Kernel
Threads by month
- ----- 2025 -----
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
July 2021
- 15 participants
- 107 discussions
[PATCH 01/17] ima: fix CONFIG_IMA_DIGEST_DB_MEGABYTES in openeuler_defconfig
by Zheng Zengkai 23 Jul '21
by Zheng Zengkai 23 Jul '21
23 Jul '21
From: Zhang Tianxing <zhangtianxing3(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I409K9
CVE: NA
-----------------------------------------------------------------
Commit 7c9d18bcaa ("ima: Add max size for IMA digest database") adds
a new Kconfig for IMA Digest Lists: CONFIG_IMA_DIGEST_DB_MEGABYTES.
However, that commit has typos in openeuler_defconfig. This patch is
to fix that typo.
Fixes: 7c9d18bcaa ("ima: Add max size for IMA digest database")
Signed-off-by: Zhang Tianxing <zhangtianxing3(a)huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
arch/arm64/configs/openeuler_defconfig | 2 +-
arch/x86/configs/openeuler_defconfig | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig
index 39cb54bcaa49..0ff8e6ce6b78 100644
--- a/arch/arm64/configs/openeuler_defconfig
+++ b/arch/arm64/configs/openeuler_defconfig
@@ -6424,7 +6424,7 @@ CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists"
CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y
# CONFIG_IMA_MAX_DIGEST_DB_SIZE is not set
# CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set
-CONFIG_IMA_DIGEST_DB_SIZE=16
+CONFIG_IMA_DIGEST_DB_MEGABYTES=16
CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig
index 607d4a7dfcba..e2a7fda97fa3 100644
--- a/arch/x86/configs/openeuler_defconfig
+++ b/arch/x86/configs/openeuler_defconfig
@@ -7792,7 +7792,7 @@ CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists"
CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y
# CONFIG_IMA_MAX_DIGEST_DB_SIZE is not set
# CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set
-CONFIG_IMA_DIGEST_DB_SIZE=16
+CONFIG_IMA_DIGEST_DB_MEGABYTES=16
CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
--
2.20.1
1
16
23 Jul '21
From: Xiongfeng Wang <wangxiongfeng2(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: NA
CVE: NA
------------------------------------
When I do some aer-inject and sysfs remove stress tests, I got the
following use-after-free Calltrace:
==================================================================
BUG: KASAN: use-after-free in pci_stop_bus_device+0x174/0x178
Read of size 8 at addr fffffc3e2e402218 by task bash/26311
CPU: 38 PID: 26311 Comm: bash Tainted: G W 4.19.105+ #82
Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B161.01 06/10/2021
Call trace:
dump_backtrace+0x0/0x360
show_stack+0x24/0x30
dump_stack+0x130/0x164
print_address_description+0x68/0x278
kasan_report+0x204/0x330
__asan_report_load8_noabort+0x30/0x40
pci_stop_bus_device+0x174/0x178
pci_stop_and_remove_bus_device_locked+0x24/0x40
remove_store+0x1c8/0x1e0
dev_attr_store+0x60/0x80
sysfs_kf_write+0x104/0x170
kernfs_fop_write+0x23c/0x430
__vfs_write+0xec/0x4e0
vfs_write+0x12c/0x3d0
ksys_write+0xe8/0x208
__arm64_sys_write+0x70/0xa0
el0_svc_common+0x10c/0x450
el0_svc_handler+0x50/0xc0
el0_svc+0x10/0x14
Allocated by task 684:
kasan_kmalloc+0xe0/0x190
kmem_cache_alloc_trace+0x110/0x240
pci_alloc_dev+0x4c/0x110
pci_scan_single_device+0x100/0x218
pci_scan_slot+0x8c/0x2d8
pci_scan_child_bus_extend+0x90/0x628
pci_scan_child_bus+0x24/0x30
pci_scan_bridge_extend+0x3b8/0xb28
pci_scan_child_bus_extend+0x350/0x628
pci_rescan_bus+0x24/0x48
pcie_do_fatal_recovery+0x390/0x4b0
handle_error_source+0x124/0x158
aer_isr+0x5a0/0x800
process_one_work+0x598/0x1250
worker_thread+0x384/0xf08
kthread+0x2a4/0x320
ret_from_fork+0x10/0x18
Freed by task 685:
__kasan_slab_free+0x120/0x228
kasan_slab_free+0x10/0x18
kfree+0x88/0x218
pci_release_dev+0xb4/0xd8
device_release+0x6c/0x1c0
kobject_put+0x12c/0x400
put_device+0x24/0x30
pci_dev_put+0x24/0x30
handle_error_source+0x12c/0x158
aer_isr+0x5a0/0x800
process_one_work+0x598/0x1250
worker_thread+0x384/0xf08
kthread+0x2a4/0x320
ret_from_fork+0x10/0x18
The buggy address belongs to the object at fffffc3e2e402200
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 24 bytes inside of
4096-byte region [fffffc3e2e402200, fffffc3e2e403200)
The buggy address belongs to the page:
page:ffff7ff0f8b90000 count:1 mapcount:0 mapping:ffffdc365f016e00 index:0x0 compound_mapcount: 0
flags: 0x6ffffe0000008100(slab|head)
raw: 6ffffe0000008100 ffff7f70d83aae00 0000000300000003 ffffdc365f016e00
raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
fffffc3e2e402100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fffffc3e2e402180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>fffffc3e2e402200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
fffffc3e2e402280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fffffc3e2e402300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
It is caused by the following race condition:
CPU0 CPU1
remove_store() aer_isr()
device_remove_file_self() handle_error_source()
pci_stop_and_remove_bus_device_locked pcie_do_fatal_recovery()
(blocked) pci_lock_rescan_remove() #CPU1 acquire the lock
pci_stop_and_remove_bus_device()
pci_unlock_rescan_remove() #CPU1 release the lock
pci_lock_rescan_remove() #CPU0 acquire the lock
pci_dev_put() #free pci_dev
pci_stop_and_remove_bus_device()
pci_stop_bus_device() #use-after-free
pci_unlock_rescan_remove()
An AER interrupt is triggered on CPU1. CPU1 starts to process it. A work
'aer_isr()' is scheduled on CPU1. It calling into
pcie_do_fatal_recovery(), and aquire lock 'pci_rescan_remove_lock'.
Before it removes the sysfs corresponding to the error pci device, a
sysfs remove operation is executed on CPU0. CPU0 use
device_remove_file_self() to remove the sysfs directory and wait for the
lock to be released. After CPU1 finish pci_stop_and_remove_bus_device(),
it release the lock and free the 'pci_dev' in pci_dev_put(). CPU0 acquire
the lock and access the 'pci_dev'. Then a use-after-free is triggered.
To fix this issue, we increase the reference count in remove_store()
before remove the device and decrease the reference count in the end.
Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com>
Reviewed-by: Hanjun Guo <guohanjun(a)huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
---
drivers/pci/pci-sysfs.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 391a811ba3445..fcc997cbf8438 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -470,7 +470,8 @@ static ssize_t remove_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
unsigned long val;
- struct pci_dev *rpdev = to_pci_dev(dev)->rpdev;
+ struct pci_dev *pdev = to_pci_dev(dev);
+ struct pci_dev *rpdev = pdev->rpdev;
if (kstrtoul(buf, 0, &val) < 0)
return -EINVAL;
@@ -490,8 +491,12 @@ static ssize_t remove_store(struct device *dev, struct device_attribute *attr,
if (rpdev)
pci_dev_get(rpdev);
- if (val && device_remove_file_self(dev, attr))
- pci_stop_and_remove_bus_device_locked(to_pci_dev(dev));
+ if (val) {
+ pci_dev_get(pdev);
+ if (device_remove_file_self(dev, attr))
+ pci_stop_and_remove_bus_device_locked(pdev);
+ pci_dev_put(pdev);
+ }
if (rpdev) {
clear_bit(0, &rpdev->slot_being_removed_rescanned);
--
2.25.1
1
0
[PATCH openEuler-1.0-LTS] seq_file: disallow extremely large seq buffer allocations
by Yang Yingliang 23 Jul '21
by Yang Yingliang 23 Jul '21
23 Jul '21
From: Eric Sandeen <sandeen(a)redhat.com>
stable inclusion
from linux-4.19.198
commit 6de9f0bf7cacc772a618699f9ed5c9f6fca58a1d
CVE: CVE-2021-33909
--------------------------------
commit 8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b upstream.
There is no reasonable need for a buffer larger than this, and it avoids
int overflow pitfalls.
Fixes: 058504edd026 ("fs/seq_file: fallback to vmalloc allocation")
Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk>
Reported-by: Qualys Security Advisory <qsa(a)qualys.com>
Signed-off-by: Eric Sandeen <sandeen(a)redhat.com>
Cc: stable(a)kernel.org
Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
---
fs/seq_file.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/seq_file.c b/fs/seq_file.c
index 05e58b56f6202..e11f62b29be87 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -29,6 +29,9 @@ static void seq_set_overflow(struct seq_file *m)
static void *seq_buf_alloc(unsigned long size)
{
+ if (unlikely(size > MAX_RW_COUNT))
+ return NULL;
+
return kvmalloc(size, GFP_KERNEL_ACCOUNT);
}
--
2.25.1
1
0
Al Cooper (1):
mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode
Al Viro (1):
iov_iter_fault_in_readable() should do nothing in xarray case
Alex Williamson (1):
vfio/pci: Handle concurrent vma faults
Alexander Aring (2):
fs: dlm: cancel work sync othercon
fs: dlm: fix memory leak when fenced
Alexander Larkin (1):
Input: joydev - prevent use of not validated data in JSIOCSBTNMAP
ioctl
Alexander Shishkin (1):
intel_th: Wait until port is in reset before programming it
Alvin Šipraga (2):
brcmfmac: fix setting of station info chains bitmask
brcmfmac: correctly report average RSSI in station info
Andrew Gabbasov (1):
usb: gadget: f_fs: Fix setting of device and driver data
cross-references
Andy Shevchenko (5):
net: mvpp2: Put fwnode in error case during ->probe()
net: pch_gbe: Propagate error from devm_gpio_request_one()
eeprom: idt_89hpesx: Put fwnode in matching case during ->probe()
eeprom: idt_89hpesx: Restore printing the unsupported fwnode name
net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
Anirudh Rayabharam (2):
ext4: fix kernel infoleak via ext4_extent_header
media: pvrusb2: fix warning in pvr2_i2c_core_done
Ard Biesheuvel (1):
crypto: shash - avoid comparing pointers to exported functions under
CFI
Arnaldo Carvalho de Melo (1):
perf llvm: Return -ENOMEM when asprintf() fails
Arnd Bergmann (4):
ia64: mca_drv: fix incorrect array size calculation
mwifiex: re-fix for unaligned accesses
media: subdev: disallow ioctl for saa6588/davinci
mips: always link byteswap helpers into decompressor
Arturo Giusti (1):
udf: Fix NULL pointer dereference in udf_symlink function
Aswath Govindraju (2):
ARM: dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema
ARM: dts: am437x: align ti,pindir-d0-out-d1-in property with dt-shema
Athira Rajeev (1):
selftests/powerpc: Fix "no_handler" EBB selftest
Axel Lin (1):
regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
Bean Huo (1):
mmc: block: Disable CMDQ on the ioctl path
Benjamin Drung (1):
media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K
Benjamin Herrenschmidt (1):
powerpc/boot: Fixup device-tree on little endian
Bibo Mao (1):
hugetlb: clear huge pte during flush function on mips platform
Bixuan Cui (3):
crypto: nx - add missing MODULE_DEVICE_TABLE
EDAC/ti: Add missing MODULE_DEVICE_TABLE
power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE
Bob Pearson (1):
RDMA/rxe: Fix qp reference counting for atomic ops
Bryan O'Donoghue (1):
wcn36xx: Move hal_buf allocation to devm_kmalloc in probe
Chao Yu (1):
f2fs: add MODULE_SOFTDEP to ensure crc32 is included in the initramfs
Charles Keepax (1):
spi: Make of_register_spi_device also set the fwnode
Chris Chiu (1):
ACPI: EC: Make more Asus laptops use ECDT _GPE
Christian Löhle (1):
mmc: core: Allow UHS-I voltage switch for SDSC cards if supported
Christoph Niedermaier (3):
ARM: dts: imx6q-dhcom: Fix ethernet reset time properties
ARM: dts: imx6q-dhcom: Fix ethernet plugin detection problems
ARM: dts: imx6q-dhcom: Add gpios pinctrl for i2c bus recovery
Christophe JAILLET (9):
crypto: ccp - Fix a resource leak in an error handling path
media: rc: i2c: Fix an error message
brcmsmac: mac80211_if: Fix a resource leak in an error handling path
tty: nozomi: Fix a resource leak in an error handling function
tty: nozomi: Fix the error handling path of 'nozomi_card_init()'
phy: ti: dm816x: Fix the error handling path in
'dm816x_usb_phy_probe()
leds: ktd2692: Fix an error handling path
tty: serial: 8250: serial_cs: Fix a memory leak in error handling path
scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe()
Christophe Leroy (1):
btrfs: disable build on platforms having page size 256K
Chung-Chiang Cheng (1):
configfs: fix memleak in configfs_release_bin_file
Codrin Ciubotariu (1):
ASoC: atmel-i2s: Fix usage of capture and playback at the same time
Colin Ian King (2):
drm: qxl: ensure surf.data is ininitialized
fsi: core: Fix return of error values on failures
Corentin Labbe (1):
crypto: ixp4xx - dma_unmap the correct address
Daehwan Jung (1):
ALSA: usb-audio: fix rate on Ozone Z90 USB headset
Dan Carpenter (5):
ocfs2: fix snprintf() checking
staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt()
staging: gdm724x: check for overflow in gdm_lte_netif_rx()
rtc: fix snprintf() checking in is_rtc_hctosys()
scsi: scsi_dh_alua: Fix signedness bug in alua_rtpg()
Daniel Vetter (1):
drm/msm/mdp4: Fix modifier support enabling
Dany Madden (1):
Revert "ibmvnic: remove duplicate napi_schedule call in open function"
Dave Hansen (1):
selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really
random
David Sterba (2):
btrfs: clear defrag status of a root if starting transaction fails
btrfs: clear log tree recovering status if starting transaction fails
Desmond Cheong Zhi Xi (1):
ntfs: fix validity check for file name attribute
Dillon Min (1):
media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx
Dimitri John Ledkov (1):
lib/decompress_unlz4.c: correctly handle zero-padding around initrds.
Dinghao Liu (1):
i40e: Fix error handling in i40e_vsi_open
Dmitry Osipenko (2):
clk: tegra: Ensure that PLLU configuration is applied properly
ASoC: tegra: Set driver_name=tegra for all machine drivers
Dmitry Torokhov (2):
HID: do not use down_interruptible() when unbinding devices
i2c: core: Disable client irq on reboot/shutdown
Dmytro Laktyushkin (1):
drm/amd/display: fix use_max_lb flag for 420 pixel formats
Dongliang Mu (3):
media: dvd_usb: memory leak in cinergyt2_fe_attach
ieee802154: hwsim: Fix possible memory leak in
hwsim_subscribe_all_others
ieee802154: hwsim: Fix memory leak in hwsim_add_one
Eddie James (1):
fsi: scom: Reset the FSI2PIB engine for any error
Eric Biggers (1):
fscrypt: don't ignore minor_hash when hash is 0
Eric Dumazet (5):
pkt_sched: sch_qfq: fix qfq_change_class() error path
vxlan: add missing rcu_read_lock() in neigh_reduce()
ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl()
ipv6: exthdrs: do not blindly use init_net
ipv6: fix out-of-bound access in ip6_parse_tlv()
Eric Sandeen (1):
seq_file: disallow extremely large seq buffer allocations
Erik Kaneda (1):
ACPICA: Fix memory leak caused by _CID repair function
Evgeny Novikov (1):
media: st-hva: Fix potential NULL pointer dereferences
Fabio Aiuto (1):
staging: rtl8723bs: fix macro value for 2.4Ghz only device
Filipe Manana (1):
btrfs: send: fix invalid path for unlink operations after parent
orphanization
Gao Xiang (1):
nfs: fix acl memory leak of posix_acl_create()
Geert Uytterhoeven (2):
of: Fix truncation of memory sizes on 32-bit platforms
ARM: dts: r8a7779, marzen: Fix DU clock names
Geoff Levand (1):
powerpc/ps3: Add dma_mask to ps3_dma_region
Gerd Rausch (1):
RDMA/cma: Fix rdma_resolve_route() memory leak
Greg Kroah-Hartman (1):
Linux 4.19.198
Guchun Chen (1):
drm/amd/display: fix incorrrect valid irq check
Guenter Roeck (2):
hwmon: (max31722) Remove non-standard ACPI device IDs
hwmon: (max31790) Fix fan speed reporting for fan7..12
Gustavo A. R. Silva (2):
media: siano: Fix out-of-bounds warnings in
smscore_load_firmware_family2()
wireless: wext-spy: Fix out-of-bounds warning
Hanjun Guo (1):
ACPI: bus: Call kobject_put() in acpi_init() error path
Hannes Reinecke (1):
scsi: scsi_dh_alua: Check for negative result value
Hannu Hartikainen (1):
USB: cdc-acm: blacklist Heimann USB Appset device
Hans Verkuil (1):
media: cobalt: fix race condition in setting HPD
Hans de Goede (1):
ACPI: video: Add quirk for the Dell Vostro 3350
Herbert Xu (1):
crypto: nx - Fix RCU warning in nx842_OF_upd_status
Huang Pei (1):
MIPS: add PMD table accounting into MIPS'pmd_alloc_one
Igor Matheus Andrade Torrente (1):
media: em28xx: Fix possible memory leak of em28xx struct
Jack Xu (2):
crypto: qat - check return code of qat_hal_rd_rel_reg()
crypto: qat - remove unused macro in FW loader
Jack Zhang (1):
drm/amd/amdgpu/sriov disable all ip hw status by default
Jakub Kicinski (1):
net: ip: avoid OOM kills with large UDP sends over loopback
James Smart (2):
scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology
scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize
the SGLs
Jan Kiszka (1):
watchdog: iTCO_wdt: Account for rebooting on second timeout
Jason Gerecke (1):
HID: wacom: Correct base usage for capacitive ExpressKey status bits
Jay Fang (2):
spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf'
spi: spi-topcliff-pch: Fix potential double free in
pch_spi_process_messages()
Jeff Layton (1):
ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty
Jesse Brandeburg (1):
e100: handle eeprom as little endian
Jiajun Cao (1):
ALSA: hda: Add IRQ check for platform_get_irq()
Jian Shen (1):
net: fix mistake path for netdev_features_strings
Jian-Hong Pan (1):
net: bcmgenet: Fix attaching to PYH failed on RPi 4B
Jiapeng Chong (3):
platform/x86: toshiba_acpi: Fix missing error code in
toshiba_acpi_setup_keyboard()
RDMA/cxgb4: Fix missing error code in create_qp()
fs/jfs: Fix missing error code in lmLogInit()
Jing Xiangfeng (2):
usb: typec: Add the missed altmode_id_remove() in
typec_register_altmode()
drm/radeon: Add the missed drm_gem_object_put() in
radeon_user_framebuffer_create()
Joachim Fenkes (2):
fsi/sbefifo: Clean up correct FIFO when receiving reset request from
SBE
fsi/sbefifo: Fix reset timeout
Joe Thornber (1):
dm space maps: don't reset space map allocation cursor when committing
Johan Hovold (6):
Input: usbtouchscreen - fix control-request directions
media: gspca/gl860: fix zero-length control requests
mmc: vub3000: fix control-request direction
media: dtv5100: fix control-request directions
media: gspca/sq905: fix control-request direction
media: gspca/sunplus: fix zero-length control requests
Johannes Berg (2):
iwlwifi: mvm: don't change band on bound PHY contexts
iwlwifi: pcie: free IML DMA memory allocation
John Garry (1):
scsi: core: Cap scsi_host cmd_per_lun at can_queue
Jonathan Cameron (21):
iio: accel: bma180: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: accel: bma220: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: accel: hid: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: accel: kxcjk-1013: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: accel: stk8312: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: accel: stk8ba50: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: adc: ti-ads1015: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: adc: vf610: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: gyro: bmg160: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: humidity: am2315: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: prox: srf08: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: prox: pulsed-light: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: prox: as3935: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: light: isl29125: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: light: tcs3414: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: light: tcs3472: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: potentiostat: lmp91000: Fix alignment of buffer in
iio_push_to_buffers_with_timestamp()
iio: adc: hx711: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: adc: mxs-lradc: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
iio: adc: ti-ads8688: Fix alignment of buffer in
iio_push_to_buffers_with_timestamp()
iio: prox: isl29501: Fix buffer alignment in
iio_push_to_buffers_with_timestamp()
Josef Bacik (2):
btrfs: fix error handling in __btrfs_update_delayed_inode
btrfs: abort transaction if we fail to update the delayed inode
Kai-Heng Feng (1):
Bluetooth: Shutdown controller after workqueues are flushed or
cancelled
Kamal Heib (1):
RDMA/rxe: Fix failure during driver load
Konstantin Kharlamov (1):
PCI: Leave Apple Thunderbolt controllers on for s2idle or standby
Krzysztof Kozlowski (8):
power: supply: max17042: Do not enforce (incorrect) interrupt trigger
type
reset: a10sr: add missing of_match_table reference
ARM: dts: exynos: fix PWM LED max brightness on Odroid XU/XU3
ARM: dts: exynos: fix PWM LED max brightness on Odroid HC1
ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4
memory: atmel-ebi: add missing of_node_put for loop iteration
memory: fsl_ifc: fix leak of IO mapping on probe failure
memory: fsl_ifc: fix leak of private memory on probe failure
Krzysztof Wilczyński (2):
ACPI: sysfs: Fix a buffer overrun problem with description_show()
PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun
Kuninori Morimoto (2):
ASoC: rsnd: tidyup loop on rsnd_adg_clk_query()
clk: renesas: r8a77995: Add ZA2 clock
Lai Jiangshan (1):
KVM: X86: Disable hardware breakpoints unconditionally before
kvm_x86->run()
Lee Gibson (1):
wl1251: Fix possible buffer overflow in wl1251_cmd_scan
Leon Romanovsky (2):
RDMA/mlx5: Don't add slave port to unaffiliated list
RDMA/mlx5: Don't access NULL-cleared mpi pointer
Liguang Zhang (1):
ACPI: AMBA: Fix resource name in /proc/iomem
Linus Walleij (2):
power: supply: ab8500: Fix an old bug
power: supply: ab8500: Avoid NULL pointers
Linyu Yuan (1):
usb: gadget: eem: fix echo command packet response issue
Liu Shixin (1):
netlabel: Fix memory leak in netlbl_mgmt_add_common
Liwei Song (1):
ice: set the value of global config lock timeout longer
Longpeng(Mike) (1):
vsock: notify server to shutdown when client has pending signal
Ludovic Desroches (1):
ARM: dts: at91: sama5d4: fix pinctrl muxing
Luiz Augusto von Dentz (2):
Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid
Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event
Luiz Sampaio (1):
w1: ds2438: fixing bug that would always get page0
Lv Yunlong (4):
media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
media: exynos4-is: Fix a use after free in isp_video_release
ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
misc/libmasm/module: Fix two use after free in ibmasm_init_one
Maciej W. Rozycki (1):
serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates
Maciej Żenczykowski (1):
bpf: Do not change gso_size during bpf_skb_change_proto()
Marc Kleine-Budde (1):
iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and
PS_DATA as volatile, too
Marcelo Ricardo Leitner (2):
sctp: validate from_addr_param return
sctp: add size validation when walking chunks
Marek Szyprowski (1):
extcon: max8997: Add missing modalias string
Marek Vasut (1):
rsi: Assign beacon rate settings to the correct rate_info descriptor
field
Mario Limonciello (1):
ACPI: processor idle: Fix up C-state latency if not ordered
Martin Fuzzey (2):
rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path
rsi: fix AP mode with WPA failure due to encrypted EAPOL
Martin Fäcknitz (1):
MIPS: vdso: Invalid GIC access through VDSO
Mateusz Palczewski (1):
i40e: Fix autoneg disabling for non-10GBaseT links
Mauro Carvalho Chehab (3):
media: dvb_net: avoid speculation from net slot
media: siano: fix device register error path
media: s5p_cec: decrement usage count if disabled
Maximilian Luz (1):
pinctrl/amd: Add device HID for new AMD GPIO controller
Miao Wang (1):
net/ipv4: swap flow ports when validating source
Miaohe Lin (1):
mm/huge_memory.c: don't discard hugepage if other processes are
mapping it
Michael Buesch (1):
ssb: sdio: Don't overwrite const buffer if block_write fails
Michael Ellerman (1):
powerpc/stacktrace: Fix spurious "stale" traces in
raise_backtrace_ipi()
Michael S. Tsirkin (1):
virtio_net: move tx vq operation under tx queue lock
Mike Christie (4):
scsi: iscsi: Add iscsi_cls_conn refcount helpers
scsi: iscsi: Fix conn use after free during resets
scsi: iscsi: Fix shost->max_id use
scsi: qedi: Fix null ref during abort handling
Mike Marshall (1):
orangefs: fix orangefs df output.
Miklos Szeredi (2):
fuse: check connected before queueing on fpq->io
fuse: reject internal errno
Mimi Zohar (1):
evm: fix writing <securityfs>/evm overflow
Minas Harutyunyan (1):
usb: dwc3: Fix debugfs creation flow
Minchan Kim (1):
selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
Miquel Raynal (1):
serial: mvebu-uart: clarify the baud rate derivation
Mirko Vogt (1):
spi: spi-sun6i: Fix chipselect/clock bug
Muchun Song (1):
writeback: fix obtain a reference to a freeing memcg css
Nathan Chancellor (3):
powerpc/barrier: Avoid collision with clang's __lwsync macro
qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute
hexagon: use common DISCARDS macro
Nicholas Piggin (1):
powerpc: Offline CPU in stop_this_cpu()
Nick Desaulniers (2):
MIPS: set mips32r5 for virt extensions
ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1
Nikolay Aleksandrov (1):
net: bridge: multicast: fix PIM hello router port marking race
Nuno Sa (1):
iio: adis_buffer: do not return ints in irq handlers
Odin Ugedal (1):
sched/fair: Fix ascii art by relpacing tabs
Oliver Hartkopp (1):
can: gw: synchronize rcu operations before removing gw job entry
Oliver Lang (2):
iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
iio: ltr501: ltr501_read_ps(): add missing endianness conversion
Ondrej Zary (2):
serial_cs: Add Option International GSM-Ready 56K/ISDN modem
serial_cs: remove wrong GLOBETROTTER.cis entry
Pablo Neira Ayuso (3):
netfilter: nft_exthdr: check for IPv6 packet before further processing
netfilter: nft_osf: check for TCP packet before further processing
netfilter: nft_tproxy: restrict support to TCP and UDP transport
protocols
Pali Rohár (6):
ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()
serial: mvebu-uart: correctly calculate minimal possible baudrate
arm64: dts: marvell: armada-37xx: Fix reg for standard variant of UART
serial: mvebu-uart: fix calculation of clock divisor
PCI: aardvark: Fix checking for PIO Non-posted Request
PCI: aardvark: Fix kernel panic during PIO transfer
Pan Dong (1):
ext4: fix avefreec in find_group_orlov
Pascal Terjan (1):
rtl8xxxu: Fix device info for RTL8192EU devices
Paul Burton (2):
tracing: Simplify & fix saved_tgids logic
tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT
Paul E. McKenney (1):
clocksource: Retry clock read if long delays detected
Pavel Skripkin (10):
media: dvb-usb: fix wrong definition
net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
media: cpia2: fix memory leak in cpia2_usb_probe
net: ethernet: aeroflex: fix UAF in greth_of_remove
net: ethernet: ezchip: fix UAF in nps_enet_remove
net: ethernet: ezchip: fix error handling
net: sched: fix warning in tcindex_alloc_perfect_hash
reiserfs: add check for invalid 1st journal block
media: zr364xx: fix memory leak in zr364xx_start_readpipe
jfs: fix GPF in diFree
Peter Robinson (1):
gpio: pca953x: Add support for the On Semi pca9655
Petr Pavlu (1):
ipmi/watchdog: Stop watchdog timer when the current action is 'none'
Philipp Zabel (1):
reset: bail if try_module_get() fails
Ping-Ke Shih (1):
mac80211: remove iwlwifi specific workaround NDPs of null_response
Po-Hsu Lin (1):
selftests: timers: rtcpie: skip test if default RTC device does not
exist
Quat Le (1):
scsi: core: Retry I/O for Notify (Enable Spinup) Required error
Radim Pavlik (1):
pinctrl: mcp23s08: fix race condition in irq handler
Rafał Miłecki (1):
ARM: dts: BCM5301X: Fixup SPI binding
Randy Dunlap (5):
media: I2C: change 'RST' to "RSET" to fix multiple build errors
wireless: carl9170: fix LEDS build errors & warnings
scsi: FlashPoint: Rename si_flags field
s390: appldata depends on PROC_SYSCTL
mips: disable branch profiling in boot/decompress.o
Remi Pommarel (1):
PCI: aardvark: Don't rely on jiffies while holding spinlock
Richard Fitzgerald (4):
lib: vsprintf: Fix handling of number field widths in vsscanf
random32: Fix implicit truncation warning in prandom_seed_state()
ACPI: tables: Add custom DSDT file as makefile prerequisite
ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK
Roberto Sassu (2):
evm: Execute evm_inode_init_security() only when an HMAC key is loaded
evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
Ruslan Bilovol (1):
usb: gadget: f_hid: fix endianness issue with descriptors
Sai Prakash Ranjan (1):
coresight: tmc-etf: Fix global-out-of-bounds in
tmc_update_etf_buffer()
Samuel Holland (1):
clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround
Sandor Bodo-Merle (2):
PCI: iproc: Fix multi-MSI base vector number allocation
PCI: iproc: Support multi-MSI only on uniprocessor kernel
Sean Christopherson (1):
KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is
enabled
Sean Young (1):
media, bpf: Do not copy more entries than user space requested
Sebastian Andrzej Siewior (1):
net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
Sergey Shtylyov (4):
sata_highbank: fix deferred probing
pata_rb532_cf: fix deferred probing
pata_octeon_cf: avoid WARN_ON() in ata_host_activate()
pata_ep93xx: fix deferred probing
Sergio Paracuellos (1):
staging: mt7621-dts: fix pci address for PCI memory range
Sherry Sun (1):
tty: serial: fsl_lpuart: fix the potential risk of division or modulo
by zero
Srinivas Neeli (1):
gpio: zynq: Check return value of pm_runtime_get_sync
Steffen Klassert (1):
xfrm: Fix error reporting in xfrm_state_construct.
Stephan Gerhold (2):
extcon: sm5502: Drop invalid register write in sm5502_reg_data
power: supply: rt5033_battery: Fix device tree enumeration
Stephane Grosjean (1):
can: peak_pciefd: pucan_handle_status(): fix a potential starvation
issue in TX path
Stephen Brennan (1):
ext4: use ext4_grp_locked_error in mb_find_extent
Steve Longerbeam (1):
media: imx-csi: Skip first few frames from a BT.656 source
Steven Rostedt (VMware) (3):
tracing/histograms: Fix parsing of "sym-offset" modifier
tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing
tracing: Do not reference char * as a string in histograms
Sukadev Bhattiprolu (1):
ibmvnic: free tx_pool if tso_pool alloc fails
Takashi Iwai (2):
ALSA: usb-audio: Fix OOB access at proc output
ALSA: sb: Fix potential double-free of CSP mixer elements
Takashi Sakamoto (2):
Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro"
ALSA: bebob: add support for ToneWeal FW66
Tao Ren (1):
watchdog: aspeed: fix hardware timeout calculation
Tetsuo Handa (1):
smackfs: restrict bytes count in smk_set_cipso()
Thomas Gleixner (3):
cpu/hotplug: Cure the cpusets trainwreck
x86/fpu: Return proper error codes from user access functions
x86/fpu: Limit xstate copy size in xstateregs_set()
Thomas Zimmermann (2):
drm/mxsfb: Don't select DRM_KMS_FB_HELPER
drm/zte: Don't select DRM_KMS_FB_HELPER
Tian Tao (1):
spi: omap-100k: Fix the length judgment problem
Tim Jiang (1):
Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca
btsoc.
Timo Sigurdsson (1):
ata: ahci_sunxi: Disable DIPM
Tony Lindgren (1):
wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
Trond Myklebust (3):
NFS: nfs_find_open_context() may only select open files
NFSv4: Initialise connection to the server in nfs4_alloc_client()
NFSv4/pNFS: Don't call _nfs4_pnfs_v3_ds_connect multiple times
Tyrel Datwyler (1):
scsi: core: Fix bad pointer dereference when ehandler kthread is
invalid
Uwe Kleine-König (3):
backlight: lm3630a: Fix return code of .update_status() callback
pwm: spear: Don't modify HW state in .remove callback
pwm: tegra: Don't modify HW state in .remove callback
Vadim Fedorenko (1):
net: lwtunnel: handle MTU calculation in forwading
Valentin Vidic (1):
s390/sclp_vt220: fix console name to match device
Valentine Barshak (1):
arm64: dts: renesas: v3msk: Fix memory size
Vineeth Vijayan (1):
s390/cio: dont call css_wait_for_slow_path() inside a lock
Wang Hai (1):
samples/bpf: Fix the error return code of xdp_redirect's main()
Willy Tarreau (1):
ipv6: use prandom_u32() for ID generation
Wolfram Sang (1):
mmc: core: clear flags before allowing to retune
Xianting Tian (1):
virtio_net: Remove BUG() to avoid machine dead
Xiao Yang (1):
RDMA/rxe: Don't overwrite errno from ib_umem_get()
Xie Yongji (4):
drm/virtio: Fix double free on probe failure
virtio-blk: Fix memory leak among suspend/resume procedure
virtio_net: Fix error handling in virtnet_restore()
virtio_console: Assure used length from device is limited
Yang Jihong (1):
arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode
Yang Li (1):
ath10k: Fix an error code in ath10k_add_interface()
Yang Yingliang (10):
ext4: return error code when ext4_fill_flex_info() fails
drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on
error in cdn_dp_grf_write()
ASoC: hisilicon: fix missing clk_disable_unprepare() on error in
hi6210_i2s_startup()
mtd: rawnand: marvell: add missing clk_disable_unprepare() on error in
marvell_nfc_resume()
net: bcmgenet: check return value after calling
platform_get_resource()
net: mvpp2: check return value after calling platform_get_resource()
net: micrel: check return value after calling platform_get_resource()
fjes: check return value after calling platform_get_resource()
ALSA: ppc: fix error return code in snd_pmac_probe()
usb: gadget: hid: fix error return code in hid_bind()
Yizhuo Zhai (1):
Input: hideep - fix the uninitialized use in hideep_nvm_unlock()
Yoshihiro Shimoda (1):
serial: sh-sci: Stop dmaengine transfer in sci_stop_tx()
Yu Kuai (1):
char: pcmcia: error out if 'num_bytes_read' is greater than 4 in
set_protocol()
Yu Liu (1):
Bluetooth: Fix the HCI to MGMT status conversion table
YueHaibing (1):
hv_utils: Fix passing zero to 'PTR_ERR' warning
Yufen Yu (1):
ALSA: ac97: fix PM reference leak in ac97_bus_remove()
Yun Zhou (2):
seq_buf: Make trace_seq_putmem_hex() support data longer than 8
seq_buf: Fix overflow in seq_buf_putmem_hex()
Zhang Yi (2):
ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
ext4: remove check for zero nr_to_scan in ext4_es_scan()
Zhangjiantao (Kirin, nanjing) (1):
xhci: solve a double free problem while doing s4
Zhen Lei (13):
crypto: ux500 - Fix error return code in hash_hw_final()
media: tc358743: Fix error return code in tc358743_probe_of()
mmc: usdhi6rol0: fix error return code in usdhi6_probe()
ehea: fix error return code in ehea_restart_qps()
ssb: Fix error return code in ssb_bus_scan()
Input: hil_kbd - fix error return code in hil_dev_connect()
visorbus: fix error return code in visorchipset_init()
scsi: mpt3sas: Fix error return value in _scsih_expander_add()
leds: as3645a: Fix error return code in as3645a_parse_node()
ASoC: soc-core: Fix the error return code in
snd_soc_of_parse_audio_routing()
um: fix error return code in slip_open()
um: fix error return code in winch_tramp()
ALSA: isa: Fix error return code in snd_cmi8330_probe()
Zheyu Ma (4):
media: bt8xx: Fix a missing check bug in bt878_probe
mmc: via-sdmmc: add a check against NULL pointer dereference
atm: nicstar: use 'dma_free_coherent' instead of 'kfree'
atm: nicstar: register the interrupt handler in the right place
Zhihao Cheng (2):
tools/bpftool: Fix error return code in do_batch()
ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode
Zou Wei (13):
regulator: uniphier: Add missing MODULE_DEVICE_TABLE
atm: iphase: fix possible use-after-free in ia_module_exit()
mISDN: fix possible use-after-free in HFC_cleanup()
atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
cw1200: add missing MODULE_DEVICE_TABLE
pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq()
mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE
watchdog: Fix possible use-after-free in wdt_startup()
watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()
watchdog: Fix possible use-after-free by calling del_timer_sync()
PCI: tegra: Add missing MODULE_DEVICE_TABLE
power: supply: charger-manager: add missing MODULE_DEVICE_TABLE
power: supply: ab8500: add missing MODULE_DEVICE_TABLE
frank zago (1):
iio: light: tcs3472: do not free unallocated IRQ
Íñigo Huguet (2):
sfc: avoid double pci_remove of VFs
sfc: error code if SRIOV cannot be disabled
Documentation/ABI/testing/evm | 26 +++-
.../admin-guide/kernel-parameters.txt | 6 +
Makefile | 2 +-
arch/arm/boot/dts/am335x-cm-t335.dts | 2 +-
arch/arm/boot/dts/am43x-epos-evm.dts | 4 +-
arch/arm/boot/dts/bcm5301x.dtsi | 18 +--
arch/arm/boot/dts/exynos5422-odroidhc1.dts | 2 +-
arch/arm/boot/dts/exynos5422-odroidxu4.dts | 2 +-
.../boot/dts/exynos54xx-odroidxu-leds.dtsi | 4 +-
arch/arm/boot/dts/imx6q-dhcom-som.dtsi | 41 +++++-
arch/arm/boot/dts/r8a7779-marzen.dts | 2 +-
arch/arm/boot/dts/r8a7779.dtsi | 1 +
arch/arm/boot/dts/sama5d4.dtsi | 2 +-
arch/arm/kernel/perf_event_v7.c | 4 +-
arch/arm/probes/kprobes/test-thumb.c | 10 +-
arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 2 +-
.../arm64/boot/dts/renesas/r8a77970-v3msk.dts | 2 +-
arch/hexagon/kernel/vmlinux.lds.S | 7 +-
arch/ia64/kernel/mca_drv.c | 2 +-
arch/mips/boot/compressed/Makefile | 4 +-
arch/mips/boot/compressed/decompress.c | 2 +
arch/mips/include/asm/hugetlb.h | 8 +-
arch/mips/include/asm/mipsregs.h | 8 +-
arch/mips/include/asm/pgalloc.h | 10 +-
arch/mips/vdso/vdso.h | 2 +-
arch/powerpc/boot/devtree.c | 59 +++++----
arch/powerpc/boot/ns16550.c | 9 +-
arch/powerpc/include/asm/barrier.h | 2 +
arch/powerpc/include/asm/ps3.h | 2 +
arch/powerpc/kernel/smp.c | 11 ++
arch/powerpc/kernel/stacktrace.c | 27 +++-
arch/powerpc/platforms/ps3/mm.c | 12 ++
arch/s390/Kconfig | 2 +-
arch/s390/kernel/setup.c | 2 +-
arch/um/drivers/chan_user.c | 3 +-
arch/um/drivers/slip_user.c | 3 +-
arch/x86/include/asm/fpu/internal.h | 19 ++-
arch/x86/kernel/fpu/regset.c | 2 +-
arch/x86/kvm/cpuid.c | 8 +-
arch/x86/kvm/x86.c | 2 +
crypto/shash.c | 18 ++-
drivers/acpi/Makefile | 5 +
drivers/acpi/acpi_amba.c | 1 +
drivers/acpi/acpi_video.c | 9 ++
drivers/acpi/acpica/nsrepair2.c | 7 +
drivers/acpi/bus.c | 1 +
drivers/acpi/device_sysfs.c | 2 +-
drivers/acpi/ec.c | 16 +++
drivers/acpi/processor_idle.c | 40 ++++++
drivers/ata/ahci_sunxi.c | 2 +-
drivers/ata/pata_ep93xx.c | 2 +-
drivers/ata/pata_octeon_cf.c | 5 +-
drivers/ata/pata_rb532_cf.c | 6 +-
drivers/ata/sata_highbank.c | 6 +-
drivers/atm/iphase.c | 2 +-
drivers/atm/nicstar.c | 26 ++--
drivers/block/virtio_blk.c | 2 +
drivers/bluetooth/btusb.c | 5 +
drivers/char/ipmi/ipmi_watchdog.c | 22 ++--
drivers/char/pcmcia/cm4000_cs.c | 4 +
drivers/char/virtio_console.c | 4 +-
drivers/clk/renesas/r8a77995-cpg-mssr.c | 1 +
drivers/clk/tegra/clk-pll.c | 6 +-
drivers/clocksource/arm_arch_timer.c | 2 +-
drivers/crypto/ccp/sp-pci.c | 6 +-
drivers/crypto/ixp4xx_crypto.c | 2 +-
drivers/crypto/nx/nx-842-pseries.c | 9 +-
drivers/crypto/qat/qat_common/qat_hal.c | 6 +-
drivers/crypto/qat/qat_common/qat_uclo.c | 1 -
drivers/crypto/ux500/hash/hash_core.c | 1 +
drivers/edac/ti_edac.c | 1 +
drivers/extcon/extcon-max8997.c | 1 +
drivers/extcon/extcon-sm5502.c | 1 -
drivers/firmware/qemu_fw_cfg.c | 8 +-
drivers/fsi/fsi-core.c | 4 +-
drivers/fsi/fsi-sbefifo.c | 10 +-
drivers/fsi/fsi-scom.c | 16 ++-
drivers/gpio/gpio-pca953x.c | 1 +
drivers/gpio/gpio-zynq.c | 5 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
.../drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c | 9 +-
drivers/gpu/drm/amd/display/dc/irq_types.h | 2 +-
drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c | 2 -
drivers/gpu/drm/msm/disp/mdp4/mdp4_plane.c | 8 +-
drivers/gpu/drm/mxsfb/Kconfig | 1 -
drivers/gpu/drm/qxl/qxl_dumb.c | 2 +
drivers/gpu/drm/radeon/radeon_display.c | 1 +
drivers/gpu/drm/rockchip/cdn-dp-core.c | 1 +
drivers/gpu/drm/virtio/virtgpu_kms.c | 1 +
drivers/gpu/drm/zte/Kconfig | 1 -
drivers/hid/hid-core.c | 10 +-
drivers/hid/wacom_wac.h | 2 +-
drivers/hv/hv_util.c | 4 +-
drivers/hwmon/max31722.c | 9 --
drivers/hwmon/max31790.c | 2 +-
.../hwtracing/coresight/coresight-tmc-etf.c | 2 +-
drivers/hwtracing/intel_th/core.c | 17 +++
drivers/hwtracing/intel_th/gth.c | 16 +++
drivers/hwtracing/intel_th/intel_th.h | 3 +
drivers/i2c/i2c-core-base.c | 3 +
drivers/iio/accel/bma180.c | 10 +-
drivers/iio/accel/bma220_spi.c | 10 +-
drivers/iio/accel/hid-sensor-accel-3d.c | 13 +-
drivers/iio/accel/kxcjk-1013.c | 24 ++--
drivers/iio/accel/stk8312.c | 12 +-
drivers/iio/accel/stk8ba50.c | 17 ++-
drivers/iio/adc/hx711.c | 4 +-
drivers/iio/adc/mxs-lradc-adc.c | 3 +-
drivers/iio/adc/ti-ads1015.c | 12 +-
drivers/iio/adc/ti-ads8688.c | 3 +-
drivers/iio/adc/vf610_adc.c | 10 +-
drivers/iio/gyro/bmg160_core.c | 10 +-
drivers/iio/humidity/am2315.c | 16 ++-
drivers/iio/imu/adis_buffer.c | 3 -
drivers/iio/light/isl29125.c | 10 +-
drivers/iio/light/ltr501.c | 15 ++-
drivers/iio/light/tcs3414.c | 10 +-
drivers/iio/light/tcs3472.c | 16 ++-
drivers/iio/potentiostat/lmp91000.c | 4 +-
drivers/iio/proximity/as3935.c | 10 +-
drivers/iio/proximity/isl29501.c | 2 +-
.../iio/proximity/pulsedlight-lidar-lite-v2.c | 10 +-
drivers/iio/proximity/srf08.c | 14 +-
drivers/infiniband/core/cma.c | 3 +-
drivers/infiniband/hw/cxgb4/qp.c | 1 +
drivers/infiniband/hw/mlx5/main.c | 4 +-
drivers/infiniband/sw/rxe/rxe_mr.c | 2 +-
drivers/infiniband/sw/rxe/rxe_net.c | 10 +-
drivers/infiniband/sw/rxe/rxe_qp.c | 1 -
drivers/infiniband/sw/rxe/rxe_resp.c | 2 -
drivers/input/joydev.c | 2 +-
drivers/input/keyboard/hil_kbd.c | 1 +
drivers/input/touchscreen/hideep.c | 13 +-
drivers/input/touchscreen/usbtouchscreen.c | 8 +-
drivers/ipack/carriers/tpci200.c | 5 +-
drivers/isdn/hardware/mISDN/hfcpci.c | 2 +-
drivers/leds/leds-as3645a.c | 1 +
drivers/leds/leds-ktd2692.c | 27 ++--
.../md/persistent-data/dm-space-map-disk.c | 9 +-
.../persistent-data/dm-space-map-metadata.c | 9 +-
drivers/media/common/siano/smscoreapi.c | 22 ++--
drivers/media/common/siano/smscoreapi.h | 4 +-
drivers/media/common/siano/smsdvb-main.c | 4 +
drivers/media/dvb-core/dvb_net.c | 25 +++-
drivers/media/i2c/ir-kbd-i2c.c | 4 +-
drivers/media/i2c/s5c73m3/s5c73m3-core.c | 6 +-
drivers/media/i2c/s5c73m3/s5c73m3.h | 2 +-
drivers/media/i2c/s5k4ecgx.c | 10 +-
drivers/media/i2c/s5k5baf.c | 6 +-
drivers/media/i2c/s5k6aa.c | 10 +-
drivers/media/i2c/saa6588.c | 4 +-
drivers/media/i2c/tc358743.c | 1 +
drivers/media/pci/bt8xx/bt878.c | 3 +
drivers/media/pci/bt8xx/bttv-driver.c | 6 +-
drivers/media/pci/cobalt/cobalt-driver.c | 1 +
drivers/media/pci/cobalt/cobalt-driver.h | 7 +-
drivers/media/pci/saa7134/saa7134-video.c | 6 +-
drivers/media/platform/davinci/vpbe_display.c | 2 +-
drivers/media/platform/davinci/vpbe_venc.c | 6 +-
.../platform/exynos4-is/fimc-isp-video.c | 7 +-
drivers/media/platform/s5p-cec/s5p_cec.c | 2 +-
drivers/media/platform/s5p-g2d/g2d.c | 3 +
drivers/media/platform/sti/hva/hva-hw.c | 3 +-
drivers/media/rc/bpf-lirc.c | 3 +-
drivers/media/usb/cpia2/cpia2.h | 1 +
drivers/media/usb/cpia2/cpia2_core.c | 12 ++
drivers/media/usb/cpia2/cpia2_usb.c | 13 +-
drivers/media/usb/dvb-usb/cinergyT2-core.c | 2 +
drivers/media/usb/dvb-usb/cxusb.c | 2 +-
drivers/media/usb/dvb-usb/dtv5100.c | 7 +-
drivers/media/usb/em28xx/em28xx-input.c | 8 +-
drivers/media/usb/gspca/gl860/gl860.c | 4 +-
drivers/media/usb/gspca/sq905.c | 2 +-
drivers/media/usb/gspca/sunplus.c | 8 +-
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 +-
drivers/media/usb/uvc/uvc_video.c | 27 ++++
drivers/media/usb/zr364xx/zr364xx.c | 1 +
drivers/media/v4l2-core/v4l2-fh.c | 1 +
drivers/memory/atmel-ebi.c | 4 +-
drivers/memory/fsl_ifc.c | 8 +-
drivers/mfd/da9052-i2c.c | 1 +
drivers/mfd/stmpe-i2c.c | 2 +-
drivers/misc/eeprom/idt_89hpesx.c | 8 +-
drivers/misc/ibmasm/module.c | 5 +-
drivers/mmc/core/block.c | 8 ++
drivers/mmc/core/core.c | 7 +-
drivers/mmc/core/sd.c | 10 +-
drivers/mmc/host/sdhci.c | 4 +
drivers/mmc/host/sdhci.h | 1 +
drivers/mmc/host/usdhi6rol0.c | 1 +
drivers/mmc/host/via-sdmmc.c | 3 +
drivers/mmc/host/vub300.c | 2 +-
drivers/mtd/nand/raw/marvell_nand.c | 4 +-
drivers/net/can/peak_canfd/peak_canfd.c | 4 +-
drivers/net/can/usb/ems_usb.c | 3 +-
drivers/net/ethernet/aeroflex/greth.c | 3 +-
.../net/ethernet/broadcom/genet/bcmgenet.c | 1 +
drivers/net/ethernet/broadcom/genet/bcmmii.c | 4 +
drivers/net/ethernet/ezchip/nps_enet.c | 4 +-
drivers/net/ethernet/ibm/ehea/ehea_main.c | 9 +-
drivers/net/ethernet/ibm/ibmvnic.c | 10 +-
drivers/net/ethernet/intel/e100.c | 12 +-
.../net/ethernet/intel/i40e/i40e_ethtool.c | 3 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +
drivers/net/ethernet/intel/ice/ice_type.h | 2 +-
.../net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 +
drivers/net/ethernet/micrel/ks8842.c | 4 +
.../ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 29 ++---
drivers/net/ethernet/sfc/ef10_sriov.c | 25 ++--
drivers/net/fjes/fjes_main.c | 4 +
drivers/net/ieee802154/mac802154_hwsim.c | 11 +-
drivers/net/virtio_net.c | 29 ++++-
drivers/net/vxlan.c | 2 +
drivers/net/wireless/ath/ath10k/mac.c | 1 +
drivers/net/wireless/ath/ath9k/main.c | 5 +
drivers/net/wireless/ath/carl9170/Kconfig | 8 +-
drivers/net/wireless/ath/wcn36xx/main.c | 21 ++-
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 37 +++---
.../broadcom/brcm80211/brcmsmac/mac80211_if.c | 8 +-
.../net/wireless/intel/iwlwifi/mvm/mac80211.c | 24 +++-
.../intel/iwlwifi/pcie/ctxt-info-gen3.c | 15 ++-
.../wireless/intel/iwlwifi/pcie/internal.h | 3 +
drivers/net/wireless/marvell/mwifiex/pcie.c | 10 +-
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 11 +-
.../realtek/rtl8xxxu/rtl8xxxu_8192e.c | 59 ++++++++-
drivers/net/wireless/rsi/rsi_91x_hal.c | 6 +-
drivers/net/wireless/rsi/rsi_91x_mac80211.c | 3 -
drivers/net/wireless/rsi/rsi_91x_mgmt.c | 3 +-
drivers/net/wireless/rsi/rsi_main.h | 1 -
drivers/net/wireless/st/cw1200/cw1200_sdio.c | 1 +
drivers/net/wireless/ti/wl1251/cmd.c | 9 +-
drivers/net/wireless/ti/wl12xx/main.c | 7 +
drivers/of/fdt.c | 8 +-
drivers/of/of_reserved_mem.c | 8 +-
drivers/pci/controller/pci-aardvark.c | 61 ++++++---
drivers/pci/controller/pci-tegra.c | 1 +
drivers/pci/controller/pcie-iproc-msi.c | 29 +++--
drivers/pci/pci-label.c | 2 +-
drivers/pci/quirks.c | 11 ++
drivers/phy/ti/phy-dm816x-usb.c | 17 ++-
drivers/pinctrl/pinctrl-amd.c | 1 +
drivers/pinctrl/pinctrl-mcp23s08.c | 10 +-
drivers/platform/x86/toshiba_acpi.c | 1 +
drivers/power/reset/gpio-poweroff.c | 1 +
drivers/power/supply/Kconfig | 3 +-
drivers/power/supply/ab8500_btemp.c | 1 +
drivers/power/supply/ab8500_charger.c | 19 ++-
drivers/power/supply/ab8500_fg.c | 1 +
drivers/power/supply/charger-manager.c | 1 +
drivers/power/supply/max17042_battery.c | 2 +-
drivers/power/supply/rt5033_battery.c | 7 +
drivers/pwm/pwm-spear.c | 4 -
drivers/pwm/pwm-tegra.c | 13 --
drivers/regulator/da9052-regulator.c | 3 +-
drivers/regulator/uniphier-regulator.c | 1 +
drivers/reset/core.c | 5 +-
drivers/reset/reset-a10sr.c | 1 +
drivers/rtc/rtc-proc.c | 4 +-
drivers/rtc/rtc-stm32.c | 6 +-
drivers/s390/char/sclp_vt220.c | 4 +-
drivers/s390/cio/chp.c | 3 +
drivers/s390/cio/chsc.c | 2 -
drivers/scsi/FlashPoint.c | 32 ++---
drivers/scsi/be2iscsi/be_main.c | 5 +-
drivers/scsi/bnx2i/bnx2i_iscsi.c | 2 +-
drivers/scsi/cxgbi/libcxgbi.c | 4 +-
drivers/scsi/device_handler/scsi_dh_alua.c | 11 +-
drivers/scsi/hosts.c | 4 +
drivers/scsi/libiscsi.c | 122 ++++++++----------
drivers/scsi/lpfc/lpfc_els.c | 9 ++
drivers/scsi/lpfc/lpfc_sli.c | 5 +-
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +-
drivers/scsi/qedi/qedi_fw.c | 2 +-
drivers/scsi/qedi/qedi_main.c | 2 +-
drivers/scsi/scsi_lib.c | 1 +
drivers/scsi/scsi_transport_iscsi.c | 12 ++
drivers/spi/spi-loopback-test.c | 2 +-
drivers/spi/spi-omap-100k.c | 2 +-
drivers/spi/spi-sun6i.c | 6 +-
drivers/spi/spi-topcliff-pch.c | 4 +-
drivers/spi/spi.c | 1 +
drivers/ssb/scan.c | 1 +
drivers/ssb/sdio.c | 1 -
drivers/staging/gdm724x/gdm_lte.c | 20 ++-
drivers/staging/media/imx/imx-media-csi.c | 14 +-
drivers/staging/mt7621-dts/mt7621.dtsi | 2 +-
drivers/staging/rtl8723bs/hal/odm.h | 5 +-
drivers/tty/nozomi.c | 9 +-
drivers/tty/serial/8250/8250_port.c | 19 ++-
drivers/tty/serial/8250/serial_cs.c | 13 +-
drivers/tty/serial/fsl_lpuart.c | 3 +
drivers/tty/serial/mvebu-uart.c | 33 +++--
drivers/tty/serial/sh-sci.c | 8 ++
drivers/usb/class/cdc-acm.c | 5 +
drivers/usb/dwc3/core.c | 3 +-
drivers/usb/gadget/function/f_eem.c | 43 +++++-
drivers/usb/gadget/function/f_fs.c | 67 +++++-----
drivers/usb/gadget/function/f_hid.c | 2 +-
drivers/usb/gadget/legacy/hid.c | 4 +-
drivers/usb/host/xhci-mem.c | 1 +
drivers/usb/typec/class.c | 4 +-
drivers/vfio/pci/vfio_pci.c | 29 +++--
drivers/video/backlight/lm3630a_bl.c | 12 +-
drivers/visorbus/visorchipset.c | 6 +-
drivers/w1/slaves/w1_ds2438.c | 4 +-
drivers/watchdog/aspeed_wdt.c | 2 +-
drivers/watchdog/iTCO_wdt.c | 12 +-
drivers/watchdog/lpc18xx_wdt.c | 2 +-
drivers/watchdog/sbc60xxwdt.c | 2 +-
drivers/watchdog/sc520_wdt.c | 2 +-
drivers/watchdog/w83877f_wdt.c | 2 +-
fs/btrfs/Kconfig | 2 +
fs/btrfs/delayed-inode.c | 18 ++-
fs/btrfs/send.c | 11 ++
fs/btrfs/transaction.c | 6 +-
fs/btrfs/tree-log.c | 1 +
fs/ceph/addr.c | 10 +-
fs/configfs/file.c | 10 +-
fs/crypto/fname.c | 9 +-
fs/dlm/config.c | 9 ++
fs/dlm/lowcomms.c | 2 +-
fs/ext4/extents.c | 3 +
fs/ext4/extents_status.c | 4 +-
fs/ext4/ialloc.c | 11 +-
fs/ext4/mballoc.c | 9 +-
fs/ext4/super.c | 1 +
fs/f2fs/super.c | 1 +
fs/fs-writeback.c | 9 +-
fs/fuse/dev.c | 11 +-
fs/jfs/inode.c | 3 +-
fs/jfs/jfs_logmgr.c | 1 +
fs/nfs/inode.c | 4 +
fs/nfs/nfs3proc.c | 4 +-
fs/nfs/nfs4client.c | 82 ++++++------
fs/nfs/pnfs_nfs.c | 52 ++++----
fs/ntfs/inode.c | 2 +-
fs/ocfs2/filecheck.c | 6 +-
fs/ocfs2/stackglue.c | 8 +-
fs/orangefs/super.c | 2 +-
fs/reiserfs/journal.c | 14 ++
fs/seq_file.c | 3 +
fs/ubifs/dir.c | 7 +
fs/udf/namei.c | 4 +
include/crypto/internal/hash.h | 8 +-
include/linux/mfd/abx500/ux500_chargalg.h | 2 +-
include/linux/netdev_features.h | 2 +-
include/linux/nfs_fs.h | 1 +
include/linux/prandom.h | 2 +-
include/linux/tracepoint.h | 10 ++
include/media/v4l2-subdev.h | 4 +
include/net/ip.h | 12 +-
include/net/ip6_route.h | 16 ++-
include/net/sctp/structs.h | 2 +-
include/scsi/libiscsi.h | 11 +-
include/scsi/scsi_transport_iscsi.h | 2 +
include/uapi/linux/ethtool.h | 4 +-
kernel/cpu.c | 49 +++++++
kernel/sched/fair.c | 8 +-
kernel/time/clocksource.c | 53 +++++++-
kernel/trace/bpf_trace.c | 3 +-
kernel/trace/trace.c | 91 +++++++------
kernel/trace/trace_events_hist.c | 13 +-
kernel/tracepoint.c | 33 ++++-
lib/decompress_unlz4.c | 8 ++
lib/iov_iter.c | 2 +-
lib/kstrtox.c | 13 +-
lib/kstrtox.h | 2 +
lib/seq_buf.c | 8 +-
lib/vsprintf.c | 82 +++++++-----
mm/huge_memory.c | 2 +-
net/bluetooth/hci_core.c | 16 +--
net/bluetooth/hci_event.c | 13 +-
net/bluetooth/mgmt.c | 6 +
net/bridge/br_multicast.c | 2 +
net/can/gw.c | 3 +
net/core/dev.c | 11 +-
net/core/filter.c | 4 -
net/ipv4/fib_frontend.c | 2 +
net/ipv4/ip_output.c | 32 +++--
net/ipv4/route.c | 3 +-
net/ipv6/exthdrs.c | 31 +++--
net/ipv6/ip6_output.c | 32 ++---
net/ipv6/output_core.c | 28 +---
net/mac80211/sta_info.c | 5 -
net/netfilter/nft_exthdr.c | 3 +
net/netfilter/nft_osf.c | 5 +
net/netfilter/nft_tproxy.c | 9 +-
net/netlabel/netlabel_mgmt.c | 19 +--
net/sched/cls_tcindex.c | 2 +-
net/sched/sch_qfq.c | 8 +-
net/sctp/bind_addr.c | 19 +--
net/sctp/input.c | 8 +-
net/sctp/ipv6.c | 7 +-
net/sctp/protocol.c | 7 +-
net/sctp/sm_make_chunk.c | 29 +++--
net/vmw_vsock/af_vsock.c | 2 +-
net/wireless/wext-spy.c | 14 +-
net/xfrm/xfrm_user.c | 28 ++--
samples/bpf/xdp_redirect_user.c | 2 +-
security/integrity/evm/evm_main.c | 2 +-
security/integrity/evm/evm_secfs.c | 13 +-
security/selinux/avc.c | 13 +-
security/smack/smackfs.c | 2 +
sound/ac97/bus.c | 2 +-
sound/firewire/Kconfig | 5 +-
sound/firewire/bebob/bebob.c | 5 +-
sound/firewire/oxfw/oxfw.c | 2 +-
sound/isa/cmi8330.c | 2 +-
sound/isa/sb/sb16_csp.c | 8 +-
sound/pci/hda/hda_tegra.c | 3 +
sound/ppc/powermac.c | 6 +-
sound/soc/atmel/atmel-i2s.c | 34 +++--
sound/soc/codecs/cs42l42.h | 2 +-
sound/soc/hisilicon/hi6210-i2s.c | 14 +-
sound/soc/sh/rcar/adg.c | 4 +-
sound/soc/soc-core.c | 2 +-
sound/soc/tegra/tegra_alc5632.c | 1 +
sound/soc/tegra/tegra_max98090.c | 1 +
sound/soc/tegra/tegra_rt5640.c | 1 +
sound/soc/tegra/tegra_rt5677.c | 1 +
sound/soc/tegra/tegra_sgtl5000.c | 1 +
sound/soc/tegra/tegra_wm8753.c | 1 +
sound/soc/tegra/tegra_wm8903.c | 1 +
sound/soc/tegra/tegra_wm9712.c | 1 +
sound/soc/tegra/trimslice.c | 1 +
sound/usb/format.c | 2 +
sound/usb/mixer.c | 5 +-
tools/bpf/bpftool/main.c | 4 +-
tools/perf/util/llvm-utils.c | 2 +
.../powerpc/pmu/ebb/no_handler_test.c | 2 -
tools/testing/selftests/timers/rtcpie.c | 10 +-
tools/testing/selftests/x86/protection_keys.c | 3 +-
432 files changed, 2528 insertions(+), 1274 deletions(-)
--
2.25.1
1
403
【Meeting Notice】openEuler kernel 技术分享第八期 & 双周例会 Time: 2021-07-23 14:00-18:00
by Meeting Book 23 Jul '21
by Meeting Book 23 Jul '21
23 Jul '21
1
0
From: Wang Hai <wanghai38(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: 172330
CVE: HWPSIRT-2021-84477
--------------------------------
We can construct some special USB packets that cause kernel
info leak by the following steps of rndis.
1. construct the packet to make rndis call gen_ndis_set_resp().
In gen_ndis_set_resp(), BufOffset comes from the USB packet and
it is not checked so that BufOffset can be any value. Therefore,
if OID is RNDIS_OID_GEN_CURRENT_PACKET_FILTER, then *params->filter
can get data at any address.
2. construct the packet to make rndis call rndis_query_response().
In rndis_query_response(), if OID is RNDIS_OID_GEN_CURRENT_PACKET_FILTER,
then the data of *params->filter is fetched and returned, resulting in
info leak.
Therefore, we need to check the BufOffset to prevent info leak. Here,
buf size is USB_COMP_EP0_BUFSIZ, as long as "8 + BufOffset + BufLength"
is less than USB_COMP_EP0_BUFSIZ, it will be considered legal.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Wang Hai <wanghai38(a)huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com>
---
drivers/usb/gadget/composite.c | 2 +-
drivers/usb/gadget/function/rndis.c | 37 +++++++++++++++++++++++++----
2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 1a556a628971..7f963bb1c59b 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2157,7 +2157,7 @@ int composite_dev_prepare(struct usb_composite_driver *composite,
if (!cdev->req)
return -ENOMEM;
- cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
+ cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
if (!cdev->req->buf)
goto fail;
diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c
index 64de9f1b874c..9ea94215e113 100644
--- a/drivers/usb/gadget/function/rndis.c
+++ b/drivers/usb/gadget/function/rndis.c
@@ -506,6 +506,10 @@ static int gen_ndis_set_resp(struct rndis_params *params, u32 OID,
switch (OID) {
case RNDIS_OID_GEN_CURRENT_PACKET_FILTER:
+ if (buf_len < 2) {
+ pr_err("%s:Not support for buf_len < 2\n", __func__);
+ break;
+ }
/* these NDIS_PACKET_TYPE_* bitflags are shared with
* cdc_filter; it's not RNDIS-specific
@@ -592,6 +596,7 @@ static int rndis_query_response(struct rndis_params *params,
rndis_query_msg_type *buf)
{
rndis_query_cmplt_type *resp;
+ u32 BufOffset, BufLength;
rndis_resp_t *r;
/* pr_debug("%s: OID = %08X\n", __func__, cpu_to_le32(buf->OID)); */
@@ -612,12 +617,25 @@ static int rndis_query_response(struct rndis_params *params,
resp->MessageType = cpu_to_le32(RNDIS_MSG_QUERY_C);
resp->RequestID = buf->RequestID; /* Still LE in msg buffer */
+ BufOffset = le32_to_cpu(buf->InformationBufferOffset);
+ BufLength = le32_to_cpu(buf->InformationBufferLength);
+
+ /*
+ * If the address of the buf to be accessed exceeds the valid
+ * range of the buf, then return RNDIS_STATUS_NOT_SUPPORTED.
+ */
+ if (8 + BufOffset + BufLength >= USB_COMP_EP0_BUFSIZ) {
+ resp->Status = cpu_to_le32(RNDIS_STATUS_NOT_SUPPORTED);
+ resp->MessageLength = cpu_to_le32(sizeof(*resp));
+ resp->InformationBufferLength = cpu_to_le32(0);
+ resp->InformationBufferOffset = cpu_to_le32(0);
+ params->resp_avail(params->v);
+ return 0;
+ }
if (gen_ndis_query_resp(params, le32_to_cpu(buf->OID),
- le32_to_cpu(buf->InformationBufferOffset)
- + 8 + (u8 *)buf,
- le32_to_cpu(buf->InformationBufferLength),
- r)) {
+ BufOffset + 8 + (u8 *)buf, BufLength,
+ r)) {
/* OID not supported */
resp->Status = cpu_to_le32(RNDIS_STATUS_NOT_SUPPORTED);
resp->MessageLength = cpu_to_le32(sizeof *resp);
@@ -660,6 +678,17 @@ static int rndis_set_response(struct rndis_params *params,
resp->MessageType = cpu_to_le32(RNDIS_MSG_SET_C);
resp->MessageLength = cpu_to_le32(16);
resp->RequestID = buf->RequestID; /* Still LE in msg buffer */
+
+ /*
+ * If the address of the buf to be accessed exceeds the valid
+ * range of the buf, then return RNDIS_STATUS_NOT_SUPPORTED.
+ */
+ if (8 + BufOffset + BufLength >= USB_COMP_EP0_BUFSIZ) {
+ resp->Status = cpu_to_le32(RNDIS_STATUS_NOT_SUPPORTED);
+ params->resp_avail(params->v);
+ return 0;
+ }
+
if (gen_ndis_set_resp(params, le32_to_cpu(buf->OID),
((u8 *)buf) + 8 + BufOffset, BufLength, r))
resp->Status = cpu_to_le32(RNDIS_STATUS_NOT_SUPPORTED);
--
2.20.1
1
0
22 Jul '21
crypto: hisilicon - ACC add new feature and bugfix.
Colin Ian King (1):
crypto: hisilicon/sec - Fix spelling mistake "fallbcak" -> "fallback"
Eric Biggers (1):
crypto: sha - split sha.h into sha1.h and sha2.h
Hao Fang (1):
crypto: hisilicon - use the correct HiSilicon copyright
Hui Tang (37):
crypto: hisilicon/hpre - delete ECC 1bit error reported threshold
crypto: hisilicon/hpre - add two RAS correctable errors processing
crypto: hisilicon/hpre - add ecc algorithm inqury for uacce device
crypto: hisilicon/hpre - adapt the number of clusters
crypto: hisilicon/hpre - tiny fix
crypto: hisilicon/hpre - enable Elliptic curve cryptography
crypto: hisilicon/hpre - delete wrap of 'CONFIG_CRYPTO_DH'
crypto: hisilicon/hpre - optimise 'hpre_algs_register' error path
crypto: hisilicon - fix the check on dma address
crypto: hisilicon/hpre - fix "hpre_ctx_init" resource leak
crypto: hisilicon/hpre - fix Kconfig
crypto: hisilicon/hpre - fix PASID setting on kunpeng 920
crypto: hisilicon/hpre - fix a typo and delete redundant blank line
crypto: hisilicon/hpre - delete redundant '\n'
crypto: hisilicon/hpre - delete the rudundant space after return
crypto: hisilicon/hpre - use the correct variable type
crypto: hisilicon/hpre - add debug log
crypto: hisilicon/hpre - delete redundant log and return in advance
crypto: testmgr - fix initialization of 'secret_size'
crypto: ecdh - extend 'cra_driver_name' with curve name
crypto: hisilicon/hpre - extend 'cra_driver_name' with curve name
crypto: hisilicon/hpre - fix unmapping invalid dma address
crypto: hisilicon/hpre - the macro 'HPRE_ADDR' expands
crypto: hisilicon/hpre - init a structure member each line
crypto: hisilicon/hpre - replace macro with inline function
crypto: hisilicon/hpre - remove the macro of 'HPRE_DEV'
crypto: hisilicon/hpre - delete rudundant initialization
crypto: hisilicon/hpre - use 'GENMASK' to generate mask value
crypto: hisilicon/hpre - delete rudundant macro definition
crypto: hisilicon/hpre - add 'default' for switch statement
crypto: ecdh - fix ecdh-nist-p192's entry in testmgr
crypto: ecdh - fix 'ecdh_init'
crypto: ecdh - register NIST P384 tfm
crypto: ecdh - add test suite for NIST P384
crypto: hisilicon/hpre - fix ecdh self test issue
crypto: hisilicon/hpre - add check before gx modulo p
crypto: hisilicon/hpre - register ecdh NIST P384
Kai Ye (36):
crypto: hisilicon/sec2 - Fix aead authentication setting key error
uacce: delete some redundant code.
uacce: modify the module author information.
crypto: hisilicon/qm - SVA bugfixed on Kunpeng920
crypto: hisilicon - add ZIP device using mode parameter
crypto: hisilicon/hpre - register HPRE device to uacce
crypto: hisilicon/sec - register SEC device to uacce
uacce: delete unneeded variable initialization
crypto: hisilicon/sec - fixup checking the 3DES weak key
crypto: hisilicon/qm - delete redundant code
crypto: hisilicon/sec - use the correct print format
crypto: hisilicon/sgl - add a comment for block size initialization
crypto: hisilicon/sgl - delete unneeded variable initialization
crypto: hisilicon/sgl - add some dfx logs
crypto: hisilicon/sgl - fix the soft sg map to hardware sg
crypto: hisilicon/sgl - fix the sg buf unmap
crypto: hisilicon/qm - add dfx log if not use hardware crypto algs
crypto: hisilicon/qm - fix the process of VF's list adding
crypto: hisilicon/sec - add new type of SQE
crypto: hisilicon/sec - driver adapt to new SQE
crypto: hisilicon/sec - add new skcipher mode for SEC
crypto: hisilicon/sec - add fallback tfm supporting for XTS mode
crypto: hisilicon/sec - fixup 3des minimum key size declaration
crypto: hisilicon/sec - add new algorithm mode for AEAD
crypto: hisilicon/sec - add fallback tfm supporting for aeads
crypto: hisilicon/sec - add hardware integrity check value process
crypto: hisilicon/sec - modify the SEC request structure
uacce: add print information if not enable sva
crypto: hisilicon/qm - supports writing QoS int the host
crypto: hisilicon/qm - add the "alg_qos" file node
crypto: hisilicon/qm - merges the work initialization process into a
single function
crypto: hisilicon/qm - add pf ping single vf function
crypto: hisilicon/qm - supports to inquiry each function's QoS
crypto: hisilicon/sec - adds the max shaper type rate
crypto: hisilicon/hpre - adds the max shaper type rate
crypto: hisilicon/zip - adds the max shaper type rate
Lee Jones (1):
crypto: hisilicon/sec - Supply missing description for
'sec_queue_empty()'s 'queue' param
Longfang Liu (7):
crypto: hisilicon - delete unused structure member variables
crypto: hisilicon - fixes some coding style
crypto: hisilicon/sec - fixes some coding style
crypto: hisilicon/sec - fixes some driver coding style
crypto: hisilicon/sec - Fixes AES algorithm mode parameter problem
crypto: hisilicon/sec - Fix a module parameter error
crypto: hisilicon/qm - support address prefetching
Meng Yu (10):
crypto: hisilicon/hpre - add version adapt to new algorithms
crypto: hisilicon/hpre - add algorithm type
crypto: ecdh - move curve_id of ECDH from the key to algorithm name
crypto: ecc - expose ecc curves
crypto: ecc - add curve25519 params and expose them
crypto: hisilicon/hpre - add 'ECDH' algorithm
crypto: hisilicon/hpre - add 'CURVE25519' algorithm
crypto: ecc - Correct an error in the comments
crypto: hisilicon/hpre - Add processing of src_data in 'CURVE25519'
crypto: ecc - delete a useless function declaration
Ruiqi Gong (1):
crypto: hisilicon/hpre - fix a typo in hpre_crypto.c
Saulo Alessandre (3):
crypto: ecc - Add NIST P384 curve parameters
crypto: ecc - Add math to support fast NIST P384
crypto: ecdsa - Register NIST P384 and extend test suite
Shiju Jose (1):
crypto: hisilicon - Fix doc warnings in sgl.c and qm.c
Sihang Chen (1):
crypto: hisilicon/qm - update irqflag
Stefan Berger (2):
oid_registry: Add OIDs for ECDSA with SHA224/256/384/512
crypto: ecdsa - Add support for ECDSA signature verification
Weili Qian (37):
crypto: hisilicon/qm - numbers are replaced by macros
crypto: hisilicon/qm - modify the return type of function
crypto: hisilicon/qm - modify the return type of debugfs interface
crypto: hisilicon/qm - modify return type of 'qm_set_sqctype'
crypto: hisilicon/qm - replace 'sprintf' with 'scnprintf'
crypto: hisilicon/qm - split 'qm_qp_ctx_cfg' into smaller pieces
crypto: hisilicon/qm - split 'qm_eq_ctx_cfg' into smaller pieces
crypto: hisilicon/qm - split 'hisi_qm_init' into smaller pieces
hwrng: hisi - remove HiSilicon TRNG driver
crypto: hisilicon/trng - add HiSilicon TRNG driver support
crypto: hisilicon/trng - add support for PRNG
crypto: hisilicon/qm - fix use of 'dma_map_single'
crypto: hisilicon - PASID fixed on Kunpeng 930
crypto: hisilicon/qm - removing driver after reset
crypto: hisilicon/qm - fix request missing error
crypto: hisilicon/qm - fix the value of 'QM_SQC_VFT_BASE_MASK_V2'
crypto: hisilicon/qm - do not reset hardware when CE happens
crypto: hisilicon/qm - fix printing format issue
crypto: hisilicon/qm - set the total number of queues
crypto: hisilicon/qm - move 'CURRENT_QM' code to qm.c
crypto: hisilicon/qm - set the number of queues for function
crypto: hisilicon/qm - add queue isolation support for Kunpeng930
crypto: hisilicon/qm - add stop queue by hardware
crypto: hisilicon/trng - add version to adapt new algorithm
crypto: hisilicon - dynamic configuration 'err_info'
crypto: hisilicon - support new error types for ZIP
crypto: hisilicon - add new error type for SEC
crypto: hisilicon - enable new error types for QM
crypto: hisilicon/qm - initialize the device before doing tasks
crypto: hisilicon/qm - modify 'QM_RESETTING' clearing error
crypto: hisilicon/qm - adjust order of device error configuration
crypto: hisilicon/qm - enable to close master ooo when NFE occurs
crypto: hisilicon/qm - add MSI detection steps on Kunpeng930
crypto: hisilicon/qm - adjust reset interface
crypto: hisilicon/qm - enable PF and VFs communication
crypto: hisilicon/qm - add callback to support communication
crypto: hisilicon/qm - update reset flow
Wenkai Lin (1):
crypto: hisilicon/qm - implement for querying hardware tasks status.
Yang Shen (5):
crypto: hisilicon/zip - add a work_queue for zip irq
crypto: hisilicon/zip - adjust functions location
crypto: hisilicon/zip - add comments for 'hisi_zip_sqe'
crypto: hisilicon/zip - initialize operations about 'sqe' in
'acomp_alg.init'
crypto: hisilicon/zip - support new 'sqe' type in Kunpeng930
Yejune Deng (1):
crypto: hisilicon/trng - replace atomic_add_return()
Zou Wei (1):
crypto: hisilicon - switch to memdup_user_nul()
arch/arm/crypto/sha1-ce-glue.c | 2 +-
arch/arm/crypto/sha1.h | 2 +-
arch/arm/crypto/sha1_glue.c | 2 +-
arch/arm/crypto/sha1_neon_glue.c | 2 +-
arch/arm/crypto/sha2-ce-glue.c | 2 +-
arch/arm/crypto/sha256_glue.c | 2 +-
arch/arm/crypto/sha256_neon_glue.c | 2 +-
arch/arm/crypto/sha512-glue.c | 2 +-
arch/arm/crypto/sha512-neon-glue.c | 2 +-
arch/arm64/configs/defconfig | 1 +
arch/arm64/crypto/aes-glue.c | 2 +-
arch/arm64/crypto/sha1-ce-glue.c | 2 +-
arch/arm64/crypto/sha2-ce-glue.c | 2 +-
arch/arm64/crypto/sha256-glue.c | 2 +-
arch/arm64/crypto/sha512-ce-glue.c | 2 +-
arch/arm64/crypto/sha512-glue.c | 2 +-
arch/mips/cavium-octeon/crypto/octeon-sha1.c | 2 +-
.../mips/cavium-octeon/crypto/octeon-sha256.c | 2 +-
.../mips/cavium-octeon/crypto/octeon-sha512.c | 2 +-
arch/powerpc/crypto/sha1-spe-glue.c | 2 +-
arch/powerpc/crypto/sha1.c | 2 +-
arch/powerpc/crypto/sha256-spe-glue.c | 2 +-
arch/s390/crypto/sha.h | 3 +-
arch/s390/crypto/sha1_s390.c | 2 +-
arch/s390/crypto/sha256_s390.c | 2 +-
arch/s390/crypto/sha3_256_s390.c | 1 -
arch/s390/crypto/sha3_512_s390.c | 1 -
arch/s390/crypto/sha512_s390.c | 2 +-
arch/s390/purgatory/purgatory.c | 2 +-
arch/sparc/crypto/sha1_glue.c | 2 +-
arch/sparc/crypto/sha256_glue.c | 2 +-
arch/sparc/crypto/sha512_glue.c | 2 +-
arch/x86/crypto/sha1_ssse3_glue.c | 2 +-
arch/x86/crypto/sha256_ssse3_glue.c | 2 +-
arch/x86/crypto/sha512_ssse3_glue.c | 2 +-
arch/x86/purgatory/purgatory.c | 2 +-
crypto/Kconfig | 10 +
crypto/Makefile | 6 +
crypto/asymmetric_keys/asym_tpm.c | 2 +-
crypto/ecc.c | 291 +-
crypto/ecc.h | 49 +-
crypto/ecc_curve_defs.h | 49 +
crypto/ecdh.c | 117 +-
crypto/ecdh_helper.c | 4 +-
crypto/ecdsa.c | 376 +++
crypto/ecdsasignature.asn1 | 4 +
crypto/sha1_generic.c | 2 +-
crypto/sha256_generic.c | 2 +-
crypto/sha512_generic.c | 2 +-
crypto/testmgr.c | 35 +-
crypto/testmgr.h | 527 +++-
drivers/char/hw_random/Kconfig | 13 -
drivers/char/hw_random/Makefile | 1 -
drivers/char/hw_random/hisi-trng-v2.c | 99 -
drivers/char/random.c | 2 +-
drivers/crypto/allwinner/sun4i-ss/sun4i-ss.h | 2 +-
.../crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 3 +-
drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 3 +-
.../crypto/allwinner/sun8i-ss/sun8i-ss-hash.c | 3 +-
drivers/crypto/allwinner/sun8i-ss/sun8i-ss.h | 3 +-
drivers/crypto/amcc/crypto4xx_alg.c | 2 +-
drivers/crypto/amcc/crypto4xx_core.c | 2 +-
drivers/crypto/atmel-authenc.h | 3 +-
drivers/crypto/atmel-ecc.c | 28 +-
drivers/crypto/atmel-sha.c | 3 +-
drivers/crypto/axis/artpec6_crypto.c | 3 +-
drivers/crypto/bcm/cipher.c | 3 +-
drivers/crypto/bcm/cipher.h | 3 +-
drivers/crypto/bcm/spu.h | 3 +-
drivers/crypto/caam/compat.h | 3 +-
drivers/crypto/cavium/nitrox/nitrox_aead.c | 1 -
drivers/crypto/ccp/ccp-crypto-sha.c | 3 +-
drivers/crypto/ccp/ccp-crypto.h | 3 +-
drivers/crypto/ccree/cc_driver.h | 3 +-
drivers/crypto/chelsio/chcr_algo.c | 3 +-
drivers/crypto/hisilicon/Kconfig | 10 +
drivers/crypto/hisilicon/Makefile | 1 +
drivers/crypto/hisilicon/hpre/hpre.h | 26 +-
drivers/crypto/hisilicon/hpre/hpre_crypto.c | 1052 ++++++-
drivers/crypto/hisilicon/hpre/hpre_main.c | 489 +--
drivers/crypto/hisilicon/qm.c | 2716 +++++++++++++----
drivers/crypto/hisilicon/qm.h | 81 +-
drivers/crypto/hisilicon/sec/sec_algs.c | 2 +-
drivers/crypto/hisilicon/sec/sec_drv.c | 13 +-
drivers/crypto/hisilicon/sec/sec_drv.h | 2 +-
drivers/crypto/hisilicon/sec2/sec.h | 35 +-
drivers/crypto/hisilicon/sec2/sec_crypto.c | 1170 +++++--
drivers/crypto/hisilicon/sec2/sec_crypto.h | 199 +-
drivers/crypto/hisilicon/sec2/sec_main.c | 415 ++-
drivers/crypto/hisilicon/sgl.c | 39 +-
drivers/crypto/hisilicon/trng/Makefile | 2 +
drivers/crypto/hisilicon/trng/trng.c | 341 +++
drivers/crypto/hisilicon/zip/zip.h | 50 +-
drivers/crypto/hisilicon/zip/zip_crypto.c | 710 +++--
drivers/crypto/hisilicon/zip/zip_main.c | 249 +-
drivers/crypto/img-hash.c | 3 +-
drivers/crypto/inside-secure/safexcel.h | 3 +-
.../crypto/inside-secure/safexcel_cipher.c | 3 +-
drivers/crypto/inside-secure/safexcel_hash.c | 3 +-
drivers/crypto/ixp4xx_crypto.c | 2 +-
drivers/crypto/marvell/cesa/hash.c | 3 +-
.../crypto/marvell/octeontx/otx_cptvf_algs.c | 3 +-
drivers/crypto/mediatek/mtk-sha.c | 3 +-
drivers/crypto/mxs-dcp.c | 3 +-
drivers/crypto/n2_core.c | 3 +-
drivers/crypto/nx/nx-sha256.c | 2 +-
drivers/crypto/nx/nx-sha512.c | 2 +-
drivers/crypto/nx/nx.c | 2 +-
drivers/crypto/omap-sham.c | 3 +-
drivers/crypto/padlock-sha.c | 3 +-
drivers/crypto/picoxcell_crypto.c | 3 +-
drivers/crypto/qat/qat_common/qat_algs.c | 3 +-
drivers/crypto/qce/common.c | 3 +-
drivers/crypto/qce/core.c | 1 -
drivers/crypto/qce/sha.h | 3 +-
drivers/crypto/rockchip/rk3288_crypto.h | 3 +-
drivers/crypto/s5p-sss.c | 3 +-
drivers/crypto/sa2ul.c | 3 +-
drivers/crypto/sa2ul.h | 2 +
drivers/crypto/sahara.c | 3 +-
drivers/crypto/stm32/stm32-hash.c | 3 +-
drivers/crypto/talitos.c | 3 +-
drivers/crypto/ux500/hash/hash_core.c | 3 +-
drivers/firmware/efi/embedded-firmware.c | 2 +-
drivers/misc/uacce/uacce.c | 26 +-
.../inline_crypto/ch_ipsec/chcr_ipsec.c | 3 +-
.../chelsio/inline_crypto/chtls/chtls.h | 3 +-
drivers/nfc/s3fwrn5/firmware.c | 2 +-
drivers/tee/tee_core.c | 2 +-
fs/crypto/fname.c | 2 +-
fs/crypto/hkdf.c | 2 +-
fs/ubifs/auth.c | 1 -
fs/verity/fsverity_private.h | 2 +-
include/crypto/ecc_curve.h | 60 +
include/crypto/ecdh.h | 3 +-
include/crypto/hash_info.h | 3 +-
include/crypto/sha1.h | 46 +
include/crypto/sha1_base.h | 2 +-
include/crypto/{sha.h => sha2.h} | 41 +-
include/crypto/sha256_base.h | 2 +-
include/crypto/sha512_base.h | 2 +-
include/linux/ccp.h | 3 +-
include/linux/filter.h | 2 +-
include/linux/oid_registry.h | 6 +-
include/linux/purgatory.h | 2 +-
include/uapi/misc/uacce/hisi_qm.h | 1 +
kernel/crash_core.c | 2 +-
kernel/kexec_core.c | 1 -
kernel/kexec_file.c | 2 +-
lib/crypto/sha256.c | 2 +-
lib/digsig.c | 2 +-
lib/sha1.c | 2 +-
net/bluetooth/ecdh_helper.c | 2 -
net/bluetooth/selftest.c | 2 +-
net/bluetooth/smp.c | 6 +-
net/ipv6/seg6_hmac.c | 1 -
net/mptcp/crypto.c | 2 +-
net/mptcp/options.c | 2 +-
net/mptcp/subflow.c | 2 +-
security/integrity/integrity.h | 2 +-
security/keys/encrypted-keys/encrypted.c | 2 +-
security/keys/trusted-keys/trusted_tpm1.c | 2 +-
sound/soc/codecs/cros_ec_codec.c | 2 +-
163 files changed, 7589 insertions(+), 2085 deletions(-)
create mode 100644 crypto/ecdsa.c
create mode 100644 crypto/ecdsasignature.asn1
delete mode 100644 drivers/char/hw_random/hisi-trng-v2.c
create mode 100644 drivers/crypto/hisilicon/trng/Makefile
create mode 100644 drivers/crypto/hisilicon/trng/trng.c
create mode 100644 include/crypto/ecc_curve.h
create mode 100644 include/crypto/sha1.h
rename include/crypto/{sha.h => sha2.h} (77%)
--
2.20.1
1
143
[PATCH openEuler-1.0-LTS] ARM: footbridge: remove personal server platform
by Yang Yingliang 21 Jul '21
by Yang Yingliang 21 Jul '21
21 Jul '21
From: Russell King <rmk+kernel(a)armlinux.org.uk>
mainline inclusion
from mainline-v5.13-rc1
commit 298a58e165e447ccfaae35fe9f651f9d7e15166f
category: bugfix
bugzilla: NA
CVE: CVE-2021-32078
--------------------------------
Remove the personal server platform, as that has had an array overrun
issue identified. It is believed that no one is using this code.
Signed-off-by: Russell King <rmk+kernel(a)armlinux.org.uk>
Conflicts:
arch/arm/mach-footbridge/Kconfig
arch/arm/mach-footbridge/personal-pci.c
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
---
arch/arm/configs/footbridge_defconfig | 1 -
arch/arm/mach-footbridge/Kconfig | 21 ---------
arch/arm/mach-footbridge/Makefile | 2 -
arch/arm/mach-footbridge/personal-pci.c | 58 -------------------------
arch/arm/mach-footbridge/personal.c | 25 -----------
5 files changed, 107 deletions(-)
delete mode 100644 arch/arm/mach-footbridge/personal-pci.c
delete mode 100644 arch/arm/mach-footbridge/personal.c
diff --git a/arch/arm/configs/footbridge_defconfig b/arch/arm/configs/footbridge_defconfig
index 3a7938f244e56..2aa3ebeb89d7f 100644
--- a/arch/arm/configs/footbridge_defconfig
+++ b/arch/arm/configs/footbridge_defconfig
@@ -7,7 +7,6 @@ CONFIG_EXPERT=y
CONFIG_MODULES=y
CONFIG_ARCH_FOOTBRIDGE=y
CONFIG_ARCH_CATS=y
-CONFIG_ARCH_PERSONAL_SERVER=y
CONFIG_ARCH_EBSA285_HOST=y
CONFIG_ARCH_NETWINDER=y
CONFIG_LEDS=y
diff --git a/arch/arm/mach-footbridge/Kconfig b/arch/arm/mach-footbridge/Kconfig
index cbbdd84cf49ad..84c400f96aa21 100644
--- a/arch/arm/mach-footbridge/Kconfig
+++ b/arch/arm/mach-footbridge/Kconfig
@@ -15,27 +15,6 @@ config ARCH_CATS
Saying N will reduce the size of the Footbridge kernel.
-config ARCH_PERSONAL_SERVER
- bool "Compaq Personal Server"
- select FOOTBRIDGE_HOST
- select ISA
- select ISA_DMA
- select PCI
- ---help---
- Say Y here if you intend to run this kernel on the Compaq
- Personal Server.
-
- Saying N will reduce the size of the Footbridge kernel.
-
- The Compaq Personal Server is not available for purchase.
- There are no product plans beyond the current research
- prototypes at this time. Information is available at:
-
- <http://www.crl.hpl.hp.com/projects/personalserver/>
-
- If you have any questions or comments about the Compaq Personal
- Server, send e-mail to <skiff(a)crl.dec.com>.
-
config ARCH_EBSA285_ADDIN
bool "EBSA285 (addin mode)"
select ARCH_EBSA285
diff --git a/arch/arm/mach-footbridge/Makefile b/arch/arm/mach-footbridge/Makefile
index a09f1041f1413..6262993c05558 100644
--- a/arch/arm/mach-footbridge/Makefile
+++ b/arch/arm/mach-footbridge/Makefile
@@ -11,12 +11,10 @@ pci-y += dc21285.o
pci-$(CONFIG_ARCH_CATS) += cats-pci.o
pci-$(CONFIG_ARCH_EBSA285_HOST) += ebsa285-pci.o
pci-$(CONFIG_ARCH_NETWINDER) += netwinder-pci.o
-pci-$(CONFIG_ARCH_PERSONAL_SERVER) += personal-pci.o
obj-$(CONFIG_ARCH_CATS) += cats-hw.o isa-timer.o
obj-$(CONFIG_ARCH_EBSA285) += ebsa285.o dc21285-timer.o
obj-$(CONFIG_ARCH_NETWINDER) += netwinder-hw.o isa-timer.o
-obj-$(CONFIG_ARCH_PERSONAL_SERVER) += personal.o dc21285-timer.o
obj-$(CONFIG_PCI) +=$(pci-y)
diff --git a/arch/arm/mach-footbridge/personal-pci.c b/arch/arm/mach-footbridge/personal-pci.c
deleted file mode 100644
index 4391e433a4b2f..0000000000000
--- a/arch/arm/mach-footbridge/personal-pci.c
+++ /dev/null
@@ -1,58 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * linux/arch/arm/mach-footbridge/personal-pci.c
- *
- * PCI bios-type initialisation for PCI machines
- *
- * Bits taken from various places.
- */
-#include <linux/kernel.h>
-#include <linux/pci.h>
-#include <linux/init.h>
-
-#include <asm/irq.h>
-#include <asm/mach/pci.h>
-#include <asm/mach-types.h>
-
-static int irqmap_personal_server[] __initdata = {
- IRQ_IN0, IRQ_IN1, IRQ_IN2, IRQ_IN3, 0, 0, 0,
- IRQ_DOORBELLHOST, IRQ_DMA1, IRQ_DMA2, IRQ_PCI
-};
-
-static int __init personal_server_map_irq(const struct pci_dev *dev, u8 slot,
- u8 pin)
-{
- unsigned char line;
-
- pci_read_config_byte(dev, PCI_INTERRUPT_LINE, &line);
-
- if (line > 0x40 && line <= 0x5f) {
- /* line corresponds to the bit controlling this interrupt
- * in the footbridge. Ignore the first 8 interrupt bits,
- * look up the rest in the map. IN0 is bit number 8
- */
- return irqmap_personal_server[(line & 0x1f) - 8];
- } else if (line == 0) {
- /* no interrupt */
- return 0;
- } else
- return irqmap_personal_server[(line - 1) & 3];
-}
-
-static struct hw_pci personal_server_pci __initdata = {
- .map_irq = personal_server_map_irq,
- .nr_controllers = 1,
- .ops = &dc21285_ops,
- .setup = dc21285_setup,
- .preinit = dc21285_preinit,
- .postinit = dc21285_postinit,
-};
-
-static int __init personal_pci_init(void)
-{
- if (machine_is_personal_server())
- pci_common_init(&personal_server_pci);
- return 0;
-}
-
-subsys_initcall(personal_pci_init);
diff --git a/arch/arm/mach-footbridge/personal.c b/arch/arm/mach-footbridge/personal.c
deleted file mode 100644
index ca715754fc007..0000000000000
--- a/arch/arm/mach-footbridge/personal.c
+++ /dev/null
@@ -1,25 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * linux/arch/arm/mach-footbridge/personal.c
- *
- * Personal server (Skiff) machine fixup
- */
-#include <linux/init.h>
-#include <linux/spinlock.h>
-
-#include <asm/hardware/dec21285.h>
-#include <asm/mach-types.h>
-
-#include <asm/mach/arch.h>
-
-#include "common.h"
-
-MACHINE_START(PERSONAL_SERVER, "Compaq-PersonalServer")
- /* Maintainer: Jamey Hicks / George France */
- .atag_offset = 0x100,
- .map_io = footbridge_map_io,
- .init_irq = footbridge_init_irq,
- .init_time = footbridge_timer_init,
- .restart = footbridge_restart,
-MACHINE_END
-
--
2.25.1
1
0
21 Jul '21
From: Russell King <rmk+kernel(a)armlinux.org.uk>
mainline inclusion
from mainline-v5.13-rc1
commit 298a58e165e447ccfaae35fe9f651f9d7e15166f
category: bugfix
bugzilla: NA
CVE: CVE-2021-32078
--------------------------------
Remove the personal server platform, as that has had an array overrun
issue identified. It is believed that no one is using this code.
Signed-off-by: Russell King <rmk+kernel(a)armlinux.org.uk>
Conflicts:
arch/arm/mach-footbridge/Kconfig
arch/arm/mach-footbridge/personal-pci.c
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
---
arch/arm/configs/footbridge_defconfig | 1 -
arch/arm/mach-footbridge/Kconfig | 21 ---------
arch/arm/mach-footbridge/Makefile | 2 -
arch/arm/mach-footbridge/personal-pci.c | 57 -------------------------
arch/arm/mach-footbridge/personal.c | 25 -----------
5 files changed, 106 deletions(-)
delete mode 100644 arch/arm/mach-footbridge/personal-pci.c
delete mode 100644 arch/arm/mach-footbridge/personal.c
diff --git a/arch/arm/configs/footbridge_defconfig b/arch/arm/configs/footbridge_defconfig
index 3a7938f244e56..2aa3ebeb89d7f 100644
--- a/arch/arm/configs/footbridge_defconfig
+++ b/arch/arm/configs/footbridge_defconfig
@@ -7,7 +7,6 @@ CONFIG_EXPERT=y
CONFIG_MODULES=y
CONFIG_ARCH_FOOTBRIDGE=y
CONFIG_ARCH_CATS=y
-CONFIG_ARCH_PERSONAL_SERVER=y
CONFIG_ARCH_EBSA285_HOST=y
CONFIG_ARCH_NETWINDER=y
CONFIG_LEDS=y
diff --git a/arch/arm/mach-footbridge/Kconfig b/arch/arm/mach-footbridge/Kconfig
index cbbdd84cf49ad..84c400f96aa21 100644
--- a/arch/arm/mach-footbridge/Kconfig
+++ b/arch/arm/mach-footbridge/Kconfig
@@ -15,27 +15,6 @@ config ARCH_CATS
Saying N will reduce the size of the Footbridge kernel.
-config ARCH_PERSONAL_SERVER
- bool "Compaq Personal Server"
- select FOOTBRIDGE_HOST
- select ISA
- select ISA_DMA
- select PCI
- ---help---
- Say Y here if you intend to run this kernel on the Compaq
- Personal Server.
-
- Saying N will reduce the size of the Footbridge kernel.
-
- The Compaq Personal Server is not available for purchase.
- There are no product plans beyond the current research
- prototypes at this time. Information is available at:
-
- <http://www.crl.hpl.hp.com/projects/personalserver/>
-
- If you have any questions or comments about the Compaq Personal
- Server, send e-mail to <skiff(a)crl.dec.com>.
-
config ARCH_EBSA285_ADDIN
bool "EBSA285 (addin mode)"
select ARCH_EBSA285
diff --git a/arch/arm/mach-footbridge/Makefile b/arch/arm/mach-footbridge/Makefile
index a09f1041f1413..6262993c05558 100644
--- a/arch/arm/mach-footbridge/Makefile
+++ b/arch/arm/mach-footbridge/Makefile
@@ -11,12 +11,10 @@ pci-y += dc21285.o
pci-$(CONFIG_ARCH_CATS) += cats-pci.o
pci-$(CONFIG_ARCH_EBSA285_HOST) += ebsa285-pci.o
pci-$(CONFIG_ARCH_NETWINDER) += netwinder-pci.o
-pci-$(CONFIG_ARCH_PERSONAL_SERVER) += personal-pci.o
obj-$(CONFIG_ARCH_CATS) += cats-hw.o isa-timer.o
obj-$(CONFIG_ARCH_EBSA285) += ebsa285.o dc21285-timer.o
obj-$(CONFIG_ARCH_NETWINDER) += netwinder-hw.o isa-timer.o
-obj-$(CONFIG_ARCH_PERSONAL_SERVER) += personal.o dc21285-timer.o
obj-$(CONFIG_PCI) +=$(pci-y)
diff --git a/arch/arm/mach-footbridge/personal-pci.c b/arch/arm/mach-footbridge/personal-pci.c
deleted file mode 100644
index 9d19aa98a663e..0000000000000
--- a/arch/arm/mach-footbridge/personal-pci.c
+++ /dev/null
@@ -1,57 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * linux/arch/arm/mach-footbridge/personal-pci.c
- *
- * PCI bios-type initialisation for PCI machines
- *
- * Bits taken from various places.
- */
-#include <linux/kernel.h>
-#include <linux/pci.h>
-#include <linux/init.h>
-
-#include <asm/irq.h>
-#include <asm/mach/pci.h>
-#include <asm/mach-types.h>
-
-static int irqmap_personal_server[] = {
- IRQ_IN0, IRQ_IN1, IRQ_IN2, IRQ_IN3, 0, 0, 0,
- IRQ_DOORBELLHOST, IRQ_DMA1, IRQ_DMA2, IRQ_PCI
-};
-
-static int personal_server_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
-{
- unsigned char line;
-
- pci_read_config_byte(dev, PCI_INTERRUPT_LINE, &line);
-
- if (line > 0x40 && line <= 0x5f) {
- /* line corresponds to the bit controlling this interrupt
- * in the footbridge. Ignore the first 8 interrupt bits,
- * look up the rest in the map. IN0 is bit number 8
- */
- return irqmap_personal_server[(line & 0x1f) - 8];
- } else if (line == 0) {
- /* no interrupt */
- return 0;
- } else
- return irqmap_personal_server[(line - 1) & 3];
-}
-
-static struct hw_pci personal_server_pci __initdata = {
- .map_irq = personal_server_map_irq,
- .nr_controllers = 1,
- .ops = &dc21285_ops,
- .setup = dc21285_setup,
- .preinit = dc21285_preinit,
- .postinit = dc21285_postinit,
-};
-
-static int __init personal_pci_init(void)
-{
- if (machine_is_personal_server())
- pci_common_init(&personal_server_pci);
- return 0;
-}
-
-subsys_initcall(personal_pci_init);
diff --git a/arch/arm/mach-footbridge/personal.c b/arch/arm/mach-footbridge/personal.c
deleted file mode 100644
index ca715754fc007..0000000000000
--- a/arch/arm/mach-footbridge/personal.c
+++ /dev/null
@@ -1,25 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * linux/arch/arm/mach-footbridge/personal.c
- *
- * Personal server (Skiff) machine fixup
- */
-#include <linux/init.h>
-#include <linux/spinlock.h>
-
-#include <asm/hardware/dec21285.h>
-#include <asm/mach-types.h>
-
-#include <asm/mach/arch.h>
-
-#include "common.h"
-
-MACHINE_START(PERSONAL_SERVER, "Compaq-PersonalServer")
- /* Maintainer: Jamey Hicks / George France */
- .atag_offset = 0x100,
- .map_io = footbridge_map_io,
- .init_irq = footbridge_init_irq,
- .init_time = footbridge_timer_init,
- .restart = footbridge_restart,
-MACHINE_END
-
--
2.25.1
1
0
[PATCH kernel-4.19] mm: slab: fix kmem_cache_create failed when sysfs node not destroyed
by Yang Yingliang 21 Jul '21
by Yang Yingliang 21 Jul '21
21 Jul '21
From: Nanyong Sun <sunnanyong(a)huawei.com>
hulk inclusion
category: bugfix
bugzilla: 174641
CVE: NA
------------------------------------
The commit d38a2b7a9c93 ("mm: memcg/slab: fix memory leak at non-root
kmem_cache destroy") introduced a problem: If one thread destroy a
kmem_cache A and another thread concurrently create a kmem_cache B,
which is mergeable with A and has same size with A, the B may fail to
create due to the duplicate sysfs node.
The scenario in detail:
1) Thread 1 uses kmem_cache_destroy() to destroy kmem_cache A which is
mergeable, it decreases A's refcount and if refcount is 0, then call
memcg_set_kmem_cache_dying() which set A->memcg_params.dying = true,
then unlock the slab_mutex and call flush_memcg_workqueue(), it may cost
a while.
Note: now the sysfs node(like '/kernel/slab/:0000248') of A is still
present, it will be deleted in shutdown_cache() which will be called
after flush_memcg_workqueue() is done and lock the slab_mutex again.
2) Now if thread 2 is coming, it use kmem_cache_create() to create B, which
is mergeable with A(their size is same), it gain the lock of slab_mutex,
then call __kmem_cache_alias() trying to find a mergeable node, because
of the below added code in commit d38a2b7a9c93 ("mm: memcg/slab: fix
memory leak at non-root kmem_cache destroy"), B is not mergeable with
A whose memcg_params.dying is true.
int slab_unmergeable(struct kmem_cache *s)
if (s->refcount < 0)
return 1;
/*
* Skip the dying kmem_cache.
*/
if (s->memcg_params.dying)
return 1;
return 0;
}
So B has to create its own sysfs node by calling:
create_cache->
__kmem_cache_create->
sysfs_slab_add->
kobject_init_and_add
Because B is mergeable itself, its filename of sysfs node is based on its size,
like '/kernel/slab/:0000248', which is duplicate with A, and the sysfs
node of A is still present now, so kobject_init_and_add() will return
fail and result in kmem_cache_create() fail.
Concurrently modprobe and rmmod the two modules below can reproduce the issue
quickly: nf_conntrack_expect, se_sess_cache. See call trace in the end.
LTS versions of v4.19.y and v5.4.y have this problem, whereas linux versions after
v5.9 do not have this problem because the patchset: ("The new cgroup slab memory
controller") almost refactored memcg slab.
A potential solution(this patch belongs): Just let the dying kmem_cache be mergeable,
the slab_mutex lock can prevent the race between alias kmem_cache creating thread
and root kmem_cache destroying thread. In the destroying thread, after
flush_memcg_workqueue() is done, judge the refcount again, if someone
reference it again during un-lock time, we don't need to destroy the kmem_cache
completely, we can reuse it.
Another potential solution: revert the commit d38a2b7a9c93 ("mm: memcg/slab:
fix memory leak at non-root kmem_cache destroy"), compare to the fail of
kmem_cache_create, the memory leak in special scenario seems less harmful.
Call trace:
sysfs: cannot create duplicate filename '/kernel/slab/:0000248'
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
dump_backtrace+0x0/0x198
show_stack+0x24/0x30
dump_stack+0xb0/0x100
sysfs_warn_dup+0x6c/0x88
sysfs_create_dir_ns+0x104/0x120
kobject_add_internal+0xd0/0x378
kobject_init_and_add+0x90/0xd8
sysfs_slab_add+0x16c/0x2d0
__kmem_cache_create+0x16c/0x1d8
create_cache+0xbc/0x1f8
kmem_cache_create_usercopy+0x1a0/0x230
kmem_cache_create+0x50/0x68
init_se_kmem_caches+0x38/0x258 [target_core_mod]
target_core_init_configfs+0x8c/0x390 [target_core_mod]
do_one_initcall+0x54/0x230
do_init_module+0x64/0x1ec
load_module+0x150c/0x16f0
__se_sys_finit_module+0xf0/0x108
__arm64_sys_finit_module+0x24/0x30
el0_svc_common+0x80/0x1c0
el0_svc_handler+0x78/0xe0
el0_svc+0x10/0x260
kobject_add_internal failed for :0000248 with -EEXIST, don't try to register things with the same name in the same directory.
kmem_cache_create(se_sess_cache) failed with error -17
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
dump_backtrace+0x0/0x198
show_stack+0x24/0x30
dump_stack+0xb0/0x100
kmem_cache_create_usercopy+0xa8/0x230
kmem_cache_create+0x50/0x68
init_se_kmem_caches+0x38/0x258 [target_core_mod]
target_core_init_configfs+0x8c/0x390 [target_core_mod]
do_one_initcall+0x54/0x230
do_init_module+0x64/0x1ec
load_module+0x150c/0x16f0
__se_sys_finit_module+0xf0/0x108
__arm64_sys_finit_module+0x24/0x30
el0_svc_common+0x80/0x1c0
el0_svc_handler+0x78/0xe0
el0_svc+0x10/0x260
Fixes: d38a2b7a9c93 ("mm: memcg/slab: fix memory leak at non-root kmem_cache destroy")
Signed-off-by: Nanyong Sun <sunnanyong(a)huawei.com>
Cc: stable(a)vger.kernel.org
Reviewed-by: tong tiangen <tongtiangen(a)huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
---
mm/slab_common.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d208b47e01a8e..acc743315bb5c 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -326,14 +326,6 @@ int slab_unmergeable(struct kmem_cache *s)
if (s->refcount < 0)
return 1;
-#ifdef CONFIG_MEMCG_KMEM
- /*
- * Skip the dying kmem_cache.
- */
- if (s->memcg_params.dying)
- return 1;
-#endif
-
return 0;
}
@@ -947,6 +939,16 @@ void kmem_cache_destroy(struct kmem_cache *s)
get_online_mems();
mutex_lock(&slab_mutex);
+
+ /*
+ *Another thread referenced it again
+ */
+ if (READ_ONCE(s->refcount)) {
+ spin_lock_irq(&memcg_kmem_wq_lock);
+ s->memcg_params.dying = false;
+ spin_unlock_irq(&memcg_kmem_wq_lock);
+ goto out_unlock;
+ }
#endif
err = shutdown_memcg_caches(s);
--
2.25.1
1
0