1. 02 May, 2019 29 commits
  2. 27 Apr, 2019 11 commits
    • Linux 4.19.37 · 19bb613a
      Greg Kroah-Hartman committed
    • kernel/sysctl.c: fix out-of-bounds access when setting file-max · cdd369fe
      Will Deacon committed
      commit 9002b21465fa4d829edfc94a5a441005cffaa972 upstream.
      
      Commit 32a5ad9c2285 ("sysctl: handle overflow for file-max") hooked up
      min/max values for the file-max sysctl parameter via the .extra1 and
      .extra2 fields in the corresponding struct ctl_table entry.
      
      Unfortunately, the minimum value points at the global 'zero' variable,
      which is an int.  This results in a KASAN splat when accessed as a long
      by proc_doulongvec_minmax on 64-bit architectures:
      
        | BUG: KASAN: global-out-of-bounds in __do_proc_doulongvec_minmax+0x5d8/0x6a0
        | Read of size 8 at addr ffff2000133d1c20 by task systemd/1
        |
        | CPU: 0 PID: 1 Comm: systemd Not tainted 5.1.0-rc3-00012-g40b114779944 #2
        | Hardware name: linux,dummy-virt (DT)
        | Call trace:
        |  dump_backtrace+0x0/0x228
        |  show_stack+0x14/0x20
        |  dump_stack+0xe8/0x124
        |  print_address_description+0x60/0x258
        |  kasan_report+0x140/0x1a0
        |  __asan_report_load8_noabort+0x18/0x20
        |  __do_proc_doulongvec_minmax+0x5d8/0x6a0
        |  proc_doulongvec_minmax+0x4c/0x78
        |  proc_sys_call_handler.isra.19+0x144/0x1d8
        |  proc_sys_write+0x34/0x58
        |  __vfs_write+0x54/0xe8
        |  vfs_write+0x124/0x3c0
        |  ksys_write+0xbc/0x168
        |  __arm64_sys_write+0x68/0x98
        |  el0_svc_common+0x100/0x258
        |  el0_svc_handler+0x48/0xc0
        |  el0_svc+0x8/0xc
        |
        | The buggy address belongs to the variable:
        |  zero+0x0/0x40
        |
        | Memory state around the buggy address:
        |  ffff2000133d1b00: 00 00 00 00 00 00 00 00 fa fa fa fa 04 fa fa fa
        |  ffff2000133d1b80: fa fa fa fa 04 fa fa fa fa fa fa fa 04 fa fa fa
        | >ffff2000133d1c00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
        |                                ^
        |  ffff2000133d1c80: fa fa fa fa 00 fa fa fa fa fa fa fa 00 00 00 00
        |  ffff2000133d1d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      
      Fix the splat by introducing an unsigned long 'zero_ul' and using that
      instead.
      
      Link: http://lkml.kernel.org/r/20190403153409.17307-1-will.deacon@arm.com
      Fixes: 32a5ad9c2285 ("sysctl: handle overflow for file-max")
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Acked-by: Christian Brauner <christian@brauner.io>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Matteo Croce <mcroce@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Revert "locking/lockdep: Add debug_locks check in __lock_downgrade()" · ac54bc12
      Greg Kroah-Hartman committed
      This reverts commit 0e0f7b30 which was
      commit 71492580571467fb7177aade19c18ce7486267f5 upstream.
      
      Tetsuo rightly points out that the backport here is incorrect, as it
      touches the __lock_set_class function instead of the intended
      __lock_downgrade function.
      Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Cc: Waiman Long <longman@redhat.com>
      Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Sasha Levin <sashal@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • i2c-hid: properly terminate i2c_hid_dmi_desc_override_table[] array · 9c186256
      Linus Torvalds committed
      commit b59dfdaef173677b0b7e10f375226c0a1114fd20 upstream.
      
      Commit 9ee3e06610fd ("HID: i2c-hid: override HID descriptors for certain
      devices") added a new dmi_system_id quirk table to override certain HID
      report descriptors for some systems that lack them.
      
      But the table wasn't properly terminated, causing the dmi matching to
      walk off into la-la-land, and starting to treat random data as dmi
      descriptor pointers, causing boot-time oopses if you were at all
      unlucky.
      
      Terminate the array.
      
      We really should have some way to just statically check that arrays that
      should be terminated by an empty entry actually are so.  But the HID
      people really should have caught this themselves, rather than have me
      deal with an oops during the merge window.  Tssk, tssk.
      
      Cc: Julian Sax <jsbc@gmx.de>
      Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Ambrož Bizjak <abizjak.pro@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ASoC: rockchip: add missing INTERLEAVED PCM attribute · 52dde116
      Katsuhiro Suzuki committed
      commit 24d6638302b48328a58c13439276d4531af4ca7d upstream.
      
      This patch adds SNDRV_PCM_INFO_INTERLEAVED into PCM hardware info.
      Signed-off-by: Katsuhiro Suzuki <katsuhiro@katsuster.net>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tools include: Adopt linux/bits.h · a782f847
      Arnaldo Carvalho de Melo committed
      commit ba4aa02b417f08a0bee5e7b8ed70cac788a7c854 upstream.
      
      So that we reduce the difference of tools/include/linux/bitops.h to the
      original kernel file, include/linux/bitops.h, trying to remove the need
      to define BITS_PER_LONG, to avoid clashes with asm/bitsperlong.h.
      
      And the things removed from tools/include/linux/bitops.h are really in
      linux/bits.h, so that we can have a copy and then
      tools/perf/check_headers.sh will tell us when new stuff gets added to
      linux/bits.h so that we can check if it is useful and if any adjustment
      needs to be done to the tools/{include,arch}/ copies.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Alexander Sverdlin <alexander.sverdlin@nokia.com>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Wang Nan <wangnan0@huawei.com>
      Link: https://lkml.kernel.org/n/tip-y1sqyydvfzo0bjjoj4zsl562@git.kernel.org
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • percpu: stop printing kernel addresses · 6580376f
      Matteo Croce committed
      commit 00206a69ee32f03e6f40837684dcbe475ea02266 upstream.
      
      Since commit ad67b74d ("printk: hash addresses printed with %p"),
      at boot "____ptrval____" is printed instead of actual addresses:
      
          percpu: Embedded 38 pages/cpu @(____ptrval____) s124376 r0 d31272 u524288
      
      Instead of changing the print to "%px", and leaking kernel addresses,
      just remove the print completely, cfr. e.g. commit 071929db
      ("arm64: Stop printing the virtual memory layout").
      Signed-off-by: Matteo Croce <mcroce@redhat.com>
      Signed-off-by: Dennis Zhou <dennis@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: info: Fix racy addition/deletion of nodes · 8a6f2ea0
      Takashi Iwai committed
      commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream.
      
      The ALSA proc helper manages the child nodes in a linked list, but its
      addition and deletion is done without any lock.  This leads to a
      corruption if they are operated concurrently.  Usually this isn't a
      problem because the proc entries are added sequentially in the driver
      probe procedure itself.  But the card registrations are done often
      asynchronously, and the crash could be actually reproduced with
      syzkaller.
      
      This patch papers over it by protecting the link addition and deletion
      with the parent's mutex.  There is "access" mutex that is used for the
      file access, and this can be reused for this purpose as well.
      
      Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n · 1343fd8f
      Konstantin Khlebnikov committed
      commit e8277b3b52240ec1caad8e6df278863e4bf42eac upstream.
      
      Commit 58bc4c34 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
      depends on skipping vmstat entries with empty name introduced in
      7aaf7727 ("mm: don't show nr_indirectly_reclaimable in
      /proc/vmstat") but reverted in b29940c1abd7 ("mm: rename and change
      semantics of nr_indirectly_reclaimable_bytes").
      
      So skipping no longer works and /proc/vmstat has misformatted lines " 0".
      
      This patch simply shows debug counters "nr_tlb_remote_*" for UP.
      
      Link: http://lkml.kernel.org/r/155481488468.467.4295519102880913454.stgit@buzz
      Fixes: 58bc4c34 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
      Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: Vlastimil Babka <vbabka@suse.cz>
      Cc: Roman Gushchin <guro@fb.com>
      Cc: Jann Horn <jannh@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • device_cgroup: fix RCU imbalance in error case · 628c99a8
      Jann Horn committed
      commit 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 upstream.
      
      When dev_exception_add() returns an error (due to a failed memory
      allocation), make sure that we move the RCU preemption count back to where
      it was before we were called. We dropped the RCU read lock inside the loop
      body, so we can't just "break".
      
      sparse complains about this, too:
      
      $ make -s C=2 security/device_cgroup.o
      ./include/linux/rcupdate.h:647:9: warning: context imbalance in
      'propagate_exception' - unexpected unlock
      
      Fixes: d591fb56 ("device_cgroup: simplify cgroup tree walk in propagate_exception()")
      Cc: stable@vger.kernel.org
      Signed-off-by: Jann Horn <jannh@google.com>
      Acked-by: Michal Hocko <mhocko@suse.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup · c3edd427
      Phil Auld committed
      [ Upstream commit 2e8e19226398db8265a8e675fcc0118b9e80c9e8 ]
      
      With extremely short cfs_period_us setting on a parent task group with a large
      number of children the for loop in sched_cfs_period_timer() can run until the
      watchdog fires. There is no guarantee that the call to hrtimer_forward_now()
      will ever return 0.  The large number of children can make
      do_sched_cfs_period_timer() take longer than the period.
      
       NMI watchdog: Watchdog detected hard LOCKUP on cpu 24
       RIP: 0010:tg_nop+0x0/0x10
        <IRQ>
        walk_tg_tree_from+0x29/0xb0
        unthrottle_cfs_rq+0xe0/0x1a0
        distribute_cfs_runtime+0xd3/0xf0
        sched_cfs_period_timer+0xcb/0x160
        ? sched_cfs_slack_timer+0xd0/0xd0
        __hrtimer_run_queues+0xfb/0x270
        hrtimer_interrupt+0x122/0x270
        smp_apic_timer_interrupt+0x6a/0x140
        apic_timer_interrupt+0xf/0x20
        </IRQ>
      
      To prevent this we add protection to the loop that detects when the loop has run
      too many times and scales the period and quota up, proportionally, so that the timer
      can complete before the next period expires.  This preserves the relative runtime
      quota while preventing the hard lockup.
      
      A warning is issued reporting this state and the new values.
      Signed-off-by: Phil Auld <pauld@redhat.com>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <stable@vger.kernel.org>
      Cc: Anton Blanchard <anton@ozlabs.org>
      Cc: Ben Segall <bsegall@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190319130005.25492-1-pauld@redhat.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>