)]}'
{
  "log": [
    {
      "commit": "16f3f0d74b2069038a24f69952f0c19ad7c48d9a",
      "tree": "aeed50cdfaf3e659c9eb81dd9821bbecb2343dd3",
      "parents": [
        "d03daec2e50aa2a0b6de2c3572af5e1d61f9d132"
      ],
      "author": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:06:00 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:06:00 2020 +0100"
      },
      "message": "Linux 3.16.85\n"
    },
    {
      "commit": "d03daec2e50aa2a0b6de2c3572af5e1d61f9d132",
      "tree": "ec44108ac701d6788c6cf42c484a09aed40e33cb",
      "parents": [
        "493b4e7e4ed9cb671788d886bbc0f8d26ae10dba"
      ],
      "author": {
        "name": "Alexander Potapenko",
        "email": "glider@google.com",
        "time": "Wed May 27 22:20:52 2020 -0700"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:58 2020 +0100"
      },
      "message": "fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()\n\ncommit 1d605416fb7175e1adf094251466caa52093b413 upstream.\n\nKMSAN reported uninitialized data being written to disk when dumping\ncore.  As a result, several kilobytes of kmalloc memory may be written\nto the core file and then read by a non-privileged user.\n\nReported-by: sam \u003csunhaoyl@outlook.com\u003e\nSigned-off-by: Alexander Potapenko \u003cglider@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nLink: http://lkml.kernel.org/r/20200419100848.63472-1-glider@google.com\nLink: https://github.com/google/kmsan/issues/76\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "493b4e7e4ed9cb671788d886bbc0f8d26ae10dba",
      "tree": "ae7b823a387f99539a2c7faae538b859d31fe33a",
      "parents": [
        "948cfe9d8a2e3f0465340d5dea9d61f282df00e7"
      ],
      "author": {
        "name": "Jason A. Donenfeld",
        "email": "Jason@zx2c4.com",
        "time": "Fri Feb 21 21:10:37 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:58 2020 +0100"
      },
      "message": "random: always use batched entropy for get_random_u{32,64}\n\ncommit 69efea712f5b0489e67d07565aad5c94e09a3e52 upstream.\n\nIt turns out that RDRAND is pretty slow. Comparing these two\nconstructions:\n\n  for (i \u003d 0; i \u003c CHACHA_BLOCK_SIZE; i +\u003d sizeof(ret))\n    arch_get_random_long(\u0026ret);\n\nand\n\n  long buf[CHACHA_BLOCK_SIZE / sizeof(long)];\n  extract_crng((u8 *)buf);\n\nit amortizes out to 352 cycles per long for the top one and 107 cycles\nper long for the bottom one, on Coffee Lake Refresh, Intel Core i9-9880H.\n\nAnd importantly, the top one has the drawback of not benefiting from the\nreal rng, whereas the bottom one has all the nice benefits of using our\nown chacha rng. As get_random_u{32,64} gets used in more places (perhaps\nbeyond what it was originally intended for when it was introduced as\nget_random_{int,long} back in the md5 monstrosity era), it seems like it\nmight be a good thing to strengthen its posture a tiny bit. Doing this\nshould only be stronger and not any weaker because that pool is already\ninitialized with a bunch of rdrand data (when available). This way, we\nget the benefits of the hardware rng as well as our own rng.\n\nAnother benefit of this is that we no longer hit pitfalls of the recent\nstream of AMD bugs in RDRAND. One often used code pattern for various\nthings is:\n\n  do {\n  \tval \u003d get_random_u32();\n  } while (hash_table_contains_key(val));\n\nThat recent AMD bug rendered that pattern useless, whereas we\u0027re really\nvery certain that chacha20 output will give pretty distributed numbers,\nno matter what.\n\nSo, this simplification seems better both from a security perspective\nand from a performance perspective.\n\nSigned-off-by: Jason A. Donenfeld \u003cJason@zx2c4.com\u003e\nReviewed-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nLink: https://lore.kernel.org/r/20200221201037.30231-1-Jason@zx2c4.com\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n[bwh: Backported to 3.16: Only get_random_int() exists here]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "948cfe9d8a2e3f0465340d5dea9d61f282df00e7",
      "tree": "217febc091efad5d4406770f904340b314d8d435",
      "parents": [
        "0d314e817a11e62ab223b27166de0c6b3859e0e7"
      ],
      "author": {
        "name": "Josh Poimboeuf",
        "email": "jpoimboe@redhat.com",
        "time": "Mon Apr 27 20:46:13 2020 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:58 2020 +0100"
      },
      "message": "x86/speculation: Add Ivy Bridge to affected list\n\ncommit 3798cc4d106e91382bfe016caa2edada27c2bb3f upstream.\n\nMake the docs match the code.\n\nSigned-off-by: Josh Poimboeuf \u003cjpoimboe@redhat.com\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "0d314e817a11e62ab223b27166de0c6b3859e0e7",
      "tree": "bc21ba8bf880151a9c672a984ec4eee4aa422075",
      "parents": [
        "8c95356f8493c164c8878134d25f30cbd6d7ae5c"
      ],
      "author": {
        "name": "Mark Gross",
        "email": "mgross@linux.intel.com",
        "time": "Tue Apr 28 16:58:21 2020 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:57 2020 +0100"
      },
      "message": "x86/speculation: Add SRBDS vulnerability and mitigation documentation\n\ncommit 7222a1b5b87417f22265c92deea76a6aecd0fb0f upstream.\n\nAdd documentation for the SRBDS vulnerability and its mitigation.\n\n [ bp: Massage.\n   jpoimboe: sysfs table strings. ]\n\nSigned-off-by: Mark Gross \u003cmgross@linux.intel.com\u003e\nSigned-off-by: Borislav Petkov \u003cbp@suse.de\u003e\nReviewed-by: Tony Luck \u003ctony.luck@intel.com\u003e\nReviewed-by: Josh Poimboeuf \u003cjpoimboe@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "8c95356f8493c164c8878134d25f30cbd6d7ae5c",
      "tree": "f9f90f49a8254276f5fe5672771715dda55a1bf6",
      "parents": [
        "98a637c406eefe95f2428739c1397f250bb7fadd"
      ],
      "author": {
        "name": "Mark Gross",
        "email": "mgross@linux.intel.com",
        "time": "Tue Apr 28 16:58:20 2020 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:57 2020 +0100"
      },
      "message": "x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation\n\ncommit 7e5b3c267d256822407a22fdce6afdf9cd13f9fb upstream.\n\nSRBDS is an MDS-like speculative side channel that can leak bits from the\nrandom number generator (RNG) across cores and threads. New microcode\nserializes the processor access during the execution of RDRAND and\nRDSEED. This ensures that the shared buffer is overwritten before it is\nreleased for reuse.\n\nWhile it is present on all affected CPU models, the microcode mitigation\nis not needed on models that enumerate ARCH_CAPABILITIES[MDS_NO] in the\ncases where TSX is not supported or has been disabled with TSX_CTRL.\n\nThe mitigation is activated by default on affected processors and it\nincreases latency for RDRAND and RDSEED instructions. Among other\neffects this will reduce throughput from /dev/urandom.\n\n* Enable administrator to configure the mitigation off when desired using\n  either mitigations\u003doff or srbds\u003doff.\n\n* Export vulnerability status via sysfs\n\n* Rename file-scoped macros to apply for non-whitelist table initializations.\n\n [ bp: Massage,\n   - s/VULNBL_INTEL_STEPPING/VULNBL_INTEL_STEPPINGS/g,\n   - do not read arch cap MSR a second time in tsx_fused_off() - just pass it in,\n   - flip check in cpu_set_bug_bits() to save an indentation level,\n   - reflow comments.\n   jpoimboe: s/Mitigated/Mitigation/ in user-visible strings\n   tglx: Dropped the fused off magic for now\n ]\n\nSigned-off-by: Mark Gross \u003cmgross@linux.intel.com\u003e\nSigned-off-by: Borislav Petkov \u003cbp@suse.de\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nReviewed-by: Tony Luck \u003ctony.luck@intel.com\u003e\nReviewed-by: Pawan Gupta \u003cpawan.kumar.gupta@linux.intel.com\u003e\nReviewed-by: Josh Poimboeuf \u003cjpoimboe@redhat.com\u003e\nTested-by: Neelima Krishnan \u003cneelima.krishnan@intel.com\u003e\n[bwh: Backported to 3.16:\n - CPU feature words and bugs are numbered differently\n - Adjust filename for \u003casm/msr-index.h\u003e]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "98a637c406eefe95f2428739c1397f250bb7fadd",
      "tree": "5d111cc07fca83cf762789119bff96e63530ece2",
      "parents": [
        "bed86e750bb02981a5efe110b7e9ae3d989a2e73"
      ],
      "author": {
        "name": "Mark Gross",
        "email": "mgross@linux.intel.com",
        "time": "Tue Apr 28 16:58:20 2020 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:56 2020 +0100"
      },
      "message": "x86/cpu: Add \u0027table\u0027 argument to cpu_matches()\n\ncommit 93920f61c2ad7edb01e63323832585796af75fc9 upstream.\n\nTo make cpu_matches() reusable for other matching tables, have it take a\npointer to a x86_cpu_id table as an argument.\n\n [ bp: Flip arguments order. ]\n\nSigned-off-by: Mark Gross \u003cmgross@linux.intel.com\u003e\nSigned-off-by: Borislav Petkov \u003cbp@suse.de\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nReviewed-by: Josh Poimboeuf \u003cjpoimboe@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "bed86e750bb02981a5efe110b7e9ae3d989a2e73",
      "tree": "c6a95a7a11bb4ad237a695d841359885d7c4f46a",
      "parents": [
        "582f3009d4511bdd12a4d88ae52da46359cd88aa"
      ],
      "author": {
        "name": "Mark Gross",
        "email": "mgross@linux.intel.com",
        "time": "Tue Apr 28 16:58:20 2020 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:56 2020 +0100"
      },
      "message": "x86/cpu: Add a steppings field to struct x86_cpu_id\n\ncommit e9d7144597b10ff13ff2264c059f7d4a7fbc89ac upstream.\n\nIntel uses the same family/model for several CPUs. Sometimes the\nstepping must be checked to tell them apart.\n\nOn x86 there can be at most 16 steppings. Add a steppings bitmask to\nx86_cpu_id and a X86_MATCH_VENDOR_FAMILY_MODEL_STEPPING_FEATURE macro\nand support for matching against family/model/stepping.\n\n [ bp: Massage.\n   tglx: Lightweight variant for backporting ]\n\nSigned-off-by: Mark Gross \u003cmgross@linux.intel.com\u003e\nSigned-off-by: Borislav Petkov \u003cbp@suse.de\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nReviewed-by: Tony Luck \u003ctony.luck@intel.com\u003e\nReviewed-by: Josh Poimboeuf \u003cjpoimboe@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "582f3009d4511bdd12a4d88ae52da46359cd88aa",
      "tree": "265989723b1b6139639c2fe1ac324249ebbe2aac",
      "parents": [
        "53b7a2eb6f94f439bce973593ce177592d34c63f"
      ],
      "author": {
        "name": "Jia Zhang",
        "email": "qianyue.zj@alibaba-inc.com",
        "time": "Mon Jan 01 09:52:10 2018 +0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:55 2020 +0100"
      },
      "message": "x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping\n\ncommit b399151cb48db30ad1e0e93dd40d68c6d007b637 upstream.\n\nx86_mask is a confusing name which is hard to associate with the\nprocessor\u0027s stepping.\n\nAdditionally, correct an indent issue in lib/cpu.c.\n\nSigned-off-by: Jia Zhang \u003cqianyue.zj@alibaba-inc.com\u003e\n[ Updated it to more recent kernels. ]\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: bp@alien8.de\nCc: tony.luck@intel.com\nLink: http://lkml.kernel.org/r/1514771530-70829-1-git-send-email-qianyue.zj@alibaba-inc.com\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n[bwh: Backported to 3.16:\n - Drop changes in arch/x86/lib/cpu.c\n - Adjust filenames, context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "53b7a2eb6f94f439bce973593ce177592d34c63f",
      "tree": "66850350109e98947018edc13be936c5f01909fd",
      "parents": [
        "71bfaf9e30125ec5b408fd328e412abf3b23214d"
      ],
      "author": {
        "name": "Shijie Luo",
        "email": "luoshijie1@huawei.com",
        "time": "Mon Feb 10 20:17:52 2020 -0500"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:55 2020 +0100"
      },
      "message": "ext4: add cond_resched() to ext4_protect_reserved_inode\n\ncommit af133ade9a40794a37104ecbcc2827c0ea373a3c upstream.\n\nWhen journal size is set too big by \"mkfs.ext4 -J size\u003d\", or when\nwe mount a crafted image to make journal inode-\u003ei_size too big,\nthe loop, \"while (i \u003c num)\", holds cpu too long. This could cause\nsoft lockup.\n\n[  529.357541] Call trace:\n[  529.357551]  dump_backtrace+0x0/0x198\n[  529.357555]  show_stack+0x24/0x30\n[  529.357562]  dump_stack+0xa4/0xcc\n[  529.357568]  watchdog_timer_fn+0x300/0x3e8\n[  529.357574]  __hrtimer_run_queues+0x114/0x358\n[  529.357576]  hrtimer_interrupt+0x104/0x2d8\n[  529.357580]  arch_timer_handler_virt+0x38/0x58\n[  529.357584]  handle_percpu_devid_irq+0x90/0x248\n[  529.357588]  generic_handle_irq+0x34/0x50\n[  529.357590]  __handle_domain_irq+0x68/0xc0\n[  529.357593]  gic_handle_irq+0x6c/0x150\n[  529.357595]  el1_irq+0xb8/0x140\n[  529.357599]  __ll_sc_atomic_add_return_acquire+0x14/0x20\n[  529.357668]  ext4_map_blocks+0x64/0x5c0 [ext4]\n[  529.357693]  ext4_setup_system_zone+0x330/0x458 [ext4]\n[  529.357717]  ext4_fill_super+0x2170/0x2ba8 [ext4]\n[  529.357722]  mount_bdev+0x1a8/0x1e8\n[  529.357746]  ext4_mount+0x44/0x58 [ext4]\n[  529.357748]  mount_fs+0x50/0x170\n[  529.357752]  vfs_kern_mount.part.9+0x54/0x188\n[  529.357755]  do_mount+0x5ac/0xd78\n[  529.357758]  ksys_mount+0x9c/0x118\n[  529.357760]  __arm64_sys_mount+0x28/0x38\n[  529.357764]  el0_svc_common+0x78/0x130\n[  529.357766]  el0_svc_handler+0x38/0x78\n[  529.357769]  el0_svc+0x8/0xc\n[  541.356516] watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [mount:18674]\n\nLink: https://lore.kernel.org/r/20200211011752.29242-1-luoshijie1@huawei.com\nReviewed-by: Jan Kara \u003cjack@suse.cz\u003e\nSigned-off-by: Shijie Luo \u003cluoshijie1@huawei.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: stable@kernel.org\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "71bfaf9e30125ec5b408fd328e412abf3b23214d",
      "tree": "7284ad5c8914b6f9bee6de0d6e45151fb66052c3",
      "parents": [
        "a8a1d01018f66c5cc3cb2a4c194e55edcf0e50ec"
      ],
      "author": {
        "name": "Theodore Ts\u0027o",
        "email": "tytso@mit.edu",
        "time": "Wed May 22 10:27:01 2019 -0400"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:55 2020 +0100"
      },
      "message": "ext4: don\u0027t perform block validity checks on the journal inode\n\ncommit 0a944e8a6c66ca04c7afbaa17e22bf208a8b37f0 upstream.\n\nSince the journal inode is already checked when we added it to the\nblock validity\u0027s system zone, if we check it again, we\u0027ll just trigger\na failure.\n\nThis was causing failures like this:\n\n[   53.897001] EXT4-fs error (device sda): ext4_find_extent:909: inode\n#8: comm jbd2/sda-8: pblk 121667583 bad header/extent: invalid extent entries - magic f30a, entries 8, max 340(340), depth 0(0)\n[   53.931430] jbd2_journal_bmap: journal block not found at offset 49 on sda-8\n[   53.938480] Aborting journal on device sda-8.\n\n... but only if the system was under enough memory pressure that\nlogical-\u003ephysical mapping for the journal inode gets pushed out of the\nextent cache.  (This is why it wasn\u0027t noticed earlier.)\n\nFixes: 345c0dbf3a30 (\"ext4: protect journal inode\u0027s blocks using block_validity\")\nReported-by: Dan Rue \u003cdan.rue@linaro.org\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nTested-by: Naresh Kamboju \u003cnaresh.kamboju@linaro.org\u003e\n[bwh: Backported to 3.16: Use EXT4_HAS_COMPAT_FEATURE()]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "a8a1d01018f66c5cc3cb2a4c194e55edcf0e50ec",
      "tree": "a0b5d1ff6aa561757ad3506900186fc06b2cc560",
      "parents": [
        "310dac05e090433b1de043eff9d0b0c389ba843f"
      ],
      "author": {
        "name": "Theodore Ts\u0027o",
        "email": "tytso@mit.edu",
        "time": "Wed May 15 00:51:19 2019 -0400"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:54 2020 +0100"
      },
      "message": "ext4: fix block validity checks for journal inodes using indirect blocks\n\ncommit 170417c8c7bb2cbbdd949bf5c443c0c8f24a203b upstream.\n\nCommit 345c0dbf3a30 (\"ext4: protect journal inode\u0027s blocks using\nblock_validity\") failed to add an exception for the journal inode in\next4_check_blockref(), which is the function used by ext4_get_branch()\nfor indirect blocks.  This caused attempts to read from the ext3-style\njournals to fail with:\n\n[  848.968550] EXT4-fs error (device sdb7): ext4_get_branch:171: inode #8: block 30343695: comm jbd2/sdb7-8: invalid block\n\nFix this by adding the missing exception check.\n\nFixes: 345c0dbf3a30 (\"ext4: protect journal inode\u0027s blocks using block_validity\")\nReported-by: Arthur Marsh \u003carthur.marsh@internode.on.net\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\n[bwh: Backported to 3.16: Use EXT4_HAS_COMPAT_FEATURE]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "310dac05e090433b1de043eff9d0b0c389ba843f",
      "tree": "2a324600f5edf8ca42847fb71716c76ac32fc40d",
      "parents": [
        "51890201da4d654f6ca131bc45a0e892bb10de1d"
      ],
      "author": {
        "name": "Colin Ian King",
        "email": "colin.king@canonical.com",
        "time": "Fri May 10 22:06:38 2019 -0400"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:54 2020 +0100"
      },
      "message": "ext4: unsigned int compared against zero\n\ncommit fbbbbd2f28aec991f3fbc248df211550fbdfd58c upstream.\n\nThere are two cases where u32 variables n and err are being checked\nfor less than zero error values, the checks are always false because\nthe variables are not signed. Fix this by making the variables ints.\n\nAddresses-Coverity: (\"Unsigned compared against 0\")\nFixes: 345c0dbf3a30 (\"ext4: protect journal inode\u0027s blocks using block_validity\")\nSigned-off-by: Colin Ian King \u003ccolin.king@canonical.com\u003e\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "51890201da4d654f6ca131bc45a0e892bb10de1d",
      "tree": "18bcbfe09da40210dced818d0d2e2ff379311181",
      "parents": [
        "f9c6ffd9190290d3d2502c297e3df4aef3d034c0"
      ],
      "author": {
        "name": "Theodore Ts\u0027o",
        "email": "tytso@mit.edu",
        "time": "Tue Apr 09 23:37:08 2019 -0400"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:53 2020 +0100"
      },
      "message": "ext4: protect journal inode\u0027s blocks using block_validity\n\ncommit 345c0dbf3a30872d9b204db96b5857cd00808cae upstream.\n\nAdd the blocks which belong to the journal inode to block_validity\u0027s\nsystem zone so attempts to deallocate or overwrite the journal due to a\ncorrupted file system where the journal blocks are also claimed by\nanother inode.\n\nBugzilla: https://bugzilla.kernel.org/show_bug.cgi?id\u003d202879\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: stable@kernel.org\n[bwh: Backported to 3.16:\n - Use EXT4_HAS_COMPAT_FEATURE()\n - Use EIO instead of EFSCORRUPTED]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "f9c6ffd9190290d3d2502c297e3df4aef3d034c0",
      "tree": "47c9e6e85e76da36c6bcce262707ea398a8c47a6",
      "parents": [
        "d126cf46f829d146dde3e6a8963e095ac6cfcd1c"
      ],
      "author": {
        "name": "Tahsin Erdogan",
        "email": "tahsin@google.com",
        "time": "Thu May 17 18:23:04 2018 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:53 2020 +0100"
      },
      "message": "ext4: Make checks for metadata_csum feature safer\n\nThis is just a small part of commit dec214d00e0d7 \"ext4: xattr inode\ndeduplication\" that makes checks for metadata_csum feature safer and is\nactually needed by following fixes.\n\nSigned-off-by: Tahsin Erdogan \u003ctahsin@google.com\u003e\nAcked-by: Jan Kara \u003cjack@suse.cz\u003e\n[bwh: Ported to 3.16: Use EXT4_HAS_RO_COMPAT_FEATURE()]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "d126cf46f829d146dde3e6a8963e095ac6cfcd1c",
      "tree": "42876fc8e2acca85985f1e831d3c73616bdd9ae2",
      "parents": [
        "303c5366d664e0b860041e0647952dafcd71c5a1"
      ],
      "author": {
        "name": "Kyungtae Kim",
        "email": "kt0755@gmail.com",
        "time": "Sun May 10 05:43:34 2020 +0000"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:53 2020 +0100"
      },
      "message": "USB: gadget: fix illegal array access in binding with UDC\n\ncommit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream.\n\nFuzzUSB (a variant of syzkaller) found an illegal array access\nusing an incorrect index while binding a gadget with UDC.\n\nReference: https://www.spinics.net/lists/linux-usb/msg194331.html\n\nThis bug occurs when a size variable used for a buffer\nis misused to access its strcpy-ed buffer.\nGiven a buffer along with its size variable (taken from user input),\nfrom which, a new buffer is created using kstrdup().\nDue to the original buffer containing 0 value in the middle,\nthe size of the kstrdup-ed buffer becomes smaller than that of the original.\nSo accessing the kstrdup-ed buffer with the same size variable\ntriggers memory access violation.\n\nThe fix makes sure no zero value in the buffer,\nby comparing the strlen() of the original buffer with the size variable,\nso that the access to the kstrdup-ed buffer is safe.\n\nBUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200\ndrivers/usb/gadget/configfs.c:266\nRead of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208\n\nCPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x131/0x1b0 mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:641\n __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132\n gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266\n flush_write_buffer fs/configfs/file.c:251 [inline]\n configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283\n __vfs_write+0x85/0x110 fs/read_write.c:494\n vfs_write+0x1cd/0x510 fs/read_write.c:558\n ksys_write+0x18a/0x220 fs/read_write.c:611\n __do_sys_write fs/read_write.c:623 [inline]\n __se_sys_write fs/read_write.c:620 [inline]\n __x64_sys_write+0x73/0xb0 fs/read_write.c:620\n do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nSigned-off-by: Kyungtae Kim \u003ckt0755@gmail.com\u003e\nReported-and-tested-by: Kyungtae Kim \u003ckt0755@gmail.com\u003e\nCc: Felipe Balbi \u003cbalbi@kernel.org\u003e\nCc: stable \u003cstable@vger.kernel.org\u003e\nLink: https://lore.kernel.org/r/20200510054326.GA19198@pizza01\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "303c5366d664e0b860041e0647952dafcd71c5a1",
      "tree": "6babfd6f0af7d6695b10404a1046698f9884be42",
      "parents": [
        "f5eb337df20a24a9f9c7f96181ace9d61b590def"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Mon Mar 30 19:01:04 2020 -0500"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:52 2020 +0100"
      },
      "message": "signal: Extend exec_id to 64bits\n\ncommit d1e7fd6462ca9fc76650fbe6ca800e35b24267da upstream.\n\nReplace the 32bit exec_id with a 64bit exec_id to make it impossible\nto wrap the exec_id counter.  With care an attacker can cause exec_id\nwrap and send arbitrary signals to a newly exec\u0027d parent.  This\nbypasses the signal sending checks if the parent changes their\ncredentials during exec.\n\nThe severity of this problem can be seen that in my limited testing\nof a 32bit exec_id it can take as little as 19s to exec 65536 times.\nWhich means that it can take as little as 14 days to wrap a 32bit\nexec_id.  Adam Zabrocki has succeeded wrapping the self_exe_id in 7\ndays.  Even my slower timing is in the uptime of a typical server.\nWhich means self_exec_id is simply a speed bump today, and if exec\ngets noticeably faster self_exec_id won\u0027t even be a speed bump.\n\nExtending self_exec_id to 64bits introduces a problem on 32bit\narchitectures where reading self_exec_id is no longer atomic and can\ntake two read instructions.  Which means that it is possible to hit\na window where the read value of exec_id does not match the written\nvalue.  So with very lucky timing after this change this still\nremains exploitable.\n\nI have updated the update of exec_id on exec to use WRITE_ONCE\nand the read of exec_id in do_notify_parent to use READ_ONCE\nto make it clear that there is no locking between these two\nlocations.\n\nLink: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl\nFixes: 2.3.23pre2\nCc: stable@vger.kernel.org\nSigned-off-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\n[bwh: Backported to 3.16:\n - Use ACCESS_ONCE()\n - Adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "f5eb337df20a24a9f9c7f96181ace9d61b590def",
      "tree": "40e0c98b7f54e6b8c087433b7e0e755aa6a1af32",
      "parents": [
        "d3f4ead8e811140787bf39052a4bd2893fbf56b2"
      ],
      "author": {
        "name": "Wu Bo",
        "email": "wubo40@huawei.com",
        "time": "Tue Apr 14 10:13:28 2020 +0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:52 2020 +0100"
      },
      "message": "scsi: sg: add sg_remove_request in sg_write\n\ncommit 83c6f2390040f188cc25b270b4befeb5628c1aee upstream.\n\nIf the __copy_from_user function failed we need to call sg_remove_request\nin sg_write.\n\nLink: https://lore.kernel.org/r/610618d9-e983-fd56-ed0f-639428343af7@huawei.com\nAcked-by: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Wu Bo \u003cwubo40@huawei.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n[groeck: Backport to v5.4.y and older kernels]\nSigned-off-by: Guenter Roeck \u003clinux@roeck-us.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "d3f4ead8e811140787bf39052a4bd2893fbf56b2",
      "tree": "53408d2559454323a51dc2d841cf2598e146bbca",
      "parents": [
        "ed1c1e63c58ed1f7067f8bb5c439c958dc1c2d18"
      ],
      "author": {
        "name": "Li Bin",
        "email": "huawei.libin@huawei.com",
        "time": "Mon Apr 13 19:29:21 2020 +0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:51 2020 +0100"
      },
      "message": "scsi: sg: add sg_remove_request in sg_common_write\n\ncommit 849f8583e955dbe3a1806e03ecacd5e71cce0a08 upstream.\n\nIf the dxfer_len is greater than 256M then the request is invalid and we\nneed to call sg_remove_request in sg_common_write.\n\nLink: https://lore.kernel.org/r/1586777361-17339-1-git-send-email-huawei.libin@huawei.com\nFixes: f930c7043663 (\"scsi: sg: only check for dxfer_len greater than 256M\")\nAcked-by: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Li Bin \u003chuawei.libin@huawei.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "ed1c1e63c58ed1f7067f8bb5c439c958dc1c2d18",
      "tree": "475ca65aee999d0bcd4d7c6a5733d1257ab2cbff",
      "parents": [
        "8ffd761c97a83a5eb2ff500afd50a5bb9c3711ed"
      ],
      "author": {
        "name": "Tony Battersby",
        "email": "tonyb@cybernetics.com",
        "time": "Thu Jul 12 16:30:45 2018 -0400"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:51 2020 +0100"
      },
      "message": "scsi: sg: fix minor memory leak in error path\n\ncommit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.\n\nFix a minor memory leak when there is an error opening a /dev/sg device.\n\nFixes: cc833acbee9d (\"sg: O_EXCL and other lock handling\")\nCc: \u003cstable@vger.kernel.org\u003e\nReviewed-by: Ewan D. Milne \u003cemilne@redhat.com\u003e\nSigned-off-by: Tony Battersby \u003ctonyb@cybernetics.com\u003e\nReviewed-by: Bart Van Assche \u003cbart.vanassche@wdc.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "8ffd761c97a83a5eb2ff500afd50a5bb9c3711ed",
      "tree": "0e91a49c13db92b884a55f18ba525657551e4556",
      "parents": [
        "fd3206b7f195b5bdbbf9a535e4fbcbc88c12c9e3"
      ],
      "author": {
        "name": "Johannes Thumshirn",
        "email": "jthumshirn@suse.de",
        "time": "Wed May 10 09:53:40 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:50 2020 +0100"
      },
      "message": "scsi: sg: don\u0027t return bogus Sg_requests\n\ncommit 48ae8484e9fc324b4968d33c585e54bc98e44d61 upstream.\n\nIf the list search in sg_get_rq_mark() fails to find a valid request, we\nreturn a bogus element. This then can later lead to a GPF in\nsg_remove_scat().\n\nSo don\u0027t return bogus Sg_requests in sg_get_rq_mark() but NULL in case\nthe list search doesn\u0027t find a valid request.\n\nSigned-off-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReported-by: Andrey Konovalov \u003candreyknvl@google.com\u003e\nCc: Hannes Reinecke \u003chare@suse.de\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nCc: Doug Gilbert \u003cdgilbert@interlog.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@suse.de\u003e\nAcked-by: Doug Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nCc: Tony Battersby \u003ctonyb@cybernetics.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "fd3206b7f195b5bdbbf9a535e4fbcbc88c12c9e3",
      "tree": "dddff6987c5961fe4cb43201670e2e5317d54e54",
      "parents": [
        "99b6d6fb8a7e74d56d17808556995822b7ae8eed"
      ],
      "author": {
        "name": "Johannes Thumshirn",
        "email": "jthumshirn@suse.de",
        "time": "Thu Jul 27 09:11:26 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:50 2020 +0100"
      },
      "message": "scsi: sg: only check for dxfer_len greater than 256M\n\ncommit f930c7043663188429cd9b254e9d761edfc101ce upstream.\n\nDon\u0027t make any assumptions on the sg_io_hdr_t::dxfer_direction or the\nsg_io_hdr_t::dxferp in order to determine if it is a valid request. The\nonly way we can check for bad requests is by checking if the length\nexceeds 256M.\n\nSigned-off-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nFixes: 28676d869bbb (scsi: sg: check for valid direction before starting the request)\nReported-by: Jason L Tibbitts III \u003ctibbs@math.uh.edu\u003e\nTested-by: Jason L Tibbitts III \u003ctibbs@math.uh.edu\u003e\nSuggested-by: Doug Gilbert \u003cdgilbert@interlog.com\u003e\nCc: Doug Gilbert \u003cdgilbert@interlog.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nReviewed-by: Hannes Reinecke \u003chare@suse.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n[bwh: Backported to 3.16: Include \u003clinux/sizes.h\u003e]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "99b6d6fb8a7e74d56d17808556995822b7ae8eed",
      "tree": "c9dabb0e5cab2a12d588a727fd196628339a21a7",
      "parents": [
        "341068a66ab680ab19b4938253b872ca00ec8121"
      ],
      "author": {
        "name": "Johannes Thumshirn",
        "email": "jthumshirn@suse.de",
        "time": "Mon Jul 17 15:11:42 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:50 2020 +0100"
      },
      "message": "scsi: sg: fix static checker warning in sg_is_valid_dxfer\n\ncommit 14074aba4bcda3764c9a702b276308b89901d5b6 upstream.\n\ndxfer_len is an unsigned int and we always assign a value \u003e 0 to it, so\nit doesn\u0027t make any sense to check if it is \u003c 0. We can\u0027t really check\ndxferp as well as we have both NULL and not NULL cases in the possible\ncall paths.\n\nSo just return true for SG_DXFER_FROM_DEV transfer in\nsg_is_valid_dxfer().\n\nSigned-off-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReported-by: Colin Ian King \u003ccolin.king@canonical.com\u003e\nReported-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nCc: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "341068a66ab680ab19b4938253b872ca00ec8121",
      "tree": "1c3466e399dee233e43b4284fdd0272247c9960a",
      "parents": [
        "8d1f3b474a89b42f957ba3bae959dd3cd16531ca"
      ],
      "author": {
        "name": "Johannes Thumshirn",
        "email": "jthumshirn@suse.de",
        "time": "Fri Jul 07 10:56:38 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:49 2020 +0100"
      },
      "message": "scsi: sg: fix SG_DXFER_FROM_DEV transfers\n\ncommit 68c59fcea1f2c6a54c62aa896cc623c1b5bc9b47 upstream.\n\nSG_DXFER_FROM_DEV transfers do not necessarily have a dxferp as we set\nit to NULL for the old sg_io read/write interface, but must have a\nlength bigger than 0. This fixes a regression introduced by commit\n28676d869bbb (\"scsi: sg: check for valid direction before starting the\nrequest\")\n\nSigned-off-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nFixes: 28676d869bbb (\"scsi: sg: check for valid direction before starting the request\")\nReported-by: Chris Clayton \u003cchris2553@googlemail.com\u003e\nTested-by: Chris Clayton \u003cchris2553@googlemail.com\u003e\nCc: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@suse.com\u003e\nTested-by: Chris Clayton \u003cchris2553@googlemail.com\u003e\nAcked-by: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nCc: Cristian Crinteanu \u003ccrinteanu.cristian@gmail.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "8d1f3b474a89b42f957ba3bae959dd3cd16531ca",
      "tree": "19aaa1639129b48311072bfeb21a0ef7a9e9bf79",
      "parents": [
        "ab869b0a8741852d36c9a37709bbed40f0d324b5"
      ],
      "author": {
        "name": "Hannes Reinecke",
        "email": "hare@suse.de",
        "time": "Fri Apr 07 09:34:17 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:49 2020 +0100"
      },
      "message": "scsi: sg: close race condition in sg_remove_sfp_usercontext()\n\ncommit 97d27b0dd015e980ade63fda111fd1353276e28b upstream.\n\nsg_remove_sfp_usercontext() is clearing any sg requests, but needs to\ntake \u0027rq_list_lock\u0027 when modifying the list.\n\nReported-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nTested-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@microsoft.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "ab869b0a8741852d36c9a37709bbed40f0d324b5",
      "tree": "3d1acaac7c279fda050def0874fc44a1640b028d",
      "parents": [
        "0e8d9ca262840625610449e05cac4a2c9d7be83a"
      ],
      "author": {
        "name": "Johannes Thumshirn",
        "email": "jthumshirn@suse.de",
        "time": "Fri Apr 07 09:34:15 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:47 2020 +0100"
      },
      "message": "scsi: sg: check for valid direction before starting the request\n\ncommit 28676d869bbb5257b5f14c0c95ad3af3a7019dd5 upstream.\n\nCheck for a valid direction before starting the request, otherwise we\nrisk running into an assertion in the scsi midlayer checking for valid\nrequests.\n\n[mkp: fixed typo]\n\nSigned-off-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nLink: http://www.spinics.net/lists/linux-scsi/msg104400.html\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nTested-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Sasha Levin \u003calexander.levin@microsoft.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "0e8d9ca262840625610449e05cac4a2c9d7be83a",
      "tree": "9f69e20cedc949e2114df215bcbeb79f54dbee70",
      "parents": [
        "6d391ab54157b36331528d526957688f458a11bf"
      ],
      "author": {
        "name": "Hannes Reinecke",
        "email": "hare@suse.de",
        "time": "Fri Apr 07 09:34:12 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:47 2020 +0100"
      },
      "message": "scsi: sg: disable SET_FORCE_LOW_DMA\n\ncommit 745dfa0d8ec26b24f3304459ff6e9eacc5c8351b upstream.\n\nThe ioctl SET_FORCE_LOW_DMA has never worked since the initial git\ncheck-in, and the respective setting is nowadays handled correctly. So\ndisable it entirely.\n\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nTested-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "6d391ab54157b36331528d526957688f458a11bf",
      "tree": "1e3e6628238bc10055aa1d9454386b9def964489",
      "parents": [
        "f37de82d22dc41e9748b788655fab4bfea465a02"
      ],
      "author": {
        "name": "Ben Hutchings",
        "email": "ben.hutchings@codethink.co.uk",
        "time": "Sun Oct 15 18:16:33 2017 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:47 2020 +0100"
      },
      "message": "scsi: sg: Re-fix off by one in sg_fill_request_table()\n\ncommit 587c3c9f286cee5c9cac38d28c8ae1875f4ec85b upstream.\n\nCommit 109bade9c625 (\"scsi: sg: use standard lists for sg_requests\")\nintroduced an off-by-one error in sg_ioctl(), which was fixed by commit\nbd46fc406b30 (\"scsi: sg: off by one in sg_ioctl()\").\n\nUnfortunately commit 4759df905a47 (\"scsi: sg: factor out\nsg_fill_request_table()\") moved that code, and reintroduced the\nbug (perhaps due to a botched rebase).  Fix it again.\n\nFixes: 4759df905a47 (\"scsi: sg: factor out sg_fill_request_table()\")\nSigned-off-by: Ben Hutchings \u003cben.hutchings@codethink.co.uk\u003e\nAcked-by: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "f37de82d22dc41e9748b788655fab4bfea465a02",
      "tree": "cb486c8f2a4f8577e779e566b6a4b7133d2cb9f9",
      "parents": [
        "72e47c58b24aef8c687cbaaffa3aa5f9fe88612c"
      ],
      "author": {
        "name": "Hannes Reinecke",
        "email": "hare@suse.de",
        "time": "Fri Sep 15 14:05:16 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:46 2020 +0100"
      },
      "message": "scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE\n\ncommit 3e0097499839e0fe3af380410eababe5a47c4cf9 upstream.\n\nWhen calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is\nreturned; the remaining part will then contain stale kernel memory\ninformation.  This patch zeroes out the entire table to avoid this\nissue.\n\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Bart Van Assche \u003cbart.vanassche@wdc.com\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "72e47c58b24aef8c687cbaaffa3aa5f9fe88612c",
      "tree": "fc838115b04d9f2b78401e5e5422cb37e3ac342f",
      "parents": [
        "af9c32ce054200da0275a735c451b7335b8f14b4"
      ],
      "author": {
        "name": "Hannes Reinecke",
        "email": "hare@suse.de",
        "time": "Fri Sep 15 14:05:15 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:46 2020 +0100"
      },
      "message": "scsi: sg: factor out sg_fill_request_table()\n\ncommit 4759df905a474d245752c9dc94288e779b8734dd upstream.\n\nFactor out sg_fill_request_table() for better readability.\n\n[mkp: typos, applied by hand]\n\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Bart Van Assche \u003cbart.vanassche@wdc.com\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "af9c32ce054200da0275a735c451b7335b8f14b4",
      "tree": "b902b04cafe4e39e3648eff5245c01d6fa47e044",
      "parents": [
        "c9a4746fe451335767c42762b7a659e8f264210e"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "dan.carpenter@oracle.com",
        "time": "Thu Aug 17 10:09:54 2017 +0300"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:45 2020 +0100"
      },
      "message": "scsi: sg: off by one in sg_ioctl()\n\ncommit bd46fc406b30d1db1aff8dabaff8d18bb423fdcf upstream.\n\nIf \"val\" is SG_MAX_QUEUE then we are one element beyond the end of the\n\"rinfo\" array so the \u003e should be \u003e\u003d.\n\nFixes: 109bade9c625 (\"scsi: sg: use standard lists for sg_requests\")\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nAcked-by: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "c9a4746fe451335767c42762b7a659e8f264210e",
      "tree": "fa83590c44fe30c224c79fbb5700502b2f5a635a",
      "parents": [
        "b732e51155580eea241c4c014306cb16e7d5aa59"
      ],
      "author": {
        "name": "Hannes Reinecke",
        "email": "hare@suse.de",
        "time": "Fri Apr 07 09:34:16 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:45 2020 +0100"
      },
      "message": "scsi: sg: use standard lists for sg_requests\n\ncommit 109bade9c625c89bb5ea753aaa1a0a97e6fbb548 upstream.\n\n\u0027Sg_request\u0027 is using a private list implementation; convert it to\nstandard lists.\n\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nTested-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "b732e51155580eea241c4c014306cb16e7d5aa59",
      "tree": "feac986603f5515276433f86b745cafccc59e79a",
      "parents": [
        "4eda02ad92142ebdf011218540e1c8d2399fd4e5"
      ],
      "author": {
        "name": "Hannes Reinecke",
        "email": "hare@suse.de",
        "time": "Fri Apr 07 09:34:13 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:45 2020 +0100"
      },
      "message": "scsi: sg: remove \u0027save_scat_len\u0027\n\ncommit 136e57bf43dc4babbfb8783abbf707d483cacbe3 upstream.\n\nUnused.\n\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nTested-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "4eda02ad92142ebdf011218540e1c8d2399fd4e5",
      "tree": "95c2eb9eaef39f00bb7231dca2301371abbce3fe",
      "parents": [
        "faf0e0de9c4f9ab9b80e1396128c9c804af09fe2"
      ],
      "author": {
        "name": "Todd Poynor",
        "email": "toddpoynor@google.com",
        "time": "Tue Aug 15 21:48:43 2017 -0700"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:44 2020 +0100"
      },
      "message": "scsi: sg: recheck MMAP_IO request length with lock held\n\ncommit 8d26f491116feaa0b16de370b6a7ba40a40fa0b4 upstream.\n\nCommit 1bc0eb044615 (\"scsi: sg: protect accesses to \u0027reserved\u0027 page\narray\") adds needed concurrency protection for the \"reserve\" buffer.\nSome checks that are initially made outside the lock are replicated once\nthe lock is taken to ensure the checks and resulting decisions are made\nusing consistent state.\n\nThe check that a request with flag SG_FLAG_MMAP_IO set fits in the\nreserve buffer also needs to be performed again under the lock to ensure\nthe reserve buffer length compared against matches the value in effect\nwhen the request is linked to the reserve buffer.  An -ENOMEM should be\nreturned in this case, instead of switching over to an indirect buffer\nas for non-MMAP_IO requests.\n\nSigned-off-by: Todd Poynor \u003ctoddpoynor@google.com\u003e\nAcked-by: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "faf0e0de9c4f9ab9b80e1396128c9c804af09fe2",
      "tree": "bcac57b81812f7c0f4b941c5114fa0efd2396666",
      "parents": [
        "6c9fe95373f5ac073c657d31beb369df0f14db60"
      ],
      "author": {
        "name": "Todd Poynor",
        "email": "toddpoynor@google.com",
        "time": "Tue Aug 15 22:41:08 2017 -0700"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:44 2020 +0100"
      },
      "message": "scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE\n\ncommit 6a8dadcca81fceff9976e8828cceb072873b7bd5 upstream.\n\nTake f_mutex around mmap() processing to protect against races with the\nSG_SET_RESERVED_SIZE ioctl.  Ensure the reserve buffer length remains\nconsistent during the mapping operation, and set the \"mmap called\" flag\nto prevent further changes to the reserved buffer size as an atomic\noperation with the mapping.\n\n[mkp: fixed whitespace]\n\nSigned-off-by: Todd Poynor \u003ctoddpoynor@google.com\u003e\nAcked-by: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "6c9fe95373f5ac073c657d31beb369df0f14db60",
      "tree": "6321efcf979349645721af2c16ea7619e49ee89f",
      "parents": [
        "5bb6526728fd517cae788fc90008fd1f614f31a7"
      ],
      "author": {
        "name": "Hannes Reinecke",
        "email": "hare@suse.de",
        "time": "Mon Apr 24 10:26:36 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:44 2020 +0100"
      },
      "message": "scsi: sg: reset \u0027res_in_use\u0027 after unlinking reserved array\n\ncommit e791ce27c3f6a1d3c746fd6a8f8e36c9540ec6f9 upstream.\n\nOnce the reserved page array is unused we can reset the \u0027res_in_use\u0027\nstate; here we can do a lazy update without holding the mutex as we only\nneed to check against concurrent access, not concurrent release.\n\n[mkp: checkpatch]\n\nFixes: 1bc0eb044615 (\"scsi: sg: protect accesses to \u0027reserved\u0027 page array\")\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nCc: Todd Poynor \u003ctoddpoynor@google.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "5bb6526728fd517cae788fc90008fd1f614f31a7",
      "tree": "f481961782073b2624d7cb0f7c446a46d1d2dc7b",
      "parents": [
        "f4c55b72c7d3d87945acdee027d7b07cdbc2f8b7"
      ],
      "author": {
        "name": "Hannes Reinecke",
        "email": "hare@suse.de",
        "time": "Fri Apr 07 09:34:14 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:43 2020 +0100"
      },
      "message": "scsi: sg: protect accesses to \u0027reserved\u0027 page array\n\ncommit 1bc0eb0446158cc76562176b80623aa119afee5b upstream.\n\nThe \u0027reserved\u0027 page array is used as a short-cut for mapping data,\nsaving us to allocate pages per request. However, the \u0027reserved\u0027 array\nis only capable of holding one request, so this patch introduces a mutex\nto protect \u0027sg_fd\u0027 against concurrent accesses.\n\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nTested-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n[toddpoynor@google.com: backport to 3.18-4.9,  fixup for bad ioctl\nSG_SET_FORCE_LOW_DMA code removed in later versions and not modified by\nthe original patch.]\n\nSigned-off-by: Hannes Reinecke \u003chare@suse.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nTested-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Todd Poynor \u003ctoddpoynor@google.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "f4c55b72c7d3d87945acdee027d7b07cdbc2f8b7",
      "tree": "573b41927e8fcece2823ba4c39394421fcb36873",
      "parents": [
        "fc23502b1025b597c6cf4b479b52a466724944a1"
      ],
      "author": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu May 28 18:54:25 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:43 2020 +0100"
      },
      "message": "scsi: sg: Change next_cmd_len handling to mirror upstream\n\nChange the type of next_cmd_len to unsigned char, done in upstream\ncommit 65c26a0f3969 \"sg: relax 16 byte cdb restriction\".\n\nMove the range check from sg_write() to sg_ioctl(), which was done by\nthat commit and commit bf33f87dd04c \"scsi: sg: check length passed to\nSG_NEXT_CMD_LEN\".  Continue limiting the command length to\nMAX_COMMAND_SIZE (16).\n\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "fc23502b1025b597c6cf4b479b52a466724944a1",
      "tree": "d35b30afbfdcdb0be08dad0e7156ac3e627815ba",
      "parents": [
        "3a27c0defb0315760100f8b1adc7c4acbe04c884"
      ],
      "author": {
        "name": "Akinobu Mita",
        "email": "akinobu.mita@gmail.com",
        "time": "Mon Jun 02 22:56:46 2014 +0900"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:42 2020 +0100"
      },
      "message": "sg: prevent integer overflow when converting from sectors to bytes\n\ncommit 46f69e6a6bbbf3858617c8729e31895846c15a79 upstream.\n\nThis prevents integer overflow when converting the request queue\u0027s\nmax_sectors from sectors to bytes.  However, this is a preparation for\nextending the data type of max_sectors in struct Scsi_Host and\nscsi_host_template.  So, it is impossible to happen this integer\noverflow for now, because SCSI low-level drivers can not specify\nmax_sectors greater than 0xffff due to the data type limitation.\n\nSigned-off-by: Akinobu Mita \u003cakinobu.mita@gmail.com\u003e\nAcked by: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nSigned-off-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "3a27c0defb0315760100f8b1adc7c4acbe04c884",
      "tree": "09336329d2ce6112c533e234828160bf6293c0ee",
      "parents": [
        "60a613dc22ee9932c3ba67eadb08de357e36f01f"
      ],
      "author": {
        "name": "Douglas Gilbert",
        "email": "dgilbert@interlog.com",
        "time": "Wed Jun 25 14:08:03 2014 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:42 2020 +0100"
      },
      "message": "sg: O_EXCL and other lock handling\n\ncommit cc833acbee9db5ca8c6162b015b4c93863c6f821 upstream.\n\nThis addresses a problem reported by Vaughan Cao concerning\nthe correctness of the O_EXCL logic in the sg driver. POSIX\ndoesn\u0027t define O_EXCL semantics on devices but \"allow only\none open file descriptor at a time per sg device\" is a rough\ndefinition. The sg driver\u0027s semantics have been to wait\non an open() when O_NONBLOCK is not given and there are\nO_EXCL headwinds. Nasty things can happen during that wait\nsuch as the device being detached (removed). So multiple\nlocks are reworked in this patch making it large and hard\nto break down into digestible bits.\n\nThis patch is against Linus\u0027s current git repository which\ndoesn\u0027t include any sg patches sent in the last few weeks.\nHence this patch touches as little as possible that it\ndoesn\u0027t need to and strips out most SCSI_LOG_TIMEOUT()\nchanges in v3 because Hannes said he was going to rework all\nthat stuff.\n\nThe sg3_utils package has several test programs written to\ntest this patch. See examples/sg_tst_excl*.cpp .\n\nNot all the locks and flags in sg have been re-worked in\nthis patch, notably sg_request::done . That can wait for\na follow-up patch if this one meets with approval.\n\nSigned-off-by: Douglas Gilbert \u003cdgilbert@interlog.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@suse.de\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "60a613dc22ee9932c3ba67eadb08de357e36f01f",
      "tree": "086c36eef812740fcdb234d2ceab1c3e2d2b2a79",
      "parents": [
        "f0c210c885dbc5000d3c3e27723beedda5988cee"
      ],
      "author": {
        "name": "Qing Xu",
        "email": "m1s5p6688@gmail.com",
        "time": "Thu Jan 02 10:39:26 2020 +0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:42 2020 +0100"
      },
      "message": "mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()\n\ncommit 3a9b153c5591548612c3955c9600a98150c81875 upstream.\n\nmwifiex_ret_wmm_get_status() calls memcpy() without checking the\ndestination size. Since the source is given from remote AP which\ncontains illegal wmm elements, this may trigger a heap buffer\noverflow.\nFix it by putting the length check before calling memcpy().\n\nSigned-off-by: Qing Xu \u003cm1s5p6688@gmail.com\u003e\nSigned-off-by: Kalle Valo \u003ckvalo@codeaurora.org\u003e\n[bwh: Backported to 3.16: adjust filename]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "f0c210c885dbc5000d3c3e27723beedda5988cee",
      "tree": "a581a48e9a9865fcf036ae408c8ed9f6eb3c7cdf",
      "parents": [
        "a226f907bd999713e9349bc35aa133cf519a864e"
      ],
      "author": {
        "name": "Qing Xu",
        "email": "m1s5p6688@gmail.com",
        "time": "Thu Jan 02 10:39:27 2020 +0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:41 2020 +0100"
      },
      "message": "mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()\n\ncommit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d upstream.\n\nmwifiex_cmd_append_vsie_tlv() calls memcpy() without checking\nthe destination size may trigger a buffer overflow,\nwhich a local user could use to cause denial of service\nor the execution of arbitrary code.\nFix it by putting the length check before calling memcpy().\n\nSigned-off-by: Qing Xu \u003cm1s5p6688@gmail.com\u003e\nSigned-off-by: Kalle Valo \u003ckvalo@codeaurora.org\u003e\n[bwh: Backported to 3.16:\n - Use dev_info() instead of mwifiex_dbg()\n - Adjust filename]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "a226f907bd999713e9349bc35aa133cf519a864e",
      "tree": "6b45e141bdc1d604b9212c1dd100f6e0000bfbec",
      "parents": [
        "b79b2c774d18d9f742c6dee7c8af3d8fd75d1852"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "dan.carpenter@oracle.com",
        "time": "Tue Jan 14 15:34:14 2020 +0300"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:41 2020 +0100"
      },
      "message": "scsi: mptfusion: Fix double fetch bug in ioctl\n\ncommit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream.\n\nTom Hatskevich reported that we look up \"iocp\" then, in the called\nfunctions we do a second copy_from_user() and look it up again.\nThe problem that could cause is:\n\ndrivers/message/fusion/mptctl.c\n   674          /* All of these commands require an interrupt or\n   675           * are unknown/illegal.\n   676           */\n   677          if ((ret \u003d mptctl_syscall_down(iocp, nonblock)) !\u003d 0)\n                                               ^^^^\nWe take this lock.\n\n   678                  return ret;\n   679\n   680          if (cmd \u003d\u003d MPTFWDOWNLOAD)\n   681                  ret \u003d mptctl_fw_download(arg);\n                                                 ^^^\nThen the user memory changes and we look up \"iocp\" again but a different\none so now we are holding the incorrect lock and have a race condition.\n\n   682          else if (cmd \u003d\u003d MPTCOMMAND)\n   683                  ret \u003d mptctl_mpt_command(arg);\n\nThe security impact of this bug is not as bad as it could have been\nbecause these operations are all privileged and root already has\nenormous destructive power.  But it\u0027s still worth fixing.\n\nThis patch passes the \"iocp\" pointer to the functions to avoid the\nsecond lookup.  That deletes 100 lines of code from the driver so\nit\u0027s a nice clean up as well.\n\nLink: https://lore.kernel.org/r/20200114123414.GA7957@kadam\nReported-by: Tom Hatskevich \u003ctom2001tom.23@gmail.com\u003e\nReviewed-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "b79b2c774d18d9f742c6dee7c8af3d8fd75d1852",
      "tree": "0ccf1d252b7c55ace7c3fc6c40f2635d8a86f67b",
      "parents": [
        "575f200adca1fe48df15063b1a5673a9b5f713bd"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "dan.carpenter@oracle.com",
        "time": "Thu Jan 25 17:27:27 2018 +0300"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:41 2020 +0100"
      },
      "message": "scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()\n\ncommit a7043e9529f3c367cc4d82997e00be034cbe57ca upstream.\n\nMy static checker complains about an out of bounds read:\n\n    drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo()\n    error: buffer overflow \u0027hd-\u003esel_timeout\u0027 255 \u003c\u003d u32max.\n\nIt\u0027s true that we probably should have a bounds check here.\n\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nReviewed-by: Johannes Thumshirn \u003cjthumshirn@suse.de\u003e\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "575f200adca1fe48df15063b1a5673a9b5f713bd",
      "tree": "72b479d72ef29395d344b248c18ce11223e6622f",
      "parents": [
        "07d5d558e8711be09caa3783a8514514b3308e0f"
      ],
      "author": {
        "name": "Alan Stern",
        "email": "stern@rowland.harvard.edu",
        "time": "Sat Mar 28 16:18:11 2020 -0400"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:40 2020 +0100"
      },
      "message": "USB: core: Fix free-while-in-use bug in the USB S-Glibrary\n\ncommit 056ad39ee9253873522f6469c3364964a322912b upstream.\n\nFuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug\nin the USB scatter-gather library:\n\nBUG: KASAN: use-after-free in atomic_read\ninclude/asm-generic/atomic-instrumented.h:26 [inline]\nBUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170\ndrivers/usb/core/hcd.c:1607\nRead of size 4 at addr ffff888065379610 by task kworker/u4:1/27\n\nCPU: 1 PID: 27 Comm: kworker/u4:1 Not tainted 5.5.11 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.10.2-1ubuntu1 04/01/2014\nWorkqueue: scsi_tmf_2 scmd_eh_abort_handler\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xce/0x128 lib/dump_stack.c:118\n print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374\n __kasan_report+0x153/0x1cb mm/kasan/report.c:506\n kasan_report+0x12/0x20 mm/kasan/common.c:639\n check_memory_region_inline mm/kasan/generic.c:185 [inline]\n check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192\n __kasan_check_read+0x11/0x20 mm/kasan/common.c:95\n atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]\n usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607\n usb_unlink_urb+0x72/0xb0 drivers/usb/core/urb.c:657\n usb_sg_cancel+0x14e/0x290 drivers/usb/core/message.c:602\n usb_stor_stop_transport+0x5e/0xa0 drivers/usb/storage/transport.c:937\n\nThis bug occurs when cancellation of the S-G transfer races with\ntransfer completion.  When that happens, usb_sg_cancel() may continue\nto access the transfer\u0027s URBs after usb_sg_wait() has freed them.\n\nThe bug is caused by the fact that usb_sg_cancel() does not take any\nsort of reference to the transfer, and so there is nothing to prevent\nthe URBs from being deallocated while the routine is trying to use\nthem.  
The fix is to take such a reference by incrementing the\ntransfer\u0027s io-\u003ecount field while the cancellation is in progress and\ndecrementing it afterward.  The transfer\u0027s URBs are not deallocated\nuntil io-\u003ecomplete is triggered, which happens when io-\u003ecount reaches\nzero.\n\nSigned-off-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nReported-and-tested-by: Kyungtae Kim \u003ckt0755@gmail.com\u003e\nCC: \u003cstable@vger.kernel.org\u003e\n\nLink: https://lore.kernel.org/r/Pine.LNX.4.44L0.2003281615140.14837-100000@netrider.rowland.org\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "07d5d558e8711be09caa3783a8514514b3308e0f",
      "tree": "9564d868b3f8790330f635a5d351b1a84d1df6f0",
      "parents": [
        "371262ec7bbf0ffc4b2a66c3f7c9230ee5e6a2c5"
      ],
      "author": {
        "name": "David Mosberger",
        "email": "davidm@egauge.net",
        "time": "Tue Mar 08 14:42:49 2016 -0700"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:40 2020 +0100"
      },
      "message": "drivers: usb: core: Minimize irq disabling in usb_sg_cancel()\n\ncommit 5f2e5fb873e269fcb806165715d237f0de4ecf1d upstream.\n\nRestructure usb_sg_cancel() so we don\u0027t have to disable interrupts\nwhile cancelling the URBs.\n\nSuggested-by: Alan Stern \u003cstern@rowland.harvard.edu\u003e\nSigned-off-by: David Mosberger \u003cdavidm@egauge.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "371262ec7bbf0ffc4b2a66c3f7c9230ee5e6a2c5",
      "tree": "ed1cbf54dceddaf20e5819a4090833abfe550145",
      "parents": [
        "9592b90cdc99f58e0674e64037c422ea7e9aa367"
      ],
      "author": {
        "name": "David Mosberger",
        "email": "davidm@egauge.net",
        "time": "Tue Mar 08 14:42:48 2016 -0700"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:39 2020 +0100"
      },
      "message": "drivers: usb: core: Don\u0027t disable irqs in usb_sg_wait() during URB submit.\n\ncommit 98b74b0ee57af1bcb6e8b2e76e707a71c5ef8ec9 upstream.\n\nusb_submit_urb() may take quite long to execute.  For example, a\nsingle sg list may have 30 or more entries, possibly leading to that\nmany calls to DMA-map pages.  This can cause interrupt latency of\nseveral hundred micro-seconds.\n\nAvoid the problem by releasing the io-\u003elock spinlock and re-enabling\ninterrupts before calling usb_submit_urb().  This opens races with\nusb_sg_cancel() and sg_complete().  Handle those races by using\nusb_block_urb() to stop URBs from being submitted after\nusb_sg_cancel() or sg_complete() with error.\n\nNote that usb_unlink_urb() is guaranteed to return -ENODEV if\n!io-\u003eurbs[i]-\u003edev and since the -ENODEV case is already handled,\nwe don\u0027t have to check for !io-\u003eurbs[i]-\u003edev explicitly.\n\nBefore this change, reading 512MB from an ext3 filesystem on a USB\nmemory stick showed a throughput of 12 MB/s with about 500 missed\ndeadlines.\n\nWith this change, reading the same file gave the same throughput but\nonly one or two missed deadlines.\n\nSigned-off-by: David Mosberger \u003cdavidm@egauge.net\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "9592b90cdc99f58e0674e64037c422ea7e9aa367",
      "tree": "754df8d4d3b1c25c0630292a8fb77c6b30b3251f",
      "parents": [
        "976dc007c4fde824b46cd40d001a17734ce9e333"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul@paul-moore.com",
        "time": "Tue Apr 28 09:59:02 2020 -0400"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:39 2020 +0100"
      },
      "message": "selinux: properly handle multiple messages in selinux_netlink_send()\n\ncommit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.\n\nFix the SELinux netlink_send hook to properly handle multiple netlink\nmessages in a single sk_buff; each message is parsed and subject to\nSELinux access control.  Prior to this patch, SELinux only inspected\nthe first message in the sk_buff.\n\nCc: stable@vger.kernel.org\nReported-by: Dmitry Vyukov \u003cdvyukov@google.com\u003e\nReviewed-by: Stephen Smalley \u003cstephen.smalley.work@gmail.com\u003e\nSigned-off-by: Paul Moore \u003cpaul@paul-moore.com\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "976dc007c4fde824b46cd40d001a17734ce9e333",
      "tree": "964dd7a4968a4209da7de94e956b9088f6d51049",
      "parents": [
        "b122516be7a9cccceb48dc7ee6ff1717b39e6ae2"
      ],
      "author": {
        "name": "Vladis Dronov",
        "email": "vdronov@redhat.com",
        "time": "Thu Dec 24 11:09:41 2015 -0500"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:39 2020 +0100"
      },
      "message": "selinux: rate-limit netlink message warnings in selinux_nlmsg_perm()\n\ncommit 76319946f321e30872dd72af7de867cb26e7a373 upstream.\n\nAny process is able to send netlink messages with invalid types.\nMake the warning rate-limited to prevent too much log spam.\n\nThe warning is supposed to help to find misbehaving programs, so\nprint the triggering command name and pid.\n\nReported-by: Florian Weimer \u003cfweimer@redhat.com\u003e\nSigned-off-by: Vladis Dronov \u003cvdronov@redhat.com\u003e\n[PM: subject line tweak to make checkpatch.pl happy]\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "b122516be7a9cccceb48dc7ee6ff1717b39e6ae2",
      "tree": "46f83be7acb1252cae460532f7b5f2ee263f8b39",
      "parents": [
        "68c46f7a2891110c582a94a807018d231e81eefe"
      ],
      "author": {
        "name": "Marek Milkovic",
        "email": "mmilkovi@redhat.com",
        "time": "Thu Jun 04 16:22:16 2015 -0400"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:39 2020 +0100"
      },
      "message": "selinux: Print \u0027sclass\u0027 as string when unrecognized netlink message occurs\n\ncommit cded3fffbeab777e6ad2ec05d4a3b62c5caca0f3 upstream.\n\nThis prints the \u0027sclass\u0027 field as string instead of index in unrecognized netlink message.\nThe textual representation makes it easier to distinguish the right class.\n\nSigned-off-by: Marek Milkovic \u003cmmilkovi@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n[PM: 80-char width fixes]\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "68c46f7a2891110c582a94a807018d231e81eefe",
      "tree": "50566e1c724dd3f568c161817be4e56ee1ab5a1d",
      "parents": [
        "bf5cabe51a6441f354d19f5048a6f0aa9f3c9787"
      ],
      "author": {
        "name": "Richard Guy Briggs",
        "email": "rgb@redhat.com",
        "time": "Wed Nov 12 14:01:34 2014 -0500"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:38 2020 +0100"
      },
      "message": "selinux: convert WARN_ONCE() to printk() in selinux_nlmsg_perm()\n\ncommit d950f84c1c6658faec2ecbf5b09f7e7191953394 upstream.\n\nConvert WARN_ONCE() to printk() in selinux_nlmsg_perm().\n\nAfter conversion from audit_log() in commit e173fb26, WARN_ONCE() was\ndeemed too alarmist, so switch it to printk().\n\nSigned-off-by: Richard Guy Briggs \u003crgb@redhat.com\u003e\n[PM: Changed to printk(WARNING) so we catch all of the different\n invalid netlink messages.  In Richard\u0027s defense, he brought this\n point up earlier, but I didn\u0027t understand his point at the time.]\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "bf5cabe51a6441f354d19f5048a6f0aa9f3c9787",
      "tree": "e6e22a263b2a738e531549d1b38e3f682f023b6d",
      "parents": [
        "fd394f42092fe81e28e2564265311b995ec4f5dc"
      ],
      "author": {
        "name": "Richard Guy Briggs",
        "email": "rgb@redhat.com",
        "time": "Thu Sep 18 20:50:17 2014 -0400"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:38 2020 +0100"
      },
      "message": "selinux: cleanup error reporting in selinux_nlmsg_perm()\n\ncommit e173fb2646a832b424c80904c306b816760ce477 upstream.\n\nConvert audit_log() call to WARN_ONCE().\n\nRename \"type\u003d\" to nlmsg_type\u003d\" to avoid confusion with the audit record\ntype.\n\nAdded \"protocol\u003d\" to help track down which protocol (NETLINK_AUDIT?) was used\nwithin the netlink protocol family.\n\nSigned-off-by: Richard Guy Briggs \u003crgb@redhat.com\u003e\n[Rewrote the patch subject line]\nSigned-off-by: Paul Moore \u003cpmoore@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "fd394f42092fe81e28e2564265311b995ec4f5dc",
      "tree": "41075ec2e82a06225b72fa372f732839d75c9600",
      "parents": [
        "a7750e90935c481ba6188fb282d87a3368cfcfac"
      ],
      "author": {
        "name": "Jouni Hogander",
        "email": "jouni.hogander@unikie.com",
        "time": "Tue Dec 17 13:46:34 2019 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:38 2020 +0100"
      },
      "message": "net-sysfs: Call dev_hold always in rx_queue_add_kobject\n\ncommit ddd9b5e3e765d8ed5a35786a6cb00111713fe161 upstream.\n\nDev_hold has to be called always in rx_queue_add_kobject.\nOtherwise usage count drops below 0 in case of failure in\nkobject_init_and_add.\n\nFixes: b8eb718348b8 (\"net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject\")\nReported-by: syzbot \u003csyzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com\u003e\nCc: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nCc: David Miller \u003cdavem@davemloft.net\u003e\nCc: Lukas Bulwahn \u003clukas.bulwahn@gmail.com\u003e\nSigned-off-by: Jouni Hogander \u003cjouni.hogander@unikie.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "a7750e90935c481ba6188fb282d87a3368cfcfac",
      "tree": "9fa5410547e04a0f7bd73035981fddd2e397eddd",
      "parents": [
        "6b07736e72bc1546400d085485d92c256408c5ea"
      ],
      "author": {
        "name": "Jouni Hogander",
        "email": "jouni.hogander@unikie.com",
        "time": "Thu Dec 05 15:57:07 2019 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:37 2020 +0100"
      },
      "message": "net-sysfs: Call dev_hold always in netdev_queue_add_kobject\n\ncommit e0b60903b434a7ee21ba8d8659f207ed84101e89 upstream.\n\nDev_hold has to be called always in netdev_queue_add_kobject.\nOtherwise usage count drops below 0 in case of failure in\nkobject_init_and_add.\n\nFixes: b8eb718348b8 (\"net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject\")\nReported-by: Hulk Robot \u003chulkci@huawei.com\u003e\nCc: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nCc: David Miller \u003cdavem@davemloft.net\u003e\nCc: Lukas Bulwahn \u003clukas.bulwahn@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "6b07736e72bc1546400d085485d92c256408c5ea",
      "tree": "2dc09d5a830672342910931fab5ecb54c4202851",
      "parents": [
        "3bae3560840ee30c9f2262b69196ba4dbc6086f6"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Wed Nov 20 19:19:07 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:37 2020 +0100"
      },
      "message": "net-sysfs: fix netdev_queue_add_kobject() breakage\n\ncommit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0 upstream.\n\nkobject_put() should only be called in error path.\n\nFixes: b8eb718348b8 (\"net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Jouni Hogander \u003cjouni.hogander@unikie.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "3bae3560840ee30c9f2262b69196ba4dbc6086f6",
      "tree": "5b4b1ef80c2e648e6ef727e29e447c110b524154",
      "parents": [
        "78c31fa288ee2f58f84c792cc75d93efd073f4cf"
      ],
      "author": {
        "name": "Jouni Hogander",
        "email": "jouni.hogander@unikie.com",
        "time": "Wed Nov 20 09:08:16 2019 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:37 2020 +0100"
      },
      "message": "net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject\n\ncommit b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b upstream.\n\nkobject_init_and_add takes reference even when it fails. This has\nto be given up by the caller in error handling. Otherwise memory\nallocated by kobject_init_and_add is never freed. Originally found\nby Syzkaller:\n\nBUG: memory leak\nunreferenced object 0xffff8880679f8b08 (size 8):\n  comm \"netdev_register\", pid 269, jiffies 4294693094 (age 12.132s)\n  hex dump (first 8 bytes):\n    72 78 2d 30 00 36 20 d4                          rx-0.6 .\n  backtrace:\n    [\u003c000000008c93818e\u003e] __kmalloc_track_caller+0x16e/0x290\n    [\u003c000000001f2e4e49\u003e] kvasprintf+0xb1/0x140\n    [\u003c000000007f313394\u003e] kvasprintf_const+0x56/0x160\n    [\u003c00000000aeca11c8\u003e] kobject_set_name_vargs+0x5b/0x140\n    [\u003c0000000073a0367c\u003e] kobject_init_and_add+0xd8/0x170\n    [\u003c0000000088838e4b\u003e] net_rx_queue_update_kobjects+0x152/0x560\n    [\u003c000000006be5f104\u003e] netdev_register_kobject+0x210/0x380\n    [\u003c00000000e31dab9d\u003e] register_netdevice+0xa1b/0xf00\n    [\u003c00000000f68b2465\u003e] __tun_chr_ioctl+0x20d5/0x3dd0\n    [\u003c000000004c50599f\u003e] tun_chr_ioctl+0x2f/0x40\n    [\u003c00000000bbd4c317\u003e] do_vfs_ioctl+0x1c7/0x1510\n    [\u003c00000000d4c59e8f\u003e] ksys_ioctl+0x99/0xb0\n    [\u003c00000000946aea81\u003e] __x64_sys_ioctl+0x78/0xb0\n    [\u003c0000000038d946e5\u003e] do_syscall_64+0x16f/0x580\n    [\u003c00000000e0aa5d8f\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n    [\u003c00000000285b3d1a\u003e] 0xffffffffffffffff\n\nCc: David Miller \u003cdavem@davemloft.net\u003e\nCc: Lukas Bulwahn \u003clukas.bulwahn@gmail.com\u003e\nSigned-off-by: Jouni Hogander \u003cjouni.hogander@unikie.com\u003e\nSigned-off-by: David S. 
Miller \u003cdavem@davemloft.net\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "78c31fa288ee2f58f84c792cc75d93efd073f4cf",
      "tree": "fdf6770bae181519cdfdf632e01264e11ebb0a4c",
      "parents": [
        "e143aa385d0d7bd954fe97d4719f8dce933e67f8"
      ],
      "author": {
        "name": "yangerkun",
        "email": "yangerkun@huawei.com",
        "time": "Wed Feb 26 11:54:35 2020 +0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:36 2020 +0100"
      },
      "message": "slip: not call free_netdev before rtnl_unlock in slip_open\n\ncommit f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 upstream.\n\nAs the description before netdev_run_todo, we cannot call free_netdev\nbefore rtnl_unlock, fix it by reorder the code.\n\nSigned-off-by: yangerkun \u003cyangerkun@huawei.com\u003e\nReviewed-by: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "e143aa385d0d7bd954fe97d4719f8dce933e67f8",
      "tree": "b53ef7dcb95a921e2c226d15c73058e871981574",
      "parents": [
        "103921f069ae9189806fe5913beb40c1def7ae56"
      ],
      "author": {
        "name": "Jouni Hogander",
        "email": "jouni.hogander@unikie.com",
        "time": "Mon Nov 25 14:23:43 2019 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:36 2020 +0100"
      },
      "message": "slip: Fix use-after-free Read in slip_open\n\ncommit e58c1912418980f57ba2060017583067f5f71e52 upstream.\n\nSlip_open doesn\u0027t clean-up device which registration failed from the\nslip_devs device list. On next open after failure this list is iterated\nand freed device is accessed. Fix this by calling sl_free_netdev in error\npath.\n\nHere is the trace from the Syzbot:\n\n__dump_stack lib/dump_stack.c:77 [inline]\ndump_stack+0x197/0x210 lib/dump_stack.c:118\nprint_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374\n__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506\nkasan_report+0x12/0x20 mm/kasan/common.c:634\n__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132\nsl_sync drivers/net/slip/slip.c:725 [inline]\nslip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801\ntty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469\ntty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596\ntiocsetd drivers/tty/tty_io.c:2334 [inline]\ntty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594\nvfs_ioctl fs/ioctl.c:46 [inline]\nfile_ioctl fs/ioctl.c:509 [inline]\ndo_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696\nksys_ioctl+0xab/0xd0 fs/ioctl.c:713\n__do_sys_ioctl fs/ioctl.c:720 [inline]\n__se_sys_ioctl fs/ioctl.c:718 [inline]\n__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718\ndo_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290\nentry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFixes: 3b5a39979daf (\"slip: Fix memory leak in slip_open error path\")\nReported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com\nCc: David Miller \u003cdavem@davemloft.net\u003e\nCc: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nCc: Lukas Bulwahn \u003clukas.bulwahn@gmail.com\u003e\nSigned-off-by: Jouni Hogander \u003cjouni.hogander@unikie.com\u003e\nSigned-off-by: David S. 
Miller \u003cdavem@davemloft.net\u003e\n[bwh: Backported to 3.16: sl_free_netdev() calls free_netdev() here, so\n delete the direct call to free_netdev()]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "103921f069ae9189806fe5913beb40c1def7ae56",
      "tree": "d2bae8fa8757316018c53037805de5695d939325",
      "parents": [
        "8262bc14b32853532c2fba0649524afa951c983b"
      ],
      "author": {
        "name": "Jouni Hogander",
        "email": "jouni.hogander@unikie.com",
        "time": "Wed Nov 13 13:45:02 2019 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:36 2020 +0100"
      },
      "message": "slip: Fix memory leak in slip_open error path\n\ncommit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa upstream.\n\nDriver/net/can/slcan.c is derived from slip.c. Memory leak was detected\nby Syzkaller in slcan. Same issue exists in slip.c and this patch is\naddressing the leak in slip.c.\n\nHere is the slcan memory leak trace reported by Syzkaller:\n\nBUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):\n  comm \"syz-executor043\", pid 454, jiffies 4294759719 (age 11.930s)\n  hex dump (first 32 bytes):\n    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n  backtrace:\n    [\u003c00000000a06eec0d\u003e] __kmalloc+0x18b/0x2c0\n    [\u003c0000000083306e66\u003e] kvmalloc_node+0x3a/0xc0\n    [\u003c000000006ac27f87\u003e] alloc_netdev_mqs+0x17a/0x1080\n    [\u003c0000000061a996c9\u003e] slcan_open+0x3ae/0x9a0\n    [\u003c000000001226f0f9\u003e] tty_ldisc_open.isra.1+0x76/0xc0\n    [\u003c0000000019289631\u003e] tty_set_ldisc+0x28c/0x5f0\n    [\u003c000000004de5a617\u003e] tty_ioctl+0x48d/0x1590\n    [\u003c00000000daef496f\u003e] do_vfs_ioctl+0x1c7/0x1510\n    [\u003c0000000059068dbc\u003e] ksys_ioctl+0x99/0xb0\n    [\u003c000000009a6eb334\u003e] __x64_sys_ioctl+0x78/0xb0\n    [\u003c0000000053d0332e\u003e] do_syscall_64+0x16f/0x580\n    [\u003c0000000021b83b99\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n    [\u003c000000008ea75434\u003e] 0xfffffffffffffff\n\nCc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCc: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nCc: Lukas Bulwahn \u003clukas.bulwahn@gmail.com\u003e\nSigned-off-by: Jouni Hogander \u003cjouni.hogander@unikie.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "8262bc14b32853532c2fba0649524afa951c983b",
      "tree": "cc66bc2b6acfa9ab7209148af43826c235abe5f9",
      "parents": [
        "fc32a080b625b4e9f997468eafbacc537229c7ef"
      ],
      "author": {
        "name": "Oliver Hartkopp",
        "email": "socketcan@hartkopp.net",
        "time": "Sat Mar 21 14:08:29 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:35 2020 +0100"
      },
      "message": "slcan: not call free_netdev before rtnl_unlock in slcan_open\n\ncommit 2091a3d42b4f339eaeed11228e0cbe9d4f92f558 upstream.\n\nAs the description before netdev_run_todo, we cannot call free_netdev\nbefore rtnl_unlock, fix it by reorder the code.\n\nThis patch is a 1:1 copy of upstream slip.c commit f596c87005f7\n(\"slip: not call free_netdev before rtnl_unlock in slip_open\").\n\nReported-by: yangerkun \u003cyangerkun@huawei.com\u003e\nSigned-off-by: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "fc32a080b625b4e9f997468eafbacc537229c7ef",
      "tree": "98d278b7454efb976fdc479498bd897fb155dcd5",
      "parents": [
        "ff41ac4dd357b10010949dc50e640c9eb5d5f052"
      ],
      "author": {
        "name": "Jouni Hogander",
        "email": "jouni.hogander@unikie.com",
        "time": "Wed Nov 27 08:40:26 2019 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:35 2020 +0100"
      },
      "message": "can: slcan: Fix use-after-free Read in slcan_open\n\ncommit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.\n\nSlcan_open doesn\u0027t clean-up device which registration failed from the\nslcan_devs device list. On next open this list is iterated and freed\ndevice is accessed. Fix this by calling slc_free_netdev in error path.\n\nDriver/net/can/slcan.c is derived from slip.c. Use-after-free error was\nidentified in slip_open by syzboz. Same bug is in slcan.c. Here is the\ntrace from the Syzbot slip report:\n\n__dump_stack lib/dump_stack.c:77 [inline]\ndump_stack+0x197/0x210 lib/dump_stack.c:118\nprint_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374\n__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506\nkasan_report+0x12/0x20 mm/kasan/common.c:634\n__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132\nsl_sync drivers/net/slip/slip.c:725 [inline]\nslip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801\ntty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469\ntty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596\ntiocsetd drivers/tty/tty_io.c:2334 [inline]\ntty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594\nvfs_ioctl fs/ioctl.c:46 [inline]\nfile_ioctl fs/ioctl.c:509 [inline]\ndo_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696\nksys_ioctl+0xab/0xd0 fs/ioctl.c:713\n__do_sys_ioctl fs/ioctl.c:720 [inline]\n__se_sys_ioctl fs/ioctl.c:718 [inline]\n__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718\ndo_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290\nentry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nFixes: ed50e1600b44 (\"slcan: Fix memory leak in error path\")\nCc: Wolfgang Grandegger \u003cwg@grandegger.com\u003e\nCc: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\nCc: David Miller \u003cdavem@davemloft.net\u003e\nCc: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nCc: Lukas Bulwahn \u003clukas.bulwahn@gmail.com\u003e\nSigned-off-by: Jouni Hogander \u003cjouni.hogander@unikie.com\u003e\nAcked-by: Oliver Hartkopp 
\u003csocketcan@hartkopp.net\u003e\nSigned-off-by: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\n[bwh: Backported to 3.16: slc_free_netdev() calls free_netdev() here, so\n delete the direct call to free_netdev()]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "ff41ac4dd357b10010949dc50e640c9eb5d5f052",
      "tree": "f29a59bd3972f151c778e54e09e075749eed5bc7",
      "parents": [
        "babf7e4a11200d94219dcebd64f50e6304bbde2e"
      ],
      "author": {
        "name": "Jouni Hogander",
        "email": "jouni.hogander@unikie.com",
        "time": "Wed Nov 13 12:08:01 2019 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Thu Jun 11 19:05:35 2020 +0100"
      },
      "message": "slcan: Fix memory leak in error path\n\ncommit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.\n\nThis patch is fixing memory leak reported by Syzkaller:\n\nBUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):\n  comm \"syz-executor043\", pid 454, jiffies 4294759719 (age 11.930s)\n  hex dump (first 32 bytes):\n    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n  backtrace:\n    [\u003c00000000a06eec0d\u003e] __kmalloc+0x18b/0x2c0\n    [\u003c0000000083306e66\u003e] kvmalloc_node+0x3a/0xc0\n    [\u003c000000006ac27f87\u003e] alloc_netdev_mqs+0x17a/0x1080\n    [\u003c0000000061a996c9\u003e] slcan_open+0x3ae/0x9a0\n    [\u003c000000001226f0f9\u003e] tty_ldisc_open.isra.1+0x76/0xc0\n    [\u003c0000000019289631\u003e] tty_set_ldisc+0x28c/0x5f0\n    [\u003c000000004de5a617\u003e] tty_ioctl+0x48d/0x1590\n    [\u003c00000000daef496f\u003e] do_vfs_ioctl+0x1c7/0x1510\n    [\u003c0000000059068dbc\u003e] ksys_ioctl+0x99/0xb0\n    [\u003c000000009a6eb334\u003e] __x64_sys_ioctl+0x78/0xb0\n    [\u003c0000000053d0332e\u003e] do_syscall_64+0x16f/0x580\n    [\u003c0000000021b83b99\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n    [\u003c000000008ea75434\u003e] 0xffffffffffffffff\n\nCc: Wolfgang Grandegger \u003cwg@grandegger.com\u003e\nCc: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\nCc: Lukas Bulwahn \u003clukas.bulwahn@gmail.com\u003e\nSigned-off-by: Jouni Hogander \u003cjouni.hogander@unikie.com\u003e\nSigned-off-by: Marc Kleine-Budde \u003cmkl@pengutronix.de\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "babf7e4a11200d94219dcebd64f50e6304bbde2e",
      "tree": "0346bda69db1a35972518b495d20410c6fa1bdb9",
      "parents": [
        "4d91d2ab7288808df5e434a93f12d26de86d4101"
      ],
      "author": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:45 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:45 2020 +0100"
      },
      "message": "Linux 3.16.84\n"
    },
    {
      "commit": "4d91d2ab7288808df5e434a93f12d26de86d4101",
      "tree": "b9dcf0de747f72d155606d90d2f2efd76e7772b9",
      "parents": [
        "888865cfee84dbf800fb174cfa70ec58bf326578"
      ],
      "author": {
        "name": "Roberto Bergantinos Corpas",
        "email": "rbergant@redhat.com",
        "time": "Tue Feb 04 11:32:56 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:44 2020 +0100"
      },
      "message": "sunrpc: expiry_time should be seconds not timeval\n\ncommit 3d96208c30f84d6edf9ab4fac813306ac0d20c10 upstream.\n\nWhen upcalling gssproxy, cache_head.expiry_time is set as a\ntimeval, not seconds since boot. As such, RPC cache expiry\nlogic will not clean expired objects created under\nauth.rpcsec.context cache.\n\nThis has proven to cause kernel memory leaks on field. Using\n64 bit variants of getboottime/timespec\n\nExpiration times have worked this way since 2010\u0027s c5b29f885afe \"sunrpc:\nuse seconds since boot in expiry cache\".  The gssproxy code introduced\nin 2012 added gss_proxy_save_rsc and introduced the bug.  That\u0027s a while\nfor this to lurk, but it required a bit of an extreme case to make it\nobvious.\n\nSigned-off-by: Roberto Bergantinos Corpas \u003crbergant@redhat.com\u003e\nFixes: 030d794bf498 \"SUNRPC: Use gssproxy upcall for server...\"\nTested-By: Frank Sorenson \u003csorenson@redhat.com\u003e\nSigned-off-by: J. Bruce Fields \u003cbfields@redhat.com\u003e\n[bwh: Backported to 3.16: Use struct timespec and getboottime()]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "888865cfee84dbf800fb174cfa70ec58bf326578",
      "tree": "0677fa012000a371ab1ce36f64e8d12af5fd1efc",
      "parents": [
        "8fe6bfcbae5af3b611ab258a65b299dcaa33ff80"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Tue Feb 04 19:26:05 2020 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:43 2020 +0100"
      },
      "message": "bonding/alb: properly access headers in bond_alb_xmit()\n\ncommit 38f88c45404293bbc027b956def6c10cbd45c616 upstream.\n\nsyzbot managed to send an IPX packet through bond_alb_xmit()\nand af_packet and triggered a use-after-free.\n\nFirst, bond_alb_xmit() was using ipx_hdr() helper to reach\nthe IPX header, but ipx_hdr() was using the transport offset\ninstead of the network offset. In the particular syzbot\nreport transport offset was 0xFFFF\n\nThis patch removes ipx_hdr() since it was only (mis)used from bonding.\n\nThen we need to make sure IPv4/IPv6/IPX headers are pulled\nin skb-\u003ehead before dereferencing anything.\n\nBUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452\nRead of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108\n (if (ipx_hdr(skb)-\u003eipx_checksum !\u003d IPX_NO_CHECKSUM) ...)\n\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n [\u003cffffffff8441fc42\u003e] __dump_stack lib/dump_stack.c:17 [inline]\n [\u003cffffffff8441fc42\u003e] dump_stack+0x14d/0x20b lib/dump_stack.c:53\n [\u003cffffffff81a7dec4\u003e] print_address_description+0x6f/0x20b mm/kasan/report.c:282\n [\u003cffffffff81a7e0ec\u003e] kasan_report_error mm/kasan/report.c:380 [inline]\n [\u003cffffffff81a7e0ec\u003e] kasan_report mm/kasan/report.c:438 [inline]\n [\u003cffffffff81a7e0ec\u003e] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422\n [\u003cffffffff81a7dc4f\u003e] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469\n [\u003cffffffff82c8c00a\u003e] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452\n [\u003cffffffff82c60c74\u003e] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]\n [\u003cffffffff82c60c74\u003e] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224\n [\u003cffffffff83baa558\u003e] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]\n [\u003cffffffff83baa558\u003e] 
netdev_start_xmit include/linux/netdevice.h:4539 [inline]\n [\u003cffffffff83baa558\u003e] xmit_one net/core/dev.c:3611 [inline]\n [\u003cffffffff83baa558\u003e] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627\n [\u003cffffffff83bacf35\u003e] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238\n [\u003cffffffff83bae3a8\u003e] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278\n [\u003cffffffff84339189\u003e] packet_snd net/packet/af_packet.c:3226 [inline]\n [\u003cffffffff84339189\u003e] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252\n [\u003cffffffff83b1ac0c\u003e] sock_sendmsg_nosec net/socket.c:673 [inline]\n [\u003cffffffff83b1ac0c\u003e] sock_sendmsg+0x12c/0x160 net/socket.c:684\n [\u003cffffffff83b1f5a2\u003e] __sys_sendto+0x262/0x380 net/socket.c:1996\n [\u003cffffffff83b1f700\u003e] SYSC_sendto net/socket.c:2008 [inline]\n [\u003cffffffff83b1f700\u003e] SyS_sendto+0x40/0x60 net/socket.c:2004\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReported-by: syzbot \u003csyzkaller@googlegroups.com\u003e\nCc: Jay Vosburgh \u003cj.vosburgh@gmail.com\u003e\nCc: Veaceslav Falico \u003cvfalico@gmail.com\u003e\nCc: Andy Gospodarek \u003candy@greyhouse.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[bwh: Backported to 3.16:\n - Don\u0027t delete ipx_hdr() as it\u0027s still used by net/ipx here\n - Adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "8fe6bfcbae5af3b611ab258a65b299dcaa33ff80",
      "tree": "e1c33bca4e575297671c977da6b05b7b6f86103f",
      "parents": [
        "4a6b1c75bceade9ece26918bb448d42b15afd29b"
      ],
      "author": {
        "name": "Ronnie Sahlberg",
        "email": "lsahlber@redhat.com",
        "time": "Wed Feb 05 11:08:01 2020 +1000"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:43 2020 +0100"
      },
      "message": "cifs: fail i/o on soft mounts if sessionsetup errors out\n\ncommit b0dd940e582b6a60296b9847a54012a4b080dc72 upstream.\n\nRHBZ: 1579050\n\nIf we have a soft mount we should fail commands for session-setup\nfailures (such as the password having changed/ account being deleted/ ...)\nand return an error back to the application.\n\nSigned-off-by: Ronnie Sahlberg \u003clsahlber@redhat.com\u003e\nSigned-off-by: Steve French \u003cstfrench@microsoft.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "4a6b1c75bceade9ece26918bb448d42b15afd29b",
      "tree": "6006af66305e6e2a3be6bcea0be741e783364a78",
      "parents": [
        "b2b6bbf8c801fa2f9756b095e10c232418f7cddd"
      ],
      "author": {
        "name": "Trond Myklebust",
        "email": "trondmy@gmail.com",
        "time": "Sun Feb 02 17:53:54 2020 -0500"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:43 2020 +0100"
      },
      "message": "NFS: Directory page cache pages need to be locked when read\n\ncommit 114de38225d9b300f027e2aec9afbb6e0def154b upstream.\n\nWhen a NFS directory page cache page is removed from the page cache,\nits contents are freed through a call to nfs_readdir_clear_array().\nTo prevent the removal of the page cache entry until after we\u0027ve\nfinished reading it, we must take the page lock.\n\nFixes: 11de3b11e08c (\"NFS: Fix a memory leak in nfs_readdir\")\nSigned-off-by: Trond Myklebust \u003ctrond.myklebust@hammerspace.com\u003e\nReviewed-by: Benjamin Coddington \u003cbcodding@redhat.com\u003e\nSigned-off-by: Anna Schumaker \u003cAnna.Schumaker@Netapp.com\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "b2b6bbf8c801fa2f9756b095e10c232418f7cddd",
      "tree": "ca2c57bae7cbc8de86442440b3e43ee3fedeb320",
      "parents": [
        "1680400380bde60cc95a782eb90490302b6f9e2a"
      ],
      "author": {
        "name": "Trond Myklebust",
        "email": "trondmy@gmail.com",
        "time": "Sun Feb 02 17:53:53 2020 -0500"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:42 2020 +0100"
      },
      "message": "NFS: Fix memory leaks and corruption in readdir\n\ncommit 4b310319c6a8ce708f1033d57145e2aa027a883c upstream.\n\nnfs_readdir_xdr_to_array() must not exit without having initialised\nthe array, so that the page cache deletion routines can safely\ncall nfs_readdir_clear_array().\nFurthermore, we should ensure that if we exit nfs_readdir_filler()\nwith an error, we free up any page contents to prevent a leak\nif we try to fill the page again.\n\nFixes: 11de3b11e08c (\"NFS: Fix a memory leak in nfs_readdir\")\nSigned-off-by: Trond Myklebust \u003ctrond.myklebust@hammerspace.com\u003e\nReviewed-by: Benjamin Coddington \u003cbcodding@redhat.com\u003e\nSigned-off-by: Anna Schumaker \u003cAnna.Schumaker@Netapp.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "1680400380bde60cc95a782eb90490302b6f9e2a",
      "tree": "ce52df00f394c347f0a22167546b081a10e24d76",
      "parents": [
        "b4664db5bbd36a178b75ea8b51bab921738f79b3"
      ],
      "author": {
        "name": "Fabian Frederick",
        "email": "fabf@skynet.be",
        "time": "Wed May 03 20:52:21 2017 +0200"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:42 2020 +0100"
      },
      "message": "nfs: use kmap/kunmap directly\n\ncommit 0795bf8357c1887e2a95e6e4f5b89d0896a0d929 upstream.\n\nThis patch removes useless nfs_readdir_get_array() and\nnfs_readdir_release_array() as suggested by Trond Myklebust\n\nnfs_readdir() calls nfs_revalidate_mapping() before\nreaddir_search_pagecache() , nfs_do_filldir(), uncached_readdir()\nso mapping should be correct.\n\nWhile kmap() can\u0027t fail, all subsequent error checks were removed\nas well as unused labels.\n\nSigned-off-by: Fabian Frederick \u003cfabf@skynet.be\u003e\nSigned-off-by: Trond Myklebust \u003ctrond.myklebust@primarydata.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "b4664db5bbd36a178b75ea8b51bab921738f79b3",
      "tree": "4c7692be78e9779c923b2a5117e78cac48251243",
      "parents": [
        "3a9dbf8feb3ee7ebea4c833e519f12ea3505f1e0"
      ],
      "author": {
        "name": "Masahiro Yamada",
        "email": "masahiroy@kernel.org",
        "time": "Sat Feb 01 14:03:11 2020 +0900"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:42 2020 +0100"
      },
      "message": "kconfig: fix broken dependency in randconfig-generated .config\n\ncommit c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 upstream.\n\nRunning randconfig on arm64 using KCONFIG_SEED\u003d0x40C5E904 (e.g. on v5.5)\nproduces the .config with CONFIG_EFI\u003dy and CONFIG_CPU_BIG_ENDIAN\u003dy,\nwhich does not meet the !CONFIG_CPU_BIG_ENDIAN dependency.\n\nThis is because the user choice for CONFIG_CPU_LITTLE_ENDIAN vs\nCONFIG_CPU_BIG_ENDIAN is set by randomize_choice_values() after the\nvalue of CONFIG_EFI is calculated.\n\nWhen this happens, the has_changed flag should be set.\n\nCurrently, it takes the result from the last iteration. It should\naccumulate all the results of the loop.\n\nFixes: 3b9a19e08960 (\"kconfig: loop as long as we changed some symbols in randconfig\")\nReported-by: Vincenzo Frascino \u003cvincenzo.frascino@arm.com\u003e\nSigned-off-by: Masahiro Yamada \u003cmasahiroy@kernel.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "3a9dbf8feb3ee7ebea4c833e519f12ea3505f1e0",
      "tree": "5a5b5442fd10376eb58b2a46e2b5f980677956ec",
      "parents": [
        "6b8135e7d35add8c2497c0d2053261361b92d92d"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Fri Jan 31 15:27:04 2020 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:41 2020 +0100"
      },
      "message": "cls_rsvp: fix rsvp_policy\n\ncommit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 upstream.\n\nNLA_BINARY can be confusing, since .len value represents\nthe max size of the blob.\n\ncls_rsvp really wants user space to provide long enough data\nfor TCA_RSVP_DST and TCA_RSVP_SRC attributes.\n\nBUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]\nBUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]\nBUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572\nCPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1c9/0x220 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n rsvp_get net/sched/cls_rsvp.h:258 [inline]\n gen_handle net/sched/cls_rsvp.h:402 [inline]\n rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572\n tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104\n rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415\n netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477\n rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442\n netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]\n netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328\n netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917\n sock_sendmsg_nosec net/socket.c:639 [inline]\n sock_sendmsg net/socket.c:659 [inline]\n ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330\n ___sys_sendmsg net/socket.c:2384 [inline]\n __sys_sendmsg+0x451/0x5f0 net/socket.c:2417\n __do_sys_sendmsg net/socket.c:2426 [inline]\n __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424\n __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424\n do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\nRIP: 0033:0x45b349\nCode: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 
00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349\nRDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003\nRBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff\nR13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4\n\nUninit was created at:\n kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]\n kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127\n kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82\n slab_alloc_node mm/slub.c:2774 [inline]\n __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382\n __kmalloc_reserve net/core/skbuff.c:141 [inline]\n __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209\n alloc_skb include/linux/skbuff.h:1049 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]\n netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892\n sock_sendmsg_nosec net/socket.c:639 [inline]\n sock_sendmsg net/socket.c:659 [inline]\n ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330\n ___sys_sendmsg net/socket.c:2384 [inline]\n __sys_sendmsg+0x451/0x5f0 net/socket.c:2417\n __do_sys_sendmsg net/socket.c:2426 [inline]\n __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424\n __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424\n do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nFixes: 6fa8c0144b77 (\"[NET_SCHED]: Use nla_policy for attribute validation in classifiers\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReported-by: syzbot \u003csyzkaller@googlegroups.com\u003e\nAcked-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nSigned-off-by: Ben Hutchings 
\u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "6b8135e7d35add8c2497c0d2053261361b92d92d",
      "tree": "8642422eac849c787f592e0e34986b2687945eeb",
      "parents": [
        "fc42eca6bdd59bd2c84fc841b178b2d60c60634e"
      ],
      "author": {
        "name": "Konstantin Khlebnikov",
        "email": "khlebnikov@yandex-team.ru",
        "time": "Fri Jan 31 19:08:59 2020 +0300"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:41 2020 +0100"
      },
      "message": "clocksource: Prevent double add_timer_on() for watchdog_timer\n\ncommit febac332a819f0e764aa4da62757ba21d18c182b upstream.\n\nKernel crashes inside QEMU/KVM are observed:\n\n  kernel BUG at kernel/time/timer.c:1154!\n  BUG_ON(timer_pending(timer) || !timer-\u003efunction) in add_timer_on().\n\nAt the same time another cpu got:\n\n  general protection fault: 0000 [#1] SMP PTI of poinson pointer 0xdead000000000200 in:\n\n  __hlist_del at include/linux/list.h:681\n  (inlined by) detach_timer at kernel/time/timer.c:818\n  (inlined by) expire_timers at kernel/time/timer.c:1355\n  (inlined by) __run_timers at kernel/time/timer.c:1686\n  (inlined by) run_timer_softirq at kernel/time/timer.c:1699\n\nUnfortunately kernel logs are badly scrambled, stacktraces are lost.\n\nPrinting the timer-\u003efunction before the BUG_ON() pointed to\nclocksource_watchdog().\n\nThe execution of clocksource_watchdog() can race with a sequence of\nclocksource_stop_watchdog() .. clocksource_start_watchdog():\n\nexpire_timers()\n detach_timer(timer, true);\n  timer-\u003eentry.pprev \u003d NULL;\n raw_spin_unlock_irq(\u0026base-\u003elock);\n call_timer_fn\n  clocksource_watchdog()\n\n\t\t\t\t\tclocksource_watchdog_kthread() or\n\t\t\t\t\tclocksource_unbind()\n\n\t\t\t\t\tspin_lock_irqsave(\u0026watchdog_lock, flags);\n\t\t\t\t\tclocksource_stop_watchdog();\n\t\t\t\t\t del_timer(\u0026watchdog_timer);\n\t\t\t\t\t watchdog_running \u003d 0;\n\t\t\t\t\tspin_unlock_irqrestore(\u0026watchdog_lock, flags);\n\n\t\t\t\t\tspin_lock_irqsave(\u0026watchdog_lock, flags);\n\t\t\t\t\tclocksource_start_watchdog();\n\t\t\t\t\t add_timer_on(\u0026watchdog_timer, ...);\n\t\t\t\t\t watchdog_running \u003d 1;\n\t\t\t\t\tspin_unlock_irqrestore(\u0026watchdog_lock, flags);\n\n  spin_lock(\u0026watchdog_lock);\n  add_timer_on(\u0026watchdog_timer, ...);\n   BUG_ON(timer_pending(timer) || !timer-\u003efunction);\n    timer_pending() -\u003e true\n    BUG()\n\nI.e. 
inside clocksource_watchdog() watchdog_timer could be already armed.\n\nCheck timer_pending() before calling add_timer_on(). This is sufficient as\nall operations are synchronized by watchdog_lock.\n\nFixes: 75c5158f70c0 (\"timekeeping: Update clocksource with stop_machine\")\nSigned-off-by: Konstantin Khlebnikov \u003ckhlebnikov@yandex-team.ru\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nLink: https://lore.kernel.org/r/158048693917.4378.13823603769948933793.stgit@buzz\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "fc42eca6bdd59bd2c84fc841b178b2d60c60634e",
      "tree": "4d8dc62770eebbdb7ec726dbccd6744d008e4b57",
      "parents": [
        "8da4e542bec5de40ceb7b6f429bbce466f9286f8"
      ],
      "author": {
        "name": "Takashi Iwai",
        "email": "tiwai@suse.de",
        "time": "Sat Feb 01 09:05:30 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:41 2020 +0100"
      },
      "message": "ALSA: dummy: Fix PCM format loop in proc output\n\ncommit 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e upstream.\n\nThe loop termination for iterating over all formats should contain\nSNDRV_PCM_FORMAT_LAST, not less than it.\n\nFixes: 9b151fec139d (\"ALSA: dummy - Add debug proc file\")\nLink: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "8da4e542bec5de40ceb7b6f429bbce466f9286f8",
      "tree": "09e5d478692ab69450f8fda2293ca1c4046cac73",
      "parents": [
        "bb0e937f14db6304bb5f57cf2083310c15bbada3"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Fri Jan 31 09:14:47 2020 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:40 2020 +0100"
      },
      "message": "tcp: clear tp-\u003etotal_retrans in tcp_disconnect()\n\ncommit c13c48c00a6bc1febc73902505bdec0967bd7095 upstream.\n\ntotal_retrans needs to be cleared in tcp_disconnect().\n\ntcp_disconnect() is rarely used, but it is worth fixing it.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: SeongJae Park \u003csjpark@amazon.de\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "bb0e937f14db6304bb5f57cf2083310c15bbada3",
      "tree": "713595270d09569529d7e4125fbcfb476642bc94",
      "parents": [
        "ee0ea94e91498b2c1f57749280d57752326f5928"
      ],
      "author": {
        "name": "John Hubbard",
        "email": "jhubbard@nvidia.com",
        "time": "Thu Jan 30 22:12:50 2020 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:40 2020 +0100"
      },
      "message": "media/v4l2-core: set pages dirty upon releasing DMA buffers\n\ncommit 3c7470b6f68434acae459482ab920d1e3fabd1c7 upstream.\n\nAfter DMA is complete, and the device and CPU caches are synchronized,\nit\u0027s still required to mark the CPU pages as dirty, if the data was\ncoming from the device.  However, this driver was just issuing a bare\nput_page() call, without any set_page_dirty*() call.\n\nFix the problem, by calling set_page_dirty_lock() if the CPU pages were\npotentially receiving data from the device.\n\nLink: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com\nSigned-off-by: John Hubbard \u003cjhubbard@nvidia.com\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nAcked-by: Hans Verkuil \u003chverkuil-cisco@xs4all.nl\u003e\nCc: Mauro Carvalho Chehab \u003cmchehab@kernel.org\u003e\nCc: Alex Williamson \u003calex.williamson@redhat.com\u003e\nCc: Aneesh Kumar K.V \u003caneesh.kumar@linux.ibm.com\u003e\nCc: Björn Töpel \u003cbjorn.topel@intel.com\u003e\nCc: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nCc: Dan Williams \u003cdan.j.williams@intel.com\u003e\nCc: Ira Weiny \u003cira.weiny@intel.com\u003e\nCc: Jan Kara \u003cjack@suse.cz\u003e\nCc: Jason Gunthorpe \u003cjgg@mellanox.com\u003e\nCc: Jason Gunthorpe \u003cjgg@ziepe.ca\u003e\nCc: Jens Axboe \u003caxboe@kernel.dk\u003e\nCc: Jerome Glisse \u003cjglisse@redhat.com\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Kirill A. Shutemov \u003ckirill@shutemov.name\u003e\nCc: Leon Romanovsky \u003cleonro@mellanox.com\u003e\nCc: Mike Rapoport \u003crppt@linux.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "ee0ea94e91498b2c1f57749280d57752326f5928",
      "tree": "3582e4884c2b73b34638ebc5c2fe5341fa33f4c8",
      "parents": [
        "dd18bacf6d75ae5d84641d30409b3b397d0412ca"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "dan.carpenter@oracle.com",
        "time": "Thu Jan 30 22:11:07 2020 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:40 2020 +0100"
      },
      "message": "mm/mempolicy.c: fix out of bounds write in mpol_parse_str()\n\ncommit c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 upstream.\n\nWhat we are trying to do is change the \u0027\u003d\u0027 character to a NUL terminator\nand then at the end of the function we restore it back to an \u0027\u003d\u0027.  The\nproblem is there are two error paths where we jump to the end of the\nfunction before we have replaced the \u0027\u003d\u0027 with NUL.\n\nWe end up putting the \u0027\u003d\u0027 in the wrong place (possibly one element\nbefore the start of the buffer).\n\nLink: http://lkml.kernel.org/r/20200115055426.vdjwvry44nfug7yy@kili.mountain\nReported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com\nFixes: 095f1fc4ebf3 (\"mempolicy: rework shmem mpol parsing and display\")\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nAcked-by: Vlastimil Babka \u003cvbabka@suse.cz\u003e\nDmitry Vyukov \u003cdvyukov@google.com\u003e\nCc: Michal Hocko \u003cmhocko@kernel.org\u003e\nCc: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nCc: Lee Schermerhorn \u003clee.schermerhorn@hp.com\u003e\nCc: Andrea Arcangeli \u003caarcange@redhat.com\u003e\nCc: Hugh Dickins \u003chughd@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "dd18bacf6d75ae5d84641d30409b3b397d0412ca",
      "tree": "f4c80a85c8d69a3b9188a1532c3765e8fe239476",
      "parents": [
        "a2c6b58efa791d183019781e7b66f42a0c72fe9f"
      ],
      "author": {
        "name": "Filipe Manana",
        "email": "fdmanana@suse.com",
        "time": "Wed Jan 22 12:23:20 2020 +0000"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:39 2020 +0100"
      },
      "message": "Btrfs: fix race between adding and putting tree mod seq elements and nodes\n\ncommit 7227ff4de55d931bbdc156c8ef0ce4f100c78a5b upstream.\n\nThere is a race between adding and removing elements to the tree mod log\nlist and rbtree that can lead to use-after-free problems.\n\nConsider the following example that explains how/why the problems happens:\n\n1) Task A has mod log element with sequence number 200. It currently is\n   the only element in the mod log list;\n\n2) Task A calls btrfs_put_tree_mod_seq() because it no longer needs to\n   access the tree mod log. When it enters the function, it initializes\n   \u0027min_seq\u0027 to (u64)-1. Then it acquires the lock \u0027tree_mod_seq_lock\u0027\n   before checking if there are other elements in the mod seq list.\n   Since the list it empty, \u0027min_seq\u0027 remains set to (u64)-1. Then it\n   unlocks the lock \u0027tree_mod_seq_lock\u0027;\n\n3) Before task A acquires the lock \u0027tree_mod_log_lock\u0027, task B adds\n   itself to the mod seq list through btrfs_get_tree_mod_seq() and gets a\n   sequence number of 201;\n\n4) Some other task, name it task C, modifies a btree and because there\n   elements in the mod seq list, it adds a tree mod elem to the tree\n   mod log rbtree. That node added to the mod log rbtree is assigned\n   a sequence number of 202;\n\n5) Task B, which is doing fiemap and resolving indirect back references,\n   calls btrfs get_old_root(), with \u0027time_seq\u0027 \u003d\u003d 201, which in turn\n   calls tree_mod_log_search() - the search returns the mod log node\n   from the rbtree with sequence number 202, created by task C;\n\n6) Task A now acquires the lock \u0027tree_mod_log_lock\u0027, starts iterating\n   the mod log rbtree and finds the node with sequence number 202. 
Since\n   202 is less than the previously computed \u0027min_seq\u0027, (u64)-1, it\n   removes the node and frees it;\n\n7) Task B still has a pointer to the node with sequence number 202, and\n   it dereferences the pointer itself and through the call to\n   __tree_mod_log_rewind(), resulting in a use-after-free problem.\n\nThis issue can be triggered sporadically with the test case generic/561\nfrom fstests, and it happens more frequently with a higher number of\nduperemove processes. When it happens to me, it either freezes the VM or\nit produces a trace like the following before crashing:\n\n  [ 1245.321140] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n  [ 1245.321200] CPU: 1 PID: 26997 Comm: pool Not tainted 5.5.0-rc6-btrfs-next-52 #1\n  [ 1245.321235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014\n  [ 1245.321287] RIP: 0010:rb_next+0x16/0x50\n  [ 1245.321307] Code: ....\n  [ 1245.321372] RSP: 0018:ffffa151c4d039b0 EFLAGS: 00010202\n  [ 1245.321388] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8ae221363c80 RCX: 6b6b6b6b6b6b6b6b\n  [ 1245.321409] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8ae221363c80\n  [ 1245.321439] RBP: ffff8ae20fcc4688 R08: 0000000000000002 R09: 0000000000000000\n  [ 1245.321475] R10: ffff8ae20b120910 R11: 00000000243f8bb1 R12: 0000000000000038\n  [ 1245.321506] R13: ffff8ae221363c80 R14: 000000000000075f R15: ffff8ae223f762b8\n  [ 1245.321539] FS:  00007fdee1ec7700(0000) GS:ffff8ae236c80000(0000) knlGS:0000000000000000\n  [ 1245.321591] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [ 1245.321614] CR2: 00007fded4030c48 CR3: 000000021da16003 CR4: 00000000003606e0\n  [ 1245.321642] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [ 1245.321668] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [ 1245.321706] Call Trace:\n  [ 1245.321798]  __tree_mod_log_rewind+0xbf/0x280 [btrfs]\n  [ 1245.321841]  
btrfs_search_old_slot+0x105/0xd00 [btrfs]\n  [ 1245.321877]  resolve_indirect_refs+0x1eb/0xc60 [btrfs]\n  [ 1245.321912]  find_parent_nodes+0x3dc/0x11b0 [btrfs]\n  [ 1245.321947]  btrfs_check_shared+0x115/0x1c0 [btrfs]\n  [ 1245.321980]  ? extent_fiemap+0x59d/0x6d0 [btrfs]\n  [ 1245.322029]  extent_fiemap+0x59d/0x6d0 [btrfs]\n  [ 1245.322066]  do_vfs_ioctl+0x45a/0x750\n  [ 1245.322081]  ksys_ioctl+0x70/0x80\n  [ 1245.322092]  ? trace_hardirqs_off_thunk+0x1a/0x1c\n  [ 1245.322113]  __x64_sys_ioctl+0x16/0x20\n  [ 1245.322126]  do_syscall_64+0x5c/0x280\n  [ 1245.322139]  entry_SYSCALL_64_after_hwframe+0x49/0xbe\n  [ 1245.322155] RIP: 0033:0x7fdee3942dd7\n  [ 1245.322177] Code: ....\n  [ 1245.322258] RSP: 002b:00007fdee1ec6c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  [ 1245.322294] RAX: ffffffffffffffda RBX: 00007fded40210d8 RCX: 00007fdee3942dd7\n  [ 1245.322314] RDX: 00007fded40210d8 RSI: 00000000c020660b RDI: 0000000000000004\n  [ 1245.322337] RBP: 0000562aa89e7510 R08: 0000000000000000 R09: 00007fdee1ec6d44\n  [ 1245.322369] R10: 0000000000000073 R11: 0000000000000246 R12: 00007fdee1ec6d48\n  [ 1245.322390] R13: 00007fdee1ec6d40 R14: 00007fded40210d0 R15: 00007fdee1ec6d50\n  [ 1245.322423] Modules linked in: ....\n  [ 1245.323443] ---[ end trace 01de1e9ec5dff3cd ]---\n\nFix this by ensuring that btrfs_put_tree_mod_seq() computes the minimum\nsequence number and iterates the rbtree while holding the lock\n\u0027tree_mod_log_lock\u0027 in write mode. 
Also get rid of the \u0027tree_mod_seq_lock\u0027\nlock, since it is now redundant.\n\nFixes: bd989ba359f2ac (\"Btrfs: add tree modification log functions\")\nFixes: 097b8a7c9e48e2 (\"Btrfs: join tree mod log code with the code holding back delayed refs\")\nReviewed-by: Josef Bacik \u003cjosef@toxicpanda.com\u003e\nReviewed-by: Nikolay Borisov \u003cnborisov@suse.com\u003e\nSigned-off-by: Filipe Manana \u003cfdmanana@suse.com\u003e\nSigned-off-by: David Sterba \u003cdsterba@suse.com\u003e\n[bwh: Backported to 3.16:\n - Use tree_mod_log_write_{,un}lock() in ctree.c for consistency\n - Adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "a2c6b58efa791d183019781e7b66f42a0c72fe9f",
      "tree": "724aa31cf6bc79851a5d6916351779c58c69944a",
      "parents": [
        "22c07c029579ce468d3677a0953af3bf2a04e059"
      ],
      "author": {
        "name": "Michael Ellerman",
        "email": "mpe@ellerman.id.au",
        "time": "Sun Jan 26 22:52:47 2020 +1100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:39 2020 +0100"
      },
      "message": "of: Add OF_DMA_DEFAULT_COHERENT \u0026 select it on powerpc\n\ncommit dabf6b36b83a18d57e3d4b9d50544ed040d86255 upstream.\n\nThere\u0027s an OF helper called of_dma_is_coherent(), which checks if a\ndevice has a \"dma-coherent\" property to see if the device is coherent\nfor DMA.\n\nBut on some platforms devices are coherent by default, and on some\nplatforms it\u0027s not possible to update existing device trees to add the\n\"dma-coherent\" property.\n\nSo add a Kconfig symbol to allow arch code to tell\nof_dma_is_coherent() that devices are coherent by default, regardless\nof the presence of the property.\n\nSelect that symbol on powerpc when NOT_COHERENT_CACHE is not set, ie.\nwhen the system has a coherent cache.\n\nFixes: 92ea637edea3 (\"of: introduce of_dma_is_coherent() helper\")\nReported-by: Christian Zigotzky \u003cchzigotzky@xenosoft.de\u003e\nTested-by: Christian Zigotzky \u003cchzigotzky@xenosoft.de\u003e\nSigned-off-by: Michael Ellerman \u003cmpe@ellerman.id.au\u003e\nReviewed-by: Ulf Hansson \u003culf.hansson@linaro.org\u003e\nSigned-off-by: Rob Herring \u003crobh@kernel.org\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "22c07c029579ce468d3677a0953af3bf2a04e059",
      "tree": "ad7fa4422d209b5dddf8c104c0e31728ee681123",
      "parents": [
        "f29a947a928e9464e177c97bb7b4bea0f4f0f765"
      ],
      "author": {
        "name": "Sean Christopherson",
        "email": "sean.j.christopherson@intel.com",
        "time": "Thu Jan 09 15:56:18 2020 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:39 2020 +0100"
      },
      "message": "KVM: Check for a bad hva before dropping into the ghc slow path\n\ncommit fcfbc617547fc6d9552cb6c1c563b6a90ee98085 upstream.\n\nWhen reading/writing using the guest/host cache, check for a bad hva\nbefore checking for a NULL memslot, which triggers the slow path for\nhandling cross-page accesses.  Because the memslot is nullified on error\nby __kvm_gfn_to_hva_cache_init(), if the bad hva is encountered after\ncrossing into a new page, then the kvm_{read,write}_guest() slow path\ncould potentially write/access the first chunk prior to detecting the\nbad hva.\n\nArguably, performing a partial access is semantically correct from an\narchitectural perspective, but that behavior is certainly not intended.\nIn the original implementation, memslot was not explicitly nullified\nand therefore the partial access behavior varied based on whether the\nmemslot itself was null, or if the hva was simply bad.  The current\nbehavior was introduced as a seemingly unintentional side effect in\ncommit f1b9dd5eb86c (\"kvm: Disallow wraparound in\nkvm_gfn_to_hva_cache_init\"), which justified the change with \"since some\ncallers don\u0027t check the return code from this function, it seems\nprudent to clear ghc-\u003ememslot in the event of an error\".\n\nRegardless of intent, the partial access is dependent on _not_ checking\nthe result of the cache initialization, which is arguably a bug in its\nown right, at best simply weird.\n\nFixes: 8f964525a121 (\"KVM: Allow cross page reads and writes from cached translations.\")\nCc: Jim Mattson \u003cjmattson@google.com\u003e\nCc: Andrew Honig \u003cahonig@google.com\u003e\nSigned-off-by: Sean Christopherson \u003csean.j.christopherson@intel.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "f29a947a928e9464e177c97bb7b4bea0f4f0f765",
      "tree": "e3098c8ec0505ab9d2634220fddb419faec550d4",
      "parents": [
        "37d1c23edefc176c5b54fb5447f94ae2b5c06105"
      ],
      "author": {
        "name": "Marios Pomonis",
        "email": "pomonis@google.com",
        "time": "Wed Dec 11 12:47:52 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:38 2020 +0100"
      },
      "message": "KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks\n\ncommit ea740059ecb37807ba47b84b33d1447435a8d868 upstream.\n\nThis fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and\nkvm_get_dr().\nBoth kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are\nexported symbols so KVM should treat them conservatively from a security\nperspective.\n\nFixes: 020df0794f57 (\"KVM: move DR register access handling into generic code\")\n\nSigned-off-by: Nick Finco \u003cnifi@google.com\u003e\nSigned-off-by: Marios Pomonis \u003cpomonis@google.com\u003e\nReviewed-by: Andrew Honig \u003cahonig@google.com\u003e\nReviewed-by: Jim Mattson \u003cjmattson@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "37d1c23edefc176c5b54fb5447f94ae2b5c06105",
      "tree": "24f3bb68e98db7e7d2ecd3dff6fb001a232a1ed3",
      "parents": [
        "528bb39449961c9177b540931a1e39fb6c427707"
      ],
      "author": {
        "name": "Marios Pomonis",
        "email": "pomonis@google.com",
        "time": "Wed Dec 11 12:47:49 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:38 2020 +0100"
      },
      "message": "KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c\n\ncommit 6ec4c5eee1750d5d17951c4e1960d953376a0dda upstream.\n\nThis fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and\nget_msr_mce().\nBoth functions contain index computations based on the\n(attacker-controlled) MSR number.\n\nFixes: 890ca9aefa78 (\"KVM: Add MCE support\")\n\nSigned-off-by: Nick Finco \u003cnifi@google.com\u003e\nSigned-off-by: Marios Pomonis \u003cpomonis@google.com\u003e\nReviewed-by: Andrew Honig \u003cahonig@google.com\u003e\nReviewed-by: Jim Mattson \u003cjmattson@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n[bwh: Backported to 3.16: Add #include \u003clinux/nospec.h\u003e]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "528bb39449961c9177b540931a1e39fb6c427707",
      "tree": "8e7edeeaec6357eda409f97b9aa9ce071e60c1be",
      "parents": [
        "64c977f360f25b60c25fce462d8634386935e796"
      ],
      "author": {
        "name": "Chen Yucong",
        "email": "slaoub@gmail.com",
        "time": "Tue Sep 23 10:44:35 2014 +0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:38 2020 +0100"
      },
      "message": "kvm: x86: use macros to compute bank MSRs\n\ncommit 81760dccf8d1fe5b128b58736fe3f56a566133cb upstream.\n\nAvoid open coded calculations for bank MSRs by using well-defined\nmacros that hide the index of higher bank MSRs.\n\nNo semantic changes.\n\nSigned-off-by: Chen Yucong \u003cslaoub@gmail.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "64c977f360f25b60c25fce462d8634386935e796",
      "tree": "d5a1070080a405336cd7c2b4cd662a32ba314087",
      "parents": [
        "56b51e25ffb93ae142652400c35ea43f0899d0c2"
      ],
      "author": {
        "name": "Marios Pomonis",
        "email": "pomonis@google.com",
        "time": "Wed Dec 11 12:47:46 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:37 2020 +0100"
      },
      "message": "KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks\n\ncommit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream.\n\nThis fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write().\nThis function contains index computations based on the\n(attacker-controlled) MSR number.\n\nFixes: 0105d1a52640 (\"KVM: x2apic interface to lapic\")\n\nSigned-off-by: Nick Finco \u003cnifi@google.com\u003e\nSigned-off-by: Marios Pomonis \u003cpomonis@google.com\u003e\nReviewed-by: Andrew Honig \u003cahonig@google.com\u003e\nReviewed-by: Jim Mattson \u003cjmattson@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n[bwh: Backported to 3.16:\n - Add #include \u003clinux/nospec.h\u003e\n - Adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "56b51e25ffb93ae142652400c35ea43f0899d0c2",
      "tree": "08c64717cc09a4dfb277754eb327b63de8bb19b0",
      "parents": [
        "dfe2282f8e4de99b37b13aa52720a9b3646ea857"
      ],
      "author": {
        "name": "Marios Pomonis",
        "email": "pomonis@google.com",
        "time": "Wed Dec 11 12:47:45 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:37 2020 +0100"
      },
      "message": "KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks\n\ncommit 670564559ca35b439c8d8861fc399451ddf95137 upstream.\n\nThis fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect().\nThis function contains index computations based on the\n(attacker-controlled) IOREGSEL register.\n\nThis patch depends on patch\n\"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks\".\n\nFixes: 70f93dae32ac (\"KVM: Use temporary variable to shorten lines.\")\n\nSigned-off-by: Nick Finco \u003cnifi@google.com\u003e\nSigned-off-by: Marios Pomonis \u003cpomonis@google.com\u003e\nReviewed-by: Andrew Honig \u003cahonig@google.com\u003e\nReviewed-by: Jim Mattson \u003cjmattson@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n[bwh: Backported to 3.16: adjust filename]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "dfe2282f8e4de99b37b13aa52720a9b3646ea857",
      "tree": "80ea6e0225071a03498e725fb2100b356d7d7bcc",
      "parents": [
        "6356cde8b18ae7eb06a93d001e996168fce3efce"
      ],
      "author": {
        "name": "Marios Pomonis",
        "email": "pomonis@google.com",
        "time": "Wed Dec 11 12:47:44 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:37 2020 +0100"
      },
      "message": "KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks\n\ncommit 8c86405f606ca8508b8d9280680166ca26723695 upstream.\n\nThis fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect().\nThis function contains index computations based on the\n(attacker-controlled) IOREGSEL register.\n\nFixes: a2c118bfab8b (\"KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)\")\n\nSigned-off-by: Nick Finco \u003cnifi@google.com\u003e\nSigned-off-by: Marios Pomonis \u003cpomonis@google.com\u003e\nReviewed-by: Andrew Honig \u003cahonig@google.com\u003e\nReviewed-by: Jim Mattson \u003cjmattson@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n[bwh: Backported to 3.16: adjust filename]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "6356cde8b18ae7eb06a93d001e996168fce3efce",
      "tree": "6b5697a81c21c66241e37f9f6484e5e5a829ef95",
      "parents": [
        "db929cc57463b056ff9aaaca6ed309464c029e01"
      ],
      "author": {
        "name": "Marios Pomonis",
        "email": "pomonis@google.com",
        "time": "Wed Dec 11 12:47:43 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:37 2020 +0100"
      },
      "message": "KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks\n\ncommit 14e32321f3606e4b0970200b6e5e47ee6f1e6410 upstream.\n\nThis fixes a Spectre-v1/L1TF vulnerability in picdev_write().\nIt replaces index computations based on the (attacker-controlled) port\nnumber with constants through a minor refactoring.\n\nFixes: 85f455f7ddbe (\"KVM: Add support for in-kernel PIC emulation\")\n\nSigned-off-by: Nick Finco \u003cnifi@google.com\u003e\nSigned-off-by: Marios Pomonis \u003cpomonis@google.com\u003e\nReviewed-by: Andrew Honig \u003cahonig@google.com\u003e\nReviewed-by: Jim Mattson \u003cjmattson@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n[bwh: Backported to 3.16: pic_{,un}lock() are called outside the switch]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "db929cc57463b056ff9aaaca6ed309464c029e01",
      "tree": "dac4f53e2bec5f1f3ee6ece914567713454fe49c",
      "parents": [
        "d9dc0fd7792fec52cb7cdf7ca39c734733e8b57e"
      ],
      "author": {
        "name": "Marios Pomonis",
        "email": "pomonis@google.com",
        "time": "Wed Dec 11 12:47:41 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:36 2020 +0100"
      },
      "message": "KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks\n\ncommit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream.\n\nThis fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().\nkvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported\nsymbol, so KVM should treat it conservatively from a security perspective.\n\nFixes: 045a282ca415 (\"KVM: emulator: implement fninit, fnstsw, fnstcw\")\n\nSigned-off-by: Nick Finco \u003cnifi@google.com\u003e\nSigned-off-by: Marios Pomonis \u003cpomonis@google.com\u003e\nReviewed-by: Andrew Honig \u003cahonig@google.com\u003e\nReviewed-by: Jim Mattson \u003cjmattson@google.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n[bwh: Backported to 3.16: Add #include \u003clinux/nospec.h\u003e]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "d9dc0fd7792fec52cb7cdf7ca39c734733e8b57e",
      "tree": "0c2dc7d2ff938f0f41096c5fe392ad03ce1777fe",
      "parents": [
        "1b1fddb80c89f4baaa1c68c954d71379f781b257"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Fri Jan 24 14:57:20 2020 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:36 2020 +0100"
      },
      "message": "net_sched: ematch: reject invalid TCF_EM_SIMPLE\n\ncommit 55cd9f67f1e45de8517cdaab985fb8e56c0bc1d8 upstream.\n\nIt is possible for malicious userspace to set TCF_EM_SIMPLE bit\neven for matches that should not have this bit set.\n\nThis can fool two places using tcf_em_is_simple()\n\n1) tcf_em_tree_destroy() -\u003e memory leak of em-\u003edata\n   if ops-\u003edestroy() is NULL\n\n2) tcf_em_tree_dump() wrongly report/leak 4 low-order bytes\n   of a kernel pointer.\n\nBUG: memory leak\nunreferenced object 0xffff888121850a40 (size 32):\n  comm \"syz-executor927\", pid 7193, jiffies 4294941655 (age 19.840s)\n  hex dump (first 32 bytes):\n    00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [\u003c00000000f67036ea\u003e] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]\n    [\u003c00000000f67036ea\u003e] slab_post_alloc_hook mm/slab.h:586 [inline]\n    [\u003c00000000f67036ea\u003e] slab_alloc mm/slab.c:3320 [inline]\n    [\u003c00000000f67036ea\u003e] __do_kmalloc mm/slab.c:3654 [inline]\n    [\u003c00000000f67036ea\u003e] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3671\n    [\u003c00000000fab0cc8e\u003e] kmemdup+0x27/0x60 mm/util.c:127\n    [\u003c00000000d9992e0a\u003e] kmemdup include/linux/string.h:453 [inline]\n    [\u003c00000000d9992e0a\u003e] em_nbyte_change+0x5b/0x90 net/sched/em_nbyte.c:32\n    [\u003c000000007e04f711\u003e] tcf_em_validate net/sched/ematch.c:241 [inline]\n    [\u003c000000007e04f711\u003e] tcf_em_tree_validate net/sched/ematch.c:359 [inline]\n    [\u003c000000007e04f711\u003e] tcf_em_tree_validate+0x332/0x46f net/sched/ematch.c:300\n    [\u003c000000007a769204\u003e] basic_set_parms net/sched/cls_basic.c:157 [inline]\n    [\u003c000000007a769204\u003e] basic_change+0x1d7/0x5f0 net/sched/cls_basic.c:219\n    [\u003c00000000e57a5997\u003e] tc_new_tfilter+0x566/0xf70 net/sched/cls_api.c:2104\n    
[\u003c0000000074b68559\u003e] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5415\n    [\u003c00000000b7fe53fb\u003e] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477\n    [\u003c00000000e83a40d0\u003e] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442\n    [\u003c00000000d62ba933\u003e] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]\n    [\u003c00000000d62ba933\u003e] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328\n    [\u003c0000000088070f72\u003e] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917\n    [\u003c00000000f70b15ea\u003e] sock_sendmsg_nosec net/socket.c:639 [inline]\n    [\u003c00000000f70b15ea\u003e] sock_sendmsg+0x54/0x70 net/socket.c:659\n    [\u003c00000000ef95a9be\u003e] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330\n    [\u003c00000000b650f1ab\u003e] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384\n    [\u003c0000000055bfa74a\u003e] __sys_sendmsg+0x80/0xf0 net/socket.c:2417\n    [\u003c000000002abac183\u003e] __do_sys_sendmsg net/socket.c:2426 [inline]\n    [\u003c000000002abac183\u003e] __se_sys_sendmsg net/socket.c:2424 [inline]\n    [\u003c000000002abac183\u003e] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReported-by: syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com\nCc: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nAcked-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "1b1fddb80c89f4baaa1c68c954d71379f781b257",
      "tree": "e3cc999833e002d3e7cb225705a8884527686f80",
      "parents": [
        "c3a7e44bf63360b68c70078125f457cb90a54c64"
      ],
      "author": {
        "name": "Vincent Whitchurch",
        "email": "vincent.whitchurch@axis.com",
        "time": "Thu Jan 23 17:09:06 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:36 2020 +0100"
      },
      "message": "CIFS: Fix task struct use-after-free on reconnect\n\ncommit f1f27ad74557e39f67a8331a808b860f89254f2d upstream.\n\nThe task which created the MID may be gone by the time cifsd attempts to\ncall the callbacks on MIDs from cifs_reconnect().\n\nThis leads to a use-after-free of the task struct in cifs_wake_up_task:\n\n \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n BUG: KASAN: use-after-free in __lock_acquire+0x31a0/0x3270\n Read of size 8 at addr ffff8880103e3a68 by task cifsd/630\n\n CPU: 0 PID: 630 Comm: cifsd Not tainted 5.5.0-rc6+ #119\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014\n Call Trace:\n  dump_stack+0x8e/0xcb\n  print_address_description.constprop.5+0x1d3/0x3c0\n  ? __lock_acquire+0x31a0/0x3270\n  __kasan_report+0x152/0x1aa\n  ? __lock_acquire+0x31a0/0x3270\n  ? __lock_acquire+0x31a0/0x3270\n  kasan_report+0xe/0x20\n  __lock_acquire+0x31a0/0x3270\n  ? __wake_up_common+0x1dc/0x630\n  ? _raw_spin_unlock_irqrestore+0x4c/0x60\n  ? mark_held_locks+0xf0/0xf0\n  ? _raw_spin_unlock_irqrestore+0x39/0x60\n  ? __wake_up_common_lock+0xd5/0x130\n  ? __wake_up_common+0x630/0x630\n  lock_acquire+0x13f/0x330\n  ? try_to_wake_up+0xa3/0x19e0\n  _raw_spin_lock_irqsave+0x38/0x50\n  ? try_to_wake_up+0xa3/0x19e0\n  try_to_wake_up+0xa3/0x19e0\n  ? cifs_compound_callback+0x178/0x210\n  ? set_cpus_allowed_ptr+0x10/0x10\n  cifs_reconnect+0xa1c/0x15d0\n  ? generic_ip_connect+0x1860/0x1860\n  ? rwlock_bug.part.0+0x90/0x90\n  cifs_readv_from_socket+0x479/0x690\n  cifs_read_from_socket+0x9d/0xe0\n  ? cifs_readv_from_socket+0x690/0x690\n  ? mempool_resize+0x690/0x690\n  ? 
rwlock_bug.part.0+0x90/0x90\n  ? memset+0x1f/0x40\n  ? allocate_buffers+0xff/0x340\n  cifs_demultiplex_thread+0x388/0x2a50\n  ? cifs_handle_standard+0x610/0x610\n  ? rcu_read_lock_held_common+0x120/0x120\n  ? mark_lock+0x11b/0xc00\n  ? __lock_acquire+0x14ed/0x3270\n  ? __kthread_parkme+0x78/0x100\n  ? lockdep_hardirqs_on+0x3e8/0x560\n  ? lock_downgrade+0x6a0/0x6a0\n  ? lockdep_hardirqs_on+0x3e8/0x560\n  ? _raw_spin_unlock_irqrestore+0x39/0x60\n  ? cifs_handle_standard+0x610/0x610\n  kthread+0x2bb/0x3a0\n  ? kthread_create_worker_on_cpu+0xc0/0xc0\n  ret_from_fork+0x3a/0x50\n\n Allocated by task 649:\n  save_stack+0x19/0x70\n  __kasan_kmalloc.constprop.5+0xa6/0xf0\n  kmem_cache_alloc+0x107/0x320\n  copy_process+0x17bc/0x5370\n  _do_fork+0x103/0xbf0\n  __x64_sys_clone+0x168/0x1e0\n  do_syscall_64+0x9b/0xec0\n  entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\n Freed by task 0:\n  save_stack+0x19/0x70\n  __kasan_slab_free+0x11d/0x160\n  kmem_cache_free+0xb5/0x3d0\n  rcu_core+0x52f/0x1230\n  __do_softirq+0x24d/0x962\n\n The buggy address belongs to the object at ffff8880103e32c0\n  which belongs to the cache task_struct of size 6016\n The buggy address is located 1960 bytes inside of\n  6016-byte region [ffff8880103e32c0, ffff8880103e4a40)\n The buggy address belongs to the page:\n page:ffffea000040f800 refcount:1 mapcount:0 mapping:ffff8880108da5c0\n index:0xffff8880103e4c00 compound_mapcount: 0\n raw: 4000000000010200 ffffea00001f2208 ffffea00001e3408 ffff8880108da5c0\n raw: ffff8880103e4c00 0000000000050003 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8880103e3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880103e3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n \u003effff8880103e3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                           ^\n  ffff8880103e3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  
ffff8880103e3b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nThis can be reliably reproduced by adding the below delay to\ncifs_reconnect(), running find(1) on the mount, restarting the samba\nserver while find is running, and killing find during the delay:\n\n  \tspin_unlock(\u0026GlobalMid_Lock);\n  \tmutex_unlock(\u0026server-\u003esrv_mutex);\n\n +\tmsleep(10000);\n +\n  \tcifs_dbg(FYI, \"%s: issuing mid callbacks\\n\", __func__);\n  \tlist_for_each_safe(tmp, tmp2, \u0026retry_list) {\n  \t\tmid_entry \u003d list_entry(tmp, struct mid_q_entry, qhead);\n\nFix this by holding a reference to the task struct until the MID is\nfreed.\n\nSigned-off-by: Vincent Whitchurch \u003cvincent.whitchurch@axis.com\u003e\nSigned-off-by: Steve French \u003cstfrench@microsoft.com\u003e\nReviewed-by: Paulo Alcantara (SUSE) \u003cpc@cjr.nz\u003e\nReviewed-by: Pavel Shilovsky \u003cpshilov@microsoft.com\u003e\n[bwh: Backported to 3.16:\n - In _cifs_mid_q_entry_release(), use mid instead of midEntry\n - Adjust context, indentation]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "c3a7e44bf63360b68c70078125f457cb90a54c64",
      "tree": "af31161ff28af6b608eb8a24235294126e568a2e",
      "parents": [
        "7c4b6b13e3e9625c70aa646c756abef1453cc657"
      ],
      "author": {
        "name": "Colin Ian King",
        "email": "colin.king@canonical.com",
        "time": "Sun Jan 26 00:09:54 2020 +0000"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:35 2020 +0100"
      },
      "message": "iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop\n\ncommit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 upstream.\n\nThe loop counter addr is a u16 whereas the upper limit of the loop\nis an int. In the unlikely event that the il-\u003ecfg-\u003eeeprom_size is\ngreater than 64K then we end up with an infinite loop since addr will\nwrap around and never reach the upper loop limit. Fix this by making addr\nan int.\n\nAddresses-Coverity: (\"Infinite loop\")\nFixes: be663ab67077 (\"iwlwifi: split the drivers for agn and legacy devices 3945/4965\")\nSigned-off-by: Colin Ian King \u003ccolin.king@canonical.com\u003e\nAcked-by: Stanislaw Gruszka \u003cstf_xl@wp.pl\u003e\nSigned-off-by: Kalle Valo \u003ckvalo@codeaurora.org\u003e\n[bwh: Backported to 3.16: adjust filename]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "7c4b6b13e3e9625c70aa646c756abef1453cc657",
      "tree": "d27a0a4b285c05439aafc370093684b098a5ad8c",
      "parents": [
        "592eef925e593e2a9a542f3e6ae176f4c1b8379e"
      ],
      "author": {
        "name": "zhangyi (F)",
        "email": "yi.zhang@huawei.com",
        "time": "Wed Dec 04 20:46:12 2019 +0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:35 2020 +0100"
      },
      "message": "ext4, jbd2: ensure panic when aborting with zero errno\n\ncommit 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 upstream.\n\nJBD2_REC_ERR flag used to indicate the errno has been updated when jbd2\naborted, and then __ext4_abort() and ext4_handle_error() can invoke\npanic if ERRORS_PANIC is specified. But if the journal has been aborted\nwith zero errno, jbd2_journal_abort() didn\u0027t set this flag so we can\nno longer panic. Fix this by always recording the proper errno in the\njournal superblock.\n\nFixes: 4327ba52afd03 (\"ext4, jbd2: ensure entering into panic after recording an error in superblock\")\nSigned-off-by: zhangyi (F) \u003cyi.zhang@huawei.com\u003e\nReviewed-by: Jan Kara \u003cjack@suse.cz\u003e\nLink: https://lore.kernel.org/r/20191204124614.45424-3-yi.zhang@huawei.com\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "592eef925e593e2a9a542f3e6ae176f4c1b8379e",
      "tree": "1c985c7bd0343dd0a5fe3d4878b5b3e9e00a1f3e",
      "parents": [
        "f9f06c52359ad1acb7ac4c81466d652c9f06fc64"
      ],
      "author": {
        "name": "zhangyi (F)",
        "email": "yi.zhang@huawei.com",
        "time": "Wed Dec 04 20:46:11 2019 +0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:34 2020 +0100"
      },
      "message": "jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record\n\ncommit d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 upstream.\n\nWe invoke jbd2_journal_abort() to abort the journal and record errno\nin the jbd2 superblock when committing journal transaction besides the\nfailure on submitting the commit record. But there is no need for the\ncase and we can also invoke jbd2_journal_abort() instead of\n__jbd2_journal_abort_hard().\n\nFixes: 818d276ceb83a (\"ext4: Add the journal checksum feature\")\nSigned-off-by: zhangyi (F) \u003cyi.zhang@huawei.com\u003e\nReviewed-by: Jan Kara \u003cjack@suse.cz\u003e\nLink: https://lore.kernel.org/r/20191204124614.45424-2-yi.zhang@huawei.com\nSigned-off-by: Theodore Ts\u0027o \u003ctytso@mit.edu\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "f9f06c52359ad1acb7ac4c81466d652c9f06fc64",
      "tree": "b101115af97ed0b7b193e36c04a03fb31eb3b5ff",
      "parents": [
        "153e1d6d38d491ada8f0a0205c51bdd790ccac2c"
      ],
      "author": {
        "name": "Luis Henriques",
        "email": "luis.henriques@canonical.com",
        "time": "Tue Sep 09 22:49:41 2014 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:34 2020 +0100"
      },
      "message": "tracing: Fix tracing_stat return values in error handling paths\n\ncommit afccc00f75bbbee4e4ae833a96c2d29a7259c693 upstream.\n\ntracing_stat_init() was always returning \u00270\u0027, even on the error paths.  It\nnow returns -ENODEV if tracing_init_dentry() fails or -ENOMEM if it fails\nto create the \u0027trace_stat\u0027 debugfs directory.\n\nLink: http://lkml.kernel.org/r/1410299381-20108-1-git-send-email-luis.henriques@canonical.com\n\nFixes: ed6f1c996bfe4 (\"tracing: Check return value of tracing_init_dentry()\")\nSigned-off-by: Luis Henriques \u003cluis.henriques@canonical.com\u003e\n[ Pulled from the archeological digging of my INBOX ]\nSigned-off-by: Steven Rostedt (VMware) \u003crostedt@goodmis.org\u003e\n[bwh: Backported to 3.16: adjust context]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "153e1d6d38d491ada8f0a0205c51bdd790ccac2c",
      "tree": "b3e329fea419f1f580f3a4dc74d8786f04df3d68",
      "parents": [
        "22725fee3d79718feccb5eee32beeb40583cc086"
      ],
      "author": {
        "name": "Steven Rostedt (VMware)",
        "email": "rostedt@goodmis.org",
        "time": "Fri Jan 24 17:47:49 2020 -0500"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:34 2020 +0100"
      },
      "message": "tracing: Fix very unlikely race of registering two stat tracers\n\ncommit dfb6cd1e654315168e36d947471bd2a0ccd834ae upstream.\n\nLooking through old emails in my INBOX, I came across a patch from Luis\nHenriques that attempted to fix a race of two stat tracers registering the\nsame stat trace (extremely unlikely, as this is done in the kernel, and\nprobably doesn\u0027t even exist). The submitted patch wasn\u0027t quite right as it\nneeded to deal with clean up a bit better (if two stat tracers were the\nsame, it would have the same files).\n\nBut to make the code cleaner, all we needed to do is to keep the\nall_stat_sessions_mutex held for most of the registering function.\n\nLink: http://lkml.kernel.org/r/1410299375-20068-1-git-send-email-luis.henriques@canonical.com\n\nFixes: 002bb86d8d42f (\"tracing/ftrace: separate events tracing and stats tracing engine\")\nReported-by: Luis Henriques \u003cluis.henriques@canonical.com\u003e\nSigned-off-by: Steven Rostedt (VMware) \u003crostedt@goodmis.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "22725fee3d79718feccb5eee32beeb40583cc086",
      "tree": "aa2ab876d0c12cc8b265b88b82448f2e3374a848",
      "parents": [
        "9c98c4926b6d5dbabfa3ee9df1083c88709aca8b"
      ],
      "author": {
        "name": "Sean Christopherson",
        "email": "sean.j.christopherson@intel.com",
        "time": "Wed Dec 18 13:54:48 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:34 2020 +0100"
      },
      "message": "KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails\n\ncommit 16be9ddea268ad841457a59109963fff8c9de38d upstream.\n\nFree the vCPU\u0027s wbinvd_dirty_mask if vCPU creation fails after\nkvm_arch_vcpu_init(), e.g. when installing the vCPU\u0027s file descriptor.\nDo the freeing by calling kvm_arch_vcpu_free() instead of open coding\nthe freeing.  This adds a likely superfluous, but ultimately harmless,\ncall to kvmclock_reset(), which only clears vcpu-\u003earch.pv_time_enabled.\nUsing kvm_arch_vcpu_free() allows for additional cleanup in the future.\n\nFixes: f5f48ee15c2ee (\"KVM: VMX: Execute WBINVD to keep data consistency with assigned devices\")\nSigned-off-by: Sean Christopherson \u003csean.j.christopherson@intel.com\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\n[bwh: Backported to 3.16: Also delete the preceding fx_free(), since\n kvm_arch_vcpu_free() calls it.]\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "9c98c4926b6d5dbabfa3ee9df1083c88709aca8b",
      "tree": "129df38abc2b6fe3f981846086cf5aa548a07730",
      "parents": [
        "ad2b2732831389253b464b197f674b0cc6f3baa5"
      ],
      "author": {
        "name": "Sean Christopherson",
        "email": "sean.j.christopherson@intel.com",
        "time": "Wed Dec 18 13:54:47 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:33 2020 +0100"
      },
      "message": "KVM: PPC: Book3S PR: Free shared page if mmu initialization fails\n\ncommit cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 upstream.\n\nExplicitly free the shared page if kvmppc_mmu_init() fails during\nkvmppc_core_vcpu_create(), as the page is freed only in\nkvmppc_core_vcpu_free(), which is not reached via kvm_vcpu_uninit().\n\nFixes: 96bc451a15329 (\"KVM: PPC: Introduce shared page\")\nReviewed-by: Greg Kurz \u003cgroug@kaod.org\u003e\nSigned-off-by: Sean Christopherson \u003csean.j.christopherson@intel.com\u003e\nAcked-by: Paul Mackerras \u003cpaulus@ozlabs.org\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "ad2b2732831389253b464b197f674b0cc6f3baa5",
      "tree": "36e49d06a52fa0e38345dbc4a1a8fc278988fb05",
      "parents": [
        "320230e4875672908b1ec29251b13548e16af1ef"
      ],
      "author": {
        "name": "Sean Christopherson",
        "email": "sean.j.christopherson@intel.com",
        "time": "Wed Dec 18 13:54:46 2019 -0800"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:33 2020 +0100"
      },
      "message": "KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails\n\ncommit 1a978d9d3e72ddfa40ac60d26301b154247ee0bc upstream.\n\nCall kvm_vcpu_uninit() if vcore creation fails to avoid leaking any\nresources allocated by kvm_vcpu_init(), i.e. the vcpu-\u003erun page.\n\nFixes: 371fefd6f2dc4 (\"KVM: PPC: Allow book3s_hv guests to use SMT processor modes\")\nReviewed-by: Greg Kurz \u003cgroug@kaod.org\u003e\nSigned-off-by: Sean Christopherson \u003csean.j.christopherson@intel.com\u003e\nAcked-by: Paul Mackerras \u003cpaulus@ozlabs.org\u003e\nSigned-off-by: Paolo Bonzini \u003cpbonzini@redhat.com\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "320230e4875672908b1ec29251b13548e16af1ef",
      "tree": "a3976ec2f35479f0206e6e5dceb89ecea54d6168",
      "parents": [
        "c4f3f87537f698436b4c79817df3b58b1c81dc6f"
      ],
      "author": {
        "name": "Will Deacon",
        "email": "will@kernel.org",
        "time": "Fri Nov 08 16:48:38 2019 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:33 2020 +0100"
      },
      "message": "media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors\n\ncommit 68035c80e129c4cfec659aac4180354530b26527 upstream.\n\nWay back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked\nup the following WARNING from the UVC chain scanning code:\n\n  | list_add double add: new\u003dffff880069084010, prev\u003dffff880069084010,\n  | next\u003dffff880067d22298.\n  | ------------[ cut here ]------------\n  | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0\n  | Modules linked in:\n  | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted\n  | 4.14.0-rc2-42613-g1488251d1a98 #238\n  | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011\n  | Workqueue: usb_hub_wq hub_event\n  | task: ffff88006b01ca40 task.stack: ffff880064358000\n  | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29\n  | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286\n  | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000\n  | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac\n  | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000\n  | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010\n  | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0\n  | FS:  0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000\n  | CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0\n  | Call Trace:\n  |  __list_add ./include/linux/list.h:59\n  |  list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92\n  |  uvc_scan_chain_forward.isra.8+0x373/0x416\n  | drivers/media/usb/uvc/uvc_driver.c:1471\n  |  uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585\n  |  uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769\n  |  uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104\n\nLooking into the output from usbmon, the interesting part is the\nfollowing data packet:\n\n  
ffff880069c63e00 30710169 C Ci:1:002:0 0 143 \u003d 09028f00 01030080\n  00090403 00000e01 00000924 03000103 7c003328 010204db\n\nIf we drop the lead configuration and interface descriptors, we\u0027re left\nwith an output terminal descriptor describing a generic display:\n\n  /* Output terminal descriptor */\n  buf[0]\t09\n  buf[1]\t24\n  buf[2]\t03\t/* UVC_VC_OUTPUT_TERMINAL */\n  buf[3]\t00\t/* ID */\n  buf[4]\t01\t/* type \u003d\u003d 0x0301 (UVC_OTT_DISPLAY) */\n  buf[5]\t03\n  buf[6]\t7c\n  buf[7]\t00\t/* source ID refers to self! */\n  buf[8]\t33\n\nThe problem with this descriptor is that it is self-referential: the\nsource ID of 0 matches itself! This causes the \u0027struct uvc_entity\u0027\nrepresenting the display to be added to its chain list twice during\n\u0027uvc_scan_chain()\u0027: once via \u0027uvc_scan_chain_entity()\u0027 when it is\nprocessed directly from the \u0027dev-\u003eentities\u0027 list and then again\nimmediately afterwards when trying to follow the source ID in\n\u0027uvc_scan_chain_forward()\u0027\n\nAdd a check before adding an entity to a chain list to ensure that the\nentity is not already part of a chain.\n\nLink: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/\n\nFixes: c0efd232929c (\"V4L/DVB (8145a): USB Video Class driver\")\nReported-by: Andrey Konovalov \u003candreyknvl@google.com\u003e\nSigned-off-by: Will Deacon \u003cwill@kernel.org\u003e\nSigned-off-by: Laurent Pinchart \u003claurent.pinchart@ideasonboard.com\u003e\nSigned-off-by: Mauro Carvalho Chehab \u003cmchehab+huawei@kernel.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "c4f3f87537f698436b4c79817df3b58b1c81dc6f",
      "tree": "16c94de304c5a2d297cb05c95ae91ed2f22a5dbf",
      "parents": [
        "482735dac9aacba0638bf0562b9c37068c695880"
      ],
      "author": {
        "name": "Johan Hovold",
        "email": "johan@kernel.org",
        "time": "Wed Jan 22 11:15:28 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:32 2020 +0100"
      },
      "message": "USB: serial: ir-usb: fix IrLAP framing\n\ncommit 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a upstream.\n\nCommit f4a4cbb2047e (\"USB: ir-usb: reimplement using generic framework\")\nswitched to using the generic write implementation which may combine\nmultiple write requests into larger transfers. This can break the IrLAP\nprotocol where end-of-frame is determined using the USB short packet\nmechanism, for example, if multiple frames are sent in rapid succession.\n\nFixes: f4a4cbb2047e (\"USB: ir-usb: reimplement using generic framework\")\nReviewed-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    },
    {
      "commit": "482735dac9aacba0638bf0562b9c37068c695880",
      "tree": "b73aaf6fec5fc199e31e00d9d87851f71ab440ec",
      "parents": [
        "4b9dcdf2264b073cacef03f6ab4e3d5ca817bbb1"
      ],
      "author": {
        "name": "Johan Hovold",
        "email": "johan@kernel.org",
        "time": "Wed Jan 22 11:15:27 2020 +0100"
      },
      "committer": {
        "name": "Ben Hutchings",
        "email": "ben@decadent.org.uk",
        "time": "Fri May 22 21:19:32 2020 +0100"
      },
      "message": "USB: serial: ir-usb: fix link-speed handling\n\ncommit 17a0184ca17e288decdca8b2841531e34d49285f upstream.\n\nCommit e0d795e4f36c (\"usb: irda: cleanup on ir-usb module\") added a USB\nIrDA header with common defines, but mistakingly switched to using the\nclass-descriptor baud-rate bitmask values for the outbound header.\n\nThis broke link-speed handling for rates above 9600 baud, but a device\nwould also be able to operate at the default 9600 baud until a\nlink-speed request was issued (e.g. using the TCGETS ioctl).\n\nFixes: e0d795e4f36c (\"usb: irda: cleanup on ir-usb module\")\nCc: Felipe Balbi \u003cbalbi@kernel.org\u003e\nReviewed-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Ben Hutchings \u003cben@decadent.org.uk\u003e\n"
    }
  ],
  "next": "4b9dcdf2264b073cacef03f6ab4e3d5ca817bbb1"
}
