2020-08-20 12:14:49

by Greg Kroah-Hartman

Subject: [PATCH 4.9 000/212] 4.9.233-rc1 review

This is the start of the stable review cycle for the 4.9.233 release.
There are 212 patches in this series; all will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat, 22 Aug 2020 09:15:09 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.233-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 4.9.233-rc1

Denis Efremov <[email protected]>
drm/radeon: fix fb_div check in ni_init_smc_spll_table()

Oscar Salvador <[email protected]>
mm: Avoid calling build_all_zonelists_init under hotplug context

Hugh Dickins <[email protected]>
khugepaged: retract_page_tables() remember to test exit

Geert Uytterhoeven <[email protected]>
sh: landisk: Add missing initialization of sh_io_port_base

Dinghao Liu <[email protected]>
ALSA: echoaudio: Fix potential Oops in snd_echo_resume()

Andy Shevchenko <[email protected]>
mfd: dln2: Run event handler loop under spinlock

Colin Ian King <[email protected]>
fs/ufs: avoid potential u32 multiplication overflow

Jeffrey Mitchell <[email protected]>
nfs: Fix getxattr kernel panic and memory overflow

Wang Hai <[email protected]>
net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init

Dan Carpenter <[email protected]>
drm/vmwgfx: Fix two list_for_each loop exit tests

Colin Ian King <[email protected]>
Input: sentelic - fix error return when fsp_reg_write fails

Rayagonda Kokatanur <[email protected]>
pwm: bcm-iproc: handle clk_get_rate() return

Xu Wang <[email protected]>
clk: clk-atlas6: fix return value check in atlas6_clk_init()

Wolfram Sang <[email protected]>
i2c: rcar: slave: only send STOP event when we have been addressed

Liu Yi L <[email protected]>
iommu/vt-d: Enforce PASID devTLB field mask

Colin Ian King <[email protected]>
iommu/omap: Check for failure of a call to omap_iommu_dump_ctx

Steve Longerbeam <[email protected]>
gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers

Johan Hovold <[email protected]>
USB: serial: ftdi_sio: fix break and sysrq handling

Johan Hovold <[email protected]>
USB: serial: ftdi_sio: clean up receive processing

Johan Hovold <[email protected]>
USB: serial: ftdi_sio: make process-packet buffer unsigned

Charles Keepax <[email protected]>
mfd: arizona: Ensure 32k clock is put on driver unbind and error

Anton Blanchard <[email protected]>
pseries: Fix 64 bit logical memory block panic

Ahmad Fatoum <[email protected]>
watchdog: f71808e_wdt: clear watchdog timeout occurred flag

Ahmad Fatoum <[email protected]>
watchdog: f71808e_wdt: remove use of wrong watchdog_info option

Ahmad Fatoum <[email protected]>
watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in watchdog_info.options

Muchun Song <[email protected]>
kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler

Chengming Zhou <[email protected]>
ftrace: Setup correct FTRACE_FL_REGS flags for module

Junxiao Bi <[email protected]>
ocfs2: change slot number type s16 to u16

Mikulas Patocka <[email protected]>
ext2: fix missing percpu_counter_inc

Huacai Chen <[email protected]>
MIPS: CPU#0 is not hotpluggable

Johannes Berg <[email protected]>
mac80211: fix misplaced while instead of if

Coly Li <[email protected]>
bcache: allocate meta data pages as compound pages

ChangSyun Peng <[email protected]>
md/raid5: Fix Force reconstruct-write io stuck in degraded raid5

Kees Cook <[email protected]>
net/compat: Add missing sock updates for SCM_RIGHTS

Jonathan McDowell <[email protected]>
net: stmmac: dwmac1000: provide multicast filter fallback

Jonathan McDowell <[email protected]>
net: ethernet: stmmac: Disable hardware multicast filter

Michael Ellerman <[email protected]>
powerpc: Fix circular dependency between percpu.h and mmu.h

Max Filippov <[email protected]>
xtensa: fix xtensa_pmu_setup prototype

Alexandru Ardelean <[email protected]>
iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw()

Filipe Manana <[email protected]>
btrfs: fix memory leaks after failure to lookup checksums during inode logging

Josef Bacik <[email protected]>
btrfs: only search for left_info if there is no right_info in try_merge_free_space

Qu Wenruo <[email protected]>
btrfs: don't allocate anonymous block device for user invisible roots

Rafael J. Wysocki <[email protected]>
PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context()

Steve French <[email protected]>
smb3: warn on confusing error scenario with sec=krb5

Roger Pau Monne <[email protected]>
xen/balloon: make the balloon wait interruptible

Roger Pau Monne <[email protected]>
xen/balloon: fix accounting in alloc_xenballooned_pages error path

Nathan Huckleberry <[email protected]>
ARM: 8992/1: Fix unwind_frame for clang-built kernels

Sven Schnelle <[email protected]>
parisc: mask out enable and reserved bits from sba imask

Zheng Bin <[email protected]>
9p: Fix memory leak in v9fs_mount

Hector Martin <[email protected]>
ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109

Eric Biggers <[email protected]>
fs/minix: reject too-large maximum file size

Eric Biggers <[email protected]>
fs/minix: don't allow getting deleted inodes

Eric Biggers <[email protected]>
fs/minix: check return value of sb_getblk()

John Allen <[email protected]>
crypto: ccp - Fix use of merged scatterlists

Tom Rix <[email protected]>
crypto: qat - fix double free in qat_uclo_create_batch_init_list

Hector Martin <[email protected]>
ALSA: usb-audio: add quirk for Pioneer DDJ-RB

Hector Martin <[email protected]>
ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109

Mirko Dietrich <[email protected]>
ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support

Brant Merryman <[email protected]>
USB: serial: cp210x: enable usb generic throttle/unthrottle

Brant Merryman <[email protected]>
USB: serial: cp210x: re-enable auto-RTS on open

Miaohe Lin <[email protected]>
net: Set fput_needed iff FDPUT_FPUT is set

Qingyu Li <[email protected]>
net/nfc/rawsock.c: add CAP_NET_RAW check.

Xie He <[email protected]>
drivers/net/wan/lapbether: Added needed_headroom and a skb->len check

Drew Fustini <[email protected]>
pinctrl-single: fix pcs_parse_pinconf() return value

Wang Hai <[email protected]>
dlm: Fix kobject memleak

Florinel Iordache <[email protected]>
fsl/fman: fix eth hash table allocation

Florinel Iordache <[email protected]>
fsl/fman: check dereferencing null pointer

Florinel Iordache <[email protected]>
fsl/fman: fix unreachable code

Florinel Iordache <[email protected]>
fsl/fman: fix dereference null return value

Florinel Iordache <[email protected]>
fsl/fman: use 32-bit unsigned integer

Christophe JAILLET <[email protected]>
net: spider_net: Fix the size used in a 'dma_free_coherent()' call

Wang Hai <[email protected]>
wl1251: fix always return 0 error

Julian Wiedmann <[email protected]>
s390/qeth: don't process empty bridge port events

Sandipan Das <[email protected]>
selftests/powerpc: Fix online CPU selection

Harish <[email protected]>
selftests/powerpc: Fix CPU affinity for child process

Tom Rix <[email protected]>
power: supply: check if calc_soc succeeded in pm860x_init_battery

Dan Carpenter <[email protected]>
Smack: prevent underflow in smk_set_cipso()

Dan Carpenter <[email protected]>
Smack: fix another vsscanf out of bounds

Finn Thain <[email protected]>
scsi: mesh: Fix panic after host or bus reset

Marek Szyprowski <[email protected]>
usb: dwc2: Fix error path in gadget registration

Johan Hovold <[email protected]>
USB: serial: iuu_phoenix: fix led-activity helpers

Marco Felsch <[email protected]>
drm/imx: tve: fix regulator_disable error path

Xiongfeng Wang <[email protected]>
PCI/ASPM: Add missing newline in sysfs 'policy'

Colin Ian King <[email protected]>
staging: rtl8192u: fix a dubious looking mask before a shift

Milton Miller <[email protected]>
powerpc/vdso: Fix vdso cpu truncation

Dan Carpenter <[email protected]>
mwifiex: Prevent memory corruption handling keys

John Garry <[email protected]>
scsi: scsi_debug: Add check for sdebug_max_queue during module init

Laurent Pinchart <[email protected]>
drm: panel: simple: Fix bpc for LG LB070WV8 panel

Kai-Heng Feng <[email protected]>
leds: core: Flush scheduled work for system suspend

Bjorn Helgaas <[email protected]>
PCI: Fix pci_cfg_wait queue locking problem

Darrick J. Wong <[email protected]>
xfs: fix reflink quota reservation accounting error

Chuhong Yuan <[email protected]>
media: exynos4-is: Add missed check for pinctrl_lookup_state()

Dan Carpenter <[email protected]>
media: firewire: Using uninitialized values in node_probe()

Christophe JAILLET <[email protected]>
scsi: eesox: Fix different dev_id between request_irq() and free_irq()

Christophe JAILLET <[email protected]>
scsi: powertec: Fix different dev_id between request_irq() and free_irq()

Colin Ian King <[email protected]>
drm/radeon: fix array out-of-bounds read and write issues

Wang Hai <[email protected]>
cxl: Fix kobject memleak

Emil Velikov <[email protected]>
drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline

Christophe JAILLET <[email protected]>
scsi: cumana_2: Fix different dev_id between request_irq() and free_irq()

Chuhong Yuan <[email protected]>
media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()

Arnd Bergmann <[email protected]>
leds: lm355x: avoid enum conversion warning

Tomasz Duszynski <[email protected]>
iio: improve IIO_CONCENTRATION channel type description

Christophe JAILLET <[email protected]>
video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call

Dejin Zheng <[email protected]>
console: newport_con: fix an issue about leak related system resources

Dejin Zheng <[email protected]>
video: fbdev: sm712fb: fix an issue about iounmap for a wrong address

Qiushi Wu <[email protected]>
agp/intel: Fix a memory leak on module initialisation failure

Erik Kaneda <[email protected]>
ACPICA: Do not increment operation_region reference counts for field units

Coly Li <[email protected]>
bcache: fix super block seq numbers comparision in register_cache_set()

Jim Cromie <[email protected]>
dyndbg: fix a BUG_ON in ddebug_describe_flags

Sasi Kumar <[email protected]>
bdc: Fix bug causing crash after multiple disconnects

Evgeny Novikov <[email protected]>
usb: gadget: net2280: fix memory leak on probe error handling paths

Bolarinwa Olayemi Saheed <[email protected]>
iwlegacy: Check the return value of pcie_capability_read_*()

Prasanna Kerekoppa <[email protected]>
brcmfmac: To fix Bss Info flag definition Bug

Paul E. McKenney <[email protected]>
mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls

Michael Tretter <[email protected]>
drm/debugfs: fix plain echo to connector "force" attribute

Aditya Pakki <[email protected]>
drm/nouveau: fix multiple instances of reference count leaks

Zhao Heming <[email protected]>
md-cluster: fix wild pointer of unlock_all_bitmaps()

Evgeny Novikov <[email protected]>
video: fbdev: neofb: fix memory leak in neo_scan_monitor()

Aditya Pakki <[email protected]>
drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync

Paul E. McKenney <[email protected]>
fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls

Lihong Kou <[email protected]>
Bluetooth: add a mutex lock to avoid UAF in do_enale_set

Tomi Valkeinen <[email protected]>
drm/tilcdc: fix leak & null ref in panel_connector_get_modes

Yu Kuai <[email protected]>
ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()

yu kuai <[email protected]>
ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()

Lu Wei <[email protected]>
platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()

Lu Wei <[email protected]>
platform/x86: intel-hid: Fix return value check in check_acpi_dev()

Finn Thain <[email protected]>
m68k: mac: Fix IOP status/control register writes

Finn Thain <[email protected]>
m68k: mac: Don't send IOP message until channel is idle

Alim Akhtar <[email protected]>
arm64: dts: exynos: Fix silent hang after boot on Espresso

Stephan Gerhold <[email protected]>
arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property

Qiushi Wu <[email protected]>
EDAC: Fix reference count leaks

Yang Yingliang <[email protected]>
cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()

Uwe Kleine-König <[email protected]>
gpio: fix oops resulting from calling of_get_named_gpio(NULL, ...)

Nick Desaulniers <[email protected]>
tracepoint: Mark __tracepoint_string's __used

Eric Biggers <[email protected]>
Smack: fix use-after-free in smk_write_relabel_self()

Rustam Kovhaev <[email protected]>
usb: hso: check for return value in hso_serial_common_create()

Hangbin Liu <[email protected]>
Revert "vxlan: fix tos value before xmit"

Johan Hovold <[email protected]>
net: lan78xx: replace bogus endpoint lookup

Ido Schimmel <[email protected]>
vxlan: Ensure FDB dump is performed under RCU

Cong Wang <[email protected]>
ipv6: fix memory leaks on IPV6_ADDRFORM path

Ido Schimmel <[email protected]>
ipv4: Silence suspicious RCU usage warning

Jann Horn <[email protected]>
binder: Prevent context manager from incrementing ref 0

Frank van der Linden <[email protected]>
xattr: break delegations in {set,remove}xattr

Philippe Duplessis-Guindon <[email protected]>
tools lib traceevent: Fix memory leak in process_dynamic_array_len

Xin Xiong <[email protected]>
atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

Francesco Ruggeri <[email protected]>
igb: reinit_locked() should be called with rtnl_lock

Julian Squires <[email protected]>
cfg80211: check vendor command doit pointer before use

Ben Skeggs <[email protected]>
drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason

Christoph Hellwig <[email protected]>
net/9p: validate fds in p9_fd_open

Johan Hovold <[email protected]>
leds: 88pm860x: fix use-after-free on unbind

Johan Hovold <[email protected]>
leds: lm3533: fix use-after-free on unbind

Johan Hovold <[email protected]>
leds: da903x: fix use-after-free on unbind

Johan Hovold <[email protected]>
leds: wm831x-status: fix use-after-free on unbind

Greg Kroah-Hartman <[email protected]>
mtd: properly check all write ioctls for permissions

Yunhai Zhang <[email protected]>
vgacon: Fix for missing check in scrollback handling

Adam Ford <[email protected]>
omapfb: dss: Fix max fclk divider for omap36xx

Peilin Ye <[email protected]>
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()

Peilin Ye <[email protected]>
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()

Peilin Ye <[email protected]>
Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

Takashi Iwai <[email protected]>
ALSA: seq: oss: Serialize ioctls

Roi Dayan <[email protected]>
net/mlx5e: Don't support phys switch id if not in switchdev mode

Erik Ekman <[email protected]>
USB: serial: qcserial: add EM7305 QDL product ID

Jiang Ying <[email protected]>
ext4: fix direct I/O read error

Linus Torvalds <[email protected]>
random32: move the pseudo-random 32-bit definitions to prandom.h

Linus Torvalds <[email protected]>
random32: remove net_rand_state from the latent entropy gcc plugin

Willy Tarreau <[email protected]>
random: fix circular include dependency on arm64 after addition of percpu.h

Grygorii Strashko <[email protected]>
ARM: percpu.h: fix build error

Willy Tarreau <[email protected]>
random32: update the net random state on interrupt and activity

Thomas Gleixner <[email protected]>
x86/i8259: Use printk_deferred() to prevent deadlock

Wanpeng Li <[email protected]>
KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled

Andrea Righi <[email protected]>
xen-netfront: fix potential deadlock in xennet_remove()

Raviteja Narayanam <[email protected]>
Revert "i2c: cadence: Fix the hold bit setting"

Yoshihiro Shimoda <[email protected]>
net: ethernet: ravb: exit if re-initialization fails in tx timeout

Liam Beguin <[email protected]>
parisc: add support for cmpxchg on u8 pointers

Navid Emamdoost <[email protected]>
nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame

Laurence Oberman <[email protected]>
qed: Disable "MFW indication via attention" SPAM every 5 minutes

Geert Uytterhoeven <[email protected]>
usb: hso: Fix debug compile warning on sparc32

Robin Murphy <[email protected]>
arm64: csum: Fix handling of bad packets

Remi Pommarel <[email protected]>
mac80211: mesh: Free pending skb when destroying a mpath

Remi Pommarel <[email protected]>
mac80211: mesh: Free ie data when leaving mesh

Thomas Falcon <[email protected]>
ibmvnic: Fix IRQ mapping disposal in error path

Ido Schimmel <[email protected]>
mlxsw: core: Free EMAD transactions using kfree_rcu()

Ido Schimmel <[email protected]>
mlxsw: core: Increase scope of RCU read-side critical section

Jakub Kicinski <[email protected]>
mlx4: disable device on shutdown

Johan Hovold <[email protected]>
net: lan78xx: fix transfer-buffer memory leak

Johan Hovold <[email protected]>
net: lan78xx: add missing endpoint sanity check

Michael Karcher <[email protected]>
sh: Fix validation of system call number

YueHaibing <[email protected]>
net/x25: Fix null-ptr-deref in x25_disconnect

Xiyu Yang <[email protected]>
net/x25: Fix x25_neigh refcnt leak when x25 disconnect

Rolf Eike Beer <[email protected]>
install several missing uapi headers

Nicolas Dichtel <[email protected]>
uapi: includes linux/types.h before exporting files

Rik van Riel <[email protected]>
xfs: fix missed wakeup on l_flush_wait

Peilin Ye <[email protected]>
rds: Prevent kernel-infoleak in rds_notify_queue_get()

Tetsuo Handa <[email protected]>
fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

Joerg Roedel <[email protected]>
x86, vmlinux.lds: Page-align end of ..page_aligned sections

Sami Tolvanen <[email protected]>
x86/build/lto: Fix truncated .bss with -fdata-sections

Wang Hai <[email protected]>
9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work

Dominique Martinet <[email protected]>
9p/trans_fd: abort p9_read_work if req status changed

Sheng Yong <[email protected]>
f2fs: check if file namelen exceeds max value

Jaegeuk Kim <[email protected]>
f2fs: check memory boundary by insane namelen

Steve Cohen <[email protected]>
drm: hold gem reference until object is no longer accessed

Peilin Ye <[email protected]>
drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()

Will Deacon <[email protected]>
ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints

Robert Hancock <[email protected]>
PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge

Navid Emamdoost <[email protected]>
ath9k: release allocated buffer if timed out

Navid Emamdoost <[email protected]>
ath9k_htc: release allocated buffer if timed out

Navid Emamdoost <[email protected]>
media: rc: prevent memory leak in cx23888_ir_probe

Navid Emamdoost <[email protected]>
crypto: ccp - Release all allocated memory if sha type is invalid

Wei Yongjun <[email protected]>
net: phy: mdio-bcm-unimac: fix potential NULL dereference in unimac_mdio_probe()

Eric Sandeen <[email protected]>
xfs: don't call xfs_da_shrink_inode with NULL bp

Dave Chinner <[email protected]>
xfs: validate cached inodes are free when allocated

Dave Chinner <[email protected]>
xfs: catch inode allocation state mismatch corruption


-------------

Diffstat:

Documentation/ABI/testing/sysfs-bus-iio | 3 +-
Makefile | 4 +-
arch/arm/include/asm/percpu.h | 2 +
arch/arm/kernel/hw_breakpoint.c | 27 ++++-
arch/arm/kernel/stacktrace.c | 24 +++++
arch/arm/mach-at91/pm.c | 11 +-
arch/arm/mach-socfpga/pm.c | 8 +-
arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 1 +
arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 10 +-
arch/arm64/include/asm/checksum.h | 5 +-
arch/m68k/mac/iop.c | 21 ++--
arch/mips/include/uapi/asm/Kbuild | 3 +
arch/mips/kernel/topology.c | 2 +-
arch/parisc/include/asm/cmpxchg.h | 2 +
arch/parisc/lib/bitops.c | 12 +++
arch/powerpc/include/asm/percpu.h | 4 +-
arch/powerpc/include/uapi/asm/Kbuild | 1 +
arch/powerpc/kernel/vdso.c | 2 +-
arch/powerpc/platforms/pseries/hotplug-memory.c | 2 +-
arch/sh/boards/mach-landisk/setup.c | 3 +
arch/sh/kernel/entry-common.S | 6 +-
arch/x86/kernel/i8259.c | 2 +-
arch/x86/kernel/vmlinux.lds.S | 3 +-
arch/x86/kvm/lapic.c | 2 +-
arch/xtensa/kernel/perf_event.c | 2 +-
drivers/acpi/acpica/exprep.c | 4 -
drivers/acpi/acpica/utdelete.c | 6 +-
drivers/android/binder.c | 9 ++
drivers/atm/atmtcp.c | 10 +-
drivers/char/agp/intel-gtt.c | 4 +-
drivers/char/random.c | 1 +
drivers/clk/sirf/clk-atlas6.c | 2 +-
drivers/crypto/ccp/ccp-dev.h | 1 +
drivers/crypto/ccp/ccp-ops.c | 40 +++++---
drivers/crypto/qat/qat_common/qat_uclo.c | 9 +-
drivers/edac/edac_device_sysfs.c | 1 +
drivers/edac/edac_pci_sysfs.c | 2 +-
drivers/gpio/gpiolib-of.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 +-
drivers/gpu/drm/drm_debugfs.c | 8 +-
drivers/gpu/drm/drm_gem.c | 10 +-
drivers/gpu/drm/drm_mipi_dsi.c | 6 +-
drivers/gpu/drm/imx/imx-tve.c | 20 ++--
drivers/gpu/drm/nouveau/nouveau_drm.c | 8 +-
drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 +
drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
drivers/gpu/drm/panel/panel-simple.c | 2 +-
drivers/gpu/drm/radeon/ci_dpm.c | 2 +-
drivers/gpu/drm/radeon/ni_dpm.c | 2 +-
drivers/gpu/drm/radeon/radeon_display.c | 4 +-
drivers/gpu/drm/radeon/radeon_drv.c | 4 +-
drivers/gpu/drm/radeon/radeon_kms.c | 4 +-
drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +-
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 8 +-
drivers/gpu/ipu-v3/ipu-image-convert.c | 58 ++++-------
drivers/i2c/busses/i2c-cadence.c | 9 +-
drivers/i2c/busses/i2c-rcar.c | 7 +-
drivers/iio/dac/ad5592r-base.c | 4 +-
drivers/input/mouse/sentelic.c | 2 +-
drivers/iommu/omap-iommu-debug.c | 3 +
drivers/leds/led-class.c | 1 +
drivers/leds/leds-88pm860x.c | 14 ++-
drivers/leds/leds-da903x.c | 14 ++-
drivers/leds/leds-lm3533.c | 12 ++-
drivers/leds/leds-lm355x.c | 7 +-
drivers/leds/leds-wm831x-status.c | 14 ++-
drivers/md/bcache/bset.c | 2 +-
drivers/md/bcache/btree.c | 2 +-
drivers/md/bcache/journal.c | 4 +-
drivers/md/bcache/super.c | 11 +-
drivers/md/md-cluster.c | 1 +
drivers/md/raid5.c | 3 +-
drivers/media/firewire/firedtv-fw.c | 2 +
drivers/media/pci/cx23885/cx23888-ir.c | 5 +-
drivers/media/platform/exynos4-is/media-dev.c | 3 +
drivers/media/platform/omap3isp/isppreview.c | 4 +-
drivers/mfd/arizona-core.c | 18 ++++
drivers/mfd/dln2.c | 4 +
drivers/misc/cxl/sysfs.c | 2 +-
drivers/mtd/mtdchar.c | 56 ++++++++--
drivers/net/ethernet/freescale/fman/fman.c | 3 +-
drivers/net/ethernet/freescale/fman/fman_dtsec.c | 4 +-
drivers/net/ethernet/freescale/fman/fman_mac.h | 2 +-
drivers/net/ethernet/freescale/fman/fman_memac.c | 3 +-
drivers/net/ethernet/freescale/fman/fman_port.c | 9 +-
drivers/net/ethernet/freescale/fman/fman_tgec.c | 2 +-
drivers/net/ethernet/ibm/ibmvnic.c | 2 +-
drivers/net/ethernet/intel/igb/igb_main.c | 9 ++
drivers/net/ethernet/mellanox/mlx4/main.c | 2 +
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +-
drivers/net/ethernet/mellanox/mlxsw/core.c | 8 +-
drivers/net/ethernet/qlogic/qed/qed_int.c | 3 +-
drivers/net/ethernet/qualcomm/emac/emac.c | 17 +++-
drivers/net/ethernet/renesas/ravb_main.c | 26 ++++-
.../net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 1 +
.../net/ethernet/stmicro/stmmac/dwmac1000_core.c | 3 +
drivers/net/ethernet/toshiba/spider_net.c | 4 +-
drivers/net/phy/mdio-bcm-unimac.c | 2 +
drivers/net/usb/hso.c | 10 +-
drivers/net/usb/lan78xx.c | 113 ++++++---------------
drivers/net/vxlan.c | 10 +-
drivers/net/wan/lapbether.c | 10 +-
drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +
drivers/net/wireless/ath/ath9k/wmi.c | 1 +
.../broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +-
drivers/net/wireless/intel/iwlegacy/common.c | 4 +-
drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 22 ++--
drivers/net/wireless/ti/wl1251/event.c | 2 +-
drivers/net/xen-netfront.c | 64 ++++++++----
drivers/nfc/s3fwrn5/core.c | 1 +
drivers/parisc/sba_iommu.c | 2 +-
drivers/pci/access.c | 8 +-
drivers/pci/hotplug/acpiphp_glue.c | 14 ++-
drivers/pci/pcie/aspm.c | 1 +
drivers/pci/quirks.c | 13 +++
drivers/pinctrl/pinctrl-single.c | 11 +-
drivers/platform/x86/intel-hid.c | 2 +-
drivers/platform/x86/intel-vbtn.c | 2 +-
drivers/power/supply/88pm860x_battery.c | 6 +-
drivers/pwm/pwm-bcm-iproc.c | 9 +-
drivers/s390/net/qeth_l2_main.c | 4 +
drivers/scsi/arm/cumana_2.c | 2 +-
drivers/scsi/arm/eesox.c | 2 +-
drivers/scsi/arm/powertec.c | 2 +-
drivers/scsi/mesh.c | 8 +-
drivers/scsi/scsi_debug.c | 6 ++
drivers/staging/rtl8192u/r8192U_core.c | 2 +-
drivers/usb/dwc2/platform.c | 4 +-
drivers/usb/gadget/udc/bdc/bdc_core.c | 4 +
drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 +--
drivers/usb/gadget/udc/net2280.c | 4 +-
drivers/usb/serial/cp210x.c | 19 ++++
drivers/usb/serial/ftdi_sio.c | 57 ++++++-----
drivers/usb/serial/iuu_phoenix.c | 14 +--
drivers/usb/serial/qcserial.c | 1 +
drivers/video/console/bitblit.c | 4 +-
drivers/video/console/fbcon_ccw.c | 4 +-
drivers/video/console/fbcon_cw.c | 4 +-
drivers/video/console/fbcon_ud.c | 4 +-
drivers/video/console/newport_con.c | 12 ++-
drivers/video/console/vgacon.c | 4 +
drivers/video/fbdev/neofb.c | 1 +
drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +-
drivers/video/fbdev/pxafb.c | 4 +-
drivers/video/fbdev/sm712fb.c | 2 +
drivers/watchdog/f71808e_wdt.c | 13 ++-
drivers/xen/balloon.c | 12 ++-
fs/9p/v9fs.c | 5 +-
fs/btrfs/disk-io.c | 13 ++-
fs/btrfs/extent_io.c | 2 +
fs/btrfs/free-space-cache.c | 4 +-
fs/btrfs/tree-log.c | 8 +-
fs/cifs/smb2pdu.c | 2 +
fs/dlm/lockspace.c | 6 +-
fs/ext2/ialloc.c | 3 +-
fs/ext4/inode.c | 5 +
fs/f2fs/dir.c | 12 ++-
fs/minix/inode.c | 36 ++++++-
fs/minix/itree_common.c | 8 +-
fs/nfs/nfs4proc.c | 2 -
fs/nfs/nfs4xdr.c | 6 +-
fs/ocfs2/ocfs2.h | 4 +-
fs/ocfs2/suballoc.c | 4 +-
fs/ocfs2/super.c | 4 +-
fs/ufs/super.c | 2 +-
fs/xattr.c | 84 +++++++++++++--
fs/xfs/libxfs/xfs_attr_leaf.c | 5 +-
fs/xfs/xfs_icache.c | 58 +++++++++--
fs/xfs/xfs_log.c | 9 +-
fs/xfs/xfs_reflink.c | 21 ++--
include/asm-generic/vmlinux.lds.h | 5 +-
include/linux/intel-iommu.h | 4 +-
include/linux/mmzone.h | 3 +-
include/linux/prandom.h | 78 ++++++++++++++
include/linux/random.h | 63 +-----------
include/linux/tracepoint.h | 2 +-
include/linux/xattr.h | 2 +
include/net/addrconf.h | 1 +
include/net/sock.h | 4 +
include/uapi/drm/Kbuild | 3 +
include/uapi/linux/Kbuild | 20 ++++
include/uapi/linux/bcache.h | 2 +-
include/uapi/linux/btrfs_tree.h | 2 +
include/uapi/linux/cifs/Kbuild | 1 +
include/uapi/linux/cryptouser.h | 2 +
include/uapi/linux/genwqe/Kbuild | 1 +
include/uapi/linux/pr.h | 2 +
include/uapi/linux/qrtr.h | 1 +
init/main.c | 2 +-
kernel/cgroup.c | 2 +
kernel/kprobes.c | 7 ++
kernel/time/timer.c | 8 ++
kernel/trace/ftrace.c | 11 +-
lib/dynamic_debug.c | 23 ++---
lib/random32.c | 2 +-
mm/khugepaged.c | 22 ++--
mm/memory_hotplug.c | 10 +-
mm/mmap.c | 1 +
mm/page_alloc.c | 7 +-
net/9p/trans_fd.c | 56 +++++++---
net/bluetooth/6lowpan.c | 5 +
net/bluetooth/hci_event.c | 11 +-
net/compat.c | 1 +
net/core/sock.c | 21 ++++
net/ipv4/fib_trie.c | 2 +-
net/ipv6/anycast.c | 17 +++-
net/ipv6/ipv6_sockglue.c | 1 +
net/mac80211/cfg.c | 1 +
net/mac80211/mesh_pathtbl.c | 1 +
net/mac80211/sta_info.c | 2 +-
net/nfc/rawsock.c | 7 +-
net/rds/recv.c | 3 +-
net/socket.c | 2 +-
net/wireless/nl80211.c | 6 +-
net/x25/x25_subr.c | 6 ++
security/smack/smackfs.c | 19 +++-
sound/core/seq/oss/seq_oss.c | 8 +-
sound/pci/echoaudio/echoaudio.c | 2 -
sound/usb/card.h | 1 +
sound/usb/mixer_quirks.c | 1 +
sound/usb/pcm.c | 6 ++
sound/usb/quirks-table.h | 64 +++++++++++-
sound/usb/quirks.c | 3 +
sound/usb/stream.c | 1 +
tools/lib/traceevent/event-parse.c | 1 +
.../selftests/powerpc/benchmarks/context_switch.c | 21 +++-
tools/testing/selftests/powerpc/utils.c | 37 ++++---
227 files changed, 1495 insertions(+), 635 deletions(-)



2020-08-20 12:14:51

by Greg Kroah-Hartman

Subject: [PATCH 4.9 033/212] mac80211: mesh: Free ie data when leaving mesh

From: Remi Pommarel <[email protected]>

[ Upstream commit 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 ]

At ieee80211_join_mesh() some ie data could have been allocated (see
copy_mesh_setup()) and need to be cleaned up when leaving the mesh.

This fixes the following kmemleak report:

unreferenced object 0xffff0000116bc600 (size 128):
comm "wpa_supplicant", pid 608, jiffies 4294898983 (age 293.484s)
hex dump (first 32 bytes):
30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 0...............
00 0f ac 08 00 00 00 00 c4 65 40 00 00 00 00 00 .........e@.....
backtrace:
[<00000000bebe439d>] __kmalloc_track_caller+0x1c0/0x330
[<00000000a349dbe1>] kmemdup+0x28/0x50
[<0000000075d69baa>] ieee80211_join_mesh+0x6c/0x3b8 [mac80211]
[<00000000683bb98b>] __cfg80211_join_mesh+0x1e8/0x4f0 [cfg80211]
[<0000000072cb507f>] nl80211_join_mesh+0x520/0x6b8 [cfg80211]
[<0000000077e9bcf9>] genl_family_rcv_msg+0x374/0x680
[<00000000b1bd936d>] genl_rcv_msg+0x78/0x108
[<0000000022c53788>] netlink_rcv_skb+0xb0/0x1c0
[<0000000011af8ec9>] genl_rcv+0x34/0x48
[<0000000069e41f53>] netlink_unicast+0x268/0x2e8
[<00000000a7517316>] netlink_sendmsg+0x320/0x4c0
[<0000000069cba205>] ____sys_sendmsg+0x354/0x3a0
[<00000000e06bab0f>] ___sys_sendmsg+0xd8/0x120
[<0000000037340728>] __sys_sendmsg+0xa4/0xf8
[<000000004fed9776>] __arm64_sys_sendmsg+0x44/0x58
[<000000001c1e5647>] el0_svc_handler+0xd0/0x1a0

Fixes: c80d545da3f7 (mac80211: Let userspace enable and configure vendor specific path selection.)
Signed-off-by: Remi Pommarel <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/mac80211/cfg.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 88dd5d218fe30..1a13715b9a591 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1964,6 +1964,7 @@ static int ieee80211_leave_mesh(struct wiphy *wiphy, struct net_device *dev)
ieee80211_stop_mesh(sdata);
mutex_lock(&sdata->local->mtx);
ieee80211_vif_release_channel(sdata);
+ kfree(sdata->u.mesh.ie);
mutex_unlock(&sdata->local->mtx);

return 0;
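Review bot: the kfree() of sdata->u.mesh.ie plugs the leak, but the pointer is left dangling; consider setting sdata->u.mesh.ie = NULL (and resetting the length that accompanies it, if one is kept) right after the free, so that any later path that inspects the mesh IE before a fresh join sees an empty buffer rather than freed memory. A sentence in the commit message on placement would also help: the free sits inside the local->mtx critical section next to ieee80211_vif_release_channel(), which is harmless but not obviously required for data private to this sdata.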
--
2.25.1



2020-08-20 12:16:07

by Greg Kroah-Hartman

Subject: [PATCH 4.9 026/212] sh: Fix validation of system call number

From: Michael Karcher <[email protected]>

[ Upstream commit 04a8a3d0a73f51c7c2da84f494db7ec1df230e69 ]

The slow path for traced system call entries accessed a wrong memory
location to get the number of the maximum allowed system call number.
Renumber the numbered "local" label for the correct location to avoid
collisions with actual local labels.

Signed-off-by: Michael Karcher <[email protected]>
Tested-by: John Paul Adrian Glaubitz <[email protected]>
Fixes: f3a8308864f920d2 ("sh: Add a few missing irqflags tracing markers.")
Signed-off-by: Rich Felker <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/sh/kernel/entry-common.S | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S
index 28cc61216b649..ed5b758c650d7 100644
--- a/arch/sh/kernel/entry-common.S
+++ b/arch/sh/kernel/entry-common.S
@@ -203,7 +203,7 @@ syscall_trace_entry:
mov.l @(OFF_R7,r15), r7 ! arg3
mov.l @(OFF_R3,r15), r3 ! syscall_nr
!
- mov.l 2f, r10 ! Number of syscalls
+ mov.l 6f, r10 ! Number of syscalls
cmp/hs r10, r3
bf syscall_call
mov #-ENOSYS, r0
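Review bot: the unchanged `cmp/hs r10, r3` / `bf syscall_call` pair is the only thing keeping the index into sys_call_table in range on the traced path, so a mis-resolved `2f` silently made that bound read from the wrong word; since the fix only renumbers the label, add a comment on the `mov.l 6f, r10` line saying it must refer to the literal-pool entry holding NR_syscalls, or better, give that entry a named label (e.g. `.Lnr_syscalls`) so the assembler reports a duplicate instead of quietly binding to the nearest following `2:`.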
@@ -357,7 +357,7 @@ ENTRY(system_call)
tst r9, r8
bf syscall_trace_entry
!
- mov.l 2f, r8 ! Number of syscalls
+ mov.l 6f, r8 ! Number of syscalls
cmp/hs r8, r3
bt syscall_badsys
!
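Review bot: the changelog only describes the traced slow path as reading the wrong location, so if this fast-path `2f` already resolved to `NR_syscalls`, the rename here is for consistency only; the changelog should say so, so that backporters do not read it as a second bug in the untraced path.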
@@ -396,7 +396,7 @@ syscall_exit:
#if !defined(CONFIG_CPU_SH2)
1: .long TRA
#endif
-2: .long NR_syscalls
+6: .long NR_syscalls
3: .long sys_call_table
7: .long do_syscall_trace_enter
8: .long do_syscall_trace_leave
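Review bot: the literal pool now reads `1:`, `6:`, `3:`, `7:`, `8:`, which looks like a typo to anyone who has not read this changelog; a one-line comment on `6: .long NR_syscalls` noting the number was chosen to avoid clashing with a `2:` local label earlier in the function makes the ordering self-explanatory.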
--
2.25.1



2020-08-20 12:16:16

by Greg Kroah-Hartman

Subject: [PATCH 4.9 005/212] crypto: ccp - Release all allocated memory if sha type is invalid

From: Navid Emamdoost <[email protected]>

[ Upstream commit 128c66429247add5128c03dc1e144ca56f05a4e2 ]

Release all allocated memory if sha type is invalid:
In ccp_run_sha_cmd, if the type of sha is invalid, the allocated
hmac_buf should be released.

v2: fix the goto.

Signed-off-by: Navid Emamdoost <[email protected]>
Acked-by: Gary R Hook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/crypto/ccp/ccp-ops.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
index 7d4cd518e6022..723f0a0cb2b5b 100644
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
@@ -1216,8 +1216,9 @@ static int ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
digest_size);
break;
default:
+ kfree(hmac_buf);
ret = -EINVAL;
- goto e_ctx;
+ goto e_data;
}

memset(&hmac_cmd, 0, sizeof(hmac_cmd));
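Review bot: the added `kfree(hmac_buf)` before `goto e_data` closes the leak on the invalid-type path only if `e_data` does not itself free `hmac_buf`; confirm that, and consider `hmac_buf = NULL` after the kfree so a shared cleanup cannot double-free it. Switching `goto e_ctx` to `goto e_data` also changes which resources are unwound on this path, and "v2: fix the goto" does not explain why the `e_ctx` target was insufficient; a sentence in the changelog would help reviewers of later backports.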
--
2.25.1



2020-08-20 12:16:47

by Greg Kroah-Hartman

Subject: [PATCH 4.9 027/212] net: lan78xx: add missing endpoint sanity check

From: Johan Hovold <[email protected]>

[ Upstream commit 8d8e95fd6d69d774013f51e5f2ee10c6e6d1fc14 ]

Add the missing endpoint sanity check to prevent a NULL-pointer
dereference should a malicious device lack the expected endpoints.

Note that the driver has a broken endpoint-lookup helper,
lan78xx_get_endpoints(), which can end up accepting interfaces in an
altsetting without endpoints as long as *some* altsetting has a bulk-in
and a bulk-out endpoint.

Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: [email protected] <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/usb/lan78xx.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index 65e94dffaabc9..fd144a513e1fe 100644
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3392,6 +3392,11 @@ static int lan78xx_probe(struct usb_interface *intf,
netdev->mtu = dev->hard_mtu - netdev->hard_header_len;
netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER);

+ if (intf->cur_altsetting->desc.bNumEndpoints < 3) {
+ ret = -ENODEV;
+ goto out3;
+ }
+
dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0;
dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1;
dev->ep_intr = (intf->cur_altsetting)->endpoint + 2;
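Review bot: `bNumEndpoints < 3` prevents indexing past the endpoint array, but the three assignments below also assume endpoint 0 is bulk-in, 1 is bulk-out and 2 is interrupt-in, and nothing checks that; validating the types with `usb_endpoint_is_bulk_in()`, `usb_endpoint_is_bulk_out()` and `usb_endpoint_is_int_in()` would reject a descriptor that has three endpoints of the wrong kind, which the changelog's note about the broken `lan78xx_get_endpoints()` helper suggests is possible. Also confirm that `out3` unwinds everything set up before this point, including the netdev configured just above.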
--
2.25.1



2020-08-20 12:17:46

by Greg Kroah-Hartman

Subject: [PATCH 4.9 021/212] xfs: fix missed wakeup on l_flush_wait

From: Rik van Riel <[email protected]>

commit cdea5459ce263fbc963657a7736762ae897a8ae6 upstream.

The code in xlog_wait uses the spinlock to make adding the task to
the wait queue and setting the task state to UNINTERRUPTIBLE atomic
with respect to the waker.

Doing the wakeup after releasing the spinlock opens up the following
race condition:

Task 1                                  task 2
add task to wait queue
                                        wake up task
set task state to UNINTERRUPTIBLE

This issue was found through code inspection as a result of kworkers
being observed stuck in UNINTERRUPTIBLE state with an empty
wait queue. It is rare and largely unreproducible.

Simply moving the spin_unlock to after the wake_up_all results
in the waker not being able to see a task on the waitqueue before
it has set its state to UNINTERRUPTIBLE.

This bug dates back to the conversion of this code to generic
waitqueue infrastructure from a counting semaphore back in 2008
which didn't place the wakeups consistently w.r.t. the relevant
spin locks.

[dchinner: Also fix a similar issue in the shutdown path on
xc_commit_wait. Update commit log with more details of the issue.]

Fixes: d748c62367eb ("[XFS] Convert l_flushsema to a sv_t")
Reported-by: Chris Mason <[email protected]>
Signed-off-by: Rik van Riel <[email protected]>
Signed-off-by: Dave Chinner <[email protected]>
Reviewed-by: Darrick J. Wong <[email protected]>
Signed-off-by: Darrick J. Wong <[email protected]>
Cc: [email protected] # 4.9.x-4.19.x
[modified for contextual change near xlog_state_do_callback()]
Signed-off-by: Samuel Mendoza-Jonas <[email protected]>
Reviewed-by: Frank van der Linden <[email protected]>
Reviewed-by: Suraj Jitindar Singh <[email protected]>
Reviewed-by: Benjamin Herrenschmidt <[email protected]>
Reviewed-by: Anchal Agarwal <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/xfs/xfs_log.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)

--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -2634,7 +2634,6 @@ xlog_state_do_callback(
int funcdidcallbacks; /* flag: function did callbacks */
int repeats; /* for issuing console warnings if
* looping too many times */
- int wake = 0;

spin_lock(&log->l_icloglock);
first_iclog = iclog = log->l_iclog;
@@ -2836,11 +2835,9 @@ xlog_state_do_callback(
#endif

if (log->l_iclog->ic_state & (XLOG_STATE_ACTIVE|XLOG_STATE_IOERROR))
- wake = 1;
- spin_unlock(&log->l_icloglock);
-
- if (wake)
wake_up_all(&log->l_flush_wait);
+
+ spin_unlock(&log->l_icloglock);
}
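Review bot: calling `wake_up_all()` while still holding `l_icloglock` is what closes the race, because the waiter in xlog_wait adds itself to the queue and sets TASK_UNINTERRUPTIBLE under that same lock; add a comment above the `wake_up_all` stating that the lock must be held across it, otherwise a future cleanup could move the unlock back up as the old code had it. No new lock nesting is introduced, since `wake_up_all` only takes the waitqueue's own lock.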


@@ -4002,7 +3999,9 @@ xfs_log_force_umount(
* item committed callback functions will do this again under lock to
* avoid races.
*/
+ spin_lock(&log->l_cilp->xc_push_lock);
wake_up_all(&log->l_cilp->xc_commit_wait);
+ spin_unlock(&log->l_cilp->xc_push_lock);
xlog_state_do_callback(log, XFS_LI_ABORTED, NULL);

#ifdef XFSERRORDEBUG
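Review bot: the comment ending just above this hunk still says the callback functions "will do this again under lock to avoid races", which described the old unlocked wakeup; now that `wake_up_all` is itself done under `xc_push_lock`, reword it so it does not document the previous behaviour. Also confirm `xfs_log_force_umount()` is never entered with `xc_push_lock` already held, since the new `spin_lock` would self-deadlock in that case.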


2020-08-20 12:18:04

by Greg Kroah-Hartman

Subject: [PATCH 4.9 018/212] x86, vmlinux.lds: Page-align end of ..page_aligned sections

From: Joerg Roedel <[email protected]>

[ Upstream commit de2b41be8fcccb2f5b6c480d35df590476344201 ]

On x86-32 the idt_table with 256 entries needs only 2048 bytes. It is
page-aligned, but the end of the .bss..page_aligned section is not
guaranteed to be page-aligned.

As a result, objects from other .bss sections may end up on the same 4k
page as the idt_table, and will accidentally get mapped read-only during
boot, causing unexpected page-faults when the kernel writes to them.

This could be worked around by making the objects in the page aligned
sections page sized, but that's wrong.

Explicit sections which store only page aligned objects have an implicit
guarantee that the object is alone in the page in which it is placed. That
works for all objects except the last one. That's inconsistent.

Enforcing page sized objects for these sections would wreck memory
sanitizers, because the object becomes artificially larger than it should
be and out-of-bounds access becomes legitimate.

Align the end of the .bss..page_aligned and .data..page_aligned section on
page-size so all objects placed in these sections are guaranteed to have
their own page.

[ tglx: Amended changelog ]

Signed-off-by: Joerg Roedel <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Cc: [email protected]
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
arch/x86/kernel/vmlinux.lds.S | 1 +
include/asm-generic/vmlinux.lds.h | 5 ++++-
2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 0df44e4fe7cb1..a1082dc61bb96 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -329,6 +329,7 @@ SECTIONS
.bss : AT(ADDR(.bss) - LOAD_OFFSET) {
__bss_start = .;
*(.bss..page_aligned)
+ . = ALIGN(PAGE_SIZE);
*(BSS_MAIN)
. = ALIGN(PAGE_SIZE);
__bss_stop = .;
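Review bot: the new `. = ALIGN(PAGE_SIZE);` after `*(.bss..page_aligned)` mirrors the alignment already done before `__bss_stop`, so BSS_MAIN objects can no longer share the idt_table's page; since arch/x86/kernel/vmlinux.lds.S spells out its .bss section itself instead of using the generic macro changed below, both copies need the same fix, and a comment pointing from one to the other would keep them in sync.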
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index 1462071a19bf2..4fdb1d9848444 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -250,7 +250,8 @@

#define PAGE_ALIGNED_DATA(page_align) \
. = ALIGN(page_align); \
- *(.data..page_aligned)
+ *(.data..page_aligned) \
+ . = ALIGN(page_align);

#define READ_MOSTLY_DATA(align) \
. = ALIGN(align); \
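Review bot: `PAGE_ALIGNED_DATA` now ends with `. = ALIGN(page_align);` and correctly drops the trailing backslash from the last line; note that `READ_MOSTLY_DATA` below starts with its own ALIGN, so the trailing alignment added here is what guarantees the last `.data..page_aligned` object is alone in its page regardless of what the linker script places next.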
@@ -625,7 +626,9 @@
. = ALIGN(bss_align); \
.bss : AT(ADDR(.bss) - LOAD_OFFSET) { \
BSS_FIRST_SECTIONS \
+ . = ALIGN(PAGE_SIZE); \
*(.bss..page_aligned) \
+ . = ALIGN(PAGE_SIZE); \
*(.dynbss) \
*(BSS_MAIN) \
*(COMMON) \
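Review bot: both added lines use `PAGE_SIZE` directly although the enclosing macro is parameterized on `bss_align`; that is appropriate because the section name promises page alignment independent of the caller's argument, but a short comment would stop someone "fixing" it to `bss_align` later. The leading `ALIGN(PAGE_SIZE)` before `*(.bss..page_aligned)` is also new, while the changelog only talks about aligning the end of the section; mention it there.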
--
2.25.1



2020-08-20 12:18:34

by Greg Kroah-Hartman

Subject: [PATCH 4.9 020/212] rds: Prevent kernel-infoleak in rds_notify_queue_get()

From: Peilin Ye <[email protected]>

commit bbc8a99e952226c585ac17477a85ef1194501762 upstream.

rds_notify_queue_get() is potentially copying uninitialized kernel stack
memory to userspace since the compiler may leave a 4-byte hole at the end
of `cmsg`.

In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which
unfortunately does not always initialize that 4-byte hole. Fix it by using
memset() instead.

Cc: [email protected]
Fixes: f037590fff30 ("rds: fix a leak of kernel memory")
Fixes: bdbe6fbc6a2f ("RDS: recv.c")
Suggested-by: Dan Carpenter <[email protected]>
Signed-off-by: Peilin Ye <[email protected]>
Acked-by: Santosh Shilimkar <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/rds/recv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -405,12 +405,13 @@ static int rds_still_queued(struct rds_s
int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr)
{
struct rds_notifier *notifier;
- struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */
+ struct rds_rdma_notify cmsg;
unsigned int count = 0, max_messages = ~0U;
unsigned long flags;
LIST_HEAD(copy);
int err = 0;

+ memset(&cmsg, 0, sizeof(cmsg)); /* fill holes with zero */

/* put_cmsg copies to user space and thus may sleep. We can't do this
* with rs_lock held, so first grab as many notifications as we can stuff
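Review bot: `memset(&cmsg, 0, sizeof(cmsg))` is the right fix: a `= { 0 }` initializer only guarantees the named members are zeroed and the compiler may leave padding untouched, so the 4-byte hole could still carry stale stack bytes to userspace through put_cmsg. Consider extending the `/* fill holes with zero */` comment to say that memset is required here, so nobody switches it back to an initializer for style reasons.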


2020-08-20 12:18:36

by Greg Kroah-Hartman

Subject: [PATCH 4.9 029/212] mlx4: disable device on shutdown

From: Jakub Kicinski <[email protected]>

[ Upstream commit 3cab8c65525920f00d8f4997b3e9bb73aecb3a8e ]

It appears that not disabling a PCI device on .shutdown may lead to
a Hardware Error with particular (perhaps buggy) BIOS versions:

mlx4_en: eth0: Close port called
mlx4_en 0000:04:00.0: removed PHC
reboot: Restarting system
{1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
{1}[Hardware Error]: event severity: fatal
{1}[Hardware Error]: Error 0, type: fatal
{1}[Hardware Error]: section_type: PCIe error
{1}[Hardware Error]: port_type: 4, root port
{1}[Hardware Error]: version: 1.16
{1}[Hardware Error]: command: 0x4010, status: 0x0143
{1}[Hardware Error]: device_id: 0000:00:02.2
{1}[Hardware Error]: slot: 0
{1}[Hardware Error]: secondary_bus: 0x04
{1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2f06
{1}[Hardware Error]: class_code: 000604
{1}[Hardware Error]: bridge: secondary_status: 0x2000, control: 0x0003
{1}[Hardware Error]: aer_uncor_status: 0x00100000, aer_uncor_mask: 0x00000000
{1}[Hardware Error]: aer_uncor_severity: 0x00062030
{1}[Hardware Error]: TLP Header: 40000018 040000ff 791f4080 00000000
[hw error repeats]
Kernel panic - not syncing: Fatal hardware error!
CPU: 0 PID: 2189 Comm: reboot Kdump: loaded Not tainted 5.6.x-blabla #1
Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 05/05/2017

Fix the mlx4 driver.

This is a very similar problem to what had been fixed in:
commit 0d98ba8d70b0 ("scsi: hpsa: disable device during shutdown")
to address https://bugzilla.kernel.org/show_bug.cgi?id=199779.

Fixes: 2ba5fbd62b25 ("net/mlx4_core: Handle AER flow properly")
Reported-by: Jake Lawrence <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Reviewed-by: Saeed Mahameed <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/mellanox/mlx4/main.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
index 751aac54f2d55..9b6a96074df80 100644
--- a/drivers/net/ethernet/mellanox/mlx4/main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/main.c
@@ -4176,12 +4176,14 @@ end:
static void mlx4_shutdown(struct pci_dev *pdev)
{
struct mlx4_dev_persistent *persist = pci_get_drvdata(pdev);
+ struct mlx4_dev *dev = persist->dev;

mlx4_info(persist->dev, "mlx4_shutdown was called\n");
mutex_lock(&persist->interface_state_mutex);
if (persist->interface_state & MLX4_INTERFACE_STATE_UP)
mlx4_unload_one(pdev);
mutex_unlock(&persist->interface_state_mutex);
+ mlx4_pci_disable_device(dev);
}

static const struct pci_error_handlers mlx4_err_handler = {
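Review bot: `dev` is read from `persist->dev` before `interface_state_mutex` is taken and used after it is released; that is only safe if `mlx4_unload_one()` never frees or replaces `persist->dev`, which the hunk does not show, so a comment or a check is warranted. Also confirm `mlx4_pci_disable_device()` tolerates being called when the interface was never UP and the device is already disabled. Minor: `mlx4_info(persist->dev, ...)` can now use `dev` for consistency.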
--
2.25.1



2020-08-20 12:18:55

by Greg Kroah-Hartman

Subject: [PATCH 4.9 031/212] mlxsw: core: Free EMAD transactions using kfree_rcu()

From: Ido Schimmel <[email protected]>

[ Upstream commit 3c8ce24b037648a5a15b85888b259a74b05ff97d ]

The lifetime of EMAD transactions (i.e., 'struct mlxsw_reg_trans') is
managed using RCU. They are freed using kfree_rcu() once the transaction
ends.

However, in case the transaction failed it is freed immediately after being
removed from the active transactions list. This is problematic because it is
still possible for a different CPU to dereference the transaction from an RCU
read-side critical section while traversing the active transaction list in
mlxsw_emad_rx_listener_func(). In which case, a use-after-free is triggered
[1].

Fix this by freeing the transaction after a grace period by calling
kfree_rcu().

[1]
BUG: KASAN: use-after-free in mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671
Read of size 8 at addr ffff88800b7964e8 by task syz-executor.2/2881

CPU: 0 PID: 2881 Comm: syz-executor.2 Not tainted 5.8.0-rc4+ #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xf6/0x16e lib/dump_stack.c:118
print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671
mlxsw_core_skb_receive+0x571/0x700 drivers/net/ethernet/mellanox/mlxsw/core.c:2061
mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline]
mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651
tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550
__do_softirq+0x223/0x964 kernel/softirq.c:292
asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
do_softirq_own_stack+0x109/0x140 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:387 [inline]
__irq_exit_rcu kernel/softirq.c:417 [inline]
irq_exit_rcu+0x16f/0x1a0 kernel/softirq.c:429
sysvec_apic_timer_interrupt+0x4e/0xd0 arch/x86/kernel/apic/apic.c:1091
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:587
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
Code: e8 2a c3 f4 fc 48 89 ef e8 12 96 f5 fc f6 c7 02 75 11 53 9d e8 d6 db 11 fd 65 ff 0d 1f 21 b3 56 5b 5d c3 e8 a7 d7 11 fd 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 05 21 b3 56 ff 74 24 08 48 8d
RSP: 0018:ffff8880446ffd80 EFLAGS: 00000286
RAX: 0000000000000006 RBX: 0000000000000286 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffa94ecea9
RBP: ffff888012934408 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: fffffbfff57be301 R12: 1ffff110088dffc1
R13: ffff888037b817c0 R14: ffff88802442415a R15: ffff888024424000
__do_sys_perf_event_open+0x1b5d/0x2bd0 kernel/events/core.c:11874
do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x473dbd
Code: Bad RIP value.
RSP: 002b:00007f21e5e9cc28 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 000000000057bf00 RCX: 0000000000473dbd
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000040
RBP: 000000000057bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 000000000057bf0c
R13: 00007ffd0493503f R14: 00000000004d0f46 R15: 00007f21e5e9cd80

Allocated by task 871:
save_stack+0x1b/0x40 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc mm/kasan/common.c:494 [inline]
__kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
mlxsw_core_reg_access_emad+0x70/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1812
mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991
mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130
update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173
process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
kthread+0x355/0x470 kernel/kthread.c:291
ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293

Freed by task 871:
save_stack+0x1b/0x40 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
kasan_set_free_info mm/kasan/common.c:316 [inline]
__kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455
slab_free_hook mm/slub.c:1474 [inline]
slab_free_freelist_hook mm/slub.c:1507 [inline]
slab_free mm/slub.c:3072 [inline]
kfree+0xe6/0x320 mm/slub.c:4052
mlxsw_core_reg_access_emad+0xd45/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1819
mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991
mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130
update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173
process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
kthread+0x355/0x470 kernel/kthread.c:291
ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff88800b796400
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 232 bytes inside of
512-byte region [ffff88800b796400, ffff88800b796600)
The buggy address belongs to the page:
page:ffffea00002de500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00002de500 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c402500
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:

Fixes: caf7297e7ab5 ("mlxsw: core: Introduce support for asynchronous EMAD register access")
Signed-off-by: Ido Schimmel <[email protected]>
Reviewed-by: Jiri Pirko <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c
index 6ebe88deab62a..808d924dbe21e 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
@@ -1370,7 +1370,7 @@ static int mlxsw_core_reg_access_emad(struct mlxsw_core *mlxsw_core,
err = mlxsw_emad_reg_access(mlxsw_core, reg, payload, type, trans,
bulk_list, cb, cb_priv, tid);
if (err) {
- kfree(trans);
+ kfree_rcu(trans, rcu);
return err;
}
return 0;
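Review bot: `kfree_rcu(trans, rcu)` is only sufficient if the failed transaction has already been unlinked from the active list with the RCU list primitives inside `mlxsw_emad_reg_access()`; otherwise the listener can still find it after the grace period. A comment here referencing the RCU traversal in `mlxsw_emad_rx_listener_func()` would record why a plain `kfree()` is wrong, since this error path otherwise looks like a purely local cleanup.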
--
2.25.1



2020-08-20 12:19:09

by Greg Kroah-Hartman

Subject: [PATCH 4.9 016/212] 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work

From: Wang Hai <[email protected]>

[ Upstream commit 74d6a5d5662975aed7f25952f62efbb6f6dadd29 ]

p9_read_work and p9_fd_cancelled may be called concurrently.
In some cases, req->req_list may be deleted by both p9_read_work
and p9_fd_cancelled.

We can fix it by ignoring replies associated with a cancelled
request and ignoring the cancelled request if the message has been
received before taking the lock.

Link: http://lkml.kernel.org/r/[email protected]
Fixes: 60ff779c4abb ("9p: client: remove unused code and any reference to "cancelled" function")
Cc: <[email protected]> # v3.12+
Reported-by: [email protected]
Signed-off-by: Wang Hai <[email protected]>
Signed-off-by: Dominique Martinet <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/9p/trans_fd.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 91f71958c2e16..b0f47563f0bf3 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -377,6 +377,10 @@ static void p9_read_work(struct work_struct *work)
if (m->req->status == REQ_STATUS_SENT) {
list_del(&m->req->req_list);
p9_client_cb(m->client, m->req, REQ_STATUS_RCVD);
+ } else if (m->req->status == REQ_STATUS_FLSHD) {
+ /* Ignore replies associated with a cancelled request. */
+ p9_debug(P9_DEBUG_TRANS,
+ "Ignore replies associated with a cancelled request\n");
} else {
spin_unlock(&m->client->lock);
p9_debug(P9_DEBUG_ERROR,
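Review bot: the new `REQ_STATUS_FLSHD` branch intentionally skips `list_del`, because `p9_fd_cancelled` already unlinked the request; say so in the comment, since as written it reads as if the reply is merely being logged. The branch also keeps `client->lock` held and falls through to the shared unlock below, unlike the final `else`, which unlocks before `goto error`; that asymmetry is correct but deserves a glance from the next reader.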
@@ -717,11 +721,20 @@ static int p9_fd_cancelled(struct p9_client *client, struct p9_req_t *req)
{
p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);

+ spin_lock(&client->lock);
+ /* Ignore cancelled request if message has been received
+ * before lock.
+ */
+ if (req->status == REQ_STATUS_RCVD) {
+ spin_unlock(&client->lock);
+ return 0;
+ }
+
/* we haven't received a response for oldreq,
* remove it from the list.
*/
- spin_lock(&client->lock);
list_del(&req->req_list);
+ req->status = REQ_STATUS_FLSHD;
spin_unlock(&client->lock);

return 0;
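Review bot: taking `client->lock` before checking `req->status == REQ_STATUS_RCVD` is the key part of the fix, since `p9_read_work` updates the status under the same lock, and setting `req->status = REQ_STATUS_FLSHD` under it is what lets the read path ignore a late reply. Both the early return and the normal path return 0, so the caller cannot tell whether the reply had already arrived; the changelog should state that this is intended.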
--
2.25.1



2020-08-20 12:19:17

by Greg Kroah-Hartman

Subject: [PATCH 4.9 010/212] ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints

From: Will Deacon <[email protected]>

commit eec13b42d41b0f3339dcf0c4da43734427c68620 upstream.

Unprivileged memory accesses generated by the so-called "translated"
instructions (e.g. LDRT) in kernel mode can cause user watchpoints to fire
unexpectedly. In such cases, the hw_breakpoint logic will invoke the user
overflow handler which will typically raise a SIGTRAP back to the current
task. This is futile when returning back to the kernel because (a) the
signal won't have been delivered and (b) userspace can't handle the thing
anyway.

Avoid invoking the user overflow handler for watchpoints triggered by
kernel uaccess routines, and instead single-step over the faulting
instruction as we would if no overflow handler had been installed.

Cc: <[email protected]>
Fixes: f81ef4a920c8 ("ARM: 6356/1: hw-breakpoint: add ARM backend for the hw-breakpoint framework")
Reported-by: Luis Machado <[email protected]>
Tested-by: Luis Machado <[email protected]>
Signed-off-by: Will Deacon <[email protected]>
Signed-off-by: Russell King <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/arm/kernel/hw_breakpoint.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)

--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -688,6 +688,12 @@ static void disable_single_step(struct p
arch_install_hw_breakpoint(bp);
}

+static int watchpoint_fault_on_uaccess(struct pt_regs *regs,
+ struct arch_hw_breakpoint *info)
+{
+ return !user_mode(regs) && info->ctrl.privilege == ARM_BREAKPOINT_USER;
+}
+
static void watchpoint_handler(unsigned long addr, unsigned int fsr,
struct pt_regs *regs)
{
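Review bot: `watchpoint_fault_on_uaccess()` returns `int` for a yes/no result; `bool` would match the usual kernel style. The condition `!user_mode(regs) && info->ctrl.privilege == ARM_BREAKPOINT_USER` matches any kernel-mode hit of a user-privilege watchpoint, not only hits from uaccess helpers; the name is fine given the changelog, but a one-line comment stating that broader meaning would help.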
@@ -747,16 +753,27 @@ static void watchpoint_handler(unsigned
}

pr_debug("watchpoint fired: address = 0x%x\n", info->trigger);
+
+ /*
+ * If we triggered a user watchpoint from a uaccess routine,
+ * then handle the stepping ourselves since userspace really
+ * can't help us with this.
+ */
+ if (watchpoint_fault_on_uaccess(regs, info))
+ goto step;
+
perf_bp_event(wp, regs);

/*
- * If no overflow handler is present, insert a temporary
- * mismatch breakpoint so we can single-step over the
- * watchpoint trigger.
+ * Defer stepping to the overflow handler if one is installed.
+ * Otherwise, insert a temporary mismatch breakpoint so that
+ * we can single-step over the watchpoint trigger.
*/
- if (is_default_overflow_handler(wp))
- enable_single_step(wp, instruction_pointer(regs));
+ if (!is_default_overflow_handler(wp))
+ goto unlock;

+step:
+ enable_single_step(wp, instruction_pointer(regs));
unlock:
rcu_read_unlock();
}
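Review bot: the `goto step` for a uaccess hit bypasses `perf_bp_event(wp, regs)` entirely, so such hits are neither counted nor delivered to the overflow handler; that is the stated intent, but the comment should say the event is dropped, not only that stepping is handled in-kernel. The restructured tail (`if (!is_default_overflow_handler(wp)) goto unlock;` followed by `step:`) preserves the old behaviour for the non-uaccess path.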


2020-08-20 12:19:22

by Greg Kroah-Hartman

Subject: [PATCH 4.9 015/212] 9p/trans_fd: abort p9_read_work if req status changed

From: Dominique Martinet <[email protected]>

[ Upstream commit e4ca13f7d075e551dc158df6af18fb412a1dba0a ]

p9_read_work would try to handle an errored req even if it got put to
error state by another thread between the lookup (that worked) and the
time it had been fully read.
The request itself is safe to use because we hold a ref to it from the
lookup (for m->rreq, so it was safe to read into the request data buffer
until this point), but the req_list has been deleted at the same time
status changed, and client_cb already has been called as well, so we
should not do either.

Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Dominique Martinet <[email protected]>
Reported-by: [email protected]
Cc: Eric Van Hensbergen <[email protected]>
Cc: Latchesar Ionkov <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/9p/trans_fd.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index aa4586672cee9..91f71958c2e16 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -295,7 +295,6 @@ static void p9_read_work(struct work_struct *work)
{
int n, err;
struct p9_conn *m;
- int status = REQ_STATUS_ERROR;

m = container_of(work, struct p9_conn, rq);

@@ -375,11 +374,17 @@ static void p9_read_work(struct work_struct *work)
if ((m->req) && (m->rc.offset == m->rc.capacity)) {
p9_debug(P9_DEBUG_TRANS, "got new packet\n");
spin_lock(&m->client->lock);
- if (m->req->status != REQ_STATUS_ERROR)
- status = REQ_STATUS_RCVD;
- list_del(&m->req->req_list);
- /* update req->status while holding client->lock */
- p9_client_cb(m->client, m->req, status);
+ if (m->req->status == REQ_STATUS_SENT) {
+ list_del(&m->req->req_list);
+ p9_client_cb(m->client, m->req, REQ_STATUS_RCVD);
+ } else {
+ spin_unlock(&m->client->lock);
+ p9_debug(P9_DEBUG_ERROR,
+ "Request tag %d errored out while we were reading the reply\n",
+ m->rc.tag);
+ err = -EIO;
+ goto error;
+ }
spin_unlock(&m->client->lock);
m->rc.sdata = NULL;
m->rc.offset = 0;
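Review bot: the new error exit unlocks `client->lock` and jumps to `error` before the cleanup at the end of the block (`m->rc.sdata = NULL;`, `m->rc.offset = 0;`), so confirm the `error` label drops the reference to `m->req` taken at lookup time and resets the receive state; otherwise the next read pass starts with a stale `m->req`.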
--
2.25.1



2020-08-20 12:19:32

by Greg Kroah-Hartman

Subject: [PATCH 4.9 028/212] net: lan78xx: fix transfer-buffer memory leak

From: Johan Hovold <[email protected]>

[ Upstream commit 63634aa679ba8b5e306ad0727120309ae6ba8a8e ]

The interrupt URB transfer-buffer was never freed on disconnect or after
probe errors.

Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: [email protected] <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/usb/lan78xx.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index fd144a513e1fe..7e57aabe95545 100644
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3421,6 +3421,7 @@ static int lan78xx_probe(struct usb_interface *intf,
usb_fill_int_urb(dev->urb_intr, dev->udev,
dev->pipe_intr, buf, maxp,
intr_complete, dev, period);
+ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
}
}
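Review bot: `URB_FREE_BUFFER` makes `usb_free_urb()` release `buf`, so every path that frees `dev->urb_intr` must not also `kfree(buf)`, or the fix trades a leak for a double free; confirm the disconnect and probe-error paths only free the URB. Setting the flag after `usb_fill_int_urb()` is fine since the URB is not submitted here.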

--
2.25.1



2020-08-20 12:19:43

by Greg Kroah-Hartman

Subject: [PATCH 4.9 001/212] xfs: catch inode allocation state mismatch corruption

From: Dave Chinner <[email protected]>

[ Upstream commit ee457001ed6c6f31ddad69c24c1da8f377d8472d ]

We recently came across a V4 filesystem causing memory corruption
due to a newly allocated inode being set up twice and being added to
the superblock inode list twice. From code inspection, the only way
this could happen is if a newly allocated inode was not marked as
free on disk (i.e. di_mode wasn't zero).

Running the metadump on an upstream debug kernel fails during inode
allocation like so:

XFS: Assertion failed: ip->i_d.di_nblocks == 0, file: fs/xfs/xfs_inode.c, line: 838
------------[ cut here ]------------
kernel BUG at fs/xfs/xfs_message.c:114!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 11 PID: 3496 Comm: mkdir Not tainted 4.16.0-rc5-dgc #442
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
RIP: 0010:assfail+0x28/0x30
RSP: 0018:ffffc9000236fc80 EFLAGS: 00010202
RAX: 00000000ffffffea RBX: 0000000000004000 RCX: 0000000000000000
RDX: 00000000ffffffc0 RSI: 000000000000000a RDI: ffffffff8227211b
RBP: ffffc9000236fce8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000bec R11: f000000000000000 R12: ffffc9000236fd30
R13: ffff8805c76bab80 R14: ffff8805c77ac800 R15: ffff88083fb12e10
FS: 00007fac8cbff040(0000) GS:ffff88083fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffa6783ff8 CR3: 00000005c6e2b003 CR4: 00000000000606e0
Call Trace:
xfs_ialloc+0x383/0x570
xfs_dir_ialloc+0x6a/0x2a0
xfs_create+0x412/0x670
xfs_generic_create+0x1f7/0x2c0
? capable_wrt_inode_uidgid+0x3f/0x50
vfs_mkdir+0xfb/0x1b0
SyS_mkdir+0xcf/0xf0
do_syscall_64+0x73/0x1a0
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Extracting the inode number we crashed on from an event trace and
looking at it with xfs_db:

xfs_db> inode 184452204
xfs_db> p
core.magic = 0x494e
core.mode = 0100644
core.version = 2
core.format = 2 (extents)
core.nlinkv2 = 1
core.onlink = 0
.....

Confirms that it is not a free inode on disk. xfs_repair
also trips over this inode:

.....
zero length extent (off = 0, fsbno = 0) in ino 184452204
correcting nextents for inode 184452204
bad attribute fork in inode 184452204, would clear attr fork
bad nblocks 1 for inode 184452204, would reset to 0
bad anextents 1 for inode 184452204, would reset to 0
imap claims in-use inode 184452204 is free, would correct imap
would have cleared inode 184452204
.....
disconnected inode 184452204, would move to lost+found

And so we have a situation where the directory structure and the
inobt thinks the inode is free, but the inode on disk thinks it is
still in use. Where this corruption came from is not possible to
diagnose, but we can detect it and prevent the kernel from oopsing
on lookup. The reproducer now results in:

$ sudo mkdir /mnt/scratch/{0,1,2,3,4,5}{0,1,2,3,4,5}
mkdir: cannot create directory ‘/mnt/scratch/00’: File exists
mkdir: cannot create directory ‘/mnt/scratch/01’: File exists
mkdir: cannot create directory ‘/mnt/scratch/03’: Structure needs cleaning
mkdir: cannot create directory ‘/mnt/scratch/04’: Input/output error
mkdir: cannot create directory ‘/mnt/scratch/05’: Input/output error
....

And this corruption shutdown:

[ 54.843517] XFS (loop0): Corruption detected! Free inode 0xafe846c not marked free on disk
[ 54.845885] XFS (loop0): Internal error xfs_trans_cancel at line 1023 of file fs/xfs/xfs_trans.c. Caller xfs_create+0x425/0x670
[ 54.848994] CPU: 10 PID: 3541 Comm: mkdir Not tainted 4.16.0-rc5-dgc #443
[ 54.850753] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 54.852859] Call Trace:
[ 54.853531] dump_stack+0x85/0xc5
[ 54.854385] xfs_trans_cancel+0x197/0x1c0
[ 54.855421] xfs_create+0x425/0x670
[ 54.856314] xfs_generic_create+0x1f7/0x2c0
[ 54.857390] ? capable_wrt_inode_uidgid+0x3f/0x50
[ 54.858586] vfs_mkdir+0xfb/0x1b0
[ 54.859458] SyS_mkdir+0xcf/0xf0
[ 54.860254] do_syscall_64+0x73/0x1a0
[ 54.861193] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.862492] RIP: 0033:0x7fb73bddf547
[ 54.863358] RSP: 002b:00007ffdaa553338 EFLAGS: 00000246 ORIG_RAX: 0000=
000000000053
[ 54.865133] RAX: ffffffffffffffda RBX: 00007ffdaa55449a RCX: 00007fb73=
bddf547
[ 54.866766] RDX: 0000000000000001 RSI: 00000000000001ff RDI: 00007ffda=
a55449a
[ 54.868432] RBP: 00007ffdaa55449a R08: 00000000000001ff R09: 00005623a=
8670dd0
[ 54.870110] R10: 00007fb73be72d5b R11: 0000000000000246 R12: 000000000=
00001ff
[ 54.871752] R13: 00007ffdaa5534b0 R14: 0000000000000000 R15: 00007ffda=
a553500
[ 54.873429] XFS (loop0): xfs_do_force_shutdown(0x8) called from line 1=
024 of file fs/xfs/xfs_trans.c. Return address = ffffffff814cd050
[ 54.882790] XFS (loop0): Corruption of in-memory data detected. Shutt=
ing down filesystem
[ 54.884597] XFS (loop0): Please umount the filesystem and rectify the =
problem(s)

Note that this crash is only possible on v4 filesystems or v5
filesystems mounted with the ikeep mount option. For all other V5
filesystems, this problem cannot occur because we don't read inodes
we are allocating from disk - we simply overwrite them with the new
inode information.

Signed-Off-By: Dave Chinner <[email protected]>
Reviewed-by: Carlos Maiolino <[email protected]>
Tested-by: Carlos Maiolino <[email protected]>
Reviewed-by: Darrick J. Wong <[email protected]>
Signed-off-by: Darrick J. Wong <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/xfs/xfs_icache.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
index 86a4911520cc5..57ec10809f4bf 100644
--- a/fs/xfs/xfs_icache.c
+++ b/fs/xfs/xfs_icache.c
@@ -471,7 +471,28 @@ xfs_iget_cache_miss(

trace_xfs_iget_miss(ip);

- if ((VFS_I(ip)->i_mode == 0) && !(flags & XFS_IGET_CREATE)) {
+
+ /*
+ * If we are allocating a new inode, then check what was returned is
+ * actually a free, empty inode. If we are not allocating an inode,
+ * the check we didn't find a free inode.
+ */
+ if (flags & XFS_IGET_CREATE) {
+ if (VFS_I(ip)->i_mode != 0) {
+ xfs_warn(mp,
+"Corruption detected! Free inode 0x%llx not marked free on disk",
+ ino);
+ error = -EFSCORRUPTED;
+ goto out_destroy;
+ }
+ if (ip->i_d.di_nblocks != 0) {
+ xfs_warn(mp,
+"Corruption detected! Free inode 0x%llx has blocks allocated!",
+ ino);
+ error = -EFSCORRUPTED;
+ goto out_destroy;
+ }
+ } else if (VFS_I(ip)->i_mode == 0) {
error = -ENOENT;
goto out_destroy;
}
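Review bot: the new comment in this hunk ends with "If we are not allocating an inode, the check we didn't find a free inode", which should read "then check we didn't find a free inode"; the bare `+` line above it also leaves two consecutive blank lines before the comment. The two -EFSCORRUPTED branches differ only in their message text and would read better as one helper taking `ip` and `flags`, which would also let xfs_iget_cache_hit() share the same validation instead of keeping its own `i_mode == 0` test; as written, only the cache-miss path learns to reject an inobt-free inode that is in use on disk.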
--
2.25.1



2020-08-20 12:19:50

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 002/212] xfs: validate cached inodes are free when allocated

From: Dave Chinner <[email protected]>

[ Upstream commit afca6c5b2595fc44383919fba740c194b0b76aff ]

A recent fuzzed filesystem image caused random dcache corruption
when the reproducer was run. This often showed up as panics in
lookup_slow() on a null inode->i_ops pointer when doing pathwalks.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
....
Call Trace:
lookup_slow+0x44/0x60
walk_component+0x3dd/0x9f0
link_path_walk+0x4a7/0x830
path_lookupat+0xc1/0x470
filename_lookup+0x129/0x270
user_path_at_empty+0x36/0x40
path_listxattr+0x98/0x110
SyS_listxattr+0x13/0x20
do_syscall_64+0xf5/0x280
entry_SYSCALL_64_after_hwframe+0x42/0xb7

but had many different failure modes including deadlocks trying to
lock the inode that was just allocated or KASAN reports of
use-after-free violations.

The cause of the problem was a corrupt INOBT on a v4 fs where the
root inode was marked as free in the inobt record. Hence when we
allocated an inode, it chose the root inode to allocate, found it in
the cache and re-initialised it.

We recently fixed a similar inode allocation issue caused by inobt
record corruption problem in xfs_iget_cache_miss() in commit
ee457001ed6c ("xfs: catch inode allocation state mismatch
corruption"). This change adds similar checks to the cache-hit path
to catch it, and turns the reproducer into a corruption shutdown
situation.

Reported-by: Wen Xu <[email protected]>
Signed-Off-By: Dave Chinner <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Reviewed-by: Carlos Maiolino <[email protected]>
Reviewed-by: Darrick J. Wong <[email protected]>
[darrick: fix typos in comment]
Signed-off-by: Darrick J. Wong <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/xfs/xfs_icache.c | 73 +++++++++++++++++++++++++++++----------------
1 file changed, 48 insertions(+), 25 deletions(-)

diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
index 57ec10809f4bf..69c112ddb544d 100644
--- a/fs/xfs/xfs_icache.c
+++ b/fs/xfs/xfs_icache.c
@@ -307,6 +307,46 @@ xfs_reinit_inode(
return error;
}

+/*
+ * If we are allocating a new inode, then check what was returned is
+ * actually a free, empty inode. If we are not allocating an inode,
+ * then check we didn't find a free inode.
+ *
+ * Returns:
+ * 0 if the inode free state matches the lookup context
+ * -ENOENT if the inode is free and we are not allocating
+ * -EFSCORRUPTED if there is any state mismatch at all
+ */
+static int
+xfs_iget_check_free_state(
+ struct xfs_inode *ip,
+ int flags)
+{
+ if (flags & XFS_IGET_CREATE) {
+ /* should be a free inode */
+ if (VFS_I(ip)->i_mode != 0) {
+ xfs_warn(ip->i_mount,
+"Corruption detected! Free inode 0x%llx not marked free! (mode 0x%x)",
+ ip->i_ino, VFS_I(ip)->i_mode);
+ return -EFSCORRUPTED;
+ }
+
+ if (ip->i_d.di_nblocks != 0) {
+ xfs_warn(ip->i_mount,
+"Corruption detected! Free inode 0x%llx has blocks allocated!",
+ ip->i_ino);
+ return -EFSCORRUPTED;
+ }
+ return 0;
+ }
+
+ /* should be an allocated inode */
+ if (VFS_I(ip)->i_mode == 0)
+ return -ENOENT;
+
+ return 0;
+}
+
/*
* Check the validity of the inode we just found it the cache
*/
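Review bot: the Returns block says -EFSCORRUPTED is returned "if there is any state mismatch at all", but the non-create path returns -ENOENT for the one mismatch it can see (a free inode found by a plain lookup), so that bullet should be scoped to the XFS_IGET_CREATE case, e.g. "-EFSCORRUPTED if an inode we are allocating is not free and empty". Since this hunk touches the neighbouring comment's context anyway, "the inode we just found it the cache" should read "in the cache".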
@@ -356,12 +396,12 @@ xfs_iget_cache_hit(
}

/*
- * If lookup is racing with unlink return an error immediately.
+ * Check the inode free state is valid. This also detects lookup
+ * racing with unlinks.
*/
- if (VFS_I(ip)->i_mode == 0 && !(flags & XFS_IGET_CREATE)) {
- error = -ENOENT;
+ error = xfs_iget_check_free_state(ip, flags);
+ if (error)
goto out_error;
- }

/*
* If IRECLAIMABLE is set, we've torn down the VFS inode already.
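Review bot: the replacement comment "Check the inode free state is valid" drops a word; "Check that the inode's free state is consistent with the lookup" reads better, and the same sentence is pasted again into xfs_iget_cache_miss() below, so fix both. Worth one more sentence here: xfs_iget_check_free_state() now returns both the benign -ENOENT (lookup racing with unlink) and -EFSCORRUPTED through the same `out_error` label, and the corruption case is deliberately left to the caller to escalate rather than shutting down from under i_flags_lock.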
@@ -473,29 +513,12 @@ xfs_iget_cache_miss(


/*
- * If we are allocating a new inode, then check what was returned is
- * actually a free, empty inode. If we are not allocating an inode,
- * the check we didn't find a free inode.
+ * Check the inode free state is valid. This also detects lookup
+ * racing with unlinks.
*/
- if (flags & XFS_IGET_CREATE) {
- if (VFS_I(ip)->i_mode != 0) {
- xfs_warn(mp,
-"Corruption detected! Free inode 0x%llx not marked free on disk",
- ino);
- error = -EFSCORRUPTED;
- goto out_destroy;
- }
- if (ip->i_d.di_nblocks != 0) {
- xfs_warn(mp,
-"Corruption detected! Free inode 0x%llx has blocks allocated!",
- ino);
- error = -EFSCORRUPTED;
- goto out_destroy;
- }
- } else if (VFS_I(ip)->i_mode == 0) {
- error = -ENOENT;
+ error = xfs_iget_check_free_state(ip, flags);
+ if (error)
goto out_destroy;
- }

/*
* Preload the radix tree so we can insert safely under the
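Review bot: the context above the rewritten comment still has two consecutive blank lines (the stray `+` blank introduced by the previous xfs patch in this series); since this hunk already rewrites the comment block, drop the extra blank here rather than leaving it for a later cleanup.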
--
2.25.1



2020-08-20 12:20:18

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 014/212] f2fs: check if file namelen exceeds max value

From: Sheng Yong <[email protected]>

[ Upstream commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b ]

Dentry bitmap is not enough to detect incorrect dentries. So this patch
also checks the namelen value of a dentry.

Signed-off-by: Gong Chen <[email protected]>
Signed-off-by: Sheng Yong <[email protected]>
Reviewed-by: Chao Yu <[email protected]>
Signed-off-by: Jaegeuk Kim <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/f2fs/dir.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
index 79d138756acb5..9a11b48e55ca2 100644
--- a/fs/f2fs/dir.c
+++ b/fs/f2fs/dir.c
@@ -845,7 +845,8 @@ bool f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,

/* check memory boundary before moving forward */
bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
- if (unlikely(bit_pos > d->max)) {
+ if (unlikely(bit_pos > d->max ||
+ le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) {
f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING,
"%s: corrupted namelen=%d, run fsck to fix.",
__func__, le16_to_cpu(de->name_len));
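Review bot: `le16_to_cpu(de->name_len)` is now evaluated three times in this hunk (the GET_DENTRY_SLOTS() step, the new F2FS_NAME_LEN bound, and the warning); hoisting it into a local `unsigned int name_len` would make the check easier to read and avoid re-reading the on-disk field after validating it. Note also that `bit_pos` is advanced by GET_DENTRY_SLOTS() of the unvalidated length before the bound is applied; that is harmless because `bit_pos > d->max` still guards the walk, but testing `name_len > F2FS_NAME_LEN` before using it to step the cursor would express the intent more directly.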
--
2.25.1



2020-08-20 12:20:35

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 019/212] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

From: Tetsuo Handa <[email protected]>

[ Upstream commit 033724d6864245a11f8e04c066002e6ad22b3fd0 ]

syzbot is reporting a general protection fault in bitfill_aligned() [1]
caused by an integer underflow in bit_clear_margins(). The cause of this
problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.

If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
try to overrun the __iomem region and cause a general protection fault.

Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to

new_cols = (cols ? cols : vc->vc_cols);
new_rows = (lines ? lines : vc->vc_rows);

exception. Since cols and lines are calculated as

cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
cols /= vc->vc_font.width;
rows /= vc->vc_font.height;
vc_resize(vc, cols, rows);

in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
and var.yres < vc->vc_font.height makes rows = 0. This means that

const int fd = open("/dev/fb0", O_ACCMODE);
struct fb_var_screeninfo var = { };
ioctl(fd, FBIOGET_VSCREENINFO, &var);
var.xres = var.yres = 1;
ioctl(fd, FBIOPUT_VSCREENINFO, &var);

easily reproduces integer underflow bug explained above.

Of course, it is bad that callers of vc_resize() do not handle vc_do_resize()
failure. But we can't avoid vc_resize(vc, 0, 0), which returns 0. Therefore,
as a band-aid workaround, this patch checks for integer underflow in the
"struct fbcon_ops"->clear_margins call, assuming that
vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.height do not
cause integer overflow.

[1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6

Reported-and-tested-by: syzbot <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Daniel Vetter <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/video/console/bitblit.c | 4 ++--
drivers/video/console/fbcon_ccw.c | 4 ++--
drivers/video/console/fbcon_cw.c | 4 ++--
drivers/video/console/fbcon_ud.c | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/video/console/bitblit.c b/drivers/video/console/bitblit.c
index dbfe4eecf12e5..05d1d36a56654 100644
--- a/drivers/video/console/bitblit.c
+++ b/drivers/video/console/bitblit.c
@@ -216,7 +216,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info,
region.color = 0;
region.rop = ROP_COPY;

- if (rw && !bottom_only) {
+ if ((int) rw > 0 && !bottom_only) {
region.dx = info->var.xoffset + rs;
region.dy = 0;
region.width = rw;
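Review bot: `(int) rw > 0` relies on the wrapped unsigned value landing in the negative half of `int`, which holds for any realistic xres and cols * cw but encodes the intent indirectly; computing the margin as a signed difference where `rw` is derived (or clamping there) would make the underflow check explicit and avoid repeating the same cast in the eight sites across the four rotation files. Since the commit message already calls this a band-aid, a one-line comment at the site saying why the cast is there would help the next reader.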
@@ -224,7 +224,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info,
info->fbops->fb_fillrect(info, &region);
}

- if (bh) {
+ if ((int) bh > 0) {
region.dx = info->var.xoffset;
region.dy = info->var.yoffset + bs;
region.width = rs;
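Review bot: the new guard protects `bh`, but the fill below still passes `region.width = rs` unchecked; if `rs` is derived from the same vc_cols * cw product that makes `rw` wrap (its computation is outside the diff context), it can exceed var.xres even when `bh` itself is positive, so confirm `rs` is bounded before fb_fillrect() is called, or bound it here alongside `bh`.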
diff --git a/drivers/video/console/fbcon_ccw.c b/drivers/video/console/fbcon_ccw.c
index 5a3cbf6dff4d9..34da8bba9273a 100644
--- a/drivers/video/console/fbcon_ccw.c
+++ b/drivers/video/console/fbcon_ccw.c
@@ -201,7 +201,7 @@ static void ccw_clear_margins(struct vc_data *vc, struct fb_info *info,
region.color = 0;
region.rop = ROP_COPY;

- if (rw && !bottom_only) {
+ if ((int) rw > 0 && !bottom_only) {
region.dx = 0;
region.dy = info->var.yoffset;
region.height = rw;
@@ -209,7 +209,7 @@ static void ccw_clear_margins(struct vc_data *vc, struct fb_info *info,
info->fbops->fb_fillrect(info, &region);
}

- if (bh) {
+ if ((int) bh > 0) {
region.dx = info->var.xoffset + bs;
region.dy = 0;
region.height = info->var.yres_virtual;
diff --git a/drivers/video/console/fbcon_cw.c b/drivers/video/console/fbcon_cw.c
index e7ee44db4e98b..0b552b3fc22ab 100644
--- a/drivers/video/console/fbcon_cw.c
+++ b/drivers/video/console/fbcon_cw.c
@@ -184,7 +184,7 @@ static void cw_clear_margins(struct vc_data *vc, struct fb_info *info,
region.color = 0;
region.rop = ROP_COPY;

- if (rw && !bottom_only) {
+ if ((int) rw > 0 && !bottom_only) {
region.dx = 0;
region.dy = info->var.yoffset + rs;
region.height = rw;
@@ -192,7 +192,7 @@ static void cw_clear_margins(struct vc_data *vc, struct fb_info *info,
info->fbops->fb_fillrect(info, &region);
}

- if (bh) {
+ if ((int) bh > 0) {
region.dx = info->var.xoffset;
region.dy = info->var.yoffset;
region.height = info->var.yres;
diff --git a/drivers/video/console/fbcon_ud.c b/drivers/video/console/fbcon_ud.c
index 19e3714abfe8f..7f62efe2da526 100644
--- a/drivers/video/console/fbcon_ud.c
+++ b/drivers/video/console/fbcon_ud.c
@@ -231,7 +231,7 @@ static void ud_clear_margins(struct vc_data *vc, struct fb_info *info,
region.color = 0;
region.rop = ROP_COPY;

- if (rw && !bottom_only) {
+ if ((int) rw > 0 && !bottom_only) {
region.dy = 0;
region.dx = info->var.xoffset;
region.width = rw;
@@ -239,7 +239,7 @@ static void ud_clear_margins(struct vc_data *vc, struct fb_info *info,
info->fbops->fb_fillrect(info, &region);
}

- if (bh) {
+ if ((int) bh > 0) {
region.dy = info->var.yoffset;
region.dx = info->var.xoffset;
region.height = bh;
--
2.25.1
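As an added illustration (not part of the patch above or of the kernel sources), the following user-space C model replays the sequence the commit message describes: fbcon_modechanged() derives cols = rows = 0 from a 1x1 mode, vc_resize(vc, 0, 0) keeps the stale geometry, and the margin subtraction in bit_clear_margins() wraps. The `vc_model` and `var_model` structs and all helper names are assumptions standing in for the kernel's structures; the arithmetic is kept unsigned exactly as the kernel does it so the old `if (rw)` guard and the patched `(int) rw > 0` guard can be compared on a host.

```c
#include <stdio.h>

/*
 * Added example, not kernel code: a user-space model of the path the commit
 * message describes (fbcon_modechanged() -> vc_resize() -> bit_clear_margins()),
 * kept to the same unsigned arithmetic so the underflow and the "(int) rw > 0"
 * guard can be exercised on a host. The two structs are assumptions standing
 * in for struct vc_data and struct fb_var_screeninfo, not the kernel's layouts.
 */
struct vc_model {
	unsigned int vc_cols;
	unsigned int vc_rows;
	unsigned int font_w;	/* vc->vc_font.width  (cw) */
	unsigned int font_h;	/* vc->vc_font.height (ch) */
};

struct var_model {
	unsigned int xres;
	unsigned int yres;
};

/* vc_resize(vc, 0, 0) leaves the geometry alone: "new_cols = (cols ? cols : vc->vc_cols)". */
static void vc_resize_model(struct vc_model *vc, unsigned int cols, unsigned int lines)
{
	vc->vc_cols = cols ? cols : vc->vc_cols;
	vc->vc_rows = lines ? lines : vc->vc_rows;
}

/* fbcon_modechanged() without rotation: cols/rows derived from the new mode. */
static void modechanged_model(struct vc_model *vc, const struct var_model *var)
{
	vc_resize_model(vc, var->xres / vc->font_w, var->yres / vc->font_h);
}

/* Margins as bit_clear_margins() derives them: unsigned, so they can wrap. */
static unsigned int right_margin(const struct vc_model *vc, const struct var_model *var)
{
	return var->xres - vc->vc_cols * vc->font_w;
}

static unsigned int bottom_margin(const struct vc_model *vc, const struct var_model *var)
{
	return var->yres - vc->vc_rows * vc->font_h;
}

/* Pre-patch guard "if (rw)": any non-zero value, wrapped or not, triggers the fill. */
static int old_guard_fills(unsigned int margin)
{
	return margin != 0;
}

/* Patched guard "(int) rw > 0": a wrapped value reads as negative and is skipped. */
static int new_guard_fills(unsigned int margin)
{
	return (int)margin > 0;
}

/*
 * Replays the reproducer: start from a 1024x768 console with an 8x16 font
 * (128x48 cells), then apply FBIOPUT_VSCREENINFO with xres = yres = 1.
 * cols and rows both become 0, the stale 128x48 geometry survives, and both
 * margins underflow. Returns the right margin; the bottom margin goes to *bh.
 */
static unsigned int replay_reproducer(unsigned int *bh)
{
	struct vc_model vc = { .vc_cols = 128, .vc_rows = 48, .font_w = 8, .font_h = 16 };
	struct var_model var = { .xres = 1024, .yres = 768 };

	var.xres = var.yres = 1;
	modechanged_model(&vc, &var);
	*bh = bottom_margin(&vc, &var);
	return right_margin(&vc, &var);
}

/* Wrappers so each margin can be checked from a single call. */
static unsigned int reproducer_rw(void)
{
	unsigned int bh;

	return replay_reproducer(&bh);
}

static unsigned int reproducer_bh(void)
{
	unsigned int bh;

	replay_reproducer(&bh);
	return bh;
}

int main(void)
{
	unsigned int rw = reproducer_rw();
	unsigned int bh = reproducer_bh();

	printf("rw = 0x%08x  old guard fills: %d  new guard fills: %d\n",
	       rw, old_guard_fills(rw), new_guard_fills(rw));
	printf("bh = 0x%08x  old guard fills: %d  new guard fills: %d\n",
	       bh, old_guard_fills(bh), new_guard_fills(bh));
	return 0;
}
```

With the reproducer's values the right margin is 1 - 1024 = 0xfffffc01 and the bottom margin 1 - 768 = 0xfffffd01; the old guard would hand either to fb_fillrect() as a width or height of roughly four billion pixels, while the cast guard rejects both. The cast from an out-of-range unsigned to a negative int is implementation-defined in ISO C but two's-complement on every target the kernel builds for, which is the same assumption the patch itself makes.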



2020-08-20 12:20:59

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 017/212] x86/build/lto: Fix truncated .bss with -fdata-sections

From: Sami Tolvanen <[email protected]>

[ Upstream commit 6a03469a1edc94da52b65478f1e00837add869a3 ]

With CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y, we compile the kernel with
-fdata-sections, which also splits the .bss section.

The new section, with a new .bss.* name, is missed by the main x86 linker
script, which only expects the '.bss' name. This results in the discarding
of the second part and a too small, truncated .bss section and an unhappy,
non-working kernel.

Use the common BSS_MAIN macro in the linker script to properly capture
and merge all the generated BSS sections.

Signed-off-by: Sami Tolvanen <[email protected]>
Reviewed-by: Nick Desaulniers <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Nicholas Piggin <[email protected]>
Cc: Nick Desaulniers <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
[ Extended the changelog. ]
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/x86/kernel/vmlinux.lds.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 097268f85e4ee..0df44e4fe7cb1 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -329,7 +329,7 @@ SECTIONS
.bss : AT(ADDR(.bss) - LOAD_OFFSET) {
__bss_start = .;
*(.bss..page_aligned)
- *(.bss)
+ *(BSS_MAIN)
. = ALIGN(PAGE_SIZE);
__bss_stop = .;
}
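Review bot: confirm that BSS_MAIN's glob (`.bss .bss.[0-9a-zA-Z_]*` when CONFIG_LD_DEAD_CODE_DATA_ELIMINATION is set, in include/asm-generic/vmlinux.lds.h) does not also match `.bss..page_aligned`: the double dot falls outside the character class, which is what lets the explicit `*(.bss..page_aligned)` line above keep page-aligned BSS at `__bss_start` ahead of the merged sections. A one-line comment on that ordering would save the next reader from re-deriving it from the macro.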
--
2.25.1



2020-08-20 21:49:32

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 4.9 000/212] 4.9.233-rc1 review

On Thu, Aug 20, 2020 at 11:19:33AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.233 release.
> There are 212 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 22 Aug 2020 09:15:09 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 171 pass: 171 fail: 0
Qemu test results:
total: 386 pass: 386 fail: 0

Guenter

2020-08-21 00:04:25

by Shuah Khan

[permalink] [raw]
Subject: Re: [PATCH 4.9 000/212] 4.9.233-rc1 review

On 8/20/20 3:19 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.233 release.
> There are 212 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 22 Aug 2020 09:15:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.233-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <[email protected]>

thanks,
-- Shuah

2020-08-21 09:43:54

by Naresh Kamboju

[permalink] [raw]
Subject: Re: [PATCH 4.9 000/212] 4.9.233-rc1 review

On Thu, 20 Aug 2020 at 15:28, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.9.233 release.
> There are 212 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 22 Aug 2020 09:15:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.233-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.9.233-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.9.y
git commit: 1a1baeef1d3674ffce6cf9dfa5b5778c60555587
git describe: v4.9.232-213-g1a1baeef1d36
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.9-oe/build/v4.9.232-213-g1a1baeef1d36

No regressions (compared to build v4.9.232)

No fixes (compared to build v4.9.232)


Ran 34241 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- juno-r2-compat
- juno-r2-kasan
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64
- x86-kasan

Test Suites
-----------
* build
* igt-gpu-tools
* install-android-platform-tools-r2600
* kselftest
* kselftest/drivers
* kselftest/filesystems
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* perf
* v4l2-compliance
* network-basic-tests
* ltp-open-posix-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-native/drivers
* kselftest-vsyscall-mode-native/filesystems
* kselftest-vsyscall-mode-none
* kselftest-vsyscall-mode-none/drivers
* kselftest-vsyscall-mode-none/filesystems
* ssuite

--
Linaro LKFT
https://lkft.linaro.org