path: root/lib
Commit message (Author, Age, Files, Lines)
* Merge 3.18.131 into android-msm-marlin-3.18-lts (Greg Kroah-Hartman, 2018-12-21, 3 files, -62/+104)

      Linux 3.18.131
      wil6210: missing length check in wmi_set_ie
    * swiotlb: clean up reporting
        lib/swiotlb.c
      sr: pass down correctly sized SCSI sense buffer
    * posix-timers: Sanitize overrun handling
        include/linux/posix-timers.h
        kernel/time/posix-cpu-timers.c
        kernel/time/posix-timers.c
    * ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command
        include/sound/pcm.h
        sound/core/pcm_lib.c
        sound/core/pcm_native.c
      ALSA: isa/wavefront: prevent some out of bound writes
      i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node
    * cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)
        fs/cifs/Kconfig
      ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling
      libata: whitelist all SAMSUNG MZ7KM* solid-state disks
      Input: omap-keypad - fix keyboard debounce configuration
      ide: pmac: add of_node_put()
      drivers/tty: add missing of_node_put()
      drivers/sbus/char: add of_node_put()
      sbus: char: add of_node_put()
      SUNRPC: Fix a potential race in xprt_connect()
    * bonding: fix 802.3ad state sent to partner when unbinding slave
        drivers/net/bonding/bond_3ad.c
      x86/earlyprintk/efi: Fix infinite loop on some screen widths
      scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload
      scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset
      powerpc: Look for "stdout-path" when setting up legacy consoles
      tracing: Fix memory leak of instance function hash filters
    * tracing: Fix memory leak in set_trigger_filter()
        kernel/trace/trace_events_trigger.c
      MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
      powerpc/boot: Fix random libfdt related build errors
    * timer/debug: Change /proc/timer_list from 0444 to 0400
        kernel/time/timer_list.c
      lib/interval_tree_test.c: allow users to limit scope of endpoint
      lib/rbtree-test: lower default params
      lib/rbtree_test.c: make input module parameters
      lib/interval_tree_test.c: allow full tree search
      lib/interval_tree_test.c: make test options module parameters

    Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * swiotlb: clean up reporting (Kees Cook, 2018-12-21, 1 file, -10/+8)

    commit 7d63fb3af87aa67aa7d24466e792f9d7c57d8e79 upstream.

    This removes needless use of '%p', and refactors the printk calls to use pr_*() helpers instead.

    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    [bwh: Backported to 4.4:
     - Adjust filename
     - Remove "swiotlb: " prefix from an additional log message]
    Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * lib/interval_tree_test.c: allow users to limit scope of endpoint (Davidlohr Bueso, 2018-12-21, 1 file, -10/+13)

    [ Upstream commit a8ec14d4f6aa8e245efacc992c8ee6ea0464ce2a ]

    Add a 'max_endpoint' parameter such that users may easily limit the size of the intervals that are randomly generated.

    Link: http://lkml.kernel.org/r/20170518174936.20265-4-dave@stgolabs.net
    Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
| * lib/rbtree-test: lower default params (Davidlohr Bueso, 2018-12-21, 2 files, -3/+3)

    [ Upstream commit 0b548e33e6cb2bff240fdaf1783783be15c29080 ]

    Fengguang reported soft lockups while running the rbtree and interval tree test modules. The logic for these tests all occur in init phase, and we currently are pounding with the default values for number of nodes and number of iterations of each test. Reduce the latter by two orders of magnitude. This does not influence the value of the tests in that one thousand times by default is enough to get the picture.

    Link: http://lkml.kernel.org/r/20171109161715.xai2dtwqw2frhkcm@linux-n805
    Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
    Reported-by: Fengguang Wu <fengguang.wu@intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
| * lib/rbtree_test.c: make input module parameters (Davidlohr Bueso, 2018-12-21, 1 file, -21/+34)

    [ Upstream commit 223f8911eace60c787f8767c25148b80ece9732a ]

    Allows for more flexible debugging.

    Link: http://lkml.kernel.org/r/20170719014603.19029-5-dave@stgolabs.net
    Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
| * lib/interval_tree_test.c: allow full tree search (Davidlohr Bueso, 2018-12-21, 1 file, -5/+10)

    [ Upstream commit c46ecce431ebe6b1a9551d1f530eb432dae5c39b ]

    ... such that a user can specify visiting all the nodes in the tree (intersects with the world). This is a nice opposite from the very basic default query which is a single point.

    Link: http://lkml.kernel.org/r/20170518174936.20265-5-dave@stgolabs.net
    Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
| * lib/interval_tree_test.c: make test options module parameters (Davidlohr Bueso, 2018-12-21, 1 file, -17/+40)

    [ Upstream commit a54dae0338b7f01eb0f9c7571fb9b74f791d1c6b ]

    Allows for more flexible debugging.

    Link: http://lkml.kernel.org/r/20170518174936.20265-3-dave@stgolabs.net
    Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
* | Merge 3.18.130 into android-msm-marlin-3.18-lts (Petri Gynther, 2018-12-17, 1 file, -1/+2)

      Linux 3.18.130
      selftests: Move networking/timestamping from Documentation
      staging: rts5208: fix gcc-8 logic error warning
      vme: ca91cx42: fix LM_CTL address mask
      vme: Fix wrong pointer utilization in ca91cx42_slave_get
    * exec: avoid gcc-8 warning for get_task_comm
        fs/exec.c
        include/linux/sched.h
    * kconfig: Avoid format overflow warning from GCC 8.1
        scripts/kconfig/confdata.c
      staging: speakup: Replace strncpy with memcpy
      matroxfb: fix size of memcpy
    * pstore: Convert console write to use ->write_buf
        fs/pstore/platform.c
      ocfs2: fix potential use after free
      debugobjects: avoid recursive calls with kmemleak
      hfsplus: do not free node before using
      hfs: do not free node before using
      ocfs2: fix deadlock caused by ocfs2_defrag_extent()
      fscache, cachefiles: remove redundant variable 'cache'
      fscache: fix race between enablement and dropping of object
      drm/ast: fixed reading monitor EDID not stable issue
      KVM: x86: fix empty-body warnings
      USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
      USB: omap_udc: fix omap_udc_start() on 15xx machines
      USB: omap_udc: fix crashes on probe error and module removal
      USB: omap_udc: use devm_request_irq()
      exportfs: do not read dentry after free
      ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
      ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE
      Btrfs: send, fix infinite loop due to directory rename dependencies
      hwmon: (w83795) temp4_type has writable permission
      s390/cpum_cf: Reject request for sampling in event initialization
      sysv: return 'err' instead of 0 in __sysv_write_inode
      ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
      ARM: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup
    * ipv6: Check available headroom in ip6_xmit() even without options
        net/ipv6/ip6_output.c
    * neighbour: Avoid writing before skb->head in neigh_hh_output()
        include/net/neighbour.h
    * tun: forbid iface creation with rtnl ops
        drivers/net/tun.c
    * rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
        net/core/rtnetlink.c
      net: Prevent invalid access to skb->prev in __qdisc_drop_all
      net: 8139cp: fix a BUG triggered by changing mtu with network traffic

    Change-Id: I0f9e64f278de37078e891b54e3f7c3a397e229ad
    Signed-off-by: Petri Gynther <pgynther@google.com>
| * debugobjects: avoid recursive calls with kmemleak (Qian Cai, 2018-12-17, 1 file, -1/+2)

    [ Upstream commit 8de456cf87ba863e028c4dd01bae44255ce3d835 ]

    CONFIG_DEBUG_OBJECTS_RCU_HEAD does not play well with kmemleak due to recursive calls.

    fill_pool
      kmemleak_ignore
        make_black_object
          put_object
            __call_rcu (kernel/rcu/tree.c)
              debug_rcu_head_queue
                debug_object_activate
                  debug_object_init
                    fill_pool
                      kmemleak_ignore
                        make_black_object
                          ...

    So add SLAB_NOLEAKTRACE to kmem_cache_create() to not register newly allocated debug objects at all.

    Link: http://lkml.kernel.org/r/20181126165343.2339-1-cai@gmx.us
    Signed-off-by: Qian Cai <cai@gmx.us>
    Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
    Acked-by: Waiman Long <longman@redhat.com>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Yang Shi <yang.shi@linux.alibaba.com>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
* | Merge 3.18.129 into android-msm-marlin-3.18-lts (Greg Kroah-Hartman, 2018-12-13, 1 file, -1/+1)

      Linux 3.18.129
      mac80211: fix reordering of buffered broadcast packets
      mac80211: Clear beacon_int in ieee80211_do_stop
      kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
      Staging: lustre: remove two build warnings
      USB: serial: option: add device ID for HP lt2523 (Novatel E371)
    * xhci: Prevent U1/U2 link pm states if exit latency is too long
        drivers/usb/host/xhci.c
      SUNRPC: Fix leak of krb5p encode pages
    * ALSA: pcm: Fix interval evaluation with openmin/max
        include/sound/pcm_params.h
    * ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
        sound/core/pcm_native.c
      ALSA: hda: Add support for AMD Stoney Ridge
    * USB: check usb_get_extra_descriptor for proper size
        drivers/usb/core/hub.c
        drivers/usb/core/usb.c
        include/linux/usb.h
      usb: appledisplay: Add 27" Apple Cinema Display
    * usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
        drivers/usb/core/quirks.c
      powerpc/vdso64: Use double word compare on pointers
      net: amd: add missing of_node_put()
      net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts
      net/mlx4: Fix UBSAN warning of signed integer overflow
      net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
      can: rcar_can: Fix erroneous registration
      iommu/ipmmu-vmsa: Fix crash on early domain free
      usb: gadget: dummy: fix nonsensical comparisons
    * mm: cleancache: fix corruption on missed inode invalidation
        mm/truncate.c
    * Input: xpad - quirk all PDP Xbox One gamepads
        drivers/input/joystick/xpad.c
      kgdboc: Fix warning with module build
      kgdboc: Fix restrict error
      scsi: csiostor: Avoid content leaks and casts
      ALSA: trident: Suppress gcc string warning
    * scsi: scsi_devinfo: cleanly zero-pad devinfo strings
        drivers/scsi/scsi_devinfo.c
      drm/ast: Fix incorrect free on ioregs
      mips: fix mips_get_syscall_arg o32 check
      uprobes: Fix handle_swbp() vs. unregister() + register() race once more
      iser: set sector for ambiguous mr status errors
      kdb: use memmove instead of overlapping memcpy
      scsi: bfa: convert to strlcpy/strlcat
      drm: gma500: fix logic error
    * ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
        net/ipv4/ip_tunnel.c
    * kernfs: Replace strncpy with memcpy
        fs/kernfs/symlink.c
      unifdef: use memcpy instead of strncpy
    * kobject: Replace strncpy with memcpy
        lib/kobject.c
    * disable stringop truncation warnings for now
        Makefile
    * Kbuild: suppress packed-not-aligned warning for default setting only
        scripts/Makefile.extrawarn
    * usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
        drivers/usb/core/quirks.c
    * USB: usb-storage: Add new IDs to ums-realtek
        drivers/usb/storage/unusual_realtek.h
      dmaengine: at_hdmac: fix module unloading
      dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
      ext2: fix potential use after free
      ALSA: sparc: Fix invalid snd_free_pages() at error path
      ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
      ALSA: wss: Fix invalid snd_free_pages() at error path
      usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
      s390/qeth: fix length check in SNMP processing
      rapidio/rionet: do not free skb before reading its length
      Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()"

    Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * kobject: Replace strncpy with memcpy (Guenter Roeck, 2018-12-13, 1 file, -1/+1)

    commit 77d2a24b6107bd9b3bf2403a65c1428a9da83dd0 upstream.

    gcc 8.1.0 complains:

    lib/kobject.c:128:3: warning: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
    lib/kobject.c: In function 'kobject_get_path':
    lib/kobject.c:125:13: note: length computed here

    Using strncpy() is indeed less than perfect since the length of data to be copied has already been determined with strlen(). Replace strncpy() with memcpy() to address the warning and optimize the code a little.

    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge 3.18.127 into android-msm-marlin-3.18-lts (Greg Kroah-Hartman, 2018-12-10, 1 file, -2/+2)

      Linux 3.18.127
    * HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
        drivers/hid/uhid.c
    * new helper: uaccess_kernel()
        include/linux/uaccess.h
      ACPI / platform: Add SMB0001 HID to forbidden_id_list
      USB: misc: appledisplay: add 20" Apple Cinema Display
      misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
    * usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
        drivers/usb/core/quirks.c
    * USB: quirks: Add no-lpm quirk for Raydium touchscreens
        drivers/usb/core/quirks.c
      usb: cdc-acm: add entry for Hiro (Conexant) modem
    * uio: Fix an Oops on load
        drivers/uio/uio.c
    * media: v4l: event: Add subscription to list before calling "add" operation
        drivers/media/v4l2-core/v4l2-event.c
    * Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV"
        drivers/bluetooth/Kconfig
      SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer()
      Revert "Revert "drm/i915: Fix mutex->owner inspection race under DEBUG_MUTEXES""
    * zram: close udev startup race condition as default groups
        drivers/block/zram/zram_drv.c
      lib/raid6: Fix arm64 test build
      s390/vdso: add missing FORCE to build targets
      clk: samsung: exynos5420: Enable PERIS clocks for suspend
      fs/exofs: fix potential memory leak in mount option parsing
      um: Give start_idle_thread() a return code
      hfsplus: prevent btree data loss on root split
      hfs: prevent btree data loss on root split
      reiserfs: propagate errors from fill_with_dentries() properly
    * net-gro: reset skb->pkt_type in napi_reuse_skb()
        net/core/dev.c

    Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * lib/raid6: Fix arm64 test build (Jeremy Linton, 2018-11-27, 1 file, -2/+2)

    [ Upstream commit 313a06e636808387822af24c507cba92703568b1 ]

    The lib/raid6/test fails to build the neon objects on arm64 because the correct machine type is 'aarch64'.

    Once this is correctly enabled, the neon recovery objects need to be added to the build.

    Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
* | Merge 3.18.126 into android-msm-marlin-3.18-lts (Greg Kroah-Hartman, 2018-12-10, 1 file, -1/+1)

      Linux 3.18.126
      hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
    * configfs: replace strncpy with memcpy
        fs/configfs/symlink.c
    * fuse: fix leaked notify reply
        fs/fuse/dev.c
      sunrpc: correct the computation for page_ptr when truncating
    * mount: Prevent MNT_DETACH from disconnecting locked mounts
        fs/namespace.c
    * mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
        fs/namespace.c
    * mount: Retest MNT_LOCKED in do_umount
        fs/namespace.c
    * ext4: fix buffer leak in __ext4_read_dirblock() on error path
        fs/ext4/namei.c
    * ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
        fs/ext4/xattr.c
    * ext4: release bs.bh before re-using in ext4_xattr_block_find()
        fs/ext4/xattr.c
    * ext4: fix possible leak of sbi->s_group_desc_leak in error path
        fs/ext4/super.c
    * ext4: avoid possible double brelse() in add_new_gdb() on error path
        fs/ext4/resize.c
    * ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing
        fs/ext4/resize.c
    * ext4: avoid buffer leak in ext4_orphan_add() after prior errors
        fs/ext4/namei.c
    * ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
        fs/ext4/resize.c
    * ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
        fs/ext4/resize.c
    * ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
        fs/ext4/resize.c
    * ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
        fs/ext4/resize.c
    * ext4: add missing brelse() update_backups()'s error path
        fs/ext4/resize.c
      arch/alpha, termios: implement BOTHER, IBSHIFT and termios2
    * termios, tty/tty_baudrate.c: fix buffer overrun
        drivers/tty/tty_ioctl.c
    * mtd: docg3: don't set conflicting BCH_CONST_PARAMS option
        drivers/mtd/devices/Kconfig
      ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry
      mach64: fix image corruption due to reading accelerator registers
      mach64: fix display corruption on big endian machines
      libceph: bump CEPH_MSG_MAX_DATA_LEN
      xtensa: fix boot parameters address translation
      cdrom: fix improper type cast, which can leat to information leak.
      9p: clear dangling pointers in p9stat_free
      media: tvp5150: fix width alignment during set_selection()
      powerpc/boot: Ensure _zimage_start is a weak symbol
      MIPS: kexec: Mark CPU offline before disabling local IRQ
      media: pci: cx23885: handle adding to list failure
      drm/omap: fix memory barrier bug in DMM driver
      powerpc/nohash: fix undefined behaviour when testing page size support
    * tty: check name length in tty_find_polling_driver()
        drivers/tty/tty_io.c
    * dm: remove duplicate dm_get_live_table() in __dm_destroy()
        drivers/md/dm.c
      Cramfs: fix abad comparison when wrap-arounds occur
      media: em28xx: make v4l2-compliance happier by starting sequence on zero
      media: em28xx: fix input name for Terratec AV 350
      media: em28xx: use a default format if TRY_FMT fails
      kgdboc: Passing ekgdboc to command line causes panic
      TC: Set DMA masks for devices
    * dm ioctl: harden copy_params()'s copy_from_user() from malicious users
        drivers/md/dm-ioctl.c
      lockd: fix access beyond unterminated strings in prints
      nfsd: Fix an Oops in free_session()
      NFSv4.1: Fix the r/wsize checking
    * printk: Fix panic caused by passing log_buf_len to command line
        kernel/printk/printk.c
      smb3: on kerberos mount if server doesn't specify auth type use krb5
      smb3: do not attempt cifs operation in smb3 query info error path
      smb3: allow stats which track session and share reconnects to be reset
      w1: omap-hdq: fix missing bus unregister at removal
      iio: adc: at91: fix wrong channel number in triggered buffer mode
      iio: adc: at91: fix acking DRDY irq on simple conversions
    * kbuild: fix kernel/bounds.c 'W=1' warning
        kernel/bounds.c
      ima: fix showing large 'violations' or 'runtime_measurements_count'
      crypto: lrw - Fix out-of bounds access on counter overflow
      signal/GenWQE: Fix sending of SIGKILL
    * ext4: initialize retries variable in ext4_da_write_inline_data_begin()
        fs/ext4/inline.c
      gfs2_meta: ->mount() can get NULL dev_name
    * jbd2: fix use after free in jbd2_log_do_checkpoint()
        fs/jbd2/checkpoint.c
      net/ipv4: defensive cipso option parsing
    * signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init
        kernel/signal.c
      scsi: lpfc: Correct soft lockup when running mds diagnostics
    * uio: ensure class is registered before devices
        drivers/uio/uio.c
      usb: chipidea: Prevent unbalanced IRQ disable
    * ext4: fix argument checking in EXT4_IOC_MOVE_EXT
        fs/ext4/move_extent.c
      scsi: esp_scsi: Track residual for PIO transfers
      ath10k: schedule hardware restart if WMI command times out
      kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()
      x86: boot: Fix EFI stub alignment
      mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01
      perf tools: Cleanup trace-event-info 'tdata' leak
      perf tools: Free temporary 'sys' string in read_event_files()
    * tun: Consistently configure generic netdev params via rtnetlink
        drivers/net/tun.c
      swim: fix cleanup on setup error
      ataflop: fix error handling during setup
    * locking/lockdep: Fix debug_locks off performance problem
        lib/debug_locks.c
      selftests: ftrace: Add synthetic event syntax testcase
      net: qla3xxx: Remove overflowing shift statement
      sparc: Throttle perf events properly.
      sparc: Fix single-pcr perf event counter management.
      x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided
      ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
      pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
      jffs2: free jffs2_sb_info through jffs2_kill_sb()
      bcache: fix miss key refill->end in writeback

    Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * locking/lockdep: Fix debug_locks off performance problem (Waiman Long, 2018-11-22, 1 file, -1/+1)

    [ Upstream commit 9506a7425b094d2f1d9c877ed5a78f416669269b ]

    It was found that when debug_locks was turned off because of a problem found by the lockdep code, the system performance could drop quite significantly when the lock_stat code was also configured into the kernel. For instance, parallel kernel build time on a 4-socket x86-64 server nearly doubled.

    Further analysis into the cause of the slowdown traced back to the frequent call to debug_locks_off() from the __lock_acquired() function probably due to some inconsistent lockdep states with debug_locks off. The debug_locks_off() function did an unconditional atomic xchg to write a 0 value into debug_locks which had already been set to 0. This led to severe cacheline contention in the cacheline that held debug_locks. As debug_locks is being referenced in quite a few different places in the kernel, this greatly slows down the system performance.

    To prevent that trashing of debug_locks cacheline, lock_acquired() and lock_contended() now checks the state of debug_locks before proceeding. The debug_locks_off() function is also modified to check debug_locks before calling __debug_locks_off().

    Signed-off-by: Waiman Long <longman@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Will Deacon <will.deacon@arm.com>
    Link: http://lkml.kernel.org/r/1539913518-15598-1-git-send-email-longman@redhat.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * lib: make memzero_explicit more robust against dead store elimination (Daniel Borkmann, 2018-11-10, 1 file, -1/+1)

    [ Upstream commit 7829fb09a2b4268b30dd9bc782fa5ebee278b137 ]

    In commit 0b053c951829 ("lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR"), we made memzero_explicit() more robust in case LTO would decide to inline memzero_explicit() and eventually find out it could be eliminated as dead store.

    While using barrier() works well for the case of gcc, recent efforts from LLVMLinux people suggest to use llvm as an alternative to gcc, and there, Stephan found in a simple stand-alone user space example that llvm could nevertheless optimize and thus eliminate the memset(). A similar issue has been observed in the referenced llvm bug report, which is regarded as not-a-bug.

    Based on some experiments, icc is a bit special on its own, while it doesn't seem to eliminate the memset(), it could do so with an own implementation, and then result in similar findings as with llvm.

    The fix in this patch now works for all three compilers (also tested with more aggressive optimization levels). Arguably, in the current kernel tree it's more of a theoretical issue, but imho, it's better to be pedantic about it.

    It's clearly visible with gcc/llvm though, with the below code: if we would have used barrier() only here, llvm would have omitted clearing, not so with barrier_data() variant:

      static inline void memzero_explicit(void *s, size_t count)
      {
        memset(s, 0, count);
        barrier_data(s);
      }

      int main(void)
      {
        char buff[20];
        memzero_explicit(buff, sizeof(buff));
        return 0;
      }

      $ gcc -O2 test.c
      $ gdb a.out
      (gdb) disassemble main
      Dump of assembler code for function main:
       0x0000000000400400 <+0>: lea -0x28(%rsp),%rax
       0x0000000000400405 <+5>: movq $0x0,-0x28(%rsp)
       0x000000000040040e <+14>: movq $0x0,-0x20(%rsp)
       0x0000000000400417 <+23>: movl $0x0,-0x18(%rsp)
       0x000000000040041f <+31>: xor %eax,%eax
       0x0000000000400421 <+33>: retq
      End of assembler dump.

      $ clang -O2 test.c
      $ gdb a.out
      (gdb) disassemble main
      Dump of assembler code for function main:
       0x00000000004004f0 <+0>: xorps %xmm0,%xmm0
       0x00000000004004f3 <+3>: movaps %xmm0,-0x18(%rsp)
       0x00000000004004f8 <+8>: movl $0x0,-0x8(%rsp)
       0x0000000000400500 <+16>: lea -0x18(%rsp),%rax
       0x0000000000400505 <+21>: xor %eax,%eax
       0x0000000000400507 <+23>: retq
      End of assembler dump.

    As gcc, clang, but also icc defines __GNUC__, it's sufficient to define this in compiler-gcc.h only to be picked up. For a fallback or otherwise unsupported compiler, we define it as a barrier. Similarly, for ecc which does not support gcc inline asm.

    Reference: https://llvm.org/bugs/show_bug.cgi?id=15495
    Reported-by: Stephan Mueller <smueller@chronox.de>
    Tested-by: Stephan Mueller <smueller@chronox.de>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Stephan Mueller <smueller@chronox.de>
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: mancha security <mancha1@zoho.com>
    Cc: Mark Charlebois <charlebm@gmail.com>
    Cc: Behan Webster <behanw@converseincode.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
* | Merge 3.18.123 into android-msm-marlin-3.18-lts (Greg Kroah-Hartman, 2018-10-10, 1 file, -2/+5)

      Linux 3.18.123
      USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
      drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
    * ALSA: pcm: Fix snd_interval_refine first/last with open min/max
        sound/core/pcm_lib.c
      rtc: bq4802: add error handling for devm_ioremap
      parport: sunbpp: fix error return code
      ARM: hisi: check of_iomap and fix missing of_node_put
      ARM: hisi: handle of_iomap and fix missing of_node_put
      MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
      mtdchar: fix overflows in adjustment of `count`
    * audit: fix use-after-free in audit_add_watch
        kernel/audit_watch.c
    * binfmt_elf: Respect error return from `regset->active'
        fs/binfmt_elf.c
      CIFS: fix wrapping bugs in num_entries()
      cifs: prevent integer overflow in nxt_dir_entry()
      usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()
      USB: yurex: Fix buffer over-read in yurex_write()
      usb: misc: uss720: Fix two sleep-in-atomic-context bugs
      USB: serial: io_ti: fix array underflow in completion handler
      usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()
    * usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
        drivers/usb/core/message.c
    * USB: Add quirk to support DJI CineSSD
        drivers/usb/core/quirks.c
        drivers/usb/storage/scsiglue.c
        drivers/usb/storage/unusual_devs.h
    * usb: Don't die twice if PCI xhci host is not responding in resume
        drivers/usb/core/hcd-pci.c
      Tools: hv: Fix a bug in the key delete code
      IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
      xen/netfront: fix waiting for xenbus state change
    * pstore: Fix incorrect persistent ram buffer mapping
        fs/pstore/ram_core.c
      RDMA/cma: Protect cma dev list with lock
      platform/x86: toshiba_acpi: Fix defined but not used build warnings
      s390/qeth: reset layer2 attribute on layer switch
      s390/qeth: fix race in used-buffer accounting
      mac80211: restrict delayed tailroom needed decrement
      powerpc/powernv: opal_put_chars partial write fix
    * perf powerpc: Fix callchain ip filtering
        tools/perf/arch/powerpc/util/skip-callchain-idx.c
    * fbdev: Distinguish between interlaced and progressive modes
        drivers/video/fbdev/core/modedb.c
    * perf powerpc: Fix callchain ip filtering when return address is in a register
        tools/perf/arch/powerpc/util/skip-callchain-idx.c
      fbdev/via: fix defined but not used warning
      video: goldfishfb: fix memory leak on driver remove
      fbdev: omapfb: off by one in omapfb_register_client()
      mtd/maps: fix solutionengine.c printk format warnings
      MIPS: ath79: fix system restart
      gfs2: Special-case rindex for gfs2_grow
    * xfrm: fix 'passing zero to ERR_PTR()' warning
        net/xfrm/xfrm_policy.c
    * ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
        sound/usb/quirks-table.h
      ALSA: msnd: Fix the default sample sizes
    * mm: get rid of vmacache_flush_all() entirely
        include/linux/mm_types.h
        include/linux/sched.h
        include/linux/vmacache.h
        mm/debug.c
        mm/vmacache.c
    * netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
        net/netfilter/x_tables.c
    * xhci: Fix use-after-free in xhci_free_virt_device
        drivers/usb/host/xhci.c
      MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
      f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
      mfd: ti_am335x_tscadc: Fix struct clk memory leak
      partitions/aix: fix usage of uninitialized lv_info and lvname structures
      partitions/aix: append null character to print data from disk
      net: dcb: For wild-card lookups, use priority -1, not 0
      net: mvneta: fix mtu change on port without link
      gpio: ml-ioh: Fix buffer underwrite on probe error path
      x86/mm: Remove in_nmi() warning from vmalloc_fault()
      Bluetooth: hidp: Fix handling of strncpy for hid->name information
      scsi: 3ware: fix return 0 on the error path of probe
      ata: libahci: Correct setting of DEVSLP register
      MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
      ath10k: prevent active scans on potential unusable channels
      macintosh/via-pmu: Add missing mmio accessors
      tty: rocket: Fix possible buffer overwrite on register_PCI
    * uio: potential double frees if __uio_register_device() fails
        drivers/uio/uio.c
      md/raid5: fix data corruption of replacements after originals dropped
      scsi: target: fix __transport_register_session locking
    * Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
        drivers/bluetooth/Kconfig
      staging/rts5208: Fix read overflow in memcpy
      staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
      kthread: fix boot hang (regression) on MIPS/OpenRISC
    * kthread: Fix use-after-free if kthread fork fails
        kernel/fork.c
    * cfq: Give a chance for arming slice idle timer in case of group_idle
        block/cfq-iosched.c
      i2c: xiic: Make the start and the byte count write atomic
      ASoC: wm8994: Fix missing break in switch
      Fixes: Commit 86af955d02bb ("mm: numa: avoid waiting on freed migrated pages")
      enic: do not call enic_change_mtu in enic_probe
      irda: Only insert new objects into the global database via setsockopt
      irda: Fix memory leak caused by repeated binds of irda socket
    * kbuild: make missing $DEPMOD a Warning instead of an Error
        scripts/depmod.sh
      debugobjects: Make stack check warning more informative
      btrfs: Don't remove block group that still has pinned down bytes
      btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
      btrfs: replace: Reset on-disk dev stats value after replace
      powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
      SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
      smb3: fix reset of bytes read and written stats
      selftests/powerpc: Kill child processes on SIGINT
      staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
    * dm kcopyd: avoid softlockup in run_complete_job
        drivers/md/dm-kcopyd.c
      PCI: mvebu: Fix I/O space end address calculation
      scsi: aic94xx: fix an error code in aic94xx_init()
      s390/dasd: fix hanging offline processing due to canceled worker
      powerpc: Fix size calculation using resource_size()
    * net/9p: fix error path of p9_virtio_probe
        net/9p/trans_virtio.c
      platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
      mfd: sm501: Set coherent_dma_mask when creating subdevices
      ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
    * mm/fadvise.c: fix signed overflow UBSAN complaint
        mm/fadvise.c
    * scripts: modpost: check memory allocation results
        scripts/mod/modpost.c
    * fat: validate ->i_start before using
        fs/fat/cache.c
        fs/fat/fat.h
        fs/fat/fatent.c
      reiserfs: change j_timestamp type to time64_t
    * fork: don't copy inconsistent signal handler state to child
        kernel/fork.c
      hfs: prevent crash on exit from failed search
      hfsplus: don't return 0 when fill_super() failed
      cifs: check if SMB2 PDU size has been padded and suppress the warning

    Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * debugobjects: Make stack check warning more informative  Joel Fernandes (Google)  2018-09-26  1  -2/+5
commit fc91a3c4c27acdca0bc13af6fbb68c35cfd519f2 upstream.

While debugging an issue debugobject tracking warned about an annotation issue of an object on stack. It turned out that the issue was due to the object in concern being on a different stack which was due to another issue.

Thomas suggested to print the pointers and the location of the stack for the currently running task. This helped to figure out that the object was on the wrong stack.

As this is general useful information for debugging similar issues, make the error message more informative by printing the pointers.

[ tglx: Massaged changelog ]

Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Waiman Long <longman@redhat.com>
Acked-by: Yang Shi <yang.shi@linux.alibaba.com>
Cc: kernel-team@android.com
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: astrachan@google.com
Link: https://lkml.kernel.org/r/20180723212531.202328-1-joel@joelfernandes.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge 3.18.108 into android-msm-marlin-3.18-lts  Petri Gynther  2018-08-17  1  -7/+5
Linux 3.18.108
Revert "perf tests: Decompress kernel module before objdump"
libceph: validate con->state at the top of try_write()
ASoC: fsl_esai: Fix divisor calculation failure at lower ratio
* scsi: sd: Defer spinning up drive while SANITIZE is in progress
    drivers/scsi/sd.c
* kobject: don't use WARN for registration failures
    lib/kobject.c
mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
* ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
    sound/core/pcm_native.c
* tty: Use __GFP_NOFAIL for tty_ldisc_get()
    drivers/tty/tty_ldisc.c
tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set
tty: n_gsm: Fix long delays with control frame timeouts in ADM mode
virtio_console: free buffers after reset
* virtio: add ability to iterate over vqs
    include/linux/virtio.h
* ALSA: usb-audio: Skip broken EU on Dell dock USB-audio
    sound/usb/mixer_maps.c
* USB: Increment wakeup count on remote wakeup.
    drivers/usb/core/hcd.c
    drivers/usb/core/hub.c
* usb: core: Add quirk for HP v222w 16GB Mini
    drivers/usb/core/quirks.c
USB: serial: cp210x: add ID for NI USB serial console
USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster
usbip: vhci_hcd: Fix usb device and sockfd leaks
usbip: usbip_host: fix to hold parent lock for device_attach() calls
* ext4: fix bitmap position validation
    fs/ext4/balloc.c
* ext4: add validity checks for bitmap block numbers
    fs/ext4/balloc.c
    fs/ext4/ialloc.c
* ext4: set h_journal if there is a failure starting a reserved handle
    fs/jbd2/transaction.c

Change-Id: Iaf1b40ee7359c5e01892e344b641264f29cd8ce9
Signed-off-by: Petri Gynther <pgynther@google.com>
| * kobject: don't use WARN for registration failures  Dmitry Vyukov  2018-05-02  1  -7/+5
commit 3e14c6abbfb5c94506edda9d8e2c145d79375798 upstream.

This WARNING proved to be noisy. The function still returns an error and callers should handle it. That's how most of kernel code works. Downgrade the WARNING to pr_err() and leave WARNINGs for kernel bugs.

Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: syzbot+209c0f67f99fec8eb14b@syzkaller.appspotmail.com
Reported-by: syzbot+7fb6d9525a4528104e05@syzkaller.appspotmail.com
Reported-by: syzbot+2e63711063e2d8f9ea27@syzkaller.appspotmail.com
Reported-by: syzbot+de73361ee4971b6e6f75@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge 3.18.100 into android-msm-marlin-3.18  Thierry Strudel  2018-03-20  7  -62/+71
Linux 3.18.100 fixup: sctp: verify size of a new chunk in _sctp_make_chunk() serial: 8250_pci: Add Brainboxes UC-260 4 port serial device usb: usbmon: Read text within supplied buffer size USB: usbmon: remove assignment from IS_ERR argument * usb: quirks: add control message delay for 1b1c:1b20 * staging: android: ashmem: Fix lockdep issue during llseek uas: fix comparison for error code tty/serial: atmel: add new version check for usart serial: sh-sci: prevent lockup on full TTY buffers x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 x86/module: Detect and skip invalid relocations scripts: recordmcount: break hardlinks ubi: Fix race condition between ubi volume creation and udev netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt netfilter: bridge: ebt_among: add missing match size checks * netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets * netfilter: IDLETIMER: be syzkaller friendly * netfilter: nat: cope with negative port range netfilter: x_tables: fix missing timer initialization in xt_LED ALSA: seq: More protection for concurrent write and ioctl races ALSA: seq: Don't allow resizing pool in use x86/MCE: Serialize sysfs changes Input: matrix_keypad - fix race when disabling interrupts MIPS: BMIPS: Do not mask IPIs during suspend scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS Linux 3.18.99 * dm io: fix duplicate bio completion due to missing ref count * fib_semantics: Don't match route with mismatching tclassid * net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68 sctp: verify size of a new chunk in _sctp_make_chunk() s390/qeth: fix IPA command submission race s390/qeth: fix SETIP command handling sctp: fix dst refcnt leak in sctp_v6_get_dst() * udplite: fix partial checksum initialization * ppp: prevent unregistered channels from connecting to PPP units * netlink: ensure to loop over all netns in
genlmsg_multicast_allns() * net: fix race on decreasing number of TX queues * ipv6 sit: work around bogus gcc-8 -Wrestrict warning hdlc_ppp: carrier detect ok, don't turn off negotiation * bridge: check brport attr show in brport_show * leds: do not overflow sysfs buffer in led_trigger_show net: fec: introduce fec_ptp_stop and use in probe fail path ARM: mvebu: Fix broken PL310_ERRATA_753970 selects cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() * ALSA: usb-audio: Add a quirck for B&W PX headphones tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus Linux 3.18.98 net: gianfar_ptp: move set_fipers() to spinlock protecting area sctp: make use of pre-calculated len xen/gntdev: Fix partial gntdev_mmap() cleanup xen/gntdev: Fix off-by-one error when unmapping with holes SolutionEngine771x: fix Ether platform data mdio-sun4i: Fix a memory leak xen-netfront: enable device after manual module load drm/ttm: check the return value of kzalloc e1000: fix disabling already-disabled warning xfs: quota: check result of register_shrinker() xfs: quota: fix missed destroy of qi_tree_lock s390/dasd: fix wrongly assigned configuration data * led: core: Fix brightness setting when setting delay_off=0 bnx2x: Improve reliability in case of nested PCI errors tg3: Enable PHY reset in MTU change path for 5720 tg3: Add workaround to restrict 5762 MRRS to 2048 scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error net: arc_emac: fix arc_emac_rx() error paths spi: atmel: fixed spin_lock usage inside atmel_spi_remove * sget(): handle failures of register_shrinker() * ipv6: icmp6: Allow icmp messages to be looped back mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM * hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers) * ipv6: Skip XFRM lookup if dst_entry in socket cache is valid Linux 3.18.97 * ASN.1: fix out-of-bounds read when 
parsing indefinite length item * usb: gadget: f_fs: Process all descriptors during bind * usb: dwc3: gadget: Set maxpacket size for ep0 IN * arm64: Disable unhandled signal log messages by default * irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq() x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() iio: adis_lib: Initialize trigger before requesting interrupt * iio: buffer: check if a buffer has been set up when poll is called cfg80211: fix cfg80211_beacon_dup scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info PCI: keystone: Fix interrupt-controller-node lookup * netfilter: drop outermost socket lock in getsockopt() Linux 3.18.96 crypto: s5p-sss - Fix kernel Oops in AES-ECB mode KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close * xen: XEN_ACPI_PROCESSOR is Dom0-only x86/mm/kmmio: Fix mmiotrace for page unaligned addresses * mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep dmaengine: jz4740: disable/unprepare clk if probe fails * xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies. spi: sun4i: disable clocks in the remove function * 509: fix printing uninitialized stack memory when OID is empty btrfs: Fix possible off-by-one in btrfs_search_path_in_tree net_sched: red: Avoid illegal values net_sched: red: Avoid devision by zero gianfar: fix a flooded alignment reports because of padding issue. 
s390/dasd: prevent prefix I/O error powerpc/perf: Fix oops when grouping different pmu events scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none media: s5k6aa: describe some function parameters perf bench numa: Fixup discontiguous/sparse numa nodes perf top: Fix window dimensions change handling ARM: dts: am4372: Correct the interrupts_properties of McASP ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function * usb: build drivers/usb/common/ when USB_SUPPORT is set usbip: keep usbip_device sockfd state in sync with tcp_socket dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock video: fbdev/mmp: add MODULE_LICENSE ASoC: ux500: add MODULE_LICENSE tag * selinux: ensure the context is NUL terminated in security_context_to_sid_core() * Provide a function to create a NUL-terminated string from unterminated data * net: avoid skb_warn_bad_offload on IS_ERR netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert * netfilter: on sockopt() acquire sock lock only in the required scope netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() * netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} * netfilter: x_tables: fix int overflow in xt_alloc_table_info() crypto: x86/twofish-3way - Fix %rbp usage * selinux: skip bounded transition processing if the policy isn't loaded * xfrm: check id proto in validate_tmpl() * mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed. 
media: r820t: fix r820t_write_reg for KASAN ARM: dts: s5pv210: add interrupt-parent for ohci ALSA: seq: Fix racy pool initializations Btrfs: fix crash due to not cleaning up tree log block's dirty bits Btrfs: fix deadlock in run_delalloc_nocow console/dummy: leave .con_font_get set to NULL video: fbdev: atmel_lcdfb: fix display-timings lookup ext4: correct documentation for grpid mount option * ext4: save error to disk in __ext4_grp_locked_error() drm/radeon: adjust tested variable ALSA: seq: Fix regression by incorrect ioctl_mutex usages arm: spear13xx: Fix spics gpio controller's warning arm: spear13xx: Fix dmas cells arm: spear600: Add missing interrupt-parent of rtc s390: fix handling of -1 in set{,fs}[gu]id16 syscalls * PM / devfreq: Propagate error from devfreq_add_device() IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports Linux 3.18.95 mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy ACPI: sbshc: remove raw pointer from printk() message pktcdvd: Fix pkt_setup_dev() error path EDAC, octeon: Fix an uninitialized variable warning xtensa: fix futex_atomic_cmpxchg_inatomic alpha: fix reboot on Avanti platform alpha: fix crash if pthread_create races with signal delivery signal/sh: Ensure si_signo is initialized in do_divide_error signal/openrisc: Fix do_unaligned_access to send the proper signal * kernel/async.c: revert "async: simplify lowest_in_progress()" media: cxusb, dib0700: ignore XC2028_I2C_FLUSH crypto: caam - fix endless loop when DECO acquire fails * crypto: cryptd - pass through absence of ->setkey() * crypto: hash - introduce crypto_hash_alg_has_setkey() * kernfs: fix regression in kernfs_fop_write caused by wrong type NFS: commit direct writes even if they fail partially NFS: Add a cond_resched() to nfs_commit_release_pages() mtd: nand: Fix nand_do_read_oob() return value media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner media: dvb-usb-v2: lmedm04: Improve logic checking of warm 
start dccp: CVE-2017-8824: use-after-free in DCCP code usbip: vhci: stop printing kernel pointer addresses in messages usbip: stub: stop printing kernel pointer addresses in messages usbip: prevent leaking socket pointer address in messages usbip: vhci-hcd: Add USB3 SuperSpeed support usb: usbip: Fix possible deadlocks reported by lockdep usbip: Fix potential format overflow in userspace tools usbip: prevent vhci_hcd driver from leaking a socket pointer address usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input usbip: fix stub_rx: get_pipe() to validate endpoint number * posix-timer: Properly check sigevent->sigev_notify CIFS: zero sensitive data when freeing cifs: Fix autonegotiate security settings mismatch cifs: Fix missing put_xid in cifs_file_strict_mmap * ipv4: Map neigh lookup keys in __ipv4_neigh_lookup_noref() * KEYS: encrypted: fix buffer overread in valid_master_desc() ARM: exynos_defconfig: Enable NFSv4 client ARM: exynos_defconfig: Enable options to mount a rootfs via NFS * tcp: release sk_frag.page in tcp_disconnect r8169: fix RTL8168EP take too long to complete driver initialization. 
qlcnic: fix deadlock bug * net: igmp: add a missing rcu locking section ip6mr: fix stale iterator vhost_net: stop device during reset owner Linux 3.18.94 um: Fix out-of-tree build ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE spi: imx: do not access registers while clocks disabled * selinux: general protection fault in sock_has_perm usb: uas: unconditionally bring back host after reset * usb: f_fs: Prevent gadget unbind if it is already unbound * USB: serial: simple: add Motorola Tetra driver usbip: list: don't list devices attached to vhci_hcd usbip: prevent bind loops on devices attached to vhci_hcd USB: serial: io_edgeport: fix possible sleep-in-atomic CDC-ACM: apply quirk for card reader USB: cdc-acm: Do not log urb submission errors on disconnect * USB: serial: pl2303: new device id for Chilitag staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID * usb: gadget: don't dereference g until after it has been null checked media: usbtv: add a new usbid * scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg * quota: Check for register_shrinker() failure. 
* net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit hwmon: (pmbus) Use 64bit math for DIRECT format values nfsd: check for use of the closed special stateid nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0) xen-netfront: remove warning when unloading module KVM: VMX: Fix rflags cache during vCPU reset mac80211: fix the update of path metric for RANN frame bcache: check return value of register_shrinker KVM: X86: Fix operand/address-size during instruction decoding KVM: x86: Don't re-execute instruction when not passing CR2 value KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure igb: Free IRQs when device is hotplugged gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE ALSA: seq: Make ioctls race-free * loop: fix concurrent lo_open/lo_release um: Remove copy&paste code from init.h um: Stop abusing __KERNEL__ um: link vmlinux with -no-pie * Input: do not emit unneeded EV_SYN when suspending Linux 3.18.93 * hrtimer: Reset hrtimer cpu base proper on CPU hotplug * ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY * ipv6: fix udpv6 sendmsg crash caused by too small MTU * net: Allow neigh contructor functions ability to modify the primary_key vmxnet3: repair memory leak sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf sctp: do not allow the v4 socket to bind a v4mapped v6 address * pppoe: take ->needed_headroom of lower device into account on xmit * net: qdisc_pkt_len_init() should be more robust * tcp: __tcp_hdrlen() helper * net: igmp: fix source address check for IGMPv3 reports dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state * net: tcp: close sock if net namespace is exiting x86/microcode/intel: Extend BDW late-loading further with LLC size check * eventpoll.h: add missing epoll event masks scsi: libiscsi: fix shifting of DID_REQUEUE host byte * fs/fcntl: f_setown, avoid undefined behaviour reiserfs: don't preallocate blocks for extended 
attributes reiserfs: fix race in prealloc discard netfilter: xt_osf: Add missing permission checks netfilter: nfnetlink_cthelper: Add missing permission checks netfilter: nf_conntrack_sip: extend request line validation * netfilter: restart search if moved to other chain * netfilter: nf_ct_expect: remove the redundant slash when policy name is empty ipc: msg, make msgrcv work with LONG_MIN hwpoison, memcg: forcibly uncharge LRU pages * mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once usbip: Fix implicit fallthrough warning x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels MIPS: AR7: ensure the port type's FCR value is used arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6 dm btree: fix serious bug in btree_split_beneath() ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7 * phy: work around 'phys' references to usb-nop-xceiv devices Input: twl4030-vibra - fix sibling-node lookup Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning Input: twl6040-vibra - fix child-node lookup Input: twl6040-vibra - fix DT node memory management Input: 88pm860x-ts - fix child-node lookup * pipe: avoid round_pipe_size() nr_pages overflow on 32-bit * af_key: fix buffer overread in parse_exthdrs() * af_key: fix buffer overread in verify_address_len() ALSA: hda - Apply the existing quirk to iMac 14,1 * ALSA: pcm: Remove yet superfluous WARN_ON() * futex: Prevent overflow by strengthen input validation * scsi: sg: disable SET_FORCE_LOW_DMA * gcov: disable for COMPILE_TEST Linux 3.18.92 e1000e: Fix e1000_check_for_copper_link_ich8lan return value. uas: ignore UAS for Norelsys NS1068(X) chips * Bluetooth: Prevent stack info leak from the EFS element. 
* staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl usbip: remove kernel addresses from usb device and urb debug msgs USB: fix usbmon BUG trigger usb: misc: usb3503: make sure reset is low for at least 100us USB: serial: cp210x: add new device ID ELV ALC 8xxx USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ Revert "can: kvaser_usb: free buf in error paths" target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref x86/microcode/intel: Extend BDW late-loading with a revision check * crypto: algapi - fix NULL dereference in crypto_remove_spawns() * net: stmmac: enable EEE in MII, GMII or RGMII only sh_eth: fix SH7757 GEther initialization sh_eth: fix TSU resource handling RDS: null pointer dereference in rds_atomic_free_op RDS: Heap OOB write in rds_message_alloc_sgs() 8021q: fix a memory leak for VLAN 0 device x86/acpi: Reduce code duplication in mp_override_legacy_irq() ALSA: aloop: Fix racy hw constraints adjustment ALSA: aloop: Fix inconsistent format due to incomplete rule ALSA: aloop: Release cable upon open error path ALSA: pcm: Allow aborting mutex lock at OSS read/write loops ALSA: pcm: Abort properly at pending signal in OSS read/write loops ALSA: pcm: Add missing error checks in OSS emulation plugin builder * ALSA: pcm: Remove incorrect snd_BUG_ON() usages x86/acpi: Handle SCI interrupts above legacy space gracefully kvm: vmx: Scrub hardware GPRs at VM-exit * perf/core: Fix concurrent sys_perf_event_open() vs. 
'move_group' race MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA MIPS: Consistently handle buffer counter with PTRACE_SETREGSET MIPS: Guard against any partial write attempt with PTRACE_SETREGSET MIPS: Factor out NT_PRFPREG regset access helpers IB/srpt: Disable RDMA access by the initiator can: gs_usb: fix return value of the "set_bittiming" callback Input: elantech - add new icbody type 15 * kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal() * kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals * kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL fscache: Fix the default for fscache_maybe_release_page() crypto: n2 - cure use after free kernel/acct.c: fix the acct->needcheck check in check_free_space() Linux 3.18.91 * n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) * usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201 * usb: add RESET_RESUME for ELSA MicroLink 56K * usb: Add device quirk for Logitech HD Pro Webcam C925e USB: serial: option: add support for Telit ME910 PID 0x1101 * net: ipv4: fix for a race condition in raw_sendmsg sctp: Replace use of sockets_allocated with specified macro. 
net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case tg3: Fix rx hang on MTU change with 5717/5719 * tcp md5sig: Use skb's saddr when replying to an incoming segment net: qmi_wwan: add Sierra EM7565 1199:9091 * netlink: Add netns check on taps * net: igmp: Use correct source address on IGMPv3 reports * ipv6: mcast: better catch silly mtu values * ipv4: igmp: guard against silly MTU values * kbuild: add '-fno-stack-check' to kernel build options ASoC: twl4030: fix child-node lookup * ring-buffer: Mask out the info bits when returning buffer page length * tracing: Fix crash when it fails to alloc ring buffer * tracing: Fix possible double free on failure of allocating trace buffer * tracing: Remove extra zeroing out of the ring buffer page net: mvneta: clear interface link status on port disable powerpc/perf: Dereference BHRB entries safely KVM: X86: Fix load RFLAGS w/o the fixed bit parisc: Hide Diva-built-in serial aux and graphics card * PCI / PM: Force devices to D0 in pci_pm_thaw_noirq() * ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU * ALSA: rawmidi: Avoid racy info ioctl via ctl device mfd: twl6040: Fix child-node lookup mfd: twl4030-audio: Fix sibling-node lookup crypto: mcryptd - protect the per-CPU queue with a lock ACPI: APEI / ERST: Fix missing error handling in erst_reader() Linux 3.18.90 fm10k: ensure we process SM mbx when processing VF mbx scsi: lpfc: PLOGI failures during NPIV testing scsi: lpfc: Fix secure firmware updates PCI/AER: Report non-fatal errors only to the affected endpoint igb: check memory allocation failure PCI: Create SR-IOV virtfn/physfn links before attaching driver scsi: cxgb4i: fix Tx skb leak * PCI: Avoid bus reset if bridge itself is broken net: phy: at803x: Change error to EINVAL for invalid MAC crypto: crypto4xx - increase context and scatter ring buffer elements backlight: pwm_bl: Fix overflow condition cpuidle: powernv: Pass correct drv->cpumask for registration ARM: dma-mapping: disallow 
dma_get_sgtable() for non-kernel managed memory * xhci: plat: Register shutdown for xhci_plat isdn: kcapi: avoid uninitialized data ARM: dts: am335x-evmsk: adjust mmc2 param to allow suspend netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table irda: vlsi_ir: fix check for DMA mapping errors i40e: Do not enable NAPI on q_vectors that have no rings * net: Do not allow negative values for busy_read and busy_poll sysctl interfaces s390/qeth: no ETH header for outbound AF_IUCV * HID: xinmo: fix for out of range for THT 2P arcade controller. hwmon: (asus_atk0110) fix uninitialized data access ARM: dts: ti: fix PCI bus dtc warnings KVM: x86: correct async page present tracepoint scsi: lpfc: Fix PT2PT PRLI reject netfilter: nfnl_cthelper: Fix memory leak netfilter: nfnl_cthelper: fix runtime expectation policy updates usb: gadget: udc: remove pointer dereference after free usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4 * crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex * r8152: fix the list rx_done may be used without initialization * cpuidle: Validate cpu_dev in cpuidle_add_sysfs() ALSA: hda - add support for docking station for HP 820 G2 * arm64: Initialise high_memory global variable earlier Linux 3.18.89 usb: musb: da8xx: fix babble condition handling ath9k: fix tx99 potential info leak macvlan: Only deliver one copy of the frame to the macvlan interface udf: Avoid overflow when session starts at large offset scsi: bfa: integer overflow in debugfs * scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry raid5: Set R5_Expanded on parity devices as well as data. 
* pinctrl: adi2: Fix Kconfig build problem * tty fix oops when rmmod 8250 * PCI: Detach driver before procfs & sysfs teardown on device remove xfs: fix log block underflow during recovery cycle verification bcache: fix wrong cache_misses statistics bcache: explicitly destroy mutex while exiting GFS2: Take inode off order_write list when setting jdata flag * thermal/drivers/step_wise: Fix temperature regulation misbehavior * ppp: Destroy the mutex when cleanup clk: tegra: Fix cclk_lp divisor register * mm: Handle 0 flags in _calc_vm_trans() macro arm-ccn: perf: Prevent module unload while PMU is in use target/file: Do not return error for UNMAP if length is zero target:fix condition return in core_pr_dump_initiator_port() iscsi-target: fix memory leak in lio_target_tiqn_addtpg() target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd() powerpc/ipic: Fix status get and status clear powerpc/opal: Fix EBUSY bug in acquiring tokens powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo PCI/PME: Handle invalid data when reading Root Status video: fbdev: au1200fb: Return an error code if a memory allocation fails video: fbdev: au1200fb: Release some resources if a memory allocation fails video: udlfb: Fix read EDID timeout fbdev: controlfb: Add missing modes to fix out of bounds access target: Use system workqueue for ALUA transitions btrfs: add missing memset while reading compressed inline extents NFSv4.1 respect server's max size in CREATE_SESSION perf symbols: Fix symbols__fixup_end heuristic for corner cases afs: Fix afs_kill_pages() afs: Fix page leak in afs_write_begin() afs: Populate and use client modification time afs: Fix the maths in afs_fs_store_data() afs: Flush outstanding writes when an fd is closed afs: Adjust mode bits processing afs: Populate group ID from vnode status afs: Fix missing put_page() drm/radeon: reinstate oland workaround for sclk * sched/deadline: Use deadline instead of period when calculating overflow drm/radeon/si: 
add dpm quirk for Oland openrisc: fix issue handling 8 byte get_user calls * net: Resend IGMP memberships upon peer notification. * dmaengine: Fix array index out of bounds warning in __get_unmap_pool() net: wimax/i2400m: fix NULL-deref at probe Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list NFSD: fix nfsd_reset_versions for NFSv4. NFSD: fix nfsd_minorversion(.., NFSD_AVAIL) net: bcmgenet: Power up the internal PHY before probing the MII net: bcmgenet: correct MIB access of UniMAC RUNT counters net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values usb: phy: isp1301: Add OF device ID table mac80211: Fix addition of mesh configuration element * KEYS: Don't permit request_key() to construct a new keyring * Don't leak a key reference if request_key() tries to use a revoked keyring * ext4: fix crash when a directory's i_size is too small * xhci: Don't add a virt_dev to the devs array before it's fully allocated usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer * USB: core: prevent malicious bNumInterfaces overflow * USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID autofs: fix careless error in recent commit crypto: salsa20 - fix blkcipher_walk API usage * crypto: hmac - require that the underlying hash algorithm is unkeyed Linux 3.18.88 * usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one * audit: ensure that 'audit=1' actually enables audit for PID 1 afs: Connect up the CB.ProbeUuid IB/mlx5: Assign send CQ and recv CQ of UMR QP IB/mlx4: Increase maximal message size under UD QP * xfrm: Copy policy family in clone_policy atm: horizon: Fix irq release error sctp: use the right sk after waking up from wait_buf sleep sctp: do not free asoc when it is already dead in sctp_sendmsg sparc64/mm: set fields in deferred pages sunrpc: Fix rpc_task_begin trace point NFS: Fix a typo in nfs_rename() dynamic-debug-howto: fix optional/omitted ending line 
number to be LARGE instead of 0 * lib/genalloc.c: make the avail variable an atomic_long_t * route: update fnhe_expires for redirect when the fnhe exists * route: also update fnhe_genid when updating a route cache EDAC, i5000, i5400: Fix definition of NRECMEMB register EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro axonram: Fix gendisk handling i2c: riic: fix restart condition crypto: s5p-sss - Fix completing crypto request in IRQ handler * ipv6: reorder icmpv6_init() and ip6_mr_init() bnx2x: fix possible overrun of VFPF multicast addresses array spi_ks8995: fix "BUG: key accdaa28 not in .data!" arm: KVM: Survive unknown traps from guests KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset irqchip/crossbar: Fix incorrect type of register size scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters * workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq libata: drop WARN from protocol error in ata_sff_qc_issue() USB: gadgetfs: Fix a potential memory leak in 'dev_config()' usb: gadget: configs: plug memory leak selftest/powerpc: Fix false failures for skipped tests Revert "s390/kbuild: enable modversions for symbols exported from asm" * Revert "drm/armada: Fix compile fail" * net/packet: fix a race in packet_bind() and packet_notifier() * sit: update frag_off info rds: Fix NULL pointer dereference in __rds_rdma_map * arm64: fpsimd: Prevent registers leaking from dead tasks KVM: VMX: remove I/O port 0x80 bypass on Intel hosts * arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one media: dvb: i2c transfers over usb cannot be done from stack kdb: Fix handling of kallsyms_symbol_next() return value iommu/vt-d: Fix scatterlist offset handling * ALSA: usb-audio: Add check return value for usb_string() * ALSA: usb-audio: Fix out-of-bound error ALSA: seq: Remove spurious WARN_ON() at timer check * ALSA: pcm: prevent UAF in snd_pcm_info x86/PCI: Make broadcom_postcore_init() check acpi_disabled * X.509: reject invalid BIT 
STRING for subjectPublicKey * KEYS: add missing permission check for request_key() destination * ASN.1: check for error from ASN1_OP_END__ACT actions * efi: Move some sysfs files to be read-only by root isa: Prevent NULL dereference in isa_bus driver callbacks hv: kvp: Avoid reading past allocated blocks from KVP file virtio: release virtio index when fail to device_register can: usb_8dev: cancel urb on -EPIPE and -EPROTO can: esd_usb2: cancel urb on -EPIPE and -EPROTO can: ems_usb: cancel urb on -EPIPE and -EPROTO can: kvaser_usb: cancel urb on -EPIPE and -EPROTO can: kvaser_usb: ratelimit errors if incomplete messages are received can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() can: kvaser_usb: free buf in error paths Linux 3.18.87 usb: host: fix incorrect updating of offset * USB: usbfs: Filter flags passed in from user space * USB: devio: Prevent integer overflow in proc_do_submiturb() * USB: Increase usbfs transfer limit * usb: hub: Cycle HUB power when initialization fails serial: 8250_pci: Add Amazon PCI serial device ID * usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices ima: fix hash algorithm initialization net: fec: fix multicast filtering hardware setup * mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers tipc: fix cleanup at module unload net: sctp: fix array overrun read on sctp_timer_tbl NFSv4: Fix client recovery when server reboots multiple times net/appletalk: Fix kernel memory disclosure * vti6: fix device register to report IFLA_INFO_KIND ARM: OMAP1: DMA: Correct the number of logical channels perf test attr: Fix ignored test case result * sysrq : fix Show Regs call trace on ARM EDAC, sb_edac: Fix missing break in switch spi: sh-msiof: Fix DMA transfer size check serial: 8250_fintek: Fix rs485 disablement on invalid ioctl() bcache: recover data from backing when data is clean bcache: only permit to recovery read error when cache device is 
clean Linux 3.18.86 drm/i915: Prevent zero length "index" write drm/i915: Don't try indexed reads to alternate slave addresses NFS: revalidate "." etc correctly on "open". drm/panel: simple: Add missing panel_simple_unprepare() calls eeprom: at24: check at24_read/write arguments KVM: x86: inject exceptions produced by x86_decode_insn KVM: x86: Exit to user-mode on #UD intercept when emulator requires btrfs: clear space cache inode generation always * mm/madvise.c: fix madvise() infinite loop under special circumstances mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() * ipsec: Fix aborted xfrm policy dump crash * netlink: add a start callback for starting a netlink dump Linux 3.18.85 xen: xenbus driver must not accept invalid transaction ids s390/kbuild: enable modversions for symbols exported from asm ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data btrfs: return the actual error value from from btrfs_uuid_tree_iterate netfilter: nf_tables: fix oob access netfilter: nft_queue: use raw_smp_processor_id() staging: iio: cdc: fix improper return value mac80211: Suppress NEW_PEER_CANDIDATE event if no room mac80211: Remove invalid flag operations in mesh TSF synchronization ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE * drm/armada: Fix compile fail net: 3com: typhoon: typhoon_init_one: fix incorrect return values net: 3com: typhoon: typhoon_init_one: make return values more specific * PCI: Apply _HPX settings only to relevant devices RDS: RDMA: return appropriate error on rdma map failures e1000e: Separate signaling for link check/link up e1000e: Fix return value test e1000e: Fix error path in link detection iio: iio-trig-periodic-rtc: Free trigger resource correctly * USB: fix buffer overflows with parsing CDC headers mtd: nand: Fix writing mtdoops to nand flash. 
net/9p: Switch to wait_event_killable() * media: v4l2-ctrl: Fix flags field on Control events media: rc: check for integer overflow media: Don't do DMA on stack for firmware upload in the AS102 driver powerpc/signal: Properly handle return value from uprobe_deny_signal() parisc: Fix validity check of pointer size argument in new CAS implementation ixgbe: Fix skb list corruption on Power systems fm10k: Use smp_rmb rather than read_barrier_depends i40evf: Use smp_rmb rather than read_barrier_depends ixgbevf: Use smp_rmb rather than read_barrier_depends igbvf: Use smp_rmb rather than read_barrier_depends igb: Use smp_rmb rather than read_barrier_depends i40e: Use smp_rmb rather than read_barrier_depends * time: Always make sure wall_to_monotonic isn't positive NFC: fix device-allocation error return IB/srpt: Do not accept invalid initiator port names clk: ti: dra7-atl-clock: fix child-node lookups clk: ti: dra7-atl-clock: Fix of_node reference counting KVM: SVM: obey guest PAT KVM: nVMX: set IDTR and GDTR limits when loading L1 host state iscsi-target: Fix non-immediate TMR reference leak fs/9p: Compare qid.path in v9fs_test_inode * ALSA: timer: Remove kernel warning at compat ioctl error paths * ALSA: usb-audio: Add sanity checks in v2 clock parsers * ALSA: usb-audio: Fix potential out-of-bound access at parsing SU * ALSA: usb-audio: Add sanity checks to FE parser * ext4: fix interaction between i_size, fallocate, and delalloc after a crash nfsd: deal with revoked delegations appropriately nfs: Fix ugly referral attributes NFS: Fix typo in nomigration mount option isofs: fix timestamps beyond 2027 bcache: check ca->alloc_thread initialized before wake up it eCryptfs: use after free in ecryptfs_release_messaging() nilfs2: fix race condition that causes file system corruption autofs: don't fail mount for transient error MIPS: BCM47XX: Fix LED inversion for WRT54GSv1 MIPS: Fix an n32 core file generation regset support regression * dm: fix race between 
dm_get_from_kobject() and __dm_destroy() * dm bufio: fix integer overflow when limiting maximum cache size ALSA: hda: Add Raven PCI ID ARM: 8721/1: mm: dump: check hardware RO bit for LPAE x86/decoder: Add new TEST instruction pattern * lib/mpi: call cond_resched() from mpi_powm() loop * sched: Make resched_cpu() unconditional * ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER s390/disassembler: increase show_code buffer size Linux 3.18.84 coda: fix 'kernel memory exposure attempt' in fsync ipmi: fix unsigned long underflow ocfs2: should wait dio before inode lock in ocfs2_setattr() ima: do not update security.ima if appraisal status is not INTEGRITY_PASS vlan: fix a use-after-free in vlan_device_event() * af_netlink: ensure that NLMSG_DONE never fails in dumps fealnx: Fix building error on MIPS sctp: do not peel off an assoc from one netns to another one * netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed * tcp: do not mangle skb->cb[] in tcp_make_synack() net/sctp: Always set scope_id in sctp_inet6_skb_msgname * ipv6/dccp: do not inherit ipv6_mc_list from parent Linux 3.18.83 USB: serial: garmin_gps: fix memory leak on probe errors USB: serial: garmin_gps: fix I/O after failed probe and remove USB: serial: garmin_gps: fix memory leak on failed URB submit USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update * USB: Add delay-init quirk for Corsair K70 LUX keyboards * USB: usbfs: compute urb->actual_length for isochronous uapi: fix linux/rds.h userspace compilation errors uapi: fix linux/rds.h userspace compilation error Revert "uapi: fix linux/rds.h userspace compilation errors" * Revert "crypto: xts - Add ECB dependency" MIPS: Netlogic: Exclude netlogic,xlp-pic code from XLR builds MIPS: init: Ensure reserved memory regions are not added to bootmem MIPS: End asm function prologue macros with .insn ixgbe: handle close/suspend race with netif_device_detach/present ixgbe: fix AER error handling gpu: drm: 
mgag200: mgag200_main:- Handle error from pci_iomap backlight: adp5520: Fix error handling in adp5520_bl_probe() * backlight: lcd: Fix race condition during register ALSA: vx: Fix possible transfer overflow ALSA: vx: Don't try to update capture stream before running scsi: lpfc: Correct issue leading to oops during link reset scsi: lpfc: Correct host name in symbolic_name field scsi: lpfc: FCoE VPort enable-disable does not bring up the VPort scsi: lpfc: Add missing memory barrier staging: rtl8188eu: fix incorrect ERROR tags from logs igb: Fix hw_dbg logging in igb_update_flash_i210 igb: close/suspend race in netif_device_detach igb: reset the PHY before reading the PHY ID drm/sti: sti_vtg: Handle return NULL error from devm_ioremap_nocache * ata: SATA_MV should depend on HAS_DMA * ata: SATA_HIGHBANK should depend on HAS_DMA * ata: ATA_BMDMA should depend on HAS_DMA ARM: dts: Fix omap3 off mode pull defines ARM: OMAP2+: Fix init for multiple quirks for the same SoC extcon: palmas: Check the parent instance to prevent the NULL iscsi-target: Fix iscsi_np reset hung task during parallel delete media: dib0700: fix invalid dvb_detach argument media: imon: Fix null-ptr-deref in imon_probe Linux 3.18.82 target/iscsi: Fix iSCSI task reassignment handling * security/keys: add CONFIG_KEYS_COMPAT to Kconfig ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err ipip: only increase err_count for some certain type icmp in ipip_err * ipv6: flowlabel: do not leave opt->tot_len with garbage sctp: reset owner sk for data chunks on out queues when migrating a sock * tun: allow positive return values on dev_get_valid_name() call net/unix: don't show information about sockets from other namespaces sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect * tun: call dev_get_valid_name() before register_netdevice() * l2tp: check ps->sock before running pppol2tp_session_ioctl() * tcp: fix tcp_mtu_probe() vs highest_sack * tun/tap: sanitize TUNSETSNDBUF 
input Revert "ARM: dts: imx53-qsb-common: fix FEC pinmux config" Input: ims-psu - check if CDC union descriptor is sane usb: usbtest: fix NULL pointer dereference mac80211: don't compare TKIP TX MIC key in reinstall prevention mac80211: use constant time comparison with keys mac80211: accept key reinstall without changing anything Revert "ceph: unlock dangling spinlock in try_flush_caps()" Linux 3.18.81 x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context can: c_can: don't indicate triple sampling support for D_CAN rbd: use GFP_NOIO for parent stat and data requests MIPS: AR7: Ensure that serial ports are properly set up MIPS: Fix CM region target definitions MIPS: microMIPS: Fix incorrect mask in insn_table_MM ALSA: seq: Avoid invalid lockdep class warning ALSA: seq: Fix OSS sysex delivery in OSS emulation ARM: 8720/1: ensure dump_instr() checks addr_limit * KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] crypto: x86/sha1-mb - fix panic due to unaligned access KEYS: trusted: fix writing past end of buffer in trusted_read() KEYS: trusted: sanitize all key material IB/ipoib: Change list_del to list_del_init in the tx object Input: mpr121 - set missing event capability Input: mpr121 - handle multiple bits change of status register * IPsec: do not ignore crypto err in ah4 input * usb: hcd: initialize hcd->flags to 0 when rm hcd serial: sh-sci: Fix register offsets for the IRDA serial port * phy: increase size of MII_BUS_ID_SIZE and bus_id dt-bindings: Add vendor prefix for LEGO dt-bindings: Add LEGO MINDSTORMS EV3 compatible specification iio: trigger: free trigger resource correctly ARM: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6 drm: drm_minor_register(): Clean up debugfs on failure ARM: dts: imx53-qsb-common: fix FEC pinmux config xen/netback: set default upper limit of tx/rx queues to 8 video: fbdev: pmag-ba-fb: Remove bad `__init' annotation Linux 3.18.80 staging: r8712u: Fix Sparse warning in rtl871x_xmit.c xen: don't 
print error message in case of missing Xenstore entry bt8xx: fix memory leak s390/dasd: check for device error pointer within state change interrupts staging: lustre: ptlrpc: skip lock if export failed staging: lustre: hsm: stack overrun in hai_dump_data_field platform/x86: intel_mid_thermal: Fix module autoload xen/manage: correct return value check on xenbus_scanf() cx231xx: Fix I2C on Internal Master 3 Bus i2c: riic: correctly finish transfers * ext4: do not use stripe_width if it is not set * ext4: fix stripe-unaligned allocations staging: rtl8712u: Fix endian settings for structs describing network packets mmc: s3cmci: include linux/interrupt.h for tasklet_struct x86/microcode/intel: Disable late loading on model 79 drm/msm: fix an integer overflow test drm/msm: Fix potential buffer overflow issue ocfs2: fstrim: Fix start offset of first cluster group during fstrim ARM: 8715/1: add a private asm/unaligned.h * arm64: ensure __dump_instr() checks addr_limit ASoC: adau17x1: Workaround for noise bug in ADC * KEYS: fix out-of-bounds read during ASN.1 parsing * KEYS: return full count in keyring_read() if buffer is too small cifs: check MaxPathNameComponentLength != 0 before using it ALSA: seq: Fix nested rwsem annotation for lockdep splat * ALSA: timer: Add missing mutex lock for compat ioctls * blk-mq: fix race between timeout and freeing request Linux 3.18.79 * ecryptfs: fix dereference of NULL user_key_payload can: kvaser_usb: Correct return value in printout * scsi: sg: Re-fix off by one in sg_fill_request_table() scsi: zfcp: fix erp_action use-before-initialize in REC action trace * assoc_array: Fix a buggy node-splitting case Input: gtco - fix potential out-of-bound access * fuse: fix READDIRPLUS skipping an entry * spi: uapi: spidev: add missing ioctl header * usb: xhci: Handle error condition in xhci_stop_device() ceph: unlock dangling spinlock in try_flush_caps() Linux 3.18.78 FS-Cache: fix dereference of NULL user_key_payload * af_packet: don't pass empty 
blocks for PACKET_V3 parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels parisc: Avoid trashing sr2 and sr3 in LWS code * cls_api.c: Fix dumping of non-existing actions' stats. * KEYS: don't let add_key() update an uninstantiated key lib/digsig: fix dereference of NULL user_key_payload * KEYS: encrypted: fix dereference of NULL user_key_payload bus: mbus: fix window size calculation for 4GB windows brcmsmac: make some local variables 'static const' to reduce stack size i2c: ismt: Separate I2C block read from SMBus block read ALSA: hda: Remove superfluous '-' added by printk conversion ALSA: seq: Enable 'use' locking in all configurations can: esd_usb2: Fix can_dlc value for received RTR, frames can: gs_usb: fix busy loop if no more TX context is available * usb: hub: Allow reset retry for USB2 devices on connect bounce * usb: quirks: add quirk for WORLDE MINI MIDI keyboard usb: cdc_acm: Add quirk for Elatec TWN3 USB: serial: metro-usb: add MS7820 device id * USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() * USB: devio: Revert "USB: devio: Don't corrupt user memory" Linux 3.18.77 Revert "tty: goldfish: Fix a parameter of a call to free_irq" target/iscsi: Fix unsolicited data seq_end_offset calculation * uapi: fix linux/mroute6.h userspace compilation errors uapi: fix linux/rds.h userspace compilation errors scsi: scsi_dh_emc: return success in clariion_std_inquiry() ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock * crypto: xts - Add ECB dependency net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs Btrfs: send, fix failure to rename top level inode due to name collision iio: adc: xilinx: Fix error handling * netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value. 
irqchip/crossbar: Fix incorrect type of local variables watchdog: kempld: fix gcc-4.3 build locking/lockdep: Add nest_lock integrity test Revert "bsg-lib: don't free job in bsg_prepare_job" * net: Set sk_prot_creator when cloning sockets to the right proto * packet: in packet_do_bind, test fanout with bind_lock held * l2tp: fix race condition in l2tp_tunnel_delete * l2tp: Avoid schedule while atomic in exit_net * vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit isdn/i4l: fetch the ppp_write buffer in one shot * packet: hold bind lock when rebinding to fanout hook bpf/verifier: reject BPF_ALU64|BPF_END * sctp: potential read out of bounds in sctp_ulpevent_type_enabled() * ext4: avoid deadlock when expanding inode size drm/dp/mst: save vcpi with payloads x86/mm: Disable preemption during CR3 read+write Linux 3.18.76 Revert "usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write" ALSA: seq: Fix missing NULL check at remove_events ioctl USB: serial: console: fix use-after-free after failed setup USB: serial: qcserial: add Dell DW5818, DW5819 USB: serial: option: add support for TP-Link LTE module USB: serial: cp210x: add support for ELV TFD500 * fix unbalanced page refcounting in bio_map_user_iov * direct-io: Prevent NULL pointer access in submit_page_section * usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options ALSA: caiaq: Fix stray URB at probe error path ALSA: seq: Fix copy_from_user() call inside lock ALSA: seq: Fix use-after-free at creating a port * ALSA: usb-audio: Kill stray URB at exiting iommu/amd: Finish TLB flush in amd_iommu_unmap() usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit * crypto: shash - Fix zero-length shash ahash digest crash * HID: usbhid: fix out-of-bounds bug CIFS: Reconnect expired SMB sessions * ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets Linux 3.18.75 * ext4: fix fencepost in s_first_meta_bg 
validation * ext4: validate s_first_meta_bg at mount time ext4: Don't clear SGID when inheriting ACLs * ext4: fix data corruption for mmap writes * fs/super.c: fix race between freeze_super() and thaw_super() * ext4: only call ext4_truncate when size <= isize drm/i915/bios: ignore HDMI on port A HID: i2c-hid: allocate hid buffers for real worst case * driver core: platform: Don't read past the end of "driver_override" buffer ALSA: usx2y: Suppress kernel warning at page allocation failures * lsm: fix smack_inode_removexattr and xattr_getsecurity memleak uwb: ensure that endpoint is interrupt uwb: properly check kthread_run return value iio: adc: mcp320x: Fix oops on module unload iio: ad7793: Fix the serial interface reset * iio: core: Return error for failed read_reg staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack. iio: ad_sigma_delta: Implement a dedicated reset function * xhci: fix finding correct bus_state structure for USB 3.1 hosts * USB: fix out-of-bounds in usb_set_configuration * usb: Increase quirk delay for USB devices USB: uas: fix bug in handling of alternate settings * USB: devio: Don't corrupt user memory USB: dummy-hcd: fix infinite-loop resubmission bug USB: dummy-hcd: fix connection failures (wrong speed) * usb: pci-quirks.c: Corrected timeout values used in handshake * ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe * usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives USB: gadgetfs: fix copy_to_user while holding spinlock USB: gadgetfs: Fix crash caused by inadequate synchronization usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write Linux 3.18.74 * mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] crypto: algif_skcipher - Load TX SG list after waiting staging: nvec: remove duplicated const ttpci: address 
stringop overflow warning ALSA: au88x0: avoid theoretical uninitialized access IB/qib: fix false-postive maybe-uninitialized warning libata: transport: Remove circular dependency at free time xfs: remove kmem_zalloc_greedy md/raid10: submit bio directly to replacement disk rds: ib: add error handle parisc: perf: Fix potential NULL pointer dereference netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max exynos-gsc: Do not swap cb/cr for semi planar formats * netfilter: invoke synchronize_rcu after set the _hook_ to NULL * mmc: sdio: fix alignment issue in struct sdio_func * usb: plusb: Add support for PL-27A1 team: fix memory leaks * net/packet: check length in getsockopt() called with PACKET_HDRLEN * net: core: Prevent from dereferencing null pointer when releasing SKB * audit: log 32-bit socketcalls * partitions/efi: Fix integer overflow in GPT size calculation USB: serial: mos7840: fix control-message error handling USB: serial: mos7720: fix control-message error handling IB/ipoib: Replace list_del of the neigh->list with list_del_init IB/ipoib: rtnl_unlock can not come after free_netdev IB/ipoib: Fix deadlock over vlan_mutex tty: goldfish: Fix a parameter of a call to free_irq ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes sh_eth: use correct name for ECMR_MPDE bit MIPS: Ensure bss section ends on a long-aligned address RDS: RDMA: Fix the composite message user notification drm: bridge: add DT bindings for TI ths8135 Linux 3.18.73 fix xen_swiotlb_dma_mmap prototype swiotlb-xen: implement xen_swiotlb_dma_mmap callback video: fbdev: aty: do not leak uninitialized padding in clk to userspace x86/fpu: Don't let userspace set bogus xcomp_bv btrfs: prevent to set invalid default subvolid * PCI: Fix race condition with driver_override kvm: nVMX: Don't allow L2 to access the hardware CR8 * arm64: Make sure SPsel is always set bsg-lib: don't free job in bsg_prepare_job * 
nl80211: check for the required netlink attributes presence * vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags SMB: Validate negotiate (to protect against downgrade) even if signing off powerpc/pseries: Fix parent_dn reference leak in add_dt_node() * KEYS: prevent KEYCTL_READ on negative key * KEYS: prevent creating a different user's keyrings * KEYS: fix writing past end of user-supplied buffer in keyring_read() crypto: talitos - fix sha224 scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly * tracing: Erase irqsoff trace with empty write * tracing: Fix trace_pipe behavior for instance traces KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() mac80211: flush hw_roc_start work before cancelling the ROC cifs: release auth_key.response for reconnect. cifs: release cifs root_cred after exit_cifs Linux 3.18.72 bcache: fix bch_hprint crash and improve output bcache: fix for gc and write-back race bcache: Correct return value for sysfs attach errors bcache: correct cache_dirty_target in __update_writeback_rate() bcache: Fix leak of bdev reference bcache: initialize dirty stripes in flash_dev_run() media: uvcvideo: Prevent heap overflow when accessing mapped controls * media: v4l2-compat-ioctl32: Fix timespec conversion PCI: shpchp: Enable bridge bus mastering if MSI is enabled ARC: Re-enable MMU upon Machine Check exception * tracing: Apply trace_clock changes to instance max buffer ftrace: Fix selftest goto location on error scsi: qla2xxx: Fix an integer overflow in sysfs code * scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE * scsi: sg: factor out sg_fill_request_table() * scsi: sg: off by one in sg_ioctl() * scsi: sg: use standard lists for sg_requests * scsi: sg: remove 'save_scat_len' scsi: zfcp: trace high part of "new" 64 bit SCSI LUN scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response scsi: zfcp: fix 
payload with full FCP_RSP IU in SCSI trace records scsi: zfcp: fix missing trace records for early returns in TMF eh handlers scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled skd: Submit requests to firmware before triggering the doorbell skd: Avoid that module unloading triggers a use-after-free md/bitmap: disable bitmap_resize for file-backed bitmaps. * block: Relax a check in blk_start_queue() powerpc: Fix DAR reporting when alignment handler faults * ext4: fix incorrect quotaoff if the quota feature is enabled crypto: AF_ALG - remove SGL terminator indicator when chaining Input: i8042 - add Gigabyte P57 to the keyboard reset table ip6_gre: fix endianness errors in ip6gre_err Revert "usb: musb: fix tx fifo flush handling again" f2fs: check hot_data for roll-forward recovery * ipv6: fix typo in fib6_net_exit() * ipv6: fix memory leak with multiple tables during netns destruction * tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 * Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()" qlge: avoid memcpy buffer overflow * ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() Linux 3.18.71 xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present ARM: 8692/1: mm: abort uaccess retries upon fatal signal * Bluetooth: Properly check L2CAP config option output buffer length ALSA: msnd: Optimize / harden DSP and MIDI loops locktorture: Fix potential memory leak with rw lock test btrfs: resume qgroup rescan on rw remount * scsi: sg: recheck MMAP_IO request length with lock held * scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE * cs5536: add support for IDE controller variant * workqueue: Fix flag collision * cma: fix calculation of aligned offset dlm: avoid double-free on error path in dlm_device_{register,unregister} Input: trackpoint - assume 3 buttons when buttons detection fails * driver core: bus: Fix a potential double 
free staging/rts5208: fix incorrect shift to extract upper nybble * USB: core: Avoid race of async_completed() w/ usbdev_release() * usb:xhci:Fix regression when ATI chipsets detected * usb: Add device quirk for Logitech HD Pro Webcam C920-C USB: serial: option: add support for D-Link DWM-157 C1 * usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard

Conflicts:
    drivers/input/input.c
    drivers/media/v4l2-core/v4l2-compat-ioctl32.c
    drivers/scsi/sg.c
    drivers/usb/dwc3/gadget.c
    drivers/usb/gadget/function/f_fs.c
    drivers/usb/host/xhci-hub.c
    net/ipv4/raw.c
    net/packet/af_packet.c
    sound/usb/card.c
    sound/usb/mixer.c

Change-Id: I4ca2d8f23d99e69b73d055262327f4c71da20a7c
Signed-off-by: Thierry Strudel <tstrudel@google.com>
| * ASN.1: fix out-of-bounds read when parsing indefinite length item  Eric Biggers  2018-02-28  1  -19/+24

commit e0058f3a874ebb48b25be7ff79bc3b4e59929f90 upstream.

In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed to the action functions before their lengths had been computed, using the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH). This resulted in reading data past the end of the input buffer, when given a specially crafted message.

Fix it by rearranging the code so that the indefinite length is resolved before the action is called.

This bug was originally found by fuzzing the X.509 parser in userspace using libFuzzer from the LLVM project.

KASAN report (cleaned up slightly):

    BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
    BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
    Read of size 128 at addr ffff880035dd9eaf by task keyctl/195

    CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0xd1/0x175 lib/dump_stack.c:53
     print_address_description+0x78/0x260 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x23f/0x350 mm/kasan/report.c:409
     memcpy+0x1f/0x50 mm/kasan/kasan.c:302
     memcpy ./include/linux/string.h:341 [inline]
     x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
     asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
     x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

    Allocated by task 195:
     __do_kmalloc_node mm/slab.c:3675 [inline]
     __kmalloc_node+0x47/0x60 mm/slab.c:3682
     kvmalloc ./include/linux/mm.h:540 [inline]
     SYSC_add_key security/keys/keyctl.c:104 [inline]
     SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Reported-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org> # v3.7+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * 509: fix printing uninitialized stack memory when OID is empty  Eric Biggers  2018-02-25  1  -2/+6

[ Upstream commit 8dfd2f22d3bf3ab7714f7495ad5d897b8845e8c1 ]

Callers of sprint_oid() do not check its return value before printing the result. In the case where the OID is zero-length, -EBADMSG was being returned without anything being written to the buffer, resulting in uninitialized stack memory being printed. Fix this by writing "(bad)" to the buffer in the cases where -EBADMSG is returned.

Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0  Randy Dunlap  2017-12-16  1  -0/+4

[ Upstream commit 1f3c790bd5989fcfec9e53ad8fa09f5b740c958f ]

line-range is supposed to treat "1-" as "1-endoffile", so handle the special case by setting last_lineno to UINT_MAX.

Fixes this error:

    dynamic_debug:ddebug_parse_query: last-line:0 < 1st-line:1
    dynamic_debug:ddebug_exec_query: query parse failed

Link: http://lkml.kernel.org/r/10a6a101-e2be-209f-1f41-54637824788e@infradead.org
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * lib/genalloc.c: make the avail variable an atomic_long_t  Stephen Bates  2017-12-16  1  -5/+5

[ Upstream commit 36a3d1dd4e16bcd0d2ddfb4a2ec7092f0ae0d931 ]

If the amount of resources allocated to a gen_pool exceeds 2^32 then the avail atomic overflows and this causes problems when clients try and borrow resources from the pool. This is only expected to be an issue on 64 bit systems.

Add the <linux/atomic.h> header to pull in atomic_long* operations. So that 32 bit systems continue to use atomic32_t but 64 bit systems can use atomic64_t.

Link: http://lkml.kernel.org/r/1509033843-25667-1-git-send-email-sbates@raithlin.com
Signed-off-by: Stephen Bates <sbates@raithlin.com>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: Daniel Mentz <danielmentz@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * ASN.1: check for error from ASN1_OP_END__ACT actions  Eric Biggers  2017-12-16  1  -0/+2

commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.

asn1_ber_decoder() was ignoring errors from actions associated with the opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT, ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT. In practice, this meant the pkcs7_note_signed_info() action (since that was the only user of those opcodes). Fix it by checking for the error, just like the decoder does for actions associated with the other opcodes.

This bug allowed users to leak slab memory by repeatedly trying to add a specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).

In theory, this bug could also be used to bypass module signature verification, by providing a PKCS#7 message that is misparsed such that a signature's ->authattrs do not contain its ->msgdigest. But it doesn't seem practical in normal cases, due to restrictions on the format of the ->authattrs.

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * lib/mpi: call cond_resched() from mpi_powm() loop  Eric Biggers  2017-11-30  1  -0/+2

commit 1d9ddde12e3c9bab7f3d3484eb9446315e3571ca upstream.

On a non-preemptible kernel, if KEYCTL_DH_COMPUTE is called with the largest permitted inputs (16384 bits), the kernel spends 10+ seconds doing modular exponentiation in mpi_powm() without rescheduling. If all threads do it, it locks up the system. Moreover, it can cause rcu_sched-stall warnings.

Notwithstanding the insanity of doing this calculation in kernel mode rather than in userspace, fix it by calling cond_resched() as each bit from the exponent is processed. It's still noninterruptible, but at least it's preemptible now.

Do the cond_resched() once per bit rather than once per MPI limb because each limb might still easily take 100+ milliseconds on slow CPUs.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]  Eric Biggers  2017-11-15  1  -2/+2

commit 624f5ab8720b3371367327a822c267699c1823b8 upstream.

syzkaller reported a NULL pointer dereference in asn1_ber_decoder(). It can be reproduced by the following command, assuming CONFIG_PKCS7_TEST_KEY=y:

    keyctl add pkcs7_test desc '' @s

The bug is that if the data buffer is empty, an integer underflow occurs in the following check:

    if (unlikely(dp >= datalen - 1))
            goto data_overrun_error;

This results in the NULL data pointer being dereferenced.

Fix it by checking for 'datalen - dp < 2' instead.

Also fix the similar check for 'dp >= datalen - n' later in the same function. That one possibly could result in a buffer overread.

The NULL pointer dereference was reproducible using the "pkcs7_test" key type but not the "asymmetric" key type because the "asymmetric" key type checks for a 0-length payload before calling into the ASN.1 decoder but the "pkcs7_test" key type does not.

The bug report was:

    BUG: unable to handle kernel NULL pointer dereference at (null)
    IP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
    PGD 7b708067 P4D 7b708067 PUD 7b6ee067 PMD 0
    Oops: 0000 [#1] SMP
    Modules linked in:
    CPU: 0 PID: 522 Comm: syz-executor1 Not tainted 4.14.0-rc8 #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
    task: ffff9b6b3798c040 task.stack: ffff9b6b37970000
    RIP: 0010:asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
    RSP: 0018:ffff9b6b37973c78 EFLAGS: 00010216
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000021c
    RDX: ffffffff814a04ed RSI: ffffb1524066e000 RDI: ffffffff910759e0
    RBP: ffff9b6b37973d60 R08: 0000000000000001 R09: ffff9b6b3caa4180
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    FS: 00007f10ed1f2700(0000) GS:ffff9b6b3ea00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 000000007b6f3000 CR4: 00000000000006f0
    Call Trace:
     pkcs7_parse_message+0xee/0x240 crypto/asymmetric_keys/pkcs7_parser.c:139
     verify_pkcs7_signature+0x33/0x180 certs/system_keyring.c:216
     pkcs7_preparse+0x41/0x70 crypto/asymmetric_keys/pkcs7_key_type.c:63
     key_create_or_update+0x180/0x530 security/keys/key.c:855
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xbf/0x250 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x4585c9
    RSP: 002b:00007f10ed1f1bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000f8
    RAX: ffffffffffffffda RBX: 00007f10ed1f2700 RCX: 00000000004585c9
    RDX: 0000000020000000 RSI: 0000000020008ffb RDI: 0000000020008000
    RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff1b2260ae
    R13: 00007fff1b2260af R14: 00007f10ed1f2700 R15: 0000000000000000
    Code: dd ca ff 48 8b 45 88 48 83 e8 01 4c 39 f0 0f 86 a8 07 00 00 e8 53 dd ca ff 49 8d 46 01 48 89 85 58 ff ff ff 48 8b 85 60 ff ff ff <42> 0f b6 0c 30 89 c8 88 8d 75 ff ff ff 83 e0 1f 89 8d 28 ff ff
    RIP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233 RSP: ffff9b6b37973c78
    CR2: 0000000000000000

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * KEYS: fix out-of-bounds read during ASN.1 parsing  Eric Biggers  2017-11-08  1  -0/+3

commit 2eb9eabf1e868fda15808954fb29b0f105ed65f1 upstream.

syzkaller with KASAN reported an out-of-bounds read in asn1_ber_decoder(). It can be reproduced by the following command, assuming CONFIG_X509_CERTIFICATE_PARSER=y and CONFIG_KASAN=y:

    keyctl add asymmetric desc $'\x30\x30' @s

The bug is that the length of an ASN.1 data value isn't validated in the case where it is encoded using the short form, causing the decoder to read past the end of the input buffer. Fix it by validating the length.

The bug report was:

    BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
    Read of size 1 at addr ffff88003cccfa02 by task syz-executor0/6818

    CPU: 1 PID: 6818 Comm: syz-executor0 Not tainted 4.14.0-rc7-00008-g5f479447d983 #2
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:16 [inline]
     dump_stack+0xb3/0x10b lib/dump_stack.c:52
     print_address_description+0x79/0x2a0 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x236/0x340 mm/kasan/report.c:409
     __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
     asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
     x509_cert_parse+0x1db/0x650 crypto/asymmetric_keys/x509_cert_parser.c:89
     x509_key_preparse+0x64/0x7a0 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xcb/0x1a0 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x347/0xb20 security/keys/key.c:855
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0x1cd/0x340 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x447c89
    RSP: 002b:00007fca7a5d3bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
    RAX: ffffffffffffffda RBX: 00007fca7a5d46cc RCX: 0000000000447c89
    RDX: 0000000020006f4a RSI: 0000000020006000 RDI: 0000000020001ff5
    RBP: 0000000000000046 R08: fffffffffffffffd R09: 0000000000000000
    R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
    R13: 0000000000000000 R14: 00007fca7a5d49c0 R15: 00007fca7a5d4700

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

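The two bounds checks from the ASN.1 entries above (the `dp >= datalen - 1` underflow in "KEYS: fix NULL pointer dereference during ASN.1 parsing" and the unvalidated short-form length in "KEYS: fix out-of-bounds read during ASN.1 parsing"), as an added userspace example that is not code from lib/asn1_decoder.c. The struct, the function names and the sample byte strings other than the quoted `\x30\x30` reproducer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not code from lib/asn1_decoder.c. Every name here
 * (ber_hdr, header_check_*, short_form_overhang, read_header) is
 * hypothetical. */

enum { BER_OK = 0, BER_OVERRUN = -1, BER_UNSUPPORTED = -2 };

struct ber_hdr {
    unsigned char tag;
    size_t len;        /* declared length of the value */
    size_t value_off;  /* offset of the first value byte */
};

/* Shape of the pre-fix check quoted in the commit message. Returns 1 to
 * reject. With datalen == 0, datalen - 1 wraps to SIZE_MAX, so the
 * check never fires and the caller goes on to read data[dp]. */
static int header_check_old(size_t dp, size_t datalen)
{
    return dp >= datalen - 1;
}

/* Shape of the fixed check, 'datalen - dp < 2'. It cannot wrap as long
 * as dp <= datalen, which read_header() below enforces first. */
static int header_check_new(size_t dp, size_t datalen)
{
    return datalen - dp < 2;
}

/* Model of the missing short-form validation: how many bytes the
 * declared value extends past the end of the buffer. Only in-bounds
 * bytes are read here. */
static size_t short_form_overhang(const unsigned char *data, size_t datalen)
{
    size_t end;

    if (datalen < 2 || data[1] > 0x7f)  /* no header, or not short form */
        return 0;
    end = 2 + (size_t)data[1];
    return end > datalen ? end - datalen : 0;
}

/* Hardened reader for one single-byte tag plus length at offset dp.
 * Short-form and definite long-form lengths are handled; indefinite
 * length (0x80) and multi-byte tags are out of scope for this sketch. */
static int read_header(const unsigned char *data, size_t datalen,
                       size_t dp, struct ber_hdr *out)
{
    size_t n, len;

    if (dp > datalen || header_check_new(dp, datalen))
        return BER_OVERRUN;
    out->tag = data[dp++];
    if ((out->tag & 0x1f) == 0x1f)
        return BER_UNSUPPORTED;
    len = data[dp++];
    if (len > 0x7f) {
        if (len == 0x80)
            return BER_UNSUPPORTED;
        n = len - 0x80;                 /* count of length bytes */
        if (n > sizeof(len))
            return BER_UNSUPPORTED;
        if (n > datalen - dp)           /* wrap-free 'dp >= datalen - n' */
            return BER_OVERRUN;
        for (len = 0; n > 0; n--)
            len = (len << 8) | data[dp++];
    }
    if (len > datalen - dp)             /* value must fit in what is left */
        return BER_OVERRUN;
    out->len = len;
    out->value_off = dp;
    return BER_OK;
}

int main(void)
{
    /* Constructed inputs: the 0x30 0x30 bytes come from the reproducer
     * quoted above, the other buffer is made up for this example. */
    const unsigned char truncated[] = { 0x30, 0x30 };
    const unsigned char valid[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    struct ber_hdr h;

    printf("empty buffer: old check rejects=%d, new check rejects=%d\n",
           header_check_old(0, 0), header_check_new(0, 0));
    printf("30 30: value overhangs by %zu bytes, reader returns %d\n",
           short_form_overhang(truncated, sizeof(truncated)),
           read_header(truncated, sizeof(truncated), 0, &h));
    if (read_header(valid, sizeof(valid), 0, &h) == BER_OK)
        printf("valid: tag=0x%02x len=%zu value_off=%zu\n",
               h.tag, h.len, h.value_off);
    return 0;
}
```

On non-empty buffers the old and new header checks agree; they differ only when `datalen` is 0, which is the case the "pkcs7_test" key type let through.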
| * assoc_array: Fix a buggy node-splitting case  David Howells  2017-11-02  1  -34/+17

commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b upstream.

This fixes CVE-2017-12193.

Fix a case in the assoc_array implementation in which a new leaf is added that needs to go into a node that happens to be full, where the existing leaves in that node cluster together at that level to the exclusion of new leaf.

What needs to happen is that the existing leaves get moved out to a new node, N1, at level + 1 and the existing node needs replacing with one, N0, that has pointers to the new leaf and to N1.

The code that tries to do this gets this wrong in two ways:

 (1) The pointer that should've pointed from N0 to N1 is set to point recursively to N0 instead.

 (2) The backpointer from N0 needs to be set correctly in the case N0 is either the root node or reached through a shortcut.

Fix this by removing this path and using the split_node path instead, which achieves the same end, but in a more general way (thanks to Eric Biggers for spotting the redundancy).

The problem manifests itself as:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    IP: assoc_array_apply_edit+0x59/0xe5

Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
Reported-and-tested-by: WU Fan <u3536072@connect.hku.hk>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * lib/digsig: fix dereference of NULL user_key_payload  Eric Biggers  2017-10-27  1  -0/+6

commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream.

digsig_verify() requests a user key, then accesses its payload. However, a revoked key has a NULL payload, and we failed to check for this. request_key() *does* skip revoked keys, but there is still a window where the key can be revoked before we acquire its semaphore.

Fix it by checking for a NULL payload, treating it like a key which was already revoked at the time it was requested.

Fixes: 051dbb918c7f ("crypto: digital signature verification support")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]  Andrey Ryabinin  2017-10-08  1  -1/+6

commit f5527fffff3f002b0a6b376163613b82f69de073 upstream.

This fixes CVE-2016-8650.

If mpi_powm() is given a zero exponent, it wants to immediately return either 1 or 0, depending on the modulus. However, if the result was initialised with zero limb space, no limbs space is allocated and a NULL-pointer exception ensues.

Fix this by allocating a minimal amount of limb space for the result when the 0-exponent case when the result is 1 and not touching the limb space when the result is 0.

This affects the use of RSA keys and X.509 certificates that carry them.

    BUG: unable to handle kernel NULL pointer dereference at (null)
    IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
    PGD 0
    Oops: 0002 [#1] SMP
    Modules linked in:
    CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
    Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
    task: ffff8804011944c0 task.stack: ffff880401294000
    RIP: 0010:[<ffffffff8138ce5d>] [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
    RSP: 0018:ffff880401297ad8 EFLAGS: 00010212
    RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
    RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
    RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
    R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
    FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
    Stack:
     ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
     0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
     ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
    Call Trace:
     [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
     [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
     [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
     [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
     [<ffffffff8132a95c>] rsa_verify+0x9d/0xee
     [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
     [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
     [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
     [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
     [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
     [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
     [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
     [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
     [<ffffffff812fe227>] SyS_add_key+0x154/0x19e
     [<ffffffff81001c2b>] do_syscall_64+0x80/0x191
     [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
    Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
    RIP [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
     RSP <ffff880401297ad8>
    CR2: 0000000000000000
    ---[ end trace d82015255d4a5d8d ]---

Basically, this is a backport of a libgcrypt patch:

    http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526

Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
cc: linux-ima-devel@lists.sourceforge.net
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

* | ANDROID: clock_gettime(CLOCK_BOOTTIME,) slows down >20x  Mark Salyzyn  2018-01-26  1  -2/+3

clock_gettime(CLOCK_BOOTTIME,) slows down after significant accumulation of suspend time creating a large offset between it and CLOCK_MONOTONIC time. The __iter_div_u64_rem() is only for the usage of adding a few second+nanosecond times and saving cycles on more expensive remainder and division operations, but iterates one second at a time which quickly goes out of scale in CLOCK_BOOTTIME's case since it was specified as nanoseconds only.

The fix is to split off seconds from the boot time and cap the nanoseconds so that __iter_div_u64_rem does not iterate.

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 72406285
Change-Id: Ia647ef1e76b7ba3b0c003028d4b3b955635adabb

* | STOPSHIP: vdso: disable switches for experiments  Mark Salyzyn  2018-01-10  1  -4/+45

Permit vdso to be enabled or disabled at will to manage performance experiments on the dogfood population. Parameters are accessible from user space at /sys/module/vdso/parameters/enable_{32|64}:

    enable_64=0 -> 64 bit vdso disabled
    enable_32=0 -> 32 bit vdso disabled

Overhead appears to be ~2ns to perform the checking on every call.

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Test: manual, bionic-benchmarks --bionic_xml=vdso.xml to confirm.
Bug: 70518189
Change-Id: Ic0fefa61919c93ad809eb20c5a8c8c1590b4cfc3

* | FROMLIST: lib: vdso: add support for time  Mark Salyzyn  2018-01-10  1  -0/+10

(cherry pick from url https://patchwork.kernel.org/patch/10053549/)

Add time() vdso support to match up with existing support in the x86's vdso. Currently benefitting arm and arm64 which uses the common vgettimeofday.c implementation. On arm provides about a ~14 fold improvement in speed over the straight syscall, and about a ~5 fold improvement in speed over an alternate library implementation that relies on the vdso call to gettimeofday to fulfill the request.

We can provide __vdso_time even if we can not provide a speed enhanced __vdso_gettimeofday.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Bug: 63737556
Bug: 20045882
Change-Id: I0bb3c6bafe57f9ed69350e2dd54edaae58316e8f

* | FROMLIST: [PATCH v5 12/12] lib: vdso: do not expose gettimeofday, if no arch supported timer  Mark Salyzyn  2018-01-10  1  -32/+20

(cherry pick from url https://patchwork.kernel.org/patch/10044539/)

Take an effort to recode the arm64 vdso code from assembler to C previously submitted by Andrew Pinski <apinski@cavium.com>, rework it for use in both arm and arm64, overlapping any optimizations for each architecture. But instead of landing it in arm64, land the result into lib/vdso and unify both implementations to simplify future maintenance.

If ARCH_PROVIDES_TIMER is not defined, do not expose gettimeofday. libc will default directly to syscall. Also ifdef clock_gettime switch cases and stubs if not supported and other unused components.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Cc: James Morse <james.morse@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andy Gross <andy.gross@linaro.org>
Cc: Kevin Brodsky <kevin.brodsky@arm.com>
Cc: Andrew Pinski <apinski@cavium.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Bug: 63737556
Bug: 20045882
Change-Id: I362a7114db0aac800e16eb90d14a8739e18f42e4

* | FROMLIST: BACKPORT: [PATCH v5 11/12] lib: vdso: Add support for CLOCK_BOOTTIME  Mark Salyzyn  2018-01-10  1  -0/+55

(cherry pick from url https://patchwork.kernel.org/patch/10044503/)

Take an effort to recode the arm64 vdso code from assembler to C previously submitted by Andrew Pinski <apinski@cavium.com>, rework it for use in both arm and arm64, overlapping any optimizations for each architecture. But instead of landing it in arm64, land the result into lib/vdso and unify both implementations to simplify future maintenance.

Add a case for CLOCK_BOOTTIME as it is popular for measuring relative time on systems expected to suspend() or hibernate().

Android uses CLOCK_BOOTTIME for all relative time measurements and timeouts. Switching to vdso reduced CPU utilization and improves accuracy. There is also a desire by some partners to switch all logging over to CLOCK_BOOTTIME, and thus this operation alone would contribute to a near percentile CPU load.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Cc: James Morse <james.morse@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andy Gross <andy.gross@linaro.org>
Cc: Kevin Brodsky <kevin.brodsky@arm.com>
Cc: Andrew Pinski <apinski@cavium.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Bug: 63737556
Bug: 20045882
Change-Id: I76c26b054baf7f1100e03c65d6b16fe649b883b1

* | FROMLIST: [PATCH v5 09/12] arm: vdso: move vgettimeofday.c to lib/vdso/  Mark Salyzyn  2018-01-10  3  -0/+392

(cherry pick from url https://patchwork.kernel.org/patch/10044497/)

Take an effort to recode the arm64 vdso code from assembler to C previously submitted by Andrew Pinski <apinski@cavium.com>, rework it for use in both arm and arm64, overlapping any optimizations for each architecture. But instead of landing it in arm64, land the result into lib/vdso and unify both implementations to simplify future maintenance.

Declare arch/arm/vdso/vgettimeofday.c to be a candidate for a global implementation of the vdso timer calls. The hope is that new architectures can take advantage of the current unification of arm and arm64 implementations.

We urge future efforts to merge their implementations into the global vgettimeofday.c file and thus provide functional parity.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Cc: James Morse <james.morse@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andy Gross <andy.gross@linaro.org>
Cc: Kevin Brodsky <kevin.brodsky@arm.com>
Cc: Andrew Pinski <apinski@cavium.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Bug: 63737556
Bug: 20045882
Change-Id: If7da1d8144684d52ed9520a581e6023c623df931

* | Merge linux-3.18.70 into android-msm-marlin-3.18  Thierry Strudel  2017-09-12  3  -12/+103
|\|

Change-Id: Ifbed5d4275df07fa37f66c873eab5740228e422a
Signed-off-by: Thierry Strudel <tstrudel@google.com>

| * lib: bitmap: add alignment offset for bitmap_find_next_zero_area()  Michal Nazarewicz  2017-09-02  1  -11/+13

commit 5e19b013f55a884c59a14391b22138899d1cc4cc upstream.

Add a bitmap_find_next_zero_area_off() function which works like bitmap_find_next_zero_area() function except it allows an offset to be specified when alignment is checked. This lets caller request a bit such that its number plus the offset is aligned according to the mask.

[gregory.0xf0@gmail.com: Retrieved from https://patchwork.linuxtv.org/patch/6254/ and updated documentation]

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Gregory Fong <gregory.0xf0@gmail.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Kukjin Kim <kgene.kim@samsung.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Laura Abbott <lauraa@codeaurora.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * lib/Kconfig.debug: fix frv build failure  Sudip Mukherjee  2017-08-11  1  -1/+1

[ Upstream commit da0510c47519fe0999cffe316e1d370e29f952be ]

The build of frv allmodconfig was failing with the errors like:

    /tmp/cc0JSPc3.s: Assembler messages:
    /tmp/cc0JSPc3.s:1839: Error: symbol `.LSLT0' is already defined
    /tmp/cc0JSPc3.s:1842: Error: symbol `.LASLTP0' is already defined
    /tmp/cc0JSPc3.s:1969: Error: symbol `.LELTP0' is already defined
    /tmp/cc0JSPc3.s:1970: Error: symbol `.LELT0' is already defined

Commit 866ced950bcd ("kbuild: Support split debug info v4") introduced splitting the debug info and keeping that in a separate file. Somehow, the frv-linux gcc did not like that and I am guessing that instead of splitting it started copying. The first report about this is at:

    https://lists.01.org/pipermail/kbuild-all/2015-July/010527.html.

I will try and see if this can work with frv and if still fails I will open a bug report with gcc. But meanwhile this is the easiest option to solve build failure of frv.

Fixes: 866ced950bcd ("kbuild: Support split debug info v4")
Link: http://lkml.kernel.org/r/1482062348-5352-1-git-send-email-sudipm.mukherjee@gmail.com
Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

| * strscpy: zero any trailing garbage bytes in the destination    Chris Metcalf    2017-08-11    1    -1/+2
| | commit 990486c8af044f89bddfbde1d1cf9fde449bedbf upstream.
| |
| | It's possible that the destination can be shadowed in userspace
| | (as, for example, the perf buffers are now). So we should take
| | care not to leak data that could be inspected by userspace.
| |
| | Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>
| | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * string: provide strscpy()    Chris Metcalf    2017-08-11    1    -0/+88
| | commit 30035e45753b708e7d47a98398500ca005e02b86 upstream.
| |
| | The strscpy() API is intended to be used instead of strlcpy(),
| | and instead of most uses of strncpy().
| |
| | - Unlike strlcpy(), it doesn't read from memory beyond (src + size).
| |
| | - Unlike strlcpy() or strncpy(), the API provides an easy way to check
| |   for destination buffer overflow: an -E2BIG error return value.
| |
| | - The provided implementation is robust in the face of the source
| |   buffer being asynchronously changed during the copy, unlike the
| |   current implementation of strlcpy().
| |
| | - Unlike strncpy(), the destination buffer will be NUL-terminated
| |   if the string in the source buffer is too long.
| |
| | - Also unlike strncpy(), the destination buffer will not be updated
| |   beyond the NUL termination, avoiding strncpy's behavior of zeroing
| |   the entire tail end of the destination buffer. (A memset() after
| |   the strscpy() can be used if this behavior is desired.)
| |
| | - The implementation should be reasonably performant on all
| |   platforms since it uses the asm/word-at-a-time.h API rather than
| |   simple byte copy. Kernel-to-kernel string copy is not considered
| |   to be performance critical in any case.
| |
| | Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>
| | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | ANDROID: lib: vsprintf: Add "%paP", "%padP" options    Chris Fries    2017-08-02    1    -3/+8
| | Add %paP and %padP for physical addresses that need to always be shown
| | regardless of kptr restrictions.
| |
| | Bug: 37723342
| | Bug: 30368199
| | Change-Id: I4884854d9465be89f366d4d7b56c825918b91599
| | Signed-off-by: Chris Fries <cfries@google.com>
* | Merge 3.18.59 into android-msm-marlin-3.18    Greg Kroah-Hartman    2017-06-29    1    -3/+3
|\|
| | Changes in 3.18.59
| |   fs/exec.c: account for argv/envp pointers
| |   autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
| |   lib/cmdline.c: fix get_options() overflow while parsing ranges
| |   KVM: PPC: Book3S HV: Preserve userspace HTM state properly
| |   CIFS: Improve readdir verbosity
| |   signal: Only reschedule timers on signals timers have sent
| |   powerpc/kprobes: Pause function_graph tracing during jprobes handling
| |   Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
| |   target: Fix kref->refcount underflow in transport_cmd_finish_abort
| |   rxrpc: Fix several cases where a padded len isn't checked in ticket decode
| |   of: Add check to of_scan_flat_dt() before accessing initial_boot_params
| |   mtd: spi-nor: fix spansion quad enable
| |   powerpc/slb: Force a full SLB flush when we insert for a bad EA
| |   usb: gadget: f_fs: avoid out of bounds access on comp_desc
| |   net: phy: fix marvell phy status reading
| |   mac80211/wpa: use constant time memory comparison for MACs
| |   Linux 3.18.59
| |
| | Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * lib/cmdline.c: fix get_options() overflow while parsing ranges    Ilya Matveychikov    2017-06-29    1    -3/+3
| | commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream.
| |
| | When using get_options() it's possible to specify a range of numbers,
| | like 1-100500. The problem is that it doesn't track array size while
| | calling internally to get_range() which iterates over the range and
| | fills the memory with numbers.
| |
| | Link: http://lkml.kernel.org/r/2613C75C-B04D-4BFF-82A6-12F97BA0F620@gmail.com
| | Signed-off-by: Ilya V. Matveychikov <matvejchikov@gmail.com>
| | Cc: Jonathan Corbet <corbet@lwn.net>
| | Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
| | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge 3.18.57 into android-msm-marlin-3.18    Greg Kroah-Hartman    2017-06-29    1    -2/+18
|\|
| | Changes in 3.18.57
| |   bnx2x: Fix Multi-Cos
| |   ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
| |   cxgb4: avoid enabling napi twice to the same queue
| |   tcp: disallow cwnd undo when switching congestion control
| |   ipv6: Fix leak in ipv6_gso_segment().
| |   net: ping: do not abuse udp_poll()
| |   net: ethoc: enable NAPI before poll may be scheduled
| |   serial: ifx6x60: fix use-after-free on module unload
| |   KEYS: fix dereferencing NULL payload with nonzero length
| |   KEYS: fix freeing uninitialized memory in key_update()
| |   crypto: gcm - wait for crypto op not signal safe
| |   nfsd4: fix null dereference on replay
| |   kvm: async_pf: fix rcu_irq_enter() with irqs enabled
| |   KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation
| |   arm: KVM: Allow unaligned accesses at HYP
| |   dmaengine: ep93xx: Always start from BASE0
| |   ext4: fix SEEK_HOLE
| |   ext4: keep existing extra fields when inode expands
| |   usb: gadget: f_mass_storage: Serialize wake and sleep execution
| |   usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
| |   usb: chipidea: debug: check before accessing ci_role
| |   staging/lustre/lov: remove set_fs() call from lov_getstripe()
| |   iio: proximity: as3935: fix AS3935_INT mask
| |   drivers: char: random: add get_random_long()
| |   random: properly align get_random_int_hash
| |   stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms
| |   btrfs: use correct types for page indices in btrfs_page_exists_in_range
| |   btrfs: fix memory leak in update_space_info failure path
| |   scsi: qla2xxx: don't disable a not previously enabled PCI device
| |   powerpc/eeh: Avoid use after free in eeh_handle_special_event()
| |   powerpc/numa: Fix percpu allocations to be NUMA aware
| |   perf/core: Drop kernel samples even though :u is specified
| |   drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
| |   drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
| |   ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
| |   ASoC: Fix use-after-free at card unregistration
| |   drivers: char: mem: Fix wraparound check to allow mappings up to the end
| |   serial: sh-sci: Fix panic when serial console and DMA are enabled
| |   arm64: hw_breakpoint: fix watchpoint matching for tagged pointers
| |   arm64: entry: improve data abort handling of tagged pointers
| |   RDMA/qib,hfi1: Fix MR reference count leak on write with immediate
| |   usercopy: Adjust tests to deal with SMAP/PAN
| |   arm64: ensure extension of smp_store_release value
| |   mlx5: stop including <asm-generic/kmap_types.h>
| |   ALSA: timer: Fix race between read and ioctl
| |   Linux 3.18.57
| |
| | Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * usercopy: Adjust tests to deal with SMAP/PAN    Kees Cook    2017-06-14    1    -2/+18
| | commit f5f893c57e37ca730808cb2eee3820abd05e7507 upstream.
| |
| | Under SMAP/PAN/etc, we cannot write directly to userspace memory, so
| | this rearranges the test bytes to get written through copy_to_user().
| | Additionally drops the bad copy_from_user() test that would trigger a
| | memcpy() against userspace on failure.
| |
| | [arnd: the test module was added in 3.14, and this backported patch
| |        should apply cleanly on all versions from 3.14 to 4.10.
| |        The original patch was in 4.11 on top of a context change
| |        I saw the bug triggered with kselftest on a 4.4.y stable kernel]
| |
| | Signed-off-by: Kees Cook <keescook@chromium.org>
| | Signed-off-by: Arnd Bergmann <arnd@arndb.de>
| | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * KEYS: Fix ASN.1 indefinite length object parsing    David Howells    2017-05-20    1    -7/+9
| | commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream.
| |
| | This fixes CVE-2016-0758.
| |
| | In the ASN.1 decoder, when the length field of an ASN.1 value is
| | extracted, it isn't validated against the remaining amount of data
| | before being added to the cursor. With a sufficiently large size
| | indicated, the check:
| |
| |   datalen - dp < 2
| |
| | may then fail due to integer overflow.
| |
| | Fix this by checking the length indicated against the amount of
| | remaining data in both places a definite length is determined.
| |
| | Whilst we're at it, make the following changes:
| |
| | (1) Check the maximum size of extended length does not exceed the
| |     capacity of the variable it's being stored in (len) rather than
| |     the type that variable is assumed to be (size_t).
| |
| | (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than
| |     the integer 0.
| |
| | (3) To reduce confusion, move the initialisation of len outside of:
| |
| |       for (len = 0; n > 0; n--) {
| |
| |     since it doesn't have anything to do with the loop counter n.
| |
| | Signed-off-by: David Howells <dhowells@redhat.com>
| | Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| | Acked-by: David Woodhouse <David.Woodhouse@intel.com>
| | Acked-by: Peter Jones <pjones@redhat.com>
| | Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
| | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
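The length validation described in the commit message above, as an added C sketch (not the kernel's asn1_decoder.c code): it reads one definite-length header and compares the decoded length with the bytes that remain instead of adding it to the cursor. The function names, return codes and sample bytes are assumptions constructed for illustration, and indefinite lengths are rejected rather than parsed.

```c
#include <stddef.h>
#include <stdint.h>

/* Return codes for this example (hypothetical names, not the kernel's). */
enum { DER_TRUNCATED = -1, DER_UNSUPPORTED = -2, DER_OVERRUN = -3 };

/*
 * Read one definite-length header at *dp. On success, advance *dp to the
 * first content octet and return the content length; else return an error.
 */
long der_read_header(const uint8_t *data, size_t datalen, size_t *dp)
{
    size_t p = *dp, n, len = 0;

    if (p > datalen || datalen - p < 2)
        return DER_TRUNCATED;         /* need a tag and one length octet */
    p++;                              /* skip the tag octet */
    n = data[p++];
    if (n > 0x7f) {                   /* long form: low 7 bits count octets */
        n &= 0x7f;
        if (n == 0 || n > sizeof(len))
            return DER_UNSUPPORTED;   /* indefinite, or too wide for len */
        if (n > datalen - p)
            return DER_TRUNCATED;     /* the length octets are cut short */
        while (n--)
            len = (len << 8) | data[p++];
    } else {
        len = n;
    }
    /* Compare against what is left; never form p + len, which can wrap. */
    if (len > datalen - p)
        return DER_OVERRUN;
    *dp = p;
    return (long)len;
}

/* Constructed sample inputs (not taken from any real certificate). */
static const uint8_t sample_ok[]    = { 0x02, 0x01, 0x05 };
static const uint8_t sample_huge[]  = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff };
static const uint8_t sample_short[] = { 0x30, 0x82, 0x01 };

/* Convenience wrapper: parse the header at offset 0 of a buffer. */
long der_first_len(const uint8_t *buf, size_t n)
{
    size_t dp = 0;
    return der_read_header(buf, n, &dp);
}

int main(void)
{
    return der_first_len(sample_ok, sizeof sample_ok) == 1 ? 0 : 1;
}
```

`sample_huge` declares a 0xffffffff-byte value inside a six-byte buffer; the comparison against `datalen - p` rejects it before the cursor moves.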
| * ASN.1: Fix non-match detection failure on data overrun    David Howells    2017-05-20    1    -3/+2
| | commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f upstream.
| |
| | If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
| | matches get skipped if there's no more data to be had rather than a
| | data-overrun error being reported.
| |
| | This is due to the code segment that decides whether to skip optional
| | matches (ie. matches that could get ignored because an element is marked
| | OPTIONAL in the grammar) due to a lack of data also skips non-optional
| | elements if the data pointer has reached the end of the buffer.
| |
| | This can be tested with the data decoder for the new RSA akcipher algorithm
| | that takes three non-optional integers. Currently, it skips the last
| | integer if there is insufficient data.
| |
| | Without the fix, #defining DEBUG in asn1_decoder.c will show something
| | like:
| |
| |   next_op: pc=0/13 dp=0/270 C=0 J=0
| |   - match? 30 30 00
| |   - TAG: 30 266 CONS
| |   next_op: pc=2/13 dp=4/270 C=1 J=0
| |   - match? 02 02 00
| |   - TAG: 02 257
| |   - LEAF: 257
| |   next_op: pc=5/13 dp=265/270 C=1 J=0
| |   - match? 02 02 00
| |   - TAG: 02 3
| |   - LEAF: 3
| |   next_op: pc=8/13 dp=270/270 C=1 J=0
| |   next_op: pc=11/13 dp=270/270 C=1 J=0
| |   - end cons t=4 dp=270 l=270/270
| |
| | The next_op line for pc=8/13 should be followed by a match line.
| |
| | This is not exploitable for X.509 certificates by means of shortening the
| | message and fixing up the ASN.1 CONS tags because:
| |
| | (1) The relevant records being built up are cleared before use.
| |
| | (2) If the message is shortened sufficiently to remove the public key, the
| |     ASN.1 parse of the RSA key will fail quickly due to a lack of data.
| |
| | (3) Extracted signature data is either turned into MPIs (which cope with a
| |     0 length) or is simpler integers specifying algorithms and suchlike
| |     (which can validly be 0); and
| |
| | (4) The AKID and SKID extensions are optional and their removal is handled
| |     without risking passing a NULL to asymmetric_key_generate_id().
| |
| | (5) If the certificate is truncated sufficiently to remove the subject,
| |     issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
| |     stack underflow' return.
| |
| | This is not exploitable for PKCS#7 messages by means of removal of elements
| | from such a message from the tail end of a sequence:
| |
| | (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
| |     as detailed above.
| |
| | (2) The message digest content isn't used if it shows a NULL pointer,
| |     similarly, the authattrs aren't used if that shows a NULL pointer.
| |
| | (3) A missing signature results in a NULL MPI - which the MPI routines deal
| |     with.
| |
| | (4) If data is NULL, it is expected that the message has detached content and
| |     that is handled appropriately.
| |
| | (5) If the serialNumber is excised, the unconditional action associated
| |     with it will pick up the containing SEQUENCE instead, so no NULL
| |     pointer will be seen here.
| |
| |     If both the issuer and the serialNumber are excised, the ASN.1 decode
| |     will fail with an 'Unexpected tag' return.
| |
| |     In either case, there's no way to get to asymmetric_key_generate_id()
| |     with a NULL pointer.
| |
| | (6) Other fields are decoded to simple integers. Shortening the message
| |     to omit an algorithm ID field will cause checks on this to fail early
| |     in the verification process.
| |
| | This can also be tested by snipping objects off of the end of the ASN.1
| | stream such that mandatory tags are removed - or even from the end of
| | internal SEQUENCEs. If any mandatory tag is missing, the error EBADMSG
| | *should* be produced. Without this patch ERANGE or ENOPKG might be
| | produced or the parse may apparently succeed, perhaps with ENOKEY or
| | EKEYREJECTED being produced later, depending on what gets snipped.
| |
| | Just snipping off the final BIT_STRING or OCTET_STRING from either sample
| | should be a start since both are mandatory and neither will cause an
| | EBADMSG without the patches
| |
| | Reported-by: Marcel Holtmann <marcel@holtmann.org>
| | Signed-off-by: David Howells <dhowells@redhat.com>
| | Tested-by: Marcel Holtmann <marcel@holtmann.org>
| | Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
| | Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
| | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>