Linux-stable-mirror

linux-stable-mirror@lists.linaro.org

80 participants
123768 discussions

by Greg KH

I'm announcing the release of the 4.9.118 kernel. All users of the 4.9 kernel series must upgrade. The updated 4.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/x86/kvm/vmx.c | 7 +-- drivers/crypto/padlock-aes.c | 8 ++- drivers/gpu/drm/vc4/vc4_plane.c | 3 + drivers/net/bonding/bond_main.c | 14 +++++- drivers/net/can/usb/ems_usb.c | 1 drivers/net/ethernet/amazon/ena/ena_com.c | 1 drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 4 - drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 40 +++++++++++++++++- drivers/net/phy/mdio-mux-bcm-iproc.c | 2 drivers/net/usb/lan78xx.c | 2 drivers/net/xen-netfront.c | 6 ++ drivers/pinctrl/intel/pinctrl-intel.c | 7 ++- drivers/scsi/sg.c | 1 drivers/virtio/virtio_balloon.c | 2 fs/squashfs/block.c | 2 fs/squashfs/fragment.c | 13 ++++- fs/squashfs/squashfs_fs_sb.h | 1 fs/squashfs/super.c | 5 +- include/net/tcp.h | 2 kernel/sched/swait.c | 6 -- net/dsa/slave.c | 6 ++ net/ipv4/fib_frontend.c | 4 - net/ipv4/inet_fragment.c | 10 ++-- net/ipv4/ip_fragment.c | 5 ++ net/ipv4/tcp_bbr.c | 4 + net/ipv4/tcp_dctcp.c | 4 - net/ipv4/tcp_input.c | 48 +++++++++++----------- net/netlink/af_netlink.c | 2 net/socket.c | 2 31 files changed, 155 insertions(+), 61 deletions(-) Andy Shevchenko (1): pinctrl: intel: Read back TX buffer state Anton Vasilyev (2): net: mdio-mux: bcm-iproc: fix wrong getter and setter pair can: ems_usb: Fix memory leak on ems_usb_disconnect() Boqun Feng (1): sched/wait: Remove the lockless swait_active() check in swake_up*() Boris Brezillon (1): drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats Eric Dumazet (7): tcp: do not force quickack when receiving out-of-order packets tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode tcp: do not aggressively quick ack after ECN events tcp: add one more quick ack after after ECN events bonding: avoid lockdep confusion in bond_get_stats() inet: frag: enforce memory limits earlier ipv4: frags: handle possible skb truesize change Eugeniy Paltsev (1): NET: stmmac: align DMA stuff to largest cache line length Florian Fainelli (1): net: dsa: Do not suspend/resume closed slave_dev Gal Pressman (1): net: ena: Fix use of uninitialized DMA address bits field Greg Kroah-Hartman (1): Linux 4.9.118 Herbert Xu (1): crypto: padlock-aes - Fix Nano workaround data corruption Jeremy Cline (2): netlink: Fix spectre v1 gadget in netlink_create() net: socket: fix potential spectre v1 gadget in socketcall Jiang Biao (1): virtio_balloon: fix another race between migration and ballooning Jose Abreu (1): net: stmmac: Fix WoL for PCI-based setups Linus Torvalds (2): squashfs: more metadata hardening squashfs: more metadata hardenings Lorenzo Bianconi (1): ipv4: remove BUG_ON() from fib_compute_spec_dst Neal Cardwell (1): tcp_bbr: fix bw probing to raise in-flight data for very small BDPs Roman Kagan (1): kvm: x86: vmx: fix vpid leak Stefan Wahren (1): net: lan78xx: fix rx handling before first packet is send Tony Battersby (1): scsi: sg: fix minor memory leak in error path Xiao Liang (1): xen-netfront: wait xenbus state change when load module manually Yousuk Seung (1): tcp: refactor tcp_ecn_check_ce to remove sk type cast tangpengpeng (1): net: fix amd-xgbe flow-control issue

7 years, 5 months

Linux 4.14.61

by Greg KH

I'm announcing the release of the 4.14.61 kernel. All users of the 4.14 kernel series must upgrade. The updated 4.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.14.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/x86/entry/entry_64.S | 18 +---- arch/x86/kernel/apic/apic.c | 3 arch/x86/kvm/vmx.c | 7 -- drivers/crypto/padlock-aes.c | 8 +- drivers/gpu/drm/vc4/vc4_plane.c | 3 drivers/infiniband/core/uverbs_cmd.c | 59 +++++++++++++++++- drivers/net/bonding/bond_main.c | 14 +++- drivers/net/can/usb/ems_usb.c | 1 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 4 - drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 40 ++++++++++++ drivers/net/wireless/intel/iwlwifi/cfg/9000.c | 69 ++++++++++++++++++++++ drivers/net/wireless/intel/iwlwifi/iwl-config.h | 5 + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 22 +++++++ drivers/scsi/sg.c | 1 drivers/virtio/virtio_balloon.c | 2 fs/squashfs/block.c | 2 fs/squashfs/fragment.c | 13 ++-- fs/squashfs/squashfs_fs_sb.h | 1 fs/squashfs/super.c | 5 - fs/userfaultfd.c | 4 - kernel/auditsc.c | 13 ++-- net/dsa/slave.c | 6 + net/ipv4/inet_fragment.c | 10 +-- net/ipv4/ip_fragment.c | 5 + net/netlink/af_netlink.c | 2 net/rxrpc/call_accept.c | 4 - net/socket.c | 2 28 files changed, 275 insertions(+), 50 deletions(-) Andy Lutomirski (1): x86/entry/64: Remove %ebx handling from error_entry/exit Anton Vasilyev (1): can: ems_usb: Fix memory leak on ems_usb_disconnect() Boris Brezillon (1): drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats Eli Cohen (1): net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager Emmanuel Grumbach (1): iwlwifi: add more card IDs for 9000 series Eric Dumazet (3): bonding: avoid lockdep confusion in bond_get_stats() inet: frag: enforce memory limits earlier ipv4: frags: handle possible skb truesize change Florian Fainelli (1): net: dsa: Do not suspend/resume closed slave_dev Greg Kroah-Hartman (1): Linux 4.14.61 Herbert Xu (1): crypto: padlock-aes - Fix Nano workaround data corruption Jack Morgenstein (1): RDMA/uverbs: Expand primary and alt AV port checks Jeremy Cline (2): netlink: Fix spectre v1 gadget in netlink_create() net: socket: fix potential spectre v1 gadget in socketcall Jiang Biao (1): virtio_balloon: fix another race between migration and ballooning Jose Abreu (1): net: stmmac: Fix WoL for PCI-based setups Len Brown (1): x86/apic: Future-proof the TSC_DEADLINE quirk for SKX Linus Torvalds (2): squashfs: more metadata hardening squashfs: more metadata hardenings Mike Rapoport (1): userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails Roman Kagan (1): kvm: x86: vmx: fix vpid leak Tony Battersby (1): scsi: sg: fix minor memory leak in error path Yi Wang (1): audit: fix potential null dereference 'context->module.name' YueHaibing (1): rxrpc: Fix user call ID check in rxrpc_service_prealloc_one

7 years, 5 months

Linux 4.17.13

by Greg KH

I'm announcing the release of the 4.17.13 kernel. All users of the 4.17 kernel series must upgrade. The updated 4.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.17.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/x86/entry/entry_64.S | 18 ---- arch/x86/kernel/apic/apic.c | 3 arch/x86/kvm/vmx.c | 7 - arch/x86/platform/efi/efi_64.c | 2 drivers/crypto/padlock-aes.c | 8 + drivers/gpu/drm/drm_atomic_helper.c | 8 + drivers/gpu/drm/vc4/vc4_plane.c | 3 drivers/infiniband/core/uverbs_cmd.c | 59 ++++++++++++- drivers/net/bonding/bond_main.c | 14 ++- drivers/net/can/usb/ems_usb.c | 1 drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 2 drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 4 drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 4 drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 40 ++++++++- drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 3 drivers/net/wireless/intel/iwlwifi/cfg/9000.c | 69 ++++++++++++++++ drivers/net/wireless/intel/iwlwifi/iwl-config.h | 5 + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 22 +++++ drivers/scsi/sg.c | 1 drivers/virtio/virtio_balloon.c | 2 fs/squashfs/block.c | 2 fs/squashfs/fragment.c | 13 ++- fs/squashfs/squashfs_fs_sb.h | 1 fs/squashfs/super.c | 5 - fs/userfaultfd.c | 4 ipc/shm.c | 12 ++ kernel/auditsc.c | 13 ++- mm/hugetlb.c | 7 + net/dsa/slave.c | 6 + net/ipv4/inet_fragment.c | 6 - net/ipv4/ip_fragment.c | 5 + net/netlink/af_netlink.c | 2 net/rxrpc/call_accept.c | 4 net/socket.c | 5 - 35 files changed, 308 insertions(+), 54 deletions(-) Andy Lutomirski (1): x86/entry/64: Remove %ebx handling from error_entry/exit Anton Vasilyev (1): can: ems_usb: Fix memory leak on ems_usb_disconnect() Boris Brezillon (3): drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats drm/atomic: Check old_plane_state->crtc in drm_atomic_helper_async_check() drm/atomic: Initialize variables in drm_atomic_helper_async_check() to make gcc happy Brijesh Singh (1): x86/efi: Access EFI MMIO data as unencrypted when SEV is active Eli Cohen (1): net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager Emmanuel Grumbach (1): iwlwifi: add more card IDs for 9000 series Eric Dumazet (3): bonding: avoid lockdep confusion in bond_get_stats() inet: frag: enforce memory limits earlier ipv4: frags: handle possible skb truesize change Feras Daoud (1): net/mlx5e: IPoIB, Set the netdevice sw mtu in ipoib enhanced flow Florian Fainelli (1): net: dsa: Do not suspend/resume closed slave_dev Greg Kroah-Hartman (1): Linux 4.17.13 Herbert Xu (1): crypto: padlock-aes - Fix Nano workaround data corruption Jack Morgenstein (1): RDMA/uverbs: Expand primary and alt AV port checks Jane Chu (1): ipc/shm.c add ->pagesize function to shm_vm_ops Jeremy Cline (3): netlink: Fix spectre v1 gadget in netlink_create() net: socket: fix potential spectre v1 gadget in socketcall net: socket: Fix potential spectre v1 gadget in sock_is_registered Jiang Biao (1): virtio_balloon: fix another race between migration and ballooning Jose Abreu (1): net: stmmac: Fix WoL for PCI-based setups Len Brown (1): x86/apic: Future-proof the TSC_DEADLINE quirk for SKX Linus Torvalds (2): squashfs: more metadata hardening squashfs: more metadata hardenings Mike Rapoport (1): userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails Or Gerlitz (1): net/mlx5e: Set port trust mode to PCP as default Rafał Miłecki (1): brcmfmac: fix regression in parsing NVRAM for multiple devices Roman Kagan (1): kvm: x86: vmx: fix vpid leak Tony Battersby (1): scsi: sg: fix minor memory leak in error path Yi Wang (1): audit: fix potential null dereference 'context->module.name' YueHaibing (1): rxrpc: Fix user call ID check in rxrpc_service_prealloc_one

7 years, 5 months

we do the editing

by Jason James

Want to follow up the email sent last week. Do you have needs for photo editing? We can edit 400 images within 24 hours. We are working on all kinds of ecommerce photos, jewelry photos, and the portrait images. We do cutting out and clipping path and others, and also we provide retouching for your photos, You can throw us a photo and we will do testing for you to check our quality. Thanks, Jason

7 years, 5 months

[char-misc-next] mei: ignore not found client in the enumeration

by Tomas Winkler

From: Alexander Usyskin <alexander.usyskin(a)intel.com> Some of the ME clients are available only for BIOS operation and are removed during hand off to an OS. However the removal is not instant. A client may be visible on the client list when the mei driver requests for enumeration, while the subsequent request for properties will be answered with client not found error value. The default behavior for an error is to perform client reset while this error is harmless and the link reset should be prevented. This issue started to be visible due to suspend/resume timing changes. Currently reported only on the Haswell based system. Fixes: [33.564957] mei_me 0000:00:16.0: hbm: properties response: wrong status = 1 CLIENT_NOT_FOUND [33.564978] mei_me 0000:00:16.0: mei_irq_read_handler ret = -71. [33.565270] mei_me 0000:00:16.0: unexpected reset: dev_state = INIT_CLIENTS fw status = 1E000255 60002306 00000200 00004401 00000000 00000010 Cc: <stable(a)vger.kernel.org> Reported-by: Heiner Kallweit <hkallweit1(a)gmail.com> Signed-off-by: Alexander Usyskin <alexander.usyskin(a)intel.com> Signed-off-by: Tomas Winkler <tomas.winkler(a)intel.com> --- drivers/misc/mei/hbm.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/misc/mei/hbm.c b/drivers/misc/mei/hbm.c index f15d44bda28e..fa0f8e91e86f 100644 --- a/drivers/misc/mei/hbm.c +++ b/drivers/misc/mei/hbm.c @@ -1244,15 +1244,18 @@ int mei_hbm_dispatch(struct mei_device *dev, struct mei_msg_hdr *hdr) props_res = (struct hbm_props_response *)mei_msg; - if (props_res->status) { + if (props_res->status == MEI_HBMS_CLIENT_NOT_FOUND) { + dev_dbg(dev->dev, "hbm: properties response: %d CLIENT_NOT_FOUND\n", + props_res->me_addr); + } else if (props_res->status) { dev_err(dev->dev, "hbm: properties response: wrong status = %d %s\n", props_res->status, mei_hbm_status_str(props_res->status)); return -EPROTO; + } else { + mei_hbm_me_cl_add(dev, props_res); } - mei_hbm_me_cl_add(dev, props_res); - /* request property for the next client */ if (mei_hbm_prop_req(dev, props_res->me_addr + 1)) return -EIO; -- 2.14.4

7 years, 5 months

[PATCH] ARC: AXS10x/HSDK: Allow U-Boot to pass MAC-address to the kernel

by Alexey Brodkin

Otherwise kernel uses random MAC which is not very conveniet. With that change in place use might set desired MAC in U-Boot with "setenv ethaddr 11:22:33:44:55:66", save environment and then from boot to boot the same MAC will be used by the kernel. One other note for this to happen it's required to pass board's .dtb in U-Boot's "bootm" command like that: ------------------->8----------------- bootm 0x82000000 - 0x84000000 ------------------->8----------------- Here 0x82000000 is location of uImage while 0x80000000 is location of either axs10x.dtb or hsdk.dtb previously loaded from SD-card, USB storage or TFTP server. Signed-off-by: Alexey Brodkin <abrodkin(a)synopsys.com> Cc: Rob Herring <robh+dt(a)kernel.org> Cc: stable(a)vger.kernel.org # 4.14 Cc: devicetree(a)vger.kernel.org --- arch/arc/boot/dts/axs10x_mb.dtsi | 7 ++++++- arch/arc/boot/dts/hsdk.dts | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/arch/arc/boot/dts/axs10x_mb.dtsi b/arch/arc/boot/dts/axs10x_mb.dtsi index 47b74fbc403c..37bafd44e36d 100644 --- a/arch/arc/boot/dts/axs10x_mb.dtsi +++ b/arch/arc/boot/dts/axs10x_mb.dtsi @@ -9,6 +9,10 @@ */ / { + aliases { + ethernet = &gmac; + }; + axs10x_mb { compatible = "simple-bus"; #address-cells = <1>; @@ -68,7 +72,7 @@ }; }; - ethernet@0x18000 { + gmac: ethernet@0x18000 { #interrupt-cells = <1>; compatible = "snps,dwmac"; reg = < 0x18000 0x2000 >; @@ -81,6 +85,7 @@ max-speed = <100>; resets = <&creg_rst 5>; reset-names = "stmmaceth"; + mac-address = [00 00 00 00 00 00]; /* Filled in by U-Boot */ }; ehci@0x40000 { diff --git a/arch/arc/boot/dts/hsdk.dts b/arch/arc/boot/dts/hsdk.dts index 006aa3de5348..d00f283094d3 100644 --- a/arch/arc/boot/dts/hsdk.dts +++ b/arch/arc/boot/dts/hsdk.dts @@ -25,6 +25,10 @@ bootargs = "earlycon=uart8250,mmio32,0xf0005000,115200n8 console=ttyS0,115200n8 debug print-fatal-signals=1"; }; + aliases { + ethernet = &gmac; + }; + cpus { #address-cells = <1>; #size-cells = <0>; @@ -163,7 +167,7 @@ #clock-cells = <0>; }; - ethernet@8000 { + gmac: ethernet@8000 { #interrupt-cells = <1>; compatible = "snps,dwmac"; reg = <0x8000 0x2000>; @@ -176,6 +180,7 @@ phy-handle = <&phy0>; resets = <&cgu_rst HSDK_ETH_RESET>; reset-names = "stmmaceth"; + mac-address = [00 00 00 00 00 00]; /* Filled in by U-Boot */ mdio { #address-cells = <1>; -- 2.17.1

7 years, 5 months

[PATCH] x86/irqflags: provide a declaration for native_save_fl

by Nick Desaulniers

Fixes commit d0a8d9378d16 ("x86/paravirt: Make native_save_fl() extern inline"). It was reported that the above commit was causing users of gcc < 4.9 to observe -Werror=missing-prototypes errors. Indeed, it seems that: extern inline unsigned long native_save_fl(void) { return 0; } compiled with -Werror=missing-prototypes produces this warning in gcc < 4.9, but not gcc >= 4.9. Cc: stable(a)vger.kernel.org # 4.17, 4.14, 4.9, 4.4 Reported-by: David Laight <david.laight(a)aculab.com> Reported-by: Jean Delvare <jdelvare(a)suse.de> Signed-off-by: Nick Desaulniers <ndesaulniers(a)google.com> --- arch/x86/include/asm/irqflags.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h index c4fc17220df9..c14f2a74b2be 100644 --- a/arch/x86/include/asm/irqflags.h +++ b/arch/x86/include/asm/irqflags.h @@ -13,6 +13,8 @@ * Interrupt control: */ +/* Declaration required for gcc < 4.9 to prevent -Werror=missing-prototypes */ +extern inline unsigned long native_save_fl(void); extern inline unsigned long native_save_fl(void) { unsigned long flags; -- 2.18.0.597.ga71716f1ad-goog

7 years, 5 months

Dear Beneficiary, FINAL NOTICE..28

by Paul

Attention: stable(a)vger.kernel.org, FINAL NOTICE We have been instructed to arrange your funds/payment via Online Banking & Loaded ATM Cards delivery to you. Your response very urgent for more details! Sincerely yours, Eddie. P.

7 years, 5 months

[PATCH RT 03/22] futex: Avoid violating the 10th rule of futex

by Julia Cartwright

From: Peter Zijlstra <peterz(a)infradead.org> 4.9.115-rt94-rc1 stable review patch. If you have any objection to the inclusion of this patch, let me know. --- 8< --- 8< --- 8< --- [ Upstream commit c1e2f0eaf015fb7076d51a339011f2383e6dd389 ] Julia reported futex state corruption in the following scenario: waiter waker stealer (prio > waiter) futex(WAIT_REQUEUE_PI, uaddr, uaddr2, timeout=[N ms]) futex_wait_requeue_pi() futex_wait_queue_me() freezable_schedule() <scheduled out> futex(LOCK_PI, uaddr2) futex(CMP_REQUEUE_PI, uaddr, uaddr2, 1, 0) /* requeues waiter to uaddr2 */ futex(UNLOCK_PI, uaddr2) wake_futex_pi() cmp_futex_value_locked(uaddr2, waiter) wake_up_q() <woken by waker> <hrtimer_wakeup() fires, clears sleeper->task> futex(LOCK_PI, uaddr2) __rt_mutex_start_proxy_lock() try_to_take_rt_mutex() /* steals lock */ rt_mutex_set_owner(lock, stealer) <preempted> <scheduled in> rt_mutex_wait_proxy_lock() __rt_mutex_slowlock() try_to_take_rt_mutex() /* fails, lock held by stealer */ if (timeout && !timeout->task) return -ETIMEDOUT; fixup_owner() /* lock wasn't acquired, so, fixup_pi_state_owner skipped */ return -ETIMEDOUT; /* At this point, we've returned -ETIMEDOUT to userspace, but the * futex word shows waiter to be the owner, and the pi_mutex has * stealer as the owner */ futex_lock(LOCK_PI, uaddr2) -> bails with EDEADLK, futex word says we're owner. And suggested that what commit: 73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state") removes from fixup_owner() looks to be just what is needed. And indeed it is -- I completely missed that requeue_pi could also result in this case. So we need to restore that, except that subsequent patches, like commit: 16ffa12d7425 ("futex: Pull rt_mutex_futex_unlock() out from under hb->lock") changed all the locking rules. Even without that, the sequence: - if (rt_mutex_futex_trylock(&q->pi_state->pi_mutex)) { - locked = 1; - goto out; - } - raw_spin_lock_irq(&q->pi_state->pi_mutex.wait_lock); - owner = rt_mutex_owner(&q->pi_state->pi_mutex); - if (!owner) - owner = rt_mutex_next_owner(&q->pi_state->pi_mutex); - raw_spin_unlock_irq(&q->pi_state->pi_mutex.wait_lock); - ret = fixup_pi_state_owner(uaddr, q, owner); already suggests there were races; otherwise we'd never have to look at next_owner. So instead of doing 3 consecutive wait_lock sections with who knows what races, we do it all in a single section. Additionally, the usage of pi_state->owner in fixup_owner() was only safe because only the rt_mutex owner would modify it, which this additional case wrecks. Luckily the values can only change away and not to the value we're testing, this means we can do a speculative test and double check once we have the wait_lock. Fixes: 73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state") Reported-by: Julia Cartwright <julia(a)ni.com> Reported-by: Gratian Crisan <gratian.crisan(a)ni.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Tested-by: Julia Cartwright <julia(a)ni.com> Tested-by: Gratian Crisan <gratian.crisan(a)ni.com> Cc: Darren Hart <dvhart(a)infradead.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20171208124939.7livp7no2ov65rrc@hirez.programming… Signed-off-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Signed-off-by: Julia Cartwright <julia(a)ni.com> --- kernel/futex.c | 83 ++++++++++++++++++++++++++------- kernel/locking/rtmutex.c | 26 ++++++++--- kernel/locking/rtmutex_common.h | 1 + 3 files changed, 87 insertions(+), 23 deletions(-) diff --git a/kernel/futex.c b/kernel/futex.c index 270148be5647..cdd68ba6e3a6 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -2287,21 +2287,17 @@ static void unqueue_me_pi(struct futex_q *q) spin_unlock(q->lock_ptr); } -/* - * Fixup the pi_state owner with the new owner. - * - * Must be called with hash bucket lock held and mm->sem held for non - * private futexes. - */ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, - struct task_struct *newowner) + struct task_struct *argowner) { - u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS; struct futex_pi_state *pi_state = q->pi_state; u32 uval, uninitialized_var(curval), newval; - struct task_struct *oldowner; + struct task_struct *oldowner, *newowner; + u32 newtid; int ret; + lockdep_assert_held(q->lock_ptr); + raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); oldowner = pi_state->owner; @@ -2310,11 +2306,17 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, newtid |= FUTEX_OWNER_DIED; /* - * We are here either because we stole the rtmutex from the - * previous highest priority waiter or we are the highest priority - * waiter but have failed to get the rtmutex the first time. + * We are here because either: + * + * - we stole the lock and pi_state->owner needs updating to reflect + * that (@argowner == current), * - * We have to replace the newowner TID in the user space variable. + * or: + * + * - someone stole our lock and we need to fix things to point to the + * new owner (@argowner == NULL). + * + * Either way, we have to replace the TID in the user space variable. * This must be atomic as we have to preserve the owner died bit here. * * Note: We write the user space value _before_ changing the pi_state @@ -2327,6 +2329,42 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q, * in the PID check in lookup_pi_state. */ retry: + if (!argowner) { + if (oldowner != current) { + /* + * We raced against a concurrent self; things are + * already fixed up. Nothing to do. + */ + ret = 0; + goto out_unlock; + } + + if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) { + /* We got the lock after all, nothing to fix. */ + ret = 0; + goto out_unlock; + } + + /* + * Since we just failed the trylock; there must be an owner. + */ + newowner = rt_mutex_owner(&pi_state->pi_mutex); + BUG_ON(!newowner); + } else { + WARN_ON_ONCE(argowner != current); + if (oldowner == current) { + /* + * We raced against a concurrent self; things are + * already fixed up. Nothing to do. + */ + ret = 0; + goto out_unlock; + } + newowner = argowner; + } + + newtid = task_pid_vnr(newowner) | FUTEX_WAITERS; + if (get_futex_value_locked(&uval, uaddr)) goto handle_fault; @@ -2427,15 +2465,28 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked) * Got the lock. We might not be the anticipated owner if we * did a lock-steal - fix up the PI-state in that case: * - * We can safely read pi_state->owner without holding wait_lock - * because we now own the rt_mutex, only the owner will attempt - * to change it. + * Speculative pi_state->owner read (we don't hold wait_lock); + * since we own the lock pi_state->owner == current is the + * stable state, anything else needs more attention. */ if (q->pi_state->owner != current) ret = fixup_pi_state_owner(uaddr, q, current); goto out; } + /* + * If we didn't get the lock; check if anybody stole it from us. In + * that case, we need to fix up the uval to point to them instead of + * us, otherwise bad things happen. [10] + * + * Another speculative read; pi_state->owner == current is unstable + * but needs our attention. + */ + if (q->pi_state->owner == current) { + ret = fixup_pi_state_owner(uaddr, q, NULL); + goto out; + } + /* * Paranoia check. If we did not take the lock, then we should not be * the owner of the rt_mutex. diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c index 3a8b5d44aaf8..57361d631749 100644 --- a/kernel/locking/rtmutex.c +++ b/kernel/locking/rtmutex.c @@ -1849,6 +1849,19 @@ rt_mutex_slowlock(struct rt_mutex *lock, int state, return ret; } +static inline int __rt_mutex_slowtrylock(struct rt_mutex *lock) +{ + int ret = try_to_take_rt_mutex(lock, current, NULL); + + /* + * try_to_take_rt_mutex() sets the lock waiters bit + * unconditionally. Clean this up. + */ + fixup_rt_mutex_waiters(lock); + + return ret; +} + /* * Slow path try-lock function: */ @@ -1871,13 +1884,7 @@ static inline int rt_mutex_slowtrylock(struct rt_mutex *lock) */ raw_spin_lock_irqsave(&lock->wait_lock, flags); - ret = try_to_take_rt_mutex(lock, current, NULL); - - /* - * try_to_take_rt_mutex() sets the lock waiters bit - * unconditionally. Clean this up. - */ - fixup_rt_mutex_waiters(lock); + ret = __rt_mutex_slowtrylock(lock); raw_spin_unlock_irqrestore(&lock->wait_lock, flags); @@ -2102,6 +2109,11 @@ int __sched rt_mutex_futex_trylock(struct rt_mutex *lock) return rt_mutex_slowtrylock(lock); } +int __sched __rt_mutex_futex_trylock(struct rt_mutex *lock) +{ + return __rt_mutex_slowtrylock(lock); +} + /** * rt_mutex_timed_lock - lock a rt_mutex interruptible * the timeout structure is provided diff --git a/kernel/locking/rtmutex_common.h b/kernel/locking/rtmutex_common.h index 64d89d780059..50c0a1043556 100644 --- a/kernel/locking/rtmutex_common.h +++ b/kernel/locking/rtmutex_common.h @@ -122,6 +122,7 @@ extern bool rt_mutex_cleanup_proxy_lock(struct rt_mutex *lock, struct rt_mutex_waiter *waiter); extern int rt_mutex_futex_trylock(struct rt_mutex *l); +extern int __rt_mutex_futex_trylock(struct rt_mutex *l); extern void rt_mutex_futex_unlock(struct rt_mutex *lock); extern bool __rt_mutex_futex_unlock(struct rt_mutex *lock, -- 2.18.0

7 years, 5 months

[PATCH RT 02/22] futex: Fix more put_pi_state() vs. exit_pi_state_list() races

by Julia Cartwright

From: Peter Zijlstra <peterz(a)infradead.org> 4.9.115-rt94-rc1 stable review patch. If you have any objection to the inclusion of this patch, let me know. --- 8< --- 8< --- 8< --- [ Upstream commit 51d00899f7e6ded15c89cb4e2cb11a35283bac81 ] Dmitry (through syzbot) reported being able to trigger the WARN in get_pi_state() and a use-after-free on: raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); Both are due to this race: exit_pi_state_list() put_pi_state() lock(&curr->pi_lock) while() { pi_state = list_first_entry(head); hb = hash_futex(&pi_state->key); unlock(&curr->pi_lock); dec_and_test(&pi_state->refcount); lock(&hb->lock) lock(&pi_state->pi_mutex.wait_lock) // uaf if pi_state free'd lock(&curr->pi_lock); .... unlock(&curr->pi_lock); get_pi_state(); // WARN; refcount==0 The problem is we take the reference count too late, and don't allow it being 0. Fix it by using inc_not_zero() and simply retrying the loop when we fail to get a refcount. In that case put_pi_state() should remove the entry from the list. Reported-by: Dmitry Vyukov <dvyukov(a)google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Reviewed-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: Gratian Crisan <gratian.crisan(a)ni.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: dvhart(a)infradead.org Cc: syzbot <bot+2af19c9e1ffe4d4ee1d16c56ae7580feaee75765(a)syzkaller.appspotmail.com> Cc: syzkaller-bugs(a)googlegroups.com Cc: <stable(a)vger.kernel.org> Fixes: c74aef2d06a9 ("futex: Fix pi_state->owner serialization") Link: http://lkml.kernel.org/r/20171031101853.xpfh72y643kdfhjs@hirez.programming.… Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Signed-off-by: Julia Cartwright <julia(a)ni.com> --- kernel/futex.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/kernel/futex.c b/kernel/futex.c index 47e42faad6c5..270148be5647 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -899,11 +899,27 @@ void exit_pi_state_list(struct task_struct *curr) */ raw_spin_lock_irq(&curr->pi_lock); while (!list_empty(head)) { - next = head->next; pi_state = list_entry(next, struct futex_pi_state, list); key = pi_state->key; hb = hash_futex(&key); + + /* + * We can race against put_pi_state() removing itself from the + * list (a waiter going away). put_pi_state() will first + * decrement the reference count and then modify the list, so + * its possible to see the list entry but fail this reference + * acquire. + * + * In that case; drop the locks to let put_pi_state() make + * progress and retry the loop. + */ + if (!atomic_inc_not_zero(&pi_state->refcount)) { + raw_spin_unlock_irq(&curr->pi_lock); + cpu_relax(); + raw_spin_lock_irq(&curr->pi_lock); + continue; + } raw_spin_unlock_irq(&curr->pi_lock); spin_lock(&hb->lock); @@ -914,10 +930,12 @@ void exit_pi_state_list(struct task_struct *curr) * task still owns the PI-state: */ if (head->next != next) { + /* retain curr->pi_lock for the loop invariant */ raw_spin_unlock(&curr->pi_lock); raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); spin_unlock(&hb->lock); raw_spin_lock_irq(&curr->pi_lock); + put_pi_state(pi_state); continue; } @@ -925,9 +943,8 @@ void exit_pi_state_list(struct task_struct *curr) WARN_ON(list_empty(&pi_state->list)); list_del_init(&pi_state->list); pi_state->owner = NULL; - raw_spin_unlock(&curr->pi_lock); - get_pi_state(pi_state); + raw_spin_unlock(&curr->pi_lock); raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); spin_unlock(&hb->lock); -- 2.18.0

7 years, 5 months

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror