- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] [patch 05/17] autofs: fix careless error in recent commit

by akpm＠linux-foundation.org

From: NeilBrown <neilb(a)suse.com> Subject: autofs: fix careless error in recent commit ecc0c469f277 ("autofs: don't fail mount for transient error") was meant to replace an 'if' with a 'switch', but instead added the 'switch' leaving the case in place. Link: http://lkml.kernel.org/r/87zi6wstmw.fsf@notabene.neil.brown.name Fixes: ecc0c469f277 ("autofs: don't fail mount for transient error") Reported-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Signed-off-by: NeilBrown <neilb(a)suse.com> Cc: Ian Kent <raven(a)themaw.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/autofs4/waitq.c | 1 - 1 file changed, 1 deletion(-) diff -puN fs/autofs4/waitq.c~autofs-fix-careless-error-in-recent-commit fs/autofs4/waitq.c --- a/fs/autofs4/waitq.c~autofs-fix-careless-error-in-recent-commit +++ a/fs/autofs4/waitq.c @@ -170,7 +170,6 @@ static void autofs4_notify_daemon(struct mutex_unlock(&sbi->wq_mutex); - if (autofs4_write(sbi, pipe, &pkt, pktsz)) switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) { case 0: break; _

7 years, 2 months

1
0
0 0

[Linux-stable-mirror] [patch 04/17] string.h: workaround for increased stack usage

by akpm＠linux-foundation.org

From: Arnd Bergmann <arnd(a)arndb.de> Subject: string.h: workaround for increased stack usage The hardened strlen() function causes rather large stack usage in at least one file in the kernel, in particular when CONFIG_KASAN is enabled: drivers/media/usb/em28xx/em28xx-dvb.c: In function 'em28xx_dvb_init': drivers/media/usb/em28xx/em28xx-dvb.c:2062:1: error: the frame size of 3256 bytes is larger than 204 bytes [-Werror=frame-larger-than=] Analyzing this problem led to the discovery that gcc fails to merge the stack slots for the i2c_board_info[] structures after we strlcpy() into them, due to the 'noreturn' attribute on the source string length check. I reported this as a gcc bug, but it is unlikely to get fixed for gcc-8, since it is relatively easy to work around, and it gets triggered rarely. An earlier workaround I did added an empty inline assembly statement before the call to fortify_panic(), which works surprisingly well, but is really ugly and unintuitive. This is a new approach to the same problem, this time addressing it by not calling the 'extern __real_strnlen()' function for string constants where __builtin_strlen() is a compile-time constant and therefore known to be safe. We do this by checking if the last character in the string is a compile-time constant '\0'. If it is, we can assume that strlen() of the string is also constant. As a side-effect, this should also improve the object code output for any other call of strlen() on a string constant. [akpm(a)linux-foundation.org: add comment] Link: http://lkml.kernel.org/r/20171205215143.3085755-1-arnd@arndb.de Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365 Link: https://patchwork.kernel.org/patch/9980413/ Link: https://patchwork.kernel.org/patch/9974047/ Fixes: 6974f0c4555 ("include/linux/string.h: add the option of fortified string.h functions") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Cc: Kees Cook <keescook(a)chromium.org> Cc: Mauro Carvalho Chehab <mchehab(a)kernel.org> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Ryabinin <aryabinin(a)virtuozzo.com> Cc: Daniel Micay <danielmicay(a)gmail.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Martin Wilck <mwilck(a)suse.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/string.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff -puN include/linux/string.h~stringh-work-around-for-increased-stack-usage include/linux/string.h --- a/include/linux/string.h~stringh-work-around-for-increased-stack-usage +++ a/include/linux/string.h @@ -259,7 +259,10 @@ __FORTIFY_INLINE __kernel_size_t strlen( { __kernel_size_t ret; size_t p_size = __builtin_object_size(p, 0); - if (p_size == (size_t)-1) + + /* Work around gcc excess stack consumption issue */ + if (p_size == (size_t)-1 || + (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0')) return __builtin_strlen(p); ret = strnlen(p, p_size); if (p_size <= ret) _

7 years, 2 months

1
0
0 0

Re: [Linux-stable-mirror] Linux 4.9.69

by Sebastian Gottschall

this happend with the rc1 version. dont know if it still applies, will check now. 4.9.68 works [ 2.523730] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.69-rc1 #16 [ 2.523823] Hardware name: Qualcomm (Flattened Device Tree) [ 2.530247] task: dd41a9c0 task.stack: dd434000 [ 2.535548] PC is at llc_sap_open+0x34/0xf8 [ 2.540053] LR is at llc_sap_open+0x28/0xf8 [ 2.544220] pc : [<c063c554>] lr : [<c063c548>] psr: a0000013 [ 2.544220] sp : dd435e80 ip : dd435e80 fp : dd435e9c [ 2.548396] r10: c0a344c8 r9 : c0a00628 r8 : c0a29834 [ 2.559844] r7 : c0b47000 r6 : c063d84c r5 : 00000042 r4 : c0b3fbf0 [ 2.565059] r3 : ffffffec r2 : 00000000 r1 : 00000000 r0 : c0b975e4 [ 2.571655] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user [ 2.578165] Control: 10c5787d Table: 4220406a DAC: 00000055 [ 2.585368] Process swapper/0 (pid: 1, stack limit = 0xdd434210) [ 2.591099] Stack: (0xdd435e80 to 0xdd436000) [ 2.597175] 5e80: c0a21f70 c0846820 ffffe000 c0b47000 dd435eb4 dd435ea0 c063d7e4 c063c52c [ 2.601433] 5ea0: c0a21f70 00000000 dd435ecc dd435eb8 c0a21f88 c063d794 c0a21f70 00000000 [ 2.609592] 5ec0: dd435f4c dd435ed0 c03016fc c0a21f7c dd435ef4 dd435ee0 c033ca1c c04be99c [ 2.617753] 5ee0: 00000000 c0906768 dd435f4c dd435ef8 c033cd30 c0a00634 c089bbc0 c089bc0c [ 2.625912] 5f00: 00000000 c089b5d8 00000006 00000006 c08c4424 c0905d40 ddffcedc 00000000 [ 2.634073] 5f20: 00000000 c0b47000 c0905d40 00000007 c0b47000 c0a29834 c0a00628 c0a344c8 [ 2.642231] 5f40: dd435f94 dd435f50 c0a00dec c030164c 00000006 00000006 00000000 c0a00628 [ 2.650393] 5f60: ffbfb8e3 00000082 dd435f94 00000000 c073fa10 00000000 00000000 00000000 [ 2.658550] 5f80: 00000000 00000000 dd435fac dd435f98 c073fa20 c0a00ca4 00000000 c073fa10 [ 2.666711] 5fa0: 00000000 dd435fb0 c0307c60 c073fa1c 00000000 00000000 00000000 00000000 [ 2.674869] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 2.683029] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 f3f7bff7 f6ffd7fb [ 2.691184] Backtrace: [ 2.701603] [<c063c520>] (llc_sap_open) from [<c063d7e4>] (stp_proto_register+0x5c/0xc4) [ 2.701783] r7:c0b47000 r6:ffffe000 r5:c0846820 r4:c0a21f70 [ 2.709944] [<c063d788>] (stp_proto_register) from [<c0a21f88>] (br_init+0x18/0xb8) [ 2.715578] r5:00000000 r4:c0a21f70 [ 2.722959] [<' - try 'help'_init) from [<c03016fc>] (do_one_initcall+0xbc/0x138) (IPQ) # command '5:00000000 r4:c0a21f70 Unknown command 'c0301640>] (do_one_initcall) from [<c0a00dec>] (kernel_init_freeable+0x154/0x1f0) [ 2.737806] r10:c0a344c8 r9:c0a00628 r8:c0a29834 r7:c0b47000 r6:00000007 r5:c0905d40 [ 2.746220] r4:c0b47000 Am 14.12.2017 um 10:29 schrieb Greg KH: > I'm announcing the release of the 4.9.69 kernel. > > All users of the 4.9 kernel series must upgrade. > > The updated 4.9.y git tree can be found at: > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y > and can be browsed at the normal kernel.org git web browser: > http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary > > thanks, > > greg k-h > > ------------ > > Documentation/devicetree/bindings/usb/usb-device.txt | 2 > Makefile | 2 > arch/arm/include/asm/assembler.h | 18 ++ > arch/arm/include/asm/kvm_arm.h | 4 > arch/arm/include/asm/uaccess.h | 44 ++++-- > arch/arm/kernel/entry-header.S | 6 > arch/arm/kvm/handle_exit.c | 19 +- > arch/arm/mach-omap2/gpmc-onenand.c | 10 - > arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 25 ++- > arch/arm64/include/asm/kvm_arm.h | 3 > arch/arm64/kernel/process.c | 9 + > arch/arm64/kvm/handle_exit.c | 19 +- > arch/powerpc/Makefile | 11 + > arch/powerpc/include/asm/checksum.h | 2 > arch/powerpc/kernel/cpu_setup_power.S | 2 > arch/powerpc/mm/pgtable-radix.c | 4 > arch/powerpc/platforms/powernv/pci-ioda.c | 3 > arch/powerpc/sysdev/axonram.c | 5 > arch/s390/kernel/syscalls.S | 6 > arch/s390/kvm/priv.c | 11 + > arch/sparc/mm/init_64.c | 9 + > arch/x86/include/asm/kvm_host.h | 3 > arch/x86/kernel/hpet.c | 2 > arch/x86/kvm/vmx.c | 31 +--- > arch/x86/kvm/x86.c | 14 ++ > arch/x86/pci/broadcom_bus.c | 2 > arch/x86/platform/uv/tlb_uv.c | 1 > block/blk-core.c | 4 > block/blk-mq-sysfs.c | 4 > block/blk-mq.c | 4 > block/blk-mq.h | 1 > crypto/asymmetric_keys/pkcs7_verify.c | 2 > crypto/asymmetric_keys/x509_cert_parser.c | 2 > crypto/asymmetric_keys/x509_public_key.c | 2 > drivers/ata/libata-sff.c | 1 > drivers/atm/horizon.c | 2 > drivers/base/isa.c | 10 - > drivers/block/zram/zram_drv.c | 2 > drivers/bus/arm-cci.c | 7 - > drivers/bus/arm-ccn.c | 11 + > drivers/clk/uniphier/clk-uniphier-sys.c | 2 > drivers/crypto/s5p-sss.c | 5 > drivers/crypto/talitos.c | 66 ++++++--- > drivers/edac/i5000_edac.c | 8 - > drivers/edac/i5400_edac.c | 9 - > drivers/firmware/efi/efi.c | 3 > drivers/firmware/efi/esrt.c | 17 +- > drivers/firmware/efi/runtime-map.c | 10 - > drivers/gpio/gpio-altera.c | 26 +-- > drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 5 > drivers/gpu/drm/armada/Makefile | 2 > drivers/gpu/drm/exynos/exynos_drm_gem.c | 9 + > drivers/hid/Kconfig | 4 > drivers/hid/hid-chicony.c | 1 > drivers/hid/hid-core.c | 1 > drivers/hid/hid-ids.h | 1 > drivers/i2c/busses/i2c-riic.c | 6 > drivers/infiniband/hw/mlx4/qp.c | 2 > drivers/infiniband/hw/mlx5/main.c | 2 > drivers/iommu/intel-iommu.c | 8 - > drivers/irqchip/irq-crossbar.c | 8 - > drivers/media/rc/lirc_dev.c | 4 > drivers/media/usb/dvb-usb/dibusb-common.c | 16 ++ > drivers/memory/omap-gpmc.c | 4 > drivers/net/can/ti_hecc.c | 3 > drivers/net/can/usb/ems_usb.c | 2 > drivers/net/can/usb/esd_usb2.c | 2 > drivers/net/can/usb/kvaser_usb.c | 13 + > drivers/net/can/usb/usb_8dev.c | 2 > drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 36 ++++- > drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 8 + > drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 > drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 23 +-- > drivers/net/ethernet/ibm/ibmvnic.c | 43 ++++-- > drivers/net/ethernet/ibm/ibmvnic.h | 1 > drivers/net/phy/spi_ks8995.c | 3 > drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 > drivers/net/wireless/mac80211_hwsim.c | 5 > drivers/rapidio/devices/rio_mport_cdev.c | 3 > drivers/scsi/lpfc/lpfc_els.c | 14 +- > drivers/scsi/qla2xxx/qla_dbg.c | 12 - > drivers/scsi/scsi_lib.c | 10 - > drivers/spi/Kconfig | 1 > drivers/usb/dwc3/gadget.c | 7 - > drivers/usb/gadget/configfs.c | 1 > drivers/usb/gadget/function/f_fs.c | 13 + > drivers/usb/gadget/legacy/inode.c | 4 > drivers/usb/gadget/udc/net2280.c | 25 +-- > drivers/usb/gadget/udc/pxa27x_udc.c | 5 > drivers/usb/gadget/udc/renesas_usb3.c | 2 > drivers/virtio/virtio.c | 2 > fs/afs/cmservice.c | 3 > fs/btrfs/extent-tree.c | 1 > fs/nfs/dir.c | 2 > fs/xfs/xfs_inode.c | 1 > include/linux/dma-mapping.h | 2 > include/linux/genalloc.h | 3 > include/linux/mmu_notifier.h | 13 - > include/linux/omap-gpmc.h | 5 > include/linux/sysfs.h | 6 > include/scsi/libsas.h | 2 > kernel/bpf/percpu_freelist.c | 8 - > kernel/cpu.c | 10 - > kernel/debug/kdb/kdb_io.c | 2 > kernel/jump_label.c | 2 > kernel/sched/fair.c | 2 > kernel/sched/features.h | 5 > kernel/workqueue.c | 1 > lib/asn1_decoder.c | 49 ++++--- > lib/dynamic_debug.c | 4 > lib/genalloc.c | 10 - > mm/huge_memory.c | 84 ++++++++---- > mm/zsmalloc.c | 2 > net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 > net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 5 > net/ipv4/route.c | 14 +- > net/ipv6/af_inet6.c | 10 - > net/ipv6/ip6_gre.c | 2 > net/ipv6/ip6_vti.c | 8 - > net/rds/tcp.c | 15 +- > net/rds/tcp.h | 2 > net/rds/tcp_listen.c | 9 + > net/sctp/socket.c | 38 +++-- > net/sunrpc/sched.c | 3 > net/xfrm/xfrm_policy.c | 1 > scripts/coccicheck | 15 +- > scripts/module-common.lds | 2 > scripts/package/Makefile | 5 > security/keys/request_key.c | 46 +++++- > sound/core/pcm.c | 2 > sound/core/seq/seq_timer.c | 2 > sound/soc/sh/rcar/ssiu.c | 6 > sound/usb/mixer.c | 13 + > tools/hv/hv_kvp_daemon.c | 70 ++-------- > tools/testing/selftests/powerpc/harness.c | 6 > tools/testing/selftests/x86/fsgsbase.c | 2 > tools/testing/selftests/x86/ldt_gdt.c | 16 +- > tools/testing/selftests/x86/mpx-hw.h | 4 > tools/testing/selftests/x86/ptrace_syscall.c | 3 > tools/testing/selftests/x86/single_step_syscall.c | 5 > virt/kvm/arm/hyp/vgic-v2-sr.c | 4 > virt/kvm/arm/vgic/vgic-irqfd.c | 3 > virt/kvm/arm/vgic/vgic-its.c | 111 +++++++++------- > virt/kvm/kvm_main.c | 8 + > 144 files changed, 906 insertions(+), 526 deletions(-) > > Alexey Kardashevskiy (1): > powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested > > Alexey Kodanev (1): > gre6: use log_ecn_error module parameter in ip6_tnl_rcv() > > Andre Przywara (1): > KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled > > Andrew Banman (1): > x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register > > Andrew Honig (1): > KVM: VMX: remove I/O port 0x80 bypass on Intel hosts > > Arend Van Spriel (1): > brcmfmac: change driver unbind order of the sdio function devices > > Arvind Yadav (1): > atm: horizon: Fix irq release error > > Ben Hutchings (1): > mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() > > Blomme, Maarten (2): > spi_ks8995: fix "BUG: key accdaa28 not in .data!" > spi_ks8995: regs_size incorrect for some devices > > Chris Brandt (1): > i2c: riic: fix restart condition > > Christoffer Dall (1): > KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion > > Christoph Hellwig (1): > scsi: dma-mapping: always provide dma_get_cache_alignment > > Christophe JAILLET (3): > bus: arm-ccn: Check memory allocation failure > USB: gadgetfs: Fix a potential memory leak in 'dev_config()' > drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()' > > Chuck Lever (1): > sunrpc: Fix rpc_task_begin trace point > > Daniel Drake (1): > HID: chicony: Add support for another ASUS Zen AiO keyboard > > Daniel Thompson (1): > kdb: Fix handling of kallsyms_symbol_next() return value > > Darrick J. Wong (1): > xfs: fix forgotten rcu read unlock when skipping inode reclaim > > Dave Hansen (1): > x86/mpx/selftests: Fix up weird arrays > > Dave Martin (1): > arm64: fpsimd: Prevent registers leaking from dead tasks > > David Daney (1): > module: set __jump_table alignment to 8 > > David Howells (1): > afs: Connect up the CB.ProbeUuid > > Dmitry Safonov (1): > x86/selftests: Add clobbers for int80 on x86_64 > > Eric Biggers (5): > ASN.1: fix out-of-bounds read when parsing indefinite length item > ASN.1: check for error from ASN1_OP_END__ACT actions > KEYS: add missing permission check for request_key() destination > X.509: reject invalid BIT STRING for subjectPublicKey > X.509: fix comparisons of ->pkey_algo > > Eric Dumazet (1): > bpf: fix lockdep splat > > Florian Westphal (1): > netfilter: don't track fragmented packets > > Franck Demathieu (1): > irqchip/crossbar: Fix incorrect type of register size > > Greg Kroah-Hartman (2): > efi: Move some sysfs files to be read-only by root > Linux 4.9.69 > > Guenter Roeck (2): > ARM: OMAP2+: Fix device node reference counts > ARM: OMAP2+: Release device node after it is no longer needed. > > Heiko Carstens (1): > s390: fix compat system call table > > Herbert Xu (1): > xfrm: Copy policy family in clone_policy > > Huacai Chen (2): > scsi: use dma_get_cache_alignment() as minimum DMA alignment > scsi: libsas: align sata_device's rps_resp on a cacheline > > Jaejoong Kim (2): > ALSA: usb-audio: Fix out-of-bound error > ALSA: usb-audio: Add check return value for usb_string() > > James Smart (1): > scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters > > Jan Kara (1): > axonram: Fix gendisk handling > > Janosch Frank (1): > KVM: s390: Fix skey emulation permission check > > Jason Baron (1): > jump_label: Invoke jump_label_test() via early_initcall() > > Jeff Mahoney (1): > btrfs: fix missing error return in btrfs_drop_snapshot > > Jim Mattson (1): > kvm: nVMX: VMCLEAR should not cause the vCPU to shut down > > Jim Qu (1): > drm/amd/amdgpu: fix console deadlock if late init failed > > Jimmy Assarsson (3): > can: kvaser_usb: free buf in error paths > can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() > can: kvaser_usb: ratelimit errors if incomplete messages are received > > Joe Perches (1): > scsi: qla2xxx: Fix ql_dump_buffer > > Johan Hovold (1): > dt-bindings: usb: fix reg-property port-number range > > Johannes Thumshirn (1): > zram: set physical queue limits to avoid array out of bounds accesses > > John Keeping (2): > usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT > usb: gadget: configs: plug memory leak > > Jérémy Lefaure (2): > EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro > EDAC, i5000, i5400: Fix definition of NRECMEMB register > > Kees Cook (1): > ARM: 8657/1: uaccess: consistently check object sizes > > Kim Phillips (1): > bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left. > > Kirill A. Shutemov (3): > thp: reduce indentation level in change_huge_pmd() > thp: fix MADV_DONTNEED vs. numa balancing race > mm: drop unused pmdp_huge_get_and_clear_notify() > > Kristina Martsenko (1): > arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one > > Krzysztof Kozlowski (1): > crypto: s5p-sss - Fix completing crypto request in IRQ handler > > Kuninori Morimoto (1): > ASoC: rcar: avoid SSI_MODEx settings for SSI8 > > LEROY Christophe (6): > crypto: talitos - fix AEAD test failures > crypto: talitos - fix memory corruption on SEC2 > crypto: talitos - fix setkey to check key weakness > crypto: talitos - fix AEAD for sha224 on non sha224 capable chips > crypto: talitos - fix use of sg_link_tbl_len > crypto: talitos - fix ctr-aes-talitos > > Ladislav Michl (1): > ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure > > Lai Jiangshan (1): > smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place > > Laurent Caumont (1): > media: dvb: i2c transfers over usb cannot be done from stack > > Majd Dibbiny (1): > IB/mlx5: Assign send CQ and recv CQ of UMR QP > > Marc Zyngier (5): > arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one > KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation > KVM: arm/arm64: vgic-its: Check result of allocation before use > bus: arm-cci: Fix use of smp_processor_id() in preemptible context > bus: arm-ccn: Fix use of smp_processor_id() in preemptible context > > Marek Szyprowski (1): > drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU > > Mark Bloch (1): > IB/mlx4: Increase maximal message size under UD QP > > Mark Rutland (2): > arm: KVM: Survive unknown traps from guests > arm64: KVM: Survive unknown traps from guests > > Martin Kelly (4): > can: kvaser_usb: cancel urb on -EPIPE and -EPROTO > can: ems_usb: cancel urb on -EPIPE and -EPROTO > can: esd_usb2: cancel urb on -EPIPE and -EPROTO > can: usb_8dev: cancel urb on -EPIPE and -EPROTO > > Masahiro Yamada (3): > kbuild: pkg: use --transform option to prefix paths in tar > coccinelle: fix parallel build with CHECK=scripts/coccicheck > clk: uniphier: fix DAPLL2 clock rate of Pro5 > > Michal Schmidt (4): > bnx2x: prevent crash when accessing PTP with interface down > bnx2x: fix possible overrun of VFPF multicast addresses array > bnx2x: fix detection of VLAN filtering feature for VF > bnx2x: do not rollback VF MAC/VLAN filters we did not configure > > Ming Lei (2): > blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue() > block: wake up all tasks blocked in get_request() > > Nicholas Piggin (2): > powerpc/64s: Initialize ISAv3 MMU registers before setting partition table > powerpc: Fix compiling a BE kernel with a powerpc64le toolchain > > Oliver Stäbler (1): > can: ti_hecc: Fix napi poll return value for repoll > > Pan Bian (1): > efi/esrt: Use memunmap() instead of kfree() to free the remapping > > Paul Mackerras (1): > powerpc/64: Invalidate process table caching after setting process table > > Paul Meyer (1): > hv: kvp: Avoid reading past allocated blocks from KVP file > > Pavel Tatashin (1): > sparc64/mm: set fields in deferred pages > > Peter Zijlstra (1): > sched/fair: Make select_idle_cpu() more aggressive > > Petr Cvek (1): > usb: gadget: pxa27x: Test for a valid argument pointer > > Phil Reid (1): > gpio: altera: Use handle_level_irq when configured as a level_high > > Radim Krčmář (1): > KVM: x86: fix APIC page invalidation > > Rafael J. Wysocki (1): > x86/PCI: Make broadcom_postcore_init() check acpi_disabled > > Randy Dunlap (1): > dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 > > Raz Manor (1): > usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver > > Robb Glasser (1): > ALSA: pcm: prevent UAF in snd_pcm_info > > Robin Murphy (1): > iommu/vt-d: Fix scatterlist offset handling > > Roger Quadros (1): > usb: dwc3: gadget: Fix system suspend/resume on TI platforms > > Russell King (2): > ARM: BUG if jumping to usermode address in kernel mode > ARM: avoid faulting on qemu > > Sachin Sant (1): > selftest/powerpc: Fix false failures for skipped tests > > Sasha Levin (2): > Revert "drm/armada: Fix compile fail" > Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA" > > Sean Young (1): > lirc: fix dead lock between open and wakeup_filter > > Sergey Senozhatsky (1): > zsmalloc: calling zs_map_object() from irq is a bug > > Shile Zhang (1): > powerpc/64: Fix checksum folding in csum_add() > > Sowmini Varadhan (1): > rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races > > Steffen Klassert (1): > vti6: Don't report path MTU below IPV6_MIN_MTU. > > Stephen Bates (1): > lib/genalloc.c: make the avail variable an atomic_long_t > > Takashi Iwai (1): > ALSA: seq: Remove spurious WARN_ON() at timer check > > Tejun Heo (2): > libata: drop WARN from protocol error in ata_sff_qc_issue() > workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq > > Thomas Falcon (2): > ibmvnic: Fix overflowing firmware/hardware TX queue > ibmvnic: Allocate number of rx/tx buffers agreed on by firmware > > Thomas Gleixner (1): > x86/hpet: Prevent might sleep splat on resume > > Trond Myklebust (1): > NFS: Fix a typo in nfs_rename() > > WANG Cong (1): > ipv6: reorder icmpv6_init() and ip6_mr_init() > > Wanpeng Li (1): > KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset > > William Breathitt Gray (1): > isa: Prevent NULL dereference in isa_bus driver callbacks > > Xin Long (4): > route: also update fnhe_genid when updating a route cache > route: update fnhe_expires for redirect when the fnhe exists > sctp: do not free asoc when it is already dead in sctp_sendmsg > sctp: use the right sk after waking up from wait_buf sleep > > Yoshihiro Shimoda (1): > usb: gadget: udc: renesas_usb3: fix number of the pipes > > weiping zhang (1): > virtio: release virtio index when fail to device_register > -- Mit freundlichen Grüssen / Regards Sebastian Gottschall / CTO NewMedia-NET GmbH - DD-WRT Firmensitz: Stubenwaldallee 21a, 64625 Bensheim Registergericht: Amtsgericht Darmstadt, HRB 25473 Geschäftsführer: Peter Steinhäuser, Christian Scheele http://www.dd-wrt.com email: s.gottschall(a)dd-wrt.com Tel.: +496251-582650 / Fax: +496251-5826565

7 years, 2 months

2
3
0 0

[Linux-stable-mirror] Patch "usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-gadget-ffs-forbid-usb_ep_alloc_request-from-sleeping.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba Mon Sep 17 00:00:00 2001 From: Vincent Pelletier <plr.vincent(a)gmail.com> Date: Sun, 26 Nov 2017 06:52:53 +0000 Subject: usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping From: Vincent Pelletier <plr.vincent(a)gmail.com> commit 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba upstream. Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation: [ 100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421 [ 100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python [ 100.867954] 2 locks held by python/1880: [ 100.867961] #0: (&epfile->mutex){....}, at: [<f8188627>] ffs_mutex_lock+0x27/0x30 [usb_f_fs] [ 100.868020] #1: (&(&ffs->eps_lock)->rlock){....}, at: [<f818ad4b>] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs] [ 100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118 [ 100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48 [ 100.868093] Call Trace: [ 100.868122] dump_stack+0x47/0x62 [ 100.868156] ___might_sleep+0xfd/0x110 [ 100.868182] __might_sleep+0x68/0x70 [ 100.868217] kmem_cache_alloc_trace+0x4b/0x200 [ 100.868248] ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868302] dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868343] usb_ep_alloc_request+0x16/0xc0 [udc_core] [ 100.868386] ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs] [ 100.868424] ? _raw_spin_unlock_irqrestore+0x27/0x40 [ 100.868457] ? kiocb_set_cancel_fn+0x57/0x60 [ 100.868477] ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs] [ 100.868512] ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs] [ 100.868551] ? security_file_permission+0x9c/0xd0 [ 100.868587] ? rw_verify_area+0xac/0x120 [ 100.868633] aio_read+0x9d/0x100 [ 100.868692] ? __fget+0xa2/0xd0 [ 100.868727] ? __might_sleep+0x68/0x70 [ 100.868763] SyS_io_submit+0x471/0x680 [ 100.868878] do_int80_syscall_32+0x4e/0xd0 [ 100.868921] entry_INT80_32+0x2a/0x2a [ 100.868932] EIP: 0xb7fbb676 [ 100.868941] EFLAGS: 00000292 CPU: 1 [ 100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368 [ 100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638 [ 100.868973] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b Signed-off-by: Vincent Pelletier <plr.vincent(a)gmail.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Signed-off-by: Siqi Lin <siqilin(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -791,7 +791,7 @@ static ssize_t ffs_epfile_io(struct file } if (io_data->aio) { - req = usb_ep_alloc_request(ep->ep, GFP_KERNEL); + req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC); if (unlikely(!req)) goto error_lock; Patches currently in stable-queue which might be from plr.vincent(a)gmail.com are queue-4.4/usb-gadget-ffs-forbid-usb_ep_alloc_request-from-sleeping.patch

7 years, 2 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-gadget-ffs-forbid-usb_ep_alloc_request-from-sleeping.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba Mon Sep 17 00:00:00 2001 From: Vincent Pelletier <plr.vincent(a)gmail.com> Date: Sun, 26 Nov 2017 06:52:53 +0000 Subject: usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping From: Vincent Pelletier <plr.vincent(a)gmail.com> commit 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba upstream. Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation: [ 100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421 [ 100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python [ 100.867954] 2 locks held by python/1880: [ 100.867961] #0: (&epfile->mutex){....}, at: [<f8188627>] ffs_mutex_lock+0x27/0x30 [usb_f_fs] [ 100.868020] #1: (&(&ffs->eps_lock)->rlock){....}, at: [<f818ad4b>] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs] [ 100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118 [ 100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48 [ 100.868093] Call Trace: [ 100.868122] dump_stack+0x47/0x62 [ 100.868156] ___might_sleep+0xfd/0x110 [ 100.868182] __might_sleep+0x68/0x70 [ 100.868217] kmem_cache_alloc_trace+0x4b/0x200 [ 100.868248] ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868302] dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868343] usb_ep_alloc_request+0x16/0xc0 [udc_core] [ 100.868386] ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs] [ 100.868424] ? _raw_spin_unlock_irqrestore+0x27/0x40 [ 100.868457] ? kiocb_set_cancel_fn+0x57/0x60 [ 100.868477] ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs] [ 100.868512] ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs] [ 100.868551] ? security_file_permission+0x9c/0xd0 [ 100.868587] ? rw_verify_area+0xac/0x120 [ 100.868633] aio_read+0x9d/0x100 [ 100.868692] ? __fget+0xa2/0xd0 [ 100.868727] ? __might_sleep+0x68/0x70 [ 100.868763] SyS_io_submit+0x471/0x680 [ 100.868878] do_int80_syscall_32+0x4e/0xd0 [ 100.868921] entry_INT80_32+0x2a/0x2a [ 100.868932] EIP: 0xb7fbb676 [ 100.868941] EFLAGS: 00000292 CPU: 1 [ 100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368 [ 100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638 [ 100.868973] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b Signed-off-by: Vincent Pelletier <plr.vincent(a)gmail.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Signed-off-by: Siqi Lin <siqilin(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -816,7 +816,7 @@ static ssize_t ffs_epfile_io(struct file } if (io_data->aio) { - req = usb_ep_alloc_request(ep->ep, GFP_KERNEL); + req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC); if (unlikely(!req)) goto error_lock; Patches currently in stable-queue which might be from plr.vincent(a)gmail.com are queue-3.18/usb-gadget-ffs-forbid-usb_ep_alloc_request-from-sleeping.patch

7 years, 2 months

1
0
0 0

[Linux-stable-mirror] [PATCH] usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping

by Siqi Lin

From: Vincent Pelletier <plr.vincent(a)gmail.com> Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation: [ 100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421 [ 100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python [ 100.867954] 2 locks held by python/1880: [ 100.867961] #0: (&epfile->mutex){....}, at: [<f8188627>] ffs_mutex_lock+0x27/0x30 [usb_f_fs] [ 100.868020] #1: (&(&ffs->eps_lock)->rlock){....}, at: [<f818ad4b>] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs] [ 100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118 [ 100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48 [ 100.868093] Call Trace: [ 100.868122] dump_stack+0x47/0x62 [ 100.868156] ___might_sleep+0xfd/0x110 [ 100.868182] __might_sleep+0x68/0x70 [ 100.868217] kmem_cache_alloc_trace+0x4b/0x200 [ 100.868248] ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868302] dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868343] usb_ep_alloc_request+0x16/0xc0 [udc_core] [ 100.868386] ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs] [ 100.868424] ? _raw_spin_unlock_irqrestore+0x27/0x40 [ 100.868457] ? kiocb_set_cancel_fn+0x57/0x60 [ 100.868477] ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs] [ 100.868512] ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs] [ 100.868551] ? security_file_permission+0x9c/0xd0 [ 100.868587] ? rw_verify_area+0xac/0x120 [ 100.868633] aio_read+0x9d/0x100 [ 100.868692] ? __fget+0xa2/0xd0 [ 100.868727] ? __might_sleep+0x68/0x70 [ 100.868763] SyS_io_submit+0x471/0x680 [ 100.868878] do_int80_syscall_32+0x4e/0xd0 [ 100.868921] entry_INT80_32+0x2a/0x2a [ 100.868932] EIP: 0xb7fbb676 [ 100.868941] EFLAGS: 00000292 CPU: 1 [ 100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368 [ 100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638 [ 100.868973] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b Signed-off-by: Vincent Pelletier <plr.vincent(a)gmail.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Signed-off-by: Siqi Lin <siqilin(a)google.com> --- This is a backport of commit 30bf90ccdec1da9c ('usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping') to 4.4 and 3.18. drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 732e6ed5d7b4..39bb65265bff 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -791,7 +791,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) } if (io_data->aio) { - req = usb_ep_alloc_request(ep->ep, GFP_KERNEL); + req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC); if (unlikely(!req)) goto error_lock; -- 2.15.1.504.g5279b80103-goog

7 years, 2 months

2
1
0 0

[Linux-stable-mirror] [PATCH v4.14 backport] KVM: arm/arm64: vgic-its: Preserve the revious read from the pending table

by Christoffer Dall

From: Marc Zyngier <marc.zyngier(a)arm.com> Commit 64afe6e9eb4841f35317da4393de21a047a883b3 upstream. The current pending table parsing code assumes that we keep the previous read of the pending bits, but keep that variable in the current block, making sure it is discarded on each loop. We end-up using whatever is on the stack. Who knows, it might just be the right thing... Fixes: 33d3bc9556a7d ("KVM: arm64: vgic-its: Read initial LPI pending table") Cc: <stable(a)vger.kernel.org> # 4.8 Reported-by: AKASHI Takahiro <takahiro.akashi(a)linaro.org> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- virt/kvm/arm/vgic/vgic-its.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c index 547f12dc4d54..d5a8bfe78bc4 100644 --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -393,6 +393,7 @@ static int its_sync_lpi_pending_table(struct kvm_vcpu *vcpu) int ret = 0; u32 *intids; int nr_irqs, i; + u8 pendmask; nr_irqs = vgic_copy_lpi_list(vcpu, &intids); if (nr_irqs < 0) @@ -400,7 +401,6 @@ static int its_sync_lpi_pending_table(struct kvm_vcpu *vcpu) for (i = 0; i < nr_irqs; i++) { int byte_offset, bit_nr; - u8 pendmask; byte_offset = intids[i] / BITS_PER_BYTE; bit_nr = intids[i] % BITS_PER_BYTE; -- 2.14.2

7 years, 2 months

2
4
0 0

[Linux-stable-mirror] Patch "arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 5553b142be11e794ebc0805950b2e8313f93d718 Mon Sep 17 00:00:00 2001 From: Marc Zyngier <marc.zyngier(a)arm.com> Date: Thu, 16 Nov 2017 17:58:21 +0000 Subject: arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one From: Marc Zyngier <marc.zyngier(a)arm.com> commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream. VTTBR_BADDR_MASK is used to sanity check the size and alignment of the VTTBR address. It seems to currently be off by one, thereby only allowing up to 39-bit addresses (instead of 40-bit) and also insufficiently checking the alignment. This patch fixes it. This patch is the 32bit pendent of Kristina's arm64 fix, and she deserves the actual kudos for pinpointing that one. Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation") Cc: <stable(a)vger.kernel.org> # 3.9 Reported-by: Kristina Martsenko <kristina.martsenko(a)arm.com> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/arm/include/asm/kvm_arm.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/arch/arm/include/asm/kvm_arm.h +++ b/arch/arm/include/asm/kvm_arm.h @@ -161,8 +161,7 @@ #else #define VTTBR_X (5 - KVM_T0SZ) #endif -#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) -#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) +#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_X) #define VTTBR_VMID_SHIFT (48LLU) #define VTTBR_VMID_MASK (0xffLLU << VTTBR_VMID_SHIFT) Patches currently in stable-queue which might be from marc.zyngier(a)arm.com are queue-4.4/arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-4.4/arm-kvm-survive-unknown-traps-from-guests.patch queue-4.4/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-4.4/irqchip-crossbar-fix-incorrect-type-of-register-size.patch queue-4.4/arm64-kvm-survive-unknown-traps-from-guests.patch

7 years, 2 months

1
0
0 0

[Linux-stable-mirror] [PATCH v3.18 backport] arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one

by Christoffer Dall

From: Marc Zyngier <marc.zyngier(a)arm.com> Commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream. VTTBR_BADDR_MASK is used to sanity check the size and alignment of the VTTBR address. It seems to currently be off by one, thereby only allowing up to 39-bit addresses (instead of 40-bit) and also insufficiently checking the alignment. This patch fixes it. This patch is the 32bit pendent of Kristina's arm64 fix, and she deserves the actual kudos for pinpointing that one. Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation") Cc: <stable(a)vger.kernel.org> # 3.9 Reported-by: Kristina Martsenko <kristina.martsenko(a)arm.com> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- arch/arm/include/asm/kvm_arm.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/arm/include/asm/kvm_arm.h b/arch/arm/include/asm/kvm_arm.h index 816db0bf2dd8..46b336df4ec1 100644 --- a/arch/arm/include/asm/kvm_arm.h +++ b/arch/arm/include/asm/kvm_arm.h @@ -161,8 +161,7 @@ #else #define VTTBR_X (5 - KVM_T0SZ) #endif -#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) -#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) +#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_X) #define VTTBR_VMID_SHIFT (48LLU) #define VTTBR_VMID_MASK (0xffLLU << VTTBR_VMID_SHIFT) -- 2.14.2

7 years, 2 months

2
1
0 0

[Linux-stable-mirror] Patch "arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 5553b142be11e794ebc0805950b2e8313f93d718 Mon Sep 17 00:00:00 2001 From: Marc Zyngier <marc.zyngier(a)arm.com> Date: Thu, 16 Nov 2017 17:58:21 +0000 Subject: arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one From: Marc Zyngier <marc.zyngier(a)arm.com> commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream. VTTBR_BADDR_MASK is used to sanity check the size and alignment of the VTTBR address. It seems to currently be off by one, thereby only allowing up to 39-bit addresses (instead of 40-bit) and also insufficiently checking the alignment. This patch fixes it. This patch is the 32bit pendent of Kristina's arm64 fix, and she deserves the actual kudos for pinpointing that one. Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation") Reported-by: Kristina Martsenko <kristina.martsenko(a)arm.com> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/arm/include/asm/kvm_arm.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/arch/arm/include/asm/kvm_arm.h +++ b/arch/arm/include/asm/kvm_arm.h @@ -161,8 +161,7 @@ #else #define VTTBR_X (5 - KVM_T0SZ) #endif -#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) -#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) +#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_X) #define VTTBR_VMID_SHIFT (48LLU) #define VTTBR_VMID_MASK (0xffLLU << VTTBR_VMID_SHIFT) Patches currently in stable-queue which might be from marc.zyngier(a)arm.com are queue-3.18/arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-3.18/arm-kvm-survive-unknown-traps-from-guests.patch queue-3.18/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-3.18/irqchip-crossbar-fix-incorrect-type-of-register-size.patch

7 years, 2 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror