- Linux-stable-mirror - lists.linaro.org

[PATCH 0/1] media: uvc_driver: fix USB Camera ref leak denial of service

by David Fries

The patch in the following e-mail fixes a reference count bug, it seems to me that uvc_unregister_video is a good location to release the final reference, I find it is called once. It may sound like a lot to plug and unplug the USB camera 250 some times, but in my case "disabled by hub (EMI?), re-enabling..." kept unplugging and plugging in the device until days later it ran out of minors and I lost the video security feed. With this patch, now that the device is actually being removed other problems are showing up. Specifically the following if the camera is removed or `rmmod ehci_pci` while an application is getting video from it. It doesn't happen if the camera is not in use. How do I track that down? sysfs group 'power' not found for kobject 'event10' sysfs group 'power' not found for kobject 'input32' sysfs group 'id' not found for kobject 'input32' sysfs group 'capabilities' not found for kobject 'input32' sysfs group 'power' not found for kobject 'media0' -- David Fries <david(a)fries.net>

7 years, 5 months

1
0
0 0

Please apply this XFS patch on 4.4

by Daniel Sangorrin

Subject of the patch: xfs: remove racy hasattr check from attr ops Commit ID: 5a93790d4e2df73e30c965ec6e49be82fc3ccfce Why: It didn't pass LTP getxattr04 test, which is "a regression test for the race between getting an existing xattr and setting/removing a large xattr. This bug leads to that getxattr() fails to get an existing xattr and returns ENOATTR in xfs filesystem." LTP test getxattr04 was FAILing with this error message: tst_device.c:230: INFO: Using test device LTP_DEV='/dev/loop0' tst_mkfs.c:83: INFO: Formatting /dev/loop0 with xfs opts='' extra opts='' tst_test.c:982: INFO: Timeout per run is 0h 05m 00s getxattr04.c:72: FAIL: getxattr() failed to get an existing attribute After patching 4.4.y and running the test again (on x86_64) it PASSes: tst_device.c:230: INFO: Using test device LTP_DEV='/dev/loop0' tst_mkfs.c:83: INFO: Formatting /dev/loop0 with xfs opts='' extra opts='' tst_test.c:982: INFO: Timeout per run is 0h 05m 00s getxattr04.c:82: PASS: getxattr() succeeded to get an existing attribute What kernel version: 4.4.y (Note: 4.9.y already has it applied) Thanks, Daniel Sangorrin

7 years, 5 months

2
1
0 0

Please apply 4ea77014af0d620 ("kernel/signal.c: avoid undefined behaviour in kill_something_info") to v4.9.y and earlier

by Guenter Roeck

Hi Greg, Please apply commit 4ea77014af0d620 ("kernel/signal.c: avoid undefined behaviour in kill_something_info") to v4.9.y and earlier to fix CVE-2018-10124. Thanks, Guenter

7 years, 5 months

2
1
0 0

FAILED: patch "[PATCH] IB/umem: Use the correct mm during ib_umem_release" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 8e907ed4882714fd13cfe670681fc6cb5284c780 Mon Sep 17 00:00:00 2001 From: Lidong Chen <jemmy858585(a)gmail.com> Date: Tue, 8 May 2018 16:50:16 +0800 Subject: [PATCH] IB/umem: Use the correct mm during ib_umem_release User-space may invoke ibv_reg_mr and ibv_dereg_mr in different threads. If ibv_dereg_mr is called after the thread which invoked ibv_reg_mr has exited, get_pid_task will return NULL and ib_umem_release will not decrease mm->pinned_vm. Instead of using threads to locate the mm, use the overall tgid from the ib_ucontext struct instead. This matches the behavior of ODP and disassociate in handling the mm of the process that called ibv_reg_mr. Cc: <stable(a)vger.kernel.org> Fixes: 87773dd56d54 ("IB: ib_umem_release() should decrement mm->pinned_vm from ib_umem_get") Signed-off-by: Lidong Chen <lidongchen(a)tencent.com> Signed-off-by: Jason Gunthorpe <jgg(a)mellanox.com> diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c index 9a4e899d94b3..2b6c9b516070 100644 --- a/drivers/infiniband/core/umem.c +++ b/drivers/infiniband/core/umem.c @@ -119,7 +119,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, umem->length = size; umem->address = addr; umem->page_shift = PAGE_SHIFT; - umem->pid = get_task_pid(current, PIDTYPE_PID); /* * We ask for writable memory if any of the following * access flags are set. "Local write" and "remote write" @@ -132,7 +131,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND)); if (access & IB_ACCESS_ON_DEMAND) { - put_pid(umem->pid); ret = ib_umem_odp_get(context, umem, access); if (ret) { kfree(umem); @@ -148,7 +146,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, page_list = (struct page **) __get_free_page(GFP_KERNEL); if (!page_list) { - put_pid(umem->pid); kfree(umem); return ERR_PTR(-ENOMEM); } @@ -231,7 +228,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, if (ret < 0) { if (need_release) __ib_umem_release(context->device, umem, 0); - put_pid(umem->pid); kfree(umem); } else current->mm->pinned_vm = locked; @@ -274,8 +270,7 @@ void ib_umem_release(struct ib_umem *umem) __ib_umem_release(umem->context->device, umem, 1); - task = get_pid_task(umem->pid, PIDTYPE_PID); - put_pid(umem->pid); + task = get_pid_task(umem->context->tgid, PIDTYPE_PID); if (!task) goto out; mm = get_task_mm(task); diff --git a/include/rdma/ib_umem.h b/include/rdma/ib_umem.h index 23159dd5be18..a1fd63871d17 100644 --- a/include/rdma/ib_umem.h +++ b/include/rdma/ib_umem.h @@ -48,7 +48,6 @@ struct ib_umem { int writable; int hugetlb; struct work_struct work; - struct pid *pid; struct mm_struct *mm; unsigned long diff; struct ib_umem_odp *odp_data;

7 years, 5 months

1
0
0 0

FAILED: patch "[PATCH] IB/umem: Use the correct mm during ib_umem_release" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 8e907ed4882714fd13cfe670681fc6cb5284c780 Mon Sep 17 00:00:00 2001 From: Lidong Chen <jemmy858585(a)gmail.com> Date: Tue, 8 May 2018 16:50:16 +0800 Subject: [PATCH] IB/umem: Use the correct mm during ib_umem_release User-space may invoke ibv_reg_mr and ibv_dereg_mr in different threads. If ibv_dereg_mr is called after the thread which invoked ibv_reg_mr has exited, get_pid_task will return NULL and ib_umem_release will not decrease mm->pinned_vm. Instead of using threads to locate the mm, use the overall tgid from the ib_ucontext struct instead. This matches the behavior of ODP and disassociate in handling the mm of the process that called ibv_reg_mr. Cc: <stable(a)vger.kernel.org> Fixes: 87773dd56d54 ("IB: ib_umem_release() should decrement mm->pinned_vm from ib_umem_get") Signed-off-by: Lidong Chen <lidongchen(a)tencent.com> Signed-off-by: Jason Gunthorpe <jgg(a)mellanox.com> diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c index 9a4e899d94b3..2b6c9b516070 100644 --- a/drivers/infiniband/core/umem.c +++ b/drivers/infiniband/core/umem.c @@ -119,7 +119,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, umem->length = size; umem->address = addr; umem->page_shift = PAGE_SHIFT; - umem->pid = get_task_pid(current, PIDTYPE_PID); /* * We ask for writable memory if any of the following * access flags are set. "Local write" and "remote write" @@ -132,7 +131,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND)); if (access & IB_ACCESS_ON_DEMAND) { - put_pid(umem->pid); ret = ib_umem_odp_get(context, umem, access); if (ret) { kfree(umem); @@ -148,7 +146,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, page_list = (struct page **) __get_free_page(GFP_KERNEL); if (!page_list) { - put_pid(umem->pid); kfree(umem); return ERR_PTR(-ENOMEM); } @@ -231,7 +228,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, if (ret < 0) { if (need_release) __ib_umem_release(context->device, umem, 0); - put_pid(umem->pid); kfree(umem); } else current->mm->pinned_vm = locked; @@ -274,8 +270,7 @@ void ib_umem_release(struct ib_umem *umem) __ib_umem_release(umem->context->device, umem, 1); - task = get_pid_task(umem->pid, PIDTYPE_PID); - put_pid(umem->pid); + task = get_pid_task(umem->context->tgid, PIDTYPE_PID); if (!task) goto out; mm = get_task_mm(task); diff --git a/include/rdma/ib_umem.h b/include/rdma/ib_umem.h index 23159dd5be18..a1fd63871d17 100644 --- a/include/rdma/ib_umem.h +++ b/include/rdma/ib_umem.h @@ -48,7 +48,6 @@ struct ib_umem { int writable; int hugetlb; struct work_struct work; - struct pid *pid; struct mm_struct *mm; unsigned long diff; struct ib_umem_odp *odp_data;

7 years, 5 months

1
0
0 0

FAILED: patch "[PATCH] powerpc/64s: Clear PCR on boot" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From faf37c44a105f3608115785f17cbbf3500f8bc71 Mon Sep 17 00:00:00 2001 From: Michael Neuling <mikey(a)neuling.org> Date: Fri, 18 May 2018 11:37:42 +1000 Subject: [PATCH] powerpc/64s: Clear PCR on boot Clear the PCR (Processor Compatibility Register) on boot to ensure we are not running in a compatibility mode. We've seen this cause problems when a crash (and kdump) occurs while running compat mode guests. The kdump kernel then runs with the PCR set and causes problems. The symptom in the kdump kernel (also seen in petitboot after fast-reboot) is early userspace programs taking sigills on newer instructions (seen in libc). Signed-off-by: Michael Neuling <mikey(a)neuling.org> Cc: stable(a)vger.kernel.org Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> diff --git a/arch/powerpc/kernel/cpu_setup_power.S b/arch/powerpc/kernel/cpu_setup_power.S index 3f30c994e931..458b928dbd84 100644 --- a/arch/powerpc/kernel/cpu_setup_power.S +++ b/arch/powerpc/kernel/cpu_setup_power.S @@ -28,6 +28,7 @@ _GLOBAL(__setup_cpu_power7) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR li r4,(LPCR_LPES1 >> LPCR_LPES_SH) bl __init_LPCR_ISA206 @@ -41,6 +42,7 @@ _GLOBAL(__restore_cpu_power7) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR li r4,(LPCR_LPES1 >> LPCR_LPES_SH) bl __init_LPCR_ISA206 @@ -57,6 +59,7 @@ _GLOBAL(__setup_cpu_power8) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR ori r3, r3, LPCR_PECEDH li r4,0 /* LPES = 0 */ @@ -78,6 +81,7 @@ _GLOBAL(__restore_cpu_power8) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR ori r3, r3, LPCR_PECEDH li r4,0 /* LPES = 0 */ @@ -99,6 +103,7 @@ _GLOBAL(__setup_cpu_power9) mtspr SPRN_PSSCR,r0 mtspr SPRN_LPID,r0 mtspr SPRN_PID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC) or r3, r3, r4 @@ -123,6 +128,7 @@ _GLOBAL(__restore_cpu_power9) mtspr SPRN_PSSCR,r0 mtspr SPRN_LPID,r0 mtspr SPRN_PID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC) or r3, r3, r4 diff --git a/arch/powerpc/kernel/dt_cpu_ftrs.c b/arch/powerpc/kernel/dt_cpu_ftrs.c index 8ab51f6ca03a..c904477abaf3 100644 --- a/arch/powerpc/kernel/dt_cpu_ftrs.c +++ b/arch/powerpc/kernel/dt_cpu_ftrs.c @@ -101,6 +101,7 @@ static void __restore_cpu_cpufeatures(void) if (hv_mode) { mtspr(SPRN_LPID, 0); mtspr(SPRN_HFSCR, system_registers.hfscr); + mtspr(SPRN_PCR, 0); } mtspr(SPRN_FSCR, system_registers.fscr);

7 years, 5 months

1
0
0 0

FAILED: patch "[PATCH] powerpc/64s: Clear PCR on boot" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From faf37c44a105f3608115785f17cbbf3500f8bc71 Mon Sep 17 00:00:00 2001 From: Michael Neuling <mikey(a)neuling.org> Date: Fri, 18 May 2018 11:37:42 +1000 Subject: [PATCH] powerpc/64s: Clear PCR on boot Clear the PCR (Processor Compatibility Register) on boot to ensure we are not running in a compatibility mode. We've seen this cause problems when a crash (and kdump) occurs while running compat mode guests. The kdump kernel then runs with the PCR set and causes problems. The symptom in the kdump kernel (also seen in petitboot after fast-reboot) is early userspace programs taking sigills on newer instructions (seen in libc). Signed-off-by: Michael Neuling <mikey(a)neuling.org> Cc: stable(a)vger.kernel.org Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> diff --git a/arch/powerpc/kernel/cpu_setup_power.S b/arch/powerpc/kernel/cpu_setup_power.S index 3f30c994e931..458b928dbd84 100644 --- a/arch/powerpc/kernel/cpu_setup_power.S +++ b/arch/powerpc/kernel/cpu_setup_power.S @@ -28,6 +28,7 @@ _GLOBAL(__setup_cpu_power7) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR li r4,(LPCR_LPES1 >> LPCR_LPES_SH) bl __init_LPCR_ISA206 @@ -41,6 +42,7 @@ _GLOBAL(__restore_cpu_power7) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR li r4,(LPCR_LPES1 >> LPCR_LPES_SH) bl __init_LPCR_ISA206 @@ -57,6 +59,7 @@ _GLOBAL(__setup_cpu_power8) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR ori r3, r3, LPCR_PECEDH li r4,0 /* LPES = 0 */ @@ -78,6 +81,7 @@ _GLOBAL(__restore_cpu_power8) beqlr li r0,0 mtspr SPRN_LPID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR ori r3, r3, LPCR_PECEDH li r4,0 /* LPES = 0 */ @@ -99,6 +103,7 @@ _GLOBAL(__setup_cpu_power9) mtspr SPRN_PSSCR,r0 mtspr SPRN_LPID,r0 mtspr SPRN_PID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC) or r3, r3, r4 @@ -123,6 +128,7 @@ _GLOBAL(__restore_cpu_power9) mtspr SPRN_PSSCR,r0 mtspr SPRN_LPID,r0 mtspr SPRN_PID,r0 + mtspr SPRN_PCR,r0 mfspr r3,SPRN_LPCR LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC) or r3, r3, r4 diff --git a/arch/powerpc/kernel/dt_cpu_ftrs.c b/arch/powerpc/kernel/dt_cpu_ftrs.c index 8ab51f6ca03a..c904477abaf3 100644 --- a/arch/powerpc/kernel/dt_cpu_ftrs.c +++ b/arch/powerpc/kernel/dt_cpu_ftrs.c @@ -101,6 +101,7 @@ static void __restore_cpu_cpufeatures(void) if (hv_mode) { mtspr(SPRN_LPID, 0); mtspr(SPRN_HFSCR, system_registers.hfscr); + mtspr(SPRN_PCR, 0); } mtspr(SPRN_FSCR, system_registers.fscr);

7 years, 5 months

1
0
0 0

[PATCH v3 07/16] mtd: rawnand: qcom: wait for desc completion in all BAM channels

by Abhishek Sahu

The BAM has 3 channels - tx, rx and command. command channel is used for register read/writes, tx channel for data writes and rx channel for data reads. Currently, the driver assumes the transfer completion once it gets all the command descriptors completed. Sometimes, there is race condition between data channel (tx/rx) and command channel completion. In these cases, the data present in buffer is not valid during small window between command descriptor completion and data descriptor completion. This patch generates NAND transfer completion when both (Data and Command) DMA channels have completed all its DMA descriptors. It assigns completion callback in last DMA descriptors of that channel and wait for completion. Fixes: 8d6b6d7e135e ("mtd: nand: qcom: support for command descriptor formation") Cc: stable(a)vger.kernel.org Signed-off-by: Abhishek Sahu <absahu(a)codeaurora.org> --- * Changes from v2: 1. Changed commit message and comments slightly 2. Renamed wait_second_completion from first_chan_done and set it before submit desc 3. Mark for stable tree * Changes from v1: NONE drivers/mtd/nand/raw/qcom_nandc.c | 53 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/qcom_nandc.c b/drivers/mtd/nand/raw/qcom_nandc.c index 7377923..7f85ef8 100644 --- a/drivers/mtd/nand/raw/qcom_nandc.c +++ b/drivers/mtd/nand/raw/qcom_nandc.c @@ -213,6 +213,8 @@ #define QPIC_PER_CW_CMD_SGL 32 #define QPIC_PER_CW_DATA_SGL 8 +#define QPIC_NAND_COMPLETION_TIMEOUT msecs_to_jiffies(2000) + /* * Flags used in DMA descriptor preparation helper functions * (i.e. read_reg_dma/write_reg_dma/read_data_dma/write_data_dma) @@ -245,6 +247,11 @@ * @tx_sgl_start - start index in data sgl for tx. * @rx_sgl_pos - current index in data sgl for rx. * @rx_sgl_start - start index in data sgl for rx. + * @wait_second_completion - wait for second DMA desc completion before making + * the NAND transfer completion. + * @txn_done - completion for NAND transfer. + * @last_data_desc - last DMA desc in data channel (tx/rx). + * @last_cmd_desc - last DMA desc in command channel. */ struct bam_transaction { struct bam_cmd_element *bam_ce; @@ -258,6 +265,10 @@ struct bam_transaction { u32 tx_sgl_start; u32 rx_sgl_pos; u32 rx_sgl_start; + bool wait_second_completion; + struct completion txn_done; + struct dma_async_tx_descriptor *last_data_desc; + struct dma_async_tx_descriptor *last_cmd_desc; }; /* @@ -504,6 +515,8 @@ static void free_bam_transaction(struct qcom_nand_controller *nandc) bam_txn->data_sgl = bam_txn_buf; + init_completion(&bam_txn->txn_done); + return bam_txn; } @@ -523,11 +536,33 @@ static void clear_bam_transaction(struct qcom_nand_controller *nandc) bam_txn->tx_sgl_start = 0; bam_txn->rx_sgl_pos = 0; bam_txn->rx_sgl_start = 0; + bam_txn->last_data_desc = NULL; + bam_txn->wait_second_completion = false; sg_init_table(bam_txn->cmd_sgl, nandc->max_cwperpage * QPIC_PER_CW_CMD_SGL); sg_init_table(bam_txn->data_sgl, nandc->max_cwperpage * QPIC_PER_CW_DATA_SGL); + + reinit_completion(&bam_txn->txn_done); +} + +/* Callback for DMA descriptor completion */ +static void qpic_bam_dma_done(void *data) +{ + struct bam_transaction *bam_txn = data; + + /* + * In case of data transfer with NAND, 2 callbacks will be generated. + * One for command channel and another one for data channel. + * If current transaction has data descriptors + * (i.e. wait_second_completion is true), then set this to false + * and wait for second DMA descriptor completion. + */ + if (bam_txn->wait_second_completion) + bam_txn->wait_second_completion = false; + else + complete(&bam_txn->txn_done); } static inline struct qcom_nand_host *to_qcom_nand_host(struct nand_chip *chip) @@ -756,6 +791,12 @@ static int prepare_bam_async_desc(struct qcom_nand_controller *nandc, desc->dma_desc = dma_desc; + /* update last data/command descriptor */ + if (chan == nandc->cmd_chan) + bam_txn->last_cmd_desc = dma_desc; + else + bam_txn->last_data_desc = dma_desc; + list_add_tail(&desc->node, &nandc->desc_list); return 0; @@ -1273,10 +1314,20 @@ static int submit_descs(struct qcom_nand_controller *nandc) cookie = dmaengine_submit(desc->dma_desc); if (nandc->props->is_bam) { + bam_txn->last_cmd_desc->callback = qpic_bam_dma_done; + bam_txn->last_cmd_desc->callback_param = bam_txn; + if (bam_txn->last_data_desc) { + bam_txn->last_data_desc->callback = qpic_bam_dma_done; + bam_txn->last_data_desc->callback_param = bam_txn; + bam_txn->wait_second_completion = true; + } + dma_async_issue_pending(nandc->tx_chan); dma_async_issue_pending(nandc->rx_chan); + dma_async_issue_pending(nandc->cmd_chan); - if (dma_sync_wait(nandc->cmd_chan, cookie) != DMA_COMPLETE) + if (!wait_for_completion_timeout(&bam_txn->txn_done, + QPIC_NAND_COMPLETION_TIMEOUT)) return -ETIMEDOUT; } else { if (dma_sync_wait(nandc->chan, cookie) != DMA_COMPLETE) -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation

7 years, 5 months

2
1
0 0

Linux 4.4.133

by Greg KH

I'm announcing the release of the 4.4.133 kernel. All users of the 4.4 kernel series must upgrade. The updated 4.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/alpha/include/asm/futex.h | 26 -- arch/arc/include/asm/futex.h | 40 ---- arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 arch/arm/include/asm/assembler.h | 10 + arch/arm/include/asm/futex.h | 26 -- arch/arm/kernel/traps.c | 5 arch/arm/lib/getuser.S | 10 + arch/arm/probes/kprobes/opt-arm.c | 4 arch/arm64/Kconfig | 14 + arch/arm64/include/asm/assembler.h | 60 ++++++ arch/arm64/include/asm/cputype.h | 11 + arch/arm64/include/asm/futex.h | 26 -- arch/arm64/mm/proc.S | 5 arch/frv/include/asm/futex.h | 3 arch/frv/kernel/futex.c | 27 -- arch/hexagon/include/asm/futex.h | 38 ---- arch/ia64/include/asm/futex.h | 25 -- arch/microblaze/include/asm/futex.h | 38 ---- arch/mips/include/asm/futex.h | 25 -- arch/parisc/include/asm/futex.h | 25 -- arch/powerpc/include/asm/firmware.h | 5 arch/powerpc/include/asm/futex.h | 26 -- arch/powerpc/kernel/setup-common.c | 11 - arch/powerpc/platforms/powernv/eeh-powernv.c | 4 arch/powerpc/platforms/powernv/idle.c | 2 arch/powerpc/platforms/powernv/opal-nvram.c | 14 + arch/powerpc/platforms/powernv/opal-xscom.c | 2 arch/powerpc/platforms/powernv/opal.c | 36 +-- arch/powerpc/platforms/powernv/pci-ioda.c | 2 arch/powerpc/platforms/powernv/setup.c | 12 - arch/powerpc/platforms/powernv/smp.c | 74 +++----- arch/s390/include/asm/alternative-asm.h | 108 +++++++++++ arch/s390/include/asm/futex.h | 23 -- arch/s390/include/asm/nospec-insn.h | 182 +++++++++++++++++++ arch/s390/kernel/Makefile | 1 arch/s390/kernel/base.S | 24 +- arch/s390/kernel/entry.S | 105 ++--------- arch/s390/kernel/irq.c | 5 arch/s390/kernel/nospec-branch.c | 43 ++-- arch/s390/kernel/nospec-sysfs.c | 21 ++ arch/s390/kernel/perf_cpum_sf.c | 4 arch/s390/kernel/reipl.S | 5 arch/s390/kernel/swsusp.S | 10 - arch/s390/lib/mem.S | 9 arch/s390/net/bpf_jit.S | 16 + arch/s390/net/bpf_jit_comp.c | 63 ++++++ arch/sh/include/asm/futex.h | 26 -- arch/sparc/include/asm/futex_64.h | 26 -- arch/tile/include/asm/futex.h | 40 ---- arch/x86/boot/compressed/eboot.c | 6 arch/x86/include/asm/futex.h | 40 ---- arch/x86/kernel/machine_kexec_32.c | 6 arch/x86/kernel/machine_kexec_64.c | 4 arch/x86/xen/mmu.c | 4 arch/xtensa/include/asm/futex.h | 27 -- drivers/cpufreq/intel_pstate.c | 34 ++- drivers/cpufreq/powernv-cpufreq.c | 2 drivers/cpuidle/coupled.c | 1 drivers/cpuidle/cpuidle-powernv.c | 2 drivers/gpio/gpio-rcar.c | 46 +++++ drivers/net/bonding/bond_alb.c | 2 drivers/net/ethernet/broadcom/tg3.c | 9 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 + drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 drivers/net/ethernet/realtek/8139too.c | 2 drivers/net/ethernet/realtek/r8169.c | 3 drivers/net/ethernet/sun/niu.c | 5 drivers/net/usb/qmi_wwan.c | 12 + drivers/s390/cio/qdio_setup.c | 12 - drivers/s390/scsi/zfcp_dbf.c | 23 ++ drivers/s390/scsi/zfcp_ext.h | 5 drivers/s390/scsi/zfcp_scsi.c | 14 - drivers/scsi/libsas/sas_scsi_host.c | 33 +-- drivers/scsi/sg.c | 2 drivers/spi/spi-pxa2xx.h | 2 drivers/usb/usbip/stub.h | 2 drivers/usb/usbip/stub_dev.c | 43 ++-- drivers/usb/usbip/stub_main.c | 105 ++++++++++- fs/btrfs/ctree.c | 6 fs/btrfs/tree-log.c | 7 fs/btrfs/volumes.c | 9 fs/ext2/inode.c | 10 - fs/hfsplus/super.c | 1 fs/lockd/svc.c | 2 fs/pipe.c | 3 fs/proc/base.c | 55 +++++- fs/proc/meminfo.c | 5 include/asm-generic/futex.h | 50 ----- include/linux/dmaengine.h | 20 ++ include/linux/efi.h | 8 include/linux/signal.h | 17 + include/linux/timekeeper_internal.h | 4 include/trace/events/xen.h | 16 - include/uapi/linux/nl80211.h | 2 kernel/auditsc.c | 7 kernel/exit.c | 4 kernel/futex.c | 44 ++++ kernel/signal.c | 7 kernel/time/tick-broadcast.c | 8 kernel/time/timekeeping.c | 20 +- mm/Kconfig | 1 mm/filemap.c | 90 ++++++--- mm/util.c | 16 + mm/vmscan.c | 12 - net/bridge/br_if.c | 4 net/compat.c | 6 net/core/sock.c | 2 net/dccp/ccids/ccid2.c | 14 + net/dccp/timer.c | 2 net/ipv4/ip_output.c | 3 net/ipv4/ping.c | 7 net/ipv4/tcp.c | 2 net/ipv4/tcp_output.c | 7 net/ipv4/udp.c | 7 net/ipv6/ip6_output.c | 3 net/l2tp/l2tp_netlink.c | 2 net/llc/af_llc.c | 3 net/openvswitch/flow_netlink.c | 9 net/packet/af_packet.c | 4 net/sched/sch_fq.c | 37 ++-- net/sctp/associola.c | 30 +++ net/sctp/inqueue.c | 2 net/sctp/ipv6.c | 3 net/sctp/sm_statefuns.c | 89 +++++---- net/wireless/core.c | 3 net/xfrm/xfrm_state.c | 1 sound/core/control_compat.c | 3 sound/core/timer.c | 220 +++++++++++------------- sound/pci/hda/hda_intel.c | 2 sound/usb/mixer.c | 8 131 files changed, 1583 insertions(+), 1103 deletions(-) Al Viro (1): ext2: fix a block leak Alexander Potapenko (1): scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() Anand Jain (1): btrfs: fix crash when trying to resume balance without the resume flag Anders Roxell (1): cpuidle: coupled: remove unused define cpuidle_coupled_lock Andrey Ignatov (1): ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Andy Shevchenko (1): spi: pxa2xx: Allow 64-bit DMA Antony Antony (1): xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) Ard Biesheuvel (2): arm64: introduce mov_q macro to move a constant into a 64-bit register efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode Benjamin Herrenschmidt (1): powerpc: Don't preempt_disable() in show_cpuinfo() Bjørn Mork (1): qmi_wwan: do not steal interfaces from class drivers Debabrata Banerjee (1): bonding: do not allow rlb updates to invalid mac Dexuan Cui (1): tick/broadcast: Use for_each_cpu() specially on UP kernels Eric Dumazet (5): dccp: fix tasklet usage llc: better deal with too small mtu net_sched: fq: take care of throttled flows before reuse sock_diag: fix use-after-free read in __sk_free tcp: purge write queue in tcp_connect_init() Federico Cuello (1): ALSA: usb: mixer: volume quirk for CM102-A+/102S+ Filipe Manana (1): Btrfs: fix xattr loss after power failure Geert Uytterhoeven (1): gpio: rcar: Add Runtime PM handling for interrupts Greg Kroah-Hartman (2): Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap" Linux 4.4.133 Hangbin Liu (1): bridge: check iface upper dev when setting master via ioctl Hans de Goede (1): ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist Heiner Kallweit (1): r8169: fix powering up RTL8168h Hendrik Brueckner (1): s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero Ingo Molnar (1): 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() James Chapman (1): l2tp: revert "l2tp: fix missing print session offset info" Janis Danisevskis (1): procfs: fix pthread cross-thread naming if !PR_DUMPABLE Jason Yan (1): scsi: libsas: defer ata device eh commands to libata Jens Remus (1): scsi: zfcp: fix infinite iteration on ERP ready list Jiri Slaby (2): futex: Remove duplicated code and fix undefined behaviour futex: futex_wake_op, fix sign_extend32 sign bits Johannes Berg (1): cfg80211: limit wiphy names to 128 bytes Johannes Weiner (1): proc: meminfo: estimate available memory more conservatively John Stultz (1): time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting Julian Wiedmann (2): s390/qdio: fix access to uninitialized qdio_q fields s390/qdio: don't release memory in qdio_setup_irq() Lance Richardson (1): net: support compat 64-bit time in {s,g}etsockopt Liu Bo (1): btrfs: fix reading stale metadata blocks after degraded raid1 mounts Martin Schwidefsky (8): s390: remove indirect branch from do_softirq_own_stack s390: add assembler macros for CPU alternatives s390: move expoline assembler macros to a header s390/lib: use expoline for indirect branches s390/kernel: use expoline for indirect branches s390: move spectre sysfs attribute code s390: extend expoline to BC instructions s390: use expoline thunks in the BPF JIT Masami Hiramatsu (4): ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed ARM: 8770/1: kprobes: Prohibit probing on optimized_callback ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions Mateusz Guzik (1): proc read mm's {arg,env}_{start,end} with mmap semaphore taken. Mel Gorman (3): futex: Remove unnecessary warning from get_futex_key mm: filemap: remove redundant code in do_read_cache_page mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to complete during a read Michael Chan (1): tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). Michael Kerrisk (man-pages) (1): pipe: cap initial pipe capacity according to pipe-max-size limit Moshe Shemesh (1): net/mlx4_en: Verify coalescing parameters are in range Nicholas Piggin (1): powerpc/powernv: Fix NVRAM sleep in invalid context when crashing Pavel Tatashin (1): mm: don't allow deferred pages with NEED_PER_CPU_KM Richard Guy Briggs (1): audit: move calcs after alloc and check when logging set loginuid Rob Taglang (1): net: ethernet: sun: niu set correct packet size in skb Shuah Khan (1): usbip: usbip_host: refine probe and disconnect debug msgs to be useful Shuah Khan (Samsung OSG) (4): usbip: usbip_host: delete device from busid_table after rebind usbip: usbip_host: run rebind from exit when module is removed usbip: usbip_host: fix NULL-ptr deref and use-after-free errors usbip: usbip_host: fix bad unlock balance during stub_probe() Srinivas Pandruvada (1): cpufreq: intel_pstate: Enable HWP by default Stefano Brivio (1): openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found Steven Rostedt (VMware) (1): tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all} Stewart Smith (3): powerpc/powernv: panic() on OPAL < V3 powerpc/powernv: Remove OPALv2 firmware define and references powerpc/powernv: remove FW_FEATURE_OPALv3 and just use FW_FEATURE_OPAL Suzuki K Poulose (1): arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Takashi Iwai (1): ALSA: timer: Call notifier in the same spinlock Tetsuo Handa (2): hfsplus: stop workqueue when fill_super() failed x86/kexec: Avoid double free_page() upon do_kexec_load() failure Vasily Averin (1): lockd: lost rollback of set_grace_period() in lockd_down_net() Vinod Koul (1): dmaengine: ensure dmaengine helpers check valid callback Vladimir Davydov (1): vmscan: do not force-scan file lru if its absolute size is small Waiman Long (1): signals: avoid unnecessary taking of sighand->siglock Wenwen Wang (1): ALSA: control: fix a redundant-copy issue Willem de Bruijn (2): net: test tailroom before appending to linear skb packet: in packet_snd start writing at link layer allocation Xin Long (4): sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr sctp: use the old asoc when making the cookie-ack chunk in dupcook_d sctp: fix the issue that the cookie-ack with auth can't get processed sctp: delay the authentication for the duplicated cookie-echo chunk Yuchung Cheng (1): tcp: ignore Fast Open on repair mode zhongjiang (1): kernel/exit.c: avoid undefined behaviour when calling wait4()

7 years, 5 months

1
1
0 0

[PATCH stable 4.14 00/23] powerpc backports for 4.14

by Michael Ellerman

Hi Greg, Please queue up this series of patches for 4.14 if you have no objections. cheers Mauricio Faria de Oliveira (4): powerpc/rfi-flush: Differentiate enabled and patched flush types powerpc/pseries: Fix clearing of security feature flags powerpc: Move default security feature flags powerpc/pseries: Restore default security feature flags on setup Michael Ellerman (17): powerpc/pseries: Support firmware disable of RFI flush powerpc/powernv: Support firmware disable of RFI flush powerpc/rfi-flush: Move the logic to avoid a redo into the debugfs code powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again powerpc/rfi-flush: Always enable fallback flush on pseries powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags powerpc: Add security feature flags for Spectre/Meltdown powerpc/pseries: Set or clear security feature flags powerpc/powernv: Set or clear security feature flags powerpc/64s: Move cpu_show_meltdown() powerpc/64s: Enhance the information in cpu_show_meltdown() powerpc/powernv: Use the security flags in pnv_setup_rfi_flush() powerpc/pseries: Use the security flags in pseries_setup_rfi_flush() powerpc/64s: Wire up cpu_show_spectre_v1() powerpc/64s: Wire up cpu_show_spectre_v2() powerpc/64s: Fix section mismatch warnings from setup_rfi_flush() Nicholas Piggin (2): powerpc/64s: Improve RFI L1-D cache flush fallback powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit arch/powerpc/include/asm/exception-64s.h | 29 ++++ arch/powerpc/include/asm/feature-fixups.h | 19 +++ arch/powerpc/include/asm/hvcall.h | 3 + arch/powerpc/include/asm/paca.h | 3 +- arch/powerpc/include/asm/security_features.h | 85 ++++++++++ arch/powerpc/include/asm/setup.h | 2 +- arch/powerpc/kernel/Makefile | 2 +- arch/powerpc/kernel/asm-offsets.c | 3 +- arch/powerpc/kernel/exceptions-64s.S | 95 ++++++----- arch/powerpc/kernel/security.c | 237 +++++++++++++++++++++++++++ arch/powerpc/kernel/setup_64.c | 48 ++---- arch/powerpc/kernel/vmlinux.lds.S | 14 ++ arch/powerpc/lib/feature-fixups.c | 124 +++++++++++++- arch/powerpc/platforms/powernv/setup.c | 92 ++++++++--- arch/powerpc/platforms/pseries/mobility.c | 3 + arch/powerpc/platforms/pseries/pseries.h | 2 + arch/powerpc/platforms/pseries/setup.c | 81 +++++++-- arch/powerpc/xmon/xmon.c | 2 + 18 files changed, 721 insertions(+), 123 deletions(-) create mode 100644 arch/powerpc/include/asm/security_features.h create mode 100644 arch/powerpc/kernel/security.c -- 2.14.1

7 years, 5 months

2
26
0 0

[git:media_tree/master] media: vsp1: Release buffers for each video node

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: vsp1: Release buffers for each video node Author: Kieran Bingham <kieran.bingham+renesas(a)ideasonboard.com> Date: Fri May 18 16:41:54 2018 -0400 Commit 372b2b0399fc ("media: v4l: vsp1: Release buffers in start_streaming error path") introduced a helper to clean up buffers on error paths, but inadvertently changed the code such that only the output WPF buffers were cleaned, rather than the video node being operated on. Since then vsp1_video_cleanup_pipeline() has grown to perform both video node cleanup, as well as pipeline cleanup. Split the implementation into two distinct functions that perform the required work, so that each video node can release its buffers correctly on streamoff. The pipe cleanup that was performed in the vsp1_video_stop_streaming() (releasing the pipe->dl) is moved to the function for clarity. Fixes: 372b2b0399fc ("media: v4l: vsp1: Release buffers in start_streaming error path") Cc: stable(a)vger.kernel.org # v4.14+ Signed-off-by: Kieran Bingham <kieran.bingham+renesas(a)ideasonboard.com> Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> drivers/media/platform/vsp1/vsp1_video.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) --- diff --git a/drivers/media/platform/vsp1/vsp1_video.c b/drivers/media/platform/vsp1/vsp1_video.c index c8c12223a267..ba89dd176a13 100644 --- a/drivers/media/platform/vsp1/vsp1_video.c +++ b/drivers/media/platform/vsp1/vsp1_video.c @@ -842,9 +842,8 @@ static int vsp1_video_setup_pipeline(struct vsp1_pipeline *pipe) return 0; } -static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe) +static void vsp1_video_release_buffers(struct vsp1_video *video) { - struct vsp1_video *video = pipe->output->video; struct vsp1_vb2_buffer *buffer; unsigned long flags; @@ -854,12 +853,18 @@ static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe) vb2_buffer_done(&buffer->buf.vb2_buf, VB2_BUF_STATE_ERROR); INIT_LIST_HEAD(&video->irqqueue); spin_unlock_irqrestore(&video->irqlock, flags); +} + +static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe) +{ + lockdep_assert_held(&pipe->lock); /* Release our partition table allocation */ - mutex_lock(&pipe->lock); kfree(pipe->part_table); pipe->part_table = NULL; - mutex_unlock(&pipe->lock); + + vsp1_dl_list_put(pipe->dl); + pipe->dl = NULL; } static int vsp1_video_start_streaming(struct vb2_queue *vq, unsigned int count) @@ -874,8 +879,9 @@ static int vsp1_video_start_streaming(struct vb2_queue *vq, unsigned int count) if (pipe->stream_count == pipe->num_inputs) { ret = vsp1_video_setup_pipeline(pipe); if (ret < 0) { - mutex_unlock(&pipe->lock); + vsp1_video_release_buffers(video); vsp1_video_cleanup_pipeline(pipe); + mutex_unlock(&pipe->lock); return ret; } @@ -925,13 +931,12 @@ static void vsp1_video_stop_streaming(struct vb2_queue *vq) if (ret == -ETIMEDOUT) dev_err(video->vsp1->dev, "pipeline stop timeout\n"); - vsp1_dl_list_put(pipe->dl); - pipe->dl = NULL; + vsp1_video_cleanup_pipeline(pipe); } mutex_unlock(&pipe->lock); media_pipeline_stop(&video->video.entity); - vsp1_video_cleanup_pipeline(pipe); + vsp1_video_release_buffers(video); vsp1_video_pipeline_put(pipe); }

7 years, 5 months

1
0
0 0

[patch 16/16] kasan: fix memory hotplug during boot

by akpm＠linux-foundation.org

From: David Hildenbrand <david(a)redhat.com> Subject: kasan: fix memory hotplug during boot Using module_init() is wrong. E.g. ACPI adds and onlines memory before our memory notifier gets registered. This makes sure that ACPI memory detected during boot up will not result in a kernel crash. Easily reproducible with QEMU, just specify a DIMM when starting up. Link: http://lkml.kernel.org/r/20180522100756.18478-3-david@redhat.com Fixes: 786a8959912e ("kasan: disable memory hotplug") Signed-off-by: David Hildenbrand <david(a)redhat.com> Acked-by: Andrey Ryabinin <aryabinin(a)virtuozzo.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/kasan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN mm/kasan/kasan.c~kasan-fix-memory-hotplug-during-boot mm/kasan/kasan.c --- a/mm/kasan/kasan.c~kasan-fix-memory-hotplug-during-boot +++ a/mm/kasan/kasan.c @@ -898,5 +898,5 @@ static int __init kasan_memhotplug_init( return 0; } -module_init(kasan_memhotplug_init); +core_initcall(kasan_memhotplug_init); #endif _

7 years, 5 months

1
0
0 0

[patch 15/16] kasan: free allocated shadow memory on MEM_CANCEL_ONLINE

by akpm＠linux-foundation.org

From: David Hildenbrand <david(a)redhat.com> Subject: kasan: free allocated shadow memory on MEM_CANCEL_ONLINE We have to free memory again when we cancel onlining, otherwise a later onlining attempt will fail. Link: http://lkml.kernel.org/r/20180522100756.18478-2-david@redhat.com Fixes: fa69b5989bb0 ("mm/kasan: add support for memory hotplug") Signed-off-by: David Hildenbrand <david(a)redhat.com> Acked-by: Andrey Ryabinin <aryabinin(a)virtuozzo.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/kasan.c | 1 + 1 file changed, 1 insertion(+) diff -puN mm/kasan/kasan.c~kasan-free-allocated-shadow-memory-on-mem_cancel_online mm/kasan/kasan.c --- a/mm/kasan/kasan.c~kasan-free-allocated-shadow-memory-on-mem_cancel_online +++ a/mm/kasan/kasan.c @@ -866,6 +866,7 @@ static int __meminit kasan_mem_notifier( kmemleak_ignore(ret); return NOTIFY_OK; } + case MEM_CANCEL_ONLINE: case MEM_OFFLINE: { struct vm_struct *vm; _

7 years, 5 months

1
0
0 0

[patch 12/16] kernel/sys.c: fix potential Spectre v1 issue

by akpm＠linux-foundation.org

From: "Gustavo A. R. Silva" <gustavo(a)embeddedor.com> Subject: kernel/sys.c: fix potential Spectre v1 issue `resource' can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) Fix this by sanitizing *resource* before using it to index current->signal->rlim Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.com Signed-off-by: Gustavo A. R. Silva <gustavo(a)embeddedor.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/sys.c | 5 +++++ 1 file changed, 5 insertions(+) diff -puN kernel/sys.c~kernel-sys-fix-potential-spectre-v1 kernel/sys.c --- a/kernel/sys.c~kernel-sys-fix-potential-spectre-v1 +++ a/kernel/sys.c @@ -71,6 +71,9 @@ #include <asm/io.h> #include <asm/unistd.h> +/* Hardening for Spectre-v1 */ +#include <linux/nospec.h> + #include "uid16.h" #ifndef SET_UNALIGN_CTL @@ -1453,6 +1456,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned if (resource >= RLIM_NLIMITS) return -EINVAL; + resource = array_index_nospec(resource, RLIM_NLIMITS); task_lock(current->group_leader); x = current->signal->rlim[resource]; task_unlock(current->group_leader); @@ -1472,6 +1476,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, un if (resource >= RLIM_NLIMITS) return -EINVAL; + resource = array_index_nospec(resource, RLIM_NLIMITS); task_lock(current->group_leader); r = current->signal->rlim[resource]; task_unlock(current->group_leader); _

7 years, 5 months

1
0
0 0

[patch 07/16] mm/kasan: don't vfree() nonexistent vm_area

by akpm＠linux-foundation.org

From: Andrey Ryabinin <aryabinin(a)virtuozzo.com> Subject: mm/kasan: don't vfree() nonexistent vm_area KASAN uses different routines to map shadow for hot added memory and memory obtained in boot process. Attempt to offline memory onlined by normal boot process leads to this: Trying to vfree() nonexistent vm area (000000005d3b34b9) WARNING: CPU: 2 PID: 13215 at mm/vmalloc.c:1525 __vunmap+0x147/0x190 Call Trace: kasan_mem_notifier+0xad/0xb9 notifier_call_chain+0x166/0x260 __blocking_notifier_call_chain+0xdb/0x140 __offline_pages+0x96a/0xb10 memory_subsys_offline+0x76/0xc0 device_offline+0xb8/0x120 store_mem_state+0xfa/0x120 kernfs_fop_write+0x1d5/0x320 __vfs_write+0xd4/0x530 vfs_write+0x105/0x340 SyS_write+0xb0/0x140 Obviously we can't call vfree() to free memory that wasn't allocated via vmalloc(). Use find_vm_area() to see if we can call vfree(). Unfortunately it's a bit tricky to properly unmap and free shadow allocated during boot, so we'll have to keep it. If memory will come online again that shadow will be reused. Matthew asked: how can you call vfree() on something that isn't a vmalloc address? vfree() is able to free any address returned by __vmalloc_node_range(). And __vmalloc_node_range() gives you any address you ask. It doesn't have to be an address in [VMALLOC_START, VMALLOC_END] range. That's also how the module_alloc()/module_memfree() works on architectures that have designated area for modules. [aryabinin(a)virtuozzo.com: improve comments] Link: http://lkml.kernel.org/r/dabee6ab-3a7a-51cd-3b86-5468718e0390@virtuozzo.com [akpm(a)linux-foundation.org: fix typos, reflow comment] Link: http://lkml.kernel.org/r/20180201163349.8700-1-aryabinin@virtuozzo.com Fixes: fa69b5989bb0 ("mm/kasan: add support for memory hotplug") Signed-off-by: Andrey Ryabinin <aryabinin(a)virtuozzo.com> Reported-by: Paul Menzel <pmenzel+linux-kasan-dev(a)molgen.mpg.de> Cc: Alexander Potapenko <glider(a)google.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/kasan.c | 63 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 61 insertions(+), 2 deletions(-) diff -puN mm/kasan/kasan.c~mm-kasan-dont-vfree-nonexistent-vm_area mm/kasan/kasan.c --- a/mm/kasan/kasan.c~mm-kasan-dont-vfree-nonexistent-vm_area +++ a/mm/kasan/kasan.c @@ -792,6 +792,40 @@ DEFINE_ASAN_SET_SHADOW(f5); DEFINE_ASAN_SET_SHADOW(f8); #ifdef CONFIG_MEMORY_HOTPLUG +static bool shadow_mapped(unsigned long addr) +{ + pgd_t *pgd = pgd_offset_k(addr); + p4d_t *p4d; + pud_t *pud; + pmd_t *pmd; + pte_t *pte; + + if (pgd_none(*pgd)) + return false; + p4d = p4d_offset(pgd, addr); + if (p4d_none(*p4d)) + return false; + pud = pud_offset(p4d, addr); + if (pud_none(*pud)) + return false; + + /* + * We can't use pud_large() or pud_huge(), the first one is + * arch-specific, the last one depends on HUGETLB_PAGE. So let's abuse + * pud_bad(), if pud is bad then it's bad because it's huge. + */ + if (pud_bad(*pud)) + return true; + pmd = pmd_offset(pud, addr); + if (pmd_none(*pmd)) + return false; + + if (pmd_bad(*pmd)) + return true; + pte = pte_offset_kernel(pmd, addr); + return !pte_none(*pte); +} + static int __meminit kasan_mem_notifier(struct notifier_block *nb, unsigned long action, void *data) { @@ -813,6 +847,14 @@ static int __meminit kasan_mem_notifier( case MEM_GOING_ONLINE: { void *ret; + /* + * If shadow is mapped already than it must have been mapped + * during the boot. This could happen if we onlining previously + * offlined memory. + */ + if (shadow_mapped(shadow_start)) + return NOTIFY_OK; + ret = __vmalloc_node_range(shadow_size, PAGE_SIZE, shadow_start, shadow_end, GFP_KERNEL, PAGE_KERNEL, VM_NO_GUARD, @@ -824,8 +866,25 @@ static int __meminit kasan_mem_notifier( kmemleak_ignore(ret); return NOTIFY_OK; } - case MEM_OFFLINE: - vfree((void *)shadow_start); + case MEM_OFFLINE: { + struct vm_struct *vm; + + /* + * shadow_start was either mapped during boot by kasan_init() + * or during memory online by __vmalloc_node_range(). + * In the latter case we can use vfree() to free shadow. + * Non-NULL result of the find_vm_area() will tell us if + * that was the second case. + * + * Currently it's not possible to free shadow mapped + * during boot by kasan_init(). It's because the code + * to do that hasn't been written yet. So we'll just + * leak the memory. + */ + vm = find_vm_area((void *)shadow_start); + if (vm) + vfree((void *)shadow_start); + } } return NOTIFY_OK; _

7 years, 5 months

1
0
0 0

[patch 05/16] ipc/shm: fix shmat() nil address after round-down when remapping

by akpm＠linux-foundation.org

From: Davidlohr Bueso <dave(a)stgolabs.net> Subject: ipc/shm: fix shmat() nil address after round-down when remapping shmat()'s SHM_REMAP option forbids passing a nil address for; this is in fact the very first thing we check for. Andrea reported that for SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check, but we need to check again if the address was rounded down to nil. As of this patch, such cases will return -EINVAL. Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805 Signed-off-by: Davidlohr Bueso <dbueso(a)suse.de> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Joe Lawrence <joe.lawrence(a)redhat.com> Cc: Manfred Spraul <manfred(a)colorfullife.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- ipc/shm.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff -puN ipc/shm.c~ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping ipc/shm.c --- a/ipc/shm.c~ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping +++ a/ipc/shm.c @@ -1363,9 +1363,17 @@ long do_shmat(int shmid, char __user *sh if (addr) { if (addr & (shmlba - 1)) { - if (shmflg & SHM_RND) + if (shmflg & SHM_RND) { addr &= ~(shmlba - 1); /* round down */ - else + + /* + * Ensure that the round-down is non-nil + * when remapping. This can happen for + * cases when addr < shmlba. + */ + if (!addr && (shmflg & SHM_REMAP)) + goto out; + } else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) #endif _

7 years, 5 months

1
0
0 0

[patch 04/16] Revert "ipc/shm: Fix shmat mmap nil-page protection"

by akpm＠linux-foundation.org

From: Davidlohr Bueso <dave(a)stgolabs.net> Subject: Revert "ipc/shm: Fix shmat mmap nil-page protection" Patch series "ipc/shm: shmat() fixes around nil-page". These patches fix two issues reported[1] a while back by Joe and Andrea around how shmat(2) behaves with nil-page. The first reverts a commit that it was incorrectly thought that mapping nil-page (address=0) was a no no with MAP_FIXED. This is not the case, with the exception of SHM_REMAP; which is address in the second patch. I chose two patches because it is easier to backport and it explicitly reverts bogus behaviour. Both patches ought to be in -stable and ltp testcases need updated (the added testcase around the cve can be modified to just test for SHM_RND|SHM_REMAP). [1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805 This patch (of 2): 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") worked on the idea that we should not be mapping as root addr=0 and MAP_FIXED. However, it was reported that this scenario is in fact valid, thus making the patch both bogus and breaks userspace as well. For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem initialization[1]. [1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/… Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net Fixes: 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") Signed-off-by: Davidlohr Bueso <dbueso(a)suse.de> Reported-by: Joe Lawrence <joe.lawrence(a)redhat.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Manfred Spraul <manfred(a)colorfullife.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- ipc/shm.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff -puN ipc/shm.c~revert-ipc-shm-fix-shmat-mmap-nil-page-protection ipc/shm.c --- a/ipc/shm.c~revert-ipc-shm-fix-shmat-mmap-nil-page-protection +++ a/ipc/shm.c @@ -1363,13 +1363,8 @@ long do_shmat(int shmid, char __user *sh if (addr) { if (addr & (shmlba - 1)) { - /* - * Round down to the nearest multiple of shmlba. - * For sane do_mmap_pgoff() parameters, avoid - * round downs that trigger nil-page and MAP_FIXED. - */ - if ((shmflg & SHM_RND) && addr >= shmlba) - addr &= ~(shmlba - 1); + if (shmflg & SHM_RND) + addr &= ~(shmlba - 1); /* round down */ else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) _

7 years, 5 months

1
0
0 0

[patch 03/16] idr: fix invalid ptr dereference on item delete

by akpm＠linux-foundation.org

From: Matthew Wilcox <mawilcox(a)microsoft.com> Subject: idr: fix invalid ptr dereference on item delete If the radix tree underlying the IDR happens to be full and we attempt to remove an id which is larger than any id in the IDR, we will call __radix_tree_delete() with an uninitialised 'slot' pointer, at which point anything could happen. This was easiest to hit with a single entry at id 0 and attempting to remove a non-0 id, but it could have happened with 64 entries and attempting to remove an id >= 64. Roman said: The syzcaller test boils down to opening /dev/kvm, creating an eventfd, and calling a couple of KVM ioctls. None of this requires superuser. And the result is dereferencing an uninitialized pointer which is likely a crash. The specific path caught by syzbot is via KVM_HYPERV_EVENTD ioctl which is new in 4.17. But I guess there are other user-triggerable paths, so cc:stable is probably justified. Matthew added: We have around 250 calls to idr_remove() in the kernel today. Many of them pass an ID which is embedded in the object they're removing, so they're safe. Picking a few likely candidates: drivers/firewire/core-cdev.c looks unsafe; the ID comes from an ioctl. drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c is similar drivers/atm/nicstar.c could be taken down by a handcrafted packet Link: http://lkml.kernel.org/r/20180518175025.GD6361@bombadil.infradead.org Fixes: 0a835c4f090a ("Reimplement IDR and IDA using the radix tree") Reported-by: <syzbot+35666cba7f0a337e2e79(a)syzkaller.appspotmail.com> Debugged-by: Roman Kagan <rkagan(a)virtuozzo.com> Signed-off-by: Matthew Wilcox <mawilcox(a)microsoft.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/radix-tree.c | 4 +++- tools/testing/radix-tree/idr-test.c | 7 +++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff -puN lib/radix-tree.c~idr-fix-invalid-ptr-dereference-on-item-delete lib/radix-tree.c --- a/lib/radix-tree.c~idr-fix-invalid-ptr-dereference-on-item-delete +++ a/lib/radix-tree.c @@ -2034,10 +2034,12 @@ void *radix_tree_delete_item(struct radi unsigned long index, void *item) { struct radix_tree_node *node = NULL; - void __rcu **slot; + void __rcu **slot = NULL; void *entry; entry = __radix_tree_lookup(root, index, &node, &slot); + if (!slot) + return NULL; if (!entry && (!is_idr(root) || node_tag_get(root, node, IDR_FREE, get_slot_offset(node, slot)))) return NULL; diff -puN tools/testing/radix-tree/idr-test.c~idr-fix-invalid-ptr-dereference-on-item-delete tools/testing/radix-tree/idr-test.c --- a/tools/testing/radix-tree/idr-test.c~idr-fix-invalid-ptr-dereference-on-item-delete +++ a/tools/testing/radix-tree/idr-test.c @@ -252,6 +252,13 @@ void idr_checks(void) idr_remove(&idr, 3); idr_remove(&idr, 0); + assert(idr_alloc(&idr, DUMMY_PTR, 0, 0, GFP_KERNEL) == 0); + idr_remove(&idr, 1); + for (i = 1; i < RADIX_TREE_MAP_SIZE; i++) + assert(idr_alloc(&idr, DUMMY_PTR, 0, 0, GFP_KERNEL) == i); + idr_remove(&idr, 1 << 30); + idr_destroy(&idr); + for (i = INT_MAX - 3UL; i < INT_MAX + 1UL; i++) { struct item *item = item_create(i, 0); assert(idr_alloc(&idr, item, i, i + 10, GFP_KERNEL) == i); _

7 years, 5 months

1
0
0 0

+ mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset has been added to the -mm tree. Its filename is mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-page_alloc-do-not-break-__gfp_t… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-page_alloc-do-not-break-__gfp_t… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Vlastimil Babka <vbabka(a)suse.cz> Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for allocations that can ignore memory policies. The zonelist is obtained from current CPU's node. This is a problem for __GFP_THISNODE allocations that want to allocate on a different node, e.g. because the allocating thread has been migrated to a different CPU. This has been observed to break SLAB in our 4.4-based kernel, because there it relies on __GFP_THISNODE working as intended. If a slab page is put on wrong node's list, then further list manipulations may corrupt the list because page_to_nid() is used to determine which node's list_lock should be locked and thus we may take a wrong lock and race. Current SLAB implementation seems to be immune by luck thanks to commit 511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on arbitrary node") but there may be others assuming that __GFP_THISNODE works as promised. We can fix it by simply removing the zonelist reset completely. There is actually no reason to reset it, because memory policies and cpusets don't affect the zonelist choice in the first place. This was different when commit 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their own restricted zonelists. We might consider this for 4.17 although I don't know if there's anything currently broken. Stable backports should be more important, but will have to be reviewed carefully, as the code went through many changes. BTW I think that also the ac->preferred_zoneref reset is currently useless if we don't also reset ac->nodemask from a mempolicy to NULL first (which we probably should for the OOM victims etc?), but I would leave that for a separate patch. Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: David Rientjes <rientjes(a)google.com> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 1 - 1 file changed, 1 deletion(-) diff -puN mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset mm/page_alloc.c --- a/mm/page_alloc.c~mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset +++ a/mm/page_alloc.c @@ -4169,7 +4169,6 @@ retry: * orientated. */ if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) { - ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); ac->preferred_zoneref = first_zones_zonelist(ac->zonelist, ac->high_zoneidx, ac->nodemask); } _ Patches currently in -mm which might be from vbabka(a)suse.cz are mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch

7 years, 5 months

1
0
0 0

patch "phy: qcom-qusb2: Fix crash if nvmem cell not specified" added to usb-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled phy: qcom-qusb2: Fix crash if nvmem cell not specified to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 0b4555e776ba0712c6fafb98b226b21fd05d2427 Mon Sep 17 00:00:00 2001 From: Manu Gautam <mgautam(a)codeaurora.org> Date: Thu, 3 May 2018 02:36:10 +0530 Subject: phy: qcom-qusb2: Fix crash if nvmem cell not specified Driver currently crashes due to NULL pointer deference while updating PHY tune register if nvmem cell is NULL. Since, fused value for Tune1/2 register is optional, we'd rather bail out. Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips") Reviewed-by: Vivek Gautam <vivek.gautam(a)codeaurora.org> Reviewed-by: Evan Green <evgreen(a)chromium.org> Cc: stable <stable(a)vger.kernel.org> # 4.14+ Signed-off-by: Manu Gautam <mgautam(a)codeaurora.org> Signed-off-by: Kishon Vijay Abraham I <kishon(a)ti.com> --- drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c index 94afeac1a19e..40fdef8b5b75 100644 --- a/drivers/phy/qualcomm/phy-qcom-qusb2.c +++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c @@ -315,6 +315,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) const struct qusb2_phy_cfg *cfg = qphy->cfg; u8 *val; + /* efuse register is optional */ + if (!qphy->cell) + return; + /* * Read efuse register having TUNE2/1 parameter's high nibble. * If efuse register shows value as 0x0, or if we fail to find -- 2.17.0

7 years, 5 months

1
0
0 0

[PATCH] ext4: Forbid overflowing inode count when resizing

by Jan Kara

ext4_resize_fs() has an off-by-one bug when checking whether growing of a filesystem will not overflow inode count. As a result it allows a filesystem with 8192 inodes per group to grow to 64TB which overflows inode count to 0 and makes filesystem unusable. Fix it. CC: stable(a)vger.kernel.org Fixes: 3f8a6411fbada1fa482276591e037f3b1adcf55b Reported-by: Jaco Kroon <jaco(a)uls.co.za> Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/ext4/resize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c index b6bec270a8e4..d792b7689d92 100644 --- a/fs/ext4/resize.c +++ b/fs/ext4/resize.c @@ -1933,7 +1933,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) return 0; n_group = ext4_get_group_number(sb, n_blocks_count - 1); - if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) { + if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) { ext4_warning(sb, "resize would cause inodes_count overflow"); return -EINVAL; } -- 2.13.6

7 years, 5 months

4
4
0 0

[PATCH] usb: core: message: remove extra endianness conversion in usb_set_isoch_delay

by Ruslan Bilovol

No need to do extra endianness conversion in usb_set_isoch_delay because it is already done in usb_control_msg() Fixes: 886ee36e7205 ("usb: core: add support for USB_REQ_SET_ISOCH_DELAY") Cc: Dmytro Panchenko <dmytro.panchenko(a)globallogic.com> Cc: Felipe Balbi <felipe.balbi(a)linux.intel.com> Cc: stable <stable(a)vger.kernel.org> # v4.16+ Signed-off-by: Ruslan Bilovol <ruslan.bilovol(a)gmail.com> --- drivers/usb/core/message.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 0c11d40..7b13700 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -940,7 +940,7 @@ int usb_set_isoch_delay(struct usb_device *dev) return usb_control_msg(dev, usb_sndctrlpipe(dev, 0), USB_REQ_SET_ISOCH_DELAY, USB_DIR_OUT | USB_TYPE_STANDARD | USB_RECIP_DEVICE, - cpu_to_le16(dev->hub_delay), 0, NULL, 0, + dev->hub_delay, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); } -- 1.9.1

7 years, 5 months

1
0
0 0

patch "phy: qcom-qusb2: Fix crash if nvmem cell not specified" added to usb-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled phy: qcom-qusb2: Fix crash if nvmem cell not specified to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the usb-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 0b4555e776ba0712c6fafb98b226b21fd05d2427 Mon Sep 17 00:00:00 2001 From: Manu Gautam <mgautam(a)codeaurora.org> Date: Thu, 3 May 2018 02:36:10 +0530 Subject: phy: qcom-qusb2: Fix crash if nvmem cell not specified Driver currently crashes due to NULL pointer deference while updating PHY tune register if nvmem cell is NULL. Since, fused value for Tune1/2 register is optional, we'd rather bail out. Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips") Reviewed-by: Vivek Gautam <vivek.gautam(a)codeaurora.org> Reviewed-by: Evan Green <evgreen(a)chromium.org> Cc: stable <stable(a)vger.kernel.org> # 4.14+ Signed-off-by: Manu Gautam <mgautam(a)codeaurora.org> Signed-off-by: Kishon Vijay Abraham I <kishon(a)ti.com> --- drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c index 94afeac1a19e..40fdef8b5b75 100644 --- a/drivers/phy/qualcomm/phy-qcom-qusb2.c +++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c @@ -315,6 +315,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) const struct qusb2_phy_cfg *cfg = qphy->cfg; u8 *val; + /* efuse register is optional */ + if (!qphy->cell) + return; + /* * Read efuse register having TUNE2/1 parameter's high nibble. * If efuse register shows value as 0x0, or if we fail to find -- 2.17.0

7 years, 5 months

1
0
0 0

Linux 4.16.12

by Greg KH

I'm announcing the release of the 4.16.12 kernel. All users of the 4.16 kernel series must upgrade. The updated 4.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.16.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/powerpc/include/asm/exception-64s.h | 29 + arch/powerpc/include/asm/feature-fixups.h | 19 + arch/powerpc/include/asm/hvcall.h | 3 arch/powerpc/include/asm/security_features.h | 85 +++++ arch/powerpc/kernel/Makefile | 2 arch/powerpc/kernel/exceptions-64s.S | 19 + arch/powerpc/kernel/security.c | 237 +++++++++++++++ arch/powerpc/kernel/setup_64.c | 8 arch/powerpc/kernel/vmlinux.lds.S | 14 arch/powerpc/lib/feature-fixups.c | 115 +++++++ arch/powerpc/platforms/powernv/setup.c | 96 ++++-- arch/powerpc/platforms/pseries/setup.c | 71 +++- arch/s390/Kconfig | 3 arch/s390/Makefile | 2 arch/s390/crypto/crc32be-vx.S | 5 arch/s390/crypto/crc32le-vx.S | 4 arch/s390/include/asm/alternative-asm.h | 108 ++++++ arch/s390/include/asm/nospec-branch.h | 7 arch/s390/include/asm/nospec-insn.h | 196 ++++++++++++ arch/s390/kernel/Makefile | 5 arch/s390/kernel/alternative.c | 24 - arch/s390/kernel/asm-offsets.c | 1 arch/s390/kernel/base.S | 24 - arch/s390/kernel/entry.S | 105 +----- arch/s390/kernel/mcount.S | 14 arch/s390/kernel/module.c | 15 arch/s390/kernel/nospec-branch.c | 123 ++++++- arch/s390/kernel/nospec-sysfs.c | 21 + arch/s390/kernel/reipl.S | 7 arch/s390/kernel/setup.c | 3 arch/s390/kernel/swsusp.S | 10 arch/s390/lib/mem.S | 19 - arch/s390/net/bpf_jit.S | 16 - arch/s390/net/bpf_jit_comp.c | 63 +++- arch/sparc/kernel/vio.c | 2 arch/x86/kernel/machine_kexec_32.c | 6 arch/x86/kernel/machine_kexec_64.c | 5 drivers/block/loop.c | 71 ++-- drivers/bluetooth/btusb.c | 13 drivers/clk/clk.c | 3 drivers/clk/hisilicon/crg-hi3516cv300.c | 2 drivers/clk/meson/axg.c | 7 drivers/clk/rockchip/clk-mmc-phase.c | 23 + drivers/clk/rockchip/clk-rk3228.c | 2 drivers/clk/samsung/clk-exynos3250.c | 4 drivers/clk/samsung/clk-exynos5250.c | 8 drivers/clk/samsung/clk-exynos5260.c | 2 drivers/clk/samsung/clk-exynos5433.c | 12 drivers/clk/samsung/clk-exynos7.c | 2 drivers/clk/samsung/clk-s3c2410.c | 16 - drivers/clk/tegra/clk-pll.c | 2 drivers/crypto/atmel-aes.c | 2 drivers/crypto/ccp/ccp-debugfs.c | 7 drivers/crypto/inside-secure/safexcel.c | 12 drivers/crypto/inside-secure/safexcel_cipher.c | 2 drivers/crypto/inside-secure/safexcel_hash.c | 38 +- drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 drivers/media/common/videobuf2/videobuf2-vmalloc.c | 2 drivers/media/dvb-frontends/lgdt3306a.c | 10 drivers/media/i2c/adv748x/adv748x-hdmi.c | 3 drivers/media/i2c/ov5645.c | 5 drivers/media/pci/cx23885/cx23885-cards.c | 4 drivers/media/pci/cx23885/cx23885-core.c | 10 drivers/media/pci/cx25821/cx25821-core.c | 7 drivers/media/platform/s3c-camif/camif-capture.c | 7 drivers/media/platform/vivid/vivid-ctrls.c | 2 drivers/media/platform/vsp1/vsp1_drm.c | 9 drivers/media/usb/em28xx/em28xx-cards.c | 22 + drivers/media/usb/em28xx/em28xx.h | 2 drivers/net/dsa/bcm_sf2_cfp.c | 36 +- drivers/net/ethernet/3com/3c59x.c | 104 +++--- drivers/net/ethernet/chelsio/cxgb4/cudbg_entity.h | 28 - drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 88 +---- drivers/net/ethernet/mellanox/mlx4/main.c | 4 drivers/net/ethernet/qlogic/qed/qed_ll2.c | 61 +++ drivers/net/tun.c | 27 - drivers/net/vmxnet3/vmxnet3_drv.c | 72 +++- drivers/net/vmxnet3/vmxnet3_int.h | 8 drivers/rtc/hctosys.c | 5 drivers/rtc/rtc-goldfish.c | 2 drivers/rtc/rtc-m41t80.c | 18 - drivers/rtc/rtc-rk808.c | 14 drivers/rtc/rtc-rp5c01.c | 12 drivers/rtc/rtc-snvs.c | 15 drivers/rtc/rtc-tx4939.c | 6 drivers/s390/scsi/zfcp_dbf.c | 23 + drivers/s390/scsi/zfcp_ext.h | 5 drivers/s390/scsi/zfcp_scsi.c | 14 drivers/scsi/aacraid/commsup.c | 4 drivers/scsi/aacraid/linit.c | 1 drivers/scsi/lpfc/lpfc_attr.c | 5 drivers/scsi/lpfc/lpfc_hbadisc.c | 5 drivers/scsi/lpfc/lpfc_nportdisc.c | 15 drivers/scsi/lpfc/lpfc_nvme.c | 28 - drivers/scsi/lpfc/lpfc_nvme.h | 2 drivers/scsi/lpfc/lpfc_sli.c | 2 drivers/scsi/mvsas/mv_94xx.c | 23 - drivers/scsi/scsi_devinfo.c | 1 drivers/scsi/scsi_lib.c | 11 drivers/scsi/sg.c | 2 drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 16 - drivers/staging/ks7010/ks_hostif.c | 31 - drivers/staging/ks7010/ks_hostif.h | 1 drivers/staging/lustre/lustre/include/obd.h | 2 drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 drivers/staging/lustre/lustre/osc/osc_cache.c | 2 drivers/staging/rtl8192u/r8192U_core.c | 2 drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 54 +-- drivers/tty/serial/8250/8250_port.c | 3 drivers/tty/serial/altera_uart.c | 12 drivers/tty/serial/arc_uart.c | 5 drivers/tty/serial/fsl_lpuart.c | 4 drivers/tty/serial/imx.c | 6 drivers/tty/serial/mvebu-uart.c | 2 drivers/tty/serial/mxs-auart.c | 4 drivers/tty/serial/samsung.c | 4 drivers/tty/serial/sh-sci.c | 4 drivers/tty/serial/xilinx_uartps.c | 2 drivers/usb/dwc2/core.h | 2 drivers/usb/dwc2/hcd.c | 32 +- drivers/usb/dwc3/Makefile | 2 drivers/usb/dwc3/core.c | 13 drivers/usb/dwc3/core.h | 2 drivers/usb/gadget/composite.c | 40 +- drivers/usb/gadget/function/f_fs.c | 6 drivers/usb/gadget/udc/goku_udc.h | 2 drivers/usb/host/xhci-mem.c | 2 drivers/usb/host/xhci.c | 14 drivers/usb/usbip/Kconfig | 2 fs/ext2/inode.c | 10 fs/hfsplus/super.c | 1 include/linux/mlx5/driver.h | 12 include/linux/usb/composite.h | 3 include/scsi/scsi.h | 2 include/uapi/linux/nl80211.h | 2 net/core/dev.c | 2 net/core/sock.c | 2 net/dsa/dsa2.c | 9 net/ipv4/ip_output.c | 3 net/ipv4/tcp_output.c | 7 net/ipv6/ip6_gre.c | 281 ++++++++++++++---- net/ipv6/ip6_output.c | 3 net/packet/af_packet.c | 4 net/sched/act_vlan.c | 2 net/sched/sch_red.c | 5 net/sched/sch_tbf.c | 5 net/smc/smc_pnet.c | 71 ++-- net/wireless/core.c | 3 sound/soc/rockchip/Kconfig | 3 sound/soc/samsung/i2s.c | 13 sound/soc/samsung/odroid.c | 11 sound/soc/soc-topology.c | 3 sound/usb/quirks.c | 29 + 154 files changed, 2355 insertions(+), 845 deletions(-) Akinobu Mita (1): media: ov5645: add missing of_node_put() in error path Al Viro (1): ext2: fix a block leak Alexander Potapenko (1): scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() Alexandre Belloni (4): rtc: hctosys: Ensure system time doesn't overflow time_t rtc: rk808: fix possible race condition rtc: m41t80: fix race conditions rtc: rp5c01: fix possible race condition Amritha Nambiar (1): net: Fix a bug in removing queues from XPS map Andrzej Hajda (6): clk: samsung: s3c2410: Fix PLL rates clk: samsung: exynos7: Fix PLL rates clk: samsung: exynos5260: Fix PLL rates clk: samsung: exynos5433: Fix PLL rates clk: samsung: exynos5250: Fix PLL rates clk: samsung: exynos3250: Fix PLL rates Antoine Tenart (8): crypto: inside-secure - move the digest to the request context crypto: inside-secure - wait for the request to complete if in the backlog crypto: atmel-aes - fix the keys zeroing on errors crypto: inside-secure - do not process request if no command was issued crypto: inside-secure - fix the cache_len computation crypto: inside-secure - fix the extra cache computation crypto: inside-secure - do not overwrite the threshold value crypto: inside-secure - fix the invalidation step during cra_exit Arnd Bergmann (2): clk: hisilicon: mark wdt_mux_p[] as const media: s3c-camif: fix out-of-bounds array access Arvind Yadav (1): sparc: vio: use put_device() instead of kfree() Ben Hutchings (1): usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS Brad Love (6): media: lgdt3306a: Fix module count mismatch on usb unplug media: em28xx: USB bulk packet size fix media: cx23885: Override 888 ImpactVCBe crystal frequency media: cx23885: Set subdev host data to clk_freq pointer media: lgdt3306a: Fix a double kfree on i2c device remove media: em28xx: Add Hauppauge SoloHD/DualHD bulk models Bryan O'Donoghue (1): rtc: snvs: Fix usage of snvs_rtc_enable Chris Dickens (1): usb: gadget: composite: fix incorrect handling of OS desc requests Christoph Hellwig (1): 3c59x: convert to generic DMA API Colin Ian King (3): staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr media: cx25821: prevent out-of-bounds read on array card rtc: tx4939: avoid unintended sign extension on a 24 bit shift Dave Carroll (1): scsi: aacraid: Insure command thread is not recursively stopped Davide Caratti (1): net/sched: fix refcnt leak in the error path of tcf_vlan_init() Douglas Gilbert (1): scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD Eric Biggers (1): net/smc: check for missing nlattrs in SMC_PNETID messages Eric Dumazet (2): sock_diag: fix use-after-free read in __sk_free tcp: purge write queue in tcp_connect_init() Ezequiel Garcia (1): ASoC: rockchip: rk3288-hdmi-analog: Select needed codecs Felipe Balbi (1): usb: dwc3: Makefile: fix link error on randconfig Florian Fainelli (4): net: dsa: bcm_sf2: Fix RX_CLS_LOC_ANY overwrite for last rule net: dsa: Do not register devlink for unused ports net: dsa: bcm_sf2: Fix IPv6 rules and chain ID net: dsa: bcm_sf2: Fix IPv6 rule half deletion Gabriel Matni (1): serial: mvebu-uart: fix tx lost characters Geert Uytterhoeven (7): serial: xuartps: Fix out-of-bounds access through DT alias serial: sh-sci: Fix out-of-bounds access through DT alias serial: samsung: Fix out-of-bounds access through serial port index serial: mxs-auart: Fix out-of-bounds access through serial port index serial: imx: Fix out-of-bounds access through serial port index serial: fsl_lpuart: Fix out-of-bounds access through DT alias serial: arc_uart: Fix out-of-bounds access through DT alias Greg Kroah-Hartman (1): Linux 4.16.12 Grigor Tovmasyan (1): usb: dwc2: Fix interval type issue Hans Verkuil (1): media: vivid: fix incorrect capabilities for radio Ioana Radulescu (2): staging: fsl-dpaa2/eth: Fix incorrect kfree staging: fsl-dpaa2/eth: Fix incorrect casts James Hogan (1): rtc: goldfish: Add missing MODULE_LICENSE James Smart (6): scsi: lpfc: Fix NVME Initiator FirstBurst scsi: lpfc: Fix issue_lip if link is disabled scsi: lpfc: Fix nonrecovery of NVME controller after cable swap. scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing scsi: lpfc: Fix IO failure during hba reset testing with nvme io. scsi: lpfc: Fix frequency of Release WQE CQEs Jason Wang (2): tun: fix use after free for ptr_ring tuntap: fix use after free during release Jens Remus (1): scsi: zfcp: fix infinite iteration on ERP ready list Jerome Brunet (1): clk: meson: axg: add the fractional part of the fixed_pll Johannes Berg (1): cfg80211: limit wiphy names to 128 bytes Kieran Bingham (1): media: i2c: adv748x: fix HDMI field heights Kirill Marinushkin (1): staging: bcm2835-audio: Release resources on module_exit() Kumar Sanghvi (1): cxgb4: Correct ntuple mask validation for hash filters Larry Finger (1): Bluetooth: btusb: Add device ID for RTL8822BE Lars-Peter Clausen (2): usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS usb: gadget: ffs: Execute copy_to_user() with USER_DS set Laurent Pinchart (1): media: v4l: vsp1: Fix display stalls when requesting too many inputs Marcel Ziswiler (1): clk: tegra: Fix pll_u rate configuration Martin Schwidefsky (15): s390: move nobp parameter functions to nospec-branch.c s390: add automatic detection of the spectre defense s390: report spectre mitigation via syslog s390: add sysfs attributes for spectre s390: add assembler macros for CPU alternatives s390: correct nospec auto detection init order s390: correct module section names for expoline code revert s390: move expoline assembler macros to a header s390/crc32-vx: use expoline for indirect branches s390/lib: use expoline for indirect branches s390/ftrace: use expoline for indirect branches s390/kernel: use expoline for indirect branches s390: move spectre sysfs attribute code s390: extend expoline to BC instructions s390: use expoline thunks in the BPF JIT Masami Hiramatsu (1): media: vb2: Fix videobuf2 to map correct area Mathias Nyman (2): xhci: zero usb device slot_id member when disabling and freeing a xhci slot xhci: Show what USB release number the xHC supports from protocol capablity Mauricio Faria de Oliveira (2): powerpc/pseries: Fix clearing of security feature flags powerpc: Move default security feature flags Michael Ellerman (11): powerpc/rfi-flush: Always enable fallback flush on pseries powerpc: Add security feature flags for Spectre/Meltdown powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags powerpc/pseries: Set or clear security feature flags powerpc/powernv: Set or clear security feature flags powerpc/64s: Move cpu_show_meltdown() powerpc/64s: Enhance the information in cpu_show_meltdown() powerpc/powernv: Use the security flags in pnv_setup_rfi_flush() powerpc/pseries: Use the security flags in pseries_setup_rfi_flush() powerpc/64s: Wire up cpu_show_spectre_v1() powerpc/64s: Wire up cpu_show_spectre_v2() Michal Kalderon (3): qed: LL2 flush isles when connection is closed qed: Fix possibility of list corruption during rmmod flows qed: Fix LL2 race during connection terminate Minas Harutyunyan (2): usb: dwc2: hcd: Fix host channel halt flow usb: dwc2: host: Fix transaction errors in host mode NeilBrown (2): staging: lustre: fix bug in osc_enter_cache_try staging: lustre: lmv: correctly iput lmo_root Nicholas Piggin (1): powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit Nobutaka Okabe (1): ALSA: usb-audio: Add native DSD support for Luxman DA-06 Omar Sandoval (2): loop: don't call into filesystem while holding lo_ctl_mutex loop: fix LOOP_GET_STATUS lock imbalance Paolo Abeni (1): net: sched: red: avoid hashing NULL child Peter Robinson (1): crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss Petr Machata (7): net: ip6_gre: Request headroom in __gre6_xmit() net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit() net: ip6_gre: Split up ip6gre_tnl_link_config() net: ip6_gre: Split up ip6gre_tnl_change() net: ip6_gre: Split up ip6gre_newlink() net: ip6_gre: Split up ip6gre_changelink() net: ip6_gre: Fix ip6erspan hlen calculation Quytelda Kahja (1): staging: ks7010: Use constants from ieee80211_eid instead of literal ints. Rahul Lakkireddy (1): cxgb4: fix offset in collecting TX rate limit info Ranjani Sridharan (1): ASoC: topology: create TLV data for dapm widgets Saeed Mahameed (1): net/mlx5: Fix build break when CONFIG_SMP=n Sebastian Andrzej Siewior (1): crypto: ccp - don't disable interrupts while setting up debugfs Shawn Lin (3): clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228 clk: Don't show the incorrect clock phase clk: rockchip: Prevent calculating mmc phase if clock rate is zero Sylwester Nawrocki (2): ASoC: samsung: odroid: Fix 32000 sample rate handling ASoC: samsung: i2s: Ensure the RCLK rate is properly determined Tarick Bedeir (1): net/mlx4_core: Fix error handling in mlx4_init_port_info. Tedd Ho-Jeong An (1): Bluetooth: btusb: Add support for Intel Bluetooth device 22560 [8087:0026] Tetsuo Handa (2): hfsplus: stop workqueue when fill_super() failed x86/kexec: Avoid double free_page() upon do_kexec_load() failure Thinh Nguyen (2): usb: dwc3: Add SoftReset PHY synchonization delay usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields Uwe Kleine-König (1): serial: altera: ensure port->regshift is honored consistently Vicente Bergas (1): Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB Vignesh R (1): serial: 8250: Don't service RX FIFO if interrupts are disabled Wilfried Weissmann (1): scsi: mvsas: fix wrong endianness of sgpio api Willem de Bruijn (2): net: test tailroom before appending to linear skb packet: in packet_snd start writing at link layer allocation William Tu (1): net: ip6_gre: fix tunnel metadata device sharing. Wolfram Sang (1): usb: gadget: udc: change comparison to bitshift when dealing with a mask Xose Vazquez Perez (1): scsi: devinfo: add HP DISK-SUBSYSTEM device, for HP XP arrays Yixun Lan (1): clk: meson: axg: fix the od shift of the sys_pll hpreg(a)vmware.com (2): vmxnet3: set the DMA mask before the first DMA map operation vmxnet3: use DMA memory barriers where required

7 years, 5 months

1
1
0 0

Linux 4.14.44

by Greg KH

I'm announcing the release of the 4.14.44 kernel. All users of the 4.14 kernel series must upgrade. The updated 4.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.14.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/imx7d-sdb.dts | 2 arch/s390/crypto/crc32be-vx.S | 5 arch/s390/crypto/crc32le-vx.S | 4 arch/s390/include/asm/alternative-asm.h | 108 ++++++ arch/s390/include/asm/nospec-insn.h | 195 +++++++++++ arch/s390/kernel/Makefile | 1 arch/s390/kernel/asm-offsets.c | 1 arch/s390/kernel/base.S | 24 - arch/s390/kernel/entry.S | 105 +----- arch/s390/kernel/mcount.S | 14 arch/s390/kernel/nospec-branch.c | 43 +- arch/s390/kernel/nospec-sysfs.c | 21 + arch/s390/kernel/reipl.S | 7 arch/s390/kernel/swsusp.S | 10 arch/s390/lib/mem.S | 13 arch/s390/net/bpf_jit.S | 16 arch/s390/net/bpf_jit_comp.c | 63 +++ arch/sparc/kernel/vio.c | 2 arch/x86/kernel/machine_kexec_32.c | 6 arch/x86/kernel/machine_kexec_64.c | 5 drivers/block/loop.c | 71 ++-- drivers/bluetooth/btusb.c | 6 drivers/clk/clk.c | 3 drivers/clk/hisilicon/crg-hi3516cv300.c | 2 drivers/clk/rockchip/clk-mmc-phase.c | 23 + drivers/clk/rockchip/clk-rk3228.c | 2 drivers/clk/samsung/clk-exynos3250.c | 4 drivers/clk/samsung/clk-exynos5250.c | 8 drivers/clk/samsung/clk-exynos5260.c | 2 drivers/clk/samsung/clk-exynos5433.c | 12 drivers/clk/samsung/clk-exynos7.c | 2 drivers/clk/samsung/clk-s3c2410.c | 16 drivers/clk/tegra/clk-pll.c | 2 drivers/crypto/atmel-aes.c | 2 drivers/crypto/ccp/ccp-debugfs.c | 7 drivers/crypto/inside-secure/safexcel.c | 9 drivers/crypto/inside-secure/safexcel_cipher.c | 2 drivers/crypto/inside-secure/safexcel_hash.c | 8 drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 drivers/media/dvb-core/dmxdev.c | 2 drivers/media/dvb-frontends/lgdt3306a.c | 10 drivers/media/i2c/adv748x/adv748x-hdmi.c | 3 drivers/media/i2c/ov5645.c | 5 drivers/media/i2c/tvp5150.c | 88 ++--- drivers/media/pci/cx23885/cx23885-cards.c | 4 drivers/media/pci/cx23885/cx23885-core.c | 10 drivers/media/pci/cx25821/cx25821-core.c | 7 drivers/media/platform/s3c-camif/camif-capture.c | 7 drivers/media/platform/vivid/vivid-ctrls.c | 2 drivers/media/platform/vsp1/vsp1_drm.c | 9 drivers/media/usb/em28xx/em28xx-cards.c | 22 - drivers/media/usb/em28xx/em28xx.h | 2 drivers/media/v4l2-core/videobuf2-vmalloc.c | 2 drivers/message/fusion/mptctl.c | 2 drivers/net/ethernet/mellanox/mlx4/main.c | 4 drivers/net/hyperv/hyperv_net.h | 11 drivers/net/hyperv/netvsc.c | 203 ++++++----- drivers/net/hyperv/netvsc_drv.c | 310 ++++++++++-------- drivers/net/hyperv/rndis_filter.c | 210 ++++++------ drivers/net/usb/qmi_wwan.c | 4 drivers/net/usb/usbnet.c | 10 drivers/net/vmxnet3/vmxnet3_drv.c | 72 ++-- drivers/rtc/hctosys.c | 5 drivers/rtc/rtc-goldfish.c | 2 drivers/rtc/rtc-m41t80.c | 18 - drivers/rtc/rtc-rk808.c | 14 drivers/rtc/rtc-rp5c01.c | 12 drivers/rtc/rtc-snvs.c | 15 drivers/rtc/rtc-tx4939.c | 6 drivers/s390/scsi/zfcp_dbf.c | 23 + drivers/s390/scsi/zfcp_ext.h | 5 drivers/s390/scsi/zfcp_scsi.c | 14 drivers/scsi/aacraid/commsup.c | 4 drivers/scsi/aacraid/linit.c | 5 drivers/scsi/bnx2fc/bnx2fc_io.c | 1 drivers/scsi/iscsi_tcp.c | 8 drivers/scsi/libsas/sas_scsi_host.c | 33 - drivers/scsi/lpfc/lpfc_attr.c | 5 drivers/scsi/lpfc/lpfc_hbadisc.c | 5 drivers/scsi/lpfc/lpfc_sli.c | 2 drivers/scsi/mpt3sas/mpt3sas_base.c | 5 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 2 drivers/scsi/mvsas/mv_94xx.c | 23 - drivers/scsi/qedi/qedi_fw.c | 5 drivers/scsi/qedi/qedi_main.c | 24 - drivers/scsi/qla2xxx/qla_isr.c | 6 drivers/scsi/qla2xxx/qla_os.c | 2 drivers/scsi/qla4xxx/ql4_def.h | 2 drivers/scsi/qla4xxx/ql4_os.c | 46 ++ drivers/scsi/scsi_lib.c | 11 drivers/scsi/sd.c | 3 drivers/scsi/sg.c | 2 drivers/scsi/storvsc_drv.c | 2 drivers/scsi/sym53c8xx_2/sym_hipd.c | 2 drivers/scsi/ufs/ufshcd.c | 2 drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 6 drivers/staging/ks7010/ks_hostif.c | 31 - drivers/staging/ks7010/ks_hostif.h | 1 drivers/staging/lustre/lustre/include/obd.h | 2 drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 drivers/staging/lustre/lustre/osc/osc_cache.c | 2 drivers/staging/rtl8192u/r8192U_core.c | 2 drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 54 +-- drivers/tty/serial/8250/8250_port.c | 3 drivers/tty/serial/altera_uart.c | 12 drivers/tty/serial/arc_uart.c | 5 drivers/tty/serial/fsl_lpuart.c | 4 drivers/tty/serial/imx.c | 6 drivers/tty/serial/mxs-auart.c | 4 drivers/tty/serial/samsung.c | 4 drivers/tty/serial/sh-sci.c | 4 drivers/tty/serial/xilinx_uartps.c | 2 drivers/usb/class/cdc-acm.c | 9 drivers/usb/dwc2/core.h | 2 drivers/usb/dwc2/gadget.c | 12 drivers/usb/dwc2/hcd.c | 32 + drivers/usb/dwc3/Makefile | 2 drivers/usb/dwc3/core.c | 16 drivers/usb/dwc3/core.h | 2 drivers/usb/dwc3/dwc3-omap.c | 16 drivers/usb/gadget/composite.c | 40 +- drivers/usb/gadget/function/f_fs.c | 6 drivers/usb/gadget/function/f_uac2.c | 2 drivers/usb/gadget/udc/core.c | 2 drivers/usb/gadget/udc/fsl_udc_core.c | 4 drivers/usb/gadget/udc/goku_udc.h | 2 drivers/usb/host/ohci-hcd.c | 3 drivers/usb/host/xhci-mem.c | 2 drivers/usb/host/xhci-plat.c | 11 drivers/usb/host/xhci.c | 14 drivers/usb/usbip/Kconfig | 2 fs/ext2/inode.c | 10 fs/hfsplus/super.c | 1 include/linux/u64_stats_sync.h | 22 + include/linux/usb/composite.h | 3 include/scsi/scsi.h | 2 include/uapi/linux/nl80211.h | 2 net/core/dev.c | 2 net/core/sock.c | 2 net/ipv4/ip_output.c | 3 net/ipv4/tcp_output.c | 7 net/ipv6/ip6_output.c | 3 net/packet/af_packet.c | 4 net/sched/act_vlan.c | 2 net/sched/sch_red.c | 5 net/sched/sch_tbf.c | 5 net/smc/smc_pnet.c | 71 ++-- net/wireless/core.c | 3 sound/soc/codecs/hdmi-codec.c | 7 sound/soc/rockchip/Kconfig | 3 sound/soc/samsung/i2s.c | 13 sound/soc/samsung/odroid.c | 11 sound/soc/soc-topology.c | 3 sound/usb/quirks.c | 29 - 155 files changed, 1784 insertions(+), 894 deletions(-) Akinobu Mita (1): media: ov5645: add missing of_node_put() in error path Al Viro (1): ext2: fix a block leak Alexander Potapenko (1): scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() Alexandre Belloni (4): rtc: hctosys: Ensure system time doesn't overflow time_t rtc: rk808: fix possible race condition rtc: m41t80: fix race conditions rtc: rp5c01: fix possible race condition Amritha Nambiar (1): net: Fix a bug in removing queues from XPS map Andrew Vasquez (1): scsi: qedi: Fix truncation of CHAP name and secret Andrzej Hajda (6): clk: samsung: s3c2410: Fix PLL rates clk: samsung: exynos7: Fix PLL rates clk: samsung: exynos5260: Fix PLL rates clk: samsung: exynos5433: Fix PLL rates clk: samsung: exynos5250: Fix PLL rates clk: samsung: exynos3250: Fix PLL rates Antoine Tenart (6): crypto: inside-secure - wait for the request to complete if in the backlog crypto: atmel-aes - fix the keys zeroing on errors crypto: inside-secure - do not process request if no command was issued crypto: inside-secure - fix the cache_len computation crypto: inside-secure - fix the extra cache computation crypto: inside-secure - fix the invalidation step during cra_exit Arnd Bergmann (2): clk: hisilicon: mark wdt_mux_p[] as const media: s3c-camif: fix out-of-bounds array access Arvind Yadav (1): sparc: vio: use put_device() instead of kfree() Bart Van Assche (1): scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion() Ben Hutchings (1): usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS Brad Love (6): media: lgdt3306a: Fix module count mismatch on usb unplug media: em28xx: USB bulk packet size fix media: cx23885: Override 888 ImpactVCBe crystal frequency media: cx23885: Set subdev host data to clk_freq pointer media: lgdt3306a: Fix a double kfree on i2c device remove media: em28xx: Add Hauppauge SoloHD/DualHD bulk models Brian Norris (1): usb: dwc3: Undo PHY init if soft reset fails Bryan O'Donoghue (1): rtc: snvs: Fix usage of snvs_rtc_enable Chad Dupuis (1): scsi: bnx2fc: Fix check in SCSI completion handler for timed out request Chris Dickens (1): usb: gadget: composite: fix incorrect handling of OS desc requests Colin Ian King (3): staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr media: cx25821: prevent out-of-bounds read on array card rtc: tx4939: avoid unintended sign extension on a 24 bit shift Dan Carpenter (2): scsi: sym53c8xx_2: iterator underflow in sym_getsync() scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() Dave Carroll (1): scsi: aacraid: Insure command thread is not recursively stopped Davide Caratti (1): net/sched: fix refcnt leak in the error path of tcf_vlan_init() Dominik Bozek (1): usb: cdc_acm: prevent race at write to acm while system resumes Douglas Gilbert (1): scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD Eric Biggers (1): net/smc: check for missing nlattrs in SMC_PNETID messages Eric Dumazet (3): sock_diag: fix use-after-free read in __sk_free tcp: purge write queue in tcp_connect_init() net: usbnet: fix potential deadlock on 32bit hosts Ezequiel Garcia (1): ASoC: rockchip: rk3288-hdmi-analog: Select needed codecs Felipe Balbi (1): usb: dwc3: Makefile: fix link error on randconfig Fredrik Noring (1): USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM Geert Uytterhoeven (7): serial: xuartps: Fix out-of-bounds access through DT alias serial: sh-sci: Fix out-of-bounds access through DT alias serial: samsung: Fix out-of-bounds access through serial port index serial: mxs-auart: Fix out-of-bounds access through serial port index serial: imx: Fix out-of-bounds access through serial port index serial: fsl_lpuart: Fix out-of-bounds access through DT alias serial: arc_uart: Fix out-of-bounds access through DT alias Giuseppe Lippolis (1): net-usb: add qmi_wwan if on lte modem wistron neweb d18q1 Greg Kroah-Hartman (1): Linux 4.14.44 Grigor Tovmasyan (1): usb: dwc2: Fix interval type issue Haiyang Zhang (6): hv_netvsc: Fix the real number of queues of non-vRSS cases hv_netvsc: Rename ind_table to rx_table hv_netvsc: Rename tx_send_table to tx_table hv_netvsc: Add initialization of tx_table in netvsc_device_add() hv_netvsc: Set tx_table to equal weight after subchannels open hv_netvsc: Use the num_online_cpus() for channel limit Hannes Reinecke (1): scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM Hans Verkuil (1): media: vivid: fix incorrect capabilities for radio Ioana Radulescu (1): staging: fsl-dpaa2/eth: Fix incorrect casts James Hogan (1): rtc: goldfish: Add missing MODULE_LICENSE James Smart (3): scsi: lpfc: Fix issue_lip if link is disabled scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing scsi: lpfc: Fix frequency of Release WQE CQEs Jason Yan (1): scsi: libsas: defer ata device eh commands to libata Jens Remus (1): scsi: zfcp: fix infinite iteration on ERP ready list Jeremy Cline (1): scsi: sd: Keep disk read-only when re-reading partition Jianchao Wang (1): scsi: iscsi_tcp: set BDI_CAP_STABLE_WRITES when data digest enabled Johannes Berg (1): cfg80211: limit wiphy names to 128 bytes John Keeping (1): usb: gadget: f_uac2: fix bFirstInterface in composite gadget Kieran Bingham (1): media: i2c: adv748x: fix HDMI field heights Kirill Marinushkin (1): staging: bcm2835-audio: Release resources on module_exit() Larry Finger (1): Bluetooth: btusb: Add device ID for RTL8822BE Lars-Peter Clausen (2): usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS usb: gadget: ffs: Execute copy_to_user() with USER_DS set Laurent Pinchart (1): media: v4l: vsp1: Fix display stalls when requesting too many inputs Leonard Crestez (1): ARM: dts: imx7d-sdb: Fix regulator-usb-otg2-vbus node name Manish Rangankar (2): scsi: qla4xxx: skip error recovery in case of register disconnect. scsi: qedi: Fix kernel crash during port toggle Manu Gautam (1): usb: gadget: core: Fix use-after-free of usb_request Marcel Ziswiler (1): clk: tegra: Fix pll_u rate configuration Martin Schwidefsky (9): s390: add assembler macros for CPU alternatives s390: move expoline assembler macros to a header s390/crc32-vx: use expoline for indirect branches s390/lib: use expoline for indirect branches s390/ftrace: use expoline for indirect branches s390/kernel: use expoline for indirect branches s390: move spectre sysfs attribute code s390: extend expoline to BC instructions s390: use expoline thunks in the BPF JIT Masami Hiramatsu (1): media: vb2: Fix videobuf2 to map correct area Mathias Nyman (2): xhci: zero usb device slot_id member when disabling and freeing a xhci slot xhci: Show what USB release number the xHC supports from protocol capablity Mauro Carvalho Chehab (2): media: dmxdev: fix error code for invalid ioctls media: Don't let tvp5150_get_vbi() go out of vbi_ram_default array Meelis Roos (1): scsi: aacraid: fix shutdown crash when init fails Michael Kelley (EOSG) (1): scsi: storvsc: Increase cmd_per_lun for higher speed devices Minas Harutyunyan (2): usb: dwc2: hcd: Fix host channel halt flow usb: dwc2: host: Fix transaction errors in host mode Mohammed Gamal (4): hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() hv_netvsc: Ensure correct teardown message sequence order hv_netvsc: Fix net device attach on older Windows hosts NeilBrown (2): staging: lustre: fix bug in osc_enter_cache_try staging: lustre: lmv: correctly iput lmo_root Nobutaka Okabe (1): ALSA: usb-audio: Add native DSD support for Luxman DA-06 Omar Sandoval (2): loop: don't call into filesystem while holding lo_ctl_mutex loop: fix LOOP_GET_STATUS lock imbalance Paolo Abeni (1): net: sched: red: avoid hashing NULL child Peter Robinson (1): crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss Peter Ujfalusi (1): ASoC: hdmi-codec: Fix module unloading caused kernel crash Quinn Tran (1): scsi: qla2xxx: Fix memory corruption during hba reset test Quytelda Kahja (1): staging: ks7010: Use constants from ieee80211_eid instead of literal ints. Ranjani Sridharan (1): ASoC: topology: create TLV data for dapm widgets Roger Quadros (1): usb: dwc3: omap: don't miss events during suspend/resume Sebastian Andrzej Siewior (1): crypto: ccp - don't disable interrupts while setting up debugfs Shawn Lin (3): clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228 clk: Don't show the incorrect clock phase clk: rockchip: Prevent calculating mmc phase if clock rate is zero Stefan Agner (1): usb: gadget: fsl_udc_core: fix ep valid checks Stephen Hemminger (11): hv_netvsc: empty current transmit aggregation if flow blocked hv_netvsc: avoid retry on send during shutdown hv_netvsc: only wake transmit queue if link is up hv_netvsc: fix error unwind handling if vmbus_open fails hv_netvsc: cancel subchannel setup before halting device hv_netvsc: fix race in napi poll when rescheduling hv_netvsc: defer queue selection to VF hv_netvsc: disable NAPI before channel close hv_netvsc: use RCU to fix concurrent rx and queue changes hv_netvsc: change GPAD teardown order on older versions hv_netvsc: common detach logic Sujit Reddy Thumma (1): scsi: ufs: Enable quirk to ignore sending WRITE_SAME command Sylwester Nawrocki (2): ASoC: samsung: odroid: Fix 32000 sample rate handling ASoC: samsung: i2s: Ensure the RCLK rate is properly determined Tarick Bedeir (1): net/mlx4_core: Fix error handling in mlx4_init_port_info. Tetsuo Handa (2): hfsplus: stop workqueue when fill_super() failed x86/kexec: Avoid double free_page() upon do_kexec_load() failure Thinh Nguyen (2): usb: dwc3: Add SoftReset PHY synchonization delay usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields Tomas Henzl (1): scsi: mpt3sas: fix an out of bound write Torsten Hilbrich (1): net/usb/qmi_wwan.c: Add USB id for lt4120 modem Uwe Kleine-König (1): serial: altera: ensure port->regshift is honored consistently Vardan Mikayelyan (1): usb: dwc2: Fix dwc2_hsotg_core_init_disconnected() Vicente Bergas (1): Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB Vignesh R (1): serial: 8250: Don't service RX FIFO if interrupts are disabled Vitaly Kuznetsov (2): hv_netvsc: netvsc_teardown_gpadl() split hv_netvsc: preserve hw_features on mtu/channels/ringparam changes Wilfried Weissmann (1): scsi: mvsas: fix wrong endianness of sgpio api Willem de Bruijn (2): net: test tailroom before appending to linear skb packet: in packet_snd start writing at link layer allocation Wolfram Sang (1): usb: gadget: udc: change comparison to bitshift when dealing with a mask Yoshihiro Shimoda (1): usb: host: xhci-plat: revert "usb: host: xhci-plat: enable clk in resume timing" hpreg(a)vmware.com (2): vmxnet3: set the DMA mask before the first DMA map operation vmxnet3: use DMA memory barriers where required

7 years, 5 months

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror