udc
778 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Joel Fernandes (Google)
|
5223f53100 |
UPSTREAM: pidfd: add polling support
This patch adds polling support to pidfd. Android low memory killer (LMK) needs to know when a process dies once it is sent the kill signal. It does so by checking for the existence of /proc/pid which is both racy and slow. For example, if a PID is reused between when LMK sends a kill signal and checks for existence of the PID, since the wrong PID is now possibly checked for existence. Using the polling support, LMK will be able to get notified when a process exists in race-free and fast way, and allows the LMK to do other things (such as by polling on other fds) while awaiting the process being killed to die. For notification to polling processes, we follow the same existing mechanism in the kernel used when the parent of the task group is to be notified of a child's death (do_notify_parent). This is precisely when the tasks waiting on a poll of pidfd are also awakened in this patch. We have decided to include the waitqueue in struct pid for the following reasons: 1. The wait queue has to survive for the lifetime of the poll. Including it in task_struct would not be option in this case because the task can be reaped and destroyed before the poll returns. 2. By including the struct pid for the waitqueue means that during de_thread(), the new thread group leader automatically gets the new waitqueue/pid even though its task_struct is different. Appropriate test cases are added in the second patch to provide coverage of all the cases the patch is handling. Cc: Andy Lutomirski <luto@amacapital.net> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Daniel Colascione <dancol@google.com> Cc: Jann Horn <jannh@google.com> Cc: Tim Murray <timmurray@google.com> Cc: Jonathan Kowalski <bl0pbl33p@gmail.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Kees Cook <keescook@chromium.org> Cc: David Howells <dhowells@redhat.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: kernel-team@android.com Reviewed-by: Oleg Nesterov <oleg@redhat.com> Co-developed-by: Daniel Colascione <dancol@google.com> Signed-off-by: Daniel Colascione <dancol@google.com> Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by: Christian Brauner <christian@brauner.io> (cherry picked from commit b53b0b9d9a613c418057f6cb921c2f40a6f78c24) Bug: 135608568 Test: test program using syscall(__NR_sys_pidfd_open,..) and poll() Change-Id: I02f259d2875bec46b198d580edfbb067f077084e Signed-off-by: Suren Baghdasaryan <surenb@google.com> |
||
|
Christian Brauner
|
3f68bbed19 |
UPSTREAM: fork: do not release lock that wasn't taken
Avoid calling cgroup_threadgroup_change_end() without having called
cgroup_threadgroup_change_begin() first.
During process creation we need to check whether the cgroup we are in
allows us to fork. To perform this check the cgroup needs to guard itself
against threadgroup changes and takes a lock.
Prior to CLONE_PIDFD the cleanup target "bad_fork_free_pid" would also need
to call cgroup_threadgroup_change_end() because said lock had already been
taken.
However, this is not the case anymore with the addition of CLONE_PIDFD. We
are now allocating a pidfd before we check whether the cgroup we're in can
fork and thus prior to taking the lock. So when copy_process() fails at the
right step it would release a lock we haven't taken.
This bug is not even very subtle to be honest. It's just not very clear
from the naming of cgroup_threadgroup_change_{begin,end}() that a lock is
taken.
Here's the relevant splat:
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fec849
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90
90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90
90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ffed5a8c EFLAGS: 00000246 ORIG_RAX: 0000000000000078
RAX: ffffffffffffffda RBX: 0000000000003ffc RCX: 0000000000000000
RDX: 00000000200005c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(depth <= 0)
WARNING: CPU: 1 PID: 7744 at kernel/locking/lockdep.c:4052 __lock_release
kernel/locking/lockdep.c:4052 [inline]
WARNING: CPU: 1 PID: 7744 at kernel/locking/lockdep.c:4052
lock_release+0x667/0xa00 kernel/locking/lockdep.c:4321
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7744 Comm: syz-executor007 Not tainted 5.1.0+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
panic+0x2cb/0x65c kernel/panic.c:214
__warn.cold+0x20/0x45 kernel/panic.c:566
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:972
RIP: 0010:__lock_release kernel/locking/lockdep.c:4052 [inline]
RIP: 0010:lock_release+0x667/0xa00 kernel/locking/lockdep.c:4321
Code: 0f 85 a0 03 00 00 8b 35 77 66 08 08 85 f6 75 23 48 c7 c6 a0 55 6b 87
48 c7 c7 40 25 6b 87 4c 89 85 70 ff ff ff e8 b7 a9 eb ff <0f> 0b 4c 8b 85
70 ff ff ff 4c 89 ea 4c 89 e6 4c 89 c7 e8 52 63 ff
RSP: 0018:ffff888094117b48 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 1ffff11012822f6f RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815af236 RDI: ffffed1012822f5b
RBP: ffff888094117c00 R08: ffff888092bfc400 R09: fffffbfff113301d
R10: fffffbfff113301c R11: ffffffff889980e3 R12: ffffffff8a451df8
R13: ffffffff8142e71f R14: ffffffff8a44cc80 R15: ffff888094117bd8
percpu_up_read.constprop.0+0xcb/0x110 include/linux/percpu-rwsem.h:92
cgroup_threadgroup_change_end include/linux/cgroup-defs.h:712 [inline]
copy_process.part.0+0x47ff/0x6710 kernel/fork.c:2222
copy_process kernel/fork.c:1772 [inline]
_do_fork+0x25d/0xfd0 kernel/fork.c:2338
__do_compat_sys_x86_clone arch/x86/ia32/sys_ia32.c:240 [inline]
__se_compat_sys_x86_clone arch/x86/ia32/sys_ia32.c:236 [inline]
__ia32_compat_sys_x86_clone+0xbc/0x140 arch/x86/ia32/sys_ia32.c:236
do_syscall_32_irqs_on arch/x86/entry/common.c:334 [inline]
do_fast_syscall_32+0x281/0xd54 arch/x86/entry/common.c:405
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fec849
Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90
90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90
90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ffed5a8c EFLAGS: 00000246 ORIG_RAX: 0000000000000078
RAX: ffffffffffffffda RBX: 0000000000003ffc RCX: 0000000000000000
RDX: 00000000200005c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..
Reported-and-tested-by: syzbot+3286e58549edc479faae@syzkaller.appspotmail.com
Fixes: b3e583825266 ("clone: add CLONE_PIDFD")
Signed-off-by: Christian Brauner <christian@brauner.io>
(cherry picked from commit c3b7112df86b769927a60a6d7175988ca3d60f09)
Bug: 135608568
Test: test program using syscall(__NR_sys_pidfd_open,..) and poll()
Change-Id: Ib9ecb1e5c0c6e2d062b89c25109ec571570eb497
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
|
||
|
Christian Brauner
|
e59f1dbeab |
BACKPORT: clone: add CLONE_PIDFD
This patchset makes it possible to retrieve pid file descriptors at process creation time by introducing the new flag CLONE_PIDFD to the clone() system call. Linus originally suggested to implement this as a new flag to clone() instead of making it a separate system call. As spotted by Linus, there is exactly one bit for clone() left. CLONE_PIDFD creates file descriptors based on the anonymous inode implementation in the kernel that will also be used to implement the new mount api. They serve as a simple opaque handle on pids. Logically, this makes it possible to interpret a pidfd differently, narrowing or widening the scope of various operations (e.g. signal sending). Thus, a pidfd cannot just refer to a tgid, but also a tid, or in theory - given appropriate flag arguments in relevant syscalls - a process group or session. A pidfd does not represent a privilege. This does not imply it cannot ever be that way but for now this is not the case. A pidfd comes with additional information in fdinfo if the kernel supports procfs. The fdinfo file contains the pid of the process in the callers pid namespace in the same format as the procfs status file, i.e. "Pid:\t%d". As suggested by Oleg, with CLONE_PIDFD the pidfd is returned in the parent_tidptr argument of clone. This has the advantage that we can give back the associated pid and the pidfd at the same time. To remove worries about missing metadata access this patchset comes with a sample program that illustrates how a combination of CLONE_PIDFD, and pidfd_send_signal() can be used to gain race-free access to process metadata through /proc/<pid>. The sample program can easily be translated into a helper that would be suitable for inclusion in libc so that users don't have to worry about writing it themselves. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Christian Brauner <christian@brauner.io> Co-developed-by: Jann Horn <jannh@google.com> Signed-off-by: Jann Horn <jannh@google.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: David Howells <dhowells@redhat.com> Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> Cc: Andy Lutomirsky <luto@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Aleksa Sarai <cyphar@cyphar.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> (cherry picked from commit b3e5838252665ee4cfa76b82bdf1198dca81e5be) Conflicts: kernel/fork.c (1. Replaced proc_pid_ns() with its direct implementation.) Bug: 135608568 Test: test program using syscall(__NR_sys_pidfd_open,..) and poll() Change-Id: I3c804a92faea686e5bf7f99df893fe3a5d87ddf7 Signed-off-by: Suren Baghdasaryan <surenb@google.com> Signed-off-by: electimon <electimon@gmail.com> |
||
|
Aditya Kali
|
66bbf8312d |
cgroup: introduce cgroup namespaces
Introduce the ability to create new cgroup namespace. The newly created cgroup namespace remembers the cgroup of the process at the point of creation of the cgroup namespace (referred as cgroupns-root). The main purpose of cgroup namespace is to virtualize the contents of /proc/self/cgroup file. Processes inside a cgroup namespace are only able to see paths relative to their namespace root (unless they are moved outside of their cgroupns-root, at which point they will see a relative path from their cgroupns-root). For a correctly setup container this enables container-tools (like libcontainer, lxc, lmctfy, etc.) to create completely virtualized containers without leaking system level cgroup hierarchy to the task. This patch only implements the 'unshare' part of the cgroupns. Signed-off-by: Aditya Kali <adityakali@google.com> Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Tejun Heo <tj@kernel.org> Signed-off-by: Chatur27 <jasonbright2709@gmail.com> Change-Id: Ifd2df9f562baa90b0fe7c986f86967602657c640 |
||
|
Oleg Nesterov
|
46628c4ce7 |
cgroup: kill cgrp_ss_priv[CGROUP_CANFORK_COUNT] and friends
Now that nobody use the "priv" arg passed to can_fork/cancel_fork/fork we can kill CGROUP_CANFORK_COUNT/SUBSYS_TAG/etc and cgrp_ss_priv[] in copy_process(). Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Tejun Heo <tj@kernel.org> Signed-off-by: Chatur27 <jasonbright2709@gmail.com> Change-Id: I3d38130a199fa07b43aac95c201aecd9924e0879 |
||
|
Michael Bestas
|
29daf360fe |
Merge remote-tracking branch 'common/android-4.4-p' into android-msm-wahoo-4.4
# By Daniel Rosenberg (98) and others
# Via Greg Kroah-Hartman (219) and others
* google/common/android-4.4-p:
ANDROID: xt_qtaguid: fix UAF race
ANDROID: Make vsock virtio packet buff size configurable
ANDROID: cuttlefish_defconfig: add missing CONFIG_BLK_CGROUP
ANDROID: xt_qtaguid: Remove tag_entry from process list on untag
ANDROID: usb: f_accessory: Don't drop NULL reference in acc_disconnect()
ANDROID: usb: f_accessory: Avoid bitfields for shared variables
ANDROID: usb: f_accessory: Cancel any pending work before teardown
ANDROID: usb: f_accessory: Don't corrupt global state on double registration
ANDROID: usb: f_accessory: Fix teardown ordering in acc_release()
ANDROID: usb: f_accessory: Add refcounting to global 'acc_dev'
UPSTREAM: locking/atomic, kref: Add KREF_INIT()
ANDROID: usb: f_accessory: Wrap '_acc_dev' in get()/put() accessors
ANDROID: usb: f_accessory: Remove useless assignment
ANDROID: usb: f_accessory: Remove useless non-debug prints
ANDROID: usb: f_accessory: Remove stale comments
ANDROID: USB: f_accessory: Check dev pointer before decoding ctrl request
ANDROID: usb: gadget: f_accessory: fix CTS test stuck
ANDROID: cuttlefish_defconfig: Disable CONFIG_KSM
UPSTREAM: arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm
UPSTREAM: arm64: kaslr: Fix up the kernel image alignment
UPSTREAM: sched/fair: Fix FTQ noise bench regression
UPSTREAM: dm verity fec: fix bufio leaks
UPSTREAM: arm64: kernel: restrict /dev/mem read() calls to linear region
UPSTREAM: binder: fix incorrect cmd to binder_stat_br
UPSTREAM: arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb
UPSTREAM: KVM: arm/arm64: Check pagesize when allocating a hugepage at Stage 2
UPSTREAM: fs/proc/kcore.c: use probe_kernel_read() instead of memcpy()
UPSTREAM: arm64: fix unwind_frame() for filtered out fn for function graph tracing
UPSTREAM: arm64: kpti: Use early_param for kpti= command-line option
UPSTREAM: arm64: kaslr: ensure randomized quantities are clean to the PoC
UPSTREAM: arm64: kaslr: ensure randomized quantities are clean also when kaslr is off
UPSTREAM: staging: android: vsoc: fix copy_from_user overrun
UPSTREAM: arm64/mm: Inhibit huge-vmap with ptdump
UPSTREAM: drivers/perf: arm_pmu: Fix failure path in PM notifier
UPSTREAM: fs/posix_acl.c: fix kernel-doc warnings
UPSTREAM: ext2: fix debug reference to ext2_xattr_cache
UPSTREAM: arm64: alternative: fix build with clang integrated assembler
UPSTREAM: dm verity fec: fix hash block number in verity_fec_decode
ANDROID: Temporarily disable XFRM_USER_COMPAT filtering
BACKPORT: xfrm/compat: Translate 32-bit user_policy from sockptr
BACKPORT: xfrm/compat: Add 32=>64-bit messages translator
UPSTREAM: xfrm/compat: Attach xfrm dumps to 64=>32 bit translator
BACKPORT: xfrm/compat: Add 64=>32-bit messages translator
BACKPORT: xfrm: Provide API to register translator module
UPSTREAM: mm/sl[uo]b: export __kmalloc_track(_node)_caller
ANDROID: Publish uncompressed Image on aarch64
ANDROID: Makefile: append BUILD_NUMBER to version string when defined
UPSTREAM: binder: fix UAF when releasing todo list
ANDROID: fix a bug in quota2
UPSTREAM: binder: Prevent context manager from incrementing ref 0
BACKPORT: xtables: extend matches and targets with .usersize
UPSTREAM: ip6tables: use match, target and data copy_to_user helpers
UPSTREAM: iptables: use match, target and data copy_to_user helpers
UPSTREAM: xtables: add xt_match, xt_target and data copy_to_user functions
ANDROID: cuttlefish_defconfig: Drop built-in cmdline (except nopti)
ANDROID: cuttlefish defconfig - enable mount/net/uts namespaces.
ANDROID: hid: steam: remove BT controller matching
UPSTREAM: HID: steam: Fix input device disappearing
Revert "ext2: fix empty body warnings when -Wextra is used"
Revert "net: ipv6: Fix processing of RAs in presence of VRF"
UPSTREAM: net: socket: set sock->sk to NULL after calling proto_ops::release()
BACKPORT: xfrm: Allow Output Mark to be Updated Using UPDSA
UPSTREAM: socket: close race condition between sock_close() and sockfs_setattr()
UPSTREAM: net: ipv6: Use passed in table for nexthop lookups
ANDROID: cuttlefish_defconfig: Fix dm-verity related options
Revert "ANDROID: dm verity: add minimum prefetch size"
ANDROID: mnt: Propagate remount correctly
BACKPORT: loop: Add LOOP_SET_BLOCK_SIZE in compat ioctl
UPSTREAM: loop: drop caches if offset or block_size are changed
UPSTREAM: loop: add ioctl for changing logical block size
BACKPORT: block/loop: set hw_sectors
ANDROID: cuttlefish_defconfig: Minimally enable EFI
UPSTREAM: bpf: Explicitly memset the bpf_attr structure
FROMLIST: HID: nintendo: add nintendo switch controller driver
UPSTREAM: staging: most: net: fix buffer overflow
UPSTREAM: ALSA: pcm: Add missing copy ops check before clearing buffer
ANDROID: selinux: modify RTM_GETLINK permission
UPSTREAM: HID: input: map digitizer battery usage
UPSTREAM: HID: input: ignore the battery in OKLICK Laser BTmouse
ANDROID: cuttlefish_defconfig: Disable TRANSPARENT_HUGEPAGE
commit e82b9b0727ff ("vhost: introduce vhost_exceeds_weight()")
UPSTREAM: HID: steam: fix deadlock with input devices.
UPSTREAM: HID: steam: fix boot loop with bluetooth firmware
UPSTREAM: HID: steam: remove input device when a hid client is running.
UPSTREAM: HID: steam: use hid_device.driver_data instead of hid_set_drvdata()
UPSTREAM: HID: steam: add missing fields in client initialization
UPSTREAM: HID: steam: add battery device.
UPSTREAM: HID: add driver for Valve Steam Controller
UPSTREAM: HID: sony: Fix memory corruption issue on cleanup.
UPSTREAM: HID: sony: Fix race condition between rumble and device remove.
UPSTREAM: HID: sony: remove redundant check for -ve err
UPSTREAM: HID: sony: Make sure to unregister sensors on failure
UPSTREAM: HID: sony: Make DS4 bt poll interval adjustable
UPSTREAM: HID: sony: Set proper bit flags on DS4 output report
UPSTREAM: HID: sony: DS4 use brighter LED colors
UPSTREAM: HID: sony: Improve navigation controller axis/button mapping
UPSTREAM: HID: sony: Use DS3 MAC address as unique identifier on USB
UPSTREAM: HID: sony: Perform duplicate device check earlier on
UPSTREAM: HID: sony: Expose DS3 motion sensors through separate device
UPSTREAM: HID: sony: Print error on failure to active DS3 / Navigation controllers
UPSTREAM: HID: sony: DS3 comply to Linux gamepad spec
UPSTREAM: HID: sony: Mark DS4 touchpad device as a pointer
UPSTREAM: HID: sony: Support motion sensor calibration on dongle
UPSTREAM: HID: sony: Make work handling more generic
UPSTREAM: HID: sony: Treat the ds4 dongle as a separate device
UPSTREAM: HID: sony: Remove report descriptor fixup for DS4
UPSTREAM: HID: sony: Report hardware timestamp for DS4 sensor values
UPSTREAM: HID: sony: Calibrate DS4 motion sensors
UPSTREAM: HID: sony: Report DS4 motion sensors through a separate device
UPSTREAM: HID: sony: Fix input device leak when connecting a DS4 twice using USB/BT
UPSTREAM: HID: sony: Use LED_CORE_SUSPENDRESUME
UPSTREAM: HID: sony: Ignore DS4 dongle reports when no device is connected
UPSTREAM: HID: sony: Use DS4 MAC address as unique identifier on USB
UPSTREAM: HID: sony: Fix error handling bug when touchpad registration fails
UPSTREAM: HID: sony: Comply to Linux gamepad spec for DS4
UPSTREAM: HID: sony: Make the DS4 touchpad a separate device
UPSTREAM: HID: sony: Fix memory issue when connecting device using both Bluetooth and USB
UPSTREAM: HID: sony: Adjust value range for motion sensors
UPSTREAM: HID: sony: Handle multiple touch events input record
UPSTREAM: HID: sony: Send ds4 output reports on output end-point
UPSTREAM: HID: sony: Perform CRC check on bluetooth input packets
UPSTREAM: HID: sony: Adjust HID report size name definitions
UPSTREAM: HID: sony: Fix race condition in sony_probe
UPSTREAM: HID: sony: Update copyright and add Dualshock 4 rate control note
UPSTREAM: HID: sony: Defer the initial USB Sixaxis output report
UPSTREAM: HID: sony: Relax duplicate checking for USB-only devices
UPSTREAM: HID: sony: underscores are unnecessary for u8, u16, s32
UPSTREAM: HID: sony: fix some warnings from scripts/checkpatch.pl
UPSTREAM: HID: sony: fix errors from scripts/checkpatch.pl
UPSTREAM: HID: sony: fix a typo in descriptors comments s/Joystik/Joystick/
UPSTREAM: HID: sony: Fixup output reports for the nyko core controller
UPSTREAM: HID: sony: Remove the size check for the Dualshock 4 HID Descriptor
UPSTREAM: HID: sony: Save and restore the controller state on suspend and resume
UPSTREAM: HID: sony: Refactor the output report sending functions
ANDROID: cpufreq: times: add /proc/uid_concurrent_{active,policy}_time
rtlwifi: Fix potential overflow on P2P code
ANDROID: clang: update to 9.0.8 based on r365631c
ANDROID: move up spin_unlock_bh() ahead of remove_proc_entry()
ANDROID: refactor build.config files to remove duplication
ANDROID: usb: gadget: Fix dependency for f_accessory
Remove taskname from lowmemorykiller kill reports
ANDROID: Fixes to locking around handle_lmk_event
Revert "ANDROID: regression introduced override_creds=off"
ANDROID: regression introduced override_creds=off
Fix fallout from changes to bootparam_utils.h
ANDROID: sched: Disallow WALT with CFS bandwidth control
ANDROID: fiq_debugger: remove
ANDROID: arm64: fix leftover RWX when using CONFIG_UNMAP_KERNEL_AT_EL0
ANDROID: fix kernelci build-break in lowmemorykiller
ANDROID: Avoid taking multiple locks in handle_lmk_event
UPSTREAM: net-ipv6-ndisc: add support for RFC7710 RA Captive Portal Identifier
ANDROID: fix binder change in merge of 4.4.183
Fix overlayfs build break
binder: binder: fix possible UAF when freeing buffer
ANDROID: Revert "f2fs: avoid out-of-range memory access"
ANDROID: overlayfs: Fix a regression in commit
|
||
|
Michael Bestas
|
fc5015d369 |
Squashed revert of CPU UID time commits
* Reverting the following wahoo commits to reduce merge conflicts with android-4.4-p * android-4.4-p has a more up to date version of these patches Revert "cpufreq: stats: optimize proc files" This reverts commit |
||
|
Michael Bestas
|
674a75a07c |
Merge tag 'v4.4.255' into android-msm-wahoo-4.4
This is the 4.4.255 stable release # gpg: Signature made Thu Feb 4 00:19:04 2021 EET # gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E # gpg: Good signature from "Greg Kroah-Hartman <gregkh@kernel.org>" [full] # gpg: gregkh@kernel.org: Verified 6 signatures in the past 2 hours. Encrypted # 0 messages. # By Thomas Gleixner (11) and others # Via Greg Kroah-Hartman * tag 'v4.4.255': Linux 4.4.255 NFC: fix possible resource leak NFC: fix resource leak when target index is invalid iommu/vt-d: Don't dereference iommu_device if IOMMU_API is not built iommu/vt-d: Gracefully handle DMAR units with no supported address widths can: dev: prevent potential information leak in can_fill_info() mac80211: pause TX while changing interface type RDMA/cxgb4: Fix the reported max_recv_sge value xfrm: Fix oops in xfrm_replay_advance_bmp netfilter: nft_dynset: add timeout extension to template ARM: imx: build suspend-imx6.S with arm instruction set futex: Prevent exit livelock futex: Provide distinct return value when owner is exiting futex: Add mutex around futex exit futex: Provide state handling for exec() as well futex: Sanitize exit state handling futex: Mark the begin of futex exit explicitly futex: Set task::futex_state to DEAD right after handling futex exit futex: Split futex_mm_release() for exit/exec exit/exec: Seperate mm_release() futex: Replace PF_EXITPIDONE with a state futex: Move futex exit handling into futex code y2038: futex: Move compat implementation into futex.c mt7601u: fix rx buffer refcounting mt7601u: fix kernel crash unplugging the device KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family wext: fix NULL-ptr-dereference with cfg80211's lack of commit() ACPI: sysfs: Prefer "compatible" modalias Conflicts: kernel/exit.c Change-Id: I3b1284150c424ac3c26810f7de88acc16b5b4b60 |
||
|
Greg Kroah-Hartman
|
0566f6529a |
Merge 4.4.255 into android-4.4-p
Changes in 4.4.255 ACPI: sysfs: Prefer "compatible" modalias wext: fix NULL-ptr-dereference with cfg80211's lack of commit() net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] mt7601u: fix kernel crash unplugging the device mt7601u: fix rx buffer refcounting y2038: futex: Move compat implementation into futex.c futex: Move futex exit handling into futex code futex: Replace PF_EXITPIDONE with a state exit/exec: Seperate mm_release() futex: Split futex_mm_release() for exit/exec futex: Set task::futex_state to DEAD right after handling futex exit futex: Mark the begin of futex exit explicitly futex: Sanitize exit state handling futex: Provide state handling for exec() as well futex: Add mutex around futex exit futex: Provide distinct return value when owner is exiting futex: Prevent exit livelock ARM: imx: build suspend-imx6.S with arm instruction set netfilter: nft_dynset: add timeout extension to template xfrm: Fix oops in xfrm_replay_advance_bmp RDMA/cxgb4: Fix the reported max_recv_sge value mac80211: pause TX while changing interface type can: dev: prevent potential information leak in can_fill_info() iommu/vt-d: Gracefully handle DMAR units with no supported address widths iommu/vt-d: Don't dereference iommu_device if IOMMU_API is not built NFC: fix resource leak when target index is invalid NFC: fix possible resource leak Linux 4.4.255 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I33bac27670b3cd649e2c8c1ce42efff148f8f202 |
||
|
Thomas Gleixner
|
7493738933 |
futex: Split futex_mm_release() for exit/exec
commit 150d71584b12809144b8145b817e83b81158ae5f upstream. To allow separate handling of the futex exit state in the futex exit code for exit and exec, split futex_mm_release() into two functions and invoke them from the corresponding exit/exec_mm_release() callsites. Preparatory only, no functional change. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Ingo Molnar <mingo@kernel.org> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://lkml.kernel.org/r/20191106224556.332094221@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Thomas Gleixner
|
93d2eb4077 |
exit/exec: Seperate mm_release()
commit 4610ba7ad877fafc0a25a30c6c82015304120426 upstream. mm_release() contains the futex exit handling. mm_release() is called from do_exit()->exit_mm() and from exec()->exec_mm(). In the exit_mm() case PF_EXITING and the futex state is updated. In the exec_mm() case these states are not touched. As the futex exit code needs further protections against exit races, this needs to be split into two functions. Preparatory only, no functional change. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Ingo Molnar <mingo@kernel.org> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://lkml.kernel.org/r/20191106224556.240518241@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Thomas Gleixner
|
8d2b511c52 |
futex: Move futex exit handling into futex code
commit ba31c1a48538992316cc71ce94fa9cd3e7b427c0 upstream. The futex exit handling is #ifdeffed into mm_release() which is not pretty to begin with. But upcoming changes to address futex exit races need to add more functionality to this exit code. Split it out into a function, move it into futex code and make the various futex exit functions static. Preparatory only and no functional change. Folded build fix from Borislav. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Ingo Molnar <mingo@kernel.org> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://lkml.kernel.org/r/20191106224556.049705556@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Nathan Chancellor
|
de03ddc510 |
Merge 4.4.242 into android-msm-wahoo-4.4
Changes in 4.4.242: (87 commits)
SUNRPC: ECONNREFUSED should cause a rebind.
scripts/setlocalversion: make git describe output more reliable
powerpc/powernv/opal-dump : Use IRQ_HANDLED instead of numbers in interrupt handler
efivarfs: Replace invalid slashes with exclamation marks in dentries.
ravb: Fix bit fields checking in ravb_hwtstamp_get()
tipc: fix memory leak caused by tipc_buf_append()
mtd: lpddr: Fix bad logic in print_drs_error
ata: sata_rcar: Fix DMA boundary mask
fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
f2fs crypto: avoid unneeded memory allocation in ->readdir
powerpc/powernv/smp: Fix spurious DBG() warning
sparc64: remove mm_cpumask clearing to fix kthread_use_mm race
f2fs: fix to check segment boundary during SIT page readahead
um: change sigio_spinlock to a mutex
xfs: fix realtime bitmap/summary file truncation when growing rt volume
video: fbdev: pvr2fb: initialize variables
ath10k: fix VHT NSS calculation when STBC is enabled
mmc: via-sdmmc: Fix data race bug
printk: reduce LOG_BUF_SHIFT range for H8300
kgdb: Make "kgdbcon" work properly with "kgdb_earlycon"
USB: adutux: fix debugging
drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values
power: supply: test_power: add missing newlines when printing parameters by sysfs
md/bitmap: md_bitmap_get_counter returns wrong blocks
clk: ti: clockdomain: fix static checker warning
net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid
drivers: watchdog: rdc321x_wdt: Fix race condition bugs
ext4: Detect already used quota file early
gfs2: add validation checks for size of superblock
memory: emif: Remove bogus debugfs error handling
ARM: dts: s5pv210: move PMU node out of clock controller
ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node
md/raid5: fix oops during stripe resizing
leds: bcm6328, bcm6358: use devres LED registering function
NFS: fix nfs_path in case of a rename retry
ACPI / extlog: Check for RDMSR failure
ACPI: video: use ACPI backlight for HP 635 Notebook
acpi-cpufreq: Honor _PSD table setting on new AMD CPUs
w1: mxc_w1: Fix timeout resolution problem leading to bus error
scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove()
btrfs: reschedule if necessary when logging directory items
vt: keyboard, simplify vt_kdgkbsent
vt: keyboard, extend func_buf_lock to readers
dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status
iio:gyro:itg3200: Fix timestamp alignment and prevent data leak.
powerpc/powernv/elog: Fix race while processing OPAL error log event.
ubifs: dent: Fix some potential memory leaks while iterating entries
ubi: check kthread_should_stop() after the setting of task state
ia64: fix build error with !COREDUMP
ceph: promote to unsigned long long before shifting
libceph: clear con->out_msg on Policy::stateful_server faults
9P: Cast to loff_t before multiplying
ring-buffer: Return 0 on success from ring_buffer_resize()
vringh: fix __vringh_iov() when riov and wiov are different
tty: make FONTX ioctl use the tty pointer they were actually passed
arm64: berlin: Select DW_APB_TIMER_OF
cachefiles: Handle readpage error correctly
hil/parisc: Disable HIL driver when it gets stuck
ARM: samsung: fix PM debug build with DEBUG_LL but !MMU
ARM: s3c24xx: fix missing system reset
device property: Keep secondary firmware node secondary by type
device property: Don't clear secondary pointer for shared primary firmware node
staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice
xen/events: don't use chip_data for legacy IRQs
tipc: fix use-after-free in tipc_bcast_get_mode
gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP
gianfar: Account for Tx PTP timestamp in the skb headroom
Fonts: Replace discarded const qualifier
ALSA: usb-audio: Add implicit feedback quirk for Qu-16
ftrace: Fix recursion check for NMI test
ftrace: Handle tracing when switching between context
ARM: dts: sun4i-a10: fix cpu_alert temperature
x86/kexec: Use up-to-dated screen_info copy to fill boot params
of: Fix reserved-memory overlap detection
scsi: core: Don't start concurrent async scan on same host
vsock: use ns_capable_noaudit() on socket create
vt: Disable KD_FONT_OP_COPY
fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent
serial: 8250_mtk: Fix uart_get_baud_rate warning
serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init
USB: serial: cyberjack: fix write-URB completion race
USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
USB: serial: option: add Telit FN980 composition 0x1055
USB: Add NO_LPM quirk for Kingston flash drive
ARC: stack unwinding: avoid indefinite looping
Revert "ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE"
Linux 4.4.242
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
scripts/setlocalversion
|
||
|
Greg Kroah-Hartman
|
885b093edb |
Merge 4.4.242 into android-4.4-p
Changes in 4.4.242 SUNRPC: ECONNREFUSED should cause a rebind. scripts/setlocalversion: make git describe output more reliable powerpc/powernv/opal-dump : Use IRQ_HANDLED instead of numbers in interrupt handler efivarfs: Replace invalid slashes with exclamation marks in dentries. ravb: Fix bit fields checking in ravb_hwtstamp_get() tipc: fix memory leak caused by tipc_buf_append() mtd: lpddr: Fix bad logic in print_drs_error ata: sata_rcar: Fix DMA boundary mask fscrypt: return -EXDEV for incompatible rename or link into encrypted dir f2fs crypto: avoid unneeded memory allocation in ->readdir powerpc/powernv/smp: Fix spurious DBG() warning sparc64: remove mm_cpumask clearing to fix kthread_use_mm race f2fs: fix to check segment boundary during SIT page readahead um: change sigio_spinlock to a mutex xfs: fix realtime bitmap/summary file truncation when growing rt volume video: fbdev: pvr2fb: initialize variables ath10k: fix VHT NSS calculation when STBC is enabled mmc: via-sdmmc: Fix data race bug printk: reduce LOG_BUF_SHIFT range for H8300 kgdb: Make "kgdbcon" work properly with "kgdb_earlycon" USB: adutux: fix debugging drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values power: supply: test_power: add missing newlines when printing parameters by sysfs md/bitmap: md_bitmap_get_counter returns wrong blocks clk: ti: clockdomain: fix static checker warning net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid drivers: watchdog: rdc321x_wdt: Fix race condition bugs ext4: Detect already used quota file early gfs2: add validation checks for size of superblock memory: emif: Remove bogus debugfs error handling ARM: dts: s5pv210: move PMU node out of clock controller ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node md/raid5: fix oops during stripe resizing leds: bcm6328, bcm6358: use devres LED registering function NFS: fix nfs_path in case of a rename retry ACPI / extlog: Check for RDMSR failure ACPI: video: use ACPI backlight for HP 635 Notebook acpi-cpufreq: Honor _PSD table setting on new AMD CPUs w1: mxc_w1: Fix timeout resolution problem leading to bus error scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove() btrfs: reschedule if necessary when logging directory items vt: keyboard, simplify vt_kdgkbsent vt: keyboard, extend func_buf_lock to readers dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status iio:gyro:itg3200: Fix timestamp alignment and prevent data leak. powerpc/powernv/elog: Fix race while processing OPAL error log event. ubifs: dent: Fix some potential memory leaks while iterating entries ubi: check kthread_should_stop() after the setting of task state ia64: fix build error with !COREDUMP ceph: promote to unsigned long long before shifting libceph: clear con->out_msg on Policy::stateful_server faults 9P: Cast to loff_t before multiplying ring-buffer: Return 0 on success from ring_buffer_resize() vringh: fix __vringh_iov() when riov and wiov are different tty: make FONTX ioctl use the tty pointer they were actually passed arm64: berlin: Select DW_APB_TIMER_OF cachefiles: Handle readpage error correctly hil/parisc: Disable HIL driver when it gets stuck ARM: samsung: fix PM debug build with DEBUG_LL but !MMU ARM: s3c24xx: fix missing system reset device property: Keep secondary firmware node secondary by type device property: Don't clear secondary pointer for shared primary firmware node staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice xen/events: don't use chip_data for legacy IRQs tipc: fix use-after-free in tipc_bcast_get_mode gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP gianfar: Account for Tx PTP timestamp in the skb headroom Fonts: Replace discarded const qualifier ALSA: usb-audio: Add implicit feedback quirk for Qu-16 ftrace: Fix recursion check for NMI test ftrace: Handle tracing when switching between context ARM: dts: sun4i-a10: fix cpu_alert temperature x86/kexec: Use up-to-dated screen_info copy to fill boot params of: Fix reserved-memory overlap detection scsi: core: Don't start concurrent async scan on same host vsock: use ns_capable_noaudit() on socket create vt: Disable KD_FONT_OP_COPY fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent serial: 8250_mtk: Fix uart_get_baud_rate warning serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init USB: serial: cyberjack: fix write-URB completion race USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 USB: serial: option: add Telit FN980 composition 0x1055 USB: Add NO_LPM quirk for Kingston flash drive ARC: stack unwinding: avoid indefinite looping Revert "ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE" Linux 4.4.242 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I9c6408c403a91272e8255725dc8de294e522dc90 |
||
|
Eddy Wu
|
33175e2d8f |
fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent
commit b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948 upstream. current->group_leader->exit_signal may change during copy_process() if current->real_parent exits. Move the assignment inside tasklist_lock to avoid the race. Signed-off-by: Eddy Wu <eddy_wu@trendmicro.com> Acked-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Nathan Chancellor
|
f91f03427e |
Merge 4.4.197 into android-msm-wahoo-4.4
Changes in 4.4.197: (80 commits)
KVM: s390: Test for bad access register and size at the start of S390_MEM_OP
s390/topology: avoid firing events before kobjs are created
s390/cio: avoid calling strlen on null pointer
s390/cio: exclude subchannels with no parent from pseudo check
KVM: nVMX: handle page fault in vmread fix
ASoC: Define a set of DAPM pre/post-up events
powerpc/powernv: Restrict OPAL symbol map to only be readable by root
can: mcp251x: mcp251x_hw_reset(): allow more time after a reset
crypto: qat - Silence smp_processor_id() warning
ieee802154: atusb: fix use-after-free at disconnect
cfg80211: initialize on-stack chandefs
ima: always return negative code for error
fs: nfs: Fix possible null-pointer dereferences in encode_attrs()
9p: avoid attaching writeback_fid on mmap with type PRIVATE
xen/pci: reserve MCFG areas earlier
ceph: fix directories inode i_blkbits initialization
drm/amdgpu: Check for valid number of registers to read
thermal: Fix use-after-free when unregistering thermal zone device
fuse: fix memleak in cuse_channel_open
kernel/elfcore.c: include proper prototypes
tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure
perf stat: Fix a segmentation fault when using repeat forever
crypto: caam - fix concurrency issue in givencrypt descriptor
cfg80211: add and use strongly typed element iteration macros
cfg80211: Use const more consistently in for_each_element macros
nl80211: validate beacon head
ASoC: sgtl5000: Improve VAG power and mute control
panic: ensure preemption is disabled during panic()
USB: rio500: Remove Rio 500 kernel driver
USB: yurex: Don't retry on unexpected errors
USB: yurex: fix NULL-derefs on disconnect
USB: usb-skeleton: fix runtime PM after driver unbind
USB: usb-skeleton: fix NULL-deref on disconnect
xhci: Prevent device initiated U1/U2 link pm if exit latency is too long
xhci: Check all endpoints for LPM timeout
usb: xhci: wait for CNR controller not ready bit in xhci resume
xhci: Increase STS_SAVE timeout in xhci_suspend()
USB: adutux: remove redundant variable minor
USB: adutux: fix use-after-free on disconnect
USB: adutux: fix NULL-derefs on disconnect
USB: adutux: fix use-after-free on release
USB: iowarrior: fix use-after-free on disconnect
USB: iowarrior: fix use-after-free on release
USB: iowarrior: fix use-after-free after driver unbind
USB: usblp: fix runtime PM after driver unbind
USB: chaoskey: fix use-after-free on release
USB: ldusb: fix NULL-derefs on driver unbind
serial: uartlite: fix exit path null pointer
USB: serial: keyspan: fix NULL-derefs on open() and write()
USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
USB: serial: option: add Telit FN980 compositions
USB: serial: option: add support for Cinterion CLS8 devices
USB: serial: fix runtime PM after driver unbind
USB: usblcd: fix I/O after disconnect
USB: microtek: fix info-leak at probe
USB: dummy-hcd: fix power budget for SuperSpeed mode
usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}()
usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior
USB: legousbtower: fix slab info leak at probe
USB: legousbtower: fix deadlock on disconnect
USB: legousbtower: fix potential NULL-deref on disconnect
USB: legousbtower: fix open after failed reset request
USB: legousbtower: fix use-after-free on release
staging: vt6655: Fix memory leak in vt6655_probe
iio: adc: ad799x: fix probe error handling
iio: light: opt3001: fix mutex unlock race
perf llvm: Don't access out-of-scope array
CIFS: Gracefully handle QueryInfo errors during open
CIFS: Force reval dentry if LOOKUP_REVAL flag is set
kernel/sysctl.c: do not override max_threads provided by userspace
arm64: capabilities: Handle sign of the feature bit
arm64: Rename cpuid_feature field extract routines
Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc
cifs: Check uniqueid for SMB2+ and return -ESTALE if necessary
CIFS: Force revalidate inode when dentry is stale
media: stkwebcam: fix runtime PM after driver unbind
tracing: Get trace_array reference for available_tracers files
x86/asm: Fix MWAITX C-state hint value
xfs: clear sb->s_fs_info on mount failure
Linux 4.4.197
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
arch/arm64/mm/context.c
|
||
|
Greg Kroah-Hartman
|
93ec8fb82c |
Merge 4.4.197 into android-4.4-p
Changes in 4.4.197
KVM: s390: Test for bad access register and size at the start of S390_MEM_OP
s390/topology: avoid firing events before kobjs are created
s390/cio: avoid calling strlen on null pointer
s390/cio: exclude subchannels with no parent from pseudo check
KVM: nVMX: handle page fault in vmread fix
ASoC: Define a set of DAPM pre/post-up events
powerpc/powernv: Restrict OPAL symbol map to only be readable by root
can: mcp251x: mcp251x_hw_reset(): allow more time after a reset
crypto: qat - Silence smp_processor_id() warning
ieee802154: atusb: fix use-after-free at disconnect
cfg80211: initialize on-stack chandefs
ima: always return negative code for error
fs: nfs: Fix possible null-pointer dereferences in encode_attrs()
9p: avoid attaching writeback_fid on mmap with type PRIVATE
xen/pci: reserve MCFG areas earlier
ceph: fix directories inode i_blkbits initialization
drm/amdgpu: Check for valid number of registers to read
thermal: Fix use-after-free when unregistering thermal zone device
fuse: fix memleak in cuse_channel_open
kernel/elfcore.c: include proper prototypes
tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure
perf stat: Fix a segmentation fault when using repeat forever
crypto: caam - fix concurrency issue in givencrypt descriptor
cfg80211: add and use strongly typed element iteration macros
cfg80211: Use const more consistently in for_each_element macros
nl80211: validate beacon head
ASoC: sgtl5000: Improve VAG power and mute control
panic: ensure preemption is disabled during panic()
USB: rio500: Remove Rio 500 kernel driver
USB: yurex: Don't retry on unexpected errors
USB: yurex: fix NULL-derefs on disconnect
USB: usb-skeleton: fix runtime PM after driver unbind
USB: usb-skeleton: fix NULL-deref on disconnect
xhci: Prevent device initiated U1/U2 link pm if exit latency is too long
xhci: Check all endpoints for LPM timeout
usb: xhci: wait for CNR controller not ready bit in xhci resume
xhci: Increase STS_SAVE timeout in xhci_suspend()
USB: adutux: remove redundant variable minor
USB: adutux: fix use-after-free on disconnect
USB: adutux: fix NULL-derefs on disconnect
USB: adutux: fix use-after-free on release
USB: iowarrior: fix use-after-free on disconnect
USB: iowarrior: fix use-after-free on release
USB: iowarrior: fix use-after-free after driver unbind
USB: usblp: fix runtime PM after driver unbind
USB: chaoskey: fix use-after-free on release
USB: ldusb: fix NULL-derefs on driver unbind
serial: uartlite: fix exit path null pointer
USB: serial: keyspan: fix NULL-derefs on open() and write()
USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
USB: serial: option: add Telit FN980 compositions
USB: serial: option: add support for Cinterion CLS8 devices
USB: serial: fix runtime PM after driver unbind
USB: usblcd: fix I/O after disconnect
USB: microtek: fix info-leak at probe
USB: dummy-hcd: fix power budget for SuperSpeed mode
usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}()
usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior
USB: legousbtower: fix slab info leak at probe
USB: legousbtower: fix deadlock on disconnect
USB: legousbtower: fix potential NULL-deref on disconnect
USB: legousbtower: fix open after failed reset request
USB: legousbtower: fix use-after-free on release
staging: vt6655: Fix memory leak in vt6655_probe
iio: adc: ad799x: fix probe error handling
iio: light: opt3001: fix mutex unlock race
perf llvm: Don't access out-of-scope array
CIFS: Gracefully handle QueryInfo errors during open
CIFS: Force reval dentry if LOOKUP_REVAL flag is set
kernel/sysctl.c: do not override max_threads provided by userspace
arm64: capabilities: Handle sign of the feature bit
arm64: Rename cpuid_feature field extract routines
Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc
cifs: Check uniqueid for SMB2+ and return -ESTALE if necessary
CIFS: Force revalidate inode when dentry is stale
media: stkwebcam: fix runtime PM after driver unbind
tracing: Get trace_array reference for available_tracers files
x86/asm: Fix MWAITX C-state hint value
xfs: clear sb->s_fs_info on mount failure
Linux 4.4.197
Change-Id: I0879b08629040431c71dae0d8b5474863d5e0391
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Michal Hocko
|
db02f78d96 |
kernel/sysctl.c: do not override max_threads provided by userspace
commit b0f53dbc4bc4c371f38b14c391095a3bb8a0bb40 upstream. Partially revert |
||
|
Nathan Chancellor
|
78d711b973 |
Merge branch 'android-msm-wahoo-4.4' into android-msm-wahoo-4.4-q-preview
* android-msm-wahoo-4.4:
Linux 4.4.189
x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
x86/entry/64: Use JMP instead of JMPQ
x86/speculation: Enable Spectre v1 swapgs mitigations
x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
x86/entry/64: Fix context tracking state warning when load_gs_index fails
x86: cpufeatures: Sort feature word 7
spi: bcm2835: Fix 3-wire mode if DMA is enabled
block: blk_init_allocated_queue() set q->fq as NULL in the fail case
compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
bnx2x: Disable multi-cos feature.
net/mlx5: Use reversed order when unregister devices
net: sched: Fix a possible null-pointer dereference in dequeue_func()
tipc: compat: allow tipc commands without arguments
net: fix ifindex collision during namespace removal
net: bridge: delete local fdb on device init failure
atm: iphase: Fix Spectre v1 vulnerability
tcp: be more careful in tcp_fragment()
HID: Add quirk for HP X1200 PIXART OEM mouse
netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG}
arm64: cpufeature: Fix CTR_EL0 field definitions
Linux 4.4.188
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
s390/dasd: fix endless loop after read unit address configuration
selinux: fix memory leak in policydb_init()
x86/kvm: Don't call kvm_spurious_fault() from .fixup
ipc/mqueue.c: only perform resource calculation if user valid
uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers
coda: fix build using bare-metal toolchain
coda: add error handling for fget
mm/cma.c: fail if fixed declaration can't be honored
x86: math-emu: Hide clang warnings for 16-bit overflow
x86/apic: Silence -Wtype-limits compiler warnings
be2net: Signal that the device cannot transmit during reconfiguration
ACPI: fix false-positive -Wuninitialized warning
scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
ceph: fix improper use of smp_mb__before_atomic()
btrfs: fix minimum number of chunk errors for DUP
fs/adfs: super: fix use-after-free bug
dmaengine: rcar-dmac: Reject zero-length slave DMA requests
MIPS: lantiq: Fix bitfield masking
kernel/module.c: Only return -EEXIST for modules that have finished loading
ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
ARM: riscpc: fix DMA
Linux 4.4.187
ceph: hold i_ceph_lock when removing caps for freeing inode
drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
sched/fair: Don't free p->numa_faults with concurrent readers
Bluetooth: hci_uart: check for missing tty operations
media: radio-raremono: change devm_k*alloc to k*alloc
media: cpia2_usb: first wake up, then free in disconnect
ISDN: hfcsusb: checking idx of ep configuration
tcp: reset sk_send_head in tcp_write_queue_purge
ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
mm, vmstat: make quiet_vmstat lighter
vmstat: Remove BUG_ON from vmstat_update
access: avoid the RCU grace period for the temporary subjective credentials
powerpc/tm: Fix oops on sigreturn on systems without TM
ALSA: hda - Add a conexant codec entry to let mute led work
ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
hpet: Fix division by zero in hpet_time_div()
x86/speculation/mds: Apply more accurate check on hypervisor platform
x86/sysfb_efi: Add quirks for some devices with swapped width and height
usb: pci-quirks: Correct AMD PLL quirk detection
usb: wusbcore: fix unbalanced get/put cluster_id
locking/lockdep: Hide unused 'class' variable
locking/lockdep: Fix lock used or unused stats error
mm/mmu_notifier: use hlist_add_head_rcu()
9p: pass the correct prototype to read_cache_page
mm/kmemleak.c: fix check for softirq context
sh: prevent warnings when using iounmap
powerpc/eeh: Handle hugepages in ioremap space
mailbox: handle failed named mailbox channel request
f2fs: avoid out-of-range memory access
perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
kallsyms: exclude kasan local symbols on s390
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
powerpc/4xx/uic: clear pending interrupt after irq type/pol change
um: Silence lockdep complaint about mmap_sem
mfd: arizona: Fix undefined behavior
mfd: core: Set fwnode for created devices
recordmcount: Fix spurious mcount entries on powerpc
iio: iio-utils: Fix possible incorrect mask calculation
PCI: sysfs: Ignore lockdep for remove attribute
powerpc/pci/of: Fix OF flags parsing for 64bit BARs
usb: gadget: Zero ffs_io_data
phy: renesas: rcar-gen2: Fix memory leak at error paths
drm/virtio: Add memory barriers for capset cache.
tty: serial: msm_serial: avoid system lockup condition
tty/serial: digicolor: Fix digicolor-usart already registered warning
memstick: Fix error cleanup path of memstick_init
tty: serial: cpm_uart - fix init when SMC is relocated
pinctrl: rockchip: fix leaked of_node references
tty: max310x: Fix invalid baudrate divisors calculator
usb: core: hub: Disable hub-initiated U1/U2
drm/panel: simple: Fix panel_simple_dsi_probe
nfsd: Fix overflow causing non-working mounts on 1 TB machines
nfsd: fix performance-limiting session calculation
nfsd: give out fewer session slots as limit approaches
nfsd: increase DRC cache limit
NFSv4: Fix open create exclusive when the server reboots
elevator: fix truncation of icq_cache_name
net: bridge: stp: don't cache eth dest pointer before skb pull
net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
bonding: validate ip header before check IPPROTO_IGMP
tcp: Reset bytes_acked and bytes_received when disconnecting
netrom: hold sock when setting skb->destructor
netrom: fix a memory leak in nr_rx_frame()
sky2: Disable MSI on ASUS P6T
nfc: fix potential illegal memory access
net: neigh: fix multiple neigh timer scheduling
net: bcmgenet: use promisc for unsupported filters
ipv4: don't set IPv6 only flags to IPv4 addresses
caif-hsi: fix possible deadlock in cfhsi_exit_module()
bnx2x: Prevent load reordering in tx completion processing
dm bufio: fix deadlock with loop device
usb: Handle USB3 remote wakeup for LPM enabled devices correctly
Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
intel_th: msu: Fix single mode with disabled IOMMU
eCryptfs: fix a couple type promotion bugs
powerpc/watchpoint: Restore NV GPRs while returning from exception
powerpc/32s: fix suspend/resume when IBATs 4-7 are used
parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
coda: pass the host file in vma->vm_file on mmap
floppy: fix out-of-bounds read in copy_buffer
floppy: fix invalid pointer dereference in drive_name
floppy: fix out-of-bounds read in next_valid_format
floppy: fix div-by-zero in setup_format_params
take floppy compat ioctls to sodding floppy.c
PCI: Do not poll for PME if the device is in D3cold
9p/virtio: Add cleanup path in p9_virtio_init
padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
drm/nouveau/i2c: Enable i2c pads & busses during preinit
KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
media: coda: Remove unbalanced and unneeded mutex unlock
media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
ALSA: seq: Break too long mutex context in the write loop
lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
NFSv4: Handle the special Linux file open access mode
tracing/snapshot: Resize spare buffer if size changed
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
Input: gtco - bounds check collection indent level
crypto: arm64/sha2-ce - correct digest for empty data in finup
crypto: arm64/sha1-ce - correct digest for empty data in finup
crypto: ghash - fix unaligned memory access in ghash_setkey()
Bluetooth: validate BLE connection interval updates
Bluetooth: Check state in l2cap_disconnect_rsp
Bluetooth: 6lowpan: search for destination address in all peers
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
ixgbe: Check DDM existence in transceiver before access
rslib: Fix handling of of caller provided syndrome
rslib: Fix decoding of shortened codes
ath10k: fix PCIE device wake up failed
mt7601u: fix possible memory leak when the device is disconnected
x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
mt7601u: do not schedule rx_tasklet when the device has been disconnected
media: coda: increment sequence offset for the last returned frame
media: coda: fix mpeg2 sequence number handling
acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
timer_list: Guard procfs specific code
ntp: Limit TAI-UTC offset
media: i2c: fix warning same module names
EDAC/sysfs: Fix memory leak when creating a csrow object
vhost_net: disable zerocopy by default
perf evsel: Make perf_evsel__name() accept a NULL argument
xfrm: fix sa selector validation
rcu: Force inlining of rcu_read_lock()
bpf: silence warning messages in core
regmap: fix bulk writes on paged registers
gpio: omap: ensure irq is enabled before wakeup
gpio: omap: fix lack of irqstatus_raw0 for OMAP4
perf test 6: Fix missing kvm module load for s390
s390/qdio: handle PENDING state for QEBSM devices
net: axienet: Fix race condition causing TX hang
net: fec: Do not use netdev messages too early
cpupower : frequency-set -r option misses the last cpu in related cpu list
media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
locking/lockdep: Fix merging of hlocks with non-zero references
tua6100: Avoid build warnings.
net: phy: Check against net_device being NULL
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
xfrm: Fix xfrm sel prefix length validation
af_key: fix leaks in key_pol_get_resp and dump_sp.
signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
net: stmmac: dwmac1000: Clear unused address entries
media: vpss: fix a potential NULL pointer dereference
media: marvell-ccic: fix DMA s/g desc number calculation
crypto: talitos - fix skcipher failure due to wrong output IV
media: dvb: usb: fix use after free in dvb_usb_device_exit
batman-adv: fix for leaked TVLV handler.
ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
ath6kl: add some bounds checking
ath9k: Check for errors when reading SREV register
ath10k: Do not send probe response template for mesh
dmaengine: imx-sdma: fix use-after-free on probe error path
MIPS: fix build on non-linux hosts
MIPS: ath79: fix ar933x uart parity mode
Linux 4.4.186
KVM: x86: protect KVM_CREATE_PIT/KVM_CREATE_PIT2 with kvm->lock
s390/qdio: don't touch the dsci in tiqdio_add_input_queues()
s390/qdio: (re-)initialize tiqdio list entries
s390: fix stfle zero padding
ARC: hide unused function unw_hdr_alloc
kvm: x86: avoid warning on repeated KVM_SET_TSS_ADDR
dm verity: use message limit for data block corruption message
sis900: fix TX completion
ppp: mppe: Add softdep to arc4
be2net: fix link failure after ethtool offline test
ARM: omap2: remove incorrect __init annotation
perf/core: Fix perf_sample_regs_user() mm check
e1000e: start network tx queue only when link is up
MIPS: Remove superfluous check for __linux__
VMCI: Fix integer overflow in VMCI handle arrays
carl9170: fix misuse of device driver API
staging: comedi: amplc_pci230: fix null pointer deref on interrupt
staging: comedi: dt282x: fix a null pointer deref on interrupt
usb: renesas_usbhs: add a workaround for a race condition of workqueue
usb: gadget: ether: Fix race between gether_disconnect and rx_submit
USB: serial: option: add support for GosunCn ME3630 RNDIS mode
USB: serial: ftdi_sio: add ID for isodebug v1
mwifiex: Don't abort on small, spec-compliant vendor IEs
fscrypt: don't set policy for a dead directory
mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
mwifiex: Abort at too short BSS descriptor element
x86/tls: Fix possible spectre-v1 in do_get_thread_area()
x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
bnx2x: Check if transceiver implements DDM before access
md: fix for divide error in status_resync
ARM: davinci: da8xx: specify dma_coherent_mask for lcdc
ARM: davinci: da850-evm: call regulator_has_full_constraints()
Input: imx_keypad - make sure keyboard can always wake up system
can: mcp251x: add support for mcp25625
dt-bindings: can: mcp251x: add mcp25625 support
mwifiex: Fix possible buffer overflows at parsing bss descriptor
mac80211: mesh: fix RCU warning
samples, bpf: fix to change the buffer size for read()
Input: elantech - enable middle button support on 2 ThinkPads
icnss: Add check on msa region
qseecom: set rcv_req_flag to 0 when listener is just registered
qseecom: do not wake up listener to receive request if it is not ready
qseecom: check if listener is not ready to receive request
qseecom: set listener id before sending registration scm_call
qseecom: processing invalid listener request
qseecom: change check_blocked flag to an u32 value
qseecom: check if app is blocked when unloading app
qseecom: abort all listener threads before listener unregistration
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
|
||
|
Nathan Chancellor
|
3c9303b5f9 |
Merge 4.4.187 into android-msm-wahoo-4.4
Changes in 4.4.187: (157 commits)
MIPS: ath79: fix ar933x uart parity mode
MIPS: fix build on non-linux hosts
dmaengine: imx-sdma: fix use-after-free on probe error path
ath10k: Do not send probe response template for mesh
ath9k: Check for errors when reading SREV register
ath6kl: add some bounds checking
ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
batman-adv: fix for leaked TVLV handler.
media: dvb: usb: fix use after free in dvb_usb_device_exit
crypto: talitos - fix skcipher failure due to wrong output IV
media: marvell-ccic: fix DMA s/g desc number calculation
media: vpss: fix a potential NULL pointer dereference
net: stmmac: dwmac1000: Clear unused address entries
signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
af_key: fix leaks in key_pol_get_resp and dump_sp.
xfrm: Fix xfrm sel prefix length validation
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
net: phy: Check against net_device being NULL
tua6100: Avoid build warnings.
locking/lockdep: Fix merging of hlocks with non-zero references
media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
cpupower : frequency-set -r option misses the last cpu in related cpu list
net: fec: Do not use netdev messages too early
net: axienet: Fix race condition causing TX hang
s390/qdio: handle PENDING state for QEBSM devices
perf test 6: Fix missing kvm module load for s390
gpio: omap: fix lack of irqstatus_raw0 for OMAP4
gpio: omap: ensure irq is enabled before wakeup
regmap: fix bulk writes on paged registers
bpf: silence warning messages in core
rcu: Force inlining of rcu_read_lock()
xfrm: fix sa selector validation
perf evsel: Make perf_evsel__name() accept a NULL argument
vhost_net: disable zerocopy by default
EDAC/sysfs: Fix memory leak when creating a csrow object
media: i2c: fix warning same module names
ntp: Limit TAI-UTC offset
timer_list: Guard procfs specific code
acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
media: coda: fix mpeg2 sequence number handling
media: coda: increment sequence offset for the last returned frame
mt7601u: do not schedule rx_tasklet when the device has been disconnected
x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
mt7601u: fix possible memory leak when the device is disconnected
ath10k: fix PCIE device wake up failed
rslib: Fix decoding of shortened codes
rslib: Fix handling of of caller provided syndrome
ixgbe: Check DDM existence in transceiver before access
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
Bluetooth: 6lowpan: search for destination address in all peers
Bluetooth: Check state in l2cap_disconnect_rsp
Bluetooth: validate BLE connection interval updates
crypto: ghash - fix unaligned memory access in ghash_setkey()
crypto: arm64/sha1-ce - correct digest for empty data in finup
crypto: arm64/sha2-ce - correct digest for empty data in finup
Input: gtco - bounds check collection indent level
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
tracing/snapshot: Resize spare buffer if size changed
NFSv4: Handle the special Linux file open access mode
lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
ALSA: seq: Break too long mutex context in the write loop
media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
media: coda: Remove unbalanced and unneeded mutex unlock
KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
drm/nouveau/i2c: Enable i2c pads & busses during preinit
padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
9p/virtio: Add cleanup path in p9_virtio_init
PCI: Do not poll for PME if the device is in D3cold
take floppy compat ioctls to sodding floppy.c
floppy: fix div-by-zero in setup_format_params
floppy: fix out-of-bounds read in next_valid_format
floppy: fix invalid pointer dereference in drive_name
floppy: fix out-of-bounds read in copy_buffer
coda: pass the host file in vma->vm_file on mmap
gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
powerpc/32s: fix suspend/resume when IBATs 4-7 are used
powerpc/watchpoint: Restore NV GPRs while returning from exception
eCryptfs: fix a couple type promotion bugs
intel_th: msu: Fix single mode with disabled IOMMU
Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
usb: Handle USB3 remote wakeup for LPM enabled devices correctly
dm bufio: fix deadlock with loop device
bnx2x: Prevent load reordering in tx completion processing
caif-hsi: fix possible deadlock in cfhsi_exit_module()
ipv4: don't set IPv6 only flags to IPv4 addresses
net: bcmgenet: use promisc for unsupported filters
net: neigh: fix multiple neigh timer scheduling
nfc: fix potential illegal memory access
sky2: Disable MSI on ASUS P6T
netrom: fix a memory leak in nr_rx_frame()
netrom: hold sock when setting skb->destructor
tcp: Reset bytes_acked and bytes_received when disconnecting
bonding: validate ip header before check IPPROTO_IGMP
net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
net: bridge: stp: don't cache eth dest pointer before skb pull
elevator: fix truncation of icq_cache_name
NFSv4: Fix open create exclusive when the server reboots
nfsd: increase DRC cache limit
nfsd: give out fewer session slots as limit approaches
nfsd: fix performance-limiting session calculation
nfsd: Fix overflow causing non-working mounts on 1 TB machines
drm/panel: simple: Fix panel_simple_dsi_probe
usb: core: hub: Disable hub-initiated U1/U2
tty: max310x: Fix invalid baudrate divisors calculator
pinctrl: rockchip: fix leaked of_node references
tty: serial: cpm_uart - fix init when SMC is relocated
memstick: Fix error cleanup path of memstick_init
tty/serial: digicolor: Fix digicolor-usart already registered warning
tty: serial: msm_serial: avoid system lockup condition
drm/virtio: Add memory barriers for capset cache.
phy: renesas: rcar-gen2: Fix memory leak at error paths
usb: gadget: Zero ffs_io_data
powerpc/pci/of: Fix OF flags parsing for 64bit BARs
PCI: sysfs: Ignore lockdep for remove attribute
iio: iio-utils: Fix possible incorrect mask calculation
recordmcount: Fix spurious mcount entries on powerpc
mfd: core: Set fwnode for created devices
mfd: arizona: Fix undefined behavior
um: Silence lockdep complaint about mmap_sem
powerpc/4xx/uic: clear pending interrupt after irq type/pol change
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
kallsyms: exclude kasan local symbols on s390
perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
f2fs: avoid out-of-range memory access
mailbox: handle failed named mailbox channel request
powerpc/eeh: Handle hugepages in ioremap space
sh: prevent warnings when using iounmap
mm/kmemleak.c: fix check for softirq context
9p: pass the correct prototype to read_cache_page
mm/mmu_notifier: use hlist_add_head_rcu()
locking/lockdep: Fix lock used or unused stats error
locking/lockdep: Hide unused 'class' variable
usb: wusbcore: fix unbalanced get/put cluster_id
usb: pci-quirks: Correct AMD PLL quirk detection
x86/sysfb_efi: Add quirks for some devices with swapped width and height
x86/speculation/mds: Apply more accurate check on hypervisor platform
hpet: Fix division by zero in hpet_time_div()
ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
ALSA: hda - Add a conexant codec entry to let mute led work
powerpc/tm: Fix oops on sigreturn on systems without TM
access: avoid the RCU grace period for the temporary subjective credentials
vmstat: Remove BUG_ON from vmstat_update
mm, vmstat: make quiet_vmstat lighter
ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
tcp: reset sk_send_head in tcp_write_queue_purge
ISDN: hfcsusb: checking idx of ep configuration
media: cpia2_usb: first wake up, then free in disconnect
media: radio-raremono: change devm_k*alloc to k*alloc
Bluetooth: hci_uart: check for missing tty operations
sched/fair: Don't free p->numa_faults with concurrent readers
drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
ceph: hold i_ceph_lock when removing caps for freeing inode
Linux 4.4.187
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
fs/ecryptfs/crypto.c
mm/vmstat.c
|
||
|
Greg Kroah-Hartman
|
ebf4d7ea8d |
Merge 4.4.187 into android-4.4-p
Changes in 4.4.187 MIPS: ath79: fix ar933x uart parity mode MIPS: fix build on non-linux hosts dmaengine: imx-sdma: fix use-after-free on probe error path ath10k: Do not send probe response template for mesh ath9k: Check for errors when reading SREV register ath6kl: add some bounds checking ath: DFS JP domain W56 fixed pulse type 3 RADAR detection batman-adv: fix for leaked TVLV handler. media: dvb: usb: fix use after free in dvb_usb_device_exit crypto: talitos - fix skcipher failure due to wrong output IV media: marvell-ccic: fix DMA s/g desc number calculation media: vpss: fix a potential NULL pointer dereference net: stmmac: dwmac1000: Clear unused address entries signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig af_key: fix leaks in key_pol_get_resp and dump_sp. xfrm: Fix xfrm sel prefix length validation media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails. net: phy: Check against net_device being NULL tua6100: Avoid build warnings. locking/lockdep: Fix merging of hlocks with non-zero references media: wl128x: Fix some error handling in fm_v4l2_init_video_device() cpupower : frequency-set -r option misses the last cpu in related cpu list net: fec: Do not use netdev messages too early net: axienet: Fix race condition causing TX hang s390/qdio: handle PENDING state for QEBSM devices perf test 6: Fix missing kvm module load for s390 gpio: omap: fix lack of irqstatus_raw0 for OMAP4 gpio: omap: ensure irq is enabled before wakeup regmap: fix bulk writes on paged registers bpf: silence warning messages in core rcu: Force inlining of rcu_read_lock() xfrm: fix sa selector validation perf evsel: Make perf_evsel__name() accept a NULL argument vhost_net: disable zerocopy by default EDAC/sysfs: Fix memory leak when creating a csrow object media: i2c: fix warning same module names ntp: Limit TAI-UTC offset timer_list: Guard procfs specific code acpi/arm64: ignore 5.1 FADTs that are reported as 5.0 media: coda: fix mpeg2 sequence number handling media: coda: increment sequence offset for the last returned frame mt7601u: do not schedule rx_tasklet when the device has been disconnected x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c mt7601u: fix possible memory leak when the device is disconnected ath10k: fix PCIE device wake up failed rslib: Fix decoding of shortened codes rslib: Fix handling of of caller provided syndrome ixgbe: Check DDM existence in transceiver before access EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush() Bluetooth: hci_bcsp: Fix memory leak in rx_skb Bluetooth: 6lowpan: search for destination address in all peers Bluetooth: Check state in l2cap_disconnect_rsp Bluetooth: validate BLE connection interval updates crypto: ghash - fix unaligned memory access in ghash_setkey() crypto: arm64/sha1-ce - correct digest for empty data in finup crypto: arm64/sha2-ce - correct digest for empty data in finup Input: gtco - bounds check collection indent level regulator: s2mps11: Fix buck7 and buck8 wrong voltages tracing/snapshot: Resize spare buffer if size changed NFSv4: Handle the special Linux file open access mode lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE ALSA: seq: Break too long mutex context in the write loop media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom() media: coda: Remove unbalanced and unneeded mutex unlock KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed drm/nouveau/i2c: Enable i2c pads & busses during preinit padata: use smp_mb in padata_reorder to avoid orphaned padata jobs 9p/virtio: Add cleanup path in p9_virtio_init PCI: Do not poll for PME if the device is in D3cold take floppy compat ioctls to sodding floppy.c floppy: fix div-by-zero in setup_format_params floppy: fix out-of-bounds read in next_valid_format floppy: fix invalid pointer dereference in drive_name floppy: fix out-of-bounds read in copy_buffer coda: pass the host file in vma->vm_file on mmap gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1 powerpc/32s: fix suspend/resume when IBATs 4-7 are used powerpc/watchpoint: Restore NV GPRs while returning from exception eCryptfs: fix a couple type promotion bugs intel_th: msu: Fix single mode with disabled IOMMU Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug usb: Handle USB3 remote wakeup for LPM enabled devices correctly dm bufio: fix deadlock with loop device bnx2x: Prevent load reordering in tx completion processing caif-hsi: fix possible deadlock in cfhsi_exit_module() ipv4: don't set IPv6 only flags to IPv4 addresses net: bcmgenet: use promisc for unsupported filters net: neigh: fix multiple neigh timer scheduling nfc: fix potential illegal memory access sky2: Disable MSI on ASUS P6T netrom: fix a memory leak in nr_rx_frame() netrom: hold sock when setting skb->destructor tcp: Reset bytes_acked and bytes_received when disconnecting bonding: validate ip header before check IPPROTO_IGMP net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query net: bridge: stp: don't cache eth dest pointer before skb pull elevator: fix truncation of icq_cache_name NFSv4: Fix open create exclusive when the server reboots nfsd: increase DRC cache limit nfsd: give out fewer session slots as limit approaches nfsd: fix performance-limiting session calculation nfsd: Fix overflow causing non-working mounts on 1 TB machines drm/panel: simple: Fix panel_simple_dsi_probe usb: core: hub: Disable hub-initiated U1/U2 tty: max310x: Fix invalid baudrate divisors calculator pinctrl: rockchip: fix leaked of_node references tty: serial: cpm_uart - fix init when SMC is relocated memstick: Fix error cleanup path of memstick_init tty/serial: digicolor: Fix digicolor-usart already registered warning tty: serial: msm_serial: avoid system lockup condition drm/virtio: Add memory barriers for capset cache. phy: renesas: rcar-gen2: Fix memory leak at error paths usb: gadget: Zero ffs_io_data powerpc/pci/of: Fix OF flags parsing for 64bit BARs PCI: sysfs: Ignore lockdep for remove attribute iio: iio-utils: Fix possible incorrect mask calculation recordmcount: Fix spurious mcount entries on powerpc mfd: core: Set fwnode for created devices mfd: arizona: Fix undefined behavior um: Silence lockdep complaint about mmap_sem powerpc/4xx/uic: clear pending interrupt after irq type/pol change serial: sh-sci: Fix TX DMA buffer flushing and workqueue races kallsyms: exclude kasan local symbols on s390 perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning f2fs: avoid out-of-range memory access mailbox: handle failed named mailbox channel request powerpc/eeh: Handle hugepages in ioremap space sh: prevent warnings when using iounmap mm/kmemleak.c: fix check for softirq context 9p: pass the correct prototype to read_cache_page mm/mmu_notifier: use hlist_add_head_rcu() locking/lockdep: Fix lock used or unused stats error locking/lockdep: Hide unused 'class' variable usb: wusbcore: fix unbalanced get/put cluster_id usb: pci-quirks: Correct AMD PLL quirk detection x86/sysfb_efi: Add quirks for some devices with swapped width and height x86/speculation/mds: Apply more accurate check on hypervisor platform hpet: Fix division by zero in hpet_time_div() ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1 ALSA: hda - Add a conexant codec entry to let mute led work powerpc/tm: Fix oops on sigreturn on systems without TM access: avoid the RCU grace period for the temporary subjective credentials vmstat: Remove BUG_ON from vmstat_update mm, vmstat: make quiet_vmstat lighter ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt tcp: reset sk_send_head in tcp_write_queue_purge ISDN: hfcsusb: checking idx of ep configuration media: cpia2_usb: first wake up, then free in disconnect media: radio-raremono: change devm_k*alloc to k*alloc Bluetooth: hci_uart: check for missing tty operations sched/fair: Don't free p->numa_faults with concurrent readers drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl ceph: hold i_ceph_lock when removing caps for freeing inode Linux 4.4.187 Change-Id: I6086b23376cdf9f6a905f727fb07175a7ebdd356 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Jann Horn
|
da358f365d |
sched/fair: Don't free p->numa_faults with concurrent readers
commit 16d51a590a8ce3befb1308e0e7ab77f3b661af33 upstream.
When going through execve(), zero out the NUMA fault statistics instead of
freeing them.
During execve, the task is reachable through procfs and the scheduler. A
concurrent /proc/*/sched reader can read data from a freed ->numa_faults
allocation (confirmed by KASAN) and write it back to userspace.
I believe that it would also be possible for a use-after-free read to occur
through a race between a NUMA fault and execve(): task_numa_fault() can
lead to task_numa_compare(), which invokes task_weight() on the currently
running task of a different CPU.
Another way to fix this would be to make ->numa_faults RCU-managed or add
extra locking, but it seems easier to wipe the NUMA fault statistics on
execve.
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will@kernel.org>
Fixes:
|
||
|
Nathan Chancellor
|
40d54d0977 |
Merge tag 'android-9.0.0_r0.75' into android-msm-wahoo-4.4
Android 9.0.0 Release 0.75 (PQ3A.190505.001,taimen/walleye) * tag 'android-9.0.0_r0.75': UPSTREAM: seccomp: Fix tracer exit notifications during fatal signals UPSTREAM: arm64/ptrace: run seccomp after ptrace UPSTREAM: arm/ptrace: run seccomp after ptrace BACKPORT: x86/ptrace: run seccomp after ptrace UPSTREAM: seccomp: recheck the syscall after RET_TRACE UPSTREAM: seccomp: remove 2-phase API BACKPORT: x86/entry: Get rid of two-phase syscall entry work BACKPORT: seccomp: Add a seccomp_data parameter secure_computing() BACKPORT: x86/entry/64: Always run ptregs-using syscalls on the slow path UPSTREAM: x86/syscalls: Add syscall entry qualifiers UPSTREAM: x86/syscalls: Move compat syscall entry handling into syscalltbl.sh UPSTREAM: x86/syscalls: Remove __SYSCALL_COMMON and __SYSCALL_X32 UPSTREAM: x86/syscalls: Refactor syscalltbl.sh msm:ipa:Prevent rt rule deletion if rt rule id is invalid qcacld-3.0: Check for minimum frame_len for action frames qcacld-3.0: Fix possible OOB access in lim_process_auth_frame qcacld-3.0: Fix OOB read in lim_process_deauth_frame USB: rndis: Honor dl_max_packet_size value sent by host Revert "LLVMLINUX: kbuild, LLVMLinux: Add better clang cross build support" ANDROID: fix up hwmon Makefile typo msm-ion build fixes/hacks for 4.4.156 Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Conflicts: Makefile arch/x86/include/asm/uaccess_32.h drivers/gpu/msm/kgsl.c drivers/hwmon/Makefile drivers/misc/mnh/mnh-pcie.c drivers/staging/android/ion/msm/msm_ion.c fs/proc/task_mmu.c kernel/fork.c scripts/Kbuild.include |
||
|
Petri Gynther
|
9ec0674bcc |
Merge 4.4.170 into android-msm-wahoo-4.4-lts
Linux 4.4.170
power: supply: olpc_battery: correct the temperature units
intel_th: msu: Fix an off-by-one in attribute store
genwqe: Fix size check
ceph: don't update importing cap's mseq when handing cap export
iommu/vt-d: Handle domain agaw being less than iommu agaw
9p/net: put a lower bound on msize
b43: Fix error in cordic routine
gfs2: Fix loop in gfs2_rbm_find
dlm: memory leaks on error path in dlm_user_request()
dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
dlm: possible memory leak on error path in create_lkb()
dlm: fixed memory leaks after failed ls_remove_names allocation
* ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
sound/usb/quirks-table.h
* ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
sound/usb/mixer.c
ALSA: cs46xx: Potential NULL dereference in probe
crypto: x86/chacha20 - avoid sleeping with preemption disabled
sunrpc: use SVC_NET() in svcauth_gss_* functions
sunrpc: fix cache_head leak due to queued request
* mm, devm_memremap_pages: kill mapping "System RAM" support
kernel/memremap.c
* mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL
kernel/memremap.c
hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined
* fork: record start_time late
kernel/fork.c
scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown
Input: omap-keypad - fix idle configuration to not block SoC idle states
scsi: bnx2fc: Fix NULL dereference in error handling
* xfrm: Fix bucket count reported to userspace
net/xfrm/xfrm_state.c
checkstack.pl: fix for aarch64
* Input: restore EV_ABS ABS_RESERVED
include/uapi/linux/input-event-codes.h
ARM: imx: update the cpu power up timing setting on i.mx6sx
powerpc: Fix COFF zImage booting on old powermacs
spi: bcm2835: Unbreak the build of esoteric configs
x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested
CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem
MIPS: Align kernel load address to 64KB
MIPS: Ensure pmd_present() returns false after pmd_mknotpresent()
media: vivid: free bitmap_cap when updating std/timings/etc.
cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader.
spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode
spi: bcm2835: Fix book-keeping of DMA termination
spi: bcm2835: Fix race on DMA termination
* ext4: force inode writes when nfsd calls commit_metadata()
fs/ext4/super.c
include/trace/events/ext4.h
* ext4: fix EXT4_IOC_GROUP_ADD ioctl
fs/ext4/resize.c
* ext4: missing unlock/put_page() in ext4_try_to_write_inline_data()
fs/ext4/inline.c
* ext4: fix possible use after free in ext4_quota_enable
fs/ext4/super.c
perf pmu: Suppress potential format-truncation warning
KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup
Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G
usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
USB: serial: option: add Fibocom NL678 series
USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
ALSA: hda/tegra: clear pending irq handlers
ALSA: hda: add mute LED support for HP EliteBook 840 G4
ALSA: emux: Fix potential Spectre v1 vulnerabilities
* ALSA: pcm: Fix potential Spectre v1 vulnerability
sound/core/pcm.c
ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
ALSA: rme9652: Fix potential Spectre v1 vulnerability
* sock: Make sock->sk_stamp thread-safe
include/net/sock.h
net/compat.c
net/core/sock.c
* gro_cell: add napi_disable in gro_cells_destroy
include/net/gro_cells.h
xen/netfront: tolerate frags with no data
VSOCK: Send reset control packet when socket is partially bound
vhost: make sure used idx is seen before log in vhost_add_used_n()
sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
* packet: validate address length if non-zero
net/packet/af_packet.c
* packet: validate address length
net/packet/af_packet.c
netrom: fix locking in nr_find_socket()
isdn: fix kernel-infoleak in capi_unlocked_ioctl
* ipv6: explicitly initialize udp6_addr in udp_sock_create6()
net/ipv6/ip6_udp_tunnel.c
ieee802154: lowpan_header_create check must check daddr
ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
ax25: fix a use-after-free in ax25_fillin_cb()
ipv4: Fix potential Spectre v1 vulnerability
ip6mr: Fix potential Spectre v1 vulnerability
drm/ioctl: Fix Spectre v1 vulnerabilities
x86/mtrr: Don't copy uninitialized gentry fields back to userspace
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
mmc: omap_hsmmc: fix DMA API warning
mmc: core: Reset HPI enabled state during re-init and in case of errors
USB: serial: option: add Telit LN940 series
USB: serial: option: add Fibocom NL668 series
USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
USB: serial: option: add HP lt4132
USB: serial: option: add GosunCn ZTE WeLink ME3630
* xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
drivers/usb/host/xhci-hub.c
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
Change-Id: I4190e297d08136163b6ea825adaaa7e5ed63d31b
Signed-off-by: Petri Gynther <pgynther@google.com>
|
||
|
Nathan Chancellor
|
a1dbed8f62 |
Merge 4.4.170 into android-msm-wahoo-4.4
Changes in 4.4.170: (86 commits)
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
USB: serial: option: add GosunCn ZTE WeLink ME3630
USB: serial: option: add HP lt4132
USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
USB: serial: option: add Fibocom NL668 series
USB: serial: option: add Telit LN940 series
mmc: core: Reset HPI enabled state during re-init and in case of errors
mmc: omap_hsmmc: fix DMA API warning
gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
x86/mtrr: Don't copy uninitialized gentry fields back to userspace
drm/ioctl: Fix Spectre v1 vulnerabilities
ip6mr: Fix potential Spectre v1 vulnerability
ipv4: Fix potential Spectre v1 vulnerability
ax25: fix a use-after-free in ax25_fillin_cb()
ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
ieee802154: lowpan_header_create check must check daddr
ipv6: explicitly initialize udp6_addr in udp_sock_create6()
isdn: fix kernel-infoleak in capi_unlocked_ioctl
netrom: fix locking in nr_find_socket()
packet: validate address length
packet: validate address length if non-zero
sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
vhost: make sure used idx is seen before log in vhost_add_used_n()
VSOCK: Send reset control packet when socket is partially bound
xen/netfront: tolerate frags with no data
gro_cell: add napi_disable in gro_cells_destroy
sock: Make sock->sk_stamp thread-safe
ALSA: rme9652: Fix potential Spectre v1 vulnerability
ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
ALSA: pcm: Fix potential Spectre v1 vulnerability
ALSA: emux: Fix potential Spectre v1 vulnerabilities
ALSA: hda: add mute LED support for HP EliteBook 840 G4
ALSA: hda/tegra: clear pending irq handlers
USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
USB: serial: option: add Fibocom NL678 series
usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G
KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup
perf pmu: Suppress potential format-truncation warning
ext4: fix possible use after free in ext4_quota_enable
ext4: missing unlock/put_page() in ext4_try_to_write_inline_data()
ext4: fix EXT4_IOC_GROUP_ADD ioctl
ext4: force inode writes when nfsd calls commit_metadata()
spi: bcm2835: Fix race on DMA termination
spi: bcm2835: Fix book-keeping of DMA termination
spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode
cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader.
media: vivid: free bitmap_cap when updating std/timings/etc.
MIPS: Ensure pmd_present() returns false after pmd_mknotpresent()
MIPS: Align kernel load address to 64KB
CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem
x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested
spi: bcm2835: Unbreak the build of esoteric configs
powerpc: Fix COFF zImage booting on old powermacs
ARM: imx: update the cpu power up timing setting on i.mx6sx
Input: restore EV_ABS ABS_RESERVED
checkstack.pl: fix for aarch64
xfrm: Fix bucket count reported to userspace
scsi: bnx2fc: Fix NULL dereference in error handling
Input: omap-keypad - fix idle configuration to not block SoC idle states
scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown
fork: record start_time late
hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined
mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL
mm, devm_memremap_pages: kill mapping "System RAM" support
sunrpc: fix cache_head leak due to queued request
sunrpc: use SVC_NET() in svcauth_gss_* functions
crypto: x86/chacha20 - avoid sleeping with preemption disabled
ALSA: cs46xx: Potential NULL dereference in probe
ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
dlm: fixed memory leaks after failed ls_remove_names allocation
dlm: possible memory leak on error path in create_lkb()
dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
dlm: memory leaks on error path in dlm_user_request()
gfs2: Fix loop in gfs2_rbm_find
b43: Fix error in cordic routine
9p/net: put a lower bound on msize
iommu/vt-d: Handle domain agaw being less than iommu agaw
ceph: don't update importing cap's mseq when handing cap export
genwqe: Fix size check
intel_th: msu: Fix an off-by-one in attribute store
power: supply: olpc_battery: correct the temperature units
Linux 4.4.170
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
mm/memory_hotplug.c
|
||
|
Greg Kroah-Hartman
|
79e1682f69 |
Merge 4.4.170 into android-4.4-p
Changes in 4.4.170 USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only USB: serial: option: add GosunCn ZTE WeLink ME3630 USB: serial: option: add HP lt4132 USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) USB: serial: option: add Fibocom NL668 series USB: serial: option: add Telit LN940 series mmc: core: Reset HPI enabled state during re-init and in case of errors mmc: omap_hsmmc: fix DMA API warning gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels x86/mtrr: Don't copy uninitialized gentry fields back to userspace drm/ioctl: Fix Spectre v1 vulnerabilities ip6mr: Fix potential Spectre v1 vulnerability ipv4: Fix potential Spectre v1 vulnerability ax25: fix a use-after-free in ax25_fillin_cb() ibmveth: fix DMA unmap error in ibmveth_xmit_start error path ieee802154: lowpan_header_create check must check daddr ipv6: explicitly initialize udp6_addr in udp_sock_create6() isdn: fix kernel-infoleak in capi_unlocked_ioctl netrom: fix locking in nr_find_socket() packet: validate address length packet: validate address length if non-zero sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event vhost: make sure used idx is seen before log in vhost_add_used_n() VSOCK: Send reset control packet when socket is partially bound xen/netfront: tolerate frags with no data gro_cell: add napi_disable in gro_cells_destroy sock: Make sock->sk_stamp thread-safe ALSA: rme9652: Fix potential Spectre v1 vulnerability ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities ALSA: pcm: Fix potential Spectre v1 vulnerability ALSA: emux: Fix potential Spectre v1 vulnerabilities ALSA: hda: add mute LED support for HP EliteBook 840 G4 ALSA: hda/tegra: clear pending irq handlers USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays USB: serial: option: add Fibocom NL678 series usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup perf pmu: Suppress potential format-truncation warning ext4: fix possible use after free in ext4_quota_enable ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() ext4: fix EXT4_IOC_GROUP_ADD ioctl ext4: force inode writes when nfsd calls commit_metadata() spi: bcm2835: Fix race on DMA termination spi: bcm2835: Fix book-keeping of DMA termination spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. media: vivid: free bitmap_cap when updating std/timings/etc. MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() MIPS: Align kernel load address to 64KB CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested spi: bcm2835: Unbreak the build of esoteric configs powerpc: Fix COFF zImage booting on old powermacs ARM: imx: update the cpu power up timing setting on i.mx6sx Input: restore EV_ABS ABS_RESERVED checkstack.pl: fix for aarch64 xfrm: Fix bucket count reported to userspace scsi: bnx2fc: Fix NULL dereference in error handling Input: omap-keypad - fix idle configuration to not block SoC idle states scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown fork: record start_time late hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL mm, devm_memremap_pages: kill mapping "System RAM" support sunrpc: fix cache_head leak due to queued request sunrpc: use SVC_NET() in svcauth_gss_* functions crypto: x86/chacha20 - avoid sleeping with preemption disabled ALSA: cs46xx: Potential NULL dereference in probe ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks dlm: fixed memory leaks after failed ls_remove_names allocation dlm: possible memory leak on error path in create_lkb() dlm: lost put_lkb on error path in receive_convert() and receive_unlock() dlm: memory leaks on error path in dlm_user_request() gfs2: Fix loop in gfs2_rbm_find b43: Fix error in cordic routine 9p/net: put a lower bound on msize iommu/vt-d: Handle domain agaw being less than iommu agaw ceph: don't update importing cap's mseq when handing cap export genwqe: Fix size check intel_th: msu: Fix an off-by-one in attribute store power: supply: olpc_battery: correct the temperature units Linux 4.4.170 Change-Id: I33c9750483716a6c44b40fbea8e729f96af41f52 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
David Herrmann
|
d447cf0cee |
fork: record start_time late
commit 7b55851367136b1efd84d98fea81ba57a98304cf upstream. This changes the fork(2) syscall to record the process start_time after initializing the basic task structure but still before making the new process visible to user-space. Technically, we could record the start_time anytime during fork(2). But this might lead to scenarios where a start_time is recorded long before a process becomes visible to user-space. For instance, with userfaultfd(2) and TLS, user-space can delay the execution of fork(2) for an indefinite amount of time (and will, if this causes network access, or similar). By recording the start_time late, it much closer reflects the point in time where the process becomes live and can be observed by other processes. Lastly, this makes it much harder for user-space to predict and control the start_time they get assigned. Previously, user-space could fork a process and stall it in copy_thread_tls() before its pid is allocated, but after its start_time is recorded. This can be misused to later-on cycle through PIDs and resume the stalled fork(2) yielding a process that has the same pid and start_time as a process that existed before. This can be used to circumvent security systems that identify processes by their pid+start_time combination. Even though user-space was always aware that start_time recording is flaky (but several projects are known to still rely on start_time-based identification), changing the start_time to be recorded late will help mitigate existing attacks and make it much harder for user-space to control the start_time a process gets assigned. Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Tom Gundersen <teg@jklm.no> Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Petri Gynther
|
27ed357f87 |
LTS: Merge 4.4.169 into android-msm-wahoo-4.4-pi-qpr3
Update Wahoo PI-QPR3 kernel to 4.4.169 LTS kernel. Bug: 115649143 Test: Manual testing Change-Id: I1d233ff287ded94ceefcc68ddbfc23387389c498 Signed-off-by: Petri Gynther <pgynther@google.com> |
||
|
Petri Gynther
|
0cb9d8c914 |
LTS: Merge 4.4.167 into android-msm-wahoo-4.4
Update Wahoo master kernel to 4.4.167 LTS kernel. Bug: 115649143 Test: Manual testing Change-Id: I6a01ce66e9d38869a579aeb816401c5bef170cce Signed-off-by: Petri Gynther <pgynther@google.com> |
||
|
Greg Kroah-Hartman
|
4de21d48fc |
Merge 4.4.157 into android-msm-wahoo-4.4-lts
Linux 4.4.157
* mm: get rid of vmacache_flush_all() entirely
include/linux/mm_types.h
include/linux/sched.h
include/linux/vm_event_item.h
include/linux/vmacache.h
mm/debug.c
mm/vmacache.c
x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
autofs: fix autofs_sbi() does not check super block type
mtd: ubi: wl: Fix error return code in ubi_wl_init()
crypto: vmx - Fix sleep-in-atomic bugs
ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle
net: ethernet: ti: cpsw: fix mdio device reference leak
drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config
* netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
net/netfilter/x_tables.c
vmw_balloon: include asm/io.h
* xhci: Fix use-after-free in xhci_free_virt_device
drivers/usb/host/xhci.c
RDMA/cma: Do not ignore net namespace for unbound cm_id
MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
* f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
fs/f2fs/super.c
mfd: ti_am335x_tscadc: Fix struct clk memory leak
iommu/ipmmu-vmsa: Fix allocation in atomic context
partitions/aix: fix usage of uninitialized lv_info and lvname structures
partitions/aix: append null character to print data from disk
Input: atmel_mxt_ts - only use first T9 instance
net: dcb: For wild-card lookups, use priority -1, not 0
MIPS: Octeon: add missing of_node_put()
net: mvneta: fix mtu change on port without link
gpio: ml-ioh: Fix buffer underwrite on probe error path
x86/mm: Remove in_nmi() warning from vmalloc_fault()
* Bluetooth: hidp: Fix handling of strncpy for hid->name information
net/bluetooth/hidp/core.c
ath10k: disable bundle mgmt tx completion event support
scsi: 3ware: fix return 0 on the error path of probe
ata: libahci: Correct setting of DEVSLP register
MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
ath10k: prevent active scans on potential unusable channels
macintosh/via-pmu: Add missing mmio accessors
NFSv4.0 fix client reference leak in callback
perf tools: Allow overriding MAX_NR_CPUS at compile time
f2fs: do not set free of current section
tty: rocket: Fix possible buffer overwrite on register_PCI
* uio: potential double frees if __uio_register_device() fails
drivers/uio/uio.c
misc: ti-st: Fix memory leak in the error path of probe()
md/raid5: fix data corruption of replacements after originals dropped
* scsi: target: fix __transport_register_session locking
drivers/target/target_core_transport.c
gpio: tegra: Move driver registration to subsys_init level
* Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
drivers/bluetooth/Kconfig
* ethtool: Remove trailing semicolon for static inline
include/uapi/linux/ethtool.h
misc: mic: SCIF Fix scif_get_new_port() error handling
ARC: [plat-axs*]: Enable SWAP
* locking/osq_lock: Fix osq_lock queue corruption
kernel/locking/osq_lock.c
* selinux: use GFP_NOWAIT in the AVC kmem_caches
security/selinux/avc.c
* locking/rwsem-xadd: Fix missed wakeup due to reordering of load
kernel/locking/rwsem-xadd.c
* block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg
block/cfq-iosched.c
staging/rts5208: Fix read overflow in memcpy
staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
kthread: fix boot hang (regression) on MIPS/OpenRISC
* kthread: Fix use-after-free if kthread fork fails
kernel/fork.c
* cfq: Give a chance for arming slice idle timer in case of group_idle
block/cfq-iosched.c
* ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
sound/pci/hda/hda_codec.c
i2c: i801: fix DNV's SMBCTRL register offset
i2c: xiic: Make the start and the byte count write atomic
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Minchan Kim
|
9c4b5888b8 |
mm: introduce per-process mm event tracking feature
Linux supports /proc/meminfo and /proc/vmstat stats as memory health metric.
Android uses them too. If user see something goes wrong(e.g., sluggish, jank)
on their system, they can capture and report system state to developers
for debugging.
It shows memory stat at the moment the bug is captured. However, it’s
not enough to investigate application's jank problem caused by memory
shortage. Because
1. It just shows event count which doesn’t quantify the latency of the
application well. Jank could happen by various reasons and one of simple
scenario is frame drop for a second. App should draw the frame every 16ms
interval. Just number of stats(e.g., allocstall or pgmajfault) couldn't
represnt how many of time the app spends for handling the event.
2. At bugreport, dump with vmstat and meminfo is never helpful because it's
too late to capture the moment when the problem happens.
When the user catch up the problem and try to capture the system state,
the problem has already gone.
3. Although we could capture MM stat at the moment bug happens, it couldn't
be helpful because MM stats are usually very flucuate so we need historical
data rather than one-time snapshot to see MM trend.
To solve above problems, this patch introduces per-process, light-weight,
mm event stat. Basically, it tracks minor/major faults, reclaim and compaction
latency of each process as well as event count and record the data into global
buffer.
To compromise memory overhead, it doesn't record every MM event of the process
to the buffer but just drain accumuated stats every 0.5sec interval to buffer.
If there isn't any event, it just skips the recording.
For latency data, it keeps average/max latency of each event in that period
With that, we could keep useful information with small buffer so that
we couldn't miss precious information any longer although the capture time
is rather late. This patch introduces basic facility of MM event stat.
After all patches in this patchset are applied, outout format is as follows,
dumpstate can use it for VM debugging in future.
<...>-1665 [001] d... 217.575173: mm_event_record: min_flt count=203 avg_lat=3 max_lat=58
<...>-1665 [001] d... 217.575183: mm_event_record: maj_flt count=1 avg_lat=1994 max_lat=1994
<...>-1665 [001] d... 217.575184: mm_event_record: kern_alloc count=227 avg_lat=0 max_lat=0
<...>-626 [000] d... 217.578096: mm_event_record: kern_alloc count=4 avg_lat=0 max_lat=0
<...>-6547 [000] .... 217.581913: mm_event_record: min_flt count=7 avg_lat=7 max_lat=20
<...>-6547 [000] .... 217.581955: mm_event_record: kern_alloc count=4 avg_lat=0 max_lat=0
This feature uses event trace for output buffer so that we could use all of
general benefit of event trace(e.g., buffer size management, filtering and
so on). To prevent overflow of the ring buffer by other random event race,
highly suggest that create separate instance of tracing
on /sys/kernel/debug/tracing/instances/
I had a concern of adding overhead. Actually, major|compaction/reclaim
are already heavy cost so it should be not a concern. Rather than,
minor fault and kern alloc would be severe so I tested a micro benchmark
to measure minor page fault overhead.
Test scenario is create 40 threads and each of them does minor
page fault for 25M range(ranges are not overwrapped).
I didn't see any noticible regression.
Base:
fault/wsec avg: 758489.8288
minor faults=13123118, major faults=0 ctx switch=139234
User System Wall fault/wsec
39.55s 41.73s 17.49s 749995.768
minor faults=13123135, major faults=0 ctx switch=139627
User System Wall fault/wsec
34.59s 41.61s 16.95s 773906.976
minor faults=13123061, major faults=0 ctx switch=139254
User System Wall fault/wsec
39.03s 41.55s 16.97s 772966.334
minor faults=13123131, major faults=0 ctx switch=139970
User System Wall fault/wsec
36.71s 42.12s 17.04s 769941.019
minor faults=13123027, major faults=0 ctx switch=138524
User System Wall fault/wsec
42.08s 42.24s 18.08s 725639.047
Base + MM event + event trace enable:
fault/wsec avg: 759626.1488
minor faults=13123488, major faults=0 ctx switch=140303
User System Wall fault/wsec
37.66s 42.21s 17.48s 750414.257
minor faults=13123066, major faults=0 ctx switch=138119
User System Wall fault/wsec
36.77s 42.14s 17.49s 750010.107
minor faults=13123505, major faults=0 ctx switch=140021
User System Wall fault/wsec
38.51s 42.50s 17.54s 748022.219
minor faults=13123431, major faults=0 ctx switch=138517
User System Wall fault/wsec
36.74s 41.49s 17.03s 770255.610
minor faults=13122955, major faults=0 ctx switch=137174
User System Wall fault/wsec
40.68s 40.97s 16.83s 779428.551
Bug: 116825025
Change-Id: I4e69c994f47402766481c58ab5ec2071180964b8
Signed-off-by: Minchan Kim <minchan@google.com>
|
||
|
Nathan Chancellor
|
b36fd78ef8 |
Merge tag 'android-9.0.0_r0.22' into android-msm-wahoo-4.4
Android 9.0.0 Release 0.22 * tag 'android-9.0.0_r0.22': ANDROID: sdcardfs: Don't use OVERRIDE_CRED macro ANDROID: sdcardfs: Change current->fs under lock cpufreq_stats: Reset cpufreq_task_stats right after dup_task_struct tracing: do not leak kernel addresses msm: ADSPRPC: Use msm_ion_do_cache_op to flush userspace buffers Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Conflicts: kernel/fork.c |
||
|
Greg Kroah-Hartman
|
444a0d3df9 |
Merge 4.4.156 into android-msm-wahoo-4.4-lts
Linux 4.4.156
btrfs: use correct compare function of dirty_metadata_bytes
ASoC: wm8994: Fix missing break in switch
s390/lib: use expoline for all bcr instructions
mei: me: allow runtime pm for platform with D0i3
sch_tbf: fix two null pointer dereferences on init failure
sch_netem: avoid null pointer deref on init failure
* sch_hhf: fix null pointer dereference on init failure
net/sched/sch_hhf.c
* sch_multiq: fix double free on init failure
net/sched/sch_multiq.c
* sch_htb: fix crash on init failure
net/sched/sch_htb.c
* ovl: proper cleanup of workdir
fs/overlayfs/readdir.c
* ovl: override creds with the ones from the superblock mounter
fs/overlayfs/readdir.c
* ovl: rename is_merge to is_lowest
fs/overlayfs/readdir.c
* irqchip/gic: Make interrupt ID 1020 invalid
drivers/irqchip/irq-gic.c
irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar()
* irqchip/gicv3-its: Avoid cache flush beyond ITS_BASERn memory size
drivers/irqchip/irq-gic-v3-its.c
* irqchip/gicv3-its: Fix memory leak in its_free_tables()
drivers/irqchip/irq-gic-v3-its.c
* irqchip/gic-v3-its: Recompute the number of pages on page size change
drivers/irqchip/irq-gic-v3-its.c
* genirq: Delay incrementing interrupt count if it's disabled/pending
kernel/irq/chip.c
* Fixes: Commit
|
||
|
Greg Kroah-Hartman
|
a29988a1dc |
Merge 4.4.157 into android-4.4-p
Changes in 4.4.157
i2c: xiic: Make the start and the byte count write atomic
i2c: i801: fix DNV's SMBCTRL register offset
ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
cfq: Give a chance for arming slice idle timer in case of group_idle
kthread: Fix use-after-free if kthread fork fails
kthread: fix boot hang (regression) on MIPS/OpenRISC
staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
staging/rts5208: Fix read overflow in memcpy
block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg
locking/rwsem-xadd: Fix missed wakeup due to reordering of load
selinux: use GFP_NOWAIT in the AVC kmem_caches
locking/osq_lock: Fix osq_lock queue corruption
ARC: [plat-axs*]: Enable SWAP
misc: mic: SCIF Fix scif_get_new_port() error handling
ethtool: Remove trailing semicolon for static inline
Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
gpio: tegra: Move driver registration to subsys_init level
scsi: target: fix __transport_register_session locking
md/raid5: fix data corruption of replacements after originals dropped
misc: ti-st: Fix memory leak in the error path of probe()
uio: potential double frees if __uio_register_device() fails
tty: rocket: Fix possible buffer overwrite on register_PCI
f2fs: do not set free of current section
perf tools: Allow overriding MAX_NR_CPUS at compile time
NFSv4.0 fix client reference leak in callback
macintosh/via-pmu: Add missing mmio accessors
ath10k: prevent active scans on potential unusable channels
MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
ata: libahci: Correct setting of DEVSLP register
scsi: 3ware: fix return 0 on the error path of probe
ath10k: disable bundle mgmt tx completion event support
Bluetooth: hidp: Fix handling of strncpy for hid->name information
x86/mm: Remove in_nmi() warning from vmalloc_fault()
gpio: ml-ioh: Fix buffer underwrite on probe error path
net: mvneta: fix mtu change on port without link
MIPS: Octeon: add missing of_node_put()
net: dcb: For wild-card lookups, use priority -1, not 0
Input: atmel_mxt_ts - only use first T9 instance
partitions/aix: append null character to print data from disk
partitions/aix: fix usage of uninitialized lv_info and lvname structures
iommu/ipmmu-vmsa: Fix allocation in atomic context
mfd: ti_am335x_tscadc: Fix struct clk memory leak
f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
RDMA/cma: Do not ignore net namespace for unbound cm_id
xhci: Fix use-after-free in xhci_free_virt_device
vmw_balloon: include asm/io.h
netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config
net: ethernet: ti: cpsw: fix mdio device reference leak
ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle
crypto: vmx - Fix sleep-in-atomic bugs
mtd: ubi: wl: Fix error return code in ubi_wl_init()
autofs: fix autofs_sbi() does not check super block type
x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
mm: get rid of vmacache_flush_all() entirely
Linux 4.4.157
Change-Id: I08e4c24c1a22ef0e97f9185bc9da72f4a651ca73
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Nathan Chancellor
|
e875b3455a |
Merge 4.4.157 into android-msm-wahoo-4.4
Changes in 4.4.157: (57 commits)
i2c: xiic: Make the start and the byte count write atomic
i2c: i801: fix DNV's SMBCTRL register offset
ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
cfq: Give a chance for arming slice idle timer in case of group_idle
kthread: Fix use-after-free if kthread fork fails
kthread: fix boot hang (regression) on MIPS/OpenRISC
staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
staging/rts5208: Fix read overflow in memcpy
block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg
locking/rwsem-xadd: Fix missed wakeup due to reordering of load
selinux: use GFP_NOWAIT in the AVC kmem_caches
locking/osq_lock: Fix osq_lock queue corruption
ARC: [plat-axs*]: Enable SWAP
misc: mic: SCIF Fix scif_get_new_port() error handling
ethtool: Remove trailing semicolon for static inline
Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
gpio: tegra: Move driver registration to subsys_init level
scsi: target: fix __transport_register_session locking
md/raid5: fix data corruption of replacements after originals dropped
misc: ti-st: Fix memory leak in the error path of probe()
uio: potential double frees if __uio_register_device() fails
tty: rocket: Fix possible buffer overwrite on register_PCI
f2fs: do not set free of current section
perf tools: Allow overriding MAX_NR_CPUS at compile time
NFSv4.0 fix client reference leak in callback
macintosh/via-pmu: Add missing mmio accessors
ath10k: prevent active scans on potential unusable channels
MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
ata: libahci: Correct setting of DEVSLP register
scsi: 3ware: fix return 0 on the error path of probe
ath10k: disable bundle mgmt tx completion event support
Bluetooth: hidp: Fix handling of strncpy for hid->name information
x86/mm: Remove in_nmi() warning from vmalloc_fault()
gpio: ml-ioh: Fix buffer underwrite on probe error path
net: mvneta: fix mtu change on port without link
MIPS: Octeon: add missing of_node_put()
net: dcb: For wild-card lookups, use priority -1, not 0
Input: atmel_mxt_ts - only use first T9 instance
partitions/aix: append null character to print data from disk
partitions/aix: fix usage of uninitialized lv_info and lvname structures
iommu/ipmmu-vmsa: Fix allocation in atomic context
mfd: ti_am335x_tscadc: Fix struct clk memory leak
f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
RDMA/cma: Do not ignore net namespace for unbound cm_id
xhci: Fix use-after-free in xhci_free_virt_device
vmw_balloon: include asm/io.h
netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config
net: ethernet: ti: cpsw: fix mdio device reference leak
ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle
crypto: vmx - Fix sleep-in-atomic bugs
mtd: ubi: wl: Fix error return code in ubi_wl_init()
autofs: fix autofs_sbi() does not check super block type
x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
mm: get rid of vmacache_flush_all() entirely
Linux 4.4.157
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
|
||
|
Vegard Nossum
|
798ef283a8 |
kthread: Fix use-after-free if kthread fork fails
commit 4d6501dce079c1eb6bf0b1d8f528a5e81770109e upstream.
If a kthread forks (e.g. usermodehelper since commit 1da5c46fa965) but
fails in copy_process() between calling dup_task_struct() and setting
p->set_child_tid, then the value of p->set_child_tid will be inherited
from the parent and get prematurely freed by free_kthread_struct().
kthread()
- worker_thread()
- process_one_work()
| - call_usermodehelper_exec_work()
| - kernel_thread()
| - _do_fork()
| - copy_process()
| - dup_task_struct()
| - arch_dup_task_struct()
| - tsk->set_child_tid = current->set_child_tid // implied
| - ...
| - goto bad_fork_*
| - ...
| - free_task(tsk)
| - free_kthread_struct(tsk)
| - kfree(tsk->set_child_tid)
- ...
- schedule()
- __schedule()
- wq_worker_sleeping()
- kthread_data(task)->flags // UAF
The problem started showing up with commit 1da5c46fa965 since it reused
->set_child_tid for the kthread worker data.
A better long-term solution might be to get rid of the ->set_child_tid
abuse. The comment in set_kthread_struct() also looks slightly wrong.
Debugged-by: Jamie Iles <jamie.iles@oracle.com>
Fixes: 1da5c46fa965 ("kthread: Make struct kthread kmalloc'ed")
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jamie Iles <jamie.iles@oracle.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20170509073959.17858-1-vegard.nossum@oracle.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
a015b93192 |
Merge 4.4.156 into android-4.4-p
Changes in 4.4.156
x86/speculation/l1tf: Fix up pte->pfn conversion for PAE
staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
net: bcmgenet: use MAC link status for fixed phy
qlge: Fix netdev features configuration.
tcp: do not restart timewait timer on rst reception
vti6: remove !skb->ignore_df check from vti6_xmit()
cifs: check if SMB2 PDU size has been padded and suppress the warning
hfsplus: don't return 0 when fill_super() failed
hfs: prevent crash on exit from failed search
fork: don't copy inconsistent signal handler state to child
reiserfs: change j_timestamp type to time64_t
hfsplus: fix NULL dereference in hfsplus_lookup()
fat: validate ->i_start before using
scripts: modpost: check memory allocation results
mm/fadvise.c: fix signed overflow UBSAN complaint
fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
mfd: sm501: Set coherent_dma_mask when creating subdevices
platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
net/9p: fix error path of p9_virtio_probe
powerpc: Fix size calculation using resource_size()
s390/dasd: fix hanging offline processing due to canceled worker
scsi: aic94xx: fix an error code in aic94xx_init()
PCI: mvebu: Fix I/O space end address calculation
dm kcopyd: avoid softlockup in run_complete_job
staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
selftests/powerpc: Kill child processes on SIGINT
smb3: fix reset of bytes read and written stats
SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
btrfs: replace: Reset on-disk dev stats value after replace
btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
btrfs: Don't remove block group that still has pinned down bytes
debugobjects: Make stack check warning more informative
x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
kbuild: make missing $DEPMOD a Warning instead of an Error
irda: Fix memory leak caused by repeated binds of irda socket
irda: Only insert new objects into the global database via setsockopt
Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
enic: do not call enic_change_mtu in enic_probe
Fixes: Commit
|
||
|
Nathan Chancellor
|
f7862b044c |
Merge 4.4.156 into android-msm-wahoo-4.4
Changes in 4.4.156: (61 commits)
x86/speculation/l1tf: Fix up pte->pfn conversion for PAE
staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
net: bcmgenet: use MAC link status for fixed phy
qlge: Fix netdev features configuration.
tcp: do not restart timewait timer on rst reception
vti6: remove !skb->ignore_df check from vti6_xmit()
cifs: check if SMB2 PDU size has been padded and suppress the warning
hfsplus: don't return 0 when fill_super() failed
hfs: prevent crash on exit from failed search
fork: don't copy inconsistent signal handler state to child
reiserfs: change j_timestamp type to time64_t
hfsplus: fix NULL dereference in hfsplus_lookup()
fat: validate ->i_start before using
scripts: modpost: check memory allocation results
mm/fadvise.c: fix signed overflow UBSAN complaint
fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
mfd: sm501: Set coherent_dma_mask when creating subdevices
platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
net/9p: fix error path of p9_virtio_probe
powerpc: Fix size calculation using resource_size()
s390/dasd: fix hanging offline processing due to canceled worker
scsi: aic94xx: fix an error code in aic94xx_init()
PCI: mvebu: Fix I/O space end address calculation
dm kcopyd: avoid softlockup in run_complete_job
staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
selftests/powerpc: Kill child processes on SIGINT
smb3: fix reset of bytes read and written stats
SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
btrfs: replace: Reset on-disk dev stats value after replace
btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
btrfs: Don't remove block group that still has pinned down bytes
debugobjects: Make stack check warning more informative
x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
kbuild: make missing $DEPMOD a Warning instead of an Error
irda: Fix memory leak caused by repeated binds of irda socket
irda: Only insert new objects into the global database via setsockopt
Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
enic: do not call enic_change_mtu in enic_probe
Fixes: Commit
|
||
|
Jann Horn
|
b7befd11e0 |
fork: don't copy inconsistent signal handler state to child
[ Upstream commit 06e62a46bbba20aa5286102016a04214bb446141 ] Before this change, if a multithreaded process forks while one of its threads is changing a signal handler using sigaction(), the memcpy() in copy_sighand() can race with the struct assignment in do_sigaction(). It isn't clear whether this can cause corruption of the userspace signal handler pointer, but it definitely can cause inconsistency between different fields of struct sigaction. Take the appropriate spinlock to avoid this. I have tested that this patch prevents inconsistency between sa_sigaction and sa_flags, which is possible before this patch. Link: http://lkml.kernel.org/r/20180702145108.73189-1-jannh@google.com Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Michal Hocko <mhocko@suse.com> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Cc: Rik van Riel <riel@redhat.com> Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org> Cc: Kees Cook <keescook@chromium.org> Cc: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Woody Lin
|
fdd792bd06 |
cpufreq_stats: Reset cpufreq_task_stats right after dup_task_struct
The `time_in_state' on current task (caller of fork) might be freed
because of error handler `bad_fork_free' of copy_process:
p = dup_task_struct(current, node);
...
... /* Field `time_in_state' on newly created `p' was cloned from
* `current' */
...
if /* some error condition */
goto bad_fork_free; ------> (0)
...
retval = sched_fork(clone_flags, p);
/* `time_in_state' is only reset by sched_fork ->
* __sched_fork -> cpufreq_task_stats_init, but which is not
* reached in this scenario. */
...
bad_fork_free: <------------------ (0)
free_task(p);
--> cpufreq_task_stats_free(tsk); /* p == tsk */
--> kfree(tsk->time_in_state); /* `time_in_state' of `current' is freed unexpectedly */
Later, when current task ifself exits or next failure of copy_process
happens, the `time_in_state' is freed again. Thus "KASAN: double-free or
invalid-free" is detected.
==================================================================
BUG: KASAN: double-free or invalid-free in (null)
CPU: 4 PID: 16252 Comm: syz-executor Tainted: G C 4.4.116-gcff1ae5d4f72 #1
Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
Call trace:
[<>] dump_backtrace+0x0/0x34c
[<>] show_stack+0x1c/0x24
[<>] dump_stack+0xb8/0xe8
[<>] print_address_description+0x94/0x334
[<>] kasan_report_double_free+0x74/0x8c
[<>] kasan_slab_free+0x164/0x1c0
[<>] kfree+0x8c/0x2b4
[<>] process_notifier+0xb8/0xe4
[<>] blocking_notifier_call_chain+0x9c/0xf4
[<>] profile_task_exit+0x2c/0x34
[<>] do_exit+0x3c/0x110c
[<>] do_group_exit+0x7c/0x128
[<>] get_signal+0x374/0x904
[<>] do_signal+0x230/0x1408
[<>] do_notify_resume+0x84/0x88
[<>] work_pending+0x10/0x14
Allocated by task 16248:
[<>] save_stack_trace_tsk+0x0/0x204
[<>] save_stack_trace+0x20/0x28
[<>] kasan_kmalloc.part.5+0x50/0x124
[<>] kasan_kmalloc+0xc4/0xe4
[<>] __kmalloc+0x138/0x29c
[<>] cpufreq_task_stats_alloc+0x70/0x140
[<>] sched_fork+0x1b4/0x4e8
[<>] copy_process.isra.66+0x7a4/0x276c
[<>] _do_fork+0x98/0x5c8
[<>] SyS_clone+0x40/0x4c
[<>] el0_svc_naked+0x24/0x28
Freed by task 16252:
[<>] save_stack_trace_tsk+0x0/0x204
[<>] save_stack_trace+0x20/0x28
[<>] kasan_slab_free+0xb0/0x1c0
[<>] kfree+0x8c/0x2b4
[<>] cpufreq_task_stats_free+0x24/0x50
[<>] free_task+0x28/0x18c
[<>] copy_process.isra.66+0x800/0x276c
[<>] _do_fork+0x98/0x5c8
[<>] SyS_clone+0x40/0x4c
[<>] el0_svc_naked+0x24/0x28
To fix this issue, add a `cpufreq_task_stats_init' before `goto
bad_fork_free' to make sure that all cpufreq stats relative structure
members are initialized before any chance the fields is being freed.
Verify: Not reproducible w/ original fuzz testing.
Bug: 111081202
Change-Id: I585dc28417fee740301e3ae1c1c974e84fdb19fe
Signed-off-by: Woody Lin <woodylin@google.com>
|
||
|
Woody Lin
|
9fdce3a6ec |
cpufreq_stats: Reset cpufreq_task_stats right after dup_task_struct
The `time_in_state' on current task (caller of fork) might be freed
because of error handler `bad_fork_free' of copy_process:
p = dup_task_struct(current, node);
...
... /* Field `time_in_state' on newly created `p' was cloned from
* `current' */
...
if /* some error condition */
goto bad_fork_free; ------> (0)
...
retval = sched_fork(clone_flags, p);
/* `time_in_state' is only reset by sched_fork ->
* __sched_fork -> cpufreq_task_stats_init, but which is not
* reached in this scenario. */
...
bad_fork_free: <------------------ (0)
free_task(p);
--> cpufreq_task_stats_free(tsk); /* p == tsk */
--> kfree(tsk->time_in_state); /* `time_in_state' of `current' is freed unexpectedly */
Later, when current task ifself exits or next failure of copy_process
happens, the `time_in_state' is freed again. Thus "KASAN: double-free or
invalid-free" is detected.
==================================================================
BUG: KASAN: double-free or invalid-free in (null)
CPU: 4 PID: 16252 Comm: syz-executor Tainted: G C 4.4.116-gcff1ae5d4f72 #1
Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
Call trace:
[<>] dump_backtrace+0x0/0x34c
[<>] show_stack+0x1c/0x24
[<>] dump_stack+0xb8/0xe8
[<>] print_address_description+0x94/0x334
[<>] kasan_report_double_free+0x74/0x8c
[<>] kasan_slab_free+0x164/0x1c0
[<>] kfree+0x8c/0x2b4
[<>] process_notifier+0xb8/0xe4
[<>] blocking_notifier_call_chain+0x9c/0xf4
[<>] profile_task_exit+0x2c/0x34
[<>] do_exit+0x3c/0x110c
[<>] do_group_exit+0x7c/0x128
[<>] get_signal+0x374/0x904
[<>] do_signal+0x230/0x1408
[<>] do_notify_resume+0x84/0x88
[<>] work_pending+0x10/0x14
Allocated by task 16248:
[<>] save_stack_trace_tsk+0x0/0x204
[<>] save_stack_trace+0x20/0x28
[<>] kasan_kmalloc.part.5+0x50/0x124
[<>] kasan_kmalloc+0xc4/0xe4
[<>] __kmalloc+0x138/0x29c
[<>] cpufreq_task_stats_alloc+0x70/0x140
[<>] sched_fork+0x1b4/0x4e8
[<>] copy_process.isra.66+0x7a4/0x276c
[<>] _do_fork+0x98/0x5c8
[<>] SyS_clone+0x40/0x4c
[<>] el0_svc_naked+0x24/0x28
Freed by task 16252:
[<>] save_stack_trace_tsk+0x0/0x204
[<>] save_stack_trace+0x20/0x28
[<>] kasan_slab_free+0xb0/0x1c0
[<>] kfree+0x8c/0x2b4
[<>] cpufreq_task_stats_free+0x24/0x50
[<>] free_task+0x28/0x18c
[<>] copy_process.isra.66+0x800/0x276c
[<>] _do_fork+0x98/0x5c8
[<>] SyS_clone+0x40/0x4c
[<>] el0_svc_naked+0x24/0x28
To fix this issue, add a `cpufreq_task_stats_init' before `goto
bad_fork_free' to make sure that all cpufreq stats relative structure
members are initialized before any chance the fields is being freed.
Verify: Not reproducible w/ original fuzz testing.
Bug: 111081202
Change-Id: I585dc28417fee740301e3ae1c1c974e84fdb19fe
Signed-off-by: Woody Lin <woodylin@google.com>
|
||
|
Sultan Alsawaf
|
1b37d68f4c |
ANDROID: Fix massive cpufreq_times memory leaks
Every time _cpu_up() is called for a CPU, idle_thread_get() is called which then re-initializes a CPU's idle thread that was already previously created and cached in a global variable in smpboot.c. idle_thread_get() calls init_idle() which then calls __sched_fork(). __sched_fork() is where cpufreq_task_times_init() is, and cpufreq_task_times_init() allocates memory for the task struct's time_in_state array. Since idle_thread_get() reuses a task struct instance that was already previously created, this means that every time it calls init_idle(), cpufreq_task_times_init() allocates this array again and overwrites the existing allocation that the idle thread already had. This causes memory to be leaked every time a CPU is onlined. In order to fix this, move allocation of time_in_state into _do_fork to avoid allocating it at all for idle threads. The cpufreq times interface is intended to be used for tracking userspace tasks, so we can safely remove it from the kernel's idle threads without killing any functionality. But that's not all! Task structs can be freed outside of release_task(), which creates another memory leak because a task struct can be freed without having its cpufreq times allocation freed. To fix this, free the cpufreq times allocation at the same time that task struct allocations are freed, in free_task(). Since free_task() can also be called in error paths of copy_process() after dup_task_struct(), set time_in_state to NULL immediately after calling dup_task_struct() to avoid possible double free. Bug description and fix adapted from patch submitted by Sultan Alsawaf <sultanxda@gmail.com> at https://android-review.googlesource.com/c/kernel/msm/+/700134 Bug: 110044919 Test: Hikey960 builds, boots & reports /proc/<pid>/time_in_state correctly Change-Id: I12fe7611fc88eb7f6c39f8f7629ad27b6ec4722c Signed-off-by: Connor O'Brien <connoro@google.com> |
||
|
Wei Wang
|
990b5d6095 |
kernel: initialize and free cpufreq stats properly
Initialize task's cpufreq to NULL including for idle Make sure free task's cpufreq when free task struct Bug: 110044919 Change-Id: Ie4629d0ebe3ef4b72dffea3ee613b15f40a57142 Signed-off-by: Wei Wang <wvw@google.com> |
||
|
Thierry Strudel
|
5308266998 |
Merge 4.4.116 into android-msm-wahoo-4.4
Linux 4.4.116
ftrace: Remove incorrect setting of glob search field
mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy
ovl: fix failure to fsync lower dir
ACPI: sbshc: remove raw pointer from printk() message
nvme: Fix managing degraded controllers
btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker
pktcdvd: Fix pkt_setup_dev() error path
EDAC, octeon: Fix an uninitialized variable warning
xtensa: fix futex_atomic_cmpxchg_inatomic
alpha: fix reboot on Avanti platform
alpha: fix crash if pthread_create races with signal delivery
signal/sh: Ensure si_signo is initialized in do_divide_error
signal/openrisc: Fix do_unaligned_access to send the proper signal
Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version
Revert "Bluetooth: btusb: fix QCA Rome suspend/resume"
Bluetooth: btsdio: Do not bind to non-removable BCM43341
* HID: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working
* kernel/async.c: revert "async: simplify lowest_in_progress()"
media: cxusb, dib0700: ignore XC2028_I2C_FLUSH
media: ts2020: avoid integer overflows on 32 bit machines
watchdog: imx2_wdt: restore previous timeout after suspend+resume
KVM: nVMX: Fix races when sending nested PI while dest enters/leaves L2
arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
crypto: caam - fix endless loop when DECO acquire fails
* media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic
* media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors
* media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
* media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
* media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha
* media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs
* media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer
* media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
* media: v4l2-compat-ioctl32.c: avoid sizeof(type)
* media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32
* media: v4l2-compat-ioctl32.c: fix the indentation
* media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
* vb2: V4L2_BUF_FLAG_DONE is set after DQBUF
* media: v4l2-ioctl.c: don't copy back the result for -ENOTTY
* nsfs: mark dentry with DCACHE_RCUACCESS
crypto: poly1305 - remove ->setkey() method
* crypto: cryptd - pass through absence of ->setkey()
* crypto: hash - introduce crypto_hash_alg_has_setkey()
ahci: Add Intel Cannon Lake PCH-H PCI ID
ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI
ahci: Annotate PCI ids for mobile Intel chipsets as such
* kernfs: fix regression in kernfs_fop_write caused by wrong type
NFS: reject request for id_legacy key without auxdata
NFS: commit direct writes even if they fail partially
NFS: Add a cond_resched() to nfs_commit_release_pages()
nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds
ubi: block: Fix locking for idr_alloc/idr_remove
mtd: nand: sunxi: Fix ECC strength choice
mtd: nand: Fix nand_do_read_oob() return value
mtd: nand: brcmnand: Disable prefetch by default
mtd: cfi: convert inline functions to macros
media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
dccp: CVE-2017-8824: use-after-free in DCCP code
* sched/rt: Up the root domain ref count when passing it around via IPIs
* sched/rt: Use container_of() to get root domain in rto_push_irq_work_func()
usb: gadget: uvc: Missing files for configfs interface
* posix-timer: Properly check sigevent->sigev_notify
* netfilter: nf_queue: Make the queue_handler pernet
kaiser: fix compile error without vsyscall
x86/kaiser: fix build error with KASAN && !FUNCTION_GRAPH_TRACER
dmaengine: dmatest: fix container_of member in dmatest_callback
CIFS: zero sensitive data when freeing
cifs: Fix autonegotiate security settings mismatch
cifs: Fix missing put_xid in cifs_file_strict_mmap
powerpc/pseries: include linux/types.h in asm/hvcall.h
x86/microcode: Do the family check first
x86/microcode/AMD: Do not load when running on a hypervisor
crypto: tcrypt - fix S/G table for test_aead_speed()
* don't put symlink bodies in pagecache into highmem
KEYS: encrypted: fix buffer overread in valid_master_desc()
media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
vhost_net: stop device during reset owner
* tcp: release sk_frag.page in tcp_disconnect
r8169: fix RTL8168EP take too long to complete driver initialization.
qlcnic: fix deadlock bug
* net: igmp: add a missing rcu locking section
ip6mr: fix stale iterator
x86/asm: Fix inline asm call constraints for GCC 4.4
drm: rcar-du: Fix race condition when disabling planes at CRTC stop
drm: rcar-du: Use the VBK interrupt for vblank events
ASoC: rsnd: avoid duplicate free_irq()
ASoC: rsnd: don't call free_irq() on Parent SSI
ASoC: simple-card: Fix misleading error message
* net: cdc_ncm: initialize drvflags before usage
usbip: fix 3eee23c3ec14 tcp_socket address still in the status file
usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit
ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
powerpc/64s: Allow control of RFI flush via debugfs
powerpc/64s: Wire up cpu_show_meltdown()
powerpc/powernv: Check device-tree for RFI flush settings
powerpc/pseries: Query hypervisor for RFI flush settings
powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti
powerpc/64s: Add support for RFI flush of L1-D cache
powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL
powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL
powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL
powerpc/64s: Simple RFI macro conversions
powerpc/64: Add macros for annotating the destination of rfid/hrfid
powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
* powerpc: Simplify module TOC handling
powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC
powerpc/64: Fix flush_(d|i)cache_range() called from modules
powerpc/bpf/jit: Disable classic BPF JIT on ppc64le
Linux 4.4.115
spi: imx: do not access registers while clocks disabled
serial: imx: Only wakeup via RTSDEN bit if the system has RTS/CTS
* selinux: general protection fault in sock_has_perm
usb: uas: unconditionally bring back host after reset
* usb: f_fs: Prevent gadget unbind if it is already unbound
* USB: serial: simple: add Motorola Tetra driver
usbip: list: don't list devices attached to vhci_hcd
usbip: prevent bind loops on devices attached to vhci_hcd
USB: serial: io_edgeport: fix possible sleep-in-atomic
CDC-ACM: apply quirk for card reader
USB: cdc-acm: Do not log urb submission errors on disconnect
USB: serial: pl2303: new device id for Chilitag
usb: option: Add support for FS040U modem
staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID
* usb: gadget: don't dereference g until after it has been null checked
media: usbtv: add a new usbid
* scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg
scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path
xfs: ubsan fixes
drm/omap: Fix error handling path in 'omap_dmm_probe()'
kmemleak: add scheduling point to kmemleak_scan()
SUNRPC: Allow connect to return EHOSTUNREACH
* quota: Check for register_shrinker() failure.
* net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit
hwmon: (pmbus) Use 64bit math for DIRECT format values
lockd: fix "list_add double add" caused by legacy signal interface
nfsd: check for use of the closed special stateid
grace: replace BUG_ON by WARN_ONCE in exit_net hook
nfsd: Ensure we check stateid validity in the seqid operation checks
nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0)
xen-netfront: remove warning when unloading module
KVM: VMX: Fix rflags cache during vCPU reset
btrfs: fix deadlock when writing out space cache
mac80211: fix the update of path metric for RANN frame
openvswitch: fix the incorrect flow action alloc size
drm/amdkfd: Fix SDMA oversubsription handling
drm/amdkfd: Fix SDMA ring buffer size calculation
drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode
bcache: check return value of register_shrinker
* cpufreq: Add Loongson machine dependencies
* ACPI / bus: Leave modalias empty for devices which are not present
KVM: x86: ioapic: Preserve read-only values in the redirection table
KVM: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered
KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race
KVM: X86: Fix operand/address-size during instruction decoding
KVM: x86: Don't re-execute instruction when not passing CR2 value
KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure
igb: Free IRQs when device is hotplugged
mtd: nand: denali_pci: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
gpio: ath79: add missing MODULE_DESCRIPTION/LICENSE
gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
power: reset: zx-reboot: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
crypto: af_alg - whitelist mask and type
crypto: aesni - handle zero length dst buffer
ALSA: seq: Make ioctls race-free
kaiser: fix intel_bts perf crashes
x86/pti: Make unpoison of pgd for trusted boot work for real
bpf: reject stores into ctx via st and xadd
* bpf: fix 32-bit divide by zero
* bpf: fix divides by zero
* bpf: avoid false sharing of map refcount with max_entries
bpf: arsh is not supported in 32 bit alu thus reject it
* bpf: introduce BPF_JIT_ALWAYS_ON config
* bpf: fix bpf_tail_call() x64 JIT
x86: bpf_jit: small optimization in emit_bpf_tail_call()
bpf: fix branch pruning logic
* loop: fix concurrent lo_open/lo_release
Linux 4.4.114
nfsd: auth: Fix gid sorting when rootsquash enabled
* net: tcp: close sock if net namespace is exiting
* flow_dissector: properly cap thoff field
* ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY
* net: Allow neigh contructor functions ability to modify the primary_key
vmxnet3: repair memory leak
sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
sctp: do not allow the v4 socket to bind a v4mapped v6 address
r8169: fix memory corruption on retrieval of hardware statistics.
* pppoe: take ->needed_headroom of lower device into account on xmit
* net: qdisc_pkt_len_init() should be more robust
* tcp: __tcp_hdrlen() helper
* net: igmp: fix source address check for IGMPv3 reports
lan78xx: Fix failure in USB Full Speed
* ipv6: ip6_make_skb() needs to clear cork.base.dst
* ipv6: fix udpv6 sendmsg crash caused by too small MTU
* ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL
dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state
* hrtimer: Reset hrtimer cpu base proper on CPU hotplug
x86/microcode/intel: Extend BDW late-loading further with LLC size check
* eventpoll.h: add missing epoll event masks
vsyscall: Fix permissions for emulate mode with KAISER/PTI
um: link vmlinux with -no-pie
usbip: prevent leaking socket pointer address in messages
usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
usbip: fix stub_rx: get_pipe() to validate endpoint number
usb: usbip: Fix possible deadlocks reported by lockdep
Input: trackpoint - force 3 buttons if 0 button is reported
* Revert "module: Add retpoline tag to VERMAGIC"
scsi: libiscsi: fix shifting of DID_REQUEUE host byte
* fs/fcntl: f_setown, avoid undefined behaviour
reiserfs: Don't clear SGID when inheriting ACLs
reiserfs: don't preallocate blocks for extended attributes
reiserfs: fix race in prealloc discard
ext2: Don't clear SGID when inheriting ACLs
netfilter: xt_osf: Add missing permission checks
netfilter: nfnetlink_cthelper: Add missing permission checks
* netfilter: fix IS_ERR_VALUE usage
* netfilter: use fwmark_reflect in nf_send_reset
netfilter: nf_conntrack_sip: extend request line validation
* netfilter: restart search if moved to other chain
* netfilter: nfnetlink_queue: reject verdict request from different portid
* netfilter: nf_ct_expect: remove the redundant slash when policy name is empty
* netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags
* netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel
* netfilter: x_tables: speed up jump target validation
* ACPICA: Namespace: fix operand cache leak
* ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
* ACPI / processor: Avoid reserving IO regions too early
x86/ioapic: Fix incorrect pointers in ioapic_setup_resources()
ipc: msg, make msgrcv work with LONG_MIN
* mm, page_alloc: fix potential false positive in __zone_watermark_ok
* cma: fix calculation of aligned offset
hwpoison, memcg: forcibly uncharge LRU pages
* mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
* fs/select: add vmalloc fallback for select(2)
mmc: sdhci-of-esdhc: add/remove some quirks according to vendor version
PCI: layerscape: Fix MSG TLP drop setting
PCI: layerscape: Add "fsl,ls2085a-pcie" compatible ID
* drivers: base: cacheinfo: fix boot error message when acpi is enabled
* drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled
Prevent timer value 0 for MWAITX
* timers: Plug locking race vs. timer migration
* time: Avoid undefined behaviour in ktime_add_safe()
PM / sleep: declare __tracedata symbols as char[] rather than char
can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
* sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks
x86/retpoline: Fill RSB on context switch for affected CPUs
x86/cpu/intel: Introduce macros for Intel family numbers
x86/microcode/intel: Fix BDW late-loading revision check
usbip: Fix potential format overflow in userspace tools
usbip: Fix implicit fallthrough warning
usbip: prevent vhci_hcd driver from leaking a socket pointer address
x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels
Linux 4.4.113
MIPS: AR7: ensure the port type's FCR value is used
x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
x86/pti: Document fix wrong index
kprobes/x86: Disable optimizing on the function jumps to indirect thunk
kprobes/x86: Blacklist indirect thunk functions for kprobes
retpoline: Introduce start/end markers of indirect thunk
x86/mce: Make machine check speculation protected
* kbuild: modversions for EXPORT_SYMBOL() for asm
x86/cpu, x86/pti: Do not enable PTI on AMD processors
arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
dm btree: fix serious bug in btree_split_beneath()
libata: apply MAX_SEC_1024 to all LITEON EP1 series devices
can: peak: fix potential bug in packet fragmentation
ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
* phy: work around 'phys' references to usb-nop-xceiv devices
* tracing: Fix converting enum's from the map in trace_event_eval_update()
Input: twl4030-vibra - fix sibling-node lookup
Input: twl6040-vibra - fix child-node lookup
Input: twl6040-vibra - fix DT node memory management
Input: 88pm860x-ts - fix child-node lookup
x86/apic/vector: Fix off by one in error path
* pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
* module: Add retpoline tag to VERMAGIC
x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
* sched/deadline: Zero out positive runtime after throttling constrained tasks
scsi: hpsa: fix volume offline state
* af_key: fix buffer overread in parse_exthdrs()
* af_key: fix buffer overread in verify_address_len()
ALSA: hda - Apply the existing quirk to iMac 14,1
ALSA: hda - Apply headphone noise quirk for another Dell XPS 13 variant
* ALSA: pcm: Remove yet superfluous WARN_ON()
* futex: Prevent overflow by strengthen input validation
* scsi: sg: disable SET_FORCE_LOW_DMA
x86/retpoline: Remove compile time warning
x86/retpoline: Fill return stack buffer on vmexit
x86/retpoline/irq32: Convert assembler indirect jumps
x86/retpoline/checksum32: Convert assembler indirect jumps
x86/retpoline/xen: Convert Xen hypercall indirect jumps
x86/retpoline/hyperv: Convert assembler indirect jumps
x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
x86/retpoline/entry: Convert entry assembler indirect jumps
x86/retpoline/crypto: Convert crypto assembler indirect jumps
x86/spectre: Add boot time option to select Spectre v2 mitigation
x86/retpoline: Add initial retpoline support
* kconfig.h: use __is_defined() to check if MODULE is defined
EXPORT_SYMBOL() for asm
x86/asm: Make asm/alternative.h safe from assembly
x86/kbuild: enable modversions for symbols exported from asm
x86/asm: Use register variable to get stack pointer value
x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier
x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC
x86/cpu/AMD: Make LFENCE a serializing instruction
* gcov: disable for COMPILE_TEST
Linux 4.4.112
selftests/x86: Add test_vsyscall
x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
x86/alternatives: Fix optimize_nops() checking
sysfs/cpu: Fix typos in vulnerability documentation
x86/cpu: Implement CPU vulnerabilites sysfs functions
* sysfs/cpu: Add vulnerability folder
x86/cpu: Merge bugs.c and bugs_64.c
x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
x86/cpufeatures: Add X86_BUG_CPU_INSECURE
x86/cpufeatures: Make CPU bugs sticky
x86/cpu: Factor out application of forced CPU caps
x86/Documentation: Add PTI description
e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
uas: ignore UAS for Norelsys NS1068(X) chips
* Bluetooth: Prevent stack info leak from the EFS element.
* staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
usbip: remove kernel addresses from usb device and urb debug msgs
USB: fix usbmon BUG trigger
usb: misc: usb3503: make sure reset is low for at least 100us
USB: serial: cp210x: add new device ID ELV ALC 8xxx
USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
bpf, array: fix overflow in max_entries and undefined behavior in index_mask
* bpf: prevent out-of-bounds speculation
bpf: adjust insn_aux_data when patching insns
bpf: refactor fixup_bpf_calls()
bpf: move fixup_bpf_calls() function
bpf: don't (ab)use instructions to store state
* bpf: add bpf_patch_insn_single helper
kaiser: Set _PAGE_NX only if supported
drm/vmwgfx: Potential off by one in vmw_view_add()
KVM: x86: Add memory barrier on vmcs field lookup
x86/microcode/intel: Extend BDW late-loading with a revision check
rbd: set max_segments to USHRT_MAX
* crypto: algapi - fix NULL dereference in crypto_remove_spawns()
* ipv6: fix possible mem leaks in ipv6_make_skb()
* net: stmmac: enable EEE in MII, GMII or RGMII only
sh_eth: fix SH7757 GEther initialization
sh_eth: fix TSU resource handling
RDS: null pointer dereference in rds_atomic_free_op
RDS: Heap OOB write in rds_message_alloc_sgs()
* net: core: fix module type in sock_diag_bind
* ip6_tunnel: disable dst caching if tunnel is dual-stack
8021q: fix a memory leak for VLAN 0 device
x86/pti/efi: broken conversion from efi to kernel page table
Revert "userfaultfd: selftest: vm: allow to build in vm/ directory"
* xhci: Fix ring leak in failure path of xhci_alloc_virt_device()
* sysrq: Fix warning in sysrq generated crash.
* hwrng: core - sleep interruptible in read
* x86/mm/pat, /dev/mem: Remove superfluous error message
cx82310_eth: use skb_cow_head() to deal with cloned skbs
smsc75xx: use skb_cow_head() to deal with cloned skbs
sr9700: use skb_cow_head() to deal with cloned skbs
lan78xx: use skb_cow_head() to deal with cloned skbs
* r8152: adjust ALDPS function
* r8152: use test_and_clear_bit
* r8152: fix the wake event
usb: musb: ux500: Fix NULL pointer dereference at system PM
usbvision fix overflow of interfaces array
* locking/mutex: Allow next waiter lockless wakeup
* futex: Replace barrier() in unqueue_me() with READ_ONCE()
* locks: don't check for race with close when setting OFD lock
zswap: don't param_set_charp while holding spinlock
mm/zswap: use workqueue to destroy pool
* mm/page-writeback: fix dirty_ratelimit calculation
* mm/compaction: pass only pageblock aligned range to pageblock_pfn_to_page
* mm/compaction: fix invalid free_pfn and compact_cached_free_pfn
x86/acpi: Reduce code duplication in mp_override_legacy_irq()
ALSA: aloop: Fix racy hw constraints adjustment
ALSA: aloop: Fix inconsistent format due to incomplete rule
ALSA: aloop: Release cable upon open error path
ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
ALSA: pcm: Abort properly at pending signal in OSS read/write loops
ALSA: pcm: Add missing error checks in OSS emulation plugin builder
* ALSA: pcm: Remove incorrect snd_BUG_ON() usages
iommu/arm-smmu-v3: Don't free page table ops twice
x86/acpi: Handle SCI interrupts above legacy space gracefully
x86/vsdo: Fix build on PARAVIRT_CLOCK=y, KVM_GUEST=n
kvm: vmx: Scrub hardware GPRs at VM-exit
net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y
MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET
MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
MIPS: Consistently handle buffer counter with PTRACE_SETREGSET
MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
MIPS: Factor out NT_PRFPREG regset access helpers
MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task
IB/srpt: Disable RDMA access by the initiator
can: gs_usb: fix return value of the "set_bittiming" callback
KVM: Fix stack-out-of-bounds read in write_mmio
* dm bufio: fix shrinker scans when (nr_to_scan < retain_target)
Linux 4.4.111
Fix build error in vma.c
Map the vsyscall page with _PAGE_USER
* proc: much faster /proc/vmstat
* module: Issue warnings when tainting kernel
* module: keep percpu symbols in module's symtab
* genksyms: Handle string literals with spaces in reference files
x86/tlb: Drop the _GPL from the cpu_tlbstate export
parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit SMP kernel
x86/microcode/AMD: Add support for fam17h microcode loading
Input: elantech - add new icbody type 15
ARC: uaccess: dont use "l" gcc inline asm constraint modifier
* kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal()
* kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals
* kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL
* kernel: make groups_sort calling a responsibility group_info allocators
fscache: Fix the default for fscache_maybe_release_page()
sunxi-rsb: Include OF based modalias in device uevent
crypto: pcrypt - fix freeing pcrypt instances
crypto: chacha20poly1305 - validate the digest size
crypto: n2 - cure use after free
kernel/acct.c: fix the acct->needcheck check in check_free_space()
x86/kasan: Write protect kasan zero shadow
Linux 4.4.110
kaiser: Set _PAGE_NX only if supported
x86/kasan: Clear kasan_zero_page after TLB flush
x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap
x86, vdso, pvclock: Simplify and speed up the vdso pvclock reader
KPTI: Report when enabled
* KPTI: Rename to PAGE_TABLE_ISOLATION
x86/kaiser: Move feature detection up
kaiser: disabled on Xen PV
* x86/kaiser: Reenable PARAVIRT
x86/paravirt: Dont patch flush_tlb_single
kaiser: kaiser_flush_tlb_on_return_to_user() check PCID
kaiser: asm/tlbflush.h handle noPGE at lower level
kaiser: drop is_atomic arg to kaiser_pagetable_walk()
kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush
x86/kaiser: Check boottime cmdline params
x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling
kaiser: add "nokaiser" boot option, using ALTERNATIVE
kaiser: fix unlikely error in alloc_ldt_struct()
kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls
kaiser: paranoid_entry pass cr3 need to paranoid_exit
kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user
kaiser: PCID 0 for kernel and 128 for user
kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user
kaiser: enhanced by kernel and user PCIDs
* kaiser: vmstat show NR_KAISERTABLE as nr_overhead
* kaiser: delete KAISER_REAL_SWITCH option
kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET
* kaiser: cleanups while trying for gold link
kaiser: kaiser_remove_mapping() move along the pgd
kaiser: tidied up kaiser_add/remove_mapping slightly
kaiser: tidied up asm/kaiser.h somewhat
kaiser: ENOMEM if kaiser_pagetable_walk() NULL
kaiser: fix perf crashes
kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER
* kaiser: KAISER depends on SMP
kaiser: fix build and FIXME in alloc_ldt_struct()
* kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE
kaiser: do not set _PAGE_NX on pgd_none
* kaiser: merged update
* KAISER: Kernel Address Isolation
x86/boot: Add early cmdline parsing for options with arguments
Linux 4.4.109
* mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even on UP
* n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
x86/smpboot: Remove stale TLB flush invocations
* nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
* usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201
* USB: Fix off by one in type-specific length check of BOS SSP capability
* usb: add RESET_RESUME for ELSA MicroLink 56K
* usb: Add device quirk for Logitech HD Pro Webcam C925e
USB: serial: option: adding support for YUGA CLM920-NC5
USB: serial: option: add support for Telit ME910 PID 0x1101
USB: serial: qcserial: add Sierra Wireless EM7565
USB: serial: ftdi_sio: add id for Airbus DS P8GR
usbip: vhci: stop printing kernel pointer addresses in messages
usbip: stub: stop printing kernel pointer addresses in messages
usbip: fix usbip bind writing random string after command in match_busid
* sock: free skb in skb_complete_tx_timestamp on error
net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround
* net: Fix double free and memory corruption in get_net_ns_by_id()
* net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
* ipv4: Fix use-after-free when flushing FIB tables
sctp: Replace use of sockets_allocated with specified macro.
net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case
* net: ipv4: fix for a race condition in raw_sendmsg
tg3: Fix rx hang on MTU change with 5717/5719
* tcp md5sig: Use skb's saddr when replying to an incoming segment
* net: reevalulate autoflowlabel setting after sysctl setting
net: qmi_wwan: add Sierra EM7565 1199:9091
* netlink: Add netns check on taps
* net: igmp: Use correct source address on IGMPv3 reports
* ipv6: mcast: better catch silly mtu values
* ipv4: igmp: guard against silly MTU values
* kbuild: add '-fno-stack-check' to kernel build options
x86/mm/64: Fix reboot interaction with CR4.PCIDE
x86/mm: Enable CR4.PCIDE on supported systems
x86/mm: Add the 'nopcid' boot option to turn off PCID
x86/mm: Disable PCID on 32-bit kernels
x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code
x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range()
x86/mm: Make flush_tlb_mm_range() more predictable
x86/mm: Remove flush_tlb() and flush_tlb_current_task()
x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly()
ALSA: hda - fix headset mic detection issue on a Dell machine
ALSA: hda: Drop useless WARN_ON()
ASoC: twl4030: fix child-node lookup
ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure
iw_cxgb4: Only validate the MSN for successful completions
* ring-buffer: Mask out the info bits when returning buffer page length
* tracing: Fix crash when it fails to alloc ring buffer
* tracing: Fix possible double free on failure of allocating trace buffer
* tracing: Remove extra zeroing out of the ring buffer page
net: mvneta: clear interface link status on port disable
powerpc/perf: Dereference BHRB entries safely
kvm: x86: fix RSM when PCID is non-zero
KVM: X86: Fix load RFLAGS w/o the fixed bit
spi: xilinx: Detect stall with Unknown commands
parisc: Hide Diva-built-in serial aux and graphics card
* PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
* ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU
* ALSA: rawmidi: Avoid racy info ioctl via ctl device
mfd: twl6040: Fix child-node lookup
mfd: twl4030-audio: Fix sibling-node lookup
mfd: cros ec: spi: Don't send first message too soon
crypto: mcryptd - protect the per-CPU queue with a lock
ACPI: APEI / ERST: Fix missing error handling in erst_reader()
Linux 4.4.108
alpha: fix build failures
ALSA: hda - Fix yet another i915 pointer leftover in error path
ALSA: hda - Degrade i915 binding failure message
ALSA: hda - Clear the leftover component assignment at snd_hdac_i915_exit()
Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature"
MIPS: math-emu: Fix final emulation phase for certain instructions
thermal: hisilicon: Handle return value of clk_prepare_enable
* cpuidle: fix broadcast control when broadcast can not be entered
* rtc: set the alarm to the next expiring timer
tcp: fix under-evaluated ssthresh in TCP Vegas
fm10k: ensure we process SM mbx when processing VF mbx
scsi: lpfc: PLOGI failures during NPIV testing
scsi: lpfc: Fix secure firmware updates
PCI/AER: Report non-fatal errors only to the affected endpoint
ixgbe: fix use of uninitialized padding
igb: check memory allocation failure
PCI: Create SR-IOV virtfn/physfn links before attaching driver
scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1 volume created on two SATA drive
scsi: cxgb4i: fix Tx skb leak
* PCI: Avoid bus reset if bridge itself is broken
net: phy: at803x: Change error to EINVAL for invalid MAC
rtc: pl031: make interrupt optional
crypto: crypto4xx - increase context and scatter ring buffer elements
backlight: pwm_bl: Fix overflow condition
bnxt_en: Fix NULL pointer dereference in reopen failure path
cpuidle: powernv: Pass correct drv->cpumask for registration
ARM: dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory
* netfilter: nfnetlink_queue: fix secctx memory leak
* xhci: plat: Register shutdown for xhci_plat
isdn: kcapi: avoid uninitialized data
KVM: pci-assign: do not map smm memory slot pages in vt-d page tables
ARM: dts: am335x-evmsk: adjust mmc2 param to allow suspend
netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table
irda: vlsi_ir: fix check for DMA mapping errors
RDMA/iser: Fix possible mr leak on device removal event
i40e: Do not enable NAPI on q_vectors that have no rings
* net: Do not allow negative values for busy_read and busy_poll sysctl interfaces
bna: avoid writing uninitialized data into hw registers
s390/qeth: no ETH header for outbound AF_IUCV
* r8152: prevent the driver from transmitting packets with carrier off
* HID: xinmo: fix for out of range for THT 2P arcade controller.
hwmon: (asus_atk0110) fix uninitialized data access
ARM: dts: ti: fix PCI bus dtc warnings
KVM: VMX: Fix enable VPID conditions
KVM: x86: correct async page present tracepoint
scsi: lpfc: Fix PT2PT PRLI reject
pinctrl: st: add irq_request/release_resources callbacks
* inet: frag: release spinlock before calling icmp_send()
netfilter: nfnl_cthelper: Fix memory leak
netfilter: nfnl_cthelper: fix runtime expectation policy updates
usb: gadget: udc: remove pointer dereference after free
usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed
net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4
bna: integer overflow bug in debugfs
sch_dsmark: fix invalid skb_cow() usage
* crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
* r8152: fix the list rx_done may be used without initialization
* cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
arm: kprobes: Align stack to 8-bytes in test code
arm: kprobes: Fix the return address of multiple kretprobes
ALSA: hda - add support for docking station for HP 840 G3
ALSA: hda - add support for docking station for HP 820 G2
x86/irq: Do not substract irq_tlb_count from irq_call_count
* sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
ARM: Hide finish_arch_post_lock_switch() from modules
x86/mm, sched/core: Turn off IRQs in switch_mm()
x86/mm, sched/core: Uninline switch_mm()
x86/mm: Build arch/x86/mm/tlb.c even on !SMP
* sched/core: Add switch_mm_irqs_off() and use it in the scheduler
* mm/mmu_context, sched/core: Fix mmu_context.h assumption
* mm/rmap: batched invalidations should use existing api
x86/mm: If INVPCID is available, use it to flush global mappings
x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID
x86/mm: Fix INVPCID asm constraint
x86/mm: Add INVPCID helpers
cxl: Check if vphb exists before iterating over AFU devices
* arm64: Initialise high_memory global variable earlier
Linux 4.4.107
ath9k: fix tx99 potential info leak
IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop
RDMA/cma: Avoid triggering undefined behavior
macvlan: Only deliver one copy of the frame to the macvlan interface
udf: Avoid overflow when session starts at large offset
scsi: bfa: integer overflow in debugfs
* scsi: sd: change allow_restart to bool in sysfs interface
* scsi: sd: change manage_start_stop to bool in sysfs interface
vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
* scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
raid5: Set R5_Expanded on parity devices as well as data.
* pinctrl: adi2: Fix Kconfig build problem
usb: musb: da8xx: fix babble condition handling
* tty fix oops when rmmod 8250
powerpc/perf/hv-24x7: Fix incorrect comparison in memord
scsi: hpsa: destroy sas transport properties before scsi_host
scsi: hpsa: cleanup sas_phy structures in sysfs when unloading
* PCI: Detach driver before procfs & sysfs teardown on device remove
xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real
xfs: fix log block underflow during recovery cycle verification
* l2tp: cleanup l2tp_tunnel_delete calls
bcache: fix wrong cache_misses statistics
bcache: explicitly destroy mutex while exiting
GFS2: Take inode off order_write list when setting jdata flag
* thermal/drivers/step_wise: Fix temperature regulation misbehavior
* ppp: Destroy the mutex when cleanup
clk: tegra: Fix cclk_lp divisor register
clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU
clk: mediatek: add the option for determining PLL source clock
* mm: Handle 0 flags in _calc_vm_trans() macro
crypto: tcrypt - fix buffer lengths in test_aead_speed()
arm-ccn: perf: Prevent module unload while PMU is in use
target/file: Do not return error for UNMAP if length is zero
target:fix condition return in core_pr_dump_initiator_port()
iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
powerpc/ipic: Fix status get and status clear
powerpc/opal: Fix EBUSY bug in acquiring tokens
netfilter: ipvs: Fix inappropriate output of procfs
powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
PCI/PME: Handle invalid data when reading Root Status
dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type
rtc: pcf8563: fix output clock rate
video: fbdev: au1200fb: Return an error code if a memory allocation fails
video: fbdev: au1200fb: Release some resources if a memory allocation fails
video: udlfb: Fix read EDID timeout
fbdev: controlfb: Add missing modes to fix out of bounds access
sfc: don't warn on successful change of MAC
target: fix race during implicit transition work flushes
target: fix ALUA transition timeout handling
target: Use system workqueue for ALUA transitions
btrfs: add missing memset while reading compressed inline extents
NFSv4.1 respect server's max size in CREATE_SESSION
* efi/esrt: Cleanup bad memory map log messages
perf symbols: Fix symbols__fixup_end heuristic for corner cases
net/mlx4_core: Avoid delays during VF driver device shutdown
afs: Fix afs_kill_pages()
afs: Fix page leak in afs_write_begin()
afs: Populate and use client modification time
afs: Fix the maths in afs_fs_store_data()
afs: Prevent callback expiry timer overflow
afs: Migrate vlocation fields to 64-bit
afs: Flush outstanding writes when an fd is closed
afs: Adjust mode bits processing
afs: Populate group ID from vnode status
afs: Fix missing put_page()
drm/radeon: reinstate oland workaround for sclk
mmc: mediatek: Fixed bug where clock frequency could be set wrong
* sched/deadline: Use deadline instead of period when calculating overflow
* sched/deadline: Throttle a constrained deadline task activated after the deadline
* sched/deadline: Make sure the replenishment timer fires in the next period
drm/radeon/si: add dpm quirk for Oland
fjes: Fix wrong netdevice feature flags
scsi: hpsa: limit outstanding rescans
scsi: hpsa: update check for logical volume status
openrisc: fix issue handling 8 byte get_user calls
intel_th: pci: Add Gemini Lake support
mlxsw: reg: Fix SPVMLR max record count
mlxsw: reg: Fix SPVM max record count
* net: Resend IGMP memberships upon peer notification.
* dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
net: wimax/i2400m: fix NULL-deref at probe
* writeback: fix memory leak in wb_queue_work()
netfilter: bridge: honor frag_max_size when refragmenting
drm/omap: fix dmabuf mmap for dma_alloc'ed buffers
Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
NFSD: fix nfsd_reset_versions for NFSv4.
NFSD: fix nfsd_minorversion(.., NFSD_AVAIL)
net: bcmgenet: Power up the internal PHY before probing the MII
net: bcmgenet: power down internal phy if open or resume fails
net: bcmgenet: reserved phy revisions must be checked first
net: bcmgenet: correct MIB access of UniMAC RUNT counters
net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values
* net: initialize msg.msg_flags in recvfrom
userfaultfd: selftest: vm: allow to build in vm/ directory
userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
md-cluster: free md_cluster_info if node leave cluster
usb: phy: isp1301: Add OF device ID table
mac80211: Fix addition of mesh configuration element
* KEYS: add missing permission check for request_key() destination
* ext4: fix crash when a directory's i_size is too small
* ext4: fix fdatasync(2) after fallocate(2) operation
dmaengine: dmatest: move callback wait queue to thread context
* sched/rt: Do not pull from current CPU if only one CPU to pull
* xhci: Don't add a virt_dev to the devs array before it's fully allocated
Bluetooth: btusb: driver to enable the usb-wakeup feature
ceph: drop negative child dentries before try pruning inode's alias
usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
* USB: core: prevent malicious bNumInterfaces overflow
* USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
* tracing: Allocate mask_str buffer dynamically
autofs: fix careless error in recent commit
crypto: salsa20 - fix blkcipher_walk API usage
* crypto: hmac - require that the underlying hash algorithm is unkeyed
Linux 4.4.106
* usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping
arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"
Revert "x86/efi: Hoist page table switching code into efi_call_virt()"
Revert "x86/efi: Build our own page table structures"
* net/packet: fix a race in packet_bind() and packet_notifier()
* packet: fix crash in fanout_demux_rollover()
* sit: update frag_off info
rds: Fix NULL pointer dereference in __rds_rdma_map
tipc: fix memory leak in tipc_accept_from_sock()
* more bio_map_user_iov() leak fixes
s390: always save and restore all registers on context switch
ipmi: Stop timers before cleaning up the module
* audit: ensure that 'audit=1' actually enables audit for PID 1
ipvlan: fix ipv6 outbound device
afs: Connect up the CB.ProbeUuid
IB/mlx5: Assign send CQ and recv CQ of UMR QP
IB/mlx4: Increase maximal message size under UD QP
* xfrm: Copy policy family in clone_policy
* jump_label: Invoke jump_label_test() via early_initcall()
atm: horizon: Fix irq release error
sctp: use the right sk after waking up from wait_buf sleep
sctp: do not free asoc when it is already dead in sctp_sendmsg
sparc64/mm: set fields in deferred pages
* block: wake up all tasks blocked in get_request()
sunrpc: Fix rpc_task_begin trace point
NFS: Fix a typo in nfs_rename()
* dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
* lib/genalloc.c: make the avail variable an atomic_long_t
* route: update fnhe_expires for redirect when the fnhe exists
* route: also update fnhe_genid when updating a route cache
mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
* kbuild: pkg: use --transform option to prefix paths in tar
EDAC, i5000, i5400: Fix definition of NRECMEMB register
EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
drm/amd/amdgpu: fix console deadlock if late init failed
axonram: Fix gendisk handling
* netfilter: don't track fragmented packets
* zram: set physical queue limits to avoid array out of bounds accesses
i2c: riic: fix restart condition
crypto: s5p-sss - Fix completing crypto request in IRQ handler
* ipv6: reorder icmpv6_init() and ip6_mr_init()
bnx2x: do not rollback VF MAC/VLAN filters we did not configure
bnx2x: fix possible overrun of VFPF multicast addresses array
bnx2x: prevent crash when accessing PTP with interface down
spi_ks8995: fix "BUG: key accdaa28 not in .data!"
arm64: KVM: Survive unknown traps from guests
arm: KVM: Survive unknown traps from guests
KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
irqchip/crossbar: Fix incorrect type of register size
scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
* workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
libata: drop WARN from protocol error in ata_sff_qc_issue()
kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
* usb: gadget: configs: plug memory leak
* HID: chicony: Add support for another ASUS Zen AiO keyboard
gpio: altera: Use handle_level_irq when configured as a level_high
ARM: OMAP2+: Release device node after it is no longer needed.
ARM: OMAP2+: Fix device node reference counts
* module: set __jump_table alignment to 8
selftest/powerpc: Fix false failures for skipped tests
x86/hpet: Prevent might sleep splat on resume
ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
* vti6: Don't report path MTU below IPV6_MIN_MTU.
Revert "s390/kbuild: enable modversions for symbols exported from asm"
* Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
* Revert "drm/armada: Fix compile fail"
* mm: drop unused pmdp_huge_get_and_clear_notify()
thp: fix MADV_DONTNEED vs. numa balancing race
thp: reduce indentation level in change_huge_pmd()
scsi: storvsc: Workaround for virtual DVD SCSI version
ARM: avoid faulting on qemu
ARM: BUG if jumping to usermode address in kernel mode
* arm64: fpsimd: Prevent registers leaking from dead tasks
KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
* arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
media: dvb: i2c transfers over usb cannot be done from stack
drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
drm: extra printk() wrapper macros
kdb: Fix handling of kallsyms_symbol_next() return value
s390: fix compat system call table
iommu/vt-d: Fix scatterlist offset handling
* ALSA: usb-audio: Add check return value for usb_string()
* ALSA: usb-audio: Fix out-of-bound error
ALSA: seq: Remove spurious WARN_ON() at timer check
* ALSA: pcm: prevent UAF in snd_pcm_info
x86/PCI: Make broadcom_postcore_init() check acpi_disabled
* X.509: reject invalid BIT STRING for subjectPublicKey
* ASN.1: check for error from ASN1_OP_END__ACT actions
* ASN.1: fix out-of-bounds read when parsing indefinite length item
* efi: Move some sysfs files to be read-only by root
scsi: libsas: align sata_device's rps_resp on a cacheline
isa: Prevent NULL dereference in isa_bus driver callbacks
hv: kvp: Avoid reading past allocated blocks from KVP file
virtio: release virtio index when fail to device_register
can: usb_8dev: cancel urb on -EPIPE and -EPROTO
can: esd_usb2: cancel urb on -EPIPE and -EPROTO
can: ems_usb: cancel urb on -EPIPE and -EPROTO
can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
can: kvaser_usb: ratelimit errors if incomplete messages are received
can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
can: kvaser_usb: free buf in error paths
can: ti_hecc: Fix napi poll return value for repoll
Linux 4.4.105
xen-netfront: avoid crashing on resume after a failure in talk_to_netback()
usb: host: fix incorrect updating of offset
* USB: usbfs: Filter flags passed in from user space
* USB: devio: Prevent integer overflow in proc_do_submiturb()
* USB: Increase usbfs transfer limit
* USB: core: Add type-specific length check of BOS descriptors
* usb: ch9: Add size macro for SSP dev cap descriptor
* usb: Add USB 3.1 Precision time measurement capability descriptor support
* usb: xhci: fix panic in xhci_free_virt_devices_depth_first
* usb: hub: Cycle HUB power when initialization fails
Revert "ocfs2: should wait dio before inode lock in ocfs2_setattr()"
net: fec: fix multicast filtering hardware setup
xen-netfront: Improve error handling during initialization
* mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
* tcp: correct memory barrier usage in tcp_check_space()
dmaengine: pl330: fix double lock
tipc: fix cleanup at module unload
net: sctp: fix array overrun read on sctp_timer_tbl
drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement
NFSv4: Fix client recovery when server reboots multiple times
KVM: arm/arm64: Fix occasional warning from the timer work function
nfs: Don't take a reference on fl->fl_file for LOCK operation
ravb: Remove Rx overflow log messages
net/appletalk: Fix kernel memory disclosure
* vti6: fix device register to report IFLA_INFO_KIND
ARM: OMAP1: DMA: Correct the number of logical channels
net: systemport: Pad packet before inserting TSB
net: systemport: Utilize skb_put_padto()
kprobes/x86: Disable preemption in ftrace-based jprobes
perf test attr: Fix ignored test case result
* sysrq : fix Show Regs call trace on ARM
EDAC, sb_edac: Fix missing break in switch
x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()
serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X
usb: phy: tahvo: fix error handling in tahvo_usb_probe()
spi: sh-msiof: Fix DMA transfer size check
serial: 8250_fintek: Fix rs485 disablement on invalid ioctl()
selftests/x86/ldt_get: Add a few additional tests for limits
s390/pci: do not require AIS facility
ima: fix hash algorithm initialization
USB: serial: option: add Quectel BG96 id
s390/runtime instrumentation: simplify task exit handling
serial: 8250_pci: Add Amazon PCI serial device ID
* usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub
uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices
bcache: recover data from backing when data is clean
bcache: only permit to recovery read error when cache device is clean
Linux 4.4.104
nfsd: Fix another OPEN stateid race
nfsd: Fix stateid races between OPEN and CLOSE
nfsd: Make init_open_stateid() a bit more whole
drm/i915: Prevent zero length "index" write
drm/i915: Don't try indexed reads to alternate slave addresses
NFS: revalidate "." etc correctly on "open".
mtd: nand: Fix writing mtdoops to nand flash.
drm/panel: simple: Add missing panel_simple_unprepare() calls
drm/radeon: fix atombios on big endian
Revert "drm/radeon: dont switch vt on suspend"
bcache: Fix building error on MIPS
eeprom: at24: check at24_read/write arguments
mmc: core: Do not leave the block driver in a suspended state
KVM: x86: inject exceptions produced by x86_decode_insn
KVM: x86: Exit to user-mode on #UD intercept when emulator requires
KVM: x86: pvclock: Handle first-time write to pvclock-page contains random junk
btrfs: clear space cache inode generation always
* mm/madvise.c: fix madvise() infinite loop under special circumstances
mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d()
x86/efi-bgrt: Replace early_memremap() with memremap()
* x86/efi-bgrt: Fix kernel panic when mapping BGRT data
ARM: dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio
x86/efi: Build our own page table structures
x86/efi: Hoist page table switching code into efi_call_virt()
x86/mm/pat: Ensure cpa->pfn only contains page frame numbers
* ipsec: Fix aborted xfrm policy dump crash
* netlink: add a start callback for starting a netlink dump
Linux 4.4.103
Revert "sctp: do not peel off an assoc from one netns to another one"
xen: xenbus driver must not accept invalid transaction ids
s390/kbuild: enable modversions for symbols exported from asm
ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data
btrfs: return the actual error value from from btrfs_uuid_tree_iterate
ASoC: rsnd: don't double free kctrl
netfilter: nf_tables: fix oob access
netfilter: nft_queue: use raw_smp_processor_id()
* spi: SPI_FSL_DSPI should depend on HAS_DMA
staging: iio: cdc: fix improper return value
iio: light: fix improper return value
mac80211: Suppress NEW_PEER_CANDIDATE event if no room
mac80211: Remove invalid flag operations in mesh TSF synchronization
drm: Apply range restriction after color adjustment when allocation
ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE
ath10k: set CTS protection VDEV param only if VDEV is up
ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats()
ath10k: ignore configuring the incorrect board_id
ath10k: fix incorrect txpower set by P2P_DEVICE interface
* drm/armada: Fix compile fail
net: 3com: typhoon: typhoon_init_one: fix incorrect return values
net: 3com: typhoon: typhoon_init_one: make return values more specific
* net: Allow IP_MULTICAST_IF to set index to L3 slave
dmaengine: zx: set DMA_CYCLIC cap_mask bit
* PCI: Apply _HPX settings only to relevant devices
RDS: RDMA: return appropriate error on rdma map failures
e1000e: Separate signaling for link check/link up
e1000e: Fix return value test
e1000e: Fix error path in link detection
* PM / OPP: Add missing of_node_put(np)
net/9p: Switch to wait_event_killable()
* fscrypt: lock mutex before checking for bounce page pool
* sched/rt: Simplify the IPI based RT balancing logic
* media: v4l2-ctrl: Fix flags field on Control events
cx231xx-cards: fix NULL-deref on missing association descriptor
media: rc: check for integer overflow
media: Don't do DMA on stack for firmware upload in the AS102 driver
powerpc/signal: Properly handle return value from uprobe_deny_signal()
parisc: Fix validity check of pointer size argument in new CAS implementation
ixgbe: Fix skb list corruption on Power systems
fm10k: Use smp_rmb rather than read_barrier_depends
i40evf: Use smp_rmb rather than read_barrier_depends
ixgbevf: Use smp_rmb rather than read_barrier_depends
igbvf: Use smp_rmb rather than read_barrier_depends
igb: Use smp_rmb rather than read_barrier_depends
i40e: Use smp_rmb rather than read_barrier_depends
NFC: fix device-allocation error return
IB/srp: Avoid that a cable pull can trigger a kernel crash
IB/srpt: Do not accept invalid initiator port names
libnvdimm, namespace: make 'resource' attribute only readable by root
libnvdimm, namespace: fix label initialization to use valid seq numbers
clk: ti: dra7-atl-clock: fix child-node lookups
clk: ti: dra7-atl-clock: Fix of_node reference counting
SUNRPC: Fix tracepoint storage issues with svc_recv and svc_rqst_status
KVM: SVM: obey guest PAT
KVM: nVMX: set IDTR and GDTR limits when loading L1 host state
target: Fix QUEUE_FULL + SCSI task attribute handling
iscsi-target: Fix non-immediate TMR reference leak
fs/9p: Compare qid.path in v9fs_test_inode
fix a page leak in vhost_scsi_iov_to_sgl() error recovery
ALSA: hda/realtek - Fix ALC700 family no sound issue
* ALSA: timer: Remove kernel warning at compat ioctl error paths
* ALSA: usb-audio: Add sanity checks in v2 clock parsers
* ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
* ALSA: usb-audio: Add sanity checks to FE parser
* ALSA: pcm: update tstamp only if audio_tstamp changed
* ext4: fix interaction between i_size, fallocate, and delalloc after a crash
ata: fixes kernel crash while tracing ata_eh_link_autopsy event
rtlwifi: fix uninitialized rtlhal->last_suspend_sec time
rtlwifi: rtl8192ee: Fix memory leak when loading firmware
nfsd: deal with revoked delegations appropriately
nfs: Fix ugly referral attributes
NFS: Fix typo in nomigration mount option
isofs: fix timestamps beyond 2027
bcache: check ca->alloc_thread initialized before wake up it
eCryptfs: use after free in ecryptfs_release_messaging()
nilfs2: fix race condition that causes file system corruption
autofs: don't fail mount for transient error
MIPS: BCM47XX: Fix LED inversion for WRT54GSv1
MIPS: Fix an n32 core file generation regset support regression
* dm: fix race between dm_get_from_kobject() and __dm_destroy()
* dm bufio: fix integer overflow when limiting maximum cache size
ALSA: hda: Add Raven PCI ID
MIPS: ralink: Fix typo in mt7628 pinmux function
MIPS: ralink: Fix MT7628 pinmux
ARM: 8721/1: mm: dump: check hardware RO bit for LPAE
ARM: 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE
x86/decoder: Add new TEST instruction pattern
* lib/mpi: call cond_resched() from mpi_powm() loop
* sched: Make resched_cpu() unconditional
vsock: use new wait API for vsock_stream_sendmsg()
AF_VSOCK: Shrink the area influenced by prepare_to_wait
* ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER
s390/disassembler: increase show_code buffer size
s390/disassembler: add missing end marker for e7 table
s390/runtime instrumention: fix possible memory corruption
s390: fix transactional execution control register handling
Linux 4.4.102
mm, hwpoison: fixup "mm: check the return value of lookup_page_ext for all call sites"
Linux 4.4.101
* mm/pagewalk.c: report holes in hugetlb ranges
mm/page_ext.c: check if page_ext is not prepared
* mm: check the return value of lookup_page_ext for all call sites
coda: fix 'kernel memory exposure attempt' in fsync
* mm/page_alloc.c: broken deferred calculation
ipmi: fix unsigned long underflow
ocfs2: should wait dio before inode lock in ocfs2_setattr()
nvme: Fix memory order on async queue deletion
* arm64: fix dump_instr when PAN and UAO are in use
serial: omap: Fix EFR write on RTS deassertion
ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
net/sctp: Always set scope_id in sctp_inet6_skb_msgname
fealnx: Fix building error on MIPS
sctp: do not peel off an assoc from one netns to another one
* af_netlink: ensure that NLMSG_DONE never fails in dumps
vlan: fix a use-after-free in vlan_device_event()
* bonding: discard lowest hash bit for 802.3ad layer3+4
* netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
* tcp: do not mangle skb->cb[] in tcp_make_synack()
Linux 4.4.100
USB: serial: garmin_gps: fix memory leak on probe errors
USB: serial: garmin_gps: fix I/O after failed probe and remove
USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update
* USB: Add delay-init quirk for Corsair K70 LUX keyboards
* USB: usbfs: compute urb->actual_length for isochronous
uapi: fix linux/rds.h userspace compilation errors
uapi: fix linux/rds.h userspace compilation error
Revert "uapi: fix linux/rds.h userspace compilation errors"
* Revert "crypto: xts - Add ECB dependency"
MIPS: Netlogic: Exclude netlogic,xlp-pic code from XLR builds
MIPS: init: Ensure reserved memory regions are not added to bootmem
MIPS: init: Ensure bootmem does not corrupt reserved memory
* mm: add PHYS_PFN, use it in __phys_to_pfn()
MIPS: End asm function prologue macros with .insn
staging: rtl8712: fixed little endian problem
ixgbe: do not disable FEC from the driver
ixgbe: add mask for 64 RSS queues
ixgbe: Reduce I2C retry count on X550 devices
ixgbe: handle close/suspend race with netif_device_detach/present
ixgbe: fix AER error handling
arm64: dts: NS2: reserve memory for Nitro firmware
ALSA: hda/realtek - Add new codec ID ALC299
gpu: drm: mgag200: mgag200_main:- Handle error from pci_iomap
backlight: adp5520: Fix error handling in adp5520_bl_probe()
backlight: lcd: Fix race condition during register
ALSA: vx: Fix possible transfer overflow
ALSA: vx: Don't try to update capture stream before running
scsi: lpfc: Clear the VendorVersion in the PLOGI/PLOGI ACC payload
scsi: lpfc: Correct issue leading to oops during link reset
scsi: lpfc: Correct host name in symbolic_name field
scsi: lpfc: FCoE VPort enable-disable does not bring up the VPort
scsi: lpfc: Add missing memory barrier
staging: rtl8188eu: fix incorrect ERROR tags from logs
* scsi: ufs: add capability to keep auto bkops always enabled
* scsi: ufs-qcom: Fix module autoload
igb: Fix hw_dbg logging in igb_update_flash_i210
igb: close/suspend race in netif_device_detach
igb: reset the PHY before reading the PHY ID
drm/sti: sti_vtg: Handle return NULL error from devm_ioremap_nocache
* ata: SATA_MV should depend on HAS_DMA
* ata: SATA_HIGHBANK should depend on HAS_DMA
* ata: ATA_BMDMA should depend on HAS_DMA
ARM: dts: Fix omap3 off mode pull defines
ARM: OMAP2+: Fix init for multiple quirks for the same SoC
ARM: dts: Fix am335x and dm814x scm syscon to probe children
ARM: dts: Fix compatible for ti81xx uarts for 8250
fm10k: request reset when mbx->state changes
extcon: palmas: Check the parent instance to prevent the NULL
dmaengine: dmatest: warn user when dma test times out
Bluetooth: btusb: fix QCA Rome suspend/resume
arm: crypto: reduce priority of bit-sliced AES cipher
net: qmi_wwan: fix divide by 0 on bad descriptors
* net: cdc_ether: fix divide by 0 on bad descriptors
sctp: do not peel off an assoc from one netns to another one
xen-blkback: don't leak stack data via response ring
bpf: don't let ldimm64 leak map addresses on unprivileged
KVM: x86: fix singlestepping over syscall
* ext4: fix data exposure after a crash
media: dib0700: fix invalid dvb_detach argument
media: imon: Fix null-ptr-deref in imon_probe
Linux 4.4.99
misc: panel: properly restore atomic counter on error path
target: Fix node_acl demo-mode + uncached dynamic shutdown regression
target/iscsi: Fix iSCSI task reassignment handling
brcmfmac: remove setting IBSS mode when stopping AP
tipc: fix link attribute propagation bug
* security/keys: add CONFIG_KEYS_COMPAT to Kconfig
* tcp/dccp: fix other lockdep splats accessing ireq_opt
* tcp/dccp: fix lockdep splat in inet_csk_route_req()
* tcp/dccp: fix ireq->opt races
ipip: only increase err_count for some certain type icmp in ipip_err
* ppp: fix race in ppp device destruction
sctp: reset owner sk for data chunks on out queues when migrating a sock
* tun: allow positive return values on dev_get_valid_name() call
ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
net/unix: don't show information about sockets from other namespaces
* ipv6: flowlabel: do not leave opt->tot_len with garbage
* packet: avoid panic in packet_getsockopt()
sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
* tun: call dev_get_valid_name() before register_netdevice()
* l2tp: check ps->sock before running pppol2tp_session_ioctl()
* tcp: fix tcp_mtu_probe() vs highest_sack
* tun/tap: sanitize TUNSETSNDBUF input
ALSA: seq: Cancel pending autoload work at unbinding device
Input: ims-psu - check if CDC union descriptor is sane
usb: usbtest: fix NULL pointer dereference
mac80211: don't compare TKIP TX MIC key in reinstall prevention
mac80211: use constant time comparison with keys
mac80211: accept key reinstall without changing anything
Linux 4.4.98
* PKCS#7: fix unitialized boolean 'want'
x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
can: c_can: don't indicate triple sampling support for D_CAN
can: sun4i: handle overrun in RX FIFO
rbd: use GFP_NOIO for parent stat and data requests
drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
Input: elan_i2c - add ELAN060C to the ACPI table
MIPS: AR7: Ensure that serial ports are properly set up
MIPS: AR7: Defer registration of GPIO
tools: firmware: check for distro fallback udev cancel rule
selftests: firmware: send expected errors to /dev/null
selftests: firmware: add empty string and async tests
test: firmware_class: report errors properly on failure
MIPS: SMP: Fix deadlock & online race
MIPS: Fix race on setting and getting cpu_online_mask
MIPS: SMP: Use a completion event to signal CPU up
MIPS: Fix CM region target definitions
MIPS: microMIPS: Fix incorrect mask in insn_table_MM
ALSA: seq: Avoid invalid lockdep class warning
ALSA: seq: Fix OSS sysex delivery in OSS emulation
ARM: 8720/1: ensure dump_instr() checks addr_limit
* KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
crypto: x86/sha1-mb - fix panic due to unaligned access
* workqueue: Fix NULL pointer dereference
* x86/uaccess, sched/preempt: Verify access_ok() context
platform/x86: hp-wmi: Do not shadow error values
platform/x86: hp-wmi: Fix error value for hp_wmi_tablet_state
KEYS: trusted: fix writing past end of buffer in trusted_read()
KEYS: trusted: sanitize all key material
* cdc_ncm: Set NTB format again after altsetting switch for Huawei devices
platform/x86: hp-wmi: Fix detection for dock and tablet mode
* net: dsa: select NET_SWITCHDEV
s390/qeth: issue STARTLAN as first IPA command
IB/ipoib: Change list_del to list_del_init in the tx object
Input: mpr121 - set missing event capability
Input: mpr121 - handle multiple bits change of status register
* IPsec: do not ignore crypto err in ah4 input
netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family
* usb: hcd: initialize hcd->flags to 0 when rm hcd
serial: sh-sci: Fix register offsets for the IRDA serial port
* phy: increase size of MII_BUS_ID_SIZE and bus_id
iio: trigger: free trigger resource correctly
crypto: vmx - disable preemption to enable vsx in aes_ctr.c
ARM: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6
powerpc/corenet: explicitly disable the SDHC controller on kmcoge4
iommu/arm-smmu-v3: Clear prior settings when updating STEs
KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
drm: drm_minor_register(): Clean up debugfs on failure
xen/netback: set default upper limit of tx/rx queues to 8
PCI: mvebu: Handle changes to the bridge windows while enabled
video: fbdev: pmag-ba-fb: Remove bad `__init' annotation
adv7604: Initialize drive strength to default when using DT
Linux 4.4.97
staging: r8712u: Fix Sparse warning in rtl871x_xmit.c
xen: don't print error message in case of missing Xenstore entry
bt8xx: fix memory leak
s390/dasd: check for device error pointer within state change interrupts
mei: return error on notification request to a disconnected client
exynos4-is: fimc-is: Unmap region obtained by of_iomap()
staging: lustre: ptlrpc: skip lock if export failed
staging: lustre: hsm: stack overrun in hai_dump_data_field
staging: lustre: llite: don't invoke direct_IO for the EOF case
platform/x86: intel_mid_thermal: Fix module autoload
scsi: aacraid: Process Error for response I/O
xen/manage: correct return value check on xenbus_scanf()
cx231xx: Fix I2C on Internal Master 3 Bus
perf tools: Only increase index if perf_evsel__new_idx() succeeds
drm/amdgpu: when dpm disabled, also need to stop/start vce.
i2c: riic: correctly finish transfers
* ext4: do not use stripe_width if it is not set
* ext4: fix stripe-unaligned allocations
staging: rtl8712u: Fix endian settings for structs describing network packets
mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped
mfd: ab8500-sysctrl: Handle probe deferral
ARM: pxa: Don't rely on public mmc header to include leds.h
mmc: s3cmci: include linux/interrupt.h for tasklet_struct
* PM / wakeirq: report a wakeup_event on dedicated wekup irq
Fix tracing sample code warning.
tracing/samples: Fix creation and deletion of simple_thread_fn creation
drm/msm: fix an integer overflow test
drm/msm: Fix potential buffer overflow issue
perf tools: Fix build failure on perl script context
ocfs2: fstrim: Fix start offset of first cluster group during fstrim
ARM: 8715/1: add a private asm/unaligned.h
ARM: dts: mvebu: pl310-cache disable double-linefill
* arm64: ensure __dump_instr() checks addr_limit
ASoC: adau17x1: Workaround for noise bug in ADC
* KEYS: fix out-of-bounds read during ASN.1 parsing
* KEYS: return full count in keyring_read() if buffer is too small
cifs: check MaxPathNameComponentLength != 0 before using it
ALSA: seq: Fix nested rwsem annotation for lockdep splat
* ALSA: timer: Add missing mutex lock for compat ioctls
Linux 4.4.96
Revert "drm: bridge: add DT bindings for TI ths8135"
* ecryptfs: fix dereference of NULL user_key_payload
x86/microcode/intel: Disable late loading on model 79
regulator: fan53555: fix I2C device ids
can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages
can: kvaser_usb: Correct return value in printout
can: sun4i: fix loopback mode
* scsi: sg: Re-fix off by one in sg_fill_request_table()
scsi: zfcp: fix erp_action use-before-initialize in REC action trace
* assoc_array: Fix a buggy node-splitting case
Input: gtco - fix potential out-of-bound access
Input: elan_i2c - add ELAN0611 to the ACPI table
xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()
* fuse: fix READDIRPLUS skipping an entry
* spi: uapi: spidev: add missing ioctl header
* usb: xhci: Handle error condition in xhci_stop_device()
ceph: unlock dangling spinlock in try_flush_caps()
ALSA: hda - fix headset mic problem for Dell machines with alc236
ALSA: hda/realtek - Add support for ALC236/ALC3204
* workqueue: replace pool->manager_arb mutex with a flag
Linux 4.4.95
FS-Cache: fix dereference of NULL user_key_payload
fscrypto: require write access to mount to set encryption policy
* KEYS: Fix race between updating and finding a negative key
* fscrypt: fix dereference of NULL user_key_payload
f2fs crypto: add missing locking for keyring_key access
f2fs crypto: replace some BUG_ON()'s with error checks
sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task()
parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
parisc: Avoid trashing sr2 and sr3 in LWS code
* pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
* KEYS: don't let add_key() update an uninstantiated key
lib/digsig: fix dereference of NULL user_key_payload
KEYS: encrypted: fix dereference of NULL user_key_payload
rtlwifi: rtl8821ae: Fix connection lost problem
clockevents/drivers/cs5535: Improve resilience to spurious interrupts
bus: mbus: fix window size calculation for 4GB windows
brcmsmac: make some local variables 'static const' to reduce stack size
i2c: ismt: Separate I2C block read from SMBus block read
ALSA: hda: Remove superfluous '-' added by printk conversion
ALSA: seq: Enable 'use' locking in all configurations
drm/nouveau/mmu: flush tlbs before deleting page tables
drm/nouveau/bsp/g92: disable by default
can: esd_usb2: Fix can_dlc value for received RTR, frames
usb: musb: Check for host-mode using is_host_active() on reset interrupt
usb: musb: sunxi: Explicitly release USB PHY on exit
can: gs_usb: fix busy loop if no more TX context is available
* ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
* usb: hub: Allow reset retry for USB2 devices on connect bounce
* usb: quirks: add quirk for WORLDE MINI MIDI keyboard
usb: cdc_acm: Add quirk for Elatec TWN3
USB: serial: metro-usb: add MS7820 device id
* USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
* USB: devio: Revert "USB: devio: Don't corrupt user memory"
Linux 4.4.94
Revert "tty: goldfish: Fix a parameter of a call to free_irq"
* cpufreq: CPPC: add ACPI_PROCESSOR dependency
nfsd/callback: Cleanup callback cred on shutdown
target/iscsi: Fix unsolicited data seq_end_offset calculation
* uapi: fix linux/mroute6.h userspace compilation errors
uapi: fix linux/rds.h userspace compilation errors
ceph: clean up unsafe d_parent accesses in build_dentry_path
i2c: at91: ensure state is restored after suspending
net: mvpp2: release reference to txq_cpu[] entry after unmapping
scsi: scsi_dh_emc: return success in clariion_std_inquiry()
* slub: do not merge cache if slub_debug contains a never-merge flag
ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock
* crypto: xts - Add ECB dependency
net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs
sparc64: Migrate hvcons irq to panicked cpu
* md/linear: shutup lockdep warnning
f2fs: do not wait for writeback in write_begin
Btrfs: send, fix failure to rename top level inode due to name collision
iio: adc: xilinx: Fix error handling
* netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
net/mlx4_en: fix overflow in mlx4_en_init_timestamp()
mac80211: fix power saving clients handling in iwlwifi
mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length
irqchip/crossbar: Fix incorrect type of local variables
watchdog: kempld: fix gcc-4.3 build
locking/lockdep: Add nest_lock integrity test
Revert "bsg-lib: don't free job in bsg_prepare_job"
tipc: use only positive error codes in messages
* net: Set sk_prot_creator when cloning sockets to the right proto
* packet: only test po->has_vnet_hdr once in packet_snd
* packet: in packet_do_bind, test fanout with bind_lock held
* tun: bail out from tun_get_user() if the skb is empty
* l2tp: fix race condition in l2tp_tunnel_delete
* l2tp: Avoid schedule while atomic in exit_net
* vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
isdn/i4l: fetch the ppp_write buffer in one shot
* bpf: one perf event close won't free bpf program attached by another perf event
* packet: hold bind lock when rebinding to fanout hook
net: emac: Fix napi poll list corruption
ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
* udpv6: Fix the checksum computation when HW checksum does not apply
bpf/verifier: reject BPF_ALU64|BPF_END
* sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
MIPS: Fix minimum alignment requirement of IRQ stack
drm/dp/mst: save vcpi with payloads
* percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
Linux 4.4.93
x86/alternatives: Fix alt_max_short macro to really be a max()
USB: serial: console: fix use-after-free after failed setup
USB: serial: qcserial: add Dell DW5818, DW5819
USB: serial: option: add support for TP-Link LTE module
USB: serial: cp210x: add support for ELV TFD500
USB: serial: ftdi_sio: add id for Cypress WICED dev board
* fix unbalanced page refcounting in bio_map_user_iov
* direct-io: Prevent NULL pointer access in submit_page_section
* usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
ALSA: line6: Fix leftover URB at error-path during probe
ALSA: caiaq: Fix stray URB at probe error path
ALSA: seq: Fix copy_from_user() call inside lock
ALSA: seq: Fix use-after-free at creating a port
* ALSA: usb-audio: Kill stray URB at exiting
iommu/amd: Finish TLB flush in amd_iommu_unmap()
usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
* crypto: shash - Fix zero-length shash ahash digest crash
* HID: usbhid: fix out-of-bounds bug
dmaengine: edma: Align the memcpy acnt array size with the transfer
MIPS: math-emu: Remove pr_err() calls from fpu_emu()
USB: dummy-hcd: Fix deadlock caused by disconnect detection
* rcu: Allow for page faults in NMI handlers
iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
* nl80211: Define policy for packet pattern attributes
CIFS: Reconnect expired SMB sessions
* ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets
brcmfmac: add length check in brcmf_cfg80211_escan_handler()
Linux 4.4.92
* ext4: don't allow encrypted operations without keys
ext4: Don't clear SGID when inheriting ACLs
* ext4: fix data corruption for mmap writes
* sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
nvme: protect against simultaneous shutdown invocations
drm/i915/bios: ignore HDMI on port A
brcmfmac: setup passive scan if requested by user-space
uwb: ensure that endpoint is interrupt
uwb: properly check kthread_run return value
iio: adc: mcp320x: Fix oops on module unload
iio: adc: mcp320x: Fix readout of negative voltages
iio: ad7793: Fix the serial interface reset
* iio: core: Return error for failed read_reg
staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
iio: ad_sigma_delta: Implement a dedicated reset function
iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()'
iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
* xhci: fix finding correct bus_state structure for USB 3.1 hosts
* USB: fix out-of-bounds in usb_set_configuration
* usb: Increase quirk delay for USB devices
* USB: core: harden cdc_parse_cdc_header
USB: uas: fix bug in handling of alternate settings
* scsi: sd: Do not override max_sectors_kb sysfs setting
iwlwifi: add workaround to disable wide channels in 5GHz
HID: i2c-hid: allocate hid buffers for real worst case
ftrace: Fix kmemleak in unregister_ftrace_graph
stm class: Fix a use-after-free
Drivers: hv: fcopy: restore correct transfer length
* driver core: platform: Don't read past the end of "driver_override" buffer
ALSA: usx2y: Suppress kernel warning at page allocation failures
* ALSA: compress: Remove unused variable
* lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
* USB: g_mass_storage: Fix deadlock when driver is unbound
usb: gadget: mass_storage: set msg_registered after msg registered
* USB: devio: Don't corrupt user memory
USB: dummy-hcd: Fix erroneous synchronization change
USB: dummy-hcd: fix infinite-loop resubmission bug
USB: dummy-hcd: fix connection failures (wrong speed)
* usb: pci-quirks.c: Corrected timeout values used in handshake
* ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
* usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
usb: gadget: udc: atmel: set vbus irqflags explicitly
USB: gadgetfs: fix copy_to_user while holding spinlock
USB: gadgetfs: Fix crash caused by inadequate synchronization
usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write
Linux 4.4.91
ttpci: address stringop overflow warning
ALSA: au88x0: avoid theoretical uninitialized access
ARM: remove duplicate 'const' annotations'
IB/qib: fix false-postive maybe-uninitialized warning
* drivers: firmware: psci: drop duplicate const from psci_of_match
libata: transport: Remove circular dependency at free time
xfs: remove kmem_zalloc_greedy
i2c: meson: fix wrong variable usage in meson_i2c_put_data
md/raid10: submit bio directly to replacement disk
rds: ib: add error handle
* iommu/io-pgtable-arm: Check for leaf entry before dereferencing it
parisc: perf: Fix potential NULL pointer dereference
netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
exynos-gsc: Do not swap cb/cr for semi planar formats
MIPS: IRQ Stack: Unwind IRQ stack onto task stack
* netfilter: invoke synchronize_rcu after set the _hook_ to NULL
* bridge: netlink: register netdevice before executing changelink
* mmc: sdio: fix alignment issue in struct sdio_func
* usb: plusb: Add support for PL-27A1
team: fix memory leaks
* net/packet: check length in getsockopt() called with PACKET_HDRLEN
* net: core: Prevent from dereferencing null pointer when releasing SKB
MIPS: Lantiq: Fix another request_mem_region() return code check
* ASoC: dapm: fix some pointer error handling
usb: chipidea: vbus event may exist before starting gadget
* audit: log 32-bit socketcalls
* ASoC: dapm: handle probe deferrals
* partitions/efi: Fix integer overflow in GPT size calculation
USB: serial: mos7840: fix control-message error handling
USB: serial: mos7720: fix control-message error handling
drm/amdkfd: fix improper return value on error
IB/ipoib: Replace list_del of the neigh->list with list_del_init
IB/ipoib: rtnl_unlock can not come after free_netdev
IB/ipoib: Fix deadlock over vlan_mutex
tty: goldfish: Fix a parameter of a call to free_irq
ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM
iio: adc: hx711: Add DT binding for avia,hx711
iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications
hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes
sh_eth: use correct name for ECMR_MPDE bit
extcon: axp288: Use vbus-valid instead of -present to determine cable presence
igb: re-assign hw address pointer on reset after PCI error
MIPS: ralink: Fix incorrect assignment on ralink_soc
MIPS: Ensure bss section ends on a long-aligned address
ARM: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes
RDS: RDMA: Fix the composite message user notification
GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next
drm: bridge: add DT bindings for TI ths8135
drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define
Linux 4.4.90
fix xen_swiotlb_dma_mmap prototype
swiotlb-xen: implement xen_swiotlb_dma_mmap callback
video: fbdev: aty: do not leak uninitialized padding in clk to userspace
KVM: VMX: use cmpxchg64
ARM: pxa: fix the number of DMA requestor lines
ARM: pxa: add the number of DMA requestor lines
dmaengine: mmp-pdma: add number of requestors
cxl: Fix driver use count
KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
KVM: VMX: do not change SN bit in vmx_update_pi_irte()
* timer/sysclt: Restrict timer migration sysctl values to 0 and 1
gfs2: Fix debugfs glocks dump
x86/fpu: Don't let userspace set bogus xcomp_bv
btrfs: prevent to set invalid default subvolid
btrfs: propagate error to btrfs_cmp_data_prepare caller
btrfs: fix NULL pointer dereference from free_reloc_roots()
* PCI: Fix race condition with driver_override
kvm: nVMX: Don't allow L2 to access the hardware CR8
KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
* arm64: fault: Route pte translation faults via do_translation_fault
* arm64: Make sure SPsel is always set
* seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
bsg-lib: don't free job in bsg_prepare_job
* nl80211: check for the required netlink attributes presence
* vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
SMB: Validate negotiate (to protect against downgrade) even if signing off
Fix SMB3.1.1 guest authentication to Samba
powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
* KEYS: prevent KEYCTL_READ on negative key
* KEYS: prevent creating a different user's keyrings
* KEYS: fix writing past end of user-supplied buffer in keyring_read()
crypto: talitos - fix sha224
crypto: talitos - Don't provide setkey for non hmac hashing algs.
scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
md/raid5: fix a race condition in stripe batch
* tracing: Erase irqsoff trace with empty write
* tracing: Fix trace_pipe behavior for instance traces
KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
mac80211: flush hw_roc_start work before cancelling the ROC
cifs: release auth_key.response for reconnect.
Linux 4.4.89
ftrace: Fix memleak when unregistering dynamic ops when tracing disabled
bcache: fix bch_hprint crash and improve output
bcache: fix for gc and write-back race
bcache: Correct return value for sysfs attach errors
bcache: correct cache_dirty_target in __update_writeback_rate()
bcache: do not subtract sectors_to_gc for bypassed IO
bcache: Fix leak of bdev reference
bcache: initialize dirty stripes in flash_dev_run()
media: uvcvideo: Prevent heap overflow when accessing mapped controls
* media: v4l2-compat-ioctl32: Fix timespec conversion
PCI: shpchp: Enable bridge bus mastering if MSI is enabled
ARC: Re-enable MMU upon Machine Check exception
* tracing: Apply trace_clock changes to instance max buffer
ftrace: Fix selftest goto location on error
scsi: qla2xxx: Fix an integer overflow in sysfs code
* scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
* scsi: sg: factor out sg_fill_request_table()
* scsi: sg: off by one in sg_ioctl()
* scsi: sg: use standard lists for sg_requests
* scsi: sg: remove 'save_scat_len'
scsi: storvsc: fix memory leak on ring buffer busy
scsi: megaraid_sas: Return pended IOCTLs with cmd_status MFI_STAT_WRONG_STATE in case adapter is dead
scsi: megaraid_sas: Check valid aen class range to avoid kernel panic
scsi: zfcp: trace high part of "new" 64 bit SCSI LUN
scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response
scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
scsi: zfcp: fix missing trace records for early returns in TMF eh handlers
scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA
scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records
scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path
scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
skd: Submit requests to firmware before triggering the doorbell
skd: Avoid that module unloading triggers a use-after-free
* md/bitmap: disable bitmap_resize for file-backed bitmaps.
* block: Relax a check in blk_start_queue()
powerpc: Fix DAR reporting when alignment handler faults
* ext4: fix quota inconsistency during orphan cleanup for read-only mounts
* ext4: fix incorrect quotaoff if the quota feature is enabled
crypto: AF_ALG - remove SGL terminator indicator when chaining
MIPS: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs
MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs
MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with opposite signs
MIPS: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative
MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero
MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation
Input: i8042 - add Gigabyte P57 to the keyboard reset table
* tty: fix __tty_insert_flip_char regression
* tty: improve tty_insert_flip_char() slow path
* tty: improve tty_insert_flip_char() fast path
* mm: prevent double decrease of nr_reserved_highatomic
nfsd: Fix general protection fault in release_lock_stateid()
md/raid5: release/flush io in raid5_do_work()
x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps
f2fs: check hot_data for roll-forward recovery
* ipv6: fix typo in fib6_net_exit()
* ipv6: fix memory leak with multiple tables during netns destruction
gianfar: Fix Tx flow control deactivation
* Revert "net: fix percpu memory leaks"
* Revert "net: use lib/percpu_counter API for fragmentation mem accounting"
* tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
* Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"
qlge: avoid memcpy buffer overflow
* ipv6: fix sparse warning on rt6i_node
* ipv6: add rcu grace period before freeing fib6_node
* ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
Conflicts:
arch/arm/include/asm/kvm_arm.h
arch/x86/include/asm/thread_info.h
drivers/gpu/drm/msm/msm_gem_submit.c
drivers/md/dm-bufio.c
drivers/media/v4l2-core/v4l2-compat-ioctl32.c
drivers/mmc/core/bus.c
drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
drivers/scsi/sg.c
drivers/scsi/ufs/ufshcd.h
drivers/usb/gadget/function/f_fs.c
drivers/usb/host/xhci-hub.c
kernel/fork.c
kernel/power/process.c
net/ipv4/raw.c
net/wireless/nl80211.c
scripts/Makefile.build
security/keys/keyctl.c
sound/usb/card.c
sound/usb/mixer.c
Change-Id: Ia5c1e792a3f23d9035d9843e7d520c67da04b03e
Signed-off-by: Thierry Strudel <tstrudel@google.com>
|
||
|
Greg Kroah-Hartman
|
5cc8c2ec61 |
Merge 4.4.110 into android-4.4
Changes in 4.4.110 x86/boot: Add early cmdline parsing for options with arguments KAISER: Kernel Address Isolation kaiser: merged update kaiser: do not set _PAGE_NX on pgd_none kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE kaiser: fix build and FIXME in alloc_ldt_struct() kaiser: KAISER depends on SMP kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER kaiser: fix perf crashes kaiser: ENOMEM if kaiser_pagetable_walk() NULL kaiser: tidied up asm/kaiser.h somewhat kaiser: tidied up kaiser_add/remove_mapping slightly kaiser: kaiser_remove_mapping() move along the pgd kaiser: cleanups while trying for gold link kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET kaiser: delete KAISER_REAL_SWITCH option kaiser: vmstat show NR_KAISERTABLE as nr_overhead kaiser: enhanced by kernel and user PCIDs kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user kaiser: PCID 0 for kernel and 128 for user kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user kaiser: paranoid_entry pass cr3 need to paranoid_exit kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls kaiser: fix unlikely error in alloc_ldt_struct() kaiser: add "nokaiser" boot option, using ALTERNATIVE x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling x86/kaiser: Check boottime cmdline params kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush kaiser: drop is_atomic arg to kaiser_pagetable_walk() kaiser: asm/tlbflush.h handle noPGE at lower level kaiser: kaiser_flush_tlb_on_return_to_user() check PCID x86/paravirt: Dont patch flush_tlb_single x86/kaiser: Reenable PARAVIRT kaiser: disabled on Xen PV x86/kaiser: Move feature detection up KPTI: Rename to PAGE_TABLE_ISOLATION KPTI: Report when enabled x86, vdso, pvclock: Simplify and speed up the vdso pvclock reader x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap x86/kasan: Clear kasan_zero_page after TLB flush kaiser: Set _PAGE_NX only if supported Linux 4.4.110 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Hugh Dickins
|
003e476716 |
kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE
Kaiser only needs to map one page of the stack; and kernel/fork.c did not build on powerpc (no __PAGE_KERNEL). It's all cleaner if linux/kaiser.h provides kaiser_map_thread_stack() and kaiser_unmap_thread_stack() wrappers around asm/kaiser.h's kaiser_add_mapping() and kaiser_remove_mapping(). And use linux/kaiser.h in init/main.c to avoid the #ifdefs there. Signed-off-by: Hugh Dickins <hughd@google.com> Acked-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Dave Hansen
|
bed9bb7f3e |
kaiser: merged update
Merged fixes and cleanups, rebased to 4.4.89 tree (no 5-level paging). Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Hugh Dickins <hughd@google.com> Acked-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Richard Fellner
|
8a43ddfb93 |
KAISER: Kernel Address Isolation
This patch introduces our implementation of KAISER (Kernel Address Isolation to
have Side-channels Efficiently Removed), a kernel isolation technique to close
hardware side channels on kernel address information.
More information about the patch can be found on:
https://github.com/IAIK/KAISER
From: Richard Fellner <richard.fellner@student.tugraz.at>
From: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
X-Subject: [RFC, PATCH] x86_64: KAISER - do not map kernel in user mode
Date: Thu, 4 May 2017 14:26:50 +0200
Link: http://marc.info/?l=linux-kernel&m=149390087310405&w=2
Kaiser-4.10-SHA1: c4b1831d44c6144d3762ccc72f0c4e71a0c713e5
To: <linux-kernel@vger.kernel.org>
To: <kernel-hardening@lists.openwall.com>
Cc: <clementine.maurice@iaik.tugraz.at>
Cc: <moritz.lipp@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: <kirill.shutemov@linux.intel.com>
Cc: <anders.fogh@gdata-adan.de>
After several recent works [1,2,3] KASLR on x86_64 was basically
considered dead by many researchers. We have been working on an
efficient but effective fix for this problem and found that not mapping
the kernel space when running in user mode is the solution to this
problem [4] (the corresponding paper [5] will be presented at ESSoS17).
With this RFC patch we allow anybody to configure their kernel with the
flag CONFIG_KAISER to add our defense mechanism.
If there are any questions we would love to answer them.
We also appreciate any comments!
Cheers,
Daniel (+ the KAISER team from Graz University of Technology)
[1] http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
[2] https://www.blackhat.com/docs/us-16/materials/us-16-Fogh-Using-Undocumented-CPU-Behaviour-To-See-Into-Kernel-Mode-And-Break-KASLR-In-The-Process.pdf
[3] https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX.pdf
[4] https://github.com/IAIK/KAISER
[5] https://gruss.cc/files/kaiser.pdf
[patch based also on
https://raw.githubusercontent.com/IAIK/KAISER/master/KAISER/0001-KAISER-Kernel-Address-Isolation.patch]
Signed-off-by: Richard Fellner <richard.fellner@student.tugraz.at>
Signed-off-by: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Signed-off-by: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Signed-off-by: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Dmitry Vyukov
|
9b83f370dc |
BACKPORT: kernel: add kcov code coverage
kcov provides code coverage collection for coverage-guided fuzzing (randomized testing). Coverage-guided fuzzing is a testing technique that uses coverage feedback to determine new interesting inputs to a system. A notable user-space example is AFL (http://lcamtuf.coredump.cx/afl/). However, this technique is not widely used for kernel testing due to missing compiler and kernel support. kcov does not aim to collect as much coverage as possible. It aims to collect more or less stable coverage that is function of syscall inputs. To achieve this goal it does not collect coverage in soft/hard interrupts and instrumentation of some inherently non-deterministic or non-interesting parts of kernel is disbled (e.g. scheduler, locking). Currently there is a single coverage collection mode (tracing), but the API anticipates additional collection modes. Initially I also implemented a second mode which exposes coverage in a fixed-size hash table of counters (what Quentin used in his original patch). I've dropped the second mode for simplicity. This patch adds the necessary support on kernel side. The complimentary compiler support was added in gcc revision 231296. We've used this support to build syzkaller system call fuzzer, which has found 90 kernel bugs in just 2 months: https://github.com/google/syzkaller/wiki/Found-Bugs We've also found 30+ bugs in our internal systems with syzkaller. Another (yet unexplored) direction where kcov coverage would greatly help is more traditional "blob mutation". For example, mounting a random blob as a filesystem, or receiving a random blob over wire. Why not gcov. Typical fuzzing loop looks as follows: (1) reset coverage, (2) execute a bit of code, (3) collect coverage, repeat. A typical coverage can be just a dozen of basic blocks (e.g. an invalid input). In such context gcov becomes prohibitively expensive as reset/collect coverage steps depend on total number of basic blocks/edges in program (in case of kernel it is about 2M). Cost of kcov depends only on number of executed basic blocks/edges. On top of that, kernel requires per-thread coverage because there are always background threads and unrelated processes that also produce coverage. With inlined gcov instrumentation per-thread coverage is not possible. kcov exposes kernel PCs and control flow to user-space which is insecure. But debugfs should not be mapped as user accessible. Based on a patch by Quentin Casasnovas. [akpm@linux-foundation.org: make task_struct.kcov_mode have type `enum kcov_mode'] [akpm@linux-foundation.org: unbreak allmodconfig] [akpm@linux-foundation.org: follow x86 Makefile layout standards] Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Cc: syzkaller <syzkaller@googlegroups.com> Cc: Vegard Nossum <vegard.nossum@oracle.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Tavis Ormandy <taviso@google.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com> Cc: Kostya Serebryany <kcc@google.com> Cc: Eric Dumazet <edumazet@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Kees Cook <keescook@google.com> Cc: Bjorn Helgaas <bhelgaas@google.com> Cc: Sasha Levin <sasha.levin@oracle.com> Cc: David Drysdale <drysdale@google.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Kirill A. Shutemov <kirill@shutemov.name> Cc: Jiri Slaby <jslaby@suse.cz> Cc: Ingo Molnar <mingo@elte.hu> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: "H. Peter Anvin" <hpa@zytor.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Bug: 64145065 (cherry-picked from 5c9a8750a6409c63a0f01d51a9024861022f6593) Change-Id: I17b5e04f6e89b241924e78ec32ead79c38b860ce Signed-off-by: Paul Lawrence <paullawrence@google.com> |
||
|
Michal Hocko
|
a8000ef564 |
BACKPORT: partial: mm, oom_reaper: do not mmput synchronously from the oom reaper context
(cherry picked from commit ec8d7c14ea14922fe21945b458a75e39f11dd832) Tetsuo has properly noted that mmput slow path might get blocked waiting for another party (e.g. exit_aio waits for an IO). If that happens the oom_reaper would be put out of the way and will not be able to process next oom victim. We should strive for making this context as reliable and independent on other subsystems as much as possible. Introduce mmput_async which will perform the slow path from an async (WQ) context. This will delay the operation but that shouldn't be a problem because the oom_reaper has reclaimed the victim's address space for most cases as much as possible and the remaining context shouldn't bind too much memory anymore. The only exception is when mmap_sem trylock has failed which shouldn't happen too often. The issue is only theoretical but not impossible. Signed-off-by: Michal Hocko <mhocko@suse.com> Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Cc: David Rientjes <rientjes@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Only backports mmput_async. Change-Id: I5fe54abcc629e7d9eab9fe03908903d1174177f1 Signed-off-by: Arve Hjønnevåg <arve@android.com> |