I'm announcing the release of the 4.9.312 kernel.
All users of the 4.9 kernel series must upgrade.
The updated 4.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git%3Ba=summa...
thanks,
greg k-h
------------
Makefile | 2 - arch/arc/kernel/entry.S | 1 arch/arm/mach-vexpress/spc.c | 2 - block/compat_ioctl.c | 2 - drivers/ata/pata_marvell.c | 2 + drivers/dma/at_xdmac.c | 12 +++++----- drivers/dma/imx-sdma.c | 4 +-- drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c | 3 ++ drivers/net/ethernet/intel/e1000e/ich8lan.c | 4 +-- drivers/net/vxlan.c | 4 +-- drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 - drivers/platform/x86/samsung-laptop.c | 2 - fs/cifs/cifsfs.c | 2 - fs/ext4/inode.c | 11 ++++++++- fs/ext4/super.c | 19 ++++++++++++---- fs/gfs2/rgrp.c | 9 ++++--- include/linux/etherdevice.h | 5 +--- mm/page_alloc.c | 2 - net/netlink/af_netlink.c | 7 +++++ net/openvswitch/flow_netlink.c | 2 - net/packet/af_packet.c | 13 +++++++--- sound/soc/soc-dapm.c | 6 +---- sound/usb/midi.c | 1 sound/usb/usbaudio.h | 2 - 24 files changed, 78 insertions(+), 41 deletions(-)
Bob Peterson (1): gfs2: assign rgrp glock before compute_bitstructs
Borislav Petkov (2): ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant
David Howells (1): cifs: Check the IOCB_DIRECT flag, not O_DIRECT
Eric Dumazet (1): netlink: reset network and mac headers in netlink_dump()
Greg Kroah-Hartman (1): Linux 4.9.312
Hangbin Liu (1): net/packet: fix packet_sock xmit return value checking
Hongbin Wang (1): vxlan: fix error return code in vxlan_fdb_append
Jiapeng Chong (1): platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative
Kees Cook (2): etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead ARM: vexpress/spc: Avoid negative array index when !SMP
Khazhismel Kumykov (1): block/compat_ioctl: fix range check in BLKGETSIZE
Miaoqian Lin (1): dmaengine: imx-sdma: Fix error checking in sdma_event_remap
Paolo Valerio (1): openvswitch: fix OOB access in reserve_sfa_size()
Sasha Neftin (1): e1000e: Fix possible overflow in LTR decoding
Sergey Matyukevich (1): ARC: entry: fix syscall_trace_exit argument
Tadeusz Struk (1): ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
Takashi Iwai (1): ALSA: usb-audio: Clear MIDI port active flag after draining
Theodore Ts'o (2): ext4: fix overhead calculation to account for the reserved gdt blocks ext4: force overhead calculation if the s_overhead_cluster makes no sense
Xiaoke Wang (1): drm/msm/mdp5: check the return of kzalloc()
Xiaomeng Tong (2): dma: at_xdmac: fix a missing check on list iterator ASoC: soc-dapm: fix two incorrect uses of list iterator
Xiongwei Song (1): mm: page_alloc: fix building error on -Werror=array-compare
Zheyu Ma (1): ata: pata_marvell: Check the 'bmdma_addr' beforing reading
diff --git a/Makefile b/Makefile index c1a20e4a2d13..a9f16c9c9614 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ VERSION = 4 PATCHLEVEL = 9 -SUBLEVEL = 311 +SUBLEVEL = 312 EXTRAVERSION = NAME = Roaring Lionus
diff --git a/arch/arc/kernel/entry.S b/arch/arc/kernel/entry.S index 37ad245cf989..fb458623f386 100644 --- a/arch/arc/kernel/entry.S +++ b/arch/arc/kernel/entry.S @@ -191,6 +191,7 @@ tracesys_exit: st r0, [sp, PT_r0] ; sys call return value in pt_regs
;POST Sys Call Ptrace Hook + mov r0, sp ; pt_regs needed bl @syscall_trace_exit b ret_from_exception ; NOT ret_from_system_call at is saves r0 which ; we'd done before calling post hook above diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c index 635b0d549487..c16f39614003 100644 --- a/arch/arm/mach-vexpress/spc.c +++ b/arch/arm/mach-vexpress/spc.c @@ -584,7 +584,7 @@ static int __init ve_spc_clk_init(void) }
cluster = topology_physical_package_id(cpu_dev->id); - if (init_opp_table[cluster]) + if (cluster < 0 || init_opp_table[cluster]) continue;
if (ve_init_opp_table(cpu_dev)) diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c index b6e5447d563e..f538bac4ac66 100644 --- a/block/compat_ioctl.c +++ b/block/compat_ioctl.c @@ -394,7 +394,7 @@ long compat_blkdev_ioctl(struct file *file, unsigned cmd, unsigned long arg) return 0; case BLKGETSIZE: size = i_size_read(bdev->bd_inode); - if ((size >> 9) > ~0UL) + if ((size >> 9) > ~(compat_ulong_t)0) return -EFBIG; return compat_put_ulong(arg, size >> 9);
diff --git a/drivers/ata/pata_marvell.c b/drivers/ata/pata_marvell.c index ff468a6fd8dd..677f582cf3d6 100644 --- a/drivers/ata/pata_marvell.c +++ b/drivers/ata/pata_marvell.c @@ -82,6 +82,8 @@ static int marvell_cable_detect(struct ata_port *ap) switch(ap->port_no) { case 0: + if (!ap->ioaddr.bmdma_addr) + return ATA_CBL_PATA_UNK; if (ioread8(ap->ioaddr.bmdma_addr + 1) & 1) return ATA_CBL_PATA40; return ATA_CBL_PATA80; diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c index c15ca560fe60..ca266fcca186 100644 --- a/drivers/dma/at_xdmac.c +++ b/drivers/dma/at_xdmac.c @@ -1392,7 +1392,7 @@ at_xdmac_tx_status(struct dma_chan *chan, dma_cookie_t cookie, { struct at_xdmac_chan *atchan = to_at_xdmac_chan(chan); struct at_xdmac *atxdmac = to_at_xdmac(atchan->chan.device); - struct at_xdmac_desc *desc, *_desc; + struct at_xdmac_desc *desc, *_desc, *iter; struct list_head *descs_list; enum dma_status ret; int residue, retry; @@ -1507,11 +1507,13 @@ at_xdmac_tx_status(struct dma_chan *chan, dma_cookie_t cookie, * microblock. */ descs_list = &desc->descs_list; - list_for_each_entry_safe(desc, _desc, descs_list, desc_node) { - dwidth = at_xdmac_get_dwidth(desc->lld.mbr_cfg); - residue -= (desc->lld.mbr_ubc & 0xffffff) << dwidth; - if ((desc->lld.mbr_nda & 0xfffffffc) == cur_nda) + list_for_each_entry_safe(iter, _desc, descs_list, desc_node) { + dwidth = at_xdmac_get_dwidth(iter->lld.mbr_cfg); + residue -= (iter->lld.mbr_ubc & 0xffffff) << dwidth; + if ((iter->lld.mbr_nda & 0xfffffffc) == cur_nda) { + desc = iter; break; + } } residue += cur_ubc << dwidth;
diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c index 558d509b7d85..4337cf9defc2 100644 --- a/drivers/dma/imx-sdma.c +++ b/drivers/dma/imx-sdma.c @@ -1528,7 +1528,7 @@ static int sdma_event_remap(struct sdma_engine *sdma) u32 reg, val, shift, num_map, i; int ret = 0;
- if (IS_ERR(np) || IS_ERR(gpr_np)) + if (IS_ERR(np) || !gpr_np) goto out;
event_remap = of_find_property(np, propname, NULL); @@ -1576,7 +1576,7 @@ static int sdma_event_remap(struct sdma_engine *sdma) }
out: - if (!IS_ERR(gpr_np)) + if (gpr_np) of_node_put(gpr_np);
return ret; diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c index 83bf997dda03..e14bfbdbaf2b 100644 --- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c +++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c @@ -192,7 +192,10 @@ static void mdp5_plane_reset(struct drm_plane *plane) drm_framebuffer_unreference(plane->state->fb);
kfree(to_mdp5_plane_state(plane->state)); + plane->state = NULL; mdp5_state = kzalloc(sizeof(*mdp5_state), GFP_KERNEL); + if (!mdp5_state) + return;
/* assign default blend parameters */ mdp5_state->alpha = 255; diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c index 500016209ae0..3ed40bde796b 100644 --- a/drivers/net/ethernet/intel/e1000e/ich8lan.c +++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c @@ -1010,8 +1010,8 @@ static s32 e1000_platform_pm_pch_lpt(struct e1000_hw *hw, bool link) { u32 reg = link << (E1000_LTRV_REQ_SHIFT + E1000_LTRV_NOSNOOP_SHIFT) | link << E1000_LTRV_REQ_SHIFT | E1000_LTRV_SEND; - u16 max_ltr_enc_d = 0; /* maximum LTR decoded by platform */ - u16 lat_enc_d = 0; /* latency decoded */ + u32 max_ltr_enc_d = 0; /* maximum LTR decoded by platform */ + u32 lat_enc_d = 0; /* latency decoded */ u16 lat_enc = 0; /* latency encoded */
if (link) { diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index 0bfadec8b79c..d59cb381e80b 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -490,11 +490,11 @@ static int vxlan_fdb_append(struct vxlan_fdb *f,
rd = kmalloc(sizeof(*rd), GFP_ATOMIC); if (rd == NULL) - return -ENOBUFS; + return -ENOMEM;
if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) { kfree(rd); - return -ENOBUFS; + return -ENOMEM; }
rd->remote_ip = *ip; diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c index 998a4bd6db78..d8f34883c096 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c @@ -547,7 +547,7 @@ enum brcmf_sdio_frmtype { BRCMF_SDIO_FT_SUB, };
-#define SDIOD_DRVSTR_KEY(chip, pmu) (((chip) << 16) | (pmu)) +#define SDIOD_DRVSTR_KEY(chip, pmu) (((unsigned int)(chip) << 16) | (pmu))
/* SDIO Pad drive strength to select value mappings */ struct sdiod_drive_str { diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c index 8c146e2b6727..4664d3e191c8 100644 --- a/drivers/platform/x86/samsung-laptop.c +++ b/drivers/platform/x86/samsung-laptop.c @@ -1125,8 +1125,6 @@ static void kbd_led_set(struct led_classdev *led_cdev,
if (value > samsung->kbd_led.max_brightness) value = samsung->kbd_led.max_brightness; - else if (value < 0) - value = 0;
samsung->kbd_led_wk = value; queue_work(samsung->led_workqueue, &samsung->kbd_led_work); diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index 95e4f074b766..b85c283ad08b 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c @@ -766,7 +766,7 @@ cifs_loose_read_iter(struct kiocb *iocb, struct iov_iter *iter) ssize_t rc; struct inode *inode = file_inode(iocb->ki_filp);
- if (iocb->ki_filp->f_flags & O_DIRECT) + if (iocb->ki_flags & IOCB_DIRECT) return cifs_user_readv(iocb, iter);
rc = cifs_revalidate_mapping(inode); diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index e66aa8918dee..754b33828853 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3980,7 +3980,8 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length) struct super_block *sb = inode->i_sb; ext4_lblk_t first_block, stop_block; struct address_space *mapping = inode->i_mapping; - loff_t first_block_offset, last_block_offset; + loff_t first_block_offset, last_block_offset, max_length; + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); handle_t *handle; unsigned int credits; int ret = 0; @@ -4026,6 +4027,14 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length) offset; }
+ /* + * For punch hole the length + offset needs to be within one block + * before last range. Adjust the length if it goes beyond that limit. + */ + max_length = sbi->s_bitmap_maxbytes - inode->i_sb->s_blocksize; + if (offset + length > max_length) + length = max_length - offset; + if (offset & (sb->s_blocksize - 1) || (offset + length) & (sb->s_blocksize - 1)) { /* diff --git a/fs/ext4/super.c b/fs/ext4/super.c index e17a6396bde6..c50ba683a570 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3241,9 +3241,11 @@ static int count_overhead(struct super_block *sb, ext4_group_t grp, ext4_fsblk_t first_block, last_block, b; ext4_group_t i, ngroups = ext4_get_groups_count(sb); int s, j, count = 0; + int has_super = ext4_bg_has_super(sb, grp);
if (!ext4_has_feature_bigalloc(sb)) - return (ext4_bg_has_super(sb, grp) + ext4_bg_num_gdb(sb, grp) + + return (has_super + ext4_bg_num_gdb(sb, grp) + + (has_super ? le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) : 0) + sbi->s_itb_per_group + 2);
first_block = le32_to_cpu(sbi->s_es->s_first_data_block) + @@ -4162,9 +4164,18 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) * Get the # of file system overhead blocks from the * superblock if present. */ - if (es->s_overhead_clusters) - sbi->s_overhead = le32_to_cpu(es->s_overhead_clusters); - else { + sbi->s_overhead = le32_to_cpu(es->s_overhead_clusters); + /* ignore the precalculated value if it is ridiculous */ + if (sbi->s_overhead > ext4_blocks_count(es)) + sbi->s_overhead = 0; + /* + * If the bigalloc feature is not enabled recalculating the + * overhead doesn't take long, so we might as well just redo + * it to make sure we are using the correct value. + */ + if (!ext4_has_feature_bigalloc(sb)) + sbi->s_overhead = 0; + if (sbi->s_overhead == 0) { err = ext4_calculate_overhead(sb); if (err) goto failed_mount_wq; diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c index a4182b150bb0..9f83a4c602f9 100644 --- a/fs/gfs2/rgrp.c +++ b/fs/gfs2/rgrp.c @@ -917,15 +917,15 @@ static int read_rindex_entry(struct gfs2_inode *ip) rgd->rd_bitbytes = be32_to_cpu(buf.ri_bitbytes); spin_lock_init(&rgd->rd_rsspin);
- error = compute_bitstructs(rgd); - if (error) - goto fail; - error = gfs2_glock_get(sdp, rgd->rd_addr, &gfs2_rgrp_glops, CREATE, &rgd->rd_gl); if (error) goto fail;
+ error = compute_bitstructs(rgd); + if (error) + goto fail_glock; + rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr; rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED); if (rgd->rd_data > sdp->sd_max_rg_data) @@ -942,6 +942,7 @@ static int read_rindex_entry(struct gfs2_inode *ip) }
error = 0; /* someone else read in the rgrp; free it and ignore it */ +fail_glock: gfs2_glock_put(rgd->rd_gl);
fail: diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h index 6fec9e81bd70..1979298fdca9 100644 --- a/include/linux/etherdevice.h +++ b/include/linux/etherdevice.h @@ -125,7 +125,7 @@ static inline bool is_multicast_ether_addr(const u8 *addr) #endif }
-static inline bool is_multicast_ether_addr_64bits(const u8 addr[6+2]) +static inline bool is_multicast_ether_addr_64bits(const u8 *addr) { #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 #ifdef __BIG_ENDIAN @@ -339,8 +339,7 @@ static inline bool ether_addr_equal(const u8 *addr1, const u8 *addr2) * Please note that alignment of addr1 & addr2 are only guaranteed to be 16 bits. */
-static inline bool ether_addr_equal_64bits(const u8 addr1[6+2], - const u8 addr2[6+2]) +static inline bool ether_addr_equal_64bits(const u8 *addr1, const u8 *addr2) { #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 u64 fold = (*(const u64 *)addr1) ^ (*(const u64 *)addr2); diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 25c21aa398f8..a6e682569e5b 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -6504,7 +6504,7 @@ void __init mem_init_print_info(const char *str) */ #define adj_init_size(start, end, size, pos, adj) \ do { \ - if (start <= pos && pos < end && size > adj) \ + if (&start[0] <= &pos[0] && &pos[0] < &end[0] && size > adj) \ size -= adj; \ } while (0)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 8aef475fef31..a8674e9ff37b 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -2194,6 +2194,13 @@ static int netlink_dump(struct sock *sk) * single netdev. The outcome is MSG_TRUNC error. */ skb_reserve(skb, skb_tailroom(skb) - alloc_size); + + /* Make sure malicious BPF programs can not read unitialized memory + * from skb->head -> skb->data + */ + skb_reset_network_header(skb); + skb_reset_mac_header(skb); + netlink_skb_set_owner_r(skb, sk);
if (nlk->dump_done_errno > 0) diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index 28471cfad922..26921f755f3a 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -1863,7 +1863,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
if (new_acts_size > MAX_ACTIONS_BUFSIZE) { - if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { + if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) { OVS_NLERR(log, "Flow action size exceeds max %u", MAX_ACTIONS_BUFSIZE); return ERR_PTR(-EMSGSIZE); diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index e79d6881a97e..2ae2801dd7be 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2808,8 +2808,9 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
status = TP_STATUS_SEND_REQUEST; err = po->xmit(skb); - if (unlikely(err > 0)) { - err = net_xmit_errno(err); + if (unlikely(err != 0)) { + if (err > 0) + err = net_xmit_errno(err); if (err && __packet_get_status(po, ph) == TP_STATUS_AVAILABLE) { /* skb was destructed already */ @@ -3009,8 +3010,12 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) skb->no_fcs = 1;
err = po->xmit(skb); - if (err > 0 && (err = net_xmit_errno(err)) != 0) - goto out_unlock; + if (unlikely(err != 0)) { + if (err > 0) + err = net_xmit_errno(err); + if (err) + goto out_unlock; + }
dev_put(dev);
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 21b0368c2a3b..878a4fc97f04 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -1569,8 +1569,7 @@ static void dapm_seq_run(struct snd_soc_card *card, switch (w->id) { case snd_soc_dapm_pre: if (!w->event) - list_for_each_entry_safe_continue(w, n, list, - power_list); + continue;
if (event == SND_SOC_DAPM_STREAM_START) ret = w->event(w, @@ -1582,8 +1581,7 @@ static void dapm_seq_run(struct snd_soc_card *card,
case snd_soc_dapm_post: if (!w->event) - list_for_each_entry_safe_continue(w, n, list, - power_list); + continue;
if (event == SND_SOC_DAPM_STREAM_START) ret = w->event(w, diff --git a/sound/usb/midi.c b/sound/usb/midi.c index f0b41fee7130..83da676519a8 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1210,6 +1210,7 @@ static void snd_usbmidi_output_drain(struct snd_rawmidi_substream *substream) } while (drain_urbs && timeout); finish_wait(&ep->drain_wait, &wait); } + port->active = 0; spin_unlock_irq(&ep->buffer_lock); }
diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h index 62456a806bb4..4b8f1c46420d 100644 --- a/sound/usb/usbaudio.h +++ b/sound/usb/usbaudio.h @@ -22,7 +22,7 @@ */
/* handling of USB vendor/product ID pairs as 32-bit numbers */ -#define USB_ID(vendor, product) (((vendor) << 16) | (product)) +#define USB_ID(vendor, product) (((unsigned int)(vendor) << 16) | (product)) #define USB_ID_VENDOR(id) ((id) >> 16) #define USB_ID_PRODUCT(id) ((u16)(id))
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman