- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] [PATCH 4.9.y 2/3] ASoC: rsnd: don't call free_irq() on Parent SSI

by Nhan Nguyen

From: Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> commit 1f8754d4daea5f257370a52a30fcb22798c54516 upstream. If SSI uses shared pin, some SSI will be used as parent SSI. Then, normal SSI's remove and Parent SSI's remove (these are same SSI) will be called when unbind or remove timing. In this case, free_irq() will be called twice. This patch solve this issue. Cc: stable(a)vger.kernel.org Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> Tested-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx(a)renesas.com> Reported-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx(a)renesas.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: thongsyho <thong.ho.px(a)rvc.renesas.com> Signed-off-by: Nhan Nguyen <nhan.nguyen.yb(a)renesas.com> --- sound/soc/sh/rcar/ssi.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c index 6cb6db0..9472d99 100644 --- a/sound/soc/sh/rcar/ssi.c +++ b/sound/soc/sh/rcar/ssi.c @@ -694,9 +694,14 @@ static int rsnd_ssi_dma_remove(struct rsnd_mod *mod, struct rsnd_priv *priv) { struct rsnd_ssi *ssi = rsnd_mod_to_ssi(mod); + struct rsnd_mod *ssi_parent_mod = rsnd_io_to_mod_ssip(io); struct device *dev = rsnd_priv_to_dev(priv); int irq = ssi->irq; + /* Do nothing for SSI parent mod */ + if (ssi_parent_mod == mod) + return 0; + /* PIO will request IRQ again */ devm_free_irq(dev, irq, mod); -- 1.9.1

7 years, 4 months

1
0
0 0

[Linux-stable-mirror] [PATCH 4.9.y 1/3] ASoC: simple-card: Fix misleading error message

by Nhan Nguyen

From: Julian Scheel <julian(a)jusst.de> commit 7ac45d1635a4cd2e99a4b11903d4a2815ca1b27b upstream. In case cpu could not be found the error message would always refer to /codec/ not being found in DT. Fix this by catching the cpu node not found case explicitly. Cc: stable(a)vger.kernel.org Signed-off-by: Julian Scheel <julian(a)jusst.de> Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: thongsyho <thong.ho.px(a)rvc.renesas.com> Signed-off-by: Nhan Nguyen <nhan.nguyen.yb(a)renesas.com> --- sound/soc/generic/simple-card.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c index f608f8d2..dd88c2c 100644 --- a/sound/soc/generic/simple-card.c +++ b/sound/soc/generic/simple-card.c @@ -232,13 +232,19 @@ static int asoc_simple_card_dai_link_of(struct device_node *node, snprintf(prop, sizeof(prop), "%scpu", prefix); cpu = of_get_child_by_name(node, prop); + if (!cpu) { + ret = -EINVAL; + dev_err(dev, "%s: Can't find %s DT node\n", __func__, prop); + goto dai_link_of_err; + } + snprintf(prop, sizeof(prop), "%splat", prefix); plat = of_get_child_by_name(node, prop); snprintf(prop, sizeof(prop), "%scodec", prefix); codec = of_get_child_by_name(node, prop); - if (!cpu || !codec) { + if (!codec) { ret = -EINVAL; dev_err(dev, "%s: Can't find %s DT node\n", __func__, prop); goto dai_link_of_err; -- 1.9.1

7 years, 4 months

1
0
0 0

Re: [Linux-stable-mirror] [tip:sched/urgent] sched/rt: Up the root domain ref count when passing it around via IPIs

by Steven Rostedt

I see this was just applied to Linus's tree. This too probably should be tagged for stable as well. -- Steve On Tue, 6 Feb 2018 03:54:42 -0800 "tip-bot for Steven Rostedt (VMware)" <tipbot(a)zytor.com> wrote: > Commit-ID: 364f56653708ba8bcdefd4f0da2a42904baa8eeb > Gitweb: https://git.kernel.org/tip/364f56653708ba8bcdefd4f0da2a42904baa8eeb > Author: Steven Rostedt (VMware) <rostedt(a)goodmis.org> > AuthorDate: Tue, 23 Jan 2018 20:45:38 -0500 > Committer: Ingo Molnar <mingo(a)kernel.org> > CommitDate: Tue, 6 Feb 2018 10:20:33 +0100 > > sched/rt: Up the root domain ref count when passing it around via IPIs > > When issuing an IPI RT push, where an IPI is sent to each CPU that has more > than one RT task scheduled on it, it references the root domain's rto_mask, > that contains all the CPUs within the root domain that has more than one RT > task in the runable state. The problem is, after the IPIs are initiated, the > rq->lock is released. This means that the root domain that is associated to > the run queue could be freed while the IPIs are going around. > > Add a sched_get_rd() and a sched_put_rd() that will increment and decrement > the root domain's ref count respectively. This way when initiating the IPIs, > the scheduler will up the root domain's ref count before releasing the > rq->lock, ensuring that the root domain does not go away until the IPI round > is complete. > > Reported-by: Pavan Kondeti <pkondeti(a)codeaurora.org> > Signed-off-by: Steven Rostedt (VMware) <rostedt(a)goodmis.org> > Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> > Cc: Andrew Morton <akpm(a)linux-foundation.org> > Cc: Linus Torvalds <torvalds(a)linux-foundation.org> > Cc: Mike Galbraith <efault(a)gmx.de> > Cc: Peter Zijlstra <peterz(a)infradead.org> > Cc: Thomas Gleixner <tglx(a)linutronix.de> > Fixes: 4bdced5c9a292 ("sched/rt: Simplify the IPI based RT balancing logic") > Link: http://lkml.kernel.org/r/CAEU1=PkiHO35Dzna8EQqNSKW1fr1y1zRQ5y66X117MG06sQtN… > Signed-off-by: Ingo Molnar <mingo(a)kernel.org> > --- > kernel/sched/rt.c | 9 +++++++-- > kernel/sched/sched.h | 2 ++ > kernel/sched/topology.c | 13 +++++++++++++ > 3 files changed, 22 insertions(+), 2 deletions(-) > > diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c > index 2fb627d..89a086e 100644 > --- a/kernel/sched/rt.c > +++ b/kernel/sched/rt.c > @@ -1990,8 +1990,11 @@ static void tell_cpu_to_push(struct rq *rq) > > rto_start_unlock(&rq->rd->rto_loop_start); > > - if (cpu >= 0) > + if (cpu >= 0) { > + /* Make sure the rd does not get freed while pushing */ > + sched_get_rd(rq->rd); > irq_work_queue_on(&rq->rd->rto_push_work, cpu); > + } > } > > /* Called from hardirq context */ > @@ -2021,8 +2024,10 @@ void rto_push_irq_work_func(struct irq_work *work) > > raw_spin_unlock(&rd->rto_lock); > > - if (cpu < 0) > + if (cpu < 0) { > + sched_put_rd(rd); > return; > + } > > /* Try the next RT overloaded CPU */ > irq_work_queue_on(&rd->rto_push_work, cpu); > diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h > index 2e95505..fb5fc45 100644 > --- a/kernel/sched/sched.h > +++ b/kernel/sched/sched.h > @@ -691,6 +691,8 @@ extern struct mutex sched_domains_mutex; > extern void init_defrootdomain(void); > extern int sched_init_domains(const struct cpumask *cpu_map); > extern void rq_attach_root(struct rq *rq, struct root_domain *rd); > +extern void sched_get_rd(struct root_domain *rd); > +extern void sched_put_rd(struct root_domain *rd); > > #ifdef HAVE_RT_PUSH_IPI > extern void rto_push_irq_work_func(struct irq_work *work); > diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c > index 034cbed..519b024 100644 > --- a/kernel/sched/topology.c > +++ b/kernel/sched/topology.c > @@ -259,6 +259,19 @@ void rq_attach_root(struct rq *rq, struct root_domain *rd) > call_rcu_sched(&old_rd->rcu, free_rootdomain); > } > > +void sched_get_rd(struct root_domain *rd) > +{ > + atomic_inc(&rd->refcount); > +} > + > +void sched_put_rd(struct root_domain *rd) > +{ > + if (!atomic_dec_and_test(&rd->refcount)) > + return; > + > + call_rcu_sched(&rd->rcu, free_rootdomain); > +} > + > static int init_rootdomain(struct root_domain *rd) > { > if (!zalloc_cpumask_var(&rd->span, GFP_KERNEL))

7 years, 4 months

1
0
0 0

Re: [Linux-stable-mirror] [tip:sched/urgent] sched/rt: Use container_of() to get root domain in rto_push_irq_work_func()

by Steven Rostedt

I see this was just applied to Linus's tree. It probably should be tagged for stable as well. -- Steve On Tue, 6 Feb 2018 03:54:16 -0800 "tip-bot for Steven Rostedt (VMware)" <tipbot(a)zytor.com> wrote: > Commit-ID: ad0f1d9d65938aec72a698116cd73a980916895e > Gitweb: https://git.kernel.org/tip/ad0f1d9d65938aec72a698116cd73a980916895e > Author: Steven Rostedt (VMware) <rostedt(a)goodmis.org> > AuthorDate: Tue, 23 Jan 2018 20:45:37 -0500 > Committer: Ingo Molnar <mingo(a)kernel.org> > CommitDate: Tue, 6 Feb 2018 10:20:33 +0100 > > sched/rt: Use container_of() to get root domain in rto_push_irq_work_func() > > When the rto_push_irq_work_func() is called, it looks at the RT overloaded > bitmask in the root domain via the runqueue (rq->rd). The problem is that > during CPU up and down, nothing here stops rq->rd from changing between > taking the rq->rd->rto_lock and releasing it. That means the lock that is > released is not the same lock that was taken. > > Instead of using this_rq()->rd to get the root domain, as the irq work is > part of the root domain, we can simply get the root domain from the irq work > that is passed to the routine: > > container_of(work, struct root_domain, rto_push_work) > > This keeps the root domain consistent. > > Reported-by: Pavan Kondeti <pkondeti(a)codeaurora.org> > Signed-off-by: Steven Rostedt (VMware) <rostedt(a)goodmis.org> > Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> > Cc: Andrew Morton <akpm(a)linux-foundation.org> > Cc: Linus Torvalds <torvalds(a)linux-foundation.org> > Cc: Mike Galbraith <efault(a)gmx.de> > Cc: Peter Zijlstra <peterz(a)infradead.org> > Cc: Thomas Gleixner <tglx(a)linutronix.de> > Fixes: 4bdced5c9a292 ("sched/rt: Simplify the IPI based RT balancing logic") > Link: http://lkml.kernel.org/r/CAEU1=PkiHO35Dzna8EQqNSKW1fr1y1zRQ5y66X117MG06sQtN… > Signed-off-by: Ingo Molnar <mingo(a)kernel.org> > --- > kernel/sched/rt.c | 15 ++++++++------- > 1 file changed, 8 insertions(+), 7 deletions(-) > > diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c > index 862a513..2fb627d 100644 > --- a/kernel/sched/rt.c > +++ b/kernel/sched/rt.c > @@ -1907,9 +1907,8 @@ static void push_rt_tasks(struct rq *rq) > * the rt_loop_next will cause the iterator to perform another scan. > * > */ > -static int rto_next_cpu(struct rq *rq) > +static int rto_next_cpu(struct root_domain *rd) > { > - struct root_domain *rd = rq->rd; > int next; > int cpu; > > @@ -1985,7 +1984,7 @@ static void tell_cpu_to_push(struct rq *rq) > * Otherwise it is finishing up and an ipi needs to be sent. > */ > if (rq->rd->rto_cpu < 0) > - cpu = rto_next_cpu(rq); > + cpu = rto_next_cpu(rq->rd); > > raw_spin_unlock(&rq->rd->rto_lock); > > @@ -1998,6 +1997,8 @@ static void tell_cpu_to_push(struct rq *rq) > /* Called from hardirq context */ > void rto_push_irq_work_func(struct irq_work *work) > { > + struct root_domain *rd = > + container_of(work, struct root_domain, rto_push_work); > struct rq *rq; > int cpu; > > @@ -2013,18 +2014,18 @@ void rto_push_irq_work_func(struct irq_work *work) > raw_spin_unlock(&rq->lock); > } > > - raw_spin_lock(&rq->rd->rto_lock); > + raw_spin_lock(&rd->rto_lock); > > /* Pass the IPI to the next rt overloaded queue */ > - cpu = rto_next_cpu(rq); > + cpu = rto_next_cpu(rd); > > - raw_spin_unlock(&rq->rd->rto_lock); > + raw_spin_unlock(&rd->rto_lock); > > if (cpu < 0) > return; > > /* Try the next RT overloaded CPU */ > - irq_work_queue_on(&rq->rd->rto_push_work, cpu); > + irq_work_queue_on(&rd->rto_push_work, cpu); > } > #endif /* HAVE_RT_PUSH_IPI */ >

7 years, 4 months

1
0
0 0

[Linux-stable-mirror] [PATCH] memremap: fix softlockup reports at teardown

by Dan Williams

The cond_resched() currently in the setup path needs to be duplicated in the teardown path. Rather than require each instance of for_each_device_pfn() to open code the same sequence, embed it in the helper. Link: https://github.com/intel/ixpdimm_sw/issues/11 Cc: "Jérôme Glisse" <jglisse(a)redhat.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Christoph Hellwig <hch(a)lst.de> Cc: <stable(a)vger.kernel.org> Fixes: 71389703839e ("mm, zone_device: Replace {get, put}_zone_device_page()...") Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> --- kernel/memremap.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/kernel/memremap.c b/kernel/memremap.c index 4849be5f9b3c..4dd4274cabe2 100644 --- a/kernel/memremap.c +++ b/kernel/memremap.c @@ -275,8 +275,15 @@ static unsigned long pfn_end(struct dev_pagemap *pgmap) return (res->start + resource_size(res)) >> PAGE_SHIFT; } +static unsigned long pfn_next(unsigned long pfn) +{ + if (pfn % 1024 == 0) + cond_resched(); + return pfn + 1; +} + #define for_each_device_pfn(pfn, map) \ - for (pfn = pfn_first(map); pfn < pfn_end(map); pfn++) + for (pfn = pfn_first(map); pfn < pfn_end(map); pfn = pfn_next(pfn)) static void devm_memremap_pages_release(void *data) { @@ -337,10 +344,10 @@ void *devm_memremap_pages(struct device *dev, struct dev_pagemap *pgmap) resource_size_t align_start, align_size, align_end; struct vmem_altmap *altmap = pgmap->altmap_valid ? &pgmap->altmap : NULL; + struct resource *res = &pgmap->res; unsigned long pfn, pgoff, order; pgprot_t pgprot = PAGE_KERNEL; - int error, nid, is_ram, i = 0; - struct resource *res = &pgmap->res; + int error, nid, is_ram; align_start = res->start & ~(SECTION_SIZE - 1); align_size = ALIGN(res->start + resource_size(res), SECTION_SIZE) @@ -409,8 +416,6 @@ void *devm_memremap_pages(struct device *dev, struct dev_pagemap *pgmap) list_del(&page->lru); page->pgmap = pgmap; percpu_ref_get(pgmap->ref); - if (!(++i % 1024)) - cond_resched(); } devm_add_action(dev, devm_memremap_pages_release, pgmap);

7 years, 4 months

1
0
0 0

[Linux-stable-mirror] [PATCH -mm] mm, swap, frontswap: Fix THP swap if frontswap enabled

by Huang, Ying

From: Huang Ying <ying.huang(a)intel.com> It was reported by Sergey Senozhatsky that if THP (Transparent Huge Page) and frontswap (via zswap) are both enabled, when memory goes low so that swap is triggered, segfault and memory corruption will occur in random user space applications as follow, kernel: urxvt[338]: segfault at 20 ip 00007fc08889ae0d sp 00007ffc73a7fc40 error 6 in libc-2.26.so[7fc08881a000+1ae000] #0 0x00007fc08889ae0d _int_malloc (libc.so.6) #1 0x00007fc08889c2f3 malloc (libc.so.6) #2 0x0000560e6004bff7 _Z14rxvt_wcstoutf8PKwi (urxvt) #3 0x0000560e6005e75c n/a (urxvt) #4 0x0000560e6007d9f1 _ZN16rxvt_perl_interp6invokeEP9rxvt_term9hook_typez (urxvt) #5 0x0000560e6003d988 _ZN9rxvt_term9cmd_parseEv (urxvt) #6 0x0000560e60042804 _ZN9rxvt_term6pty_cbERN2ev2ioEi (urxvt) #7 0x0000560e6005c10f _Z17ev_invoke_pendingv (urxvt) #8 0x0000560e6005cb55 ev_run (urxvt) #9 0x0000560e6003b9b9 main (urxvt) #10 0x00007fc08883af4a __libc_start_main (libc.so.6) #11 0x0000560e6003f9da _start (urxvt) After bisection, it was found the first bad commit is bd4c82c22c367e068 ("mm, THP, swap: delay splitting THP after swapped out"). The root cause is as follow. When the pages are written to storage device during swapping out in swap_writepage(), zswap (fontswap) is tried to compress the pages instead to improve the performance. But zswap (frontswap) will treat THP as normal page, so only the head page is saved. After swapping in, tail pages will not be restored to its original contents, so cause the memory corruption in the applications. This is fixed via splitting THP at the begin of swapping out if frontswap is enabled. To avoid frontswap to be enabled at runtime, whether the page is THP is checked before using frontswap during swapping out too. Reported-and-tested-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Signed-off-by: "Huang, Ying" <ying.huang(a)intel.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> Cc: Dan Streetman <ddstreet(a)ieee.org> Cc: Seth Jennings <sjenning(a)redhat.com> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Cc: Shaohua Li <shli(a)kernel.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Shakeel Butt <shakeelb(a)google.com> Cc: stable(a)vger.kernel.org # 4.14 Fixes: bd4c82c22c367e068 ("mm, THP, swap: delay splitting THP after swapped out") --- mm/page_io.c | 2 +- mm/vmscan.c | 16 +++++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/mm/page_io.c b/mm/page_io.c index b41cf9644585..6dca817ae7a0 100644 --- a/mm/page_io.c +++ b/mm/page_io.c @@ -250,7 +250,7 @@ int swap_writepage(struct page *page, struct writeback_control *wbc) unlock_page(page); goto out; } - if (frontswap_store(page) == 0) { + if (!PageTransHuge(page) && frontswap_store(page) == 0) { set_page_writeback(page); unlock_page(page); end_page_writeback(page); diff --git a/mm/vmscan.c b/mm/vmscan.c index bee53495a829..d1c1e00b08bb 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -55,6 +55,7 @@ #include <linux/swapops.h> #include <linux/balloon_compaction.h> +#include <linux/frontswap.h> #include "internal.h" @@ -1063,14 +1064,23 @@ static unsigned long shrink_page_list(struct list_head *page_list, /* cannot split THP, skip it */ if (!can_split_huge_page(page, NULL)) goto activate_locked; + /* + * Split THP if frontswap enabled, + * because it cannot process THP + */ + if (frontswap_enabled()) { + if (split_huge_page_to_list( + page, page_list)) + goto activate_locked; + } /* * Split pages without a PMD map right * away. Chances are some or all of the * tail pages can be freed without IO. */ - if (!compound_mapcount(page) && - split_huge_page_to_list(page, - page_list)) + else if (!compound_mapcount(page) && + split_huge_page_to_list(page, + page_list)) goto activate_locked; } if (!add_to_swap(page)) { -- 2.15.1

7 years, 4 months

4
8
0 0

[Linux-stable-mirror] [PATCHv2 1/1] ext4: don't put symlink in pagecache into highmem

by Jin Qian

From: Jin Qian <jinqian(a)google.com> partial backport from 21fc61c73c3903c4c312d0802da01ec2b323d174 upstream to v4.4 to prevent virt_to_page on highmem. ext4_encrypted_follow_link uses kmap() for cpage caddr = kmap(cpage); _ext4_fname_disk_to_usr calls virt_to_page on the kmapped address. _ext4_fname_disk_to_usr() ext4_fname_decrypt() sg_init_one() sg_init_one(&src_sg, iname->name, iname->len); sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf)); Cc: stable(a)vger.kernel.org Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Jin Qian <jinqian(a)google.com> Signed-off-by: Jin Qian <jinqian(a)android.com> --- fs/ext4/inode.c | 1 + fs/ext4/namei.c | 1 + fs/ext4/symlink.c | 10 +++------- fs/inode.c | 6 ++++++ include/linux/fs.h | 1 + 5 files changed, 12 insertions(+), 7 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 4df1cb19a243..f0cabc8c96cb 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4417,6 +4417,7 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) inode->i_op = &ext4_symlink_inode_operations; ext4_set_aops(inode); } + inode_nohighmem(inode); } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { inode->i_op = &ext4_special_inode_operations; diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 4c36dca486cc..32960b3ecd4f 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -3151,6 +3151,7 @@ static int ext4_symlink(struct inode *dir, if ((disk_link.len > EXT4_N_BLOCKS * 4)) { if (!encryption_required) inode->i_op = &ext4_symlink_inode_operations; + inode_nohighmem(inode); ext4_set_aops(inode); /* * We cannot call page_symlink() with transaction started diff --git a/fs/ext4/symlink.c b/fs/ext4/symlink.c index e8e7af62ac95..287c3980fa0b 100644 --- a/fs/ext4/symlink.c +++ b/fs/ext4/symlink.c @@ -45,7 +45,7 @@ static const char *ext4_encrypted_follow_link(struct dentry *dentry, void **cook cpage = read_mapping_page(inode->i_mapping, 0, NULL); if (IS_ERR(cpage)) return ERR_CAST(cpage); - caddr = kmap(cpage); + caddr = page_address(cpage); caddr[size] = 0; } @@ -75,16 +75,12 @@ static const char *ext4_encrypted_follow_link(struct dentry *dentry, void **cook /* Null-terminate the name */ if (res <= plen) paddr[res] = '\0'; - if (cpage) { - kunmap(cpage); + if (cpage) page_cache_release(cpage); - } return *cookie = paddr; errout: - if (cpage) { - kunmap(cpage); + if (cpage) page_cache_release(cpage); - } kfree(paddr); return ERR_PTR(res); } diff --git a/fs/inode.c b/fs/inode.c index b0edef500590..b95615f3fc50 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2028,3 +2028,9 @@ void inode_set_flags(struct inode *inode, unsigned int flags, new_flags) != old_flags)); } EXPORT_SYMBOL(inode_set_flags); + +void inode_nohighmem(struct inode *inode) +{ + mapping_set_gfp_mask(inode->i_mapping, GFP_USER); +} +EXPORT_SYMBOL(inode_nohighmem); diff --git a/include/linux/fs.h b/include/linux/fs.h index c8decb7075d6..f746a59fcc88 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -3066,5 +3066,6 @@ static inline bool dir_relax(struct inode *inode) } extern bool path_noexec(const struct path *path); +extern void inode_nohighmem(struct inode *inode); #endif /* _LINUX_FS_H */ -- 2.16.0.rc1.238.g530d649a79-goog

7 years, 4 months

4
4
0 0

[Linux-stable-mirror] [PATCH 5/9] X.509: fix NULL dereference when restricting key with unsupported_sig

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> The asymmetric key type allows an X.509 certificate to be added even if its signature's hash algorithm is not available in the crypto API. In that case 'payload.data[asym_auth]' will be NULL. But the key restriction code failed to check for this case before trying to use the signature, resulting in a NULL pointer dereference in key_or_keyring_common() or in restrict_link_by_signature(). Fix this by returning -ENOPKG when the signature is unsupported. Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled and keyctl has support for the 'restrict_keyring' command: keyctl new_session keyctl restrict_keyring @s asymmetric builtin_trusted openssl req -new -sha512 -x509 -batch -nodes -outform der \ | keyctl padd asymmetric desc @s Fixes: a511e1af8b12 ("KEYS: Move the point of trust determination to __key_link()") Cc: <stable(a)vger.kernel.org> # v4.7+ Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- crypto/asymmetric_keys/restrict.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 86fb68508952..7c93c7728454 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -67,8 +67,9 @@ __setup("ca_keys=", ca_keys_setup); * * Returns 0 if the new certificate was accepted, -ENOKEY if we couldn't find a * matching parent certificate in the trusted list, -EKEYREJECTED if the - * signature check fails or the key is blacklisted and some other error if - * there is a matching certificate but the signature check cannot be performed. + * signature check fails or the key is blacklisted, -ENOPKG if the signature + * uses unsupported crypto, or some other error if there is a matching + * certificate but the signature check cannot be performed. */ int restrict_link_by_signature(struct key *dest_keyring, const struct key_type *type, @@ -88,6 +89,8 @@ int restrict_link_by_signature(struct key *dest_keyring, return -EOPNOTSUPP; sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; if (!sig->auth_ids[0] && !sig->auth_ids[1]) return -ENOKEY; @@ -139,6 +142,8 @@ static int key_or_keyring_common(struct key *dest_keyring, return -EOPNOTSUPP; sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; if (!sig->auth_ids[0] && !sig->auth_ids[1]) return -ENOKEY; @@ -222,9 +227,9 @@ static int key_or_keyring_common(struct key *dest_keyring, * * Returns 0 if the new certificate was accepted, -ENOKEY if we * couldn't find a matching parent certificate in the trusted list, - * -EKEYREJECTED if the signature check fails, and some other error if - * there is a matching certificate but the signature check cannot be - * performed. + * -EKEYREJECTED if the signature check fails, -ENOPKG if the signature uses + * unsupported crypto, or some other error if there is a matching certificate + * but the signature check cannot be performed. */ int restrict_link_by_key_or_keyring(struct key *dest_keyring, const struct key_type *type, @@ -249,9 +254,9 @@ int restrict_link_by_key_or_keyring(struct key *dest_keyring, * * Returns 0 if the new certificate was accepted, -ENOKEY if we * couldn't find a matching parent certificate in the trusted list, - * -EKEYREJECTED if the signature check fails, and some other error if - * there is a matching certificate but the signature check cannot be - * performed. + * -EKEYREJECTED if the signature check fails, -ENOPKG if the signature uses + * unsupported crypto, or some other error if there is a matching certificate + * but the signature check cannot be performed. */ int restrict_link_by_key_or_keyring_chain(struct key *dest_keyring, const struct key_type *type, -- 2.16.0.rc1.238.g530d649a79-goog

7 years, 4 months

1
0
0 0

[Linux-stable-mirror] [PATCH 2/9] PKCS#7: fix certificate blacklisting

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> If there is a blacklisted certificate in a SignerInfo's certificate chain, then pkcs7_verify_sig_chain() sets sinfo->blacklisted and returns 0. But, pkcs7_verify() fails to handle this case appropriately, as it actually continues on to the line 'actual_ret = 0;', indicating that the SignerInfo has passed verification. Consequently, PKCS#7 signature verification ignores the certificate blacklist. Fix this by not considering blacklisted SignerInfos to have passed verification. Also fix the function comment with regards to when 0 is returned. Fixes: 03bb79315ddc ("PKCS#7: Handle blacklisted certificates") Cc: <stable(a)vger.kernel.org> # v4.12+ Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- crypto/asymmetric_keys/pkcs7_verify.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 2f6a768b91d7..97c77f66b20d 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -366,8 +366,7 @@ static int pkcs7_verify_one(struct pkcs7_message *pkcs7, * * (*) -EBADMSG if some part of the message was invalid, or: * - * (*) 0 if no signature chains were found to be blacklisted or to contain - * unsupported crypto, or: + * (*) 0 if a signature chain passed verification, or: * * (*) -EKEYREJECTED if a blacklisted key was encountered, or: * @@ -423,8 +422,11 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { ret = pkcs7_verify_one(pkcs7, sinfo); - if (sinfo->blacklisted && actual_ret == -ENOPKG) - actual_ret = -EKEYREJECTED; + if (sinfo->blacklisted) { + if (actual_ret == -ENOPKG) + actual_ret = -EKEYREJECTED; + continue; + } if (ret < 0) { if (ret == -ENOPKG) { sinfo->unsupported_crypto = true; -- 2.16.0.rc1.238.g530d649a79-goog

7 years, 4 months

1
0
0 0

[Linux-stable-mirror] [PATCH 1/9] PKCS#7: fix certificate chain verification

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> When pkcs7_verify_sig_chain() is building the certificate chain for a SignerInfo using the certificates in the PKCS#7 message, it is passing the wrong arguments to public_key_verify_signature(). Consequently, when the next certificate is supposed to be used to verify the previous certificate, the next certificate is actually used to verify itself. An attacker can use this bug to create a bogus certificate chain that has no cryptographic relationship between the beginning and end. Fortunately I couldn't quite find a way to use this to bypass the overall signature verification, though it comes very close. Here's the reasoning: due to the bug, every certificate in the chain beyond the first actually has to be self-signed (where "self-signed" here refers to the actual key and signature; an attacker might still manipulate the certificate fields such that the self_signed flag doesn't actually get set, and thus the chain doesn't end immediately). But to pass trust validation (pkcs7_validate_trust()), either the SignerInfo or one of the certificates has to actually be signed by a trusted key. Since only self-signed certificates can be added to the chain, the only way for an attacker to introduce a trusted signature is to include a self-signed trusted certificate. But, when pkcs7_validate_trust_one() reaches that certificate, instead of trying to verify the signature on that certificate, it will actually look up the corresponding trusted key, which will succeed, and then try to verify the *previous* certificate, which will fail. Thus, disaster is narrowly averted (as far as I could tell). Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier") Cc: <stable(a)vger.kernel.org> # v4.7+ Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- crypto/asymmetric_keys/pkcs7_verify.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 39e6de0c2761..2f6a768b91d7 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -270,7 +270,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, sinfo->index); return 0; } - ret = public_key_verify_signature(p->pub, p->sig); + ret = public_key_verify_signature(p->pub, x509->sig); if (ret < 0) return ret; x509->signer = p; -- 2.16.0.rc1.238.g530d649a79-goog

7 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror