- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] platform/x86: dell-laptop: Allocate buffer on heap rather than globally

by Mario.Limonciello＠dell.com

commit 9862b43624 upstream There has been a race condition identified with initialization of the dell-laptop driver due to changes in 4.15. This commit has been shown to resolve the race condition. I'd like to see this brought back to 4.15 stable. It doesn't apply to anything earlier. Thanks,

7 years, 3 months

2
2
0 0

[Linux-stable-mirror] [PATCH] Revert "usb: musb: host: don't start next rx urb if current one failed"

by Bin Liu

This reverts commit dbac5d07d13e330e6706813c9fde477140fb5d80. commit dbac5d07d13e ("usb: musb: host: don't start next rx urb if current one failed") along with commit b5801212229f ("usb: musb: host: clear rxcsr error bit if set") try to solve the issue described in [1], but the latter alone is sufficient, and the former causes the issue as in [2], so now revert it. [1] https://marc.info/?l=linux-usb&m=146173995117456&w=2 [2] https://marc.info/?l=linux-usb&m=151689238420622&w=2 Signed-off-by: Bin Liu <b-liu(a)ti.com> --- drivers/usb/musb/musb_host.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c index 394b4ac86161..45ed32c2cba9 100644 --- a/drivers/usb/musb/musb_host.c +++ b/drivers/usb/musb/musb_host.c @@ -391,13 +391,7 @@ static void musb_advance_schedule(struct musb *musb, struct urb *urb, } } - /* - * The pipe must be broken if current urb->status is set, so don't - * start next urb. - * TODO: to minimize the risk of regression, only check urb->status - * for RX, until we have a test case to understand the behavior of TX. - */ - if ((!status || !is_in) && qh && qh->is_ready) { + if (qh != NULL && qh->is_ready) { musb_dbg(musb, "... next ep%d %cX urb %p", hw_ep->epnum, is_in ? 'R' : 'T', next_urb(qh)); musb_start_urb(musb, is_in, qh); -- 1.9.1

7 years, 3 months

1
0
0 0

[Linux-stable-mirror] [to-be-updated] fontswap-thp-fix.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm: fontswap: thp fix has been removed from the -mm tree. Its filename was fontswap-thp-fix.patch This patch was dropped because an updated version will be merged ------------------------------------------------------ From: Huang Ying <huang.ying.caritas(a)gmail.com> Subject: mm: fontswap: thp fix Link: http://lkml.kernel.org/r/87d11j4pdy.fsf@yhuang-dev.intel.com Fixes: bd4c82c22c367e068 ("mm, THP, swap: delay splitting THP after swapped out") Reported-by: Sergey Senozhatsky <sergey.senozhatsky.work(a)gmail.com> Tested-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Seth Jennings <sjenning(a)redhat.com> Cc: Dan Streetman <ddstreet(a)ieee.org> Cc: "Kirill A . Shutemov" <kirill.shutemov(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_io.c | 2 +- mm/vmscan.c | 16 +++++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff -puN mm/page_io.c~fontswap-thp-fix mm/page_io.c --- a/mm/page_io.c~fontswap-thp-fix +++ a/mm/page_io.c @@ -250,7 +250,7 @@ int swap_writepage(struct page *page, st unlock_page(page); goto out; } - if (frontswap_store(page) == 0) { + if (!PageTransHuge(page) && frontswap_store(page) == 0) { set_page_writeback(page); unlock_page(page); end_page_writeback(page); diff -puN mm/vmscan.c~fontswap-thp-fix mm/vmscan.c --- a/mm/vmscan.c~fontswap-thp-fix +++ a/mm/vmscan.c @@ -55,6 +55,7 @@ #include <linux/swapops.h> #include <linux/balloon_compaction.h> +#include <linux/frontswap.h> #include "internal.h" @@ -1121,13 +1122,22 @@ static unsigned long shrink_page_list(st if (!can_split_huge_page(page, NULL)) goto activate_locked; /* + * Split THP if frontswap enabled, + * because it cannot process THP + */ + if (frontswap_enabled()) { + if (split_huge_page_to_list( + page, page_list)) + goto activate_locked; + } + /* * Split pages without a PMD map right * away. Chances are some or all of the * tail pages can be freed without IO. */ - if (!compound_mapcount(page) && - split_huge_page_to_list(page, - page_list)) + else if (!compound_mapcount(page) && + split_huge_page_to_list(page, + page_list)) goto activate_locked; } if (!add_to_swap(page)) { _ Patches currently in -mm which might be from huang.ying.caritas(a)gmail.com are mm-swap-frontswap-fix-thp-swap-if-frontswap-enabled.patch

7 years, 3 months

1
0
0 0

[Linux-stable-mirror] + mm-swap-frontswap-fix-thp-swap-if-frontswap-enabled.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, swap, frontswap: Fix THP swap if frontswap enabled has been added to the -mm tree. Its filename is mm-swap-frontswap-fix-thp-swap-if-frontswap-enabled.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-swap-frontswap-fix-thp-swap-if-… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-swap-frontswap-fix-thp-swap-if-… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Huang Ying <huang.ying.caritas(a)gmail.com> Subject: mm, swap, frontswap: Fix THP swap if frontswap enabled It was reported by Sergey Senozhatsky that if THP (Transparent Huge Page) and frontswap (via zswap) are both enabled, when memory goes low so that swap is triggered, segfault and memory corruption will occur in random user space applications as follow, kernel: urxvt[338]: segfault at 20 ip 00007fc08889ae0d sp 00007ffc73a7fc40 error 6 in libc-2.26.so[7fc08881a000+1ae000] #0 0x00007fc08889ae0d _int_malloc (libc.so.6) #1 0x00007fc08889c2f3 malloc (libc.so.6) #2 0x0000560e6004bff7 _Z14rxvt_wcstoutf8PKwi (urxvt) #3 0x0000560e6005e75c n/a (urxvt) #4 0x0000560e6007d9f1 _ZN16rxvt_perl_interp6invokeEP9rxvt_term9hook_typez (urxvt) #5 0x0000560e6003d988 _ZN9rxvt_term9cmd_parseEv (urxvt) #6 0x0000560e60042804 _ZN9rxvt_term6pty_cbERN2ev2ioEi (urxvt) #7 0x0000560e6005c10f _Z17ev_invoke_pendingv (urxvt) #8 0x0000560e6005cb55 ev_run (urxvt) #9 0x0000560e6003b9b9 main (urxvt) #10 0x00007fc08883af4a __libc_start_main (libc.so.6) #11 0x0000560e6003f9da _start (urxvt) After bisection, it was found the first bad commit is bd4c82c22c367e068 ("mm, THP, swap: delay splitting THP after swapped out"). The root cause is as follows: When the pages are written to swap device during swapping out in swap_writepage(), zswap (fontswap) is tried to compress the pages instead to improve the performance. But zswap (frontswap) will treat THP as normal page, so only the head page is saved. After swapping in, tail pages will not be restored to its original contents, so cause the memory corruption in the applications. This is fixed via splitting THP before writing the page to swap device if frontswap is enabled. To deal with the situation where frontswap is enabled at runtime, whether the page is THP is checked before using frontswap during swapping out too. Link: http://lkml.kernel.org/r/20180207070035.30302-1-ying.huang@intel.com Fixes: bd4c82c22c367e068 ("mm, THP, swap: delay splitting THP after swapped out") Signed-off-by: "Huang, Ying" <ying.huang(a)intel.com> Reported-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Tested-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> Cc: Dan Streetman <ddstreet(a)ieee.org> Cc: Seth Jennings <sjenning(a)redhat.com> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Cc: Shaohua Li <shli(a)kernel.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Shakeel Butt <shakeelb(a)google.com> Cc: <stable(a)vger.kernel.org> [4.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_io.c | 2 +- mm/swapfile.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff -puN mm/page_io.c~mm-swap-frontswap-fix-thp-swap-if-frontswap-enabled mm/page_io.c --- a/mm/page_io.c~mm-swap-frontswap-fix-thp-swap-if-frontswap-enabled +++ a/mm/page_io.c @@ -250,7 +250,7 @@ int swap_writepage(struct page *page, st unlock_page(page); goto out; } - if (frontswap_store(page) == 0) { + if (!PageTransHuge(page) && frontswap_store(page) == 0) { set_page_writeback(page); unlock_page(page); end_page_writeback(page); diff -puN mm/swapfile.c~mm-swap-frontswap-fix-thp-swap-if-frontswap-enabled mm/swapfile.c --- a/mm/swapfile.c~mm-swap-frontswap-fix-thp-swap-if-frontswap-enabled +++ a/mm/swapfile.c @@ -934,6 +934,9 @@ int get_swap_pages(int n_goal, bool clus /* Only single cluster request supported */ WARN_ON_ONCE(n_goal > 1 && cluster); + /* Frontswap doesn't support THP */ + if (frontswap_enabled() && cluster) + goto noswap; avail_pgs = atomic_long_read(&nr_swap_pages) / nr_pages; if (avail_pgs <= 0) _ Patches currently in -mm which might be from huang.ying.caritas(a)gmail.com are mm-swap-frontswap-fix-thp-swap-if-frontswap-enabled.patch fontswap-thp-fix.patch

7 years, 3 months

1
0
0 0

[Linux-stable-mirror] Patch "KEYS: encrypted: fix buffer overread in valid_master_desc()" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled KEYS: encrypted: fix buffer overread in valid_master_desc() to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 794b4bc292f5d31739d89c0202c54e7dc9bc3add Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)google.com> Date: Thu, 8 Jun 2017 14:48:18 +0100 Subject: KEYS: encrypted: fix buffer overread in valid_master_desc() From: Eric Biggers <ebiggers(a)google.com> commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add upstream. With the 'encrypted' key type it was possible for userspace to provide a data blob ending with a master key description shorter than expected, e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a master key description, validate_master_desc() could read beyond the end of the buffer. Fix this by using strncmp() instead of memcmp(). [Also clean up the code to deduplicate some logic.] Cc: Mimi Zohar <zohar(a)linux.vnet.ibm.com> Signed-off-by: Eric Biggers <ebiggers(a)google.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Signed-off-by: James Morris <james.l.morris(a)oracle.com> Signed-off-by: Jin Qian <jinqian(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- security/keys/encrypted-keys/encrypted.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const cha */ static int valid_master_desc(const char *new_desc, const char *orig_desc) { - if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN)) - goto out; - } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_USER_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN)) - goto out; - } else - goto out; + int prefix_len; + + if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) + prefix_len = KEY_TRUSTED_PREFIX_LEN; + else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) + prefix_len = KEY_USER_PREFIX_LEN; + else + return -EINVAL; + + if (!new_desc[prefix_len]) + return -EINVAL; + + if (orig_desc && strncmp(new_desc, orig_desc, prefix_len)) + return -EINVAL; + return 0; -out: - return -EINVAL; } /* Patches currently in stable-queue which might be from ebiggers(a)google.com are queue-4.9/keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch

7 years, 3 months

1
0
0 0

[Linux-stable-mirror] Patch "media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 5331aec1bf9c9da557668174e0a4bfcee39f1121 Mon Sep 17 00:00:00 2001 From: Jesse Chan <jc(a)linux.com> Date: Mon, 20 Nov 2017 15:56:28 -0500 Subject: media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE From: Jesse Chan <jc(a)linux.com> commit 5331aec1bf9c9da557668174e0a4bfcee39f1121 upstream. This change resolves a new compile-time warning when built as a loadable module: WARNING: modpost: missing MODULE_LICENSE() in drivers/media/platform/soc_camera/soc_scale_crop.o see include/linux/module.h for more information This adds the license as "GPL", which matches the header of the file. MODULE_DESCRIPTION and MODULE_AUTHOR are also added. Signed-off-by: Jesse Chan <jc(a)linux.com> Signed-off-by: Hans Verkuil <hans.verkuil(a)cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)s-opensource.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/media/platform/soc_camera/soc_scale_crop.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/media/platform/soc_camera/soc_scale_crop.c +++ b/drivers/media/platform/soc_camera/soc_scale_crop.c @@ -418,3 +418,7 @@ void soc_camera_calc_client_output(struc mf->height = soc_camera_shift_scale(rect->height, shift, scale_v); } EXPORT_SYMBOL(soc_camera_calc_client_output); + +MODULE_DESCRIPTION("soc-camera scaling-cropping functions"); +MODULE_AUTHOR("Guennadi Liakhovetski <kernel(a)pengutronix.de>"); +MODULE_LICENSE("GPL"); Patches currently in stable-queue which might be from jc(a)linux.com are queue-4.9/media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.patch queue-4.9/auxdisplay-img-ascii-lcd-add-missing-module_description-author-license.patch queue-4.9/asoc-pcm512x-add-missing-module_description-author-license.patch queue-4.9/pinctrl-pxa-pxa2xx-add-missing-module_description-author-license.patch

7 years, 3 months

1
0
0 0

[Linux-stable-mirror] Patch "b43: Add missing MODULE_FIRMWARE()" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled b43: Add missing MODULE_FIRMWARE() to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: b43-add-missing-module_firmware.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 3c89a72ad80c64bdbd5ff851ee9c328a191f7e01 Mon Sep 17 00:00:00 2001 From: Takashi Iwai <tiwai(a)suse.de> Date: Thu, 4 May 2017 11:27:52 +0200 Subject: b43: Add missing MODULE_FIRMWARE() From: Takashi Iwai <tiwai(a)suse.de> commit 3c89a72ad80c64bdbd5ff851ee9c328a191f7e01 upstream. Some firmware entries were forgotten to be added via MODULE_FIRMWARE(), which may result in the non-functional state when the driver is loaded in initrd. Link: http://bugzilla.opensuse.org/show_bug.cgi?id=1037344 Fixes: 15be8e89cdd9 ("b43: add more bcma cores") Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Kalle Valo <kvalo(a)codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/wireless/broadcom/b43/main.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/drivers/net/wireless/broadcom/b43/main.c +++ b/drivers/net/wireless/broadcom/b43/main.c @@ -71,8 +71,18 @@ MODULE_FIRMWARE("b43/ucode11.fw"); MODULE_FIRMWARE("b43/ucode13.fw"); MODULE_FIRMWARE("b43/ucode14.fw"); MODULE_FIRMWARE("b43/ucode15.fw"); +MODULE_FIRMWARE("b43/ucode16_lp.fw"); MODULE_FIRMWARE("b43/ucode16_mimo.fw"); +MODULE_FIRMWARE("b43/ucode24_lcn.fw"); +MODULE_FIRMWARE("b43/ucode25_lcn.fw"); +MODULE_FIRMWARE("b43/ucode25_mimo.fw"); +MODULE_FIRMWARE("b43/ucode26_mimo.fw"); +MODULE_FIRMWARE("b43/ucode29_mimo.fw"); +MODULE_FIRMWARE("b43/ucode33_lcn40.fw"); +MODULE_FIRMWARE("b43/ucode30_mimo.fw"); MODULE_FIRMWARE("b43/ucode5.fw"); +MODULE_FIRMWARE("b43/ucode40.fw"); +MODULE_FIRMWARE("b43/ucode42.fw"); MODULE_FIRMWARE("b43/ucode9.fw"); static int modparam_bad_frames_preempt; Patches currently in stable-queue which might be from tiwai(a)suse.de are queue-4.9/b43-add-missing-module_firmware.patch

7 years, 3 months

1
0
0 0

[Linux-stable-mirror] Patch "media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 5331aec1bf9c9da557668174e0a4bfcee39f1121 Mon Sep 17 00:00:00 2001 From: Jesse Chan <jc(a)linux.com> Date: Mon, 20 Nov 2017 15:56:28 -0500 Subject: media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE From: Jesse Chan <jc(a)linux.com> commit 5331aec1bf9c9da557668174e0a4bfcee39f1121 upstream. This change resolves a new compile-time warning when built as a loadable module: WARNING: modpost: missing MODULE_LICENSE() in drivers/media/platform/soc_camera/soc_scale_crop.o see include/linux/module.h for more information This adds the license as "GPL", which matches the header of the file. MODULE_DESCRIPTION and MODULE_AUTHOR are also added. Signed-off-by: Jesse Chan <jc(a)linux.com> Signed-off-by: Hans Verkuil <hans.verkuil(a)cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)s-opensource.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/media/platform/soc_camera/soc_scale_crop.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/media/platform/soc_camera/soc_scale_crop.c +++ b/drivers/media/platform/soc_camera/soc_scale_crop.c @@ -405,3 +405,7 @@ void soc_camera_calc_client_output(struc mf->height = soc_camera_shift_scale(rect->height, shift, scale_v); } EXPORT_SYMBOL(soc_camera_calc_client_output); + +MODULE_DESCRIPTION("soc-camera scaling-cropping functions"); +MODULE_AUTHOR("Guennadi Liakhovetski <kernel(a)pengutronix.de>"); +MODULE_LICENSE("GPL"); Patches currently in stable-queue which might be from jc(a)linux.com are queue-4.4/media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.patch queue-4.4/asoc-pcm512x-add-missing-module_description-author-license.patch

7 years, 3 months

1
0
0 0

[Linux-stable-mirror] Patch "KEYS: encrypted: fix buffer overread in valid_master_desc()" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled KEYS: encrypted: fix buffer overread in valid_master_desc() to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 794b4bc292f5d31739d89c0202c54e7dc9bc3add Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)google.com> Date: Thu, 8 Jun 2017 14:48:18 +0100 Subject: KEYS: encrypted: fix buffer overread in valid_master_desc() From: Eric Biggers <ebiggers(a)google.com> commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add upstream. With the 'encrypted' key type it was possible for userspace to provide a data blob ending with a master key description shorter than expected, e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a master key description, validate_master_desc() could read beyond the end of the buffer. Fix this by using strncmp() instead of memcmp(). [Also clean up the code to deduplicate some logic.] Cc: Mimi Zohar <zohar(a)linux.vnet.ibm.com> Signed-off-by: Eric Biggers <ebiggers(a)google.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Signed-off-by: James Morris <james.l.morris(a)oracle.com> Signed-off-by: Jin Qian <jinqian(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- security/keys/encrypted-keys/encrypted.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const cha */ static int valid_master_desc(const char *new_desc, const char *orig_desc) { - if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN)) - goto out; - } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) { - if (strlen(new_desc) == KEY_USER_PREFIX_LEN) - goto out; - if (orig_desc) - if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN)) - goto out; - } else - goto out; + int prefix_len; + + if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) + prefix_len = KEY_TRUSTED_PREFIX_LEN; + else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) + prefix_len = KEY_USER_PREFIX_LEN; + else + return -EINVAL; + + if (!new_desc[prefix_len]) + return -EINVAL; + + if (orig_desc && strncmp(new_desc, orig_desc, prefix_len)) + return -EINVAL; + return 0; -out: - return -EINVAL; } /* Patches currently in stable-queue which might be from ebiggers(a)google.com are queue-4.4/keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch

7 years, 3 months

1
0
0 0

[Linux-stable-mirror] Patch "don't put symlink bodies in pagecache into highmem" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled don't put symlink bodies in pagecache into highmem to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: don-t-put-symlink-bodies-in-pagecache-into-highmem.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 21fc61c73c3903c4c312d0802da01ec2b323d174 Mon Sep 17 00:00:00 2001 From: Al Viro <viro(a)zeniv.linux.org.uk> Date: Tue, 17 Nov 2015 01:07:57 -0500 Subject: don't put symlink bodies in pagecache into highmem From: Al Viro <viro(a)zeniv.linux.org.uk> commit 21fc61c73c3903c4c312d0802da01ec2b323d174 upstream. kmap() in page_follow_link_light() needed to go - allowing to hold an arbitrary number of kmaps for long is a great way to deadlocking the system. new helper (inode_nohighmem(inode)) needs to be used for pagecache symlinks inodes; done for all in-tree cases. page_follow_link_light() instrumented to yell about anything missed. Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Jin Qian <jinqian(a)google.com> Signed-off-by: Jin Qian <jinqian(a)android.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/ext4/inode.c | 1 + fs/ext4/namei.c | 1 + fs/ext4/symlink.c | 10 +++------- fs/f2fs/inode.c | 1 + fs/f2fs/namei.c | 5 ++--- fs/inode.c | 6 ++++++ include/linux/fs.h | 1 + 7 files changed, 15 insertions(+), 10 deletions(-) --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4417,6 +4417,7 @@ struct inode *ext4_iget(struct super_blo inode->i_op = &ext4_symlink_inode_operations; ext4_set_aops(inode); } + inode_nohighmem(inode); } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { inode->i_op = &ext4_special_inode_operations; --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -3151,6 +3151,7 @@ static int ext4_symlink(struct inode *di if ((disk_link.len > EXT4_N_BLOCKS * 4)) { if (!encryption_required) inode->i_op = &ext4_symlink_inode_operations; + inode_nohighmem(inode); ext4_set_aops(inode); /* * We cannot call page_symlink() with transaction started --- a/fs/ext4/symlink.c +++ b/fs/ext4/symlink.c @@ -45,7 +45,7 @@ static const char *ext4_encrypted_follow cpage = read_mapping_page(inode->i_mapping, 0, NULL); if (IS_ERR(cpage)) return ERR_CAST(cpage); - caddr = kmap(cpage); + caddr = page_address(cpage); caddr[size] = 0; } @@ -75,16 +75,12 @@ static const char *ext4_encrypted_follow /* Null-terminate the name */ if (res <= plen) paddr[res] = '\0'; - if (cpage) { - kunmap(cpage); + if (cpage) page_cache_release(cpage); - } return *cookie = paddr; errout: - if (cpage) { - kunmap(cpage); + if (cpage) page_cache_release(cpage); - } kfree(paddr); return ERR_PTR(res); } --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -202,6 +202,7 @@ make_now: inode->i_op = &f2fs_encrypted_symlink_inode_operations; else inode->i_op = &f2fs_symlink_inode_operations; + inode_nohighmem(inode); inode->i_mapping->a_ops = &f2fs_dblock_aops; } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -351,6 +351,7 @@ static int f2fs_symlink(struct inode *di inode->i_op = &f2fs_encrypted_symlink_inode_operations; else inode->i_op = &f2fs_symlink_inode_operations; + inode_nohighmem(inode); inode->i_mapping->a_ops = &f2fs_dblock_aops; f2fs_lock_op(sbi); @@ -942,7 +943,7 @@ static const char *f2fs_encrypted_follow cpage = read_mapping_page(inode->i_mapping, 0, NULL); if (IS_ERR(cpage)) return ERR_CAST(cpage); - caddr = kmap(cpage); + caddr = page_address(cpage); caddr[size] = 0; /* Symlink is encrypted */ @@ -982,13 +983,11 @@ static const char *f2fs_encrypted_follow /* Null-terminate the name */ paddr[res] = '\0'; - kunmap(cpage); page_cache_release(cpage); return *cookie = paddr; errout: kfree(cstr.name); f2fs_fname_crypto_free_buffer(&pstr); - kunmap(cpage); page_cache_release(cpage); return ERR_PTR(res); } --- a/fs/inode.c +++ b/fs/inode.c @@ -2028,3 +2028,9 @@ void inode_set_flags(struct inode *inode new_flags) != old_flags)); } EXPORT_SYMBOL(inode_set_flags); + +void inode_nohighmem(struct inode *inode) +{ + mapping_set_gfp_mask(inode->i_mapping, GFP_USER); +} +EXPORT_SYMBOL(inode_nohighmem); --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -3066,5 +3066,6 @@ static inline bool dir_relax(struct inod } extern bool path_noexec(const struct path *path); +extern void inode_nohighmem(struct inode *inode); #endif /* _LINUX_FS_H */ Patches currently in stable-queue which might be from viro(a)zeniv.linux.org.uk are queue-4.4/don-t-put-symlink-bodies-in-pagecache-into-highmem.patch

7 years, 3 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror