Re: [PATCH] kbuild: deb-pkg: change the source package name to 'linux'

2021-04-19 Thread Ben Hutchings
On Mon, 2021-04-19 at 16:01 +0900, Masahiro Yamada wrote:
> Change the source package name from 'linux-$(KERNELRELEASE)' to 'linux',
> which is aligned with the source package from the Debian community.

I would prefer that the source package name is *not* the same, so that
it is clearly distinguished from distribution packages.

Before commit 3716001bcb7f "deb-pkg: add source package" the binary
packages used to claim that the source package was "linux-upstream"
(although no such source package existed).  Could we use that instead?

Ben.

> The filenames will be changed as follows:
> 
> [before]
>   linux-5.12.0-rc3+_5.12.0-rc3+-1.dsc
>   linux-5.12.0-rc3+_5.12.0-rc3+.orig.tar.gz
>   linux-5.12.0-rc3+_5.12.0-rc3+-1.diff.gz
> 
> [After]
>   linux_5.12.0-rc3+-1.dsc
>   linux_5.12.0-rc3+.orig.tar.gz
>   linux_5.12.0-rc3+-1.diff.gz
> 
> Commit 3716001bcb7f ("deb-pkg: add source package") introduced
> KDEB_SOURCENAME. If you are unhappy with the default name, you can
> override it via KDEB_SOURCENAME.
>
> Signed-off-by: Masahiro Yamada 
> ---
> 
>  scripts/Makefile.package | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/scripts/Makefile.package b/scripts/Makefile.package
> index f952fb64789d..c5834a480545 100644
> --- a/scripts/Makefile.package
> +++ b/scripts/Makefile.package
> @@ -25,7 +25,7 @@ include $(srctree)/scripts/Kbuild.include
>  
>  # Remove hyphens since they have special meaning in RPM filenames
>  KERNELPATH := kernel-$(subst -,_,$(KERNELRELEASE))
> -KDEB_SOURCENAME ?= linux-$(KERNELRELEASE)
> +KDEB_SOURCENAME ?= linux
>  KBUILD_PKG_ROOTCMD ?="fakeroot -u"
>  export KDEB_SOURCENAME
>  # Include only those top-level files that are needed by make, plus the GPL 
> copy
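
Review bot: the new default `KDEB_SOURCENAME ?= linux` makes a locally built kernel claim the same source package name as Debian's own `linux` source package, so a .dsc or binary package from this build is no longer distinguishable from a distribution package by name alone. A distinct default such as `linux-upstream`, the name the binary packages advertised before commit 3716001bcb7f, keeps the `?=` override path while avoiding the collision.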

-- 
Ben Hutchings
Humour is the best antidote to reality.


Re: [PATCH 4.9 00/78] 4.9.262-rc1 review

2021-03-28 Thread Ben Hutchings
On Mon, 2021-03-15 at 13:42 -0700, Florian Fainelli wrote:
> 
> 
> On 3/15/2021 6:51 AM, gre...@linuxfoundation.org wrote:
> > From: Greg Kroah-Hartman 
> > 
> > This is the start of the stable review cycle for the 4.9.262
> > release.
> > There are 78 patches in this series, all will be posted as a
> > response
> > to this one.  If anyone has any issues with these being applied,
> > please
> > let me know.
> > 
> > Responses should be made by Wed, 17 Mar 2021 13:51:58 +.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 
> > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.262-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-
> > stable-rc.git linux-4.9.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> 
> On ARCH_BRCMSTB using 32-bit and 64-bit kernels, still seeing the
> following futex warning, unfortunately simply running the function
> tracers does not allow me to trigger the warning, so I am having a
> hard
> time coming up with a simple reproducer:
[...]

I've now also seen this warning on x86_64 when running Firefox.  I
don't know why it didn't show up in my earlier testing.

I remain sceptical that a cherry-picking approach is going to work for
fixing futexes on 4.9.  But I now have an additional patch series that
seems to fix this warning (and some other older bugs that I didn't
reproduce) and continues to pass the self-tests.  I'll send that along
shortly.

Ben.

-- 
Ben Hutchings
It is a miracle that curiosity survives formal education.
  - Albert Einstein


Re: [PATCH] x86/tlb: Flush global mappings when KAISER is disabled

2021-03-25 Thread Ben Hutchings
On Thu, 2021-03-25 at 19:19 -0400, Sasha Levin wrote:
> On Thu, Mar 25, 2021 at 04:36:55PM -0400, Sasha Levin wrote:
> > On Thu, Mar 25, 2021 at 09:09:42PM +0100, Borislav Petkov wrote:
> > > Hi stable folks,
> > > 
> > > the patch below fixes kernels 4.4 and 4.9 booting on AMD platforms with
> > > PCID support. It doesn't have an upstream counterpart because it patches
> > > the KAISER code which didn't go upstream. It applies fine to both of the
> > > aforementioned kernels - please pick it up.
> > 
> > Queued up for 4.9 and 4.4, thanks!
> > 
> > > Jim Mattson reported that Debian 9 guests using a 4.9-stable kernel
> > > are exploding during alternatives patching:
> > 
> > (Cc Ben & Salvatore)
> > 
> > I'm not sure if 4.9 or Debian is still alive or not, but FYI...
>     *on
> 
>     :)

We're supporting both 4.9 and 4.19 in Debian 9.  The general rule is we
carry on with the same stable kernel branch for the whole 5 year
support period, but add the option of using the kernel version from the
next stable release.

Ben.

-- 
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.


Re: futex breakage in 4.9 stable branch

2021-03-01 Thread Ben Hutchings
On Mon, Mar 01, 2021 at 09:07:03AM +0100, Greg Kroah-Hartman wrote:
> On Mon, Mar 01, 2021 at 01:13:08AM +0100, Ben Hutchings wrote:
> > On Tue, 2021-02-23 at 15:00 +0100, Greg Kroah-Hartman wrote:
> > > I'm announcing the release of the 4.9.258 kernel.
> > > 
> > > All users of the 4.9 kernel series must upgrade.
> > > 
> > > The updated 4.9.y git tree can be found at:
> > > 
> > > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git 
> > > linux-4.9.y
> > > and can be browsed at the normal kernel.org git web browser:
> > > 
> > 
> > The backported futex fixes are still incomplete/broken in this version.
> > If I enable lockdep and run the futex self-tests (from 5.10):
> > 
> > - on 4.9.246, they pass with no lockdep output
> > - on 4.9.257 and 4.9.258, they pass but futex_requeue_pi triggers a
> >   lockdep splat
> > 
> > I have a local branch that essentially updates futex and rtmutex in
> > 4.9-stable to match 4.14-stable.  With this, the tests pass and lockdep
> > is happy.
> > 
> > Unfortunately, that branch has about another 60 commits.

I have now rebased that on top of 4.9.258, and there are "only" 39
commits.

> > Further, the
> > more we change futex in 4.9, the more difficult it is going to be to
> > update the 4.9-rt branch.  But I don't see any better option available
> > at the moment.
> > 
> > Thoughts?
> 
> There were some posted futex fixes for 4.9 (and 4.4) on the stable list
> that I have not gotten to yet.
> 
> Hopefully after these are merged (this week), these issues will be
> resolved.

I'm afraid they are not sufficient.

> If not, then yes, they need to be fixed and any help you can provide
> would be appreciated.
> 
> As for "difficulty", yes, it's rough, but the changes backported were
> required, for obvious reasons :(

I had another look at the locking bug and I was able to make a series
of 7 commits (on top of the 2 already queued) that is sufficient to
make lockdep happy.  But I am not very confident that there won't be
other regressions.  I'll send that over shortly.

Ben.

-- 
Ben Hutchings
I'm always amazed by the number of people who take up solipsism because
they heard someone else explain it. - E*Borg on alt.fan.pratchett


futex breakage in 4.9 stable branch

2021-02-28 Thread Ben Hutchings
On Tue, 2021-02-23 at 15:00 +0100, Greg Kroah-Hartman wrote:
> I'm announcing the release of the 4.9.258 kernel.
> 
> All users of the 4.9 kernel series must upgrade.
> 
> The updated 4.9.y git tree can be found at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git 
> linux-4.9.y
> and can be browsed at the normal kernel.org git web browser:
> 

The backported futex fixes are still incomplete/broken in this version.
If I enable lockdep and run the futex self-tests (from 5.10):

- on 4.9.246, they pass with no lockdep output
- on 4.9.257 and 4.9.258, they pass but futex_requeue_pi triggers a
  lockdep splat

I have a local branch that essentially updates futex and rtmutex in
4.9-stable to match 4.14-stable.  With this, the tests pass and lockdep
is happy.

Unfortunately, that branch has about another 60 commits.  Further, the
more we change futex in 4.9, the more difficult it is going to be to
update the 4.9-rt branch.  But I don't see any better option available
at the moment.

Thoughts?

Ben.

-- 
Ben Hutchings
I'm always amazed by the number of people who take up solipsism because
they heard someone else explain it. - E*Borg on alt.fan.pratchett


Re: Pass modules to Linux kernel without initrd

2020-12-08 Thread Ben Hutchings
On Tue, 2020-12-08 at 10:24 +0100, Paul Menzel wrote:
> Dear Linux folks,
> 
> 
> Trying to reduce the boot time of standard distributions, I would like 
> to get rid of the initrd. The initrd is for mounting the root file 
> system and on most end user systems with standard distributions that 
> means loading the bus driver for the drive and the file system driver.
[...]

I would expect most end user systems to use at least one of LVM and
cryptsetup, which need user-space to configure them.

Debian has the "tiny-initramfs" package that covers the simple cases
you're targeting, and can be used instead of initramfs-tools or
dracut.  The upstream of that is:
<https://github.com/chris-se/tiny-initramfs/>.

But I don't anticipate that we would change the default initramfs
builder any time soon.

Ben.

-- 
Ben Hutchings
The world is coming to an end.  Please log off.


Re: drivers/accessibility/speakup/serialio.c:48:19: warning: variable 'quot' set but not used

2020-11-16 Thread Ben Hutchings
On Mon, 2020-11-16 at 21:33 +0100, Samuel Thibault wrote:
> On Mon, 16 Nov 2020 19:51:23 +, Ben Hutchings wrote:
> > On Mon, 2020-11-16 at 20:01 +0100, Samuel Thibault wrote:
> > > Perhaps we should rather use
> > > 
> > > depends on ISA || (X86 && COMPILE_TEST)
> > > 
> > > ?
> > > so that we have compile testing on x86 only (where the inb/outb macros
> > > always behave fine) to avoid such issues on other archs?
> > 
> > That seems reasonable though unusual.
> > 
> > > Or we tell the architecture maintainers to fix their out macros into
> > > consuming their parameters?
> > [...]
> > 
> > It does seem odd for parisc to define the I/O functions this way.  I
> > don't know if it's really a bug.
> 
> Sorry I wasn't clear: the problem here is when CONFIG_EISA is disabled,
> the eisa_in/out calls are replaced by BUG() stubs, and the stubs do not
> consume their input:

Yes, I did see that.

Ben.

> arch/parisc/include/asm/io.h
> 
> #if defined(CONFIG_PCI)
> extern void outb(unsigned char b, int addr);
> #elif defined(CONFIG_EISA)
> #define outb eisa_out8
> #else
> #define outb(x, y)   BUG()
> #endif
> 
> Samuel
-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
  - Albert Einstein

Re: drivers/accessibility/speakup/serialio.c:48:19: warning: variable 'quot' set but not used

2020-11-16 Thread Ben Hutchings
On Mon, 2020-11-16 at 20:01 +0100, Samuel Thibault wrote:
> Hello Ben,
> 
> A long time ago you added a dependency for speakup drivers on
> CONFIG_ISA, and you also added || COMPILE_TEST as an alternative.
> 
> It seems that some platform portability tests then think they should
> be able to build it, even if they don't enable ISA, but then we are
> getting warnings, or even errors, depending on the compatibility macros
> in  in the !ISA case (here, the parisc compatibility macros do
> not consume their parameter).
> 
> Perhaps we should rather use
> 
> depends on ISA || (X86 && COMPILE_TEST)
> 
> ?
> so that we have compile testing on x86 only (where the inb/outb macros
> always behave fine) to avoid such issues on other archs?

That seems reasonable though unusual.

> Or we tell the architecture maintainers to fix their out macros into
> consuming their parameters?
[...]

It does seem odd for parisc to define the I/O functions this way.  I
don't know if it's really a bug.

Ben.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
  - Albert Einstein

Re: [PATCH 4.19 19/71] btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io()

2020-11-11 Thread Ben Hutchings
On Wed, 2020-11-11 at 13:44 +0100, Pavel Machek wrote:
> Hi!
> 
> > Thankfully it's handled by the only caller, btree_write_cache_pages(),
> > as later write_one_eb() call will trigger submit_one_bio().  So there
> > shouldn't be any problem.
> 
> This explains there should not be any problem in _the
> mainline_. AFAICT this talks about this code. Mainline version is:
> 
>  prev_eb = eb;
>  ret = lock_extent_buffer_for_io(eb, );
>  if (!ret) {
>   free_extent_buffer(eb);
>   continue;
>  } else if (ret < 0) {
>   done = 1;
>   free_extent_buffer(eb);
>   break;
>  }
> 
> But 4.19 has:
> 
>  ret = lock_extent_buffer_for_io(eb, fs_info, );
>  if (!ret) {
>   free_extent_buffer(eb);
>   continue;
>  }

That was changed in mainline two releases after this commit, though.

> IOW missing the code mentioned in the changelog. Is 0607eb1d452d4
> prerequisite for this patch?

I think it's a separate fix, but probably worth picking too.

Ben.

> Best regards,
>   Pavel
> 
> > +/*
> > + * Lock eb pages and flush the bio if we can't the locks
> > + *
> > + * Return  0 if nothing went wrong
> > + * Return >0 is same as 0, except bio is not submitted
> > + * Return <0 if something went wrong, no page is locked
> > + */
-- 
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
 Manchester, M1 2HF, United Kingdom



Re: [PATCH 5.4 00/57] 5.4.70-rc1 review

2020-10-06 Thread Ben Hutchings
On Tue, 2020-10-06 at 13:55 +0530, Naresh Kamboju wrote:
[...]
> NOTE:
> While running LTP containers test suite,
> I noticed this kernel panic on arm64 Juno-r2 devices.
> Not easily reproducible and not seen on any other arm64 devices.
> 
> steps to reproduce:
> ---
> # boot stable rc 5.4.70 kernel on juno-r2 machine
> # cd /opt/ltp
> # ./runltp -f containers
> 
> Crash log,
> ---
> pidns13 0  TINFO  :  cinit2: writing some data in pipe
> pidns13 0  TINFO  :  cinit1: setup handler for async I/O on pipe
> pidns13 1  TPASS  :  cinit1: si_fd is 6, si_code is 1
> [  122.275627] Internal error: synchronous external abort: 96000210
> [#1] PREEMPT SMP
[...]
> [  122.399545] Call trace:
> [  122.401995]  sil24_interrupt+0x28/0x5f0
[...]
> [  122.467321] Code: d503201f f9400ac0 f9400014 91011294 (b9400294)
[...]

This corresponds to the statement:

status = readl(host_base + HOST_IRQ_STAT);

So it looks like the PCI device stopped responding to MMIO for some
reason.  It could be faulty hardware.  I don't see any sign of run-time 
power management in that driver that might explain it.

Ben.

-- 
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
 Manchester, M1 2HF, United Kingdom



Re: process '/usr/bin/rsync' started with executable stack

2020-07-25 Thread Ben Hutchings
On Thu, 2020-06-25 at 13:20 -0700, Kees Cook wrote:
> On Thu, Jun 25, 2020 at 01:04:29PM +0300, Dan Carpenter wrote:
> > On Wed, Jun 24, 2020 at 12:39:24PM -0700, Kees Cook wrote:
> > > On Wed, Jun 24, 2020 at 07:51:48PM +0300, Dan Carpenter wrote:
> > > > In Debian testing the initrd triggers the warning.
> > > > 
> > > > [   34.529809] process '/usr/bin/fstype' started with executable stack
> > > 
> > > Where does fstype come from there? I am going to guess it is either
> > > busybox or linked against klibc?
> > > 
> > > klibc has known problems with executable stacks due to its trampoline
> > > implementation:
> > > https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks
> > 
> > Yeah.  It comes from klibc-utils.
> 
> This is exactly what I was worried about back in Feb:
> https://lore.kernel.org/lkml/202002251341.48BC06E@keescook/
> 
> This warning, combined with klibc-based initrds, makes the whole thing
> pointless because it will always warn once on boot for the klibc stack,
> and then not warn about anything else after that.
> 
> It looks like upstream klibc hasn't been touched in about 4 years, and
> it's been up to Ben to keep it alive in Debian.
> 
> A couple ideas, in order of my preference:
> 
> 1) stop using klibc-utils[1]. initramfs-tools-core is the only thing with a
>dependency on klibc-utils. Only a few things are missing from busybox.
> 
> 2) make the warning rate-limited instead?
> 
> 3) fix the use of trampolines in klibc

It only uses trampolines on alpha, m68k, parisc, s390, and sparc32.  As
of today, the master branch should correctly enable executable stacks
on these and only these architectures.

I have a development branch that sets sa_restorer and disables
executable stacks on alpha, s390, and sparc32:

https://git.kernel.org/pub/scm/libs/klibc/klibc.git/log/?h=execstack-fixes

But I haven't yet tested those changes other than on qemu-user.

The m68k and parisc kernel ports still don't support any alternatives
to trampolines for signal return, or they didn't when I reviewed this
a few months ago.

Ben.

> Thoughts?
> 
> -Kees
> 
> 
> [1] Ben appears well aware of this idea, as he suggested it in 2018. :)
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887159
> 
-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.
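
The "started with executable stack" warning discussed in this thread is driven by the binary's PT_GNU_STACK program header: the kernel reads its flags at exec time, and it is that flag which the klibc build has to set on the trampoline architectures and clear everywhere else. The checker below is an added example, not code from the thread, from klibc or from the kernel; it parses that header directly (ELF32 and ELF64, either byte order) so an initramfs builder can audit which binaries would trigger the warning before booting. The ELF images it is exercised on are constructed in memory and are not real executables; because the kernel's treatment of a missing PT_GNU_STACK header is architecture-dependent, the checker reports "absent" rather than guessing.

```python
import struct

# ELF constants, values as in <elf.h>
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(elf_bytes):
    """Return the p_flags of the PT_GNU_STACK program header, or None if the
    image has no such header.  Handles ELFCLASS32/64 and both byte orders."""
    if elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf_bytes[4], elf_bytes[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                            # ELFCLASS32
        e_phoff, = struct.unpack_from(end + "I", elf_bytes, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf_bytes, 42)
        # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdr_fmt, flags_index = end + "IIIIIIII", 6
    elif ei_class == 2:                          # ELFCLASS64
        e_phoff, = struct.unpack_from(end + "Q", elf_bytes, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf_bytes, 54)
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdr_fmt, flags_index = end + "IIQQQQQQ", 1
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, elf_bytes, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_index]
    return None


def classify_stack(elf_bytes):
    """'executable', 'non-executable', or 'absent' (no PT_GNU_STACK header;
    the kernel then applies an architecture-dependent default)."""
    flags = gnu_stack_flags(elf_bytes)
    if flags is None:
        return "absent"
    return "executable" if flags & PF_X else "non-executable"


def check_file(path):
    """Classify an ELF file on disk, e.g. a binary from an initramfs."""
    with open(path, "rb") as f:
        return classify_stack(f.read())


def build_minimal_elf(stack_flags=None, elf_class=2, little_endian=True):
    """Constructed test input: a minimal, non-runnable ELF image made of an
    ELF header plus program headers only.  stack_flags=None omits the
    PT_GNU_STACK header entirely."""
    end = "<" if little_endian else ">"
    if elf_class == 2:
        ehdr_len, phdr_len, machine = 64, 56, 62          # EM_X86_64
        def phdr(p_type, p_flags):
            return struct.pack(end + "IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 16)
    else:
        ehdr_len, phdr_len, machine = 52, 32, 3           # EM_386
        def phdr(p_type, p_flags):
            return struct.pack(end + "IIIIIIII", p_type, 0, 0, 0, 0, 0, p_flags, 16)
    phdrs = [phdr(PT_LOAD, PF_R | PF_X)]                   # filler the parser must skip
    if stack_flags is not None:
        phdrs.append(phdr(PT_GNU_STACK, stack_flags))
    ident = b"\x7fELF" + bytes([elf_class, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    if elf_class == 2:
        rest = struct.pack(end + "HHIQQQIHHHHHH", 2, machine, 1, 0, ehdr_len, 0, 0,
                           ehdr_len, phdr_len, len(phdrs), 0, 0, 0)
    else:
        rest = struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0, ehdr_len, 0, 0,
                           ehdr_len, phdr_len, len(phdrs), 0, 0, 0)
    return ident + rest + b"".join(phdrs)


# Constructed sample images (not real binaries)
EXEC_STACK_IMAGE = build_minimal_elf(PF_R | PF_W | PF_X)
NX_STACK_IMAGE = build_minimal_elf(PF_R | PF_W)
NO_HEADER_IMAGE = build_minimal_elf(None)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Run it as `python3 check_stack.py /path/to/initramfs-root/bin/*` (name assumed) to list every binary that would make the kernel warn once and then stay silent for the rest of the boot, which is the failure mode Kees describes above.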

Linux 3.16.85

2020-06-11 Thread Ben Hutchings
I'm announcing the release of the 3.16.85 kernel.  This is probably
the last release in the 3.16 stable series, unless some critical fix
comes up later this month.

All users of the 3.16 kernel series should upgrade.

The updated 3.16.y git tree can be found at:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git 
linux-3.16.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git

The diff from 3.16.84 is attached to this message.

Ben.



 Documentation/ABI/testing/sysfs-devices-system-cpu |   1 +
 .../special-register-buffer-data-sampling.rst  | 149 
 Documentation/kernel-parameters.txt|  20 +
 Makefile   |   2 +-
 arch/x86/include/asm/acpi.h|   2 +-
 arch/x86/include/asm/cpu_device_id.h   |  27 +
 arch/x86/include/asm/cpufeatures.h |   2 +
 arch/x86/include/asm/processor.h   |   2 +-
 arch/x86/include/uapi/asm/msr-index.h  |   4 +
 arch/x86/kernel/amd_nb.c   |   2 +-
 arch/x86/kernel/asm-offsets_32.c   |   2 +-
 arch/x86/kernel/cpu/amd.c  |  28 +-
 arch/x86/kernel/cpu/bugs.c | 106 +++
 arch/x86/kernel/cpu/centaur.c  |   4 +-
 arch/x86/kernel/cpu/common.c   |  62 +-
 arch/x86/kernel/cpu/cpu.h  |   1 +
 arch/x86/kernel/cpu/cyrix.c|   2 +-
 arch/x86/kernel/cpu/intel.c|  18 +-
 arch/x86/kernel/cpu/match.c|   7 +-
 arch/x86/kernel/cpu/microcode/intel.c  |   4 +-
 arch/x86/kernel/cpu/mtrr/generic.c |   2 +-
 arch/x86/kernel/cpu/mtrr/main.c|   4 +-
 arch/x86/kernel/cpu/perf_event_intel.c |   2 +-
 arch/x86/kernel/cpu/perf_event_intel_lbr.c |   2 +-
 arch/x86/kernel/cpu/perf_event_p6.c|   2 +-
 arch/x86/kernel/cpu/proc.c |   4 +-
 arch/x86/kernel/head_32.S  |   4 +-
 arch/x86/kernel/mpparse.c  |   2 +-
 drivers/base/cpu.c |   8 +
 drivers/char/hw_random/via-rng.c   |   2 +-
 drivers/char/random.c  |   3 -
 drivers/cpufreq/acpi-cpufreq.c |   2 +-
 drivers/cpufreq/longhaul.c |   6 +-
 drivers/cpufreq/p4-clockmod.c  |   2 +-
 drivers/cpufreq/powernow-k7.c  |   2 +-
 drivers/cpufreq/speedstep-centrino.c   |   4 +-
 drivers/cpufreq/speedstep-lib.c|   6 +-
 drivers/crypto/padlock-aes.c   |   2 +-
 drivers/edac/amd64_edac.c  |   2 +-
 drivers/edac/mce_amd.c |   2 +-
 drivers/hwmon/coretemp.c   |   6 +-
 drivers/hwmon/hwmon-vid.c  |   2 +-
 drivers/hwmon/k10temp.c|   2 +-
 drivers/hwmon/k8temp.c |   2 +-
 drivers/message/fusion/mptctl.c| 215 ++
 drivers/net/can/slcan.c|   4 +
 drivers/net/slip/slip.c|   4 +
 drivers/net/wireless/mwifiex/scan.c|   7 +
 drivers/net/wireless/mwifiex/wmm.c |   4 +
 drivers/scsi/sg.c  | 758 +++--
 drivers/usb/core/message.c |  53 +-
 drivers/usb/gadget/configfs.c  |   3 +
 drivers/video/fbdev/geode/video_gx.c   |   2 +-
 fs/binfmt_elf.c|   2 +-
 fs/exec.c  |   2 +-
 fs/ext4/block_validity.c   |  57 ++
 fs/ext4/ext4.h |  19 +-
 fs/ext4/extents.c  |  13 +-
 fs/ext4/inode.c|   5 +
 include/linux/mod_devicetable.h|   6 +
 include/linux/sched.h  |   4 +-
 include/scsi/sg.h  |   1 -
 kernel/signal.c|   2 +-
 net/core/net-sysfs.c   |  39 +-
 security/selinux/hooks.c   |  70 +-
 65 files changed, 1102 insertions(+), 688 deletions(-)

Akinobu Mita (1):
  sg: prevent integer overflow when converting from sectors to bytes

Alan Stern (1):
  USB: core: Fix free-while-in-use bug in the USB S-Glibrary

Alexander Potapenko (1):
  fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()

Ben Hutchings (3):
  scsi: sg: Change next_cmd_len handling to mirror upstream
  scsi: sg: Re-fix off by one

Re: [PATCH 3.16 00/61] 3.16.85-rc1 review

2020-06-10 Thread Ben Hutchings
On Wed, 2020-06-10 at 12:08 -0700, Guenter Roeck wrote:
> On Tue, Jun 09, 2020 at 07:03:51PM +0100, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.85 release.
> > There are 61 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu Jun 11 18:03:51 UTC 2020.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
>   total: 135 pass: 135 fail: 0
> Qemu test results:
>   total: 229 pass: 229 fail: 0

Thanks for testing,

Ben.

-- 
Ben Hutchings
Life would be so much easier if we could look at the source code.

Re: [PATCH AUTOSEL 5.6 080/606] i2c: dev: Fix the race between the release of i2c_dev and cdev

2020-06-10 Thread Ben Hutchings
On Mon, 2020-06-08 at 19:03 -0400, Sasha Levin wrote:
> From: Kevin Hao 
> 
> commit 1413ef638abae4ab5621901cf4d8ef08a4a48ba6 upstream.
[...]

This was already applied in 5.6.15.

Ben.

-- 
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
 Manchester, M1 2HF, United Kingdom



Re: [PATCH 3.16 42/61] scsi: sg: don't return bogus Sg_requests

2020-06-09 Thread Ben Hutchings
On Tue, 2020-06-09 at 14:28 -0400, Tony Battersby wrote:
> On 6/9/20 2:04 PM, Ben Hutchings wrote:
> > 3.16.85-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > --
> > 
> > From: Johannes Thumshirn 
> > 
> > commit 48ae8484e9fc324b4968d33c585e54bc98e44d61 upstream.
> > 
> > If the list search in sg_get_rq_mark() fails to find a valid request, we
> > return a bogus element. This then can later lead to a GPF in
> > sg_remove_scat().
> > 
> > So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case
> > the list search doesn't find a valid request.
> > 
> > Signed-off-by: Johannes Thumshirn 
> > Reported-by: Andrey Konovalov 
> > Cc: Hannes Reinecke 
> > Cc: Christoph Hellwig 
> > Cc: Doug Gilbert 
> > Reviewed-by: Hannes Reinecke 
> > Acked-by: Doug Gilbert 
> > Signed-off-by: Martin K. Petersen 
> > Cc: Tony Battersby 
> > Signed-off-by: Greg Kroah-Hartman 
> > Signed-off-by: Ben Hutchings 
> > ---
> >  drivers/scsi/sg.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> > 
> > --- a/drivers/scsi/sg.c
> > +++ b/drivers/scsi/sg.c
> > @@ -2085,11 +2085,12 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
> > if ((1 == resp->done) && (!resp->sg_io_owned) &&
> > ((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
> > resp->done = 2; /* guard against other readers */
> > -   break;
> > +   write_unlock_irqrestore(>rq_list_lock, iflags);
> > +   return resp;
> > }
> > }
> > write_unlock_irqrestore(>rq_list_lock, iflags);
> > -   return resp;
> > +   return NULL;
> >  }
> >  
> >  /* always adds to end of list */
> > 
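
Review bot: returning NULL instead of the list sentinel changes the contract of sg_get_rq_mark(), so every caller (none is visible in this hunk) must now tolerate a NULL result instead of dereferencing it; please confirm the callers in the 3.16 tree already do. The early `return resp;` also duplicates the write_unlock_irqrestore() call; a single unlock ahead of one return point is easier to keep correct across later backports.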
> The following "cleanup" commit to the sg driver introduced a number of bugs:
> 
> 109bade9c625 ("scsi: sg: use standard lists for sg_requests") (v4.12-rc1)
> 
> This one bad commit requires all of the following fixes:
> 
> 48ae8484e9fc ("scsi: sg: don't return bogus Sg_requests") (v4.12-rc1)
> bd46fc406b30 ("scsi: sg: off by one in sg_ioctl()") (v4.13-rc7)
> 4759df905a47 ("scsi: sg: factor out sg_fill_request_table()") (v4.14-rc1)
> 3e0097499839 ("scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE") 
> (v4.14-rc1)
> 587c3c9f286c ("scsi: sg: Re-fix off by one in sg_fill_request_table()") 
> (v4.14-rc6)
> 
> AFAIK, there is no reason to backport any of these changes to -stable,
> but if for some reason you do need to backport any one of these patches,
> then make sure you get all of them.

I couldn't see how to backport some of the more recent fixes without
applying this change first.  For this review cycle I've picked all of
the bug fixes that were on the 4.4-stable and 4.9-stable branches and
not yet in 3.16-stable, so I do have all the fixes you identified
above.

Ben.

> My guess is that the initial buggy patch was backported to other -stable
> trees because the fixes for it looked important, and of course the fixes
> depended on the patch that introduced all of the problems to begin with.

-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.

[PATCH 3.16 05/61] slip: Fix use-after-free Read in slip_open

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jouni Hogander 

commit e58c1912418980f57ba2060017583067f5f71e52 upstream.

Slip_open doesn't clean up a device whose registration failed from the
slip_devs device list. On the next open after the failure this list is
iterated and the freed device is accessed. Fix this by calling
sl_free_netdev in the error path.

Here is the trace from the Syzbot:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
Reported-by: syzbot+4d5170758f3762109...@syzkaller.appspotmail.com
Cc: David Miller 
Cc: Oliver Hartkopp 
Cc: Lukas Bulwahn 
Signed-off-by: Jouni Hogander 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: sl_free_netdev() calls free_netdev() here, so
 delete the direct call to free_netdev()]
Signed-off-by: Ben Hutchings 
---
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -867,7 +867,7 @@ err_free_chan:
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, >flags);
-   free_netdev(sl->dev);
+   sl_free_netdev(sl->dev);
 
 err_exit:
rtnl_unlock();
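
Review bot: sl_free_netdev() is still called while the RTNL lock is held, since the only rtnl_unlock() is the one under err_exit below; as the backport note says sl_free_netdev() calls free_netdev() on 3.16, this is the ordering that upstream commit f596c87005f7 ("slip: not call free_netdev before rtnl_unlock in slip_open") later corrected, and that patch 03/61 in this series applies to slcan. Check whether the slip counterpart is also in the series; otherwise the error path still violates the netdev_run_todo() requirement that patch cites.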



[PATCH 3.16 03/61] slcan: not call free_netdev before rtnl_unlock in slcan_open

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Oliver Hartkopp 

commit 2091a3d42b4f339eaeed11228e0cbe9d4f92f558 upstream.

As the description before netdev_run_todo says, we cannot call
free_netdev before rtnl_unlock; fix it by reordering the code.

This patch is a 1:1 copy of upstream slip.c commit f596c87005f7
("slip: not call free_netdev before rtnl_unlock in slip_open").

Reported-by: yangerkun 
Signed-off-by: Oliver Hartkopp 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 drivers/net/can/slcan.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -620,7 +620,10 @@ err_free_chan:
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, >flags);
+   /* do not call free_netdev before rtnl_unlock */
+   rtnl_unlock();
slc_free_netdev(sl->dev);
+   return err;
 
 err_exit:
rtnl_unlock();
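
Review bot: with rtnl_unlock() moved ahead of slc_free_netdev(sl->dev) and an explicit `return err;` added, err_free_chan no longer falls through into err_exit, so `err` must already hold the failure code at every jump to err_free_chan; that is not visible in the hunk and is worth confirming in the 3.16 tree. The comment `/* do not call free_netdev before rtnl_unlock */` would be more useful if it pointed at netdev_run_todo(), which the changelog gives as the reason.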



[PATCH 3.16 07/61] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jouni Hogander 

commit b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b upstream.

kobject_init_and_add takes reference even when it fails. This has
to be given up by the caller in error handling. Otherwise memory
allocated by kobject_init_and_add is never freed. Originally found
by Syzkaller:

BUG: memory leak
unreferenced object 0x8880679f8b08 (size 8):
  comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
  hex dump (first 8 bytes):
72 78 2d 30 00 36 20 d4  rx-0.6 .
  backtrace:
[<8c93818e>] __kmalloc_track_caller+0x16e/0x290
[<1f2e4e49>] kvasprintf+0xb1/0x140
[<7f313394>] kvasprintf_const+0x56/0x160
[<aeca11c8>] kobject_set_name_vargs+0x5b/0x140
[<73a0367c>] kobject_init_and_add+0xd8/0x170
[<88838e4b>] net_rx_queue_update_kobjects+0x152/0x560
[<6be5f104>] netdev_register_kobject+0x210/0x380
[<e31dab9d>] register_netdevice+0xa1b/0xf00
[<f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
[<4c50599f>] tun_chr_ioctl+0x2f/0x40
[<bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
[<d4c59e8f>] ksys_ioctl+0x99/0xb0
[<946aea81>] __x64_sys_ioctl+0x78/0xb0
[<38d946e5>] do_syscall_64+0x16f/0x580
[<e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<285b3d1a>] 0x

Cc: David Miller 
Cc: Lukas Bulwahn 
Signed-off-by: Jouni Hogander 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/core/net-sysfs.c | 24 +---
 1 file changed, 13 insertions(+), 11 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -786,21 +786,23 @@ static int rx_queue_add_kobject(struct n
error = kobject_init_and_add(kobj, _queue_ktype, NULL,
"rx-%u", index);
if (error)
-   return error;
+   goto err;
 
dev_hold(queue->dev);
 
if (net->sysfs_rx_queue_group) {
error = sysfs_create_group(kobj, net->sysfs_rx_queue_group);
-   if (error) {
-   kobject_put(kobj);
-   return error;
-   }
+   if (error)
+   goto err;
}
 
kobject_uevent(kobj, KOBJ_ADD);
 
return error;
+
+err:
+   kobject_put(kobj);
+   return error;
 }
 #endif /* CONFIG_SYSFS */
 
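
Review bot: the new `err:` path calls kobject_put(kobj) for both failure points, but the first jump happens before `dev_hold(queue->dev)` and the second after it; if the kobject's release callback drops the device reference, the two error paths are no longer balanced. Verify the rx queue release function in this tree, or take the dev_hold() before kobject_init_and_add() so that both paths look alike.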
@@ -1145,21 +1147,21 @@ static int netdev_queue_add_kobject(stru
error = kobject_init_and_add(kobj, _queue_ktype, NULL,
"tx-%u", index);
if (error)
-   return error;
+   goto err;
 
dev_hold(queue->dev);
 
 #ifdef CONFIG_BQL
error = sysfs_create_group(kobj, _group);
-   if (error) {
-   kobject_put(kobj);
-   return error;
-   }
+   if (error)
+   goto err;
 #endif
 
kobject_uevent(kobj, KOBJ_ADD);
 
-   return 0;
+err:
+   kobject_put(kobj);
+   return error;
 }
 #endif /* CONFIG_SYSFS */
 
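
Review bot: the success path is broken in this hunk: `-return 0;` is removed and nothing replaces it ahead of `+err:`, so after kobject_uevent(kobj, KOBJ_ADD) the function falls through into `kobject_put(kobj)` and drops the reference on every successful call (it returns 0 only because `error` happens to be 0). The first hunk keeps its `return error;` before the label; this one needs a `return 0;` before `+err:` in the same way. Upstream corrected exactly this in a follow-up ("net-sysfs: fix netdev_queue_add_kobject() breakage"), which should be backported together with this patch.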



[PATCH 3.16 02/61] can: slcan: Fix use-after-free Read in slcan_open

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jouni Hogander 

commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.

slcan_open doesn't clean up a device whose registration failed from the
slcan_devs device list. On the next open this list is iterated and the freed
device is accessed. Fix this by calling slc_free_netdev in the error path.

drivers/net/can/slcan.c is derived from slip.c. A use-after-free error was
identified in slip_open by Syzbot. The same bug is in slcan.c. Here is the
trace from the Syzbot slip report:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
Cc: Wolfgang Grandegger 
Cc: Marc Kleine-Budde 
Cc: David Miller 
Cc: Oliver Hartkopp 
Cc: Lukas Bulwahn 
Signed-off-by: Jouni Hogander 
Acked-by: Oliver Hartkopp 
Signed-off-by: Marc Kleine-Budde 
[bwh: Backported to 3.16: slc_free_netdev() calls free_netdev() here, so
 delete the direct call to free_netdev()]
Signed-off-by: Ben Hutchings 
---
--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -620,7 +620,7 @@ err_free_chan:
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, >flags);
-   free_netdev(sl->dev);
+   slc_free_netdev(sl->dev);
 
 err_exit:
rtnl_unlock();
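Review bot: slc_free_netdev() is still called before the `rtnl_unlock();` at err_exit, and per the backport note it calls free_netdev() in 3.16, so this path frees the netdev while holding the RTNL lock, the same ordering problem that 06/61 in this series fixes for slip_open. Consider applying the same unlock-then-free reordering here in the same backport.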



[PATCH 3.16 01/61] slcan: Fix memory leak in error path

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jouni Hogander 

commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.

This patch fixes a memory leak reported by Syzkaller:

BUG: memory leak unreferenced object 0x888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
  backtrace:
[<a06eec0d>] __kmalloc+0x18b/0x2c0
[<83306e66>] kvmalloc_node+0x3a/0xc0
[<6ac27f87>] alloc_netdev_mqs+0x17a/0x1080
[<61a996c9>] slcan_open+0x3ae/0x9a0
[<1226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
[<19289631>] tty_set_ldisc+0x28c/0x5f0
[<4de5a617>] tty_ioctl+0x48d/0x1590
[<daef496f>] do_vfs_ioctl+0x1c7/0x1510
[<59068dbc>] ksys_ioctl+0x99/0xb0
[<9a6eb334>] __x64_sys_ioctl+0x78/0xb0
[<53d0332e>] do_syscall_64+0x16f/0x580
[<21b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<8ea75434>] 0x

Cc: Wolfgang Grandegger 
Cc: Marc Kleine-Budde 
Cc: Lukas Bulwahn 
Signed-off-by: Jouni Hogander 
Signed-off-by: Marc Kleine-Budde 
Signed-off-by: Ben Hutchings 
---
 drivers/net/can/slcan.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -620,6 +620,7 @@ err_free_chan:
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, >flags);
+   free_netdev(sl->dev);
 
 err_exit:
rtnl_unlock();
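Review bot: freeing sl->dev here while it may still be referenced from the slcan_devs list leaves a dangling pointer that the next open walks, which is exactly what 02/61 in this series then fixes by switching to slc_free_netdev(); since both are queued, consider squashing them so no intermediate 3.16 revision carries the use-after-free. The added free_netdev(sl->dev) also runs before the `rtnl_unlock();` at err_exit.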



[PATCH 3.16 06/61] slip: not call free_netdev before rtnl_unlock in slip_open

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: yangerkun 

commit f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 upstream.

As the description before netdev_run_todo says, we cannot call free_netdev
before rtnl_unlock; fix it by reordering the code.

Signed-off-by: yangerkun 
Reviewed-by: Oliver Hartkopp 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 drivers/net/slip/slip.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -867,7 +867,10 @@ err_free_chan:
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, >flags);
+   /* do not call free_netdev before rtnl_unlock */
+   rtnl_unlock();
sl_free_netdev(sl->dev);
+   return err;
 
 err_exit:
rtnl_unlock();
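Review bot: err_free_chan now returns directly after sl_free_netdev() instead of falling through to err_exit, so anything err_exit does after `rtnl_unlock();` (not visible in the hunk) is skipped on this path; confirm that `return err;` matches what err_exit returns and that `err` still holds the failure code at this point.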



[PATCH 3.16 17/61] drivers: usb: core: Minimize irq disabling in usb_sg_cancel()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: David Mosberger 

commit 5f2e5fb873e269fcb806165715d237f0de4ecf1d upstream.

Restructure usb_sg_cancel() so we don't have to disable interrupts
while cancelling the URBs.

Suggested-by: Alan Stern 
Signed-off-by: David Mosberger 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/usb/core/message.c | 37 +
 1 file changed, 17 insertions(+), 20 deletions(-)

--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -581,31 +581,28 @@ EXPORT_SYMBOL_GPL(usb_sg_wait);
 void usb_sg_cancel(struct usb_sg_request *io)
 {
unsigned long flags;
+   int i, retval;
 
spin_lock_irqsave(>lock, flags);
+   if (io->status) {
+   spin_unlock_irqrestore(>lock, flags);
+   return;
+   }
+   /* shut everything down */
+   io->status = -ECONNRESET;
+   spin_unlock_irqrestore(>lock, flags);
 
-   /* shut everything down, if it didn't already */
-   if (!io->status) {
-   int i;
-
-   io->status = -ECONNRESET;
-   spin_unlock(>lock);
-   for (i = 0; i < io->entries; i++) {
-   int retval;
-
-   usb_block_urb(io->urbs[i]);
+   for (i = io->entries - 1; i >= 0; --i) {
+   usb_block_urb(io->urbs[i]);
 
-   retval = usb_unlink_urb(io->urbs[i]);
-   if (retval != -EINPROGRESS
-   && retval != -ENODEV
-   && retval != -EBUSY
-   && retval != -EIDRM)
-   dev_warn(>dev->dev, "%s, unlink --> %d\n",
-   __func__, retval);
-   }
-   spin_lock(>lock);
+   retval = usb_unlink_urb(io->urbs[i]);
+   if (retval != -EINPROGRESS
+   && retval != -ENODEV
+   && retval != -EBUSY
+   && retval != -EIDRM)
+   dev_warn(>dev->dev, "%s, unlink --> %d\n",
+__func__, retval);
}
-   spin_unlock_irqrestore(>lock, flags);
 }
 EXPORT_SYMBOL_GPL(usb_sg_cancel);
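Review bot: besides dropping the lock around the unlink loop, the loop now walks the URB array backwards (`for (i = io->entries - 1; i >= 0; --i)`) where it previously went from 0 to entries-1; the commit message does not mention the order change, so either explain why reverse order is wanted or keep the original order. Checking io->status and setting -ECONNRESET under the lock before releasing it looks correct.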
 



[PATCH 3.16 04/61] slip: Fix memory leak in slip_open error path

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jouni Hogander 

commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa upstream.

drivers/net/can/slcan.c is derived from slip.c. A memory leak was detected
by Syzkaller in slcan. The same issue exists in slip.c and this patch
addresses the leak in slip.c.

Here is the slcan memory leak trace reported by Syzkaller:

BUG: memory leak unreferenced object 0x888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
  backtrace:
[<a06eec0d>] __kmalloc+0x18b/0x2c0
[<83306e66>] kvmalloc_node+0x3a/0xc0
[<6ac27f87>] alloc_netdev_mqs+0x17a/0x1080
[<61a996c9>] slcan_open+0x3ae/0x9a0
[<1226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
[<19289631>] tty_set_ldisc+0x28c/0x5f0
[<4de5a617>] tty_ioctl+0x48d/0x1590
[<daef496f>] do_vfs_ioctl+0x1c7/0x1510
[<59068dbc>] ksys_ioctl+0x99/0xb0
[<9a6eb334>] __x64_sys_ioctl+0x78/0xb0
[<53d0332e>] do_syscall_64+0x16f/0x580
[<21b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<8ea75434>] 0xfff

Cc: "David S. Miller" 
Cc: Oliver Hartkopp 
Cc: Lukas Bulwahn 
Signed-off-by: Jouni Hogander 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings 
---
 drivers/net/slip/slip.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -867,6 +867,7 @@ err_free_chan:
sl->tty = NULL;
tty->disc_data = NULL;
clear_bit(SLF_INUSE, >flags);
+   free_netdev(sl->dev);
 
 err_exit:
rtnl_unlock();
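Review bot: the added free_netdev(sl->dev) runs before the `rtnl_unlock();` at err_exit; 06/61 in this series reorders exactly this, so consider folding that reordering into this backport rather than having an intermediate revision call free_netdev() under RTNL.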



[PATCH 3.16 12/61] selinux: convert WARN_ONCE() to printk() in selinux_nlmsg_perm()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Richard Guy Briggs 

commit d950f84c1c6658faec2ecbf5b09f7e7191953394 upstream.

Convert WARN_ONCE() to printk() in selinux_nlmsg_perm().

After conversion from audit_log() in commit e173fb26, WARN_ONCE() was
deemed too alarmist, so switch it to printk().

Signed-off-by: Richard Guy Briggs 
[PM: Changed to printk(WARNING) so we catch all of the different
 invalid netlink messages.  In Richard's defense, he brought this
 point up earlier, but I didn't understand his point at the time.]
Signed-off-by: Paul Moore 
Signed-off-by: Ben Hutchings 
---
 security/selinux/hooks.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4683,9 +4683,10 @@ static int selinux_nlmsg_perm(struct soc
err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, );
if (err) {
if (err == -EINVAL) {
-   WARN_ONCE(1, "selinux_nlmsg_perm: unrecognized netlink 
message:"
- " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
- sk->sk_protocol, nlh->nlmsg_type, 
sksec->sclass);
+   printk(KERN_WARNING
+  "SELinux: unrecognized netlink message:"
+  " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
+  sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
if (!selinux_enforcing || security_get_allow_unknown())
err = 0;
}
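Review bot: printk(KERN_WARNING ...) on every unrecognized netlink message is not rate-limited, and nlmsg_type comes straight from user space, so an unprivileged sender can fill the kernel log by looping on unknown types; prefer pr_warn_ratelimited() here, which is what 15/61 in this series ends up using.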



[PATCH 3.16 11/61] selinux: cleanup error reporting in selinux_nlmsg_perm()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Richard Guy Briggs 

commit e173fb2646a832b424c80904c306b816760ce477 upstream.

Convert audit_log() call to WARN_ONCE().

Rename "type=" to "nlmsg_type=" to avoid confusion with the audit record
type.

Added "protocol=" to help track down which protocol (NETLINK_AUDIT?) was used
within the netlink protocol family.

Signed-off-by: Richard Guy Briggs 
[Rewrote the patch subject line]
Signed-off-by: Paul Moore 
Signed-off-by: Ben Hutchings 
---
 security/selinux/hooks.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4683,10 +4683,9 @@ static int selinux_nlmsg_perm(struct soc
err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, );
if (err) {
if (err == -EINVAL) {
-   audit_log(current->audit_context, GFP_KERNEL, 
AUDIT_SELINUX_ERR,
- "SELinux:  unrecognized netlink message"
- " type=%hu for sclass=%hu\n",
- nlh->nlmsg_type, sksec->sclass);
+   WARN_ONCE(1, "selinux_nlmsg_perm: unrecognized netlink 
message:"
+ " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
+ sk->sk_protocol, nlh->nlmsg_type, 
sksec->sclass);
if (!selinux_enforcing || security_get_allow_unknown())
err = 0;
}
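Review bot: WARN_ONCE(1, ...) emits a full backtrace for a condition any local netlink user can trigger with an unknown nlmsg_type, and then reports only the first occurrence, so later protocol/type combinations are never logged; a rate-limited printk at KERN_WARNING fits better, which is what 12/61 in this series switches to.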



[PATCH 3.16 21/61] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Qing Xu 

commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d upstream.

mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking the
destination size, which may trigger a buffer overflow that a local user
could use to cause a denial of service or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu 
Signed-off-by: Kalle Valo 
[bwh: Backported to 3.16:
 - Use dev_info() instead of mwifiex_dbg()
 - Adjust filename]
Signed-off-by: Ben Hutchings 
---
 drivers/net/wireless/mwifiex/scan.c | 7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -2267,6 +2267,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifi
vs_param_set->header.len =
cpu_to_le16u16) priv->vs_ie[id].ie[1])
& 0x00FF) + 2);
+   if (le16_to_cpu(vs_param_set->header.len) >
+   MWIFIEX_MAX_VSIE_LEN) {
+   dev_info(priv->adapter->dev,
+"Invalid param length!\n");
+   break;
+   }
+
memcpy(vs_param_set->ie, priv->vs_ie[id].ie,
   le16_to_cpu(vs_param_set->header.len));
*buffer += le16_to_cpu(vs_param_set->header.len) +
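Review bot: the new bound compares header.len (derived from `priv->vs_ie[id].ie[1]`) against MWIFIEX_MAX_VSIE_LEN, so it only prevents the overflow if vs_param_set->ie is MWIFIEX_MAX_VSIE_LEN bytes; please confirm the destination size. Also, `break` abandons all remaining entries rather than skipping this one, so if the enclosing loop iterates over several vendor IEs a `continue` may be the intended behaviour, and the dev_info() message would be more useful if it named the id and the rejected length.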



[PATCH 3.16 15/61] selinux: properly handle multiple messages in selinux_netlink_send()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Paul Moore 

commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.

Fix the SELinux netlink_send hook to properly handle multiple netlink
messages in a single sk_buff; each message is parsed and subject to
SELinux access control.  Prior to this patch, SELinux only inspected
the first message in the sk_buff.

Cc: sta...@vger.kernel.org
Reported-by: Dmitry Vyukov 
Reviewed-by: Stephen Smalley 
Signed-off-by: Paul Moore 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4669,39 +4669,59 @@ static int selinux_tun_dev_open(void *se
 
 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
 {
-   int err = 0;
-   u32 perm;
+   int rc = 0;
+   unsigned int msg_len;
+   unsigned int data_len = skb->len;
+   unsigned char *data = skb->data;
struct nlmsghdr *nlh;
struct sk_security_struct *sksec = sk->sk_security;
+   u16 sclass = sksec->sclass;
+   u32 perm;
 
-   if (skb->len < NLMSG_HDRLEN) {
-   err = -EINVAL;
-   goto out;
-   }
-   nlh = nlmsg_hdr(skb);
+   while (data_len >= nlmsg_total_size(0)) {
+   nlh = (struct nlmsghdr *)data;
 
-   err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, );
-   if (err) {
-   if (err == -EINVAL) {
+   /* NOTE: the nlmsg_len field isn't reliably set by some netlink
+*   users which means we can't reject skb's with bogus
+*   length fields; our solution is to follow what
+*   netlink_rcv_skb() does and simply skip processing at
+*   messages with length fields that are clearly junk
+*/
+   if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
+   return 0;
+
+   rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, );
+   if (rc == 0) {
+   rc = sock_has_perm(current, sk, perm);
+   if (rc)
+   return rc;
+   } else if (rc == -EINVAL) {
+   /* -EINVAL is a missing msg/perm mapping */
pr_warn_ratelimited("SELinux: unrecognized netlink"
-  " message: protocol=%hu nlmsg_type=%hu sclass=%s"
-  " pig=%d comm=%s\n",
-  sk->sk_protocol, nlh->nlmsg_type,
-  secclass_map[sksec->sclass - 1].name,
-  task_pid_nr(current), current->comm);
-   if (!selinux_enforcing || security_get_allow_unknown())
-   err = 0;
+   " message: protocol=%hu nlmsg_type=%hu 
sclass=%s"
+   " pid=%d comm=%s\n",
+   sk->sk_protocol, nlh->nlmsg_type,
+   secclass_map[sclass - 1].name,
+   task_pid_nr(current), current->comm);
+   if (selinux_enforcing && !security_get_allow_unknown())
+   return rc;
+   rc = 0;
+   } else if (rc == -ENOENT) {
+   /* -ENOENT is a missing socket/class mapping, ignore */
+   rc = 0;
+   } else {
+   return rc;
}
 
-   /* Ignore */
-   if (err == -ENOENT)
-   err = 0;
-   goto out;
+   /* move to the next message after applying netlink padding */
+   msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
+   if (msg_len >= data_len)
+   return 0;
+   data_len -= msg_len;
+   data += msg_len;
}
 
-   err = sock_has_perm(current, sk, perm);
-out:
-   return err;
+   return rc;
 }
 
 #ifdef CONFIG_NETFILTER
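Review bot: when a message carries a junk length (`nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len`) the function returns 0, so everything after that point in the skb is allowed without a permission check; the comment justifies this by netlink_rcv_skb() stopping at the same point, but that dependency on receive-side behaviour belongs in the commit message. The replacement also silently fixes the `pig=%d` typo in the removed lines to `pid=%d`, a user-visible log format change worth a mention.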



[PATCH 3.16 08/61] net-sysfs: fix netdev_queue_add_kobject() breakage

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 

commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0 upstream.

kobject_put() should only be called in error path.

Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
Signed-off-by: Eric Dumazet 
Cc: Jouni Hogander 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings 
---
 net/core/net-sysfs.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1158,6 +1158,7 @@ static int netdev_queue_add_kobject(stru
 #endif
 
kobject_uevent(kobj, KOBJ_ADD);
+   return 0;
 
 err:
kobject_put(kobj);
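Review bot: this restores the `return 0;` whose removal in b8eb718348b8 made the success path fall into `err:` and put the kobject; for a stable series, consider squashing it into the backport of b8eb718348b8 so no intermediate 3.16 revision drops every tx queue kobject on success.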



[PATCH 3.16 19/61] scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit a7043e9529f3c367cc4d82997e00be034cbe57ca upstream.

My static checker complains about an out of bounds read:

drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo()
error: buffer overflow 'hd->sel_timeout' 255 <= u32max.

It's true that we probably should have a bounds check here.

Signed-off-by: Dan Carpenter 
Reviewed-by: Johannes Thumshirn 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Ben Hutchings 
---
 drivers/message/fusion/mptctl.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -2698,6 +2698,8 @@ mptctl_hp_targetinfo(unsigned long arg)
__FILE__, __LINE__, iocnum);
return -ENODEV;
}
+   if (karg.hdr.id >= MPT_MAX_FC_DEVICES)
+   return -EINVAL;
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo 
called.\n",
ioc->name));
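Review bot: `karg.hdr.id >= MPT_MAX_FC_DEVICES` bounds the index with a constant, but the static checker output quoted above cites `hd->sel_timeout` with 255 entries; confirm that MPT_MAX_FC_DEVICES matches the size of that array, and that hdr.id is unsigned so a negative value cannot slip past a >= test.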
 



[PATCH 3.16 22/61] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Qing Xu 

commit 3a9b153c5591548612c3955c9600a98150c81875 upstream.

mwifiex_ret_wmm_get_status() calls memcpy() without checking the
destination size. Since the source is given by a remote AP which
contains illegal wmm elements, this may trigger a heap buffer
overflow.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu 
Signed-off-by: Kalle Valo 
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings 
---
 drivers/net/wireless/mwifiex/wmm.c | 4 
 1 file changed, 4 insertions(+)

--- a/drivers/net/wireless/mwifiex/wmm.c
+++ b/drivers/net/wireless/mwifiex/wmm.c
@@ -791,6 +791,10 @@ int mwifiex_ret_wmm_get_status(struct mw
wmm_param_ie->qos_info_bitmap &
IEEE80211_WMM_IE_AP_QOSINFO_PARAM_SET_CNT_MASK);
 
+   if (wmm_param_ie->vend_hdr.len + 2 >
+   sizeof(struct ieee_types_wmm_parameter))
+   break;
+
memcpy((u8 *) >curr_bss_params.bss_descriptor.
   wmm_ie, wmm_param_ie,
   wmm_param_ie->vend_hdr.len + 2);
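Review bot: the bound `vend_hdr.len + 2 > sizeof(struct ieee_types_wmm_parameter)` protects the destination, but vend_hdr.len also comes from the AP's frame, so the same length should be checked against the bytes remaining in the received response before memcpy() reads that many bytes from wmm_param_ie; the hunk does not show such a check. `break` here also ends further TLV parsing; say so in the commit message if that is intended.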



[PATCH 3.16 24/61] sg: prevent integer overflow when converting from sectors to bytes

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Akinobu Mita 

commit 46f69e6a6bbbf3858617c8729e31895846c15a79 upstream.

This prevents integer overflow when converting the request queue's
max_sectors from sectors to bytes.  However, this is a preparation for
extending the data type of max_sectors in struct Scsi_Host and
scsi_host_template.  So, this integer overflow cannot happen for now,
because SCSI low-level drivers can not specify max_sectors greater than
0x due to the data type limitation.

Signed-off-by: Akinobu Mita 
Acked-by: Douglas Gilbert 
Signed-off-by: Christoph Hellwig 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 17 +
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -865,6 +865,15 @@ static int srp_done(Sg_fd *sfp, Sg_reque
return ret;
 }
 
+static int max_sectors_bytes(struct request_queue *q)
+{
+   unsigned int max_sectors = queue_max_sectors(q);
+
+   max_sectors = min_t(unsigned int, max_sectors, INT_MAX >> 9);
+
+   return max_sectors << 9;
+}
+
 static long
 sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 {
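Review bot: clamping to `INT_MAX >> 9` before `max_sectors << 9` keeps the product inside int range, which is the point of the helper, but it returns int from an unsigned expression and repeats the sector shift as a bare 9; returning unsigned int (or stating that every caller passes the result through min_t(int, ...)) and naming the shift would make the intent clearer.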
@@ -1004,7 +1013,7 @@ sg_ioctl(struct file *filp, unsigned int
 if (val < 0)
 return -EINVAL;
val = min_t(int, val,
-   queue_max_sectors(sdp->device->request_queue) * 
512);
+   max_sectors_bytes(sdp->device->request_queue));
if (val != sfp->reserve.bufflen) {
if (sg_res_in_use(sfp) || sfp->mmap_called)
return -EBUSY;
@@ -1014,7 +1023,7 @@ sg_ioctl(struct file *filp, unsigned int
return 0;
case SG_GET_RESERVED_SIZE:
val = min_t(int, sfp->reserve.bufflen,
-   queue_max_sectors(sdp->device->request_queue) * 
512);
+   max_sectors_bytes(sdp->device->request_queue));
return put_user(val, ip);
case SG_SET_COMMAND_Q:
result = get_user(val, ip);
@@ -1154,7 +1163,7 @@ sg_ioctl(struct file *filp, unsigned int
return -ENODEV;
return scsi_ioctl(sdp->device, cmd_in, p);
case BLKSECTGET:
-   return put_user(queue_max_sectors(sdp->device->request_queue) * 
512,
+   return put_user(max_sectors_bytes(sdp->device->request_queue),
ip);
case BLKTRACESETUP:
return blk_trace_setup(sdp->device->request_queue,
@@ -2170,7 +2179,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
sg_big_buff = def_reserved_size;
 
bufflen = min_t(int, sg_big_buff,
-   queue_max_sectors(sdp->device->request_queue) * 512);
+   max_sectors_bytes(sdp->device->request_queue));
sg_build_reserve(sfp, bufflen);
SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp:   bufflen=%d, k_use_sg=%d\n",
   sfp->reserve.bufflen, sfp->reserve.k_use_sg));



[PATCH 3.16 20/61] scsi: mptfusion: Fix double fetch bug in ioctl

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream.

Tom Hatskevich reported that we look up "iocp" then, in the called
functions we do a second copy_from_user() and look it up again.
The problem that could cause is:

drivers/message/fusion/mptctl.c
   674  /* All of these commands require an interrupt or
   675   * are unknown/illegal.
   676   */
   677  if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0)
   
We take this lock.

   678  return ret;
   679
   680  if (cmd == MPTFWDOWNLOAD)
   681  ret = mptctl_fw_download(arg);
 ^^^
Then the user memory changes and we look up "iocp" again but a different
one so now we are holding the incorrect lock and have a race condition.

   682  else if (cmd == MPTCOMMAND)
   683  ret = mptctl_mpt_command(arg);

The security impact of this bug is not as bad as it could have been
because these operations are all privileged and root already has
enormous destructive power.  But it's still worth fixing.

This patch passes the "iocp" pointer to the functions to avoid the
second lookup.  That deletes 100 lines of code from the driver so
it's a nice clean up as well.

Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam
Reported-by: Tom Hatskevich 
Reviewed-by: Greg Kroah-Hartman 
Signed-off-by: Dan Carpenter 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Ben Hutchings 
---
 drivers/message/fusion/mptctl.c | 213 
 1 file changed, 50 insertions(+), 163 deletions(-)

--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -100,19 +100,19 @@ struct buflist {
  * Function prototypes. Called from OS entry point mptctl_ioctl.
  * arg contents specific to function.
  */
-static int mptctl_fw_download(unsigned long arg);
-static int mptctl_getiocinfo(unsigned long arg, unsigned int cmd);
-static int mptctl_gettargetinfo(unsigned long arg);
-static int mptctl_readtest(unsigned long arg);
-static int mptctl_mpt_command(unsigned long arg);
-static int mptctl_eventquery(unsigned long arg);
-static int mptctl_eventenable(unsigned long arg);
-static int mptctl_eventreport(unsigned long arg);
-static int mptctl_replace_fw(unsigned long arg);
-
-static int mptctl_do_reset(unsigned long arg);
-static int mptctl_hp_hostinfo(unsigned long arg, unsigned int cmd);
-static int mptctl_hp_targetinfo(unsigned long arg);
+static int mptctl_fw_download(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_getiocinfo(MPT_ADAPTER *iocp, unsigned long arg, unsigned 
int cmd);
+static int mptctl_gettargetinfo(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_readtest(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_mpt_command(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_eventquery(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_eventenable(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_eventreport(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_replace_fw(MPT_ADAPTER *iocp, unsigned long arg);
+
+static int mptctl_do_reset(MPT_ADAPTER *iocp, unsigned long arg);
+static int mptctl_hp_hostinfo(MPT_ADAPTER *iocp, unsigned long arg, unsigned 
int cmd);
+static int mptctl_hp_targetinfo(MPT_ADAPTER *iocp, unsigned long arg);
 
 static int  mptctl_probe(struct pci_dev *, const struct pci_device_id *);
 static void mptctl_remove(struct pci_dev *);
@@ -123,8 +123,8 @@ static long compat_mpctl_ioctl(struct fi
 /*
  * Private function calls.
  */
-static int mptctl_do_mpt_command(struct mpt_ioctl_command karg, void __user 
*mfPtr);
-static int mptctl_do_fw_download(int ioc, char __user *ufwbuf, size_t fwlen);
+static int mptctl_do_mpt_command(MPT_ADAPTER *iocp, struct mpt_ioctl_command 
karg, void __user *mfPtr);
+static int mptctl_do_fw_download(MPT_ADAPTER *iocp, char __user *ufwbuf, 
size_t fwlen);
 static MptSge_t *kbuf_alloc_2_sgl(int bytes, u32 dir, int sge_offset, int 
*frags,
struct buflist **blp, dma_addr_t *sglbuf_dma, MPT_ADAPTER *ioc);
 static void kfree_sgl(MptSge_t *sgl, dma_addr_t sgl_dma,
@@ -656,19 +656,19 @@ __mptctl_ioctl(struct file *file, unsign
 * by TM and FW reloads.
 */
if ((cmd & ~IOCSIZE_MASK) == (MPTIOCINFO & ~IOCSIZE_MASK)) {
-   return mptctl_getiocinfo(arg, _IOC_SIZE(cmd));
+   return mptctl_getiocinfo(iocp, arg, _IOC_SIZE(cmd));
} else if (cmd == MPTTARGETINFO) {
-   return mptctl_gettargetinfo(arg);
+   return mptctl_gettargetinfo(iocp, arg);
} else if (cmd == MPTTEST) {
-   return mptctl_readtest(arg);
+   return mptctl_readtest(iocp, arg);
} else if (cmd == M
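Review bot: passing `iocp` down instead of re-deriving it from user memory is the right fix for the double fetch; the pointer handed to each handler in `__mptctl_ioctl` must be the same one that `mptctl_syscall_down(iocp, nonblock)` locked, and since mptctl_do_fw_download() changes from `int ioc` to `MPT_ADAPTER *iocp`, any remaining caller that still passes an adapter index needs updating in the same patch.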

[PATCH 3.16 32/61] scsi: sg: off by one in sg_ioctl()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit bd46fc406b30d1db1aff8dabaff8d18bb423fdcf upstream.

If "val" is SG_MAX_QUEUE then we are one element beyond the end of the
"rinfo" array so the > should be >=.

Fixes: 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
Signed-off-by: Dan Carpenter 
Acked-by: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1072,7 +1072,7 @@ sg_ioctl(struct file *filp, unsigned int
read_lock_irqsave(>rq_list_lock, iflags);
val = 0;
list_for_each_entry(srp, >rq_list, entry) {
-   if (val > SG_MAX_QUEUE)
+   if (val >= SG_MAX_QUEUE)
break;
memset([val], 0, SZ_SG_REQ_INFO);
rinfo[val].req_state = srp->done + 1;



[PATCH 3.16 45/61] scsi: sg: add sg_remove_request in sg_write

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Wu Bo 

commit 83c6f2390040f188cc25b270b4befeb5628c1aee upstream.

If the __copy_from_user function failed we need to call sg_remove_request
in sg_write.

Link: https://lore.kernel.org/r/610618d9-e983-fd56-ed0f-639428343...@huawei.com
Acked-by: Douglas Gilbert 
Signed-off-by: Wu Bo 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
[groeck: Backport to v5.4.y and older kernels]
Signed-off-by: Guenter Roeck 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -696,8 +696,10 @@ sg_write(struct file *filp, const char _
hp->flags = input_size; /* structure abuse ... */
hp->pack_id = old_hdr.pack_id;
hp->usr_ptr = NULL;
-   if (__copy_from_user(cmnd, buf, cmd_size))
+   if (__copy_from_user(cmnd, buf, cmd_size)) {
+   sg_remove_request(sfp, srp);
return -EFAULT;
+   }
/*
 * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV,
 * but is is possible that the app intended SG_DXFER_TO_DEV, because 
there
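Review bot: sg_remove_request() is now called on the __copy_from_user() failure, but any other early return between sg_add_request() and the point where the request is handed off in sg_write() (not shown in this hunk) needs the same cleanup; please check those paths in the same change.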



[PATCH 3.16 29/61] scsi: sg: recheck MMAP_IO request length with lock held

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Todd Poynor 

commit 8d26f491116feaa0b16de370b6a7ba40a40fa0b4 upstream.

Commit 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page
array") adds needed concurrency protection for the "reserve" buffer.
Some checks that are initially made outside the lock are replicated once
the lock is taken to ensure the checks and resulting decisions are made
using consistent state.

The check that a request with flag SG_FLAG_MMAP_IO set fits in the
reserve buffer also needs to be performed again under the lock to ensure
the reserve buffer length compared against matches the value in effect
when the request is linked to the reserve buffer.  An -ENOMEM should be
returned in this case, instead of switching over to an indirect buffer
as for non-MMAP_IO requests.

Signed-off-by: Todd Poynor 
Acked-by: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1772,9 +1772,12 @@ sg_start_req(Sg_request *srp, unsigned c
!sfp->res_in_use) {
sfp->res_in_use = 1;
sg_link_reserve(sfp, srp, dxfer_len);
-   } else if ((hp->flags & SG_FLAG_MMAP_IO) && sfp->res_in_use) {
+   } else if (hp->flags & SG_FLAG_MMAP_IO) {
+   res = -EBUSY; /* sfp->res_in_use == 1 */
+   if (dxfer_len > rsv_schp->bufflen)
+   res = -ENOMEM;
mutex_unlock(>f_mutex);
-   return -EBUSY;
+   return res;
} else {
res = sg_build_indirect(req_schp, sfp, dxfer_len);
if (res) {
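Review bot: the comment `/* sfp->res_in_use == 1 */` documents a condition the new branch no longer tests; it holds only because the preceding branch, whose condition includes `!sfp->res_in_use`, did not match, so either say that explicitly or test it. When both apply, -ENOMEM now takes precedence over -EBUSY; that ordering should be stated in the commit message.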



[PATCH 3.16 48/61] ext4: Make checks for metadata_csum feature safer

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tahsin Erdogan 

This is just a small part of commit dec214d00e0d7 "ext4: xattr inode
deduplication" that makes checks for metadata_csum feature safer and is
actually needed by following fixes.

Signed-off-by: Tahsin Erdogan 
Acked-by: Jan Kara 
[bwh: Ported to 3.16: Use EXT4_HAS_RO_COMPAT_FEATURE()]
Signed-off-by: Ben Hutchings 
---
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2411,21 +2411,24 @@ extern void ext4_group_desc_csum_set(str
 extern int ext4_register_li_request(struct super_block *sb,
ext4_group_t first_not_zeroed);
 
-static inline int ext4_has_group_desc_csum(struct super_block *sb)
-{
-   return EXT4_HAS_RO_COMPAT_FEATURE(sb,
- EXT4_FEATURE_RO_COMPAT_GDT_CSUM) ||
-  (EXT4_SB(sb)->s_chksum_driver != NULL);
-}
-
 static inline int ext4_has_metadata_csum(struct super_block *sb)
 {
WARN_ON_ONCE(EXT4_HAS_RO_COMPAT_FEATURE(sb,
EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) &&
 !EXT4_SB(sb)->s_chksum_driver);
 
-   return (EXT4_SB(sb)->s_chksum_driver != NULL);
+   return EXT4_HAS_RO_COMPAT_FEATURE(sb,
+   EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) &&
+  (EXT4_SB(sb)->s_chksum_driver != NULL);
+}
+
+static inline int ext4_has_group_desc_csum(struct super_block *sb)
+{
+   return EXT4_HAS_RO_COMPAT_FEATURE(sb,
+ EXT4_FEATURE_RO_COMPAT_GDT_CSUM) ||
+   ext4_has_metadata_csum(sb);
 }
+
 static inline ext4_fsblk_t ext4_blocks_count(struct ext4_super_block *es)
 {
return ((ext4_fsblk_t)le32_to_cpu(es->s_blocks_count_hi) << 32) |
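Review bot: ext4_has_metadata_csum() previously returned true whenever s_chksum_driver was loaded; it now also requires the METADATA_CSUM feature bit, and ext4_has_group_desc_csum() now depends on it rather than on s_chksum_driver directly. Confirm that nothing in 3.16 relied on the old driver-only semantics (a superblock with the driver loaded but the feature bit clear) before this goes in.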



[PATCH 3.16 50/61] ext4: unsigned int compared against zero

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit fd2f28aec991f3fbc248df211550fbdfd58c upstream.

There are two cases where u32 variables n and err are being checked
for less than zero error values; the checks are always false because
the variables are not signed. Fix this by making the variables ints.

Addresses-Coverity: ("Unsigned compared against 0")
Fixes: 345c0dbf3a30 ("ext4: protect journal inode's blocks using block_validity")
Signed-off-by: Colin Ian King 
Signed-off-by: Theodore Ts'o 
Signed-off-by: Ben Hutchings 
---
 fs/ext4/block_validity.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/ext4/block_validity.c
+++ b/fs/ext4/block_validity.c
@@ -142,7 +142,8 @@ static int ext4_protect_reserved_inode(s
struct inode *inode;
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_map_blocks map;
-   u32 i = 0, err = 0, num, n;
+   u32 i = 0, num;
+   int err = 0, n;
 
if ((ino < EXT4_ROOT_INO) ||
(ino > le32_to_cpu(sbi->s_es->s_inodes_count)))
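Review bot: the hunk only changes the declarations, so the sites the commit message refers to (the `n < 0` and `err < 0` tests) are not visible here; since `i` and `num` stay u32 while `n` becomes int, check that every later use of `n` (for example adding it to `i`, as the loop shown in 53/61 of this series does right after `n = ext4_map_blocks(...)`) comes after the negative test, otherwise the signed/unsigned mix reintroduces the problem in another form.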



[PATCH 3.16 56/61] x86/cpu: Add 'table' argument to cpu_matches()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mark Gross 

commit 93920f61c2ad7edb01e63323832585796af75fc9 upstream.

To make cpu_matches() reusable for other matching tables, have it take a
pointer to a x86_cpu_id table as an argument.

 [ bp: Flip arguments order. ]

Signed-off-by: Mark Gross 
Signed-off-by: Borislav Petkov 
Signed-off-by: Thomas Gleixner 
Reviewed-by: Josh Poimboeuf 
Signed-off-by: Ben Hutchings 
---
 arch/x86/kernel/cpu/common.c | 23 +--
 1 file changed, 13 insertions(+), 10 deletions(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -872,9 +872,9 @@ static const __initconst struct x86_cpu_
{}
 };
 
-static bool __init cpu_matches(unsigned long which)
+static bool __init cpu_matches(const struct x86_cpu_id *table, unsigned long 
which)
 {
-   const struct x86_cpu_id *m = x86_match_cpu(cpu_vuln_whitelist);
+   const struct x86_cpu_id *m = x86_match_cpu(table);
 
return m && !!(m->driver_data & which);
 }
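Review bot: the new `table` parameter is passed straight to x86_match_cpu() with no NULL check, and x86_match_cpu() walks the table until the all-zero terminator (the `{}` at the top of this hunk), so every table handed to cpu_matches() must end the same way; a one-line comment on the prototype saying so would make the contract explicit. The `__init` on cpu_matches() also means any new table should be `__initconst` like cpu_vuln_whitelist, or it is wasted memory after boot.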
@@ -894,29 +894,32 @@ static void __init cpu_set_bug_bits(stru
u64 ia32_cap = x86_read_arch_cap_msr();
 
/* Set ITLB_MULTIHIT bug if cpu is not in the whitelist and not 
mitigated */
-   if (!cpu_matches(NO_ITLB_MULTIHIT) && !(ia32_cap & 
ARCH_CAP_PSCHANGE_MC_NO))
+   if (!cpu_matches(cpu_vuln_whitelist, NO_ITLB_MULTIHIT) &&
+   !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO))
setup_force_cpu_bug(X86_BUG_ITLB_MULTIHIT);
 
-   if (cpu_matches(NO_SPECULATION))
+   if (cpu_matches(cpu_vuln_whitelist, NO_SPECULATION))
return;
 
setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
 
-   if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) &&
+   if (!cpu_matches(cpu_vuln_whitelist, NO_SSB) &&
+   !(ia32_cap & ARCH_CAP_SSB_NO) &&
   !cpu_has(c, X86_FEATURE_AMD_SSB_NO))
setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
 
if (ia32_cap & ARCH_CAP_IBRS_ALL)
setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
 
-   if (!cpu_matches(NO_MDS) && !(ia32_cap & ARCH_CAP_MDS_NO)) {
+   if (!cpu_matches(cpu_vuln_whitelist, NO_MDS) &&
+   !(ia32_cap & ARCH_CAP_MDS_NO)) {
setup_force_cpu_bug(X86_BUG_MDS);
-   if (cpu_matches(MSBDS_ONLY))
+   if (cpu_matches(cpu_vuln_whitelist, MSBDS_ONLY))
setup_force_cpu_bug(X86_BUG_MSBDS_ONLY);
}
 
-   if (!cpu_matches(NO_SWAPGS))
+   if (!cpu_matches(cpu_vuln_whitelist, NO_SWAPGS))
setup_force_cpu_bug(X86_BUG_SWAPGS);
 
/*
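Review bot: no functional change in this hunk: every call site passes cpu_vuln_whitelist, which is what cpu_matches() hard-coded before, so the value of the backport is only that a second table (as 55/61 in this series adds) can now be matched; the reflow of each condition onto two lines is the only other difference and keeps the `&&` continuation alignment consistent.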
@@ -934,7 +937,7 @@ static void __init cpu_set_bug_bits(stru
 (ia32_cap & ARCH_CAP_TSX_CTRL_MSR)))
setup_force_cpu_bug(X86_BUG_TAA);
 
-   if (cpu_matches(NO_MELTDOWN))
+   if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
return;
 
/* Rogue Data Cache Load? No! */
@@ -943,7 +946,7 @@ static void __init cpu_set_bug_bits(stru
 
setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
 
-   if (cpu_matches(NO_L1TF))
+   if (cpu_matches(cpu_vuln_whitelist, NO_L1TF))
return;
 
setup_force_cpu_bug(X86_BUG_L1TF);



[PATCH 3.16 25/61] scsi: sg: Change next_cmd_len handling to mirror upstream

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Ben Hutchings 

Change the type of next_cmd_len to unsigned char, done in upstream
commit 65c26a0f3969 "sg: relax 16 byte cdb restriction".

Move the range check from sg_write() to sg_ioctl(), which was done by
that commit and commit bf33f87dd04c "scsi: sg: check length passed to
SG_NEXT_CMD_LEN".  Continue limiting the command length to
MAX_COMMAND_SIZE (16).

Signed-off-by: Ben Hutchings 
---
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -160,7 +160,7 @@ typedef struct sg_fd {  /* holds the sta
char low_dma;   /* as in parent but possibly overridden to 1 */
char force_packid;  /* 1 -> pack_id input to read(), 0 -> ignored */
char cmd_q; /* 1 -> allow command queuing, 0 -> don't */
-   char next_cmd_len;  /* 0 -> automatic (def), >0 -> use on next 
write() */
+   unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
char keep_orphan;   /* 0 -> drop orphan (def), 1 -> keep for read() 
*/
char mmap_called;   /* 0 -> mmap() never called on this fd */
struct kref f_ref;
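Review bot: on architectures where plain `char` is signed, a next_cmd_len above 127 used to read as negative, so the `sfp->next_cmd_len > 0` test in sg_write() silently fell back to automatic length; with `unsigned char` every value 1..255 is honoured, which is why the range check has to live wherever the field is written (the sg_ioctl() hunk below) rather than only at the point of use.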
@@ -653,12 +653,6 @@ sg_write(struct file *filp, const char _
buf += SZ_SG_HEADER;
__get_user(opcode, buf);
if (sfp->next_cmd_len > 0) {
-   if (sfp->next_cmd_len > MAX_COMMAND_SIZE) {
-   SCSI_LOG_TIMEOUT(1, printk("sg_write: command length 
too long\n"));
-   sfp->next_cmd_len = 0;
-   sg_remove_request(sfp, srp);
-   return -EIO;
-   }
cmd_size = sfp->next_cmd_len;
sfp->next_cmd_len = 0;  /* reset so only this write() effected 
*/
} else {
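Review bot: with the MAX_COMMAND_SIZE check removed here, sg_write() trusts next_cmd_len completely, so the only remaining guard is the one the next hunk adds in sg_ioctl(); that is sound only if SG_NEXT_CMD_LEN is the sole writer of sfp->next_cmd_len, and a short comment on the field ("bounded by sg_ioctl()") would help the next reader of this path. Dropping the sg_remove_request()/-EIO branch also changes what a caller sees: an oversized length is now rejected at ioctl time instead of at write time.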
@@ -1045,6 +1039,8 @@ sg_ioctl(struct file *filp, unsigned int
result = get_user(val, ip);
if (result)
return result;
+   if (val > MAX_COMMAND_SIZE)
+   return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
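Review bot: `val` is an int, so a negative value skips the `val > MAX_COMMAND_SIZE` test and is mapped to 0 ("automatic") by the ternary on the next line rather than being rejected; that matches prior behaviour but is worth stating in the commit message. -ENOMEM mirrors upstream bf33f87dd04c as the message says, even though -EINVAL is the conventional errno for an out-of-range argument; keeping upstream's value is the right call for a backport so userspace sees the same error on both.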



[PATCH 3.16 28/61] scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Todd Poynor 

commit 6a8dadcca81fceff9976e8828cceb072873b7bd5 upstream.

Take f_mutex around mmap() processing to protect against races with the
SG_SET_RESERVED_SIZE ioctl.  Ensure the reserve buffer length remains
consistent during the mapping operation, and set the "mmap called" flag
to prevent further changes to the reserved buffer size as an atomic
operation with the mapping.

[mkp: fixed whitespace]

Signed-off-by: Todd Poynor 
Acked-by: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1310,6 +1310,7 @@ sg_mmap(struct file *filp, struct vm_are
unsigned long req_sz, len, sa;
Sg_scatter_hold *rsv_schp;
int k, length;
+   int ret = 0;
 
if ((!filp) || (!vma) || (!(sfp = (Sg_fd *) filp->private_data)))
return -ENXIO;
@@ -1319,8 +1320,11 @@ sg_mmap(struct file *filp, struct vm_are
if (vma->vm_pgoff)
return -EINVAL; /* want no offset */
rsv_schp = >reserve;
-   if (req_sz > rsv_schp->bufflen)
-   return -ENOMEM; /* cannot map more than reserved buffer */
+   mutex_lock(>f_mutex);
+   if (req_sz > rsv_schp->bufflen) {
+   ret = -ENOMEM;  /* cannot map more than reserved buffer */
+   goto out;
+   }
 
sa = vma->vm_start;
length = 1 << (PAGE_SHIFT + rsv_schp->page_order);
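Review bot: the early `return -EINVAL` for a non-zero vm_pgoff stays above mutex_lock(), which is fine because it does not touch the reserve buffer; from mutex_lock() onward every failure must leave through `out:`, and the one error path in this hunk does. The commit message says the "mmap called" flag is set atomically with the mapping, but the `mmap_called` assignment is not within this hunk's context lines, so confirm it sits between mutex_lock() and the unlock at `out:`.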
@@ -1334,7 +1338,9 @@ sg_mmap(struct file *filp, struct vm_are
vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP;
vma->vm_private_data = sfp;
vma->vm_ops = _mmap_vm_ops;
-   return 0;
+out:
+   mutex_unlock(>f_mutex);
+   return ret;
 }
 
 static void



[PATCH 3.16 59/61] x86/speculation: Add Ivy Bridge to affected list

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Josh Poimboeuf 

commit 3798cc4d106e91382bfe016caa2edada27c2bb3f upstream.

Make the docs match the code.

Signed-off-by: Josh Poimboeuf 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Ben Hutchings 
---
 .../hw-vuln/special-register-buffer-data-sampling.rst  | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/Documentation/hw-vuln/special-register-buffer-data-sampling.rst
+++ b/Documentation/hw-vuln/special-register-buffer-data-sampling.rst
@@ -27,6 +27,8 @@ by software using TSX_CTRL_MSR otherwise
   =    
   common nameFamily_Model  Stepping
   =    
+  IvyBridge  06_3AHAll
+
   Haswell06_3CHAll
   Haswell_L  06_45HAll
   Haswell_G  06_46HAll
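Review bot: the new IvyBridge row is followed by a blank line while the next hunk removes the blank lines between the Kabylake rows; reStructuredText simple tables tolerate blank rows, but the same patch should not introduce one style and remove the other, so drop the blank line after IvyBridge (or keep them consistently). Since this table is the user-facing statement of which parts the mitigation applies to, also confirm 06_3AH against the code the message says the docs are being matched to.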
@@ -37,9 +39,8 @@ by software using TSX_CTRL_MSR otherwise
   Skylake_L  06_4EHAll
   Skylake06_5EHAll
 
-  Kabylake_L 06_8EH<=0xC
-
-  Kabylake   06_9EH<=0xD
+  Kabylake_L 06_8EH<= 0xC
+  Kabylake   06_9EH<= 0xD
   =    
 
 Related CVEs



[PATCH 3.16 55/61] x86/cpu: Add a steppings field to struct x86_cpu_id

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mark Gross 

commit e9d7144597b10ff13ff2264c059f7d4a7fbc89ac upstream.

Intel uses the same family/model for several CPUs. Sometimes the
stepping must be checked to tell them apart.

On x86 there can be at most 16 steppings. Add a steppings bitmask to
x86_cpu_id and a X86_MATCH_VENDOR_FAMILY_MODEL_STEPPING_FEATURE macro
and support for matching against family/model/stepping.

 [ bp: Massage.
   tglx: Lightweight variant for backporting ]

Signed-off-by: Mark Gross 
Signed-off-by: Borislav Petkov 
Signed-off-by: Thomas Gleixner 
Reviewed-by: Tony Luck 
Reviewed-by: Josh Poimboeuf 
Signed-off-by: Ben Hutchings 
---
 arch/x86/include/asm/cpu_device_id.h | 27 +++
 arch/x86/kernel/cpu/match.c  |  7 ++-
 include/linux/mod_devicetable.h  |  6 ++
 3 files changed, 39 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/cpu_device_id.h
+++ b/arch/x86/include/asm/cpu_device_id.h
@@ -8,6 +8,33 @@
 
 #include 
 
+#define X86_STEPPINGS(mins, maxs)GENMASK(maxs, mins)
+
+/**
+ * X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE - Base macro for CPU matching
+ * @_vendor:   The vendor name, e.g. INTEL, AMD, HYGON, ..., ANY
+ * The name is expanded to X86_VENDOR_@_vendor
+ * @_family:   The family number or X86_FAMILY_ANY
+ * @_model:The model number, model constant or X86_MODEL_ANY
+ * @_steppings:Bitmask for steppings, stepping constant or 
X86_STEPPING_ANY
+ * @_feature:  A X86_FEATURE bit or X86_FEATURE_ANY
+ * @_data: Driver specific data or NULL. The internal storage
+ * format is unsigned long. The supplied value, pointer
+ * etc. is casted to unsigned long internally.
+ *
+ * Backport version to keep the SRBDS pile consistant. No shorter variants
+ * required for this.
+ */
+#define X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE(_vendor, _family, _model, 
\
+   _steppings, _feature, 
_data) { \
+   .vendor = X86_VENDOR_##_vendor, \
+   .family = _family,  \
+   .model  = _model,   \
+   .steppings  = _steppings,   \
+   .feature= _feature, \
+   .driver_data= (unsigned long) _data \
+}
+
 extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match);
 
 #endif
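Review bot: the macro defined here is X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE, but the commit message calls it X86_MATCH_VENDOR_FAMILY_MODEL_STEPPING_FEATURE; one of the two should change so the log is greppable. Two typos in the new kernel-doc: "consistant" -> "consistent" and "is casted" -> "is cast". X86_STEPPINGS() expands to GENMASK(), and the single `#include` visible in this hunk is not obviously the header that provides it, so check that linux/bitops.h (or an equivalent) is reachable from cpu_device_id.h in 3.16 rather than relying on whoever includes it.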
--- a/arch/x86/kernel/cpu/match.c
+++ b/arch/x86/kernel/cpu/match.c
@@ -33,13 +33,18 @@ const struct x86_cpu_id *x86_match_cpu(c
const struct x86_cpu_id *m;
struct cpuinfo_x86 *c = _cpu_data;
 
-   for (m = match; m->vendor | m->family | m->model | m->feature; m++) {
+   for (m = match;
+m->vendor | m->family | m->model | m->steppings | m->feature;
+m++) {
if (m->vendor != X86_VENDOR_ANY && c->x86_vendor != m->vendor)
continue;
if (m->family != X86_FAMILY_ANY && c->x86 != m->family)
continue;
if (m->model != X86_MODEL_ANY && c->x86_model != m->model)
continue;
+   if (m->steppings != X86_STEPPING_ANY &&
+   !(BIT(c->x86_stepping) & m->steppings))
+   continue;
if (m->feature != X86_FEATURE_ANY && !cpu_has(c, m->feature))
continue;
return m;
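Review bot: adding `m->steppings` to the terminator test is necessary, otherwise an entry that set only .steppings would be read as the end-of-table sentinel; the `BIT(c->x86_stepping) & m->steppings` test is safe for a __u16 mask because x86 steppings occupy 4 bits (0..15), as the message notes. A comment at the loop head stating that the all-zero entry terminates the table would help, since the sentinel check now depends on five fields.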
--- a/include/linux/mod_devicetable.h
+++ b/include/linux/mod_devicetable.h
@@ -559,6 +559,10 @@ struct amba_id {
 /*
  * MODULE_DEVICE_TABLE expects this struct to be called x86cpu_device_id.
  * Although gcc seems to ignore this error, clang fails without this define.
+ *
+ * Note: The ordering of the struct is different from upstream because the
+ * static initializers in kernels < 5.7 still use C89 style while upstream
+ * has been converted to proper C99 initializers.
  */
 #define x86cpu_device_id x86_cpu_id
 struct x86_cpu_id {
@@ -567,6 +571,7 @@ struct x86_cpu_id {
__u16 model;
__u16 feature;  /* bit index */
kernel_ulong_t driver_data;
+   __u16 steppings;
 };
 
 #define X86_FEATURE_MATCH(x) \
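Review bot: appending `steppings` after `driver_data` (rather than next to `feature` as upstream does) is what keeps the C89 positional initializers in older tables valid, and because X86_STEPPING_ANY is 0 (next hunk) those tables get "any stepping" for free; the comment added in the previous hunk explains why, but a note at the field itself ("must stay last: positional initializers") would stop a later backport from reordering it.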
@@ -575,6 +580,7 @@ struct x86_cpu_id {
 #define X86_VENDOR_ANY 0x
 #define X86_FAMILY_ANY 0
 #define X86_MODEL_ANY  0
+#define X86_STEPPING_ANY 0
 #define X86_FEATURE_ANY 0  /* Same as FPU, you can't test for that */
 
 /*



[PATCH 3.16 53/61] ext4: add cond_resched() to ext4_protect_reserved_inode

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Shijie Luo 

commit af133ade9a40794a37104ecbcc2827c0ea373a3c upstream.

When journal size is set too big by "mkfs.ext4 -J size=", or when
we mount a crafted image to make journal inode->i_size too big,
the loop, "while (i < num)", holds cpu too long. This could cause
soft lockup.

[  529.357541] Call trace:
[  529.357551]  dump_backtrace+0x0/0x198
[  529.357555]  show_stack+0x24/0x30
[  529.357562]  dump_stack+0xa4/0xcc
[  529.357568]  watchdog_timer_fn+0x300/0x3e8
[  529.357574]  __hrtimer_run_queues+0x114/0x358
[  529.357576]  hrtimer_interrupt+0x104/0x2d8
[  529.357580]  arch_timer_handler_virt+0x38/0x58
[  529.357584]  handle_percpu_devid_irq+0x90/0x248
[  529.357588]  generic_handle_irq+0x34/0x50
[  529.357590]  __handle_domain_irq+0x68/0xc0
[  529.357593]  gic_handle_irq+0x6c/0x150
[  529.357595]  el1_irq+0xb8/0x140
[  529.357599]  __ll_sc_atomic_add_return_acquire+0x14/0x20
[  529.357668]  ext4_map_blocks+0x64/0x5c0 [ext4]
[  529.357693]  ext4_setup_system_zone+0x330/0x458 [ext4]
[  529.357717]  ext4_fill_super+0x2170/0x2ba8 [ext4]
[  529.357722]  mount_bdev+0x1a8/0x1e8
[  529.357746]  ext4_mount+0x44/0x58 [ext4]
[  529.357748]  mount_fs+0x50/0x170
[  529.357752]  vfs_kern_mount.part.9+0x54/0x188
[  529.357755]  do_mount+0x5ac/0xd78
[  529.357758]  ksys_mount+0x9c/0x118
[  529.357760]  __arm64_sys_mount+0x28/0x38
[  529.357764]  el0_svc_common+0x78/0x130
[  529.357766]  el0_svc_handler+0x38/0x78
[  529.357769]  el0_svc+0x8/0xc
[  541.356516] watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [mount:18674]

Link: https://lore.kernel.org/r/20200211011752.29242-1-luoshij...@huawei.com
Reviewed-by: Jan Kara 
Signed-off-by: Shijie Luo 
Signed-off-by: Theodore Ts'o 
Cc: sta...@kernel.org
Signed-off-by: Ben Hutchings 
---
 fs/ext4/block_validity.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/block_validity.c
+++ b/fs/ext4/block_validity.c
@@ -153,6 +153,7 @@ static int ext4_protect_reserved_inode(s
return PTR_ERR(inode);
num = (inode->i_size + sb->s_blocksize - 1) >> sb->s_blocksize_bits;
while (i < num) {
+   cond_resched();
map.m_lblk = i;
map.m_len = num - i;
n = ext4_map_blocks(NULL, inode, , 0);
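Review bot: cond_resched() is safe here because ext4_protect_reserved_inode() runs in process context at mount time (the trace in the message shows ext4_fill_super -> ext4_setup_system_zone -> ext4_map_blocks), so this does remove the soft lockup; it does not bound the work, though: a crafted journal i_size still costs one ext4_map_blocks() call per block, so mount time remains controlled by the image, and a sanity cap on `num` against the filesystem's block count would be a reasonable follow-up.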



[PATCH 3.16 52/61] ext4: don't perform block validity checks on the journal inode

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Theodore Ts'o 

commit 0a944e8a6c66ca04c7afbaa17e22bf208a8b37f0 upstream.

Since the journal inode is already checked when we added it to the
block validity's system zone, if we check it again, we'll just trigger
a failure.

This was causing failures like this:

[   53.897001] EXT4-fs error (device sda): ext4_find_extent:909: inode
#8: comm jbd2/sda-8: pblk 121667583 bad header/extent: invalid extent entries - 
magic f30a, entries 8, max 340(340), depth 0(0)
[   53.931430] jbd2_journal_bmap: journal block not found at offset 49 on sda-8
[   53.938480] Aborting journal on device sda-8.

... but only if the system was under enough memory pressure that
logical->physical mapping for the journal inode gets pushed out of the
extent cache.  (This is why it wasn't noticed earlier.)

Fixes: 345c0dbf3a30 ("ext4: protect journal inode's blocks using block_validity")
Reported-by: Dan Rue 
Signed-off-by: Theodore Ts'o 
Tested-by: Naresh Kamboju 
[bwh: Backported to 3.16: Use EXT4_HAS_COMPAT_FEATURE()]
Signed-off-by: Ben Hutchings 
---
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -503,10 +503,15 @@ __read_extent_tree_block(const char *fun
}
if (buffer_verified(bh) && !(flags & EXT4_EX_FORCE_CACHE))
return bh;
-   err = __ext4_ext_check(function, line, inode,
-  ext_block_hdr(bh), depth, pblk);
-   if (err)
-   goto errout;
+   if (!EXT4_HAS_COMPAT_FEATURE(inode->i_sb,
+EXT4_FEATURE_COMPAT_HAS_JOURNAL) ||
+   (inode->i_ino !=
+le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) {
+   err = __ext4_ext_check(function, line, inode,
+  ext_block_hdr(bh), depth, pblk);
+   if (err)
+   goto errout;
+   }
set_buffer_verified(bh);
/*
 * If this is a leaf block, cache all of its entries
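Review bot: set_buffer_verified(bh) is now reached even when the __ext4_ext_check() call was skipped, so the journal inode's extent blocks are marked verified without the header check (magic/entries/depth) that the failure in the message shows; the message argues the block_validity system zone already covers those blocks, which is fair, but a comment at the skip saying exactly that belongs in the code. The condition also duplicates the HAS_JOURNAL/s_journal_inum test that 51/61 adds to ext4_check_blockref(); a small shared helper would keep the two in sync.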



[PATCH 3.16 40/61] scsi: sg: fix static checker warning in sg_is_valid_dxfer

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Johannes Thumshirn 

commit 14074aba4bcda3764c9a702b276308b89901d5b6 upstream.

dxfer_len is an unsigned int and we always assign a value > 0 to it, so
it doesn't make any sense to check if it is < 0. We can't really check
dxferp as well as we have both NULL and not NULL cases in the possible
call paths.

So just return true for SG_DXFER_FROM_DEV transfer in
sg_is_valid_dxfer().

Signed-off-by: Johannes Thumshirn 
Reported-by: Colin Ian King 
Reported-by: Dan Carpenter 
Cc: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -796,8 +796,11 @@ static bool sg_is_valid_dxfer(sg_io_hdr_
return false;
return true;
case SG_DXFER_FROM_DEV:
-   if (hp->dxfer_len < 0)
-   return false;
+   /*
+* for SG_DXFER_FROM_DEV we always set dxfer_len to > 0. dxferp
+* can either be NULL or != NULL so there's no point in checking
+* it either. So just return true.
+*/
return true;
case SG_DXFER_TO_DEV:
case SG_DXFER_TO_FROM_DEV:



[PATCH 3.16 36/61] scsi: sg: disable SET_FORCE_LOW_DMA

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 745dfa0d8ec26b24f3304459ff6e9eacc5c8351b upstream.

The ioctl SET_FORCE_LOW_DMA has never worked since the initial git
check-in, and the respective setting is nowadays handled correctly. So
disable it entirely.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 30 +-
 include/scsi/sg.h |  1 -
 2 files changed, 9 insertions(+), 22 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -157,7 +157,6 @@ typedef struct sg_fd {  /* holds the sta
struct list_head rq_list; /* head of request list */
struct fasync_struct *async_qp; /* used by asynchronous notification */
Sg_request req_arr[SG_MAX_QUEUE];   /* used as singly-linked list */
-   char low_dma;   /* as in parent but possibly overridden to 1 */
char force_packid;  /* 1 -> pack_id input to read(), 0 -> ignored */
char cmd_q; /* 1 -> allow command queuing, 0 -> don't */
unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
@@ -963,24 +962,14 @@ sg_ioctl(struct file *filp, unsigned int
/* strange ..., for backward compatibility */
return sfp->timeout_user;
case SG_SET_FORCE_LOW_DMA:
-   result = get_user(val, ip);
-   if (result)
-   return result;
-   if (val) {
-   sfp->low_dma = 1;
-   if ((0 == sfp->low_dma) && !sfp->res_in_use) {
-   val = (int) sfp->reserve.bufflen;
-   sg_remove_scat(>reserve);
-   sg_build_reserve(sfp, val);
-   }
-   } else {
-   if (atomic_read(>detaching))
-   return -ENODEV;
-   sfp->low_dma = sdp->device->host->unchecked_isa_dma;
-   }
+   /*
+* N.B. This ioctl never worked properly, but failed to
+* return an error value. So returning '0' to keep compability
+* with legacy applications.
+*/
return 0;
case SG_GET_LOW_DMA:
-   return put_user((int) sfp->low_dma, ip);
+   return put_user((int) sdp->device->host->unchecked_isa_dma, ip);
case SG_GET_SCSI_ID:
if (!access_ok(VERIFY_WRITE, p, sizeof (sg_scsi_id_t)))
return -EFAULT;
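Review bot: the removed code shows why the ioctl never worked: `sfp->low_dma = 1;` is immediately followed by `if ((0 == sfp->low_dma) && !sfp->res_in_use)`, which could never be true, so the reserve buffer was never rebuilt. Typo in the new comment: "compability" -> "compatibility". Returning 0 while ignoring the request is the compatibility trade-off the message describes; SG_GET_LOW_DMA now reports the host's unchecked_isa_dma directly, so the pair at least stays self-consistent.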
@@ -1890,6 +1879,7 @@ sg_build_indirect(Sg_scatter_hold * schp
int sg_tablesize = sfp->parentdp->sg_tablesize;
int blk_size = buff_size, order;
gfp_t gfp_mask = GFP_ATOMIC | __GFP_COMP | __GFP_NOWARN;
+   struct sg_device *sdp = sfp->parentdp;
 
if (blk_size < 0)
return -EFAULT;
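Review bot: with `struct sg_device *sdp = sfp->parentdp;` introduced here, the existing `int sg_tablesize = sfp->parentdp->sg_tablesize;` a few lines above could use `sdp->sg_tablesize`, so there is one way of reaching the device in this function.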
@@ -1914,7 +1904,7 @@ sg_build_indirect(Sg_scatter_hold * schp
scatter_elem_sz_prev = num;
}
 
-   if (sfp->low_dma)
+   if (sdp->device->host->unchecked_isa_dma)
gfp_mask |= GFP_DMA;
 
if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
@@ -2168,8 +2158,6 @@ sg_add_sfp(Sg_device * sdp, int dev)
sfp->timeout = SG_DEFAULT_TIMEOUT;
sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER;
sfp->force_packid = SG_DEF_FORCE_PACK_ID;
-   sfp->low_dma = (SG_DEF_FORCE_LOW_DMA == 0) ?
-   sdp->device->host->unchecked_isa_dma : 1;
sfp->cmd_q = SG_DEF_COMMAND_Q;
sfp->keep_orphan = SG_DEF_KEEP_ORPHAN;
sfp->parentdp = sdp;
@@ -2627,7 +2615,7 @@ static void sg_proc_debug_helper(struct
   jiffies_to_msecs(fp->timeout),
   fp->reserve.bufflen,
   (int) fp->reserve.k_use_sg,
-  (int) fp->low_dma);
+  (int) sdp->device->host->unchecked_isa_dma);
seq_printf(s, "   cmd_q=%d f_packid=%d k_orphan=%d closed=0\n",
   (int) fp->cmd_q, (int) fp->force_packid,
   (int) fp->keep_orphan);
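Review bot: the new `sdp->device->host->unchecked_isa_dma` here relies on an `sdp` that this hunk does not declare, so it must be sg_proc_debug_helper()'s own parameter; confirm that in the 3.16 tree, since `fp->parentdp` is the alternative if it is not in scope.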
--- a/include/scsi/sg.h
+++ b/include/scsi/sg.h
@@ -234,7 +234,6 @@ typedef struct sg_req_info { /* used by
 #define SG_DEFAULT_RETRIES 0
 
 /* Defaults, commented if they differ from original sg driver */
-#define SG_DEF_FORCE_LOW_DMA 0  /* was 1 -> memory below 16MB on i386 */
 #define SG_DEF_FORCE_PACK_ID 0
 #define SG_DEF_KEEP_ORPHAN 0
 #define SG_DEF_RESERVED_SIZE SG_SCATTER_SZ /* load time option */



[PATCH 3.16 23/61] sg: O_EXCL and other lock handling

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Douglas Gilbert 

commit cc833acbee9db5ca8c6162b015b4c93863c6f821 upstream.

This addresses a problem reported by Vaughan Cao concerning
the correctness of the O_EXCL logic in the sg driver. POSIX
doesn't define O_EXCL semantics on devices but "allow only
one open file descriptor at a time per sg device" is a rough
definition. The sg driver's semantics have been to wait
on an open() when O_NONBLOCK is not given and there are
O_EXCL headwinds. Nasty things can happen during that wait
such as the device being detached (removed). So multiple
locks are reworked in this patch making it large and hard
to break down into digestible bits.

This patch is against Linus's current git repository which
doesn't include any sg patches sent in the last few weeks.
Hence this patch touches as little as possible that it
doesn't need to and strips out most SCSI_LOG_TIMEOUT()
changes in v3 because Hannes said he was going to rework all
that stuff.

The sg3_utils package has several test programs written to
test this patch. See examples/sg_tst_excl*.cpp .

Not all the locks and flags in sg have been re-worked in
this patch, notably sg_request::done . That can wait for
a follow-up patch if this one meets with approval.

Signed-off-by: Douglas Gilbert 
Reviewed-by: Hannes Reinecke 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 424 +-
 1 file changed, 230 insertions(+), 194 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -51,6 +51,7 @@ static int sg_version_num = 30534;/* 2
 #include 
 #include 
 #include 
+#include 
 #include 
 #include  /* for sg_check_file_access() */
 
@@ -103,18 +104,16 @@ static int scatter_elem_sz_prev = SG_SCA
 
 #define SG_SECTOR_SZ 512
 
-static int sg_add(struct device *, struct class_interface *);
-static void sg_remove(struct device *, struct class_interface *);
-
-static DEFINE_SPINLOCK(sg_open_exclusive_lock);
+static int sg_add_device(struct device *, struct class_interface *);
+static void sg_remove_device(struct device *, struct class_interface *);
 
 static DEFINE_IDR(sg_index_idr);
 static DEFINE_RWLOCK(sg_index_lock);   /* Also used to lock
   file descriptor list 
for device */
 
 static struct class_interface sg_interface = {
-   .add_dev= sg_add,
-   .remove_dev = sg_remove,
+   .add_dev= sg_add_device,
+   .remove_dev = sg_remove_device,
 };
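Review bot: removing sg_open_exclusive_lock here drops the spinlock that guarded `exclude`; its replacement is not in this hunk, and the later struct hunk documents `sfd_lock` as protecting the sfd list but says nothing about what now serialises `exclude` and `open_cnt`, so the lock that takes over (open_rel_lock, whose comment says it is held in open()/release(), is the likely candidate) should be named in a comment.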
 
 typedef struct sg_scatter_hold { /* holding area for scsi scatter gather info 
*/
@@ -147,8 +146,7 @@ typedef struct sg_request { /* SG_MAX_QU
 } Sg_request;
 
 typedef struct sg_fd { /* holds the state of a file descriptor */
-   /* sfd_siblings is protected by sg_index_lock */
-   struct list_head sfd_siblings;
+   struct list_head sfd_siblings;  /* protected by device's sfd_lock */
struct sg_device *parentdp; /* owning device */
wait_queue_head_t read_wait;/* queue read until command done */
rwlock_t rq_list_lock;  /* protect access to list in req_arr */
@@ -171,14 +169,15 @@ typedef struct sg_fd {/* holds the sta
 
 typedef struct sg_device { /* holds the state of each scsi generic device */
struct scsi_device *device;
-   wait_queue_head_t o_excl_wait;  /* queue open() when O_EXCL in use */
+   wait_queue_head_t open_wait;/* queue open() when O_EXCL present */
+   struct mutex open_rel_lock; /* held when in open() or release() */
int sg_tablesize;   /* adapter's max scatter-gather table size */
u32 index;  /* device index number */
-   /* sfds is protected by sg_index_lock */
struct list_head sfds;
-   volatile char detached; /* 0->attached, 1->detached pending removal */
-   /* exclude protected by sg_open_exclusive_lock */
-   char exclude;   /* opened for exclusive access */
+   rwlock_t sfd_lock;  /* protect access to sfd list */
+   atomic_t detaching; /* 0->device usable, 1->device detaching */
+   bool exclude;   /* 1->open(O_EXCL) succeeded and is active */
+   int open_cnt;   /* count of opens (perhaps < num(sfds) ) */
char sgdebug;   /* 0->off, 1->sense, 9->dump dev, 10-> all devs 
*/
struct gendisk *disk;
struct cdev * cdev; /* char_dev [sysfs: /sys/cdev/major/sg] */
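Review bot: `exclude` becomes a bool but its comment still says "1->open(O_EXCL) succeeded"; make it "true ->". More importantly, `exclude` and `open_cnt` carry no "protected by" annotation while the neighbouring `sfd_siblings`/`sfd_lock` fields do; state the lock (open_rel_lock by its comment) so the invariant the commit message describes is checkable. Changing `detaching` from `volatile char` to `atomic_t` is the right fix for a flag that was previously read without synchronisation.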
@@ -209,7 +208,7 @@ static Sg_request *sg_add_request(Sg_fd
 static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
 static int sg_res_in_use(Sg_fd * sfp);
 static Sg_device *sg_get_dev(int dev);
-static void sg_put_dev(Sg_device *sdp);
+static void sg_device_destroy(struct kref *kref);
 
 #define SZ_SG_HEADER sizeof(struct sg_header)
 #define SZ_SG_IO_HDR sizeof(sg_io_hdr_t)
@@ -253,38 +252,43 @@ static int sg_a

[PATCH 3.16 09/61] net-sysfs: Call dev_hold always in netdev_queue_add_kobject

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jouni Hogander 

commit e0b60903b434a7ee21ba8d8659f207ed84101e89 upstream.

Dev_hold has to be called always in netdev_queue_add_kobject.
Otherwise usage count drops below 0 in case of failure in
kobject_init_and_add.

Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
Reported-by: Hulk Robot 
Cc: Tetsuo Handa 
Cc: David Miller 
Cc: Lukas Bulwahn 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/core/net-sysfs.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1143,14 +1143,17 @@ static int netdev_queue_add_kobject(stru
struct kobject *kobj = >kobj;
int error = 0;
 
+   /* Kobject_put later will trigger netdev_queue_release call
+* which decreases dev refcount: Take that reference here
+*/
+   dev_hold(queue->dev);
+
kobj->kset = net->queues_kset;
error = kobject_init_and_add(kobj, _queue_ktype, NULL,
"tx-%u", index);
if (error)
goto err;
 
-   dev_hold(queue->dev);
-
 #ifdef CONFIG_BQL
error = sysfs_create_group(kobj, _group);
if (error)
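Review bot: moving dev_hold() above kobject_init_and_add() is correct only if the `err:` path (not shown) always calls kobject_put(), which runs netdev_queue_release() and drops the reference, including when kobject_init_and_add() itself fails; the new comment states that assumption, so confirm the label does exactly that and nothing else releases the device. Style nit: "Kobject_put" in the comment should be "kobject_put()".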



[PATCH 3.16 51/61] ext4: fix block validity checks for journal inodes using indirect blocks

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Theodore Ts'o 

commit 170417c8c7bb2cbbdd949bf5c443c0c8f24a203b upstream.

Commit 345c0dbf3a30 ("ext4: protect journal inode's blocks using
block_validity") failed to add an exception for the journal inode in
ext4_check_blockref(), which is the function used by ext4_get_branch()
for indirect blocks.  This caused attempts to read from the ext3-style
journals to fail with:

[  848.968550] EXT4-fs error (device sdb7): ext4_get_branch:171: inode #8: 
block 30343695: comm jbd2/sdb7-8: invalid block

Fix this by adding the missing exception check.

Fixes: 345c0dbf3a30 ("ext4: protect journal inode's blocks using block_validity")
Reported-by: Arthur Marsh 
Signed-off-by: Theodore Ts'o 
[bwh: Backported to 3.16: Use EXT4_HAS_COMPAT_FEATURE]
Signed-off-by: Ben Hutchings 
---
--- a/fs/ext4/block_validity.c
+++ b/fs/ext4/block_validity.c
@@ -277,6 +277,12 @@ int ext4_check_blockref(const char *func
__le32 *bref = p;
unsigned int blk;
 
+   if (EXT4_HAS_COMPAT_FEATURE(inode->i_sb,
+   EXT4_FEATURE_COMPAT_HAS_JOURNAL) &&
+   (inode->i_ino ==
+le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
+   return 0;
+
while (bref < p+max) {
blk = le32_to_cpu(*bref++);
if (blk &&
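Review bot: returning 0 before the loop means the journal inode's indirect block references are no longer range-checked here at all, not merely excluded from the system-zone lookup; the justification 52/61 gives for extents (the journal's blocks were validated when added to the system zone) applies here too, so the two skips should be kept in step, ideally via a shared helper, and each should carry a comment pointing at ext4_protect_reserved_inode() as the place where those blocks are actually checked.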



[PATCH 3.16 35/61] scsi: sg: Re-fix off by one in sg_fill_request_table()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Ben Hutchings 

commit 587c3c9f286cee5c9cac38d28c8ae1875f4ec85b upstream.

Commit 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
introduced an off-by-one error in sg_ioctl(), which was fixed by commit
bd46fc406b30 ("scsi: sg: off by one in sg_ioctl()").

Unfortunately commit 4759df905a47 ("scsi: sg: factor out
sg_fill_request_table()") moved that code, and reintroduced the
bug (perhaps due to a botched rebase).  Fix it again.

Fixes: 4759df905a47 ("scsi: sg: factor out sg_fill_request_table()")
Signed-off-by: Ben Hutchings 
Acked-by: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -879,7 +879,7 @@ sg_fill_request_table(Sg_fd *sfp, sg_req
 
val = 0;
list_for_each_entry(srp, >rq_list, entry) {
-   if (val > SG_MAX_QUEUE)
+   if (val >= SG_MAX_QUEUE)
break;
rinfo[val].req_state = srp->done + 1;
rinfo[val].problem =
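Review bot: `val >= SG_MAX_QUEUE` is the right bound since rinfo[val] is written on the next line, so the old `>` test let val reach SG_MAX_QUEUE, one past the end of a SG_MAX_QUEUE-sized table; given this is the second time the same off-by-one has been fixed, a BUILD_BUG_ON() or comment next to the array tying its size to this loop would make a third regression harder.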



[PATCH 3.16 47/61] USB: gadget: fix illegal array access in binding with UDC

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Kyungtae Kim 

commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream.

FuzzUSB (a variant of syzkaller) found an illegal array access
using an incorrect index while binding a gadget with UDC.

Reference: https://www.spinics.net/lists/linux-usb/msg194331.html

This bug occurs when a size variable used for a buffer
is misused to access its strcpy-ed buffer.
Given a buffer along with its size variable (taken from user input),
a new buffer is created from it using kstrdup().
Due to the original buffer containing a 0 value in the middle,
the size of the kstrdup-ed buffer becomes smaller than that of the original.
So accessing the kstrdup-ed buffer with the same size variable
triggers a memory access violation.

The fix makes sure there is no zero value in the buffer,
by comparing the strlen() of the original buffer with the size variable,
so that the access to the kstrdup-ed buffer is safe.

BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
drivers/usb/gadget/configfs.c:266
Read of size 1 at addr 88806a55dd7e by task syz-executor.0/17208

CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
 flush_write_buffer fs/configfs/file.c:251 [inline]
 configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
 __vfs_write+0x85/0x110 fs/read_write.c:494
 vfs_write+0x1cd/0x510 fs/read_write.c:558
 ksys_write+0x18a/0x220 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:620
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Kyungtae Kim 
Reported-and-tested-by: Kyungtae Kim 
Cc: Felipe Balbi 
Cc: stable 
Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/usb/gadget/configfs.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -254,6 +254,9 @@ static ssize_t gadget_dev_desc_UDC_store
char *name;
int ret;
 
+   if (strlen(page) < len)
+   return -EOVERFLOW;
+
name = kstrdup(page, GFP_KERNEL);
if (!name)
return -ENOMEM;
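Review bot: the new `strlen(page) < len` check rejects a buffer with an embedded NUL before `kstrdup()` copies it, so nothing is allocated or leaked on the error path, which is the right ordering; two small points. First, -EOVERFLOW is an unusual code for malformed input, -EINVAL is what the neighbouring store handlers return and what user space expects for a rejected write. Second, add a comment saying why the lengths are compared (a copy shorter than `len` would later be indexed by `len` and overrun), and note that the check depends on `page` being NUL-terminated within the buffer configfs hands to the store callback, so the assumption is visible at the call site rather than only in the commit message.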



[PATCH 3.16 27/61] scsi: sg: reset 'res_in_use' after unlinking reserved array

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit e791ce27c3f6a1d3c746fd6a8f8e36c9540ec6f9 upstream.

Once the reserved page array is unused we can reset the 'res_in_use'
state; here we can do a lazy update without holding the mutex as we only
need to check against concurrent access, not concurrent release.

[mkp: checkpatch]

Fixes: 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page array")
Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Cc: Todd Poynor 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -2062,6 +2062,8 @@ sg_unlink_reserve(Sg_fd * sfp, Sg_reques
req_schp->sglist_len = 0;
sfp->save_scat_len = 0;
srp->res_used = 0;
+   /* Called without mutex lock to avoid deadlock */
+   sfp->res_in_use = 0;
 }
 
 static Sg_request *
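Review bot: the comment at `sfp->res_in_use = 0` says the store is made without the mutex but not why that is safe; the commit message has the argument (only concurrent acquisition of the reserve array must be excluded, never concurrent release), so put that reasoning in the comment rather than a bare "to avoid deadlock". Because this is a deliberately lockless store to a flag that other paths read, wrapping it in ACCESS_ONCE() (the 3.16 spelling already used elsewhere in this series) would mark the intent for readers and for tooling.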



[PATCH 3.16 10/61] net-sysfs: Call dev_hold always in rx_queue_add_kobject

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jouni Hogander 

commit ddd9b5e3e765d8ed5a35786a6cb00111713fe161 upstream.

Dev_hold has to be called always in rx_queue_add_kobject.
Otherwise usage count drops below 0 in case of failure in
kobject_init_and_add.

Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
Reported-by: syzbot 
Cc: Tetsuo Handa 
Cc: David Miller 
Cc: Lukas Bulwahn 
Signed-off-by: Jouni Hogander 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/core/net-sysfs.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -782,14 +782,17 @@ static int rx_queue_add_kobject(struct n
struct kobject *kobj = >kobj;
int error = 0;
 
+   /* Kobject_put later will trigger rx_queue_release call which
+* decreases dev refcount: Take that reference here
+*/
+   dev_hold(queue->dev);
+
kobj->kset = net->queues_kset;
error = kobject_init_and_add(kobj, _queue_ktype, NULL,
"rx-%u", index);
if (error)
goto err;
 
-   dev_hold(queue->dev);
-
if (net->sysfs_rx_queue_group) {
error = sysfs_create_group(kobj, net->sysfs_rx_queue_group);
if (error)
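Review bot: taking `dev_hold(queue->dev)` before `kobject_init_and_add()` is correct only because the failure path's `goto err` ends in a kobject_put() whose release callback drops that reference; the `err:` label is outside the hunk, so please confirm the 3.16 err path really calls kobject_put() for every failure, including the sysfs_create_group() failure visible below, otherwise the reference taken here leaks instead of underflowing. Minor: the comment should spell `kobject_put` in lowercase since it names the function.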



[PATCH 3.16 42/61] scsi: sg: don't return bogus Sg_requests

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Johannes Thumshirn 

commit 48ae8484e9fc324b4968d33c585e54bc98e44d61 upstream.

If the list search in sg_get_rq_mark() fails to find a valid request, we
return a bogus element. This then can later lead to a GPF in
sg_remove_scat().

So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case
the list search doesn't find a valid request.

Signed-off-by: Johannes Thumshirn 
Reported-by: Andrey Konovalov 
Cc: Hannes Reinecke 
Cc: Christoph Hellwig 
Cc: Doug Gilbert 
Reviewed-by: Hannes Reinecke 
Acked-by: Doug Gilbert 
Signed-off-by: Martin K. Petersen 
Cc: Tony Battersby 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -2085,11 +2085,12 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
if ((1 == resp->done) && (!resp->sg_io_owned) &&
((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
resp->done = 2; /* guard against other readers */
-   break;
+   write_unlock_irqrestore(>rq_list_lock, iflags);
+   return resp;
}
}
write_unlock_irqrestore(>rq_list_lock, iflags);
-   return resp;
+   return NULL;
 }
 
 /* always adds to end of list */
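Review bot: returning NULL when no request matches is the right contract, but the callers of sg_get_rq_mark() are not in the hunk; each of them must now test for NULL before dereferencing the result, otherwise the GPF in sg_remove_scat() from the commit message just becomes a NULL dereference one frame earlier. Also note the early `return resp` leaves `resp->done = 2` set under the lock, which is the intended reader guard, so the callers must consume that request on every path or it stays marked forever.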



[PATCH 3.16 44/61] scsi: sg: add sg_remove_request in sg_common_write

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Li Bin 

commit 849f8583e955dbe3a1806e03ecacd5e71cce0a08 upstream.

If the dxfer_len is greater than 256M then the request is invalid and we
need to call sg_remove_request in sg_common_write.

Link: https://lore.kernel.org/r/1586777361-17339-1-git-send-email-huawei.li...@huawei.com
Fixes: f930c7043663 ("scsi: sg: only check for dxfer_len greater than 256M")
Acked-by: Douglas Gilbert 
Signed-off-by: Li Bin 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -808,8 +808,10 @@ sg_common_write(Sg_fd * sfp, Sg_request
SCSI_LOG_TIMEOUT(4, printk("sg_common_write:  scsi opcode=0x%02x, 
cmd_size=%d\n",
  (int) cmnd[0], (int) hp->cmd_len));
 
-   if (hp->dxfer_len >= SZ_256M)
+   if (hp->dxfer_len >= SZ_256M) {
+   sg_remove_request(sfp, srp);
return -EINVAL;
+   }
 
k = sg_start_req(srp, cmnd);
if (k) {
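Review bot: adding `sg_remove_request(sfp, srp)` before `return -EINVAL` closes the request-slot leak on the oversize path, but the same function gains a second early `return -EINVAL` in patch 37/61 of this series (`if (!sg_is_valid_dxfer(hp))`) which does not remove the request either, so a 3.16 tree with both patches applied still leaks the slot on an invalid direction. Suggest giving that return the same treatment, or folding both checks into one error exit that removes the request.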



[PATCH 3.16 46/61] signal: Extend exec_id to 64bits

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: "Eric W. Biederman" 

commit d1e7fd6462ca9fc76650fbe6ca800e35b24267da upstream.

Replace the 32bit exec_id with a 64bit exec_id to make it impossible
to wrap the exec_id counter.  With care an attacker can cause exec_id
wrap and send arbitrary signals to a newly exec'd parent.  This
bypasses the signal sending checks if the parent changes their
credentials during exec.

The severity of this problem can be seen in that in my limited testing
of a 32bit exec_id it can take as little as 19s to exec 65536 times.
Which means that it can take as little as 14 days to wrap a 32bit
exec_id.  Adam Zabrocki has succeeded in wrapping the self_exec_id in 7
days.  Even my slower timing is in the uptime of a typical server.
Which means self_exec_id is simply a speed bump today, and if exec
gets noticeably faster self_exec_id won't even be a speed bump.

Extending self_exec_id to 64bits introduces a problem on 32bit
architectures where reading self_exec_id is no longer atomic and can
take two read instructions.  Which means that it is possible to hit
a window where the read value of exec_id does not match the written
value.  So with very lucky timing after this change this still
remains exploitable.

I have updated the update of exec_id on exec to use WRITE_ONCE
and the read of exec_id in do_notify_parent to use READ_ONCE
to make it clear that there is no locking between these two
locations.

Link: https://lore.kernel.org/kernel-hardening/20200324215049.ga3...@pi3.com.pl
Fixes: 2.3.23pre2
Cc: sta...@vger.kernel.org
Signed-off-by: "Eric W. Biederman" 
[bwh: Backported to 3.16:
 - Use ACCESS_ONCE()
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
 fs/exec.c | 2 +-
 include/linux/sched.h | 4 ++--
 kernel/signal.c   | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1182,7 +1182,7 @@ void setup_new_exec(struct linux_binprm
 
/* An exec changes our domain. We are no longer part of the thread
   group */
-   current->self_exec_id++;
+   ACCESS_ONCE(current->self_exec_id) = current->self_exec_id + 1;
flush_signal_handlers(current, 0);
 }
 EXPORT_SYMBOL(setup_new_exec);
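Review bot: `ACCESS_ONCE(current->self_exec_id) = current->self_exec_id + 1` reads the field plainly and stores it through ACCESS_ONCE(); the plain read is fine because only `current` ever writes its own self_exec_id, but the comment above should say two things the commit message says and the code does not: the 64-bit store can tear on 32-bit architectures, and do_notify_parent() is the lockless reader this store is paired with, so nobody later "fixes" it by adding a lock.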
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1427,8 +1427,8 @@ struct task_struct {
struct seccomp seccomp;
 
 /* Thread group tracking */
-   u32 parent_exec_id;
-   u32 self_exec_id;
+   u64 parent_exec_id;
+   u64 self_exec_id;
 /* Protection of (de-)allocation: mm, files, fs, tty, keyrings, mems_allowed,
  * mempolicy */
spinlock_t alloc_lock;
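Review bot: widening `parent_exec_id` and `self_exec_id` to u64 changes the layout of task_struct and the offsets of every field after them; for a 3.16 stable tree that means out-of-tree modules which poke task_struct must be rebuilt, and the backport note should say so. Also check the 32-bit x86 case, where a u64 member is only 4-byte aligned inside a struct, so the change may shift the following `alloc_lock` without adding padding.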
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1679,7 +1679,7 @@ bool do_notify_parent(struct task_struct
 * This is only possible if parent == real_parent.
 * Check if it has changed security domain.
 */
-   if (tsk->parent_exec_id != tsk->parent->self_exec_id)
+   if (tsk->parent_exec_id != 
ACCESS_ONCE(tsk->parent->self_exec_id))
sig = SIGCHLD;
}
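Review bot: the comparison now reads `self_exec_id` through ACCESS_ONCE(), but a 64-bit load is still not single-copy atomic on 32-bit architectures, so a torn read can still match a wrapped value; the commit message admits the window, the comment block above (`Check if it has changed security domain.`) does not. Please add that caveat there, and note that `tsk->parent_exec_id` on the left is read plainly because it is only written for this task at fork and exec, so the asymmetry is intentional.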
 



[PATCH 3.16 33/61] scsi: sg: factor out sg_fill_request_table()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 4759df905a474d245752c9dc94288e779b8734dd upstream.

Factor out sg_fill_request_table() for better readability.

[mkp: typos, applied by hand]

Signed-off-by: Hannes Reinecke 
Reviewed-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 61 +++
 1 file changed, 35 insertions(+), 26 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -870,6 +870,40 @@ static int max_sectors_bytes(struct requ
return max_sectors << 9;
 }
 
+static void
+sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
+{
+   Sg_request *srp;
+   int val;
+   unsigned int ms;
+
+   val = 0;
+   list_for_each_entry(srp, >rq_list, entry) {
+   if (val > SG_MAX_QUEUE)
+   break;
+   memset([val], 0, SZ_SG_REQ_INFO);
+   rinfo[val].req_state = srp->done + 1;
+   rinfo[val].problem =
+   srp->header.masked_status &
+   srp->header.host_status &
+   srp->header.driver_status;
+   if (srp->done)
+   rinfo[val].duration =
+   srp->header.duration;
+   else {
+   ms = jiffies_to_msecs(jiffies);
+   rinfo[val].duration =
+   (ms > srp->header.duration) ?
+   (ms - srp->header.duration) : 0;
+   }
+   rinfo[val].orphan = srp->orphan;
+   rinfo[val].sg_io_owned = srp->sg_io_owned;
+   rinfo[val].pack_id = srp->header.pack_id;
+   rinfo[val].usr_ptr = srp->header.usr_ptr;
+   val++;
+   }
+}
+
 static long
 sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 {
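Review bot: the factored-out loop changes the guard from `if (val >= SG_MAX_QUEUE)` (the removed line in the next hunk) to `if (val > SG_MAX_QUEUE)`, so `rinfo[SG_MAX_QUEUE]` can now be written, one entry past a table of SG_MAX_QUEUE entries. A readability refactor should not alter a bound; keep `>=` here (the re-fix at the top of this page restores exactly that) and consider passing the table length into sg_fill_request_table() so the size is not spelled out in two places.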
@@ -1063,38 +1097,13 @@ sg_ioctl(struct file *filp, unsigned int
return -EFAULT;
else {
sg_req_info_t *rinfo;
-   unsigned int ms;
 
rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
GFP_KERNEL);
if (!rinfo)
return -ENOMEM;
read_lock_irqsave(>rq_list_lock, iflags);
-   val = 0;
-   list_for_each_entry(srp, >rq_list, entry) {
-   if (val >= SG_MAX_QUEUE)
-   break;
-   memset([val], 0, SZ_SG_REQ_INFO);
-   rinfo[val].req_state = srp->done + 1;
-   rinfo[val].problem =
-   srp->header.masked_status &
-   srp->header.host_status &
-   srp->header.driver_status;
-   if (srp->done)
-   rinfo[val].duration =
-   srp->header.duration;
-   else {
-   ms = jiffies_to_msecs(jiffies);
-   rinfo[val].duration =
-   (ms > srp->header.duration) ?
-   (ms - srp->header.duration) : 0;
-   }
-   rinfo[val].orphan = srp->orphan;
-   rinfo[val].sg_io_owned = srp->sg_io_owned;
-   rinfo[val].pack_id = srp->header.pack_id;
-   rinfo[val].usr_ptr = srp->header.usr_ptr;
-   val++;
-   }
+   sg_fill_request_table(sfp, rinfo);
read_unlock_irqrestore(>rq_list_lock, iflags);
result = __copy_to_user(p, rinfo,
SZ_SG_REQ_INFO * SG_MAX_QUEUE);
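Review bot: `rinfo` is allocated with kmalloc() (not zeroed) and the full `SZ_SG_REQ_INFO * SG_MAX_QUEUE` bytes are handed to user space by __copy_to_user(), while sg_fill_request_table() only memsets the entries it actually fills; whenever fewer than SG_MAX_QUEUE requests are queued the unfilled tail carries stale kernel heap contents to the caller. Allocate with kcalloc(SG_MAX_QUEUE, SZ_SG_REQ_INFO, GFP_KERNEL), or memset the whole table once, which also lets the per-entry memset in the helper go.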



[PATCH 3.16 58/61] x86/speculation: Add SRBDS vulnerability and mitigation documentation

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mark Gross 

commit 7222a1b5b87417f22265c92deea76a6aecd0fb0f upstream.

Add documentation for the SRBDS vulnerability and its mitigation.

 [ bp: Massage.
   jpoimboe: sysfs table strings. ]

Signed-off-by: Mark Gross 
Signed-off-by: Borislav Petkov 
Reviewed-by: Tony Luck 
Reviewed-by: Josh Poimboeuf 
Signed-off-by: Ben Hutchings 
---
 .../special-register-buffer-data-sampling.rst | 148 ++
 1 file changed, 148 insertions(+)
 create mode 100644 Documentation/hw-vuln/special-register-buffer-data-sampling.rst

--- /dev/null
+++ b/Documentation/hw-vuln/special-register-buffer-data-sampling.rst
@@ -0,0 +1,148 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+SRBDS - Special Register Buffer Data Sampling
+=
+
+SRBDS is a hardware vulnerability that allows MDS :doc:`mds` techniques to
+infer values returned from special register accesses.  Special register
+accesses are accesses to off core registers.  According to Intel's evaluation,
+the special register reads that have a security expectation of privacy are
+RDRAND, RDSEED and SGX EGETKEY.
+
+When RDRAND, RDSEED and EGETKEY instructions are used, the data is moved
+to the core through the special register mechanism that is susceptible
+to MDS attacks.
+
+Affected processors
+
+Core models (desktop, mobile, Xeon-E3) that implement RDRAND and/or RDSEED may
+be affected.
+
+A processor is affected by SRBDS if its Family_Model and stepping is
+in the following list, with the exception of the listed processors
+exporting MDS_NO while Intel TSX is available yet not enabled. The
+latter class of processors are only affected when Intel TSX is enabled
+by software using TSX_CTRL_MSR otherwise they are not affected.
+
+  =    
+  common nameFamily_Model  Stepping
+  =    
+  Haswell06_3CHAll
+  Haswell_L  06_45HAll
+  Haswell_G  06_46HAll
+
+  Broadwell_G06_47HAll
+  Broadwell  06_3DHAll
+
+  Skylake_L  06_4EHAll
+  Skylake06_5EHAll
+
+  Kabylake_L 06_8EH<=0xC
+
+  Kabylake   06_9EH<=0xD
+  =    
+
+Related CVEs
+
+
+The following CVE entry is related to this SRBDS issue:
+
+==  =  =
+CVE-2020-0543   SRBDS  Special Register Buffer Data Sampling
+==  =  =
+
+Attack scenarios
+
+An unprivileged user can extract values returned from RDRAND and RDSEED
+executed on another core or sibling thread using MDS techniques.
+
+
+Mitigation mechanism
+---
+Intel will release microcode updates that modify the RDRAND, RDSEED, and
+EGETKEY instructions to overwrite secret special register data in the shared
+staging buffer before the secret data can be accessed by another logical
+processor.
+
+During execution of the RDRAND, RDSEED, or EGETKEY instructions, off-core
+accesses from other logical processors will be delayed until the special
+register read is complete and the secret data in the shared staging buffer is
+overwritten.
+
+This has three effects on performance:
+
+#. RDRAND, RDSEED, or EGETKEY instructions have higher latency.
+
+#. Executing RDRAND at the same time on multiple logical processors will be
+   serialized, resulting in an overall reduction in the maximum RDRAND
+   bandwidth.
+
+#. Executing RDRAND, RDSEED or EGETKEY will delay memory accesses from other
+   logical processors that miss their core caches, with an impact similar to
+   legacy locked cache-line-split accesses.
+
+The microcode updates provide an opt-out mechanism (RNGDS_MITG_DIS) to disable
+the mitigation for RDRAND and RDSEED instructions executed outside of Intel
+Software Guard Extensions (Intel SGX) enclaves. On logical processors that
+disable the mitigation using this opt-out mechanism, RDRAND and RDSEED do not
+take longer to execute and do not impact performance of sibling logical
+processors memory accesses. The opt-out mechanism does not affect Intel SGX
+enclaves (including execution of RDRAND or RDSEED inside an enclave, as well
+as EGETKEY execution).
+
+IA32_MCU_OPT_CTRL MSR Definition
+
+Along with the mitigation for this issue, Intel added a new thread-scope
+IA32_MCU_OPT_CTRL MSR, (address 0x123). The presence of this MSR and
+RNGDS_MITG_DIS (bit 0) is enumerated by CPUID.(EAX=07H,ECX=0).EDX[SRBDS_CTRL =
+9]==1. This MSR is introduced through the microcode update.
+
+Setting IA32_MCU_OPT_CTRL[0] (RNGDS_MITG_DIS) to 1 for a logical processor
+disables the mitigation for RDRAND and RDSEED executed outside of an Intel SGX
+enclave on that logical processor. Opting out of the mitigation for a
+part
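Review bot: the hunk is cut off in this copy at `Opting out of the mitigation for a part`, so the sysfs status strings the commit message credits to jpoimboe and the rest of the IA32_MCU_OPT_CTRL section cannot be checked here against the strings exported by patch 57/61. In the visible part, the underline rows below `Affected processors` and `Attack scenarios` are absent, and the ones under the title and `Mitigation mechanism` are shorter than their headings as shown, which Sphinx reports as warnings; and the `:doc:`mds`` cross-reference needs Documentation/hw-vuln/mds.rst to exist in the 3.16 tree or it becomes a broken link.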

[PATCH 3.16 37/61] scsi: sg: check for valid direction before starting the request

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Johannes Thumshirn 

commit 28676d869bbb5257b5f14c0c95ad3af3a7019dd5 upstream.

Check for a valid direction before starting the request, otherwise we
risk running into an assertion in the scsi midlayer checking for valid
requests.

[mkp: fixed typo]

Signed-off-by: Johannes Thumshirn 
Link: http://www.spinics.net/lists/linux-scsi/msg104400.html
Reported-by: Dmitry Vyukov 
Signed-off-by: Hannes Reinecke 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 46 ++
 1 file changed, 34 insertions(+), 12 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -701,18 +701,14 @@ sg_write(struct file *filp, const char _
 * is a non-zero input_size, so emit a warning.
 */
if (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV) {
-   static char cmd[TASK_COMM_LEN];
-   if (strcmp(current->comm, cmd)) {
-   printk_ratelimited(KERN_WARNING
-  "sg_write: data in/out %d/%d bytes "
-  "for SCSI command 0x%x-- guessing "
-  "data in;\n   program %s not setting 
"
-  "count and/or reply_len properly\n",
-  old_hdr.reply_len - 
(int)SZ_SG_HEADER,
-  input_size, (unsigned int) cmnd[0],
-  current->comm);
-   strcpy(cmd, current->comm);
-   }
+   printk_ratelimited(KERN_WARNING
+  "sg_write: data in/out %d/%d bytes "
+  "for SCSI command 0x%x-- guessing "
+  "data in;\n   program %s not setting "
+  "count and/or reply_len properly\n",
+  old_hdr.reply_len - (int)SZ_SG_HEADER,
+  input_size, (unsigned int) cmnd[0],
+  current->comm);
}
k = sg_common_write(sfp, srp, cmnd, sfp->timeout, blocking);
return (k < 0) ? k : count;
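Review bot: this hunk removes the `static char cmd[TASK_COMM_LEN]` de-duplication of the warning, which is unrelated to the direction check the subject line describes; dropping a file-scope buffer that sg_write() wrote with strcpy() under no lock is a good cleanup in itself (concurrent writers could race on it), but it should be mentioned in the commit message or split into its own patch so a stable reviewer sees why the warning now fires, rate-limited, on every mis-sized write instead of once per command name.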
@@ -790,6 +786,29 @@ sg_new_write(Sg_fd *sfp, struct file *fi
return count;
 }
 
+static bool sg_is_valid_dxfer(sg_io_hdr_t *hp)
+{
+   switch (hp->dxfer_direction) {
+   case SG_DXFER_NONE:
+   if (hp->dxferp || hp->dxfer_len > 0)
+   return false;
+   return true;
+   case SG_DXFER_TO_DEV:
+   case SG_DXFER_FROM_DEV:
+   case SG_DXFER_TO_FROM_DEV:
+   if (!hp->dxferp || hp->dxfer_len == 0)
+   return false;
+   return true;
+   case SG_DXFER_UNKNOWN:
+   if ((!hp->dxferp && hp->dxfer_len) ||
+   (hp->dxferp && hp->dxfer_len == 0))
+   return false;
+   return true;
+   default:
+   return false;
+   }
+}
+
 static int
 sg_common_write(Sg_fd * sfp, Sg_request * srp,
unsigned char *cmnd, int timeout, int blocking)
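Review bot: `sg_is_valid_dxfer()` rejects SG_DXFER_FROM_DEV when `dxferp` is NULL, but the old sg_io read/write interface passes a NULL dxferp for that direction, so this check regresses existing users; patch 39/61 in this series fixes exactly that, and a backport that carries both could fold the corrected case table into this one. Also, the SG_DXFER_NONE arm tests `hp->dxfer_len > 0` while the SG_DXFER_UNKNOWN arm tests `hp->dxfer_len`; use one form for both.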
@@ -809,6 +828,9 @@ sg_common_write(Sg_fd * sfp, Sg_request
SCSI_LOG_TIMEOUT(4, printk("sg_common_write:  scsi opcode=0x%02x, 
cmd_size=%d\n",
  (int) cmnd[0], (int) hp->cmd_len));
 
+   if (!sg_is_valid_dxfer(hp))
+   return -EINVAL;
+
k = sg_start_req(srp, cmnd);
if (k) {
SCSI_LOG_TIMEOUT(1, printk("sg_common_write: start_req 
err=%d\n", k));
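Review bot: `return -EINVAL` after `!sg_is_valid_dxfer(hp)` leaves the Sg_request that the caller allocated still linked on the fd's list, the same leak that patch 44/61 fixes for the SZ_256M check a few lines further down by calling sg_remove_request(sfp, srp) first; do the same here, or have both checks share one error exit that removes the request.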



[PATCH 3.16 39/61] scsi: sg: fix SG_DXFER_FROM_DEV transfers

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Johannes Thumshirn 

commit 68c59fcea1f2c6a54c62aa896cc623c1b5bc9b47 upstream.

SG_DXFER_FROM_DEV transfers do not necessarily have a dxferp as we set
it to NULL for the old sg_io read/write interface, but must have a
length bigger than 0. This fixes a regression introduced by commit
28676d869bbb ("scsi: sg: check for valid direction before starting the
request")

Signed-off-by: Johannes Thumshirn 
Fixes: 28676d869bbb ("scsi: sg: check for valid direction before starting the 
request")
Reported-by: Chris Clayton 
Tested-by: Chris Clayton 
Cc: Douglas Gilbert 
Reviewed-by: Hannes Reinecke 
Tested-by: Chris Clayton 
Acked-by: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Cc: Cristian Crinteanu 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -795,8 +795,11 @@ static bool sg_is_valid_dxfer(sg_io_hdr_
if (hp->dxferp || hp->dxfer_len > 0)
return false;
return true;
-   case SG_DXFER_TO_DEV:
case SG_DXFER_FROM_DEV:
+   if (hp->dxfer_len < 0)
+   return false;
+   return true;
+   case SG_DXFER_TO_DEV:
case SG_DXFER_TO_FROM_DEV:
if (!hp->dxferp || hp->dxfer_len == 0)
return false;
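Review bot: `hp->dxfer_len < 0` can never be true because `dxfer_len` in sg_io_hdr_t is an `unsigned int`, so the new SG_DXFER_FROM_DEV arm is effectively `return true` and compilers with -Wtype-limits will say so. If the intent is to reject absurd lengths, compare against a maximum (sg_common_write() already enforces SZ_256M); otherwise drop the comparison and keep the arm as an explicit accept with a comment that the old read/write interface passes a NULL dxferp here.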



[PATCH 3.16 26/61] scsi: sg: protect accesses to 'reserved' page array

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 1bc0eb0446158cc76562176b80623aa119afee5b upstream.

The 'reserved' page array is used as a short-cut for mapping data,
saving us from allocating pages per request. However, the 'reserved' array
is only capable of holding one request, so this patch introduces a mutex
to protect 'sg_fd' against concurrent accesses.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

[toddpoy...@google.com: backport to 3.18-4.9,  fixup for bad ioctl
SG_SET_FORCE_LOW_DMA code removed in later versions and not modified by
the original patch.]

Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Todd Poynor 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 47 ++-
 1 file changed, 26 insertions(+), 21 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -150,6 +150,7 @@ typedef struct sg_fd {  /* holds the sta
struct sg_device *parentdp; /* owning device */
wait_queue_head_t read_wait;/* queue read until command done */
rwlock_t rq_list_lock;  /* protect access to list in req_arr */
+   struct mutex f_mutex;   /* protect against changes in this fd */
int timeout;/* defaults to SG_DEFAULT_TIMEOUT  */
int timeout_user;   /* defaults to SG_DEFAULT_TIMEOUT_USER */
Sg_scatter_hold reserve;/* buffer held for this file descriptor 
*/
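Review bot: a new `struct mutex f_mutex` is added to Sg_fd but none of the visible hunks initialise it; the allocation site of the fd structure in this driver needs a mutex_init(&sfp->f_mutex), or every mutex_lock() added below operates on zeroed memory and lockdep will complain. Please confirm that initialisation is among the 26 insertions not shown in this copy.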
@@ -163,6 +164,7 @@ typedef struct sg_fd {  /* holds the sta
unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
char keep_orphan;   /* 0 -> drop orphan (def), 1 -> keep for read() 
*/
char mmap_called;   /* 0 -> mmap() never called on this fd */
+   char res_in_use;/* 1 -> 'reserve' array in use */
struct kref f_ref;
struct execute_work ew;
 } Sg_fd;
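Review bot: `char res_in_use` is read without f_mutex in sg_new_write() and in the SG_SET_FORCE_LOW_DMA path below, and cleared without it in patch 27/61; a `bool` would state the flag's role, and the lockless readers and writers should go through ACCESS_ONCE() so the lazy-update scheme is visible in the code rather than only in commit messages.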
@@ -206,7 +208,6 @@ static void sg_remove_sfp(struct kref *)
 static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id);
 static Sg_request *sg_add_request(Sg_fd * sfp);
 static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
-static int sg_res_in_use(Sg_fd * sfp);
 static Sg_device *sg_get_dev(int dev);
 static void sg_device_destroy(struct kref *kref);
 
@@ -652,6 +653,7 @@ sg_write(struct file *filp, const char _
}
buf += SZ_SG_HEADER;
__get_user(opcode, buf);
+   mutex_lock(>f_mutex);
if (sfp->next_cmd_len > 0) {
cmd_size = sfp->next_cmd_len;
sfp->next_cmd_len = 0;  /* reset so only this write() effected 
*/
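Review bot: the mutex_lock(&sfp->f_mutex) taken here is released in the next hunk after cmd_size is computed, and the lines between the two hunks are not shown; check that no `return` sits in that gap, and consider whether a sleeping mutex is the right guard for a single read-and-clear of `next_cmd_len` on the write path, since it introduces a new blocking point before the request is even built. While the line is being touched, the context comment reads `effected` where `affected` is meant.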
@@ -660,6 +662,7 @@ sg_write(struct file *filp, const char _
if ((opcode >= 0xc0) && old_hdr.twelve_byte)
cmd_size = 12;
}
+   mutex_unlock(>f_mutex);
SCSI_LOG_TIMEOUT(4, printk(
"sg_write:   scsi opcode=0x%02x, cmd_size=%d\n", (int) opcode, 
cmd_size));
 /* Determine buffer size.  */
@@ -758,7 +761,7 @@ sg_new_write(Sg_fd *sfp, struct file *fi
sg_remove_request(sfp, srp);
return -EINVAL; /* either MMAP_IO or DIRECT_IO (not 
both) */
}
-   if (sg_res_in_use(sfp)) {
+   if (sfp->res_in_use) {
sg_remove_request(sfp, srp);
return -EBUSY;  /* reserve buffer already being used */
}
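Review bot: replacing `sg_res_in_use(sfp)` with a plain `sfp->res_in_use` read makes this an unlocked check; the commit message says f_mutex protects the reserve array, so the actual claim of the buffer (setting res_in_use to 1) must happen under f_mutex elsewhere, with this test serving only as a fast-path reject. That claim is not in the visible hunks; if it is also unlocked, two writers can both pass here and both take the reserve array, which is the race the patch sets out to close.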
@@ -933,7 +936,7 @@ sg_ioctl(struct file *filp, unsigned int
return result;
if (val) {
sfp->low_dma = 1;
-   if ((0 == sfp->low_dma) && (0 == sg_res_in_use(sfp))) {
+   if ((0 == sfp->low_dma) && !sfp->res_in_use) {
val = (int) sfp->reserve.bufflen;
sg_remove_scat(>reserve);
sg_build_reserve(sfp, val);
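Review bot: `sfp->low_dma = 1;` immediately followed by `if ((0 == sfp->low_dma) && !sfp->res_in_use)` is dead code, as the backport note for the SG_SET_FORCE_LOW_DMA path acknowledges; since the patch rewrites the condition anyway, either remove the dead branch or make it test the requested value rather than the field just assigned, so that the reserve buffer is actually rebuilt when the DMA constraint changes.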
@@ -1008,12 +1011,18 @@ sg_ioctl(struct file *filp, unsigned int
 return -EINVAL;
val = min_t(int, val,
max_sectors_bytes(sdp->device->request_queue));
+   mutex_lock(>f_mutex);
if (val != sfp->reserve.bufflen) {
-   if (sg_res_in_use(sfp) || sfp->mmap_called)
+   if (sfp->mmap_called ||
+   sfp->res_in_use) {
+   mutex_unlock(>f_mutex);
return -EBUSY;
+   
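Review bot: this hunk is truncated in this copy right after the `mutex_unlock(&sfp->f_mutex); return -EBUSY;` pair, so the remaining exits of the SG_SET_RESERVED_SIZE handler cannot be reviewed here; every other path out of the `if (val != sfp->reserve.bufflen)` block, and the fall-through when the sizes already match, needs the same unlock, or the next write() on this fd blocks forever on f_mutex.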

[PATCH 3.16 57/61] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mark Gross 

commit 7e5b3c267d256822407a22fdce6afdf9cd13f9fb upstream.

SRBDS is an MDS-like speculative side channel that can leak bits from the
random number generator (RNG) across cores and threads. New microcode
serializes the processor access during the execution of RDRAND and
RDSEED. This ensures that the shared buffer is overwritten before it is
released for reuse.

While it is present on all affected CPU models, the microcode mitigation
is not needed on models that enumerate ARCH_CAPABILITIES[MDS_NO] in the
cases where TSX is not supported or has been disabled with TSX_CTRL.

The mitigation is activated by default on affected processors and it
increases latency for RDRAND and RDSEED instructions. Among other
effects this will reduce throughput from /dev/urandom.

* Enable administrator to configure the mitigation off when desired using
  either mitigations=off or srbds=off.

* Export vulnerability status via sysfs

* Rename file-scoped macros to apply for non-whitelist table initializations.

 [ bp: Massage,
   - s/VULNBL_INTEL_STEPPING/VULNBL_INTEL_STEPPINGS/g,
   - do not read arch cap MSR a second time in tsx_fused_off() - just pass it in,
   - flip check in cpu_set_bug_bits() to save an indentation level,
   - reflow comments.
   jpoimboe: s/Mitigated/Mitigation/ in user-visible strings
   tglx: Dropped the fused off magic for now
 ]

Signed-off-by: Mark Gross 
Signed-off-by: Borislav Petkov 
Signed-off-by: Thomas Gleixner 
Reviewed-by: Tony Luck 
Reviewed-by: Pawan Gupta 
Reviewed-by: Josh Poimboeuf 
Tested-by: Neelima Krishnan 
[bwh: Backported to 3.16:
 - CPU feature words and bugs are numbered differently
 - Adjust filename for ]
Signed-off-by: Ben Hutchings 
---
 .../ABI/testing/sysfs-devices-system-cpu  |   1 +
 Documentation/kernel-parameters.txt   |  20 
 arch/x86/include/asm/cpufeatures.h|   2 +
 arch/x86/include/uapi/asm/msr-index.h |   4 +
 arch/x86/kernel/cpu/bugs.c| 106 ++
 arch/x86/kernel/cpu/common.c  |  31 +
 arch/x86/kernel/cpu/cpu.h |   1 +
 drivers/base/cpu.c|   8 ++
 8 files changed, 173 insertions(+)

--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -232,6 +232,7 @@ What:   /sys/devices/system/cpu/vulnerabi
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
/sys/devices/system/cpu/vulnerabilities/l1tf
/sys/devices/system/cpu/vulnerabilities/mds
+   /sys/devices/system/cpu/vulnerabilities/srbds
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
/sys/devices/system/cpu/vulnerabilities/itlb_multihit
 Date:  January 2018
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -3356,6 +3356,26 @@ bytes respectively. Such letter suffixes
spia_pedr=
spia_peddr=
 
+   srbds=  [X86,INTEL]
+   Control the Special Register Buffer Data Sampling
+   (SRBDS) mitigation.
+
+   Certain CPUs are vulnerable to an MDS-like
+   exploit which can leak bits from the random
+   number generator.
+
+   By default, this issue is mitigated by
+   microcode.  However, the microcode fix can cause
+   the RDRAND and RDSEED instructions to become
+   much slower.  Among other effects, this will
+   result in reduced throughput from /dev/urandom.
+
+   The microcode mitigation can be disabled with
+   the following option:
+
+   off:Disable mitigation and remove
+   performance impact to RDRAND and RDSEED
+
stack_guard_gap=[MM]
override the default stack gap protection. The value
is in page units and it defines how many pages prior
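Review bot: the commit message says the mitigation can be switched off with either `mitigations=off` or `srbds=off`, but only the `srbds=` entry is documented here; the `mitigations=` entry in kernel-parameters.txt enumerates the per-issue options it implies and should gain `srbds=off [X86,INTEL]` in this backport too, otherwise an administrator reading only that entry will not learn that it also disables the SRBDS microcode mitigation.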
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -247,6 +247,7 @@
 #define X86_FEATURE_AVX512CD   ( 9*32+28) /* AVX-512 Conflict Detection */
 
 /* Intel-defined CPU features, CPUID level 0x0007:0 (EDX), word 10 */
+#define X86_FEATURE_SRBDS_CTRL (10*32+ 9) /* "" SRBDS mitigation MSR 
available */
 #define X86_FEATURE_MD_CLEAR   (10*32+10) /* VERW clears CPU buffers */
 #define X86_FEATURE_SPEC_CTRL  (10*32+26) /* "" Speculation Control 
(IBRS + IBPB) */
 #define X86_FEATURE_INTEL_STIBP(10*32+27) /* "" Single Thread 
Indirect Branch Predictors */
@@ -281,5 +282,6 @@
 #define X86_BUG_SWAPGS X86_BUG(12) /* CPU is affected 
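Review bot: `X86_FEATURE_SRBDS_CTRL (10*32+ 9)` agrees with the CPUID.(EAX=07H,ECX=0).EDX[9] enumeration in the documentation patch (58/61), and the leading `""` in the comment keeps the bit out of /proc/cpuinfo, which is sensible for a control-MSR capability. The hunk is cut off here before the new X86_BUG_ entry, and since the backport note says bug numbering differs from upstream in 3.16, the chosen X86_BUG index should be checked against the last one in use to avoid a collision.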

[PATCH 3.16 60/61] random: always use batched entropy for get_random_u{32,64}

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: "Jason A. Donenfeld" 

commit 69efea712f5b0489e67d07565aad5c94e09a3e52 upstream.

It turns out that RDRAND is pretty slow. Comparing these two
constructions:

  for (i = 0; i < CHACHA_BLOCK_SIZE; i += sizeof(ret))
arch_get_random_long();

and

  long buf[CHACHA_BLOCK_SIZE / sizeof(long)];
  extract_crng((u8 *)buf);

it amortizes out to 352 cycles per long for the top one and 107 cycles
per long for the bottom one, on Coffee Lake Refresh, Intel Core i9-9880H.

And importantly, the top one has the drawback of not benefiting from the
real rng, whereas the bottom one has all the nice benefits of using our
own chacha rng. As get_random_u{32,64} gets used in more places (perhaps
beyond what it was originally intended for when it was introduced as
get_random_{int,long} back in the md5 monstrosity era), it seems like it
might be a good thing to strengthen its posture a tiny bit. Doing this
should only be stronger and not any weaker because that pool is already
initialized with a bunch of rdrand data (when available). This way, we
get the benefits of the hardware rng as well as our own rng.

Another benefit of this is that we no longer hit pitfalls of the recent
stream of AMD bugs in RDRAND. One often used code pattern for various
things is:

  do {
val = get_random_u32();
  } while (hash_table_contains_key(val));

That recent AMD bug rendered that pattern useless, whereas we're really
very certain that chacha20 output will give pretty distributed numbers,
no matter what.

So, this simplification seems better both from a security perspective
and from a performance perspective.

Signed-off-by: Jason A. Donenfeld 
Reviewed-by: Greg Kroah-Hartman 
Link: https://lore.kernel.org/r/20200221201037.30231-1-ja...@zx2c4.com
Signed-off-by: Theodore Ts'o 
Signed-off-by: Greg Kroah-Hartman 
[bwh: Backported to 3.16: Only get_random_int() exists here]
Signed-off-by: Ben Hutchings 
---
 drivers/char/random.c | 6 --
 1 file changed, 6 deletions(-)

--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1700,9 +1700,6 @@ unsigned int get_random_int(void)
__u32 *hash;
unsigned int ret;
 
-   if (arch_get_random_int())
-   return ret;
-
hash = get_cpu_var(get_random_int_hash);
 
hash[0] += current->pid + jiffies + random_get_entropy();
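Review bot: the backport note should spell out that what is removed here is only the RDRAND fast path in front of the existing get_random_int_hash mixing (the `hash[0] += current->pid + jiffies + random_get_entropy()` context), so on 3.16 hardware randomness now reaches get_random_int() only through the entropy pool the message describes as seeded with RDRAND data; the cycle counts and the "chacha20 output will give pretty distributed numbers" argument were measured against the ChaCha20 batch that this tree does not have, so they do not transfer to 3.16 as stated.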


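An added model of the trade-off the message above describes, not kernel code and not part of the patch: a batched ChaCha20 pool next to a hardware source that is stuck on one value, both driven through the rejection-sampling pattern quoted in the message, with an iteration cap so the stuck case terminates. The ChaCha20 block function follows RFC 8439 and is checked against its published test vector; the key, nonce, the one-entry "hash table" and the stuck RNG's value are constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do {                                                   \
	a += b; d ^= a; d = ROTL32(d, 16); c += d; b ^= c; b = ROTL32(b, 12); \
	a += b; d ^= a; d = ROTL32(d, 8);  c += d; b ^= c; b = ROTL32(b, 7);  \
} while (0)

/* One 64-byte ChaCha20 block (RFC 8439): 16 keystream words. */
static void chacha20_block(const uint32_t key[8], uint32_t counter,
			   const uint32_t nonce[3], uint32_t out[16])
{
	static const uint32_t sigma[4] = {
		0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
	uint32_t s[16], x[16];
	memcpy(s, sigma, sizeof sigma);
	memcpy(s + 4, key, 8 * sizeof(uint32_t));
	s[12] = counter;
	memcpy(s + 13, nonce, 3 * sizeof(uint32_t));
	memcpy(x, s, sizeof x);
	for (int i = 0; i < 10; i++) {	/* 20 rounds = 10 double rounds */
		QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
		QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
		QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
		QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
	}
	for (int i = 0; i < 16; i++)
		out[i] = x[i] + s[i];
}

/* Batched generator in the spirit of get_random_u32(): one block refills a
 * 16-word buffer and each call hands out one word (the amortised path). */
struct batch {
	const uint32_t *key, *nonce;
	uint32_t counter, buf[16];
	int pos;		/* 16 means empty: the next call refills */
};

static uint32_t batch_get_u32(void *ctx)
{
	struct batch *b = ctx;
	if (b->pos == 16) {
		chacha20_block(b->key, b->counter++, b->nonce, b->buf);
		b->pos = 0;
	}
	return b->buf[b->pos++];
}

/* Model of a faulty hardware RNG that reports success but always returns
 * the same word, the failure that broke the rejection loop in the message. */
static uint32_t stuck_hwrng_get_u32(void *ctx)
{
	(void)ctx;
	return 0xffffffffu;
}

/* The "do { val = get_random_u32(); } while (contains(val))" pattern with an
 * iteration cap: returns the draws needed to find an unused value, or 0 when
 * the cap is hit (the unbounded kernel loop would spin forever). */
static int draw_unused(uint32_t (*rng)(void *), void *ctx,
		       const uint32_t *used, int n_used, int cap)
{
	for (int tries = 1; tries <= cap; tries++) {
		uint32_t v = rng(ctx);
		bool hit = false;
		for (int i = 0; i < n_used; i++)
			hit |= (used[i] == v);
		if (!hit)
			return tries;
	}
	return 0;
}

/* Constructed inputs: key and nonce of the RFC 8439 block-function test
 * vector, and a "hash table" that already holds the stuck RNG's only word. */
static const uint32_t demo_key[8] = {
	0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
	0x13121110, 0x17161514, 0x1b1a1918, 0x1f1e1d1c };
static const uint32_t demo_nonce[3] = { 0x09000000, 0x4a000000, 0 };
static const uint32_t demo_used[1] = { 0xffffffffu };

/* Sanity check on the block function: RFC 8439 gives 0xe4e7f110 here. */
uint32_t rfc8439_first_word(void)
{
	uint32_t out[16];
	chacha20_block(demo_key, 1, demo_nonce, out);
	return out[0];
}

/* Draws needed by each source: the batched pool escapes on its first word
 * (returns 1); the stuck hardware RNG never does (returns 0 after 1000). */
int demo_draws(bool stuck)
{
	struct batch b = { demo_key, demo_nonce, 1, { 0 }, 16 };
	if (stuck)
		return draw_unused(stuck_hwrng_get_u32, NULL, demo_used, 1, 1000);
	return draw_unused(batch_get_u32, &b, demo_used, 1, 1000);
}
```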

[PATCH 3.16 61/61] fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Alexander Potapenko 

commit 1d605416fb7175e1adf094251466caa52093b413 upstream.

KMSAN reported uninitialized data being written to disk when dumping
core.  As a result, several kilobytes of kmalloc memory may be written
to the core file and then read by a non-privileged user.

Reported-by: sam 
Signed-off-by: Alexander Potapenko 
Signed-off-by: Andrew Morton 
Acked-by: Kees Cook 
Cc: Al Viro 
Cc: Alexey Dobriyan 
Link: http://lkml.kernel.org/r/20200419100848.63472-1-gli...@google.com
Link: https://github.com/google/kmsan/issues/76
Signed-off-by: Linus Torvalds 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 fs/binfmt_elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1575,7 +1575,7 @@ static int fill_thread_core_info(struct
(!regset->active || regset->active(t->task, regset) > 0)) {
int ret;
size_t size = regset->n * regset->size;
-   void *data = kmalloc(size, GFP_KERNEL);
+   void *data = kzalloc(size, GFP_KERNEL);
if (unlikely(!data))
return 0;
ret = regset->get(t->task, regset,
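Review bot: `kzalloc()` is the right minimal fix because `regset->get()` may fill fewer than `size` bytes and the remainder was previously written to the core file as-is; a short comment above the allocation saying that the zeroing is what keeps uninitialised heap out of the dump would stop a future cleanup from switching it back to `kmalloc()`.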



[PATCH 3.16 49/61] ext4: protect journal inode's blocks using block_validity

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Theodore Ts'o 

commit 345c0dbf3a30872d9b204db96b5857cd00808cae upstream.

Add the blocks which belong to the journal inode to block_validity's
system zone so attempts to deallocate or overwrite the journal due to a
corrupted file system where the journal blocks are also claimed by
another inode.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202879
Signed-off-by: Theodore Ts'o 
Cc: sta...@kernel.org
[bwh: Backported to 3.16:
 - Use EXT4_HAS_COMPAT_FEATURE()
 - Use EIO instead of EFSCORRUPTED]
Signed-off-by: Ben Hutchings 
---
--- a/fs/ext4/block_validity.c
+++ b/fs/ext4/block_validity.c
@@ -137,6 +137,48 @@ static void debug_print_tree(struct ext4
printk("\n");
 }
 
+static int ext4_protect_reserved_inode(struct super_block *sb, u32 ino)
+{
+   struct inode *inode;
+   struct ext4_sb_info *sbi = EXT4_SB(sb);
+   struct ext4_map_blocks map;
+   u32 i = 0, err = 0, num, n;
+
+   if ((ino < EXT4_ROOT_INO) ||
+   (ino > le32_to_cpu(sbi->s_es->s_inodes_count)))
+   return -EINVAL;
+   inode = ext4_iget(sb, ino, EXT4_IGET_SPECIAL);
+   if (IS_ERR(inode))
+   return PTR_ERR(inode);
+   num = (inode->i_size + sb->s_blocksize - 1) >> sb->s_blocksize_bits;
+   while (i < num) {
+   map.m_lblk = i;
+   map.m_len = num - i;
+   n = ext4_map_blocks(NULL, inode, , 0);
+   if (n < 0) {
+   err = n;
+   break;
+   }
+   if (n == 0) {
+   i++;
+   } else {
+   if (!ext4_data_block_valid(sbi, map.m_pblk, n)) {
+   ext4_error(sb, "blocks %llu-%llu from inode %u "
+  "overlap system zone", map.m_pblk,
+  map.m_pblk + map.m_len - 1, ino);
+   err = -EIO;
+   break;
+   }
+   err = add_system_zone(sbi, map.m_pblk, n);
+   if (err < 0)
+   break;
+   i += n;
+   }
+   }
+   iput(inode);
+   return err;
+}
+
 int ext4_setup_system_zone(struct super_block *sb)
 {
ext4_group_t ngroups = ext4_get_groups_count(sb);
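Review bot: `n` and `err` are declared `u32` in `ext4_protect_reserved_inode()`, but `n` receives the `int` return of `ext4_map_blocks()` and is then tested with `if (n < 0)`, which can never be true for an unsigned; a mapping error would instead be treated as a huge block count and passed to `ext4_data_block_valid()` and `add_system_zone()`. Declare both as `int` (`err` is also the function's return value, so it should not be unsigned either); the series carries "ext4: unsigned int compared against zero" for exactly this, so the two should go in together.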
@@ -171,6 +213,13 @@ int ext4_setup_system_zone(struct super_
if (ret)
return ret;
}
+   if (EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_HAS_JOURNAL) &&
+   sbi->s_es->s_journal_inum) {
+   ret = ext4_protect_reserved_inode(sb,
+   le32_to_cpu(sbi->s_es->s_journal_inum));
+   if (ret)
+   return ret;
+   }
 
if (test_opt(sb, DEBUG))
debug_print_tree(EXT4_SB(sb));
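Review bot: the guard `EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_HAS_JOURNAL) && sbi->s_es->s_journal_inum` silently skips filesystems with an external journal (where s_journal_inum is 0), which is the correct outcome since those blocks live on another device, but on its own it reads like an oversight; a one-line comment stating that only an internal journal has blocks to protect would help the next reader.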
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -411,6 +411,11 @@ static int __check_block_validity(struct
unsigned int line,
struct ext4_map_blocks *map)
 {
+   if (EXT4_HAS_COMPAT_FEATURE(inode->i_sb,
+   EXT4_FEATURE_COMPAT_HAS_JOURNAL) &&
+   (inode->i_ino ==
+le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
+   return 0;
if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk,
   map->m_len)) {
ext4_error_inode(inode, func, line, map->m_pblk,
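Review bot: the early `return 0` exempts the journal inode from `ext4_data_block_valid()` entirely, which is required because its blocks have just been placed in the system zone by `ext4_protect_reserved_inode()` and every journal mapping would otherwise be reported as an overlap; say so in a comment, since read on its own the bypass looks like a hole in the validation. The feature-plus-inum test is now duplicated between here and `ext4_setup_system_zone()`; a small inline helper (an `ext4_is_journal_inode()`-style name, hypothetical) would keep the two from drifting apart.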



[PATCH 3.16 38/61] scsi: sg: close race condition in sg_remove_sfp_usercontext()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 97d27b0dd015e980ade63fda111fd1353276e28b upstream.

sg_remove_sfp_usercontext() is clearing any sg requests, but needs to
take 'rq_list_lock' when modifying the list.

Reported-by: Christoph Hellwig 
Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -561,6 +561,7 @@ sg_read(struct file *filp, char __user *
} else
count = (old_hdr->result == 0) ? 0 : -EIO;
sg_finish_rem_req(srp);
+   sg_remove_request(sfp, srp);
retval = count;
 free_old_hdr:
kfree(old_hdr);
@@ -601,6 +602,7 @@ sg_new_read(Sg_fd * sfp, char __user *bu
}
 err_out:
err2 = sg_finish_rem_req(srp);
+   sg_remove_request(sfp, srp);
return err ? : err2 ? : count;
 }
 
@@ -835,6 +837,7 @@ sg_common_write(Sg_fd * sfp, Sg_request
if (k) {
SCSI_LOG_TIMEOUT(1, printk("sg_common_write: start_req 
err=%d\n", k));
sg_finish_rem_req(srp);
+   sg_remove_request(sfp, srp);
return k;   /* probably out of space --> ENOMEM */
}
if (atomic_read(>detaching)) {
@@ -844,6 +847,7 @@ sg_common_write(Sg_fd * sfp, Sg_request
}
 
sg_finish_rem_req(srp);
+   sg_remove_request(sfp, srp);
return -ENODEV;
}
 
@@ -1367,6 +1371,7 @@ sg_rq_end_io_usercontext(struct work_str
struct sg_fd *sfp = srp->parentfp;
 
sg_finish_rem_req(srp);
+   sg_remove_request(sfp, srp);
kref_put(>f_ref, sg_remove_sfp);
 }
 
@@ -1876,8 +1881,6 @@ sg_finish_rem_req(Sg_request *srp)
else
sg_remove_scat(req_schp);
 
-   sg_remove_request(sfp, srp);
-
return ret;
 }
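Review bot: dropping `sg_remove_request()` from `sg_finish_rem_req()` makes every caller responsible for unlinking the request, and this patch has to touch five such sites (`sg_read`, `sg_new_read`, twice in `sg_common_write`, `sg_rq_end_io_usercontext`); a comment on `sg_finish_rem_req()` stating that the caller now owns the unlink, or a wrapper that does both for the common case (hypothetical `sg_finish_and_remove()`), would make a missed site stand out in review.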
 
@@ -2211,12 +2214,17 @@ sg_remove_sfp_usercontext(struct work_st
struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
struct sg_device *sdp = sfp->parentdp;
Sg_request *srp;
+   unsigned long iflags;
 
/* Cleanup any responses which were never read(). */
+   write_lock_irqsave(>rq_list_lock, iflags);
while (!list_empty(>rq_list)) {
srp = list_first_entry(>rq_list, Sg_request, entry);
sg_finish_rem_req(srp);
+   list_del(>entry);
+   srp->parentfp = NULL;
}
+   write_unlock_irqrestore(>rq_list_lock, iflags);
 
if (sfp->reserve.bufflen > 0) {
SCSI_LOG_TIMEOUT(6,
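Review bot: the cleanup loop now calls `sg_finish_rem_req(srp)` with `rq_list_lock` write-held and interrupts disabled. If that function can block (it tears down the request's scatter list and any user mapping), this is a sleeping-in-atomic bug; the safer shape is to splice `sfp->rq_list` onto a local list under the lock, drop the lock, and then finish each request from the local list. Clearing `srp->parentfp` after `list_del()` is consistent with the struct's "NULL -> not in use" convention.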



[PATCH 3.16 30/61] scsi: sg: remove 'save_scat_len'

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 136e57bf43dc4babbfb8783abbf707d483cacbe3 upstream.

Unused.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -154,7 +154,6 @@ typedef struct sg_fd {  /* holds the sta
int timeout;/* defaults to SG_DEFAULT_TIMEOUT  */
int timeout_user;   /* defaults to SG_DEFAULT_TIMEOUT_USER */
Sg_scatter_hold reserve;/* buffer held for this file descriptor 
*/
-   unsigned save_scat_len; /* original length of trunc. scat. element */
Sg_request *headrp; /* head of request slist, NULL->empty */
struct fasync_struct *async_qp; /* used by asynchronous notification */
Sg_request req_arr[SG_MAX_QUEUE];   /* used as singly-linked list */
@@ -2069,7 +2068,6 @@ sg_unlink_reserve(Sg_fd * sfp, Sg_reques
req_schp->pages = NULL;
req_schp->page_order = 0;
req_schp->sglist_len = 0;
-   sfp->save_scat_len = 0;
srp->res_used = 0;
/* Called without mutex lock to avoid deadlock */
sfp->res_in_use = 0;



[PATCH 3.16 16/61] drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit.

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: David Mosberger 

commit 98b74b0ee57af1bcb6e8b2e76e707a71c5ef8ec9 upstream.

usb_submit_urb() may take quite long to execute.  For example, a
single sg list may have 30 or more entries, possibly leading to that
many calls to DMA-map pages.  This can cause interrupt latency of
several hundred micro-seconds.

Avoid the problem by releasing the io->lock spinlock and re-enabling
interrupts before calling usb_submit_urb().  This opens races with
usb_sg_cancel() and sg_complete().  Handle those races by using
usb_block_urb() to stop URBs from being submitted after
usb_sg_cancel() or sg_complete() with error.

Note that usb_unlink_urb() is guaranteed to return -ENODEV if
!io->urbs[i]->dev and since the -ENODEV case is already handled,
we don't have to check for !io->urbs[i]->dev explicitly.

Before this change, reading 512MB from an ext3 filesystem on a USB
memory stick showed a throughput of 12 MB/s with about 500 missed
deadlines.

With this change, reading the same file gave the same throughput but
only one or two missed deadlines.

Signed-off-by: David Mosberger 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/usb/core/message.c | 15 +++
 1 file changed, 7 insertions(+), 8 deletions(-)

--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -306,9 +306,10 @@ static void sg_complete(struct urb *urb)
 */
spin_unlock(>lock);
for (i = 0, found = 0; i < io->entries; i++) {
-   if (!io->urbs[i] || !io->urbs[i]->dev)
+   if (!io->urbs[i])
continue;
if (found) {
+   usb_block_urb(io->urbs[i]);
retval = usb_unlink_urb(io->urbs[i]);
if (retval != -EINPROGRESS &&
retval != -ENODEV &&
@@ -519,12 +520,10 @@ void usb_sg_wait(struct usb_sg_request *
int retval;
 
io->urbs[i]->dev = io->dev;
-   retval = usb_submit_urb(io->urbs[i], GFP_ATOMIC);
-
-   /* after we submit, let completions or cancellations fire;
-* we handshake using io->status.
-*/
spin_unlock_irq(>lock);
+
+   retval = usb_submit_urb(io->urbs[i], GFP_NOIO);
+
switch (retval) {
/* maybe we retrying will recover */
case -ENXIO:/* hc didn't queue this one */
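Review bot: the comment that explained the submit/complete handshake ("after we submit, let completions or cancellations fire; we handshake using io->status") is deleted but not replaced, and the new ordering (unlock, then `usb_submit_urb()` with GFP_NOIO) now relies on `usb_block_urb()` from `usb_sg_cancel()`/`sg_complete()` to stop a late submit; that deserves a comment at this spot. Also confirm that the `switch (retval)` below has a case for the `-EPERM` that `usb_submit_urb()` returns for a blocked URB, since that is now how a cancelled request surfaces here.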
@@ -594,8 +593,8 @@ void usb_sg_cancel(struct usb_sg_request
for (i = 0; i < io->entries; i++) {
int retval;
 
-   if (!io->urbs[i]->dev)
-   continue;
+   usb_block_urb(io->urbs[i]);
+
retval = usb_unlink_urb(io->urbs[i]);
if (retval != -EINPROGRESS
&& retval != -ENODEV
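Review bot: `usb_block_urb()` is now called unconditionally for every entry, replacing the `!io->urbs[i]->dev` skip, and there is no matching `usb_unblock_urb()` anywhere in the patch; that is only correct if these URBs are never resubmitted after a cancel, so a comment stating that the block is permanent for the lifetime of the request would keep a later reuse from failing silently with -EPERM.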



[PATCH 3.16 34/61] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 3e0097499839e0fe3af380410eababe5a47c4cf9 upstream.

When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is
returned; the remaining part will then contain stale kernel memory
information.  This patch zeroes out the entire table to avoid this
issue.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Reviewed-by: Eric Dumazet 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -881,7 +881,6 @@ sg_fill_request_table(Sg_fd *sfp, sg_req
list_for_each_entry(srp, >rq_list, entry) {
if (val > SG_MAX_QUEUE)
break;
-   memset([val], 0, SZ_SG_REQ_INFO);
rinfo[val].req_state = srp->done + 1;
rinfo[val].problem =
srp->header.masked_status &
@@ -1098,8 +1097,8 @@ sg_ioctl(struct file *filp, unsigned int
else {
sg_req_info_t *rinfo;
 
-   rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
-   GFP_KERNEL);
+   rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
+   GFP_KERNEL);
if (!rinfo)
return -ENOMEM;
read_lock_irqsave(>rq_list_lock, iflags);
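Review bot: the `if (val > SG_MAX_QUEUE) break;` in the table-filling loop (context in the first hunk) lets `val == SG_MAX_QUEUE` through, so `rinfo[SG_MAX_QUEUE]` is written one entry past the `SZ_SG_REQ_INFO * SG_MAX_QUEUE` allocation made in the second hunk; the test should be `>=`. The series carries "scsi: sg: off by one in sg_ioctl()" and "scsi: sg: Re-fix off by one in sg_fill_request_table()" for this, but it is worth noting that switching `kmalloc()` to `kzalloc()` does nothing about the overrun.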



[PATCH 3.16 54/61] x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jia Zhang 

commit b399151cb48db30ad1e0e93dd40d68c6d007b637 upstream.

x86_mask is a confusing name which is hard to associate with the
processor's stepping.

Additionally, correct an indent issue in lib/cpu.c.

Signed-off-by: Jia Zhang 
[ Updated it to more recent kernels. ]
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: b...@alien8.de
Cc: tony.l...@intel.com
Link: http://lkml.kernel.org/r/1514771530-70829-1-git-send-email-qianyue...@alibaba-inc.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 
[bwh: Backported to 3.16:
 - Drop changes in arch/x86/lib/cpu.c
 - Adjust filenames, context]
Signed-off-by: Ben Hutchings 
---
 arch/x86/include/asm/acpi.h|  2 +-
 arch/x86/include/asm/processor.h   |  2 +-
 arch/x86/kernel/amd_nb.c   |  2 +-
 arch/x86/kernel/asm-offsets_32.c   |  2 +-
 arch/x86/kernel/cpu/amd.c  | 28 +++---
 arch/x86/kernel/cpu/centaur.c  |  4 ++--
 arch/x86/kernel/cpu/common.c   |  8 +++
 arch/x86/kernel/cpu/cyrix.c|  2 +-
 arch/x86/kernel/cpu/intel.c| 18 +++---
 arch/x86/kernel/cpu/microcode/intel.c  |  4 ++--
 arch/x86/kernel/cpu/mtrr/generic.c |  2 +-
 arch/x86/kernel/cpu/mtrr/main.c|  4 ++--
 arch/x86/kernel/cpu/perf_event_intel.c |  2 +-
 arch/x86/kernel/cpu/perf_event_intel_lbr.c |  2 +-
 arch/x86/kernel/cpu/perf_event_p6.c|  2 +-
 arch/x86/kernel/cpu/proc.c |  4 ++--
 arch/x86/kernel/head_32.S  |  4 ++--
 arch/x86/kernel/mpparse.c  |  2 +-
 drivers/char/hw_random/via-rng.c   |  2 +-
 drivers/cpufreq/acpi-cpufreq.c |  2 +-
 drivers/cpufreq/longhaul.c |  6 ++---
 drivers/cpufreq/p4-clockmod.c  |  2 +-
 drivers/cpufreq/powernow-k7.c  |  2 +-
 drivers/cpufreq/speedstep-centrino.c   |  4 ++--
 drivers/cpufreq/speedstep-lib.c|  6 ++---
 drivers/crypto/padlock-aes.c   |  2 +-
 drivers/edac/amd64_edac.c  |  2 +-
 drivers/edac/mce_amd.c |  2 +-
 drivers/hwmon/coretemp.c   |  6 ++---
 drivers/hwmon/hwmon-vid.c  |  2 +-
 drivers/hwmon/k10temp.c|  2 +-
 drivers/hwmon/k8temp.c |  2 +-
 drivers/video/fbdev/geode/video_gx.c   |  2 +-
 33 files changed, 69 insertions(+), 69 deletions(-)

--- a/arch/x86/include/asm/acpi.h
+++ b/arch/x86/include/asm/acpi.h
@@ -87,7 +87,7 @@ static inline unsigned int acpi_processo
if (boot_cpu_data.x86 == 0x0F &&
boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
boot_cpu_data.x86_model <= 0x05 &&
-   boot_cpu_data.x86_mask < 0x0A)
+   boot_cpu_data.x86_stepping < 0x0A)
return 1;
else if (amd_e400_c1e_detected)
return 1;
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -82,7 +82,7 @@ struct cpuinfo_x86 {
__u8x86;/* CPU family */
__u8x86_vendor; /* CPU vendor */
__u8x86_model;
-   __u8x86_mask;
+   __u8x86_stepping;
 #ifdef CONFIG_X86_32
charwp_works_ok;/* It doesn't on 386's */
 
--- a/arch/x86/kernel/amd_nb.c
+++ b/arch/x86/kernel/amd_nb.c
@@ -116,7 +116,7 @@ int amd_cache_northbridges(void)
if (boot_cpu_data.x86 == 0x10 &&
boot_cpu_data.x86_model >= 0x8 &&
(boot_cpu_data.x86_model > 0x9 ||
-boot_cpu_data.x86_mask >= 0x1))
+boot_cpu_data.x86_stepping >= 0x1))
amd_northbridges.flags |= AMD_NB_L3_INDEX_DISABLE;
 
if (boot_cpu_data.x86 == 0x15)
--- a/arch/x86/kernel/asm-offsets_32.c
+++ b/arch/x86/kernel/asm-offsets_32.c
@@ -27,7 +27,7 @@ void foo(void)
OFFSET(CPUINFO_x86, cpuinfo_x86, x86);
OFFSET(CPUINFO_x86_vendor, cpuinfo_x86, x86_vendor);
OFFSET(CPUINFO_x86_model, cpuinfo_x86, x86_model);
-   OFFSET(CPUINFO_x86_mask, cpuinfo_x86, x86_mask);
+   OFFSET(CPUINFO_x86_stepping, cpuinfo_x86, x86_stepping);
OFFSET(CPUINFO_cpuid_level, cpuinfo_x86, cpuid_level);
OFFSET(CPUINFO_x86_capability, cpuinfo_x86, x86_capability);
OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
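Review bot: renaming the `OFFSET()` symbol to `CPUINFO_x86_stepping` changes a constant consumed from assembly, so every `.S` user must be updated in the same patch; the diffstat lists `arch/x86/kernel/head_32.S`, which is the expected consumer, but a `git grep CPUINFO_x86_mask` over the 3.16 tree before applying would confirm that nothing else references the old name.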
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -101,7 +101,7 @@ static void init_amd_k6(struct cpuinfo_x
return;
}
 
-   if (c->x86_model == 6 && c->x86_mask == 1) {
+   if (c->x86_model == 6 && c->x86_stepping == 1) {
const int K6_BUG_LOOP = 100;
   

[PATCH 3.16 13/61] selinux: Print 'sclass' as string when unrecognized netlink message occurs

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Marek Milkovic 

commit cded3fffbeab777e6ad2ec05d4a3b62c5caca0f3 upstream.

This prints the 'sclass' field as a string instead of an index in the
unrecognized netlink message.
The textual representation makes it easier to distinguish the right class.

Signed-off-by: Marek Milkovic 
Acked-by: Stephen Smalley 
[PM: 80-char width fixes]
Signed-off-by: Paul Moore 
Signed-off-by: Ben Hutchings 
---
 security/selinux/hooks.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4685,8 +4685,9 @@ static int selinux_nlmsg_perm(struct soc
if (err == -EINVAL) {
printk(KERN_WARNING
   "SELinux: unrecognized netlink message:"
-  " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
-  sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
+  " protocol=%hu nlmsg_type=%hu sclass=%s\n",
+  sk->sk_protocol, nlh->nlmsg_type,
+  secclass_map[sksec->sclass - 1].name);
if (!selinux_enforcing || security_get_allow_unknown())
err = 0;
}
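Review bot: `secclass_map[sksec->sclass - 1]` indexes with no bounds check; if `sksec->sclass` can ever be 0 here (or exceed the map) the warning path itself reads out of bounds, which is a poor property for code that only runs on already-unrecognized input. Either record the invariant in a comment or guard the index and print the raw number when it is out of range.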



[PATCH 3.16 00/61] 3.16.85-rc1 review

2020-06-09 Thread Ben Hutchings
This is the start of the stable review cycle for the 3.16.85 release.
There are 61 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Jun 11 18:03:51 UTC 2020.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-

Akinobu Mita (1):
  sg: prevent integer overflow when converting from sectors to bytes
 [46f69e6a6bbbf3858617c8729e31895846c15a79]

Alan Stern (1):
  USB: core: Fix free-while-in-use bug in the USB S-G library
 [056ad39ee9253873522f6469c3364964a322912b]

Alexander Potapenko (1):
  fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
 [1d605416fb7175e1adf094251466caa52093b413]

Ben Hutchings (2):
  scsi: sg: Change next_cmd_len handling to mirror upstream
 [65c26a0f39695ba01d9693754f27ca76cc8a3ab5,
  bf33f87dd04c371ea33feb821b60d63d754e3124]
  scsi: sg: Re-fix off by one in sg_fill_request_table()
 [587c3c9f286cee5c9cac38d28c8ae1875f4ec85b]

Colin Ian King (1):
  ext4: unsigned int compared against zero
 [fd2f28aec991f3fbc248df211550fbdfd58c]

Dan Carpenter (3):
  scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
 [a7043e9529f3c367cc4d82997e00be034cbe57ca]
  scsi: mptfusion: Fix double fetch bug in ioctl
 [28d76df18f0ad5bcf5fa48510b225f0ed262a99b]
  scsi: sg: off by one in sg_ioctl()
 [bd46fc406b30d1db1aff8dabaff8d18bb423fdcf]

David Mosberger (2):
  drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit.
 [98b74b0ee57af1bcb6e8b2e76e707a71c5ef8ec9]
  drivers: usb: core: Minimize irq disabling in usb_sg_cancel()
 [5f2e5fb873e269fcb806165715d237f0de4ecf1d]

Douglas Gilbert (1):
  sg: O_EXCL and other lock handling
 [cc833acbee9db5ca8c6162b015b4c93863c6f821]

Eric Dumazet (1):
  net-sysfs: fix netdev_queue_add_kobject() breakage
 [48a322b6f9965b2f1e4ce81af972f0e287b07ed0]

Eric W. Biederman (1):
  signal: Extend exec_id to 64bits
 [d1e7fd6462ca9fc76650fbe6ca800e35b24267da]

Hannes Reinecke (8):
  scsi: sg: close race condition in sg_remove_sfp_usercontext()
 [97d27b0dd015e980ade63fda111fd1353276e28b]
  scsi: sg: disable SET_FORCE_LOW_DMA
 [745dfa0d8ec26b24f3304459ff6e9eacc5c8351b]
  scsi: sg: factor out sg_fill_request_table()
 [4759df905a474d245752c9dc94288e779b8734dd]
  scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
 [3e0097499839e0fe3af380410eababe5a47c4cf9]
  scsi: sg: protect accesses to 'reserved' page array
 [1bc0eb0446158cc76562176b80623aa119afee5b]
  scsi: sg: remove 'save_scat_len'
 [136e57bf43dc4babbfb8783abbf707d483cacbe3]
  scsi: sg: reset 'res_in_use' after unlinking reserved array
 [e791ce27c3f6a1d3c746fd6a8f8e36c9540ec6f9]
  scsi: sg: use standard lists for sg_requests
 [109bade9c625c89bb5ea753aaa1a0a97e6fbb548]

Jason A. Donenfeld (1):
  random: always use batched entropy for get_random_u{32,64}
 [69efea712f5b0489e67d07565aad5c94e09a3e52]

Jia Zhang (1):
  x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping
 [b399151cb48db30ad1e0e93dd40d68c6d007b637]

Johannes Thumshirn (5):
  scsi: sg: check for valid direction before starting the request
 [28676d869bbb5257b5f14c0c95ad3af3a7019dd5]
  scsi: sg: don't return bogus Sg_requests
 [48ae8484e9fc324b4968d33c585e54bc98e44d61]
  scsi: sg: fix SG_DXFER_FROM_DEV transfers
 [68c59fcea1f2c6a54c62aa896cc623c1b5bc9b47]
  scsi: sg: fix static checker warning in sg_is_valid_dxfer
 [14074aba4bcda3764c9a702b276308b89901d5b6]
  scsi: sg: only check for dxfer_len greater than 256M
 [f930c7043663188429cd9b254e9d761edfc101ce]

Josh Poimboeuf (1):
  x86/speculation: Add Ivy Bridge to affected list
 [3798cc4d106e91382bfe016caa2edada27c2bb3f]

Jouni Hogander (7):
  can: slcan: Fix use-after-free Read in slcan_open
 [9ebd796e24008f33f06ebea5a5e6aceb68b51794]
  net-sysfs: Call dev_hold always in netdev_queue_add_kobject
 [e0b60903b434a7ee21ba8d8659f207ed84101e89]
  net-sysfs: Call dev_hold always in rx_queue_add_kobject
 [ddd9b5e3e765d8ed5a35786a6cb00111713fe161]
  net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
 [b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b]
  slcan: Fix memory leak in error path
 [ed50e1600b4483c049ce76e6bd3b665a6a9300ed]
  slip: Fix memory leak in slip_open error path
 [3b5a39979dafea9d0cd69c7ae06088f7a84cdafa]
  slip: Fix use-after-free Read in slip_open

[PATCH 3.16 41/61] scsi: sg: only check for dxfer_len greater than 256M

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Johannes Thumshirn 

commit f930c7043663188429cd9b254e9d761edfc101ce upstream.

Don't make any assumptions on the sg_io_hdr_t::dxfer_direction or the
sg_io_hdr_t::dxferp in order to determine if it is a valid request. The
only way we can check for bad requests is by checking if the length
exceeds 256M.

Signed-off-by: Johannes Thumshirn 
Fixes: 28676d869bbb (scsi: sg: check for valid direction before starting the request)
Reported-by: Jason L Tibbitts III 
Tested-by: Jason L Tibbitts III 
Suggested-by: Doug Gilbert 
Cc: Doug Gilbert 
Cc: 
Reviewed-by: Hannes Reinecke 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
[bwh: Backported to 3.16: Include ]
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 31 +--
 1 file changed, 1 insertion(+), 30 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -54,6 +54,7 @@ static int sg_version_num = 30534;/* 2
 #include 
 #include 
 #include  /* for sg_check_file_access() */
+#include 
 
 #include "scsi.h"
 #include 
@@ -788,35 +789,6 @@ sg_new_write(Sg_fd *sfp, struct file *fi
return count;
 }
 
-static bool sg_is_valid_dxfer(sg_io_hdr_t *hp)
-{
-   switch (hp->dxfer_direction) {
-   case SG_DXFER_NONE:
-   if (hp->dxferp || hp->dxfer_len > 0)
-   return false;
-   return true;
-   case SG_DXFER_FROM_DEV:
-   /*
-* for SG_DXFER_FROM_DEV we always set dxfer_len to > 0. dxferp
-* can either be NULL or != NULL so there's no point in checking
-* it either. So just return true.
-*/
-   return true;
-   case SG_DXFER_TO_DEV:
-   case SG_DXFER_TO_FROM_DEV:
-   if (!hp->dxferp || hp->dxfer_len == 0)
-   return false;
-   return true;
-   case SG_DXFER_UNKNOWN:
-   if ((!hp->dxferp && hp->dxfer_len) ||
-   (hp->dxferp && hp->dxfer_len == 0))
-   return false;
-   return true;
-   default:
-   return false;
-   }
-}
-
 static int
 sg_common_write(Sg_fd * sfp, Sg_request * srp,
unsigned char *cmnd, int timeout, int blocking)
@@ -836,7 +808,7 @@ sg_common_write(Sg_fd * sfp, Sg_request
SCSI_LOG_TIMEOUT(4, printk("sg_common_write:  scsi opcode=0x%02x, 
cmd_size=%d\n",
  (int) cmnd[0], (int) hp->cmd_len));
 
-   if (!sg_is_valid_dxfer(hp))
+   if (hp->dxfer_len >= SZ_256M)
return -EINVAL;
 
k = sg_start_req(srp, cmnd);
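Review bot: the new test `hp->dxfer_len >= SZ_256M` carries no explanation; the commit message's reasoning (no assumption can be made about dxfer_direction or dxferp, so only the length can be sanity-checked) belongs in a comment next to it, since the deleted `sg_is_valid_dxfer()` was the previous reader's only hint about what is being validated before `sg_start_req()`.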



[PATCH 3.16 18/61] USB: core: Fix free-while-in-use bug in the USB S-G library

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Alan Stern 

commit 056ad39ee9253873522f6469c3364964a322912b upstream.

FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug
in the USB scatter-gather library:

BUG: KASAN: use-after-free in atomic_read
include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170
drivers/usb/core/hcd.c:1607
Read of size 4 at addr 888065379610 by task kworker/u4:1/27

CPU: 1 PID: 27 Comm: kworker/u4:1 Not tainted 5.5.11 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1 04/01/2014
Workqueue: scsi_tmf_2 scmd_eh_abort_handler
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x153/0x1cb mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
 __kasan_check_read+0x11/0x20 mm/kasan/common.c:95
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
 usb_unlink_urb+0x72/0xb0 drivers/usb/core/urb.c:657
 usb_sg_cancel+0x14e/0x290 drivers/usb/core/message.c:602
 usb_stor_stop_transport+0x5e/0xa0 drivers/usb/storage/transport.c:937

This bug occurs when cancellation of the S-G transfer races with
transfer completion.  When that happens, usb_sg_cancel() may continue
to access the transfer's URBs after usb_sg_wait() has freed them.

The bug is caused by the fact that usb_sg_cancel() does not take any
sort of reference to the transfer, and so there is nothing to prevent
the URBs from being deallocated while the routine is trying to use
them.  The fix is to take such a reference by incrementing the
transfer's io->count field while the cancellation is in progress and
decrementing it afterward.  The transfer's URBs are not deallocated
until io->complete is triggered, which happens when io->count reaches
zero.

Signed-off-by: Alan Stern 
Reported-and-tested-by: Kyungtae Kim 
CC: 

Link: https://lore.kernel.org/r/pine.lnx.4.44l0.2003281615140.14837-100...@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/usb/core/message.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -584,12 +584,13 @@ void usb_sg_cancel(struct usb_sg_request
int i, retval;
 
spin_lock_irqsave(>lock, flags);
-   if (io->status) {
+   if (io->status || io->count == 0) {
spin_unlock_irqrestore(>lock, flags);
return;
}
/* shut everything down */
io->status = -ECONNRESET;
+   io->count++;/* Keep the request alive until we're done */
spin_unlock_irqrestore(>lock, flags);
 
for (i = io->entries - 1; i >= 0; --i) {
@@ -603,6 +604,12 @@ void usb_sg_cancel(struct usb_sg_request
dev_warn(>dev->dev, "%s, unlink --> %d\n",
 __func__, retval);
}
+
+   spin_lock_irqsave(>lock, flags);
+   io->count--;
+   if (!io->count)
+   complete(>complete);
+   spin_unlock_irqrestore(>lock, flags);
 }
 EXPORT_SYMBOL_GPL(usb_sg_cancel);
 
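Review bot: with the `io->count++` taken in the first hunk, the completion can now be signalled from this cancel path rather than from the last URB completion, so whoever waits on `io->complete` must be prepared to free the URBs after a cancel-triggered `complete()` as well; a comment on the decrement saying that cancel holds a reference for the duration of the unlink loop and may be the one to complete the request would make the invariant explicit. The `io->count == 0` early-out in the first hunk also closes the case where cancel arrives after everything has already finished, which is the race in the KASAN report.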



[PATCH 3.16 31/61] scsi: sg: use standard lists for sg_requests

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 109bade9c625c89bb5ea753aaa1a0a97e6fbb548 upstream.

'Sg_request' is using a private list implementation; convert it to
standard lists.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 147 +++---
 1 file changed, 61 insertions(+), 86 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -130,7 +130,7 @@ struct sg_device;   /* forward declaratio
 struct sg_fd;
 
 typedef struct sg_request {/* SG_MAX_QUEUE requests outstanding per file */
-   struct sg_request *nextrp;  /* NULL -> tail request (slist) */
+   struct list_head entry; /* list entry */
struct sg_fd *parentfp; /* NULL -> not in use */
Sg_scatter_hold data;   /* hold buffer, perhaps scatter list */
sg_io_hdr_t header; /* scsi command+info, see  */
@@ -154,7 +154,7 @@ typedef struct sg_fd {  /* holds the sta
int timeout;/* defaults to SG_DEFAULT_TIMEOUT  */
int timeout_user;   /* defaults to SG_DEFAULT_TIMEOUT_USER */
Sg_scatter_hold reserve;/* buffer held for this file descriptor 
*/
-   Sg_request *headrp; /* head of request slist, NULL->empty */
+   struct list_head rq_list; /* head of request list */
struct fasync_struct *async_qp; /* used by asynchronous notification */
Sg_request req_arr[SG_MAX_QUEUE];   /* used as singly-linked list */
char low_dma;   /* as in parent but possibly overridden to 1 */
@@ -981,7 +981,7 @@ sg_ioctl(struct file *filp, unsigned int
if (!access_ok(VERIFY_WRITE, ip, sizeof (int)))
return -EFAULT;
read_lock_irqsave(>rq_list_lock, iflags);
-   for (srp = sfp->headrp; srp; srp = srp->nextrp) {
+   list_for_each_entry(srp, >rq_list, entry) {
if ((1 == srp->done) && (!srp->sg_io_owned)) {
read_unlock_irqrestore(>rq_list_lock,
   iflags);
@@ -994,7 +994,8 @@ sg_ioctl(struct file *filp, unsigned int
return 0;
case SG_GET_NUM_WAITING:
read_lock_irqsave(>rq_list_lock, iflags);
-   for (val = 0, srp = sfp->headrp; srp; srp = srp->nextrp) {
+   val = 0;
+   list_for_each_entry(srp, >rq_list, entry) {
if ((1 == srp->done) && (!srp->sg_io_owned))
++val;
}
@@ -1069,35 +1070,33 @@ sg_ioctl(struct file *filp, unsigned int
if (!rinfo)
return -ENOMEM;
read_lock_irqsave(>rq_list_lock, iflags);
-   for (srp = sfp->headrp, val = 0; val < SG_MAX_QUEUE;
-++val, srp = srp ? srp->nextrp : srp) {
+   val = 0;
+   list_for_each_entry(srp, >rq_list, entry) {
+   if (val > SG_MAX_QUEUE)
+   break;
memset([val], 0, SZ_SG_REQ_INFO);
-   if (srp) {
-   rinfo[val].req_state = srp->done + 1;
-   rinfo[val].problem =
-   srp->header.masked_status & 
-   srp->header.host_status & 
-   srp->header.driver_status;
-   if (srp->done)
-   rinfo[val].duration =
-   srp->header.duration;
-   else {
-   ms = jiffies_to_msecs(jiffies);
-   rinfo[val].duration =
-   (ms > srp->header.duration) 
?
-   (ms - srp->header.duration) 
: 0;
-   }
-   rinfo[val].orphan = srp->orphan;
-   rinfo[val].sg_io_owned =
-   srp->sg_io_owned;
-   rinfo[val].pack_id =
-   srp->header.pack_id;
- 
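Review bot: the new bound `if (val > SG_MAX_QUEUE) break;` in the SG_GET_REQUEST_TABLE loop is off by one: `rinfo` holds SG_MAX_QUEUE entries and the old loop ran `val < SG_MAX_QUEUE`, so `val == SG_MAX_QUEUE` now writes `rinfo[SG_MAX_QUEUE]`, one past the end; use `>=`, or keep the original `<` bound as the loop condition.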

[PATCH 3.16 14/61] selinux: rate-limit netlink message warnings in selinux_nlmsg_perm()

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Vladis Dronov 

commit 76319946f321e30872dd72af7de867cb26e7a373 upstream.

Any process is able to send netlink messages with invalid types.
Make the warning rate-limited to prevent too much log spam.

The warning is supposed to help to find misbehaving programs, so
print the triggering command name and pid.

Reported-by: Florian Weimer 
Signed-off-by: Vladis Dronov 
[PM: subject line tweak to make checkpatch.pl happy]
Signed-off-by: Paul Moore 
Signed-off-by: Ben Hutchings 
---
 security/selinux/hooks.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4683,11 +4683,12 @@ static int selinux_nlmsg_perm(struct soc
err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, );
if (err) {
if (err == -EINVAL) {
-   printk(KERN_WARNING
-  "SELinux: unrecognized netlink message:"
-  " protocol=%hu nlmsg_type=%hu sclass=%s\n",
+   pr_warn_ratelimited("SELinux: unrecognized netlink"
+  " message: protocol=%hu nlmsg_type=%hu sclass=%s"
+  " pig=%d comm=%s\n",
   sk->sk_protocol, nlh->nlmsg_type,
-  secclass_map[sksec->sclass - 1].name);
+  secclass_map[sksec->sclass - 1].name,
+  task_pid_nr(current), current->comm);
if (!selinux_enforcing || security_get_allow_unknown())
err = 0;
}
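Review bot: the new format string has a typo, "pig=%d" should be "pid=%d" (the argument is `task_pid_nr(current)`); since the message exists to identify misbehaving programs, the misspelt key will break anyone grepping logs for pid=. Otherwise the switch to pr_warn_ratelimited() is the right fix for an unprivileged caller being able to spam the log.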



[PATCH 3.16 43/61] scsi: sg: fix minor memory leak in error path

2020-06-09 Thread Ben Hutchings
3.16.85-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tony Battersby 

commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.

Fix a minor memory leak when there is an error opening a /dev/sg device.

Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
Cc: 
Reviewed-by: Ewan D. Milne 
Signed-off-by: Tony Battersby 
Reviewed-by: Bart Van Assche 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/scsi/sg.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -2168,6 +2168,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
write_lock_irqsave(>sfd_lock, iflags);
if (atomic_read(>detaching)) {
write_unlock_irqrestore(>sfd_lock, iflags);
+   kfree(sfp);
return ERR_PTR(-ENODEV);
}
list_add_tail(>sfd_siblings, >sfds);
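Review bot: the added `kfree(sfp)` sits after `write_unlock_irqrestore()` and before the `return ERR_PTR(-ENODEV)`, which is the right place. The hunk does not show what else was allocated for `sfp` before this point, so a sentence in the description stating that `sfp` itself is the only live allocation on this path would make it clear nothing else still leaks there.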



Linux 3.16.84

2020-05-23 Thread Ben Hutchings
 +-
 fs/nfs/Kconfig |   2 +-
 fs/nfs/dir.c   | 104 ++-
 fs/pnode.c |   9 +-
 fs/reiserfs/super.c|   4 +-
 fs/ubifs/file.c|   5 +-
 include/linux/padata.h |  13 +-
 include/linux/usb/irda.h   |  13 +-
 kernel/padata.c| 142 -
 kernel/time/clocksource.c  |  11 +-
 kernel/trace/trace_stat.c  |  31 +++--
 mm/mempolicy.c |   6 +-
 net/ipv4/tcp.c |   1 +
 net/sched/cls_rsvp.h   |   6 +-
 net/sched/ematch.c |   3 +
 net/sunrpc/auth_gss/svcauth_gss.c  |   4 +
 scripts/kconfig/confdata.c |   2 +-
 sound/drivers/dummy.c  |   2 +-
 sound/sh/aica.c|   4 +-
 virt/kvm/ioapic.c  |  15 ++-
 virt/kvm/kvm_main.c|  12 +-
 94 files changed, 713 insertions(+), 443 deletions(-)

Al Viro (1):
  propagate_one(): mnt_set_mountpoint() needs mount_lock

Alexandre Belloni (2):
  ARM: dts: at91: sama5d3: fix maximum peripheral clock rates
  ARM: dts: at91: sama5d3: define clock rate range for tcb1

Ard Biesheuvel (1):
  efi/x86: Map the entire EFI vendor string before copying it

Arnd Bergmann (2):
  sparc32: fix struct ipc64_perm type definition
  x86: kvm: avoid unused variable warning

Ben Hutchings (1):
  Linux 3.16.84

Bin Liu (1):
  usb: dwc3: turn off VBUS when leaving host mode

Bryan O'Donoghue (2):
  usb: gadget: f_ncm: Use atomic_t to track in-flight request
  usb: gadget: f_ecm: Use atomic_t to track in-flight request

Chen Yucong (1):
  kvm: x86: use macros to compute bank MSRs

Christoffer Dall (1):
  KVM: arm64: Only sign-extend MMIO up to register width

Christophe JAILLET (1):
  pxa168fb: Fix the function used to release some memory in an error handling path

Chuhong Yuan (1):
  crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill

Colin Ian King (2):
  staging: wlan-ng: ensure error return is actually returned
  iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop

Dan Carpenter (3):
  brcmfmac: Fix use after free in brcmf_sdio_readframes()
  power: supply: sbs-battery: Fix a signedness bug in sbs_get_battery_capacity()
  mm/mempolicy.c: fix out of bounds write in mpol_parse_str()

Daniel Jordan (3):
  padata: initialize pd->cpu with effective cpumask
  padata: purge get_cpu and reorder_via_wq from padata_do_serial
  padata: always acquire cpu_hotplug_lock before pinst->lock

Daniel Kiper (2):
  arch/ia64: Define early_memunmap()
  efi: Use early_mem*() instead of early_io*()

Eric Dumazet (4):
  net_sched: ematch: reject invalid TCF_EM_SIMPLE
  tcp: clear tp->total_retrans in tcp_disconnect()
  cls_rsvp: fix rsvp_policy
  bonding/alb: properly access headers in bond_alb_xmit()

Fabian Frederick (1):
  nfs: use kmap/kunmap directly

Filipe Manana (1):
  Btrfs: fix race between adding and putting tree mod seq elements and nodes

Geert Uytterhoeven (1):
  nfs: NFS_SWAP should depend on SWAP

Guenter Roeck (1):
  brcmfmac: abort and release host after error

Herbert Xu (7):
  padata: Replace delayed timer with immediate workqueue in padata_reorder
  padata: Remove broken queue flushing
  crypto: pcrypt - Fix user-after-free on module unload
  crypto: pcrypt - Do not clear MAY_SLEEP flag in original request
  crypto: af_alg - Use bh_lock_sock in sk_destruct
  crypto: api - Check spawn->alg under lock in crypto_drop_spawn
  crypto: api - Fix race condition in crypto_spawn_alg

Jan Kara (2):
  reiserfs: Fix memory leak of journal device string
  reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling

Jason A. Donenfeld (2):
  padata: avoid race in reordering
  padata: get_next is never NULL

Joe Thornber (1):
  dm space map common: fix to ensure new block isn't already in use

Johan Hovold (10):
  ath9k: fix storage endpoint lookup
  rsi: fix use-after-free on failed probe and unbind
  brcmfmac: fix interface sanity check
  orinoco_usb: fix interface sanity check
  rsi_91x_usb: fix interface sanity check
  zd1211rw: fix storage endpoint lookup
  media: iguanair: fix endpoint sanity check
  USB: serial: ir-usb: add missing endpoint sanity check
  USB: serial: ir-usb: fix link-speed handling
  USB: serial: ir-usb: fix IrLAP framing

John Hubbard (1):
  media/v4l2-core: set pages dirty upon r

Re: [PATCH 3.16 00/99] 3.16.84-rc1 review

2020-05-21 Thread Ben Hutchings
On Thu, 2020-05-21 at 15:37 -0700, Guenter Roeck wrote:
> On 5/21/20 1:20 PM, Ben Hutchings wrote:
> > On Wed, 2020-05-20 at 14:23 -0700, Guenter Roeck wrote:
> > > On 5/20/20 7:13 AM, Ben Hutchings wrote:
> > > > This is the start of the stable review cycle for the 3.16.84 release.
> > > > There are 99 patches in this series, which will be posted as responses
> > > > to this one.  If anyone has any issues with these being applied, please
> > > > let me know.
> > > > 
> > > > Responses should be made by Fri May 22 20:00:00 UTC 2020.
> > > > Anything received after that time might be too late.
> > > > 
> > > Build results:
> > >   total: 135 pass: 135 fail: 0
> > > Qemu test results:
> > >   total: 230 pass: 227 fail: 3
> > > Failed tests:
> > >   arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
> > >   arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
> > >   
> > > arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs
> > > 
> > > The arm tests fail due to a compile error.
> > > 
> > > drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' 
> > > undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?
> > 
> > I already looked at your first test results and dropped the patch that
> > uses CLK_IS_CRITICAL, so there's something else going wrong there...
> > 
> 
> Ah yes. Sorry, I didn't notice that there was a rebuild.
> 
> Images are fine; the three failing tests should not have been
> tested in the first place (they never did, but I didn't update
> the blacklist when I increased the qemu memory size to 512MB).

OK, thanks for checking.

Ben.

-- 
Ben Hutchings
Logic doesn't apply to the real world. - Marvin Minsky






Re: [PATCH 3.16 35/99] pxa168fb: Fix the function used to release some memory in an error handling path

2020-05-21 Thread Ben Hutchings
On Thu, 2020-05-21 at 16:31 +0200, Marion & Christophe JAILLET wrote:
> Hi,
> 
> sorry for the noise, I have messed up my 
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ usage.
> I thought I was looking at the 3.16.83 branch, but I was not.
> 
> The patch looks good to me.

Thanks for reviewing,

Ben.

> CJ
> 
> Le 21/05/2020 à 16:09, Marion & Christophe JAILLET a écrit :
> > Hi,
> > 
> > I don't think that this one is applicable to 3.16.x
> > 
> > The remove function and the error handling path of the probe function 
> > both use 'dma_free_wc'.
> > I've not looked in detail, but it looks consistent and the patch would 
> > not apply as-is anyway.
> > 
> > just my 2c.
> > 
> > CJ
> > 
> > Le 20/05/2020 à 16:14, Ben Hutchings a écrit :
> > > 3.16.84-rc1 review patch.  If anyone has any objections, please let 
> > > me know.
> > > 
> > > --
> > > 
> > > From: Christophe JAILLET 
> > > 
> > > commit 3c911fe799d1c338d94b78e7182ad452c37af897 upstream.
> > > 
> > > In the probe function, some resources are allocated using 
> > > 'dma_alloc_wc()',
> > > they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.
> > > 
> > > We already use 'dma_free_wc()' in the remove function, but not in the
> > > error handling path of the probe function.
> > > 
> > > Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already
> > > PAGE_ALIGNed.
> > > 
> > > Fixes: 638772c7553f ("fb: add support of LCD display controller on 
> > > pxa168/910 (base layer)")
> > > Signed-off-by: Christophe JAILLET 
> > > Reviewed-by: Lubomir Rintel 
> > > CC: YueHaibing 
> > > Signed-off-by: Bartlomiej Zolnierkiewicz 
> > > Link: 
> > > https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jail...@wanadoo.fr
> > > [bwh: Backported to 3.16: Use dma_free_writecombine().]
> > > Signed-off-by: Ben Hutchings 
> > > ---
> > >   drivers/video/fbdev/pxa168fb.c | 6 +++---
> > >   1 file changed, 3 insertions(+), 3 deletions(-)
> > > 
> > > --- a/drivers/video/fbdev/pxa168fb.c
> > > +++ b/drivers/video/fbdev/pxa168fb.c
> > > @@ -772,8 +772,8 @@ failed_free_cmap:
> > >   failed_free_clk:
> > >   clk_disable(fbi->clk);
> > >   failed_free_fbmem:
> > > -dma_free_coherent(fbi->dev, info->fix.smem_len,
> > > -info->screen_base, fbi->fb_start_dma);
> > > +dma_free_writecombine(fbi->dev, info->fix.smem_len,
> > > +  info->screen_base, fbi->fb_start_dma);
> > >   failed_free_info:
> > >   kfree(info);
> > >   failed_put_clk:
> > > @@ -809,7 +809,7 @@ static int pxa168fb_remove(struct platfo
> > > irq = platform_get_irq(pdev, 0);
> > >   -dma_free_writecombine(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
> > > +dma_free_writecombine(fbi->dev, info->fix.smem_len,
> > >   info->screen_base, info->fix.smem_start);
> > > clk_disable(fbi->clk);
> > > 
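Review bot: the two free sites now agree on dma_free_writecombine() and on the unaligned `info->fix.smem_len`, but they pass different DMA handles: the probe error path (first hunk) frees with `fbi->fb_start_dma`, while pxa168fb_remove() here frees with `info->fix.smem_start`. Both must be the same bus address for the mapping to be released correctly; a line in the description confirming they hold the same value would settle that.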
-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.






Re: [PATCH 3.16 00/99] 3.16.84-rc1 review

2020-05-21 Thread Ben Hutchings
On Thu, 2020-05-21 at 00:40 -0700, Guenter Roeck wrote:
> On 5/20/20 7:47 PM, Chen-Yu Tsai wrote:
> > On Thu, May 21, 2020 at 5:23 AM Guenter Roeck  wrote:
> > > On 5/20/20 7:13 AM, Ben Hutchings wrote:
> > > > This is the start of the stable review cycle for the 3.16.84 release.
> > > > There are 99 patches in this series, which will be posted as responses
> > > > to this one.  If anyone has any issues with these being applied, please
> > > > let me know.
> > > > 
> > > > Responses should be made by Fri May 22 20:00:00 UTC 2020.
> > > > Anything received after that time might be too late.
> > > > 
> > > Build results:
> > > total: 135 pass: 135 fail: 0
> > > Qemu test results:
> > > total: 230 pass: 227 fail: 3
> > > Failed tests:
> > > 
> > > arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
> > > 
> > > arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
> > > 
> > > arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs
> > > 
> > > The arm tests fail due to a compile error.
> > > 
> > > drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' 
> > > undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?
> > 
> > This looks like a result of having
> > 
> >   clk: tegra: Mark fuse clock as critical
> >  [bf83b96f87ae2abb1e535306ea53608e8de5dfbb]
> > 
> > In which case you probably need to add
> > 
> > 32b9b1096186 clk: Allow clocks to be marked as CRITICAL
> > 
> 
> Then you might also need commit ef56b79b66f ("clk: fix critical
> clock locking") which fixes it.

At this stage I don't think it makes sense to add the feature to 3.16.

Ben.

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.






Re: [PATCH 3.16 00/99] 3.16.84-rc1 review

2020-05-21 Thread Ben Hutchings
On Wed, 2020-05-20 at 14:23 -0700, Guenter Roeck wrote:
> On 5/20/20 7:13 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.84 release.
> > There are 99 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri May 22 20:00:00 UTC 2020.
> > Anything received after that time might be too late.
> > 
> Build results:
>   total: 135 pass: 135 fail: 0
> Qemu test results:
>   total: 230 pass: 227 fail: 3
> Failed tests:
>   arm:cubieboard:multi_v7_defconfig:mem512:sun4i-a10-cubieboard:initrd
>   arm:cubieboard:multi_v7_defconfig:usb:mem512:sun4i-a10-cubieboard:rootfs
>   
> arm:cubieboard:multi_v7_defconfig:sata:mem512:sun4i-a10-cubieboard:rootfs
> 
> The arm tests fail due to a compile error.
> 
> drivers/clk/tegra/clk-tegra-periph.c:524:65: error: 'CLK_IS_CRITICAL' 
> undeclared here (not in a function); did you mean 'CLK_IS_BASIC'?

I already looked at your first test results and dropped the patch that
uses CLK_IS_CRITICAL, so there's something else going wrong there...

Ben.

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.






Re: [PATCH 3.16 43/99] efi: Use early_mem*() instead of early_io*()

2020-05-20 Thread Ben Hutchings
On Wed, 2020-05-20 at 15:14 +0100, Ben Hutchings wrote:
> 3.16.84-rc1 review patch.  If anyone has any objections, please let me know.
> 
> --
> 
> From: Daniel Kiper 
> 
> commit abc93f8eb6e46a480485f19256bdbda36ec78a84 upstream.

I've now seen that this depends on the preceding commit 4fa62481e231
"arch/ia64: Define early_memunmap()".  I've queued that up as well.

Ben.

> Use early_mem*() instead of early_io*() because all mapped EFI regions
> are memory (usually RAM but they could also be ROM, EPROM, EEPROM, flash,
> etc.) not I/O regions. Additionally, I/O family calls do not work correctly
> under Xen in our case. early_ioremap() skips the PFN to MFN conversion
> when building the PTE. Using it for memory will attempt to map the wrong
> machine frame. However, all artificial EFI structures created under Xen
> live in dom0 memory and should be mapped/unmapped using early_mem*() family
> calls which map domain memory.
> 
> Signed-off-by: Daniel Kiper 
> Cc: Leif Lindholm 
> Cc: Mark Salter 
> Signed-off-by: Matt Fleming 
> Signed-off-by: Ben Hutchings 
> ---
>  arch/x86/platform/efi/efi.c | 28 ++--
>  drivers/firmware/efi/efi.c  |  4 ++--
>  2 files changed, 16 insertions(+), 16 deletions(-)
> 
> --- a/arch/x86/platform/efi/efi.c
> +++ b/arch/x86/platform/efi/efi.c
> @@ -435,7 +435,7 @@ void __init efi_unmap_memmap(void)
>  {
>   clear_bit(EFI_MEMMAP, );
>   if (memmap.map) {
> - early_iounmap(memmap.map, memmap.nr_map * memmap.desc_size);
> + early_memunmap(memmap.map, memmap.nr_map * memmap.desc_size);
>   memmap.map = NULL;
>   }
>  }
> @@ -475,12 +475,12 @@ static int __init efi_systab_init(void *
>   if (!data)
>   return -ENOMEM;
>   }
> - systab64 = early_ioremap((unsigned long)phys,
> + systab64 = early_memremap((unsigned long)phys,
>sizeof(*systab64));
>   if (systab64 == NULL) {
>   pr_err("Couldn't map the system table!\n");
>   if (data)
> - early_iounmap(data, sizeof(*data));
> + early_memunmap(data, sizeof(*data));
>   return -ENOMEM;
>   }
>  
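Review bot: the continuation lines under the renamed calls are now misaligned: `early_memremap(` is one character longer than `early_ioremap(`, but `sizeof(*systab64));` on the following line keeps its old indentation, so it no longer lines up with the opening parenthesis. The same applies to the systab32 and runtime hunks further down; re-indent those three continuation lines when applying.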
> @@ -512,9 +512,9 @@ static int __init efi_systab_init(void *
>  systab64->tables;
>   tmp |= data ? data->tables : systab64->tables;
>  
> - early_iounmap(systab64, sizeof(*systab64));
> + early_memunmap(systab64, sizeof(*systab64));
>   if (data)
> - early_iounmap(data, sizeof(*data));
> + early_memunmap(data, sizeof(*data));
>  #ifdef CONFIG_X86_32
>   if (tmp >> 32) {
>   pr_err("EFI data located above 4GB, disabling EFI.\n");
> @@ -524,7 +524,7 @@ static int __init efi_systab_init(void *
>   } else {
>   efi_system_table_32_t *systab32;
>  
> - systab32 = early_ioremap((unsigned long)phys,
> + systab32 = early_memremap((unsigned long)phys,
>sizeof(*systab32));
>   if (systab32 == NULL) {
>   pr_err("Couldn't map the system table!\n");
> @@ -545,7 +545,7 @@ static int __init efi_systab_init(void *
>   efi_systab.nr_tables = systab32->nr_tables;
>   efi_systab.tables = systab32->tables;
>  
> - early_iounmap(systab32, sizeof(*systab32));
> + early_memunmap(systab32, sizeof(*systab32));
>   }
>  
>   efi.systab = _systab;
> @@ -571,7 +571,7 @@ static int __init efi_runtime_init32(voi
>  {
>   efi_runtime_services_32_t *runtime;
>  
> - runtime = early_ioremap((unsigned long)efi.systab->runtime,
> + runtime = early_memremap((unsigned long)efi.systab->runtime,
>   sizeof(efi_runtime_services_32_t));
>   if (!runtime) {
>   pr_err("Could not map the runtime service table!\n");
> @@ -586,7 +586,7 @@ static int __init efi_runtime_init32(voi
>   efi_phys.set_virtual_address_map =
>   (efi_set_virtual_address_map_t *)
>   (unsigned long)runtime->set_virtual_address_map;
> - early_iounmap(runtime, sizeof(efi_runtime_services_32_t));
> + early_memunmap(runtime, sizeof(efi_runtime_services_32_t));
>  
>   return 0;
>  }
> @@ -595,7 +595,7 @@ static int __init efi_runtime_init64(voi
>  {
>   efi_

Re: [PATCH 3.16 37/99] clk: tegra: Mark fuse clock as critical

2020-05-20 Thread Ben Hutchings
On Wed, 2020-05-20 at 15:14 +0100, Ben Hutchings wrote:
> 3.16.84-rc1 review patch.  If anyone has any objections, please let me know.
> 
> --
> 
> From: Stephen Warren 
> 
> commit bf83b96f87ae2abb1e535306ea53608e8de5dfbb upstream.

I've now dropped this, as CLK_IS_CRITICAL is not implemented on 3.16.

Ben.

> For a little over a year, U-Boot on Tegra124 has configured the flow
> controller to perform automatic RAM re-repair on off->on power
> transitions of the CPU rail[1]. This is mandatory for correct operation
> of Tegra124. However, RAM re-repair relies on certain clocks, which the
> kernel must enable and leave running. The fuse clock is one of those
> clocks. Mark this clock as critical so that LP1 power mode (system
> suspend) operates correctly.
> 
> [1] 3cc7942a4ae5 ARM: tegra: implement RAM repair
> 
> Reported-by: Jonathan Hunter 
> Signed-off-by: Stephen Warren 
> Signed-off-by: Thierry Reding 
> Signed-off-by: Ben Hutchings 
> ---
>  drivers/clk/tegra/clk-tegra-periph.c | 6 +-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> --- a/drivers/clk/tegra/clk-tegra-periph.c
> +++ b/drivers/clk/tegra/clk-tegra-periph.c
> @@ -517,7 +517,11 @@ static struct tegra_periph_init_data gat
>   GATE("vcp", "clk_m", 29, 0, tegra_clk_vcp, 0),
>   GATE("apbdma", "clk_m", 34, 0, tegra_clk_apbdma, 0),
>   GATE("kbc", "clk_32k", 36, TEGRA_PERIPH_ON_APB | TEGRA_PERIPH_NO_RESET, 
> tegra_clk_kbc, 0),
> - GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, 0),
> + /*
> +  * Critical for RAM re-repair operation, which must occur on resume
> +  * from LP1 system suspend and as part of CCPLEX cluster switching.
> +  */
> + GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, 
> CLK_IS_CRITICAL),
>   GATE("fuse_burn", "clk_m", 39, TEGRA_PERIPH_ON_APB, 
> tegra_clk_fuse_burn, 0),
>   GATE("kfuse", "clk_m", 40, TEGRA_PERIPH_ON_APB, tegra_clk_kfuse, 0),
>   GATE("apbif", "clk_m", 107, TEGRA_PERIPH_ON_APB, tegra_clk_apbif, 0),
> 
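Review bot: the replacement GATE() entry uses CLK_IS_CRITICAL, which 3.16 does not define (it came in with the upstream "clk: Allow clocks to be marked as CRITICAL" change named earlier in this thread), so this hunk alone produces the "'CLK_IS_CRITICAL' undeclared" build error seen in the test report. Either the flag infrastructure has to be backported first or, as done here, the patch has to be dropped from the series.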
-- 
Ben Hutchings
All the simple programs have been written, and all the good names taken






[PATCH 3.16 01/99] fs/namespace.c: fix mountpoint reference counter race

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Piotr Krysiuk 

A race condition between threads updating mountpoint reference counter
affects longterm releases 4.4.220, 4.9.220, 4.14.177 and 4.19.118.

The mountpoint reference counter corruption may occur when:
* one thread increments m_count member of struct mountpoint
  [under namespace_sem, but not holding mount_lock]
    pivot_root()
* another thread simultaneously decrements the same m_count
  [under mount_lock, but not holding namespace_sem]
    put_mountpoint()
      unhash_mnt()
        umount_mnt()
          mntput_no_expire()

To fix this race condition, grab mount_lock before updating m_count in
pivot_root().

Reference: CVE-2020-12114
Cc: Al Viro 
Signed-off-by: Piotr Krysiuk 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 fs/namespace.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2937,8 +2937,8 @@ SYSCALL_DEFINE2(pivot_root, const char _
/* make certain new is below the root */
if (!is_path_reachable(new_mnt, new.dentry, ))
goto out4;
-   root_mp->m_count++; /* pin it so it won't go away */
lock_mount_hash();
+   root_mp->m_count++; /* pin it so it won't go away */
detach_mnt(new_mnt, _path);
detach_mnt(root_mnt, _parent);
if (root_mnt->mnt.mnt_flags & MNT_LOCKED) {
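Review bot: moving `root_mp->m_count++` below `lock_mount_hash()` matches the description, but the hunk does not show where that pin is later dropped, so please confirm that no path between this `lock_mount_hash()` and the eventual unlock can now leave without the increment having happened where the matching put_mountpoint() expects it. Also, unlike the other patches in this series, the message carries no "commit ... upstream." line for the mainline fix of CVE-2020-12114, which makes it hard to match this backport against the upstream tree.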



[PATCH 3.16 00/99] 3.16.84-rc1 review

2020-05-20 Thread Ben Hutchings
ata/dm-space-map-disk.c |   6 +-
 drivers/md/persistent-data/dm-space-map-metadata.c |   5 +-
 drivers/media/rc/iguanair.c|  15 ++-
 drivers/media/usb/uvc/uvc_driver.c |  12 ++
 drivers/media/v4l2-core/videobuf-dma-sg.c  |   5 +-
 drivers/mmc/host/mmc_spi.c |  11 +-
 drivers/net/bonding/bond_alb.c |  44 +--
 drivers/net/ethernet/freescale/gianfar.c   |  10 +-
 drivers/net/wireless/ath/ath9k/hif_usb.c   |   2 +-
 drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c |   3 +
 drivers/net/wireless/brcm80211/brcmfmac/usb.c  |   3 +-
 drivers/net/wireless/iwlegacy/common.c |   2 +-
 drivers/net/wireless/orinoco/orinoco_usb.c |   4 +-
 drivers/net/wireless/rsi/rsi_91x_usb.c |  12 +-
 drivers/net/wireless/zd1211rw/zd_usb.c |   2 +-
 drivers/of/Kconfig |   4 +
 drivers/of/address.c   |   6 +-
 drivers/pci/setup-bus.c|  20 ++-
 drivers/power/sbs-battery.c|   2 +-
 drivers/rtc/rtc-hym8563.c  |   2 +-
 drivers/scsi/qla2xxx/qla_mbx.c |   3 +-
 drivers/spi/spi-dw.c   |  14 ++-
 drivers/spi/spi-dw.h   |   1 +
 drivers/staging/wlan-ng/prism2mgmt.c   |   2 +-
 drivers/usb/dwc3/core.c|   3 +
 drivers/usb/gadget/f_ecm.c |  16 ++-
 drivers/usb/gadget/f_ncm.c |  17 ++-
 drivers/usb/serial/ir-usb.c| 136 -
 drivers/video/fbdev/pxa168fb.c |   6 +-
 fs/btrfs/ctree.c   |   8 +-
 fs/btrfs/ctree.h   |   6 +-
 fs/btrfs/delayed-ref.c |   8 +-
 fs/btrfs/disk-io.c |   1 -
 fs/btrfs/tests/btrfs-tests.c   |   1 -
 fs/cifs/cifsglob.h |   1 +
 fs/cifs/smb2pdu.c  |  10 +-
 fs/cifs/smb2transport.c|   2 +
 fs/cifs/transport.c|   4 +
 fs/jbd2/checkpoint.c   |   2 +-
 fs/jbd2/commit.c   |   4 +-
 fs/jbd2/journal.c  |  21 ++--
 fs/namespace.c |   2 +-
 fs/nfs/Kconfig |   2 +-
 fs/nfs/dir.c   | 104 +++-
 fs/pnode.c |   9 +-
 fs/reiserfs/super.c|   4 +-
 fs/ubifs/file.c|   5 +-
 include/linux/padata.h |  13 +-
 include/linux/usb/irda.h   |  13 +-
 kernel/padata.c| 134 +++-
 kernel/time/clocksource.c  |  11 +-
 kernel/trace/trace_stat.c  |  31 ++---
 mm/mempolicy.c |   6 +-
 net/ipv4/tcp.c |   1 +
 net/sched/cls_rsvp.h   |   6 +-
 net/sched/ematch.c |   3 +
 net/sunrpc/auth_gss/svcauth_gss.c  |   4 +
 scripts/kconfig/confdata.c |   2 +-
 sound/drivers/dummy.c  |   2 +-
 sound/sh/aica.c|   4 +-
 virt/kvm/ioapic.c  |  15 ++-
 virt/kvm/kvm_main.c|  12 +-
 94 files changed, 711 insertions(+), 444 deletions(-)

-- 
Ben Hutchings
All the simple programs have been written, and all the good names taken



[PATCH 3.16 06/99] padata: get_next is never NULL

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: "Jason A. Donenfeld" 

commit 69b348449bda0f9588737539cfe135774c9939a7 upstream.

Per Dan's static checker warning, the code that returns NULL was removed
in 2010, so this patch updates the comments and fixes the code
assumptions.

Signed-off-by: Jason A. Donenfeld 
Reported-by: Dan Carpenter 
Acked-by: Steffen Klassert 
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
 kernel/padata.c | 13 -
 1 file changed, 4 insertions(+), 9 deletions(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -153,8 +153,6 @@ EXPORT_SYMBOL(padata_do_parallel);
  * A pointer to the control struct of the next object that needs
  * serialization, if present in one of the percpu reorder queues.
  *
- * NULL, if all percpu reorder queues are empty.
- *
  * -EINPROGRESS, if the next object that needs serialization will
  *  be parallel processed by another cpu and is not yet present in
  *  the cpu's reorder queue.
@@ -181,8 +179,6 @@ static struct padata_priv *padata_get_ne
cpu = padata_index_to_cpu(pd, next_index);
next_queue = per_cpu_ptr(pd->pqueue, cpu);
 
-   padata = NULL;
-
reorder = _queue->reorder;
 
spin_lock(>lock);
@@ -234,12 +230,11 @@ static void padata_reorder(struct parall
padata = padata_get_next(pd);
 
/*
-* All reorder queues are empty, or the next object that needs
-* serialization is parallel processed by another cpu and is
-* still on it's way to the cpu's reorder queue, nothing to
-* do for now.
+* If the next object that needs serialization is parallel
+* processed by another cpu and is still on it's way to the
+* cpu's reorder queue, nothing to do for now.
 */
-   if (!padata || PTR_ERR(padata) == -EINPROGRESS)
+   if (PTR_ERR(padata) == -EINPROGRESS)
break;
 
/*
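Review bot: the rewritten comment in padata_reorder() keeps the typo "on it's way", which should read "on its way"; since the hunk is already rewording these lines, fix it here. The simplified `if (PTR_ERR(padata) == -EINPROGRESS)` is safe once NULL is no longer a possible return, which the first two hunks establish.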



[PATCH 3.16 11/99] padata: Remove broken queue flushing

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Herbert Xu 

commit 07928d9bfc81640bab36f5190e8725894d93b659 upstream.

The function padata_flush_queues is fundamentally broken because
it cannot force padata users to complete the request that is
underway.  IOW padata has to passively wait for the completion
of any outstanding work.

As it stands flushing is used in two places.  Its use in padata_stop
is simply unnecessary because nothing depends on the queues to
be flushed afterwards.

The other use in padata_replace is more substantial as we depend
on it to free the old pd structure.  This patch instead uses the
pd->refcnt to dynamically free the pd structure once all requests
are complete.

Fixes: 2b73b07ab8a4 ("padata: Flush the padata queues actively")
Signed-off-by: Herbert Xu 
Reviewed-by: Daniel Jordan 
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -33,6 +33,8 @@
 
 #define MAX_OBJ_NUM 1000
 
+static void padata_free_pd(struct parallel_data *pd);
+
 static int padata_index_to_cpu(struct parallel_data *pd, int cpu_index)
 {
int cpu, target_cpu;
@@ -281,6 +283,7 @@ static void padata_serial_worker(struct
struct padata_serial_queue *squeue;
struct parallel_data *pd;
LIST_HEAD(local_list);
+   int cnt;
 
local_bh_disable();
squeue = container_of(serial_work, struct padata_serial_queue, work);
@@ -290,6 +293,8 @@ static void padata_serial_worker(struct
list_replace_init(>serial.list, _list);
spin_unlock(>serial.lock);
 
+   cnt = 0;
+
while (!list_empty(_list)) {
struct padata_priv *padata;
 
@@ -299,9 +304,12 @@ static void padata_serial_worker(struct
list_del_init(>list);
 
padata->serial(padata);
-   atomic_dec(>refcnt);
+   cnt++;
}
local_bh_enable();
+
+   if (atomic_sub_and_test(cnt, >refcnt))
+   padata_free_pd(pd);
 }
 
 /**
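Review bot: `atomic_sub_and_test(cnt, &pd->refcnt)` can free `pd` from inside the serial worker that was scheduled through `squeue->work`, and `squeue` lives in the per-cpu memory that padata_free_pd() releases, so this is only safe because nothing touches `squeue` or `pd` after this point and nobody flushes the work afterwards; a one-line comment stating that invariant would help future readers. With an empty `local_list` the call becomes a pure test against the counter, which is correct given the base reference of 1 now set in padata_alloc_pd.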
@@ -432,7 +440,7 @@ static struct parallel_data *padata_allo
padata_init_squeues(pd);
atomic_set(>seq_nr, -1);
atomic_set(>reorder_objects, 0);
-   atomic_set(>refcnt, 0);
+   atomic_set(>refcnt, 1);
pd->pinst = pinst;
spin_lock_init(>lock);
pd->cpu = cpumask_first(pd->cpumask.pcpu);
@@ -459,29 +467,6 @@ static void padata_free_pd(struct parall
kfree(pd);
 }
 
-/* Flush all objects out of the padata queues. */
-static void padata_flush_queues(struct parallel_data *pd)
-{
-   int cpu;
-   struct padata_parallel_queue *pqueue;
-   struct padata_serial_queue *squeue;
-
-   for_each_cpu(cpu, pd->cpumask.pcpu) {
-   pqueue = per_cpu_ptr(pd->pqueue, cpu);
-   flush_work(>work);
-   }
-
-   if (atomic_read(>reorder_objects))
-   padata_reorder(pd);
-
-   for_each_cpu(cpu, pd->cpumask.cbcpu) {
-   squeue = per_cpu_ptr(pd->squeue, cpu);
-   flush_work(>work);
-   }
-
-   BUG_ON(atomic_read(>refcnt) != 0);
-}
-
 static void __padata_start(struct padata_instance *pinst)
 {
pinst->flags |= PADATA_INIT;
@@ -495,10 +480,6 @@ static void __padata_stop(struct padata_
pinst->flags &= ~PADATA_INIT;
 
synchronize_rcu();
-
-   get_online_cpus();
-   padata_flush_queues(pinst->pd);
-   put_online_cpus();
 }
 
 /* Replace the internal control structure with a new one. */
@@ -519,8 +500,8 @@ static void padata_replace(struct padata
if (!cpumask_equal(pd_old->cpumask.cbcpu, pd_new->cpumask.cbcpu))
notification_mask |= PADATA_CPU_SERIAL;
 
-   padata_flush_queues(pd_old);
-   padata_free_pd(pd_old);
+   if (atomic_dec_and_test(_old->refcnt))
+   padata_free_pd(pd_old);
 
if (notification_mask)
blocking_notifier_call_chain(>cpumask_change_notifier,
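Review bot: `atomic_dec_and_test(&pd_old->refcnt)` drops the base reference that `atomic_set(&pd->refcnt, 1)` now establishes in padata_alloc_pd, so the old pd is freed by whichever of padata_replace() or the last serial worker runs last. The removed `BUG_ON(atomic_read(&pd->refcnt) != 0)` in padata_flush_queues was the only check that all objects had completed, so the description should spell out this ownership rule, since nothing asserts it any more.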



[PATCH 3.16 08/99] padata: ensure padata_do_serial() runs on the correct CPU

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mathias Krause 

commit 350ef88e7e922354f82a931897ad4a4ce6c686ff upstream.

If the algorithm we're parallelizing is asynchronous we might change
CPUs between padata_do_parallel() and padata_do_serial(). However, we
don't expect this to happen as we need to enqueue the padata object into
the per-cpu reorder queue we took it from, i.e. the same-cpu's parallel
queue.

Ensure we're not switching CPUs for a given padata object by tracking
the CPU within the padata object. If the serial callback gets called on
the wrong CPU, defer invoking padata_reorder() via a kernel worker on
the CPU we're expected to run on.

Signed-off-by: Mathias Krause 
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
 include/linux/padata.h |  2 ++
 kernel/padata.c| 20 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)

--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -37,6 +37,7 @@
  * @list: List entry, to attach to the padata lists.
  * @pd: Pointer to the internal control structure.
  * @cb_cpu: Callback cpu for serializatioon.
+ * @cpu: Cpu for parallelization.
  * @seq_nr: Sequence number of the parallelized data object.
  * @info: Used to pass information from the parallel to the serial function.
  * @parallel: Parallel execution function.
@@ -46,6 +47,7 @@ struct padata_priv {
struct list_headlist;
struct parallel_data*pd;
int cb_cpu;
+   int cpu;
int info;
void(*parallel)(struct padata_priv *padata);
void(*serial)(struct padata_priv *padata);
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -130,6 +130,7 @@ int padata_do_parallel(struct padata_ins
padata->cb_cpu = cb_cpu;
 
target_cpu = padata_cpu_hash(pd);
+   padata->cpu = target_cpu;
queue = per_cpu_ptr(pd->pqueue, target_cpu);
 
spin_lock(>parallel.lock);
@@ -367,10 +368,21 @@ void padata_do_serial(struct padata_priv
int cpu;
struct padata_parallel_queue *pqueue;
struct parallel_data *pd;
+   int reorder_via_wq = 0;
 
pd = padata->pd;
 
cpu = get_cpu();
+
+   /* We need to run on the same CPU padata_do_parallel(.., padata, ..)
+* was called on -- or, at least, enqueue the padata object into the
+* correct per-cpu queue.
+*/
+   if (cpu != padata->cpu) {
+   reorder_via_wq = 1;
+   cpu = padata->cpu;
+   }
+
pqueue = per_cpu_ptr(pd->pqueue, cpu);
 
spin_lock(>reorder.lock);
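Review bot: padata->cpu is fixed when padata_do_parallel() hashes the object, and this hunk unconditionally enqueues onto that CPU's reorder queue even when the serial callback runs elsewhere, so the CPU-hotplug and cpumask-change paths need to either drain objects still referencing the old pd or keep that pd alive until they are serialized. It would also help to say in the comment that `cpu = padata->cpu;` overrides the get_cpu() value only for queue selection, since get_cpu()/put_cpu() still pair on the actual current CPU.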
@@ -387,7 +399,13 @@ void padata_do_serial(struct padata_priv
 
put_cpu();
 
-   padata_reorder(pd);
+   /* If we're running on the wrong CPU, call padata_reorder() via a
+* kernel worker.
+*/
+   if (reorder_via_wq)
+   queue_work_on(cpu, pd->pinst->wq, >reorder_work);
+   else
+   padata_reorder(pd);
 }
 EXPORT_SYMBOL(padata_do_serial);
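Review bot: `queue_work_on(cpu, pd->pinst->wq, ...)` relies on pqueue->reorder_work and invoke_padata_reorder(), which are introduced by the "padata: ensure the reorder timer callback runs on the correct CPU" patch in this series, so this patch must be applied after it or the build breaks. The hunk calls put_cpu() before queue_work_on(); that is fine here because `cpu` holds padata->cpu rather than the current CPU, but a one-line comment would save the next reader the question.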
 



[PATCH 3.16 16/99] crypto: af_alg - Use bh_lock_sock in sk_destruct

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Herbert Xu 

commit 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 upstream.

As af_alg_release_parent may be called from BH context (most notably
due to an async request that only completes after socket closure,
or as reported here because of an RCU-delayed sk_destruct call), we
must use bh_lock_sock instead of lock_sock.

Reported-by: syzbot+c2f1558d49e25cc36...@syzkaller.appspotmail.com
Reported-by: Eric Dumazet 
Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
 crypto/af_alg.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -136,11 +136,13 @@ void af_alg_release_parent(struct sock *
sk = ask->parent;
ask = alg_sk(sk);
 
-   lock_sock(sk);
+   local_bh_disable();
+   bh_lock_sock(sk);
ask->nokey_refcnt -= nokey;
if (!last)
last = !--ask->refcnt;
-   release_sock(sk);
+   bh_unlock_sock(sk);
+   local_bh_enable();
 
if (last)
sock_put(sk);
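Review bot: bh_lock_sock() only takes the socket spinlock and does not wait for a process-context owner that took lock_sock(), so the `ask->refcnt` and `ask->nokey_refcnt` updates in this hunk are no longer excluded from any other path that modifies the same counters while holding lock_sock() alone. Every other writer of these two fields should be audited to take bh_lock_sock() as well, or the counters made atomic; otherwise the decrement and the `last = !--ask->refcnt` test can race with those paths.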



[PATCH 3.16 04/99] padata: Remove unused but set variables

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tobias Klauser 

commit 119a0798dc42ed4c4f96d39b8b676efcea73aec6 upstream.

Remove the unused but set variable pinst in padata_parallel_worker to
fix the following warning when building with 'W=1':

  kernel/padata.c: In function ‘padata_parallel_worker’:
  kernel/padata.c:68:26: warning: variable ‘pinst’ set but not used [-Wunused-but-set-variable]

Also remove the now unused variable pd which is only used to set pinst.

Signed-off-by: Tobias Klauser 
Acked-by: Steffen Klassert 
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
 kernel/padata.c | 4 
 1 file changed, 4 deletions(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -63,15 +63,11 @@ static int padata_cpu_hash(struct parall
 static void padata_parallel_worker(struct work_struct *parallel_work)
 {
struct padata_parallel_queue *pqueue;
-   struct parallel_data *pd;
-   struct padata_instance *pinst;
LIST_HEAD(local_list);
 
local_bh_disable();
pqueue = container_of(parallel_work,
  struct padata_parallel_queue, work);
-   pd = pqueue->pd;
-   pinst = pd->pinst;
 
spin_lock(>parallel.lock);
list_replace_init(>parallel.list, _list);



[PATCH 3.16 10/99] padata: initialize pd->cpu with effective cpumask

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Daniel Jordan 

commit ec9c7d19336ee98ecba8de80128aa405c45feebb upstream.

Exercising CPU hotplug on a 5.2 kernel with recent padata fixes from
cryptodev-2.6.git in an 8-CPU kvm guest...

# modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3
# echo 0 > /sys/devices/system/cpu/cpu1/online
# echo c > /sys/kernel/pcrypt/pencrypt/parallel_cpumask
# modprobe tcrypt mode=215

...caused the following crash:

BUG: kernel NULL pointer dereference, address: 
#PF: supervisor read access in kernel mode
#PF: error_code(0x) - not-present page
PGD 0 P4D 0
Oops:  [#1] SMP PTI
CPU: 2 PID: 134 Comm: kworker/2:2 Not tainted 5.2.0-padata-base+ #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-
Workqueue: pencrypt padata_parallel_worker
RIP: 0010:padata_reorder+0xcb/0x180
...
Call Trace:
 padata_do_serial+0x57/0x60
 pcrypt_aead_enc+0x3a/0x50 [pcrypt]
 padata_parallel_worker+0x9b/0xe0
 process_one_work+0x1b5/0x3f0
 worker_thread+0x4a/0x3c0
 ...

In padata_alloc_pd, pd->cpu is set using the user-supplied cpumask
instead of the effective cpumask, and in this case cpumask_first picked
an offline CPU.

The offline CPU's reorder->list.next is NULL in padata_reorder because
the list wasn't initialized in padata_init_pqueues, which only operates
on CPUs in the effective mask.

Fix by using the effective mask in padata_alloc_pd.

Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder")
Signed-off-by: Daniel Jordan 
Cc: Herbert Xu 
Cc: Steffen Klassert 
Cc: linux-cry...@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
 kernel/padata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -435,7 +435,7 @@ static struct parallel_data *padata_allo
atomic_set(>refcnt, 0);
pd->pinst = pinst;
spin_lock_init(>lock);
-   pd->cpu = cpumask_first(pcpumask);
+   pd->cpu = cpumask_first(pd->cpumask.pcpu);
INIT_WORK(>reorder_work, invoke_padata_reorder);
 
return pd;
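Review bot: `cpumask_first(pd->cpumask.pcpu)` is only correct if pd->cpumask.pcpu has already been computed (the user mask restricted to online CPUs) above this point in padata_alloc_pd(); the hunk context does not show that assignment, so confirm it precedes this line. Also, cpumask_first() returns nr_cpu_ids for an empty mask, and per_cpu_ptr() with that index is out of bounds, so the caller's non-empty-mask check is load-bearing here.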



[PATCH 3.16 13/99] crypto: pcrypt - Fix use-after-free on module unload

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Herbert Xu 

commit 07bfd9bdf568a38d9440c607b72342036011f727 upstream.

On module unload of pcrypt we must unregister the crypto algorithms
first and then tear down the padata structure.  As otherwise the
crypto algorithms are still alive and can be used while the padata
structure is being freed.

Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
Signed-off-by: Herbert Xu 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 crypto/pcrypt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/crypto/pcrypt.c
+++ b/crypto/pcrypt.c
@@ -552,11 +552,12 @@ err:
 
 static void __exit pcrypt_exit(void)
 {
+   crypto_unregister_template(_tmpl);
+
pcrypt_fini_padata();
pcrypt_fini_padata();
 
kset_unregister(pcrypt_kset);
-   crypto_unregister_template(_tmpl);
 }
 
 module_init(pcrypt_init);
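Review bot: moving crypto_unregister_template() ahead of pcrypt_fini_padata() is the right teardown order, but the error unwinding in pcrypt_init() (the `err:` label visible in the hunk context) should be checked to release in the mirror order too, so that on a partial init failure the padata instances are not torn down while the template is still registered.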



[PATCH 3.16 21/99] reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jan Kara 

commit 4d5c1adaf893b8aa52525d2b81995e949bcb3239 upstream.

When we fail to allocate string for journal device name we jump to
'error' label which tries to unlock reiserfs write lock which is not
held. Jump to 'error_unlocked' instead.

Fixes: f32485be8397 ("reiserfs: delay reiserfs lock until journal initialization")
Signed-off-by: Jan Kara 
Signed-off-by: Ben Hutchings 
---
 fs/reiserfs/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -1901,7 +1901,7 @@ static int reiserfs_fill_super(struct su
if (!sbi->s_jdev) {
SWARN(silent, s, "", "Cannot allocate memory for "
"journal device name");
-   goto error;
+   goto error_unlocked;
}
}
 #ifdef CONFIG_QUOTA
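Review bot: switching this one failure path to `goto error_unlocked` fixes the unbalanced unlock, but every other `goto error` between the point where the reiserfs write lock is dropped and where it is re-acquired needs the same treatment; the hunk only shows the s_jdev allocation failure, so the other early exits in that window should be audited in the same pass.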



[PATCH 3.16 07/99] padata: ensure the reorder timer callback runs on the correct CPU

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mathias Krause 

commit cf5868c8a22dc2854b96e9569064bb92365549ca upstream.

The reorder timer function runs on the CPU where the timer interrupt was
handled which is not necessarily one of the CPUs of the 'pcpu' CPU mask
set.

Ensure the padata_reorder() callback runs on the correct CPU, which is
one in the 'pcpu' CPU mask set and, preferably, the next expected one.
Do so by comparing the current CPU with the expected target CPU. If they
match, call padata_reorder() right away. If they differ, schedule a work
item on the target CPU that does the padata_reorder() call for us.

Signed-off-by: Mathias Krause 
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
 include/linux/padata.h |  2 ++
 kernel/padata.c| 43 +-
 2 files changed, 44 insertions(+), 1 deletion(-)

--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -85,6 +85,7 @@ struct padata_serial_queue {
  * @swork: work struct for serialization.
  * @pd: Backpointer to the internal control structure.
  * @work: work struct for parallelization.
+ * @reorder_work: work struct for reordering.
  * @num_obj: Number of objects that are processed by this cpu.
  * @cpu_index: Index of the cpu.
  */
@@ -93,6 +94,7 @@ struct padata_parallel_queue {
struct padata_listreorder;
struct parallel_data *pd;
struct work_structwork;
+   struct work_structreorder_work;
atomic_t  num_obj;
int   cpu_index;
 };
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -279,11 +279,51 @@ static void padata_reorder(struct parall
return;
 }
 
+static void invoke_padata_reorder(struct work_struct *work)
+{
+   struct padata_parallel_queue *pqueue;
+   struct parallel_data *pd;
+
+   local_bh_disable();
+   pqueue = container_of(work, struct padata_parallel_queue, reorder_work);
+   pd = pqueue->pd;
+   padata_reorder(pd);
+   local_bh_enable();
+}
+
 static void padata_reorder_timer(unsigned long arg)
 {
struct parallel_data *pd = (struct parallel_data *)arg;
+   unsigned int weight;
+   int target_cpu, cpu;
 
-   padata_reorder(pd);
+   cpu = get_cpu();
+
+   /* We don't lock pd here to not interfere with parallel processing
+* padata_reorder() calls on other CPUs. We just need any CPU out of
+* the cpumask.pcpu set. It would be nice if it's the right one but
+* it doesn't matter if we're off to the next one by using an outdated
+* pd->processed value.
+*/
+   weight = cpumask_weight(pd->cpumask.pcpu);
+   target_cpu = padata_index_to_cpu(pd, pd->processed % weight);
+
+   /* ensure to call the reorder callback on the correct CPU */
+   if (cpu != target_cpu) {
+   struct padata_parallel_queue *pqueue;
+   struct padata_instance *pinst;
+
+   /* The timer function is serialized wrt itself -- no locking
+* needed.
+*/
+   pinst = pd->pinst;
+   pqueue = per_cpu_ptr(pd->pqueue, target_cpu);
+   queue_work_on(target_cpu, pinst->wq, >reorder_work);
+   } else {
+   padata_reorder(pd);
+   }
+
+   put_cpu();
 }
 
 static void padata_serial_worker(struct work_struct *serial_work)
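Review bot: nothing in this patch cancels or flushes pqueue->reorder_work when a parallel_data is torn down, so a reorder_work queued by the timer just before a cpumask change could run invoke_padata_reorder() against a freed pd; a cancel_work_sync() on each pqueue's reorder_work in the teardown path, or a reference held by the queued work, would close that. The unlocked read of `pd->processed` for the target index is acknowledged in the comment and is acceptable since padata_reorder() re-scans. Minor: the `pinst` local is used once and could be `pd->pinst->wq` inline.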
@@ -404,6 +444,7 @@ static void padata_init_pqueues(struct p
__padata_list_init(>reorder);
__padata_list_init(>parallel);
INIT_WORK(>work, padata_parallel_worker);
+   INIT_WORK(>reorder_work, invoke_padata_reorder);
atomic_set(>num_obj, 0);
}
 }
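Review bot: invoke_padata_reorder() recovers pd through pqueue->pd (container_of on reorder_work), so the `INIT_WORK(&pqueue->reorder_work, ...)` added here is only safe if padata_init_pqueues() assigns pqueue->pd earlier in the same loop; the hunk context does not show that store, so confirm its order relative to the first point at which the timer can queue the work.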



[PATCH 3.16 18/99] crypto: api - Fix race condition in crypto_spawn_alg

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Herbert Xu 

commit 73669cc556462f4e50376538d77ee312142e8a8a upstream.

The function crypto_spawn_alg is racy because it drops the lock
before shooting the dying algorithm.  The algorithm could disappear
altogether before we shoot it.

This patch fixes it by moving the shooting into the locked section.

Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns")
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
 crypto/algapi.c   | 16 +---
 crypto/api.c  |  3 +--
 crypto/internal.h |  1 -
 3 files changed, 6 insertions(+), 14 deletions(-)

--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -628,22 +628,16 @@ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
 static struct crypto_alg *crypto_spawn_alg(struct crypto_spawn *spawn)
 {
struct crypto_alg *alg;
-   struct crypto_alg *alg2;
 
down_read(_alg_sem);
alg = spawn->alg;
-   alg2 = alg;
-   if (alg2)
-   alg2 = crypto_mod_get(alg2);
-   up_read(_alg_sem);
-
-   if (!alg2) {
-   if (alg)
-   crypto_shoot_alg(alg);
-   return ERR_PTR(-EAGAIN);
+   if (alg && !crypto_mod_get(alg)) {
+   alg->cra_flags |= CRYPTO_ALG_DYING;
+   alg = NULL;
}
+   up_read(_alg_sem);
 
-   return alg;
+   return alg ?: ERR_PTR(-EAGAIN);
 }
 
 struct crypto_tfm *crypto_spawn_tfm(struct crypto_spawn *spawn, u32 type,
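Review bot: the hunk now sets `alg->cra_flags |= CRYPTO_ALG_DYING` while holding crypto_alg_sem only for read, whereas the removed crypto_shoot_alg() call did it under the write lock; two readers racing on the same OR are harmless, but CRYPTO_ALG_DYING can now change while other code holds only the read side, which deserves a one-line comment. `return alg ?: ERR_PTR(-EAGAIN);` returns -EAGAIN both when spawn->alg was NULL and when crypto_mod_get() failed, matching the old behaviour.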
--- a/crypto/api.c
+++ b/crypto/api.c
@@ -345,13 +345,12 @@ static unsigned int crypto_ctxsize(struc
return len;
 }
 
-void crypto_shoot_alg(struct crypto_alg *alg)
+static void crypto_shoot_alg(struct crypto_alg *alg)
 {
down_write(_alg_sem);
alg->cra_flags |= CRYPTO_ALG_DYING;
up_write(_alg_sem);
 }
-EXPORT_SYMBOL_GPL(crypto_shoot_alg);
 
 struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
  u32 mask)
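Review bot: making crypto_shoot_alg() static is only clean if a caller remains within crypto/api.c (the export is dropped here and the header declaration in the next file); if no caller is left, this becomes an unused static function warning, so either a remaining call site in api.c should be visible or the function should be removed outright.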
--- a/crypto/internal.h
+++ b/crypto/internal.h
@@ -88,7 +88,6 @@ void crypto_alg_tested(const char *name,
 void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list,
  struct crypto_alg *nalg);
 void crypto_remove_final(struct list_head *list);
-void crypto_shoot_alg(struct crypto_alg *alg);
 struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
  u32 mask);
 void *crypto_create_tfm(struct crypto_alg *alg,



[PATCH 3.16 03/99] spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: "wuxu.wu" 

commit 19b61392c5a852b4e8a0bf35aecb969983c5932d upstream.

dw_spi_irq() and dw_spi_transfer_one() may be called concurrently.

I found a panic in dw_writer(): txw = *(u8 *)(dws->tx), when dw->tx==null,
dw->len==4, and dw->tx_end==1.

When the tpm driver's message times out, dw_spi_irq() and dw_spi_transfer_one
may access dw_spi concurrently, so I think the dw_spi structure lacks protection.

Otherwise dw_spi_transfer_one sets the dw rx/tx buffer and then enables the irq;
the instructions that store dw rx/tx and the instructions on other cores handling
the irq that load dw rx/tx may execute out of order.

[ 1025.321302] Call trace:
...
[ 1025.321319]  __crash_kexec+0x98/0x148
[ 1025.321323]  panic+0x17c/0x314
[ 1025.321329]  die+0x29c/0x2e8
[ 1025.321334]  die_kernel_fault+0x68/0x78
[ 1025.321337]  __do_kernel_fault+0x90/0xb0
[ 1025.321346]  do_page_fault+0x88/0x500
[ 1025.321347]  do_translation_fault+0xa8/0xb8
[ 1025.321349]  do_mem_abort+0x68/0x118
[ 1025.321351]  el1_da+0x20/0x8c
[ 1025.321362]  dw_writer+0xc8/0xd0
[ 1025.321364]  interrupt_transfer+0x60/0x110
[ 1025.321365]  dw_spi_irq+0x48/0x70
...

Signed-off-by: wuxu.wu 
Link: https://lore.kernel.org/r/1577849981-31489-1-git-send-email-wuxu...@huawei.com
Signed-off-by: Mark Brown 
[iwamatsu: Backported to 3.16: adjust context]
Signed-off-by: Nobuhiro Iwamatsu (CIP) 
Signed-off-by: Ben Hutchings 
---
 drivers/spi/spi-dw.c | 14 --
 drivers/spi/spi-dw.h |  1 +
 2 files changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-dw.c
+++ b/drivers/spi/spi-dw.c
@@ -182,9 +182,11 @@ static inline u32 rx_max(struct dw_spi *
 
 static void dw_writer(struct dw_spi *dws)
 {
-   u32 max = tx_max(dws);
+   u32 max;
u16 txw = 0;
 
+   spin_lock(>buf_lock);
+   max = tx_max(dws);
while (max--) {
/* Set the tx word if the transfer's original "tx" is not null 
*/
if (dws->tx_end - dws->len) {
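Review bot: dw_writer() (and dw_reader() in the following hunk) takes `dws->buf_lock` with plain spin_lock(), which is correct when called from dw_spi_irq() as the trace shows, but if either function is also reached from a non-interrupt path such as polled transfers, that path must hold the lock with interrupts disabled, otherwise the IRQ handler can deadlock on the same CPU. Extending the locked region to cover tx_max()/rx_max(), which read dws->tx_end and dws->len, does match the race described in the commit message.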
@@ -196,13 +198,16 @@ static void dw_writer(struct dw_spi *dws
dw_writew(dws, DW_SPI_DR, txw);
dws->tx += dws->n_bytes;
}
+   spin_unlock(>buf_lock);
 }
 
 static void dw_reader(struct dw_spi *dws)
 {
-   u32 max = rx_max(dws);
+   u32 max;
u16 rxw;
 
+   spin_lock(>buf_lock);
+   max = rx_max(dws);
while (max--) {
rxw = dw_readw(dws, DW_SPI_DR);
/* Care rx only if the transfer's original "rx" is not null */
@@ -214,6 +219,7 @@ static void dw_reader(struct dw_spi *dws
}
dws->rx += dws->n_bytes;
}
+   spin_unlock(>buf_lock);
 }
 
 static void *next_transfer(struct dw_spi *dws)
@@ -368,6 +374,7 @@ static void pump_transfers(unsigned long
struct spi_transfer *previous = NULL;
struct spi_device *spi = NULL;
struct chip_data *chip = NULL;
+   unsigned long flags;
u8 bits = 0;
u8 imask = 0;
u8 cs_change = 0;
@@ -406,6 +413,7 @@ static void pump_transfers(unsigned long
dws->dma_width = chip->dma_width;
dws->cs_control = chip->cs_control;
 
+   spin_lock_irqsave(>buf_lock, flags);
dws->rx_dma = transfer->rx_dma;
dws->tx_dma = transfer->tx_dma;
dws->tx = (void *)transfer->tx_buf;
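Review bot: the irqsave critical section added here covers the rx/tx pointer and len assignments, but dw_writer() also depends on `dws->n_bytes` (it advances `dws->tx += dws->n_bytes` under the lock), and that field is not shown being updated inside the locked region; if it is set next to dma_width/cs_control above, it should move under the lock too so the writer never sees a new buffer with a stale word size.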
@@ -415,6 +423,7 @@ static void pump_transfers(unsigned long
dws->len = dws->cur_transfer->len;
if (chip != dws->prev_chip)
cs_change = 1;
+   spin_unlock_irqrestore(>buf_lock, flags);
 
cr0 = chip->cr0;
 
@@ -651,6 +660,7 @@ int dw_spi_add_host(struct device *dev,
dws->dma_addr = (dma_addr_t)(dws->paddr + 0x60);
snprintf(dws->name, sizeof(dws->name), "dw_spi%d",
dws->bus_num);
+   spin_lock_init(>buf_lock);
 
ret = request_irq(dws->irq, dw_spi_irq, IRQF_SHARED, dws->name, dws);
if (ret < 0) {
--- a/drivers/spi/spi-dw.h
+++ b/drivers/spi/spi-dw.h
@@ -116,6 +116,7 @@ struct dw_spi {
size_t  len;
void*tx;
void*tx_end;
+   spinlock_t  buf_lock;
void*rx;
void*rx_end;
int dma_mapped;



[PATCH 3.16 09/99] padata: Replace delayed timer with immediate workqueue in padata_reorder

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Herbert Xu 

commit 6fc4dbcf0276279d488c5fbbfabe94734134f4fa upstream.

The function padata_reorder will use a timer when it cannot progress
while completed jobs are outstanding (pd->reorder_objects > 0).  This
is suboptimal as if we do end up using the timer then it would have
introduced a gratuitous delay of one second.

In fact we can easily distinguish between whether completed jobs
are outstanding and whether we can make progress.  All we have to
do is look at the next pqueue list.

This patch does that by replacing pd->processed with pd->cpu so
that the next pqueue is more accessible.

A work queue is used instead of the original try_again to avoid
hogging the CPU.

Note that we don't bother removing the work queue in
padata_flush_queues because the whole premise is broken.  You
cannot flush async crypto requests so it makes no sense to even
try.  A subsequent patch will fix it by replacing it with a ref
counting scheme.

Signed-off-by: Herbert Xu 
[bwh: Backported to 3.16:
 - Deleted code used the old timer API here
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
 include/linux/padata.h | 13 ++
 kernel/padata.c| 97 --
 2 files changed, 22 insertions(+), 88 deletions(-)

--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -24,7 +24,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 
@@ -85,18 +84,14 @@ struct padata_serial_queue {
  * @serial: List to wait for serialization after reordering.
  * @pwork: work struct for parallelization.
  * @swork: work struct for serialization.
- * @pd: Backpointer to the internal control structure.
  * @work: work struct for parallelization.
- * @reorder_work: work struct for reordering.
  * @num_obj: Number of objects that are processed by this cpu.
  * @cpu_index: Index of the cpu.
  */
 struct padata_parallel_queue {
struct padata_listparallel;
struct padata_listreorder;
-   struct parallel_data *pd;
struct work_structwork;
-   struct work_structreorder_work;
atomic_t  num_obj;
int   cpu_index;
 };
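Review bot: this hunk removes the `pd` backpointer and `reorder_work` from struct padata_parallel_queue that the "padata: ensure the reorder timer callback runs on the correct CPU" patch in this series added, and the next file hunk adds a single reorder_work on struct parallel_data instead, so the series order matters and invoke_padata_reorder() must switch its container_of() to parallel_data; the kernel/padata.c hunks that would show that are cut off on this page.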
@@ -122,10 +117,10 @@ struct padata_cpumask {
  * @reorder_objects: Number of objects waiting in the reorder queues.
  * @refcnt: Number of objects holding a reference on this parallel_data.
  * @max_seq_nr:  Maximal used sequence number.
+ * @cpu: Next CPU to be processed.
  * @cpumask: The cpumasks in use for parallel and serial workers.
+ * @reorder_work: work struct for reordering.
  * @lock: Reorder lock.
- * @processed: Number of already processed objects.
- * @timer: Reorder timer.
  */
 struct parallel_data {
struct padata_instance  *pinst;
@@ -134,10 +129,10 @@ struct parallel_data {
atomic_treorder_objects;
atomic_trefcnt;
atomic_tseq_nr;
+   int cpu;
struct padata_cpumask   cpumask;
+   struct work_struct  reorder_work;
spinlock_t  lock cacheline_aligned;
-   unsigned intprocessed;
-   struct timer_list   timer;
 };
 
 /**
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -163,23 +163,12 @@ EXPORT_SYMBOL(padata_do_parallel);
  */
 static struct padata_priv *padata_get_next(struct parallel_data *pd)
 {
-   int cpu, num_cpus;
-   unsigned int next_nr, next_index;
struct padata_parallel_queue *next_queue;
struct padata_priv *padata;
struct padata_list *reorder;
+   int cpu = pd->cpu;
 
-   num_cpus = cpumask_weight(pd->cpumask.pcpu);
-
-   /*
-* Calculate the percpu reorder queue and the sequence
-* number of the next object.
-*/
-   next_nr = pd->processed;
-   next_index = next_nr % num_cpus;
-   cpu = padata_index_to_cpu(pd, next_index);
next_queue = per_cpu_ptr(pd->pqueue, cpu);
-
reorder = _queue->reorder;
 
spin_lock(>lock);
@@ -190,7 +179,8 @@ static struct padata_priv *padata_get_ne
list_del_init(>list);
atomic_dec(>reorder_objects);
 
-   pd->processed++;
+   pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1,
+   false);
 
spin_unlock(>lock);
goto out;
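Review bot: cpumask_next_wrap() does not appear anywhere else in this patch and the backport note only mentions the timer API and context adjustments; it is newer than 3.16 upstream, so confirm this tree provides a helper with that signature (cpu, mask, start, wrap) or the build fails. Also, pd->cpu is advanced under `reorder->lock` here but read at the top of padata_get_next() without it (`int cpu = pd->cpu;`), which is only safe because padata_reorder() serializes its callers on pd->lock.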
@@ -213,6 +203,7 @@ static void padata_reorder(struct parall
struct padata_priv *padata;
struct padata_serial_queue *squeue;
struct padata_instance *pinst = pd->pinst;
+   struct padata_parallel_queue *next_queue;
 
/*
 * We need to ensure that only one cpu can work on dequeueing of
@@ -244,7 +235,6 @@ static void padata_reorder(s

[PATCH 3.16 15/99] padata: always acquire cpu_hotplug_lock before pinst->lock

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Daniel Jordan 

commit 38228e8848cd7dd86ccb90406af32de0cad24be3 upstream.

lockdep complains when padata's paths to update cpumasks via CPU hotplug
and sysfs are both taken:

  # echo 0 > /sys/devices/system/cpu/cpu1/online
  # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask

  ==
  WARNING: possible circular locking dependency detected
  5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted
  --
  bash/205 is trying to acquire lock:
  8286bcd0 (cpu_hotplug_lock.rw_sem){}, at: padata_set_cpumask+0x2b/0x120

  but task is already holding lock:
  8880001abfa0 (>lock){+.+.}, at: padata_set_cpumask+0x26/0x120

  which lock already depends on the new lock.

padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent
order.  Which should be first?  CPU hotplug calls into padata with
cpu_hotplug_lock already held, so it should have priority.

Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus")
Signed-off-by: Daniel Jordan 
Cc: Eric Biggers 
Cc: Herbert Xu 
Cc: Steffen Klassert 
Cc: linux-cry...@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
 kernel/padata.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -614,8 +614,8 @@ int padata_set_cpumask(struct padata_ins
struct cpumask *serial_mask, *parallel_mask;
int err = -EINVAL;
 
-   mutex_lock(>lock);
get_online_cpus();
+   mutex_lock(>lock);
 
switch (cpumask_type) {
case PADATA_CPU_PARALLEL:
@@ -633,8 +633,8 @@ int padata_set_cpumask(struct padata_ins
err =  __padata_set_cpumasks(pinst, parallel_mask, serial_mask);
 
 out:
-   put_online_cpus();
mutex_unlock(>lock);
+   put_online_cpus();
 
return err;
 }
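Review bot: with the acquisition order now get_online_cpus() then mutex_lock(), the release order at `out:` is correct, but any early exit between the two hunks that does not go through `out:` (for example a direct return from the switch) would now drop the locks in the wrong order or leak one; confirm every path in padata_set_cpumask() funnels through `out:`.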



[PATCH 3.16 24/99] brcmfmac: Fix use after free in brcmf_sdio_readframes()

2020-05-20 Thread Ben Hutchings
3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit 216b44000ada87a63891a8214c347e05a4aea8fe upstream.

The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
static checker warning:

drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes() error: dereferencing freed memory 'pkt'

It looks like there was supposed to be a continue after we free "pkt".

Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
Signed-off-by: Dan Carpenter 
Acked-by: Franky Lin 
Signed-off-by: Kalle Valo 
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings 
---
 drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -1972,6 +1972,7 @@ static uint brcmf_sdio_readframes(struct
   BRCMF_SDIO_FT_NORMAL)) {
rd->len = 0;
brcmu_pkt_buf_free_skb(pkt);
+   continue;
}
bus->sdcnt.rx_readahead_cnt++;
if (rd->len != roundup(rd_new.len, 16)) {
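Review bot: the added `continue` skips the rest of the iteration after `brcmu_pkt_buf_free_skb(pkt)`, but `pkt` is left dangling rather than NULLed, so this is only safe if the loop head unconditionally assigns a fresh `pkt` on every iteration; please confirm that, and that the per-iteration accounting (`rx_readahead_cnt++` and the length check below it) is intentionally skipped for the dropped frame.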


