- Linux-stable-mirror - lists.linaro.org

[PATCH 4.14.y] netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()

by Florian Westphal

From: Taehee Yoo <ap420073(a)gmail.com> commit 360cc79d9d299ce297b205508276285ceffc5fa8 upstream. The table field in nft_obj_filter is not an array. In order to check tablename, we should check if the pointer is set. Test commands: %nft add table ip filter %nft add counter ip filter ct1 %nft reset counters Splat looks like: [ 306.510504] kasan: CONFIG_KASAN_INLINE enabled [ 306.516184] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 306.524775] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI [ 306.528284] Modules linked in: nft_objref nft_counter nf_tables nfnetlink ip_tables x_tables [ 306.528284] CPU: 0 PID: 1488 Comm: nft Not tainted 4.17.0-rc4+ #17 [ 306.528284] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015 [ 306.528284] RIP: 0010:nf_tables_dump_obj+0x52c/0xa70 [nf_tables] [ 306.528284] RSP: 0018:ffff8800b6cb7520 EFLAGS: 00010246 [ 306.528284] RAX: 0000000000000000 RBX: ffff8800b6c49820 RCX: 0000000000000000 [ 306.528284] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffed0016d96e9a [ 306.528284] RBP: ffff8800b6cb75c0 R08: ffffed00236fce7c R09: ffffed00236fce7b [ 306.528284] R10: ffffffff9f6241e8 R11: ffffed00236fce7c R12: ffff880111365108 [ 306.528284] R13: 0000000000000000 R14: ffff8800b6c49860 R15: ffff8800b6c49860 [ 306.528284] FS: 00007f838b007700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000 [ 306.528284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 306.528284] CR2: 00007ffeafabcf78 CR3: 00000000b6cbe000 CR4: 00000000001006f0 [ 306.528284] Call Trace: [ 306.528284] netlink_dump+0x470/0xa20 [ 306.528284] __netlink_dump_start+0x5ae/0x690 [ 306.528284] ? nf_tables_getobj+0x1b3/0x740 [nf_tables] [ 306.528284] nf_tables_getobj+0x2f5/0x740 [nf_tables] [ 306.528284] ? nft_obj_notify+0x100/0x100 [nf_tables] [ 306.528284] ? nf_tables_getobj+0x740/0x740 [nf_tables] [ 306.528284] ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables] [ 306.528284] ? nft_obj_notify+0x100/0x100 [nf_tables] [ 306.528284] nfnetlink_rcv_msg+0x8ff/0x932 [nfnetlink] [ 306.528284] ? nfnetlink_rcv_msg+0x216/0x932 [nfnetlink] [ 306.528284] netlink_rcv_skb+0x1c9/0x2f0 [ 306.528284] ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink] [ 306.528284] ? debug_check_no_locks_freed+0x270/0x270 [ 306.528284] ? netlink_ack+0x7a0/0x7a0 [ 306.528284] ? ns_capable_common+0x6e/0x110 [ ... ] Fixes: e46abbcc05aa8 ("netfilter: nf_tables: Allow table names of up to 255 chars") Signed-off-by: Taehee Yoo <ap420073(a)gmail.com> Acked-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Florian Westphal <fw(a)strlen.de> --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 60936bca3181..85b549e84104 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4614,7 +4614,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) if (idx > s_idx) memset(&cb->args[1], 0, sizeof(cb->args) - sizeof(cb->args[0])); - if (filter && filter->table[0] && + if (filter && filter->table && strcmp(filter->table, table->name)) goto cont; if (filter && -- 2.16.4

7 years, 5 months

2
1
0 0

Re: [PATCHES] Networking

by Jiri Slaby

On 09/15/2017, 06:57 AM, David Miller wrote: > Please queue up the following networking bug fixes for v4.9, v4.12, and > v4.13 -stable, respectively. Hi, while walking through some fixes, I wonder, whether backports of 25cc72a33835 (mlxsw: spectrum: Forbid linking to devices that have uppers) to 4.9 and 4.12 are correct. Part of the original commit: --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c @@ -4139,6 +4139,8 @@ static int mlxsw_sp_netdevice_port_upper_event(struct net_device *lower_dev, return -EINVAL; if (!info->linking) break; + if (netdev_has_any_upper_dev(upper_dev)) + return -EINVAL; if (netif_is_lag_master(upper_dev) && !mlxsw_sp_master_lag_check(mlxsw_sp, upper_dev, info->upper_info)) @@ -4258,6 +4260,10 @@ static int mlxsw_sp_netdevice_port_vlan_event(struct net_device *vlan_dev, upper_dev = info->upper_dev; if (!netif_is_bridge_master(upper_dev)) return -EINVAL; + if (!info->linking) + break; + if (netdev_has_any_upper_dev(upper_dev)) + return -EINVAL; break; case NETDEV_CHANGEUPPER: upper_dev = info->upper_dev; It changes mlxsw_sp_netdevice_port_upper_event and mlxsw_sp_netdevice_port_vlan_event. 4.9 backport (73ee5a73e75): --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c @@ -4172,6 +4172,8 @@ static int mlxsw_sp_netdevice_port_upper_event(struct net_device *dev, return -EINVAL; if (!info->linking) break; + if (netdev_has_any_upper_dev(upper_dev)) + return -EINVAL; /* HW limitation forbids to put ports to multiple bridges. */ if (netif_is_bridge_master(upper_dev) && !mlxsw_sp_master_bridge_check(mlxsw_sp, upper_dev)) @@ -4185,6 +4187,10 @@ static int mlxsw_sp_netdevice_port_upper_event(struct net_device *dev, if (netif_is_lag_port(dev) && is_vlan_dev(upper_dev) && !netif_is_lag_master(vlan_dev_real_dev(upper_dev))) return -EINVAL; + if (!info->linking) + break; + if (netdev_has_any_upper_dev(upper_dev)) + return -EINVAL; break; case NETDEV_CHANGEUPPER: upper_dev = info->upper_dev; It changes mlxsw_sp_netdevice_port_upper_event *twice* instead of mlxsw_sp_netdevice_port_vlan_event, which was named mlxsw_sp_netdevice_vport_event in 4.9 yet. 4.12 backport (2f4232ba8001): --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c @@ -4110,6 +4110,8 @@ static int mlxsw_sp_netdevice_port_upper_event(struct net_device *dev, return -EINVAL; if (!info->linking) break; + if (netdev_has_any_upper_dev(upper_dev)) + return -EINVAL; /* HW limitation forbids to put ports to multiple bridges. */ if (netif_is_bridge_master(upper_dev) && !mlxsw_sp_master_bridge_check(mlxsw_sp, upper_dev)) @@ -4274,6 +4276,10 @@ static int mlxsw_sp_netdevice_bridge_event(struct net_device *br_dev, if (is_vlan_dev(upper_dev) && br_dev != mlxsw_sp->master_bridge.dev) return -EINVAL; + if (!info->linking) + break; + if (netdev_has_any_upper_dev(upper_dev)) + return -EINVAL; break; case NETDEV_CHANGEUPPER: upper_dev = info->upper_dev; It changes mlxsw_sp_netdevice_port_upper_event (OK) and mlxsw_sp_netdevice_bridge_event (not OK) instead of mlxsw_sp_netdevice_vport_event. Did I miss something or is this a mistake? thanks, -- js suse labs

7 years, 5 months

3
5
0 0

netfilter stable requests for 4.14, 4.16

by Florian Westphal

Hello, Here is a list of netfilter bug fixes that I'd like to see in 4.16 and 4.14. I've cherry-picked these and with one exception (noted below) all pick cleanly. Patches are listed in top-down order. For v4.16.y and v4.14.y: b8e9dc1c75714ceb53615743e1036f76e00f5a17 ("netfilter: nf_tables: nft_compat: fix refcount leak on xt module") 8bdf164744b2c7f63561846c01cff3db597f282d ("netfilter: nft_compat: prepare for indirect info storage") Necessary to make the fix (next patch below) apply. 732a8049f365f514d0607e03938491bf6cb0d620 ("netfilter: nft_compat: fix handling of large matchinfo size") Without it, some iptables -A will fail when using iptables via nfnetlink (notably the cgroup match). 009240940e84c1c089af88b454f7e804a4c5bd1b ("netfilter: nf_tables: don't assume chain stats are set when jumplabel is set") Fixes null-ptr deref. bb7b40aecbf778c0c83a5bd62b0f03ca9f49a618 ("netfilter: nf_tables: bogus EBUSY in chain deletions") Fixes erroneous reject of some valid rulesets. 97a0549b15a0b466c47f6a0143a490a082c64b4e ("netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval") This fixes a bug where 'nft ... meta nftrace set 0' may set a nonzero value instead. ad9d9e85072b668731f356be0a3750a3ba22a607 ("netfilter: nf_tables: disable preemption in nft_update_chain_stats()") 360cc79d9d299ce297b205508276285ceffc5fa8 ("netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()"), bug added in v4.14-rc1 Applies cleanly to 4.16 but in 4.14 tjis fails as the 2nd location that is patched (nf_tables_dump_flowtable) doesn't exist. So in 4.14 this is a one-line change: - if (filter && filter->table[0] && + if (filter && filter->table && bbb8c61f97e3a2dd91b30d3e57b7964a67569d11 ("netfilter: nf_tables: increase nft_counters_enabled in nft_chain_stats_replace()" This fixes underflow of the static_key used for the base chain counters. f0dfd7a2b35b02030949100247d851b793cb275f ("netfilter: nf_tables: fix memory leak on error exit return"), since 4.12 additional change for v4.14.y (its already in 4.16): 467697d289e7e6e1b15910d99096c0da08c56d5b ("netfilter: nf_tables: add missing netlink attrs to policies") If you'd like me to handle such larger requests differently please let me know your preferenced way to handle this. Thanks, Florian

7 years, 5 months

2
2
0 0

[PATCH 4.4 00/56] 4.4.132-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.132 release. There are 56 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed May 16 06:47:39 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.132-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.132-rc1 Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Peter Zijlstra <peterz(a)infradead.org> perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] Peter Zijlstra <peterz(a)infradead.org> perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver Peter Zijlstra <peterz(a)infradead.org> perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* Masami Hiramatsu <mhiramat(a)kernel.org> tracing/uprobe_event: Fix strncpy corner case Hans de Goede <hdegoede(a)redhat.com> Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Gustavo A. R. Silva <gustavo(a)embeddedor.com> atm: zatm: Fix potential Spectre v1 Gustavo A. R. Silva <gustavo(a)embeddedor.com> net: atm: Fix potential Spectre v1 Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix regex_match_front() to not over compare the test string Hans de Goede <hdegoede(a)redhat.com> libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Johan Hovold <johan(a)kernel.org> rfkill: gpio: fix memory leak in probe error path Yi Zhao <yi.zhao(a)windriver.com> xfrm_user: fix return value from xfrm_user_rcv_msg Wei Fang <fangwei1(a)huawei.com> f2fs: fix a dead loop in f2fs_fiemap() Jan Kara <jack(a)suse.cz> bdi: Fix oops in wb_workfn() Eric Dumazet <edumazet(a)google.com> tcp: fix TCP_REPAIR_QUEUE bound checking Jiri Olsa <jolsa(a)kernel.org> perf: Remove superfluous allocation error check Eric Dumazet <edumazet(a)google.com> soreuseport: initialise timewait reuseport field Eric Dumazet <edumazet(a)google.com> dccp: initialize ireq->ir_mark Eric Dumazet <edumazet(a)google.com> net: fix uninit-value in __hw_addr_add_ex() Eric Dumazet <edumazet(a)google.com> net: initialize skb->peeked when cloning Eric Dumazet <edumazet(a)google.com> net: fix rtnh_ok() Eric Dumazet <edumazet(a)google.com> netlink: fix uninit-value in netlink_sendmsg Eric Dumazet <edumazet(a)google.com> crypto: af_alg - fix possible uninit-value in alg_bind() Julian Anastasov <ja(a)ssi.bg> ipvs: fix rtnl_lock lockups caused by start_sync_thread Bin Liu <b-liu(a)ti.com> usb: musb: host: fix potential NULL pointer dereference SZ Lin (林上智) <sz.lin(a)moxa.com> USB: serial: option: adding support for ublox R410M Johan Hovold <johan(a)kernel.org> USB: serial: option: reimplement interface masking Alan Stern <stern(a)rowland.harvard.edu> USB: Accept bulk endpoints with 1024-byte maxpacket Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> USB: serial: visor: handle potential invalid device configuration Ben Hutchings <ben.hutchings(a)codethink.co.uk> test_firmware: fix setting old custom fw path back on exit, second try Thomas Hellstrom <thellstrom(a)vmware.com> drm/vmwgfx: Fix a buffer object leak Danit Goldberg <danitg(a)mellanox.com> IB/mlx5: Use unlimited rate when static rate is not supported SZ Lin (林上智) <sz.lin(a)moxa.com> NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 Leon Romanovsky <leonro(a)mellanox.com> RDMA/mlx5: Protect from shift operand overflow Roland Dreier <roland(a)purestorage.com> RDMA/ucma: Allow resolving address w/o specifying source address Darrick J. Wong <darrick.wong(a)oracle.com> xfs: prevent creating negative-sized file via INSERT_RANGE Vittorio Gambaletta (VittGam) <linuxbugs(a)vittgam.net> Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: leds - fix out of bound access Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> tracepoint: Do not warn on ENOMEM Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Add missing cable lock to ctl API callbacks Robert Rosengren <robert.rosengren(a)axis.com> ALSA: aloop: Mark paused device as inactive Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Check PCM state at xfern compat ioctl Kristian Evensen <kristian.evensen(a)gmail.com> USB: serial: option: Add support for Quectel EP06 Markus Pargmann <mpa(a)pengutronix.de> gpmi-nand: Handle ECC Errors in erased pages Vasanthakumar Thiagarajan <vthiagar(a)qti.qualcomm.com> ath10k: rebuild crypto header in rx data frames Vasanthakumar Thiagarajan <vthiagar(a)qti.qualcomm.com> ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode David Spinadel <david.spinadel(a)intel.com> mac80211: Add RX flag to indicate ICV stripped Sara Sharon <sara.sharon(a)intel.com> mac80211: allow same PN for AMSDU sub-frames Sara Sharon <sara.sharon(a)intel.com> mac80211: allow not sending MIC up from driver for HW crypto Tejun Heo <tj(a)kernel.org> percpu: include linux/sched.h for cond_resched() Alexander Yarygin <yarygin(a)linux.vnet.ibm.com> KVM: s390: Enable all facility bits that are known good for passthrough Teng Qin <qinteng(a)fb.com> bpf: map_get_next_key to return first key on NULL Tan Xiaojun <tanxiaojun(a)huawei.com> perf/core: Fix the perf_cpu_time_max_percent check ------------- Diffstat: Makefile | 4 +- arch/s390/kvm/kvm-s390.c | 4 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel_cstate.c | 2 + arch/x86/kernel/cpu/perf_event_msr.c | 9 +- crypto/af_alg.c | 8 +- drivers/ata/libata-core.c | 3 + drivers/atm/zatm.c | 3 + drivers/bluetooth/btusb.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + drivers/infiniband/core/ucma.c | 2 +- drivers/infiniband/hw/mlx5/qp.c | 22 +- drivers/input/input-leds.c | 8 +- drivers/input/touchscreen/atmel_mxt_ts.c | 9 + drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 78 +++- drivers/net/can/usb/kvaser_usb.c | 2 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/ath/ath10k/core.c | 8 + drivers/net/wireless/ath/ath10k/core.h | 4 + drivers/net/wireless/ath/ath10k/htt_rx.c | 100 ++++- drivers/net/wireless/ath/wcn36xx/txrx.c | 2 +- drivers/usb/core/config.c | 4 +- drivers/usb/musb/musb_host.c | 4 +- drivers/usb/serial/option.c | 448 ++++++++-------------- drivers/usb/serial/visor.c | 69 ++-- fs/f2fs/data.c | 2 +- fs/fs-writeback.c | 2 +- fs/xfs/xfs_file.c | 14 +- include/net/inet_timewait_sock.h | 1 + include/net/mac80211.h | 14 +- include/net/nexthop.h | 2 +- kernel/bpf/arraymap.c | 2 +- kernel/bpf/hashtab.c | 9 +- kernel/bpf/syscall.c | 20 +- kernel/events/callchain.c | 10 +- kernel/events/core.c | 2 +- kernel/events/ring_buffer.c | 7 +- kernel/trace/trace_events_filter.c | 3 + kernel/trace/trace_uprobe.c | 2 + kernel/tracepoint.c | 4 +- mm/percpu.c | 1 + net/atm/lec.c | 9 +- net/core/dev_addr_lists.c | 4 +- net/core/skbuff.c | 1 + net/dccp/ipv4.c | 1 + net/dccp/ipv6.c | 1 + net/ipv4/inet_timewait_sock.c | 1 + net/ipv4/tcp.c | 2 +- net/mac80211/util.c | 5 +- net/mac80211/wep.c | 3 +- net/mac80211/wpa.c | 45 ++- net/netfilter/ipvs/ip_vs_ctl.c | 8 - net/netfilter/ipvs/ip_vs_sync.c | 155 ++++---- net/netlink/af_netlink.c | 2 + net/rfkill/rfkill-gpio.c | 7 +- net/xfrm/xfrm_user.c | 2 +- sound/core/pcm_compat.c | 2 + sound/core/seq/seq_virmidi.c | 4 +- sound/drivers/aloop.c | 29 +- tools/testing/selftests/firmware/fw_filesystem.sh | 6 +- 60 files changed, 656 insertions(+), 531 deletions(-)

7 years, 5 months

7
62
0 0

[PATCH 4.4 00/24] 4.4.138-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.138 release. There are 24 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Jun 16 13:27:15 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.138-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.138-rc1 Michael Ellerman <mpe(a)ellerman.id.au> crypto: vmx - Remove overly verbose printk from AES init routines Johannes Wienke <languitar(a)semipol.de> Input: elan_i2c - add ELAN0612 (Lenovo v330 14IKB) ACPI ID Ethan Lee <flibitijibibo(a)gmail.com> Input: goodix - add new ACPI id for GPD Win 2 touch screen Paolo Bonzini <pbonzini(a)redhat.com> kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access Gil Kupfer <gilkup(a)gmail.com> vmw_balloon: fixing double free when batching mode is off Marek Szyprowski <m.szyprowski(a)samsung.com> serial: samsung: fix maxburst parameter for DMA transactions Paolo Bonzini <pbonzini(a)redhat.com> KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system Paolo Bonzini <pbonzini(a)redhat.com> KVM: x86: introduce linear_{read,write}_system Linus Torvalds <torvalds(a)linux-foundation.org> Clarify (and fix) MAX_LFS_FILESIZE macros Linus Walleij <linus.walleij(a)linaro.org> gpio: No NULL owner Andy Lutomirski <luto(a)kernel.org> x86/crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the crc32c code Kevin Easton <kevin(a)guarana.org> af_key: Always verify length of provided sadb_key Andy Lutomirski <luto(a)kernel.org> x86/fpu: Fix math emulation in eager fpu mode Andy Lutomirski <luto(a)kernel.org> x86/fpu: Fix FNSAVE usage in eagerfpu mode Andy Lutomirski <luto(a)kernel.org> x86/fpu: Hard-disable lazy FPU mode Borislav Petkov <bp(a)alien8.de> x86/fpu: Fix eager-FPU handling on legacy FPU machines Yu-cheng Yu <yu-cheng.yu(a)intel.com> x86/fpu: Revert ("x86/fpu: Disable AVX when eagerfpu is off") Andy Lutomirski <luto(a)kernel.org> x86/fpu: Fix 'no387' regression Andy Lutomirski <luto(a)kernel.org> x86/fpu: Default eagerfpu=on on all CPUs yu-cheng yu <yu-cheng.yu(a)intel.com> x86/fpu: Disable AVX when eagerfpu is off yu-cheng yu <yu-cheng.yu(a)intel.com> x86/fpu: Disable MPX when eagerfpu is off Borislav Petkov <bp(a)suse.de> x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros Juergen Gross <jgross(a)suse.com> x86: Remove unused function cpu_has_ht_siblings() yu-cheng yu <yu-cheng.yu(a)intel.com> x86/fpu: Fix early FPU command-line parsing ------------- Diffstat: Makefile | 4 +- arch/x86/crypto/chacha20_glue.c | 2 +- arch/x86/crypto/crc32c-intel_glue.c | 7 +- arch/x86/include/asm/cmpxchg_32.h | 2 +- arch/x86/include/asm/cmpxchg_64.h | 2 +- arch/x86/include/asm/cpufeature.h | 39 +------ arch/x86/include/asm/fpu/internal.h | 6 +- arch/x86/include/asm/fpu/xstate.h | 2 +- arch/x86/include/asm/kvm_emulate.h | 6 +- arch/x86/include/asm/smp.h | 9 -- arch/x86/include/asm/xor_32.h | 2 +- arch/x86/kernel/cpu/amd.c | 4 +- arch/x86/kernel/cpu/common.c | 4 +- arch/x86/kernel/cpu/intel.c | 3 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 6 +- arch/x86/kernel/cpu/mtrr/generic.c | 2 +- arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/perf_event_amd.c | 4 +- arch/x86/kernel/cpu/perf_event_amd_uncore.c | 11 +- arch/x86/kernel/fpu/core.c | 24 +++- arch/x86/kernel/fpu/init.c | 169 +++++++--------------------- arch/x86/kernel/fpu/xstate.c | 3 +- arch/x86/kernel/hw_breakpoint.c | 6 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/kernel/traps.c | 1 - arch/x86/kernel/vm86_32.c | 4 +- arch/x86/kvm/emulate.c | 72 ++++++------ arch/x86/kvm/vmx.c | 23 ++-- arch/x86/kvm/x86.c | 51 ++++++--- arch/x86/kvm/x86.h | 4 +- arch/x86/mm/setup_nx.c | 4 +- drivers/char/hw_random/via-rng.c | 5 +- drivers/crypto/padlock-aes.c | 2 +- drivers/crypto/padlock-sha.c | 2 +- drivers/crypto/vmx/aes.c | 2 - drivers/crypto/vmx/aes_cbc.c | 2 - drivers/crypto/vmx/aes_ctr.c | 2 - drivers/crypto/vmx/ghash.c | 2 - drivers/gpio/gpiolib.c | 9 +- drivers/input/mouse/elan_i2c_core.c | 1 + drivers/input/touchscreen/goodix.c | 1 + drivers/iommu/intel_irq_remapping.c | 2 +- drivers/misc/vmw_balloon.c | 23 ++-- drivers/tty/serial/samsung.c | 7 +- fs/btrfs/disk-io.c | 2 +- include/linux/fs.h | 4 +- net/key/af_key.c | 45 ++++++-- 47 files changed, 259 insertions(+), 332 deletions(-)

7 years, 5 months

8
38
0 0

FAILED: patch "[PATCH] n_tty: Access echo_* variables carefully." failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From ebec3f8f5271139df618ebdf8427e24ba102ba94 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Date: Sat, 26 May 2018 09:53:14 +0900 Subject: [PATCH] n_tty: Access echo_* variables carefully. syzbot is reporting stalls at __process_echoes() [1]. This is because since ldata->echo_commit < ldata->echo_tail becomes true for some reason, the discard loop is serving as almost infinite loop. This patch tries to avoid falling into ldata->echo_commit < ldata->echo_tail situation by making access to echo_* variables more carefully. Since reset_buffer_flags() is called without output_lock held, it should not touch echo_* variables. And omit a call to reset_buffer_flags() from n_tty_open() by using vzalloc(). Since add_echo_byte() is called without output_lock held, it needs memory barrier between storing into echo_buf[] and incrementing echo_head counter. echo_buf() needs corresponding memory barrier before reading echo_buf[]. Lack of handling the possibility of not-yet-stored multi-byte operation might be the reason of falling into ldata->echo_commit < ldata->echo_tail situation, for if I do WARN_ON(ldata->echo_commit == tail + 1) prior to echo_buf(ldata, tail + 1), the WARN_ON() fires. Also, explicitly masking with buffer for the former "while" loop, and use ldata->echo_commit > tail for the latter "while" loop. [1] https://syzkaller.appspot.com/bug?id=17f23b094cd80df750e5b0f8982c521ee6bcbf… Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Reported-by: syzbot <syzbot+108696293d7a21ab688f(a)syzkaller.appspotmail.com> Cc: Peter Hurley <peter(a)hurleysoftware.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index b279f8730e04..431742201709 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -143,6 +143,7 @@ static inline unsigned char *read_buf_addr(struct n_tty_data *ldata, size_t i) static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i) { + smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */ return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)]; } @@ -318,9 +319,7 @@ static inline void put_tty_queue(unsigned char c, struct n_tty_data *ldata) static void reset_buffer_flags(struct n_tty_data *ldata) { ldata->read_head = ldata->canon_head = ldata->read_tail = 0; - ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0; ldata->commit_head = 0; - ldata->echo_mark = 0; ldata->line_start = 0; ldata->erasing = 0; @@ -619,12 +618,19 @@ static size_t __process_echoes(struct tty_struct *tty) old_space = space = tty_write_room(tty); tail = ldata->echo_tail; - while (ldata->echo_commit != tail) { + while (MASK(ldata->echo_commit) != MASK(tail)) { c = echo_buf(ldata, tail); if (c == ECHO_OP_START) { unsigned char op; int no_space_left = 0; + /* + * Since add_echo_byte() is called without holding + * output_lock, we might see only portion of multi-byte + * operation. + */ + if (MASK(ldata->echo_commit) == MASK(tail + 1)) + goto not_yet_stored; /* * If the buffer byte is the start of a multi-byte * operation, get the next byte, which is either the @@ -636,6 +642,8 @@ static size_t __process_echoes(struct tty_struct *tty) unsigned int num_chars, num_bs; case ECHO_OP_ERASE_TAB: + if (MASK(ldata->echo_commit) == MASK(tail + 2)) + goto not_yet_stored; num_chars = echo_buf(ldata, tail + 2); /* @@ -730,7 +738,8 @@ static size_t __process_echoes(struct tty_struct *tty) /* If the echo buffer is nearly full (so that the possibility exists * of echo overrun before the next commit), then discard enough * data at the tail to prevent a subsequent overrun */ - while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { + while (ldata->echo_commit > tail && + ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { if (echo_buf(ldata, tail) == ECHO_OP_START) { if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB) tail += 3; @@ -740,6 +749,7 @@ static size_t __process_echoes(struct tty_struct *tty) tail++; } + not_yet_stored: ldata->echo_tail = tail; return old_space - space; } @@ -750,6 +760,7 @@ static void commit_echoes(struct tty_struct *tty) size_t nr, old, echoed; size_t head; + mutex_lock(&ldata->output_lock); head = ldata->echo_head; ldata->echo_mark = head; old = ldata->echo_commit - ldata->echo_tail; @@ -758,10 +769,12 @@ static void commit_echoes(struct tty_struct *tty) * is over the threshold (and try again each time another * block is accumulated) */ nr = head - ldata->echo_tail; - if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK)) + if (nr < ECHO_COMMIT_WATERMARK || + (nr % ECHO_BLOCK > old % ECHO_BLOCK)) { + mutex_unlock(&ldata->output_lock); return; + } - mutex_lock(&ldata->output_lock); ldata->echo_commit = head; echoed = __process_echoes(tty); mutex_unlock(&ldata->output_lock); @@ -812,7 +825,9 @@ static void flush_echoes(struct tty_struct *tty) static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata) { - *echo_buf_addr(ldata, ldata->echo_head++) = c; + *echo_buf_addr(ldata, ldata->echo_head) = c; + smp_wmb(); /* Matches smp_rmb() in echo_buf(). */ + ldata->echo_head++; } /** @@ -1881,30 +1896,21 @@ static int n_tty_open(struct tty_struct *tty) struct n_tty_data *ldata; /* Currently a malloc failure here can panic */ - ldata = vmalloc(sizeof(*ldata)); + ldata = vzalloc(sizeof(*ldata)); if (!ldata) - goto err; + return -ENOMEM; ldata->overrun_time = jiffies; mutex_init(&ldata->atomic_read_lock); mutex_init(&ldata->output_lock); tty->disc_data = ldata; - reset_buffer_flags(tty->disc_data); - ldata->column = 0; - ldata->canon_column = 0; - ldata->num_overrun = 0; - ldata->no_room = 0; - ldata->lnext = 0; tty->closing = 0; /* indicate buffer work may resume */ clear_bit(TTY_LDISC_HALTED, &tty->flags); n_tty_set_termios(tty, NULL); tty_unthrottle(tty); - return 0; -err: - return -ENOMEM; } static inline int input_available_p(struct tty_struct *tty, int poll)

7 years, 5 months

3
2
0 0

FAILED: patch "[PATCH] drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk" failed to apply to 4.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 0c79f9cb77eae28d48a4f9fc1b3341aacbbd260c Mon Sep 17 00:00:00 2001 From: Michel Thierry <michel.thierry(a)intel.com> Date: Thu, 10 May 2018 13:07:08 -0700 Subject: [PATCH] drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk Factor in clear values wherever required while updating destination min/max. References: HSDES#1604444184 Signed-off-by: Michel Thierry <michel.thierry(a)intel.com> Cc: mesa-dev(a)lists.freedesktop.org Cc: Mika Kuoppala <mika.kuoppala(a)linux.intel.com> Cc: Oscar Mateo <oscar.mateo(a)intel.com> Reviewed-by: Mika Kuoppala <mika.kuoppala(a)linux.intel.com> Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> Link: https://patchwork.freedesktop.org/patch/msgid/20180510200708.18097-1-michel… Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h index 14491782aa9e..f11bb213ec07 100644 --- a/drivers/gpu/drm/i915/i915_reg.h +++ b/drivers/gpu/drm/i915/i915_reg.h @@ -7259,6 +7259,9 @@ enum { #define SLICE_ECO_CHICKEN0 _MMIO(0x7308) #define PIXEL_MASK_CAMMING_DISABLE (1 << 14) +#define GEN9_WM_CHICKEN3 _MMIO(0x5588) +#define GEN9_FACTOR_IN_CLR_VAL_HIZ (1 << 9) + /* WaCatErrorRejectionIssue */ #define GEN7_SQ_CHICKEN_MBCUNIT_CONFIG _MMIO(0x9030) #define GEN7_SQ_CHICKEN_MBCUNIT_SQINTMOB (1<<11) diff --git a/drivers/gpu/drm/i915/intel_workarounds.c b/drivers/gpu/drm/i915/intel_workarounds.c index 5eec4ce965a5..2df3538ceba5 100644 --- a/drivers/gpu/drm/i915/intel_workarounds.c +++ b/drivers/gpu/drm/i915/intel_workarounds.c @@ -270,6 +270,10 @@ static int gen9_ctx_workarounds_init(struct drm_i915_private *dev_priv) GEN9_PREEMPT_GPGPU_LEVEL_MASK, GEN9_PREEMPT_GPGPU_COMMAND_LEVEL); + /* WaClearHIZ_WM_CHICKEN3:bxt,glk */ + if (IS_GEN9_LP(dev_priv)) + WA_SET_BIT_MASKED(GEN9_WM_CHICKEN3, GEN9_FACTOR_IN_CLR_VAL_HIZ); + return 0; }

7 years, 5 months

3
2
0 0

FAILED: patch "[PATCH] drm/atmel-hlcdc: check stride values in the first plane" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9fcf2b3c1c0276650fea537c71b513d27d929b05 Mon Sep 17 00:00:00 2001 From: Stefan Agner <stefan(a)agner.ch> Date: Sun, 17 Jun 2018 10:48:22 +0200 Subject: [PATCH] drm/atmel-hlcdc: check stride values in the first plane The statement always evaluates to true since the struct fields are arrays. This has shown up as a warning when compiling with clang: warning: address of array 'desc->layout.xstride' will always evaluate to 'true' [-Wpointer-bool-conversion] Check for values in the first plane instead. Fixes: 1a396789f65a ("drm: add Atmel HLCDC Display Controller support") Cc: <stable(a)vger.kernel.org> Signed-off-by: Stefan Agner <stefan(a)agner.ch> Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com> Link: https://patchwork.freedesktop.org/patch/msgid/20180617084826.31885-1-stefan… diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c index e18800ed7cd1..7b8191eae68a 100644 --- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c +++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c @@ -875,7 +875,7 @@ static int atmel_hlcdc_plane_init_properties(struct atmel_hlcdc_plane *plane, drm_object_attach_property(&plane->base.base, props->alpha, 255); - if (desc->layout.xstride && desc->layout.pstride) { + if (desc->layout.xstride[0] && desc->layout.pstride[0]) { int ret; ret = drm_plane_create_rotation_property(&plane->base,

7 years, 5 months

1
0
0 0

FAILED: patch "[PATCH] drm/atmel-hlcdc: check stride values in the first plane" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9fcf2b3c1c0276650fea537c71b513d27d929b05 Mon Sep 17 00:00:00 2001 From: Stefan Agner <stefan(a)agner.ch> Date: Sun, 17 Jun 2018 10:48:22 +0200 Subject: [PATCH] drm/atmel-hlcdc: check stride values in the first plane The statement always evaluates to true since the struct fields are arrays. This has shown up as a warning when compiling with clang: warning: address of array 'desc->layout.xstride' will always evaluate to 'true' [-Wpointer-bool-conversion] Check for values in the first plane instead. Fixes: 1a396789f65a ("drm: add Atmel HLCDC Display Controller support") Cc: <stable(a)vger.kernel.org> Signed-off-by: Stefan Agner <stefan(a)agner.ch> Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com> Link: https://patchwork.freedesktop.org/patch/msgid/20180617084826.31885-1-stefan… diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c index e18800ed7cd1..7b8191eae68a 100644 --- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c +++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c @@ -875,7 +875,7 @@ static int atmel_hlcdc_plane_init_properties(struct atmel_hlcdc_plane *plane, drm_object_attach_property(&plane->base.base, props->alpha, 255); - if (desc->layout.xstride && desc->layout.pstride) { + if (desc->layout.xstride[0] && desc->layout.pstride[0]) { int ret; ret = drm_plane_create_rotation_property(&plane->base,

7 years, 5 months

1
0
0 0

FAILED: patch "[PATCH] drm/amd/pp: initialize result to before or'ing in data" failed to apply to 4.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c4ff91dd40e2253ab6dd028011469c2c694e1e19 Mon Sep 17 00:00:00 2001 From: Colin Ian King <colin.king(a)canonical.com> Date: Wed, 6 Jun 2018 13:18:31 +0100 Subject: [PATCH] drm/amd/pp: initialize result to before or'ing in data The current use of result is or'ing in values and checking for a non-zero result, however, result is not initialized to zero so it potentially contains garbage to start with. Fix this by initializing it to the first return from the call to vega10_program_didt_config_registers. Detected by cppcheck: "(error) Uninitialized variable: result" Fixes: 9b7b8154cdb8 ("drm/amd/powerplay: added didt support for vega10") Signed-off-by: Colin Ian King <colin.king(a)canonical.com> Acked-by: Huang Rui <ray.huang(a)amd.com> [Fix the subject as Colin's comment] Signed-off-by: Huang Rui <ray.huang(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_powertune.c b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_powertune.c index a9efd8554fbc..dbe4b1f66784 100644 --- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_powertune.c +++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_powertune.c @@ -1104,7 +1104,7 @@ static int vega10_enable_psm_gc_edc_config(struct pp_hwmgr *hwmgr) for (count = 0; count < num_se; count++) { data = GRBM_GFX_INDEX__INSTANCE_BROADCAST_WRITES_MASK | GRBM_GFX_INDEX__SH_BROADCAST_WRITES_MASK | ( count << GRBM_GFX_INDEX__SE_INDEX__SHIFT); WREG32_SOC15(GC, 0, mmGRBM_GFX_INDEX, data); - result |= vega10_program_didt_config_registers(hwmgr, PSMSEEDCStallPatternConfig_Vega10, VEGA10_CONFIGREG_DIDT); + result = vega10_program_didt_config_registers(hwmgr, PSMSEEDCStallPatternConfig_Vega10, VEGA10_CONFIGREG_DIDT); result |= vega10_program_didt_config_registers(hwmgr, PSMSEEDCStallDelayConfig_Vega10, VEGA10_CONFIGREG_DIDT); result |= vega10_program_didt_config_registers(hwmgr, PSMSEEDCCtrlResetConfig_Vega10, VEGA10_CONFIGREG_DIDT); result |= vega10_program_didt_config_registers(hwmgr, PSMSEEDCCtrlConfig_Vega10, VEGA10_CONFIGREG_DIDT);

7 years, 5 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror