Large values returned by bitmap_find_next_zero_area() can overflow
and become negative when stored in signed variable 'pageno' that
can lead to failure of condition 'pageno < dma_mem->nr_pages'.
Due to this, Use-after-free issue is observed in bitmap_set(),
When user requests to allocate large size buffer using ion calls.
BUG: KASAN: use-after-free in bitmap_set+0x9c/0xd4 at addr ffffffe774946cc0
Read of size 8 by task syz-executor0/19717
page:ffffffbe5dd25180 count:0 mapcount:-127 mapping:(null)
index:0xffffffe774947000 flags: 0x0()
page dumped because: kasan: bad access detected
page_owner info is not active (free page?)
CPU: 3 PID: 19717 Comm: syz-executor0 Tainted: G W 4.4.78+ #1
Call trace:
[<ffffffa10c68b6fc>] dump_backtrace+0x0/0x2fc
[<ffffffa10c68ba1c>] show_stack+0x24/0x30
[<ffffffa10cc29a34>] dump_stack+0xdc/0x134
[<ffffffa10c8b2c10>] kasan_report+0x380/0x508
[<ffffffa10c8b1f38>] __asan_load8+0x24/0x80
[<ffffffa10cc42218>] bitmap_set+0x9c/0xd4
[<ffffffa10d15941c>] removed_alloc+0x188/0x5e4
[<ffffffa10dba4f40>] ion_cma_allocate+0x164/0x3e0
[<ffffffa10db9cef4>] __ion_alloc+0x368/0x1044
[<ffffffa10db9e0c8>] ion_ioctl+0x25c/0x6ac
[<ffffffa10c8e2f40>] do_vfs_ioctl+0x844/0x9a8
[<ffffffa10c8e311c>] SyS_ioctl+0x78/0xbc
[<ffffffa10c683730>] el0_svc_naked+0x24/0x28
Change-Id: Ibbaa451250bdfa9ce2a6e2cb9d2ee357ee0c8385
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
For "chunk_list + chunk_list_len", if the chunk_list is type of u32*,
the chunk_list_len will be 4 * of original size. So we flushed a wrong
area size. In some condition like we enabled CONFIG_DEBUG_PAGEALLOC, it
may flush out of page bound of the invalid pte page.
Fix it by manually convert it as void* when doing the addition.
CRs-Fixed: 2309993
Change-Id: I2b88d78ba73d9904fa2bf6106937001715b6037f
Signed-off-by: Zhenhua Huang <zhenhuah@codeaurora.org>
API provision for WLAN host driver to check if WLAN PCIe device
is down.
Change-Id: I91efcd781af67c72b787c89e6b619c4cc49da34b
Signed-off-by: Yue Ma <yuem@codeaurora.org>
Subsystem notification for adsp and wlan in guest.
Change-Id: I49e3e0a160a2434ba9df8008a5ad5051fbeed194
Signed-off-by: Venkata Rao Kakani <vkakani@codeaurora.org>
ALARM_EN status is retained in PMIC register after device shutdown
if poweron_alarm is enabled. Read it to make sure the driver has
consistent value with the register status.
Change-Id: Iee0a19ba5126265b36a353c1d1b249d09185564a
Signed-off-by: Mao Jinlong <c_jmao@codeaurora.org>
* refs/heads/tmp-b3f777e
Linux 4.4.155
drm/drivers: add support for using the arch wc mapping API.
x86/io: add interface to reserve io memtype for a resource range. (v1.1)
fs/quota: Fix spectre gadget in do_quotactl
perf auxtrace: Fix queue resize
bcache: release dc->writeback_lock properly in bch_writeback_thread()
getxattr: use correct xattr length
udlfb: set optimal write delay
fb: fix lost console when the user unplugs a USB adapter
pwm: tiehrpwm: Fix disabling of output of PWMs
ubifs: Fix synced_i_size calculation for xattr inodes
ubifs: Check data node size before truncate
Revert "UBIFS: Fix potential integer overflow in allocation"
ubifs: Fix memory leak in lprobs self-check
userns: move user access out of the mutex
sys: don't hold uts_sem while accessing userspace memory
osf_getdomainname(): use copy_to_user()
iommu/vt-d: Fix dev iotlb pfsid use
iommu/vt-d: Add definitions for PFSID
mm/tlb: Remove tlb_remove_table() non-concurrent condition
ARM: tegra: Fix Tegra30 Cardhu PCA954x reset
pnfs/blocklayout: off by one in bl_map_stripe()
PM / sleep: wakeup: Fix build error caused by missing SRCU support
9p: fix multiple NULL-pointer-dereferences
uprobes: Use synchronize_rcu() not synchronize_sched()
kthread, tracing: Don't expose half-written comm when creating kthreads
tracing/blktrace: Fix to allow setting same value
tracing: Do not call start/stop() functions when tracing_on does not change
vmw_balloon: fix VMCI use when balloon built into kernel
vmw_balloon: VMCI_DOORBELL_SET does not check status
vmw_balloon: do not use 2MB without batching
vmw_balloon: fix inflation of 64-bit GFNs
iio: ad9523: Fix return value for ad952x_store()
iio: ad9523: Fix displayed phase
dm cache metadata: save in-core policy_hint_size to on-disk superblock
x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call
net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
net/9p/client.c: version pointer uninitialized
9p/virtio: fix off-by-one error in sg list bounds check
fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed
powerpc/pseries: Fix endianness while restoring of r3 in MCE handler.
powerpc/fadump: handle crash memory ranges array index overflow
drm/i915/userptr: reject zero user_size
spi: davinci: fix a NULL pointer dereference
net: lan78xx: Fix misplaced tasklet_schedule() call
9p/net: Fix zero-copy path in the 9p virtio transport
net: mac802154: tx: expand tailroom if necessary
net: 6lowpan: fix reserved space for single frames
BACKPORT: arm64/vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
ANDROID: arm64: mm: fix 4.4.154 merge
Change-Id: Id5969245c97b88f9618cb6123e992ea4540ca434
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
* refs/heads/tmp-d762e28
Linux 4.4.154
cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status
iscsi target: fix session creation failure handling
scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock
scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7
MIPS: Correct the 64-bit DSP accumulator register size
kprobes: Make list and blacklist root user read only
s390/pci: fix out of bounds access during irq setup
s390/qdio: reset old sbal_state flags
s390: fix br_r1_trampoline for machines without exrl
x86/spectre: Add missing family 6 check to microcode check
x86/irqflags: Mark native_restore_fl extern inline
pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show()
ASoC: sirf: Fix potential NULL pointer dereference
ASoC: dpcm: don't merge format from invalid codec dai
udl-kms: fix crash due to uninitialized memory
udl-kms: handle allocation failure
udl-kms: change down_interruptible to down
fuse: Add missed unlock_page() to fuse_readpages_fill()
fuse: Fix oops at process_init_reply()
fuse: umount should wait for all requests
fuse: fix unlocked access to processing queue
fuse: fix double request_end()
fuse: Don't access pipe->buffers without pipe_lock()
x86/process: Re-export start_thread()
x86/speculation/l1tf: Suggest what to do on systems with too much RAM
x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM
x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
KVM: arm/arm64: Skip updating PMD entry if no change
KVM: arm/arm64: Skip updating PTE entry if no change
arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
ext4: reset error code in ext4_find_entry in fallback
ext4: sysfs: print ext4_super_block fields as little-endian
ext4: check for NUL characters in extended attribute's name
s390/kvm: fix deadlock when killed by oom
btrfs: don't leak ret from do_chunk_alloc
smb3: don't request leases in symlink creation and query
smb3: Do not send SMB3 SET_INFO if nothing changed
cifs: check kmalloc before use
cifs: add missing debug entries for kconfig options
mm/memory.c: check return value of ioremap_prot
scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
scsi: fcoe: drop frames in ELS LOGO error path
drivers: net: lmc: fix case value for target abort error
arc: fix type warnings in arc/mm/cache.c
arc: fix build errors in arc/include/asm/delay.h
enic: handle mtu change for vf properly
Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum"
tools/power turbostat: Read extended processor family from CPUID
zswap: re-check zswap_is_full() after do zswap_shrink()
selftests/ftrace: Add snapshot and tracing_on test case
cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
cachefiles: Fix refcounting bug in backing-file read monitoring
fscache: Allow cancelled operations to be enqueued
net: axienet: Fix double deregister of mdio
bnx2x: Fix invalid memory access in rss hash config path.
media: staging: omap4iss: Include asm/cacheflush.h after generic includes
i2c: davinci: Avoid zero value of CLKH
can: mpc5xxx_can: check of_iomap return before use
net: prevent ISA drivers from building on PPC32
atl1c: reserve min skb headroom
qed: Fix possible race for the link state value.
net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
tools/power turbostat: fix -S on UP systems
usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
tools: usb: ffs-test: Fix build on big endian systems
usb/phy: fix PPC64 build errors in phy-fsl-usb.c
usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue()
usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller()
drm/imx: imx-ldb: check if channel is enabled before printing warning
drm/imx: imx-ldb: disable LDB on driver bind
scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
drm/bridge: adv7511: Reset registers on hotplug
nl80211: Add a missing break in parse_station_flags
mac80211: add stations tied to AP_VLANs during hw reconfig
xfrm: free skb if nlsk pointer is NULL
xfrm: fix missing dst_release() after policy blocking lbcast and multicast
vti6: fix PMTU caching and reporting on xmit
Cipso: cipso_v4_optptr enter infinite loop
sched/sysctl: Check user input value of sysctl_sched_time_avg
BACKPORT: zram: drop max_zpage_size and use zs_huge_class_size()
BACKPORT: zsmalloc: introduce zs_huge_class_size()
ANDROID: tracing: fix race condition reading saved tgids
Conflicts:
mm/zsmalloc.c
Change-Id: I1add2f0311c887c135ddc6160963702beeb7bb88
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Remove kzfree() after kclient list iteration to avoid invalid
pointer deference.
Change-Id: I78922269e219fcb16d3cff05f8b168a75a3c05ae
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Add the CPR configuration of Speed-bin 3 for the power
and performance cluster of SDM630.
Change-Id: I6bf9a837ae941cf3ad9413da6e44821916acf197
Signed-off-by: Anirudh Ghayal <aghayal@codeaurora.org>
Add mutex lock in rtac_open and rtac_release
to avoid usage count discrepancies leading
to multiple calls to unmap memory resulting in
null pointer dereference.
CRs-Fixed: 2271712
Change-Id: Ie6da28837c352030b8d7e377d68a70cf04e7072a
Signed-off-by: Tanya Dixit <tdixit@codeaurora.org>
Add support to dump complete ramdump of subsystem from start of first
segment to end of last segment without leaving any hole in between.
Change-Id: I0bcab1d4e04748d3934b7a4d99eec59727c3afb1
Signed-off-by: Naitik Bharadiya <bharad@codeaurora.org>
Since message received from spi cannot be trusted there is possibility
of out-of-bound read if received read_id is not in range of fifo.
The patch validate rx_fifo_read index of edge info for remote side.
Change-Id: I3d3fa749935f477e5f98f986adc24e6e6a682d4d
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Expand display type/id enumeration up to eight types.
Change-Id: I19c47e6b4aa57dc94020f909260e1de2218ca82d
Signed-off-by: Camus Wong <camusw@codeaurora.org>
Not all devices on an MDIO bus are PHYs. Meaning not all MDIO drivers
are PHY drivers. Add support for generic MDIO drivers.
Change-Id: I65c7c8a497bbac9ef67b3d21c869818a09378e3c
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-Commit: a9049e0c513c4521dbfaa302af8ed08b3366b41f
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Anthony Mah <amah@codeaurora.org>
Otherwise we might dereference an already freed file and/or inode
when aio_complete is called before we return from the read_iter or
write_iter method.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 0b944d3a4bba6b25f43aed530f4fa85c04d162a6)
Change-Id: I628a87b5036ba1ba5ba5152fa0329d02999d3649
Git-Commit: 0b944d3a4bba6b25f43aed530f4fa85c04d162a6
Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
[riteshh@codeaurora.org: resolve trivial merge conflicts]
Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org>
Align with android-base.cfg which is android kernel config
requirement for msm8998_defconfig.
Change-Id: I69cbca16705d25b5505792b11ae4f054be09457f
Signed-off-by: Naitik Bharadiya <bharad@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAluVYLUACgkQONu9yGCS
aT5MxhAArBSShT0IXHg9oXGtkm6g3mkZ/EAXPrl3Tq2ayLjXeMfNfsdKkBvusjTr
b/Fs9ZLm1x7bI4+kD/6sTLtGlWBr6djocnBtB8PxQxxkmIZRZPjE9laemsyBn7XD
7amJEHuyaQU10da2obX7z+Gge+bgSoN4Q5+19ZESr4fCxa7bMaY+VmLCuROe6Flo
9kUaLFvxrsowFLrdKfWb/Zc7WHQfYtfTd2c9T+lz3wC4+X3zxkwHl0odvwe1yX9a
xDc674yWepl1D8wMB3i7O5KGoOSghhZZmH2Cnb/cNWoeSmFO8rttCWYiSVEIOWWN
5HOmHRqMDPFUqH5g9F3z1A9uM5uQa9uOu7BGcDJjeU3oXZRFzTjJLMZj4Zcv0hLM
WMo2+5iXFBByUVvUk2nKHotNNmnzxITW9CDWEuAv4jGlA8bjpIwkHUncqknTesan
SRf63jC2+7N0PV5pGCLHA92NA/w663YtMyPPuLsYmprK1OFC1+X8o2bDyfX5ey59
bgkIItNRbgaBRTjPhS1EwJjuNRE59636x9EpFeb0M16j4YHFvGq2fS2LDuymPA3P
JMVwsxpLtwHjI6KMcnIcDVphiJjLpTq6ijc727mTsHrTqHRa3/w6Ay/TZjRlDn00
YKpVKQtoUk0FURyVwdJjo0eH5O6MYfaw4uj4h1zEOFMXszkVmL4=
=WUY2
-----END PGP SIGNATURE-----
Merge 4.4.155 into android-4.4
Changes in 4.4.155
net: 6lowpan: fix reserved space for single frames
net: mac802154: tx: expand tailroom if necessary
9p/net: Fix zero-copy path in the 9p virtio transport
net: lan78xx: Fix misplaced tasklet_schedule() call
spi: davinci: fix a NULL pointer dereference
drm/i915/userptr: reject zero user_size
powerpc/fadump: handle crash memory ranges array index overflow
powerpc/pseries: Fix endianness while restoring of r3 in MCE handler.
fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed
9p/virtio: fix off-by-one error in sg list bounds check
net/9p/client.c: version pointer uninitialized
net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call
dm cache metadata: save in-core policy_hint_size to on-disk superblock
iio: ad9523: Fix displayed phase
iio: ad9523: Fix return value for ad952x_store()
vmw_balloon: fix inflation of 64-bit GFNs
vmw_balloon: do not use 2MB without batching
vmw_balloon: VMCI_DOORBELL_SET does not check status
vmw_balloon: fix VMCI use when balloon built into kernel
tracing: Do not call start/stop() functions when tracing_on does not change
tracing/blktrace: Fix to allow setting same value
kthread, tracing: Don't expose half-written comm when creating kthreads
uprobes: Use synchronize_rcu() not synchronize_sched()
9p: fix multiple NULL-pointer-dereferences
PM / sleep: wakeup: Fix build error caused by missing SRCU support
pnfs/blocklayout: off by one in bl_map_stripe()
ARM: tegra: Fix Tegra30 Cardhu PCA954x reset
mm/tlb: Remove tlb_remove_table() non-concurrent condition
iommu/vt-d: Add definitions for PFSID
iommu/vt-d: Fix dev iotlb pfsid use
osf_getdomainname(): use copy_to_user()
sys: don't hold uts_sem while accessing userspace memory
userns: move user access out of the mutex
ubifs: Fix memory leak in lprobs self-check
Revert "UBIFS: Fix potential integer overflow in allocation"
ubifs: Check data node size before truncate
ubifs: Fix synced_i_size calculation for xattr inodes
pwm: tiehrpwm: Fix disabling of output of PWMs
fb: fix lost console when the user unplugs a USB adapter
udlfb: set optimal write delay
getxattr: use correct xattr length
bcache: release dc->writeback_lock properly in bch_writeback_thread()
perf auxtrace: Fix queue resize
fs/quota: Fix spectre gadget in do_quotactl
x86/io: add interface to reserve io memtype for a resource range. (v1.1)
drm/drivers: add support for using the arch wc mapping API.
Linux 4.4.155
Change-Id: Ie455609e00dd70d3fa723cd254f544109db8a788
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Add socinfo support for SDM455 Soc and update the
bindings fot the same.
Change-Id: I9b30795e202d84ae06020983b2d656772fb4f313
Signed-off-by: Teng Fei Fan <tengfei@codeaurora.org>
commit 7cf321d118a825c1541b43ca45294126fd474efa upstream.
This fixes a regression in all these drivers since the cache
mode tracking was fixed for mixed mappings. It uses the new
arch API to add the VRAM range to the PAT mapping tracking
tables.
Fixes: 87744ab3832 (mm: fix cache mode tracking in vm_insert_mixed())
Reviewed-by: Christian König <christian.koenig@amd.com>.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8ef4227615e158faa4ee85a1d6466782f7e22f2f upstream.
A recent change to the mm code in:
87744ab3832b mm: fix cache mode tracking in vm_insert_mixed()
started enforcing checking the memory type against the registered list for
amixed pfn insertion mappings. It happens that the drm drivers for a number
of gpus relied on this being broken. Currently the driver only inserted
VRAM mappings into the tracking table when they came from the kernel,
and userspace mappings never landed in the table. This led to a regression
where all the mapping end up as UC instead of WC now.
I've considered a number of solutions but since this needs to be fixed
in fixes and not next, and some of the solutions were going to introduce
overhead that hadn't been there before I didn't consider them viable at
this stage. These mainly concerned hooking into the TTM io reserve APIs,
but these API have a bunch of fast paths I didn't want to unwind to add
this to.
The solution I've decided on is to add a new API like the arch_phys_wc
APIs (these would have worked but wc_del didn't take a range), and
use them from the drivers to add a WC compatible mapping to the table
for all VRAM on those GPUs. This means we can then create userspace
mapping that won't get degraded to UC.
v1.1: use CONFIG_X86_PAT + add some comments in io.h
Cc: Toshi Kani <toshi.kani@hp.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: x86@kernel.org
Cc: mcgrof@suse.com
Cc: Dan Williams <dan.j.williams@intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 99cbbe56eb8bede625f410ab62ba34673ffa7d21 upstream.
When the number of queues grows beyond 32, the array of queues is
resized but not all members were being copied. Fix by also copying
'tid', 'cpu' and 'set'.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org
Fixes: e502789302 ("perf auxtrace: Add helpers for queuing AUX area tracing data")
Link: http://lkml.kernel.org/r/20180814084608.6563-1-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3943b040f11ed0cc6d4585fd286a623ca8634547 upstream.
The writeback thread would exit with a lock held when the cache device
is detached via sysfs interface, fix it by releasing the held lock
before exiting the while-loop.
Fixes: fadd94e05c02 (bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set)
Signed-off-by: Shan Hai <shan.hai@oracle.com>
Signed-off-by: Coly Li <colyli@suse.de>
Tested-by: Shenghui Wang <shhuiw@foxmail.com>
Cc: stable@vger.kernel.org #4.17+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 upstream.
When running in a container with a user namespace, if you call getxattr
with name = "system.posix_acl_access" and size % 8 != 4, then getxattr
silently skips the user namespace fixup that it normally does resulting in
un-fixed-up data being returned.
This is caused by posix_acl_fix_xattr_to_user() being passed the total
buffer size and not the actual size of the xattr as returned by
vfs_getxattr().
This commit passes the actual length of the xattr as returned by
vfs_getxattr() down.
A reproducer for the issue is:
touch acl_posix
setfacl -m user:0:rwx acl_posix
and the compile:
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <attr/xattr.h>
/* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */
int main(int argc, void **argv)
{
ssize_t ret1, ret2;
char buf1[128], buf2[132];
int fret = EXIT_SUCCESS;
char *file;
if (argc < 2) {
fprintf(stderr,
"Please specify a file with "
"\"system.posix_acl_access\" permissions set\n");
_exit(EXIT_FAILURE);
}
file = argv[1];
ret1 = getxattr(file, "system.posix_acl_access",
buf1, sizeof(buf1));
if (ret1 < 0) {
fprintf(stderr, "%s - Failed to retrieve "
"\"system.posix_acl_access\" "
"from \"%s\"\n", strerror(errno), file);
_exit(EXIT_FAILURE);
}
ret2 = getxattr(file, "system.posix_acl_access",
buf2, sizeof(buf2));
if (ret2 < 0) {
fprintf(stderr, "%s - Failed to retrieve "
"\"system.posix_acl_access\" "
"from \"%s\"\n", strerror(errno), file);
_exit(EXIT_FAILURE);
}
if (ret1 != ret2) {
fprintf(stderr, "The value of \"system.posix_acl_"
"access\" for file \"%s\" changed "
"between two successive calls\n", file);
_exit(EXIT_FAILURE);
}
for (ssize_t i = 0; i < ret2; i++) {
if (buf1[i] == buf2[i])
continue;
fprintf(stderr,
"Unexpected different in byte %zd: "
"%02x != %02x\n", i, buf1[i], buf2[i]);
fret = EXIT_FAILURE;
}
if (fret == EXIT_SUCCESS)
fprintf(stderr, "Test passed\n");
else
fprintf(stderr, "Test failed\n");
_exit(fret);
}
and run:
./tester acl_posix
On a non-fixed up kernel this should return something like:
root@c1:/# ./t
Unexpected different in byte 16: ffffffa0 != 00
Unexpected different in byte 17: ffffff86 != 00
Unexpected different in byte 18: 01 != 00
and on a fixed kernel:
root@c1:~# ./t
Test passed
Cc: stable@vger.kernel.org
Fixes: 2f6f0654ab ("userns: Convert vfs posix_acl support to use kuids and kgids")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945
Reported-by: Colin Watson <cjwatson@ubuntu.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bb24153a3f13dd0dbc1f8055ad97fe346d598f66 upstream.
The default delay 5 jiffies is too much when the kernel is compiled with
HZ=100 - it results in jumpy cursor in Xwindow.
In order to find out the optimal delay, I benchmarked the driver on
1280x720x30fps video. I found out that with HZ=1000, 10ms is acceptable,
but with HZ=250 or HZ=300, we need 4ms, so that the video is played
without any frame skips.
This patch changes the delay to this value.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8c5b044299951acd91e830a688dd920477ea1eda upstream.
I have a USB display adapter using the udlfb driver and I use it on an ARM
board that doesn't have any graphics card. When I plug the adapter in, the
console is properly displayed, however when I unplug and re-plug the
adapter, the console is not displayed and I can't access it until I reboot
the board.
The reason is this:
When the adapter is unplugged, dlfb_usb_disconnect calls
unlink_framebuffer, then it waits until the reference count drops to zero
and then it deallocates the framebuffer. However, the console that is
attached to the framebuffer device keeps the reference count non-zero, so
the framebuffer device is never destroyed. When the USB adapter is plugged
again, it creates a new device /dev/fb1 and the console is not attached to
it.
This patch fixes the bug by unbinding the console from unlink_framebuffer.
The code to unbind the console is moved from do_unregister_framebuffer to
a function unbind_console. When the console is unbound, the reference
count drops to zero and the udlfb driver frees the framebuffer. When the
adapter is plugged back, a new framebuffer is created and the console is
attached to it.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Bernie Thompson <bernie@plugable.com>
Cc: Ladislav Michl <ladis@linux-mips.org>
Cc: stable@vger.kernel.org
[b.zolnierkie: preserve old behavior for do_unregister_framebuffer()]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 38dabd91ff0bde33352ca3cc65ef515599b77a05 upstream.
pwm-tiehrpwm driver disables PWM output by putting it in low output
state via active AQCSFRC register in ehrpwm_pwm_disable(). But, the
AQCSFRC shadow register is not updated. Therefore, when shadow AQCSFRC
register is re-enabled in ehrpwm_pwm_enable() (say to enable second PWM
output), previous settings are lost as shadow register value is loaded
into active register. This results in things like PWMA getting enabled
automatically, when PWMB is enabled and vice versa. Fix this by
updating AQCSFRC shadow register as well during ehrpwm_pwm_disable().
Fixes: 19891b20e7 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM")
Cc: stable@vger.kernel.org
Signed-off-by: Vignesh R <vigneshr@ti.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 59965593205fa4044850d35ee3557cf0b7edcd14 upstream.
In ubifs_jnl_update() we sync parent and child inodes to the flash,
in case of xattrs, the parent inode (AKA host inode) has a non-zero
data_len. Therefore we need to adjust synced_i_size too.
This issue was reported by ubifs self tests unter a xattr related work
load.
UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: ui_size is 4, synced_i_size is 0, but inode is clean
UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: i_ino 65, i_mode 0x81a4, i_size 4
Cc: <stable@vger.kernel.org>
Fixes: 1e51764a3c ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 95a22d2084d72ea067d8323cc85677dba5d97cae upstream.
Check whether the size is within bounds before using it.
If the size is not correct, abort and dump the bad data node.
Cc: Kees Cook <keescook@chromium.org>
Cc: Silvio Cesare <silvio.cesare@gmail.com>
Cc: stable@vger.kernel.org
Fixes: 1e51764a3c ("UBIFS: add new flash file system")
Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 upstream.
This reverts commit 353748a359f1821ee934afc579cf04572406b420.
It bypassed the linux-mtd review process and fixes the issue not as it
should.
Cc: Kees Cook <keescook@chromium.org>
Cc: Silvio Cesare <silvio.cesare@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit eef19816ada3abd56d9f20c88794cc2fea83ebb2 upstream.
Allocate the buffer after we return early.
Otherwise memory is being leaked.
Cc: <stable@vger.kernel.org>
Fixes: 1e51764a3c ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream.
The old code would hold the userns_state_mutex indefinitely if
memdup_user_nul stalled due to e.g. a userfault region. Prevent that by
moving the memdup_user_nul in front of the mutex_lock().
Note: This changes the error precedence of invalid buf/count/*ppos vs
map already written / capabilities missing.
Fixes: 22d917d80e ("userns: Rework the user_namespace adding uid/gid...")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian@brauner.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 42a0cc3478584d4d63f68f2f5af021ddbea771fa upstream.
Holding uts_sem as a writer while accessing userspace memory allows a
namespace admin to stall all processes that attempt to take uts_sem.
Instead, move data through stack buffers and don't access userspace memory
while uts_sem is held.
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1c48db44924298ad0cb5a6386b88017539be8822 upstream.
PFSID should be used in the invalidation descriptor for flushing
device IOTLBs on SRIOV VFs.
Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Cc: stable@vger.kernel.org
Cc: "Ashok Raj" <ashok.raj@intel.com>
Cc: "Lu Baolu" <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
