- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] cifs: integer overflow in in SMB2_ioctl()" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2d204ee9d671327915260071c19350d84344e096 Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)oracle.com> Date: Mon, 10 Sep 2018 14:12:07 +0300 Subject: [PATCH] cifs: integer overflow in in SMB2_ioctl() The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and wrap around to a smaller value which looks like it would lead to an information leak. Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Reviewed-by: Aurelien Aptel <aaptel(a)suse.com> CC: Stable <stable(a)vger.kernel.org> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 6f0e6b42599c..f54d07bda067 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2459,14 +2459,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, /* We check for obvious errors in the output buffer length and offset */ if (*plen == 0) goto ioctl_exit; /* server returned no data */ - else if (*plen > 0xFF00) { + else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) { cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen); *plen = 0; rc = -EIO; goto ioctl_exit; } - if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) { + if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) { cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen, le32_to_cpu(rsp->OutputOffset)); *plen = 0;

7 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] cifs: integer overflow in in SMB2_ioctl()" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2d204ee9d671327915260071c19350d84344e096 Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)oracle.com> Date: Mon, 10 Sep 2018 14:12:07 +0300 Subject: [PATCH] cifs: integer overflow in in SMB2_ioctl() The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and wrap around to a smaller value which looks like it would lead to an information leak. Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Reviewed-by: Aurelien Aptel <aaptel(a)suse.com> CC: Stable <stable(a)vger.kernel.org> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 6f0e6b42599c..f54d07bda067 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2459,14 +2459,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, /* We check for obvious errors in the output buffer length and offset */ if (*plen == 0) goto ioctl_exit; /* server returned no data */ - else if (*plen > 0xFF00) { + else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) { cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen); *plen = 0; rc = -EIO; goto ioctl_exit; } - if (rsp_iov.iov_len < le32_to_cpu(rsp->OutputOffset) + *plen) { + if (rsp_iov.iov_len - *plen < le32_to_cpu(rsp->OutputOffset)) { cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen, le32_to_cpu(rsp->OutputOffset)); *plen = 0;

7 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] dm: disable CRYPTO_TFM_REQ_MAY_SLEEP to fix a GFP_KERNEL" failed to apply to 4.18-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.18-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 432061b3da64e488be3403124a72a9250bbe96d4 Mon Sep 17 00:00:00 2001 From: Mikulas Patocka <mpatocka(a)redhat.com> Date: Wed, 5 Sep 2018 09:17:45 -0400 Subject: [PATCH] dm: disable CRYPTO_TFM_REQ_MAY_SLEEP to fix a GFP_KERNEL recursion deadlock There's a XFS on dm-crypt deadlock, recursing back to itself due to the crypto subsystems use of GFP_KERNEL, reported here: https://bugzilla.kernel.org/show_bug.cgi?id=200835 * dm-crypt calls crypt_convert in xts mode * init_crypt from xts.c calls kmalloc(GFP_KERNEL) * kmalloc(GFP_KERNEL) recurses into the XFS filesystem, the filesystem tries to submit some bios and wait for them, causing a deadlock Fix this by updating both the DM crypt and integrity targets to no longer use the CRYPTO_TFM_REQ_MAY_SLEEP flag, which will change the crypto allocations from GFP_KERNEL to GFP_ATOMIC, therefore they can't recurse into a filesystem. A GFP_ATOMIC allocation can fail, but init_crypt() in xts.c handles the allocation failure gracefully - it will fall back to preallocated buffer if the allocation fails. The crypto API maintainer says that the crypto API only needs to allocate memory when dealing with unaligned buffers and therefore turning CRYPTO_TFM_REQ_MAY_SLEEP off is safe (see this discussion: https://www.redhat.com/archives/dm-devel/2018-August/msg00195.html ) Cc: stable(a)vger.kernel.org Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)redhat.com> diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c index f266c81f396f..0481223b1deb 100644 --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c @@ -332,7 +332,7 @@ static int crypt_iv_essiv_init(struct crypt_config *cc) int err; desc->tfm = essiv->hash_tfm; - desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + desc->flags = 0; err = crypto_shash_digest(desc, cc->key, cc->key_size, essiv->salt); shash_desc_zero(desc); @@ -606,7 +606,7 @@ static int crypt_iv_lmk_one(struct crypt_config *cc, u8 *iv, int i, r; desc->tfm = lmk->hash_tfm; - desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + desc->flags = 0; r = crypto_shash_init(desc); if (r) @@ -768,7 +768,7 @@ static int crypt_iv_tcw_whitening(struct crypt_config *cc, /* calculate crc32 for every 32bit part and xor it */ desc->tfm = tcw->crc32_tfm; - desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + desc->flags = 0; for (i = 0; i < 4; i++) { r = crypto_shash_init(desc); if (r) @@ -1251,7 +1251,7 @@ static void crypt_alloc_req_skcipher(struct crypt_config *cc, * requests if driver request queue is full. */ skcipher_request_set_callback(ctx->r.req, - CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, + CRYPTO_TFM_REQ_MAY_BACKLOG, kcryptd_async_done, dmreq_of_req(cc, ctx->r.req)); } @@ -1268,7 +1268,7 @@ static void crypt_alloc_req_aead(struct crypt_config *cc, * requests if driver request queue is full. */ aead_request_set_callback(ctx->r.req_aead, - CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, + CRYPTO_TFM_REQ_MAY_BACKLOG, kcryptd_async_done, dmreq_of_req(cc, ctx->r.req_aead)); } diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c index 378878599466..89ccb64342de 100644 --- a/drivers/md/dm-integrity.c +++ b/drivers/md/dm-integrity.c @@ -532,7 +532,7 @@ static void section_mac(struct dm_integrity_c *ic, unsigned section, __u8 result unsigned j, size; desc->tfm = ic->journal_mac; - desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + desc->flags = 0; r = crypto_shash_init(desc); if (unlikely(r)) { @@ -676,7 +676,7 @@ static void complete_journal_encrypt(struct crypto_async_request *req, int err) static bool do_crypt(bool encrypt, struct skcipher_request *req, struct journal_completion *comp) { int r; - skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, + skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, complete_journal_encrypt, comp); if (likely(encrypt)) r = crypto_skcipher_encrypt(req);

7 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] mmc: omap_hsmmc: fix wakeirq handling on removal" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 3c398f3c3bef21961eaaeb93227fa66d440dc83d Mon Sep 17 00:00:00 2001 From: Andreas Kemnade <andreas(a)kemnade.info> Date: Sun, 2 Sep 2018 09:30:58 +0200 Subject: [PATCH] mmc: omap_hsmmc: fix wakeirq handling on removal after unbinding mmc I get things like this: [ 185.294067] mmc1: card 0001 removed [ 185.305206] omap_hsmmc 480b4000.mmc: wake IRQ with no resume: -13 The wakeirq stays in /proc-interrupts rebinding shows this: [ 289.795959] genirq: Flags mismatch irq 112. 0000200a (480b4000.mmc:wakeup) vs. 0000200a (480b4000.mmc:wakeup) [ 289.808959] omap_hsmmc 480b4000.mmc: Unable to request wake IRQ [ 289.815338] omap_hsmmc 480b4000.mmc: no SDIO IRQ support, falling back to polling That bug seems to be introduced by switching from devm_request_irq() to generic wakeirq handling. So let us cleanup at removal. Signed-off-by: Andreas Kemnade <andreas(a)kemnade.info> Fixes: 5b83b2234be6 ("mmc: omap_hsmmc: Change wake-up interrupt to use generic wakeirq") Cc: stable(a)vger.kernel.org # v4.2+ Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c index 071693ebfe18..68760d4a5d3d 100644 --- a/drivers/mmc/host/omap_hsmmc.c +++ b/drivers/mmc/host/omap_hsmmc.c @@ -2177,6 +2177,7 @@ static int omap_hsmmc_remove(struct platform_device *pdev) dma_release_channel(host->tx_chan); dma_release_channel(host->rx_chan); + dev_pm_clear_wake_irq(host->dev); pm_runtime_dont_use_autosuspend(host->dev); pm_runtime_put_sync(host->dev); pm_runtime_disable(host->dev);

7 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] iw_cxgb4: only allow 1 flush on user qps" failed to apply to 4.18-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.18-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 308aa2b8f7b7db3332a7d41099fd37851fb793b2 Mon Sep 17 00:00:00 2001 From: Steve Wise <swise(a)opengridcomputing.com> Date: Fri, 31 Aug 2018 07:15:56 -0700 Subject: [PATCH] iw_cxgb4: only allow 1 flush on user qps Once the qp has been flushed, it cannot be flushed again. The user qp flush logic wasn't enforcing it however. The bug can cause touch-after-free crashes like: Unable to handle kernel paging request for data at address 0x000001ec Faulting instruction address: 0xc008000016069100 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4] LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4] Call Trace: [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4] [c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4] [c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core] [c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core] [c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm] [c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm] [c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm] [c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm] [c000000000444da4] __fput+0xe4/0x2f0 So fix flush_qp() to only flush the wq once. Cc: stable(a)vger.kernel.org Signed-off-by: Steve Wise <swise(a)opengridcomputing.com> Signed-off-by: Jason Gunthorpe <jgg(a)mellanox.com> diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c index b3203afa3b1d..347fe18b1a41 100644 --- a/drivers/infiniband/hw/cxgb4/qp.c +++ b/drivers/infiniband/hw/cxgb4/qp.c @@ -1685,6 +1685,12 @@ static void flush_qp(struct c4iw_qp *qhp) schp = to_c4iw_cq(qhp->ibqp.send_cq); if (qhp->ibqp.uobject) { + + /* for user qps, qhp->wq.flushed is protected by qhp->mutex */ + if (qhp->wq.flushed) + return; + + qhp->wq.flushed = 1; t4_set_wq_in_error(&qhp->wq, 0); t4_set_cq_in_error(&rchp->cq); spin_lock_irqsave(&rchp->comp_handler_lock, flag);

7 years, 1 month

1
0
0 0

[char-misc v4.18.y] mei: bus: type promotion bug in mei_nfc_if_version()

by Tomas Winkler

From: Dan Carpenter <dan.carpenter(a)oracle.com> commit b40b3e9358fbafff6a4ba0f4b9658f6617146f9c upstream We accidentally removed the check for negative returns without considering the issue of type promotion. The "if_version_length" variable is type size_t so if __mei_cl_recv() returns a negative then "bytes_recv" is type promoted to a high positive value and treated as success. Cc: <stable(a)vger.kernel.org> v4.18 Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Tomas Winkler <tomas.winkler(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/misc/mei/bus-fixup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/bus-fixup.c b/drivers/misc/mei/bus-fixup.c index 0208c4b027c5..fa0236a5e59a 100644 --- a/drivers/misc/mei/bus-fixup.c +++ b/drivers/misc/mei/bus-fixup.c @@ -267,7 +267,7 @@ static int mei_nfc_if_version(struct mei_cl *cl, ret = 0; bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length, 0); - if (bytes_recv < if_version_length) { + if (bytes_recv < 0 || bytes_recv < if_version_length) { dev_err(bus->dev, "Could not read IF version\n"); ret = -EIO; goto err; -- 2.14.4

7 years, 1 month

1
0
0 0

[char-misc v4.14.y] mei: bus: type promotion bug in mei_nfc_if_version()

by Tomas Winkler

From: Dan Carpenter <dan.carpenter(a)oracle.com> commit b40b3e9358fbafff6a4ba0f4b9658f6617146f9c upstream We accidentally removed the check for negative returns without considering the issue of type promotion. The "if_version_length" variable is type size_t so if __mei_cl_recv() returns a negative then "bytes_recv" is type promoted to a high positive value and treated as success. Cc: <stable(a)vger.kernel.org> # 4.14 Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Tomas Winkler <tomas.winkler(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/misc/mei/bus-fixup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/bus-fixup.c b/drivers/misc/mei/bus-fixup.c index 0208c4b027c5..fa0236a5e59a 100644 --- a/drivers/misc/mei/bus-fixup.c +++ b/drivers/misc/mei/bus-fixup.c @@ -267,7 +267,7 @@ static int mei_nfc_if_version(struct mei_cl *cl, ret = 0; bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length, 0); - if (bytes_recv < if_version_length) { + if (bytes_recv < 0 || bytes_recv < if_version_length) { dev_err(bus->dev, "Could not read IF version\n"); ret = -EIO; goto err; -- 2.14.4

7 years, 1 month

1
0
0 0

[char-misc v4.9.y] mei: bus: type promotion bug in mei_nfc_if_version()

by Tomas Winkler

From: Dan Carpenter <dan.carpenter(a)oracle.com> commit b40b3e9358fbafff6a4ba0f4b9658f6617146f9c upstream We accidentally removed the check for negative returns without considering the issue of type promotion. The "if_version_length" variable is type size_t so if __mei_cl_recv() returns a negative then "bytes_recv" is type promoted to a high positive value and treated as success. Cc: <stable(a)vger.kernel.org> # 4.9 Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Tomas Winkler <tomas.winkler(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/misc/mei/bus-fixup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/bus-fixup.c b/drivers/misc/mei/bus-fixup.c index 75b9d4ac8b1e..371f5f66a9d6 100644 --- a/drivers/misc/mei/bus-fixup.c +++ b/drivers/misc/mei/bus-fixup.c @@ -178,7 +178,7 @@ static int mei_nfc_if_version(struct mei_cl *cl, ret = 0; bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length); - if (bytes_recv < if_version_length) { + if (bytes_recv < 0 || bytes_recv < if_version_length) { dev_err(bus->dev, "Could not read IF version\n"); ret = -EIO; goto err; -- 2.14.4

7 years, 1 month

1
0
0 0

[PATCH 3.16 00/63] 3.16.58-rc1 review

by Ben Hutchings

This is the start of the stable review cycle for the 3.16.58 release. There are 63 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Mon Sep 24 00:15:41 UTC 2018. Anything received after that time might be too late. All the patches have also been committed to the linux-3.16.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below. Ben. ------------- Alexander Potapenko (1): scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() [a45b599ad808c3c982fdcdc12b0b8611c2f92824] Alexey Khoroshilov (1): usbip: fix error handling in stub_probe() [3ff67445750a84de67faaf52c6e1895cb09f2c56] Andy Lutomirski (1): x86/entry/64: Remove %ebx handling from error_entry/exit [b3681dd548d06deb2e1573890829dff4b15abf46] Ben Hutchings (2): Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU" [not upstream; the reverted commit was correct for upstream] x86/fpu: Default eagerfpu if FPU and FXSR are enabled [58122bf1d856a4ea9581d62a07c557d997d46a19] Borislav Petkov (1): x86/cpu/AMD: Fix erratum 1076 (CPB bit) [f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9] Christoph Paasch (1): net: Set sk_prot_creator when cloning sockets to the right proto [9d538fa60bad4f7b23193c89e843797a1cf71ef3] Cong Wang (1): infiniband: fix a possible use-after-free bug [cb2595c1393b4a5211534e6f0a0fbad369e21ad8] Dave Chinner (2): xfs: catch inode allocation state mismatch corruption [ee457001ed6c6f31ddad69c24c1da8f377d8472d] xfs: validate cached inodes are free when allocated [afca6c5b2595fc44383919fba740c194b0b76aff] Eric Sandeen (2): xfs: don't call xfs_da_shrink_inode with NULL bp [bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a] xfs: set format back to extents if xfs_bmap_extents_to_btree [2c4306f719b083d17df2963bc761777576b8ad1b] Ernesto A . Fernández (1): hfsplus: fix NULL dereference in hfsplus_lookup() [a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4] Ingo Molnar (2): x86/fpu: Fix the 'nofxsr' boot parameter to also clear X86_FEATURE_FXSR_OPT [d364a7656c1855c940dfa4baf4ebcc3c6a9e6fd2] x86/speculation: Clean up various Spectre related details [21e433bdb95bdf3aa48226fd3d33af608437f293] Jann Horn (1): USB: yurex: fix out-of-bounds uaccess in read handler [f1e255d60ae66a9f672ff9a207ee6cd8e33d2679] Jason Yan (1): scsi: libsas: defer ata device eh commands to libata [318aaf34f1179b39fa9c30fa0f3288b645beee39] Jens Axboe (1): sr: pass down correctly sized SCSI sense buffer [f7068114d45ec55996b9040e98111afa56e010fe] Jiri Kosina (1): x86/speculation: Protect against userspace-userspace spectreRSB [fdf82a7856b32d905c39afc85e34364491e46346] Kees Cook (5): seccomp: add "seccomp" syscall [48dc92b9fc3926844257316e75ba11eb5c742b2c] seccomp: create internal mode-setting function [d78ab02c2c194257a03355fbb79eb721b381d105] seccomp: extract check/assign mode helpers [1f41b450416e689b9b7c8bfb750a98604f687a9b] seccomp: split mode setting routines [3b23dd12846215eff4afb073366b80c0c4d7543e] video: uvesafb: Fix integer overflow in allocation [9f645bcc566a1e9f921bdae7528a01ced5bc3713] Kyle Huey (2): x86/process: Correct and optimize TIF_BLOCKSTEP switch [b9894a2f5bd18b1691cb6872c9afe32b148d0132] x86/process: Optimize TIF checks in __switch_to_xtra() [af8b3cd3934ec60f4c2a420d19a9d416554f140b] Linus Torvalds (2): Fix up non-directory creation in SGID directories [0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7] mm: get rid of vmacache_flush_all() entirely [7a9cdebdcc17e426fb5287e4a82db1dfe86339b2] Mark Salyzyn (1): Bluetooth: hidp: buffer overflow in hidp_process_report [7992c18810e568b95c869b227137a2215702a805] Mel Gorman (2): futex: Remove requirement for lock_page() in get_futex_key() [65d8fc777f6dcfee12785c057a6b57f679641c90] futex: Remove unnecessary warning from get_futex_key [48fb6f4db940e92cfb16cd878cddd59ea6120d06] Nadav Amit (1): KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR [e37a75a13cdae5deaa2ea2cbf8d55b5dd08638b6] Paolo Bonzini (4): KVM: x86: introduce linear_{read,write}_system [79367a65743975e5cac8d24d08eccc7fdae832b0] KVM: x86: introduce num_emulated_msrs [62ef68bb4d00f1a662e487f3fc44ce8521c416aa] KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system [ce14e868a54edeb2e30cb7a7b104a2fc4b9d76ca] kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access [3c9fa24ca7c9c47605672916491f79e8ccacb9e6] Peter Zijlstra (1): x86/paravirt: Fix spectre-v2 mitigations for paravirt guests [5800dc5c19f34e6e03b5adab1282535cb102fafd] Piotr Luc (1): x86/cpu/intel: Add Knights Mill to Intel family [0047f59834e5947d45f34f5f12eb330d158f700b] Qu Wenruo (1): btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized [389305b2aa68723c754f88d9dbd268a400e10664] Sanjeev Sharma (1): uas: replace WARN_ON_ONCE() with lockdep_assert_held() [ab945eff8396bc3329cc97274320e8d2c6585077] Scott Bauer (1): cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status [8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4] Shankara Pailoor (1): jfs: Fix inconsistency between memory allocation and ea_buf->max_size [92d34134193e5b129dc24f8d79cb9196626e8d7a] Shuah Khan (6): usbip: usbip_host: delete device from busid_table after rebind [1e180f167d4e413afccbbb4a421b48b2de832549] usbip: usbip_host: fix NULL-ptr deref and use-after-free errors [22076557b07c12086eeb16b8ce2b0b735f7a27e7] usbip: usbip_host: fix bad unlock balance during stub_probe() [c171654caa875919be3c533d3518da8be5be966e] usbip: usbip_host: fix to hold parent lock for device_attach() calls [4bfb141bc01312a817d36627cc47c93f801c216d] usbip: usbip_host: refine probe and disconnect debug msgs to be useful [28b68acc4a88dcf91fd1dcf2577371dc9bf574cc] usbip: usbip_host: run rebind from exit when module is removed [7510df3f29d44685bab7b1918b61a8ccd57126a9] Takashi Iwai (1): ALSA: rawmidi: Change resized buffers atomically [39675f7a7c7e7702f7d5341f1e0d01db746543a0] Theodore Ts'o (14): ext4: add corruption check in ext4_xattr_set_entry() [5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d] ext4: add more inode number paranoia checks [c37e9e013469521d9adb932d17a1795c139b36db] ext4: always check block group bounds in ext4_init_block_bitmap() [819b23f1c501b17b9694325471789e6b5cc2d0d2] ext4: always verify the magic number in xattr blocks [513f86d73855ce556ea9522b6bfd79f87356dc3a] ext4: avoid running out of journal credits when appending to an inline file [8bc1379b82b8e809eef77a9fedbb75c6c297be19] ext4: clear i_data in ext4_inode_info when removing inline data [6e8ab72a812396996035a37e5ca4b3b99b5d214b] ext4: don't allow r/w mounts if metadata blocks overlap the superblock [18db4b4e6fc31eda838dd1c1296d67dbcb3dc957] ext4: fix check to prevent initializing reserved inodes [5012284700775a4e6e3fbe7eac4c543c4874b559] ext4: fix false negatives *and* false positives in ext4_check_descriptors() [44de022c4382541cebdd6de4465d1f4f465ff1dd] ext4: make sure bitmaps and the inode table don't overlap with bg descriptors [77260807d1170a8cf35dbb06e07461a655f67eee] ext4: never move the system.data xattr out of the inode body [8cdb5240ec5928b20490a2bb34cb87e9a5f40226] ext4: only look at the bg_flags field if it is valid [8844618d8aa7a9973e7b527d038a2a589665002c] ext4: verify the depth of extent tree in ext4_find_extent() [bc890a60247171294acc0bd67d211fa4b88d40ba] jbd2: don't mark block as modified if the handle is out of credits [e09463f220ca9a1a1ecfda84fcda658f99a1f12a] Makefile | 4 +- arch/Kconfig | 1 + arch/x86/include/asm/intel-family.h | 1 + arch/x86/include/asm/kvm_emulate.h | 6 +- arch/x86/include/uapi/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 13 +++ arch/x86/kernel/cpu/bugs.c | 59 ++++---------- arch/x86/kernel/cpu/common.c | 17 ++-- arch/x86/kernel/entry_64.S | 13 +-- arch/x86/kernel/i387.c | 24 ++++++ arch/x86/kernel/paravirt.c | 14 +++- arch/x86/kernel/process.c | 62 +++++++++------ arch/x86/kernel/xsave.c | 24 +----- arch/x86/kvm/emulate.c | 76 ++++++++++-------- arch/x86/kvm/vmx.c | 20 +++-- arch/x86/kvm/x86.c | 91 ++++++++++++++------- arch/x86/kvm/x86.h | 4 +- arch/x86/syscalls/syscall_32.tbl | 1 + arch/x86/syscalls/syscall_64.tbl | 1 + drivers/cdrom/cdrom.c | 2 +- drivers/infiniband/core/ucma.c | 6 +- drivers/scsi/libsas/sas_scsi_host.c | 33 +++----- drivers/scsi/sg.c | 2 +- drivers/scsi/sr_ioctl.c | 21 ++--- drivers/staging/usbip/stub.h | 2 + drivers/staging/usbip/stub_dev.c | 69 +++++++++------- drivers/staging/usbip/stub_main.c | 100 +++++++++++++++++++++-- drivers/usb/misc/yurex.c | 23 ++---- drivers/usb/storage/uas.c | 8 +- drivers/video/fbdev/uvesafb.c | 3 +- fs/btrfs/relocation.c | 23 +++--- fs/ext4/balloc.c | 21 +++-- fs/ext4/ext4.h | 8 -- fs/ext4/ext4_extents.h | 1 + fs/ext4/extents.c | 6 ++ fs/ext4/ialloc.c | 19 ++++- fs/ext4/inline.c | 39 +-------- fs/ext4/inode.c | 3 +- fs/ext4/mballoc.c | 6 +- fs/ext4/super.c | 41 +++++++++- fs/ext4/xattr.c | 49 ++++++------ fs/hfsplus/dir.c | 4 +- fs/inode.c | 6 ++ fs/jbd2/transaction.c | 2 +- fs/jfs/xattr.c | 10 ++- fs/xfs/xfs_attr_leaf.c | 5 +- fs/xfs/xfs_bmap.c | 2 + fs/xfs/xfs_icache.c | 58 ++++++++++++-- include/linux/mm_types.h | 2 +- include/linux/sched.h | 2 +- include/linux/syscalls.h | 2 + include/linux/vmacache.h | 5 -- include/uapi/asm-generic/unistd.h | 4 +- include/uapi/linux/seccomp.h | 4 + kernel/futex.c | 99 +++++++++++++++++++++-- kernel/seccomp.c | 146 ++++++++++++++++++++++++++++------ kernel/sys_ni.c | 3 + mm/vmacache.c | 36 --------- net/bluetooth/hidp/core.c | 4 +- net/core/sock.c | 2 + net/ipv4/ip_vti.c | 1 + sound/core/rawmidi.c | 20 +++-- 62 files changed, 847 insertions(+), 487 deletions(-) -- Ben Hutchings Any sufficiently advanced bug is indistinguishable from a feature.

7 years, 1 month

4
70
0 0

[PATCH] w1: omap-hdq: fix missing bus unregister at removal

by Andreas Kemnade

The bus master was not removed after unloading the module or unbinding the driver. That lead to oopses like this [ 127.842987] Unable to handle kernel paging request at virtual address bf01d04c [ 127.850646] pgd = 70e3cd9a [ 127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000 [ 127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM [ 127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq] [ 127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12 [ 127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree) [ 127.890441] PC is at 0xbf01d04c [ 127.893798] LR is at w1_search_process_cb+0x4c/0xfc [ 127.898956] pc : [<bf01d04c>] lr : [<c05f9580>] psr: a0070013 [ 127.905609] sp : cf885f48 ip : bf01d04c fp : ddf1e11c [ 127.911132] r10: cf8fe040 r9 : c05f8d00 r8 : cf8fe040 [ 127.916656] r7 : 000000f0 r6 : cf8fe02c r5 : cf8fe000 r4 : cf8fe01c [ 127.923553] r3 : c05f8d00 r2 : 000000f0 r1 : cf8fe000 r0 : dde1ef10 [ 127.930450] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [ 127.938018] Control: 10c5387d Table: 8f8f0019 DAC: 00000051 [ 127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f) [ 127.951171] Stack: (0xcf885f48 to 0xcf886000) [ 127.955810] 5f40: cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00 [ 127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000 [ 127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000 [ 127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000 [ 127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 [ 128.007781] [<c05f9580>] (w1_search_process_cb) from [<c05f9700>] (w1_process+0x6c/0x118) [ 128.016479] [<c05f9700>] (w1_process) from [<c01499a4>] (kthread+0x130/0x148) [ 128.024047] [<c01499a4>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c) [ 128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8) [ 128.037017] 5fa0: 00000000 00000000 00000000 00000000 [ 128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 128.061340] Code: bad PC value [ 128.064697] ---[ end trace af066e33c0e14119 ]--- Cc: <stable(a)vger.kernel.org> Signed-off-by: Andreas Kemnade <andreas(a)kemnade.info> --- drivers/w1/masters/omap_hdq.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/w1/masters/omap_hdq.c b/drivers/w1/masters/omap_hdq.c index 83fc9aab34e8..3099052e1243 100644 --- a/drivers/w1/masters/omap_hdq.c +++ b/drivers/w1/masters/omap_hdq.c @@ -763,6 +763,8 @@ static int omap_hdq_remove(struct platform_device *pdev) /* remove module dependency */ pm_runtime_disable(&pdev->dev); + w1_remove_master_device(&omap_w1_master); + return 0; } -- 2.11.0

7 years, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror