From bf9f0884fe92f1ed70575ab71d1c4113728a12b4 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 9 Sep 2016 13:32:42 +0200 Subject: [PATCH 01/12] Revert "can: fix handling of unmodifiable configuration options fix" This reverts commit 6f8f768a3586b6fbd50e249e7fe4f964a6994685 which was bce271f255dae8335dc4d2ee2c4531e09cc67f5a upstream. It was applied incorrectly, and isn't needed for 3.14-stable. Reported-by: Willy Tarreau Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/can/dev.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c index fa78e45a2bee..de333c740203 100644 --- a/drivers/net/can/dev.c +++ b/drivers/net/can/dev.c @@ -665,9 +665,6 @@ static int can_changelink(struct net_device *dev, } } - if (!data) - return 0; - if (data[IFLA_CAN_CTRLMODE]) { struct can_ctrlmode *cm; From 399a950315eb2de1db72a2f01cf41ccf59541996 Mon Sep 17 00:00:00 2001 From: Tim Gardner Date: Fri, 30 Oct 2015 12:22:58 -0600 Subject: [PATCH 02/12] be2iscsi: Fix bogus WARN_ON length check commit dd29dae00d39186890a5eaa2fe4ad8768bfd41a9 upstream. drivers/scsi/be2iscsi/be_main.c: In function 'be_sgl_create_contiguous': drivers/scsi/be2iscsi/be_main.c:3187:18: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] WARN_ON(!length > 0); gcc version 5.2.1 Signed-off-by: Tim Gardner Cc: Jayamohan Kallickal Cc: Minh Tran Cc: John Soni Jose Cc: "James E.J. Bottomley" Reported-by: Joel Stanley Reviewed-by: Manoj Kumar Signed-off-by: Martin K. Petersen Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/be2iscsi/be_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c index f4b9ac4ef16e..872ca84b3789 100644 --- a/drivers/scsi/be2iscsi/be_main.c +++ b/drivers/scsi/be2iscsi/be_main.c 
@@ -3172,7 +3172,7 @@ be_sgl_create_contiguous(void *virtual_address, { WARN_ON(!virtual_address); WARN_ON(!physical_address); - WARN_ON(!length > 0); + WARN_ON(!length); WARN_ON(!sgl); sgl->va = virtual_address; From ac98961e44fa5df4383f0a60f0c4923f368da1d8 Mon Sep 17 00:00:00 2001 From: James C Boyd Date: Wed, 27 May 2015 17:09:06 -0500 Subject: [PATCH 03/12] HID: hid-input: Add parentheses to quell gcc warning commit 09a5c34e8d6b05663ec4c3d22b1fbd9fec89aaf9 upstream. GCC reports a -Wlogical-not-parentheses warning here; therefore add parentheses to shut it up and to express our intent more. Signed-off-by: James C Boyd Signed-off-by: Jiri Kosina Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman --- drivers/hid/hid-input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index a413f76e84d4..1b01adf1d406 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -1084,7 +1084,7 @@ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct return; /* report the usage code as scancode if the key status has changed */ - if (usage->type == EV_KEY && !!test_bit(usage->code, input->key) != value) + if (usage->type == EV_KEY && (!!test_bit(usage->code, input->key)) != value) input_event(input, EV_MSC, MSC_SCAN, usage->hid); input_event(input, usage->type, usage->code, value); From 7ae8ffd384be9159cf057affd17caf2a687f493f Mon Sep 17 00:00:00 2001 From: Tomer Barletz Date: Sun, 2 Aug 2015 02:08:57 -0700 Subject: [PATCH 04/12] ALSA: oxygen: Fix logical-not-parentheses warning commit 8ec7cfce3762299ae289c384e281b2f4010ae231 upstream. This fixes the following warning, that is seen with gcc 5.1: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]. Signed-off-by: Tomer Barletz Signed-off-by: Takashi Iwai Cc: Willy Tarreau 
Signed-off-by: Greg Kroah-Hartman --- sound/pci/oxygen/oxygen_mixer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/oxygen/oxygen_mixer.c b/sound/pci/oxygen/oxygen_mixer.c index 5988e044c519..259bf54a9df0 100644 --- a/sound/pci/oxygen/oxygen_mixer.c +++ b/sound/pci/oxygen/oxygen_mixer.c @@ -88,7 +88,7 @@ static int dac_mute_put(struct snd_kcontrol *ctl, int changed; mutex_lock(&chip->mutex); - changed = !value->value.integer.value[0] != chip->dac_mute; + changed = (!value->value.integer.value[0]) != chip->dac_mute; if (changed) { chip->dac_mute = !value->value.integer.value[0]; chip->model.update_dac_mute(chip); From a6e226c25157082a043cce63d14ecab68fdcc433 Mon Sep 17 00:00:00 2001 From: Alexander Shiyan Date: Tue, 25 Feb 2014 23:41:14 -0300 Subject: [PATCH 05/12] stb6100: fix buffer length check in stb6100_write_reg_range() commit 7e6bd12fb77b0067df13fb3ba3fadbdff2945396 upstream. We are checking sizeof() the wrong variable! Signed-off-by: Alexander Shiyan Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman --- drivers/media/dvb-frontends/stb6100.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/dvb-frontends/stb6100.c b/drivers/media/dvb-frontends/stb6100.c index cea175d19890..4ef8a5c7003e 100644 --- a/drivers/media/dvb-frontends/stb6100.c +++ b/drivers/media/dvb-frontends/stb6100.c @@ -193,7 +193,7 @@ static int stb6100_write_reg_range(struct stb6100_state *state, u8 buf[], int st .len = len + 1 }; - if (1 + len > sizeof(buf)) { + if (1 + len > sizeof(cmdbuf)) { printk(KERN_WARNING "%s: i2c wr: len=%d is too big!\n", KBUILD_MODNAME, len); From 553a1f6d027a8e0c59ca7bbe0f26a25d1881cfef Mon Sep 17 00:00:00 2001 
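Review bot: `!value->value.integer.value[0]` is evaluated twice in dac_mute_put: once in the parenthesised comparison on the changed line and again two lines below where `chip->dac_mute` is assigned. Hoisting it into a local declared next to `int changed`, `int mute = !value->value.integer.value[0];`, then `changed = mute != chip->dac_mute;` and `chip->dac_mute = mute;`, removes the double negation that the new parentheses exist to disambiguate. This is a style point only; behaviour is unchanged. dac_mute_put starts outside the hunk.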
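Review bot: `len` is a signed `int` (it is printed with `%d` just below), so even with the right buffer in the check, `1 + len > sizeof(cmdbuf)` still admits `len == -1`: the signed addition yields 0 before the conversion to `size_t`, the check passes, and `.len = len + 1` becomes a zero-length I2C message while whatever copies `buf` into `cmdbuf` (outside the hunk) is handed a negative count. Callers appear to be in-driver with fixed lengths, so this is defensive, but `if (len < 0 || 1 + len > sizeof(cmdbuf)) {` closes it at no cost. stb6100_write_reg_range continues outside the hunk.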
From: Theodore Ts'o Date: Mon, 1 Aug 2016 00:51:02 -0400 Subject: [PATCH 06/12] ext4: validate that metadata blocks do not overlap superblock commit 829fa70dddadf9dd041d62b82cd7cea63943899d upstream. A number of fuzzing failures seem to be caused by allocation bitmaps or other metadata blocks being pointed at the superblock. This can cause kernel BUG or WARNings once the superblock is overwritten, so validate the group descriptor blocks to make sure this doesn't happen. Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman --- fs/ext4/super.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 4ce824197b81..712f84308bc8 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2071,6 +2071,7 @@ void ext4_group_desc_csum_set(struct super_block *sb, __u32 block_group, /* Called at mount-time, super-block is locked */ static int ext4_check_descriptors(struct super_block *sb, + ext4_fsblk_t sb_block, ext4_group_t *first_not_zeroed) { struct ext4_sb_info *sbi = EXT4_SB(sb); @@ -2101,6 +2102,11 @@ static int ext4_check_descriptors(struct super_block *sb, grp = i; block_bitmap = ext4_block_bitmap(sb, gdp); + if (block_bitmap == sb_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Block bitmap for group %u overlaps " + "superblock", i); + } if (block_bitmap < first_block || block_bitmap > last_block) { ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " "Block bitmap for group %u not in group " @@ -2108,6 +2114,11 @@ static int ext4_check_descriptors(struct super_block *sb, return 0; } inode_bitmap = ext4_inode_bitmap(sb, gdp); + if (inode_bitmap == sb_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode bitmap for group %u overlaps " + "superblock", i); + } if (inode_bitmap < first_block || inode_bitmap > last_block) { ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " "Inode bitmap for group %u not in group " 
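Review bot: The new overlap checks in the `@@ -2101` hunk (and the inode-bitmap and inode-table checks in the next two hunks of this patch) log an error and then fall through, whereas the adjacent range check immediately below each of them returns 0 and fails the mount. As written, a descriptor whose bitmap points at the superblock is still accepted whenever that block lies inside the group's range, so the superblock can still be overwritten once the bitmap is written back, which is the condition the commit message describes. If message-only handling is deliberate (for example to keep read-only mounts possible for repair), a comment saying so would help; otherwise add `return 0;` after each of the three `ext4_msg()` calls, matching the checks that follow. ext4_check_descriptors continues outside the hunk.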
@@ -2115,6 +2126,11 @@ static int ext4_check_descriptors(struct super_block *sb, return 0; } inode_table = ext4_inode_table(sb, gdp); + if (inode_table == sb_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode table for group %u overlaps " + "superblock", i); + } if (inode_table < first_block || inode_table + sbi->s_itb_per_group - 1 > last_block) { ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " @@ -3869,7 +3885,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) goto failed_mount2; } } - if (!ext4_check_descriptors(sb, &first_not_zeroed)) { + if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) { ext4_msg(sb, KERN_ERR, "group descriptors corrupted!"); goto failed_mount2; } From f842188c4f4f63a5b6fb59f45ac121162c0ab4c4 Mon Sep 17 00:00:00 2001 From: Ian Abbott Date: Wed, 7 Sep 2016 15:33:12 +0100 Subject: [PATCH 07/12] staging: comedi: ni_mio_common: fix wrong insn_write handler MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 5ca05345c56cb979e1a25ab6146437002f95cac8 upstream. For counter subdevices, the `s->insn_write` handler is being set to the wrong function, `ni_tio_insn_read()`. It should be `ni_tio_insn_write()`. Signed-off-by: Ian Abbott Reported-by: Éric Piel Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a proper comedi (*insn_write)") Signed-off-by: Greg Kroah-Hartman --- drivers/staging/comedi/drivers/ni_mio_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/comedi/drivers/ni_mio_common.c b/drivers/staging/comedi/drivers/ni_mio_common.c index 457b88481db0..3312ae622284 100644 --- a/drivers/staging/comedi/drivers/ni_mio_common.c +++ b/drivers/staging/comedi/drivers/ni_mio_common.c 
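Review bot: The inode-table check in the `@@ -2115` hunk compares only `inode_table == sb_block`, but the table spans `sbi->s_itb_per_group` blocks, as the range check just below it (`inode_table + sbi->s_itb_per_group - 1 > last_block`) shows. A superblock that falls inside the table rather than at its first block is therefore not reported, even though writing that table would clobber it just the same. `if (inode_table <= sb_block && sb_block < inode_table + sbi->s_itb_per_group) {` covers the whole range with the same message. ext4_check_descriptors continues outside the hunk.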
@@ -4404,7 +4404,7 @@ static int ni_E_init(struct comedi_device *dev) else s->maxdata = 0xffffff; s->insn_read = ni_tio_insn_read; - s->insn_write = ni_tio_insn_read; + s->insn_write = ni_tio_insn_write; s->insn_config = ni_tio_insn_config; #ifdef PCIDMA s->subdev_flags |= SDF_CMD_READ /* | SDF_CMD_WRITE */; From d57906c6850c5bb9a93841da3deb6df53135d133 Mon Sep 17 00:00:00 2001 From: Kangjie Lu Date: Thu, 2 Jun 2016 04:11:20 -0400 Subject: [PATCH 08/12] rds: fix an infoleak in rds_inc_info_copy commit 4116def2337991b39919f3b448326e21c40e0dbb upstream. The last field "flags" of object "minfo" is not initialized. Copying this object out may leak kernel stack data. Assign 0 to it to avoid leak. Signed-off-by: Kangjie Lu Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Juerg Haefliger Signed-off-by: Greg Kroah-Hartman --- net/rds/recv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/rds/recv.c b/net/rds/recv.c index bd82522534fc..f6839107d020 100644 --- a/net/rds/recv.c +++ b/net/rds/recv.c @@ -543,5 +543,7 @@ void rds_inc_info_copy(struct rds_incoming *inc, minfo.fport = inc->i_hdr.h_dport; } + minfo.flags = 0; + rds_info_copy(iter, &minfo, sizeof(minfo)); } From 78a4260f1fad5cfc6ad7cf6e01a93a2fed0d0e3e Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky Date: Mon, 25 Apr 2016 17:54:28 +0200 Subject: [PATCH 09/12] s390/sclp_ctl: fix potential information leak with /dev/sclp commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream. The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to retrieve the sclp request from user space. The first copy_from_user fetches the length of the request which is stored in the first two bytes of the request. The second copy_from_user gets the complete sclp request, but this copies the length field a second time. A malicious user may have changed the length in the meantime. Reported-by: Pengfei Wang Reviewed-by: Michael Holzheu Signed-off-by: Martin Schwidefsky Signed-off-by: Juerg Haefliger 
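Review bot: `minfo.flags = 0;` clears the one field the commit found uninitialised, but leaves the object initialised field by field across the function, so any field added to the struct later recreates the same leak through rds_info_copy(). A `memset(&minfo, 0, sizeof(minfo));` at the declaration (which is outside the hunk, as rds_inc_info_copy starts before it) is the usual kernel pattern for objects copied to user space; unlike `= {0}` it also clears any padding bytes, which matters unless the struct is packed, which I cannot tell from the hunk. With that in place the per-field zeroing is unnecessary.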
Signed-off-by: Greg Kroah-Hartman --- drivers/s390/char/sclp_ctl.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/s390/char/sclp_ctl.c b/drivers/s390/char/sclp_ctl.c index 648cb86afd42..ea607a4a1bdd 100644 --- a/drivers/s390/char/sclp_ctl.c +++ b/drivers/s390/char/sclp_ctl.c @@ -56,6 +56,7 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area) { struct sclp_ctl_sccb ctl_sccb; struct sccb_header *sccb; + unsigned long copied; int rc; if (copy_from_user(&ctl_sccb, user_area, sizeof(ctl_sccb))) @@ -65,14 +66,15 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area) sccb = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA); if (!sccb) return -ENOMEM; - if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sizeof(*sccb))) { + copied = PAGE_SIZE - + copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), PAGE_SIZE); + if (offsetof(struct sccb_header, length) + + sizeof(sccb->length) > copied || sccb->length > copied) { rc = -EFAULT; goto out_free; } - if (sccb->length > PAGE_SIZE || sccb->length < 8) - return -EINVAL; - if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sccb->length)) { - rc = -EFAULT; + if (sccb->length < 8) { + rc = -EINVAL; goto out_free; } rc = sclp_sync_request(ctl_sccb.cmdw, sccb); From 7cac57a69919afdf3bdda5242afdd535b2d9a2b0 Mon Sep 17 00:00:00 2001 
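Review bot: The second hunk of this patch fixes the double fetch by copying a whole page once and bounding every later use of `sccb->length` by the partial-copy count, but nothing in the code says so, and a reader will see a PAGE_SIZE copy_from_user() on a user pointer and wonder whether requests shorter than a page are allowed. Suggest a comment above the `copied =` assignment such as `/* Single snapshot: copy_from_user() returns the bytes NOT copied, so 'copied' bounds what we may trust; the length field is validated against this copy only and never re-fetched. */`. The ordering of the `||` also deserves a sentence: `sccb->length` is read only after the first clause proves the field arrived, and the page comes from get_zeroed_page(), so a short copy cannot expose stale data either way. If the `8` in `sccb->length < 8` is `sizeof(struct sccb_header)`, spelling it that way would tie the minimum to the type. sclp_ctl_ioctl_sccb continues outside the hunk.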
From: Willy Tarreau Date: Sat, 27 Aug 2016 11:31:35 +0200 Subject: [PATCH 10/12] fix d_walk()/non-delayed __d_free() race I checked Jari's explanation below and found that v3.14.77 and v3.12.62 are missing the same fix as 3.10. In fact Al's original commit 3d56c25 ("fix d_walk()/non-delayed __d_free() race") used to mention to check this __d_materialise_dentry() function in the Cc: stable line, but this got lost during the backports. Normally all of our 3 kernels need to apply the following patch that Ben correctly put in 3.16 and 3.2. I'm fixing the backport in 3.10.103 right now. On Mon, Aug 22, 2016 at 04:56:57PM +0300, Jari Ruusu wrote: > This patch for 3.10 branch appears to be missing one important > > + dentry->d_flags |= DCACHE_RCUACCESS; > > in fs/dcache.c __d_materialise_dentry() function. When Ben Hutchings > backported Al Viro's original fix to stable branches that he maintains, > he added that one additional line to both 3.2 and 3.16 branches. Please > consider including that additional one line fix for 3.10 stable branch > also. > > > Ben Hutchings said this on his 3.2.82-rc1 patch: > [bwh: Backported to 3.2: > - Adjust context > - Also set the flag in __d_materialise_dentry())] > > http://marc.info/?l=linux-kernel&m=147117565612275&w=2 > > > Ben Hutchings said this on his 3.16.37-rc1 patch: > [bwh: Backported to 3.16: > - Adjust context > - Also set the flag in __d_materialise_dentry())] > > http://marc.info/?l=linux-kernel&m=147117433412006&w=2 > > > Also mentioned by Sasha Levin on 3.18 and 4.1 commits: > Cc: stable@vger.kernel.org # v3.2+ (and watch out for __d_materialise_dentry()) > > http://marc.info/?l=linux-stable-commits&m=146648034410827&w=2 > http://marc.info/?l=linux-stable-commits&m=146647471009771&w=2 Signed-off-by: Greg Kroah-Hartman --- fs/dcache.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/dcache.c b/fs/dcache.c index 47c06888dc05..4d170433c647 100644 --- a/fs/dcache.c +++ b/fs/dcache.c 
@@ -2652,6 +2652,7 @@ static void __d_materialise_dentry(struct dentry *dentry, struct dentry *anon) switch_names(dentry, anon); swap(dentry->d_name.hash, anon->d_name.hash); + dentry->d_flags |= DCACHE_RCUACCESS; dentry->d_parent = dentry; list_del_init(&dentry->d_child); anon->d_parent = dparent; From 09a2499466dc69d1e54e8e879d4591cdd0ca17c8 Mon Sep 17 00:00:00 2001 From: Andrea Arcangeli Date: Fri, 26 Feb 2016 15:19:28 -0800 Subject: [PATCH 11/12] mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED commit ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 upstream. pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were introduced to locklessy (but atomically) detect when a pmd is a regular (stable) pmd or when the pmd is unstable and can infinitely transition from pmd_none() and pmd_trans_huge() from under us, while only holding the mmap_sem for reading (for writing not). While holding the mmap_sem only for reading, MADV_DONTNEED can run from under us and so before we can assume the pmd to be a regular stable pmd we need to compare it against pmd_none() and pmd_trans_huge() in an atomic way, with pmd_trans_unstable(). The old pmd_trans_huge() left a tiny window for a race. Useful applications are unlikely to notice the difference as doing MADV_DONTNEED concurrently with a page fault would lead to undefined behavior. [js] 3.12 backport: no pmd_devmap in 3.12 yet. [akpm@linux-foundation.org: tidy up comment grammar/layout] Signed-off-by: Andrea Arcangeli Reported-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Vlastimil Babka Signed-off-by: Jiri Slaby Signed-off-by: Greg Kroah-Hartman --- mm/memory.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index e9ddc7aceefa..43d45c9f7bf5 100644 --- a/mm/memory.c +++ b/mm/memory.c 
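Review bot: The added `dentry->d_flags |= DCACHE_RCUACCESS;` in __d_materialise_dentry carries no comment, and unlike the neighbouring name and parent swaps its purpose is not evident from the code; only the commit message explains that it forces RCU-delayed freeing so a concurrent lockless d_walk() cannot see the dentry freed under it. Suggest `/* may now be seen by a lockless d_walk(): force RCU-delayed __d_free() */` on the line. I am assuming d_flags is updated here under the same dentry locking the rest of this function relies on; the hunk does not show it, and __d_materialise_dentry starts outside the hunk.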
@@ -3770,8 +3770,18 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, if (unlikely(pmd_none(*pmd)) && unlikely(__pte_alloc(mm, vma, pmd, address))) return VM_FAULT_OOM; - /* if an huge pmd materialized from under us just retry later */ - if (unlikely(pmd_trans_huge(*pmd))) + /* + * If a huge pmd materialized under us just retry later. Use + * pmd_trans_unstable() instead of pmd_trans_huge() to ensure the pmd + * didn't become pmd_trans_huge under us and then back to pmd_none, as + * a result of MADV_DONTNEED running immediately after a huge pmd fault + * in a different thread of this mm, in turn leading to a misleading + * pmd_trans_huge() retval. All we have to ensure is that it is a + * regular pmd that we can walk with pte_offset_map() and we can do that + * through an atomic read in C, which is what pmd_trans_unstable() + * provides. + */ + if (unlikely(pmd_trans_unstable(pmd))) return 0; /* * A regular pmd is established and it can't morph into a huge pmd From b65f2f457c49b2cfd7967c34b7a0b04c25587f13 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 11 Sep 2016 10:00:18 +0200 Subject: [PATCH 12/12] Linux 3.14.79 --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 74346f0d89c1..0ed6ce300543 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ VERSION = 3 PATCHLEVEL = 14 -SUBLEVEL = 78 +SUBLEVEL = 79 EXTRAVERSION = NAME = Remembering Coco
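Review bot: The new comment explains the pmd_none/pmd_trans_huge race well but omits the third outcome of `pmd_trans_unstable()`: per the helper the commit message names it is built on, `pmd_none_or_trans_huge_or_clear_bad()`, a `pmd_bad()` entry is also reported as unstable and is cleared in the process, so the `return 0` below now also covers the case where a corrupt pmd was just wiped and the fault restarts from a none pmd. One more sentence in the comment, e.g. `Note that a pmd_bad() entry is cleared by this check and reported as unstable, so the retry starts from pmd_none().`, would stop the next reader from assuming only the none/huge transitions reach this return. __handle_mm_fault continues outside the hunk.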