2020-03-10 13:38:37

by Greg Kroah-Hartman

Subject: [PATCH 4.4 00/72] 4.4.216-stable review

This is the start of the stable review cycle for the 4.4.216 release.
There are 72 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 12 Mar 2020 12:34:10 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.216-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 4.4.216-rc1

yangerkun <[email protected]>
crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async

Mikulas Patocka <[email protected]>
dm cache: fix a crash due to incorrect work item cancelling

Desnes A. Nunes do Rosario <[email protected]>
powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems

Dan Carpenter <[email protected]>
dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()

Dan Carpenter <[email protected]>
hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()

Ahmad Fatoum <[email protected]>
ARM: imx: build v7_cpu_resume() unconditionally

Jason Gunthorpe <[email protected]>
RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()

Bernard Metzler <[email protected]>
RDMA/iwcm: Fix iwcm work deallocation

Charles Keepax <[email protected]>
ASoC: dapm: Correct DAPM handling of active widgets during shutdown

Matthias Reichl <[email protected]>
ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path

Takashi Iwai <[email protected]>
ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output

Dmitry Osipenko <[email protected]>
dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list

Dmitry Osipenko <[email protected]>
dmaengine: tegra-apb: Fix use-after-free

Jiri Slaby <[email protected]>
vt: selection, push sel_lock up

Jiri Slaby <[email protected]>
vt: selection, push console lock down

Jiri Slaby <[email protected]>
vt: selection, close sel_buffer race

OGAWA Hirofumi <[email protected]>
fat: fix uninit-memory access for partial initialized inode

Zhang Xiaoxu <[email protected]>
vgacon: Fix a UAF in vgacon_invert_region

Eugeniu Rosca <[email protected]>
usb: core: port: do error out if usb_autopm_get_interface() fails

Eugeniu Rosca <[email protected]>
usb: core: hub: do error out if usb_autopm_get_interface() fails

Dan Lazewatsky <[email protected]>
usb: quirks: add NO_LPM quirk for Logitech Screen Share

Jim Lin <[email protected]>
usb: storage: Add quirk for Samsung Fit flash

Ronnie Sahlberg <[email protected]>
cifs: don't leak -EAGAIN for stat() during reconnect

Vasily Averin <[email protected]>
s390/cio: cio_ignore_proc_seq_next should increase position index

Marco Felsch <[email protected]>
watchdog: da9062: do not ping the hw during stop()

Marek Vasut <[email protected]>
net: ks8851-ml: Fix 16-bit IO operation

Marek Vasut <[email protected]>
net: ks8851-ml: Fix 16-bit data access

Marek Vasut <[email protected]>
net: ks8851-ml: Remove 8-bit bus accessors

Harigovindan P <[email protected]>
drm/msm/dsi: save pll state before dsi host is powered off

John Stultz <[email protected]>
drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI

Sergey Organov <[email protected]>
usb: gadget: serial: fix Tx stall after buffer overflow

Lars-Peter Clausen <[email protected]>
usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags

Daniel Golle <[email protected]>
serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE

Paul Moore <[email protected]>
audit: always check the netlink payload length in audit_receive_msg()

Matthew Wilcox <[email protected]>
fs: prevent page refcount overflow in pipe_buf_get

Miklos Szeredi <[email protected]>
pipe: add pipe_buf_get() helper

Linus Torvalds <[email protected]>
mm: prevent get_user_pages() from overflowing page refcount

Punit Agrawal <[email protected]>
mm, gup: ensure real head page is ref-counted when using hugepages

Will Deacon <[email protected]>
mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages

Linus Torvalds <[email protected]>
mm: add 'try_get_page()' helper function

Linus Torvalds <[email protected]>
mm: make page ref count overflow check tighter and more explicit

yangerkun <[email protected]>
slip: stop double free sl->dev in slip_open

Sean Christopherson <[email protected]>
KVM: Check for a bad hva before dropping into the ghc slow path

Aleksa Sarai <[email protected]>
namei: only return -ECHILD from follow_dotdot_rcu()

Nikolay Aleksandrov <[email protected]>
net: netlink: cap max groups which will be considered in netlink_bind()

Chris Wilson <[email protected]>
include/linux/bitops.h: introduce BITS_PER_TYPE

Nathan Chancellor <[email protected]>
ecryptfs: Fix up bad backport of fe2e082f5da5b4a0a92ae32978f81507ef37ec66

Wolfram Sang <[email protected]>
i2c: jz4780: silence log flood on txabrt

Christophe JAILLET <[email protected]>
MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'

[email protected] <[email protected]>
HID: hiddev: Fix race in in hiddev_disconnect()

Johan Korsnes <[email protected]>
HID: core: increase HID report buffer size to 8KiB

Johan Korsnes <[email protected]>
HID: core: fix off-by-one memset in hid_report_raw_event()

Paul Moore <[email protected]>
audit: fix error handling in audit_data_to_entry()

Dan Carpenter <[email protected]>
ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()

Jason Baron <[email protected]>
net: sched: correct flower port blocking

Dmitry Osipenko <[email protected]>
nfc: pn544: Fix occasional HW initialization failure

Xin Long <[email protected]>
sctp: move the format error check out of __sctp_sf_do_9_1_abort

Benjamin Poirier <[email protected]>
ipv6: Fix route replacement with dev-only route

Benjamin Poirier <[email protected]>
ipv6: Fix nlmsg_flags when splitting a multipath route

Arun Parameswaran <[email protected]>
net: phy: restore mdio regs in the iproc mdio driver

Jethro Beekman <[email protected]>
net: fib_rules: Correctly set table field when table number exceeds 8 bits

Petr Mladek <[email protected]>
sysrq: Remove duplicated sysrq message

Petr Mladek <[email protected]>
sysrq: Restore original console_loglevel when sysrq disabled

Sergey Matyukevich <[email protected]>
cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE

Frank Sorenson <[email protected]>
cifs: Fix mode output in debugging statements

Sergey Matyukevich <[email protected]>
cfg80211: check wiphy driver existence for drvinfo report

Johannes Berg <[email protected]>
mac80211: consider more elements in parsing CRC

Corey Minyard <[email protected]>
ipmi:ssif: Handle a possible NULL pointer reference

Suraj Jitindar Singh <[email protected]>
ext4: fix potential race between s_group_info online resizing and access

Suraj Jitindar Singh <[email protected]>
ext4: fix potential race between s_flex_groups online resizing and access

Theodore Ts'o <[email protected]>
ext4: fix potential race between online resizing and write operations

Johannes Berg <[email protected]>
iwlwifi: pcie: fix rb_allocator workqueue allocation


-------------

Diffstat:

Makefile | 4 +-
arch/arm/mach-imx/Makefile | 2 +
arch/arm/mach-imx/common.h | 4 +-
arch/arm/mach-imx/resume-imx6.S | 24 +++++++
arch/arm/mach-imx/suspend-imx6.S | 14 -----
arch/mips/kernel/vpe.c | 2 +-
arch/powerpc/kernel/cputable.c | 4 +-
arch/s390/mm/gup.c | 6 +-
arch/x86/mm/gup.c | 9 ++-
crypto/algif_skcipher.c | 2 +-
drivers/char/ipmi/ipmi_ssif.c | 10 ++-
drivers/dma/coh901318.c | 4 --
drivers/dma/tegra20-apb-dma.c | 6 +-
drivers/gpu/drm/msm/dsi/dsi_manager.c | 7 ++-
drivers/hid/hid-core.c | 4 +-
drivers/hid/usbhid/hiddev.c | 2 +-
drivers/hwmon/adt7462.c | 2 +-
drivers/i2c/busses/i2c-jz4780.c | 36 +----------
drivers/infiniband/core/cm.c | 1 +
drivers/infiniband/core/iwcm.c | 4 +-
drivers/md/dm-cache-target.c | 4 +-
drivers/net/ethernet/micrel/ks8851_mll.c | 53 +++-------------
drivers/net/phy/mdio-bcm-iproc.c | 20 ++++++
drivers/net/slip/slip.c | 1 -
drivers/net/wireless/iwlwifi/pcie/rx.c | 6 +-
drivers/nfc/pn544/i2c.c | 1 +
drivers/s390/cio/blacklist.c | 5 +-
drivers/tty/serial/ar933x_uart.c | 8 +++
drivers/tty/sysrq.c | 8 +--
drivers/tty/vt/selection.c | 24 ++++++-
drivers/tty/vt/vt.c | 2 -
drivers/usb/core/hub.c | 6 +-
drivers/usb/core/port.c | 10 ++-
drivers/usb/core/quirks.c | 3 +
drivers/usb/gadget/function/f_fs.c | 5 +-
drivers/usb/gadget/function/u_serial.c | 4 +-
drivers/usb/storage/unusual_devs.h | 6 ++
drivers/video/console/vgacon.c | 3 +
drivers/watchdog/da9062_wdt.c | 7 ---
fs/cifs/cifsacl.c | 4 +-
fs/cifs/connect.c | 2 +-
fs/cifs/inode.c | 8 ++-
fs/ecryptfs/keystore.c | 4 +-
fs/ext4/balloc.c | 14 ++++-
fs/ext4/ext4.h | 30 +++++++--
fs/ext4/ialloc.c | 23 ++++---
fs/ext4/mballoc.c | 61 ++++++++++++------
fs/ext4/resize.c | 62 +++++++++++++++----
fs/ext4/super.c | 103 +++++++++++++++++++++----------
fs/fat/inode.c | 19 +++---
fs/fuse/dev.c | 12 ++--
fs/namei.c | 2 +-
fs/pipe.c | 4 +-
fs/splice.c | 12 +++-
include/linux/bitops.h | 3 +-
include/linux/hid.h | 2 +-
include/linux/mm.h | 23 ++++++-
include/linux/pipe_fs_i.h | 17 ++++-
include/net/flow_dissector.h | 9 +++
kernel/audit.c | 40 ++++++------
kernel/auditfilter.c | 71 +++++++++++----------
kernel/trace/trace.c | 6 +-
mm/gup.c | 51 ++++++++++-----
mm/hugetlb.c | 16 ++++-
mm/internal.h | 28 ++++++++-
net/core/fib_rules.c | 2 +-
net/ipv6/ip6_fib.c | 7 ++-
net/ipv6/route.c | 1 +
net/mac80211/util.c | 18 ++++--
net/netlink/af_netlink.c | 5 +-
net/sched/cls_flower.c | 1 +
net/sctp/sm_statefuns.c | 27 +++++---
net/wireless/ethtool.c | 8 ++-
net/wireless/nl80211.c | 1 +
sound/soc/codecs/pcm512x.c | 8 ++-
sound/soc/soc-dapm.c | 2 +-
sound/soc/soc-pcm.c | 16 ++---
virt/kvm/kvm_main.c | 12 ++--
78 files changed, 684 insertions(+), 373 deletions(-)



2020-03-10 13:38:42

by Greg Kroah-Hartman

Subject: [PATCH 4.4 04/72] ext4: fix potential race between s_group_info online resizing and access

From: Suraj Jitindar Singh <[email protected]>

[ Upstream commit df3da4ea5a0fc5d115c90d5aa6caa4dd433750a7 ]

During an online resize an array of pointers to s_group_info gets replaced
so it can get enlarged. If there is a concurrent access to the array in
ext4_get_group_info() and this memory has been reused then this can lead to
an invalid memory access.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=206443
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Suraj Jitindar Singh <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Reviewed-by: Balbir Singh <[email protected]>
Cc: [email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
fs/ext4/ext4.h | 8 ++++----
fs/ext4/mballoc.c | 52 +++++++++++++++++++++++++++++++----------------
2 files changed, 39 insertions(+), 21 deletions(-)

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index e1f2d0499080e..ab0f08c89d5f1 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1363,7 +1363,7 @@ struct ext4_sb_info {
#endif

/* for buddy allocator */
- struct ext4_group_info ***s_group_info;
+ struct ext4_group_info ** __rcu *s_group_info;
struct inode *s_buddy_cache;
spinlock_t s_md_lock;
unsigned short *s_mb_offsets;
@@ -2813,13 +2813,13 @@ static inline
struct ext4_group_info *ext4_get_group_info(struct super_block *sb,
ext4_group_t group)
{
- struct ext4_group_info ***grp_info;
+ struct ext4_group_info **grp_info;
long indexv, indexh;
BUG_ON(group >= EXT4_SB(sb)->s_groups_count);
- grp_info = EXT4_SB(sb)->s_group_info;
indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb));
indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1);
- return grp_info[indexv][indexh];
+ grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv);
+ return grp_info[indexh];
}

/*
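
Review bot: ext4_get_group_info() now returns grp_info[indexh] after sbi_array_rcu_deref() has handed back the second-level array, but neither that macro nor the read-side locking it implies is defined in this patch. The changelog should name the earlier patch in the series that introduces sbi_array_rcu_deref(), and a comment above this function should state why the second-level array stays valid once the helper has returned.
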
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index e15a5c5ddc096..fda49f4c5a8eb 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2378,7 +2378,7 @@ int ext4_mb_alloc_groupinfo(struct super_block *sb, ext4_group_t ngroups)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
unsigned size;
- struct ext4_group_info ***new_groupinfo;
+ struct ext4_group_info ***old_groupinfo, ***new_groupinfo;

size = (ngroups + EXT4_DESC_PER_BLOCK(sb) - 1) >>
EXT4_DESC_PER_BLOCK_BITS(sb);
@@ -2391,13 +2391,16 @@ int ext4_mb_alloc_groupinfo(struct super_block *sb, ext4_group_t ngroups)
ext4_msg(sb, KERN_ERR, "can't allocate buddy meta group");
return -ENOMEM;
}
- if (sbi->s_group_info) {
- memcpy(new_groupinfo, sbi->s_group_info,
+ rcu_read_lock();
+ old_groupinfo = rcu_dereference(sbi->s_group_info);
+ if (old_groupinfo)
+ memcpy(new_groupinfo, old_groupinfo,
sbi->s_group_info_size * sizeof(*sbi->s_group_info));
- kvfree(sbi->s_group_info);
- }
- sbi->s_group_info = new_groupinfo;
+ rcu_read_unlock();
+ rcu_assign_pointer(sbi->s_group_info, new_groupinfo);
sbi->s_group_info_size = size / sizeof(*sbi->s_group_info);
+ if (old_groupinfo)
+ ext4_kvfree_array_rcu(old_groupinfo);
ext4_debug("allocated s_groupinfo array for %d meta_bg's\n",
sbi->s_group_info_size);
return 0;
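
Review bot: in ext4_mb_alloc_groupinfo() the new array is published with rcu_assign_pointer() and sbi->s_group_info_size is updated afterwards with a plain store, so nothing in these lines orders the size against the pointer; any reader that uses s_group_info_size as a bound should be checked against seeing the two out of step. The rcu_read_lock()/rcu_dereference() pair around the memcpy() sits on the update side, where it does not exclude a second updater: a comment naming the lock that serializes resize, or rcu_dereference_protected() with that lock, would make the assumption explicit.
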
@@ -2409,6 +2412,7 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group,
{
int i;
int metalen = 0;
+ int idx = group >> EXT4_DESC_PER_BLOCK_BITS(sb);
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_group_info **meta_group_info;
struct kmem_cache *cachep = get_groupinfo_cache(sb->s_blocksize_bits);
@@ -2427,12 +2431,12 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group,
"for a buddy group");
goto exit_meta_group_info;
}
- sbi->s_group_info[group >> EXT4_DESC_PER_BLOCK_BITS(sb)] =
- meta_group_info;
+ rcu_read_lock();
+ rcu_dereference(sbi->s_group_info)[idx] = meta_group_info;
+ rcu_read_unlock();
}

- meta_group_info =
- sbi->s_group_info[group >> EXT4_DESC_PER_BLOCK_BITS(sb)];
+ meta_group_info = sbi_array_rcu_deref(sbi, s_group_info, idx);
i = group & (EXT4_DESC_PER_BLOCK(sb) - 1);

meta_group_info[i] = kmem_cache_zalloc(cachep, GFP_NOFS);
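
Review bot: `rcu_dereference(sbi->s_group_info)[idx] = meta_group_info;` is a store into the RCU-published array made under rcu_read_lock(), which only keeps the array from being freed. It does not stop ext4_mb_alloc_groupinfo() from running its memcpy() of the old array at the same moment, in which case the new entry could land in the array that is being retired. Please document what serializes ext4_mb_add_groupinfo() against the resize path, or take that lock here.
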
@@ -2480,8 +2484,13 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group,
exit_group_info:
/* If a meta_group_info table has been allocated, release it now */
if (group % EXT4_DESC_PER_BLOCK(sb) == 0) {
- kfree(sbi->s_group_info[group >> EXT4_DESC_PER_BLOCK_BITS(sb)]);
- sbi->s_group_info[group >> EXT4_DESC_PER_BLOCK_BITS(sb)] = NULL;
+ struct ext4_group_info ***group_info;
+
+ rcu_read_lock();
+ group_info = rcu_dereference(sbi->s_group_info);
+ kfree(group_info[idx]);
+ group_info[idx] = NULL;
+ rcu_read_unlock();
}
exit_meta_group_info:
return -ENOMEM;
@@ -2494,6 +2503,7 @@ static int ext4_mb_init_backend(struct super_block *sb)
struct ext4_sb_info *sbi = EXT4_SB(sb);
int err;
struct ext4_group_desc *desc;
+ struct ext4_group_info ***group_info;
struct kmem_cache *cachep;

err = ext4_mb_alloc_groupinfo(sb, ngroups);
@@ -2528,11 +2538,16 @@ err_freebuddy:
while (i-- > 0)
kmem_cache_free(cachep, ext4_get_group_info(sb, i));
i = sbi->s_group_info_size;
+ rcu_read_lock();
+ group_info = rcu_dereference(sbi->s_group_info);
while (i-- > 0)
- kfree(sbi->s_group_info[i]);
+ kfree(group_info[i]);
+ rcu_read_unlock();
iput(sbi->s_buddy_cache);
err_freesgi:
- kvfree(sbi->s_group_info);
+ rcu_read_lock();
+ kvfree(rcu_dereference(sbi->s_group_info));
+ rcu_read_unlock();
return -ENOMEM;
}

@@ -2720,7 +2735,7 @@ int ext4_mb_release(struct super_block *sb)
ext4_group_t ngroups = ext4_get_groups_count(sb);
ext4_group_t i;
int num_meta_group_infos;
- struct ext4_group_info *grinfo;
+ struct ext4_group_info *grinfo, ***group_info;
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct kmem_cache *cachep = get_groupinfo_cache(sb->s_blocksize_bits);

@@ -2738,9 +2753,12 @@ int ext4_mb_release(struct super_block *sb)
num_meta_group_infos = (ngroups +
EXT4_DESC_PER_BLOCK(sb) - 1) >>
EXT4_DESC_PER_BLOCK_BITS(sb);
+ rcu_read_lock();
+ group_info = rcu_dereference(sbi->s_group_info);
for (i = 0; i < num_meta_group_infos; i++)
- kfree(sbi->s_group_info[i]);
- kvfree(sbi->s_group_info);
+ kfree(group_info[i]);
+ kvfree(group_info);
+ rcu_read_unlock();
}
kfree(sbi->s_mb_offsets);
kfree(sbi->s_mb_maxs);
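
Review bot: in ext4_mb_release() the rcu_read_lock() section wraps kfree(group_info[i]) and kvfree(group_info), which is a teardown rather than a read, and sbi->s_group_info is left pointing at the freed array afterwards. If no reader can exist at this point, say so in a comment and drop the read-side lock; otherwise free the array through ext4_kvfree_array_rcu() as ext4_mb_alloc_groupinfo() does, and clear the pointer.
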
--
2.20.1



2020-03-10 13:38:44

by Greg Kroah-Hartman

Subject: [PATCH 4.4 36/72] mm: prevent get_user_pages() from overflowing page refcount

From: Linus Torvalds <[email protected]>

commit 8fde12ca79aff9b5ba951fce1a2641901b8d8e64 upstream.

If the page refcount wraps around past zero, it will be freed while
there are still four billion references to it. One of the possible
avenues for an attacker to try to make this happen is by doing direct IO
on a page multiple times. This patch makes get_user_pages() refuse to
take a new page reference if there are already more than two billion
references to the page.

Reported-by: Jann Horn <[email protected]>
Acked-by: Matthew Wilcox <[email protected]>
Cc: [email protected]
Signed-off-by: Linus Torvalds <[email protected]>
[ 4.4.y backport notes:
Ajay: - Added local variable 'err' with-in follow_hugetlb_page()
from 2be7cfed995e, to resolve compilation error
- Added page_ref_count()
- Added missing refcount overflow checks on x86 and s390
(Vlastimil, thanks for this change)
Srivatsa: - Replaced call to get_page_foll() with try_get_page_foll() ]
Signed-off-by: Srivatsa S. Bhat (VMware) <[email protected]>
Signed-off-by: Ajay Kaher <[email protected]>
Signed-off-by: Vlastimil Babka <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/s390/mm/gup.c | 6 ++++--
arch/x86/mm/gup.c | 9 ++++++++-
include/linux/mm.h | 5 +++++
mm/gup.c | 42 +++++++++++++++++++++++++++++++++---------
mm/hugetlb.c | 16 +++++++++++++++-
5 files changed, 65 insertions(+), 13 deletions(-)

--- a/arch/s390/mm/gup.c
+++ b/arch/s390/mm/gup.c
@@ -37,7 +37,8 @@ static inline int gup_pte_range(pmd_t *p
return 0;
VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
page = pte_page(pte);
- if (!page_cache_get_speculative(page))
+ if (WARN_ON_ONCE(page_ref_count(page) < 0)
+ || !page_cache_get_speculative(page))
return 0;
if (unlikely(pte_val(pte) != pte_val(*ptep))) {
put_page(page);
@@ -76,7 +77,8 @@ static inline int gup_huge_pmd(pmd_t *pm
refs++;
} while (addr += PAGE_SIZE, addr != end);

- if (!page_cache_add_speculative(head, refs)) {
+ if (WARN_ON_ONCE(page_ref_count(head) < 0)
+ || !page_cache_add_speculative(head, refs)) {
*nr -= refs;
return 0;
}
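
Review bot: the new test in gup_huge_pmd() checks page_ref_count(head) < 0 and only then calls page_cache_add_speculative(head, refs), so the check and the addition are two separate steps and the addition of refs is not itself bounded. The guard relies on the distance between the sign bit and a full wrap, not on an exact limit; a one-line comment saying so would keep a later reader from tightening or removing it. The same applies to the gup_pte_range() hunk above.
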
--- a/arch/x86/mm/gup.c
+++ b/arch/x86/mm/gup.c
@@ -95,7 +95,10 @@ static noinline int gup_pte_range(pmd_t
}
VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
page = pte_page(pte);
- get_page(page);
+ if (unlikely(!try_get_page(page))) {
+ pte_unmap(ptep);
+ return 0;
+ }
SetPageReferenced(page);
pages[*nr] = page;
(*nr)++;
@@ -132,6 +135,8 @@ static noinline int gup_huge_pmd(pmd_t p

refs = 0;
head = pmd_page(pmd);
+ if (WARN_ON_ONCE(page_ref_count(head) <= 0))
+ return 0;
page = head + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
do {
VM_BUG_ON_PAGE(compound_head(page) != head, page);
@@ -208,6 +213,8 @@ static noinline int gup_huge_pud(pud_t p

refs = 0;
head = pud_page(pud);
+ if (WARN_ON_ONCE(page_ref_count(head) <= 0))
+ return 0;
page = head + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
do {
VM_BUG_ON_PAGE(compound_head(page) != head, page);
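
Review bot: gup_huge_pmd() and gup_huge_pud() bail out on page_ref_count(head) <= 0, while the s390 hunks and try_get_compound_head() in mm/gup.c in this same patch test < 0. If the difference is intended, please say why in a comment next to the check; otherwise use one threshold throughout.
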
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -488,6 +488,11 @@ static inline void get_huge_page_tail(st

extern bool __get_page_tail(struct page *page);

+static inline int page_ref_count(struct page *page)
+{
+ return atomic_read(&page->_count);
+}
+
/* 127: arbitrary random number, small enough to assemble well */
#define page_ref_zero_or_close_to_overflow(page) \
((unsigned int) atomic_read(&page->_count) + 127u <= 127u)
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -126,8 +126,12 @@ retry:
}
}

- if (flags & FOLL_GET)
- get_page_foll(page);
+ if (flags & FOLL_GET) {
+ if (unlikely(!try_get_page_foll(page))) {
+ page = ERR_PTR(-ENOMEM);
+ goto out;
+ }
+ }
if (flags & FOLL_TOUCH) {
if ((flags & FOLL_WRITE) &&
!pte_dirty(pte) && !PageDirty(page))
@@ -289,7 +293,10 @@ static int get_gate_page(struct mm_struc
goto unmap;
*page = pte_page(*pte);
}
- get_page(*page);
+ if (unlikely(!try_get_page(*page))) {
+ ret = -ENOMEM;
+ goto unmap;
+ }
out:
ret = 0;
unmap:
@@ -1053,6 +1060,20 @@ struct page *get_dump_page(unsigned long
*/
#ifdef CONFIG_HAVE_GENERIC_RCU_GUP

+/*
+ * Return the compund head page with ref appropriately incremented,
+ * or NULL if that failed.
+ */
+static inline struct page *try_get_compound_head(struct page *page, int refs)
+{
+ struct page *head = compound_head(page);
+ if (WARN_ON_ONCE(atomic_read(&head->_count) < 0))
+ return NULL;
+ if (unlikely(!page_cache_add_speculative(head, refs)))
+ return NULL;
+ return head;
+}
+
#ifdef __HAVE_ARCH_PTE_SPECIAL
static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
int write, struct page **pages, int *nr)
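
Review bot: try_get_compound_head() reads atomic_read(&head->_count) directly although this patch adds page_ref_count() to include/linux/mm.h for that purpose and uses it in the gup_pte_range() hunk that follows; use the helper here too so the overflow checks can be found with one grep. The comment above the function also has a typo, "compund" for "compound".
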
@@ -1083,6 +1104,9 @@ static int gup_pte_range(pmd_t pmd, unsi
VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
page = pte_page(pte);

+ if (WARN_ON_ONCE(page_ref_count(page) < 0))
+ goto pte_unmap;
+
if (!page_cache_get_speculative(page))
goto pte_unmap;

@@ -1139,8 +1163,8 @@ static int gup_huge_pmd(pmd_t orig, pmd_
refs++;
} while (addr += PAGE_SIZE, addr != end);

- head = compound_head(pmd_page(orig));
- if (!page_cache_add_speculative(head, refs)) {
+ head = try_get_compound_head(pmd_page(orig), refs);
+ if (!head) {
*nr -= refs;
return 0;
}
@@ -1185,8 +1209,8 @@ static int gup_huge_pud(pud_t orig, pud_
refs++;
} while (addr += PAGE_SIZE, addr != end);

- head = compound_head(pud_page(orig));
- if (!page_cache_add_speculative(head, refs)) {
+ head = try_get_compound_head(pud_page(orig), refs);
+ if (!head) {
*nr -= refs;
return 0;
}
@@ -1227,8 +1251,8 @@ static int gup_huge_pgd(pgd_t orig, pgd_
refs++;
} while (addr += PAGE_SIZE, addr != end);

- head = compound_head(pgd_page(orig));
- if (!page_cache_add_speculative(head, refs)) {
+ head = try_get_compound_head(pgd_page(orig), refs);
+ if (!head) {
*nr -= refs;
return 0;
}
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3886,6 +3886,7 @@ long follow_hugetlb_page(struct mm_struc
unsigned long vaddr = *position;
unsigned long remainder = *nr_pages;
struct hstate *h = hstate_vma(vma);
+ int err = -EFAULT;

while (vaddr < vma->vm_end && remainder) {
pte_t *pte;
@@ -3957,6 +3958,19 @@ long follow_hugetlb_page(struct mm_struc

pfn_offset = (vaddr & ~huge_page_mask(h)) >> PAGE_SHIFT;
page = pte_page(huge_ptep_get(pte));
+
+ /*
+ * Instead of doing 'try_get_page_foll()' below in the same_page
+ * loop, just check the count once here.
+ */
+ if (unlikely(page_count(page) <= 0)) {
+ if (pages) {
+ spin_unlock(ptl);
+ remainder = 0;
+ err = -ENOMEM;
+ break;
+ }
+ }
same_page:
if (pages) {
pages[i] = mem_map_offset(page, pfn_offset);
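
Review bot: the overflow test in follow_hugetlb_page() only acts when pages is non-NULL; with pages == NULL a count <= 0 falls through to same_page without any indication. If that is deliberate, fold the two conditions into one, `if (pages && unlikely(page_count(page) <= 0))`, and say so in the comment, since the nested if reads like an oversight. This hunk also uses page_count() where the rest of the patch uses page_ref_count().
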
@@ -3983,7 +3997,7 @@ same_page:
*nr_pages = remainder;
*position = vaddr;

- return i ? i : -EFAULT;
+ return i ? i : err;
}

unsigned long hugetlb_change_protection(struct vm_area_struct *vma,
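
The wrap-around described in the commit message above, as an added userspace model that is not part of the patch or of the kernel sources. `struct model_page`, `get_unchecked()`, `try_get()` and the other function names are hypothetical; the 32-bit counter stands in for page->_count, and the guard's shape (refuse when the count is zero or has its sign bit set) is an assumption taken from the "more than two billion references" wording.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: a bare 32-bit counter standing in for page->_count. */
struct model_page {
    uint32_t count;
};

/*
 * Same arithmetic as the page_ref_zero_or_close_to_overflow() macro visible
 * in the include/linux/mm.h context: true when the count, read as a signed
 * value, lies in [-127, 0].
 */
static bool zero_or_close_to_overflow(uint32_t count)
{
    return count + 127u <= 127u;
}

/* Unguarded get: one more reference at 0xffffffff wraps the count to 0. */
static void get_unchecked(struct model_page *p)
{
    p->count++;
}

/*
 * Guarded get (assumed shape): refuse once the count is zero or has reached
 * the sign bit, which leaves about two billion increments of headroom
 * before a wrap to zero could happen.
 */
static bool try_get(struct model_page *p)
{
    if (p->count == 0 || p->count > (uint32_t)INT32_MAX)
        return false;
    p->count++;
    return true;
}

/* Count after a single unguarded get starting from 'start'. */
static uint32_t count_after_unchecked_get(uint32_t start)
{
    struct model_page p = { .count = start };

    get_unchecked(&p);
    return p.count;
}

/* Number of references try_get() grants out of 'attempts' tries. */
static uint32_t grants_from(uint32_t start, uint32_t attempts)
{
    struct model_page p = { .count = start };
    uint32_t granted = 0;

    for (uint32_t i = 0; i < attempts; i++)
        if (try_get(&p))
            granted++;
    return granted;
}

int main(void)
{
    /* Constructed starting values around the two boundaries. */
    printf("unchecked get at 0xffffffff -> count %u (looks free)\n",
           (unsigned)count_after_unchecked_get(UINT32_MAX));
    printf("guarded gets granted from 0x7ffffffe: %u of 10\n",
           (unsigned)grants_from(0x7ffffffeu, 10));
    printf("guarded gets granted from 0x80000000: %u of 10\n",
           (unsigned)grants_from(0x80000000u, 10));
    printf("macro at 0: %d, at 1: %d, at -127: %d, at -128: %d\n",
           zero_or_close_to_overflow(0u),
           zero_or_close_to_overflow(1u),
           zero_or_close_to_overflow(0xffffff81u),
           zero_or_close_to_overflow(0xffffff80u));
    return 0;
}
```
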


2020-03-10 13:38:49

by Greg Kroah-Hartman

Subject: [PATCH 4.4 03/72] ext4: fix potential race between s_flex_groups online resizing and access

From: Suraj Jitindar Singh <[email protected]>

commit 7c990728b99ed6fbe9c75fc202fce1172d9916da upstream.

During an online resize an array of s_flex_groups structures gets replaced
so it can get enlarged. If there is a concurrent access to the array and
this memory has been reused then this can lead to an invalid memory access.

The s_flex_group array has been converted into an array of pointers rather
than an array of structures. This is to ensure that the information
contained in the structures cannot get out of sync during a resize due to
an accessor updating the value in the old structure after it has been
copied but before the array pointer is updated. Since the structures them-
selves are no longer copied but only the pointers to them this case is
mitigated.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=206443
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Suraj Jitindar Singh <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Cc: [email protected] # 4.4.x
Cc: [email protected] # 4.9.x
Signed-off-by: Sasha Levin <[email protected]>
---
fs/ext4/ext4.h | 2 +-
fs/ext4/ialloc.c | 23 +++++++++------
fs/ext4/mballoc.c | 9 ++++--
fs/ext4/resize.c | 7 +++--
fs/ext4/super.c | 72 ++++++++++++++++++++++++++++++++---------------
5 files changed, 76 insertions(+), 37 deletions(-)

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 1f5622c7adc56..e1f2d0499080e 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1410,7 +1410,7 @@ struct ext4_sb_info {
unsigned int s_extent_max_zeroout_kb;

unsigned int s_log_groups_per_flex;
- struct flex_groups *s_flex_groups;
+ struct flex_groups * __rcu *s_flex_groups;
ext4_group_t s_flex_groups_allocated;

/* workqueue for reserved extent conversions (buffered io) */
diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index 0963213e9cd36..c31b05f0bd691 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -331,11 +331,13 @@ void ext4_free_inode(handle_t *handle, struct inode *inode)

percpu_counter_inc(&sbi->s_freeinodes_counter);
if (sbi->s_log_groups_per_flex) {
- ext4_group_t f = ext4_flex_group(sbi, block_group);
+ struct flex_groups *fg;

- atomic_inc(&sbi->s_flex_groups[f].free_inodes);
+ fg = sbi_array_rcu_deref(sbi, s_flex_groups,
+ ext4_flex_group(sbi, block_group));
+ atomic_inc(&fg->free_inodes);
if (is_directory)
- atomic_dec(&sbi->s_flex_groups[f].used_dirs);
+ atomic_dec(&fg->used_dirs);
}
BUFFER_TRACE(bh2, "call ext4_handle_dirty_metadata");
fatal = ext4_handle_dirty_metadata(handle, NULL, bh2);
@@ -376,12 +378,13 @@ static void get_orlov_stats(struct super_block *sb, ext4_group_t g,
int flex_size, struct orlov_stats *stats)
{
struct ext4_group_desc *desc;
- struct flex_groups *flex_group = EXT4_SB(sb)->s_flex_groups;

if (flex_size > 1) {
- stats->free_inodes = atomic_read(&flex_group[g].free_inodes);
- stats->free_clusters = atomic64_read(&flex_group[g].free_clusters);
- stats->used_dirs = atomic_read(&flex_group[g].used_dirs);
+ struct flex_groups *fg = sbi_array_rcu_deref(EXT4_SB(sb),
+ s_flex_groups, g);
+ stats->free_inodes = atomic_read(&fg->free_inodes);
+ stats->free_clusters = atomic64_read(&fg->free_clusters);
+ stats->used_dirs = atomic_read(&fg->used_dirs);
return;
}

@@ -981,7 +984,8 @@ got:
if (sbi->s_log_groups_per_flex) {
ext4_group_t f = ext4_flex_group(sbi, group);

- atomic_inc(&sbi->s_flex_groups[f].used_dirs);
+ atomic_inc(&sbi_array_rcu_deref(sbi, s_flex_groups,
+ f)->used_dirs);
}
}
if (ext4_has_group_desc_csum(sb)) {
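
Review bot: `atomic_inc(&sbi_array_rcu_deref(sbi, s_flex_groups, f)->used_dirs);` nests the RCU lookup inside the atomic call, while ext4_free_inode() and get_orlov_stats() earlier in this file assign the result to a local `fg` first. Use the local-variable form here and in the free_inodes hunk that follows, so every dereference of s_flex_groups has the same shape and is easy to audit.
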
@@ -1004,7 +1008,8 @@ got:

if (sbi->s_log_groups_per_flex) {
flex_group = ext4_flex_group(sbi, group);
- atomic_dec(&sbi->s_flex_groups[flex_group].free_inodes);
+ atomic_dec(&sbi_array_rcu_deref(sbi, s_flex_groups,
+ flex_group)->free_inodes);
}

inode->i_ino = ino + group * EXT4_INODES_PER_GROUP(sb);
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 828b4c080c381..e15a5c5ddc096 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2995,7 +2995,8 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
ext4_group_t flex_group = ext4_flex_group(sbi,
ac->ac_b_ex.fe_group);
atomic64_sub(ac->ac_b_ex.fe_len,
- &sbi->s_flex_groups[flex_group].free_clusters);
+ &sbi_array_rcu_deref(sbi, s_flex_groups,
+ flex_group)->free_clusters);
}

err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
@@ -4887,7 +4888,8 @@ do_more:
if (sbi->s_log_groups_per_flex) {
ext4_group_t flex_group = ext4_flex_group(sbi, block_group);
atomic64_add(count_clusters,
- &sbi->s_flex_groups[flex_group].free_clusters);
+ &sbi_array_rcu_deref(sbi, s_flex_groups,
+ flex_group)->free_clusters);
}

if (!(flags & EXT4_FREE_BLOCKS_NO_QUOT_UPDATE))
@@ -5032,7 +5034,8 @@ int ext4_group_add_blocks(handle_t *handle, struct super_block *sb,
if (sbi->s_log_groups_per_flex) {
ext4_group_t flex_group = ext4_flex_group(sbi, block_group);
atomic64_add(EXT4_NUM_B2C(sbi, blocks_freed),
- &sbi->s_flex_groups[flex_group].free_clusters);
+ &sbi_array_rcu_deref(sbi, s_flex_groups,
+ flex_group)->free_clusters);
}

ext4_mb_unload_buddy(&e4b);
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index 31b05884f7b00..f5b6667b0ab06 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1422,11 +1422,14 @@ static void ext4_update_super(struct super_block *sb,
percpu_counter_read(&sbi->s_freeclusters_counter));
if (ext4_has_feature_flex_bg(sb) && sbi->s_log_groups_per_flex) {
ext4_group_t flex_group;
+ struct flex_groups *fg;
+
flex_group = ext4_flex_group(sbi, group_data[0].group);
+ fg = sbi_array_rcu_deref(sbi, s_flex_groups, flex_group);
atomic64_add(EXT4_NUM_B2C(sbi, free_blocks),
- &sbi->s_flex_groups[flex_group].free_clusters);
+ &fg->free_clusters);
atomic_add(EXT4_INODES_PER_GROUP(sb) * flex_gd->count,
- &sbi->s_flex_groups[flex_group].free_inodes);
+ &fg->free_inodes);
}

/*
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 567830f41f797..fe015becceea9 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -795,6 +795,7 @@ static void ext4_put_super(struct super_block *sb)
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_super_block *es = sbi->s_es;
struct buffer_head **group_desc;
+ struct flex_groups **flex_groups;
int aborted = 0;
int i, err;

@@ -832,8 +833,13 @@ static void ext4_put_super(struct super_block *sb)
for (i = 0; i < sbi->s_gdb_count; i++)
brelse(group_desc[i]);
kvfree(group_desc);
+ flex_groups = rcu_dereference(sbi->s_flex_groups);
+ if (flex_groups) {
+ for (i = 0; i < sbi->s_flex_groups_allocated; i++)
+ kvfree(flex_groups[i]);
+ kvfree(flex_groups);
+ }
rcu_read_unlock();
- kvfree(sbi->s_flex_groups);
percpu_counter_destroy(&sbi->s_freeclusters_counter);
percpu_counter_destroy(&sbi->s_freeinodes_counter);
percpu_counter_destroy(&sbi->s_dirs_counter);
@@ -1982,8 +1988,8 @@ done:
int ext4_alloc_flex_bg_array(struct super_block *sb, ext4_group_t ngroup)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct flex_groups *new_groups;
- int size;
+ struct flex_groups **old_groups, **new_groups;
+ int size, i;

if (!sbi->s_log_groups_per_flex)
return 0;
@@ -1992,22 +1998,37 @@ int ext4_alloc_flex_bg_array(struct super_block *sb, ext4_group_t ngroup)
if (size <= sbi->s_flex_groups_allocated)
return 0;

- size = roundup_pow_of_two(size * sizeof(struct flex_groups));
- new_groups = ext4_kvzalloc(size, GFP_KERNEL);
+ new_groups = ext4_kvzalloc(roundup_pow_of_two(size *
+ sizeof(*sbi->s_flex_groups)), GFP_KERNEL);
if (!new_groups) {
- ext4_msg(sb, KERN_ERR, "not enough memory for %d flex groups",
- size / (int) sizeof(struct flex_groups));
+ ext4_msg(sb, KERN_ERR,
+ "not enough memory for %d flex group pointers", size);
return -ENOMEM;
}
-
- if (sbi->s_flex_groups) {
- memcpy(new_groups, sbi->s_flex_groups,
- (sbi->s_flex_groups_allocated *
- sizeof(struct flex_groups)));
- kvfree(sbi->s_flex_groups);
+ for (i = sbi->s_flex_groups_allocated; i < size; i++) {
+ new_groups[i] = ext4_kvzalloc(roundup_pow_of_two(
+ sizeof(struct flex_groups)),
+ GFP_KERNEL);
+ if (!new_groups[i]) {
+ for (i--; i >= sbi->s_flex_groups_allocated; i--)
+ kvfree(new_groups[i]);
+ kvfree(new_groups);
+ ext4_msg(sb, KERN_ERR,
+ "not enough memory for %d flex groups", size);
+ return -ENOMEM;
+ }
}
- sbi->s_flex_groups = new_groups;
- sbi->s_flex_groups_allocated = size / sizeof(struct flex_groups);
+ rcu_read_lock();
+ old_groups = rcu_dereference(sbi->s_flex_groups);
+ if (old_groups)
+ memcpy(new_groups, old_groups,
+ (sbi->s_flex_groups_allocated *
+ sizeof(struct flex_groups *)));
+ rcu_read_unlock();
+ rcu_assign_pointer(sbi->s_flex_groups, new_groups);
+ sbi->s_flex_groups_allocated = size;
+ if (old_groups)
+ ext4_kvfree_array_rcu(old_groups);
return 0;
}

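Review bot: the unwind loop `for (i--; i >= sbi->s_flex_groups_allocated; i--)` compares the int i against s_flex_groups_allocated, which is an ext4_group_t and therefore unsigned. When s_flex_groups_allocated is 0 and an allocation fails, i reaches -1, is converted to unsigned for the comparison, the condition stays true and kvfree(new_groups[i]) runs with a negative index. Walk upwards with a separate index instead, `for (j = sbi->s_flex_groups_allocated; j < i; j++)`, or cast the bound to int. The shortlog of this series lists "ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()", which should be applied together with this patch and checked against this loop.
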
@@ -2015,6 +2036,7 @@ static int ext4_fill_flex_info(struct super_block *sb)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_group_desc *gdp = NULL;
+ struct flex_groups *fg;
ext4_group_t flex_group;
int i, err;

@@ -2032,12 +2054,11 @@ static int ext4_fill_flex_info(struct super_block *sb)
gdp = ext4_get_group_desc(sb, i, NULL);

flex_group = ext4_flex_group(sbi, i);
- atomic_add(ext4_free_inodes_count(sb, gdp),
- &sbi->s_flex_groups[flex_group].free_inodes);
+ fg = sbi_array_rcu_deref(sbi, s_flex_groups, flex_group);
+ atomic_add(ext4_free_inodes_count(sb, gdp), &fg->free_inodes);
atomic64_add(ext4_free_group_clusters(sb, gdp),
- &sbi->s_flex_groups[flex_group].free_clusters);
- atomic_add(ext4_used_dirs_count(sb, gdp),
- &sbi->s_flex_groups[flex_group].used_dirs);
+ &fg->free_clusters);
+ atomic_add(ext4_used_dirs_count(sb, gdp), &fg->used_dirs);
}

return 1;
@@ -3243,6 +3264,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
struct buffer_head *bh, **group_desc;
struct ext4_super_block *es = NULL;
struct ext4_sb_info *sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
+ struct flex_groups **flex_groups;
ext4_fsblk_t block;
ext4_fsblk_t sb_block = get_sb_block(&data);
ext4_fsblk_t logical_sb_block;
@@ -4159,8 +4181,14 @@ failed_mount7:
ext4_unregister_li_request(sb);
failed_mount6:
ext4_mb_release(sb);
- if (sbi->s_flex_groups)
- kvfree(sbi->s_flex_groups);
+ rcu_read_lock();
+ flex_groups = rcu_dereference(sbi->s_flex_groups);
+ if (flex_groups) {
+ for (i = 0; i < sbi->s_flex_groups_allocated; i++)
+ kvfree(flex_groups[i]);
+ kvfree(flex_groups);
+ }
+ rcu_read_unlock();
percpu_counter_destroy(&sbi->s_freeclusters_counter);
percpu_counter_destroy(&sbi->s_freeinodes_counter);
percpu_counter_destroy(&sbi->s_dirs_counter);
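
Review bot: The kvfree() calls added under failed_mount6 run inside rcu_read_lock()/rcu_read_unlock(), which reads as if concurrent readers could still exist while the array is being torn down. If the read-side section is there only to satisfy rcu_dereference() on a mount that never completed, say so in a short comment above rcu_read_lock(), so the next reader does not assume a real reader/updater race on this path.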
--
2.20.1



2020-03-10 13:39:06

by Greg Kroah-Hartman

Subject: [PATCH 4.4 45/72] net: ks8851-ml: Remove 8-bit bus accessors

From: Marek Vasut <[email protected]>

[ Upstream commit 69233bba6543a37755158ca3382765387b8078df ]

This driver is mixing 8-bit and 16-bit bus accessors for reasons unknown,
however the speculation is that this was some sort of attempt to support
the 8-bit bus mode.

As per the KS8851-16MLL documentation, all two registers accessed via the
8-bit accessors are internally 16-bit registers, so reading them using
16-bit accessors is fine. The KS_CCR read can be converted to 16-bit read
outright, as it is already a concatenation of two 8-bit reads of that
register. The KS_RXQCR accesses are 8-bit only, however writing the top
8 bits of the register is OK as well, since the driver caches the entire
16-bit register value anyway.

Finally, the driver is not used by any hardware in the kernel right now.
The only hardware available to me is one with 16-bit bus, so I have no
way to test the 8-bit bus mode, however it is unlikely this ever really
worked anyway. If the 8-bit bus mode is ever required, it can be easily
added by adjusting the 16-bit accessors to do 2 consecutive accesses,
which is how this should have been done from the beginning.

Signed-off-by: Marek Vasut <[email protected]>
Cc: David S. Miller <[email protected]>
Cc: Lukas Wunner <[email protected]>
Cc: Petr Stetiar <[email protected]>
Cc: YueHaibing <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/micrel/ks8851_mll.c | 45 +++---------------------
1 file changed, 5 insertions(+), 40 deletions(-)

diff --git a/drivers/net/ethernet/micrel/ks8851_mll.c b/drivers/net/ethernet/micrel/ks8851_mll.c
index 8dc1f0277117d..721f851674531 100644
--- a/drivers/net/ethernet/micrel/ks8851_mll.c
+++ b/drivers/net/ethernet/micrel/ks8851_mll.c
@@ -474,24 +474,6 @@ static int msg_enable;
* chip is busy transferring packet data (RX/TX FIFO accesses).
*/

-/**
- * ks_rdreg8 - read 8 bit register from device
- * @ks : The chip information
- * @offset: The register address
- *
- * Read a 8bit register from the chip, returning the result
- */
-static u8 ks_rdreg8(struct ks_net *ks, int offset)
-{
- u16 data;
- u8 shift_bit = offset & 0x03;
- u8 shift_data = (offset & 1) << 3;
- ks->cmd_reg_cache = (u16) offset | (u16)(BE0 << shift_bit);
- iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
- data = ioread16(ks->hw_addr);
- return (u8)(data >> shift_data);
-}
-
/**
* ks_rdreg16 - read 16 bit register from device
* @ks : The chip information
@@ -507,22 +489,6 @@ static u16 ks_rdreg16(struct ks_net *ks, int offset)
return ioread16(ks->hw_addr);
}

-/**
- * ks_wrreg8 - write 8bit register value to chip
- * @ks: The chip information
- * @offset: The register address
- * @value: The value to write
- *
- */
-static void ks_wrreg8(struct ks_net *ks, int offset, u8 value)
-{
- u8 shift_bit = (offset & 0x03);
- u16 value_write = (u16)(value << ((offset & 1) << 3));
- ks->cmd_reg_cache = (u16)offset | (BE0 << shift_bit);
- iowrite16(ks->cmd_reg_cache, ks->hw_addr_cmd);
- iowrite16(value_write, ks->hw_addr);
-}
-
/**
* ks_wrreg16 - write 16bit register value to chip
* @ks: The chip information
@@ -642,8 +608,7 @@ static void ks_read_config(struct ks_net *ks)
u16 reg_data = 0;

/* Regardless of bus width, 8 bit read should always work.*/
- reg_data = ks_rdreg8(ks, KS_CCR) & 0x00FF;
- reg_data |= ks_rdreg8(ks, KS_CCR+1) << 8;
+ reg_data = ks_rdreg16(ks, KS_CCR);

/* addr/data bus are multiplexed */
ks->sharedbus = (reg_data & CCR_SHARED) == CCR_SHARED;
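Review bot: The context comment above the changed read in ks_read_config(), "Regardless of bus width, 8 bit read should always work.", is stale once the read becomes a single ks_rdreg16(ks, KS_CCR). Update or drop the comment in the same patch so the code does not describe an 8-bit access that no longer exists.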
@@ -747,7 +712,7 @@ static inline void ks_read_qmu(struct ks_net *ks, u16 *buf, u32 len)

/* 1. set sudo DMA mode */
ks_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI);
- ks_wrreg8(ks, KS_RXQCR, (ks->rc_rxqcr | RXQCR_SDA) & 0xff);
+ ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);

/* 2. read prepend data */
/**
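Review bot: In ks_read_qmu() the "& 0xff" mask is dropped from the KS_RXQCR write, so the upper byte of ks->rc_rxqcr now reaches the register every time pseudo-DMA mode is entered. The commit message justifies this by the driver caching the whole 16-bit value; a one-line comment at the write stating that rc_rxqcr holds the full register contents would keep that reasoning next to the code.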
@@ -764,7 +729,7 @@ static inline void ks_read_qmu(struct ks_net *ks, u16 *buf, u32 len)
ks_inblk(ks, buf, ALIGN(len, 4));

/* 4. reset sudo DMA Mode */
- ks_wrreg8(ks, KS_RXQCR, ks->rc_rxqcr);
+ ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
}

/**
@@ -997,13 +962,13 @@ static void ks_write_qmu(struct ks_net *ks, u8 *pdata, u16 len)
ks->txh.txw[1] = cpu_to_le16(len);

/* 1. set sudo-DMA mode */
- ks_wrreg8(ks, KS_RXQCR, (ks->rc_rxqcr | RXQCR_SDA) & 0xff);
+ ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
/* 2. write status/lenth info */
ks_outblk(ks, ks->txh.txw, 4);
/* 3. write pkt data */
ks_outblk(ks, (u16 *)pdata, ALIGN(len, 4));
/* 4. reset sudo-DMA mode */
- ks_wrreg8(ks, KS_RXQCR, ks->rc_rxqcr);
+ ks_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
/* 5. Enqueue Tx(move the pkt from TX buffer into TXQ) */
ks_wrreg16(ks, KS_TXQCR, TXQCR_METFE);
/* 6. wait until TXQCR_METFE is auto-cleared */
--
2.20.1



2020-03-10 13:41:16

by Greg Kroah-Hartman

Subject: [PATCH 4.4 28/72] net: netlink: cap max groups which will be considered in netlink_bind()

From: Nikolay Aleksandrov <[email protected]>

commit 3a20773beeeeadec41477a5ba872175b778ff752 upstream.

Since nl_groups is a u32 we can't bind more groups via ->bind
(netlink_bind) call, but netlink has supported more groups via
setsockopt() for a long time and thus nlk->ngroups could be over 32.
Recently I added support for per-vlan notifications and increased the
groups to 33 for NETLINK_ROUTE which exposed an old bug in the
netlink_bind() code causing out-of-bounds access on archs where unsigned
long is 32 bits via test_bit() on a local variable. Fix this by capping the
maximum groups in netlink_bind() to BITS_PER_TYPE(u32), effectively
capping them at 32 which is the minimum of allocated groups and the
maximum groups which can be bound via netlink_bind().

CC: Christophe Leroy <[email protected]>
CC: Richard Guy Briggs <[email protected]>
Fixes: 4f520900522f ("netlink: have netlink per-protocol bind function return an error code.")
Reported-by: Erhard F. <[email protected]>
Signed-off-by: Nikolay Aleksandrov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/netlink/af_netlink.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1003,7 +1003,8 @@ static int netlink_bind(struct socket *s
if (nlk->netlink_bind && groups) {
int group;

- for (group = 0; group < nlk->ngroups; group++) {
+ /* nl_groups is a u32, so cap the maximum groups we can bind */
+ for (group = 0; group < BITS_PER_TYPE(u32); group++) {
if (!test_bit(group, &groups))
continue;
err = nlk->netlink_bind(net, group + 1);
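Review bot: The loop bound in netlink_bind() is now the constant BITS_PER_TYPE(u32) rather than the smaller of that and nlk->ngroups, so the code relies on nlk->ngroups never being below 32. The commit message says 32 is the minimum number of allocated groups, but the in-code comment only mentions the width of nl_groups; extend the comment to record that invariant, or bound the loop with min_t() if it cannot be guaranteed.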
@@ -1022,7 +1023,7 @@ static int netlink_bind(struct socket *s
netlink_insert(sk, nladdr->nl_pid) :
netlink_autobind(sock);
if (err) {
- netlink_undo_bind(nlk->ngroups, groups, sk);
+ netlink_undo_bind(BITS_PER_TYPE(u32), groups, sk);
return err;
}
}


2020-03-10 13:41:25

by Greg Kroah-Hartman

Subject: [PATCH 4.4 16/72] sctp: move the format error check out of __sctp_sf_do_9_1_abort

From: Xin Long <[email protected]>

[ Upstream commit 245709ec8be89af46ea7ef0444c9c80913999d99 ]

When T2 timer is to be stopped, the asoc should also be deleted,
otherwise, there will be no chance to call sctp_association_free
and the asoc could last in memory forever.

However, in sctp_sf_shutdown_sent_abort(), after adding the cmd
SCTP_CMD_TIMER_STOP for T2 timer, it may return error due to the
format error from __sctp_sf_do_9_1_abort() and miss adding
SCTP_CMD_ASSOC_FAILED where the asoc will be deleted.

This patch is to fix it by moving the format error check out of
__sctp_sf_do_9_1_abort(), and do it before adding the cmd
SCTP_CMD_TIMER_STOP for T2 timer.

Thanks Hangbin for reporting this issue by the fuzz testing.

v1->v2:
- improve the comment in the code as Marcelo's suggestion.

Fixes: 96ca468b86b0 ("sctp: check invalid value of length parameter in error cause")
Reported-by: Hangbin Liu <[email protected]>
Acked-by: Marcelo Ricardo Leitner <[email protected]>
Signed-off-by: Xin Long <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/sctp/sm_statefuns.c | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)

--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -177,6 +177,16 @@ sctp_chunk_length_valid(struct sctp_chun
return 1;
}

+/* Check for format error in an ABORT chunk */
+static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
+{
+ struct sctp_errhdr *err;
+
+ sctp_walk_errors(err, chunk->chunk_hdr);
+
+ return (void *)err == (void *)chunk->chunk_end;
+}
+
/**********************************************************
* These are the state functions for handling chunk events.
**********************************************************/
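Review bot: sctp_err_chunk_valid() walks the error causes unconditionally, whereas the code removed from __sctp_sf_do_9_1_abort() only walked them when len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr). Confirm that an ABORT carrying no error cause still passes the new helper, and extend its one-line comment to say so, so that the change in behaviour for short chunks is visibly intentional.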
@@ -2159,6 +2169,9 @@ sctp_disposition_t sctp_sf_shutdown_pend
sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);

+ if (!sctp_err_chunk_valid(chunk))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
}

@@ -2201,6 +2214,9 @@ sctp_disposition_t sctp_sf_shutdown_sent
sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);

+ if (!sctp_err_chunk_valid(chunk))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* Stop the T2-shutdown timer. */
sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
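Review bot: In sctp_sf_shutdown_sent_abort() the new check has no comment saying why it must sit above the SCTP_CMD_TIMER_STOP command, yet that ordering is the whole fix described in the commit message. A short comment such as "validate the chunk before stopping T2, otherwise the asoc is never freed" would stop a later cleanup from moving the check back down.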
@@ -2466,6 +2482,9 @@ sctp_disposition_t sctp_sf_do_9_1_abort(
sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);

+ if (!sctp_err_chunk_valid(chunk))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
}

@@ -2482,15 +2501,9 @@ static sctp_disposition_t __sctp_sf_do_9

/* See if we have an error cause code in the chunk. */
len = ntohs(chunk->chunk_hdr->length);
- if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
-
- sctp_errhdr_t *err;
- sctp_walk_errors(err, chunk->chunk_hdr);
- if ((void *)err != (void *)chunk->chunk_end)
- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

+ if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
- }

sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
/* ASSOC_FAILED will DELETE_TCB. */


2020-03-10 13:41:42

by Greg Kroah-Hartman

Subject: [PATCH 4.4 41/72] usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags

From: Lars-Peter Clausen <[email protected]>

[ Upstream commit 43d565727a3a6fd24e37c7c2116475106af71806 ]

ffs_aio_cancel() can be called from both interrupt and thread context. Make
sure that the current IRQ state is saved and restored by using
spin_{un,}lock_irq{save,restore}().

Otherwise undefined behavior might occur.

Acked-by: Michal Nazarewicz <[email protected]>
Signed-off-by: Lars-Peter Clausen <[email protected]>
Signed-off-by: Alexandru Ardelean <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/usb/gadget/function/f_fs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 4cb1355271ec4..9536c409a90d5 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -888,18 +888,19 @@ static int ffs_aio_cancel(struct kiocb *kiocb)
{
struct ffs_io_data *io_data = kiocb->private;
struct ffs_epfile *epfile = kiocb->ki_filp->private_data;
+ unsigned long flags;
int value;

ENTER();

- spin_lock_irq(&epfile->ffs->eps_lock);
+ spin_lock_irqsave(&epfile->ffs->eps_lock, flags);

if (likely(io_data && io_data->ep && io_data->req))
value = usb_ep_dequeue(io_data->ep, io_data->req);
else
value = -EINVAL;

- spin_unlock_irq(&epfile->ffs->eps_lock);
+ spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);

return value;
}
--
2.20.1



2020-03-10 13:42:41

by Greg Kroah-Hartman

Subject: [PATCH 4.4 71/72] dm cache: fix a crash due to incorrect work item cancelling

From: Mikulas Patocka <[email protected]>

commit 7cdf6a0aae1cccf5167f3f04ecddcf648b78e289 upstream.

The crash can be reproduced by running the lvm2 testsuite test
lvconvert-thin-external-cache.sh for several minutes, e.g.:
while :; do make check T=shell/lvconvert-thin-external-cache.sh; done

The crash happens in this call chain:
do_waker -> policy_tick -> smq_tick -> end_hotspot_period -> clear_bitset
-> memset -> __memset -- which accesses an invalid pointer in the vmalloc
area.

The work entry on the workqueue is executed even after the bitmap was
freed. The problem is that cancel_delayed_work doesn't wait for the
running work item to finish, so the work item can continue running and
re-submitting itself even after cache_postsuspend. In order to make sure
that the work item won't be running, we must use cancel_delayed_work_sync.

Also, change flush_workqueue to drain_workqueue, so that if some work item
submits itself or another work item, we are properly waiting for both of
them.

Fixes: c6b4fcbad044 ("dm: add cache target")
Cc: [email protected] # v3.9
Signed-off-by: Mikulas Patocka <[email protected]>
Signed-off-by: Mike Snitzer <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/md/dm-cache-target.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -2193,8 +2193,8 @@ static void wait_for_migrations(struct c

static void stop_worker(struct cache *cache)
{
- cancel_delayed_work(&cache->waker);
- flush_workqueue(cache->wq);
+ cancel_delayed_work_sync(&cache->waker);
+ drain_workqueue(cache->wq);
}

static void requeue_deferred_cells(struct cache *cache)
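
Review bot: stop_worker() now calls drain_workqueue(cache->wq), which, unlike flush_workqueue(), only tolerates work queued by items already running on that workqueue while the drain is in progress and warns about anything queued from outside. The hunk does not show what else can queue onto cache->wq at this point, so confirm that no outside submitter can run concurrently with stop_worker(), and add a comment above the two calls explaining why the _sync and drain variants are required.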


2020-03-10 20:08:33

by Jon Hunter

Subject: Re: [PATCH 4.4 00/72] 4.4.216-stable review


On 10/03/2020 12:38, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.216 release.
> There are 72 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 12 Mar 2020 12:34:10 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.216-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


All tests are passing for Tegra ...

Test results for stable-v4.4:
6 builds: 6 pass, 0 fail
12 boots: 12 pass, 0 fail
19 tests: 19 pass, 0 fail

Linux version: 4.4.216-rc1-g836f82655232
Boards tested: tegra124-jetson-tk1, tegra20-ventana,
tegra30-cardhu-a04

Cheers
Jon

--
nvpublic

2020-03-10 21:58:46

by Guenter Roeck

Subject: Re: [PATCH 4.4 00/72] 4.4.216-stable review

On 3/10/20 5:38 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.216 release.
> There are 72 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 12 Mar 2020 12:34:10 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 170 pass: 170 fail: 0
Qemu test results:
total: 335 pass: 335 fail: 0

Guenter

2020-03-10 22:01:39

by Shuah Khan

Subject: Re: [PATCH 4.4 00/72] 4.4.216-stable review

On 3/10/20 6:38 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.216 release.
> There are 72 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 12 Mar 2020 12:34:10 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.216-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

2020-03-11 08:22:08

by Naresh Kamboju

Subject: Re: [PATCH 4.4 00/72] 4.4.216-stable review

On Tue, 10 Mar 2020 at 18:11, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.4.216 release.
> There are 72 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 12 Mar 2020 12:34:10 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.216-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.4.216-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.4.y
git commit: 836f82655232ea02028bb5857f19bfd950b33c33
git describe: v4.4.215-73-g836f82655232
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.4-oe/build/v4.4.215-73-g836f82655232

No regressions (compared to build v4.4.215)

No fixes (compared to build v4.4.215)

Ran 21137 total tests in the following environments and test suites.

Environments
--------------
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* kselftest
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* ltp-cap_bounds-64k-page_size-tests
* ltp-cap_bounds-kasan-tests
* ltp-commands-64k-page_size-tests
* ltp-commands-kasan-tests
* ltp-containers-64k-page_size-tests
* ltp-containers-kasan-tests
* ltp-cpuhotplug-64k-page_size-tests
* ltp-cpuhotplug-kasan-tests
* ltp-crypto-64k-page_size-tests
* ltp-crypto-kasan-tests
* ltp-cve-64k-page_size-tests
* ltp-cve-kasan-tests
* ltp-dio-64k-page_size-tests
* ltp-dio-kasan-tests
* ltp-fcntl-locktests-64k-page_size-tests
* ltp-fcntl-locktests-kasan-tests
* ltp-filecaps-64k-page_size-tests
* ltp-filecaps-kasan-tests
* ltp-fs-64k-page_size-tests
* ltp-fs-kasan-tests
* ltp-fs_bind-64k-page_size-tests
* ltp-fs_bind-kasan-tests
* ltp-fs_perms_simple-64k-page_size-tests
* ltp-fs_perms_simple-kasan-tests
* ltp-fsx-64k-page_size-tests
* ltp-fsx-kasan-tests
* ltp-hugetlb-64k-page_size-tests
* ltp-hugetlb-kasan-tests
* ltp-io-64k-page_size-tests
* ltp-io-kasan-tests
* ltp-ipc-64k-page_size-tests
* ltp-ipc-kasan-tests
* ltp-math-64k-page_size-tests
* ltp-math-kasan-tests
* ltp-mm-64k-page_size-tests
* ltp-mm-kasan-tests
* ltp-nptl-64k-page_size-tests
* ltp-nptl-kasan-tests
* ltp-pty-64k-page_size-tests
* ltp-pty-kasan-tests
* ltp-sched-64k-page_size-tests
* ltp-sched-kasan-tests
* ltp-securebits-64k-page_size-tests
* ltp-securebits-kasan-tests
* ltp-syscalls-64k-page_size-tests
* ltp-syscalls-compat-tests
* ltp-syscalls-kasan-tests
* install-android-platform-tools-r2600
* ltp-open-posix-tests
* kselftest-vsyscall-mode-none

Summary
------------------------------------------------------------------------

kernel: 4.4.216-rc1
git repo: https://git.linaro.org/lkft/arm64-stable-rc.git
git branch: 4.4.216-rc1-hikey-20200310-664
git commit: ac3d5b19a0a5c40aaa3436bb63d6b0098eb7ce7b
git describe: 4.4.216-rc1-hikey-20200310-664
Test details: https://qa-reports.linaro.org/lkft/linaro-hikey-stable-rc-4.4-oe/build/4.4.216-rc1-hikey-20200310-664


No regressions (compared to build 4.4.216-rc1-hikey-20200309-663)


No fixes (compared to build 4.4.216-rc1-hikey-20200309-663)

Ran 1682 total tests in the following environments and test suites.

Environments
--------------
- hi6220-hikey - arm64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org

2020-03-11 10:28:36

by Chris Paterson

Subject: RE: [PATCH 4.4 00/72] 4.4.216-stable review

Hello Greg,

> From: [email protected] <[email protected]> On
> Behalf Of Greg Kroah-Hartman
> Sent: 10 March 2020 12:38
>
> This is the start of the stable review cycle for the 4.4.216 release.
> There are 72 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.

No build issues seen for CIP configs for Linux 4.4.216-rc1 (836f82655232).

Build logs: https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/pipelines/124878979
Pipeline: https://gitlab.com/cip-project/cip-testing/linux-cip-pipelines/-/blob/master/trees/linux-4.4.y.yml

Kind regards, Chris

>
> Responses should be made by Thu, 12 Mar 2020 12:34:10 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-
> 4.4.216-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
> linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
> Pseudo-Shortlog of commits:
>
> Greg Kroah-Hartman <[email protected]>
> Linux 4.4.216-rc1
>
> yangerkun <[email protected]>
> crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
>
> Mikulas Patocka <[email protected]>
> dm cache: fix a crash due to incorrect work item cancelling
>
> Desnes A. Nunes do Rosario <[email protected]>
> powerpc: fix hardware PMU exception bug on PowerVM compatibility mode
> systems
>
> Dan Carpenter <[email protected]>
> dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
>
> Dan Carpenter <[email protected]>
> hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
>
> Ahmad Fatoum <[email protected]>
> ARM: imx: build v7_cpu_resume() unconditionally
>
> Jason Gunthorpe <[email protected]>
> RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
>
> Bernard Metzler <[email protected]>
> RDMA/iwcm: Fix iwcm work deallocation
>
> Charles Keepax <[email protected]>
> ASoC: dapm: Correct DAPM handling of active widgets during shutdown
>
> Matthias Reichl <[email protected]>
> ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
>
> Takashi Iwai <[email protected]>
> ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
>
> Dmitry Osipenko <[email protected]>
> dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
>
> Dmitry Osipenko <[email protected]>
> dmaengine: tegra-apb: Fix use-after-free
>
> Jiri Slaby <[email protected]>
> vt: selection, push sel_lock up
>
> Jiri Slaby <[email protected]>
> vt: selection, push console lock down
>
> Jiri Slaby <[email protected]>
> vt: selection, close sel_buffer race
>
> OGAWA Hirofumi <[email protected]>
> fat: fix uninit-memory access for partial initialized inode
>
> Zhang Xiaoxu <[email protected]>
> vgacon: Fix a UAF in vgacon_invert_region
>
> Eugeniu Rosca <[email protected]>
> usb: core: port: do error out if usb_autopm_get_interface() fails
>
> Eugeniu Rosca <[email protected]>
> usb: core: hub: do error out if usb_autopm_get_interface() fails
>
> Dan Lazewatsky <[email protected]>
> usb: quirks: add NO_LPM quirk for Logitech Screen Share
>
> Jim Lin <[email protected]>
> usb: storage: Add quirk for Samsung Fit flash
>
> Ronnie Sahlberg <[email protected]>
> cifs: don't leak -EAGAIN for stat() during reconnect
>
> Vasily Averin <[email protected]>
> s390/cio: cio_ignore_proc_seq_next should increase position index
>
> Marco Felsch <[email protected]>
> watchdog: da9062: do not ping the hw during stop()
>
> Marek Vasut <[email protected]>
> net: ks8851-ml: Fix 16-bit IO operation
>
> Marek Vasut <[email protected]>
> net: ks8851-ml: Fix 16-bit data access
>
> Marek Vasut <[email protected]>
> net: ks8851-ml: Remove 8-bit bus accessors
>
> Harigovindan P <[email protected]>
> drm/msm/dsi: save pll state before dsi host is powered off
>
> John Stultz <[email protected]>
> drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
>
> Sergey Organov <[email protected]>
> usb: gadget: serial: fix Tx stall after buffer overflow
>
> Lars-Peter Clausen <[email protected]>
> usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
>
> Daniel Golle <[email protected]>
> serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
>
> Paul Moore <[email protected]>
> audit: always check the netlink payload length in audit_receive_msg()
>
> Matthew Wilcox <[email protected]>
> fs: prevent page refcount overflow in pipe_buf_get
>
> Miklos Szeredi <[email protected]>
> pipe: add pipe_buf_get() helper
>
> Linus Torvalds <[email protected]>
> mm: prevent get_user_pages() from overflowing page refcount
>
> Punit Agrawal <[email protected]>
> mm, gup: ensure real head page is ref-counted when using hugepages
>
> Will Deacon <[email protected]>
> mm, gup: remove broken VM_BUG_ON_PAGE compound check for
> hugepages
>
> Linus Torvalds <[email protected]>
> mm: add 'try_get_page()' helper function
>
> Linus Torvalds <[email protected]>
> mm: make page ref count overflow check tighter and more explicit
>
> yangerkun <[email protected]>
> slip: stop double free sl->dev in slip_open
>
> Sean Christopherson <[email protected]>
> KVM: Check for a bad hva before dropping into the ghc slow path
>
> Aleksa Sarai <[email protected]>
> namei: only return -ECHILD from follow_dotdot_rcu()
>
> Nikolay Aleksandrov <[email protected]>
> net: netlink: cap max groups which will be considered in netlink_bind()
>
> Chris Wilson <[email protected]>
> include/linux/bitops.h: introduce BITS_PER_TYPE
>
> Nathan Chancellor <[email protected]>
> ecryptfs: Fix up bad backport of
> fe2e082f5da5b4a0a92ae32978f81507ef37ec66
>
> Wolfram Sang <[email protected]>
> i2c: jz4780: silence log flood on txabrt
>
> Christophe JAILLET <[email protected]>
> MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
>
> [email protected] <[email protected]>
> HID: hiddev: Fix race in in hiddev_disconnect()
>
> Johan Korsnes <[email protected]>
> HID: core: increase HID report buffer size to 8KiB
>
> Johan Korsnes <[email protected]>
> HID: core: fix off-by-one memset in hid_report_raw_event()
>
> Paul Moore <[email protected]>
> audit: fix error handling in audit_data_to_entry()
>
> Dan Carpenter <[email protected]>
> ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
>
> Jason Baron <[email protected]>
> net: sched: correct flower port blocking
>
> Dmitry Osipenko <[email protected]>
> nfc: pn544: Fix occasional HW initialization failure
>
> Xin Long <[email protected]>
> sctp: move the format error check out of __sctp_sf_do_9_1_abort
>
> Benjamin Poirier <[email protected]>
> ipv6: Fix route replacement with dev-only route
>
> Benjamin Poirier <[email protected]>
> ipv6: Fix nlmsg_flags when splitting a multipath route
>
> Arun Parameswaran <[email protected]>
> net: phy: restore mdio regs in the iproc mdio driver
>
> Jethro Beekman <[email protected]>
> net: fib_rules: Correctly set table field when table number exceeds 8 bits
>
> Petr Mladek <[email protected]>
> sysrq: Remove duplicated sysrq message
>
> Petr Mladek <[email protected]>
> sysrq: Restore original console_loglevel when sysrq disabled
>
> Sergey Matyukevich <[email protected]>
> cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
>
> Frank Sorenson <[email protected]>
> cifs: Fix mode output in debugging statements
>
> Sergey Matyukevich <[email protected]>
> cfg80211: check wiphy driver existence for drvinfo report
>
> Johannes Berg <[email protected]>
> mac80211: consider more elements in parsing CRC
>
> Corey Minyard <[email protected]>
> ipmi:ssif: Handle a possible NULL pointer reference
>
> Suraj Jitindar Singh <[email protected]>
> ext4: fix potential race between s_group_info online resizing and access
>
> Suraj Jitindar Singh <[email protected]>
> ext4: fix potential race between s_flex_groups online resizing and access
>
> Theodore Ts'o <[email protected]>
> ext4: fix potential race between online resizing and write operations
>
> Johannes Berg <[email protected]>
> iwlwifi: pcie: fix rb_allocator workqueue allocation
>
>
> -------------
>
> Diffstat:
>
> Makefile | 4 +-
> arch/arm/mach-imx/Makefile | 2 +
> arch/arm/mach-imx/common.h | 4 +-
> arch/arm/mach-imx/resume-imx6.S | 24 +++++++
> arch/arm/mach-imx/suspend-imx6.S | 14 -----
> arch/mips/kernel/vpe.c | 2 +-
> arch/powerpc/kernel/cputable.c | 4 +-
> arch/s390/mm/gup.c | 6 +-
> arch/x86/mm/gup.c | 9 ++-
> crypto/algif_skcipher.c | 2 +-
> drivers/char/ipmi/ipmi_ssif.c | 10 ++-
> drivers/dma/coh901318.c | 4 --
> drivers/dma/tegra20-apb-dma.c | 6 +-
> drivers/gpu/drm/msm/dsi/dsi_manager.c | 7 ++-
> drivers/hid/hid-core.c | 4 +-
> drivers/hid/usbhid/hiddev.c | 2 +-
> drivers/hwmon/adt7462.c | 2 +-
> drivers/i2c/busses/i2c-jz4780.c | 36 +----------
> drivers/infiniband/core/cm.c | 1 +
> drivers/infiniband/core/iwcm.c | 4 +-
> drivers/md/dm-cache-target.c | 4 +-
> drivers/net/ethernet/micrel/ks8851_mll.c | 53 +++-------------
> drivers/net/phy/mdio-bcm-iproc.c | 20 ++++++
> drivers/net/slip/slip.c | 1 -
> drivers/net/wireless/iwlwifi/pcie/rx.c | 6 +-
> drivers/nfc/pn544/i2c.c | 1 +
> drivers/s390/cio/blacklist.c | 5 +-
> drivers/tty/serial/ar933x_uart.c | 8 +++
> drivers/tty/sysrq.c | 8 +--
> drivers/tty/vt/selection.c | 24 ++++++-
> drivers/tty/vt/vt.c | 2 -
> drivers/usb/core/hub.c | 6 +-
> drivers/usb/core/port.c | 10 ++-
> drivers/usb/core/quirks.c | 3 +
> drivers/usb/gadget/function/f_fs.c | 5 +-
> drivers/usb/gadget/function/u_serial.c | 4 +-
> drivers/usb/storage/unusual_devs.h | 6 ++
> drivers/video/console/vgacon.c | 3 +
> drivers/watchdog/da9062_wdt.c | 7 ---
> fs/cifs/cifsacl.c | 4 +-
> fs/cifs/connect.c | 2 +-
> fs/cifs/inode.c | 8 ++-
> fs/ecryptfs/keystore.c | 4 +-
> fs/ext4/balloc.c | 14 ++++-
> fs/ext4/ext4.h | 30 +++++++--
> fs/ext4/ialloc.c | 23 ++++---
> fs/ext4/mballoc.c | 61 ++++++++++++------
> fs/ext4/resize.c | 62 +++++++++++++++----
> fs/ext4/super.c | 103 +++++++++++++++++++++----------
> fs/fat/inode.c | 19 +++---
> fs/fuse/dev.c | 12 ++--
> fs/namei.c | 2 +-
> fs/pipe.c | 4 +-
> fs/splice.c | 12 +++-
> include/linux/bitops.h | 3 +-
> include/linux/hid.h | 2 +-
> include/linux/mm.h | 23 ++++++-
> include/linux/pipe_fs_i.h | 17 ++++-
> include/net/flow_dissector.h | 9 +++
> kernel/audit.c | 40 ++++++------
> kernel/auditfilter.c | 71 +++++++++++----------
> kernel/trace/trace.c | 6 +-
> mm/gup.c | 51 ++++++++++-----
> mm/hugetlb.c | 16 ++++-
> mm/internal.h | 28 ++++++++-
> net/core/fib_rules.c | 2 +-
> net/ipv6/ip6_fib.c | 7 ++-
> net/ipv6/route.c | 1 +
> net/mac80211/util.c | 18 ++++--
> net/netlink/af_netlink.c | 5 +-
> net/sched/cls_flower.c | 1 +
> net/sctp/sm_statefuns.c | 27 +++++---
> net/wireless/ethtool.c | 8 ++-
> net/wireless/nl80211.c | 1 +
> sound/soc/codecs/pcm512x.c | 8 ++-
> sound/soc/soc-dapm.c | 2 +-
> sound/soc/soc-pcm.c | 16 ++---
> virt/kvm/kvm_main.c | 12 ++--
> 78 files changed, 684 insertions(+), 373 deletions(-)
>