* [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable
  Cc: Maor Gottlieb, Daniel Jurgens, Leon Romanovsky, Doug Ledford,
	Jiri Slaby

From: Maor Gottlieb <maorg@mellanox.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit af4295c117b82a521b05d0daf39ce879d26e6cb1 upstream.

Set traffic class within sl_tclass_flowlabel when create iboe AH.
Without this the TOS value will be empty when running VLAN tagged
traffic, because the TOS value is taken from the traffic class in the
address handle attributes.

Fixes: 9106c4106974 ('IB/mlx4: Fix SL to 802.1Q priority-bits mapping for IBoE')
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/infiniband/hw/mlx4/ah.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c
index f55d69500a5f..3a85e7669068 100644
--- a/drivers/infiniband/hw/mlx4/ah.c
+++ b/drivers/infiniband/hw/mlx4/ah.c
@@ -118,7 +118,9 @@ static struct ib_ah *create_iboe_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr
 		       !(1 << ah->av.eth.stat_rate & dev->caps.stat_rate_support))
 			--ah->av.eth.stat_rate;
 	}
-
+	ah->av.eth.sl_tclass_flowlabel |=
+			cpu_to_be32((ah_attr->grh.traffic_class << 20) |
+				    ah_attr->grh.flow_label);
 	/*
 	 * HW requires multicast LID so we just choose one.
 	 */
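Review bot: `ah_attr->grh.flow_label` is ORed in unmasked at the new `sl_tclass_flowlabel |=` statement, so any bits above bit 19 would land in the traffic-class field that starts at bit 20. Masking it, for example `ah_attr->grh.flow_label & 0xfffff`, would keep the two fields from overlapping.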
@@ -126,7 +128,7 @@ static struct ib_ah *create_iboe_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr
 		ah->av.ib.dlid = cpu_to_be16(0xc000);
 
 	memcpy(ah->av.eth.dgid, ah_attr->grh.dgid.raw, 16);
-	ah->av.eth.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 29);
+	ah->av.eth.sl_tclass_flowlabel |= cpu_to_be32(ah_attr->sl << 29);
 
 	return &ah->ibah;
 }
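Review bot: with the SL line changed from `=` to `|=`, nothing in the visible hunks assigns `ah->av.eth.sl_tclass_flowlabel` outright, so the result now depends on the field being zero on entry. A single `=` that combines SL, traffic class and flow label in one expression would remove that dependency and the ordering requirement between the two statements.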
-- 
2.11.0


* [patch added to 3.12-stable] IB/mlx4: Fix port query for 56Gb Ethernet links
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable
  Cc: Saeed Mahameed, Yishai Hadas, Daniel Jurgens, Leon Romanovsky,
	Doug Ledford, Jiri Slaby

From: Saeed Mahameed <saeedm@mellanox.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 6fa26208206c406fa529cd73f7ae6bf4181e270b upstream.

Report the correct speed in the port attributes when using a 56Gbps
ethernet link.  Without this change the field is incorrectly set to 10.

Fixes: a9c766bb75ee ('IB/mlx4: Fix info returned when querying IBoE ports')
Fixes: 2e96691c31ec ('IB: Use central enum for speed instead of hard-coded values')
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/infiniband/hw/mlx4/main.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
index f0612645de99..9407a31afe20 100644
--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -335,9 +335,11 @@ static int eth_link_query_port(struct ib_device *ibdev, u8 port,
 	if (err)
 		goto out;
 
-	props->active_width	=  (((u8 *)mailbox->buf)[5] == 0x40) ?
-						IB_WIDTH_4X : IB_WIDTH_1X;
-	props->active_speed	= IB_SPEED_QDR;
+	props->active_width	=  (((u8 *)mailbox->buf)[5] == 0x40) ||
+				   (((u8 *)mailbox->buf)[5] == 0x20 /*56Gb*/) ?
+					   IB_WIDTH_4X : IB_WIDTH_1X;
+	props->active_speed	=  (((u8 *)mailbox->buf)[5] == 0x20 /*56Gb*/) ?
+					   IB_SPEED_FDR : IB_SPEED_QDR;
 	props->port_cap_flags	= IB_PORT_CM_SUP;
 	props->gid_tbl_len	= mdev->dev->caps.gid_table_len[port];
 	props->max_msg_sz	= mdev->dev->caps.max_msg_sz;
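Review bot: the `active_width` expression mixes `||` and `?:` without grouping parentheses, and `((u8 *)mailbox->buf)[5]` is now read three times against the bare constants 0x40 and 0x20. It evaluates as intended because `||` binds tighter than `?:`, but reading the byte once into a local and naming both values (the `/*56Gb*/` comment covers only 0x20) would make the width and speed selection easier to verify.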
-- 
2.11.0


* [patch added to 3.12-stable] perf scripting: Avoid leaking the scripting_context variable
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable
  Cc: Arnaldo Carvalho de Melo, Adrian Hunter, David Ahern,
	Frederic Weisbecker, Jiri Olsa, Namhyung Kim, Tom Zanussi,
	Wang Nan, Jiri Slaby

From: Arnaldo Carvalho de Melo <acme@redhat.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit cf346d5bd4b9d61656df2f72565c9b354ef3ca0d upstream.

Both register_perl_scripting() and register_python_scripting() allocate
this variable, fix it by checking if it already was.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Tom Zanussi <tzanussi@gmail.com>
Cc: Wang Nan <wangnan0@huawei.com>
Fixes: 7e4b21b84c43 ("perf/scripts: Add Python scripting engine")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 tools/perf/util/trace-event-scripting.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/perf/util/trace-event-scripting.c b/tools/perf/util/trace-event-scripting.c
index 95199e4eea97..f928bfc4852f 100644
--- a/tools/perf/util/trace-event-scripting.c
+++ b/tools/perf/util/trace-event-scripting.c
@@ -91,7 +91,8 @@ static void register_python_scripting(struct scripting_ops *scripting_ops)
 	if (err)
 		die("error registering py script extension");
 
-	scripting_context = malloc(sizeof(struct scripting_context));
+	if (scripting_context == NULL)
+		scripting_context = malloc(sizeof(*scripting_context));
 }
 
 #ifdef NO_LIBPYTHON
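Review bot: the `malloc()` result in `register_python_scripting()` is still not checked, so an allocation failure leaves `scripting_context` NULL without any error, unlike the `die()` on registration failure just above it. A check after the allocation that calls `die()` in the same way would make the failure visible at the point where it happens.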
@@ -154,7 +155,8 @@ static void register_perl_scripting(struct scripting_ops *scripting_ops)
 	if (err)
 		die("error registering pl script extension");
 
-	scripting_context = malloc(sizeof(struct scripting_context));
+	if (scripting_context == NULL)
+		scripting_context = malloc(sizeof(*scripting_context));
 }
 
 #ifdef NO_LIBPERL
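Review bot: the same two-line allocate-if-NULL sequence now appears in both `register_perl_scripting()` and `register_python_scripting()`. A small shared helper would keep the NULL check and the `sizeof(*scripting_context)` form in one place, so the two copies cannot drift apart.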
-- 
2.11.0


* [patch added to 3.12-stable] ARM: dts: imx31: fix clock control module interrupts description
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: Vladimir Zapolskiy, Shawn Guo, Jiri Slaby

From: Vladimir Zapolskiy <vz@mleia.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 2e575cbc930901718cc18e084566ecbb9a4b5ebb upstream.

The type of AVIC interrupt controller found on i.MX31 is one-cell,
namely 31 for CCM DVFS and 53 for CCM, however for clock control
module its interrupts are specified as 3-cells, fix it.

Fixes: ef0e4a606fb6 ("ARM: mx31: Replace clk_register_clkdev with clock DT lookup")
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 Documentation/devicetree/bindings/clock/imx31-clock.txt | 2 +-
 arch/arm/boot/dts/imx31.dtsi                            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Documentation/devicetree/bindings/clock/imx31-clock.txt b/Documentation/devicetree/bindings/clock/imx31-clock.txt
index 19df842c694f..8163d565f697 100644
--- a/Documentation/devicetree/bindings/clock/imx31-clock.txt
+++ b/Documentation/devicetree/bindings/clock/imx31-clock.txt
@@ -77,7 +77,7 @@ Examples:
 clks: ccm@53f80000{
 	compatible = "fsl,imx31-ccm";
 	reg = <0x53f80000 0x4000>;
-	interrupts = <0 31 0x04 0 53 0x04>;
+	interrupts = <31>, <53>;
 	#clock-cells = <1>;
 };
 
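Review bot: the binding example at `interrupts = <31>, <53>;` does not say which entry is which. The commit message gives 31 as CCM DVFS and 53 as CCM; stating that order in the binding text would let device trees be checked against it.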
diff --git a/arch/arm/boot/dts/imx31.dtsi b/arch/arm/boot/dts/imx31.dtsi
index c34f82581248..ad166d74551a 100644
--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -114,7 +114,7 @@
 			clks: ccm@53f80000{
 				compatible = "fsl,imx31-ccm";
 				reg = <0x53f80000 0x4000>;
-				interrupts = <0 31 0x04 0 53 0x04>;
+				interrupts = <31>, <53>;
 				#clock-cells = <1>;
 			};
 		};
-- 
2.11.0


* [patch added to 3.12-stable] ARM: dts: imx31: move CCM device node to AIPS2 bus devices
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: Vladimir Zapolskiy, Shawn Guo, Jiri Slaby

From: Vladimir Zapolskiy <vz@mleia.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 1f87aee6a2e55eda466a43ba6248a8b75eede153 upstream.

i.MX31 Clock Control Module controller is found on AIPS2 bus, move it
there from SPBA bus to avoid a conflict of device IO space mismatch.

Fixes: ef0e4a606fb6 ("ARM: mx31: Replace clk_register_clkdev with clock DT lookup")
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/boot/dts/imx31.dtsi | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/arch/arm/boot/dts/imx31.dtsi b/arch/arm/boot/dts/imx31.dtsi
index ad166d74551a..8ec20b49db7e 100644
--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -110,13 +110,6 @@
 				interrupts = <19>;
 				clocks = <&clks 25>;
 			};
-
-			clks: ccm@53f80000{
-				compatible = "fsl,imx31-ccm";
-				reg = <0x53f80000 0x4000>;
-				interrupts = <31>, <53>;
-				#clock-cells = <1>;
-			};
 		};
 
 		aips@53f00000 { /* AIPS2 */
@@ -126,6 +119,13 @@
 			reg = <0x53f00000 0x100000>;
 			ranges;
 
+			clks: ccm@53f80000{
+				compatible = "fsl,imx31-ccm";
+				reg = <0x53f80000 0x4000>;
+				interrupts = <31>, <53>;
+				#clock-cells = <1>;
+			};
+
 			gpt: timer@53f90000 {
 				compatible = "fsl,imx31-gpt";
 				reg = <0x53f90000 0x4000>;
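Review bot: style point on the re-added node: `clks: ccm@53f80000{` has no space before the brace, while the neighbouring `gpt: timer@53f90000 {` does, and since the node is being moved anyway this is a convenient place to fix it. The new position is consistent with the parent's `reg = <0x53f00000 0x100000>` range.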
-- 
2.11.0


* [patch added to 3.12-stable] ARM: dts: imx31: fix AVIC base address
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: Vladimir Zapolskiy, Shawn Guo, Jiri Slaby

From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit af92305e567b7f4c9cf48b9e46c1f48ec9ffb1fb upstream.

On i.MX31 AVIC interrupt controller base address is at 0x68000000.

The problem was shadowed by the AVIC driver, which takes the correct
base address from a SoC specific header file.

Fixes: d2a37b3d91f4 ("ARM i.MX31: Add devicetree support")
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/boot/dts/imx31.dtsi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm/boot/dts/imx31.dtsi b/arch/arm/boot/dts/imx31.dtsi
index 8ec20b49db7e..626e5e374572 100644
--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -30,11 +30,11 @@
 		};
 	};
 
-	avic: avic-interrupt-controller@60000000 {
+	avic: interrupt-controller@68000000 {
 		compatible = "fsl,imx31-avic", "fsl,avic";
 		interrupt-controller;
 		#interrupt-cells = <1>;
-		reg = <0x60000000 0x100000>;
+		reg = <0x68000000 0x100000>;
 	};
 
 	soc {
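Review bot: the node name changes from `avic-interrupt-controller` to `interrupt-controller` on the same line as the address fix, but the commit message only describes the base address. The rename deserves a sentence in the changelog, since anything that refers to the node by its full path rather than through the `avic:` label would be affected.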
-- 
2.11.0


* [patch added to 3.12-stable] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: Bjorn Helgaas, Jiri Slaby

From: Bjorn Helgaas <bhelgaas@google.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 89e9f7bcd8744ea25fcf0ac671b8d72c10d7d790 upstream.

Martin reported that the Supermicro X8DTH-i/6/iF/6F advertises incorrect
host bridge windows via _CRS:

  pci_root PNP0A08:00: host bridge window [io  0xf000-0xffff]
  pci_root PNP0A08:01: host bridge window [io  0xf000-0xffff]

Both bridges advertise the 0xf000-0xffff window, which cannot be correct.

Work around this by ignoring _CRS on this system.  The downside is that we
may not assign resources correctly to hot-added PCI devices (if they are
possible on this system).

Link: https://bugzilla.kernel.org/show_bug.cgi?id=42606
Reported-by: Martin Burnicki <martin.burnicki@meinberg.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/pci/acpi.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
index a24e9c2e95da..a33c61c5e34a 100644
--- a/arch/x86/pci/acpi.c
+++ b/arch/x86/pci/acpi.c
@@ -118,6 +118,16 @@ static const struct dmi_system_id pci_crs_quirks[] __initconst = {
 			DMI_MATCH(DMI_BIOS_VERSION, "6JET85WW (1.43 )"),
 		},
 	},
+	/* https://bugzilla.kernel.org/show_bug.cgi?id=42606 */
+	{
+		.callback = set_nouse_crs,
+		.ident = "Supermicro X8DTH",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Supermicro"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "X8DTH-i/6/iF/6F"),
+			DMI_MATCH(DMI_BIOS_VERSION, "2.0a"),
+		},
+	},
 
 	/* https://bugzilla.kernel.org/show_bug.cgi?id=15362 */
 	{
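Review bot: the new entry matches only `DMI_BIOS_VERSION` "2.0a", so the same board with any other BIOS version keeps using _CRS, and the commit message does not say whether other versions report the overlapping windows. If the narrow match is deliberate, a note next to the bugzilla comment would help. As a style point, there is no blank line between the preceding entry's `},` and the new bugzilla comment, unlike the blank line before the id=15362 entry.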
-- 
2.11.0


* [patch added to 3.12-stable] svcrpc: don't leak contexts on PROC_DESTROY
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: J. Bruce Fields, Jiri Slaby

From: "J. Bruce Fields" <bfields@redhat.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.

Context expiry times are in units of seconds since boot, not unix time.

The use of get_seconds() here therefore sets the expiry time decades in
the future.  This prevents timely freeing of contexts destroyed by
client RPC_GSS_PROC_DESTROY requests.  We'd still free them eventually
(when the module is unloaded or the container shut down), but a lot of
contexts could pile up before then.

Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
Reported-by: Andy Adamson <andros@netapp.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 9d7e6097ef5b..6d0531a2a5c9 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1485,7 +1485,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
 	case RPC_GSS_PROC_DESTROY:
 		if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
 			goto auth_err;
-		rsci->h.expiry_time = get_seconds();
+		rsci->h.expiry_time = seconds_since_boot();
 		set_bit(CACHE_NEGATIVE, &rsci->h.flags);
 		if (resv->iov_len + 4 > PAGE_SIZE)
 			goto drop;
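Review bot: nothing at the `rsci->h.expiry_time = seconds_since_boot();` assignment records the unit the field expects, which is how the `get_seconds()` value got in. A one-line comment there, or on the field's definition, saying that expiry times are seconds since boot would make the next mismatch easier to catch in review.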
-- 
2.11.0
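
The time-base mismatch described in the commit message above, as an added user-space illustration (not kernel code and not part of the patch). The clock values, `NCTX` and every `sim_*` name are constructed for the demonstration.

```c
#include <stdio.h>
#include <stddef.h>

#define NCTX 8

/* Constructed clock values for the demonstration (assumptions). */
#define BOOT_WALL_TIME 1485514000L  /* unix time at the moment of boot */
static long sim_uptime;             /* seconds since boot */

/* Stand-ins for the two clocks named in the commit message. */
static long sim_seconds_since_boot(void) { return sim_uptime; }
static long sim_get_seconds(void)        { return BOOT_WALL_TIME + sim_uptime; }

struct ctx {
	int  in_use;
	long expiry_time;   /* always compared against seconds since boot */
};

static struct ctx cache[NCTX];

/* Cache cleaner: release every entry whose expiry time has passed. */
static void clean_cache(void)
{
	for (size_t i = 0; i < NCTX; i++)
		if (cache[i].in_use &&
		    cache[i].expiry_time <= sim_seconds_since_boot())
			cache[i].in_use = 0;
}

/*
 * Establish NCTX contexts, have the client destroy all of them, let
 * `elapsed` seconds pass, run the cleaner, and return how many contexts
 * are still allocated.
 */
int contexts_left_after_destroy(int use_wall_clock, long elapsed)
{
	int live = 0;

	sim_uptime = 3600;
	for (size_t i = 0; i < NCTX; i++) {
		cache[i].in_use = 1;
		cache[i].expiry_time = sim_seconds_since_boot() + 3600;
	}

	/* Destroy request: mark the entry as expiring "now". */
	for (size_t i = 0; i < NCTX; i++)
		cache[i].expiry_time = use_wall_clock ? sim_get_seconds()
						      : sim_seconds_since_boot();

	sim_uptime += elapsed;
	clean_cache();

	for (size_t i = 0; i < NCTX; i++)
		live += cache[i].in_use;
	return live;
}

/* Seconds the cleaner has to wait before a destroyed context is freed. */
long seconds_until_reclaimed(int use_wall_clock)
{
	long stamp = use_wall_clock ? sim_get_seconds()
				    : sim_seconds_since_boot();
	return stamp - sim_seconds_since_boot();
}

int main(void)
{
	printf("wall-clock stamp: %d of %d contexts left after a day, "
	       "reclaim delay %ld s\n",
	       contexts_left_after_destroy(1, 86400), NCTX,
	       seconds_until_reclaimed(1));
	printf("boot-time stamp:  %d of %d contexts left after 1 s, "
	       "reclaim delay %ld s\n",
	       contexts_left_after_destroy(0, 1), NCTX,
	       seconds_until_reclaimed(0));
	return 0;
}
```

With the wall-clock stamp the reclaim delay equals the unix time at boot, so every destroy request from a client leaves an allocation behind until the cache itself is torn down.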


* [patch added to 3.12-stable] mmc: mxs-mmc: Fix additional cycles after transmission stop
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: Stefan Wahren, Ulf Hansson, Jiri Slaby

From: Stefan Wahren <stefan.wahren@i2se.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 01167c7b9cbf099c69fe411a228e4e9c7104e123 upstream.

According to the code the intention is to append 8 SCK cycles
instead of 4 at end of a MMC_STOP_TRANSMISSION command. But this
will never happen because it's an AC command not an ADTC command.
So fix this by moving the statement into the right function.

Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Fixes: e4243f13d10e (mmc: mxs-mmc: add mmc host driver for i.MX23/28)
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/mmc/host/mxs-mmc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/mmc/host/mxs-mmc.c b/drivers/mmc/host/mxs-mmc.c
index f8aac3044670..f87e6e9ce386 100644
--- a/drivers/mmc/host/mxs-mmc.c
+++ b/drivers/mmc/host/mxs-mmc.c
@@ -315,6 +315,9 @@ static void mxs_mmc_ac(struct mxs_mmc_host *host)
 	cmd0 = BF_SSP(cmd->opcode, CMD0_CMD);
 	cmd1 = cmd->arg;
 
+	if (cmd->opcode == MMC_STOP_TRANSMISSION)
+		cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
+
 	if (host->sdio_irq_en) {
 		ctrl0 |= BM_SSP_CTRL0_SDIO_IRQ_CHECK;
 		cmd0 |= BM_SSP_CMD0_CONT_CLKING_EN | BM_SSP_CMD0_SLOW_CLKING_EN;
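Review bot: the new `MMC_STOP_TRANSMISSION` check in `mxs_mmc_ac()` carries no comment explaining why the stop command needs `BM_SSP_CMD0_APPEND_8CYC`; the commit message only says the intention is taken from the existing code. A one-line comment at the check would record the reason, given that by the commit message's own account the condition takes effect for the first time with this change.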
@@ -423,8 +426,7 @@ static void mxs_mmc_adtc(struct mxs_mmc_host *host)
 		       ssp->base + HW_SSP_BLOCK_SIZE);
 	}
 
-	if ((cmd->opcode == MMC_STOP_TRANSMISSION) ||
-	    (cmd->opcode == SD_IO_RW_EXTENDED))
+	if (cmd->opcode == SD_IO_RW_EXTENDED)
 		cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
 
 	cmd1 = cmd->arg;
-- 
2.11.0


* [patch added to 3.12-stable] mtd: nand: xway: disable module support
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: Hauke Mehrtens, Boris Brezillon, Jiri Slaby

From: Hauke Mehrtens <hauke@hauke-m.de>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 73529c872a189c747bdb528ce9b85b67b0e28dec upstream.

The xway_nand driver accesses the ltq_ebu_membase symbol which is not
exported. This also should not get exported and we should handle the
EBU interface in a better way later. This quick fix just deactivated
support for building as module.

Fixes: 99f2b107924c ("mtd: lantiq: Add NAND support on Lantiq XWAY SoC.")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/mtd/nand/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/nand/Kconfig b/drivers/mtd/nand/Kconfig
index d88529841d3f..2bb9c04cb2c5 100644
--- a/drivers/mtd/nand/Kconfig
+++ b/drivers/mtd/nand/Kconfig
@@ -531,7 +531,7 @@ config MTD_NAND_FSMC
 	  Flexible Static Memory Controller (FSMC)
 
 config MTD_NAND_XWAY
-	tristate "Support for NAND on Lantiq XWAY SoC"
+	bool "Support for NAND on Lantiq XWAY SoC"
 	depends on LANTIQ && SOC_TYPE_XWAY
 	select MTD_NAND_PLATFORM
 	help
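Review bot: the reason for switching `tristate` to `bool` lives only in the commit message. A comment above `config MTD_NAND_XWAY` naming the unexported `ltq_ebu_membase` dependency would stop someone from turning it back into `tristate` later. Configurations that currently have the option set to `m` can no longer keep that value, which is worth a line in the changelog.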
-- 
2.11.0


* [patch added to 3.12-stable] qla2xxx: Fix crash due to null pointer access
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: Quinn Tran, Himanshu Madhani, Bart Van Assche, Jiri Slaby

From: Quinn Tran <quinn.tran@cavium.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit fc1ffd6cb38a1c1af625b9833c41928039e733f5 upstream.

During code inspection, while investigating the following stack trace
seen on one of the test setups, we found out there was a possibility
of a memory leak because the driver was not unwinding the stack properly.

This issue has not been reproduced in a test environment or on a
customer setup.

Here's stack trace that was seen.

[1469877.797315] Call Trace:
[1469877.799940]  [<ffffffffa03ab6e9>] qla2x00_mem_alloc+0xb09/0x10c0 [qla2xxx]
[1469877.806980]  [<ffffffffa03ac50a>] qla2x00_probe_one+0x86a/0x1b50 [qla2xxx]
[1469877.814013]  [<ffffffff813b6d01>] ? __pm_runtime_resume+0x51/0xa0
[1469877.820265]  [<ffffffff8157c1f5>] ? _raw_spin_lock_irqsave+0x25/0x90
[1469877.826776]  [<ffffffff8157cd2d>] ? _raw_spin_unlock_irqrestore+0x6d/0x80
[1469877.833720]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
[1469877.839885]  [<ffffffff8157cd0c>] ? _raw_spin_unlock_irqrestore+0x4c/0x80
[1469877.846830]  [<ffffffff81319b9c>] local_pci_probe+0x4c/0xb0
[1469877.852562]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
[1469877.858727]  [<ffffffff81319c89>] pci_call_probe+0x89/0xb0

Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
[ bvanassche: Fixed spelling in patch description ]
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/qla2xxx/qla_os.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 36d62fd53511..ebc939e85b76 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3384,7 +3384,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
 				sizeof(struct ct6_dsd), 0,
 				SLAB_HWCACHE_ALIGN, NULL);
 			if (!ctx_cachep)
-				goto fail_free_gid_list;
+				goto fail_free_srb_mempool;
 		}
 		ha->ctx_mempool = mempool_create_slab_pool(SRB_MIN_REQ,
 			ctx_cachep);
@@ -3537,7 +3537,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
 	ha->loop_id_map = kzalloc(BITS_TO_LONGS(LOOPID_MAP_SIZE) * sizeof(long),
 	    GFP_KERNEL);
 	if (!ha->loop_id_map)
-		goto fail_async_pd;
+		goto fail_loop_id_map;
 	else {
 		qla2x00_set_reserved_loop_ids(ha);
 		ql_dbg_pci(ql_dbg_init, ha->pdev, 0x0123,
@@ -3546,6 +3546,8 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
 
 	return 0;
 
+fail_loop_id_map:
+	dma_pool_free(ha->s_dma_pool, ha->async_pd, ha->async_pd_dma);
 fail_async_pd:
 	dma_pool_free(ha->s_dma_pool, ha->ex_init_cb, ha->ex_init_cb_dma);
 fail_ex_init_cb:
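Review bot: the new `fail_loop_id_map:` step frees `ha->async_pd` but leaves `ha->async_pd` and `ha->async_pd_dma` holding the stale values, whereas the `fail_free_ms_iocb` step further down resets `ha->ms_iocb = NULL` and `ha->ms_iocb_dma = 0` after its free. Clearing both fields here would protect against a second free if a later cleanup path looks at them.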
@@ -3573,6 +3575,10 @@ fail_free_ms_iocb:
 	dma_pool_free(ha->s_dma_pool, ha->ms_iocb, ha->ms_iocb_dma);
 	ha->ms_iocb = NULL;
 	ha->ms_iocb_dma = 0;
+
+	if (ha->sns_cmd)
+		dma_free_coherent(&ha->pdev->dev, sizeof(struct sns_cmd_pkt),
+		    ha->sns_cmd, ha->sns_cmd_dma);
 fail_dma_pool:
 	if (IS_QLA82XX(ha) || ql2xenabledif) {
 		dma_pool_destroy(ha->fcp_cmnd_dma_pool);
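Review bot: the added `if (ha->sns_cmd)` block frees the buffer with `dma_free_coherent()` but does not clear `ha->sns_cmd` or `ha->sns_cmd_dma` afterwards, unlike the `ha->ms_iocb = NULL; ha->ms_iocb_dma = 0;` lines directly above it. Resetting both after the free would keep the unwind ladder consistent and make the NULL test meaningful on a repeated call.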
@@ -3590,10 +3596,12 @@ fail_free_nvram:
 	kfree(ha->nvram);
 	ha->nvram = NULL;
 fail_free_ctx_mempool:
-	mempool_destroy(ha->ctx_mempool);
+	if (ha->ctx_mempool)
+		mempool_destroy(ha->ctx_mempool);
 	ha->ctx_mempool = NULL;
 fail_free_srb_mempool:
-	mempool_destroy(ha->srb_mempool);
+	if (ha->srb_mempool)
+		mempool_destroy(ha->srb_mempool);
 	ha->srb_mempool = NULL;
 fail_free_gid_list:
 	dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),
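Review bot: the commit message describes a possible memory leak, while the subject and the new `if (ha->ctx_mempool)` and `if (ha->srb_mempool)` guards are about a NULL pointer. The changelog should say which failure path reaches `fail_free_ctx_mempool` or `fail_free_srb_mempool` with a NULL pool, so the guards can be checked against it.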
-- 
2.11.0


* [patch added to 3.12-stable] ubifs: Fix journal replay wrt. xattr nodes
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: Richard Weinberger, Jiri Slaby

From: Richard Weinberger <richard@nod.at>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 1cb51a15b576ee325d527726afff40947218fd5e upstream.

When replaying the journal it can happen that a journal entry points to
a garbage collected node.
This is the case when a power-cut occurred between a garbage collect run
and a commit. In such a case nodes have to be read using the failable
read functions to detect whether the found node matches what we expect.

One corner case was forgotten, when the journal contains an entry to
remove an inode all xattrs have to be removed too. UBIFS models xattr
like directory entries, so the TNC code iterates over
all xattrs of the inode and removes them too. This code re-uses the
functions for walking directories and calls ubifs_tnc_next_ent().
ubifs_tnc_next_ent() expects to be used only after the journal and
aborts when a node does not match the expected result. This behavior can
render an UBIFS volume unmountable after a power-cut when xattrs are
used.

Fix this issue by using failable read functions in ubifs_tnc_next_ent()
too when replaying the journal.
Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Reported-by: Rock Lee <rockdotlee@gmail.com>
Reviewed-by: David Gstir <david@sigma-star.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ubifs/tnc.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
index 349f31a30f40..fdf2ca1dd771 100644
--- a/fs/ubifs/tnc.c
+++ b/fs/ubifs/tnc.c
@@ -34,6 +34,11 @@
 #include <linux/slab.h>
 #include "ubifs.h"
 
+static int try_read_node(const struct ubifs_info *c, void *buf, int type,
+			 int len, int lnum, int offs);
+static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key,
+			      struct ubifs_zbranch *zbr, void *node);
+
 /*
  * Returned codes of 'matches_name()' and 'fallible_matches_name()' functions.
  * @NAME_LESS: name corresponding to the first argument is less than second
@@ -419,7 +424,19 @@ static int tnc_read_node_nm(struct ubifs_info *c, struct ubifs_zbranch *zbr,
 		return 0;
 	}
 
-	err = ubifs_tnc_read_node(c, zbr, node);
+	if (c->replaying) {
+		err = fallible_read_node(c, &zbr->key, zbr, node);
+		/*
+		 * When the node was not found, return -ENOENT, 0 otherwise.
+		 * Negative return codes stay as-is.
+		 */
+		if (err == 0)
+			err = -ENOENT;
+		else if (err == 1)
+			err = 0;
+	} else {
+		err = ubifs_tnc_read_node(c, zbr, node);
+	}
 	if (err)
 		return err;
 
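Review bot: in the `c->replaying` branch, `tnc_read_node_nm()` can now return -ENOENT where `ubifs_tnc_read_node()` was called unconditionally before, and the callers are outside these hunks. The changelog should state that every caller treats -ENOENT during replay as "node gone" rather than as a hard error.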
@@ -2783,7 +2800,11 @@ struct ubifs_dent_node *ubifs_tnc_next_ent(struct ubifs_info *c,
 	if (nm->name) {
 		if (err) {
 			/* Handle collisions */
-			err = resolve_collision(c, key, &znode, &n, nm);
+			if (c->replaying)
+				err = fallible_resolve_collision(c, key, &znode, &n,
+							 nm, 0);
+			else
+				err = resolve_collision(c, key, &znode, &n, nm);
 			dbg_tnc("rc returned %d, znode %p, n %d",
 				err, znode, n);
 			if (unlikely(err < 0))
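Review bot: the trailing literal in `fallible_resolve_collision(c, key, &znode, &n, nm, 0)` gives no hint of what the last argument selects. A short comment at the call naming the parameter and why 0 is the right value for replay would make this branch reviewable without opening the callee.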
-- 
2.11.0


* [patch added to 3.12-stable] clockevents/drivers/exynos_mct: Remove unneeded container_of()
From: Jiri Slaby @ 2017-01-27 10:46 UTC
  To: stable; +Cc: Alexey Klimov, Daniel Lezcano, Jiri Slaby

From: Alexey Klimov <klimov.linux@gmail.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 479a932982944786269296a31682e5642f87b89a upstream.

Patch removes unneeded container_of() macro in exynos4_local_timer_setup().
Instead let's pass mevt pointer to setup and stop functions from
exynos4_mct_cpu_notify() and let them get evt pointer.

Tested on odroid-xu3.

Signed-off-by: Alexey Klimov <klimov.linux@gmail.com>
Acked-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/clocksource/exynos_mct.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
index fc0e502022de..af994880be72 100644
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -398,13 +398,11 @@ static irqreturn_t exynos4_mct_tick_isr(int irq, void *dev_id)
 	return IRQ_HANDLED;
 }
 
-static int exynos4_local_timer_setup(struct clock_event_device *evt)
+static int exynos4_local_timer_setup(struct mct_clock_event_device *mevt)
 {
-	struct mct_clock_event_device *mevt;
+	struct clock_event_device *evt = &mevt->evt;
 	unsigned int cpu = smp_processor_id();
 
-	mevt = container_of(evt, struct mct_clock_event_device, evt);
-
 	mevt->base = EXYNOS4_MCT_L_BASE(cpu);
 	sprintf(mevt->name, "mct_tick%d", cpu);
 
@@ -433,8 +431,10 @@ static int exynos4_local_timer_setup(struct clock_event_device *evt)
 	return 0;
 }
 
-static void exynos4_local_timer_stop(struct clock_event_device *evt)
+static void exynos4_local_timer_stop(struct mct_clock_event_device *mevt)
 {
+	struct clock_event_device *evt = &mevt->evt;
+
 	evt->set_mode(CLOCK_EVT_MODE_UNUSED, evt);
 	if (mct_int_type == MCT_INT_SPI) {
 		if (evt->irq != -1)
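Review bot: the changelog does not say why a pure cleanup of exynos4_local_timer_stop() belongs in a stable tree. The reason visible in this series is that the following exynos_mct fix uses mevt->base inside this function and so needs the new mevt parameter; stating that dependency in the backport note would let a reader see the two patches must be taken together.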
@@ -456,11 +456,11 @@ static int exynos4_mct_cpu_notify(struct notifier_block *self,
 	switch (action & ~CPU_TASKS_FROZEN) {
 	case CPU_STARTING:
 		mevt = this_cpu_ptr(&percpu_mct_tick);
-		exynos4_local_timer_setup(&mevt->evt);
+		exynos4_local_timer_setup(mevt);
 		break;
 	case CPU_DYING:
 		mevt = this_cpu_ptr(&percpu_mct_tick);
-		exynos4_local_timer_stop(&mevt->evt);
+		exynos4_local_timer_stop(mevt);
 		break;
 	}
 
@@ -526,7 +526,7 @@ static void __init exynos4_timer_resources(struct device_node *np, void __iomem
 		goto out_irq;
 
 	/* Immediately configure the timer on the boot CPU */
-	exynos4_local_timer_setup(&mevt->evt);
+	exynos4_local_timer_setup(mevt);
 	return;
 
 out_irq:
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] clocksource/exynos_mct: Clear interrupt when cpu is shut down
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
  2017-01-27 10:46 ` [patch added to 3.12-stable] IB/mlx4: Fix port query for 56Gb Ethernet links Jiri Slaby
@ 2017-01-27 10:46   ` Jiri Slaby
  2017-01-27 10:46 ` [patch added to 3.12-stable] ARM: dts: imx31: fix clock control module interrupts description Jiri Slaby
                     ` (59 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:46 UTC (permalink / raw
  To: stable
  Cc: linux-samsung-soc, Joonyoung Shim, javier, daniel.lezcano, krzk,
	cw00.choi, kgene, Thomas Gleixner, Jiri Slaby, linux-arm-kernel

From: Joonyoung Shim <jy0922.shim@samsung.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 upstream.

When a CPU goes offline a potentially pending timer interrupt is not
cleared. When the CPU comes online again then the pending interrupt is
delivered before the per cpu clockevent device is initialized. As a
consequence the tick interrupt handler dereferences a NULL pointer.

[   51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040
[   51.289348] task: ee942d00 task.stack: ee960000
[   51.293861] PC is at tick_periodic+0x38/0xb0
[   51.298102] LR is at tick_handle_periodic+0x1c/0x90

Clear the pending interrupt in the cpu dying path.

Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier")
Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Cc: linux-samsung-soc@vger.kernel.org
Cc: cw00.choi@samsung.com
Cc: daniel.lezcano@linaro.org
Cc: javier@osg.samsung.com
Cc: kgene@kernel.org
Cc: krzk@kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Link: http://lkml.kernel.org/r/1484628876-22065-1-git-send-email-jy0922.shim@samsung.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/clocksource/exynos_mct.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
index af994880be72..26bfe09ce0fb 100644
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -439,6 +439,7 @@ static void exynos4_local_timer_stop(struct mct_clock_event_device *mevt)
 	if (mct_int_type == MCT_INT_SPI) {
 		if (evt->irq != -1)
 			disable_irq_nosync(evt->irq);
+		exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);
 	} else {
 		disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
 	}
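Review bot: the added exynos4_mct_write() sits only in the MCT_INT_SPI branch, and neither the changelog nor a comment says why the else branch (disable_percpu_irq) cannot leave a pending tick behind in the same way. Please say so. The write is also placed outside the "evt->irq != -1" check, which looks intended but deserves a one-line comment, and the literal 0x1 would read better as a named bit.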
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (12 preceding siblings ...)
  2017-01-27 10:46   ` Jiri Slaby
@ 2017-01-27 10:46 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] ARM: dts: da850-evm: fix read access to SPI flash Jiri Slaby
                   ` (47 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:46 UTC (permalink / raw
  To: stable; +Cc: Mark Rutland, Russell King, Russell King, Jiri Slaby

From: Mark Rutland <mark.rutland@arm.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit ddc37832a1349f474c4532de381498020ed71d31 upstream.

On APQ8060, the kernel crashes in arch_hw_breakpoint_init, taking an
undefined instruction trap within write_wb_reg. This is because Scorpion
CPUs erroneously appear to set DBGPRSR.SPD when WFI is issued, even if
the core is not powered down. When DBGPRSR.SPD is set, breakpoint and
watchpoint registers are treated as undefined.

It's possible to trigger similar crashes later on from userspace, by
requesting the kernel to install a breakpoint or watchpoint, as we can
go idle at any point between the reset of the debug registers and their
later use. This has always been the case.

Given that this has always been broken, no-one has complained until now,
and there is no clear workaround, disable hardware breakpoints and
watchpoints on Scorpion to avoid these issues.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/include/asm/cputype.h  |  3 +++
 arch/arm/kernel/hw_breakpoint.c | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/arch/arm/include/asm/cputype.h b/arch/arm/include/asm/cputype.h
index 9672e978d50d..569549079bc7 100644
--- a/arch/arm/include/asm/cputype.h
+++ b/arch/arm/include/asm/cputype.h
@@ -76,6 +76,9 @@
 #define ARM_CPU_XSCALE_ARCH_V2		0x4000
 #define ARM_CPU_XSCALE_ARCH_V3		0x6000
 
+/* Qualcomm implemented cores */
+#define ARM_CPU_PART_SCORPION		0x510002d0
+
 extern unsigned int processor_id;
 
 #ifdef CONFIG_CPU_CP15
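Review bot: ARM_CPU_PART_SCORPION is named as a part number, but its value 0x510002d0 also carries the implementer code 0x51 in the top byte, so it only matches after masking with the 0xff00fff0 used in hw_breakpoint.c. Put that mask next to the define, or name it in the comment, so that another user does not compare the constant against a differently masked ID.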
diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index 7b95de601357..b3ebae328fac 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -1066,6 +1066,22 @@ static int __init arch_hw_breakpoint_init(void)
 		return 0;
 	}
 
+	/*
+	 * Scorpion CPUs (at least those in APQ8060) seem to set DBGPRSR.SPD
+	 * whenever a WFI is issued, even if the core is not powered down, in
+	 * violation of the architecture.  When DBGPRSR.SPD is set, accesses to
+	 * breakpoint and watchpoint registers are treated as undefined, so
+	 * this results in boot time and runtime failures when these are
+	 * accessed and we unexpectedly take a trap.
+	 *
+	 * It's not clear if/how this can be worked around, so we blacklist
+	 * Scorpion CPUs to avoid these issues.
+	*/
+	if ((read_cpuid_id() & 0xff00fff0) == ARM_CPU_PART_SCORPION) {
+		pr_info("Scorpion CPU detected. Hardware breakpoints and watchpoints disabled\n");
+		return 0;
+	}
+
 	has_ossr = core_has_os_save_restore();
 
 	/* Determine how many BRPs/WRPs are available. */
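Review bot: the mask 0xff00fff0 in the read_cpuid_id() comparison is an unexplained literal; a named macro or a short note on which ID fields it keeps would make the check reviewable without the architecture manual. The closing delimiter of the added comment is also indented with a tab only ("	*/") and does not line up with the " * " lines above it.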
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] ARM: dts: da850-evm: fix read access to SPI flash
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (13 preceding siblings ...)
  2017-01-27 10:46 ` [patch added to 3.12-stable] ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] arm64/ptrace: Preserve previous registers for short regset write Jiri Slaby
                   ` (46 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Fabien Parent, Sekhar Nori, Jiri Slaby, Olof Johansson

From: Fabien Parent <fparent@baylibre.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 43849785e1079f6606a31cb7fda92d1200849728 upstream.

Read access to the SPI flash is broken on da850-evm, i.e. the data
read is not what is actually programmed on the flash.
According to the datasheet for the M25P64 part present on the da850-evm,
if the SPI frequency is higher than 20MHz then the READ command is not
usable anymore and only the FAST_READ command can be used to read data.

This commit specifies in the DTS that we should use FAST_READ command
instead of the READ command.

Tested-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Fabien Parent <fparent@baylibre.com>
[nsekhar@ti.com: subject line adjustment]
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>

Signed-off-by: Olof Johansson <olof@lixom.net>
---
 arch/arm/boot/dts/da850-evm.dts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/boot/dts/da850-evm.dts b/arch/arm/boot/dts/da850-evm.dts
index 588ce58a2959..bd81f1da17a6 100644
--- a/arch/arm/boot/dts/da850-evm.dts
+++ b/arch/arm/boot/dts/da850-evm.dts
@@ -59,6 +59,7 @@
 				#size-cells = <1>;
 				compatible = "m25p64";
 				spi-max-frequency = <30000000>;
+				m25p,fast-read;
 				reg = <0>;
 				partition@0 {
 					label = "U-Boot-SPL";
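Review bot: m25p,fast-read is only needed because spi-max-frequency is <30000000>, above the 20MHz limit the changelog quotes for the READ command, but nothing in the DTS ties the two properties together. A one-line comment beside the new property would stop a later edit from dropping it while leaving the frequency unchanged.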
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] arm64/ptrace: Preserve previous registers for short regset write
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (14 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] ARM: dts: da850-evm: fix read access to SPI flash Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] arm64/ptrace: Avoid uninitialised struct padding in fpr_set() Jiri Slaby
                   ` (45 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Dave Martin, Catalin Marinas, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 9a17b876b573441bfb3387ad55d98bf7184daf9d upstream.

Ensure that if userspace supplies insufficient data to
PTRACE_SETREGSET to fill all the registers, the thread's old
registers are preserved.

Fixes: 478fcb2cdb23 ("arm64: Debugging support")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm64/kernel/ptrace.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 9b9d651446ba..076bd41bf5ac 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -487,7 +487,7 @@ static int gpr_set(struct task_struct *target, const struct user_regset *regset,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct user_pt_regs newregs;
+	struct user_pt_regs newregs = task_pt_regs(target)->user_regs;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1);
 	if (ret)
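Review bot: the new initializer of newregs in gpr_set() is load-bearing, since user_regset_copyin() may fill only part of the struct, yet it reads like an ordinary default that a later cleanup could remove as redundant. Add a short comment saying that the old register values are the fallback for a short write.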
@@ -517,7 +517,8 @@ static int fpr_set(struct task_struct *target, const struct user_regset *regset,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct user_fpsimd_state newstate;
+	struct user_fpsimd_state newstate =
+		target->thread.fpsimd_state.user_fpsimd;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 0, -1);
 	if (ret)
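Review bot: the struct assignment that initializes newstate in fpr_set() copies named members only, so any unnamed padding in struct user_fpsimd_state may be left uninitialised in the copy. The later patch in this series that adds __reserved[2] addresses exactly this; the two should be noted as a pair so that this one is not backported alone.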
@@ -540,7 +541,7 @@ static int tls_set(struct task_struct *target, const struct user_regset *regset,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	unsigned long tls;
+	unsigned long tls = target->thread.tp_value;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
 	if (ret)
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (15 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] arm64/ptrace: Preserve previous registers for short regset write Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields Jiri Slaby
                   ` (44 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Dave Martin, Catalin Marinas, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit aeb1f39d814b2e21e5e5706a48834bfd553d0059 upstream.

This patch adds an explicit __reserved[] field to user_fpsimd_state
to replace what was previously unnamed padding.

This ensures that data in this region are propagated across
assignment rather than being left possibly uninitialised at the
destination.

Fixes: 60ffc30d5652 ("arm64: Exception handling")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm64/include/uapi/asm/ptrace.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm64/include/uapi/asm/ptrace.h b/arch/arm64/include/uapi/asm/ptrace.h
index 6913643bbe54..c136fd53c847 100644
--- a/arch/arm64/include/uapi/asm/ptrace.h
+++ b/arch/arm64/include/uapi/asm/ptrace.h
@@ -75,6 +75,7 @@ struct user_fpsimd_state {
 	__uint128_t	vregs[32];
 	__u32		fpsr;
 	__u32		fpcr;
+	__u32		__reserved[2];
 };
 
 struct user_hwdebug_state {
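Review bot: __reserved[2] changes a UAPI struct, so the changelog or a comment should state that sizeof(struct user_fpsimd_state) does not change. With the members shown (32 __uint128_t plus two __u32), and assuming vregs is the first member, the two extra __u32 occupy what was 8 bytes of tail padding up to 16-byte alignment. A comment that the field is padding and carries no meaning for userspace would also help.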
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (16 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] arm64/ptrace: Avoid uninitialised struct padding in fpr_set() Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation Jiri Slaby
                   ` (43 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Dave Martin, Catalin Marinas, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit ad9e202aa1ce571b1d7fed969d06f66067f8a086 upstream.

We cannot preserve partial fields for hardware breakpoints, because
the values written by userspace to the hardware breakpoint
registers can't subsequently be recovered intact from the hardware.

So, just reject attempts to write incomplete fields with -EINVAL.

Fixes: 478fcb2cdb23 ("arm64: Debugging support")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm64/kernel/ptrace.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 076bd41bf5ac..cdf1ec11c015 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -442,6 +442,8 @@ static int hw_break_set(struct task_struct *target,
 	/* (address, ctrl) registers */
 	limit = regset->n * regset->size;
 	while (count && offset < limit) {
+		if (count < PTRACE_HBP_ADDR_SZ)
+			return -EINVAL;
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr,
 					 offset, offset + PTRACE_HBP_ADDR_SZ);
 		if (ret)
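Review bot: the "count < PTRACE_HBP_ADDR_SZ" check is inside the while loop, so a short address field in a later iteration returns -EINVAL only after earlier (address, ctrl) pairs have been processed. If those earlier pairs are already applied to the target by then, the caller gets an error for a partially applied write; either validate the total length before the loop or document that partial application is acceptable.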
@@ -451,6 +453,8 @@ static int hw_break_set(struct task_struct *target,
 			return ret;
 		offset += PTRACE_HBP_ADDR_SZ;
 
+		if (!count)
+			break;
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl,
 					 offset, offset + PTRACE_HBP_CTRL_SZ);
 		if (ret)
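Review bot: the ctrl copy has no size check matching the one added for the address, only the "!count" early exit. If count can be non-zero but smaller than PTRACE_HBP_CTRL_SZ at this point, ctrl would be filled partially, which is what the changelog says must be rejected; add the check or a comment explaining why that case cannot occur.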
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (17 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] ite-cir: initialize use_demodulator before using it Jiri Slaby
                   ` (42 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Arnd Bergmann, Linus Walleij, Jiri Slaby

From: Arnd Bergmann <arnd@arndb.de>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f0e8faa7a5e894b0fc99d24be1b18685a92ea466 upstream.

This function clearly never worked and always returns true,
as pointed out by gcc-7:

arch/arm/mach-ux500/pm.c: In function 'prcmu_is_cpu_in_wfi':
arch/arm/mach-ux500/pm.c:137:212: error: ?:
using integer constants in boolean context, the expression
will always evaluate to 'true' [-Werror=int-in-bool-context]

With the added braces, the condition actually makes sense.

Fixes: 34fe6f107eab ("mfd : Check if the other db8500 core is in WFI")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/mach-ux500/pm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm/mach-ux500/pm.c b/arch/arm/mach-ux500/pm.c
index 1a468f0fd22e..9d532568b8b3 100644
--- a/arch/arm/mach-ux500/pm.c
+++ b/arch/arm/mach-ux500/pm.c
@@ -128,8 +128,8 @@ bool prcmu_pending_irq(void)
  */
 bool prcmu_is_cpu_in_wfi(int cpu)
 {
-	return readl(PRCM_ARM_WFI_STANDBY) & cpu ? PRCM_ARM_WFI_STANDBY_WFI1 :
-		     PRCM_ARM_WFI_STANDBY_WFI0;
+	return readl(PRCM_ARM_WFI_STANDBY) &
+		(cpu ? PRCM_ARM_WFI_STANDBY_WFI1 : PRCM_ARM_WFI_STANDBY_WFI0);
 }
 
 /*
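Review bot: with the parentheses corrected, prcmu_is_cpu_in_wfi() can return false for the first time, so callers that have only ever seen true get new behaviour in a stable tree, and the changelog names no platform it was tested on. In the new expression any non-zero cpu selects PRCM_ARM_WFI_STANDBY_WFI1, which suits a two-core part but is worth a comment.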
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] ite-cir: initialize use_demodulator before using it
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (18 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] posix_acl: Clear SGID bit when setting file permissions Jiri Slaby
                   ` (41 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Nicolas Iooss, Mauro Carvalho Chehab, Jiri Slaby

From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 7ec03e60ef81c19b5d3a46dd070ee966774b860f upstream.

Function ite_set_carrier_params() uses variable use_demodulator after
having initialized it to false in some if branches, but this variable is
never set to true otherwise.

This bug has been found using clang -Wsometimes-uninitialized warning
flag.

Fixes: 620a32bba4a2 ("[media] rc: New rc-based ite-cir driver for
several ITE CIRs")

Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/rc/ite-cir.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
index 63b42252166a..7a754ec826ac 100644
--- a/drivers/media/rc/ite-cir.c
+++ b/drivers/media/rc/ite-cir.c
@@ -263,6 +263,8 @@ static void ite_set_carrier_params(struct ite_dev *dev)
 
 			if (allowance > ITE_RXDCR_MAX)
 				allowance = ITE_RXDCR_MAX;
+
+			use_demodulator = true;
 		}
 	}
 
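Review bot: assigning use_demodulator = true inside this one block fixes the path the warning found, but the declaration is not touched, so any other path that reaches the later use without an assignment is still uninitialised. Initialising the variable where it is declared would cover every path and make the per-branch "false" assignments the changelog mentions unnecessary.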
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] posix_acl: Clear SGID bit when setting file permissions
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (19 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] ite-cir: initialize use_demodulator before using it Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT Jiri Slaby
                   ` (40 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Jan Kara, Andreas Gruenbacher, Jiri Slaby

From: Jan Kara <jack@suse.cz>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 073931017b49d9458aa351605b43a7e34598caef upstream.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/9p/acl.c               | 40 +++++++++++++++++-----------------------
 fs/btrfs/acl.c            |  6 ++----
 fs/ext2/acl.c             | 12 ++++--------
 fs/ext3/acl.c             | 10 +++-------
 fs/ext4/acl.c             | 12 ++++--------
 fs/f2fs/acl.c             |  6 ++----
 fs/gfs2/acl.c             | 14 ++++++--------
 fs/hfsplus/posix_acl.c    |  4 ++--
 fs/hfsplus/xattr.c        |  5 +++--
 fs/jffs2/acl.c            |  9 ++++-----
 fs/jfs/xattr.c            |  5 +++--
 fs/ocfs2/acl.c            | 20 +++++++-------------
 fs/posix_acl.c            | 31 +++++++++++++++++++++++++++++++
 fs/reiserfs/xattr_acl.c   |  8 ++------
 fs/xfs/xfs_acl.c          | 15 +++++++--------
 include/linux/posix_acl.h |  1 +
 16 files changed, 98 insertions(+), 100 deletions(-)

diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 7af425f53bee..9686c1f17653 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -320,32 +320,26 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			umode_t mode = inode->i_mode;
-			retval = posix_acl_equiv_mode(acl, &mode);
-			if (retval < 0)
+			struct iattr iattr;
+
+			retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+			if (retval)
 				goto err_out;
-			else {
-				struct iattr iattr;
-				if (retval == 0) {
-					/*
-					 * ACL can be represented
-					 * by the mode bits. So don't
-					 * update ACL.
-					 */
-					acl = NULL;
-					value = NULL;
-					size = 0;
-				}
-				/* Updte the mode bits */
-				iattr.ia_mode = ((mode & S_IALLUGO) |
-						 (inode->i_mode & ~S_IALLUGO));
-				iattr.ia_valid = ATTR_MODE;
-				/* FIXME should we update ctime ?
-				 * What is the following setxattr update the
-				 * mode ?
+			if (!acl) {
+				/*
+				 * ACL can be represented
+				 * by the mode bits. So don't
+				 * update ACL.
 				 */
-				v9fs_vfs_setattr_dotl(dentry, &iattr);
+				value = NULL;
+				size = 0;
 			}
+			iattr.ia_valid = ATTR_MODE;
+			/* FIXME should we update ctime ?
+			 * What is the following setxattr update the
+			 * mode ?
+			 */
+			v9fs_vfs_setattr_dotl(dentry, &iattr);
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
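Review bot: the return value of v9fs_vfs_setattr_dotl() is still ignored after the rewrite, so a failed mode update goes unnoticed while the function carries on to the xattr update. Since this patch exists to get the mode bits right, check the result and take the err_out path on failure. The old code also built ia_mode by masking with S_IALLUGO and keeping the other bits of inode->i_mode; it is worth confirming that posix_acl_update_mode() hands back a complete mode through &iattr.ia_mode, because iattr is otherwise an uninitialised stack struct.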
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 0890c83643e9..d6d53e5e7945 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -118,11 +118,9 @@ static int btrfs_set_acl(struct btrfs_trans_handle *trans,
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			ret = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (ret < 0)
+			ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (ret)
 				return ret;
-			if (ret == 0)
-				acl = NULL;
 		}
 		ret = 0;
 		break;
diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c
index 110b6b371a4e..48c3c2d7d261 100644
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -206,15 +206,11 @@ ext2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
 		case ACL_TYPE_ACCESS:
 			name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
 			if (acl) {
-				error = posix_acl_equiv_mode(acl, &inode->i_mode);
-				if (error < 0)
+				error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+				if (error)
 					return error;
-				else {
-					inode->i_ctime = CURRENT_TIME_SEC;
-					mark_inode_dirty(inode);
-					if (error == 0)
-						acl = NULL;
-				}
+				inode->i_ctime = CURRENT_TIME_SEC;
+				mark_inode_dirty(inode);
 			}
 			break;
 
diff --git a/fs/ext3/acl.c b/fs/ext3/acl.c
index dbb5ad59a7fc..2f994bbf73a7 100644
--- a/fs/ext3/acl.c
+++ b/fs/ext3/acl.c
@@ -205,15 +205,11 @@ ext3_set_acl(handle_t *handle, struct inode *inode, int type,
 		case ACL_TYPE_ACCESS:
 			name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS;
 			if (acl) {
-				error = posix_acl_equiv_mode(acl, &inode->i_mode);
+				error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
 				if (error < 0)
 					return error;
-				else {
-					inode->i_ctime = CURRENT_TIME_SEC;
-					ext3_mark_inode_dirty(handle, inode);
-					if (error == 0)
-						acl = NULL;
-				}
+				inode->i_ctime = CURRENT_TIME_SEC;
+				ext3_mark_inode_dirty(handle, inode);
 			}
 			break;
 
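Review bot: this hunk keeps "if (error < 0)" after the call to
posix_acl_update_mode(), while the ext2 and ext4 hunks of the same patch
switch to "if (error)". The helper returns either 0 or a negative errno, so
the two forms behave the same today, but the three near-identical callers
should use the same check so a later change to the helper's return
convention cannot make ext3 diverge.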
diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index 39a54a0e9fe4..c844f1bfb451 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -211,15 +211,11 @@ ext4_set_acl(handle_t *handle, struct inode *inode, int type,
 	case ACL_TYPE_ACCESS:
 		name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (error < 0)
+			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (error)
 				return error;
-			else {
-				inode->i_ctime = ext4_current_time(inode);
-				ext4_mark_inode_dirty(handle, inode);
-				if (error == 0)
-					acl = NULL;
-			}
+			inode->i_ctime = ext4_current_time(inode);
+			ext4_mark_inode_dirty(handle, inode);
 		}
 		break;
 
diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
index b7826ec1b470..f4fefc57ff56 100644
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -223,12 +223,10 @@ static int f2fs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
 	case ACL_TYPE_ACCESS:
 		name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (error < 0)
+			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (error)
 				return error;
 			set_acl_inode(fi, inode->i_mode);
-			if (error == 0)
-				acl = NULL;
 		}
 		break;
 
diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c
index f69ac0af5496..a61b0c2b57ab 100644
--- a/fs/gfs2/acl.c
+++ b/fs/gfs2/acl.c
@@ -268,15 +268,13 @@ static int gfs2_xattr_system_set(struct dentry *dentry, const char *name,
 
 	if (type == ACL_TYPE_ACCESS) {
 		umode_t mode = inode->i_mode;
-		error = posix_acl_equiv_mode(acl, &mode);
+		struct posix_acl *old_acl = acl;
 
-		if (error <= 0) {
-			posix_acl_release(acl);
-			acl = NULL;
-
-			if (error < 0)
-				return error;
-		}
+		error = posix_acl_update_mode(inode, &mode, &acl);
+		if (error < 0)
+			goto out_release;
+		if (!acl)
+			posix_acl_release(old_acl);
 
 		error = gfs2_set_mode(inode, mode);
 		if (error)
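Review bot: the new error path is "goto out_release", but that label is not
in the context shown here, and the removed code released the ACL itself
before returning. On failure posix_acl_update_mode() returns before it
touches *acl, so acl still holds the reference and the label must drop it
exactly once. Please confirm out_release exists in the 3.12 version of
gfs2_xattr_system_set() and does that. The check is also "error < 0" here
but "if (error)" in the matching xfs hunk.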
diff --git a/fs/hfsplus/posix_acl.c b/fs/hfsplus/posix_acl.c
index b609cc14c72e..9f7cc491ffb1 100644
--- a/fs/hfsplus/posix_acl.c
+++ b/fs/hfsplus/posix_acl.c
@@ -72,8 +72,8 @@ static int hfsplus_set_posix_acl(struct inode *inode,
 	case ACL_TYPE_ACCESS:
 		xattr_name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			err = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (err < 0)
+			err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (err)
 				return err;
 		}
 		err = 0;
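Review bot: for hfsplus this is more than the SGID fix. The removed lines
never set acl to NULL when the ACL was equivalent to the mode, but
posix_acl_update_mode() now does, so everything after "err = 0;" runs with
acl == NULL in that case. That is the behaviour the other filesystems
already had, but it is a functional change for hfsplus and deserves a line
in the changelog.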
diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index bd8471fb9a6a..889be3fef4bc 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -69,8 +69,9 @@ static int can_set_system_xattr(struct inode *inode, const char *name,
 		if (IS_ERR(acl))
 			return PTR_ERR(acl);
 		if (acl) {
-			err = posix_acl_equiv_mode(acl, &inode->i_mode);
-			posix_acl_release(acl);
+			struct posix_acl *old_acl = acl;
+			err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			posix_acl_release(old_acl);
 			if (err < 0)
 				return err;
 			mark_inode_dirty(inode);
diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
index 223283c30111..9335b8d3cf52 100644
--- a/fs/jffs2/acl.c
+++ b/fs/jffs2/acl.c
@@ -243,9 +243,10 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
 	case ACL_TYPE_ACCESS:
 		xprefix = JFFS2_XPREFIX_ACL_ACCESS;
 		if (acl) {
-			umode_t mode = inode->i_mode;
-			rc = posix_acl_equiv_mode(acl, &mode);
-			if (rc < 0)
+			umode_t mode;
+
+			rc = posix_acl_update_mode(inode, &mode, &acl);
+			if (rc)
 				return rc;
 			if (inode->i_mode != mode) {
 				struct iattr attr;
@@ -257,8 +258,6 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
 				if (rc < 0)
 					return rc;
 			}
-			if (rc == 0)
-				acl = NULL;
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
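Review bot: dropping "if (rc == 0) acl = NULL;" here changes behaviour beyond
moving the logic into the helper. The "if (rc < 0) return rc;" inside the
"if (inode->i_mode != mode)" block indicates rc is reassigned there, so the
removed test could see the result of the setattr rather than the
equivalence result. The new code is the correct one, since acl is cleared
only when the helper found the ACL equivalent to the mode, but the
changelog should say that a latent bug in jffs2 is being fixed as well.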
diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index d3472f4cd530..8c9b6a06dcbb 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -693,8 +693,9 @@ static int can_set_system_xattr(struct inode *inode, const char *name,
 			return rc;
 		}
 		if (acl) {
-			rc = posix_acl_equiv_mode(acl, &inode->i_mode);
-			posix_acl_release(acl);
+			struct posix_acl *old_acl = acl;
+			rc = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			posix_acl_release(old_acl);
 			if (rc < 0) {
 				printk(KERN_ERR
 				       "posix_acl_equiv_mode returned %d\n",
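Review bot: the printk in the error branch still reads
"posix_acl_equiv_mode returned %d" although the call above it is now
posix_acl_update_mode(). Anyone reading that line in a log will look for
the wrong function; update the string to name the helper actually called.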
diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c
index b4f788e0ca31..23095b017752 100644
--- a/fs/ocfs2/acl.c
+++ b/fs/ocfs2/acl.c
@@ -270,20 +270,14 @@ static int ocfs2_set_acl(handle_t *handle,
 	case ACL_TYPE_ACCESS:
 		name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			umode_t mode = inode->i_mode;
-			ret = posix_acl_equiv_mode(acl, &mode);
-			if (ret < 0)
+			umode_t mode;
+			ret = posix_acl_update_mode(inode, &mode, &acl);
+			if (ret)
+				return ret;
+			ret = ocfs2_acl_set_mode(inode, di_bh,
+						 handle, mode);
+			if (ret)
 				return ret;
-			else {
-				if (ret == 0)
-					acl = NULL;
-
-				ret = ocfs2_acl_set_mode(inode, di_bh,
-							 handle, mode);
-				if (ret)
-					return ret;
-
-			}
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 3542f1f814e2..1da000aabb08 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -407,6 +407,37 @@ posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p)
 }
 EXPORT_SYMBOL(posix_acl_create);
 
+/**
+ * posix_acl_update_mode  -  update mode in set_acl
+ *
+ * Update the file mode when setting an ACL: compute the new file permission
+ * bits based on the ACL.  In addition, if the ACL is equivalent to the new
+ * file mode, set *acl to NULL to indicate that no ACL should be set.
+ *
+ * As with chmod, clear the setgit bit if the caller is not in the owning group
+ * or capable of CAP_FSETID (see inode_change_ok).
+ *
+ * Called from set_acl inode operations.
+ */
+int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
+                          struct posix_acl **acl)
+{
+        umode_t mode = inode->i_mode;
+        int error;
+
+        error = posix_acl_equiv_mode(*acl, &mode);
+        if (error < 0)
+                return error;
+        if (error == 0)
+                *acl = NULL;
+        if (!in_group_p(inode->i_gid) &&
+            !capable_wrt_inode_uidgid(inode, CAP_FSETID))
+                mode &= ~S_ISGID;
+        *mode_p = mode;
+        return 0;
+}
+EXPORT_SYMBOL(posix_acl_update_mode);
+
 int
 posix_acl_chmod(struct posix_acl **acl, gfp_t gfp, umode_t mode)
 {
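Review bot: the kerneldoc does not say who owns the ACL reference when the
helper sets *acl to NULL. The function drops the pointer without calling
posix_acl_release(), which is why the gfs2, xfs, jfs and hfsplus/xattr.c
callers each have to keep an old_acl copy; a caller that misses this leaks
the ACL. State the ownership rule in the comment and add the @inode,
@mode_p and @acl parameter lines. Also, "setgit bit" should read "setgid
bit", and the function body is indented with spaces where the rest of the
file uses tabs.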
diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
index 06c04f73da65..a86ad7ec7957 100644
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -288,13 +288,9 @@ reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode,
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (error < 0)
+			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (error)
 				return error;
-			else {
-				if (error == 0)
-					acl = NULL;
-			}
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
index 0e2f37efedd0..9c7b5ce06f4f 100644
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -402,16 +402,15 @@ xfs_xattr_acl_set(struct dentry *dentry, const char *name,
 		goto out_release;
 
 	if (type == ACL_TYPE_ACCESS) {
-		umode_t mode = inode->i_mode;
-		error = posix_acl_equiv_mode(acl, &mode);
+		umode_t mode;
+		struct posix_acl *old_acl = acl;
 
-		if (error <= 0) {
-			posix_acl_release(acl);
-			acl = NULL;
+		error = posix_acl_update_mode(inode, &mode, &acl);
 
-			if (error < 0)
-				return error;
-		}
+		if (error)
+			goto out_release;
+		if (!acl)
+			posix_acl_release(old_acl);
 
 		error = xfs_set_mode(inode, mode);
 		if (error)
diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h
index 7931efe71175..43cb8d59d0a7 100644
--- a/include/linux/posix_acl.h
+++ b/include/linux/posix_acl.h
@@ -89,6 +89,7 @@ extern int posix_acl_permission(struct inode *, const struct posix_acl *, int);
 extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t);
 extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *);
 extern int posix_acl_create(struct posix_acl **, gfp_t, umode_t *);
+extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **);
 extern int posix_acl_chmod(struct posix_acl **, gfp_t, umode_t);
 
 extern struct posix_acl *get_posix_acl(struct inode *, int);
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread
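Review bot: in the NFS hunk that follows, under "case -ENOENT:", d_add()
hashes the negative dentry before nfs_set_verifier() stores the directory
change attribute, so a lookup that finds the dentry between the two calls
sees it without a verifier. The worst case is one extra revalidation, which
is the behaviour before this patch, but calling nfs_set_verifier() first
would close the window; otherwise a one-line comment stating that the order
is deliberate would help.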

* [patch added to 3.12-stable] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (20 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] posix_acl: Clear SGID bit when setting file permissions Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] vmxnet3: Wake queue from reset work Jiri Slaby
                   ` (39 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Trond Myklebust, Jiri Slaby

From: Trond Myklebust <trond.myklebust@primarydata.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 809fd143de8805970eec02c27c0bc2622a6ecbda upstream.

If the OPEN rpc call to the server fails with an ENOENT call, nfs_atomic_open
will create a negative dentry for that file, however it currently fails
to call nfs_set_verifier(), thus causing the dentry to be immediately
revalidated on the next call to nfs_lookup_revalidate() instead of following
the usual lookup caching rules.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/nfs/dir.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index b9670301d7d3..24e6448b7c80 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1487,6 +1487,7 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
 		switch (err) {
 		case -ENOENT:
 			d_add(dentry, NULL);
+			nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
 			break;
 		case -EISDIR:
 		case -ENOTDIR:
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] vmxnet3: Wake queue from reset work
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (21 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable Jiri Slaby
                   ` (38 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Benjamin Poirier, David S . Miller, Jiri Slaby

From: Benjamin Poirier <bpoirier@suse.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 277964e19e1416ca31301e113edb2580c81a8b66 upstream.

vmxnet3_reset_work() expects tx queues to be stopped (via
vmxnet3_quiesce_dev -> netif_tx_disable). However, this races with the
netif_wake_queue() call in netif_tx_timeout() such that the driver's
start_xmit routine may be called unexpectedly, triggering one of the BUG_ON
in vmxnet3_map_pkt with a stack trace like this:

RIP: 0010:[<ffffffffa00cf4bc>] vmxnet3_map_pkt+0x3ac/0x4c0 [vmxnet3]
 [<ffffffffa00cf7e0>] vmxnet3_tq_xmit+0x210/0x4e0 [vmxnet3]
 [<ffffffff813ab144>] dev_hard_start_xmit+0x2e4/0x4c0
 [<ffffffff813c956e>] sch_direct_xmit+0x17e/0x1e0
 [<ffffffff813c96a7>] __qdisc_run+0xd7/0x130
 [<ffffffff813a6a7a>] net_tx_action+0x10a/0x200
 [<ffffffff810691df>] __do_softirq+0x11f/0x260
 [<ffffffff81472fdc>] call_softirq+0x1c/0x30
 [<ffffffff81004695>] do_softirq+0x65/0xa0
 [<ffffffff81069b89>] local_bh_enable_ip+0x99/0xa0
 [<ffffffffa031ff36>] destroy_conntrack+0x96/0x110 [nf_conntrack]
 [<ffffffff813d65e2>] nf_conntrack_destroy+0x12/0x20
 [<ffffffff8139c6d5>] skb_release_head_state+0xb5/0xf0
 [<ffffffff8139d299>] skb_release_all+0x9/0x20
 [<ffffffff8139cfe9>] __kfree_skb+0x9/0x90
 [<ffffffffa00d0069>] vmxnet3_quiesce_dev+0x209/0x340 [vmxnet3]
 [<ffffffffa00d020a>] vmxnet3_reset_work+0x6a/0xa0 [vmxnet3]
 [<ffffffff8107d7cc>] process_one_work+0x16c/0x350
 [<ffffffff810804fa>] worker_thread+0x17a/0x410
 [<ffffffff810848c6>] kthread+0x96/0xa0
 [<ffffffff81472ee4>] kernel_thread_helper+0x4/0x10

Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/vmxnet3/vmxnet3_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index 55d89390b4bc..59dcdfcd0c28 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -2890,7 +2890,6 @@ vmxnet3_tx_timeout(struct net_device *netdev)
 
 	netdev_err(adapter->netdev, "tx hang\n");
 	schedule_work(&adapter->work);
-	netif_wake_queue(adapter->netdev);
 }
 
 
@@ -2917,6 +2916,7 @@ vmxnet3_reset_work(struct work_struct *data)
 	}
 	rtnl_unlock();
 
+	netif_wake_queue(adapter->netdev);
 	clear_bit(VMXNET3_STATE_BIT_RESETTING, &adapter->state);
 }
 
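Review bot: the wake added after rtnl_unlock() uses netif_wake_queue(),
which restarts only tx queue 0, while the changelog says the queues were
stopped with netif_tx_disable(), which stops all of them. On a multiqueue
device netif_tx_wake_all_queues() is the matching call. The wake is also
unconditional: it sits after the closing brace of the preceding block, so
it runs even if that block did not bring the device back up. Consider
moving it inside the path that re-activates the device.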
-- 
2.11.0



* [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (22 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] vmxnet3: Wake queue from reset work Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-31 10:54   ` Aurélien Aptel
  2017-01-27 10:47 ` [patch added to 3.12-stable] Fix memory leaks in cifs_do_mount() Jiri Slaby
                   ` (37 subsequent siblings)
  61 siblings, 1 reply; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Aurelien Aptel, Steve French, Jiri Slaby

From: Aurelien Aptel <aaptel@suse.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit a6b5058fafdf508904bbf16c29b24042cef3c496 upstream.

if, when mounting //HOST/share/sub/dir/foo we can query /sub/dir/foo but
not any of the path components above:

- store the /sub/dir/foo prefix in the cifs super_block info
- in the superblock, set root dentry to the subpath dentry (instead of
  the share root)
- set a flag in the superblock to remember it
- use prefixpath when building path from a dentry

fixes bso#8950

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Pavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/cifs_fs_sb.h |  4 ++++
 fs/cifs/cifsfs.c     | 14 +++++++++++++-
 fs/cifs/connect.c    | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 fs/cifs/dir.c        | 20 ++++++++++++++++++--
 fs/cifs/inode.c      | 22 ++++++++++++++++++++--
 5 files changed, 104 insertions(+), 5 deletions(-)

diff --git a/fs/cifs/cifs_fs_sb.h b/fs/cifs/cifs_fs_sb.h
index 37e4a72a7d1c..ae4e35bdc2cd 100644
--- a/fs/cifs/cifs_fs_sb.h
+++ b/fs/cifs/cifs_fs_sb.h
@@ -45,6 +45,9 @@
 #define CIFS_MOUNT_POSIXACL	0x100000 /* mirror of MS_POSIXACL in mnt_cifs_flags */
 #define CIFS_MOUNT_CIFS_BACKUPUID 0x200000 /* backup intent bit for a user */
 #define CIFS_MOUNT_CIFS_BACKUPGID 0x400000 /* backup intent bit for a group */
+#define CIFS_MOUNT_USE_PREFIX_PATH 0x1000000 /* make subpath with unaccessible
+					      * root mountable
+					      */
 
 struct cifs_sb_info {
 	struct rb_root tlink_tree;
@@ -65,5 +68,6 @@ struct cifs_sb_info {
 	char   *mountdata; /* options received at mount time or via DFS refs */
 	struct backing_dev_info bdi;
 	struct delayed_work prune_tlinks;
+	char *prepath;
 };
 #endif				/* _CIFS_FS_SB_H */
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 037b8f7e8a94..259f95121151 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -668,6 +668,14 @@ cifs_do_mount(struct file_system_type *fs_type,
 		goto out_cifs_sb;
 	}
 
+	if (volume_info->prepath) {
+		cifs_sb->prepath = kstrdup(volume_info->prepath, GFP_KERNEL);
+		if (cifs_sb->prepath == NULL) {
+			root = ERR_PTR(-ENOMEM);
+			goto out_cifs_sb;
+		}
+	}
+
 	cifs_setup_cifs_sb(volume_info, cifs_sb);
 
 	rc = cifs_mount(cifs_sb, volume_info);
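Review bot: the new kstrdup() failure path jumps to out_cifs_sb, which only
frees cifs_sb, so the cifs_sb->mountdata allocated just above it leaks. In
the other direction, a cifs_mount() failure right after this hunk goes to
out_mountdata, which does not free the new cifs_sb->prepath. Both leaks are
what the follow-up "Fix memory leaks in cifs_do_mount()" (4214ebf46547) in
this series repairs, so the two patches must be queued together and never
applied separately.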
@@ -706,7 +714,11 @@ cifs_do_mount(struct file_system_type *fs_type,
 		sb->s_flags |= MS_ACTIVE;
 	}
 
-	root = cifs_get_root(volume_info, sb);
+	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+		root = dget(sb->s_root);
+	else
+		root = cifs_get_root(volume_info, sb);
+
 	if (IS_ERR(root))
 		goto out_super;
 
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index e06790171e89..e4a36223d815 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3437,6 +3437,44 @@ cifs_get_volume_info(char *mount_data, const char *devname)
 	return volume_info;
 }
 
+static int
+cifs_are_all_path_components_accessible(struct TCP_Server_Info *server,
+					unsigned int xid,
+					struct cifs_tcon *tcon,
+					struct cifs_sb_info *cifs_sb,
+					char *full_path)
+{
+	int rc;
+	char *s;
+	char sep, tmp;
+
+	sep = CIFS_DIR_SEP(cifs_sb);
+	s = full_path;
+
+	rc = server->ops->is_path_accessible(xid, tcon, cifs_sb, "");
+	while (rc == 0) {
+		/* skip separators */
+		while (*s == sep)
+			s++;
+		if (!*s)
+			break;
+		/* next separator */
+		while (*s && *s != sep)
+			s++;
+
+		/*
+		 * temporarily null-terminate the path at the end of
+		 * the current component
+		 */
+		tmp = *s;
+		*s = 0;
+		rc = server->ops->is_path_accessible(xid, tcon, cifs_sb,
+						     full_path);
+		*s = tmp;
+	}
+	return rc;
+}
+
 int
 cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *volume_info)
 {
@@ -3563,6 +3601,16 @@ remote_path_check:
 			kfree(full_path);
 			goto mount_fail_check;
 		}
+
+		rc = cifs_are_all_path_components_accessible(server,
+							     xid, tcon, cifs_sb,
+							     full_path);
+		if (rc != 0) {
+			cifs_dbg(VFS, "cannot query dirs between root and final path, "
+				 "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
+			cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
+			rc = 0;
+		}
 		kfree(full_path);
 	}
 
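Review bot: "if (rc != 0)" treats every failure of
cifs_are_all_path_components_accessible() as "an intermediate directory is
not readable" and then forces rc = 0. An error unrelated to permissions
(for example an allocation or transport failure) therefore enables
CIFS_MOUNT_USE_PREFIX_PATH silently instead of failing the mount. The
assignment also overwrites whatever rc held on reaching this point, which
is the -EREMOTE/DFS regression a later patch in this series describes. Fall
back only on the access-denied error and propagate everything else. The
message is also logged at VFS level on every such mount; FYI may be enough.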
@@ -3819,6 +3867,7 @@ cifs_umount(struct cifs_sb_info *cifs_sb)
 
 	bdi_destroy(&cifs_sb->bdi);
 	kfree(cifs_sb->mountdata);
+	kfree(cifs_sb->prepath);
 	unload_nls(cifs_sb->local_nls);
 	kfree(cifs_sb);
 }
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index 7347f1678fa7..39660990e4b0 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -84,6 +84,7 @@ build_path_from_dentry(struct dentry *direntry)
 	struct dentry *temp;
 	int namelen;
 	int dfsplen;
+	int pplen = 0;
 	char *full_path;
 	char dirsep;
 	struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
@@ -95,8 +96,12 @@ build_path_from_dentry(struct dentry *direntry)
 		dfsplen = strnlen(tcon->treeName, MAX_TREE_SIZE + 1);
 	else
 		dfsplen = 0;
+
+	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+		pplen = cifs_sb->prepath ? strlen(cifs_sb->prepath) + 1 : 0;
+
 cifs_bp_rename_retry:
-	namelen = dfsplen;
+	namelen = dfsplen + pplen;
 	seq = read_seqbegin(&rename_lock);
 	rcu_read_lock();
 	for (temp = direntry; !IS_ROOT(temp);) {
@@ -137,7 +142,7 @@ cifs_bp_rename_retry:
 		}
 	}
 	rcu_read_unlock();
-	if (namelen != dfsplen || read_seqretry(&rename_lock, seq)) {
+	if (namelen != dfsplen + pplen || read_seqretry(&rename_lock, seq)) {
 		cifs_dbg(FYI, "did not end path lookup where expected. namelen=%ddfsplen=%d\n",
 			 namelen, dfsplen);
 		/* presumably this is only possible if racing with a rename
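Review bot: the condition now compares namelen against dfsplen + pplen, but
the cifs_dbg() below it still prints only namelen and dfsplen, so the
message can show two equal numbers for a lookup that is being retried
because of the prefix path. Add pplen to the format string, and while
there separate the fields: "namelen=%ddfsplen=%d" runs the two values
together.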
@@ -153,6 +158,17 @@ cifs_bp_rename_retry:
 	   those safely to '/' if any are found in the middle of the prepath */
 	/* BB test paths to Windows with '/' in the midst of prepath */
 
+	if (pplen) {
+		int i;
+
+		cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath);
+		memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1);
+		full_path[dfsplen] = '\\';
+		for (i = 0; i < pplen-1; i++)
+			if (full_path[dfsplen+1+i] == '/')
+				full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb);
+	}
+
 	if (dfsplen) {
 		strncpy(full_path, tcon->treeName, dfsplen);
 		if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) {
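Review bot: "full_path[dfsplen] = '\\';" hard-codes a backslash as the
separator in front of the prepath, while the loop directly below converts
every '/' inside the prepath to CIFS_DIR_SEP(cifs_sb). On a mount where
that separator is '/', the resulting path mixes both characters. Use the
dirsep variable already declared in this function (or CIFS_DIR_SEP) for the
leading separator too.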
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index ab9f992ca479..518cf900682f 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -937,12 +937,29 @@ struct inode *cifs_root_iget(struct super_block *sb)
 	struct inode *inode = NULL;
 	long rc;
 	struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+	char *path = NULL;
+	int len;
+
+	if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+	    && cifs_sb->prepath) {
+		len = strlen(cifs_sb->prepath);
+		path = kzalloc(len + 2 /* leading sep + null */, GFP_KERNEL);
+		if (path == NULL)
+			return ERR_PTR(-ENOMEM);
+		path[0] = '/';
+		memcpy(path+1, cifs_sb->prepath, len);
+	} else {
+		path = kstrdup("", GFP_KERNEL);
+		if (path == NULL)
+			return ERR_PTR(-ENOMEM);
+	}
 
 	xid = get_xid();
+	convert_delimiter(path, CIFS_DIR_SEP(cifs_sb));
 	if (tcon->unix_ext)
-		rc = cifs_get_inode_info_unix(&inode, "", sb, xid);
+		rc = cifs_get_inode_info_unix(&inode, path, sb, xid);
 	else
-		rc = cifs_get_inode_info(&inode, "", NULL, sb, xid, NULL);
+		rc = cifs_get_inode_info(&inode, path, NULL, sb, xid, NULL);
 
 	if (!inode) {
 		inode = ERR_PTR(rc);
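Review bot: the else branch does "path = kstrdup("", GFP_KERNEL)" only to
pass an empty string, which adds an allocation and a new -ENOMEM failure
to cifs_root_iget() for every mount that does not use a prefix path.
Allocate only in the prefix case and pass a constant "" otherwise, keeping
a separate pointer for the buffer that "kfree(path)" at out releases.
convert_delimiter() then only needs to run on the allocated buffer.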
@@ -970,6 +987,7 @@ struct inode *cifs_root_iget(struct super_block *sb)
 	}
 
 out:
+	kfree(path);
 	/* can not call macro free_xid here since in a void func
 	 * TODO: This is no longer true
 	 */
-- 
2.11.0



* [patch added to 3.12-stable] Fix memory leaks in cifs_do_mount()
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (23 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] Compare prepaths when comparing superblocks Jiri Slaby
                   ` (36 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Sachin Prabhu, Steve French, Jiri Slaby

From: Sachin Prabhu <sprabhu@redhat.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 4214ebf4654798309364d0c678b799e402f38288 upstream.

Fix memory leaks introduced by the patch
Fs/cifs: make share unaccessible at root level mountable

Also move allocation of cifs_sb->prepath to cifs_setup_cifs_sb().

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/cifsfs.c    | 20 ++++++++------------
 fs/cifs/cifsproto.h |  2 +-
 fs/cifs/connect.c   | 11 ++++++++++-
 3 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 259f95121151..846b9916fdcd 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -665,26 +665,22 @@ cifs_do_mount(struct file_system_type *fs_type,
 	cifs_sb->mountdata = kstrndup(data, PAGE_SIZE, GFP_KERNEL);
 	if (cifs_sb->mountdata == NULL) {
 		root = ERR_PTR(-ENOMEM);
-		goto out_cifs_sb;
+		goto out_free;
 	}
 
-	if (volume_info->prepath) {
-		cifs_sb->prepath = kstrdup(volume_info->prepath, GFP_KERNEL);
-		if (cifs_sb->prepath == NULL) {
-			root = ERR_PTR(-ENOMEM);
-			goto out_cifs_sb;
-		}
+	rc = cifs_setup_cifs_sb(volume_info, cifs_sb);
+	if (rc) {
+		root = ERR_PTR(rc);
+		goto out_free;
 	}
 
-	cifs_setup_cifs_sb(volume_info, cifs_sb);
-
 	rc = cifs_mount(cifs_sb, volume_info);
 	if (rc) {
 		if (!(flags & MS_SILENT))
 			cifs_dbg(VFS, "cifs_mount failed w/return code = %d\n",
 				 rc);
 		root = ERR_PTR(rc);
-		goto out_mountdata;
+		goto out_free;
 	}
 
 	mnt_data.vol = volume_info;
@@ -731,9 +727,9 @@ out:
 	cifs_cleanup_volume_info(volume_info);
 	return root;
 
-out_mountdata:
+out_free:
+	kfree(cifs_sb->prepath);
 	kfree(cifs_sb->mountdata);
-out_cifs_sb:
 	kfree(cifs_sb);
 out_nls:
 	unload_nls(volume_info->local_nls);
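Review bot: out_free now does "kfree(cifs_sb->prepath)" and is reached from
the mountdata allocation failure in the previous hunk, before
cifs_setup_cifs_sb() has had a chance to assign prepath. That is safe only
if cifs_sb was zero-initialised when it was allocated, and the allocation
is not in the context shown. Please confirm it is a kzalloc() in the 3.12
tree; otherwise this frees an uninitialised pointer on that path.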
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index 6421d8b433b1..44d825cdf85e 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -179,7 +179,7 @@ extern int cifs_read_from_socket(struct TCP_Server_Info *server, char *buf,
 extern int cifs_readv_from_socket(struct TCP_Server_Info *server,
 		struct kvec *iov_orig, unsigned int nr_segs,
 		unsigned int to_read);
-extern void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
+extern int cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
 			       struct cifs_sb_info *cifs_sb);
 extern int cifs_match_super(struct super_block *, void *);
 extern void cifs_cleanup_volume_info(struct smb_vol *pvolume_info);
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index e4a36223d815..98c9c867f1b3 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3185,7 +3185,7 @@ void reset_cifs_unix_caps(unsigned int xid, struct cifs_tcon *tcon,
 	}
 }
 
-void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
+int cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
 			struct cifs_sb_info *cifs_sb)
 {
 	INIT_DELAYED_WORK(&cifs_sb->prune_tlinks, cifs_prune_tlinks);
@@ -3267,6 +3267,15 @@ void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
 
 	if ((pvolume_info->cifs_acl) && (pvolume_info->dynperm))
 		cifs_dbg(VFS, "mount option dynperm ignored if cifsacl mount option supported\n");
+
+
+	if (pvolume_info->prepath) {
+		cifs_sb->prepath = kstrdup(pvolume_info->prepath, GFP_KERNEL);
+		if (cifs_sb->prepath == NULL)
+			return -ENOMEM;
+	}
+
+	return 0;
 }
 
 static void
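Review bot: the hunk adds two consecutive blank lines before the
"if (pvolume_info->prepath)" block, which checkpatch flags; one is enough.
With the return type changed from void to int, the continuation lines of
the prototype and the definition are also no longer aligned with the
opening parenthesis.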
-- 
2.11.0



* [patch added to 3.12-stable] Compare prepaths when comparing superblocks
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (24 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] Fix memory leaks in cifs_do_mount() Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] Move check for prefix path to within cifs_get_root() Jiri Slaby
                   ` (35 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Sachin Prabhu, Steve French, Jiri Slaby

From: Sachin Prabhu <sprabhu@redhat.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit c1d8b24d18192764fe82067ec6aa8d4c3bf094e0 upstream.

The patch
Fs/cifs: make share unaccessible at root level mountable
makes use of prepaths when any component of the underlying path is
inaccessible.

When mounting 2 separate shares having different prepaths but are
otherwise similar in other respects, we end up sharing superblocks when we
shouldn't be doing so.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/connect.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 98c9c867f1b3..7491e8445458 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2742,6 +2742,24 @@ compare_mount_options(struct super_block *sb, struct cifs_mnt_data *mnt_data)
 	return 1;
 }
 
+static int
+match_prepath(struct super_block *sb, struct cifs_mnt_data *mnt_data)
+{
+	struct cifs_sb_info *old = CIFS_SB(sb);
+	struct cifs_sb_info *new = mnt_data->cifs_sb;
+
+	if (old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) {
+		if (!(new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH))
+			return 0;
+		/* The prepath should be null terminated strings */
+		if (strcmp(new->prepath, old->prepath))
+			return 0;
+
+		return 1;
+	}
+	return 0;
+}
+
 int
 cifs_match_super(struct super_block *sb, void *data)
 {
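Review bot: match_prepath() falls through to "return 0" whenever the
existing superblock does not have CIFS_MOUNT_USE_PREFIX_PATH set. Because
the next hunk adds "!match_prepath(sb, mnt_data)" to the rejection test in
cifs_match_super(), two ordinary mounts that use no prefix path can no
longer share a superblock. It should return 1 when neither side has the
flag and 0 when exactly one has it. Separately, strcmp() is called on both
prepath pointers without a NULL check, while build_path_from_dentry() in
the earlier patch guards with "cifs_sb->prepath ? ... : 0"; if the flag
can be set with a NULL prepath, this dereferences NULL.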
@@ -2769,7 +2787,8 @@ cifs_match_super(struct super_block *sb, void *data)
 
 	if (!match_server(tcp_srv, volume_info) ||
 	    !match_session(ses, volume_info) ||
-	    !match_tcon(tcon, volume_info->UNC)) {
+	    !match_tcon(tcon, volume_info->UNC) ||
+	    !match_prepath(sb, mnt_data)) {
 		rc = 0;
 		goto out;
 	}
-- 
2.11.0



* [patch added to 3.12-stable] Move check for prefix path to within cifs_get_root()
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (25 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] Compare prepaths when comparing superblocks Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] Fix regression which breaks DFS mounting Jiri Slaby
                   ` (34 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Sachin Prabhu, Steve French, Jiri Slaby

From: Sachin Prabhu <sprabhu@redhat.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 348c1bfa84dfc47da1f1234b7f2bf09fa798edea upstream.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/cifsfs.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 846b9916fdcd..75aacb731c54 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -586,6 +586,9 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb)
 	char *s, *p;
 	char sep;
 
+	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+		return dget(sb->s_root);
+
 	full_path = cifs_build_path_to_root(vol, cifs_sb,
 					    cifs_sb_master_tcon(cifs_sb));
 	if (full_path == NULL)
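Review bot: the early return added at the top of cifs_get_root() carries no comment, and the commit message has no body, so nothing records why sb->s_root is the right dentry when CIFS_MOUNT_USE_PREFIX_PATH is set. A one-line comment above the check would do; it would also make clear that the return deliberately sits before cifs_build_path_to_root(), so there is no full_path to free on that path.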
@@ -710,11 +713,7 @@ cifs_do_mount(struct file_system_type *fs_type,
 		sb->s_flags |= MS_ACTIVE;
 	}
 
-	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
-		root = dget(sb->s_root);
-	else
-		root = cifs_get_root(volume_info, sb);
-
+	root = cifs_get_root(volume_info, sb);
 	if (IS_ERR(root))
 		goto out_super;
 
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] Fix regression which breaks DFS mounting
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (26 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] Move check for prefix path to within cifs_get_root() Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix refcount bug in profile replacement Jiri Slaby
                   ` (33 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Sachin Prabhu, Steve French, Jiri Slaby

From: Sachin Prabhu <sprabhu@redhat.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit d171356ff11ab1825e456dfb979755e01b3c54a1 upstream.

Patch a6b5058 results in -EREMOTE returned by is_path_accessible() in
cifs_mount() being ignored, which breaks DFS mounting.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/connect.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 7491e8445458..bd54422a260d 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3629,15 +3629,16 @@ remote_path_check:
 			kfree(full_path);
 			goto mount_fail_check;
 		}
-
-		rc = cifs_are_all_path_components_accessible(server,
-							     xid, tcon, cifs_sb,
-							     full_path);
-		if (rc != 0) {
-			cifs_dbg(VFS, "cannot query dirs between root and final path, "
-				 "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
-			cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
-			rc = 0;
+		if (rc != -EREMOTE) {
+			rc = cifs_are_all_path_components_accessible(server,
+								     xid, tcon, cifs_sb,
+								     full_path);
+			if (rc != 0) {
+				cifs_dbg(VFS, "cannot query dirs between root and final path, "
+					 "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
+				cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
+				rc = 0;
+			}
 		}
 		kfree(full_path);
 	}
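Review bot: the new if (rc != -EREMOTE) guard depends on rc still holding the result of the is_path_accessible() call named in the commit message, which is assigned outside this hunk. Add a comment at the guard saying that -EREMOTE has to be preserved for DFS mounting, otherwise a later edit that reuses rc above this point quietly reintroduces the regression. The commit message cites the offending change only as "Patch a6b5058"; a Fixes: line with the full hash and subject would let stable tooling pair the two.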
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix refcount bug in profile replacement
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (27 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] Fix regression which breaks DFS mounting Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix replacement bug that adds new child to old parent Jiri Slaby
                   ` (32 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit dcda617a0c5160c73e0aa02813c871339ea08004 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 705c2879d3a9..222052f64e2c 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1189,12 +1189,12 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 				aa_get_profile(newest);
 				aa_put_profile(parent);
 				rcu_assign_pointer(ent->new->parent, newest);
-			} else
-				aa_put_profile(newest);
+			}
 			/* aafs interface uses replacedby */
 			rcu_assign_pointer(ent->new->replacedby->profile,
 					   aa_get_profile(ent->new));
 			__list_add_profile(&parent->base.profiles, ent->new);
+			aa_put_profile(newest);
 		} else {
 			/* aafs interface uses replacedby */
 			rcu_assign_pointer(ent->new->replacedby->profile,
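Review bot: in the newest != parent branch, aa_put_profile(parent) runs before parent is dereferenced again in __list_add_profile(&parent->base.profiles, ent->new), so the list head is reached through a pointer whose reference was just dropped. Either move the put after the last use of parent or add to the list through the profile that still holds a reference. The commit message has no body; it should say which get is balanced by the now unconditional aa_put_profile(newest).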
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix replacement bug that adds new child to old parent
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (28 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix refcount bug in profile replacement Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix uninitialized lsm_audit member Jiri Slaby
                   ` (31 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit ec34fa24a934f4c8fd68f39b84abf34c42e5b06a upstream.

When set atomic replacement is used and the parent is updated before the
child, and the child did not exist in the old parent so there is no
direct replacement then the new child is incorrectly added to the old
parent. This results in the new parent not having the child(ren) that
it should and the old parent when being destroyed asserting the
following error.

AppArmor: policy_destroy: internal error, policy '<profile/name>' still
contains profiles

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 222052f64e2c..c92a9f6c1be5 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1193,7 +1193,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 			/* aafs interface uses replacedby */
 			rcu_assign_pointer(ent->new->replacedby->profile,
 					   aa_get_profile(ent->new));
-			__list_add_profile(&parent->base.profiles, ent->new);
+			__list_add_profile(&newest->base.profiles, ent->new);
 			aa_put_profile(newest);
 		} else {
 			/* aafs interface uses replacedby */
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix uninitialized lsm_audit member
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (29 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix replacement bug that adds new child to old parent Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: exec should not be returning ENOENT when it denies Jiri Slaby
                   ` (30 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit b6b1b81b3afba922505b57f4c812bba022f7c4a9 upstream.

BugLink: http://bugs.launchpad.net/bugs/1268727

The task field in the lsm_audit struct needs to be initialized if
a change_hat fails, otherwise the following oops will occur

BUG: unable to handle kernel paging request at 0000002fbead7d08
IP: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
PGD 1e3f35067 PUD 0
Oops: 0002 [#1] SMP
Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF          O 3.13.0-7-generic #25-Ubuntu
Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
RIP: 0010:[<ffffffff8171153e>]  [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
RSP: 0018:ffff880212987b68  EFLAGS: 00010006
RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
FS:  00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
Stack:
 ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
 0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
 0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
Call Trace:
 [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80
 [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
 [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80
 [<ffffffff81075fee>] send_sig_info+0x1e/0x30
 [<ffffffff8130242d>] aa_audit+0x13d/0x190
 [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130
 [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
 [<ffffffff81304cc2>] aa_change_hat+0x202/0x530
 [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0
 [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300
 [<ffffffff812cee56>] security_setprocattr+0x16/0x20
 [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130
 [<ffffffff811b7604>] vfs_write+0xb4/0x1f0
 [<ffffffff811b8039>] SyS_write+0x49/0xa0
 [<ffffffff8171a1bf>] tracesys+0xe1/0xe6

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/audit.c | 3 ++-
 security/apparmor/file.c  | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 031d2d9dd695..47d0f9ecd3bc 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -212,7 +212,8 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
 
 	if (sa->aad->type == AUDIT_APPARMOR_KILL)
 		(void)send_sig_info(SIGKILL, NULL,
-				    sa->aad->tsk ?  sa->aad->tsk : current);
+			sa->type == LSM_AUDIT_DATA_TASK && sa->aad->tsk ?
+				    sa->aad->tsk : current);
 
 	if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
 		return complain_error(sa->aad->error);
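Review bot: the third argument to send_sig_info() relies on && binding tighter than ?:, which is correct but easy to misread across the line break; parenthesise the condition as (sa->type == LSM_AUDIT_DATA_TASK && sa->aad->tsk). The guard also tests sa->type but then reads sa->aad->tsk, so it only helps if every caller that sets LSM_AUDIT_DATA_TASK also initialises aad->tsk.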
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index fdaa50cb1876..a4f7f1a5a798 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -110,7 +110,8 @@ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
 	int type = AUDIT_APPARMOR_AUTO;
 	struct common_audit_data sa;
 	struct apparmor_audit_data aad = {0,};
-	sa.type = LSM_AUDIT_DATA_NONE;
+	sa.type = LSM_AUDIT_DATA_TASK;
+	sa.u.tsk = NULL;
 	sa.aad = &aad;
 	aad.op = op,
 	aad.fs.request = request;
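Review bot: this hunk initialises sa.u.tsk, but the aa_audit() hunk in the same patch reads sa->aad->tsk, and aad is already zeroed by the {0,} initialiser just above, so the patch does not make clear which member was left uninitialised. Say in the commit message which field the oops came from, or initialise the member aa_audit() actually reads. Separately, the context line aad.op = op, ends in a comma rather than a semicolon; it works as a comma expression but should be cleaned up.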
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: exec should not be returning ENOENT when it denies
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (30 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix uninitialized lsm_audit member Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix update the mtime of the profile file on replacement Jiri Slaby
                   ` (29 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 9049a7922124d843a2cd26a02b1d00a17596ec0c upstream.

The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/domain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 0c23888b9816..a59766fe3b7a 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -437,7 +437,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 				new_profile = aa_get_newest_profile(ns->unconfined);
 				info = "ux fallback";
 			} else {
-				error = -ENOENT;
+				error = -EACCES;
 				info = "profile not found";
 				/* remove MAY_EXEC to audit as failure */
 				perms.allow &= ~MAY_EXEC;
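Review bot: changing error from -ENOENT to -EACCES alters the errno returned from this exec path while info still reads "profile not found". The commit message should state the user-visible change explicitly, since this is going to a stable tree and anything matching on the old value will now see a different error.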
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix update the mtime of the profile file on replacement
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (31 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: exec should not be returning ENOENT when it denies Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix disconnected bind mnts reconnection Jiri Slaby
                   ` (28 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit d671e890205a663429da74e1972e652bea4d73ab upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/apparmorfs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index b30489856741..a798c75c7726 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -380,6 +380,8 @@ void __aa_fs_profile_migrate_dents(struct aa_profile *old,
 
 	for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
 		new->dents[i] = old->dents[i];
+		if (new->dents[i])
+			new->dents[i]->d_inode->i_mtime = CURRENT_TIME;
 		old->dents[i] = NULL;
 	}
 }
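Review bot: new->dents[i] is checked for NULL, but new->dents[i]->d_inode is dereferenced unconditionally in the added assignment. Either test d_inode as well or add a comment stating that these dentries always have an inode at this point. The commit has no description beyond its subject, so the reason for touching i_mtime during migration is not recorded anywhere.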
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix disconnected bind mnts reconnection
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (32 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix update the mtime of the profile file on replacement Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: internal paths should be treated as disconnected Jiri Slaby
                   ` (27 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f2e561d190da7ff5ee265fa460e2d7f753dddfda upstream.

Bind mounts can fail to be properly reconnected when PATH_CONNECT is
specified. Ensure that when PATH_CONNECT is specified the path has
a root.

BugLink: http://bugs.launchpad.net/bugs/1319984

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/path.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/path.c b/security/apparmor/path.c
index 35b394a75d76..0f232e5cd18c 100644
--- a/security/apparmor/path.c
+++ b/security/apparmor/path.c
@@ -141,7 +141,10 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 			error = -EACCES;
 			if (*res == '/')
 				*name = res + 1;
-		}
+		} else if (*res != '/')
+			/* CONNECT_PATH with missing root */
+			error = prepend(name, *name - buf, "/", 1);
+
 	}
 
 out:
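Review bot: the added else if (*res != '/') branch is unbraced while the if branch it hangs off is braced, and a comment sits between the condition and its single statement. Kernel style asks for braces on every branch once one has them, and here they would also make it obvious that only the prepend() call is conditional. The blank + line added before the closing brace can go as well.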
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: internal paths should be treated as disconnected
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (33 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix disconnected bind mnts reconnection Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix put() parent ref after updating the active ref Jiri Slaby
                   ` (26 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit bd35db8b8ca6e27fc17a9057ef78e1ddfc0de351 upstream.

Internal mounts are not mounted anywhere and as such should be treated
as disconnected paths.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/path.c | 64 +++++++++++++++++++++++++++---------------------
 1 file changed, 36 insertions(+), 28 deletions(-)

diff --git a/security/apparmor/path.c b/security/apparmor/path.c
index 0f232e5cd18c..5505e0563bc8 100644
--- a/security/apparmor/path.c
+++ b/security/apparmor/path.c
@@ -25,7 +25,6 @@
 #include "include/path.h"
 #include "include/policy.h"
 
-
 /* modified from dcache.c */
 static int prepend(char **buffer, int buflen, const char *str, int namelen)
 {
@@ -39,6 +38,38 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen)
 
 #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
 
+/* If the path is not connected to the expected root,
+ * check if it is a sysctl and handle specially else remove any
+ * leading / that __d_path may have returned.
+ * Unless
+ *     specifically directed to connect the path,
+ * OR
+ *     if in a chroot and doing chroot relative paths and the path
+ *     resolves to the namespace root (would be connected outside
+ *     of chroot) and specifically directed to connect paths to
+ *     namespace root.
+ */
+static int disconnect(const struct path *path, char *buf, char **name,
+		      int flags)
+{
+	int error = 0;
+
+	if (!(flags & PATH_CONNECT_PATH) &&
+	    !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
+	      our_mnt(path->mnt))) {
+		/* disconnected path, don't return pathname starting
+		 * with '/'
+		 */
+		error = -EACCES;
+		if (**name == '/')
+			*name = *name + 1;
+	} else if (**name != '/')
+		/* CONNECT_PATH with missing root */
+		error = prepend(name, *name - buf, "/", 1);
+
+	return error;
+}
+
 /**
  * d_namespace_path - lookup a name associated with a given path
  * @path: path to lookup  (NOT NULL)
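Review bot: the block comment above disconnect() was carried over unchanged and still says "check if it is a sysctl and handle specially", which this helper does not do. Trim it to what the function does and document the return value: 0, -EACCES for a path left disconnected, or the result of prepend(). The unbraced else if after a braced if is the same style issue as in the code this was lifted from.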
@@ -74,7 +105,8 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 			 * control instead of hard coded /proc
 			 */
 			return prepend(name, *name - buf, "/proc", 5);
-		}
+		} else
+			return disconnect(path, buf, name, flags);
 		return 0;
 	}
 
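Review bot: with the added else return disconnect(path, buf, name, flags);, both arms of this if now return, so the return 0; context line that follows looks unreachable from this if/else. Drop it or restructure so the intent is clear. The } else with an unbraced body after a braced if also goes against kernel brace style.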
@@ -120,32 +152,8 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 			goto out;
 	}
 
-	/* If the path is not connected to the expected root,
-	 * check if it is a sysctl and handle specially else remove any
-	 * leading / that __d_path may have returned.
-	 * Unless
-	 *     specifically directed to connect the path,
-	 * OR
-	 *     if in a chroot and doing chroot relative paths and the path
-	 *     resolves to the namespace root (would be connected outside
-	 *     of chroot) and specifically directed to connect paths to
-	 *     namespace root.
-	 */
-	if (!connected) {
-		if (!(flags & PATH_CONNECT_PATH) &&
-			   !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
-			     our_mnt(path->mnt))) {
-			/* disconnected path, don't return pathname starting
-			 * with '/'
-			 */
-			error = -EACCES;
-			if (*res == '/')
-				*name = res + 1;
-		} else if (*res != '/')
-			/* CONNECT_PATH with missing root */
-			error = prepend(name, *name - buf, "/", 1);
-
-	}
+	if (!connected)
+		error = disconnect(path, buf, name, flags);
 
 out:
 	return error;
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix put() parent ref after updating the active ref
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (34 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: internal paths should be treated as disconnected Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix log failures for all profiles in a set Jiri Slaby
                   ` (25 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f351841f8d41072e741e45299070d421a5833a4a upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index c92a9f6c1be5..455c9f89f7e2 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1187,8 +1187,8 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 			/* parent replaced in this atomic set? */
 			if (newest != parent) {
 				aa_get_profile(newest);
-				aa_put_profile(parent);
 				rcu_assign_pointer(ent->new->parent, newest);
+				aa_put_profile(parent);
 			}
 			/* aafs interface uses replacedby */
 			rcu_assign_pointer(ent->new->replacedby->profile,
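Review bot: the reordering is explained neither in the code nor in the commit message, which has no body. Add a comment at aa_put_profile(parent) saying that the old parent's reference may only be dropped after rcu_assign_pointer() has published newest as ent->new->parent, so a later cleanup does not move the put back.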
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix log failures for all profiles in a set
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (35 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix put() parent ref after updating the active ref Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix audit full profile hname on successful load Jiri Slaby
                   ` (24 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit bf15cf0c641be8e57d45f110a9d91464f5bb461a upstream.

Currently only the profile that is causing the failure is logged. This
makes it more confusing than necessary about which profiles loaded
and which didn't. So make sure to log success and failure messages for
all profiles in the set being loaded.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 455c9f89f7e2..db31bc5e459f 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1067,7 +1067,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
  */
 ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 {
-	const char *ns_name, *name = NULL, *info = NULL;
+	const char *ns_name, *info = NULL;
 	struct aa_namespace *ns = NULL;
 	struct aa_load_ent *ent, *tmp;
 	int op = OP_PROF_REPL;
@@ -1082,18 +1082,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 	/* released below */
 	ns = aa_prepare_namespace(ns_name);
 	if (!ns) {
-		info = "failed to prepare namespace";
-		error = -ENOMEM;
-		name = ns_name;
-		goto fail;
+		error = audit_policy(op, GFP_KERNEL, ns_name,
+				     "failed to prepare namespace", -ENOMEM);
+		goto free;
 	}
 
 	mutex_lock(&ns->lock);
 	/* setup parent and ns info */
 	list_for_each_entry(ent, &lh, list) {
 		struct aa_policy *policy;
-
-		name = ent->new->base.hname;
 		error = __lookup_replace(ns, ent->new->base.hname, noreplace,
 					 &ent->old, &info);
 		if (error)
@@ -1121,7 +1118,6 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 			if (!p) {
 				error = -ENOENT;
 				info = "parent does not exist";
-				name = ent->new->base.hname;
 				goto fail_lock;
 			}
 			rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
@@ -1214,9 +1210,22 @@ out:
 
 fail_lock:
 	mutex_unlock(&ns->lock);
-fail:
-	error = audit_policy(op, GFP_KERNEL, name, info, error);
 
+	/* audit cause of failure */
+	op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
+	audit_policy(op, GFP_KERNEL, ent->new->base.hname, info, error);
+	/* audit status that rest of profiles in the atomic set failed too */
+	info = "valid profile in failed atomic policy load";
+	list_for_each_entry(tmp, &lh, list) {
+		if (tmp == ent) {
+			info = "unchecked profile in failed atomic policy load";
+			/* skip entry that caused failure */
+			continue;
+		}
+		op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
+		audit_policy(op, GFP_KERNEL, tmp->new->base.hname, info, error);
+	}
+free:
 	list_for_each_entry_safe(ent, tmp, &lh, list) {
 		list_del_init(&ent->list);
 		aa_load_ent_free(ent);
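Review bot: inside the list_for_each_entry(tmp, &lh, list) loop, op is computed from ent->old rather than tmp->old, so every profile in the set is audited with the failing entry's load/replace operation instead of its own; this looks like it should be (!tmp->old). Also, the fail_lock path used to do error = audit_policy(...) and now discards the return value, while the namespace failure path still assigns it. If that difference is intended it deserves a comment.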
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix audit full profile hname on successful load
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (36 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix log failures for all profiles in a set Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: ensure the target profile name is always audited Jiri Slaby
                   ` (23 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 7ee6da25dcce27b6023a8673fdf8be98dcf7cacf upstream.

Currently logging of a successful profile load only logs the basename
of the profile. This can result in confusion when a child profile has
the same name as another profile in the set. Logging the hname
will ensure there is no confusion.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index db31bc5e459f..ca402d028db8 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1159,7 +1159,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 		list_del_init(&ent->list);
 		op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
 
-		audit_policy(op, GFP_ATOMIC, ent->new->base.name, NULL, error);
+		audit_policy(op, GFP_ATOMIC, ent->new->base.hname, NULL, error);
 
 		if (ent->old) {
 			__replace_profile(ent->old, ent->new, 1);
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: ensure the target profile name is always audited
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (37 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix audit full profile hname on successful load Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: check that xindex is in trans_table bounds Jiri Slaby
                   ` (22 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f7da2de01127b58d93cebeab165136d0998e7b1a upstream.

The target profile name was not being correctly audited in a few
cases because the target variable was not being set and gotos
passed the code to set it at apply:

Since it is always based on new_profile just drop the target var
and conditionally report based on new_profile.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/domain.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index a59766fe3b7a..1c7763766135 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -348,7 +348,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 		file_inode(bprm->file)->i_uid,
 		file_inode(bprm->file)->i_mode
 	};
-	const char *name = NULL, *target = NULL, *info = NULL;
+	const char *name = NULL, *info = NULL;
 	int error = cap_bprm_set_creds(bprm);
 	if (error)
 		return error;
@@ -403,6 +403,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	if (cxt->onexec) {
 		struct file_perms cp;
 		info = "change_profile onexec";
+		new_profile = aa_get_newest_profile(cxt->onexec);
 		if (!(perms.allow & AA_MAY_ONEXEC))
 			goto audit;
 
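
Review bot: with the aa_get_newest_profile(cxt->onexec) call hoisted above the AA_MAY_ONEXEC test, both `goto audit` exits in this block now leave with a held reference in new_profile. Nothing in this block releases it; the balance depends on the aa_put_profile(new_profile) added under cleanup: at the end of this patch. A one-line comment at the assignment saying the reference is dropped at cleanup: would keep a later edit from reintroducing a leak on these paths.
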
@@ -417,7 +418,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 
 		if (!(cp.allow & AA_MAY_ONEXEC))
 			goto audit;
-		new_profile = aa_get_newest_profile(cxt->onexec);
 		goto apply;
 	}
 
@@ -449,10 +449,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 		if (!new_profile) {
 			error = -ENOMEM;
 			info = "could not create null profile";
-		} else {
+		} else
 			error = -EACCES;
-			target = new_profile->base.hname;
-		}
 		perms.xindex |= AA_X_UNSAFE;
 	} else
 		/* fail exec */
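
Review bot: the rewritten `} else` leaves a braced if branch paired with an unbraced else, which kernel coding style asks to avoid: when one branch of a conditional needs braces, both get them. Keep the braces around `error = -EACCES;`, which also shrinks this hunk to the single removed target assignment.
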
@@ -463,7 +461,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	 * fail the exec.
 	 */
 	if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
-		aa_put_profile(new_profile);
 		error = -EPERM;
 		goto cleanup;
 	}
@@ -478,10 +475,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 
 	if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
 		error = may_change_ptraced_domain(current, new_profile);
-		if (error) {
-			aa_put_profile(new_profile);
+		if (error)
 			goto audit;
-		}
 	}
 
 	/* Determine if secure exec is needed.
@@ -502,7 +497,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 		bprm->unsafe |= AA_SECURE_X_NEEDED;
 	}
 apply:
-	target = new_profile->base.hname;
 	/* when transitioning profiles clear unsafe personality bits */
 	bprm->per_clear |= PER_CLEAR_ON_SETID;
 
@@ -510,15 +504,19 @@ x_clear:
 	aa_put_profile(cxt->profile);
 	/* transfer new profile reference will be released when cxt is freed */
 	cxt->profile = new_profile;
+	new_profile = NULL;
 
 	/* clear out all temporary/transitional state from the context */
 	aa_clear_task_cxt_trans(cxt);
 
 audit:
 	error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
-			      name, target, cond.uid, info, error);
+			      name,
+			      new_profile ? new_profile->base.hname : NULL,
+			      cond.uid, info, error);
 
 cleanup:
+	aa_put_profile(new_profile);
 	aa_put_profile(profile);
 	kfree(buffer);
 
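
Review bot: on the path that falls through from `cxt->profile = new_profile; new_profile = NULL;` into audit:, the new `new_profile ? new_profile->base.hname : NULL` argument always evaluates to NULL, so a successful transition is audited with no target name, which is the opposite of what the changelog promises. Either capture the hname in a local before clearing new_profile, or pass cxt->profile->base.hname on that path. The unconditional aa_put_profile(new_profile) at cleanup: also assumes aa_put_profile() accepts NULL; say so in a comment if that is the contract.
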
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: check that xindex is in trans_table bounds
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (38 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: ensure the target profile name is always audited Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix refcount race when finding a child profile Jiri Slaby
                   ` (21 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 23ca7b640b4a55f8747301b6bd984dd05545f6a7 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy_unpack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index a689f10930b5..c841b1268a84 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -676,7 +676,7 @@ static bool verify_xindex(int xindex, int table_size)
 	int index, xtype;
 	xtype = xindex & AA_X_TYPE_MASK;
 	index = xindex & AA_X_INDEX_MASK;
-	if (xtype == AA_X_TABLE && index > table_size)
+	if (xtype == AA_X_TABLE && index >= table_size)
 		return 0;
 	return 1;
 }
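
Review bot: the changelog has no body, so the reason for `index >= table_size` has to be inferred from the diff. State in the commit message that the old `index > table_size` accepted index == table_size, one slot past the end of a table with table_size entries, so that backporters can judge the impact. Since verify_xindex() is declared bool, `return false;` and `return true;` would read better than 0 and 1 while the function is being touched.
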
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix refcount race when finding a child profile
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (39 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: check that xindex is in trans_table bounds Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: add missing id bounds check on dfa verification Jiri Slaby
                   ` (20 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit de7c4cc947f9f56f61520ee7edaf380434a98c8d upstream.

When finding a child profile via an rcu critical section, the profile
may be put and scheduled for deletion after the child is found but
before its refcount is incremented.

Protect against this by repeating the lookup if the profile's refcount
is 0 and is on its way to deletion.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index ca402d028db8..780712553651 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -766,7 +766,9 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
 	struct aa_profile *profile;
 
 	rcu_read_lock();
-	profile = aa_get_profile(__find_child(&parent->base.profiles, name));
+	do {
+		profile = __find_child(&parent->base.profiles, name);
+	} while (profile && !aa_get_profile_not0(profile));
 	rcu_read_unlock();
 
 	/* refcount released by caller */
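
Review bot: the retry loop `while (profile && !aa_get_profile_not0(profile))` carries no comment on why it terminates. It runs entirely inside rcu_read_lock(), and it only makes progress if __find_child() stops returning the profile whose count has dropped to 0. Please add a comment stating what guarantees that, otherwise this reads as a potential busy loop in an RCU read-side section.
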
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: add missing id bounds check on dfa verification
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (40 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix refcount race when finding a child profile Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: don't check for vmalloc_addr if kvzalloc() failed Jiri Slaby
                   ` (19 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 15756178c6a65b261a080e21af4766f59cafc112 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/include/match.h | 1 +
 security/apparmor/match.c         | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 001c43aa0406..a1c04fe86790 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -62,6 +62,7 @@ struct table_set_header {
 #define YYTD_ID_ACCEPT2 6
 #define YYTD_ID_NXT	7
 #define YYTD_ID_TSIZE	8
+#define YYTD_ID_MAX	8
 
 #define YYTD_DATA8	1
 #define YYTD_DATA16	2
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 727eb4200d5c..f9f57c626f54 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -47,6 +47,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
 	 * it every time we use td_id as an index
 	 */
 	th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
+	if (th.td_id > YYTD_ID_MAX)
+		goto out;
 	th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
 	th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
 	blob += sizeof(struct table_header);
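
Review bot: the new test `if (th.td_id > YYTD_ID_MAX)` still lets td_id == 8 through. In match.h the highest table id shown is YYTD_ID_NXT (7), and YYTD_ID_MAX is defined as 8, the same value as YYTD_ID_TSIZE. If td_id indexes an array of YYTD_ID_TSIZE entries, as the comment above the assignment suggests, the bound should be `th.td_id >= YYTD_ID_TSIZE` or YYTD_ID_MAX should be 7. The changelog is empty, so it does not say which was intended.
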
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: don't check for vmalloc_addr if kvzalloc() failed
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (41 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: add missing id bounds check on dfa verification Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix oops in profile_unpack() when policy_db is not present Jiri Slaby
                   ` (18 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 3197f5adf539a3ee6331f433a51483f8c842f890 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/match.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index f9f57c626f54..32b72eb3d988 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -75,14 +75,14 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
 				     u32, be32_to_cpu);
 		else
 			goto fail;
+		/* if table was vmalloced make sure the page tables are synced
+		 * before it is used, as it goes live to all cpus.
+		 */
+		if (is_vmalloc_addr(table))
+			vm_unmap_aliases();
 	}
 
 out:
-	/* if table was vmalloced make sure the page tables are synced
-	 * before it is used, as it goes live to all cpus.
-	 */
-	if (is_vmalloc_addr(table))
-		vm_unmap_aliases();
 	return table;
 fail:
 	kvfree(table);
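
Review bot: the commit message has no body, so it is not clear whether calling is_vmalloc_addr() on a NULL table at out: was an actual fault or only a wasted check. Please say which in the changelog, since that decides whether this belongs in stable. In the moved block, the only early exit visible inside `if (table) {` is `goto fail`, so placing the check after the UNPACK_ARRAY chain is fine.
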
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix oops in profile_unpack() when policy_db is not present
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (42 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: don't check for vmalloc_addr if kvzalloc() failed Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix module parameters can be changed after policy is locked Jiri Slaby
                   ` (17 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 5f20fdfed16bc599a325a145bf0123a8e1c9beea upstream.

BugLink: http://bugs.launchpad.net/bugs/1592547

If unpack_dfa() returns NULL due to the dfa not being present,
profile_unpack() is not checking if the dfa is not present (NULL).

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy_unpack.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index c841b1268a84..dac2121bc873 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -583,6 +583,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
 			error = PTR_ERR(profile->policy.dfa);
 			profile->policy.dfa = NULL;
 			goto fail;
+		} else if (!profile->policy.dfa) {
+			error = -EPROTO;
+			goto fail;
 		}
 		if (!unpack_u32(e, &profile->policy.start[0], "start"))
 			/* default start state */
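
Review bot: the changelog names profile_unpack(), but the function patched here is unpack_profile(); fix the name in the subject and body so the commit can be found by grepping for the symbol. The new `else if (!profile->policy.dfa)` branch returns -EPROTO with no explanation next to it; a short comment that a missing policy dfa is treated as a malformed blob would help.
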
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix module parameters can be changed after policy is locked
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (43 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix oops in profile_unpack() when policy_db is not present Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: do not expose kernel stack Jiri Slaby
                   ` (16 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 58acf9d911c8831156634a44d0b022d683e1e50c upstream.

The policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.

Split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/include/policy.h |  2 ++
 security/apparmor/lsm.c            | 22 ++++++++++------------
 security/apparmor/policy.c         | 18 +++++++++++++++++-
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index c28b0f20ab53..52275f040a5f 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -403,6 +403,8 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 	return profile->audit;
 }
 
+bool policy_view_capable(void);
+bool policy_admin_capable(void);
 bool aa_may_manage_policy(int op);
 
 #endif /* __AA_POLICY_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fb99e18123b4..00a92de97c82 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -762,51 +762,49 @@ __setup("apparmor=", apparmor_enabled_setup);
 /* set global flag turning off the ability to load policy */
 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
-	if (aa_g_lock_policy)
-		return -EACCES;
 	return param_set_bool(val, kp);
 }
 
 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_view_capable())
 		return -EPERM;
 	return param_get_bool(buffer, kp);
 }
 
 static int param_set_aabool(const char *val, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 	return param_set_bool(val, kp);
 }
 
 static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_view_capable())
 		return -EPERM;
 	return param_get_bool(buffer, kp);
 }
 
 static int param_set_aauint(const char *val, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 	return param_set_uint(val, kp);
 }
 
 static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_view_capable())
 		return -EPERM;
 	return param_get_uint(buffer, kp);
 }
 
 static int param_get_audit(char *buffer, struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_view_capable())
 		return -EPERM;
 
 	if (!apparmor_enabled)
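
Review bot: dropping `if (aa_g_lock_policy) return -EACCES;` from param_set_aalockpolicy() changes the errno userspace sees when the lock is already set: policy_admin_capable() now fails in that case and the function returns -EPERM. The same -EPERM is returned for a caller that lacks CAP_MAC_ADMIN, so the two conditions can no longer be told apart. If the errno change is intended, mention it in the changelog; otherwise keep the explicit lock test after a policy_view_capable() check.
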
@@ -818,7 +816,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp)
 static int param_set_audit(const char *val, struct kernel_param *kp)
 {
 	int i;
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 
 	if (!apparmor_enabled)
@@ -839,7 +837,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
 
 static int param_get_mode(char *buffer, struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 
 	if (!apparmor_enabled)
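
Review bot: param_get_mode() is the only getter switched to policy_admin_capable(); param_get_aalockpolicy(), param_get_aabool(), param_get_aauint() and param_get_audit() all use policy_view_capable(). As written, reading the mode parameter starts returning -EPERM once aa_g_lock_policy is set, while every other parameter stays readable. This looks like a slip; use policy_view_capable() here.
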
@@ -851,7 +849,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
 static int param_set_mode(const char *val, struct kernel_param *kp)
 {
 	int i;
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 
 	if (!apparmor_enabled)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 780712553651..179e68d7dc5f 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -918,6 +918,22 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
 			&sa, NULL);
 }
 
+bool policy_view_capable(void)
+{
+	struct user_namespace *user_ns = current_user_ns();
+	bool response = false;
+
+	if (ns_capable(user_ns, CAP_MAC_ADMIN))
+		response = true;
+
+	return response;
+}
+
+bool policy_admin_capable(void)
+{
+	return policy_view_capable() && !aa_g_lock_policy;
+}
+
 /**
  * aa_may_manage_policy - can the current task manage policy
  * @op: the policy manipulation operation being done
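
Review bot: policy_view_capable() tests ns_capable(current_user_ns(), CAP_MAC_ADMIN) where every call site it replaces used capable(CAP_MAC_ADMIN). capable() checks the capability against the initial user namespace, so this widens the check to a task that holds CAP_MAC_ADMIN only in its own user namespace, and through policy_admin_capable() that reaches the parameter setters and aa_may_manage_policy(). The changelog only talks about policy_lock; please either justify the namespace change there or keep capable(). The body can also be reduced to `return ns_capable(user_ns, CAP_MAC_ADMIN);` without the response local, and both new functions are exported through policy.h without kernel-doc.
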
@@ -932,7 +948,7 @@ bool aa_may_manage_policy(int op)
 		return 0;
 	}
 
-	if (!capable(CAP_MAC_ADMIN)) {
+	if (!policy_admin_capable()) {
 		audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
 		return 0;
 	}
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: do not expose kernel stack
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (44 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix module parameters can be changed after policy is locked Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr() Jiri Slaby
                   ` (15 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Heinrich Schuchardt, John Johansen, Jiri Slaby

From: Heinrich Schuchardt <xypron.glpk@gmx.de>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f4ee2def2d70692ccff0d55353df4ee594fd0017 upstream.

Do not copy uninitialized fields th.td_hilen, th.td_data.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/match.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 32b72eb3d988..3f900fcca8fb 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -63,7 +63,9 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
 
 	table = kvzalloc(tsize);
 	if (table) {
-		*table = th;
+		table->td_id = th.td_id;
+		table->td_flags = th.td_flags;
+		table->td_lolen = th.td_lolen;
 		if (th.td_flags == YYTD_DATA8)
 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
 				     u8, byte_to_byte);
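
Review bot: the three field assignments replacing `*table = th;` have no comment, so the next person to add a member to struct table_header has no hint that the struct copy was removed on purpose. Add a comment that th is only partially filled in and that the remaining members rely on the zeroing done by kvzalloc(). Zero-initialising th at its declaration would be an alternative that keeps the struct assignment safe.
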
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr()
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (45 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: do not expose kernel stack Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:54   ` Vegard Nossum
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix arg_size computation for when setprocattr is null terminated Jiri Slaby
                   ` (14 subsequent siblings)
  61 siblings, 1 reply; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable
  Cc: Vegard Nossum, Al Viro, John Johansen, Paul Moore,
	Stephen Smalley, Eric Paris, Casey Schaufler, James Morris,
	Jiri Slaby

From: Vegard Nossum <vegard.nossum@oracle.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit e89b8081327ac9efbf273e790b8677e64fd0361a upstream.

When proc_pid_attr_write() was changed to use memdup_user apparmor's
(interface violating) assumption that the setprocattr buffer was always
a single page was violated.

The size test is not strictly speaking needed as proc_pid_attr_write()
will reject anything larger, but for the sake of robustness we can keep
it in.

SMACK and SELinux look safe to me, but somebody else should probably
have a look just in case.

Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
modified for the case that apparmor provides null termination.

Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/lsm.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 00a92de97c82..90905af74a8d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -533,34 +533,34 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
 {
 	struct common_audit_data sa;
 	struct apparmor_audit_data aad = {0,};
-	char *command, *args = value;
+	char *command, *largs = NULL, *args = value;
 	size_t arg_size;
 	int error;
 
 	if (size == 0)
 		return -EINVAL;
-	/* args points to a PAGE_SIZE buffer, AppArmor requires that
-	 * the buffer must be null terminated or have size <= PAGE_SIZE -1
-	 * so that AppArmor can null terminate them
-	 */
-	if (args[size - 1] != '\0') {
-		if (size == PAGE_SIZE)
-			return -EINVAL;
-		args[size] = '\0';
-	}
-
 	/* task can only write its own attributes */
 	if (current != task)
 		return -EACCES;
 
-	args = value;
+	/* AppArmor requires that the buffer must be null terminated atm */
+	if (args[size - 1] != '\0') {
+		/* null terminate */
+		largs = args = kmalloc(size + 1, GFP_KERNEL);
+		if (!args)
+			return -ENOMEM;
+		memcpy(args, value, size);
+		args[size] = '\0';
+	}
+
+	error = -EINVAL;
 	args = strim(args);
 	command = strsep(&args, " ");
 	if (!args)
-		return -EINVAL;
+		goto out;
 	args = skip_spaces(args);
 	if (!*args)
-		return -EINVAL;
+		goto out;
 
 	arg_size = size - (args - (char *) value);
 	if (strcmp(name, "current") == 0) {
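
Review bot: `arg_size = size - (args - (char *) value);` is left unchanged, but after this hunk args can point into the kmalloc'ed copy largs rather than into value, so the subtraction mixes pointers into two different buffers and arg_size is wrong on the path where the input is not NUL terminated. Compute the offset against `largs ? largs : (char *) value`; a later patch in this series does exactly that, and the two should be applied together. Separately, the changelog says the size test is kept for robustness, yet the `size == PAGE_SIZE` test is removed here and no other size check is added.
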
@@ -586,10 +586,12 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
 			goto fail;
 	} else
 		/* only support the "current" and "exec" process attributes */
-		return -EINVAL;
+		goto fail;
 
 	if (!error)
 		error = size;
+out:
+	kfree(largs);
 	return error;
 
 fail:
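
Review bot: the unsupported-attribute branch changes from `return -EINVAL;` to `goto fail;`, which now emits an AUDIT_APPARMOR_DENIED record for any name other than "current" or "exec", where before it returned silently. The changelog does not mention this; confirm that the extra audit message is intended and say so in the commit message.
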
@@ -598,9 +600,9 @@ fail:
 	aad.profile = aa_current_profile();
 	aad.op = OP_SETPROCATTR;
 	aad.info = name;
-	aad.error = -EINVAL;
+	aad.error = error = -EINVAL;
 	aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
-	return -EINVAL;
+	goto out;
 }
 
 static int apparmor_task_setrlimit(struct task_struct *task,
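
Review bot: the error path now ends in a backward `goto out;` whose only purpose is to reach kfree(largs); add a comment at fail: saying so, since a jump from an error label back into the success exit is easy to misread. `aad.error = error = -EINVAL;` is a chained assignment, which checkpatch flags; split it into two statements.
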
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] apparmor: fix arg_size computation for when setprocattr is null terminated
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (46 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr() Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] vfio/pci: Fix integer overflows, bitmask check Jiri Slaby
                   ` (13 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit d4d03f74a73f3b8b2801d4d02011b6b69778cbcc upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/lsm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 90905af74a8d..c623e4744f55 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -562,7 +562,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
 	if (!*args)
 		goto out;
 
-	arg_size = size - (args - (char *) value);
+	arg_size = size - (args - (largs ? largs : (char *) value));
 	if (strcmp(name, "current") == 0) {
 		if (strcmp(command, "changehat") == 0) {
 			error = aa_setprocattr_changehat(args, arg_size,
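
Review bot: the changelog is empty and there is no Fixes: tag, although the expression corrected here, `size - (args - (char *) value)`, was made wrong by e89b8081327a ("apparmor: fix oops, validate buffer size in apparmor_setprocattr()"), which introduced largs. Add a Fixes: line and one sentence explaining that args may point into the largs copy, so that stable trees which take one commit take the other. A local such as `char *base = largs ? largs : value;` set where largs is allocated would avoid repeating the ternary.
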
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] vfio/pci: Fix integer overflows, bitmask check
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (47 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix arg_size computation for when setprocattr is null terminated Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] bna: Add synchronization for tx ring Jiri Slaby
                   ` (12 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Vlad Tsyrklevich, Alex Williamson, Jiri Slaby

From: Vlad Tsyrklevich <vlad@tsyrklevich.net>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 05692d7005a364add85c6e25a6c4447ce08f913a upstream.

The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
user-supplied integers, potentially allowing memory corruption. This
patch adds appropriate integer overflow checks, checks the range bounds
for VFIO_IRQ_SET_DATA_NONE, and also verifies that only a single
element in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
vfio_pci_set_irqs_ioctl().

Furthermore, a kzalloc is changed to a kcalloc because the use of a
kzalloc with an integer multiplication allowed an integer overflow
condition to be reached without this patch. kcalloc checks for overflow
and should prevent a similar occurrence.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/vfio/pci/vfio_pci.c       | 33 +++++++++++++++++++++------------
 drivers/vfio/pci/vfio_pci_intrs.c |  2 +-
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 275aa3fc4087..f636e2eb0dd8 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -468,8 +468,9 @@ static long vfio_pci_ioctl(void *device_data,
 
 	} else if (cmd == VFIO_DEVICE_SET_IRQS) {
 		struct vfio_irq_set hdr;
+		size_t size;
 		u8 *data = NULL;
-		int ret = 0;
+		int max, ret = 0;
 
 		minsz = offsetofend(struct vfio_irq_set, count);
 
@@ -477,23 +478,31 @@ static long vfio_pci_ioctl(void *device_data,
 			return -EFAULT;
 
 		if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
+		    hdr.count >= (U32_MAX - hdr.start) ||
 		    hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
 				  VFIO_IRQ_SET_ACTION_TYPE_MASK))
 			return -EINVAL;
 
-		if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
-			size_t size;
-			int max = vfio_pci_get_irq_count(vdev, hdr.index);
+		max = vfio_pci_get_irq_count(vdev, hdr.index);
+		if (hdr.start >= max || hdr.start + hdr.count > max)
+			return -EINVAL;
 
-			if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
-				size = sizeof(uint8_t);
-			else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
-				size = sizeof(int32_t);
-			else
-				return -EINVAL;
+		switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
+		case VFIO_IRQ_SET_DATA_NONE:
+			size = 0;
+			break;
+		case VFIO_IRQ_SET_DATA_BOOL:
+			size = sizeof(uint8_t);
+			break;
+		case VFIO_IRQ_SET_DATA_EVENTFD:
+			size = sizeof(int32_t);
+			break;
+		default:
+			return -EINVAL;
+		}
 
-			if (hdr.argsz - minsz < hdr.count * size ||
-			    hdr.start >= max || hdr.start + hdr.count > max)
+		if (size) {
+			if (hdr.argsz - minsz < hdr.count * size)
 				return -EINVAL;
 
 			data = memdup_user((void __user *)(arg + minsz),
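
Review bot: max is declared int and filled from vfio_pci_get_irq_count(), then compared with the user-supplied hdr.start and hdr.start + hdr.count. If those header fields are unsigned 32-bit, as the U32_MAX test above implies, max is converted to unsigned in `hdr.start >= max || hdr.start + hdr.count > max`, and a negative return value would become a very large bound that accepts any range. Reject max < 0 explicitly, or make max unsigned and have the helper never return a negative count. The `hdr.count >= (U32_MAX - hdr.start)` guard would also benefit from a comment that it exists to keep hdr.start + hdr.count from wrapping.
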
diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
index 641bc87bdb96..05b0834e26e0 100644
--- a/drivers/vfio/pci/vfio_pci_intrs.c
+++ b/drivers/vfio/pci/vfio_pci_intrs.c
@@ -465,7 +465,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
 	if (!is_irq_none(vdev))
 		return -EINVAL;
 
-	vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
+	vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
 	if (!vdev->ctx)
 		return -ENOMEM;
 
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] bna: Add synchronization for tx ring.
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (48 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] vfio/pci: Fix integer overflows, bitmask check Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] [media] xc2028: avoid use after free Jiri Slaby
                   ` (11 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Benjamin Poirier, David S . Miller, Jiri Slaby

From: Benjamin Poirier <bpoirier@suse.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit d667f78514c656a6a8bf0b3d6134a7fe5cd4d317 upstream.

We received two reports of BUG_ON in bnad_txcmpl_process() where
hw_consumer_index appeared to be ahead of producer_index. Out of order
write/read of these variables could explain these reports.

bnad_start_xmit(), as a producer of tx descriptors, has a few memory
barriers sprinkled around writes to producer_index and the device's
doorbell but they're not paired with anything in bnad_txcmpl_process(), a
consumer.

Since we are synchronizing with a device, we must use mandatory barriers,
not smp_*. Also, I didn't see the purpose of the last smp_mb() in
bnad_start_xmit().

Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/ethernet/brocade/bna/bnad.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/brocade/bna/bnad.c b/drivers/net/ethernet/brocade/bna/bnad.c
index 45ce6e2214b3..2deabae1d66e 100644
--- a/drivers/net/ethernet/brocade/bna/bnad.c
+++ b/drivers/net/ethernet/brocade/bna/bnad.c
@@ -193,6 +193,7 @@ bnad_txcmpl_process(struct bnad *bnad, struct bna_tcb *tcb)
 		return 0;
 
 	hw_cons = *(tcb->hw_consumer_index);
+	rmb();
 	cons = tcb->consumer_index;
 	q_depth = tcb->q_depth;
 
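
Review bot: the new rmb() has no comment. Kernel style expects every memory barrier to say which accesses it orders and what it pairs with. From the changelog that is the load of *(tcb->hw_consumer_index) against the loads that follow it; write that next to the barrier so the pairing does not have to be recovered from the commit history.
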
@@ -2906,13 +2907,12 @@ bnad_start_xmit(struct sk_buff *skb, struct net_device *netdev)
 	BNA_QE_INDX_INC(prod, q_depth);
 	tcb->producer_index = prod;
 
-	smp_mb();
+	wmb();
 
 	if (unlikely(!test_bit(BNAD_TXQ_TX_STARTED, &tcb->flags)))
 		return NETDEV_TX_OK;
 
 	bna_txq_prod_indx_doorbell(tcb);
-	smp_mb();
 
 	return NETDEV_TX_OK;
 }
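Review bot: replacing smp_mb() with wmb() between the producer_index store and the BNAD_TXQ_TX_STARTED test drops the load ordering the full barrier gave, so test_bit() may now be satisfied before the producer_index store is visible. If any path that clears that flag relies on then seeing the final producer_index, this needs mb(); otherwise put a comment on the wmb() saying it only orders the descriptor and index stores ahead of bna_txq_prod_indx_doorbell(). The removal of the trailing smp_mb() after the doorbell also deserves a stated reason rather than "I didn't see the purpose".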
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] [media] xc2028: avoid use after free
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (49 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] bna: Add synchronization for tx ring Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] [media] xc2028: unlock on error in xc2028_set_config() Jiri Slaby
                   ` (10 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Mauro Carvalho Chehab, Jiri Slaby

From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 upstream.

If struct xc2028_config is passed without a firmware name,
the following trouble may happen:

[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G        W      ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------

[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012] 	___slab_alloc+0x581/0x5b0
[11009.908014] 	__slab_alloc+0x51/0x90
[11009.908017] 	__kmalloc+0x27b/0x350
[11009.908022] 	xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026] 	usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029] 	usb_submit_urb+0xb0e/0x1200
[11009.908032] 	usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035] 	usb_serial_generic_write+0x92/0xc0
[11009.908039] 	usb_console_write+0x38a/0x560
[11009.908045] 	call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051] 	console_unlock+0x40d/0x900
[11009.908056] 	vprintk_emit+0x4b4/0x830
[11009.908061] 	vprintk_default+0x1f/0x30
[11009.908064] 	printk+0x99/0xb5
[11009.908067] 	kasan_report_error+0x10a/0x550
[11009.908070] 	__asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077] 	__slab_free+0x2ec/0x460
[11009.908080] 	kfree+0x266/0x280
[11009.908083] 	xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086] 	xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090] 	em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094] 	em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098] 	em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101] 	em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105] 	em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108] 	do_one_initcall+0x141/0x300
[11009.908111] 	do_init_module+0x1d0/0x5ad
[11009.908114] 	load_module+0x6666/0x9ba0
[11009.908117] 	SyS_finit_module+0x108/0x130
[11009.908120] 	entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x          (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001

[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00  ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff  ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G    B   W       4.5.0-rc1+ #43
[11009.908140] Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142]  ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148]  ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153]  ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162]  [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165]  [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168]  [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171]  [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182]  [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185]  [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189]  [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192]  [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196]  [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200]  [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203]  [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206]  [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211]  [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215]  [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219]  [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222]  [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226]  [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230]  [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233]  [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238]  [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242]  [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245]  [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249]  [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253]  [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260]  [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264]  [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268]  [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275]  [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278]  [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292]  [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299]  [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302]  [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306]  [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309]  [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314]  [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317]  [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320]  [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324]  [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327]  [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330]  [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346]  [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350]  [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353]  [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356]  [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361]  [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366]  [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369]  [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374]  [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377]  [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379]  [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383]  [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394]  [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398]  ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401]  ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405]                                            ^
[11009.908407]  ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409]  ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================

In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/tuners/tuner-xc2028.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index 9771cd83c06e..38afc54ef349 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -1385,11 +1385,12 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 	 * in order to avoid troubles during device release.
 	 */
 	kfree(priv->ctrl.fname);
+	priv->ctrl.fname = NULL;
 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
 	if (p->fname) {
 		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
 		if (priv->ctrl.fname == NULL)
-			rc = -ENOMEM;
+			return -ENOMEM;
 	}
 
 	/*
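Review bot: the added priv->ctrl.fname = NULL is overwritten by the memcpy(&priv->ctrl, p, sizeof(priv->ctrl)) on the very next line, so it clears nothing that is read later; whichever pointer still refers to the freed string has to be reset instead. Separately, changing rc = -ENOMEM to return -ENOMEM skips the rest of the function, so anything the common exit path releases stays held; set rc and jump to that exit path instead.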
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] [media] xc2028: unlock on error in xc2028_set_config()
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (50 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] [media] xc2028: avoid use after free Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] block: fix use-after-free in sys_ioprio_get() Jiri Slaby
                   ` (9 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Dan Carpenter, Mauro Carvalho Chehab, Jiri Slaby

From: Dan Carpenter <dan.carpenter@oracle.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d upstream.

We have to unlock before returning -ENOMEM.

Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/tuners/tuner-xc2028.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index 38afc54ef349..ab0bfc46f99f 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -1389,8 +1389,10 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
 	if (p->fname) {
 		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
-		if (priv->ctrl.fname == NULL)
-			return -ENOMEM;
+		if (priv->ctrl.fname == NULL) {
+			rc = -ENOMEM;
+			goto unlock;
+		}
 	}
 
 	/*
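Review bot: on the kstrdup() failure path the goto unlock leaves priv->ctrl already overwritten by the memcpy() above, with fname set to NULL, so the function returns -ENOMEM with a half-applied configuration. Duplicating p->fname into a local before the memcpy(), and committing both only on success, keeps the old configuration intact on error.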
@@ -1422,6 +1424,7 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 		} else
 			priv->state = XC2028_WAITING_FIRMWARE;
 	}
+unlock:
 	mutex_unlock(&priv->lock);
 
 	return rc;
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] block: fix use-after-free in sys_ioprio_get()
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (51 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] [media] xc2028: unlock on error in xc2028_set_config() Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] xc2028: Fix use-after-free bug properly Jiri Slaby
                   ` (8 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Omar Sandoval, Jens Axboe, Jiri Slaby

From: Omar Sandoval <osandov@fb.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 8ba8682107ee2ca3347354e018865d8e1967c5f4 upstream.

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

#include <assert.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

int main(int argc, char **argv)
{
	pid_t pid, child;
	long nproc, i;

	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
	syscall(SYS_ioprio_set, 1, 0, 0x6000);

	nproc = sysconf(_SC_NPROCESSORS_ONLN);

	for (i = 0; i < nproc; i++) {
		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				pid = fork();
				assert(pid != -1);
				if (pid == 0) {
					_exit(0);
				} else {
					child = wait(NULL);
					assert(child == pid);
				}
			}
		}

		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
				syscall(SYS_ioprio_get, 2, 0);
			}
		}
	}

	for (;;) {
		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
		syscall(SYS_ioprio_get, 2, 0);
	}

	return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009] 	___slab_alloc+0x55d/0x5a0
[   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
[   35.530009] 	kmem_cache_alloc_node+0x84/0x200
[   35.530009] 	create_task_io_context+0x2b/0x370
[   35.530009] 	get_task_io_context+0x92/0xb0
[   35.530009] 	copy_process.part.8+0x5029/0x5660
[   35.530009] 	_do_fork+0x155/0x7e0
[   35.530009] 	SyS_clone+0x19/0x20
[   35.530009] 	do_syscall_64+0x195/0x3a0
[   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009] 	__slab_free+0x27b/0x3d0
[   35.530009] 	kmem_cache_free+0x1fb/0x220
[   35.530009] 	put_io_context+0xe7/0x120
[   35.530009] 	put_io_context_active+0x238/0x380
[   35.530009] 	exit_io_context+0x66/0x80
[   35.530009] 	do_exit+0x158e/0x2b90
[   35.530009] 	do_group_exit+0xe5/0x2b0
[   35.530009] 	SyS_exit_group+0x1d/0x20
[   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ioprio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/ioprio.c b/fs/ioprio.c
index 31666c92b46a..563435684c3c 100644
--- a/fs/ioprio.c
+++ b/fs/ioprio.c
@@ -149,8 +149,10 @@ static int get_task_ioprio(struct task_struct *p)
 	if (ret)
 		goto out;
 	ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
+	task_lock(p);
 	if (p->io_context)
 		ret = p->io_context->ioprio;
+	task_unlock(p);
 out:
 	return ret;
 }
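Review bot: task_lock(p) is taken without a comment saying what it protects. A short note above it that the lock keeps exit_io_context() from freeing p->io_context while ->ioprio is read would stop the pair being removed as redundant later, and any other place in this file that reads p->io_context for a task other than current needs the same lock.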
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] xc2028: Fix use-after-free bug properly
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (52 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] block: fix use-after-free in sys_ioprio_get() Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] sg: Fix double-free when drives detach during SG_IO Jiri Slaby
                   ` (7 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Takashi Iwai, Mauro Carvalho Chehab, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 22a1e7783e173ab3d86018eb590107d68df46c11 upstream.

The commit 8dfbcc4351a0 ("[media] xc2028: avoid use after free") tried
to address the reported use-after-free by clearing the reference.

However, it's clearing the wrong pointer; it sets NULL to
priv->ctrl.fname, but it's anyway overwritten by the next line
memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).

OTOH, the actual code accessing the freed string is the strcmp() call
with priv->fname:
	if (!firmware_name[0] && p->fname &&
	    priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);

where priv->fname points to the previous file name, and this was
already freed by kfree().

For fixing the bug properly, this patch does the following:

- Keep the copy of firmware file name in only priv->fname,
  priv->ctrl.fname isn't changed;
- The allocation is done only when the firmware gets loaded;
- The kfree() is called in free_firmware() commonly

Fixes: commit 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/tuners/tuner-xc2028.c | 36 ++++++++++++++++--------------------
 1 file changed, 16 insertions(+), 20 deletions(-)

diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index ab0bfc46f99f..3a615e4c4991 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -289,6 +289,14 @@ static void free_firmware(struct xc2028_data *priv)
 	int i;
 	tuner_dbg("%s called\n", __func__);
 
+	/* free allocated f/w string */
+	if (priv->fname != firmware_name)
+		kfree(priv->fname);
+	priv->fname = NULL;
+
+	priv->state = XC2028_NO_FIRMWARE;
+	memset(&priv->cur_fw, 0, sizeof(priv->cur_fw));
+
 	if (!priv->firm)
 		return;
 
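Review bot: ownership of priv->fname is decided only by the pointer comparison priv->fname != firmware_name, so any later assignment of another non-heap string to priv->fname would be passed to kfree(). Please extend the comment to state that priv->fname is either firmware_name itself or a kstrdup() copy. Note also that priv->state and priv->cur_fw are now reset before the if (!priv->firm) early return, so free_firmware() changes state even when no firmware was loaded; say so in the changelog if that is intended.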
@@ -299,9 +307,6 @@ static void free_firmware(struct xc2028_data *priv)
 
 	priv->firm = NULL;
 	priv->firm_size = 0;
-	priv->state = XC2028_NO_FIRMWARE;
-
-	memset(&priv->cur_fw, 0, sizeof(priv->cur_fw));
 }
 
 static int load_all_firmwares(struct dvb_frontend *fe,
@@ -890,9 +895,9 @@ read_not_reliable:
 	return 0;
 
 fail:
+	free_firmware(priv);
 	priv->state = XC2028_SLEEP;
 
-	memset(&priv->cur_fw, 0, sizeof(priv->cur_fw));
 	if (retry_count < 8) {
 		msleep(50);
 		retry_count++;
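Review bot: free_firmware(priv) on the fail: path sets priv->state to XC2028_NO_FIRMWARE and the next line immediately overwrites it with XC2028_SLEEP, while priv->fname has just been freed and set to NULL. The retry below therefore runs with no firmware name and a state that does not say the firmware is gone; either keep the state free_firmware() set or add a comment explaining how the name and firmware are re-established before the retry.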
@@ -1314,11 +1319,8 @@ static int xc2028_dvb_release(struct dvb_frontend *fe)
 	mutex_lock(&xc2028_list_mutex);
 
 	/* only perform final cleanup if this is the last instance */
-	if (hybrid_tuner_report_instance_count(priv) == 1) {
+	if (hybrid_tuner_report_instance_count(priv) == 1)
 		free_firmware(priv);
-		kfree(priv->ctrl.fname);
-		priv->ctrl.fname = NULL;
-	}
 
 	if (priv)
 		hybrid_tuner_release_state(priv);
@@ -1381,19 +1383,8 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 
 	/*
 	 * Copy the config data.
-	 * For the firmware name, keep a local copy of the string,
-	 * in order to avoid troubles during device release.
 	 */
-	kfree(priv->ctrl.fname);
-	priv->ctrl.fname = NULL;
 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
-	if (p->fname) {
-		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
-		if (priv->ctrl.fname == NULL) {
-			rc = -ENOMEM;
-			goto unlock;
-		}
-	}
 
 	/*
 	 * If firmware name changed, frees firmware. As free_firmware will
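Review bot: with the kstrdup() removed, the memcpy() leaves priv->ctrl.fname pointing at the caller's p->fname string, and the deleted comment was the only place that explained why a local copy used to be kept. Replace it with a comment stating that priv->ctrl.fname is caller-owned, must not be freed by the driver and is only valid as long as the caller keeps it, and that priv->fname holds the driver's own copy.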
@@ -1408,10 +1399,15 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 
 	if (priv->state == XC2028_NO_FIRMWARE) {
 		if (!firmware_name[0])
-			priv->fname = priv->ctrl.fname;
+			priv->fname = kstrdup(p->fname, GFP_KERNEL);
 		else
 			priv->fname = firmware_name;
 
+		if (!priv->fname) {
+			rc = -ENOMEM;
+			goto unlock;
+		}
+
 		rc = request_firmware_nowait(THIS_MODULE, 1,
 					     priv->fname,
 					     priv->i2c_props.adap->dev.parent,
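Review bot: kstrdup(p->fname, GFP_KERNEL) is called without checking p->fname, and kstrdup() returns NULL for a NULL argument, so a config passed without a firmware name now fails with -ENOMEM although no allocation failed. Check p->fname first and return a distinct error such as -EINVAL for the missing name, keeping -ENOMEM for a real allocation failure.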
-- 
2.11.0
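
The pointer aliasing described in the commit message above, as a constructed userspace model in C (an added example, not the driver's code). priv->fname and priv->ctrl.fname are the patch's names; dup_str(), set_fname(), fname_id, last_freed, max_len and run_scenario() are hypothetical, and the firmware_name module parameter and the state machine are left out.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: ctrl.fname and fname follow the patch, the rest is assumed. */
struct ctrl {
	char *fname;
	int max_len;
};

struct priv {
	struct ctrl ctrl;
	char *fname;          /* name handed to the firmware loader */
	uintptr_t fname_id;   /* model only: address stored in fname */
	uintptr_t last_freed; /* model only: address last passed to free() */
};

static char *dup_str(const char *s)
{
	size_t n = strlen(s) + 1;
	char *d = malloc(n);

	return d ? memcpy(d, s, n) : NULL;
}

static void set_fname(struct priv *priv, char *name)
{
	priv->fname = name;
	priv->fname_id = (uintptr_t)name;
	if (name && priv->fname_id == priv->last_freed)
		priv->last_freed = 0;	/* address was reused, it is live again */
}

/* Shape of xc2028_set_config() after 8dfbcc4351a0: the copy lives in ctrl.fname. */
static int set_config_v1(struct priv *priv, const struct ctrl *p)
{
	priv->last_freed = (uintptr_t)priv->ctrl.fname;
	free(priv->ctrl.fname);
	priv->ctrl.fname = NULL;	/* lost again in the memcpy() below */
	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
	if (p->fname) {
		priv->ctrl.fname = dup_str(p->fname);
		if (!priv->ctrl.fname)
			return -1;
	}
	/* The driver calls strcmp(p->fname, priv->fname) at this point.
	 * The model reports the dangling alias instead of reading it. */
	if (p->fname && priv->fname_id && priv->fname_id == priv->last_freed)
		return 1;
	set_fname(priv, priv->ctrl.fname);
	return 0;
}

/* Shape after 22a1e7783e17: priv->fname is the only owned copy. */
static void free_firmware(struct priv *priv)
{
	priv->last_freed = priv->fname_id;
	free(priv->fname);
	set_fname(priv, NULL);
}

static int set_config_v2(struct priv *priv, const struct ctrl *p)
{
	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));	/* ctrl.fname stays caller-owned */
	if (priv->fname_id && priv->fname_id == priv->last_freed)
		return 1;	/* not reached: free_firmware() clears fname */
	if (p->fname && priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);	/* safe: priv->fname is still live */
	if (!priv->fname && p->fname) {
		set_fname(priv, dup_str(p->fname));
		if (!priv->fname)
			return -1;
	}
	return 0;
}

/* Configure twice with different names; returns the second call's result:
 * 1 = the name comparison would read freed memory, 0 = clean. */
static int run_scenario(int version)
{
	struct priv priv;
	struct ctrl a = { (char *)"a.fw", 64 }, b = { (char *)"b.fw", 64 };
	int (*cfg)(struct priv *, const struct ctrl *) =
		version == 1 ? set_config_v1 : set_config_v2;
	int rc;

	memset(&priv, 0, sizeof(priv));
	if (cfg(&priv, &a))
		return -1;
	rc = cfg(&priv, &b);
	if (version == 1) {
		free(priv.ctrl.fname);	/* priv.fname dangles, do not free it */
	} else {
		if (rc == 0 && strcmp(priv.fname, "b.fw"))
			rc = -1;
		free(priv.fname);
	}
	return rc;
}
```

run_scenario(1) returns 1 because priv->fname still holds the address freed through priv->ctrl.fname, whereas run_scenario(2) returns 0 with priv->fname holding its own copy of the second name.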


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] sg: Fix double-free when drives detach during SG_IO
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (53 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] xc2028: Fix use-after-free bug properly Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] fuse: do not use iocb after it may have been freed Jiri Slaby
                   ` (6 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Calvin Owens, Martin K . Petersen, Jiri Slaby

From: Calvin Owens <calvinowens@fb.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f3951a3709ff50990bf3e188c27d346792103432 upstream.

In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().

Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.

This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:

  ------------[ cut here ]------------
  kernel BUG at block/blk-core.c:1420!
  Call Trace:
  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
  [<ffffffff81602afb>] tracesys+0xdd/0xe2
    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free
it.

Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/sg.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 291791a9be8b..0b27d293dd83 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -769,8 +769,14 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
 		return k;	/* probably out of space --> ENOMEM */
 	}
 	if (sdp->detached) {
-		if (srp->bio)
+		if (srp->bio) {
+			if (srp->rq->cmd != srp->rq->__cmd)
+				kfree(srp->rq->cmd);
+
 			blk_end_request_all(srp->rq, -EIO);
+			srp->rq = NULL;
+		}
+
 		sg_finish_rem_req(srp);
 		return -ENODEV;
 	}
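Review bot: in the srp->bio branch srp->rq->cmd is freed before blk_end_request_all(srp->rq, -EIO) and is not cleared, so the request carries a dangling cmd pointer through completion. Either reset it to srp->rq->__cmd after the kfree() or add a comment that nothing on the completion path reads it. A comment is also needed on srp->rq = NULL, since that assignment is the only thing stopping sg_finish_rem_req() on the following line from releasing the request a second time.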
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] fuse: do not use iocb after it may have been freed
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (54 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] sg: Fix double-free when drives detach during SG_IO Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) Jiri Slaby
                   ` (5 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Robert Doebbelin, Miklos Szeredi, Jan Kara, Jiri Slaby

From: Robert Doebbelin <robert@quobyte.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 7cabc61e01a0a8b663bd2b4c982aa53048218734 upstream.

There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an
iocb that could have been freed if async io has already completed.  The fix
in this case is simple and obvious: cache the result before starting io.

It was discovered by KASan:

Kernel: ==================================================================
Kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390

Signed-off-by: Robert Doebbelin <robert@quobyte.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: bcba24ccdc82 ("fuse: enable asynchronous processing direct IO")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/fuse/file.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 8ef52e12cd57..f6314cd3e3b0 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2393,6 +2393,7 @@ fuse_direct_IO(int rw, struct kiocb *iocb, const struct iovec *iov,
 	loff_t i_size;
 	size_t count = iov_length(iov, nr_segs);
 	struct fuse_io_priv *io;
+	bool is_sync = is_sync_kiocb(iocb);
 
 	pos = offset;
 	inode = file->f_mapping->host;
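Review bot: is_sync is cached at its declaration with no comment, so the reason it must not be recomputed from iocb later in the function exists only in the changelog. Add a one-line comment at the declaration that iocb may already have been freed once async I/O has been submitted, so a later cleanup does not turn !is_sync back into !is_sync_kiocb(iocb).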
@@ -2428,7 +2429,7 @@ fuse_direct_IO(int rw, struct kiocb *iocb, const struct iovec *iov,
 	 * to wait on real async I/O requests, so we must submit this request
 	 * synchronously.
 	 */
-	if (!is_sync_kiocb(iocb) && (offset + count > i_size) && rw == WRITE)
+	if (!is_sync && (offset + count > i_size) && rw == WRITE)
 		io->async = false;
 
 	if (rw == WRITE)
@@ -2440,7 +2441,7 @@ fuse_direct_IO(int rw, struct kiocb *iocb, const struct iovec *iov,
 		fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
 
 		/* we have a non-extending, async request, so return */
-		if (!is_sync_kiocb(iocb))
+		if (!is_sync)
 			return -EIOCBQUEUED;
 
 		ret = wait_on_sync_kiocb(iocb);
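Review bot: after fuse_aio_complete() the code still passes iocb to wait_on_sync_kiocb(); that line is only reached when is_sync is true, but nothing here says why the iocb is still valid at that point. A short comment on that line stating why a synchronous iocb cannot have been freed by completion would make the remaining use auditable.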
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon)
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (55 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] fuse: do not use iocb after it may have been freed Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] x86/apic: Order irq_enter/exit() calls correctly vs. ack_APIC_irq() Jiri Slaby
                   ` (4 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 6f18493e541c690169c3b1479d47d95f624161cf upstream.

and lock the right list there

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: NeilBrown <neilb@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/dcache.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 11ded5b0b853..9a5e9082feb1 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2623,6 +2623,12 @@ static void __d_materialise_dentry(struct dentry *dentry, struct dentry *anon)
 	dentry->d_parent = dentry;
 	list_del_init(&dentry->d_child);
 	anon->d_parent = dparent;
+	if (likely(!d_unhashed(anon))) {
+		hlist_bl_lock(&anon->d_sb->s_anon);
+		__hlist_bl_del(&anon->d_hash);
+		anon->d_hash.pprev = NULL;
+		hlist_bl_unlock(&anon->d_sb->s_anon);
+	}
 	list_move(&anon->d_child, &dparent->d_subdirs);
 
 	write_seqcount_end(&dentry->d_seq);
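Review bot: the added block open-codes the unhash (__hlist_bl_del() plus d_hash.pprev = NULL) under the s_anon bucket lock, replacing the __d_drop(alias) call removed from d_materialise_unique(), but neither the code nor the one-line changelog says why s_anon is the right list for anon here. Add a comment above the if stating that, and consider a small helper so the open-coded sequence does not drift from __d_drop().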
@@ -2677,7 +2683,6 @@ struct dentry *d_materialise_unique(struct dentry *dentry, struct inode *inode)
 				 * could splice into our tree? */
 				__d_materialise_dentry(dentry, alias);
 				write_sequnlock(&rename_lock);
-				__d_drop(alias);
 				goto found;
 			} else {
 				/* Nope, but we must(!) avoid directory
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 70+ messages in thread

* [patch added to 3.12-stable] x86/apic: Order irq_enter/exit() calls correctly vs. ack_APIC_irq()
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (56 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] serial: 8250_pci: Detach low-level driver during PCI error recovery Jiri Slaby
                   ` (3 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Wanpeng Li, Peter Zijlstra, Thomas Gleixner, Jiri Slaby

From: Wanpeng Li <wanpeng.li@hotmail.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit b0f48706a176b71a6e54f399d7404bbeeaa7cfab upstream.

===============================
[ INFO: suspicious RCU usage. ]
4.8.0-rc6+ #5 Not tainted
-------------------------------
./arch/x86/include/asm/msr-trace.h:47 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

RCU used illegally from idle CPU!
rcu_scheduler_active = 1, debug_locks = 0
RCU used illegally from extended quiescent state!
no locks held by swapper/2/0.

stack backtrace:
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.8.0-rc6+ #5
Hardware name: Dell Inc. OptiPlex 7020/0F5C5X, BIOS A03 01/08/2015
 0000000000000000 ffff8d1bd6003f10 ffffffff94446949 ffff8d1bd4a68000
 0000000000000001 ffff8d1bd6003f40 ffffffff940e9247 ffff8d1bbdfcf3d0
 000000000000080b 0000000000000000 0000000000000000 ffff8d1bd6003f70
Call Trace:
 <IRQ>  [<ffffffff94446949>] dump_stack+0x99/0xd0
 [<ffffffff940e9247>] lockdep_rcu_suspicious+0xe7/0x120
 [<ffffffff9448e0d5>] do_trace_write_msr+0x135/0x140
 [<ffffffff9406e750>] native_write_msr+0x20/0x30
 [<ffffffff9406503d>] native_apic_msr_eoi_write+0x1d/0x30
 [<ffffffff9405b17e>] smp_trace_call_function_interrupt+0x1e/0x270
 [<ffffffff948cb1d6>] trace_call_function_interrupt+0x96/0xa0
 <EOI>  [<ffffffff947200f4>] ? cpuidle_enter_state+0xe4/0x360
 [<ffffffff947200df>] ? cpuidle_enter_state+0xcf/0x360
 [<ffffffff947203a7>] cpuidle_enter+0x17/0x20
 [<ffffffff940df008>] cpu_startup_entry+0x338/0x4d0
 [<ffffffff9405bfc4>] start_secondary+0x154/0x180

This can be reproduced readily by running ftrace test case of kselftest.

Move the irq_enter() call before ack_APIC_irq(), because irq_enter() tells
the RCU subsystems to end the extended quiescent state, so that the
following trace call in ack_APIC_irq() works correctly. The same applies to
exiting_ack_irq() which calls ack_APIC_irq() after irq_exit().

[ tglx: Massaged changelog ]

Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Link: http://lkml.kernel.org/r/1474198491-3738-1-git-send-email-wanpeng.li@hotmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/include/asm/apic.h | 3 +--
 arch/x86/kernel/smp.c       | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
index 29559831c94f..43849c3d6275 100644
--- a/arch/x86/include/asm/apic.h
+++ b/arch/x86/include/asm/apic.h
@@ -710,9 +710,8 @@ static inline void exiting_irq(void)
 
 static inline void exiting_ack_irq(void)
 {
-	irq_exit();
-	/* Ack only at the end to avoid potential reentry */
 	ack_APIC_irq();
+	irq_exit();
 }
 
 extern void ioapic_zap_locks(void);
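Review bot: in `exiting_ack_irq()` the comment "Ack only at the end to avoid potential reentry" is deleted together with the ordering it justified, while the changelog explains only the RCU/tracing side. Please state why acking before `irq_exit()` no longer risks the reentry that comment warned about, and replace it with a comment saying that `ack_APIC_irq()` contains a trace call and so has to run before `irq_exit()`.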
diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
index 7c3a5a61f2e4..e5d895fa1fe0 100644
--- a/arch/x86/kernel/smp.c
+++ b/arch/x86/kernel/smp.c
@@ -267,8 +267,8 @@ __visible void smp_reschedule_interrupt(struct pt_regs *regs)
 
 static inline void smp_entering_irq(void)
 {
-	ack_APIC_irq();
 	irq_enter();
+	ack_APIC_irq();
 }
 
 __visible void smp_trace_reschedule_interrupt(struct pt_regs *regs)
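Review bot: `smp_entering_irq()` now depends on `irq_enter()` running before `ack_APIC_irq()`, but nothing in the function says so and the two calls look freely reorderable. A short comment above `irq_enter()` (RCU has to leave the extended quiescent state before the EOI write can be traced) would stop a later cleanup from swapping them back.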
-- 
2.11.0



* [patch added to 3.12-stable] serial: 8250_pci: Detach low-level driver during PCI error recovery
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (57 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] x86/apic: Order irq_enter/exit() calls correctly vs. ack_APIC_irq() Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] bnx2x: Correct ringparam estimate when DOWN Jiri Slaby
                   ` (2 subsequent siblings)
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Gabriel Krisman Bertazi, Greg Kroah-Hartman, Jiri Slaby

From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit f209fa03fc9d131b3108c2e4936181eabab87416 upstream.

During a PCI error recovery, like the ones provoked by EEH in the ppc64
platform, all IO to the device must be blocked while the recovery is
completed.  Current 8250_pci implementation only suspends the port
instead of detaching it, which doesn't prevent incoming accesses like
TIOCMGET and TIOCMSET calls from reaching the device.  Those end up
racing with the EEH recovery, crashing it.  Similar races were also
observed when opening the device and when shutting it down during
recovery.

This patch implements a more robust IO blockage for the 8250_pci
recovery by unregistering the port at the beginning of the procedure and
re-adding it afterwards.  Since the port is detached from the uart
layer, we can be sure that no request will make it through to the device
during recovery.  This is similar to the solution used by the JSM serial
driver.

I thank Peter Hurley <peter@hurleysoftware.com> for valuable input on
this one over one year ago.

Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/tty/serial/8250/8250_pci.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
index 3299168189cc..e93eaea14ccc 100644
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -55,6 +55,7 @@ struct serial_private {
 	unsigned int		nr;
 	void __iomem		*remapped_bar[PCI_NUM_BAR_RESOURCES];
 	struct pci_serial_quirk	*quirk;
+	const struct pciserial_board *board;
 	int			line[0];
 };
 
@@ -3451,6 +3452,7 @@ pciserial_init_ports(struct pci_dev *dev, const struct pciserial_board *board)
 		}
 	}
 	priv->nr = i;
+	priv->board = board;
 	return priv;
 
 err_deinit:
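Review bot: `priv->board = board` stores the caller's pointer rather than a copy, and `serial8250_io_resume()` later passes it back into `pciserial_init_ports()`. Nothing in this patch shows that every `board` handed to `pciserial_init_ports()` outlives `priv`; if any caller passes a temporary, resume would read a stale pointer. Either copy the structure into `serial_private` or document the lifetime requirement on the new field.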
@@ -3461,7 +3463,7 @@ err_out:
 }
 EXPORT_SYMBOL_GPL(pciserial_init_ports);
 
-void pciserial_remove_ports(struct serial_private *priv)
+void pciserial_detach_ports(struct serial_private *priv)
 {
 	struct pci_serial_quirk *quirk;
 	int i;
@@ -3481,7 +3483,11 @@ void pciserial_remove_ports(struct serial_private *priv)
 	quirk = find_quirk(priv->dev);
 	if (quirk->exit)
 		quirk->exit(priv->dev);
+}
 
+void pciserial_remove_ports(struct serial_private *priv)
+{
+	pciserial_detach_ports(priv);
 	kfree(priv);
 }
 EXPORT_SYMBOL_GPL(pciserial_remove_ports);
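Review bot: `pciserial_detach_ports()` is defined non-static with no `EXPORT_SYMBOL_GPL`, and the diffstat touches only 8250_pci.c, so no prototype is added anywhere. If it is only meant for the error handlers in this file, make it `static`; if it is meant to be API like `pciserial_remove_ports()`, it needs a declaration and an export.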
@@ -5039,7 +5045,7 @@ static pci_ers_result_t serial8250_io_error_detected(struct pci_dev *dev,
 		return PCI_ERS_RESULT_DISCONNECT;
 
 	if (priv)
-		pciserial_suspend_ports(priv);
+		pciserial_detach_ports(priv);
 
 	pci_disable_device(dev);
 
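Review bot: after `pciserial_detach_ports(priv)` in `serial8250_io_error_detected()`, `priv` stays in drvdata with its ports already unregistered. `pciserial_remove_ports()` now starts by calling `pciserial_detach_ports()` as well, so if the device is removed before `serial8250_io_resume()` runs, the detach path runs twice on the same `priv`. Please confirm the detach is safe to repeat, or record in `priv` that it has already been detached.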
@@ -5064,9 +5070,18 @@ static pci_ers_result_t serial8250_io_slot_reset(struct pci_dev *dev)
 static void serial8250_io_resume(struct pci_dev *dev)
 {
 	struct serial_private *priv = pci_get_drvdata(dev);
+	const struct pciserial_board *board;
 
-	if (priv)
-		pciserial_resume_ports(priv);
+	if (!priv)
+		return;
+
+	board = priv->board;
+	kfree(priv);
+	priv = pciserial_init_ports(dev, board);
+
+	if (!IS_ERR(priv)) {
+		pci_set_drvdata(dev, priv);
+	}
 }
 
 static const struct pci_error_handlers serial8250_err_handler = {
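Review bot: in `serial8250_io_resume()`, `priv` is freed before `pciserial_init_ports()` is called, and drvdata is updated only when that call succeeds. On failure drvdata still points at the freed `serial_private`, so any later `pci_get_drvdata()` user gets a dangling pointer. Clear drvdata in the error branch (or set it to NULL before `kfree(priv)`), and drop the braces around the single-statement `if`.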
-- 
2.11.0



* [patch added to 3.12-stable] bnx2x: Correct ringparam estimate when DOWN
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (58 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] serial: 8250_pci: Detach low-level driver during PCI error recovery Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed() Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] tmpfs: clear S_ISGID when setting posix ACLs Jiri Slaby
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Mintz, Yuval, David S . Miller, Jiri Slaby

From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 65870fa77fd7f83d7be4ed924d47ed9e3831f434 upstream.

Until interface is up [and assuming ringparams weren't explicitly
configured] when queried for the size of its rings bnx2x would
claim they're the maximal size by default.
That is incorrect as by default the maximal number of buffers would
be equally divided between the various rx rings.

This prevents the user from actually setting the number of elements
on each rx ring to be of maximal size prior to transitioning the
interface into up state.

To fix this, make a rough estimation about the number of buffers.
It wouldn't always be accurate, but it would be much better than
current estimation and would allow users to increase number of
buffers during early initialization of the interface.

Reported-by: Seymour, Shane <shane.seymour@hpe.com>
Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
index 97fe8e6dba79..5ef133a5a48b 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
@@ -1776,8 +1776,16 @@ static void bnx2x_get_ringparam(struct net_device *dev,
 
 	ering->rx_max_pending = MAX_RX_AVAIL;
 
+	/* If size isn't already set, we give an estimation of the number
+	 * of buffers we'll have. We're neglecting some possible conditions
+	 * [we couldn't know for certain at this point if number of queues
+	 * might shrink] but the number would be correct for the likely
+	 * scenario.
+	 */
 	if (bp->rx_ring_size)
 		ering->rx_pending = bp->rx_ring_size;
+	else if (BNX2X_NUM_RX_QUEUES(bp))
+		ering->rx_pending = MAX_RX_AVAIL / BNX2X_NUM_RX_QUEUES(bp);
 	else
 		ering->rx_pending = MAX_RX_AVAIL;
 
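Review bot: the new comment sits above `if (bp->rx_ring_size)` but describes only the `else if` branch, and the final `else` still reports `MAX_RX_AVAIL`, the value the changelog calls incorrect, whenever `BNX2X_NUM_RX_QUEUES(bp)` is zero. Move the comment to the branch it explains and say when the last fallback can be reached; reading the macro once into a local would also make the divide-by-zero guard easier to follow.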
-- 
2.11.0



* [patch added to 3.12-stable] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed()
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (59 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] bnx2x: Correct ringparam estimate when DOWN Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  2017-01-27 10:47 ` [patch added to 3.12-stable] tmpfs: clear S_ISGID when setting posix ACLs Jiri Slaby
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable
  Cc: Tariq Saeed, Joel Becker, Joseph Qi, Andrew Morton,
	Linus Torvalds, Jiri Slaby

From: Tariq Saeed <tariq.x.saeed@oracle.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 3d46a44a0c01b15d385ccaae24b56f619613c256 upstream.

PID: 614    TASK: ffff882a739da580  CPU: 3   COMMAND: "ocfs2dc"
  #0 [ffff882ecc3759b0] machine_kexec at ffffffff8103b35d
  #1 [ffff882ecc375a20] crash_kexec at ffffffff810b95b5
  #2 [ffff882ecc375af0] oops_end at ffffffff815091d8
  #3 [ffff882ecc375b20] die at ffffffff8101868b
  #4 [ffff882ecc375b50] do_trap at ffffffff81508bb0
  #5 [ffff882ecc375ba0] do_invalid_op at ffffffff810165e5
  #6 [ffff882ecc375c40] invalid_op at ffffffff815116fb
     [exception RIP: ocfs2_ci_checkpointed+208]
     RIP: ffffffffa0a7e940  RSP: ffff882ecc375cf0  RFLAGS: 00010002
     RAX: 0000000000000001  RBX: 000000000000654b  RCX: ffff8812dc83f1f8
     RDX: 00000000000017d9  RSI: ffff8812dc83f1f8  RDI: ffffffffa0b2c318
     RBP: ffff882ecc375d20   R8: ffff882ef6ecfa60   R9: ffff88301f272200
     R10: 0000000000000000  R11: 0000000000000000  R12: ffffffffffffffff
     R13: ffff8812dc83f4f0  R14: 0000000000000000  R15: ffff8812dc83f1f8
     ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
  #7 [ffff882ecc375d28] ocfs2_check_meta_downconvert at ffffffffa0a7edbd [ocfs2]
  #8 [ffff882ecc375d38] ocfs2_unblock_lock at ffffffffa0a84af8 [ocfs2]
  #9 [ffff882ecc375dc8] ocfs2_process_blocked_lock at ffffffffa0a85285 [ocfs2]
assert is tripped because the tran is not checkpointed and the lock level is PR.

Some time ago, chmod command had been executed. As a result, the following call
chain left the inode cluster lock in PR state, later on causing the assert.
system_call_fastpath
  -> my_chmod
   -> sys_chmod
    -> sys_fchmodat
     -> notify_change
      -> ocfs2_setattr
       -> posix_acl_chmod
        -> ocfs2_iop_set_acl
         -> ocfs2_set_acl
          -> ocfs2_acl_set_mode
Here is how.
1119 int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
1120 {
1247         ocfs2_inode_unlock(inode, 1); <<< WRONG thing to do.
..
1258         if (!status && attr->ia_valid & ATTR_MODE) {
1259                 status =  posix_acl_chmod(inode, inode->i_mode);

519 posix_acl_chmod(struct inode *inode, umode_t mode)
520 {
..
539         ret = inode->i_op->set_acl(inode, acl, ACL_TYPE_ACCESS);

287 int ocfs2_iop_set_acl(struct inode *inode, struct posix_acl *acl, ...
288 {
289         return ocfs2_set_acl(NULL, inode, NULL, type, acl, NULL, NULL);

224 int ocfs2_set_acl(handle_t *handle,
225                          struct inode *inode, ...
231 {
..
252                                 ret = ocfs2_acl_set_mode(inode, di_bh,
253                                                          handle, mode);

168 static int ocfs2_acl_set_mode(struct inode *inode, struct buffer_head ...
170 {
183         if (handle == NULL) {
                    >>> BUG: inode lock not held in ex at this point <<<
184                 handle = ocfs2_start_trans(OCFS2_SB(inode->i_sb),
185                                            OCFS2_INODE_UPDATE_CREDITS);

ocfs2_setattr.#1247 we unlock and at #1259 call posix_acl_chmod. When we reach
ocfs2_acl_set_mode.#181 and do trans, the inode cluster lock is not held in EX
mode (it should be). How could this have happened?

We are the lock master, were holding lock EX and have released it in
ocfs2_setattr.#1247.  Note that there are no holders of this lock at
this point.  Another node needs the lock in PR, and we downconvert from
EX to PR.  So the inode lock is PR when we do the trans in
ocfs2_acl_set_mode.#184.  The trans stays in core (not flushed to disc).
Now another node wants the lock in EX, downconvert thread gets kicked
(the one that tripped assert above), finds an unflushed trans but the
lock is not EX (it is PR).  If the lock was at EX, it would have flushed
the trans ocfs2_ci_checkpointed -> ocfs2_start_checkpoint before
downconverting (to NULL) for the request.

ocfs2_setattr must not drop inode lock ex in this code path.  If it
does, takes it again before the trans, say in ocfs2_set_acl, another
cluster node can get in between, execute another setattr, overwriting
the one in progress on this node, resulting in a mode acl size combo
that is a mix of the two.

Orabug: 20189959
Signed-off-by: Tariq Saeed <tariq.x.saeed@oracle.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Joseph Qi <joseph.qi@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ocfs2/file.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
index 54ba0afacf00..7201b56e8f2c 100644
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1100,6 +1100,7 @@ out:
 int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
 {
 	int status = 0, size_change;
+	int inode_locked = 0;
 	struct inode *inode = dentry->d_inode;
 	struct super_block *sb = inode->i_sb;
 	struct ocfs2_super *osb = OCFS2_SB(sb);
@@ -1145,6 +1146,7 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
 			mlog_errno(status);
 		goto bail_unlock_rw;
 	}
+	inode_locked = 1;
 
 	if (size_change && attr->ia_size != i_size_read(inode)) {
 		status = inode_newsize_ok(inode, attr->ia_size);
@@ -1225,7 +1227,10 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
 bail_commit:
 	ocfs2_commit_trans(osb, handle);
 bail_unlock:
-	ocfs2_inode_unlock(inode, 1);
+	if (status) {
+		ocfs2_inode_unlock(inode, 1);
+		inode_locked = 0;
+	}
 bail_unlock_rw:
 	if (size_change)
 		ocfs2_rw_unlock(inode, 1);
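Review bot: at `bail_unlock` the inode lock is now released only when `status` is non-zero, so on success it is still held while `ocfs2_rw_unlock(inode, 1)` runs and is dropped later under `inode_locked`. That makes the release order differ between the success and failure paths, and the hunk carries no comment explaining why. Add a comment at `bail_unlock` saying the EX lock is deliberately kept across the code that follows on success, so the conditional is not mistaken for a leak.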
@@ -1241,6 +1246,8 @@ bail:
 		if (status < 0)
 			mlog_errno(status);
 	}
+	if (inode_locked)
+		ocfs2_inode_unlock(inode, 1);
 
 	return status;
 }
-- 
2.11.0



* [patch added to 3.12-stable] tmpfs: clear S_ISGID when setting posix ACLs
  2017-01-27 10:46 [patch added to 3.12-stable] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (60 preceding siblings ...)
  2017-01-27 10:47 ` [patch added to 3.12-stable] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed() Jiri Slaby
@ 2017-01-27 10:47 ` Jiri Slaby
  61 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:47 UTC (permalink / raw
  To: stable; +Cc: Gu Zheng, Al Viro, Jan Kara, Jiri Slaby

From: Gu Zheng <guzheng1@huawei.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream.

The tmpfs modification was missed in the CVE-2016-7097
commit 073931017b49 ("posix_acl: Clear SGID bit when setting
file permissions").
It can be tested by xfstest generic/375, which failed to clear
the setgid bit in the following test case on tmpfs:

  touch $testfile
  chown 100:100 $testfile
  chmod 2755 $testfile
  _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile

Signed-off-by: Gu Zheng <guzheng1@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/generic_acl.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/fs/generic_acl.c b/fs/generic_acl.c
index b3f3676796d3..7855cfb938f6 100644
--- a/fs/generic_acl.c
+++ b/fs/generic_acl.c
@@ -82,19 +82,21 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value,
 			return PTR_ERR(acl);
 	}
 	if (acl) {
+		struct posix_acl *old_acl;
+
 		error = posix_acl_valid(acl);
 		if (error)
 			goto failed;
 		switch (type) {
 		case ACL_TYPE_ACCESS:
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
+			old_acl = acl;
+			error = posix_acl_update_mode(inode, &inode->i_mode,
+						      &acl);
 			if (error < 0)
 				goto failed;
+			if (!acl)
+				posix_acl_release(old_acl);
 			inode->i_ctime = CURRENT_TIME;
-			if (error == 0) {
-				posix_acl_release(acl);
-				acl = NULL;
-			}
 			break;
 		case ACL_TYPE_DEFAULT:
 			if (!S_ISDIR(inode->i_mode)) {
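Review bot: in the `ACL_TYPE_ACCESS` case the removed `error == 0` branch made it explicit that the ACL is dropped when the mode bits can express it; the replacement relies on `posix_acl_update_mode()` clearing `acl` through `&acl`, with `old_acl` kept only so it can be released. That contract is not obvious at the call site, so a one-line comment above the `if (!acl)` check would help.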
-- 
2.11.0



* Re: [patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr()
  2017-01-27 10:47 ` [patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr() Jiri Slaby
@ 2017-01-27 10:54   ` Vegard Nossum
  2017-01-27 12:16     ` Jiri Slaby
  0 siblings, 1 reply; 70+ messages in thread
From: Vegard Nossum @ 2017-01-27 10:54 UTC (permalink / raw
  To: Jiri Slaby, stable
  Cc: Al Viro, John Johansen, Paul Moore, Stephen Smalley, Eric Paris,
	Casey Schaufler, James Morris

On 27/01/2017 11:47, Jiri Slaby wrote:
> From: Vegard Nossum <vegard.nossum@oracle.com>
>
> This patch has been added to the 3.12 stable tree. If you have any
> objections, please let us know.
>
> ===============
>
> commit e89b8081327ac9efbf273e790b8677e64fd0361a upstream.

IIRC this fixed a bug introduced in 4.7 or 4.8 or something, so I don't
think it's needed for 3.12, unless...

>
> When proc_pid_attr_write() was changed to use memdup_user apparmor's
> (interface violating) assumption that the setprocattr buffer was always
> a single page was violated.
>
> The size test is not strictly speaking needed as proc_pid_attr_write()
> will reject anything larger, but for the sake of robustness we can keep
> it in.
>
> SMACK and SELinux look safe to me, but somebody else should probably
> have a look just in case.
>
> Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
> modified for the case that apparmor provides null termination.
>
> Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a

...unless 3.12 has a backport of this commit?

Or did you find that older kernels are vulnerable too?


Vegard


* Re: [patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr()
  2017-01-27 10:54   ` Vegard Nossum
@ 2017-01-27 12:16     ` Jiri Slaby
  0 siblings, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-27 12:16 UTC (permalink / raw
  To: Vegard Nossum, stable
  Cc: Al Viro, John Johansen, Paul Moore, Stephen Smalley, Eric Paris,
	Casey Schaufler, James Morris

On 01/27/2017, 11:54 AM, Vegard Nossum wrote:
> On 27/01/2017 11:47, Jiri Slaby wrote:
>> From: Vegard Nossum <vegard.nossum@oracle.com>
>>
>> This patch has been added to the 3.12 stable tree. If you have any
>> objections, please let us know.
>>
>> ===============
>>
>> commit e89b8081327ac9efbf273e790b8677e64fd0361a upstream.
> 
> IIRC this fixed a bug introduced in 4.7 or 4.8 or something, so I don't
> think it's needed for 3.12, unless...

And you're right. I took the patches from SLE12-SP1 (3.12 based). And
this particular one is not needed there either. I am going to drop it from
3.12.

thanks,
-- 
js
suse labs


* Re: [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable
  2017-01-27 10:47 ` [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable Jiri Slaby
@ 2017-01-31 10:54   ` Aurélien Aptel
  2017-01-31 10:55     ` Jiri Slaby
  2017-10-08 22:15     ` Ben Hutchings
  0 siblings, 2 replies; 70+ messages in thread
From: Aurélien Aptel @ 2017-01-31 10:54 UTC (permalink / raw
  To: Jiri Slaby, stable; +Cc: Steve French, Jiri Slaby

Hi Jiri,

Jiri Slaby <jslaby@suse.cz> writes:
> From: Aurelien Aptel <aaptel@suse.com>
>
> This patch has been added to the 3.12 stable tree. If you have any
> objections, please let us know.

This patch introduced some regressions. You probably want the following fixes:

a6b5058 fs/cifs: make share unaccessible at root level mountable
4214ebf Fix memory leaks in cifs_do_mount()
c1d8b24 Compare prepaths when comparing superblocks
348c1bf Move check for prefix path to within cifs_get_root()
d171356 Fix regression which breaks DFS mounting

Cheers,

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


* Re: [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable
  2017-01-31 10:54   ` Aurélien Aptel
@ 2017-01-31 10:55     ` Jiri Slaby
  2017-10-08 22:15     ` Ben Hutchings
  1 sibling, 0 replies; 70+ messages in thread
From: Jiri Slaby @ 2017-01-31 10:55 UTC (permalink / raw
  To: Aurélien Aptel, stable; +Cc: Steve French

On 01/31/2017, 11:54 AM, Aurélien Aptel wrote:
> Hi Jiri,
> 
> Jiri Slaby <jslaby@suse.cz> writes:
>> From: Aurelien Aptel <aaptel@suse.com>
>>
>> This patch has been added to the 3.12 stable tree. If you have any
>> objections, please let us know.
> 
> This patch introduced some regressions. You probably want the following fixes:
> 
> a6b5058 fs/cifs: make share unaccessible at root level mountable
> 4214ebf Fix memory leaks in cifs_do_mount()
> c1d8b24 Compare prepaths when comparing superblocks
> 348c1bf Move check for prefix path to within cifs_get_root()
> d171356 Fix regression which breaks DFS mounting

I have just checked that all are in already. Thanks for heads up.

-- 
js
suse labs


* Re: [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable
  2017-01-31 10:54   ` Aurélien Aptel
  2017-01-31 10:55     ` Jiri Slaby
@ 2017-10-08 22:15     ` Ben Hutchings
  1 sibling, 0 replies; 70+ messages in thread
From: Ben Hutchings @ 2017-10-08 22:15 UTC (permalink / raw
  To: Aurélien Aptel, Jiri Slaby, stable; +Cc: Steve French


On Tue, 2017-01-31 at 11:54 +0100, Aurélien Aptel wrote:
> Hi Jiri,
> 
> Jiri Slaby <jslaby@suse.cz> writes:
> > From: Aurelien Aptel <aaptel@suse.com>
> > 
> > This patch has been added to the 3.12 stable tree. If you have any
> > objections, please let us know.
> 
> This patch introduced some regressions. You probably want the
> following fixes:
> 
> a6b5058 fs/cifs: make share unaccessible at root level mountable
> 4214ebf Fix memory leaks in cifs_do_mount()
> c1d8b24 Compare prepaths when comparing superblocks
> 348c1bf Move check for prefix path to within cifs_get_root()
> d171356 Fix regression which breaks DFS mounting

I've finally queued up all of these for 3.16.  Plus commit cd8c42968ee6
"Fix match_prepath()", which is missing from several other stable
branches.

Ben.

-- 
Ben Hutchings
compatible: Gracefully accepts erroneous data from any source

