- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] [PATCH] drm/fb-helper: Fix of-by-one in setcmap_pseudo_palette

by Daniel Vetter

[Fair warning: This is pure conjecture right now.] In commit b8e2b0199cc377617dc238f5106352c06dcd3fa2 Author: Peter Rosin <peda(a)axentia.se> Date: Tue Jul 4 12:36:57 2017 +0200 drm/fb-helper: factor out pseudo-palette Peter extracted the pseudo palette computation, but seems to have done an off-by-one. I spotted that +1, but then noticed that we've passed start++ to (now gone) setcolreg function, so it seemed to all match up. Except post vs. pre-increment ftw. Result is that the palette is off-by-one, and the forground color (slot 0) ends up black, rendering a fairly unreadable console. What baffles me is that on some systems it still seems to work somehow, which lead us all down a wild goose chase trying to add load_lut calls back in in various places (which was also intentionally removed, but really doesn't seem to be the real root cause). Fixes: b8e2b0199cc3 ("drm/fb-helper: factor out pseudo-palette") Cc: Peter Rosin <peda(a)axenita.se> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Daniel Vetter <daniel.vetter(a)intel.com> Cc: Gustavo Padovan <gustavo(a)padovan.org> Cc: Sean Paul <seanpaul(a)chromium.org> Cc: David Airlie <airlied(a)linux.ie> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v4.14+ Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=198123 Reported-by: Deposite Pirate <dpirate(a)metalpunks.info> Reported-by: Bill Fraser <bill.fraser(a)gmail.com> Cc: Deposite Pirate <dpirate(a)metalpunks.info> Cc: Bill Fraser <bill.fraser(a)gmail.com> Cc: Michel Dänzer <michel(a)daenzer.net> Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> --- drivers/gpu/drm/drm_fb_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index 035784ddd133..1c3a200c4a10 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -1295,7 +1295,7 @@ static int setcmap_pseudo_palette(struct fb_cmap *cmap, struct fb_info *info) mask <<= info->var.transp.offset; value |= mask; } - palette[cmap->start + i] = value; + palette[cmap->start] = value; } return 0; -- 2.15.1

6 years, 9 months

2
5
0 0

[Linux-stable-mirror] [PATCH 4.14 000/118] 4.14.14-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.14 release. There are 118 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Jan 17 12:33:32 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.14-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.14-rc1 Thomas Gleixner <tglx(a)linutronix.de> x86/retpoline: Remove compile time warning Peter Zijlstra <peterz(a)infradead.org> x86,perf: Disable intel_bts when PTI W. Trevor King <wking(a)tremily.us> security/Kconfig: Correct the Documentation reference for PTI Thomas Gleixner <tglx(a)linutronix.de> x86/pti: Fix !PCID and sanitize defines Andy Lutomirski <luto(a)kernel.org> selftests/x86: Add test_vsyscall David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline: Fill return stack buffer on vmexit Andi Kleen <ak(a)linux.intel.com> x86/retpoline/irq32: Convert assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/checksum32: Convert assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/xen: Convert Xen hypercall indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/hyperv: Convert assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/ftrace: Convert ftrace assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/entry: Convert entry assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/crypto: Convert crypto assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/spectre: Add boot time option to select Spectre v2 mitigation David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline: Add initial retpoline support Josh Poimboeuf <jpoimboe(a)redhat.com> objtool: Allow alternatives to be ignored Josh Poimboeuf <jpoimboe(a)redhat.com> objtool: Detect jumps to retpoline thunks Dave Hansen <dave.hansen(a)linux.intel.com> x86/pti: Make unpoison of pgd for trusted boot work for real Borislav Petkov <bp(a)suse.de> x86/alternatives: Fix optimize_nops() checking David Woodhouse <dwmw(a)amazon.co.uk> sysfs/cpu: Fix typos in vulnerability documentation Tom Lendacky <thomas.lendacky(a)amd.com> x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC Tom Lendacky <thomas.lendacky(a)amd.com> x86/cpu/AMD: Make LFENCE a serializing instruction Jike Song <albcamus(a)gmail.com> x86/mm/pti: Remove dead logic in pti_user_pagetable_walk*() Dave Hansen <dave.hansen(a)linux.intel.com> x86/tboot: Unbreak tboot with PTI enabled Thomas Gleixner <tglx(a)linutronix.de> x86/cpu: Implement CPU vulnerabilites sysfs functions Thomas Gleixner <tglx(a)linutronix.de> sysfs/cpu: Add vulnerability folder David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] Dave Hansen <dave.hansen(a)linux.intel.com> x86/Documentation: Add PTI description Jiri Kosina <jkosina(a)suse.cz> x86/pti: Unbreak EFI old_memmap Benjamin Poirier <bpoirier(a)suse.com> e1000e: Fix e1000_check_for_copper_link_ich8lan return value. John Johansen <john.johansen(a)canonical.com> apparmor: fix ptrace label match when matching stacked labels Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> kdump: write correct address of mem_section into vmcoreinfo Hans de Goede <hdegoede(a)redhat.com> mux: core: fix double get_device() Icenowy Zheng <icenowy(a)aosc.io> uas: ignore UAS for Norelsys NS1068(X) chips Ben Seri <ben(a)armis.com> Bluetooth: Prevent stack info leak from the EFS element. Viktor Slavkovic <viktors(a)google.com> staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl Shuah Khan <shuah(a)kernel.org> usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer Shuah Khan <shuah(a)kernel.org> usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input Shuah Khan <shuah(a)kernel.org> usbip: remove kernel addresses from usb device and urb debug msgs Alan Stern <stern(a)rowland.harvard.edu> USB: UDC core: fix double-free in usb_add_gadget_udc_release Pete Zaitcev <zaitcev(a)redhat.com> USB: fix usbmon BUG trigger Stefan Agner <stefan(a)agner.ch> usb: misc: usb3503: make sure reset is low for at least 100us Christian Holl <cyborgx1(a)gmail.com> USB: serial: cp210x: add new device ID ELV ALC 8xxx Diego Elio Pettenò <flameeyes(a)flameeyes.eu> USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ Daniel Borkmann <daniel(a)iogearbox.net> bpf: arsh is not supported in 32 bit alu thus reject it Daniel Borkmann <daniel(a)iogearbox.net> bpf, array: fix overflow in max_entries and undefined behavior in index_mask Alexei Starovoitov <ast(a)kernel.org> bpf: prevent out-of-bounds speculation Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Fix init_clock_gating for resume Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Move init_clock_gating() back to where it was Kenneth Graunke <kenneth(a)whitecape.org> drm/i915: Whitelist SLICE_COMMON_ECO_CHICKEN1 on Geminilake. Zhi Wang <zhi.a.wang(a)intel.com> drm/i915/gvt: Clear the shadow page table entry after post-sync Dan Carpenter <dan.carpenter(a)oracle.com> drm/vmwgfx: Potential off by one in vmw_view_add() Thomas Hellstrom <thellstrom(a)vmware.com> drm/vmwgfx: Don't cache framebuffer maps David Gibson <david(a)gibson.dropbear.id.au> KVM: PPC: Book3S HV: Always flush TLB in kvmppc_alloc_reset_hpt() Serhii Popovych <spopovyc(a)redhat.com> KVM: PPC: Book3S HV: Fix use after free in case of multiple resize requests Serhii Popovych <spopovyc(a)redhat.com> KVM: PPC: Book3S HV: Drop prepare_done from struct kvm_resize_hpt Alexey Kardashevskiy <aik(a)ozlabs.ru> KVM: PPC: Book3S PR: Fix WIMG handling under pHyp Andrew Honig <ahonig(a)google.com> KVM: x86: Add memory barrier on vmcs field lookup Jia Zhang <qianyue.zj(a)alibaba-inc.com> x86/microcode/intel: Extend BDW late-loading with a revision check Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> iwlwifi: pcie: fix DMA memory mapping / unmapping Ilya Dryomov <idryomov(a)gmail.com> rbd: set max_segments to USHRT_MAX Florian Margaine <florian(a)platform.sh> rbd: reacquire lock should update lock owner client id Masaharu Hayakawa <masaharu.hayakawa.ry(a)renesas.com> mmc: renesas_sdhi: Add MODULE_LICENSE Eric Biggers <ebiggers(a)google.com> crypto: algapi - fix NULL dereference in crypto_remove_spawns() Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> membarrier: Disable preemption when calling smp_call_function_many() David S. Miller <davem(a)davemloft.net> Revert "Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find."" Russell King <rmk+kernel(a)armlinux.org.uk> sfp: fix sfp-bus oops when removing socket/upstream Ido Schimmel <idosch(a)mellanox.com> mlxsw: spectrum: Relax sanity checks during enslavement Mathieu Xhonneux <m.xhonneux(a)gmail.com> ipv6: sr: fix TLVs not being copied using setsockopt Roi Dayan <roid(a)mellanox.com> net/sched: Fix update of lastuse in act modules implementing stats_update Ido Schimmel <idosch(a)mellanox.com> mlxsw: spectrum_router: Fix NULL pointer deref Stephen Hemminger <stephen(a)networkplumber.org> ethtool: do not print warning for applications using legacy API Eric Dumazet <edumazet(a)google.com> ipv6: fix possible mem leaks in ipv6_make_skb() Sergei Shtylyov <sergei.shtylyov(a)cogentembedded.com> sh_eth: fix SH7757 GEther initialization Jerome Brunet <jbrunet(a)baylibre.com> net: stmmac: enable EEE in MII, GMII or RGMII only Sergei Shtylyov <sergei.shtylyov(a)cogentembedded.com> sh_eth: fix TSU resource handling Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> sctp: fix the handling of ICMP Frag Needed for too small MTUs Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> sctp: do not retransmit upon FragNeeded if PMTU discovery is disabled Fugang Duan <fugang.duan(a)nxp.com> net: fec: free/restore resource in related probe error pathes Fugang Duan <fugang.duan(a)nxp.com> net: fec: defer probe if regulator is not ready Fugang Duan <fugang.duan(a)nxp.com> net: fec: restore dev_id in the cases of probe error Mohamed Ghannam <simo.ghannam(a)gmail.com> RDS: null pointer dereference in rds_atomic_free_op Mohamed Ghannam <simo.ghannam(a)gmail.com> RDS: Heap OOB write in rds_message_alloc_sgs() Russell King <rmk+kernel(a)armlinux.org.uk> phylink: ensure we report link down when LOS asserted Andrii Vladyka <tulup(a)mail.ru> net: core: fix module type in sock_diag_bind Eli Cooper <elicooper(a)gmx.com> ip6_tunnel: disable dst caching if tunnel is dual-stack Cong Wang <xiyou.wangcong(a)gmail.com> 8021q: fix a memory leak for VLAN 0 device Vikas C Sajjan <vikas.cha.sajjan(a)hpe.com> x86/acpi: Reduce code duplication in mp_override_legacy_irq() Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Fix racy hw constraints adjustment Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Fix inconsistent format due to incomplete rule Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Release cable upon open error path Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Allow aborting mutex lock at OSS read/write loops Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Abort properly at pending signal in OSS read/write loops Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Add missing error checks in OSS emulation plugin builder Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Workaround for weird PulseAudio behavior on rewind error Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Remove incorrect snd_BUG_ON() usages Vikas C Sajjan <vikas.cha.sajjan(a)hpe.com> x86/acpi: Handle SCI interrupts above legacy space gracefully Steve Wise <swise(a)opengridcomputing.com> iw_cxgb4: when flushing, complete all wrs in a chain Steve Wise <swise(a)opengridcomputing.com> iw_cxgb4: reflect the original WR opcode in drain cqes Steve Wise <swise(a)opengridcomputing.com> iw_cxgb4: only clear the ARMED bit if a notification is needed Steve Wise <swise(a)opengridcomputing.com> iw_cxgb4: atomically flush the qp Steve Wise <swise(a)opengridcomputing.com> iw_cxgb4: only call the cq comp_handler when the cq is armed Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> platform/x86: wmi: Call acpi_wmi_init() later Jim Mattson <jmattson(a)google.com> kvm: vmx: Scrub hardware GPRs at VM-exit Tejun Heo <tj(a)kernel.org> cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC Maciej W. Rozycki <macro(a)mips.com> MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses Maciej W. Rozycki <macro(a)mips.com> MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET Maciej W. Rozycki <macro(a)mips.com> MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA Maciej W. Rozycki <macro(a)mips.com> MIPS: Consistently handle buffer counter with PTRACE_SETREGSET Maciej W. Rozycki <macro(a)mips.com> MIPS: Guard against any partial write attempt with PTRACE_SETREGSET Maciej W. Rozycki <macro(a)mips.com> MIPS: Factor out NT_PRFPREG regset access helpers Maciej W. Rozycki <macro(a)mips.com> MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task Bart Van Assche <bart.vanassche(a)wdc.com> IB/srpt: Fix ACL lookup during login Bart Van Assche <bart.vanassche(a)wdc.com> IB/srpt: Disable RDMA access by the initiator Wolfgang Grandegger <wg(a)grandegger.com> can: gs_usb: fix return value of the "set_bittiming" callback Oliver Hartkopp <socketcan(a)hartkopp.net> can: vxcan: improve handling of missing peer name attribute Wanpeng Li <wanpeng.li(a)hotmail.com> KVM: Fix stack-out-of-bounds read in write_mmio Suren Baghdasaryan <surenb(a)google.com> dm bufio: fix shrinker scans when (nr_to_scan < retain_target) ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 16 + Documentation/admin-guide/kernel-parameters.txt | 49 +- Documentation/x86/pti.txt | 186 ++++++++ Makefile | 4 +- arch/mips/kernel/process.c | 12 + arch/mips/kernel/ptrace.c | 147 ++++-- arch/powerpc/kvm/book3s_64_mmu.c | 1 + arch/powerpc/kvm/book3s_64_mmu_hv.c | 90 ++-- arch/powerpc/kvm/book3s_pr.c | 2 + arch/x86/Kconfig | 14 + arch/x86/Makefile | 8 + arch/x86/crypto/aesni-intel_asm.S | 5 +- arch/x86/crypto/camellia-aesni-avx-asm_64.S | 3 +- arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 3 +- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 3 +- arch/x86/entry/calling.h | 36 +- arch/x86/entry/entry_32.S | 5 +- arch/x86/entry/entry_64.S | 12 +- arch/x86/events/intel/bts.c | 18 + arch/x86/include/asm/asm-prototypes.h | 25 ++ arch/x86/include/asm/cpufeatures.h | 4 + arch/x86/include/asm/mshyperv.h | 18 +- arch/x86/include/asm/msr-index.h | 3 + arch/x86/include/asm/nospec-branch.h | 214 +++++++++ arch/x86/include/asm/processor-flags.h | 2 +- arch/x86/include/asm/tlbflush.h | 6 +- arch/x86/include/asm/xen/hypercall.h | 5 +- arch/x86/kernel/acpi/boot.c | 61 ++- arch/x86/kernel/alternative.c | 7 +- arch/x86/kernel/cpu/amd.c | 28 +- arch/x86/kernel/cpu/bugs.c | 185 ++++++++ arch/x86/kernel/cpu/common.c | 3 + arch/x86/kernel/cpu/microcode/intel.c | 13 +- arch/x86/kernel/ftrace_32.S | 6 +- arch/x86/kernel/ftrace_64.S | 8 +- arch/x86/kernel/irq_32.c | 9 +- arch/x86/kernel/tboot.c | 11 + arch/x86/kvm/svm.c | 23 + arch/x86/kvm/vmx.c | 30 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lib/Makefile | 1 + arch/x86/lib/checksum_32.S | 7 +- arch/x86/lib/retpoline.S | 48 ++ arch/x86/mm/pti.c | 32 +- arch/x86/platform/efi/efi_64.c | 2 + crypto/algapi.c | 12 + drivers/base/Kconfig | 3 + drivers/base/cpu.c | 48 ++ drivers/block/rbd.c | 18 +- drivers/gpu/drm/i915/gvt/gtt.c | 5 +- drivers/gpu/drm/i915/i915_drv.c | 1 + drivers/gpu/drm/i915/i915_reg.h | 2 + drivers/gpu/drm/i915/intel_display.c | 14 +- drivers/gpu/drm/i915/intel_engine_cs.c | 5 + drivers/gpu/drm/i915/intel_pm.c | 44 +- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 - drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 41 +- drivers/infiniband/hw/cxgb4/cq.c | 7 +- drivers/infiniband/hw/cxgb4/ev.c | 8 +- drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 - drivers/infiniband/hw/cxgb4/qp.c | 119 +++-- drivers/infiniband/hw/cxgb4/t4.h | 6 + drivers/infiniband/ulp/srpt/ib_srpt.c | 5 +- drivers/md/dm-bufio.c | 8 +- drivers/mmc/host/renesas_sdhi_core.c | 3 + drivers/mux/core.c | 4 +- drivers/net/can/usb/gs_usb.c | 2 +- drivers/net/can/vxcan.c | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 +- drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 11 +- drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 2 + .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +- .../ethernet/mellanox/mlxsw/spectrum_switchdev.c | 6 + drivers/net/ethernet/renesas/sh_eth.c | 29 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 + drivers/net/phy/phylink.c | 3 +- drivers/net/phy/sfp-bus.c | 6 +- drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 10 +- drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 11 +- drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 8 +- drivers/platform/x86/wmi.c | 2 +- drivers/staging/android/ashmem.c | 2 + drivers/usb/gadget/udc/core.c | 28 +- drivers/usb/misc/usb3503.c | 2 + drivers/usb/mon/mon_bin.c | 8 +- drivers/usb/serial/cp210x.c | 2 + drivers/usb/storage/unusual_uas.h | 7 + drivers/usb/usbip/usbip_common.c | 17 +- drivers/usb/usbip/vudc_rx.c | 19 + drivers/usb/usbip/vudc_tx.c | 11 +- include/linux/bpf.h | 2 + include/linux/cpu.h | 7 + include/linux/crash_core.h | 2 + include/linux/sh_eth.h | 1 - include/net/sctp/structs.h | 2 +- include/trace/events/kvm.h | 7 +- kernel/bpf/arraymap.c | 61 ++- kernel/bpf/verifier.c | 41 ++ kernel/cgroup/cgroup.c | 14 +- kernel/crash_core.c | 2 +- kernel/sched/membarrier.c | 2 + net/8021q/vlan.c | 7 +- net/bluetooth/l2cap_core.c | 20 +- net/core/ethtool.c | 15 +- net/core/sock_diag.c | 2 +- net/ipv6/exthdrs.c | 9 + net/ipv6/ip6_output.c | 5 +- net/ipv6/ip6_tunnel.c | 9 +- net/rds/rdma.c | 4 + net/sched/act_gact.c | 2 +- net/sched/act_mirred.c | 2 +- net/sctp/input.c | 28 +- net/sctp/transport.c | 29 +- net/xfrm/xfrm_policy.c | 29 +- security/Kconfig | 2 +- security/apparmor/include/perms.h | 3 + security/apparmor/ipc.c | 53 ++- sound/core/oss/pcm_oss.c | 41 +- sound/core/oss/pcm_plugin.c | 14 +- sound/core/pcm_lib.c | 4 +- sound/core/pcm_native.c | 9 +- sound/drivers/aloop.c | 98 ++-- tools/objtool/check.c | 69 ++- tools/objtool/check.h | 2 +- tools/testing/selftests/bpf/test_verifier.c | 40 ++ tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/test_vsyscall.c | 500 +++++++++++++++++++++ virt/kvm/arm/mmio.c | 6 +- 131 files changed, 2536 insertions(+), 561 deletions(-)

6 years, 9 months

11
132
0 0

[Linux-stable-mirror] + proc-fix-coredump-vs-read-proc-stat-race.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: proc: fix coredump vs read /proc/*/stat race has been added to the -mm tree. Its filename is proc-fix-coredump-vs-read-proc-stat-race.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/proc-fix-coredump-vs-read-proc-sta… and later at http://ozlabs.org/~akpm/mmotm/broken-out/proc-fix-coredump-vs-read-proc-sta… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Alexey Dobriyan <adobriyan(a)gmail.com> Subject: proc: fix coredump vs read /proc/*/stat race do_task_stat() accesses IP and SP of a task without bumping reference count of a stack (which became an entity with independent lifetime at some point). Steps to reproduce: #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/time.h> #include <sys/resource.h> #include <unistd.h> #include <sys/wait.h> int main(void) { setrlimit(RLIMIT_CORE, &(struct rlimit){}); while (1) { char buf[64]; char buf2[4096]; pid_t pid; int fd; pid = fork(); if (pid == 0) { *(volatile int *)0 = 0; } snprintf(buf, sizeof(buf), "/proc/%u/stat", pid); fd = open(buf, O_RDONLY); read(fd, buf2, sizeof(buf2)); close(fd); waitpid(pid, NULL, 0); } return 0; } BUG: unable to handle kernel paging request at 0000000000003fd8 IP: do_task_stat+0x8b4/0xaf0 PGD 800000003d73e067 P4D 800000003d73e067 PUD 3d558067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 1417 Comm: a.out Not tainted 4.15.0-rc8-dirty #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc27 04/01/2014 RIP: 0010:do_task_stat+0x8b4/0xaf0 RSP: 0018:ffffc90000607cc8 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff88003e0e6680 RCX: ffff88003d6bd500 RDX: 0000000000000001 RSI: 000000000000000d RDI: ffff88003c1f8000 RBP: ffff88003c1f8000 R08: 0000000000000001 R09: 0000000000001000 R10: 00007f4d79555460 R11: ffff88003c325800 R12: ffff88003d7643c0 R13: ffffffff81a28f80 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f4d79772700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000003fd8 CR3: 000000003d9c0000 CR4: 00000000000006b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? flush_tlb_mm_range+0x8b/0x100 proc_single_show+0x43/0x70 seq_read+0xe6/0x3b0 __vfs_read+0x1e/0x120 ? __check_object_size+0xa4/0x180 vfs_read+0x84/0x110 SyS_read+0x3d/0xa0 entry_SYSCALL_64_fastpath+0x13/0x6c RIP: 0033:0x7f4d7928cba0 RSP: 002b:00007ffddb245158 EFLAGS: 00000246 Code: 03 b7 a0 01 00 00 4c 8b 4c 24 70 4c 8b 44 24 78 4c 89 74 24 18 e9 91 f9 ff ff f6 45 4d 02 0f 84 fd f7 ff ff 48 8b 45 40 48 89 ef <48> 8b 80 d8 3f 00 00 48 89 44 24 20 e8 9b 97 eb ff 48 89 44 24 RIP: do_task_stat+0x8b4/0xaf0 RSP: ffffc90000607cc8 CR2: 0000000000003fd8 Link: http://lkml.kernel.org/r/20180116175054.GA11513@avx2 Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com> Reported-by: "Kohli, Gaurav" <gkohli(a)codeaurora.org> Cc: John Ogness <john.ogness(a)linutronix.de> Cc: Peter Zijlstra <a.p.zijlstra(a)chello.nl> Cc: Ingo Molnar <mingo(a)elte.hu> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/array.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff -puN fs/proc/array.c~proc-fix-coredump-vs-read-proc-stat-race fs/proc/array.c --- a/fs/proc/array.c~proc-fix-coredump-vs-read-proc-stat-race +++ a/fs/proc/array.c @@ -430,8 +430,11 @@ static int do_task_stat(struct seq_file * safe because the task has stopped executing permanently. */ if (permitted && (task->flags & PF_DUMPCORE)) { - eip = KSTK_EIP(task); - esp = KSTK_ESP(task); + if (try_get_task_stack(task)) { + eip = KSTK_EIP(task); + esp = KSTK_ESP(task); + put_task_stack(task); + } } } _ Patches currently in -mm which might be from adobriyan(a)gmail.com are proc-fix-coredump-vs-read-proc-stat-race.patch proc-use-%u-for-pid-printing-and-slightly-less-stack.patch proc-dont-use-read_once-write_once-for-proc-fail-nth.patch proc-fix-proc-map_files-lookup.patch proc-simpler-proc-vmcore-cleanup.patch proc-less-memory-for-proc-map_files-readdir.patch proc-delete-children_seq_release.patch proc-rearrange-struct-proc_dir_entry.patch proc-fixup-comment.patch proc-spread-__ro_after_init.patch proc-spread-likely-unlikely-a-bit.patch proc-rearrange-args.patch uuid-cleanup-uapi-linux-uuidh.patch elf-fix-nt_file-integer-overflow.patch seq_file-delete-small-value-optimization.patch cpumask-make-cpumask_size-return-unsigned-int.patch

6 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 4.9 00/96] 4.9.77-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.77 release. There are 96 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Jan 17 12:33:26 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.77-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.77-rc1 Thomas Gleixner <tglx(a)linutronix.de> x86/retpoline: Remove compile time warning Andy Lutomirski <luto(a)kernel.org> selftests/x86: Add test_vsyscall David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline: Fill return stack buffer on vmexit Andi Kleen <ak(a)linux.intel.com> x86/retpoline/irq32: Convert assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/checksum32: Convert assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/xen: Convert Xen hypercall indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/hyperv: Convert assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/ftrace: Convert ftrace assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/entry: Convert entry assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline/crypto: Convert crypto assembler indirect jumps David Woodhouse <dwmw(a)amazon.co.uk> x86/spectre: Add boot time option to select Spectre v2 mitigation David Woodhouse <dwmw(a)amazon.co.uk> x86/retpoline: Add initial retpoline support Andrey Ryabinin <aryabinin(a)virtuozzo.com> x86/asm: Use register variable to get stack pointer value Josh Poimboeuf <jpoimboe(a)redhat.com> objtool: Allow alternatives to be ignored Josh Poimboeuf <jpoimboe(a)redhat.com> objtool: Detect jumps to retpoline thunks Josh Poimboeuf <jpoimboe(a)redhat.com> objtool, modules: Discard objtool annotation sections for modules Andy Lutomirski <luto(a)kernel.org> x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier David Woodhouse <dwmw(a)amazon.co.uk> x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm Borislav Petkov <bp(a)suse.de> x86/alternatives: Fix optimize_nops() checking David Woodhouse <dwmw(a)amazon.co.uk> sysfs/cpu: Fix typos in vulnerability documentation Tom Lendacky <thomas.lendacky(a)amd.com> x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC Tom Lendacky <thomas.lendacky(a)amd.com> x86/cpu/AMD: Make LFENCE a serializing instruction Thomas Gleixner <tglx(a)linutronix.de> x86/cpu: Implement CPU vulnerabilites sysfs functions Thomas Gleixner <tglx(a)linutronix.de> sysfs/cpu: Add vulnerability folder Borislav Petkov <bp(a)suse.de> x86/cpu: Merge bugs.c and bugs_64.c David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] Thomas Gleixner <tglx(a)linutronix.de> x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN Thomas Gleixner <tglx(a)linutronix.de> x86/cpufeatures: Add X86_BUG_CPU_INSECURE Thomas Gleixner <tglx(a)linutronix.de> x86/cpufeatures: Make CPU bugs sticky Andy Lutomirski <luto(a)kernel.org> x86/cpu: Factor out application of forced CPU caps Dave Hansen <dave.hansen(a)linux.intel.com> x86/Documentation: Add PTI description Benjamin Poirier <bpoirier(a)suse.com> e1000e: Fix e1000_check_for_copper_link_ich8lan return value. Icenowy Zheng <icenowy(a)aosc.io> uas: ignore UAS for Norelsys NS1068(X) chips Ben Seri <ben(a)armis.com> Bluetooth: Prevent stack info leak from the EFS element. Viktor Slavkovic <viktors(a)google.com> staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl Shuah Khan <shuah(a)kernel.org> usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer Shuah Khan <shuah(a)kernel.org> usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input Shuah Khan <shuah(a)kernel.org> usbip: remove kernel addresses from usb device and urb debug msgs Pete Zaitcev <zaitcev(a)redhat.com> USB: fix usbmon BUG trigger Stefan Agner <stefan(a)agner.ch> usb: misc: usb3503: make sure reset is low for at least 100us Christian Holl <cyborgx1(a)gmail.com> USB: serial: cp210x: add new device ID ELV ALC 8xxx Diego Elio Pettenò <flameeyes(a)flameeyes.eu> USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ Daniel Borkmann <daniel(a)iogearbox.net> bpf, array: fix overflow in max_entries and undefined behavior in index_mask Alexei Starovoitov <ast(a)kernel.org> bpf: prevent out-of-bounds speculation Alexei Starovoitov <ast(a)fb.com> bpf: refactor fixup_bpf_calls() Alexei Starovoitov <ast(a)fb.com> bpf: move fixup_bpf_calls() function Nicholas Bellinger <nab(a)linux-iscsi.org> target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK Nicholas Bellinger <nab(a)linux-iscsi.org> iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref Lepton Wu <ytht.net(a)gmail.com> kaiser: Set _PAGE_NX only if supported Dan Carpenter <dan.carpenter(a)oracle.com> drm/vmwgfx: Potential off by one in vmw_view_add() Andrew Honig <ahonig(a)google.com> KVM: x86: Add memory barrier on vmcs field lookup Jia Zhang <qianyue.zj(a)alibaba-inc.com> x86/microcode/intel: Extend BDW late-loading with a revision check Ilya Dryomov <idryomov(a)gmail.com> rbd: set max_segments to USHRT_MAX Eric Biggers <ebiggers(a)google.com> crypto: algapi - fix NULL dereference in crypto_remove_spawns() Roi Dayan <roid(a)mellanox.com> net/sched: Fix update of lastuse in act modules implementing stats_update Ido Schimmel <idosch(a)mellanox.com> mlxsw: spectrum_router: Fix NULL pointer deref Stephen Hemminger <stephen(a)networkplumber.org> ethtool: do not print warning for applications using legacy API Eric Dumazet <edumazet(a)google.com> ipv6: fix possible mem leaks in ipv6_make_skb() Jerome Brunet <jbrunet(a)baylibre.com> net: stmmac: enable EEE in MII, GMII or RGMII only Sergei Shtylyov <sergei.shtylyov(a)cogentembedded.com> sh_eth: fix SH7757 GEther initialization Sergei Shtylyov <sergei.shtylyov(a)cogentembedded.com> sh_eth: fix TSU resource handling Mohamed Ghannam <simo.ghannam(a)gmail.com> RDS: null pointer dereference in rds_atomic_free_op Mohamed Ghannam <simo.ghannam(a)gmail.com> RDS: Heap OOB write in rds_message_alloc_sgs() Andrii Vladyka <tulup(a)mail.ru> net: core: fix module type in sock_diag_bind Eli Cooper <elicooper(a)gmx.com> ip6_tunnel: disable dst caching if tunnel is dual-stack Cong Wang <xiyou.wangcong(a)gmail.com> 8021q: fix a memory leak for VLAN 0 device Ben Hutchings <ben.hutchings(a)codethink.co.uk> xhci: Fix ring leak in failure path of xhci_alloc_virt_device() Eric Dumazet <edumazet(a)google.com> cx82310_eth: use skb_cow_head() to deal with cloned skbs Eric Dumazet <edumazet(a)google.com> smsc75xx: use skb_cow_head() to deal with cloned skbs Eric Dumazet <edumazet(a)google.com> sr9700: use skb_cow_head() to deal with cloned skbs Eric Dumazet <edumazet(a)google.com> lan78xx: use skb_cow_head() to deal with cloned skbs Dan Streetman <ddstreet(a)ieee.org> zswap: don't param_set_charp while holding spinlock Vikas C Sajjan <vikas.cha.sajjan(a)hpe.com> x86/acpi: Reduce code duplication in mp_override_legacy_irq() Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Fix racy hw constraints adjustment Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Fix inconsistent format due to incomplete rule Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Release cable upon open error path Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Allow aborting mutex lock at OSS read/write loops Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Abort properly at pending signal in OSS read/write loops Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Add missing error checks in OSS emulation plugin builder Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Remove incorrect snd_BUG_ON() usages Vikas C Sajjan <vikas.cha.sajjan(a)hpe.com> x86/acpi: Handle SCI interrupts above legacy space gracefully Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> platform/x86: wmi: Call acpi_wmi_init() later Jim Mattson <jmattson(a)google.com> kvm: vmx: Scrub hardware GPRs at VM-exit Maciej W. Rozycki <macro(a)mips.com> MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses Maciej W. Rozycki <macro(a)mips.com> MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET Maciej W. Rozycki <macro(a)mips.com> MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA Maciej W. Rozycki <macro(a)mips.com> MIPS: Consistently handle buffer counter with PTRACE_SETREGSET Maciej W. Rozycki <macro(a)mips.com> MIPS: Guard against any partial write attempt with PTRACE_SETREGSET Maciej W. Rozycki <macro(a)mips.com> MIPS: Factor out NT_PRFPREG regset access helpers Maciej W. Rozycki <macro(a)mips.com> MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task Bart Van Assche <bart.vanassche(a)wdc.com> IB/srpt: Disable RDMA access by the initiator Wolfgang Grandegger <wg(a)grandegger.com> can: gs_usb: fix return value of the "set_bittiming" callback Wanpeng Li <wanpeng.li(a)hotmail.com> KVM: Fix stack-out-of-bounds read in write_mmio Vasanthakumar Thiagarajan <vthiagar(a)qti.qualcomm.com> ath10k: rebuild crypto header in rx data frames David Spinadel <david.spinadel(a)intel.com> mac80211: Add RX flag to indicate ICV stripped Suren Baghdasaryan <surenb(a)google.com> dm bufio: fix shrinker scans when (nr_to_scan < retain_target) ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 16 + Documentation/kernel-parameters.txt | 49 +- Documentation/x86/pti.txt | 186 ++++++++ Makefile | 4 +- arch/arm/kvm/mmio.c | 6 +- arch/mips/kernel/process.c | 12 + arch/mips/kernel/ptrace.c | 147 ++++-- arch/x86/Kconfig | 14 + arch/x86/Makefile | 8 + arch/x86/crypto/aesni-intel_asm.S | 5 +- arch/x86/crypto/camellia-aesni-avx-asm_64.S | 3 +- arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 3 +- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 3 +- arch/x86/entry/entry_32.S | 10 +- arch/x86/entry/entry_64.S | 10 +- arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/asm-prototypes.h | 25 ++ arch/x86/include/asm/asm.h | 11 + arch/x86/include/asm/cpufeature.h | 2 + arch/x86/include/asm/cpufeatures.h | 6 + arch/x86/include/asm/msr-index.h | 3 + arch/x86/include/asm/nospec-branch.h | 214 +++++++++ arch/x86/include/asm/processor.h | 4 +- arch/x86/include/asm/thread_info.h | 11 - arch/x86/include/asm/xen/hypercall.h | 5 +- arch/x86/kernel/acpi/boot.c | 61 ++- arch/x86/kernel/alternative.c | 7 +- arch/x86/kernel/cpu/Makefile | 4 +- arch/x86/kernel/cpu/amd.c | 28 +- arch/x86/kernel/cpu/bugs.c | 219 ++++++++- arch/x86/kernel/cpu/bugs_64.c | 33 -- arch/x86/kernel/cpu/common.c | 39 +- arch/x86/kernel/cpu/microcode/intel.c | 13 +- arch/x86/kernel/irq_32.c | 15 +- arch/x86/kernel/mcount_64.S | 7 +- arch/x86/kernel/traps.c | 2 +- arch/x86/kvm/svm.c | 23 + arch/x86/kvm/vmx.c | 30 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lib/Makefile | 1 + arch/x86/lib/checksum_32.S | 7 +- arch/x86/lib/retpoline.S | 48 ++ arch/x86/mm/kaiser.c | 2 + arch/x86/mm/tlb.c | 2 +- crypto/algapi.c | 12 + drivers/base/Kconfig | 3 + drivers/base/cpu.c | 48 ++ drivers/block/rbd.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 + drivers/hv/hv.c | 11 +- drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +- drivers/md/dm-bufio.c | 7 +- drivers/net/can/usb/gs_usb.c | 2 +- drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 +- .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 4 +- drivers/net/ethernet/renesas/sh_eth.c | 29 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 + drivers/net/usb/cx82310_eth.c | 7 +- drivers/net/usb/lan78xx.c | 9 +- drivers/net/usb/smsc75xx.c | 8 +- drivers/net/usb/sr9700.c | 9 +- drivers/net/wireless/ath/ath10k/htt_rx.c | 105 ++++- drivers/net/wireless/ath/ath10k/rx_desc.h | 3 + drivers/platform/x86/wmi.c | 2 +- drivers/staging/android/ashmem.c | 2 + drivers/target/iscsi/iscsi_target.c | 20 +- drivers/target/target_core_tmr.c | 9 + drivers/target/target_core_transport.c | 2 + drivers/usb/host/xhci-mem.c | 3 +- drivers/usb/misc/usb3503.c | 2 + drivers/usb/mon/mon_bin.c | 8 +- drivers/usb/serial/cp210x.c | 2 + drivers/usb/storage/unusual_uas.h | 7 + drivers/usb/usbip/usbip_common.c | 17 +- drivers/usb/usbip/vudc_rx.c | 19 + drivers/usb/usbip/vudc_tx.c | 11 +- include/linux/bpf.h | 2 + include/linux/bpf_verifier.h | 5 +- include/linux/cpu.h | 7 + include/linux/frame.h | 2 +- include/linux/phy.h | 11 + include/linux/sh_eth.h | 1 - include/net/mac80211.h | 5 +- include/target/target_core_base.h | 1 + include/trace/events/kvm.h | 7 +- kernel/bpf/arraymap.c | 45 +- kernel/bpf/syscall.c | 54 --- kernel/bpf/verifier.c | 89 +++- mm/zswap.c | 12 +- net/8021q/vlan.c | 7 +- net/bluetooth/l2cap_core.c | 20 +- net/core/ethtool.c | 15 +- net/core/sock_diag.c | 2 +- net/ipv6/ip6_output.c | 5 +- net/ipv6/ip6_tunnel.c | 9 +- net/mac80211/wep.c | 3 +- net/mac80211/wpa.c | 3 +- net/rds/rdma.c | 4 + net/sched/act_gact.c | 2 +- net/sched/act_mirred.c | 2 +- scripts/mod/modpost.c | 1 + scripts/module-common.lds | 5 +- sound/core/oss/pcm_oss.c | 41 +- sound/core/oss/pcm_plugin.c | 14 +- sound/core/pcm_lib.c | 4 +- sound/drivers/aloop.c | 98 ++-- tools/objtool/builtin-check.c | 73 ++- tools/testing/selftests/x86/test_vsyscall.c | 500 +++++++++++++++++++++ 108 files changed, 2286 insertions(+), 458 deletions(-)

6 years, 9 months

7
103
0 0

[Linux-stable-mirror] [PATCH 3.18 00/46] 3.18.92-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 3.18.92 release. There are 46 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Jan 17 12:32:57 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.92-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 3.18.92-rc1 Benjamin Poirier <bpoirier(a)suse.com> e1000e: Fix e1000_check_for_copper_link_ich8lan return value. Icenowy Zheng <icenowy(a)aosc.io> uas: ignore UAS for Norelsys NS1068(X) chips Ben Seri <ben(a)armis.com> Bluetooth: Prevent stack info leak from the EFS element. Viktor Slavkovic <viktors(a)google.com> staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl Shuah Khan <shuahkh(a)osg.samsung.com> usbip: remove kernel addresses from usb device and urb debug msgs Pete Zaitcev <zaitcev(a)redhat.com> USB: fix usbmon BUG trigger Stefan Agner <stefan(a)agner.ch> usb: misc: usb3503: make sure reset is low for at least 100us Christian Holl <cyborgx1(a)gmail.com> USB: serial: cp210x: add new device ID ELV ALC 8xxx Diego Elio Pettenò <flameeyes(a)flameeyes.eu> USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "can: kvaser_usb: free buf in error paths" Nicholas Bellinger <nab(a)linux-iscsi.org> target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK Nicholas Bellinger <nab(a)linux-iscsi.org> iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref Jia Zhang <qianyue.zj(a)alibaba-inc.com> x86/microcode/intel: Extend BDW late-loading with a revision check Eric Biggers <ebiggers(a)google.com> crypto: algapi - fix NULL dereference in crypto_remove_spawns() Jerome Brunet <jbrunet(a)baylibre.com> net: stmmac: enable EEE in MII, GMII or RGMII only Sergei Shtylyov <sergei.shtylyov(a)cogentembedded.com> sh_eth: fix SH7757 GEther initialization Sergei Shtylyov <sergei.shtylyov(a)cogentembedded.com> sh_eth: fix TSU resource handling Mohamed Ghannam <simo.ghannam(a)gmail.com> RDS: null pointer dereference in rds_atomic_free_op Mohamed Ghannam <simo.ghannam(a)gmail.com> RDS: Heap OOB write in rds_message_alloc_sgs() Cong Wang <xiyou.wangcong(a)gmail.com> 8021q: fix a memory leak for VLAN 0 device Vikas C Sajjan <vikas.cha.sajjan(a)hpe.com> x86/acpi: Reduce code duplication in mp_override_legacy_irq() Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Fix racy hw constraints adjustment Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Fix inconsistent format due to incomplete rule Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Release cable upon open error path Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Allow aborting mutex lock at OSS read/write loops Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Abort properly at pending signal in OSS read/write loops Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Add missing error checks in OSS emulation plugin builder Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Remove incorrect snd_BUG_ON() usages Vikas C Sajjan <vikas.cha.sajjan(a)hpe.com> x86/acpi: Handle SCI interrupts above legacy space gracefully Jim Mattson <jmattson(a)google.com> kvm: vmx: Scrub hardware GPRs at VM-exit Peter Zijlstra <peterz(a)infradead.org> perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race Maciej W. Rozycki <macro(a)mips.com> MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET Maciej W. Rozycki <macro(a)mips.com> MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses Maciej W. Rozycki <macro(a)mips.com> MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA Maciej W. Rozycki <macro(a)mips.com> MIPS: Consistently handle buffer counter with PTRACE_SETREGSET Maciej W. Rozycki <macro(a)mips.com> MIPS: Guard against any partial write attempt with PTRACE_SETREGSET Maciej W. Rozycki <macro(a)mips.com> MIPS: Factor out NT_PRFPREG regset access helpers Bart Van Assche <bart.vanassche(a)wdc.com> IB/srpt: Disable RDMA access by the initiator Wolfgang Grandegger <wg(a)grandegger.com> can: gs_usb: fix return value of the "set_bittiming" callback Aaron Ma <aaron.ma(a)canonical.com> Input: elantech - add new icbody type 15 Oleg Nesterov <oleg(a)redhat.com> kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal() Oleg Nesterov <oleg(a)redhat.com> kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals Oleg Nesterov <oleg(a)redhat.com> kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL David Howells <dhowells(a)redhat.com> fscache: Fix the default for fscache_maybe_release_page() Jan Engelhardt <jengelh(a)inai.de> crypto: n2 - cure use after free Oleg Nesterov <oleg(a)redhat.com> kernel/acct.c: fix the acct->needcheck check in check_free_space() ------------- Diffstat: Makefile | 4 +- arch/mips/kernel/ptrace.c | 147 ++++++++++++++++++---- arch/x86/kernel/acpi/boot.c | 60 +++++---- arch/x86/kernel/cpu/microcode/intel.c | 13 +- arch/x86/kvm/svm.c | 19 +++ arch/x86/kvm/vmx.c | 14 ++- crypto/algapi.c | 12 ++ drivers/crypto/n2_core.c | 3 + drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +- drivers/input/mouse/elantech.c | 2 +- drivers/net/can/usb/gs_usb.c | 2 +- drivers/net/can/usb/kvaser_usb.c | 2 - drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 +- drivers/net/ethernet/renesas/sh_eth.c | 29 ++++- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 + drivers/staging/android/ashmem.c | 2 + drivers/target/iscsi/iscsi_target.c | 21 ++-- drivers/target/target_core_tmr.c | 9 ++ drivers/target/target_core_transport.c | 2 + drivers/usb/misc/usb3503.c | 2 + drivers/usb/mon/mon_bin.c | 8 +- drivers/usb/serial/cp210x.c | 2 + drivers/usb/storage/unusual_uas.h | 7 ++ drivers/usb/usbip/usbip_common.c | 17 +-- include/linux/fscache.h | 2 +- include/linux/phy.h | 11 ++ include/linux/sh_eth.h | 1 - include/target/target_core_base.h | 1 + kernel/acct.c | 2 +- kernel/events/core.c | 61 ++++++++- kernel/signal.c | 18 +-- net/8021q/vlan.c | 7 +- net/bluetooth/l2cap_core.c | 20 +-- net/rds/rdma.c | 4 + sound/core/oss/pcm_oss.c | 41 +++--- sound/core/oss/pcm_plugin.c | 14 ++- sound/core/pcm_lib.c | 4 +- sound/drivers/aloop.c | 98 ++++++++------- 38 files changed, 488 insertions(+), 193 deletions(-)

6 years, 9 months

3
47
0 0

[Linux-stable-mirror] [merged] kdump-write-a-correct-address-of-mem_section-into-vmcoreinfo.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: kdump: write correct address of mem_section into vmcoreinfo has been removed from the -mm tree. Its filename was kdump-write-a-correct-address-of-mem_section-into-vmcoreinfo.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Subject: kdump: write correct address of mem_section into vmcoreinfo Depending on configuration mem_section can now be an array or a pointer to an array allocated dynamically. In most cases, we can continue to refer to it as 'mem_section' regardless of what it is. But there's one exception: '&mem_section' means "address of the array" if mem_section is an array, but if mem_section is a pointer, it would mean "address of the pointer". We've stepped onto this in kdump code. VMCOREINFO_SYMBOL(mem_section) writes down address of pointer into vmcoreinfo, not array as we wanted. Let's introduce VMCOREINFO_SYMBOL_ARRAY() that would handle the situation correctly for both cases. Link: http://lkml.kernel.org/r/20180112162532.35896-1-kirill.shutemov@linux.intel… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: 83e3c48729d9 ("mm/sparsemem: Allocate mem_section at runtime for CONFIG_SPARSEMEM_EXTREME=y") Acked-by: Baoquan He <bhe(a)redhat.com> Acked-by: Dave Young <dyoung(a)redhat.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Dave Young <dyoung(a)redhat.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Vivek Goyal <vgoyal(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/crash_core.h | 2 ++ kernel/crash_core.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff -puN include/linux/crash_core.h~kdump-write-a-correct-address-of-mem_section-into-vmcoreinfo include/linux/crash_core.h --- a/include/linux/crash_core.h~kdump-write-a-correct-address-of-mem_section-into-vmcoreinfo +++ a/include/linux/crash_core.h @@ -42,6 +42,8 @@ phys_addr_t paddr_vmcoreinfo_note(void); vmcoreinfo_append_str("PAGESIZE=%ld\n", value) #define VMCOREINFO_SYMBOL(name) \ vmcoreinfo_append_str("SYMBOL(%s)=%lx\n", #name, (unsigned long)&name) +#define VMCOREINFO_SYMBOL_ARRAY(name) \ + vmcoreinfo_append_str("SYMBOL(%s)=%lx\n", #name, (unsigned long)name) #define VMCOREINFO_SIZE(name) \ vmcoreinfo_append_str("SIZE(%s)=%lu\n", #name, \ (unsigned long)sizeof(name)) diff -puN kernel/crash_core.c~kdump-write-a-correct-address-of-mem_section-into-vmcoreinfo kernel/crash_core.c --- a/kernel/crash_core.c~kdump-write-a-correct-address-of-mem_section-into-vmcoreinfo +++ a/kernel/crash_core.c @@ -410,7 +410,7 @@ static int __init crash_save_vmcoreinfo_ VMCOREINFO_SYMBOL(contig_page_data); #endif #ifdef CONFIG_SPARSEMEM - VMCOREINFO_SYMBOL(mem_section); + VMCOREINFO_SYMBOL_ARRAY(mem_section); VMCOREINFO_LENGTH(mem_section, NR_SECTION_ROOTS); VMCOREINFO_STRUCT_SIZE(mem_section); VMCOREINFO_OFFSET(mem_section, section_mem_map); _ Patches currently in -mm which might be from kirill.shutemov(a)linux.intel.com are asm-generic-provide-generic_pmdp_establish.patch arc-use-generic_pmdp_establish-as-pmdp_establish.patch arm-mm-provide-pmdp_establish-helper.patch mips-use-generic_pmdp_establish-as-pmdp_establish.patch x86-mm-provide-pmdp_establish-helper.patch mm-do-not-lose-dirty-and-access-bits-in-pmdp_invalidate.patch mm-use-updated-pmdp_invalidate-interface-to-track-dirty-accessed-bits.patch

6 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH v4] brcmfmac: fix CLM load error for legacy chips when user helper is enabled

by Wright Feng

For legacy chips without CLM blob files, kernel with user helper function returns -EAGAIN when we request_firmware(), and then driver got failed when bringing up legacy chips. We expect the CLM blob file for legacy chip is not existence in firmware path, but the -ENOENT error is transferred to -EAGAIN in firmware_class.c with user helper. Because of that, we continue with CLM data currently present in firmware if getting error from doing request_firmware(). Cc: stable(a)vger.kernel.org # v4.15.y Reviewed-by: Arend van Spriel <arend.vanspriel(a)broadcom.com> Signed-off-by: Wright Feng <wright.feng(a)cypress.com> --- v2: remove retry from patch v1 v3: remove redundant log print v4: modify log print --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c index 6a59d06..9be0b05 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c @@ -182,12 +182,9 @@ static int brcmf_c_process_clm_blob(struct brcmf_if *ifp) err = request_firmware(&clm, clm_name, dev); if (err) { - if (err == -ENOENT) { - brcmf_dbg(INFO, "continue with CLM data currently present in firmware\n"); - return 0; - } - brcmf_err("request CLM blob file failed (%d)\n", err); - return err; + brcmf_info("no clm_blob available(err=%d), device may have limited channels available\n", + err); + return 0; } chunk_buf = kzalloc(sizeof(*chunk_buf) + MAX_CHUNK_LEN - 1, GFP_KERNEL); -- 1.9.1

6 years, 9 months

2
2
0 0

[Linux-stable-mirror] [PATCH 1/2] can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once

by Marc Kleine-Budde

If an invalid CAN frame is received, from a driver or from a tun interface, a Kernel warning is generated. This patch replaces the WARN_ONCE by a simple pr_warn_once, so that a kernel, bootet with panic_on_warn, does not panic. A printk seems to be more appropriate here. Reported-by: syzbot+4386709c0c1284dca827(a)syzkaller.appspotmail.com Suggested-by: Dmitry Vyukov <dvyukov(a)google.com> Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- net/can/af_can.c | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/net/can/af_can.c b/net/can/af_can.c index 003b2d6d655f..ae835382e678 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -721,20 +721,16 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev, { struct canfd_frame *cfd = (struct canfd_frame *)skb->data; - if (WARN_ONCE(dev->type != ARPHRD_CAN || - skb->len != CAN_MTU || - cfd->len > CAN_MAX_DLEN, - "PF_CAN: dropped non conform CAN skbuf: " - "dev type %d, len %d, datalen %d\n", - dev->type, skb->len, cfd->len)) - goto drop; + if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU || + cfd->len > CAN_MAX_DLEN)) { + pr_warn_once("PF_CAN: dropped non conform CAN skbuf: dev type %d, len %d, datalen %d\n", + dev->type, skb->len, cfd->len); + kfree_skb(skb); + return NET_RX_DROP; + } can_receive(skb, dev); return NET_RX_SUCCESS; - -drop: - kfree_skb(skb); - return NET_RX_DROP; } static int canfd_rcv(struct sk_buff *skb, struct net_device *dev, -- 2.15.1

6 years, 9 months

1
1
0 0

[Linux-stable-mirror] [PULL v2 3/3] arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls

by Christoffer Dall

From: Marc Zyngier <marc.zyngier(a)arm.com> KVM doesn't follow the SMCCC when it comes to unimplemented calls, and inject an UNDEF instead of returning an error. Since firmware calls are now used for security mitigation, they are becoming more common, and the undef is counter productive. Instead, let's follow the SMCCC which states that -1 must be returned to the caller when getting an unknown function number. Cc: <stable(a)vger.kernel.org> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- arch/arm64/kvm/handle_exit.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c index 304203fa9e33..e60494f1eef9 100644 --- a/arch/arm64/kvm/handle_exit.c +++ b/arch/arm64/kvm/handle_exit.c @@ -45,7 +45,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run) ret = kvm_psci_call(vcpu); if (ret < 0) { - kvm_inject_undefined(vcpu); + vcpu_set_reg(vcpu, 0, ~0UL); return 1; } @@ -54,7 +54,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run) static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run) { - kvm_inject_undefined(vcpu); + vcpu_set_reg(vcpu, 0, ~0UL); return 1; } -- 2.14.2

6 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PULL v2 1/3] KVM: arm/arm64: Check pagesize when allocating a hugepage at Stage 2

by Christoffer Dall

From: Punit Agrawal <punit.agrawal(a)arm.com> KVM only supports PMD hugepages at stage 2 but doesn't actually check that the provided hugepage memory pagesize is PMD_SIZE before populating stage 2 entries. In cases where the backing hugepage size is smaller than PMD_SIZE (such as when using contiguous hugepages), KVM can end up creating stage 2 mappings that extend beyond the supplied memory. Fix this by checking for the pagesize of userspace vma before creating PMD hugepage at stage 2. Fixes: 66b3923a1a0f77a ("arm64: hugetlb: add support for PTE contiguous bit") Signed-off-by: Punit Agrawal <punit.agrawal(a)arm.com> Cc: Marc Zyngier <marc.zyngier(a)arm.com> Cc: <stable(a)vger.kernel.org> # v4.5+ Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- virt/kvm/arm/mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c index b4b69c2d1012..9dea96380339 100644 --- a/virt/kvm/arm/mmu.c +++ b/virt/kvm/arm/mmu.c @@ -1310,7 +1310,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, return -EFAULT; } - if (is_vm_hugetlb_page(vma) && !logging_active) { + if (vma_kernel_pagesize(vma) == PMD_SIZE && !logging_active) { hugetlb = true; gfn = (fault_ipa & PMD_MASK) >> PAGE_SHIFT; } else { -- 2.14.2

6 years, 9 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror