linux/backing-dev.h> #include <trace/events/ext4.h> @@ -1893,6 +1894,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, BUG_ON(ac->ac_2order <= 0); for (i = ac->ac_2order; i <= sb->s_blocksize_bits + 1; i++) { + i = array_index_nospec(i, sb->s_blocksize_bits + 2); if (grp->bb_counters[i] == 0) continue; -- 2.17.1

7 years, 4 months

2
1
0 0

[PATCH 2/3] ext4: super: Fix spectre gadgets in ext4_quota_{read, write, off}

by Jeremy Cline

'type' is a user-controlled value used to index 'sb_dqopt(sb)->files'. Clamp 'type' to the size of the array to avoid a speculative out-of-bounds read. These gadgets were found with the help of smatch: * fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue 'sb_dqopt(sb)->files' [r] * fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue 'sb_dqopt(sb)->files' [r] Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Jeremy Cline <jcline(a)redhat.com> --- fs/ext4/super.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index c04a09b51742..de358eba024a 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -5693,10 +5693,13 @@ static int ext4_enable_quotas(struct super_block *sb) static int ext4_quota_off(struct super_block *sb, int type) { - struct inode *inode = sb_dqopt(sb)->files[type]; + struct inode *inode; handle_t *handle; int err; + type = array_index_nospec(type, MAXQUOTAS); + inode = sb_dqopt(sb)->files[type]; + /* Force all delayed allocation blocks to be allocated. * Caller already holds s_umount sem */ if (test_opt(sb, DELALLOC)) @@ -5740,13 +5743,17 @@ static int ext4_quota_off(struct super_block *sb, int type) static ssize_t ext4_quota_read(struct super_block *sb, int type, char *data, size_t len, loff_t off) { - struct inode *inode = sb_dqopt(sb)->files[type]; + struct inode *inode; ext4_lblk_t blk = off >> EXT4_BLOCK_SIZE_BITS(sb); int offset = off & (sb->s_blocksize - 1); int tocopy; size_t toread; struct buffer_head *bh; - loff_t i_size = i_size_read(inode); + loff_t i_size; + + type = array_index_nospec(type, MAXQUOTAS); + inode = sb_dqopt(sb)->files[type]; + i_size = i_size_read(inode); if (off > i_size) return 0; @@ -5777,13 +5784,16 @@ static ssize_t ext4_quota_read(struct super_block *sb, int type, char *data, static ssize_t ext4_quota_write(struct super_block *sb, int type, const char *data, size_t len, loff_t off) { - struct inode *inode = sb_dqopt(sb)->files[type]; + struct inode *inode; ext4_lblk_t blk = off >> EXT4_BLOCK_SIZE_BITS(sb); int err, offset = off & (sb->s_blocksize - 1); int retries = 0; struct buffer_head *bh; handle_t *handle = journal_current_handle(); + type = array_index_nospec(type, MAXQUOTAS); + inode = sb_dqopt(sb)->files[type]; + if (EXT4_SB(sb)->s_journal && !handle) { ext4_msg(sb, KERN_WARNING, "Quota write (off=%llu, len=%llu)" " cancelled because transaction is not started", -- 2.17.1

7 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] can: m_can.c: fix setup of CCCR register: clear CCCR NISO bit" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 393753b217f05474e714aea36c37501546ed1202 Mon Sep 17 00:00:00 2001 From: Roman Fietze <roman.fietze(a)telemotive.de> Date: Wed, 11 Jul 2018 15:36:14 +0200 Subject: [PATCH] can: m_can.c: fix setup of CCCR register: clear CCCR NISO bit before checking can.ctrlmode Inside m_can_chip_config(), when setting up the new value of the CCCR, the CCCR_NISO bit is not cleared like the others, CCCR_TEST, CCCR_MON, CCCR_BRSE and CCCR_FDOE, before checking the can.ctrlmode bits for CAN_CTRLMODE_FD_NON_ISO. This way once the controller was configured for CAN_CTRLMODE_FD_NON_ISO, this mode could never be cleared again. This fix is only relevant for controllers with version 3.1.x or 3.2.x. Older versions do not support NISO. Signed-off-by: Roman Fietze <roman.fietze(a)telemotive.de> Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c index b397a33f3d32..8e2b7f873c4d 100644 --- a/drivers/net/can/m_can/m_can.c +++ b/drivers/net/can/m_can/m_can.c @@ -1109,7 +1109,8 @@ static void m_can_chip_config(struct net_device *dev) } else { /* Version 3.1.x or 3.2.x */ - cccr &= ~(CCCR_TEST | CCCR_MON | CCCR_BRSE | CCCR_FDOE); + cccr &= ~(CCCR_TEST | CCCR_MON | CCCR_BRSE | CCCR_FDOE | + CCCR_NISO); /* Only 3.2.x has NISO Bit implemented */ if (priv->can.ctrlmode & CAN_CTRLMODE_FD_NON_ISO)

7 years, 4 months

3
2
0 0

company photos

by Jeremy

I would like to contact the person who manages your images for your company? We services such as background image cut out, clipping path, shadow adding (drop shadow, reflection shadow, natural shadow, mirror effect), image masking, product image editing. The following are the kind of services together: Clipping Path Service Cut out image,Image Clipping, Clip image Photo Masking Service Crop image, Photo cut out Beauty Retouching, Model retouching We can give you editing test on your photos. Also, we also use the most recent application as well as techniques such as Adobe Photoshop. Thanks, Jeremy

7 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] can: xilinx_can: fix incorrect clear of non-processed" failed to apply to 3.18-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 3.18-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2f4f0f338cf453bfcdbcf089e177c16f35f023c8 Mon Sep 17 00:00:00 2001 From: Anssi Hannula <anssi.hannula(a)bitwise.fi> Date: Mon, 26 Feb 2018 14:39:59 +0200 Subject: [PATCH] can: xilinx_can: fix incorrect clear of non-processed interrupts xcan_interrupt() clears ERROR|RXOFLV|BSOFF|ARBLST interrupts if any of them is asserted. This does not take into account that some of them could have been asserted between interrupt status read and interrupt clear, therefore clearing them without handling them. Fix the code to only clear those interrupts that it knows are asserted and therefore going to be processed in xcan_err_interrupt(). Fixes: b1201e44f50b ("can: xilinx CAN controller support") Signed-off-by: Anssi Hannula <anssi.hannula(a)bitwise.fi> Cc: Michal Simek <michal.simek(a)xilinx.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c index ea9f9d1a5ba7..cb80a9aa7281 100644 --- a/drivers/net/can/xilinx_can.c +++ b/drivers/net/can/xilinx_can.c @@ -938,6 +938,7 @@ static irqreturn_t xcan_interrupt(int irq, void *dev_id) struct net_device *ndev = (struct net_device *)dev_id; struct xcan_priv *priv = netdev_priv(ndev); u32 isr, ier; + u32 isr_errors; /* Get the interrupt status from Xilinx CAN */ isr = priv->read_reg(priv, XCAN_ISR_OFFSET); @@ -956,11 +957,10 @@ static irqreturn_t xcan_interrupt(int irq, void *dev_id) xcan_tx_interrupt(ndev, isr); /* Check for the type of error interrupt and Processing it */ - if (isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK | - XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK)) { - priv->write_reg(priv, XCAN_ICR_OFFSET, (XCAN_IXR_ERROR_MASK | - XCAN_IXR_RXOFLW_MASK | XCAN_IXR_BSOFF_MASK | - XCAN_IXR_ARBLST_MASK)); + isr_errors = isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK | + XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK); + if (isr_errors) { + priv->write_reg(priv, XCAN_ICR_OFFSET, isr_errors); xcan_err_interrupt(ndev, isr); }

7 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror