This is a note to let you know that I've just added the patch titled
ARM: dts: sun6i: a31s: bpi-m2: improve pmic properties
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
arm-dts-sun6i-a31s-bpi-m2-improve-pmic-properties.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From b23af6ad8d2f708c4c3f92dd8f82c233247ba8bf Mon Sep 17 00:00:00 2001
From: Philipp Rossak <embed3d(a)gmail.com>
Date: Wed, 14 Feb 2018 15:10:24 +0100
Subject: ARM: dts: sun6i: a31s: bpi-m2: improve pmic properties
From: Philipp Rossak <embed3d(a)gmail.com>
commit b23af6ad8d2f708c4c3f92dd8f82c233247ba8bf upstream.
The eldoin is supplied from the dcdc1 regulator. The N_VBUSEN pin is
connected to an external power regulator (SY6280AAC).
With this commit we update the pmic binding properties to support
those features.
Fixes: 7daa21370075 ("ARM: dts: sunxi: Add regulators for Sinovoip BPI-M2")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Philipp Rossak <embed3d(a)gmail.com>
Signed-off-by: Maxime Ripard <maxime.ripard(a)bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts
+++ b/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts
@@ -163,6 +163,8 @@
reg = <0x68>;
interrupt-parent = <&nmi_intc>;
interrupts = <0 IRQ_TYPE_LEVEL_LOW>;
+ eldoin-supply = <®_dcdc1>;
+ x-powers,drive-vbus-en;
};
};
Patches currently in stable-queue which might be from embed3d(a)gmail.com are
queue-4.14/arm-dts-sun6i-a31s-bpi-m2-improve-pmic-properties.patch
queue-4.14/arm-dts-sun6i-a31s-bpi-m2-add-missing-regulators.patch
This is a note to let you know that I've just added the patch titled
ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[]
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
arm-8746-1-vfp-go-back-to-clearing-vfp_current_hw_state.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From 1328f02005bbbaed15b9d5b7f3ab5ec9d4d5268a Mon Sep 17 00:00:00 2001
From: Fabio Estevam <festevam(a)gmail.com>
Date: Mon, 22 Jan 2018 12:20:26 +0100
Subject: ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[]
From: Fabio Estevam <festevam(a)gmail.com>
commit 1328f02005bbbaed15b9d5b7f3ab5ec9d4d5268a upstream.
Commit 384b38b66947 ("ARM: 7873/1: vfp: clear vfp_current_hw_state
for dying cpu") fixed the cpu dying notifier by clearing
vfp_current_hw_state[]. However commit e5b61bafe704 ("arm: Convert VFP
hotplug notifiers to state machine") incorrectly used the original
vfp_force_reload() function in the cpu dying notifier.
Fix it by going back to clearing vfp_current_hw_state[].
Fixes: e5b61bafe704 ("arm: Convert VFP hotplug notifiers to state machine")
Cc: linux-stable <stable(a)vger.kernel.org>
Reported-by: Kohji Okuno <okuno.kohji(a)jp.panasonic.com>
Signed-off-by: Fabio Estevam <fabio.estevam(a)nxp.com>
Signed-off-by: Russell King <rmk+kernel(a)armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
arch/arm/vfp/vfpmodule.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/vfp/vfpmodule.c
+++ b/arch/arm/vfp/vfpmodule.c
@@ -648,7 +648,7 @@ int vfp_restore_user_hwstate(struct user
*/
static int vfp_dying_cpu(unsigned int cpu)
{
- vfp_force_reload(cpu, current_thread_info());
+ vfp_current_hw_state[cpu] = NULL;
return 0;
}
Patches currently in stable-queue which might be from festevam(a)gmail.com are
queue-4.14/arm-8746-1-vfp-go-back-to-clearing-vfp_current_hw_state.patch
This is a note to let you know that I've just added the patch titled
ALSA: usb-audio: Add native DSD support for TEAC UD-301
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
alsa-usb-audio-add-native-dsd-support-for-teac-ud-301.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From b00214865d65100163574ba250008f182cf90869 Mon Sep 17 00:00:00 2001
From: Nobutaka Okabe <nob77413(a)gmail.com>
Date: Fri, 23 Mar 2018 19:49:44 +0900
Subject: ALSA: usb-audio: Add native DSD support for TEAC UD-301
From: Nobutaka Okabe <nob77413(a)gmail.com>
commit b00214865d65100163574ba250008f182cf90869 upstream.
Add native DSD support quirk for TEAC UD-301 DAC,
by adding the PID/VID 0644:804a.
Signed-off-by: Nobutaka Okabe <nob77413(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai(a)suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
sound/usb/quirks.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1177,6 +1177,7 @@ static bool is_teac_dsd_dac(unsigned int
switch (id) {
case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
case USB_ID(0x0644, 0x8044): /* Esoteric D-05X */
+ case USB_ID(0x0644, 0x804a): /* TEAC UD-301 */
return true;
}
return false;
Patches currently in stable-queue which might be from nob77413(a)gmail.com are
queue-4.14/alsa-usb-audio-add-native-dsd-support-for-teac-ud-301.patch
This is a note to let you know that I've just added the patch titled
ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From 9066ae7ff5d89c0b5daa271e2d573540097a94fa Mon Sep 17 00:00:00 2001
From: Stefan Roese <sr(a)denx.de>
Date: Mon, 26 Mar 2018 16:10:21 +0200
Subject: ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
From: Stefan Roese <sr(a)denx.de>
commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream.
When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
area, as the page offset is outside of the VMA range (size), which is
currently used as size parameter in snd_pcm_lib_default_mmap(). By
using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
can be mmapp'ed and the issue is fixed.
This issue was detected on an ARM platform (TI AM57xx) using the RME
HDSP MADI PCIe soundcard.
Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available")
Signed-off-by: Stefan Roese <sr(a)denx.de>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai(a)suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
sound/core/pcm_native.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -3424,7 +3424,7 @@ int snd_pcm_lib_default_mmap(struct snd_
area,
substream->runtime->dma_area,
substream->runtime->dma_addr,
- area->vm_end - area->vm_start);
+ substream->runtime->dma_bytes);
#endif /* CONFIG_X86 */
/* mmap with fault handler */
area->vm_ops = &snd_pcm_vm_ops_data_fault;
Patches currently in stable-queue which might be from sr(a)denx.de are
queue-4.14/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch
This is a note to let you know that I've just added the patch titled
ALSA: pcm: potential uninitialized return values
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
alsa-pcm-potential-uninitialized-return-values.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter(a)oracle.com>
Date: Tue, 27 Mar 2018 16:07:52 +0300
Subject: ALSA: pcm: potential uninitialized return values
From: Dan Carpenter <dan.carpenter(a)oracle.com>
commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream.
Smatch complains that "tmp" can be uninitialized if we do a zero size
write.
Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai(a)suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
sound/core/oss/pcm_oss.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1326,7 +1326,7 @@ static ssize_t snd_pcm_oss_write2(struct
static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes)
{
size_t xfer = 0;
- ssize_t tmp;
+ ssize_t tmp = 0;
struct snd_pcm_runtime *runtime = substream->runtime;
if (atomic_read(&substream->mmap_count))
@@ -1433,7 +1433,7 @@ static ssize_t snd_pcm_oss_read2(struct
static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes)
{
size_t xfer = 0;
- ssize_t tmp;
+ ssize_t tmp = 0;
struct snd_pcm_runtime *runtime = substream->runtime;
if (atomic_read(&substream->mmap_count))
Patches currently in stable-queue which might be from dan.carpenter(a)oracle.com are
queue-4.14/alsa-pcm-potential-uninitialized-return-values.patch
This is a note to let you know that I've just added the patch titled
perf/hwbp: Simplify the perf-hwbp code, fix documentation
to the 3.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch
and it can be found in the queue-3.18 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From f67b15037a7a50c57f72e69a6d59941ad90a0f0f Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds(a)linux-foundation.org>
Date: Mon, 26 Mar 2018 15:39:07 -1000
Subject: perf/hwbp: Simplify the perf-hwbp code, fix documentation
From: Linus Torvalds <torvalds(a)linux-foundation.org>
commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f upstream.
Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the
modification of a breakpoint - simplify it and remove the pointless
local variables.
Also update the stale Docbook while at it.
Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org>
Acked-by: Thomas Gleixner <tglx(a)linutronix.de>
Cc: <stable(a)vger.kernel.org>
Cc: Alexander Shishkin <alexander.shishkin(a)linux.intel.com>
Cc: Andy Lutomirski <luto(a)kernel.org>
Cc: Arnaldo Carvalho de Melo <acme(a)redhat.com>
Cc: Frederic Weisbecker <fweisbec(a)gmail.com>
Cc: Jiri Olsa <jolsa(a)redhat.com>
Cc: Peter Zijlstra <peterz(a)infradead.org>
Cc: Stephane Eranian <eranian(a)google.com>
Cc: Vince Weaver <vincent.weaver(a)maine.edu>
Signed-off-by: Ingo Molnar <mingo(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
kernel/events/hw_breakpoint.c | 30 +++++++-----------------------
1 file changed, 7 insertions(+), 23 deletions(-)
--- a/kernel/events/hw_breakpoint.c
+++ b/kernel/events/hw_breakpoint.c
@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_break
* modify_user_hw_breakpoint - modify a user-space hardware breakpoint
* @bp: the breakpoint structure to modify
* @attr: new breakpoint attributes
- * @triggered: callback to trigger when we hit the breakpoint
- * @tsk: pointer to 'task_struct' of the process to which the address belongs
*/
int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr)
{
- u64 old_addr = bp->attr.bp_addr;
- u64 old_len = bp->attr.bp_len;
- int old_type = bp->attr.bp_type;
- int err = 0;
-
/*
* modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it
* will not be possible to raise IPIs that invoke __perf_event_disable.
@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct per
bp->attr.bp_addr = attr->bp_addr;
bp->attr.bp_type = attr->bp_type;
bp->attr.bp_len = attr->bp_len;
+ bp->attr.disabled = 1;
- if (attr->disabled)
- goto end;
-
- err = validate_hw_breakpoint(bp);
- if (!err)
- perf_event_enable(bp);
+ if (!attr->disabled) {
+ int err = validate_hw_breakpoint(bp);
- if (err) {
- bp->attr.bp_addr = old_addr;
- bp->attr.bp_type = old_type;
- bp->attr.bp_len = old_len;
- if (!bp->attr.disabled)
- perf_event_enable(bp);
+ if (err)
+ return err;
- return err;
+ perf_event_enable(bp);
+ bp->attr.disabled = 0;
}
-end:
- bp->attr.disabled = attr->disabled;
-
return 0;
}
EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint);
Patches currently in stable-queue which might be from torvalds(a)linux-foundation.org are
queue-3.18/tty-vt-fix-up-tabstops-properly.patch
queue-3.18/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch
queue-3.18/kvm-x86-fix-icebp-instruction-handling.patch
This is a note to let you know that I've just added the patch titled
mtd: jedec_probe: Fix crash in jedec_read_mfr()
to the 3.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch
and it can be found in the queue-3.18 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 Mon Sep 17 00:00:00 2001
From: Linus Walleij <linus.walleij(a)linaro.org>
Date: Sat, 3 Mar 2018 23:29:03 +0100
Subject: mtd: jedec_probe: Fix crash in jedec_read_mfr()
From: Linus Walleij <linus.walleij(a)linaro.org>
commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.
It turns out that the loop where we read manufacturer
jedec_read_mfd() can under some circumstances get a
CFI_MFR_CONTINUATION repeatedly, making the loop go
over all banks and eventually hit the end of the
map and crash because of an access violation:
Unable to handle kernel paging request at virtual address c4980000
pgd = (ptrval)
[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] PREEMPT ARM
CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
Hardware name: Gemini (Device Tree)
PC is at jedec_probe_chip+0x6ec/0xcd0
LR is at 0x4
pc : [<c03a2bf4>] lr : [<00000004>] psr: 60000013
sp : c382dd18 ip : 0000ffff fp : 00000000
r10: c0626388 r9 : 00020000 r8 : c0626340
r7 : 00000000 r6 : 00000001 r5 : c3a71afc r4 : c382dd70
r3 : 00000001 r2 : c4900000 r1 : 00000002 r0 : 00080000
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 0000397f Table: 00004000 DAC: 00000053
Process swapper (pid: 1, stack limit = 0x(ptrval))
Fix this by breaking the loop with a return 0 if
the offset exceeds the map size.
Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org>
Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/mtd/chips/jedec_probe.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mtd/chips/jedec_probe.c
+++ b/drivers/mtd/chips/jedec_probe.c
@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct
do {
uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
mask = (1 << (cfi->device_type * 8)) - 1;
+ if (ofs >= map->size)
+ return 0;
result = map_read(map, base + ofs);
bank++;
} while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
Patches currently in stable-queue which might be from linus.walleij(a)linaro.org are
queue-3.18/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch
This is a note to let you know that I've just added the patch titled
ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
to the 3.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch
and it can be found in the queue-3.18 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From 9066ae7ff5d89c0b5daa271e2d573540097a94fa Mon Sep 17 00:00:00 2001
From: Stefan Roese <sr(a)denx.de>
Date: Mon, 26 Mar 2018 16:10:21 +0200
Subject: ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
From: Stefan Roese <sr(a)denx.de>
commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream.
When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
area, as the page offset is outside of the VMA range (size), which is
currently used as size parameter in snd_pcm_lib_default_mmap(). By
using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
can be mmapp'ed and the issue is fixed.
This issue was detected on an ARM platform (TI AM57xx) using the RME
HDSP MADI PCIe soundcard.
Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available")
Signed-off-by: Stefan Roese <sr(a)denx.de>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai(a)suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
sound/core/pcm_native.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -3394,7 +3394,7 @@ int snd_pcm_lib_default_mmap(struct snd_
area,
substream->runtime->dma_area,
substream->runtime->dma_addr,
- area->vm_end - area->vm_start);
+ substream->runtime->dma_bytes);
#elif defined(CONFIG_MIPS) && defined(CONFIG_DMA_NONCOHERENT)
if (substream->dma_buffer.dev.type == SNDRV_DMA_TYPE_DEV &&
!plat_device_is_coherent(substream->dma_buffer.dev.dev))
Patches currently in stable-queue which might be from sr(a)denx.de are
queue-3.18/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch
This is a note to let you know that I've just added the patch titled
ALSA: pcm: potential uninitialized return values
to the 3.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
alsa-pcm-potential-uninitialized-return-values.patch
and it can be found in the queue-3.18 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter(a)oracle.com>
Date: Tue, 27 Mar 2018 16:07:52 +0300
Subject: ALSA: pcm: potential uninitialized return values
From: Dan Carpenter <dan.carpenter(a)oracle.com>
commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream.
Smatch complains that "tmp" can be uninitialized if we do a zero size
write.
Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai(a)suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
sound/core/oss/pcm_oss.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1362,7 +1362,7 @@ static ssize_t snd_pcm_oss_write2(struct
static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes)
{
size_t xfer = 0;
- ssize_t tmp;
+ ssize_t tmp = 0;
struct snd_pcm_runtime *runtime = substream->runtime;
if (atomic_read(&substream->mmap_count))
@@ -1469,7 +1469,7 @@ static ssize_t snd_pcm_oss_read2(struct
static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes)
{
size_t xfer = 0;
- ssize_t tmp;
+ ssize_t tmp = 0;
struct snd_pcm_runtime *runtime = substream->runtime;
if (atomic_read(&substream->mmap_count))
Patches currently in stable-queue which might be from dan.carpenter(a)oracle.com are
queue-3.18/alsa-pcm-potential-uninitialized-return-values.patch
queue-3.18/staging-ncpfs-memory-corruption-in-ncp_read_kernel.patch
Hi!
4.16-rc7 doesn't seem to be in stable.git yet. Am I too impatient or perhaps having a git-pull-problem here?
Thanks!
Rainer Fiebig
--
The truth always turns out to be simpler than you thought.
Richard Feynman
On 03/31/2018 01:38 PM, Jason Andryuk wrote:
> On Wed, Mar 21, 2018, 5:12 PM Boris Ostrovsky
> <boris.ostrovsky(a)oracle.com <mailto:boris.ostrovsky@oracle.com>> wrote:
>
> On 03/19/2018 12:58 PM, Jason Andryuk wrote:
> > Commit 2cc42bac1c79 ("x86-64/Xen: eliminate W+X mappings")
> introduced a
> > call to get_cpu_cap, which is fstack-protected. This is works on
> x86-64
> > as commit 4f277295e54c ("x86/xen: init %gs very early to avoid page
> > faults with stack protector") ensures the stack protector is
> configured,
> > but it it did not cover x86-32.
> >
> > Delay calling get_cpu_cap until after xen_setup_gdt has
> initialized the
> > stack canary. Without this, a 32bit PV machine crashes early
> > in boot.
> > (XEN) Domain 0 (vcpu#0) crashed on cpu#0:
> > (XEN) ----[ Xen-4.6.6-xc x86_64 debug=n Tainted: C ]----
> > (XEN) CPU: 0
> > (XEN) RIP: e019:[<00000000c10362f8>]
> >
> > And the PV kernel IP corresponds to init_scattered_cpuid_features
> > 0xc10362f8 <+24>: mov %gs:0x14,%eax
> >
> > Fixes 2cc42bac1c79 ("x86-64/Xen: eliminate W+X mappings")
> >
> > Signed-off-by: Jason Andryuk <jandryuk(a)gmail.com
> <mailto:jandryuk@gmail.com>>
> >
>
>
> Applied to for-linus-4.17
>
>
> Thanks. If it's not too late, can this be cc: stable?
We can always try ;-)
This is 4.15 and 4.16 only, I believe.
-boris
> If not, I'll
> submit the request after it is in Linus's tree.
>
> -Jason
>
I'm announcing the release of the 4.4.126 kernel.
All users of the 4.4 kernel series must upgrade.
The updated 4.4.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y
and can be browsed at the normal kernel.org git web browser:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Makefile | 2 -
drivers/net/ethernet/arc/emac_rockchip.c | 6 +++--
drivers/net/ethernet/broadcom/bcmsysport.c | 33 +++++++++++++----------------
drivers/net/ethernet/broadcom/bcmsysport.h | 2 -
drivers/net/ethernet/freescale/fec_main.c | 2 +
drivers/net/ethernet/ti/cpsw.c | 3 +-
drivers/net/team/team.c | 4 +--
drivers/s390/net/qeth_core_main.c | 21 +++++++++++++-----
drivers/s390/net/qeth_l2_main.c | 2 -
drivers/s390/net/qeth_l3_main.c | 2 -
drivers/scsi/sg.c | 5 ++--
kernel/irq/manage.c | 4 ---
net/core/skbuff.c | 2 -
net/dccp/proto.c | 5 ++++
net/ieee802154/6lowpan/core.c | 12 +++++++---
net/ipv4/inet_fragment.c | 3 ++
net/ipv4/ip_sockglue.c | 6 +++--
net/ipv6/ndisc.c | 3 +-
net/iucv/af_iucv.c | 4 ++-
net/l2tp/l2tp_core.c | 8 +++++--
net/netlink/genetlink.c | 2 -
21 files changed, 81 insertions(+), 50 deletions(-)
Alexey Kodanev (1):
dccp: check sk for closed state in dccp_sendmsg()
Arkadi Sharshevsky (1):
team: Fix double free in error path
Arvind Yadav (1):
net/iucv: Free memory obtained by kzalloc
Christophe JAILLET (1):
net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
David Ahern (1):
net: Only honor ifindex in IP_PKTINFO if non-0
Eric Dumazet (2):
l2tp: do not accept arbitrary sockets
ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
Florian Fainelli (2):
net: fec: Fix unbalanced PM runtime calls
net: systemport: Rewrite __bcm_sysport_tx_reclaim()
Greg Kroah-Hartman (2):
Revert "genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs"
Linux 4.4.126
Johannes Thumshirn (1):
scsi: sg: don't return bogus Sg_requests
Julian Wiedmann (4):
s390/qeth: free netdevice when removing a card
s390/qeth: when thread completes, wake up all waiters
s390/qeth: lock read device while queueing next buffer
s390/qeth: on channel error, reject further cmd requests
Kirill Tkhai (1):
net: Fix hlist corruptions in inet_evict_bucket()
Lorenzo Bianconi (1):
ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
Nicolas Dichtel (1):
netlink: avoid a double skb free in genlmsg_mcast()
SZ Lin (林上智) (1):
net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
Vinicius Costa Gomes (1):
skbuff: Fix not waking applications when errors are enqueued
This is a note to let you know that I've just added the patch titled
[PATCH] Revert "genirq: Use irqd_get_trigger_type to compare the
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
revert-genirq-use-irqd_get_trigger_type-to-compare-the.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From 5512cca5c518c20037b10369a4725327202dd80b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Date: Fri, 30 Mar 2018 10:53:44 +0200
Subject: [PATCH] Revert "genirq: Use irqd_get_trigger_type to compare the
trigger type for shared IRQs"
This reverts commit f2596a9808acfd02ce1ee389f0e1c37e64aec5f6 which is
commit 382bd4de61827dbaaf5fb4fb7b1f4be4a86505e7 upstream.
It causes too many problems with the stable tree, and would require too
many other things to be backported, so just revert it.
Reported-by: Guenter Roeck <linux(a)roeck-us.net>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Hans de Goede <hdegoede(a)redhat.com>
Cc: Marc Zyngier <marc.zyngier(a)arm.com>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Sasha Levin <alexander.levin(a)microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
kernel/irq/manage.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -1210,10 +1210,8 @@ __setup_irq(unsigned int irq, struct irq
* set the trigger type must match. Also all must
* agree on ONESHOT.
*/
- unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data);
-
if (!((old->flags & new->flags) & IRQF_SHARED) ||
- (oldtype != (new->flags & IRQF_TRIGGER_MASK)) ||
+ ((old->flags ^ new->flags) & IRQF_TRIGGER_MASK) ||
((old->flags ^ new->flags) & IRQF_ONESHOT))
goto mismatch;
Patches currently in stable-queue which might be from gregkh(a)linuxfoundation.org are
queue-4.9/net-fix-hlist-corruptions-in-inet_evict_bucket.patch
queue-4.9/ppp-avoid-loop-in-xmit-recursion-detection-code.patch
queue-4.9/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
queue-4.9/net-only-honor-ifindex-in-ip_pktinfo-if-non-0.patch
queue-4.9/skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch
queue-4.9/rhashtable-fix-rhlist-duplicates-insertion.patch
queue-4.9/kcm-lock-lower-socket-in-kcm_attach.patch
queue-4.9/s390-qeth-when-thread-completes-wake-up-all-waiters.patch
queue-4.9/sch_netem-fix-skb-leak-in-netem_enqueue.patch
queue-4.9/s390-qeth-lock-read-device-while-queueing-next-buffer.patch
queue-4.9/net-systemport-rewrite-__bcm_sysport_tx_reclaim.patch
queue-4.9/revert-genirq-use-irqd_get_trigger_type-to-compare-the.patch
queue-4.9/l2tp-do-not-accept-arbitrary-sockets.patch
queue-4.9/netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch
queue-4.9/team-fix-double-free-in-error-path.patch
queue-4.9/net-use-skb_to_full_sk-in-skb_update_prio.patch
queue-4.9/ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
queue-4.9/net-hns-fix-a-skb-used-after-free-bug.patch
queue-4.9/soc-fsl-qbman-fix-issue-in-qman_delete_cgr_safe.patch
queue-4.9/net-iucv-free-memory-obtained-by-kzalloc.patch
queue-4.9/net-ethernet-arc-fix-a-potential-memory-leak-if-an-optional-regulator-is-deferred.patch
queue-4.9/s390-qeth-on-channel-error-reject-further-cmd-requests.patch
queue-4.9/scsi-sg-don-t-return-bogus-sg_requests.patch
queue-4.9/dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch
queue-4.9/net-fec-fix-unbalanced-pm-runtime-calls.patch
queue-4.9/net-ethernet-ti-cpsw-add-check-for-in-band-mode-setting-with-rgmii-phy-interface.patch
queue-4.9/net-sched-actions-return-explicit-error-when-tunnel_key-mode-is-not-specified.patch
queue-4.9/s390-qeth-free-netdevice-when-removing-a-card.patch
This is the start of the stable review cycle for the 4.15.15 release.
There are 47 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat Mar 31 17:57:05 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.15.15-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.15.15-rc1
Arkadi Sharshevsky <arkadis(a)mellanox.com>
team: Fix double free in error path
Vinicius Costa Gomes <vinicius.gomes(a)intel.com>
skbuff: Fix not waking applications when errors are enqueued
Michal Kalderon <Michal.Kalderon(a)cavium.com>
qede: Fix qedr link update
Florian Fainelli <f.fainelli(a)gmail.com>
net: systemport: Rewrite __bcm_sysport_tx_reclaim()
David Ahern <dsahern(a)gmail.com>
net: Only honor ifindex in IP_PKTINFO if non-0
Nicolas Dichtel <nicolas.dichtel(a)6wind.com>
netlink: avoid a double skb free in genlmsg_mcast()
Arvind Yadav <arvind.yadav.cs(a)gmail.com>
net/iucv: Free memory obtained by kzalloc
Florian Fainelli <f.fainelli(a)gmail.com>
net: fec: Fix unbalanced PM runtime calls
SZ Lin (林上智) <sz.lin(a)moxa.com>
net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
Eric Dumazet <edumazet(a)google.com>
l2tp: do not accept arbitrary sockets
Lorenzo Bianconi <lorenzo.bianconi(a)redhat.com>
ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
Alexey Kodanev <alexey.kodanev(a)oracle.com>
dccp: check sk for closed state in dccp_sendmsg()
Camelia Groza <camelia.groza(a)nxp.com>
dpaa_eth: remove duplicate increment of the tx_errors counter
Camelia Groza <camelia.groza(a)nxp.com>
dpaa_eth: increment the RX dropped counter when needed
Camelia Groza <camelia.groza(a)nxp.com>
dpaa_eth: remove duplicate initialization
Madalin Bucur <madalin.bucur(a)nxp.com>
dpaa_eth: fix error in dpaa_remove()
Madalin Bucur <madalin.bucur(a)nxp.com>
soc/fsl/qbman: fix issue in qman_delete_cgr_safe()
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qeth: on channel error, reject further cmd requests
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qeth: lock read device while queueing next buffer
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qeth: when thread completes, wake up all waiters
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qeth: free netdevice when removing a card
Kirill Tkhai <ktkhai(a)virtuozzo.com>
net: Fix hlist corruptions in inet_evict_bucket()
Eric Dumazet <edumazet(a)google.com>
net: use skb_to_full_sk() in skb_update_prio()
Eric Dumazet <edumazet(a)google.com>
ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
Alexey Kodanev <alexey.kodanev(a)oracle.com>
sch_netem: fix skb leak in netem_enqueue()
Tom Herbert <tom(a)quantonium.net>
kcm: lock lower socket in kcm_attach
Paul Blakey <paulb(a)mellanox.com>
test_rhashtable: add test case for rhltable with duplicate objects
Paul Blakey <paulb(a)mellanox.com>
rhashtable: Fix rhlist duplicates insertion
Guillaume Nault <g.nault(a)alphalink.fr>
ppp: avoid loop in xmit recursion detection code
Roman Mashak <mrv(a)mojatatu.com>
net sched actions: return explicit error when tunnel_key mode is not specified
Stefano Brivio <sbrivio(a)redhat.com>
ipv6: Reflect MTU changes on PMTU of exceptions for MTU-less routes
Brad Mouring <brad.mouring(a)ni.com>
net: phy: Tell caller result of phy_change()
Ido Schimmel <idosch(a)mellanox.com>
mlxsw: spectrum_buffers: Set a minimum quota for CPU port traffic
David Lebrun <dlebrun(a)google.com>
ipv6: sr: fix scheduling in RCU when creating seg6 lwtunnel state
David Lebrun <dlebrun(a)google.com>
ipv6: sr: fix NULL pointer dereference when setting encap source address
Stefano Brivio <sbrivio(a)redhat.com>
ipv6: old_dport should be a __be16 in __ip6_datagram_connect()
Paolo Abeni <pabeni(a)redhat.com>
net: ipv6: keep sk status consistent after datagram connect failure
Shannon Nelson <shannon.nelson(a)oracle.com>
macvlan: filter out unsupported feature flags
Arkadi Sharshevsky <arkadis(a)mellanox.com>
devlink: Remove redundant free on error path
Grygorii Strashko <grygorii.strashko(a)ti.com>
net: phy: relax error checking when creating sysfs link netdev->phydev
Grygorii Strashko <grygorii.strashko(a)ti.com>
sysfs: symlink: export sysfs_create_link_nowarn()
Michal Kalderon <Michal.Kalderon(a)cavium.com>
qed: Fix non TCP packets should be dropped on iWARP ll2 connection
Soheil Hassas Yeganeh <soheil(a)google.com>
tcp: purge write queue upon aborting the connection
Michal Kalderon <Michal.Kalderon(a)cavium.com>
qed: Fix MPA unalign flow in case header is split across two packets.
zhangliping <zhangliping02(a)baidu.com>
openvswitch: meter: fix the incorrect calculation of max delta_t
Florian Fainelli <f.fainelli(a)gmail.com>
net: dsa: Fix dsa_is_user_port() test inversion
-------------
Diffstat:
Makefile | 4 +-
drivers/net/ethernet/arc/emac_rockchip.c | 6 +-
drivers/net/ethernet/broadcom/bcmsysport.c | 33 ++--
drivers/net/ethernet/broadcom/bcmsysport.h | 2 +-
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 8 +-
drivers/net/ethernet/freescale/fec_main.c | 2 +
.../net/ethernet/mellanox/mlxsw/spectrum_buffers.c | 12 +-
drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 17 +-
drivers/net/ethernet/qlogic/qede/qede_main.c | 4 +-
drivers/net/ethernet/ti/cpsw.c | 3 +-
drivers/net/macvlan.c | 2 +-
drivers/net/phy/phy.c | 173 ++++++++++-----------
drivers/net/phy/phy_device.c | 15 +-
drivers/net/ppp/ppp_generic.c | 26 ++--
drivers/net/team/team.c | 4 +-
drivers/s390/net/qeth_core_main.c | 21 ++-
drivers/s390/net/qeth_l2_main.c | 2 +-
drivers/s390/net/qeth_l3_main.c | 2 +-
drivers/soc/fsl/qbman/qman.c | 28 +---
fs/sysfs/symlink.c | 1 +
include/linux/cgroup-defs.h | 4 +-
include/linux/phy.h | 1 -
include/linux/rhashtable.h | 4 +-
include/net/sch_generic.h | 19 +++
lib/rhashtable.c | 4 +-
lib/test_rhashtable.c | 134 ++++++++++++++++
net/core/dev.c | 22 ++-
net/core/devlink.c | 16 +-
net/core/skbuff.c | 2 +-
net/dccp/proto.c | 5 +
net/dsa/legacy.c | 2 +-
net/ieee802154/6lowpan/core.c | 12 +-
net/ipv4/inet_fragment.c | 3 +
net/ipv4/ip_sockglue.c | 6 +-
net/ipv4/tcp.c | 1 +
net/ipv4/tcp_timer.c | 1 +
net/ipv6/datagram.c | 21 ++-
net/ipv6/ndisc.c | 3 +-
net/ipv6/route.c | 71 +++++----
net/ipv6/seg6_iptunnel.c | 7 +-
net/iucv/af_iucv.c | 4 +-
net/kcm/kcmsock.c | 33 ++--
net/l2tp/l2tp_core.c | 8 +-
net/netlink/genetlink.c | 2 +-
net/openvswitch/meter.c | 12 +-
net/sched/act_tunnel_key.c | 1 +
net/sched/sch_netem.c | 2 +-
47 files changed, 501 insertions(+), 264 deletions(-)
This is the start of the stable review cycle for the 4.4.126 release.
There are 20 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat Mar 31 17:57:30 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.126-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.4.126-rc1
Florian Fainelli <f.fainelli(a)gmail.com>
net: systemport: Rewrite __bcm_sysport_tx_reclaim()
Florian Fainelli <f.fainelli(a)gmail.com>
net: fec: Fix unbalanced PM runtime calls
Eric Dumazet <edumazet(a)google.com>
ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qeth: on channel error, reject further cmd requests
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qeth: lock read device while queueing next buffer
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qeth: when thread completes, wake up all waiters
Julian Wiedmann <jwi(a)linux.vnet.ibm.com>
s390/qeth: free netdevice when removing a card
Arkadi Sharshevsky <arkadis(a)mellanox.com>
team: Fix double free in error path
Vinicius Costa Gomes <vinicius.gomes(a)intel.com>
skbuff: Fix not waking applications when errors are enqueued
David Ahern <dsahern(a)gmail.com>
net: Only honor ifindex in IP_PKTINFO if non-0
Nicolas Dichtel <nicolas.dichtel(a)6wind.com>
netlink: avoid a double skb free in genlmsg_mcast()
Arvind Yadav <arvind.yadav.cs(a)gmail.com>
net/iucv: Free memory obtained by kzalloc
SZ Lin (林上智) <sz.lin(a)moxa.com>
net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
Eric Dumazet <edumazet(a)google.com>
l2tp: do not accept arbitrary sockets
Lorenzo Bianconi <lorenzo.bianconi(a)redhat.com>
ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
Alexey Kodanev <alexey.kodanev(a)oracle.com>
dccp: check sk for closed state in dccp_sendmsg()
Kirill Tkhai <ktkhai(a)virtuozzo.com>
net: Fix hlist corruptions in inet_evict_bucket()
Marc Zyngier <marc.zyngier(a)arm.com>
genirq: Track whether the trigger type has been set
Johannes Thumshirn <jthumshirn(a)suse.de>
scsi: sg: don't return bogus Sg_requests
-------------
Diffstat:
Makefile | 4 ++--
drivers/net/ethernet/arc/emac_rockchip.c | 6 ++++--
drivers/net/ethernet/broadcom/bcmsysport.c | 33 ++++++++++++++----------------
drivers/net/ethernet/broadcom/bcmsysport.h | 2 +-
drivers/net/ethernet/freescale/fec_main.c | 2 ++
drivers/net/ethernet/ti/cpsw.c | 3 ++-
drivers/net/team/team.c | 4 ++--
drivers/s390/net/qeth_core_main.c | 21 +++++++++++++------
drivers/s390/net/qeth_l2_main.c | 2 +-
drivers/s390/net/qeth_l3_main.c | 2 +-
drivers/scsi/sg.c | 5 +++--
include/linux/irq.h | 11 +++++++++-
kernel/irq/manage.c | 13 +++++++++++-
net/core/skbuff.c | 2 +-
net/dccp/proto.c | 5 +++++
net/ieee802154/6lowpan/core.c | 12 +++++++----
net/ipv4/inet_fragment.c | 3 +++
net/ipv4/ip_sockglue.c | 6 ++++--
net/ipv6/ndisc.c | 3 ++-
net/iucv/af_iucv.c | 4 +++-
net/l2tp/l2tp_core.c | 8 ++++++--
net/netlink/genetlink.c | 2 +-
22 files changed, 103 insertions(+), 50 deletions(-)
From: Eric Biggers <ebiggers(a)google.com>
ext4 isn't validating the sizes of xattrs. This is problematic
because ->e_value_size is a u32, but ext4_xattr_get() returns an int.
A very large size is misinterpreted as an error code, which
ext4_get_acl() translates into a bogus ERR_PTR() for which IS_ERR()
returns false, causing a crash.
Fix this by validating that all xattrs are <= INT_MAX bytes. Also add
explicit checks in ext4_xattr_block_get() and ext4_xattr_ibody_get()
just in case the xattr block is corrupted in memory.
Also if the xattr block is corrupted, mark the file system as
containing an error.
This issue has been assigned CVE-2018-1095.
https://bugzilla.kernel.org/show_bug.cgi?id=199185https://bugzilla.redhat.com/show_bug.cgi?id=1560793
Reported-by: Wen Xu <wen.xu(a)gatech.edu>
Signed-off-by: Eric Biggers <ebiggers(a)google.com>
Signed-off-by: Theodore Ts'o <tytso(a)mit.edu>
Cc: stable(a)vger.kernel.org
---
fs/ext4/xattr.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 63656dbafdc4..d2a9b078e121 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -195,10 +195,14 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
/* Check the values */
while (!IS_LAST_ENTRY(entry)) {
+ u32 size = le32_to_cpu(entry->e_value_size);
+
+ if (size > INT_MAX)
+ return -EFSCORRUPTED;
+
if (entry->e_value_size != 0 &&
entry->e_value_inum == 0) {
u16 offs = le16_to_cpu(entry->e_value_offs);
- u32 size = le32_to_cpu(entry->e_value_size);
void *value;
/*
@@ -523,8 +527,10 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name,
if (error)
goto cleanup;
size = le32_to_cpu(entry->e_value_size);
+ error = -ERANGE;
+ if (unlikely(size > INT_MAX))
+ goto cleanup;
if (buffer) {
- error = -ERANGE;
if (size > buffer_size)
goto cleanup;
if (entry->e_value_inum) {
@@ -572,8 +578,10 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
if (error)
goto cleanup;
size = le32_to_cpu(entry->e_value_size);
+ error = -ERANGE;
+ if (unlikely(size > INT_MAX))
+ goto cleanup;
if (buffer) {
- error = -ERANGE;
if (size > buffer_size)
goto cleanup;
if (entry->e_value_inum) {
--
2.16.1.72.g5be1f00a9a
The patch titled
Subject: hugetlbfs: fix bug in pgoff overflow checking
has been added to the -mm tree. Its filename is
hugetlbfs-fix-bug-in-pgoff-overflow-checking.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/hugetlbfs-fix-bug-in-pgoff-overflo…
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/hugetlbfs-fix-bug-in-pgoff-overflo…
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Mike Kravetz <mike.kravetz(a)oracle.com>
Subject: hugetlbfs: fix bug in pgoff overflow checking
This is a fix for a regression in 32 bit kernels caused by an invalid
check for pgoff overflow in hugetlbfs mmap setup. The check incorrectly
specified that the size of a loff_t was the same as the size of a long.
The regression prevents mapping hugetlbfs files at offsets greater than
4GB on 32 bit kernels.
On 32 bit kernels conversion from a page based unsigned long can not
overflow a loff_t byte offset. Therefore, skip this check if
sizeof(unsigned long) != sizeof(loff_t).
Link: http://lkml.kernel.org/r/20180330145402.5053-1-mike.kravetz@oracle.com
Fixes: 63489f8e8211 ("hugetlbfs: check for pgoff value overflow")
Reported-by: Dan Rue <dan.rue(a)linaro.org>
Signed-off-by: Mike Kravetz <mike.kravetz(a)oracle.com>
Cc: Michal Hocko <mhocko(a)kernel.org>
Cc: Yisheng Xie <xieyisheng1(a)huawei.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov(a)linux.intel.com>
Cc: Nic Losby <blurbdust(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
fs/hugetlbfs/inode.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff -puN fs/hugetlbfs/inode.c~hugetlbfs-fix-bug-in-pgoff-overflow-checking fs/hugetlbfs/inode.c
--- a/fs/hugetlbfs/inode.c~hugetlbfs-fix-bug-in-pgoff-overflow-checking
+++ a/fs/hugetlbfs/inode.c
@@ -138,10 +138,14 @@ static int hugetlbfs_file_mmap(struct fi
/*
* page based offset in vm_pgoff could be sufficiently large to
- * overflow a (l)off_t when converted to byte offset.
+ * overflow a loff_t when converted to byte offset. This can
+ * only happen on architectures where sizeof(loff_t) ==
+ * sizeof(unsigned long). So, only check in those instances.
*/
- if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
- return -EINVAL;
+ if (sizeof(unsigned long) == sizeof(loff_t)) {
+ if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
+ return -EINVAL;
+ }
/* must be huge page aligned */
if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
_
Patches currently in -mm which might be from mike.kravetz(a)oracle.com are
hugetlbfs-fix-bug-in-pgoff-overflow-checking.patch
mm-hugetlbfs-move-hugetlbfs_i-outside-ifdef-config_hugetlbfs.patch
mm-memfd-split-out-memfd-for-use-by-multiple-filesystems.patch
mm-memfd-remove-memfd-code-from-shmem-files-and-use-new-memfd-files.patch
mm-make-start_isolate_page_range-fail-if-already-isolated.patch
The patch titled
Subject: mm/memblock: fix potential issue in memblock_search_pfn_nid()
has been added to the -mm tree. Its filename is
mm-memblock-fix-potential-issue-in-memblock_search_pfn_nid.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/mm-memblock-fix-potential-issue-in…
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/mm-memblock-fix-potential-issue-in…
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Wei Yang <richard.weiyang(a)gmail.com>
Subject: mm/memblock: fix potential issue in memblock_search_pfn_nid()
memblock_search_pfn_nid() returns the nid and the [start|end]_pfn of the
memory region where pfn sits in. While the calculation of start_pfn has
potential issue when the regions base is not page aligned.
For example, we assume PAGE_SHIFT is 12 and base is 0x1234. Current
implementation would return 1 while this is not correct.
This patch fixes this by using PFN_UP().
The original commit is commit e76b63f80d93 ("memblock, numa: binary search
node id") and merged in v3.12.
Link: http://lkml.kernel.org/r/20180330033055.22340-1-richard.weiyang@gmail.com
Fixes: e76b63f80d93 ("memblock, numa: binary search node id")
Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com>
Cc: Michal Hocko <mhocko(a)suse.com>
Cc: Yinghai Lu <yinghai(a)kernel.org>
Cc: Jia He <hejianet(a)gmail.com>
Cc: <stable(a)vger.kernel.org> [3.12+]
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/memblock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff -puN mm/memblock.c~mm-memblock-fix-potential-issue-in-memblock_search_pfn_nid mm/memblock.c
--- a/mm/memblock.c~mm-memblock-fix-potential-issue-in-memblock_search_pfn_nid
+++ a/mm/memblock.c
@@ -1646,7 +1646,7 @@ int __init_memblock memblock_search_pfn_
if (mid == -1)
return -1;
- *start_pfn = PFN_DOWN(type->regions[mid].base);
+ *start_pfn = PFN_UP(type->regions[mid].base);
*end_pfn = PFN_DOWN(type->regions[mid].base + type->regions[mid].size);
return type->regions[mid].nid;
_
Patches currently in -mm which might be from richard.weiyang(a)gmail.com are
mm-check-__highest_present_sectioin_nr-directly-in-memory_dev_init.patch
mm-memblock-fix-potential-issue-in-memblock_search_pfn_nid.patch
The patch titled
Subject: ipc/shm.c: add split function to shm_vm_ops
has been removed from the -mm tree. Its filename was
shm-add-split-function-to-shm_vm_ops.patch
This patch was dropped because it was merged into mainline or a subsystem tree
------------------------------------------------------
From: Mike Kravetz <mike.kravetz(a)oracle.com>
Subject: ipc/shm.c: add split function to shm_vm_ops
If System V shmget/shmat operations are used to create a hugetlbfs backed
mapping, it is possible to munmap part of the mapping and split the
underlying vma such that it is not huge page aligned. This will
untimately result in the following BUG:
kernel BUG at /build/linux-jWa1Fv/linux-4.15.0/mm/hugetlb.c:3310!
Oops: Exception in kernel mode, sig: 5 [#1]
LE SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in: kcm nfc af_alg caif_socket caif phonet fcrypt
8<--8<--8<--8< snip 8<--8<--8<--8<
CPU: 18 PID: 43243 Comm: trinity-subchil Tainted: G C E
4.15.0-10-generic #11-Ubuntu
NIP: c00000000036e764 LR: c00000000036ee48 CTR: 0000000000000009
REGS: c000003fbcdcf810 TRAP: 0700 Tainted: G C E
(4.15.0-10-generic)
MSR: 9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 24002222 XER:
20040000
CFAR: c00000000036ee44 SOFTE: 1
GPR00: c00000000036ee48 c000003fbcdcfa90 c0000000016ea600 c000003fbcdcfc40
GPR04: c000003fd9858950 00007115e4e00000 00007115e4e10000 0000000000000000
GPR08: 0000000000000010 0000000000010000 0000000000000000 0000000000000000
GPR12: 0000000000002000 c000000007a2c600 00000fe3985954d0 00007115e4e00000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 00000fe398595a94 000000000000a6fc c000003fd9858950 0000000000018554
GPR24: c000003fdcd84500 c0000000019acd00 00007115e4e10000 c000003fbcdcfc40
GPR28: 0000000000200000 00007115e4e00000 c000003fbc9ac600 c000003fd9858950
NIP [c00000000036e764] __unmap_hugepage_range+0xa4/0x760
LR [c00000000036ee48] __unmap_hugepage_range_final+0x28/0x50
Call Trace:
[c000003fbcdcfa90] [00007115e4e00000] 0x7115e4e00000 (unreliable)
[c000003fbcdcfb50] [c00000000036ee48]
__unmap_hugepage_range_final+0x28/0x50
[c000003fbcdcfb80] [c00000000033497c] unmap_single_vma+0x11c/0x190
[c000003fbcdcfbd0] [c000000000334e14] unmap_vmas+0x94/0x140
[c000003fbcdcfc20] [c00000000034265c] exit_mmap+0x9c/0x1d0
[c000003fbcdcfce0] [c000000000105448] mmput+0xa8/0x1d0
[c000003fbcdcfd10] [c00000000010fad0] do_exit+0x360/0xc80
[c000003fbcdcfdd0] [c0000000001104c0] do_group_exit+0x60/0x100
[c000003fbcdcfe10] [c000000000110584] SyS_exit_group+0x24/0x30
[c000003fbcdcfe30] [c00000000000b184] system_call+0x58/0x6c
Instruction dump:
552907fe e94a0028 e94a0408 eb2a0018 81590008 7f9c5036 0b090000 e9390010
7d2948f8 7d2a2838 0b0a0000 7d293038 <0b090000> e9230086 2fa90000 419e0468
---[ end trace ee88f958a1c62605 ]---
This bug was introduced by 31383c6865a5 ("mm, hugetlbfs: introduce
->split() to vm_operations_struct"). A split function was added to
vm_operations_struct to determine if a mapping can be split. This was
mostly for device-dax and hugetlbfs mappings which have specific alignment
constraints.
Mappings initiated via shmget/shmat have their original vm_ops overwritten
with shm_vm_ops. shm_vm_ops functions will call back to the original
vm_ops if needed. Add such a split function to shm_vm_ops.
Link: http://lkml.kernel.org/r/20180321161314.7711-1-mike.kravetz@oracle.com
Fixes: 31383c6865a5 ("mm, hugetlbfs: introduce ->split() to vm_operations_struct")
Signed-off-by: Mike Kravetz <mike.kravetz(a)oracle.com>
Reported-by: Laurent Dufour <ldufour(a)linux.vnet.ibm.com>
Reviewed-by: Laurent Dufour <ldufour(a)linux.vnet.ibm.com>
Tested-by: Laurent Dufour <ldufour(a)linux.vnet.ibm.com>
Reviewed-by: Dan Williams <dan.j.williams(a)intel.com>
Acked-by: Michal Hocko <mhocko(a)suse.com>
Cc: Davidlohr Bueso <dave(a)stgolabs.net>
Cc: Manfred Spraul <manfred(a)colorfullife.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
ipc/shm.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff -puN ipc/shm.c~shm-add-split-function-to-shm_vm_ops ipc/shm.c
--- a/ipc/shm.c~shm-add-split-function-to-shm_vm_ops
+++ a/ipc/shm.c
@@ -386,6 +386,17 @@ static int shm_fault(struct vm_fault *vm
return sfd->vm_ops->fault(vmf);
}
+static int shm_split(struct vm_area_struct *vma, unsigned long addr)
+{
+ struct file *file = vma->vm_file;
+ struct shm_file_data *sfd = shm_file_data(file);
+
+ if (sfd->vm_ops && sfd->vm_ops->split)
+ return sfd->vm_ops->split(vma, addr);
+
+ return 0;
+}
+
#ifdef CONFIG_NUMA
static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
{
@@ -510,6 +521,7 @@ static const struct vm_operations_struct
.open = shm_open, /* callback for a new vm-area open */
.close = shm_close, /* callback for when the vm-area is released */
.fault = shm_fault,
+ .split = shm_split,
#if defined(CONFIG_NUMA)
.set_policy = shm_set_policy,
.get_policy = shm_get_policy,
_
Patches currently in -mm which might be from mike.kravetz(a)oracle.com are
mm-hugetlbfs-move-hugetlbfs_i-outside-ifdef-config_hugetlbfs.patch
mm-memfd-split-out-memfd-for-use-by-multiple-filesystems.patch
mm-memfd-remove-memfd-code-from-shmem-files-and-use-new-memfd-files.patch
mm-make-start_isolate_page_range-fail-if-already-isolated.patch