- Linux-stable-mirror - lists.linaro.org

Patch "arm64: define BUG() instruction without CONFIG_BUG" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled arm64: define BUG() instruction without CONFIG_BUG to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: arm64-define-bug-instruction-without-config_bug.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From f13d52cb3fad03c237572be2ee691e1fe2d1d7bb Mon Sep 17 00:00:00 2001 From: Arnd Bergmann <arnd(a)arndb.de> Date: Tue, 14 Mar 2017 22:39:21 +0100 Subject: arm64: define BUG() instruction without CONFIG_BUG From: Arnd Bergmann <arnd(a)arndb.de> commit f13d52cb3fad03c237572be2ee691e1fe2d1d7bb upstream. This mirrors commit e9c38ceba8d9 ("ARM: 8455/1: define __BUG as asm(BUG_INSTR) without CONFIG_BUG") to make the behavior of arm64 consistent with arm and x86, and avoids lots of warnings in randconfig builds, such as: kernel/seccomp.c: In function '__seccomp_filter': kernel/seccomp.c:666:1: error: no return statement in function returning non-void [-Werror=return-type] Acked-by: Will Deacon <will.deacon(a)arm.com> Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/arm64/include/asm/bug.h | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) --- a/arch/arm64/include/asm/bug.h +++ b/arch/arm64/include/asm/bug.h @@ -20,9 +20,6 @@ #include <asm/brk-imm.h> -#ifdef CONFIG_GENERIC_BUG -#define HAVE_ARCH_BUG - #ifdef CONFIG_DEBUG_BUGVERBOSE #define _BUGVERBOSE_LOCATION(file, line) __BUGVERBOSE_LOCATION(file, line) #define __BUGVERBOSE_LOCATION(file, line) \ @@ -36,28 +33,36 @@ #define _BUGVERBOSE_LOCATION(file, line) #endif -#define _BUG_FLAGS(flags) __BUG_FLAGS(flags) +#ifdef CONFIG_GENERIC_BUG -#define __BUG_FLAGS(flags) asm volatile ( \ +#define __BUG_ENTRY(flags) \ ".pushsection __bug_table,\"a\"\n\t" \ ".align 2\n\t" \ "0: .long 1f - 0b\n\t" \ _BUGVERBOSE_LOCATION(__FILE__, __LINE__) \ ".short " #flags "\n\t" \ ".popsection\n" \ - \ - "1: brk %[imm]" \ - :: [imm] "i" (BUG_BRK_IMM) \ -) - -#define BUG() do { \ - _BUG_FLAGS(0); \ - unreachable(); \ + "1: " +#else +#define __BUG_ENTRY(flags) "" +#endif + +#define __BUG_FLAGS(flags) \ + asm volatile ( \ + __BUG_ENTRY(flags) \ + "brk %[imm]" :: [imm] "i" (BUG_BRK_IMM) \ + ); + + +#define BUG() do { \ + __BUG_FLAGS(0); \ + unreachable(); \ } while (0) -#define __WARN_TAINT(taint) _BUG_FLAGS(BUGFLAG_TAINT(taint)) +#define __WARN_TAINT(taint) \ + __BUG_FLAGS(BUGFLAG_TAINT(taint)) -#endif /* ! CONFIG_GENERIC_BUG */ +#define HAVE_ARCH_BUG #include <asm-generic/bug.h> Patches currently in stable-queue which might be from arnd(a)arndb.de are queue-4.9/kasan-rework-kconfig-settings.patch queue-4.9/tw5864-use-dev_warn-instead-of-warn-to-shut-up-warning.patch queue-4.9/perf-x86-shut-up-false-positive-wmaybe-uninitialized-warning.patch queue-4.9/go7007-add-media_camera_support-dependency.patch queue-4.9/scsi-advansys-fix-build-warning-for-pci-n.patch queue-4.9/video-fbdev-via-remove-possibly-unused-variables.patch queue-4.9/drm-exynos-mark-pm-functions-as-__maybe_unused.patch queue-4.9/binfmt_elf-compat-avoid-unused-function-warning.patch queue-4.9/idle-i7300-add-pci-dependency.patch queue-4.9/cw1200-fix-bogus-maybe-uninitialized-warning.patch queue-4.9/x86-build-silence-the-build-with-make-s.patch queue-4.9/gpio-xgene-mark-pm-functions-as-__maybe_unused.patch queue-4.9/kvm-add-x86_local_apic-dependency.patch queue-4.9/reiserfs-avoid-a-wmaybe-uninitialized-warning.patch queue-4.9/scsi-advansys-fix-uninitialized-data-access.patch queue-4.9/drm-i915-fix-intel_backlight_device_register-declaration.patch queue-4.9/spi-bcm-qspi-shut-up-warning-about-cfi-header-inclusion.patch queue-4.9/asoc-ux500-add-module_license-tag.patch queue-4.9/x86-microcode-amd-change-load_microcode_amd-s-param-to-bool-to-fix-preemptibility-bug.patch queue-4.9/video-fbdev-mmp-add-module_license.patch queue-4.9/usb-phy-msm-add-regulator-dependency.patch queue-4.9/arm64-dts-add-cooling-cells-to-cpu-nodes.patch queue-4.9/vmxnet3-prevent-building-with-64k-pages.patch queue-4.9/x86-platform-add-pci-dependency-for-punit_atom_debug.patch queue-4.9/alsa-hda-ca0132-fix-possible-null-pointer-use.patch queue-4.9/thermal-fix-intel_soc_dts_iosf_core-dependencies.patch queue-4.9/arm64-define-bug-instruction-without-config_bug.patch queue-4.9/arm64-sunxi-always-enable-reset-controller.patch queue-4.9/tc358743-fix-register-i2c_rd-wr-functions.patch queue-4.9/security-keys-big_key-requires-config_crypto.patch queue-4.9/drm-i915-hide-unused-intel_panel_set_backlight-function.patch queue-4.9/x86-fpu-math-emu-fix-possible-uninitialized-variable-use.patch queue-4.9/arm-8743-1-bl_switcher-add-module_license-tag.patch queue-4.9/em28xx-only-use-mt9v011-if-camera-support-is-enabled.patch queue-4.9/arm64-fix-warning-about-swapper_pg_dir-overflow.patch queue-4.9/shmem-avoid-maybe-uninitialized-warning.patch queue-4.9/input-tca8418_keypad-hide-gcc-4.9-wmaybe-uninitialized-warning.patch queue-4.9/drm-nouveau-hide-gcc-4.9-wmaybe-uninitialized.patch queue-4.9/x86-add-multiuser-dependency-for-kvm.patch queue-4.9/isdn-eicon-reduce-stack-size-of-sig_ind-function.patch

7 years, 4 months

1
0
0 0

[Linux-stable-mirror] [GIT PULL] arm64 spectre and meltdown mitigations for v4.14-stable

by Ard Biesheuvel

Hi Greg, As mentioned by Will, I have created the v4.14 counterpart of his stable backport of the arm64/ARM Spectre/Meltdown mitigations that have been pulled into v4.16-rc1. Given that this is the v4.15 version backported to v4.14, I have removed any mention of 'conflicts' from the commit logs as they are now ambiguous. The patches applied surprisingly cleanly, I only needed to drop two patches that are already in (the same ones Will mentioned in his PR), and drop another one dealing with SPE, support for which did not exist yet in v4.14. I also included the patch arm64: move TASK_* definitions to <asm/processor.h> from v4.15 to make Robin's Spectre v1 patches apply more cleanly. Thanks, Ard. -------------8<---------------- The following changes since commit 81d0cc85caabe062991ea45ddada814835d47fb0: Linux 4.14.18 (2018-02-07 11:12:26 -0800) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git tags/arm64-spectre-meltdown-for-4.14-stable for you to fetch changes up to 2cfc4ce33abf38e3ae369e209c2de31a5008c4bf: [Variant 2/Spectre-v2] arm64: Kill PSCI_GET_VERSION as a variant-2 workaround (2018-02-09 16:20:15 +0000) ---------------------------------------------------------------- arm64 Spectre and Meltdown mitigations based on v4.14 ---------------------------------------------------------------- Catalin Marinas (1): [Variant 3/Meltdown] arm64: kpti: Fix the interaction between ASID switching and software PAN James Morse (1): [Variant 2/Spectre-v2] arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early Jayachandran C (3): [Variant 3/Meltdown] arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs [Variant 3/Meltdown] arm64: Turn on KPTI only on CPUs that need it [Variant 2/Spectre-v2] arm64: Branch predictor hardening for Cavium ThunderX2 Marc Zyngier (20): [Variant 3/Meltdown] arm64: Force KPTI to be disabled on Cavium ThunderX [Variant 2/Spectre-v2] arm64: Move post_ttbr_update_workaround to C code [Variant 2/Spectre-v2] arm64: Move BP hardening to check_and_switch_context [Variant 2/Spectre-v2] arm64: KVM: Use per-CPU vector when BP hardening is enabled [Variant 2/Spectre-v2] arm64: KVM: Increment PC after handling an SMC trap [Variant 2/Spectre-v2] arm/arm64: KVM: Consolidate the PSCI include files [Variant 2/Spectre-v2] arm/arm64: KVM: Add PSCI_VERSION helper [Variant 2/Spectre-v2] arm/arm64: KVM: Add smccc accessors to PSCI code [Variant 2/Spectre-v2] arm/arm64: KVM: Implement PSCI 1.0 support [Variant 2/Spectre-v2] arm/arm64: KVM: Advertise SMCCC v1.1 [Variant 2/Spectre-v2] arm64: KVM: Make PSCI_VERSION a fast path [Variant 2/Spectre-v2] arm/arm64: KVM: Turn kvm_psci_version into a static inline [Variant 2/Spectre-v2] arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support [Variant 2/Spectre-v2] arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling [Variant 2/Spectre-v2] firmware/psci: Expose PSCI conduit [Variant 2/Spectre-v2] firmware/psci: Expose SMCCC version through psci_ops [Variant 2/Spectre-v2] arm/arm64: smccc: Make function identifiers an unsigned quantity [Variant 2/Spectre-v2] arm/arm64: smccc: Implement SMCCC v1.1 inline primitive [Variant 2/Spectre-v2] arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support [Variant 2/Spectre-v2] arm64: Kill PSCI_GET_VERSION as a variant-2 workaround Robin Murphy (3): [Variant 1/Spectre-v1] arm64: Implement array_index_mask_nospec() [Variant 1/Spectre-v1] arm64: Make USER_DS an inclusive limit [Variant 1/Spectre-v1] arm64: Use pointer masking to limit uaccess speculation Shanker Donthineni (1): [Variant 2/Spectre-v2] arm64: Implement branch predictor hardening for Falkor Stephen Boyd (1): [Variant 3/Meltdown] arm64: cpu_errata: Add Kryo to Falkor 1003 errata Suzuki K Poulose (2): [Variant 3/Meltdown] arm64: capabilities: Handle duplicate entries for a capability [Variant 2/Spectre-v2] arm64: Run enable method for errata work arounds on late CPUs Will Deacon (40): [Variant 3/Meltdown] arm64: mm: Use non-global mappings for kernel space [Variant 3/Meltdown] arm64: mm: Temporarily disable ARM64_SW_TTBR0_PAN [Variant 3/Meltdown] arm64: mm: Move ASID from TTBR0 to TTBR1 [Variant 3/Meltdown] arm64: mm: Remove pre_ttbr0_update_workaround for Falkor erratum #E1003 [Variant 3/Meltdown] arm64: mm: Rename post_ttbr0_update_workaround [Variant 3/Meltdown] arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN [Variant 3/Meltdown] arm64: mm: Allocate ASIDs in pairs [Variant 3/Meltdown] arm64: mm: Add arm64_kernel_unmapped_at_el0 helper [Variant 3/Meltdown] arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI [Variant 3/Meltdown] arm64: entry: Add exception trampoline page for exceptions from EL0 [Variant 3/Meltdown] arm64: mm: Map entry trampoline into trampoline and kernel page tables [Variant 3/Meltdown] arm64: entry: Explicitly pass exception level to kernel_ventry macro [Variant 3/Meltdown] arm64: entry: Hook up entry trampoline to exception vectors [Variant 3/Meltdown] arm64: erratum: Work around Falkor erratum #E1003 in trampoline code [Variant 3/Meltdown] arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks [Variant 3/Meltdown] arm64: entry: Add fake CPU feature for unmapping the kernel at EL0 [Variant 3/Meltdown] arm64: kaslr: Put kernel vectors address in separate data page [Variant 3/Meltdown] arm64: use RET instruction for exiting the trampoline [Variant 3/Meltdown] arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0 [Variant 3/Meltdown] arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry [Variant 3/Meltdown] arm64: Take into account ID_AA64PFR0_EL1.CSV3 [Variant 3/Meltdown] arm64: mm: Introduce TTBR_ASID_MASK for getting at the ASID in the TTBR [Variant 3/Meltdown] arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0() [Variant 3/Meltdown] arm64: mm: Permit transitioning from Global to Non-Global without BBM [Variant 3/Meltdown] arm64: kpti: Add ->enable callback to remap swapper using nG mappings [Variant 3/Meltdown] arm64: entry: Reword comment about post_ttbr_update_workaround [Variant 3/Meltdown] arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives [Variant 1/Spectre-v1] arm64: barrier: Add CSDB macros to control data-value prediction [Variant 1/Spectre-v1] arm64: entry: Ensure branch through syscall table is bounded under speculation [Variant 1/Spectre-v1] arm64: uaccess: Prevent speculative use of the current addr_limit [Variant 1/Spectre-v1] arm64: uaccess: Don't bother eliding access_ok checks in __{get, put}_user [Variant 1/Spectre-v1] arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user [Variant 1/Spectre-v1] arm64: futex: Mask __user pointers prior to dereference [Variant 2/Spectre-v2] arm64: cpufeature: Pass capability structure to ->enable callback [Variant 2/Spectre-v2] drivers/firmware: Expose psci_get_version through psci_ops structure [Variant 2/Spectre-v2] arm64: Add skeleton to harden the branch predictor against aliasing attacks [Variant 2/Spectre-v2] arm64: entry: Apply BP hardening for high-priority synchronous exceptions [Variant 2/Spectre-v2] arm64: entry: Apply BP hardening for suspicious interrupts from EL0 [Variant 2/Spectre-v2] arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75 [Variant 2/Spectre-v2] arm64: Implement branch predictor hardening for affected Cortex-A CPUs Yury Norov (1): arm64: move TASK_* definitions to <asm/processor.h> Documentation/arm64/silicon-errata.txt | 2 +- arch/arm/include/asm/kvm_host.h | 6 + arch/arm/include/asm/kvm_mmu.h | 10 ++ arch/arm/include/asm/kvm_psci.h | 27 ---- arch/arm/kvm/handle_exit.c | 4 +- arch/arm64/Kconfig | 46 +++++-- arch/arm64/include/asm/asm-uaccess.h | 36 +++-- arch/arm64/include/asm/assembler.h | 54 +++----- arch/arm64/include/asm/barrier.h | 23 ++++ arch/arm64/include/asm/cpucaps.h | 5 +- arch/arm64/include/asm/cputype.h | 9 ++ arch/arm64/include/asm/efi.h | 12 +- arch/arm64/include/asm/fixmap.h | 5 + arch/arm64/include/asm/futex.h | 9 +- arch/arm64/include/asm/kvm_asm.h | 2 + arch/arm64/include/asm/kvm_host.h | 5 + arch/arm64/include/asm/kvm_mmu.h | 38 ++++++ arch/arm64/include/asm/kvm_psci.h | 27 ---- arch/arm64/include/asm/memory.h | 15 --- arch/arm64/include/asm/mmu.h | 48 +++++++ arch/arm64/include/asm/mmu_context.h | 12 +- arch/arm64/include/asm/pgtable-hwdef.h | 1 + arch/arm64/include/asm/pgtable-prot.h | 35 +++-- arch/arm64/include/asm/pgtable.h | 1 + arch/arm64/include/asm/proc-fns.h | 6 - arch/arm64/include/asm/processor.h | 24 ++++ arch/arm64/include/asm/sysreg.h | 2 + arch/arm64/include/asm/tlbflush.h | 16 ++- arch/arm64/include/asm/uaccess.h | 181 +++++++++++++++++-------- arch/arm64/kernel/Makefile | 4 + arch/arm64/kernel/arm64ksyms.c | 4 +- arch/arm64/kernel/asm-offsets.c | 6 +- arch/arm64/kernel/bpi.S | 83 ++++++++++++ arch/arm64/kernel/cpu-reset.S | 2 +- arch/arm64/kernel/cpu_errata.c | 239 ++++++++++++++++++++++++++++++++- arch/arm64/kernel/cpufeature.c | 138 +++++++++++++++---- arch/arm64/kernel/entry.S | 230 ++++++++++++++++++++++++++----- arch/arm64/kernel/head.S | 2 +- arch/arm64/kernel/process.c | 12 +- arch/arm64/kernel/sleep.S | 2 +- arch/arm64/kernel/vmlinux.lds.S | 22 ++- arch/arm64/kvm/handle_exit.c | 14 +- arch/arm64/kvm/hyp/entry.S | 12 ++ arch/arm64/kvm/hyp/hyp-entry.S | 20 ++- arch/arm64/kvm/hyp/switch.c | 13 +- arch/arm64/lib/clear_user.S | 10 +- arch/arm64/lib/copy_from_user.S | 4 +- arch/arm64/lib/copy_in_user.S | 9 +- arch/arm64/lib/copy_to_user.S | 4 +- arch/arm64/mm/cache.S | 4 +- arch/arm64/mm/context.c | 48 ++++--- arch/arm64/mm/fault.c | 36 ++++- arch/arm64/mm/mmu.c | 35 +++++ arch/arm64/mm/proc.S | 223 +++++++++++++++++++++++++++--- arch/arm64/xen/hypercall.S | 4 +- drivers/firmware/psci.c | 57 +++++++- include/kvm/arm_psci.h | 51 +++++++ include/linux/arm-smccc.h | 165 ++++++++++++++++++++++- include/linux/psci.h | 14 ++ include/uapi/linux/psci.h | 3 + virt/kvm/arm/arm.c | 10 +- virt/kvm/arm/psci.c | 143 ++++++++++++++++---- 62 files changed, 1899 insertions(+), 385 deletions(-) delete mode 100644 arch/arm/include/asm/kvm_psci.h delete mode 100644 arch/arm64/include/asm/kvm_psci.h create mode 100644 arch/arm64/kernel/bpi.S create mode 100644 include/kvm/arm_psci.h

7 years, 4 months

3
10
0 0

[PATCH] virtio_ring: fix num_free handling in error case

by Tiwei Bie

The vq->vq.num_free hasn't been changed when error happens, so it shouldn't be changed when handling the error. Fixes: 780bc7903a32 ("virtio_ring: Support DMA APIs") Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Michael S. Tsirkin <mst(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Tiwei Bie <tiwei.bie(a)intel.com> --- drivers/virtio/virtio_ring.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index eb30f3e09a47..71458f493cf8 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c @@ -428,8 +428,6 @@ static inline int virtqueue_add(struct virtqueue *_vq, i = virtio16_to_cpu(_vq->vdev, vq->vring.desc[i].next); } - vq->vq.num_free += total_sg; - if (indirect) kfree(desc); -- 2.11.0

7 years, 4 months

2
1
0 0

Patch "xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0) to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: xfrm-fix-xfrm_input-to-verify-state-is-valid-when-encap_type-0.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Fri Feb 23 11:45:09 CET 2018 From: Aviv Heller <avivh(a)mellanox.com> Date: Tue, 28 Nov 2017 19:55:40 +0200 Subject: xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0) From: Aviv Heller <avivh(a)mellanox.com> [ Upstream commit 4ce3dbe397d7b6b15f272ae757c78c35e9e4b61d ] Code path when (encap_type < 0) does not verify the state is valid before progressing. This will result in a crash if, for instance, x->km.state == XFRM_STATE_ACQ. Fixes: 7785bba299a8 ("esp: Add a software GRO codepath") Signed-off-by: Aviv Heller <avivh(a)mellanox.com> Signed-off-by: Yevgeny Kliteynik <kliteyn(a)mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/xfrm/xfrm_input.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -207,7 +207,7 @@ int xfrm_input(struct sk_buff *skb, int xfrm_address_t *daddr; struct xfrm_mode *inner_mode; u32 mark = skb->mark; - unsigned int family; + unsigned int family = AF_UNSPEC; int decaps = 0; int async = 0; bool xfrm_gro = false; @@ -216,6 +216,16 @@ int xfrm_input(struct sk_buff *skb, int if (encap_type < 0) { x = xfrm_input_state(skb); + + if (unlikely(x->km.state != XFRM_STATE_VALID)) { + if (x->km.state == XFRM_STATE_ACQ) + XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR); + else + XFRM_INC_STATS(net, + LINUX_MIB_XFRMINSTATEINVALID); + goto drop; + } + family = x->outer_mode->afinfo->family; /* An encap_type of -1 indicates async resumption. */ Patches currently in stable-queue which might be from avivh(a)mellanox.com are queue-4.14/xfrm-fix-xfrm_input-to-verify-state-is-valid-when-encap_type-0.patch

7 years, 4 months

1
0
0 0

Patch "xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies." has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies. to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: xfrm-fix-stack-out-of-bounds-with-misconfigured-transport-mode-policies.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Fri Feb 23 11:45:09 CET 2018 From: Steffen Klassert <steffen.klassert(a)secunet.com> Date: Fri, 8 Dec 2017 08:07:25 +0100 Subject: xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies. From: Steffen Klassert <steffen.klassert(a)secunet.com> [ Upstream commit 732706afe1cc46ef48493b3d2b69c98f36314ae4 ] On policies with a transport mode template, we pass the addresses from the flowi to xfrm_state_find(), assuming that the IP addresses (and address family) don't change during transformation. Unfortunately our policy template validation is not strict enough. It is possible to configure policies with transport mode template where the address family of the template does not match the selectors address family. This lead to stack-out-of-bound reads because we compare arddesses of the wrong family. Fix this by refusing such a configuration, address family can not change on transport mode. We use the assumption that, on transport mode, the first templates address family must match the address family of the policy selector. Subsequent transport mode templates must mach the address family of the previous template. Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/xfrm/xfrm_user.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1417,11 +1417,14 @@ static void copy_templates(struct xfrm_p static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) { + u16 prev_family; int i; if (nr > XFRM_MAX_DEPTH) return -EINVAL; + prev_family = family; + for (i = 0; i < nr; i++) { /* We never validated the ut->family value, so many * applications simply leave it at zero. The check was @@ -1433,6 +1436,12 @@ static int validate_tmpl(int nr, struct if (!ut[i].family) ut[i].family = family; + if ((ut[i].mode == XFRM_MODE_TRANSPORT) && + (ut[i].family != prev_family)) + return -EINVAL; + + prev_family = ut[i].family; + switch (ut[i].family) { case AF_INET: break; Patches currently in stable-queue which might be from steffen.klassert(a)secunet.com are queue-4.14/xfrm-fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch queue-4.14/xfrm-skip-policies-marked-as-dead-while-rehashing.patch queue-4.14/xfrm-fix-stack-out-of-bounds-with-misconfigured-transport-mode-policies.patch queue-4.14/xfrm-fix-xfrm_input-to-verify-state-is-valid-when-encap_type-0.patch queue-4.14/xfrm-fix-rcu-usage-in-xfrm_get_type_offload.patch queue-4.14/esp-fix-gro-when-the-headers-not-fully-in-the-linear-part-of-the-skb.patch queue-4.14/xfrm-don-t-call-xfrm_policy_cache_flush-while-holding-spinlock.patch queue-4.14/xfrm-check-id-proto-in-validate_tmpl.patch

7 years, 4 months

1
0
0 0

Patch "x86/mm/kmmio: Fix mmiotrace for page unaligned addresses" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/mm/kmmio: Fix mmiotrace for page unaligned addresses to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86-mm-kmmio-fix-mmiotrace-for-page-unaligned-addresses.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Fri Feb 23 11:45:09 CET 2018 From: Karol Herbst <kherbst(a)redhat.com> Date: Mon, 27 Nov 2017 08:51:39 +0100 Subject: x86/mm/kmmio: Fix mmiotrace for page unaligned addresses From: Karol Herbst <kherbst(a)redhat.com> [ Upstream commit 6d60ce384d1d5ca32b595244db4077a419acc687 ] If something calls ioremap() with an address not aligned to PAGE_SIZE, the returned address might be not aligned as well. This led to a probe registered on exactly the returned address, but the entire page was armed for mmiotracing. On calling iounmap() the address passed to unregister_kmmio_probe() was PAGE_SIZE aligned by the caller leading to a complete freeze of the machine. We should always page align addresses while (un)registerung mappings, because the mmiotracer works on top of pages, not mappings. We still keep track of the probes based on their real addresses and lengths though, because the mmiotrace still needs to know what are mapped memory regions. Also move the call to mmiotrace_iounmap() prior page aligning the address, so that all probes are unregistered properly, otherwise the kernel ends up failing memory allocations randomly after disabling the mmiotracer. Tested-by: Lyude <lyude(a)redhat.com> Signed-off-by: Karol Herbst <kherbst(a)redhat.com> Acked-by: Pekka Paalanen <ppaalanen(a)gmail.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: nouveau(a)lists.freedesktop.org Link: http://lkml.kernel.org/r/20171127075139.4928-1-kherbst@redhat.com Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/mm/ioremap.c | 4 ++-- arch/x86/mm/kmmio.c | 12 +++++++----- 2 files changed, 9 insertions(+), 7 deletions(-) --- a/arch/x86/mm/ioremap.c +++ b/arch/x86/mm/ioremap.c @@ -349,11 +349,11 @@ void iounmap(volatile void __iomem *addr return; } + mmiotrace_iounmap(addr); + addr = (volatile void __iomem *) (PAGE_MASK & (unsigned long __force)addr); - mmiotrace_iounmap(addr); - /* Use the vm area unlocked, assuming the caller ensures there isn't another iounmap for the same address in parallel. Reuse of the virtual address is prevented by --- a/arch/x86/mm/kmmio.c +++ b/arch/x86/mm/kmmio.c @@ -435,17 +435,18 @@ int register_kmmio_probe(struct kmmio_pr unsigned long flags; int ret = 0; unsigned long size = 0; + unsigned long addr = p->addr & PAGE_MASK; const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK); unsigned int l; pte_t *pte; spin_lock_irqsave(&kmmio_lock, flags); - if (get_kmmio_probe(p->addr)) { + if (get_kmmio_probe(addr)) { ret = -EEXIST; goto out; } - pte = lookup_address(p->addr, &l); + pte = lookup_address(addr, &l); if (!pte) { ret = -EINVAL; goto out; @@ -454,7 +455,7 @@ int register_kmmio_probe(struct kmmio_pr kmmio_count++; list_add_rcu(&p->list, &kmmio_probes); while (size < size_lim) { - if (add_kmmio_fault_page(p->addr + size)) + if (add_kmmio_fault_page(addr + size)) pr_err("Unable to set page fault.\n"); size += page_level_size(l); } @@ -528,19 +529,20 @@ void unregister_kmmio_probe(struct kmmio { unsigned long flags; unsigned long size = 0; + unsigned long addr = p->addr & PAGE_MASK; const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK); struct kmmio_fault_page *release_list = NULL; struct kmmio_delayed_release *drelease; unsigned int l; pte_t *pte; - pte = lookup_address(p->addr, &l); + pte = lookup_address(addr, &l); if (!pte) return; spin_lock_irqsave(&kmmio_lock, flags); while (size < size_lim) { - release_kmmio_fault_page(p->addr + size, &release_list); + release_kmmio_fault_page(addr + size, &release_list); size += page_level_size(l); } list_del_rcu(&p->list); Patches currently in stable-queue which might be from kherbst(a)redhat.com are queue-4.14/x86-mm-kmmio-fix-mmiotrace-for-page-unaligned-addresses.patch

7 years, 4 months

1
0
0 0

Patch "xen: XEN_ACPI_PROCESSOR is Dom0-only" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xen: XEN_ACPI_PROCESSOR is Dom0-only to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: xen-xen_acpi_processor-is-dom0-only.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Fri Feb 23 11:45:09 CET 2018 From: Jan Beulich <JBeulich(a)suse.com> Date: Tue, 12 Dec 2017 03:18:11 -0700 Subject: xen: XEN_ACPI_PROCESSOR is Dom0-only From: Jan Beulich <JBeulich(a)suse.com> [ Upstream commit c4f9d9cb2c29ff04c6b4bb09b72802d8aedfc7cb ] Add a respective dependency. Signed-off-by: Jan Beulich <jbeulich(a)suse.com> Reviewed-by: Juergen Gross <jgross(a)suse.com> Signed-off-by: Boris Ostrovsky <boris.ostrovsky(a)oracle.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/xen/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/xen/Kconfig +++ b/drivers/xen/Kconfig @@ -258,7 +258,7 @@ config XEN_ACPI_HOTPLUG_CPU config XEN_ACPI_PROCESSOR tristate "Xen ACPI processor" - depends on XEN && X86 && ACPI_PROCESSOR && CPU_FREQ + depends on XEN && XEN_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ default m help This ACPI processor uploads Power Management information to the Xen Patches currently in stable-queue which might be from JBeulich(a)suse.com are queue-4.14/xen-xen_acpi_processor-is-dom0-only.patch

7 years, 4 months

1
0
0 0

Patch "VSOCK: fix outdated sk_state value in hvs_release()" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled VSOCK: fix outdated sk_state value in hvs_release() to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: vsock-fix-outdated-sk_state-value-in-hvs_release.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Fri Feb 23 11:45:09 CET 2018 From: Stefan Hajnoczi <stefanha(a)redhat.com> Date: Tue, 5 Dec 2017 11:31:14 +0000 Subject: VSOCK: fix outdated sk_state value in hvs_release() From: Stefan Hajnoczi <stefanha(a)redhat.com> [ Upstream commit c9d3fe9da094a9a7a3d3cd365b334b822e05f5e8 ] Since commit 3b4477d2dcf2709d0be89e2a8dced3d0f4a017f2 ("VSOCK: use TCP state constants for sk_state") VSOCK has used TCP_* constants for sk_state. Commit b4562ca7925a3bedada87a3dd072dd5bad043288 ("hv_sock: add locking in the open/close/release code paths") reintroduced the SS_DISCONNECTING constant. This patch replaces the old SS_DISCONNECTING with the new TCP_CLOSING constant. CC: Dexuan Cui <decui(a)microsoft.com> CC: Cathy Avery <cavery(a)redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha(a)redhat.com> Reviewed-by: Jorgen Hansen <jhansen(a)vmware.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/vmw_vsock/hyperv_transport.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/vmw_vsock/hyperv_transport.c +++ b/net/vmw_vsock/hyperv_transport.c @@ -488,7 +488,7 @@ static void hvs_release(struct vsock_soc lock_sock(sk); - sk->sk_state = SS_DISCONNECTING; + sk->sk_state = TCP_CLOSING; vsock_remove_sock(vsk); release_sock(sk); Patches currently in stable-queue which might be from stefanha(a)redhat.com are queue-4.14/vsock-fix-outdated-sk_state-value-in-hvs_release.patch

7 years, 4 months

1
0
0 0

Patch "virtio_net: fix return value check in receive_mergeable()" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled virtio_net: fix return value check in receive_mergeable() to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: virtio_net-fix-return-value-check-in-receive_mergeable.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Fri Feb 23 11:45:09 CET 2018 From: Yunjian Wang <wangyunjian(a)huawei.com> Date: Mon, 4 Dec 2017 14:02:19 +0800 Subject: virtio_net: fix return value check in receive_mergeable() From: Yunjian Wang <wangyunjian(a)huawei.com> [ Upstream commit 03e9f8a05bce7330bcd9c5cc54c8e42d0fcbf993 ] The function virtqueue_get_buf_ctx() could return NULL, the return value 'buf' need to be checked with NULL, not value 'ctx'. Signed-off-by: Yunjian Wang <wangyunjian(a)huawei.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/virtio_net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -714,7 +714,7 @@ static struct sk_buff *receive_mergeable int num_skb_frags; buf = virtqueue_get_buf_ctx(rq->vq, &len, &ctx); - if (unlikely(!ctx)) { + if (unlikely(!buf)) { pr_debug("%s: rx error: %d buffers out of %d missing\n", dev->name, num_buf, virtio16_to_cpu(vi->vdev, Patches currently in stable-queue which might be from wangyunjian(a)huawei.com are queue-4.14/virtio_net-fix-return-value-check-in-receive_mergeable.patch

7 years, 4 months

1
0
0 0

Patch "usb: dwc3: of-simple: fix missing clk_disable_unprepare" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: dwc3: of-simple: fix missing clk_disable_unprepare to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-dwc3-of-simple-fix-missing-clk_disable_unprepare.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Fri Feb 23 11:45:09 CET 2018 From: Andreas Platschek <andreas.platschek(a)opentech.at> Date: Thu, 7 Dec 2017 11:32:20 +0100 Subject: usb: dwc3: of-simple: fix missing clk_disable_unprepare From: Andreas Platschek <andreas.platschek(a)opentech.at> [ Upstream commit ded600ea9fb51a495d2fcd21e90351df876488e8 ] If of_clk_get() fails, the clean-up of already initialized clocks should be the same as when clk_prepare_enable() fails. Thus a clk_disable_unprepare() for each clock should be called before the clk_put(). Found by Linux Driver Verification project (linuxtesting.org). Fixes: 16adc674d0d6 ("usb: dwc3: ep0: fix setup_packet_pending initialization") Signed-off-by: Andreas Platschek <andreas.platschek(a)opentech.at> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/dwc3/dwc3-of-simple.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/usb/dwc3/dwc3-of-simple.c +++ b/drivers/usb/dwc3/dwc3-of-simple.c @@ -57,8 +57,10 @@ static int dwc3_of_simple_clk_init(struc clk = of_clk_get(np, i); if (IS_ERR(clk)) { - while (--i >= 0) + while (--i >= 0) { + clk_disable_unprepare(simple->clks[i]); clk_put(simple->clks[i]); + } return PTR_ERR(clk); } Patches currently in stable-queue which might be from andreas.platschek(a)opentech.at are queue-4.14/usb-dwc3-of-simple-fix-missing-clk_disable_unprepare.patch

7 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror