This is a note to let you know that I've just added the patch titled
ARM: 8657/1: uaccess: consistently check object sizes
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
arm-8657-1-uaccess-consistently-check-object-sizes.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Tue Dec 12 13:26:17 CET 2017
From: Kees Cook <keescook(a)chromium.org>
Date: Thu, 16 Feb 2017 01:43:58 +0100
Subject: ARM: 8657/1: uaccess: consistently check object sizes
From: Kees Cook <keescook(a)chromium.org>
[ Upstream commit 32b143637e8180f5d5cea54320c769210dea4f19 ]
In commit 76624175dcae ("arm64: uaccess: consistently check object sizes"),
the object size checks are moved outside the access_ok() so that bad
destinations are detected before hitting the "memset(dest, 0, size)" in the
copy_from_user() failure path.
This makes the same change for arm, with attention given to possibly
extracting the uaccess routines into a common header file for all
architectures in the future.
Suggested-by: Mark Rutland <mark.rutland(a)arm.com>
Signed-off-by: Kees Cook <keescook(a)chromium.org>
Signed-off-by: Russell King <rmk+kernel(a)armlinux.org.uk>
Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
arch/arm/include/asm/uaccess.h | 44 +++++++++++++++++++++++++++++------------
1 file changed, 32 insertions(+), 12 deletions(-)
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -478,11 +478,10 @@ extern unsigned long __must_check
arm_copy_from_user(void *to, const void __user *from, unsigned long n);
static inline unsigned long __must_check
-__copy_from_user(void *to, const void __user *from, unsigned long n)
+__arch_copy_from_user(void *to, const void __user *from, unsigned long n)
{
unsigned int __ua_flags;
- check_object_size(to, n, false);
__ua_flags = uaccess_save_and_enable();
n = arm_copy_from_user(to, from, n);
uaccess_restore(__ua_flags);
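Review bot: The renamed `__arch_copy_from_user` now does the user copy with no hardened-usercopy check, but nothing in the header says so, so a caller that picks the `__arch_` variant directly bypasses check_object_size() silently. Suggest a comment above the definition: `/* Raw copy, no check_object_size(): use __copy_from_user()/copy_from_user() unless the kernel object has already been validated. */`. The same applies to `__arch_copy_to_user` in the next hunk and to the `#else` macro forms in the third hunk. The body of `__arch_copy_from_user` continues past the end of this hunk.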
@@ -495,18 +494,15 @@ extern unsigned long __must_check
__copy_to_user_std(void __user *to, const void *from, unsigned long n);
static inline unsigned long __must_check
-__copy_to_user(void __user *to, const void *from, unsigned long n)
+__arch_copy_to_user(void __user *to, const void *from, unsigned long n)
{
#ifndef CONFIG_UACCESS_WITH_MEMCPY
unsigned int __ua_flags;
-
- check_object_size(from, n, true);
__ua_flags = uaccess_save_and_enable();
n = arm_copy_to_user(to, from, n);
uaccess_restore(__ua_flags);
return n;
#else
- check_object_size(from, n, true);
return arm_copy_to_user(to, from, n);
#endif
}
@@ -526,25 +522,49 @@ __clear_user(void __user *addr, unsigned
}
#else
-#define __copy_from_user(to, from, n) (memcpy(to, (void __force *)from, n), 0)
-#define __copy_to_user(to, from, n) (memcpy((void __force *)to, from, n), 0)
+#define __arch_copy_from_user(to, from, n) \
+ (memcpy(to, (void __force *)from, n), 0)
+#define __arch_copy_to_user(to, from, n) \
+ (memcpy((void __force *)to, from, n), 0)
#define __clear_user(addr, n) (memset((void __force *)addr, 0, n), 0)
#endif
-static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
+static inline unsigned long __must_check
+__copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+ check_object_size(to, n, false);
+ return __arch_copy_from_user(to, from, n);
+}
+
+static inline unsigned long __must_check
+copy_from_user(void *to, const void __user *from, unsigned long n)
{
unsigned long res = n;
+
+ check_object_size(to, n, false);
+
if (likely(access_ok(VERIFY_READ, from, n)))
- res = __copy_from_user(to, from, n);
+ res = __arch_copy_from_user(to, from, n);
if (unlikely(res))
memset(to + (n - res), 0, res);
return res;
}
-static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
+static inline unsigned long __must_check
+__copy_to_user(void __user *to, const void *from, unsigned long n)
{
+ check_object_size(from, n, true);
+
+ return __arch_copy_to_user(to, from, n);
+}
+
+static inline unsigned long __must_check
+copy_to_user(void __user *to, const void *from, unsigned long n)
+{
+ check_object_size(from, n, true);
+
if (access_ok(VERIFY_WRITE, to, n))
- n = __copy_to_user(to, from, n);
+ n = __arch_copy_to_user(to, from, n);
return n;
}
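Review bot: The ordering this commit exists for — check_object_size() before access_ok() in `copy_from_user` — is not explained in the code, so a later cleanup could move the check back inside the access_ok() branch and reintroduce the problem described in the commit message without anyone noticing. Suggest a comment on the check in `copy_from_user`: `/* Validate the kernel object before access_ok(): the failure path below memset()s the tail of 'to', so a bad destination must be rejected first. */`, with a parallel one-liner in `copy_to_user`. `copy_to_user` also omits the `likely()` that `copy_from_user` puts around access_ok(); that is pre-existing, but the two wrappers now sit side by side, so aligning them would be a cheap consistency win.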
Patches currently in stable-queue which might be from keescook(a)chromium.org are
queue-4.9/arm-8657-1-uaccess-consistently-check-object-sizes.patch
This is a note to let you know that I've just added the patch titled
afs: Connect up the CB.ProbeUuid
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
afs-connect-up-the-cb.probeuuid.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Tue Dec 12 13:26:17 CET 2017
From: David Howells <dhowells(a)redhat.com>
Date: Thu, 2 Nov 2017 15:27:48 +0000
Subject: afs: Connect up the CB.ProbeUuid
From: David Howells <dhowells(a)redhat.com>
[ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ]
The handler for the CB.ProbeUuid operation in the cache manager is
implemented, but isn't listed in the switch-statement of operation
selection, so won't be used. Fix this by adding it.
Signed-off-by: David Howells <dhowells(a)redhat.com>
Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
fs/afs/cmservice.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -106,6 +106,9 @@ bool afs_cm_incoming_call(struct afs_cal
case CBProbe:
call->type = &afs_SRXCBProbe;
return true;
+ case CBProbeUuid:
+ call->type = &afs_SRXCBProbeUuid;
+ return true;
case CBTellMeAboutYourself:
call->type = &afs_SRXCBTellMeAboutYourself;
return true;
Patches currently in stable-queue which might be from dhowells(a)redhat.com are
queue-4.9/x.509-reject-invalid-bit-string-for-subjectpublickey.patch
queue-4.9/asn.1-check-for-error-from-asn1_op_end__act-actions.patch
queue-4.9/keys-add-missing-permission-check-for-request_key-destination.patch
queue-4.9/afs-connect-up-the-cb.probeuuid.patch
queue-4.9/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
queue-4.9/x.509-fix-comparisons-of-pkey_algo.patch
This is a note to let you know that I've just added the patch titled
USB: core: only clean up what we allocated
to my usb git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
in the usb-linus branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will hopefully also be merged in Linus's tree for the
next -rc kernel release.
If you have any questions about this process, please let me know.
>From 32fd87b3bbf5f7a045546401dfe2894dbbf4d8c3 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov <andreyknvl(a)google.com>
Date: Mon, 11 Dec 2017 22:48:41 +0100
Subject: USB: core: only clean up what we allocated
When cleaning up the configurations, make sure we only free the number
of configurations and interfaces that we could have allocated.
Reported-by: Andrey Konovalov <andreyknvl(a)google.com>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/usb/core/config.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 55b198ba629b..93b38471754e 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -764,18 +764,21 @@ void usb_destroy_configuration(struct usb_device *dev)
return;
if (dev->rawdescriptors) {
- for (i = 0; i < dev->descriptor.bNumConfigurations; i++)
+ for (i = 0; i < dev->descriptor.bNumConfigurations &&
+ i < USB_MAXCONFIG; i++)
kfree(dev->rawdescriptors[i]);
kfree(dev->rawdescriptors);
dev->rawdescriptors = NULL;
}
- for (c = 0; c < dev->descriptor.bNumConfigurations; c++) {
+ for (c = 0; c < dev->descriptor.bNumConfigurations &&
+ c < USB_MAXCONFIG; c++) {
struct usb_host_config *cf = &dev->config[c];
kfree(cf->string);
- for (i = 0; i < cf->desc.bNumInterfaces; i++) {
+ for (i = 0; i < cf->desc.bNumInterfaces &&
+ i < USB_MAXINTERFACES; i++) {
if (cf->intf_cache[i])
kref_put(&cf->intf_cache[i]->ref,
usb_release_interface_cache);
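Review bot: The clamp `i < dev->descriptor.bNumConfigurations && i < USB_MAXCONFIG` is written out three times with nothing saying why the descriptor counts cannot be trusted; the reader has to already know that these values are supplied by the device and that the allocation side caps them. Computing the bound once at the top of the function, e.g. `int ncfg = min_t(int, dev->descriptor.bNumConfigurations, USB_MAXCONFIG);` with a comment such as `/* descriptor counts are device-supplied; only walk what could have been allocated */`, would make the three loops read the same and keep the cap in one place. The start of usb_destroy_configuration() is outside this hunk, so the declarations of `i` and `c` are not visible here.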
--
2.15.1
This is a note to let you know that I've just added the patch titled
drm: extra printk() wrapper macros
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
drm-extra-printk-wrapper-macros.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From 30b0da8d556e65ff935a56cd82c05ba0516d3e4a Mon Sep 17 00:00:00 2001
From: Dave Gordon <david.s.gordon(a)intel.com>
Date: Thu, 18 Aug 2016 18:17:22 +0100
Subject: drm: extra printk() wrapper macros
From: Dave Gordon <david.s.gordon(a)intel.com>
commit 30b0da8d556e65ff935a56cd82c05ba0516d3e4a upstream.
We had only DRM_INFO() and DRM_ERROR(), whereas the underlying printk()
provides several other useful intermediate levels such as NOTICE and
WARNING. So this patch fills out the set by providing both regular and
once-only macros for each of the levels INFO, NOTICE, and WARNING, using
a common underlying macro that does all the token-pasting.
DRM_ERROR is unchanged, as it's not just a printk wrapper.
v2:
Fix whitespace, missing ## (Eric Engestrom)
Signed-off-by: Dave Gordon <david.s.gordon(a)intel.com>
Reviewed-by: Eric Engestrom <eric.engestrom(a)imgtec.com>
Cc: dri-devel(a)lists.freedesktop.org
Acked-by: Dave Airlie <airlied(a)redhat.com>
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)intel.com>
Cc: Arnd Bergmann <arnd(a)arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
include/drm/drmP.h | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
--- a/include/drm/drmP.h
+++ b/include/drm/drmP.h
@@ -158,6 +158,26 @@ void drm_err(const char *format, ...);
/** \name Macros to make printk easier */
/*@{*/
+#define _DRM_PRINTK(once, level, fmt, ...) \
+ do { \
+ printk##once(KERN_##level "[" DRM_NAME "] " fmt, \
+ ##__VA_ARGS__); \
+ } while (0)
+
+#define DRM_INFO(fmt, ...) \
+ _DRM_PRINTK(, INFO, fmt, ##__VA_ARGS__)
+#define DRM_NOTE(fmt, ...) \
+ _DRM_PRINTK(, NOTICE, fmt, ##__VA_ARGS__)
+#define DRM_WARN(fmt, ...) \
+ _DRM_PRINTK(, WARNING, fmt, ##__VA_ARGS__)
+
+#define DRM_INFO_ONCE(fmt, ...) \
+ _DRM_PRINTK(_once, INFO, fmt, ##__VA_ARGS__)
+#define DRM_NOTE_ONCE(fmt, ...) \
+ _DRM_PRINTK(_once, NOTICE, fmt, ##__VA_ARGS__)
+#define DRM_WARN_ONCE(fmt, ...) \
+ _DRM_PRINTK(_once, WARNING, fmt, ##__VA_ARGS__)
+
/**
* Error output.
*
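Review bot: Wrapping `_DRM_PRINTK` in `do { } while (0)` turns DRM_INFO and DRM_INFO_ONCE from expressions into statements; the definitions removed in the next hunk expanded to a bare printk() call, so any existing use in expression position (a comma expression or a ternary arm) would stop compiling. Worth a grep of callers before merging, or dropping the `do { } while (0)` since the body is a single call. The name `_DRM_PRINTK` is also a reserved identifier in ISO C (leading underscore followed by an uppercase letter); the kernel tolerates this, but a name like `DRM_PRINTK_` would avoid it. A short comment on the helper noting that `once` is either empty or `_once` and `level` is the KERN_ suffix would help readers of the token pasting.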
@@ -183,12 +203,6 @@ void drm_err(const char *format, ...);
drm_err(fmt, ##__VA_ARGS__); \
})
-#define DRM_INFO(fmt, ...) \
- printk(KERN_INFO "[" DRM_NAME "] " fmt, ##__VA_ARGS__)
-
-#define DRM_INFO_ONCE(fmt, ...) \
- printk_once(KERN_INFO "[" DRM_NAME "] " fmt, ##__VA_ARGS__)
-
/**
* Debug output.
*
Patches currently in stable-queue which might be from david.s.gordon(a)intel.com are
queue-4.4/drm-extra-printk-wrapper-macros.patch
On Tue, Dec 12, 2017 at 12:38 AM, kernelci.org bot <bot(a)kernelci.org> wrote:
> Build Failures Detected:
>
>
> Errors and Warnings Detected:
>
> arm64: gcc version 5.3.1 20160412 (Linaro GCC 5.3-2016.05)
> defconfig 1 error 1 warning
> arm: gcc version 5.3.1 20160412 (Linaro GCC 5.3-2016.05)
> exynos_defconfig 1 error 1 warning
> multi_v7_defconfig 1 error 1 warning
> Errors summary:
> 2 drivers/gpu/drm/exynos/exynos_drm_gem.c:254:3: error: implicit declaration of function 'DRM_WARN' [-Werror=implicit-function-declaration]
Backporting commit 120a264f9c27 ("drm/exynos: gem: Drop NONCONTIG flag
for buffers
allocated without IOMMU") depends on commit
30b0da8d556e ("drm: extra printk() wrapper macros")
which was merged into linux-4.9.
> 1 drivers/firmware/efi/esrt.c:445:2: error: implicit declaration of function 'memunmap' [-Werror=implicit-function-declaration]
Backporting commit 89c5a2d34bda ("efi/esrt: Use memunmap() instead of kfree() to
free the remapping") depends on commit
f58a37b2e01f ("efi/esrt: Use memremap not ioremap to access ESRT table
in memory")
which was also merged into linux-4.9. To backport those into
kernels earlier than v4.3,
you'd also need commit 92281dee825f ("arch: introduce memremap()"),
which is probably
too invasive to backport.
Arnd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi Greg,
Please pull commits for Linux 4.14.
I've sent a review request for all commits over a week ago and all
comments were addressed.
Thanks,
Sasha
=====
The following changes since commit 64138f0adb25ca8f34baa57af33260b05efe2874:
Linux 4.14.5 (2017-12-10 13:40:45 +0100)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git tags/for-greg-4.14-11122017
for you to fetch changes up to b3ba2e1ad223f53af892a09142cf9ecada07c576:
x86/intel_rdt: Fix potential deadlock during resctrl unmount (2017-12-11 19:32:06 -0500)
- ----------------------------------------------------------------
for-greg-4.14-11122017
- ----------------------------------------------------------------
Alexey Kodanev (1):
gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
Arvind Yadav (1):
atm: horizon: Fix irq release error
Bart Van Assche (1):
blk-mq: Avoid that request queue removal can trigger list corruption
Ben Hutchings (1):
mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
Chao Yu (1):
f2fs: fix to clear FI_NO_PREALLOC
Christophe JAILLET (1):
drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'
Chuck Lever (1):
sunrpc: Fix rpc_task_begin trace point
Colin Ian King (2):
irqchip/qcom: Fix u32 comparison with value less than zero
rsi: fix memory leak on buf and usb_reg_buf
Darrick J. Wong (1):
xfs: fix forgotten rcu read unlock when skipping inode reclaim
Dave Hansen (1):
x86/mpx/selftests: Fix up weird arrays
David Ahern (1):
net: ipv6: Fixup device for anycast routes during copy
David Howells (2):
afs: Fix total-length calculation for multiple-page send
afs: Connect up the CB.ProbeUuid
Dirk van der Merwe (1):
nfp: inherit the max_mtu from the PF netdev
Eric Dumazet (1):
bpf: fix lockdep splat
Gabriel Fernandez (1):
clk: stm32h7: fix test of clock config
Hangbin Liu (1):
geneve: fix fill_info when link down
Heinz Mauelshagen (1):
dm raid: fix panic when attempting to force a raid to sync
Herbert Xu (1):
xfrm: Copy policy family in clone_policy
Hongxu Jia (1):
ide: ide-atapi: fix compile error with defining macro DEBUG
Ilya Lesokhin (1):
tls: Use kzalloc for aead_request allocation
Israel Rukshin (1):
nvmet-rdma: update queue list during ib_device removal
Jason Baron (1):
jump_label: Invoke jump_label_test() via early_initcall()
Jeff Layton (1):
fcntl: don't leak fd reference when fixup_compat_flock fails
Joe Lawrence (1):
pipe: match pipe_max_size data type with procfs
Johan Hovold (2):
dt-bindings: usb: fix reg-property port-number range
clk: qcom: common: fix legacy board-clock registration
John Johansen (1):
apparmor: fix leak of null profile name if profile allocation fails
Keefe Liu (1):
ipvlan: fix ipv6 outbound device
Leon Romanovsky (1):
RDMA/cxgb4: Annotate r2 and stag as __be32
Madhavan Srinivasan (1):
powerpc/perf: Fix pmu_count to count only nest imc pmus
Majd Dibbiny (1):
IB/mlx5: Assign send CQ and recv CQ of UMR QP
Mark Bloch (1):
IB/mlx4: Increase maximal message size under UD QP
Masahiro Yamada (5):
kbuild: pkg: use --transform option to prefix paths in tar
coccinelle: fix parallel build with CHECK=scripts/coccicheck
clk: uniphier: fix DAPLL2 clock rate of Pro5
kbuild: rpm-pkg: fix jobserver unavailable warning
kbuild: do not call cc-option before KBUILD_CFLAGS initialization
Miles Chen (1):
slub: fix sysfs duplicate filename creation when slub_debug=O
Ming Lei (1):
block: wake up all tasks blocked in get_request()
Mylene JOSSERAND (1):
clk: sunxi-ng: a83t: Fix i2c buses bits
Neal Cardwell (1):
tcp: when scheduling TLP, time of RTO should account for current ACK
Nicolas Dichtel (1):
ipv6: set all.accept_dad to 0 by default
Paul Moore (1):
audit: ensure that 'audit=1' actually enables audit for PID 1
Pavel Tatashin (1):
sparc64/mm: set fields in deferred pages
Pieter Jansen van Vuuren (1):
nfp: fix flower offload metadata flag usage
Randy Dunlap (1):
dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
Reinette Chatre (1):
x86/intel_rdt: Fix potential deadlock during resctrl unmount
Sebastian Sjoholm (1):
net: qmi_wwan: add Quectel BG96 2c7c:0296
Sergey Senozhatsky (1):
zsmalloc: calling zs_map_object() from irq is a bug
Sriharsha Basavapatna (1):
bnxt_re: changing the ip address shouldn't affect new connections
Stephen Bates (1):
lib/genalloc.c: make the avail variable an atomic_long_t
Steve Grubb (1):
audit: Allow auditd to set pid to 0 to end auditing
Sudeep Holla (1):
mailbox: mailbox-test: don't rely on rx_buffer content to signal data ready
Trond Myklebust (1):
NFS: Fix a typo in nfs_rename()
Ursula Braun (1):
net/smc: use sk_rcvbuf as start for rmb creation
Vaidyanathan Srinivasan (1):
powerpc/powernv/idle: Round up latency and residency values
Xin Long (5):
tun: fix rcu_read_lock imbalance in tun_build_skb
route: also update fnhe_genid when updating a route cache
route: update fnhe_expires for redirect when the fnhe exists
sctp: do not free asoc when it is already dead in sctp_sendmsg
sctp: use the right sk after waking up from wait_buf sleep
Zdenek Kabelac (1):
md: free unused memory after bitmap resize
Zhong Kaihua (1):
clk: hi3660: fix incorrect uart3 clock freqency
.../devicetree/bindings/usb/usb-device.txt | 2 +-
Makefile | 21 ++++++------
arch/powerpc/platforms/powernv/opal-imc.c | 6 ++--
arch/sparc/mm/init_64.c | 9 ++++-
arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 10 +++---
block/blk-core.c | 5 +--
drivers/atm/horizon.c | 2 +-
drivers/clk/clk-stm32h7.c | 4 +--
drivers/clk/hisilicon/clk-hi3660.c | 2 +-
drivers/clk/qcom/common.c | 6 ++--
drivers/clk/sunxi-ng/ccu-sun8i-a83t.c | 4 +--
drivers/clk/uniphier/clk-uniphier-sys.c | 2 +-
drivers/cpuidle/cpuidle-powernv.c | 4 +--
drivers/ide/ide-atapi.c | 6 ++--
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 +
drivers/infiniband/hw/cxgb4/t4fw_ri_api.h | 4 +--
drivers/infiniband/hw/mlx4/qp.c | 2 +-
drivers/infiniband/hw/mlx5/main.c | 2 ++
drivers/irqchip/qcom-irq-combiner.c | 2 +-
drivers/mailbox/mailbox-test.c | 11 +++---
drivers/md/bitmap.c | 9 +++++
drivers/md/dm-raid.c | 21 ++++++------
drivers/net/ethernet/netronome/nfp/flower/main.h | 3 +-
.../net/ethernet/netronome/nfp/flower/metadata.c | 7 ++--
drivers/net/ethernet/netronome/nfp/nfp_net_repr.c | 2 ++
drivers/net/geneve.c | 24 ++++++-------
drivers/net/ipvlan/ipvlan_core.c | 2 +-
drivers/net/tun.c | 3 +-
drivers/net/usb/qmi_wwan.c | 1 +
drivers/net/wireless/mac80211_hwsim.c | 5 ++-
drivers/net/wireless/rsi/rsi_91x_usb.c | 12 +++----
drivers/nvme/target/rdma.c | 6 ++--
drivers/rapidio/devices/rio_mport_cdev.c | 3 +-
fs/afs/cmservice.c | 3 ++
fs/afs/rxrpc.c | 13 ++++++--
fs/f2fs/file.c | 1 +
fs/fcntl.c | 5 ++-
fs/nfs/dir.c | 2 +-
fs/pipe.c | 2 +-
fs/xfs/xfs_inode.c | 1 +
include/linux/genalloc.h | 3 +-
include/net/tcp.h | 2 +-
kernel/audit.c | 39 ++++++++++++----------
kernel/bpf/percpu_freelist.c | 8 +++--
kernel/jump_label.c | 2 +-
kernel/sysctl.c | 2 +-
lib/dynamic_debug.c | 4 +++
lib/genalloc.c | 10 +++---
mm/slub.c | 4 +++
mm/zsmalloc.c | 2 +-
net/ipv4/route.c | 14 +++++---
net/ipv4/tcp_input.c | 2 +-
net/ipv4/tcp_output.c | 8 +++--
net/ipv6/addrconf.c | 2 +-
net/ipv6/ip6_gre.c | 2 +-
net/ipv6/route.c | 2 +-
net/sctp/socket.c | 38 +++++++++++++--------
net/smc/smc_core.c | 2 +-
net/sunrpc/sched.c | 3 +-
net/tls/tls_sw.c | 2 +-
net/xfrm/xfrm_policy.c | 1 +
scripts/coccicheck | 15 +++++----
scripts/package/Makefile | 9 +++--
security/apparmor/policy.c | 3 +-
tools/testing/selftests/x86/mpx-hw.h | 4 +--
65 files changed, 249 insertions(+), 164 deletions(-)
-----BEGIN PGP SIGNATURE-----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=TBw0
-----END PGP SIGNATURE-----
This is a note to let you know that I've just added the patch titled
zsmalloc: calling zs_map_object() from irq is a bug
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Tue Dec 12 10:32:42 CET 2017
From: Sergey Senozhatsky <sergey.senozhatsky.work(a)gmail.com>
Date: Wed, 15 Nov 2017 17:34:03 -0800
Subject: zsmalloc: calling zs_map_object() from irq is a bug
From: Sergey Senozhatsky <sergey.senozhatsky.work(a)gmail.com>
[ Upstream commit 1aedcafbf32b3f232c159b14cd0d423fcfe2b861 ]
Use BUG_ON(in_interrupt()) in zs_map_object(). This is not a new
BUG_ON(), it's always been there, but was recently changed to
VM_BUG_ON(). There are several problems there. First, we use
per-CPU mappings both in zsmalloc and in zram, and interrupt may easily
corrupt those buffers. Second, and more importantly, we believe it's
possible to start leaking sensitive information. Consider the following
case:
-> process P
swap out
zram
per-cpu mapping CPU1
compress page A
-> IRQ
swap out
zram
per-cpu mapping CPU1
compress page B
write page from per-cpu mapping CPU1 to zsmalloc pool
iret
-> process P
write page from per-cpu mapping CPU1 to zsmalloc pool [*]
return
* so we store overwritten data that actually belongs to another
page (task) and potentially contains sensitive data. And when
process P will page fault it's going to read (swap in) that
other task's data.
Link: http://lkml.kernel.org/r/20170929045140.4055-1-sergey.senozhatsky@gmail.com
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com>
Acked-by: Minchan Kim <minchan(a)kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
mm/zsmalloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1349,7 +1349,7 @@ void *zs_map_object(struct zs_pool *pool
* pools/users, we can't allow mapping in interrupt context
* because it can corrupt another users mappings.
*/
- WARN_ON_ONCE(in_interrupt());
+ BUG_ON(in_interrupt());
/* From now on, migration cannot move the object */
pin_tag(handle);
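Review bot: The commit message says the check "was recently changed to VM_BUG_ON()", but the line this hunk replaces is `WARN_ON_ONCE(in_interrupt());`, so the description and the diff disagree about what was there before; the stable note should say WARN_ON_ONCE so the history reads correctly. The comment just above the check (context lines) still justifies it only by mapping corruption, while the rationale for making it fatal is the cross-task data leak described in the message; suggest extending that comment with `* or, since the per-CPU buffer is shared, leak another task's data.`. The body of zs_map_object() continues past both ends of this hunk.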
Patches currently in stable-queue which might be from sergey.senozhatsky.work(a)gmail.com are
queue-4.14/zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch
This is a note to let you know that I've just added the patch titled
xfs: fix forgotten rcu read unlock when skipping inode reclaim
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Tue Dec 12 10:32:42 CET 2017
From: "Darrick J. Wong" <darrick.wong(a)oracle.com>
Date: Tue, 14 Nov 2017 16:34:44 -0800
Subject: xfs: fix forgotten rcu read unlock when skipping inode reclaim
From: "Darrick J. Wong" <darrick.wong(a)oracle.com>
[ Upstream commit 962cc1ad6caddb5abbb9f0a43e5abe7131a71f18 ]
In commit f2e9ad21 ("xfs: check for race with xfs_reclaim_inode"), we
skip an inode if we're racing with freeing the inode via
xfs_reclaim_inode, but we forgot to release the rcu read lock when
dumping the inode, with the result that we exit to userspace with a lock
held. Don't do that; generic/320 with a 1k block size fails this
very occasionally.
================================================
WARNING: lock held when returning to user space!
4.14.0-rc6-djwong #4 Tainted: G W
------------------------------------------------
rm/30466 is leaving the kernel with locks still held!
1 lock held by rm/30466:
#0: (rcu_read_lock){....}, at: [<ffffffffa01364d3>] xfs_ifree_cluster.isra.17+0x2c3/0x6f0 [xfs]
------------[ cut here ]------------
WARNING: CPU: 1 PID: 30466 at kernel/rcu/tree_plugin.h:329 rcu_note_context_switch+0x71/0x700
Modules linked in: deadline_iosched dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey xfs libcrc32c dax_pmem device_dax nd_pmem sch_fq_codel af_packet [last unloaded: scsi_debug]
CPU: 1 PID: 30466 Comm: rm Tainted: G W 4.14.0-rc6-djwong #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1djwong0 04/01/2014
task: ffff880037680000 task.stack: ffffc90001064000
RIP: 0010:rcu_note_context_switch+0x71/0x700
RSP: 0000:ffffc90001067e50 EFLAGS: 00010002
RAX: 0000000000000001 RBX: ffff880037680000 RCX: ffff88003e73d200
RDX: 0000000000000002 RSI: ffffffff819e53e9 RDI: ffffffff819f4375
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff880062c900d0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff880037680000
R13: 0000000000000000 R14: ffffc90001067eb8 R15: ffff880037680690
FS: 00007fa3b8ce8700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f69bf77c000 CR3: 000000002450a000 CR4: 00000000000006e0
Call Trace:
__schedule+0xb8/0xb10
schedule+0x40/0x90
exit_to_usermode_loop+0x6b/0xa0
prepare_exit_to_usermode+0x7a/0x90
retint_user+0x8/0x20
RIP: 0033:0x7fa3b87fda87
RSP: 002b:00007ffe41206568 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff02
RAX: 0000000000000000 RBX: 00000000010e88c0 RCX: 00007fa3b87fda87
RDX: 0000000000000000 RSI: 00000000010e89c8 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 000000000000015e R11: 0000000000000246 R12: 00000000010c8060
R13: 00007ffe41206690 R14: 0000000000000000 R15: 0000000000000000
---[ end trace e88f83bf0cfbd07d ]---
Fixes: f2e9ad212def50bcf4c098c6288779dd97fff0f0
Cc: Omar Sandoval <osandov(a)fb.com>
Signed-off-by: Darrick J. Wong <darrick.wong(a)oracle.com>
Reviewed-by: Christoph Hellwig <hch(a)lst.de>
Reviewed-by: Omar Sandoval <osandov(a)fb.com>
Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
fs/xfs/xfs_inode.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -2378,6 +2378,7 @@ retry:
*/
if (ip->i_ino != inum + i) {
xfs_iunlock(ip, XFS_ILOCK_EXCL);
+ rcu_read_unlock();
continue;
}
}
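Review bot: The added `rcu_read_unlock()` fixes this skip path, but nothing at the `continue` reminds the next person that this iteration still holds the RCU read lock taken earlier in the loop (the lockdep report in the description shows it held from xfs_ifree_cluster), so the same omission could be repeated on the next early exit that gets added. Suggest a comment on the skip: `/* drop both the ILOCK and the RCU read lock before skipping this inode */`. The enclosing loop and the matching rcu_read_lock() are outside this hunk, so whether every other exit path releases it is not visible here.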
Patches currently in stable-queue which might be from darrick.wong(a)oracle.com are
queue-4.14/xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch