- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] [PATCH] USB: core: Fix misuse of USB_DT_USB_SSP_CAP_SIZE()

by Masakazu Mokuno

As USB_DT_USB_SSP_CAP_SIZE() takes SSAC value as an argument, the low bound of the size for struct usb_ssp_cap_descriptor should be described by USB_DT_USB_SSP_CAP_SIZE(0), not by USB_DT_USB_SSP_CAP_SIZE(1) The type-specific length check patch was added to stable and needs to be fixed as well. Fixes: 81cf4a45360f ("USB: core: Add type-specific length check of BOS descriptors") Cc: linux-stable <stable(a)vger.kernel.org> Cc: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> -- drivers/usb/core/config.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 78e92d2..33a3ab7 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -911,7 +911,7 @@ void usb_release_bos_descriptor(struct usb_device *dev) [USB_CAP_TYPE_WIRELESS_USB] = USB_DT_USB_WIRELESS_CAP_SIZE, [USB_CAP_TYPE_EXT] = USB_DT_USB_EXT_CAP_SIZE, [USB_SS_CAP_TYPE] = USB_DT_USB_SS_CAP_SIZE, - [USB_SSP_CAP_TYPE] = USB_DT_USB_SSP_CAP_SIZE(1), + [USB_SSP_CAP_TYPE] = USB_DT_USB_SSP_CAP_SIZE(0), [CONTAINER_ID_TYPE] = USB_DT_USB_SS_CONTN_ID_SIZE, [USB_PTM_CAP_TYPE] = USB_DT_USB_PTM_ID_SIZE, }; -- Masakazu Mokuno

7 years, 1 month

3
2
0 0

[Linux-stable-mirror] [PATCH] phy: work around 'phys' references to usb-phy devices

by Arnd Bergmann

Stefan Wahren reports a problem with a warning fix that was merged for v4.15: we had lots of device nodes with a 'phys' property pointing to a device node that is not compliant with the binding documented in Documentation/devicetree/bindings/phy/phy-bindings.txt This generally works because USB HCD drivers that support both the generic phy subsystem and the older usb-phy subsystem ignore most errors from phy_get() and related calls and then use the usb-phy driver instead. However, usb_add_hcd() (along with the respective functions in dwc2 and dwc3) propagate the EPROBE_DEFER return code so we can try again whenever the driver gets loaded. In case the driver is written for the usb-phy subsystem (like usb-generic-phy aka usb-nop-xceiv), we will never load a generic-phy driver for it, and keep failing here. There is only a small number of remaining usb-phy drivers that support device tree, so this adds a workaround by providing a full list of the potentially affected drivers, and always failing the probe with -ENODEV here, which is the same behavior that we used to get with incorrect device tree files. Since we generally want older kernels to also want to work with the fixed devicetree files, it would be good to backport the patch into stable kernels as well (3.13+ are possibly affected). Reverting back to the DTS sources that work would in theory fix USB support for now, but in the long run we'd run into the same problem again when the drivers get ported from usb-phy to generic-phy. Fixes: 014d6da6cb25 ("ARM: dts: bcm283x: Fix DTC warnings about missing phy-cells") Link: https://marc.info/?l=linux-usb&m=151518314314753&w=2 Cc: stable(a)vger.kernel.org Cc: Stefan Wahren <stefan.wahren(a)i2se.com> Cc: Felipe Balbi <balbi(a)kernel.org> Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- This obviously needs to be tested, I wrote this up as a reply to Stefan's bug report. I'm fairly sure that I covered all usb-phy driver strings here. My goal is to have a fix merged into 4.15 rather than reverting all the DT fixes. --- drivers/phy/phy-core.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c index b4964b067aec..bb4dd2a2de2d 100644 --- a/drivers/phy/phy-core.c +++ b/drivers/phy/phy-core.c @@ -387,6 +387,24 @@ int phy_calibrate(struct phy *phy) } EXPORT_SYMBOL_GPL(phy_calibrate); +static struct of_device_id __maybe_unused legacy_usbphy[] = { + { .compatible = "fsl,imx23-usbphy" }, + { .compatible = "fsl,imx6q-usbphy" }, + { .compatible = "fsl,imx6sl-usbphy" }, + { .compatible = "fsl,imx6sx-usbphy" }, + { .compatible = "fsl,imx6ul-usbphy" }, + { .compatible = "fsl,vf610-usbphy" }, + { .compatible = "nvidia,tegra20-usb-phy" }, + { .compatible = "nvidia,tegra30-usb-phy" }, + { .compatible = "nxp,isp1301" }, + { .compatible = "ti,am335x-usb-ctrl-module" }, + { .compatible = "ti,am335x-usb-phy" }, + { .compatible = "ti,keystone-usbphy" }, + { .compatible = "ti,twl6030-usb" }, + { .compatible = "usb-nop-xceiv" }, + {}, +}; + /** * _of_phy_get() - lookup and obtain a reference to a phy by phandle * @np: device_node for which to get the phy @@ -410,6 +428,15 @@ static struct phy *_of_phy_get(struct device_node *np, int index) if (ret) return ERR_PTR(-ENODEV); + /* + * Some USB host controllers use a "phys" property to refer to + * a device that does not have a generic phy driver but that + * has a driver for the older usb-phy framework. + * We must not return -EPROBE_DEFER for those, so bail out early. + */ + if (of_match_node(legacy_usbphy, args.np)) + return ERR_PTR(-ENODEV); + mutex_lock(&phy_provider_mutex); phy_provider = of_phy_provider_lookup(args.np); if (IS_ERR(phy_provider) || !try_module_get(phy_provider->owner)) { -- 2.9.0

7 years, 1 month

2
4
0 0

[Linux-stable-mirror] [PATCH 3.18] MIPS: Factor out NT_PRFPREG regset access helpers

by Maciej W. Rozycki

In preparation to fix a commit 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for FP regset") FCSR access regression factor out NT_PRFPREG regset access helpers for the non-MSA and the MSA variants respectively, to avoid having to deal with excessive indentation in the actual fix. No functional change, however use `target->thread.fpu.fpr[0]' rather than `target->thread.fpu.fpr[i]' for FGR holding type size determination as there's no `i' variable to refer to anymore, and for the factored out `i' variable declaration use `unsigned int' rather than `unsigned' as its type, following the common style. Signed-off-by: Maciej W. Rozycki <macro(a)mips.com> Fixes: 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for FP regset") Cc: James Hogan <james.hogan(a)mips.com> Cc: Paul Burton <Paul.Burton(a)mips.com> Cc: Alex Smith <alex(a)alex-smith.me.uk> Cc: Dave Martin <Dave.Martin(a)arm.com> Cc: linux-mips(a)linux-mips.org Cc: linux-kernel(a)vger.kernel.org Cc: stable(a)vger.kernel.org # v3.15+ Patchwork: https://patchwork.linux-mips.org/patch/17925/ Signed-off-by: Ralf Baechle <ralf(a)linux-mips.org> --- Hi, This is a (mechanically regenerated) version of commit a03fe72572c1 for 3.18-stable and before. No functional changes. Please apply. Maciej --- arch/mips/kernel/ptrace.c | 106 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 82 insertions(+), 24 deletions(-) linux-mips-nt-prfpreg-factor-out.diff Index: linux-stable-el/arch/mips/kernel/ptrace.c =================================================================== --- linux-stable-el.orig/arch/mips/kernel/ptrace.c 2018-01-10 18:16:16.000000000 +0000 +++ linux-stable-el/arch/mips/kernel/ptrace.c 2018-01-10 20:00:49.092601000 +0000 @@ -400,25 +400,36 @@ static int gpr64_set(struct task_struct #endif /* CONFIG_64BIT */ -static int fpr_get(struct task_struct *target, - const struct user_regset *regset, - unsigned int pos, unsigned int count, - void *kbuf, void __user *ubuf) +/* + * Copy the floating-point context to the supplied NT_PRFPREG buffer, + * !CONFIG_CPU_HAS_MSA variant. FP context's general register slots + * correspond 1:1 to buffer slots. + */ +static int fpr_get_fpa(struct task_struct *target, + unsigned int *pos, unsigned int *count, + void **kbuf, void __user **ubuf) { - unsigned i; - int err; - u64 fpr_val; - - /* XXX fcr31 */ + return user_regset_copyout(pos, count, kbuf, ubuf, + &target->thread.fpu, + 0, sizeof(elf_fpregset_t)); +} - if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t)) - return user_regset_copyout(&pos, &count, &kbuf, &ubuf, - &target->thread.fpu, - 0, sizeof(elf_fpregset_t)); +/* + * Copy the floating-point context to the supplied NT_PRFPREG buffer, + * CONFIG_CPU_HAS_MSA variant. Only lower 64 bits of FP context's + * general register slots are copied to buffer slots. + */ +static int fpr_get_msa(struct task_struct *target, + unsigned int *pos, unsigned int *count, + void **kbuf, void __user **ubuf) +{ + unsigned int i; + u64 fpr_val; + int err; for (i = 0; i < NUM_FPU_REGS; i++) { fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0); - err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, + err = user_regset_copyout(pos, count, kbuf, ubuf, &fpr_val, i * sizeof(elf_fpreg_t), (i + 1) * sizeof(elf_fpreg_t)); if (err) @@ -428,25 +439,54 @@ static int fpr_get(struct task_struct *t return 0; } -static int fpr_set(struct task_struct *target, +/* Copy the floating-point context to the supplied NT_PRFPREG buffer. */ +static int fpr_get(struct task_struct *target, const struct user_regset *regset, unsigned int pos, unsigned int count, - const void *kbuf, const void __user *ubuf) + void *kbuf, void __user *ubuf) { - unsigned i; int err; - u64 fpr_val; /* XXX fcr31 */ - if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t)) - return user_regset_copyin(&pos, &count, &kbuf, &ubuf, - &target->thread.fpu, - 0, sizeof(elf_fpregset_t)); + if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t)) + err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf); + else + err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf); + + return err; +} + +/* + * Copy the supplied NT_PRFPREG buffer to the floating-point context, + * !CONFIG_CPU_HAS_MSA variant. Buffer slots correspond 1:1 to FP + * context's general register slots. + */ +static int fpr_set_fpa(struct task_struct *target, + unsigned int *pos, unsigned int *count, + const void **kbuf, const void __user **ubuf) +{ + return user_regset_copyin(pos, count, kbuf, ubuf, + &target->thread.fpu, + 0, sizeof(elf_fpregset_t)); +} + +/* + * Copy the supplied NT_PRFPREG buffer to the floating-point context, + * CONFIG_CPU_HAS_MSA variant. Buffer slots are copied to lower 64 + * bits only of FP context's general register slots. + */ +static int fpr_set_msa(struct task_struct *target, + unsigned int *pos, unsigned int *count, + const void **kbuf, const void __user **ubuf) +{ + unsigned int i; + u64 fpr_val; + int err; BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); - for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) { - err = user_regset_copyin(&pos, &count, &kbuf, &ubuf, + for (i = 0; i < NUM_FPU_REGS && *count >= sizeof(elf_fpreg_t); i++) { + err = user_regset_copyin(pos, count, kbuf, ubuf, &fpr_val, i * sizeof(elf_fpreg_t), (i + 1) * sizeof(elf_fpreg_t)); if (err) @@ -457,6 +497,24 @@ static int fpr_set(struct task_struct *t return 0; } +/* Copy the supplied NT_PRFPREG buffer to the floating-point context. */ +static int fpr_set(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) +{ + int err; + + /* XXX fcr31 */ + + if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t)) + err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf); + else + err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf); + + return err; +} + enum mips_regset { REGSET_GPR, REGSET_FPR,

7 years, 1 month

2
2
0 0

[Linux-stable-mirror] Patch "lan78xx: use skb_cow_head() to deal with cloned skbs" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled lan78xx: use skb_cow_head() to deal with cloned skbs to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From d4ca73591916b760478d2b04334d5dcadc028e9c Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Wed, 19 Apr 2017 09:59:24 -0700 Subject: lan78xx: use skb_cow_head() to deal with cloned skbs From: Eric Dumazet <edumazet(a)google.com> commit d4ca73591916b760478d2b04334d5dcadc028e9c upstream. We need to ensure there is enough headroom to push extra header, but we also need to check if we are allowed to change headers. skb_cow_head() is the proper helper to deal with this. Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: James Hughes <james.hughes(a)raspberrypi.org> Cc: Woojung Huh <woojung.huh(a)microchip.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/usb/lan78xx.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -2419,14 +2419,9 @@ static struct sk_buff *lan78xx_tx_prep(s { u32 tx_cmd_a, tx_cmd_b; - if (skb_headroom(skb) < TX_OVERHEAD) { - struct sk_buff *skb2; - - skb2 = skb_copy_expand(skb, TX_OVERHEAD, 0, flags); + if (skb_cow_head(skb, TX_OVERHEAD)) { dev_kfree_skb_any(skb); - skb = skb2; - if (!skb) - return NULL; + return NULL; } if (lan78xx_linearize(skb) < 0) Patches currently in stable-queue which might be from edumazet(a)google.com are queue-4.9/lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "smsc75xx: use skb_cow_head() to deal with cloned skbs" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled smsc75xx: use skb_cow_head() to deal with cloned skbs to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From b7c6d2675899cfff0180412c63fc9cbd5bacdb4d Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Wed, 19 Apr 2017 09:59:21 -0700 Subject: smsc75xx: use skb_cow_head() to deal with cloned skbs From: Eric Dumazet <edumazet(a)google.com> commit b7c6d2675899cfff0180412c63fc9cbd5bacdb4d upstream. We need to ensure there is enough headroom to push extra header, but we also need to check if we are allowed to change headers. skb_cow_head() is the proper helper to deal with this. Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: James Hughes <james.hughes(a)raspberrypi.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/usb/smsc75xx.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) --- a/drivers/net/usb/smsc75xx.c +++ b/drivers/net/usb/smsc75xx.c @@ -2205,13 +2205,9 @@ static struct sk_buff *smsc75xx_tx_fixup { u32 tx_cmd_a, tx_cmd_b; - if (skb_headroom(skb) < SMSC75XX_TX_OVERHEAD) { - struct sk_buff *skb2 = - skb_copy_expand(skb, SMSC75XX_TX_OVERHEAD, 0, flags); + if (skb_cow_head(skb, SMSC75XX_TX_OVERHEAD)) { dev_kfree_skb_any(skb); - skb = skb2; - if (!skb) - return NULL; + return NULL; } tx_cmd_a = (u32)(skb->len & TX_CMD_A_LEN) | TX_CMD_A_FCS; Patches currently in stable-queue which might be from edumazet(a)google.com are queue-4.9/lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "sr9700: use skb_cow_head() to deal with cloned skbs" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled sr9700: use skb_cow_head() to deal with cloned skbs to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From d532c1082f68176363ed766d09bf187616e282fe Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Wed, 19 Apr 2017 09:59:23 -0700 Subject: sr9700: use skb_cow_head() to deal with cloned skbs From: Eric Dumazet <edumazet(a)google.com> commit d532c1082f68176363ed766d09bf187616e282fe upstream. We need to ensure there is enough headroom to push extra header, but we also need to check if we are allowed to change headers. skb_cow_head() is the proper helper to deal with this. Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: James Hughes <james.hughes(a)raspberrypi.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/usb/sr9700.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) --- a/drivers/net/usb/sr9700.c +++ b/drivers/net/usb/sr9700.c @@ -456,14 +456,9 @@ static struct sk_buff *sr9700_tx_fixup(s len = skb->len; - if (skb_headroom(skb) < SR_TX_OVERHEAD) { - struct sk_buff *skb2; - - skb2 = skb_copy_expand(skb, SR_TX_OVERHEAD, 0, flags); + if (skb_cow_head(skb, SR_TX_OVERHEAD)) { dev_kfree_skb_any(skb); - skb = skb2; - if (!skb) - return NULL; + return NULL; } __skb_push(skb, SR_TX_OVERHEAD); Patches currently in stable-queue which might be from edumazet(a)google.com are queue-4.9/lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "cx82310_eth: use skb_cow_head() to deal with cloned skbs" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled cx82310_eth: use skb_cow_head() to deal with cloned skbs to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skbs.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From a9e840a2081ed28c2b7caa6a9a0041c950b3c37d Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Wed, 19 Apr 2017 09:59:22 -0700 Subject: cx82310_eth: use skb_cow_head() to deal with cloned skbs From: Eric Dumazet <edumazet(a)google.com> commit a9e840a2081ed28c2b7caa6a9a0041c950b3c37d upstream. We need to ensure there is enough headroom to push extra header, but we also need to check if we are allowed to change headers. skb_cow_head() is the proper helper to deal with this. Fixes: cc28a20e77b2 ("introduce cx82310_eth: Conexant CX82310-based ADSL router USB ethernet driver") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: James Hughes <james.hughes(a)raspberrypi.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/usb/cx82310_eth.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) --- a/drivers/net/usb/cx82310_eth.c +++ b/drivers/net/usb/cx82310_eth.c @@ -293,12 +293,9 @@ static struct sk_buff *cx82310_tx_fixup( { int len = skb->len; - if (skb_headroom(skb) < 2) { - struct sk_buff *skb2 = skb_copy_expand(skb, 2, 0, flags); + if (skb_cow_head(skb, 2)) { dev_kfree_skb_any(skb); - skb = skb2; - if (!skb) - return NULL; + return NULL; } skb_push(skb, 2); Patches currently in stable-queue which might be from edumazet(a)google.com are queue-4.9/lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.9/smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "x86/mm/pat, /dev/mem: Remove superfluous error message" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/mm/pat, /dev/mem: Remove superfluous error message to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86-mm-pat-dev-mem-remove-superfluous-error-message.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 39380b80d72723282f0ea1d1bbf2294eae45013e Mon Sep 17 00:00:00 2001 From: Jiri Kosina <jkosina(a)suse.cz> Date: Fri, 8 Jul 2016 11:38:28 +0200 Subject: x86/mm/pat, /dev/mem: Remove superfluous error message From: Jiri Kosina <jkosina(a)suse.cz> commit 39380b80d72723282f0ea1d1bbf2294eae45013e upstream. Currently it's possible for broken (or malicious) userspace to flood a kernel log indefinitely with messages a-la Program dmidecode tried to access /dev/mem between f0000->100000 because range_is_allowed() is case of CONFIG_STRICT_DEVMEM being turned on dumps this information each and every time devmem_is_allowed() fails. Reportedly userspace that is able to trigger contignuous flow of these messages exists. It would be possible to rate limit this message, but that'd have a questionable value; the administrator wouldn't get information about all the failing accessess, so then the information would be both superfluous and incomplete at the same time :) Returning EPERM (which is what is actually happening) is enough indication for userspace what has happened; no need to log this particular error as some sort of special condition. Signed-off-by: Jiri Kosina <jkosina(a)suse.cz> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Luis R. Rodriguez <mcgrof(a)suse.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Toshi Kani <toshi.kani(a)hp.com> Link: http://lkml.kernel.org/r/alpine.LNX.2.00.1607081137020.24757@cbobk.fhfr.pm Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/mm/pat.c | 5 +---- drivers/char/mem.c | 6 +----- 2 files changed, 2 insertions(+), 9 deletions(-) --- a/arch/x86/mm/pat.c +++ b/arch/x86/mm/pat.c @@ -750,11 +750,8 @@ static inline int range_is_allowed(unsig return 1; while (cursor < to) { - if (!devmem_is_allowed(pfn)) { - pr_info("x86/PAT: Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx], PAT prevents it\n", - current->comm, from, to - 1); + if (!devmem_is_allowed(pfn)) return 0; - } cursor += PAGE_SIZE; pfn++; } --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -70,12 +70,8 @@ static inline int range_is_allowed(unsig u64 cursor = from; while (cursor < to) { - if (!devmem_is_allowed(pfn)) { - printk(KERN_INFO - "Program %s tried to access /dev/mem between %Lx->%Lx.\n", - current->comm, from, to); + if (!devmem_is_allowed(pfn)) return 0; - } cursor += PAGE_SIZE; pfn++; } Patches currently in stable-queue which might be from jkosina(a)suse.cz are queue-4.4/x86-mm-pat-dev-mem-remove-superfluous-error-message.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled [media] usbvision fix overflow of interfaces array to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usbvision-fix-overflow-of-interfaces-array.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum(a)suse.com> Date: Tue, 27 Oct 2015 09:51:34 -0200 Subject: [media] usbvision fix overflow of interfaces array From: Oliver Neukum <oneukum(a)suse.com> commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream. This fixes the crash reported in: http://seclists.org/bugtraq/2015/Oct/35 The interface number needs a sanity check. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Cc: Vladis Dronov <vdronov(a)redhat.com> Signed-off-by: Hans Verkuil <hans.verkuil(a)cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/drivers/media/usb/usbvision/usbvision-video.c +++ b/drivers/media/usb/usbvision/usbvision-video.c @@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_in printk(KERN_INFO "%s: %s found\n", __func__, usbvision_device_data[model].model_string); + /* + * this is a security check. + * an exploit using an incorrect bInterfaceNumber is known + */ + if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum]) + return -ENODEV; + if (usbvision_device_data[model].interface >= 0) interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; else if (ifnum < dev->actconfig->desc.bNumInterfaces) Patches currently in stable-queue which might be from oneukum(a)suse.com are queue-4.4/lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.4/cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.4/r8152-fix-the-wake-event.patch queue-4.4/sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.4/r8152-adjust-aldps-function.patch queue-4.4/smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch queue-4.4/usbvision-fix-overflow-of-interfaces-array.patch queue-4.4/r8152-use-test_and_clear_bit.patch queue-4.4/usb-musb-ux500-fix-null-pointer-dereference-at-system-pm.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "sysrq: Fix warning in sysrq generated crash." has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled sysrq: Fix warning in sysrq generated crash. to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: sysrq-fix-warning-in-sysrq-generated-crash.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 984cf355aeaa8f2eda3861b50d0e8d3e3f77e83b Mon Sep 17 00:00:00 2001 From: Ani Sinha <ani(a)arista.com> Date: Thu, 17 Dec 2015 17:15:10 -0800 Subject: sysrq: Fix warning in sysrq generated crash. From: Ani Sinha <ani(a)arista.com> commit 984cf355aeaa8f2eda3861b50d0e8d3e3f77e83b upstream. Commit 984d74a72076a1 ("sysrq: rcu-ify __handle_sysrq") replaced spin_lock_irqsave() calls with rcu_read_lock() calls in sysrq. Since rcu_read_lock() does not disable preemption, faulthandler_disabled() in __do_page_fault() in x86/fault.c returns false. When the code later calls might_sleep() in the pagefault handler, we get the following warning: BUG: sleeping function called from invalid context at ../arch/x86/mm/fault.c:1187 in_atomic(): 0, irqs_disabled(): 0, pid: 4706, name: bash Preemption disabled at:[<ffffffff81484339>] printk+0x48/0x4a To fix this, we release the RCU read lock before we crash. Tested this patch on linux 3.18 by booting off one of our boards. Fixes: 984d74a72076a1 ("sysrq: rcu-ify __handle_sysrq") Signed-off-by: Ani Sinha <ani(a)arista.com> Reviewed-by: Rik van Riel <riel(a)redhat.com> Signed-off-by: Paul E. McKenney <paulmck(a)linux.vnet.ibm.com> Signed-off-by: Davidlohr Bueso <dbueso(a)suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/sysrq.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c @@ -133,6 +133,12 @@ static void sysrq_handle_crash(int key) { char *killer = NULL; + /* we need to release the RCU read lock here, + * otherwise we get an annoying + * 'BUG: sleeping function called from invalid context' + * complaint from the kernel before the panic. + */ + rcu_read_unlock(); panic_on_oops = 1; /* force panic */ wmb(); *killer = 1; Patches currently in stable-queue which might be from ani(a)arista.com are queue-4.4/sysrq-fix-warning-in-sysrq-generated-crash.patch

7 years, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror