This is the start of the stable review cycle for the 3.18.127 release. There are 24 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed Nov 28 10:50:13 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.127-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below.
thanks,
greg k-h
------------- Pseudo-Shortlog of commits:
Greg Kroah-Hartman gregkh@linuxfoundation.org Linux 3.18.127-rc1
Eric Biggers ebiggers@google.com HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
Al Viro viro@zeniv.linux.org.uk new helper: uaccess_kernel()
Hans de Goede hdegoede@redhat.com ACPI / platform: Add SMB0001 HID to forbidden_id_list
Mattias Jacobsson 2pi@mok.nu USB: misc: appledisplay: add 20" Apple Cinema Display
Nathan Chancellor natechancellor@gmail.com misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
Emmanuel Pescosta emmanuelpescosta099@gmail.com usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
Kai-Heng Feng kai.heng.feng@canonical.com USB: quirks: Add no-lpm quirk for Raydium touchscreens
Maarten Jacobs maarten256@outlook.com usb: cdc-acm: add entry for Hiro (Conexant) modem
Dan Carpenter dan.carpenter@oracle.com uio: Fix an Oops on load
Sakari Ailus sakari.ailus@linux.intel.com media: v4l: event: Add subscription to list before calling "add" operation
Greg Kroah-Hartman gregkh@linuxfoundation.org Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV"
YueHaibing yuehaibing@huawei.com SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer()
Sasha Levin sashal@kernel.org Revert "Revert "drm/i915: Fix mutex->owner inspection race under DEBUG_MUTEXES""
Minchan Kim minchan@kernel.org zram: close udev startup race condition as default groups
Vignesh R vigneshr@ti.com i2c: omap: Enable for ARCH_K3
Jeremy Linton jeremy.linton@arm.com lib/raid6: Fix arm64 test build
Vasily Gorbik gor@linux.ibm.com s390/vdso: add missing FORCE to build targets
Marek Szyprowski m.szyprowski@samsung.com clk: samsung: exynos5420: Enable PERIS clocks for suspend
Chengguang Xu cgxu519@gmx.com fs/exofs: fix potential memory leak in mount option parsing
Richard Weinberger richard@nod.at um: Give start_idle_thread() a return code
Ernesto A. Fernández ernesto.mnd.fernandez@gmail.com hfsplus: prevent btree data loss on root split
Ernesto A. Fernández ernesto.mnd.fernandez@gmail.com hfs: prevent btree data loss on root split
Jann Horn jannh@google.com reiserfs: propagate errors from fill_with_dentries() properly
Eric Dumazet edumazet@google.com net-gro: reset skb->pkt_type in napi_reuse_skb()
-------------
Diffstat:
Makefile | 4 ++-- arch/s390/kernel/vdso32/Makefile | 6 ++--- arch/s390/kernel/vdso64/Makefile | 6 ++--- arch/um/os-Linux/skas/process.c | 5 +++++ drivers/acpi/acpi_platform.c | 1 + drivers/block/zram/zram_drv.c | 18 +++++---------- drivers/bluetooth/Kconfig | 1 - drivers/clk/samsung/clk-exynos5420.c | 1 + drivers/gpu/drm/i915/i915_gem.c | 2 +- drivers/hid/uhid.c | 13 +++++++++++ drivers/i2c/busses/Kconfig | 2 +- drivers/media/v4l2-core/v4l2-event.c | 43 ++++++++++++++++++++---------------- drivers/misc/atmel-ssc.c | 2 +- drivers/uio/uio.c | 7 ++++-- drivers/usb/class/cdc-acm.c | 3 +++ drivers/usb/core/quirks.c | 8 +++++++ drivers/usb/misc/appledisplay.c | 1 + fs/exofs/super.c | 5 ++++- fs/hfs/brec.c | 4 ++++ fs/hfsplus/brec.c | 4 ++++ fs/reiserfs/xattr.c | 7 ++++++ include/linux/uaccess.h | 3 +++ lib/raid6/test/Makefile | 4 ++-- net/core/dev.c | 4 ++++ net/sunrpc/xdr.c | 2 +- 25 files changed, 107 insertions(+), 49 deletions(-)
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
[ Upstream commit 33d9a2c72f086cbf1087b2fd2d1a15aa9df14a7f ]
eth_type_trans() assumes initial value for skb->pkt_type is PACKET_HOST.
This is indeed the value right after a fresh skb allocation.
However, it is possible that GRO merged a packet with a different value (like PACKET_OTHERHOST in case macvlan is used), so we need to make sure napi->skb will have pkt_type set back to PACKET_HOST.
Otherwise, valid packets might be dropped by the stack because their pkt_type is not PACKET_HOST.
napi_reuse_skb() was added in commit 96e93eab2033 ("gro: Add internal interfaces for VLAN"), but this bug always has been there.
Fixes: 96e93eab2033 ("gro: Add internal interfaces for VLAN") Signed-off-by: Eric Dumazet edumazet@google.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/core/dev.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/net/core/dev.c +++ b/net/core/dev.c @@ -4201,6 +4201,10 @@ static void napi_reuse_skb(struct napi_s skb->vlan_tci = 0; skb->dev = napi->dev; skb->skb_iif = 0; + + /* eth_type_trans() assumes pkt_type is PACKET_HOST */ + skb->pkt_type = PACKET_HOST; + skb->encapsulation = 0; skb_shinfo(skb)->gso_type = 0; skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit b10298d56c9623f9b173f19959732d3184b35f4f ]
fill_with_dentries() failed to propagate errors up to reiserfs_for_each_xattr() properly. Plumb them through.
Note that reiserfs_for_each_xattr() is only used by reiserfs_delete_xattrs() and reiserfs_chown_xattrs(). The result of reiserfs_delete_xattrs() is discarded anyway, the only difference there is whether a warning is printed to dmesg. The result of reiserfs_chown_xattrs() does matter because it can block chowning of the file to which the xattrs belong; but either way, the resulting state can have misaligned ownership, so my patch doesn't improve things greatly.
Credit for making me look at this code goes to Al Viro, who pointed out that the ->actor calling convention is suboptimal and should be changed.
Link: http://lkml.kernel.org/r/20180802163335.83312-1-jannh@google.com Signed-off-by: Jann Horn jannh@google.com Reviewed-by: Andrew Morton akpm@linux-foundation.org Cc: Jeff Mahoney jeffm@suse.com Cc: Eric Biggers ebiggers@google.com Cc: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- fs/reiserfs/xattr.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c index 59b29acb6419..0ec755043174 100644 --- a/fs/reiserfs/xattr.c +++ b/fs/reiserfs/xattr.c @@ -184,6 +184,7 @@ struct reiserfs_dentry_buf { struct dir_context ctx; struct dentry *xadir; int count; + int err; struct dentry *dentries[8]; };
@@ -205,6 +206,7 @@ fill_with_dentries(void *buf, const char *name, int namelen, loff_t offset,
dentry = lookup_one_len(name, dbuf->xadir, namelen); if (IS_ERR(dentry)) { + dbuf->err = PTR_ERR(dentry); return PTR_ERR(dentry); } else if (!dentry->d_inode) { /* A directory entry exists, but no file? */ @@ -213,6 +215,7 @@ fill_with_dentries(void *buf, const char *name, int namelen, loff_t offset, "not found for file %s.\n", dentry->d_name.name, dbuf->xadir->d_name.name); dput(dentry); + dbuf->err = -EIO; return -EIO; }
@@ -260,6 +263,10 @@ static int reiserfs_for_each_xattr(struct inode *inode, err = reiserfs_readdir_inode(dir->d_inode, &buf.ctx); if (err) break; + if (buf.err) { + err = buf.err; + break; + } if (!buf.count) break; for (i = 0; !err && i < buf.count && buf.dentries[i]; i++) {
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit d057c036672f33d43a5f7344acbb08cf3a8a0c09 ]
This bug is triggered whenever hfs_brec_update_parent() needs to split the root node. The height of the btree is not increased, which leaves the new node orphaned and its records lost. It is not possible for this to happen on a valid hfs filesystem because the index nodes have fixed length keys.
For reasons I ignore, the hfs module does have support for a number of hfsplus features. A corrupt btree header may report variable length keys and trigger this bug, so it's better to fix it.
Link: http://lkml.kernel.org/r/9750b1415685c4adca10766895f6d5ef12babdb0.1535682463... Signed-off-by: Ernesto A. Fernández ernesto.mnd.fernandez@gmail.com Cc: Christoph Hellwig hch@infradead.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- fs/hfs/brec.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c index 2a6f3c67cb3f..2e713673df42 100644 --- a/fs/hfs/brec.c +++ b/fs/hfs/brec.c @@ -424,6 +424,10 @@ skip: if (new_node) { __be32 cnid;
+ if (!new_node->parent) { + hfs_btree_inc_height(tree); + new_node->parent = tree->root; + } fd->bnode = hfs_bnode_find(tree, new_node->parent); /* create index key and entry */ hfs_bnode_read_key(new_node, fd->search_key, 14);
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 0a3021d4f5295aa073c7bf5c5e4de60a2e292578 ]
Creating, renaming or deleting a file may cause catalog corruption and data loss. This bug is randomly triggered by xfstests generic/027, but here is a faster reproducer:
truncate -s 50M fs.iso mkfs.hfsplus fs.iso mount fs.iso /mnt i=100 while [ $i -le 150 ]; do touch /mnt/$i &>/dev/null ((++i)) done i=100 while [ $i -le 150 ]; do mv /mnt/$i /mnt/$(perl -e "print $i x82") &>/dev/null ((++i)) done umount /mnt fsck.hfsplus -n fs.iso
The bug is triggered whenever hfs_brec_update_parent() needs to split the root node. The height of the btree is not increased, which leaves the new node orphaned and its records lost.
Link: http://lkml.kernel.org/r/26d882184fc43043a810114258f45277752186c7.1535682461... Signed-off-by: Ernesto A. Fernández ernesto.mnd.fernandez@gmail.com Cc: Christoph Hellwig hch@infradead.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- fs/hfsplus/brec.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c index 754fdf8c6356..1002a0c08319 100644 --- a/fs/hfsplus/brec.c +++ b/fs/hfsplus/brec.c @@ -427,6 +427,10 @@ skip: if (new_node) { __be32 cnid;
+ if (!new_node->parent) { + hfs_btree_inc_height(tree); + new_node->parent = tree->root; + } fd->bnode = hfs_bnode_find(tree, new_node->parent); /* create index key and entry */ hfs_bnode_read_key(new_node, fd->search_key, 14);
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 7ff1e34bbdc15acab823b1ee4240e94623d50ee8 ]
Fixes: arch/um/os-Linux/skas/process.c:613:1: warning: control reaches end of non-void function [-Wreturn-type]
longjmp() never returns but gcc still warns that the end of the function can be reached. Add a return code and debug aid to detect this impossible case.
Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin sashal@kernel.org --- arch/um/os-Linux/skas/process.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/um/os-Linux/skas/process.c b/arch/um/os-Linux/skas/process.c index 908579f2b0ab..258e741f61a8 100644 --- a/arch/um/os-Linux/skas/process.c +++ b/arch/um/os-Linux/skas/process.c @@ -694,6 +694,11 @@ int start_idle_thread(void *stack, jmp_buf *switch_buf) fatal_sigsegv(); } longjmp(*switch_buf, 1); + + /* unreachable */ + printk(UM_KERN_ERR "impossible long jump!"); + fatal_sigsegv(); + return 0; }
void initial_thread_cb_skas(void (*proc)(void *), void *arg)
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 515f1867addaba49c1c6ac73abfaffbc192c1db4 ]
There are some cases can cause memory leak when parsing option 'osdname'.
Signed-off-by: Chengguang Xu cgxu519@gmx.com Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Sasha Levin sashal@kernel.org --- fs/exofs/super.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/exofs/super.c b/fs/exofs/super.c index 95965503afcb..e3f9cf332304 100644 --- a/fs/exofs/super.c +++ b/fs/exofs/super.c @@ -100,6 +100,7 @@ static int parse_options(char *options, struct exofs_mountopt *opts) token = match_token(p, tokens, args); switch (token) { case Opt_name: + kfree(opts->dev_name); opts->dev_name = match_strdup(&args[0]); if (unlikely(!opts->dev_name)) { EXOFS_ERR("Error allocating dev_name"); @@ -868,8 +869,10 @@ static struct dentry *exofs_mount(struct file_system_type *type, int ret;
ret = parse_options(data, &opts); - if (ret) + if (ret) { + kfree(opts.dev_name); return ERR_PTR(ret); + }
if (!opts.dev_name) opts.dev_name = dev_name;
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit b33228029d842269e17bba591609e83ed422005d ]
Ensure that clocks for core SoC modules (including TZPC0..9 modules) are enabled for suspend/resume cycle. This fixes suspend/resume support on Exynos5422-based Odroid XU3/XU4 boards.
Suggested-by: Joonyoung Shim jy0922.shim@samsung.com Signed-off-by: Marek Szyprowski m.szyprowski@samsung.com Signed-off-by: Sylwester Nawrocki snawrocki@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/clk/samsung/clk-exynos5420.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/clk/samsung/clk-exynos5420.c b/drivers/clk/samsung/clk-exynos5420.c index 848d602efc06..c810b3be6b48 100644 --- a/drivers/clk/samsung/clk-exynos5420.c +++ b/drivers/clk/samsung/clk-exynos5420.c @@ -273,6 +273,7 @@ static const struct samsung_clk_reg_dump exynos5420_set_clksrc[] = { { .offset = SRC_MASK_ISP, .value = 0x11111000, }, { .offset = GATE_BUS_DISP1, .value = 0xffffffff, }, { .offset = GATE_IP_PERIC, .value = 0xffffffff, }, + { .offset = GATE_IP_PERIS, .value = 0xffffffff, }, };
static int exynos5420_clk_suspend(void)
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit b44b136a3773d8a9c7853f8df716bd1483613cbb ]
According to Documentation/kbuild/makefiles.txt all build targets using if_changed should use FORCE as well. Add missing FORCE to make sure vdso targets are rebuild properly when not just immediate prerequisites have changed but also when build command differs.
Reviewed-by: Philipp Rudo prudo@linux.ibm.com Signed-off-by: Vasily Gorbik gor@linux.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com Signed-off-by: Sasha Levin sashal@kernel.org --- arch/s390/kernel/vdso32/Makefile | 6 +++--- arch/s390/kernel/vdso64/Makefile | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/s390/kernel/vdso32/Makefile b/arch/s390/kernel/vdso32/Makefile index 8ad2b34ad151..6661bfc2b3b4 100644 --- a/arch/s390/kernel/vdso32/Makefile +++ b/arch/s390/kernel/vdso32/Makefile @@ -29,7 +29,7 @@ GCOV_PROFILE := n $(obj)/vdso32_wrapper.o : $(obj)/vdso32.so
# link rule for the .so file, .lds has to be first -$(obj)/vdso32.so.dbg: $(src)/vdso32.lds $(obj-vdso32) +$(obj)/vdso32.so.dbg: $(src)/vdso32.lds $(obj-vdso32) FORCE $(call if_changed,vdso32ld)
# strip rule for the .so file @@ -38,12 +38,12 @@ $(obj)/%.so: $(obj)/%.so.dbg FORCE $(call if_changed,objcopy)
# assembly rules for the .S files -$(obj-vdso32): %.o: %.S +$(obj-vdso32): %.o: %.S FORCE $(call if_changed_dep,vdso32as)
# actual build commands quiet_cmd_vdso32ld = VDSO32L $@ - cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ + cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@ quiet_cmd_vdso32as = VDSO32A $@ cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $<
diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile index 2a8ddfd12a5b..5b7712f8eb4f 100644 --- a/arch/s390/kernel/vdso64/Makefile +++ b/arch/s390/kernel/vdso64/Makefile @@ -29,7 +29,7 @@ GCOV_PROFILE := n $(obj)/vdso64_wrapper.o : $(obj)/vdso64.so
# link rule for the .so file, .lds has to be first -$(obj)/vdso64.so.dbg: $(src)/vdso64.lds $(obj-vdso64) +$(obj)/vdso64.so.dbg: $(src)/vdso64.lds $(obj-vdso64) FORCE $(call if_changed,vdso64ld)
# strip rule for the .so file @@ -38,12 +38,12 @@ $(obj)/%.so: $(obj)/%.so.dbg FORCE $(call if_changed,objcopy)
# assembly rules for the .S files -$(obj-vdso64): %.o: %.S +$(obj-vdso64): %.o: %.S FORCE $(call if_changed_dep,vdso64as)
# actual build commands quiet_cmd_vdso64ld = VDSO64L $@ - cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ + cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $(filter %.lds %.o,$^) -o $@ quiet_cmd_vdso64as = VDSO64A $@ cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 313a06e636808387822af24c507cba92703568b1 ]
The lib/raid6/test fails to build the neon objects on arm64 because the correct machine type is 'aarch64'.
Once this is correctly enabled, the neon recovery objects need to be added to the build.
Reviewed-by: Ard Biesheuvel ard.biesheuvel@linaro.org Signed-off-by: Jeremy Linton jeremy.linton@arm.com Signed-off-by: Catalin Marinas catalin.marinas@arm.com Signed-off-by: Sasha Levin sashal@kernel.org --- lib/raid6/test/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/raid6/test/Makefile b/lib/raid6/test/Makefile index 29090f3db677..28c089cb13f1 100644 --- a/lib/raid6/test/Makefile +++ b/lib/raid6/test/Makefile @@ -26,7 +26,7 @@ ifeq ($(ARCH),arm) CFLAGS += -I../../../arch/arm/include -mfpu=neon HAS_NEON = yes endif -ifeq ($(ARCH),arm64) +ifeq ($(ARCH),aarch64) CFLAGS += -I../../../arch/arm64/include HAS_NEON = yes endif @@ -37,7 +37,7 @@ ifeq ($(IS_X86),yes) gcc -c -x assembler - >&/dev/null && \ rm ./-.o && echo -DCONFIG_AS_AVX2=1) else ifeq ($(HAS_NEON),yes) - OBJS += neon.o neon1.o neon2.o neon4.o neon8.o + OBJS += neon.o neon1.o neon2.o neon4.o neon8.o recov_neon.o recov_neon_inner.o CFLAGS += -DCONFIG_KERNEL_MODE_NEON=1 else HAS_ALTIVEC := $(shell printf '#include <altivec.h>\nvector int a;\n' |\
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 5b277402deac0691226a947df71c581686bd4020 ]
Allow I2C_OMAP to be built for K3 platforms.
Signed-off-by: Vignesh R vigneshr@ti.com Reviewed-by: Grygorii Strashko grygorii.strashko@ti.com Signed-off-by: Wolfram Sang wsa@the-dreams.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/i2c/busses/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig index 06e99eb64295..6ced9382bf02 100644 --- a/drivers/i2c/busses/Kconfig +++ b/drivers/i2c/busses/Kconfig @@ -607,7 +607,7 @@ config I2C_OCORES
config I2C_OMAP tristate "OMAP I2C adapter" - depends on ARCH_OMAP + depends on ARCH_OMAP || ARCH_K3 default y if MACH_OMAP_H3 || MACH_OMAP_OSK help If you say yes to this option, support will be included for the
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
commit fef912bf860e upstream. commit 98af4d4df889 upstream.
I got a report from Howard Chen that he saw zram and sysfs race(ie, zram block device file is created but sysfs for it isn't yet) when he tried to create new zram devices via hotadd knob.
v4.20 kernel fixes it by [1, 2] but it's too large size to merge into -stable so this patch fixes the problem by registering defualt group by Greg KH's approach[3].
This patch should be applied to every stable tree [3.16+] currently existing from kernel.org because the problem was introduced at 2.6.37 by [4].
[1] fef912bf860e, block: genhd: add 'groups' argument to device_add_disk [2] 98af4d4df889, zram: register default groups with device_add_disk() [3] http://kroah.com/log/blog/2013/06/26/how-to-create-a-sysfs-file-correctly/ [4] 33863c21e69e9, Staging: zram: Replace ioctls with sysfs interface
Cc: Sergey Senozhatsky sergey.senozhatsky@gmail.com Cc: Hannes Reinecke hare@suse.com Tested-by: Howard Chen howardsoc@google.com Signed-off-by: Minchan Kim minchan@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/block/zram/zram_drv.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 7e94459a489a..5f4e6a3c2dde 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -999,6 +999,11 @@ static struct attribute_group zram_disk_attr_group = { .attrs = zram_disk_attrs, };
+static const struct attribute_group *zram_disk_attr_groups[] = { + &zram_disk_attr_group, + NULL, +}; + static int create_device(struct zram *zram, int device_id) { int ret = -ENOMEM; @@ -1060,22 +1065,14 @@ static int create_device(struct zram *zram, int device_id) zram->disk->queue->limits.discard_zeroes_data = 0; queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, zram->disk->queue);
+ disk_to_dev(zram->disk)->groups = zram_disk_attr_groups; add_disk(zram->disk);
- ret = sysfs_create_group(&disk_to_dev(zram->disk)->kobj, - &zram_disk_attr_group); - if (ret < 0) { - pr_warn("Error creating sysfs group"); - goto out_free_disk; - } strlcpy(zram->compressor, default_compressor, sizeof(zram->compressor)); zram->meta = NULL; zram->max_comp_streams = 1; return 0;
-out_free_disk: - del_gendisk(zram->disk); - put_disk(zram->disk); out_free_queue: blk_cleanup_queue(zram->queue); out: @@ -1084,9 +1081,6 @@ out:
static void destroy_device(struct zram *zram) { - sysfs_remove_group(&disk_to_dev(zram->disk)->kobj, - &zram_disk_attr_group); - del_gendisk(zram->disk); put_disk(zram->disk);
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit bc07ee33284ac6e6872d5efad1b321ec0b7b46a4. Which is upstream commit a50940510e94f5fb65ffd79877a60592d85598a9.
This revert relies on upstream commit a63b03e2d24 ("mutex: Always clear owner field upon mutex_unlock()") being in the tree, but that commit should not be backported.
Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/i915/i915_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index d0f0a7943d88..d88dbedeaa77 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -5144,7 +5144,7 @@ static bool mutex_is_locked_by(struct mutex *mutex, struct task_struct *task) if (!mutex_is_locked(mutex)) return false;
-#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_MUTEXES) +#if defined(CONFIG_SMP) && !defined(CONFIG_DEBUG_MUTEXES) return mutex->owner == task; #else /* Since UP may be pre-empted, we cannot assume that we own the lock */
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 025911a5f4e36955498ed50806ad1b02f0f76288 ]
There is no need to have the '__be32 *p' variable static since new value always be assigned before use it.
Signed-off-by: YueHaibing yuehaibing@huawei.com Cc: stable@vger.kernel.org Signed-off-by: J. Bruce Fields bfields@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/sunrpc/xdr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c index 6de975ae7f5b..3cdd34d2a9fc 100644 --- a/net/sunrpc/xdr.c +++ b/net/sunrpc/xdr.c @@ -512,7 +512,7 @@ EXPORT_SYMBOL_GPL(xdr_commit_encode); static __be32 *xdr_get_next_encode_buffer(struct xdr_stream *xdr, size_t nbytes) { - static __be32 *p; + __be32 *p; int space_left; int frag1bytes, frag2bytes;
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman gregkh@linuxfoundation.org
This reverts commit 209c27b04ccc679bd7da0b84c2144733ce79c8a3 which is commit 6c3711ec64fd23a9abc8aaf59a9429569a6282df upstream.
You Ling writes that this config option isn't even in 3.18.y yet, so it causes a regression. Revert the patch because of this.
Reported-by: youling 257 youling257@gmail.com Cc: Johan Hedberg johan.hedberg@intel.com Cc: Marcel Holtmann marcel@holtmann.org Cc: Sasha Levin alexander.levin@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/bluetooth/Kconfig | 1 - 1 file changed, 1 deletion(-)
--- a/drivers/bluetooth/Kconfig +++ b/drivers/bluetooth/Kconfig @@ -85,7 +85,6 @@ config BT_HCIUART_LL config BT_HCIUART_3WIRE bool "Three-wire UART (H5) protocol support" depends on BT_HCIUART - depends on BT_HCIUART_SERDEV help The HCI Three-wire UART Transport Layer makes it possible to user the Bluetooth HCI over a serial port interface. The HCI
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus sakari.ailus@linux.intel.com
commit 92539d3eda2c090b382699bbb896d4b54e9bdece upstream.
Patch ad608fbcf166 changed how events were subscribed to address an issue elsewhere. As a side effect of that change, the "add" callback was called before the event subscription was added to the list of subscribed events, causing the first event queued by the add callback (and possibly other events arriving soon afterwards) to be lost.
Fix this by adding the subscription to the list before calling the "add" callback, and clean up afterwards if that fails.
Fixes: ad608fbcf166 ("media: v4l: event: Prevent freeing event subscriptions while accessed")
Reported-by: Dave Stevenson dave.stevenson@raspberrypi.org Signed-off-by: Sakari Ailus sakari.ailus@linux.intel.com Tested-by: Dave Stevenson dave.stevenson@raspberrypi.org Reviewed-by: Hans Verkuil hans.verkuil@cisco.com Tested-by: Hans Verkuil hans.verkuil@cisco.com Cc: stable@vger.kernel.org (for 4.14 and up) Signed-off-by: Mauro Carvalho Chehab mchehab+samsung@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/media/v4l2-core/v4l2-event.c | 43 +++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 19 deletions(-)
--- a/drivers/media/v4l2-core/v4l2-event.c +++ b/drivers/media/v4l2-core/v4l2-event.c @@ -194,6 +194,22 @@ int v4l2_event_pending(struct v4l2_fh *f } EXPORT_SYMBOL_GPL(v4l2_event_pending);
+static void __v4l2_event_unsubscribe(struct v4l2_subscribed_event *sev) +{ + struct v4l2_fh *fh = sev->fh; + unsigned int i; + + lockdep_assert_held(&fh->subscribe_lock); + assert_spin_locked(&fh->vdev->fh_lock); + + /* Remove any pending events for this subscription */ + for (i = 0; i < sev->in_use; i++) { + list_del(&sev->events[sev_pos(sev, i)].list); + fh->navailable--; + } + list_del(&sev->list); +} + int v4l2_event_subscribe(struct v4l2_fh *fh, const struct v4l2_event_subscription *sub, unsigned elems, const struct v4l2_subscribed_event_ops *ops) @@ -225,27 +241,23 @@ int v4l2_event_subscribe(struct v4l2_fh
spin_lock_irqsave(&fh->vdev->fh_lock, flags); found_ev = v4l2_event_subscribed(fh, sub->type, sub->id); + if (!found_ev) + list_add(&sev->list, &fh->subscribed); spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
if (found_ev) { /* Already listening */ kfree(sev); - goto out_unlock; - } - - if (sev->ops && sev->ops->add) { + } else if (sev->ops && sev->ops->add) { ret = sev->ops->add(sev, elems); if (ret) { + spin_lock_irqsave(&fh->vdev->fh_lock, flags); + __v4l2_event_unsubscribe(sev); + spin_unlock_irqrestore(&fh->vdev->fh_lock, flags); kfree(sev); - goto out_unlock; } }
- spin_lock_irqsave(&fh->vdev->fh_lock, flags); - list_add(&sev->list, &fh->subscribed); - spin_unlock_irqrestore(&fh->vdev->fh_lock, flags); - -out_unlock: mutex_unlock(&fh->subscribe_lock);
return ret; @@ -280,7 +292,6 @@ int v4l2_event_unsubscribe(struct v4l2_f { struct v4l2_subscribed_event *sev; unsigned long flags; - int i;
if (sub->type == V4L2_EVENT_ALL) { v4l2_event_unsubscribe_all(fh); @@ -292,14 +303,8 @@ int v4l2_event_unsubscribe(struct v4l2_f spin_lock_irqsave(&fh->vdev->fh_lock, flags);
sev = v4l2_event_subscribed(fh, sub->type, sub->id); - if (sev != NULL) { - /* Remove any pending events for this subscription */ - for (i = 0; i < sev->in_use; i++) { - list_del(&sev->events[sev_pos(sev, i)].list); - fh->navailable--; - } - list_del(&sev->list); - } + if (sev != NULL) + __v4l2_event_unsubscribe(sev);
spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter dan.carpenter@oracle.com
commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream.
I was trying to solve a double free but I introduced a more serious NULL dereference bug. The problem is that if there is an IRQ which triggers immediately, then we need "info->uio_dev" but it's not set yet.
This patch puts the original initialization back to how it was and just sets info->uio_dev to NULL on the error path so it should solve both the Oops and the double free.
Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails") Reported-by: Mathias Thore Mathias.Thore@infinera.com Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Cc: stable stable@vger.kernel.org Tested-by: Mathias Thore Mathias.Thore@infinera.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/uio/uio.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/uio/uio.c +++ b/drivers/uio/uio.c @@ -841,14 +841,17 @@ int __uio_register_device(struct module if (ret) goto err_uio_dev_add_attributes;
+ info->uio_dev = idev; + if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) { ret = devm_request_irq(idev->dev, info->irq, uio_interrupt, info->irq_flags, info->name, idev); - if (ret) + if (ret) { + info->uio_dev = NULL; goto err_request_irq; + } }
- info->uio_dev = idev; return 0;
err_request_irq:
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maarten Jacobs maarten256@outlook.com
commit 63529eaa6164ef7ab4b907b25ac3648177e5e78f upstream.
The cdc-acm kernel module currently does not support the Hiro (Conexant) H05228 USB modem. The patch below adds the device specific information: idVendor 0x0572 idProduct 0x1349
Signed-off-by: Maarten Jacobs maarten256@outlook.com Acked-by: Oliver Neukum oneukum@suse.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/class/cdc-acm.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -1730,6 +1730,9 @@ static const struct usb_device_id acm_id { USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ }, + { USB_DEVICE(0x0572, 0x1349), /* Hiro (Conexant) USB MODEM H50228 */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, { USB_DEVICE(0x20df, 0x0001), /* Simtec Electronics Entropy Key */ .driver_info = QUIRK_CONTROL_LINE_STATE, }, { USB_DEVICE(0x2184, 0x001c) }, /* GW Instek AFG-2225 */
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai-Heng Feng kai.heng.feng@canonical.com
commit deefd24228a172d1b27d4a9adbfd2cdacd60ae64 upstream.
Raydium USB touchscreen fails to set config if LPM is enabled: [ 2.030658] usb 1-8: New USB device found, idVendor=2386, idProduct=3119 [ 2.030659] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 2.030660] usb 1-8: Product: Raydium Touch System [ 2.030661] usb 1-8: Manufacturer: Raydium Corporation [ 7.132209] usb 1-8: can't set config #1, error -110
Same behavior can be observed on 2386:3114.
Raydium claims the touchscreen supports LPM under Windows, so I used Microsoft USB Test Tools (MUTT) [1] to check its LPM status. MUTT shows that the LPM doesn't work under Windows, either. So let's just disable LPM for Raydium touchscreens.
[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-test-to...
Signed-off-by: Kai-Heng Feng kai.heng.feng@canonical.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/core/quirks.c | 5 +++++ 1 file changed, 5 insertions(+)
--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -249,6 +249,11 @@ static const struct usb_device_id usb_qu { USB_DEVICE(0x2040, 0x7200), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS },
+ /* Raydium Touchscreen */ + { USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM }, + + { USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM }, + /* DJI CineSSD */ { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emmanuel Pescosta emmanuelpescosta099@gmail.com
commit a77112577667cbda7c6292c52d909636aef31fd9 upstream.
Following on from this patch: https://lkml.org/lkml/2017/11/3/516, Corsair K70 LUX RGB keyboards also require the DELAY_INIT quirk to start correctly at boot.
Dmesg output: usb 1-6: string descriptor 0 read error: -110 usb 1-6: New USB device found, idVendor=1b1c, idProduct=1b33 usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-6: can't set config #1, error -110
Signed-off-by: Emmanuel Pescosta emmanuelpescosta099@gmail.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/core/quirks.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -229,6 +229,9 @@ static const struct usb_device_id usb_qu { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT | USB_QUIRK_DELAY_CTRL_MSG },
+ /* Corsair K70 LUX RGB */ + { USB_DEVICE(0x1b1c, 0x1b33), .driver_info = USB_QUIRK_DELAY_INIT }, + /* Corsair K70 LUX */ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor natechancellor@gmail.com
commit 7c97301285b62a41d6bceded7d964085fc8cc50f upstream.
After building the kernel with Clang, the following section mismatch warning appears:
WARNING: vmlinux.o(.text+0x3bf19a6): Section mismatch in reference from the function ssc_probe() to the function .init.text:atmel_ssc_get_driver_data() The function ssc_probe() references the function __init atmel_ssc_get_driver_data(). This is often because ssc_probe lacks a __init annotation or the annotation of atmel_ssc_get_driver_data is wrong.
Remove __init from atmel_ssc_get_driver_data to get rid of the mismatch.
Signed-off-by: Nathan Chancellor natechancellor@gmail.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/misc/atmel-ssc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/atmel-ssc.c +++ b/drivers/misc/atmel-ssc.c @@ -129,7 +129,7 @@ static const struct of_device_id atmel_s MODULE_DEVICE_TABLE(of, atmel_ssc_dt_ids); #endif
-static inline const struct atmel_ssc_platform_data * __init +static inline const struct atmel_ssc_platform_data * atmel_ssc_get_driver_data(struct platform_device *pdev) { if (pdev->dev.of_node) {
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mattias Jacobsson 2pi@mok.nu
commit f6501f49199097b99e4e263644d88c90d1ec1060 upstream.
Add another Apple Cinema Display to the list of supported displays
Signed-off-by: Mattias Jacobsson 2pi@mok.nu Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/misc/appledisplay.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/usb/misc/appledisplay.c +++ b/drivers/usb/misc/appledisplay.c @@ -63,6 +63,7 @@ static const struct usb_device_id appled { APPLEDISPLAY_DEVICE(0x9219) }, { APPLEDISPLAY_DEVICE(0x921c) }, { APPLEDISPLAY_DEVICE(0x921d) }, + { APPLEDISPLAY_DEVICE(0x9222) }, { APPLEDISPLAY_DEVICE(0x9236) },
/* Terminating entry */
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede hdegoede@redhat.com
commit 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa upstream.
Many HP AMD based laptops contain an SMB0001 device like this:
Device (SMBD) { Name (_HID, "SMB0001") // _HID: Hardware ID Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings { IO (Decode16, 0x0B20, // Range Minimum 0x0B20, // Range Maximum 0x20, // Alignment 0x20, // Length ) IRQ (Level, ActiveLow, Shared, ) {7} }) }
The legacy style IRQ resource here causes acpi_dev_get_irqresource() to be called with legacy=true and this message to show in dmesg: ACPI: IRQ 7 override to edge, high
This causes issues when later on the AMD0030 GPIO device gets enumerated:
Device (GPIO) { Name (_HID, "AMDI0030") // _HID: Hardware ID Name (_CID, "AMDI0030") // _CID: Compatible ID Name (_UID, Zero) // _UID: Unique ID Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings { Name (RBUF, ResourceTemplate () { Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, ) { 0x00000007, } Memory32Fixed (ReadWrite, 0xFED81500, // Address Base 0x00000400, // Address Length ) }) Return (RBUF) /* _SB_.GPIO._CRS.RBUF */ } }
Now acpi_dev_get_irqresource() gets called with legacy=false, but because of the earlier override of the trigger-type acpi_register_gsi() returns -EBUSY (because we try to register the same interrupt with a different trigger-type) and we end up setting IORESOURCE_DISABLED in the flags.
The setting of IORESOURCE_DISABLED causes platform_get_irq() to call acpi_irq_get() which is not implemented on x86 and returns -EINVAL. resulting in the following in dmesg:
amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22 amd_gpio: probe of AMDI0030:00 failed with error -22
The SMB0001 is a "virtual" device in the sense that the only way the OS interacts with it is through calling a couple of methods to do SMBus transfers. As such it is weird that it has IO and IRQ resources at all, because the driver for it is not expected to ever access the hardware directly.
The Linux driver for the SMB0001 device directly binds to the acpi_device through the acpi_bus, so we do not need to instantiate a platform_device for this ACPI device. This commit adds the SMB0001 HID to the forbidden_id_list, avoiding the instantiating of a platform_device for it. Not instantiating a platform_device means we will no longer call acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of the AMDI0030 device failing.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013 BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715 BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523 Reported-by: Lukas Kahnert openproggerfreak@gmail.com Tested-by: Marc suaefar@googlemail.com Cc: All applicable stable@vger.kernel.org Signed-off-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/acpi/acpi_platform.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/acpi/acpi_platform.c +++ b/drivers/acpi/acpi_platform.c @@ -29,6 +29,7 @@ static const struct acpi_device_id forbi {"PNP0200", 0}, /* AT DMA Controller */ {"ACPI0009", 0}, /* IOxAPIC */ {"ACPI000A", 0}, /* IOAPIC */ + {"SMB0001", 0}, /* ACPI SMBUS virtual device */ {"", 0}, };
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit db68ce10c4f0a27c1ff9fa0e789e5c41f8c4ea63 upstream.
Signed-off-by: Al Viro viro@zeniv.linux.org.uk [only take the include/linux/uaccess.h portion - gregkh] Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- include/linux/uaccess.h | 3 +++ 1 file changed, 3 insertions(+)
--- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h @@ -2,6 +2,9 @@ #define __LINUX_UACCESS_H__
#include <linux/preempt.h> + +#define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS) + #include <asm/uaccess.h>
/*
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 upstream.
When a UHID_CREATE command is written to the uhid char device, a copy_from_user() is done from a user pointer embedded in the command. When the address limit is KERNEL_DS, e.g. as is the case during sys_sendfile(), this can read from kernel memory. Alternatively, information can be leaked from a setuid binary that is tricked to write to the file descriptor. Therefore, forbid UHID_CREATE in these cases.
No other commands in uhid_char_write() are affected by this bug and UHID_CREATE is marked as "obsolete", so apply the restriction to UHID_CREATE only rather than to uhid_char_write() entirely.
Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess helpers fault on kernel addresses"), allowing this bug to be found.
Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events") Cc: stable@vger.kernel.org # v3.6+ Cc: Jann Horn jannh@google.com Cc: Andy Lutomirski luto@kernel.org Signed-off-by: Eric Biggers ebiggers@google.com Reviewed-by: Jann Horn jannh@google.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/hid/uhid.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
--- a/drivers/hid/uhid.c +++ b/drivers/hid/uhid.c @@ -12,6 +12,7 @@
#include <linux/atomic.h> #include <linux/compat.h> +#include <linux/cred.h> #include <linux/device.h> #include <linux/fs.h> #include <linux/hid.h> @@ -24,6 +25,7 @@ #include <linux/spinlock.h> #include <linux/uhid.h> #include <linux/wait.h> +#include <linux/uaccess.h>
#define UHID_NAME "uhid" #define UHID_BUFSIZE 32 @@ -721,6 +723,17 @@ static ssize_t uhid_char_write(struct fi
switch (uhid->input_buf.type) { case UHID_CREATE: + /* + * 'struct uhid_create_req' contains a __user pointer which is + * copied from, so it's unsafe to allow this with elevated + * privileges (e.g. from a setuid binary) or via kernel_write(). + */ + if (file->f_cred != current_cred() || uaccess_kernel()) { + pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n", + task_tgid_vnr(current), current->comm); + ret = -EACCES; + goto unlock; + } ret = uhid_dev_create(uhid, &uhid->input_buf); break; case UHID_CREATE2:
stable-rc/linux-3.18.y boot: 48 boots: 3 failed, 45 passed (v3.18.126-25-g370f85bf6ea2)
Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-3.18.y/kernel/v3.18... Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-3.18.y/kernel/v3.18.126-25...
Tree: stable-rc Branch: linux-3.18.y Git Describe: v3.18.126-25-g370f85bf6ea2 Git Commit: 370f85bf6ea241301c2e85819c289778fada9162 Git URL: http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Tested: 23 unique boards, 12 SoC families, 14 builds out of 185
Boot Failures Detected:
x86:
x86_64_defconfig qemu: 2 failed labs x86-atom330: 1 failed lab
--- For more info write to info@kernelci.org
On 26 November 2018 4:20:54 PM IST, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 3.18.127 release. There are 24 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed Nov 28 10:50:13 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.127-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below.
thanks,
greg k-h
Built and booted on the OnePlus 3T, no immediate regressions.
On Mon, Nov 26, 2018 at 11:23:31PM +0530, Harsh Shandilya wrote:
On 26 November 2018 4:20:54 PM IST, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 3.18.127 release. There are 24 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed Nov 28 10:50:13 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.127-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below.
thanks,
greg k-h
Built and booted on the OnePlus 3T, no immediate regressions.
Great! Thanks for testing and letting me know.
greg k-h
On Mon, Nov 26, 2018 at 11:50:54AM +0100, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 3.18.127 release. There are 24 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed Nov 28 10:50:13 UTC 2018. Anything received after that time might be too late.
Build results: total: 138 pass: 138 fail: 0 Qemu test results: total: 223 pass: 223 fail: 0
Details are available at https://kerneltests.org/builders/.
Guenter
On 11/26/18 3:50 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 3.18.127 release. There are 24 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed Nov 28 10:50:13 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.127-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below.
thanks,
greg k-h
Compiled and booted on my test system. No dmesg regressions.
thanks, -- Shuah
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman -
Guenter Roeck -
Harsh Shandilya -
kernelci.org bot -
shuah