- Linux-stable-mirror - lists.linaro.org

by Greg KH

diff --git a/Makefile b/Makefile index 5e66a3704705..786deb6599f1 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ VERSION = 3 PATCHLEVEL = 18 -SUBLEVEL = 81 +SUBLEVEL = 82 EXTRAVERSION = NAME = Diseased Newt diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi index 53e81589368a..1f55187ed9ce 100644 --- a/arch/arm/boot/dts/imx53-qsb-common.dtsi +++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi @@ -215,16 +215,16 @@ pinctrl_fec: fecgrp { fsl,pins = < - MX53_PAD_FEC_MDC__FEC_MDC 0x4 - MX53_PAD_FEC_MDIO__FEC_MDIO 0x1fc - MX53_PAD_FEC_REF_CLK__FEC_TX_CLK 0x180 - MX53_PAD_FEC_RX_ER__FEC_RX_ER 0x180 - MX53_PAD_FEC_CRS_DV__FEC_RX_DV 0x180 - MX53_PAD_FEC_RXD1__FEC_RDATA_1 0x180 - MX53_PAD_FEC_RXD0__FEC_RDATA_0 0x180 - MX53_PAD_FEC_TX_EN__FEC_TX_EN 0x4 - MX53_PAD_FEC_TXD1__FEC_TDATA_1 0x4 - MX53_PAD_FEC_TXD0__FEC_TDATA_0 0x4 + MX53_PAD_FEC_MDC__FEC_MDC 0x80000000 + MX53_PAD_FEC_MDIO__FEC_MDIO 0x80000000 + MX53_PAD_FEC_REF_CLK__FEC_TX_CLK 0x80000000 + MX53_PAD_FEC_RX_ER__FEC_RX_ER 0x80000000 + MX53_PAD_FEC_CRS_DV__FEC_RX_DV 0x80000000 + MX53_PAD_FEC_RXD1__FEC_RDATA_1 0x80000000 + MX53_PAD_FEC_RXD0__FEC_RDATA_0 0x80000000 + MX53_PAD_FEC_TX_EN__FEC_TX_EN 0x80000000 + MX53_PAD_FEC_TXD1__FEC_TDATA_1 0x80000000 + MX53_PAD_FEC_TXD0__FEC_TDATA_0 0x80000000 >; }; diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 88eace4e28c3..22e64fd346ad 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -1070,11 +1070,6 @@ source "arch/powerpc/Kconfig.debug" source "security/Kconfig" -config KEYS_COMPAT - bool - depends on COMPAT && KEYS - default y - source "crypto/Kconfig" config PPC_LIB_RHEAP diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index f2cf1f90295b..1d814b527924 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -332,9 +332,6 @@ config COMPAT config SYSVIPC_COMPAT def_bool y if COMPAT && SYSVIPC -config KEYS_COMPAT - def_bool y if COMPAT && KEYS - config SMP def_bool y prompt "Symmetric multi-processing support" diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig index 96ac69c5eba0..e51b50af6373 100644 --- a/arch/sparc/Kconfig +++ b/arch/sparc/Kconfig @@ -542,9 +542,6 @@ config SYSVIPC_COMPAT depends on COMPAT && SYSVIPC default y -config KEYS_COMPAT - def_bool y if COMPAT && KEYS - endmenu source "net/Kconfig" diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index c9148e268512..a5d100cf8ed6 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2471,10 +2471,6 @@ config COMPAT_FOR_U64_ALIGNMENT config SYSVIPC_COMPAT def_bool y depends on SYSVIPC - -config KEYS_COMPAT - def_bool y - depends on KEYS endif endmenu diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c index 25bd4d701722..063898d429c7 100644 --- a/drivers/input/misc/ims-pcu.c +++ b/drivers/input/misc/ims-pcu.c @@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf) return NULL; } - while (buflen > 0) { + while (buflen >= sizeof(*union_desc)) { union_desc = (struct usb_cdc_union_desc *)buf; + if (union_desc->bLength > buflen) { + dev_err(&intf->dev, "Too large descriptor\n"); + return NULL; + } + if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE && union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) { dev_dbg(&intf->dev, "Found union header\n"); - return union_desc; + + if (union_desc->bLength >= sizeof(*union_desc)) + return union_desc; + + dev_err(&intf->dev, + "Union descriptor to short (%d vs %zd\n)", + union_desc->bLength, sizeof(*union_desc)); + return NULL; } buflen -= union_desc->bLength; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c index 91120f0ed98c..d058c35b4985 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c @@ -1047,6 +1047,8 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, case TUNSETSNDBUF: if (get_user(u, up)) return -EFAULT; + if (u <= 0) + return -EINVAL; q->sk.sk_sndbuf = u; return 0; diff --git a/drivers/net/tun.c b/drivers/net/tun.c index a4685a22f665..3067f840210e 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1656,6 +1656,9 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) if (!dev) return -ENOMEM; + err = dev_get_valid_name(net, dev, name); + if (err < 0) + goto err_free_dev; dev_net_set(dev, net); dev->rtnl_link_ops = &tun_link_ops; @@ -2054,6 +2057,10 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, ret = -EFAULT; break; } + if (sndbuf <= 0) { + ret = -EINVAL; + break; + } tun->sndbuf = sndbuf; tun_set_sndbuf(tun); diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c index ce844e980990..801369f882b3 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -1749,7 +1749,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, struct iscsi_tm *hdr; int out_of_order_cmdsn = 0, ret; bool sess_ref = false; - u8 function; + u8 function, tcm_function = TMR_UNKNOWN; hdr = (struct iscsi_tm *) buf; hdr->flags &= ~ISCSI_FLAG_CMD_FINAL; @@ -1795,10 +1795,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, * LIO-Target $FABRIC_MOD */ if (function != ISCSI_TM_FUNC_TASK_REASSIGN) { - - u8 tcm_function; - int ret; - transport_init_se_cmd(&cmd->se_cmd, &lio_target_fabric_configfs->tf_ops, conn->sess->se_sess, 0, DMA_NONE, @@ -1835,15 +1831,14 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, return iscsit_add_reject_cmd(cmd, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); } - - ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, - tcm_function, GFP_KERNEL); - if (ret < 0) - return iscsit_add_reject_cmd(cmd, + } + ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, tcm_function, + GFP_KERNEL); + if (ret < 0) + return iscsit_add_reject_cmd(cmd, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); - cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req; - } + cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req; cmd->iscsi_opcode = ISCSI_OP_SCSI_TMFUNC; cmd->i_state = ISTATE_SEND_TASKMGTRSP; diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index 58b4c2828ee9..9176837442e9 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -183,12 +183,13 @@ found: return tmp; } - if (in) { + if (in) dev->in_pipe = usb_rcvbulkpipe(udev, in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); + if (out) dev->out_pipe = usb_sndbulkpipe(udev, out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); - } + if (iso_in) { dev->iso_in = &iso_in->desc; dev->in_iso_pipe = usb_rcvisocpipe(udev, diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 45692e8a9397..cefca661464b 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -1748,7 +1748,6 @@ static int try_flush_caps(struct inode *inode, unsigned *flush_tid) retry: spin_lock(&ci->i_ceph_lock); if (ci->i_ceph_flags & CEPH_I_NOFLUSH) { - spin_unlock(&ci->i_ceph_lock); dout("try_flush_caps skipping %p I_NOFLUSH set\n", inode); goto out; } @@ -1766,10 +1765,8 @@ retry: mutex_lock(&session->s_mutex); goto retry; } - if (cap->session->s_state < CEPH_MDS_SESSION_OPEN) { - spin_unlock(&ci->i_ceph_lock); + if (cap->session->s_state < CEPH_MDS_SESSION_OPEN) goto out; - } flushing = __mark_caps_flushing(inode, session); diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 49ac10f99da0..de98fd0fc5b0 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -3245,6 +3245,9 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name, unsigned char name_assign_type, void (*setup)(struct net_device *), unsigned int txqs, unsigned int rxqs); +int dev_get_valid_name(struct net *net, struct net_device *dev, + const char *name); + #define alloc_netdev(sizeof_priv, name, name_assign_type, setup) \ alloc_netdev_mqs(sizeof_priv, name, name_assign_type, setup, 1, 1) diff --git a/include/net/tcp.h b/include/net/tcp.h index 7219b8f38cef..2cd7003a8a19 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1532,12 +1532,12 @@ static inline void tcp_highest_sack_reset(struct sock *sk) tcp_sk(sk)->highest_sack = tcp_write_queue_head(sk); } -/* Called when old skb is about to be deleted (to be combined with new skb) */ -static inline void tcp_highest_sack_combine(struct sock *sk, +/* Called when old skb is about to be deleted and replaced by new skb */ +static inline void tcp_highest_sack_replace(struct sock *sk, struct sk_buff *old, struct sk_buff *new) { - if (tcp_sk(sk)->sacked_out && (old == tcp_sk(sk)->highest_sack)) + if (old == tcp_highest_sack(sk)) tcp_sk(sk)->highest_sack = new; } diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h index d1e7cb952168..ab4bff088898 100644 --- a/include/target/target_core_base.h +++ b/include/target/target_core_base.h @@ -231,6 +231,7 @@ enum tcm_tmreq_table { TMR_LUN_RESET = 5, TMR_TARGET_WARM_RESET = 6, TMR_TARGET_COLD_RESET = 7, + TMR_UNKNOWN = 0xff, }; /* fabric independent task management response values */ diff --git a/net/core/dev.c b/net/core/dev.c index 21b0bd976699..93e36e9102e9 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1059,9 +1059,8 @@ static int dev_alloc_name_ns(struct net *net, return ret; } -static int dev_get_valid_name(struct net *net, - struct net_device *dev, - const char *name) +int dev_get_valid_name(struct net *net, struct net_device *dev, + const char *name) { BUG_ON(!net); @@ -1077,6 +1076,7 @@ static int dev_get_valid_name(struct net *net, return 0; } +EXPORT_SYMBOL(dev_get_valid_name); /** * dev_change_name - change name of a device diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c index 37096d64730e..1dac2436b4d5 100644 --- a/net/ipv4/ipip.c +++ b/net/ipv4/ipip.c @@ -128,43 +128,68 @@ static struct rtnl_link_ops ipip_link_ops __read_mostly; static int ipip_err(struct sk_buff *skb, u32 info) { - -/* All the routers (except for Linux) return only - 8 bytes of packet payload. It means, that precise relaying of - ICMP in the real Internet is absolutely infeasible. - */ + /* All the routers (except for Linux) return only + 8 bytes of packet payload. It means, that precise relaying of + ICMP in the real Internet is absolutely infeasible. + */ struct net *net = dev_net(skb->dev); struct ip_tunnel_net *itn = net_generic(net, ipip_net_id); const struct iphdr *iph = (const struct iphdr *)skb->data; - struct ip_tunnel *t; - int err; const int type = icmp_hdr(skb)->type; const int code = icmp_hdr(skb)->code; + struct ip_tunnel *t; + int err = 0; + + switch (type) { + case ICMP_DEST_UNREACH: + switch (code) { + case ICMP_SR_FAILED: + /* Impossible event. */ + goto out; + default: + /* All others are translated to HOST_UNREACH. + * rfc2003 contains "deep thoughts" about NET_UNREACH, + * I believe they are just ether pollution. --ANK + */ + break; + } + break; + + case ICMP_TIME_EXCEEDED: + if (code != ICMP_EXC_TTL) + goto out; + break; + + case ICMP_REDIRECT: + break; + + default: + goto out; + } - err = -ENOENT; t = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, iph->daddr, iph->saddr, 0); - if (t == NULL) + if (!t) { + err = -ENOENT; goto out; + } if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) { - ipv4_update_pmtu(skb, dev_net(skb->dev), info, - t->parms.link, 0, IPPROTO_IPIP, 0); - err = 0; + ipv4_update_pmtu(skb, net, info, t->parms.link, 0, + iph->protocol, 0); goto out; } if (type == ICMP_REDIRECT) { - ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0, - IPPROTO_IPIP, 0); - err = 0; + ipv4_redirect(skb, net, t->parms.link, 0, iph->protocol, 0); goto out; } - if (t->parms.iph.daddr == 0) + if (t->parms.iph.daddr == 0) { + err = -ENOENT; goto out; + } - err = 0; if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED) goto out; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 2adfa23285be..ff47e881e205 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1870,6 +1870,7 @@ static int tcp_mtu_probe(struct sock *sk) nskb->ip_summed = skb->ip_summed; tcp_insert_write_queue_before(nskb, skb, sk); + tcp_highest_sack_replace(sk, skb, nskb); len = 0; tcp_for_write_queue_from_safe(skb, next, sk) { @@ -2374,7 +2375,7 @@ static void tcp_collapse_retrans(struct sock *sk, struct sk_buff *skb) BUG_ON(tcp_skb_pcount(skb) != 1 || tcp_skb_pcount(next_skb) != 1); - tcp_highest_sack_combine(sk, next_skb, skb); + tcp_highest_sack_replace(sk, next_skb, skb); tcp_unlink_write_queue(next_skb, sk); diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c index a837f2065d2a..1a83031bcddd 100644 --- a/net/ipv6/ip6_flowlabel.c +++ b/net/ipv6/ip6_flowlabel.c @@ -316,6 +316,7 @@ struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space, } opt_space->dst1opt = fopt->dst1opt; opt_space->opt_flen = fopt->opt_flen; + opt_space->tot_len = fopt->tot_len; return opt_space; } EXPORT_SYMBOL_GPL(fl6_merge_options); diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index 77adf255d238..a97e74023e34 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -409,13 +409,16 @@ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, case ICMPV6_DEST_UNREACH: net_warn_ratelimited("%s: Path to destination invalid or inactive!\n", t->parms.name); - break; + if (code != ICMPV6_PORT_UNREACH) + break; + return; case ICMPV6_TIME_EXCEED: if (code == ICMPV6_EXC_HOPLIMIT) { net_warn_ratelimited("%s: Too small hop limit or routing loop in tunnel!\n", t->parms.name); + break; } - break; + return; case ICMPV6_PARAMPROB: teli = 0; if (code == ICMPV6_HDR_FIELD) @@ -431,13 +434,13 @@ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, net_warn_ratelimited("%s: Recipient unable to parse tunneled packet!\n", t->parms.name); } - break; + return; case ICMPV6_PKT_TOOBIG: mtu = be32_to_cpu(info) - offset; if (mtu < IPV6_MIN_MTU) mtu = IPV6_MIN_MTU; t->dev->mtu = mtu; - break; + return; } if (time_before(jiffies, t->err_time + IP6TUNNEL_ERR_TIMEO)) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index f71de459139f..6db1f8ad8ac3 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1177,11 +1177,11 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, if (WARN_ON(np->cork.opt)) return -EINVAL; - np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation); + np->cork.opt = kzalloc(sizeof(*opt), sk->sk_allocation); if (unlikely(np->cork.opt == NULL)) return -ENOBUFS; - np->cork.opt->tot_len = opt->tot_len; + np->cork.opt->tot_len = sizeof(*opt); np->cork.opt->opt_flen = opt->opt_flen; np->cork.opt->opt_nflen = opt->opt_nflen; diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 5a234fbe2fec..447843b24d7d 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -1017,6 +1017,9 @@ static int pppol2tp_session_ioctl(struct l2tp_session *session, session->name, cmd, arg); sk = ps->sock; + if (!sk) + return -EBADR; + sock_hold(sk); switch (cmd) { diff --git a/net/mac80211/key.c b/net/mac80211/key.c index 94368404744b..375ff902a142 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -4,6 +4,7 @@ * Copyright 2006-2007 Jiri Benc <jbenc(a)suse.cz> * Copyright 2007-2008 Johannes Berg <johannes(a)sipsolutions.net> * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright 2017 Intel Deutschland GmbH * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as @@ -18,6 +19,7 @@ #include <linux/slab.h> #include <linux/export.h> #include <net/mac80211.h> +#include <crypto/algapi.h> #include <asm/unaligned.h> #include "ieee80211_i.h" #include "driver-ops.h" @@ -474,6 +476,39 @@ void ieee80211_key_free_unused(struct ieee80211_key *key) ieee80211_key_free_common(key); } +static bool ieee80211_key_identical(struct ieee80211_sub_if_data *sdata, + struct ieee80211_key *old, + struct ieee80211_key *new) +{ + u8 tkip_old[WLAN_KEY_LEN_TKIP], tkip_new[WLAN_KEY_LEN_TKIP]; + u8 *tk_old, *tk_new; + + if (!old || new->conf.keylen != old->conf.keylen) + return false; + + tk_old = old->conf.key; + tk_new = new->conf.key; + + /* + * In station mode, don't compare the TX MIC key, as it's never used + * and offloaded rekeying may not care to send it to the host. This + * is the case in iwlwifi, for example. + */ + if (sdata->vif.type == NL80211_IFTYPE_STATION && + new->conf.cipher == WLAN_CIPHER_SUITE_TKIP && + new->conf.keylen == WLAN_KEY_LEN_TKIP && + !(new->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) { + memcpy(tkip_old, tk_old, WLAN_KEY_LEN_TKIP); + memcpy(tkip_new, tk_new, WLAN_KEY_LEN_TKIP); + memset(tkip_old + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); + memset(tkip_new + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); + tk_old = tkip_old; + tk_new = tkip_new; + } + + return !crypto_memneq(tk_old, tk_new, new->conf.keylen); +} + int ieee80211_key_link(struct ieee80211_key *key, struct ieee80211_sub_if_data *sdata, struct sta_info *sta) @@ -485,9 +520,6 @@ int ieee80211_key_link(struct ieee80211_key *key, pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; idx = key->conf.keyidx; - key->local = sdata->local; - key->sdata = sdata; - key->sta = sta; mutex_lock(&sdata->local->key_mtx); @@ -498,6 +530,20 @@ int ieee80211_key_link(struct ieee80211_key *key, else old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); + /* + * Silently accept key re-installation without really installing the + * new version of the key to avoid nonce reuse or replay issues. + */ + if (ieee80211_key_identical(sdata, old_key, key)) { + ieee80211_key_free_unused(key); + ret = 0; + goto out; + } + + key->local = sdata->local; + key->sdata = sdata; + key->sta = sta; + increment_tailroom_need_count(sdata); ieee80211_key_replace(sdata, sta, pairwise, old_key, key); @@ -513,6 +559,7 @@ int ieee80211_key_link(struct ieee80211_key *key, ret = 0; } + out: mutex_unlock(&sdata->local->key_mtx); return ret; diff --git a/net/sctp/input.c b/net/sctp/input.c index 2d7859c03fd2..71c2ef84c5b0 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -420,7 +420,7 @@ void sctp_icmp_redirect(struct sock *sk, struct sctp_transport *t, { struct dst_entry *dst; - if (!t) + if (sock_owned_by_user(sk) || !t) return; dst = sctp_transport_dst_check(t); if (dst) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 92c6eac72ea6..07324ca1df1d 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -173,6 +173,36 @@ static inline void sctp_set_owner_w(struct sctp_chunk *chunk) sk_mem_charge(sk, chunk->skb->truesize); } +static void sctp_clear_owner_w(struct sctp_chunk *chunk) +{ + skb_orphan(chunk->skb); +} + +static void sctp_for_each_tx_datachunk(struct sctp_association *asoc, + void (*cb)(struct sctp_chunk *)) + +{ + struct sctp_outq *q = &asoc->outqueue; + struct sctp_transport *t; + struct sctp_chunk *chunk; + + list_for_each_entry(t, &asoc->peer.transport_addr_list, transports) + list_for_each_entry(chunk, &t->transmitted, transmitted_list) + cb(chunk); + + list_for_each_entry(chunk, &q->retransmit, list) + cb(chunk); + + list_for_each_entry(chunk, &q->sacked, list) + cb(chunk); + + list_for_each_entry(chunk, &q->abandoned, list) + cb(chunk); + + list_for_each_entry(chunk, &q->out_chunk_list, list) + cb(chunk); +} + /* Verify that this is a valid address. */ static inline int sctp_verify_addr(struct sock *sk, union sctp_addr *addr, int len) @@ -7367,7 +7397,9 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, * paths won't try to lock it and then oldsk. */ lock_sock_nested(newsk, SINGLE_DEPTH_NESTING); + sctp_for_each_tx_datachunk(assoc, sctp_clear_owner_w); sctp_assoc_migrate(assoc, newsk); + sctp_for_each_tx_datachunk(assoc, sctp_set_owner_w); /* If the association on the newsk is already closed before accept() * is called, set RCV_SHUTDOWN flag. diff --git a/net/unix/diag.c b/net/unix/diag.c index 9d4218fc0a61..c4e4e2f664e8 100644 --- a/net/unix/diag.c +++ b/net/unix/diag.c @@ -256,6 +256,8 @@ static int unix_diag_get_exact(struct sk_buff *in_skb, err = -ENOENT; if (sk == NULL) goto out_nosk; + if (!net_eq(sock_net(sk), net)) + goto out; err = sock_diag_check_cookie(sk, req->udiag_cookie); if (err) diff --git a/security/keys/Kconfig b/security/keys/Kconfig index a4f3f8c48d6e..d7734b53b3a8 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -20,6 +20,10 @@ config KEYS If you are unsure as to whether this is required, answer N. +config KEYS_COMPAT + def_bool y + depends on COMPAT && KEYS + config PERSISTENT_KEYRINGS bool "Enable register of persistent per-UID keyrings" depends on KEYS

7 years, 7 months

1
0
0 0

[Linux-stable-mirror] [nfsd4] potentially hardware breaking regression in 4.14-rc and 4.13.11

by Patrick McLean

As of 4.13.11 (and also with 4.14-rc) we have an issue where when serving nfs4 sometimes we get the following BUG. When this bug happens, it usually also causes the motherboard to no longer POST until we externally re-flash the BIOS (using the BMC web interface). If a motherboard does not have an external way to flash the BIOS, this would brick the hardware. The issue was introduced somewhere between 4.13.8 and 4.13.11 in the stable series 4.13 kernels. It seems to be much easier to trigger on 4.14 kernels than 4.13 kernels. We are working on bisecting it, but it is slow going since it often takes several reboots to trigger the issue. The taint is caused by the "gkuart" an out-of-kernel driver which is a fork of the cp210x driver with GPIO lines added to it, we can provide the source for this if needed. When the BIOS is gets broke, we see these messages in the shutdown logs: > [ 2206.698884] kvm: exiting hardware virtualization > [ 2206.700160] e1000e: EEE TX LPI TIMER: 00t > [ 2206.743126] ACPI MEMORY or I/O RESET_REG. Here is the BUG we are getting: > [ 58.962528] BUG: unable to handle kernel NULL pointer dereference at 0000000000000230 > [ 58.963918] IP: vfs_statfs+0x73/0xb0 > [ 58.964597] PGD 0 P4D 0 > [ 58.965208] Oops: 0000 [#1] SMP > [ 58.965847] Modules linked in: ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_multiport xt_addrtype iptable_mangle iptable_raw iptable_nat nf_nat_ipv4 nf_nat gkuart(O) usbserial x86_pkg_temp_thermal ipmi_ssif tpm_tis tpm_tis_core ie31200_edac ext4 mbcache jbd2 e1000e crc32c_intel > [ 58.969163] CPU: 0 PID: 3970 Comm: nfsd Tainted: G O 4.14.0-rc8-git-kratos-1-00012-gd6a2cf07f0c9 #1 > [ 58.970693] Hardware name: TYAN S5510/S5510, BIOS V2.02 03/12/2013 > [ 58.971685] task: ffff88040b286200 task.stack: ffffc90002c94000 > [ 58.972576] RIP: 0010:vfs_statfs+0x73/0xb0 > [ 58.973329] RSP: 0018:ffffc90002c97b30 EFLAGS: 00010202 > [ 58.974188] RAX: 0000000000000000 RBX: ffffc90002c97bf8 RCX: 0000000000001c00 > [ 58.975253] RDX: 0000000000000c00 RSI: 0000000000000020 RDI: 0000000000000000 > [ 58.976213] RBP: ffffc90002c97bc8 R08: 0000000000000000 R09: 00000000000000ff > [ 58.977161] R10: 000000000038be3a R11: ffff88040ec440c8 R12: ffff88040c5ba000 > [ 58.978107] R13: ffff88040a86e000 R14: ffff88040c5c1000 R15: ffffc90002c97bf8 > [ 58.979051] FS: 0000000000000000(0000) GS:ffff88041fc00000(0000) knlGS:0000000000000000 > [ 58.980448] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 58.981419] CR2: 0000000000000230 CR3: 0000000001e0a002 CR4: 00000000001606f0 > [ 58.982483] Call Trace: > [ 58.983108] nfsd4_encode_fattr+0x1f3/0x2070 > [ 58.983873] ? find_inode_fast+0x52/0x90 > [ 58.984587] ? get_acl+0x17/0xf0 > [ 58.985258] ? generic_permission+0x122/0x1a0 > [ 58.986019] nfsd4_encode_getattr+0x25/0x30 > [ 58.986746] nfsd4_encode_operation+0x98/0x1a0 > [ 58.987485] nfsd4_proc_compound+0x3eb/0x5c0 > [ 58.988206] nfsd_dispatch+0xa8/0x230 > [ 58.988891] svc_process_common+0x347/0x640 > [ 58.989619] svc_process+0x100/0x1b0 > [ 58.990334] nfsd+0xe3/0x150 > [ 58.990988] kthread+0xfc/0x130 > [ 58.991651] ? nfsd_destroy+0x60/0x60 > [ 58.992364] ? kthread_create_on_node+0x40/0x40 > [ 58.993153] ret_from_fork+0x25/0x30 > [ 58.993858] Code: d1 83 c9 08 40 f6 c6 04 0f 45 d1 89 d1 80 cd 04 40 f6 c6 08 0f 45 d1 89 d1 80 cd 08 40 f6 c6 10 0f 45 d1 89 d1 80 cd 10 83 e6 20 <48> 8b b7 30 02 00 00 0f 45 d1 83 ca 20 89 f1 83 e1 10 89 cf 83 > [ 58.996592] RIP: vfs_statfs+0x73/0xb0 RSP: ffffc90002c97b30 > [ 58.997474] CR2: 0000000000000230 > [ 58.998147] ---[ end trace c3a6e976d53aaa00 ]--- > [ 107.669217] random: crng init done > [ 210.170059] BUG: unable to handle kernel NULL pointer dereference at 0000000000000230 > [ 210.176363] IP: vfs_statfs+0x73/0xb0 > [ 210.177032] PGD 0 P4D 0 > [ 210.177633] Oops: 0000 [#2] SMP > [ 210.178286] Modules linked in: ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_multiport xt_addrtype iptable_mangle iptable_raw iptable_nat nf_nat_ipv4 nf_nat gkuart(O) usbserial x86_pkg_temp_thermal ipmi_ssif tpm_tis tpm_tis_core ie31200_edac ext4 mbcache jbd2 e1000e crc32c_intel > [ 210.192120] CPU: 0 PID: 3969 Comm: nfsd Tainted: G D O 4.14.0-rc8-git-kratos-1-00012-gd6a2cf07f0c9 #1 > [ 210.203168] Hardware name: TYAN S5510/S5510, BIOS V2.02 03/12/2013 > [ 210.204140] task: ffff880409a7aa00 task.stack: ffffc90002c8c000 > [ 210.205168] RIP: 0010:vfs_statfs+0x73/0xb0 > [ 210.205893] RSP: 0018:ffffc90002c8fb30 EFLAGS: 00010202 > [ 210.206708] RAX: 0000000000000000 RBX: ffffc90002c8fbf8 RCX: 0000000000001c00 > [ 210.218314] RDX: 0000000000000c00 RSI: 0000000000000020 RDI: 0000000000000000 > [ 210.219364] RBP: ffffc90002c8fbc8 R08: 0000000000000000 R09: 00000000000000ff > [ 210.220426] R10: 000000000038be3a R11: ffff88040ec440c8 R12: ffff88040c5b8000 > [ 210.221455] R13: ffff88040a86e000 R14: ffff88040c5c4000 R15: ffffc90002c8fbf8 > [ 210.222484] FS: 0000000000000000(0000) GS:ffff88041fc00000(0000) knlGS:0000000000000000 > [ 210.223894] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 210.224938] CR2: 0000000000000230 CR3: 0000000001e0a003 CR4: 00000000001606f0 > [ 210.226020] Call Trace: > [ 210.226615] nfsd4_encode_fattr+0x1f3/0x2070 > [ 210.227348] ? find_inode_fast+0x52/0x90 > [ 210.238225] ? get_acl+0x17/0xf0 > [ 210.238890] ? generic_permission+0x122/0x1a0 > [ 210.239637] nfsd4_encode_getattr+0x25/0x30 > [ 210.240365] nfsd4_encode_operation+0x98/0x1a0 > [ 210.241127] nfsd4_proc_compound+0x3eb/0x5c0 > [ 210.241868] nfsd_dispatch+0xa8/0x230 > [ 210.242564] svc_process_common+0x347/0x640 > [ 210.243294] svc_process+0x100/0x1b0 > [ 210.243969] nfsd+0xe3/0x150 > [ 210.244582] kthread+0xfc/0x130 > [ 210.255467] ? nfsd_destroy+0x60/0x60 > [ 210.256153] ? kthread_create_on_node+0x40/0x40 > [ 210.256892] ret_from_fork+0x25/0x30 > [ 210.257570] Code: d1 83 c9 08 40 f6 c6 04 0f 45 d1 89 d1 80 cd 04 40 f6 c6 08 0f 45 d1 89 d1 80 cd 08 40 f6 c6 10 0f 45 d1 89 d1 80 cd 10 83 e6 20 <48> 8b b7 30 02 00 00 0f 45 d1 83 ca 20 89 f1 83 e1 10 89 cf 83 > [ 210.260340] RIP: vfs_statfs+0x73/0xb0 RSP: ffffc90002c8fb30 > [ 210.261157] CR2: 0000000000000230 > [ 210.261810] ---[ end trace c3a6e976d53aaa01 ]---

7 years, 7 months

9
36
0 0

[Linux-stable-mirror] [PATCH AUTOSEL for 4.9 01/56] ACPICA: Resources: Not a valid resource if buffer length too long

by alexander.levin＠verizon.com

From: Bob Moore <robert.moore(a)intel.com> [ Upstream commit 57707a9a7780fab426b8ae9b4c7b65b912a748b3 ] ACPICA commit 9f76de2d249b18804e35fb55d14b1c2604d627a1 ACPICA commit b2e89d72ef1e9deefd63c3fd1dee90f893575b3a ACPICA commit 23b5bbe6d78afd3c5abf3adb91a1b098a3000b2e The declared buffer length must be the same as the length of the byte initializer list, otherwise not a valid resource descriptor. Link: https://github.com/acpica/acpica/commit/9f76de2d Link: https://github.com/acpica/acpica/commit/b2e89d72 Link: https://github.com/acpica/acpica/commit/23b5bbe6 Signed-off-by: Bob Moore <robert.moore(a)intel.com> Signed-off-by: Lv Zheng <lv.zheng(a)intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> --- drivers/acpi/acpica/utresrc.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/drivers/acpi/acpica/utresrc.c b/drivers/acpi/acpica/utresrc.c index 1de3376da66a..2ad99ea3d496 100644 --- a/drivers/acpi/acpica/utresrc.c +++ b/drivers/acpi/acpica/utresrc.c @@ -421,8 +421,10 @@ acpi_ut_walk_aml_resources(struct acpi_walk_state *walk_state, ACPI_FUNCTION_TRACE(ut_walk_aml_resources); - /* The absolute minimum resource template is one end_tag descriptor */ - + /* + * The absolute minimum resource template is one end_tag descriptor. + * However, we will treat a lone end_tag as just a simple buffer. + */ if (aml_length < sizeof(struct aml_resource_end_tag)) { return_ACPI_STATUS(AE_AML_NO_RESOURCE_END_TAG); } @@ -454,9 +456,8 @@ acpi_ut_walk_aml_resources(struct acpi_walk_state *walk_state, /* Invoke the user function */ if (user_function) { - status = - user_function(aml, length, offset, resource_index, - context); + status = user_function(aml, length, offset, + resource_index, context); if (ACPI_FAILURE(status)) { return_ACPI_STATUS(status); } @@ -480,6 +481,12 @@ acpi_ut_walk_aml_resources(struct acpi_walk_state *walk_state, *context = aml; } + /* Check if buffer is defined to be longer than the resource length */ + + if (aml_length > (offset + length)) { + return_ACPI_STATUS(AE_AML_NO_RESOURCE_END_TAG); + } + /* Normal exit */ return_ACPI_STATUS(AE_OK); -- 2.11.0

7 years, 7 months

5
67
0 0

Re: [Linux-stable-mirror] [PATCH 4.13 00/44] 4.13.14-stable review

by Greg Kroah-Hartman

On Thu, Nov 16, 2017 at 04:02:28PM -0800, kernelci.org bot wrote: > stable-rc/linux-4.13.y boot: 241 boots: 10 failed, 225 passed with 5 offline, 1 conflict (v4.13.13-45-gff52a5099e0b) > > Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.13.y/kernel/v4.1… > Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.13.y/kernel/v4.13.13-45… > > Tree: stable-rc > Branch: linux-4.13.y > Git Describe: v4.13.13-45-gff52a5099e0b > Git Commit: ff52a5099e0b6063a807ff017528b0b3fa78ad58 > Git URL: http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git > Tested: 88 unique boards, 24 SoC families, 21 builds out of 188 > > Boot Regressions Detected: > > arm: > > at91_dt_defconfig: > at91sam9261ek: > lab-free-electrons: new failure (last pass: v4.13.13) Hm, is this something to worry about? > exynos_defconfig: > exynos4412-odroidx2_rootfs:nfs: > lab-collabora: failing since 7 days (last pass: v4.13.11-37-g2295c8345797 - first fail: v4.13.12) > exynos5250-snow_rootfs:nfs: > lab-collabora: failing since 7 days (last pass: v4.13.11-37-g2295c8345797 - first fail: v4.13.12) > exynos5422-odroidxu3_rootfs:nfs: > lab-collabora: failing since 7 days (last pass: v4.13.5 - first fail: v4.13.12) > > omap2plus_defconfig: > am335x-boneblack_rootfs:nfs: > lab-collabora: failing since 7 days (last pass: v4.13.11-37-g2295c8345797 - first fail: v4.13.12) > > tegra_defconfig: > tegra124-jetson-tk1_rootfs:nfs: > lab-collabora: failing since 7 days (last pass: v4.13.11-37-g2295c8345797 - first fail: v4.13.12) For these I'm just guessing the collabora lab fell off the map :) thanks, greg k-h

7 years, 7 months

2
1
0 0

[Linux-stable-mirror] [patch 57/94] nilfs2: fix race condition that causes file system corruption

by akpm＠linux-foundation.org

From: Andreas Rohner <andreas.rohner(a)gmx.net> Subject: nilfs2: fix race condition that causes file system corruption There is a race condition between nilfs_dirty_inode() and nilfs_set_file_dirty(). When a file is opened, nilfs_dirty_inode() is called to update the access timestamp in the inode. It calls __nilfs_mark_inode_dirty() in a separate transaction. __nilfs_mark_inode_dirty() caches the ifile buffer_head in the i_bh field of the inode info structure and marks it as dirty. After some data was written to the file in another transaction, the function nilfs_set_file_dirty() is called, which adds the inode to the ns_dirty_files list. Then the segment construction calls nilfs_segctor_collect_dirty_files(), which goes through the ns_dirty_files list and checks the i_bh field. If there is a cached buffer_head in i_bh it is not marked as dirty again. Since nilfs_dirty_inode() and nilfs_set_file_dirty() use separate transactions, it is possible that a segment construction that writes out the ifile occurs in-between the two. If this happens the inode is not on the ns_dirty_files list, but its ifile block is still marked as dirty and written out. In the next segment construction, the data for the file is written out and nilfs_bmap_propagate() updates the b-tree. Eventually the bmap root is written into the i_bh block, which is not dirty, because it was written out in another segment construction. As a result the bmap update can be lost, which leads to file system corruption. Either the virtual block address points to an unallocated DAT block, or the DAT entry will be reused for something different. The error can remain undetected for a long time. A typical error message would be one of the "bad btree" errors or a warning that a DAT entry could not be found. This bug can be reproduced reliably by a simple benchmark that creates and overwrites millions of 4k files. Link: http://lkml.kernel.org/r/1509367935-3086-2-git-send-email-konishi.ryusuke@l… Signed-off-by: Andreas Rohner <andreas.rohner(a)gmx.net> Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)lab.ntt.co.jp> Tested-by: Andreas Rohner <andreas.rohner(a)gmx.net> Tested-by: Ryusuke Konishi <konishi.ryusuke(a)lab.ntt.co.jp> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/segment.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff -puN fs/nilfs2/segment.c~nilfs2-fix-race-condition-that-causes-file-system-corruption fs/nilfs2/segment.c --- a/fs/nilfs2/segment.c~nilfs2-fix-race-condition-that-causes-file-system-corruption +++ a/fs/nilfs2/segment.c @@ -1954,8 +1954,6 @@ static int nilfs_segctor_collect_dirty_f err, ii->vfs_inode.i_ino); return err; } - mark_buffer_dirty(ibh); - nilfs_mdt_mark_dirty(ifile); spin_lock(&nilfs->ns_inode_lock); if (likely(!ii->i_bh)) ii->i_bh = ibh; @@ -1964,6 +1962,10 @@ static int nilfs_segctor_collect_dirty_f goto retry; } + // Always redirty the buffer to avoid race condition + mark_buffer_dirty(ii->i_bh); + nilfs_mdt_mark_dirty(ifile); + clear_bit(NILFS_I_QUEUED, &ii->i_state); set_bit(NILFS_I_BUSY, &ii->i_state); list_move_tail(&ii->i_dirty, &sci->sc_dirty_files); _

7 years, 7 months

1
0
0 0

[Linux-stable-mirror] [patch 51/94] autofs: don't fail mount for transient error

by akpm＠linux-foundation.org

From: NeilBrown <neilb(a)suse.com> Subject: autofs: don't fail mount for transient error Currently if the autofs kernel module gets an error when writing to the pipe which links to the daemon, then it marks the whole moutpoint as catatonic, and it will stop working. It is possible that the error is transient. This can happen if the daemon is slow and more than 16 requests queue up. If a subsequent process tries to queue a request, and is then signalled, the write to the pipe will return -ERESTARTSYS and autofs will take that as total failure. So change the code to assess -ERESTARTSYS and -ENOMEM as transient failures which only abort the current request, not the whole mountpoint. It isn't a crash or a data corruption, but having autofs mountpoints suddenly stop working is rather inconvenient. Ian said: : And given the problems with a half dozen (or so) user space applications : consuming large amounts of CPU under heavy mount and umount activity this : could happen more easily than we expect. Link: http://lkml.kernel.org/r/87y3norvgp.fsf@notabene.neil.brown.name Signed-off-by: NeilBrown <neilb(a)suse.com> Acked-by: Ian Kent <raven(a)themaw.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/autofs4/waitq.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff -puN fs/autofs4/waitq.c~autofs-dont-fail-mount-for-transient-error fs/autofs4/waitq.c --- a/fs/autofs4/waitq.c~autofs-dont-fail-mount-for-transient-error +++ a/fs/autofs4/waitq.c @@ -81,7 +81,8 @@ static int autofs4_write(struct autofs_s spin_unlock_irqrestore(&current->sighand->siglock, flags); } - return (bytes > 0); + /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */ + return bytes == 0 ? 0 : wr < 0 ? wr : -EIO; } static void autofs4_notify_daemon(struct autofs_sb_info *sbi, @@ -95,6 +96,7 @@ static void autofs4_notify_daemon(struct } pkt; struct file *pipe = NULL; size_t pktsz; + int ret; pr_debug("wait id = 0x%08lx, name = %.*s, type=%d\n", (unsigned long) wq->wait_queue_token, @@ -169,7 +171,18 @@ static void autofs4_notify_daemon(struct mutex_unlock(&sbi->wq_mutex); if (autofs4_write(sbi, pipe, &pkt, pktsz)) + switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) { + case 0: + break; + case -ENOMEM: + case -ERESTARTSYS: + /* Just fail this one */ + autofs4_wait_release(sbi, wq->wait_queue_token, ret); + break; + default: autofs4_catatonic_mode(sbi); + break; + } fput(pipe); } _

7 years, 7 months

1
0
0 0

[Linux-stable-mirror] [patch 02/94] mm/z3fold.c: use kref to prevent page free/compact race

by akpm＠linux-foundation.org

From: Vitaly Wool <vitalywool(a)gmail.com> Subject: mm/z3fold.c: use kref to prevent page free/compact race There is a race in the current z3fold implementation between do_compact() called in a work queue context and the page release procedure when page's kref goes to 0. do_compact() may be waiting for page lock, which is released by release_z3fold_page_locked right before putting the page onto the "stale" list, and then the page may be freed as do_compact() modifies its contents. The mechanism currently implemented to handle that (checking the PAGE_STALE flag) is not reliable enough. Instead, we'll use page's kref counter to guarantee that the page is not released if its compaction is scheduled. It then becomes compaction function's responsibility to decrease the counter and quit immediately if the page was actually freed. Link: http://lkml.kernel.org/r/20171117092032.00ea56f42affbed19f4fcc6c@gmail.com Signed-off-by: Vitaly Wool <vitaly.wool(a)sonymobile.com> Cc: <Oleksiy.Avramchenko(a)sony.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/z3fold.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff -puN mm/z3fold.c~z3fold-use-kref-to-prevent-page-free-compact-race mm/z3fold.c --- a/mm/z3fold.c~z3fold-use-kref-to-prevent-page-free-compact-race +++ a/mm/z3fold.c @@ -404,8 +404,7 @@ static void do_compact_page(struct z3fol WARN_ON(z3fold_page_trylock(zhdr)); else z3fold_page_lock(zhdr); - if (test_bit(PAGE_STALE, &page->private) || - !test_and_clear_bit(NEEDS_COMPACTING, &page->private)) { + if (WARN_ON(!test_and_clear_bit(NEEDS_COMPACTING, &page->private))) { z3fold_page_unlock(zhdr); return; } @@ -413,6 +412,11 @@ static void do_compact_page(struct z3fol list_del_init(&zhdr->buddy); spin_unlock(&pool->lock); + if (kref_put(&zhdr->refcount, release_z3fold_page_locked)) { + atomic64_dec(&pool->pages_nr); + return; + } + z3fold_compact_page(zhdr); unbuddied = get_cpu_ptr(pool->unbuddied); fchunks = num_free_chunks(zhdr); @@ -753,9 +757,11 @@ static void z3fold_free(struct z3fold_po list_del_init(&zhdr->buddy); spin_unlock(&pool->lock); zhdr->cpu = -1; + kref_get(&zhdr->refcount); do_compact_page(zhdr, true); return; } + kref_get(&zhdr->refcount); queue_work_on(zhdr->cpu, pool->compact_wq, &zhdr->work); z3fold_page_unlock(zhdr); } _

7 years, 7 months

1
0
0 0

[Linux-stable-mirror] + z3fold-use-kref-to-prevent-page-free-compact-race.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/z3fold.c: use kref to prevent page free/compact race has been added to the -mm tree. Its filename is z3fold-use-kref-to-prevent-page-free-compact-race.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/z3fold-use-kref-to-prevent-page-fr… and later at http://ozlabs.org/~akpm/mmotm/broken-out/z3fold-use-kref-to-prevent-page-fr… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Vitaly Wool <vitalywool(a)gmail.com> Subject: mm/z3fold.c: use kref to prevent page free/compact race There is a race in the current z3fold implementation between do_compact() called in a work queue context and the page release procedure when page's kref goes to 0. do_compact() may be waiting for page lock, which is released by release_z3fold_page_locked right before putting the page onto the "stale" list, and then the page may be freed as do_compact() modifies its contents. The mechanism currently implemented to handle that (checking the PAGE_STALE flag) is not reliable enough. Instead, we'll use page's kref counter to guarantee that the page is not released if its compaction is scheduled. It then becomes compaction function's responsibility to decrease the counter and quit immediately if the page was actually freed. Link: http://lkml.kernel.org/r/20171117092032.00ea56f42affbed19f4fcc6c@gmail.com Signed-off-by: Vitaly Wool <vitaly.wool(a)sonymobile.com> Cc: <Oleksiy.Avramchenko(a)sony.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/z3fold.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff -puN mm/z3fold.c~z3fold-use-kref-to-prevent-page-free-compact-race mm/z3fold.c --- a/mm/z3fold.c~z3fold-use-kref-to-prevent-page-free-compact-race +++ a/mm/z3fold.c @@ -404,8 +404,7 @@ static void do_compact_page(struct z3fol WARN_ON(z3fold_page_trylock(zhdr)); else z3fold_page_lock(zhdr); - if (test_bit(PAGE_STALE, &page->private) || - !test_and_clear_bit(NEEDS_COMPACTING, &page->private)) { + if (WARN_ON(!test_and_clear_bit(NEEDS_COMPACTING, &page->private))) { z3fold_page_unlock(zhdr); return; } @@ -413,6 +412,11 @@ static void do_compact_page(struct z3fol list_del_init(&zhdr->buddy); spin_unlock(&pool->lock); + if (kref_put(&zhdr->refcount, release_z3fold_page_locked)) { + atomic64_dec(&pool->pages_nr); + return; + } + z3fold_compact_page(zhdr); unbuddied = get_cpu_ptr(pool->unbuddied); fchunks = num_free_chunks(zhdr); @@ -753,9 +757,11 @@ static void z3fold_free(struct z3fold_po list_del_init(&zhdr->buddy); spin_unlock(&pool->lock); zhdr->cpu = -1; + kref_get(&zhdr->refcount); do_compact_page(zhdr, true); return; } + kref_get(&zhdr->refcount); queue_work_on(zhdr->cpu, pool->compact_wq, &zhdr->work); z3fold_page_unlock(zhdr); } _ Patches currently in -mm which might be from vitalywool(a)gmail.com are z3fold-use-kref-to-prevent-page-free-compact-race.patch

7 years, 7 months

1
0
0 0

[Linux-stable-mirror] [PATCH] bio: ensure __bio_clone_fast copies bi_partno

by Michael Lyle

A new field was introduced in 74d46992e0d9dee7f1f376de0d56d31614c8a17a, bi_partno, instead of using bdev->bd_contains and encoding the partition information in the bi_bdev field. __bio_clone_fast was changed to copy the disk information, but not the partition information. At minimum, this regressed bcache and caused data corruption. Signed-off-by: Michael Lyle <mlyle(a)lyle.org> Fixes: 74d46992e0d9dee7f1f376de0d56d31614c8a17a Reported-by: Pavel Goran <via-bcache(a)pvgoran.name> Reported-by: Campbell Steven <casteven(a)gmail.com> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: <stable(a)vger.kernel.org> --- block/bio.c | 1 + 1 file changed, 1 insertion(+) diff --git a/block/bio.c b/block/bio.c index 101c2a9b5481..33fa6b4af312 100644 --- a/block/bio.c +++ b/block/bio.c @@ -597,6 +597,7 @@ void __bio_clone_fast(struct bio *bio, struct bio *bio_src) * so we don't set nor calculate new physical/hw segment counts here */ bio->bi_disk = bio_src->bi_disk; + bio->bi_partno = bio_src->bi_partno; bio_set_flag(bio, BIO_CLONED); bio->bi_opf = bio_src->bi_opf; bio->bi_write_hint = bio_src->bi_write_hint; -- 2.14.1

7 years, 7 months

8
8
0 0

[Linux-stable-mirror] [PATCH 0/7] [RESEND] [net] intel: Use smp_rmb rather than read_barrier_depends

by Brian King

Resending as the first attempt is not showing up in the list archive. This patch converts several network drivers to use smp_rmb rather than read_barrier_depends. The initial issue was discovered with ixgbe on a Power machine which resulted in skb list corruption due to fetching a stale skb pointer. More details can be found in the ixgbe patch description. Brian King (7): ixgbe: Fix skb list corruption on Power systems i40e: Use smp_rmb rather than read_barrier_depends ixgbevf: Use smp_rmb rather than read_barrier_depends igbvf: Use smp_rmb rather than read_barrier_depends igb: Use smp_rmb rather than read_barrier_depends fm10k: Use smp_rmb rather than read_barrier_depends i40evf: Use smp_rmb rather than read_barrier_depends drivers/net/ethernet/intel/fm10k/fm10k_main.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +- drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 2 +- drivers/net/ethernet/intel/igb/igb_main.c | 2 +- drivers/net/ethernet/intel/igbvf/netdev.c | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++- drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 2 +- 8 files changed, 9 insertions(+), 8 deletions(-) -- 1.8.3.1

7 years, 7 months

4
14
0 0

[Linux-stable-mirror] [PATCH] omapdrm: hdmi4: Correct the SoC revision matching

by Peter Ujfalusi

I believe the intention of the commit 2c9fc9bf45f8 ("drm: omapdrm: Move FEAT_HDMI_* features to hdmi4 driver") was to identify omap4430 ES1.x, omap4430 ES2.x and other OMAP4 revisions, like omap4460. By using family=OMAP4 in the match the code will treat omap4460 ES1.x in a same way as it would treat omap4430 ES1.x This breaks HDMI audio on OMAP4460 devices (PandaES for example). Correct the match rule so we are not going to get false positive match. Fixes: 2c9fc9bf45f8 ("drm: omapdrm: Move FEAT_HDMI_* features to hdmi4 driver") CC: stable(a)vger.kernel.org # 4.14 Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)ti.com> --- drivers/gpu/drm/omapdrm/dss/hdmi4_core.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c b/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c index 62e451162d96..07945a40c33a 100644 --- a/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c +++ b/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c @@ -902,9 +902,20 @@ static const struct hdmi4_features hdmi4_es3_features = { }; static const struct soc_device_attribute hdmi4_soc_devices[] = { - { .family = "OMAP4", .revision = "ES1.?", .data = &hdmi4_es1_features }, - { .family = "OMAP4", .revision = "ES2.?", .data = &hdmi4_es2_features }, - { .family = "OMAP4", .data = &hdmi4_es3_features }, + { + .machine = "OMAP4430", + .revision = "ES1.?", + .data = &hdmi4_es1_features, + }, + { + .machine = "OMAP4430", + .revision = "ES2.?", + .data = &hdmi4_es2_features, + }, + { + .family = "OMAP4", + .data = &hdmi4_es3_features, + }, { /* sentinel */ } }; -- Peter Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki. Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki

7 years, 7 months

2
2
0 0

[Linux-stable-mirror] [PATCH] PCI: keystone: fix interrupt-controller-node lookup

by Johan Hovold

Fix child-node lookup during initialisation, which ended up searching the whole device tree depth-first starting at the parent rather than just matching on its children. To make things worse, the parent pci node was prematurely freed, while the child interrupt-controller node was leaked. Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver") Cc: stable <stable(a)vger.kernel.org> # 3.18 Cc: Murali Karicheri <m-karicheri2(a)ti.com> --- drivers/pci/dwc/pci-keystone.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/pci/dwc/pci-keystone.c b/drivers/pci/dwc/pci-keystone.c index 5bee3af47588..39405598b22d 100644 --- a/drivers/pci/dwc/pci-keystone.c +++ b/drivers/pci/dwc/pci-keystone.c @@ -178,7 +178,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie, } /* interrupt controller is in a child node */ - *np_temp = of_find_node_by_name(np_pcie, controller); + *np_temp = of_get_child_by_name(np_pcie, controller); if (!(*np_temp)) { dev_err(dev, "Node for %s is absent\n", controller); return -EINVAL; @@ -187,6 +187,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie, temp = of_irq_count(*np_temp); if (!temp) { dev_err(dev, "No IRQ entries in %s\n", controller); + of_node_put(*np_temp); return -EINVAL; } @@ -204,6 +205,8 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie, break; } + of_node_put(*np_temp); + if (temp) { *num_irqs = temp; return 0; -- 2.15.0

7 years, 7 months

3
6
0 0

[Linux-stable-mirror] [PATCH 4.9 00/39] 4.9.63-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.63 release. There are 39 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Nov 18 17:42:01 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.63-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.63-rc1 Willy Tarreau <w(a)1wt.eu> misc: panel: properly restore atomic counter on error path Nicholas Bellinger <nab(a)linux-iscsi.org> qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2) Bart Van Assche <bart.vanassche(a)sandisk.com> target/iscsi: Fix iSCSI task reassignment handling Chi-hsien Lin <Chi-Hsien.Lin(a)cypress.com> brcmfmac: remove setting IBSS mode when stopping AP Bilal Amarni <bilal.amarni(a)gmail.com> security/keys: add CONFIG_KEYS_COMPAT to Kconfig Florian Westphal <fw(a)strlen.de> netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable" Florian Westphal <fw(a)strlen.de> netfilter: nat: avoid use of nf_conn_nat extension Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ARM: dts: imx53-qsb-common: fix FEC pinmux config" Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Cancel pending autoload work at unbinding device Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: ims-psu - check if CDC union descriptor is sane Alan Stern <stern(a)rowland.harvard.edu> usb: usbtest: fix NULL pointer dereference Johannes Berg <johannes.berg(a)intel.com> mac80211: don't compare TKIP TX MIC key in reinstall prevention Jason A. Donenfeld <Jason(a)zx2c4.com> mac80211: use constant time comparison with keys Johannes Berg <johannes.berg(a)intel.com> mac80211: accept key reinstall without changing anything Guillaume Nault <g.nault(a)alphalink.fr> ppp: fix race in ppp device destruction Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: avoid matching qdisc with zero handle Xin Long <lucien.xin(a)gmail.com> sctp: reset owner sk for data chunks on out queues when migrating a sock Julien Gomes <julien(a)arista.com> tun: allow positive return values on dev_get_valid_name() call Xin Long <lucien.xin(a)gmail.com> ip6_gre: update dst pmtu if dev mtu has been updated by toobig in __gre6_xmit Xin Long <lucien.xin(a)gmail.com> ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err Xin Long <lucien.xin(a)gmail.com> ipip: only increase err_count for some certain type icmp in ipip_err Girish Moodalbail <girish.moodalbail(a)oracle.com> tap: double-free in error path in tap_open() Andrei Vagin <avagin(a)openvz.org> net/unix: don't show information about sockets from other namespaces Eric Dumazet <edumazet(a)google.com> tcp/dccp: fix other lockdep splats accessing ireq_opt Eric Dumazet <edumazet(a)google.com> tcp/dccp: fix lockdep splat in inet_csk_route_req() Laszlo Toth <laszlth(a)gmail.com> sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND Eric Dumazet <edumazet(a)google.com> ipv6: flowlabel: do not leave opt->tot_len with garbage Craig Gallek <kraig(a)google.com> soreuseport: fix initialization race Eric Dumazet <edumazet(a)google.com> packet: avoid panic in packet_getsockopt() Eric Dumazet <edumazet(a)google.com> tcp/dccp: fix ireq->opt races Xin Long <lucien.xin(a)gmail.com> sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect Cong Wang <xiyou.wangcong(a)gmail.com> tun: call dev_get_valid_name() before register_netdevice() Guillaume Nault <g.nault(a)alphalink.fr> l2tp: check ps->sock before running pppol2tp_session_ioctl() Eric Dumazet <edumazet(a)google.com> tcp: fix tcp_mtu_probe() vs highest_sack Eric Dumazet <edumazet(a)google.com> net: call cgroup_sk_alloc() earlier in sk_clone_lock() Jason A. Donenfeld <Jason(a)zx2c4.com> netlink: do not set cb_running if dump's start() errs Eric Dumazet <edumazet(a)google.com> ipv6: addrconf: increment ifp refcount before ipv6_del_addr() Craig Gallek <kraig(a)google.com> tun/tap: sanitize TUNSETSNDBUF input Alexey Kodanev <alexey.kodanev(a)oracle.com> gso: fix payload length when gso_size is zero ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/imx53-qsb-common.dtsi | 20 +-- arch/powerpc/Kconfig | 5 - arch/s390/Kconfig | 3 - arch/sparc/Kconfig | 3 - arch/x86/Kconfig | 4 - drivers/input/misc/ims-pcu.c | 16 ++- drivers/misc/panel.c | 23 +++- drivers/net/macvtap.c | 20 +-- drivers/net/ppp/ppp_generic.c | 20 +++ drivers/net/tun.c | 7 + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 3 - drivers/scsi/qla2xxx/tcm_qla2xxx.c | 33 ----- drivers/target/iscsi/iscsi_target.c | 19 +-- drivers/usb/misc/usbtest.c | 5 +- include/linux/netdevice.h | 3 + include/net/inet_sock.h | 8 +- include/net/netfilter/nf_conntrack.h | 3 +- include/net/netfilter/nf_nat.h | 1 - include/net/tcp.h | 6 +- include/target/target_core_base.h | 1 + net/core/dev.c | 6 +- net/core/sock.c | 3 +- net/core/sock_reuseport.c | 12 +- net/dccp/ipv4.c | 13 +- net/ipv4/cipso_ipv4.c | 24 +--- net/ipv4/gre_offload.c | 2 +- net/ipv4/inet_connection_sock.c | 9 +- net/ipv4/inet_hashtables.c | 5 +- net/ipv4/ipip.c | 59 ++++++--- net/ipv4/syncookies.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_ipv4.c | 21 +-- net/ipv4/tcp_output.c | 3 +- net/ipv4/udp.c | 5 +- net/ipv4/udp_offload.c | 2 +- net/ipv6/addrconf.c | 1 + net/ipv6/ip6_flowlabel.c | 1 + net/ipv6/ip6_gre.c | 20 ++- net/ipv6/ip6_offload.c | 2 +- net/ipv6/ip6_output.c | 4 +- net/l2tp/l2tp_ppp.c | 3 + net/mac80211/key.c | 54 +++++++- net/netfilter/nf_conntrack_core.c | 2 +- net/netfilter/nf_nat_core.c | 146 ++++++++------------- net/netlink/af_netlink.c | 13 +- net/packet/af_packet.c | 24 ++-- net/sched/sch_api.c | 2 + net/sctp/input.c | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/socket.c | 32 +++++ net/unix/diag.c | 2 + security/keys/Kconfig | 4 + sound/core/seq/seq_device.c | 3 + 54 files changed, 403 insertions(+), 293 deletions(-)

7 years, 7 months

4
40
0 0

[Linux-stable-mirror] [PATCH] Revert "drm/radeon: dont switch vt on suspend"

by Alex Deucher

Fixes distorted colors on some cards on resume from suspend. This reverts commit b9729b17a414f99c61f4db9ac9f9ed987fa0cbfe. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98832 Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/radeon/radeon_fb.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/gpu/drm/radeon/radeon_fb.c b/drivers/gpu/drm/radeon/radeon_fb.c index 2fcf805d3a16..33b821d6d018 100644 --- a/drivers/gpu/drm/radeon/radeon_fb.c +++ b/drivers/gpu/drm/radeon/radeon_fb.c @@ -245,7 +245,6 @@ static int radeonfb_create(struct drm_fb_helper *helper, } info->par = rfbdev; - info->skip_vt_switch = true; ret = radeon_framebuffer_init(rdev->ddev, &rfbdev->rfb, &mode_cmd, gobj); if (ret) { -- 2.13.6

7 years, 7 months

2
2
0 0

[Linux-stable-mirror] [PATCH 4.4 00/28] 4.4.99-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.99 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Nov 18 17:41:29 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.99-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.99-rc1 Willy Tarreau <w(a)1wt.eu> misc: panel: properly restore atomic counter on error path Nicholas Bellinger <nab(a)linux-iscsi.org> target: Fix node_acl demo-mode + uncached dynamic shutdown regression Bart Van Assche <bart.vanassche(a)sandisk.com> target/iscsi: Fix iSCSI task reassignment handling Chi-hsien Lin <Chi-Hsien.Lin(a)cypress.com> brcmfmac: remove setting IBSS mode when stopping AP Richard Alpe <richard.alpe(a)ericsson.com> tipc: fix link attribute propagation bug Bilal Amarni <bilal.amarni(a)gmail.com> security/keys: add CONFIG_KEYS_COMPAT to Kconfig Eric Dumazet <edumazet(a)google.com> tcp/dccp: fix other lockdep splats accessing ireq_opt Eric Dumazet <edumazet(a)google.com> tcp/dccp: fix lockdep splat in inet_csk_route_req() Eric Dumazet <edumazet(a)google.com> tcp/dccp: fix ireq->opt races Xin Long <lucien.xin(a)gmail.com> ipip: only increase err_count for some certain type icmp in ipip_err Guillaume Nault <g.nault(a)alphalink.fr> ppp: fix race in ppp device destruction Xin Long <lucien.xin(a)gmail.com> sctp: reset owner sk for data chunks on out queues when migrating a sock Julien Gomes <julien(a)arista.com> tun: allow positive return values on dev_get_valid_name() call Xin Long <lucien.xin(a)gmail.com> ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err Andrei Vagin <avagin(a)openvz.org> net/unix: don't show information about sockets from other namespaces Eric Dumazet <edumazet(a)google.com> ipv6: flowlabel: do not leave opt->tot_len with garbage Eric Dumazet <edumazet(a)google.com> packet: avoid panic in packet_getsockopt() Xin Long <lucien.xin(a)gmail.com> sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect Cong Wang <xiyou.wangcong(a)gmail.com> tun: call dev_get_valid_name() before register_netdevice() Guillaume Nault <g.nault(a)alphalink.fr> l2tp: check ps->sock before running pppol2tp_session_ioctl() Eric Dumazet <edumazet(a)google.com> tcp: fix tcp_mtu_probe() vs highest_sack Craig Gallek <kraig(a)google.com> tun/tap: sanitize TUNSETSNDBUF input Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Cancel pending autoload work at unbinding device Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: ims-psu - check if CDC union descriptor is sane Alan Stern <stern(a)rowland.harvard.edu> usb: usbtest: fix NULL pointer dereference Johannes Berg <johannes.berg(a)intel.com> mac80211: don't compare TKIP TX MIC key in reinstall prevention Jason A. Donenfeld <Jason(a)zx2c4.com> mac80211: use constant time comparison with keys Johannes Berg <johannes.berg(a)intel.com> mac80211: accept key reinstall without changing anything ------------- Diffstat: Makefile | 4 +- arch/powerpc/Kconfig | 5 -- arch/s390/Kconfig | 3 -- arch/sparc/Kconfig | 3 -- arch/x86/Kconfig | 4 -- drivers/input/misc/ims-pcu.c | 16 +++++- drivers/net/macvtap.c | 2 + drivers/net/ppp/ppp_generic.c | 20 ++++++++ drivers/net/tun.c | 7 +++ drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 3 -- drivers/staging/panel/panel.c | 23 +++++++-- drivers/target/iscsi/iscsi_target.c | 19 +++---- drivers/target/target_core_tpg.c | 4 +- drivers/target/target_core_transport.c | 4 +- drivers/usb/misc/usbtest.c | 5 +- include/linux/netdevice.h | 3 ++ include/net/inet_sock.h | 8 ++- include/net/tcp.h | 6 +-- include/target/target_core_base.h | 1 + net/core/dev.c | 6 +-- net/dccp/ipv4.c | 13 +++-- net/ipv4/cipso_ipv4.c | 24 +++------ net/ipv4/inet_connection_sock.c | 9 ++-- net/ipv4/ipip.c | 58 ++++++++++++++++------ net/ipv4/syncookies.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_ipv4.c | 21 ++++---- net/ipv4/tcp_output.c | 3 +- net/ipv6/ip6_flowlabel.c | 1 + net/ipv6/ip6_gre.c | 11 ++-- net/ipv6/ip6_output.c | 4 +- net/l2tp/l2tp_ppp.c | 3 ++ net/mac80211/key.c | 53 ++++++++++++++++++-- net/packet/af_packet.c | 24 ++++++--- net/sctp/input.c | 2 +- net/sctp/socket.c | 32 ++++++++++++ net/tipc/link.c | 28 +++-------- net/tipc/link.h | 1 - net/unix/diag.c | 2 + security/keys/Kconfig | 4 ++ sound/core/seq/seq_device.c | 3 ++ 41 files changed, 299 insertions(+), 147 deletions(-)

7 years, 7 months

5
33
0 0

Re: [Linux-stable-mirror] Bug#881830: linux: cherry-pick "security/keys: add CONFIG_KEYS_COMPAT to Kconfig" to stretch kernel

by Greg Kroah-Hartman

On Thu, Nov 16, 2017 at 08:28:28PM +0000, James Cowgill wrote: > Hi, > > On 16/11/17 19:04, Ben Hutchings wrote: > > On Wed, 2017-11-15 at 16:50 +0000, James Cowgill wrote: > >> Since I was a little puzzled as to why keyutils built previously on > >> mips, I found this commit to 4.8 which caused the need for KEYS_COMPAT: > >> > >> commit 20f06ed9f61a185c6dabd662c310bed6189470df > >> Author: David Howells <dhowells(a)redhat.com> > >> Date: Wed Jul 27 11:43:37 2016 +0100 > >> > >> KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace > >> > >> MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than > >> calling sys_keyctl. The latter will work in a lot of cases, thereby hiding > >> the issue. > >> > >> Now I'm thinking maybe this can be argued as a bugfix for the above > >> commit and put in upstream 4.9? > > > > Greg, please queue up these two for 4.9: > > > > 5c2a625937ba arm64: support keyctl() system call in 32-bit mode > > 47b2c3fff493 security/keys: add CONFIG_KEYS_COMPAT to Kconfig > > Sorry, I asked for this in two places. I think it's already queued up > for 4.9 now. Well, close, but not quite. The second patch there reverts the first patch, and adds the "generic" work. As I already handled that in the merge of the second patch, the first one is not needed, and the end result should be the same. So all is good. Or at least I think so, someone verifying I got this all right would be appreciated :) thanks, greg k-h

7 years, 7 months

1
0
0 0

Re: [Linux-stable-mirror] [PATCH 4.9 086/104] arm64: kasan: avoid bad virt_to_pfn()

by Josh Hunt

On Tue, Oct 10, 2017 at 10:31 AM, Julia Lawall <julia.lawall(a)lip6.fr> wrote: > > > On Tue, 10 Oct 2017, Levin, Alexander (Sasha Levin) wrote: > >> (Cc'ed Julia) >> >> On Mon, Oct 09, 2017 at 09:33:01AM -0700, Laura Abbott wrote: >> >On 10/06/2017 08:10 PM, Levin, Alexander (Sasha Levin) wrote: >> >> We are experimenting with using neural network to aid with patch >> >> selection for stable kernel trees. There are quite a few commits that >> >> were not marked for stable, but are stable material, and we're trying >> >> to get them into their appropriate kernel trees. >> >> >> > >> >Apart from the practical which has been covered, I'd be interested >> >in hearing about the details of how this works if you can share >> >them. >> >> This work is based on Julia's work >> (https://soarsmu.github.io/papers/icse12-patch.pdf) to identify >> commits that fix bugs. >> >> Essentially, my approach to this is to extract as much information as >> possbile form the commit, including things such as: >> >> - How many times a certain word appeared in the message >> - Who is the author >> - Code metrics >> - etc >> >> In my case, I end up with about 30,000 of these "inputs", and train a >> neural network based on whether a given commit was included in a >> stable tree or not. >> >> This approach has a few drawbacks compared to the one Julia >> described in her paper: >> >> - Not every bug fixing commit ends up in stable (some end up in -rc >> fixing a bug from the current merge window). >> - Same as above, but for commits we miss and fail to add to stable. >> - Sometimes commits get added to stable even though they don't follow >> the rules at all (security fixes are a simple example). >> >> But it does seem to be effective at finding bug fixing commits that >> should be in stable. >> >> At this stage we are still trying to figure out what a "bug fixing" >> commit really is. For example, an observation we recently made was >> that the code metrics actually don't have much weight in determining >> whether a commit should be in stable or not. >> >> As we just started, I'm still experimenting with a few approaches, and >> I belive Julia is waiting for a new student to take over this, so we >> don't have any big insights to share just yet :) > > That's a good summary of the current status. Thanks! > > julia I just started noticing the AUTOSEL tags yesterday and I think that's a great idea to tag patches, but was there any thought to also putting something in the commit message this way they're easily identifiable in the git logs? I think it would be useful if there was some metadata in the commit message which identified that it was selected through some automated system. That way if I find a regression and it identifies one of these commits I can know that maybe it was chosen incorrectly, and also would allow me to alert the owner of the selection script to better help refine its selection process. Otherwise I'd have to track back through the mailing lists to see how it landed in the stable release. Just a thought. Also, thank you for trying to improve the stable kernels! -- Josh

7 years, 7 months

3
3
0 0

[Linux-stable-mirror] [PATCH 4.4 00/56] 4.4.98-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.98 release. There are 56 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Nov 15 12:55:32 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.98-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.98-rc1 Colin Ian King <colin.king(a)canonical.com> PKCS#7: fix unitialized boolean 'want' Borislav Petkov <bp(a)suse.de> x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context Richard Schütz <rschuetz(a)uni-koblenz.de> can: c_can: don't indicate triple sampling support for D_CAN Gerhard Bertelsmann <info(a)gerhard-bertelsmann.de> can: sun4i: handle overrun in RX FIFO Ilya Dryomov <idryomov(a)gmail.com> rbd: use GFP_NOIO for parent stat and data requests Sinclair Yeh <syeh(a)vmware.com> drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue Kai-Heng Feng <kai.heng.feng(a)canonical.com> Input: elan_i2c - add ELAN060C to the ACPI table Oswald Buddenhagen <oswald.buddenhagen(a)gmx.de> MIPS: AR7: Ensure that serial ports are properly set up Jonas Gorski <jonas.gorski(a)gmail.com> MIPS: AR7: Defer registration of GPIO Luis R. Rodriguez <mcgrof(a)kernel.org> tools: firmware: check for distro fallback udev cancel rule Luis R. Rodriguez <mcgrof(a)kernel.org> selftests: firmware: send expected errors to /dev/null Brian Norris <computersforpeace(a)gmail.com> selftests: firmware: add empty string and async tests Brian Norris <computersforpeace(a)gmail.com> test: firmware_class: report errors properly on failure Matt Redfearn <matt.redfearn(a)imgtec.com> MIPS: SMP: Fix deadlock & online race Matija Glavinic Pecotic <matija.glavinic-pecotic.ext(a)nokia.com> MIPS: Fix race on setting and getting cpu_online_mask Matt Redfearn <matt.redfearn(a)imgtec.com> MIPS: SMP: Use a completion event to signal CPU up Paul Burton <paul.burton(a)mips.com> MIPS: Fix CM region target definitions Gustavo A. R. Silva <garsilva(a)embeddedor.com> MIPS: microMIPS: Fix incorrect mask in insn_table_MM Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Avoid invalid lockdep class warning Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Fix OSS sysex delivery in OSS emulation Mark Rutland <mark.rutland(a)arm.com> ARM: 8720/1: ensure dump_instr() checks addr_limit Eric Biggers <ebiggers(a)google.com> KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] Andrey Ryabinin <aryabinin(a)virtuozzo.com> crypto: x86/sha1-mb - fix panic due to unaligned access Li Bin <huawei.libin(a)huawei.com> workqueue: Fix NULL pointer dereference Peter Zijlstra <peterz(a)infradead.org> x86/uaccess, sched/preempt: Verify access_ok() context Carlo Caione <carlo(a)endlessm.com> platform/x86: hp-wmi: Do not shadow error values Carlo Caione <carlo(a)endlessm.com> platform/x86: hp-wmi: Fix error value for hp_wmi_tablet_state Eric Biggers <ebiggers(a)google.com> KEYS: trusted: fix writing past end of buffer in trusted_read() Eric Biggers <ebiggers(a)google.com> KEYS: trusted: sanitize all key material Enrico Mioso <mrkiko.rs(a)gmail.com> cdc_ncm: Set NTB format again after altsetting switch for Huawei devices Carlo Caione <carlo(a)endlessm.com> platform/x86: hp-wmi: Fix detection for dock and tablet mode Vivien Didelot <vivien.didelot(a)savoirfairelinux.com> net: dsa: select NET_SWITCHDEV Julian Wiedmann <jwi(a)linux.vnet.ibm.com> s390/qeth: issue STARTLAN as first IPA command Feras Daoud <ferasda(a)mellanox.com> IB/ipoib: Change list_del to list_del_init in the tx object Akinobu Mita <akinobu.mita(a)gmail.com> Input: mpr121 - set missing event capability Akinobu Mita <akinobu.mita(a)gmail.com> Input: mpr121 - handle multiple bits change of status register Gilad Ben-Yossef <gilad(a)benyossef.com> IPsec: do not ignore crypto err in ah4 input Liping Zhang <zlpnobody(a)gmail.com> netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family William wu <wulf(a)rock-chips.com> usb: hcd: initialize hcd->flags to 0 when rm hcd Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> serial: sh-sci: Fix register offsets for the IRDA serial port Volodymyr Bendiuga <volodymyr.bendiuga(a)gmail.com> phy: increase size of MII_BUS_ID_SIZE and bus_id David Lechner <david(a)lechnology.com> dt-bindings: Add vendor prefix for LEGO David Lechner <david(a)lechnology.com> dt-bindings: Add LEGO MINDSTORMS EV3 compatible specification Alison Schofield <amsfield22(a)gmail.com> iio: trigger: free trigger resource correctly Li Zhong <zhong(a)linux.vnet.ibm.com> crypto: vmx - disable preemption to enable vsx in aes_ctr.c Tony Lindgren <tony(a)atomide.com> ARM: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6 Valentin Longchamp <valentin.longchamp(a)keymile.com> powerpc/corenet: explicitly disable the SDHC controller on kmcoge4 Nate Watterson <nwatters(a)codeaurora.org> iommu/arm-smmu-v3: Clear prior settings when updating STEs Li Zhong <zhong(a)linux.vnet.ibm.com> KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter Noralf Trønnes <noralf(a)tronnes.org> drm: drm_minor_register(): Clean up debugfs on failure Harninder Rai <harninder.rai(a)nxp.com> dt-bindings: clockgen: Add compatible string for LS1012A Patrick Bruenn <p.bruenn(a)beckhoff.com> ARM: dts: imx53-qsb-common: fix FEC pinmux config Juergen Gross <jgross(a)suse.com> xen/netback: set default upper limit of tx/rx queues to 8 Jason Gunthorpe <jgunthorpe(a)obsidianresearch.com> PCI: mvebu: Handle changes to the bridge windows while enabled Maciej W. Rozycki <macro(a)linux-mips.org> video: fbdev: pmag-ba-fb: Remove bad `__init' annotation Lars-Peter Clausen <lars(a)metafoo.de> adv7604: Initialize drive strength to default when using DT ------------- Diffstat: Documentation/devicetree/bindings/arm/davinci.txt | 4 + .../devicetree/bindings/clock/qoriq-clock.txt | 1 + .../devicetree/bindings/vendor-prefixes.txt | 1 + Makefile | 4 +- arch/arm/boot/dts/imx53-qsb-common.dtsi | 20 ++-- arch/arm/configs/omap2plus_defconfig | 1 + arch/arm/kernel/traps.c | 28 ++++-- arch/mips/ar7/platform.c | 5 + arch/mips/ar7/prom.c | 2 - arch/mips/include/asm/mips-cm.h | 4 +- arch/mips/kernel/process.c | 4 +- arch/mips/kernel/smp.c | 29 ++++-- arch/mips/mm/uasm-micromips.c | 2 +- arch/powerpc/boot/dts/fsl/kmcoge4.dts | 4 + arch/powerpc/kvm/book3s_hv_rm_xics.c | 5 +- arch/sh/kernel/cpu/sh3/setup-sh770x.c | 1 - arch/x86/crypto/sha-mb/sha1_mb_mgr_flush_avx2.S | 12 +-- arch/x86/include/asm/uaccess.h | 14 ++- arch/x86/oprofile/op_model_ppro.c | 4 +- crypto/asymmetric_keys/pkcs7_parser.c | 2 +- drivers/block/rbd.c | 4 +- drivers/crypto/vmx/aes_ctr.c | 6 ++ drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 2 +- drivers/iio/trigger/iio-trig-interrupt.c | 8 +- drivers/iio/trigger/iio-trig-sysfs.c | 2 +- drivers/infiniband/ulp/ipoib/ipoib_cm.c | 2 +- drivers/input/keyboard/mpr121_touchkey.c | 24 +++-- drivers/input/mouse/elan_i2c_core.c | 1 + drivers/iommu/arm-smmu-v3.c | 10 +- drivers/media/i2c/adv7604.c | 3 + drivers/net/can/c_can/c_can_pci.c | 1 - drivers/net/can/c_can/c_can_platform.c | 1 - drivers/net/can/sun4i_can.c | 12 ++- drivers/net/usb/cdc_ncm.c | 28 ++++++ drivers/net/usb/huawei_cdc_ncm.c | 6 ++ drivers/net/xen-netback/netback.c | 6 +- drivers/pci/host/pci-mvebu.c | 101 ++++++++++++--------- drivers/platform/x86/hp-wmi.c | 60 +++++++----- drivers/s390/net/qeth_core.h | 1 - drivers/s390/net/qeth_core_main.c | 21 ++++- drivers/s390/net/qeth_l2_main.c | 15 --- drivers/s390/net/qeth_l3_main.c | 15 --- drivers/staging/iio/trigger/iio-trig-bfin-timer.c | 4 +- drivers/tty/serial/sh-sci.c | 17 ++-- drivers/usb/core/hcd.c | 1 + drivers/video/fbdev/pmag-ba-fb.c | 2 +- include/linux/phy.h | 8 +- include/linux/preempt.h | 21 +++-- include/linux/usb/cdc_ncm.h | 1 + include/sound/seq_kernel.h | 3 +- kernel/workqueue_internal.h | 3 +- lib/asn1_decoder.c | 4 +- lib/test_firmware.c | 11 ++- net/dsa/Kconfig | 5 +- net/ipv4/ah4.c | 3 + net/netfilter/nft_meta.c | 28 +++++- security/keys/trusted.c | 71 +++++++-------- sound/core/seq/oss/seq_oss_midi.c | 4 +- sound/core/seq/oss/seq_oss_readq.c | 29 ++++++ sound/core/seq/oss/seq_oss_readq.h | 2 + tools/testing/selftests/firmware/fw_filesystem.sh | 10 +- tools/testing/selftests/firmware/fw_userhelper.sh | 28 +++++- 63 files changed, 468 insertions(+), 265 deletions(-)

7 years, 7 months

12
78
0 0

Re: [Linux-stable-mirror] 4.1 EOL

by alexander.levin＠verizon.com

I've cc'ed some folks in hopes to get this resolved upstream. Either way, 4.1's EoL was previously moved to about 6 months from now, so hopefully we'll have more than enough time to get this resolved. On Sat, Nov 11, 2017 at 10:13:55PM +0000, Tuncer Ayaz wrote: >The predicament I'm in on my machines is that ever since drm-intel has >implemented atomic modesetting, there's a list regressions caused by >those fundamental architecture changes and the code churn it implied. >This means 4.1 is (from what I can tell) the last kernel before atomic >modesetting was added and the only kernel free of all those issues >which necessitate trying out various combinations of flags on the >kernel cmdline. > >For instance, right now I'm trying 4.13.12 with these flags: >video=SVIDEO-1:d >i915.semaphores=1 >i915.enable_rc6=0 >i915.enable_psr=0 >intel_iommu=igfx_off > >PS: I'm kinda confused how anyone uses DMAR with VT-d when it's known >to be buggy. > >The flags seem to decrease the chances of provoking the bugs, but after a >day of running Xorg, it's possible to still hit the RCS0 GPU hangs. > >If you don't pass video=SVIDEO-1:d, then atomic's flip_done times out >on boot or exit to VT console. It's good that other people have the same >issues and have been following the bugzilla tickets, and con confirm >the results. > >I'm kinda glad I don't have a machine that's newer than Sandybridge >since that means I can use 4.1, though it's not a long-term solution, >and the plan is for the reported bugzilla tickets to be resolved at >some point, or me switching away from Intel GPUs, which might be >doable if I save money and get an AMD APU laptop next summer and >switch my desktop to a discrete GPU. > >For example: >https://bugs.freedesktop.org/show_bug.cgi?id=101237 >https://bugs.freedesktop.org/show_bug.cgi?id=103076 >https://bbs.archlinux.org/viewtopic.php?id=218581&p=3 >https://bugs.archlinux.org/task/51703 > >So, since 4.4, 4.9 and 4.12, drm-tip are still regressive, >I wanted to ask if you considered pushing back 4.1's EOL. > >Given a look at bugzilla, I have the impression that those issues will >need at least another year before they're fixed, since most of them >have been sitting there for many, many months. I suspect the Intel DRM >team doesn't have the bandwidth to address the issues in a timely >fashion while still adding upbringing for new GPUs and features >(fences, etc.). > >The generic modesetting DDX and Wayland are less susceptible to the >GPU hangs, but can be made to provoke it if tried long enough. >However, the modesetting DDX tears heavily and is about to gain atomic >modesetting in the next Xorg release, so will suffer from the same >easy GPU hang likelihood. > >Prior to SandyBridge there was zero tearing but beginning with >SandyBridge xf86-video-intel's TearFree=TRUE is the only reliable way >to fix Xorg tearing. > >I do appreciate you maintaining 4.1 so far and hate to admit that I'm >reliant on it on more than two machines, before and after Sandybridge, >exluding those machines which need a newer kernel. I also understand >how much work this is and since I'm not using Linux professionally for >a product, I can't offer compensation for your time. I can only offer >to collect and point you at a list of DRM bugs for validation of my >claims. -- Thanks, Sasha

7 years, 7 months

3
6
0 0

[Linux-stable-mirror] [PATCH V10 4/4] libsas: Align sata_device's rps_resp on a cacheline

by Huacai Chen

The rps_resp buffer in ata_device is a DMA target, but it isn't explicitly cacheline aligned. Due to this, adjacent fields can be overwritten with stale data from memory on non-coherent architectures. As a result, the kernel is sometimes unable to communicate with an SATA device behind a SAS expander. Fix this by ensuring that the rps_resp buffer is cacheline aligned. This issue is similar to that fixed by Commit 84bda12af31f93 ("libata: align ap->sector_buf") and Commit 4ee34ea3a12396f35b26 ("libata: Align ata_device's id on a cacheline"). Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhc(a)lemote.com> --- include/scsi/libsas.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/scsi/libsas.h b/include/scsi/libsas.h index 0f9cbf9..6df6fe0 100644 --- a/include/scsi/libsas.h +++ b/include/scsi/libsas.h @@ -159,11 +159,11 @@ struct expander_device { struct sata_device { unsigned int class; - struct smp_resp rps_resp; /* report_phy_sata_resp */ u8 port_no; /* port number, if this is a PM (Port) */ struct ata_port *ap; struct ata_host ata_host; + struct smp_resp rps_resp ____cacheline_aligned; /* report_phy_sata_resp */ u8 fis[ATA_RESP_FIS_SIZE]; }; -- 2.7.0

7 years, 7 months

1
0
0 0

[Linux-stable-mirror] [PATCH 7.x ubsan fix 1/6] cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()

by Kefeng Wang

From: zengtao <prime.zeng(a)huawei.com> mainline inclusion from mainline-4.5 commit 0f26922fe5dc5724b1adbbd54b21bad03590b4f3 category: bugfix bugzilla: 3214 DTS: NA CVE: NA ------------------------------------------------- The datatype __kernel_time_t is u32 on 32bit platform, so its subject to overflows in the timeval/timespec to cputime conversion. Currently the following functions are affected: 1. setitimer() 2. timer_create/timer_settime() 3. sys_clock_nanosleep This can happen on MIPS32 and ARM32 with "Full dynticks CPU time accounting" enabled, which is required for CONFIG_NO_HZ_FULL. Enforce u64 conversion to prevent the overflow. Fixes: 31c1fc818715 ("ARM: Kconfig: allow full nohz CPU accounting") Signed-off-by: zengtao <prime.zeng(a)huawei.com> Reviewed-by: Arnd Bergmann <arnd(a)arndb.de> Cc: <fweisbec(a)gmail.com> Cc: stable(a)vger.kernel.org Link: http://lkml.kernel.org/r/1454384314-154784-1-git-send-email-prime.zeng@huaw… Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> (cherry picked from commit 0f26922fe5dc5724b1adbbd54b21bad03590b4f3) Signed-off-by: Kefeng Wang <wangkefeng.wang(a)huawei.com> --- include/asm-generic/cputime_nsecs.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/asm-generic/cputime_nsecs.h b/include/asm-generic/cputime_nsecs.h index bf97df3..903285b 100644 --- a/include/asm-generic/cputime_nsecs.h +++ b/include/asm-generic/cputime_nsecs.h @@ -72,7 +72,7 @@ typedef u64 __nocast cputime64_t; */ static inline cputime_t timespec_to_cputime(const struct timespec *val) { - u64 ret = val->tv_sec * NSEC_PER_SEC + val->tv_nsec; + u64 ret = (u64)val->tv_sec * NSEC_PER_SEC + val->tv_nsec; return (__force cputime_t) ret; } static inline void cputime_to_timespec(const cputime_t ct, struct timespec *val) @@ -88,7 +88,8 @@ static inline void cputime_to_timespec(const cputime_t ct, struct timespec *val) */ static inline cputime_t timeval_to_cputime(const struct timeval *val) { - u64 ret = val->tv_sec * NSEC_PER_SEC + val->tv_usec * NSEC_PER_USEC; + u64 ret = (u64)val->tv_sec * NSEC_PER_SEC + + val->tv_usec * NSEC_PER_USEC; return (__force cputime_t) ret; } static inline void cputime_to_timeval(const cputime_t ct, struct timeval *val) -- 1.8.3.1

7 years, 7 months

1
1
0 0

[Linux-stable-mirror] [merged] mm-page_ext-check-if-page_ext-is-not-prepared.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/page_ext.c: check if page_ext is not prepared has been removed from the -mm tree. Its filename was mm-page_ext-check-if-page_ext-is-not-prepared.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Jaewon Kim <jaewon31.kim(a)samsung.com> Subject: mm/page_ext.c: check if page_ext is not prepared online_page_ext() and page_ext_init() allocate page_ext for each section, but they do not allocate if the first PFN is !pfn_present(pfn) or !pfn_valid(pfn). Then section->page_ext remains as NULL. lookup_page_ext checks NULL only if CONFIG_DEBUG_VM is enabled. For a valid PFN, __set_page_owner will try to get page_ext through lookup_page_ext. Without CONFIG_DEBUG_VM lookup_page_ext will misuse NULL pointer as value 0. This incurrs invalid address access. This is the panic example when PFN 0x100000 is not valid but PFN 0x13FC00 is being used for page_ext. section->page_ext is NULL, get_entry returned invalid page_ext address as 0x1DFA000 for a PFN 0x13FC00. To avoid this panic, CONFIG_DEBUG_VM should be removed so that page_ext will be checked at all times. <1>[ 11.618085] Unable to handle kernel paging request at virtual address 01dfa014 <1>[ 11.618140] pgd = ffffffc0c6dc9000 <1>[ 11.618174] [01dfa014] *pgd=0000000000000000, *pud=0000000000000000 <4>[ 11.618240] ------------[ cut here ]------------ <2>[ 11.618278] Kernel BUG at ffffff80082371e0 [verbose debug info unavailable] <0>[ 11.618338] Internal error: Oops: 96000045 [#1] PREEMPT SMP <4>[ 11.618381] Modules linked in: <4>[ 11.618524] task: ffffffc0c6ec9180 task.stack: ffffffc0c6f40000 <4>[ 11.618569] PC is at __set_page_owner+0x48/0x78 <4>[ 11.618607] LR is at __set_page_owner+0x44/0x78 <4>[ 11.626025] [<ffffff80082371e0>] __set_page_owner+0x48/0x78 <4>[ 11.626071] [<ffffff80081df9f0>] get_page_from_freelist+0x880/0x8e8 <4>[ 11.626118] [<ffffff80081e00a4>] __alloc_pages_nodemask+0x14c/0xc48 <4>[ 11.626165] [<ffffff80081e610c>] __do_page_cache_readahead+0xdc/0x264 <4>[ 11.626214] [<ffffff80081d8824>] filemap_fault+0x2ac/0x550 <4>[ 11.626259] [<ffffff80082e5cf8>] ext4_filemap_fault+0x3c/0x58 <4>[ 11.626305] [<ffffff800820a2f8>] __do_fault+0x80/0x120 <4>[ 11.626347] [<ffffff800820eb4c>] handle_mm_fault+0x704/0xbb0 <4>[ 11.626393] [<ffffff800809ba70>] do_page_fault+0x2e8/0x394 <4>[ 11.626437] [<ffffff8008080be4>] do_mem_abort+0x88/0x124 Pre-4.7 kernels also need f86e427197 ("mm: check the return value of lookup_page_ext for all call sites"). Link: http://lkml.kernel.org/r/20171107094131.14621-1-jaewon31.kim@samsung.com Fixes: eefa864b701d ("mm/page_ext: resurrect struct page extending code for debugging") Signed-off-by: Jaewon Kim <jaewon31.kim(a)samsung.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Joonsoo Kim <js1304(a)gmail.com> Cc: <stable(a)vger.kernel.org> [depends on f86e427197, see above] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_ext.c | 4 ---- 1 file changed, 4 deletions(-) diff -puN mm/page_ext.c~mm-page_ext-check-if-page_ext-is-not-prepared mm/page_ext.c --- a/mm/page_ext.c~mm-page_ext-check-if-page_ext-is-not-prepared +++ a/mm/page_ext.c @@ -125,7 +125,6 @@ struct page_ext *lookup_page_ext(struct struct page_ext *base; base = NODE_DATA(page_to_nid(page))->node_page_ext; -#if defined(CONFIG_DEBUG_VM) /* * The sanity checks the page allocator does upon freeing a * page can reach here before the page_ext arrays are @@ -134,7 +133,6 @@ struct page_ext *lookup_page_ext(struct */ if (unlikely(!base)) return NULL; -#endif index = pfn - round_down(node_start_pfn(page_to_nid(page)), MAX_ORDER_NR_PAGES); return get_entry(base, index); @@ -199,7 +197,6 @@ struct page_ext *lookup_page_ext(struct { unsigned long pfn = page_to_pfn(page); struct mem_section *section = __pfn_to_section(pfn); -#if defined(CONFIG_DEBUG_VM) /* * The sanity checks the page allocator does upon freeing a * page can reach here before the page_ext arrays are @@ -208,7 +205,6 @@ struct page_ext *lookup_page_ext(struct */ if (!section->page_ext) return NULL; -#endif return get_entry(section->page_ext, pfn); } _ Patches currently in -mm which might be from jaewon31.kim(a)samsung.com are

7 years, 7 months

1
0
0 0

[Linux-stable-mirror] [merged] mm-broken-deferred-calculation.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/page_alloc.c: broken deferred calculation has been removed from the -mm tree. Its filename was mm-broken-deferred-calculation.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Pavel Tatashin <pasha.tatashin(a)oracle.com> Subject: mm/page_alloc.c: broken deferred calculation In reset_deferred_meminit() we determine number of pages that must not be deferred. We initialize pages for at least 2G of memory, but also pages for reserved memory in this node. The reserved memory is determined in this function: memblock_reserved_memory_within(), which operates over physical addresses, and returns size in bytes. However, reset_deferred_meminit() assumes that that this function operates with pfns, and returns page count. The result is that in the best case machine boots slower than expected due to initializing more pages than needed in single thread, and in the worst case panics because fewer than needed pages are initialized early. Link: http://lkml.kernel.org/r/20171021011707.15191-1-pasha.tatashin@oracle.com Fixes: 864b9a393dcb ("mm: consider memblock reservations for deferred memory initialization sizing") Signed-off-by: Pavel Tatashin <pasha.tatashin(a)oracle.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/mmzone.h | 3 ++- mm/page_alloc.c | 27 ++++++++++++++++++--------- 2 files changed, 20 insertions(+), 10 deletions(-) diff -puN include/linux/mmzone.h~mm-broken-deferred-calculation include/linux/mmzone.h --- a/include/linux/mmzone.h~mm-broken-deferred-calculation +++ a/include/linux/mmzone.h @@ -700,7 +700,8 @@ typedef struct pglist_data { * is the first PFN that needs to be initialised. */ unsigned long first_deferred_pfn; - unsigned long static_init_size; + /* Number of non-deferred pages */ + unsigned long static_init_pgcnt; #endif /* CONFIG_DEFERRED_STRUCT_PAGE_INIT */ #ifdef CONFIG_TRANSPARENT_HUGEPAGE diff -puN mm/page_alloc.c~mm-broken-deferred-calculation mm/page_alloc.c --- a/mm/page_alloc.c~mm-broken-deferred-calculation +++ a/mm/page_alloc.c @@ -291,28 +291,37 @@ EXPORT_SYMBOL(nr_online_nodes); int page_group_by_mobility_disabled __read_mostly; #ifdef CONFIG_DEFERRED_STRUCT_PAGE_INIT + +/* + * Determine how many pages need to be initialized durig early boot + * (non-deferred initialization). + * The value of first_deferred_pfn will be set later, once non-deferred pages + * are initialized, but for now set it ULONG_MAX. + */ static inline void reset_deferred_meminit(pg_data_t *pgdat) { - unsigned long max_initialise; - unsigned long reserved_lowmem; + phys_addr_t start_addr, end_addr; + unsigned long max_pgcnt; + unsigned long reserved; /* * Initialise at least 2G of a node but also take into account that * two large system hashes that can take up 1GB for 0.25TB/node. */ - max_initialise = max(2UL << (30 - PAGE_SHIFT), - (pgdat->node_spanned_pages >> 8)); + max_pgcnt = max(2UL << (30 - PAGE_SHIFT), + (pgdat->node_spanned_pages >> 8)); /* * Compensate the all the memblock reservations (e.g. crash kernel) * from the initial estimation to make sure we will initialize enough * memory to boot. */ - reserved_lowmem = memblock_reserved_memory_within(pgdat->node_start_pfn, - pgdat->node_start_pfn + max_initialise); - max_initialise += reserved_lowmem; + start_addr = PFN_PHYS(pgdat->node_start_pfn); + end_addr = PFN_PHYS(pgdat->node_start_pfn + max_pgcnt); + reserved = memblock_reserved_memory_within(start_addr, end_addr); + max_pgcnt += PHYS_PFN(reserved); - pgdat->static_init_size = min(max_initialise, pgdat->node_spanned_pages); + pgdat->static_init_pgcnt = min(max_pgcnt, pgdat->node_spanned_pages); pgdat->first_deferred_pfn = ULONG_MAX; } @@ -339,7 +348,7 @@ static inline bool update_defer_init(pg_ if (zone_end < pgdat_end_pfn(pgdat)) return true; (*nr_initialised)++; - if ((*nr_initialised > pgdat->static_init_size) && + if ((*nr_initialised > pgdat->static_init_pgcnt) && (pfn & (PAGES_PER_SECTION - 1)) == 0) { pgdat->first_deferred_pfn = pfn; return false; _ Patches currently in -mm which might be from pasha.tatashin(a)oracle.com are sparc64-ng4-memset-32-bits-overflow.patch

7 years, 7 months

1
0
0 0

[Linux-stable-mirror] [merged] mm-swap-fix-false-error-message-in-__swp_swapcount.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, swap: fix false error message in __swp_swapcount() has been removed from the -mm tree. Its filename was mm-swap-fix-false-error-message-in-__swp_swapcount.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Huang Ying <huang.ying.caritas(a)gmail.com> Subject: mm, swap: fix false error message in __swp_swapcount() When a page fault occurs for a swap entry, the physical swap readahead (not the VMA base swap readahead) may readahead several swap entries after the fault swap entry. The readahead algorithm calculates some of the swap entries to readahead via increasing the offset of the fault swap entry without checking whether they are beyond the end of the swap device and it relys on the __swp_swapcount() and swapcache_prepare() to check it. Although __swp_swapcount() checks for the swap entry passed in, it will complain with the error message as follow for the expected invalid swap entry. This may make the end users confused. swap_info_get: Bad swap offset entry 0200f8a7 To fix the false error message, the swap entry checking is added in swapin_readahead() to avoid to pass the out-of-bound swap entries and the swap entry reserved for the swap header to __swp_swapcount() and swapcache_prepare(). Link: http://lkml.kernel.org/r/20171102054225.22897-1-ying.huang@intel.com Fixes: e8c26ab60598 ("mm/swap: skip readahead for unreferenced swap slots") Signed-off-by: "Huang, Ying" <ying.huang(a)intel.com> Reported-by: Christian Kujau <lists(a)nerdbynature.de> Acked-by: Minchan Kim <minchan(a)kernel.org> Suggested-by: Minchan Kim <minchan(a)kernel.org> Cc: Tim Chen <tim.c.chen(a)linux.intel.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> [4.11+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swap_state.c | 3 +++ 1 file changed, 3 insertions(+) diff -puN mm/swap_state.c~mm-swap-fix-false-error-message-in-__swp_swapcount mm/swap_state.c --- a/mm/swap_state.c~mm-swap-fix-false-error-message-in-__swp_swapcount +++ a/mm/swap_state.c @@ -559,6 +559,7 @@ struct page *swapin_readahead(swp_entry_ unsigned long offset = entry_offset; unsigned long start_offset, end_offset; unsigned long mask; + struct swap_info_struct *si = swp_swap_info(entry); struct blk_plug plug; bool do_poll = true, page_allocated; @@ -572,6 +573,8 @@ struct page *swapin_readahead(swp_entry_ end_offset = offset | mask; if (!start_offset) /* First page is swap header. */ start_offset++; + if (end_offset >= si->max) + end_offset = si->max - 1; blk_start_plug(&plug); for (offset = start_offset; offset <= end_offset ; offset++) { _ Patches currently in -mm which might be from huang.ying.caritas(a)gmail.com are

7 years, 7 months

1
0
0 0

[Linux-stable-mirror] [merged] ocfs2-should-wait-dio-before-inode-lock-in-ocfs2_setattr.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: ocfs2: should wait dio before inode lock in ocfs2_setattr() has been removed from the -mm tree. Its filename was ocfs2-should-wait-dio-before-inode-lock-in-ocfs2_setattr.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: alex chen <alex.chen(a)huawei.com> Subject: ocfs2: should wait dio before inode lock in ocfs2_setattr() we should wait dio requests to finish before inode lock in ocfs2_setattr(), otherwise the following deadlock will happen: process 1 process 2 process 3 truncate file 'A' end_io of writing file 'A' receiving the bast messages ocfs2_setattr ocfs2_inode_lock_tracker ocfs2_inode_lock_full inode_dio_wait __inode_dio_wait -->waiting for all dio requests finish dlm_proxy_ast_handler dlm_do_local_bast ocfs2_blocking_ast ocfs2_generic_handle_bast set OCFS2_LOCK_BLOCKED flag dio_end_io dio_bio_end_aio dio_complete ocfs2_dio_end_io ocfs2_dio_end_io_write ocfs2_inode_lock __ocfs2_cluster_lock ocfs2_wait_for_mask -->waiting for OCFS2_LOCK_BLOCKED flag to be cleared, that is waiting for 'process 1' unlocking the inode lock inode_dio_end -->here dec the i_dio_count, but will never be called, so a deadlock happened. Link: http://lkml.kernel.org/r/59F81636.70508@huawei.com Signed-off-by: Alex Chen <alex.chen(a)huawei.com> Reviewed-by: Jun Piao <piaojun(a)huawei.com> Reviewed-by: Joseph Qi <jiangqi903(a)gmail.com> Acked-by: Changwei Ge <ge.changwei(a)h3c.com> Cc: Mark Fasheh <mfasheh(a)versity.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/file.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff -puN fs/ocfs2/file.c~ocfs2-should-wait-dio-before-inode-lock-in-ocfs2_setattr fs/ocfs2/file.c --- a/fs/ocfs2/file.c~ocfs2-should-wait-dio-before-inode-lock-in-ocfs2_setattr +++ a/fs/ocfs2/file.c @@ -1161,6 +1161,13 @@ int ocfs2_setattr(struct dentry *dentry, } size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE; if (size_change) { + /* + * Here we should wait dio to finish before inode lock + * to avoid a deadlock between ocfs2_setattr() and + * ocfs2_dio_end_io_write() + */ + inode_dio_wait(inode); + status = ocfs2_rw_lock(inode, 1); if (status < 0) { mlog_errno(status); @@ -1200,8 +1207,6 @@ int ocfs2_setattr(struct dentry *dentry, if (status) goto bail_unlock; - inode_dio_wait(inode); - if (i_size_read(inode) >= attr->ia_size) { if (ocfs2_should_order_data(inode)) { status = ocfs2_begin_ordered_truncate(inode, _ Patches currently in -mm which might be from alex.chen(a)huawei.com are

7 years, 7 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror