- 27 Apr, 2017 7 commits
-
-
Takashi Iwai authored
BugLink: http://bugs.launchpad.net/bugs/1681862 commit 2d7d5400 upstream. When a new event is queued while processing to resize the FIFO in snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool that is being queued gets removed. For avoiding this race, we need to close the pool to be deleted and sync its usage before actually deleting it. The issue was spotted by syzkaller. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
John Garry authored
BugLink: http://bugs.launchpad.net/bugs/1681862 commit 9702c67c upstream. The total ata xfer length may not be calculated properly, in that we do not use the proper method to get an sg element dma length. According to the code comment, sg_dma_len() should be used after dma_map_sg() is called. This issue was found by turning on the SMMUv3 in front of the hisi_sas controller in hip07. Multiple sg elements were being combined into a single element, but the original first element length was being use as the total xfer length. Fixes: ff2aeb1e ("libata: convert to chained sg") Signed-off-by: John Garry <john.garry@huawei.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
peter chang authored
BugLink: http://bugs.launchpad.net/bugs/1681862 commit bf33f87d upstream. The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size. Signed-off-by: Peter Chang <dpf@google.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
James Bottomley authored
BugLink: http://bugs.launchpad.net/bugs/1681862 commit ffb58456 upstream. mpt3sas has a firmware failure where it can only handle one pass through ATA command at a time. If another comes in, contrary to the SAT standard, it will hang until the first one completes (causing long commands like secure erase to timeout). The original fix was to block the device when an ATA command came in, but this caused a regression with commit 669f0441 Author: Bart Van Assche <bart.vanassche@sandisk.com> Date: Tue Nov 22 16:17:13 2016 -0800 scsi: srp_transport: Move queuecommand() wait code to SCSI core So fix the original fix of the secure erase timeout by properly returning SAM_STAT_BUSY like the SAT recommends. The original patch also had a concurrency problem since scsih_qcmd is lockless at that point (this is fixed by using atomic bitops to set and test the flag). [mkp: addressed feedback wrt. test_bit and fixed whitespace] Fixes: 18f6084a (mpt3sas: Fix secure erase premature termination) Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Acked-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reported-by: Ingo Molnar <mingo@kernel.org> Tested-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Cc: Joe Korty <joe.korty@ccur.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Conflicts: drivers/scsi/mpt3sas/mpt3sas_base.h Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
Ross Lagerwall authored
BugLink: http://bugs.launchpad.net/bugs/1681862 commit 7ecec850 upstream. When relocating the p2m, take special care not to relocate it so that is overlaps with the current location of the p2m/initrd. This is needed since the full extent of the current location is not marked as a reserved region in the e820. This was seen to happen to a dom0 with a large initial p2m and a small reserved region in the middle of the initial p2m. Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
Ilya Dryomov authored
BugLink: http://bugs.launchpad.net/bugs/1681862 commit 633ee407 upstream. sock_alloc_inode() allocates socket+inode and socket_wq with GFP_KERNEL, which is not allowed on the writeback path: Workqueue: ceph-msgr con_work [libceph] ffff8810871cb018 0000000000000046 0000000000000000 ffff881085d40000 0000000000012b00 ffff881025cad428 ffff8810871cbfd8 0000000000012b00 ffff880102fc1000 ffff881085d40000 ffff8810871cb038 ffff8810871cb148 Call Trace: [<ffffffff816dd629>] schedule+0x29/0x70 [<ffffffff816e066d>] schedule_timeout+0x1bd/0x200 [<ffffffff81093ffc>] ? ttwu_do_wakeup+0x2c/0x120 [<ffffffff81094266>] ? ttwu_do_activate.constprop.135+0x66/0x70 [<ffffffff816deb5f>] wait_for_completion+0xbf/0x180 [<ffffffff81097cd0>] ? try_to_wake_up+0x390/0x390 [<ffffffff81086335>] flush_work+0x165/0x250 [<ffffffff81082940>] ? worker_detach_from_pool+0xd0/0xd0 [<ffffffffa03b65b1>] xlog_cil_force_lsn+0x81/0x200 [xfs] [<ffffffff816d6b42>] ? __slab_free+0xee/0x234 [<ffffffffa03b4b1d>] _xfs_log_force_lsn+0x4d/0x2c0 [xfs] [<ffffffff811adc1e>] ? lookup_page_cgroup_used+0xe/0x30 [<ffffffffa039a723>] ? xfs_reclaim_inode+0xa3/0x330 [xfs] [<ffffffffa03b4dcf>] xfs_log_force_lsn+0x3f/0xf0 [xfs] [<ffffffffa039a723>] ? xfs_reclaim_inode+0xa3/0x330 [xfs] [<ffffffffa03a62c6>] xfs_iunpin_wait+0xc6/0x1a0 [xfs] [<ffffffff810aa250>] ? wake_atomic_t_function+0x40/0x40 [<ffffffffa039a723>] xfs_reclaim_inode+0xa3/0x330 [xfs] [<ffffffffa039ac07>] xfs_reclaim_inodes_ag+0x257/0x3d0 [xfs] [<ffffffffa039bb13>] xfs_reclaim_inodes_nr+0x33/0x40 [xfs] [<ffffffffa03ab745>] xfs_fs_free_cached_objects+0x15/0x20 [xfs] [<ffffffff811c0c18>] super_cache_scan+0x178/0x180 [<ffffffff8115912e>] shrink_slab_node+0x14e/0x340 [<ffffffff811afc3b>] ? mem_cgroup_iter+0x16b/0x450 [<ffffffff8115af70>] shrink_slab+0x100/0x140 [<ffffffff8115e425>] do_try_to_free_pages+0x335/0x490 [<ffffffff8115e7f9>] try_to_free_pages+0xb9/0x1f0 [<ffffffff816d56e4>] ? __alloc_pages_direct_compact+0x69/0x1be [<ffffffff81150cba>] __alloc_pages_nodemask+0x69a/0xb40 [<ffffffff8119743e>] alloc_pages_current+0x9e/0x110 [<ffffffff811a0ac5>] new_slab+0x2c5/0x390 [<ffffffff816d71c4>] __slab_alloc+0x33b/0x459 [<ffffffff815b906d>] ? sock_alloc_inode+0x2d/0xd0 [<ffffffff8164bda1>] ? inet_sendmsg+0x71/0xc0 [<ffffffff815b906d>] ? sock_alloc_inode+0x2d/0xd0 [<ffffffff811a21f2>] kmem_cache_alloc+0x1a2/0x1b0 [<ffffffff815b906d>] sock_alloc_inode+0x2d/0xd0 [<ffffffff811d8566>] alloc_inode+0x26/0xa0 [<ffffffff811da04a>] new_inode_pseudo+0x1a/0x70 [<ffffffff815b933e>] sock_alloc+0x1e/0x80 [<ffffffff815ba855>] __sock_create+0x95/0x220 [<ffffffff815baa04>] sock_create_kern+0x24/0x30 [<ffffffffa04794d9>] con_work+0xef9/0x2050 [libceph] [<ffffffffa04aa9ec>] ? rbd_img_request_submit+0x4c/0x60 [rbd] [<ffffffff81084c19>] process_one_work+0x159/0x4f0 [<ffffffff8108561b>] worker_thread+0x11b/0x530 [<ffffffff81085500>] ? create_worker+0x1d0/0x1d0 [<ffffffff8108b6f9>] kthread+0xc9/0xe0 [<ffffffff8108b630>] ? flush_kthread_worker+0x90/0x90 [<ffffffff816e1b98>] ret_from_fork+0x58/0x90 [<ffffffff8108b630>] ? flush_kthread_worker+0x90/0x90 Use memalloc_noio_{save,restore}() to temporarily force GFP_NOIO here. Link: http://tracker.ceph.com/issues/19309Reported-by: Sergey Jerusalimov <wintchester@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
Thadeu Lima de Souza Cascardo authored
Ignore: yes Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
- 26 Apr, 2017 4 commits
-
-
Kleber Sacilotto de Souza authored
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Kleber Sacilotto de Souza authored
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Haiyang Zhang authored
BugLink: http://bugs.launchpad.net/bugs/1684971Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com> Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
BugLink: http://bugs.launchpad.net/bugs/1669672Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
- 25 Apr, 2017 5 commits
-
-
Shrirang Bagul authored
BugLink: http://bugs.launchpad.net/bugs/1669672 This patch updates the kernel config for latest Redpine Wifi-BT combo chip driver ver. 1.2.RC4 Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Shrirang Bagul authored
BugLink: http://bugs.launchpad.net/bugs/1669672 Vendor release ver: 1.2.RC4 Changelog: 1.2.RC4 - WLAN Bug Fixes: --------------- 1) Buffer status interrupt handling improved. 2) Scan results update in sta+bt dual mode issue resolved WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) S5 with WoWLAN does not work. 2) For GTK rekey, wakeup trigger send to host. BT Limitations/Features NOT Supported: ---------------------------------------- 1) To connect multiple BT slaves, connection should be initiated from rsi module. 2) In coex mode, BT file transfer fails at times with certain mobiles. 1.2.RC3 - WLAN Bug Fixes: --------------- 1) WoWLAN multiple cycles issue resolved. 2) Driver Version is correctly updated. 3) Default operating mode for Caracalla board is corrected. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) S5 with WoWLAN does not work. 2) For GTK rekey, wakeup trigger send to host. BT New Features: ---------------- 1) Multiple slaves issue in WLAN-BT coex mode resolved. BT Limitations/Features NOT Supported: -------------------------------------- 1) To connect multiple BT slaves, connection should be initiated from rsi module. 2) In coex mode, BT file transfer fails at times with certain mobiles. 1.2.RC2 - WLAN Bug Fixes: --------------- 1) Suspend/resume issues resolved. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) S5 with WoWLAN does not work. 2) For GTK rekey, wakeup trigger send to host. 3) EAP not tested BT Limitations/Features NOT Supported: -------------------------------------- 1) To connect multiple BT slaves, connection should be initiated from rsi module. 2) In coex mode, BT file transfer fails at times with certain mobiles. 1.2.RC1 - WLAN New Features: ------------------ 1) Restrict functional modes as per device operating mode 2) Default operating mode for Caracalla board is 13 WLAN Bug Fixes: --------------- 1) Driver oops issue if more than 4 clients try to connect in operating mode 14 resolved. 2) Issue with connecting more than max clients and disconnection issue resolved. 3) L2 test stop when wlan interface down issue resolved. 4) Driver version corrected. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) S5 with WoWLAN does not work. 2) For GTK rekey, wakeup trigger send to host. 3) EAP not tested 4) For channels 12 and 13 in US region max TX power is coming 0 in beacons. BT Limitations/Features NOT Supported: ---------------------------------------- 1) To connect multiple BT slaves, connection should be initiated from rsi module. 2) In coex mode, BT file transfer fails at times with certain mobiles. 1.1 - Generic ------- 1) Firmware file name is displayed along with version information. at the driver load time. 2) Device operating mode is made available in the below files: /sys/module/rsi_sdio/parameters/dev_oper_mode /sys/module/rsi_usb/parameters/dev_oper_mode 3) Wi-Fi BT radio sharing has been improved. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) S5 with WoWLAN does not work. 2) For GTK rekey, wakeup trigger send to host. 3) EAP not tested 4) For channels 12 and 13 in US region max TX power is coming 0 in beacons. BT Limitations/Features NOT Supported: -------------------------------------- 1) To connect multiple BT slaves, connection should be initiated from rsi module. 2) In coex mode, BT file transfer fails at times with certain mobiles. 1.0.RC7 - Generic ------- 1) Driver version, Firmware version and operating mode information is displayed at the driver load time. 2) Driver version is made available in the below files: /sys/module/rsi_91x/version /sys/module/rsi_sdio/version /sys/module/rsi_usb/version WLAN Bug Fixes: --------------- 1) Power save latencies resolved WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) S5 with WoWLAN does not work. 2) For GTK rekey, wakeup trigger send to host. 3) EAP not tested BT Limitations/Features NOT Supported: -------------------------------------- 1) To connect multiple BT slaves, connection should be initiated from rsi module. 2) In coex mode, BT file transfer fails at times with certain mobiles. 1.0 - WLAN New Features: ------------------ 1) Station mode 2) All Security modes (WEP/WPA/WPA2) 3) Station Power save (legacy and UAPSD) 4) Bgscan and roaming 5) External antenna selection 6) Neighbour report request in RRM 7) Regulatory (802)11d) support 8) Management frame protection support (802)11w) 9) Software RF-kill 10) AP mode 11) S3, S4 suspend and resume 12) WoWLAN 13) AP Power save 14) Wi-Fi direct WLAN Bug Fixes: --------------- 1) Allowed channels 12 and 13 in FCC region. 2) For the allowed channels 12 and 13 in any region, power configuration updated as per Caracalla regulatory rules. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) S5 with WoWLAN does not work. 2) For GTK rekey, wakeup trigger send to host. 3) EAP not tested BT New Features: ---------------- 1) BT EDR mode 2) BT LE mode 3) BT coex mode (All the coex modes)) 4) Multi-slave mode supported) BT Limitations/Features NOT Supported: ---------------------------------------- 1) To connect multiple BT slaves, connection should be initiated from rsi module. 2) In coex mode, BT file transfer fails at times with certain mobiles. 1.0_RC3 - Gerenic: -------- 1) Device operating mode is changed as module parameter. Please check README or TRM on how to configure this while loading the modules. 2) Max number of stations supported in Wi-Fi AP alone mode is 32, and AP + BT coex mode is 4. 3) AP + BT-EDR + BLE support added. WLAN Bug Fixes: --------------- 1) Bgscan probe request issue resolved. 2) WoWLAN before association issue resolved. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) S4 with and without WoWLAN works with the work-around implemented by Canonical. 2) S5 with WoWLAN does not work. 3) For GTK rekey, wakeup trigger send to host. 4) EAP not tested 5) To connect multiple BT slaves, connection should be initiated from rsi module. 6) In coex mode, BT file transfer fails at times with certain mobiles. BT New Features: ---------------- 1) Multi-slave mode supported. BT Bug Fixes: ------------- 1) Radio sharing of coex modes improved. 1.0.RC2 - WLAN Bug Fixes: --------------- 1) PVB preparation issue in AP mode resolved. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) EAP not supported 2) Issue while Resume in S4 with or without WoWLAN. 3) S5 with WoWLAN does not work. 4) For GTK rekey, wakeup trigger send to host. BT Bug Fixes: ------------- 1) BT dual mode disconnection issue resolved 2) AP BT dual mode issue resolved 1.0_RC1 - WLAN Bug Fixes: --------------- 1) WoWLAN in Co-ex mode issue resolved. 2) AP beacon DTIM count update issue resolved. 3) Firmware assertion (0x5d) in bgscan issue is resolved. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) EAP not supported 2) Issue while Resume in S4 with or without WoWLAN. 3) S5 with WoWLAN does not work. 4) For GTK rekey, wakeup trigger send to host. 0.9.8.5_RC6 - WLAN Bug Fixes: --------------- 1) Firmware CRC check fail issue resolved 2) Compilation fails on 4.10.1 kernel issue resolved 3) BG scan issues resolved 4) AP mode regulatory fixes 5) WoWLAN issues resolved. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) EAP not supported 2) Issue while Resume in S4 with or without WoWLAN. 3) S5 with WoWLAN does not work. 4) For GTK rekey, wakeup trigger send to host. 0.9.8.5_RC4 - WLAN Bug Fixes: ------------------- 1) AP mode configuration in channels 12 and 13 for EU region issue resolved. 2) Data latencies in AP mode issue resolved. 3) Roaming issues resolved. 4) AP WEP mode issue resolved. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) EAP not supported 2) Issue while Resume in S4 with or without WoWLAN. 3) S5 with WoWLAN does not work. 4) For GTK rekey, wakeup trigger send to host. 5) WoWLAN does not work in WEP mode. Others: ------- 1) USB binds only to RS9113, let upstream kernel driver handle other RSI chips 0.9.8.5_RC3 - WLAN Bug Fixes: ------------------- 1) Power save issue in station mode (By default UAPSD is enabled on Caracalla board) fixed. 2) WoWLAN with S3 issue resolved WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) EAP not supported 2) Not verified removing SDIO interrupt polling 3) S4/S5 sleep states not supported (with and without WoWLAN) 0.9.8.5_RC2 - WLAN Bug Fixes: ------------------- 1) Power save issue in station mode (By default UAPSD is enabled on Caracalla board) fixed. 2) Firmware assert 0x71 (while doing bgscan) issue fixed. 3) Keep alive functionality in station mode issue fixed. 4) Data traffic stops when connected to multiple stations issue resolved 5) WoWLAN not working issue is resolved WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) EAP not supported 2) Not verified removing SDIO interrupt polling 3) S4/S5 sleep states not supported (with and without WoWLAN) 4) Wi-Fi direct testing is in progress 0.9.8.5_RC1 - WLAN Bug Fixes: ------------------- 1) Observed unicast probe requests during bgscan issue fixed 2) Firmware assert 0x71 (while doing bgscan) issue fixed. 3) Crash when doing rmmod while data traffic is going on issue resolved. 4) Beacons stopped after 5 minutes of data traffic issue fixed. 5) Keep alive functionality in station mode issue fixed 6) 11n data rates issue in station mode resolved. WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) EAP not supported 2) Not verified removing SDIO interrupt polling 3) S4/S5 sleep states not supported (with.without WoWLAN) 4) power save is not working consistently 5) WoWLAN is not working consistently 0.9.8.3 - WLAN New Features: ----------------------------------------- 1) AP Mode 2) S3, S4 suspend and resume 3) WoWLAN [Testing in progress] WLAN Bug Fixes: ------------------- 1) First EAPOL drop issue is resolved 2) Firmware Assert while roaming issue is resolved (Provide driver bgsan should be enabled along with supplicant bgscan) 3) Roaming takes longer time issue is resolved 4) Added polling support as a work-around for the SDIO interrupt issue on some platforms WLAN Limitations/Features NOT Supported: ---------------------------------------- 1) Wi-Fi Direct mode not supported 2) EAP not supported 3) SDIO interrupts are not being delivered to the 9113 driver 4) In S4 state 9113 device gets reset but device isn't getting re-enumerated. Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Shrirang Bagul authored
BugLink: http://bugs.launchpad.net/bugs/1669672 This patch adds a guard against changes in commit 2171e55 being applied to the complete SDHCI sub-system. PCI Subsystem ID 1028:07b9 is used to uniquely identify Dell IoT gateway. Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Shrirang Bagul authored
BugLink: http://bugs.launchpad.net/bugs/1685133 This patch adds the vendor release version on the Exar USB serial device. Features include: 1. Fix for RX fail after wake-up from sleep (S3/S4) 2. Removes unnecessary debug messages Changelog: Version 1B, 11/6/2015 Fixed Bug: The conditional logic to support kernel 3.9 was incorrect(line 396 in xr_usb_serial_common.c). Version 1A, 1/9/2015 This driver will work with any USB UART function in these Exar devices: XR21V1410/1412/1414 XR21B1411 XR21B1420/1422/1424 XR22801/802/804 Exar serial devices are typically enuremated as /dev/ttyXRUSB[0-3]. Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Kleber Sacilotto de Souza authored
Ignore: yes Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
- 20 Apr, 2017 2 commits
-
-
Stefan Bader authored
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
Vitaly Kuznetsov authored
BugLink: http://bugs.launchpad.net/bugs/1682561 Waiting for release_event in all three drivers introduced issues on release as on_reset() hook is not always called. E.g. if the device was never opened we will never get the completion. Move the waiting code to hvutil_transport_destroy() and make sure it is only called when the device is open. hvt->lock serialization should guarantee the absence of races. Fixes: 5a66fecb ("Drivers: hv: util: kvp: Fix a rescind processing issue") Fixes: 20951c75 ("Drivers: hv: util: Fcopy: Fix a rescind processing issue") Fixes: d77044d1 ("Drivers: hv: util: Backup: Fix a rescind processing issue") Reported-by: Dexuan Cui <decui@microsoft.com> Tested-by: Dexuan Cui <decui@microsoft.com> Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit e9c18ae6) Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Acked-by: Colin King <colin.king@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
- 19 Apr, 2017 1 commit
-
-
Stefan Bader authored
Ignore: yes Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
- 12 Apr, 2017 3 commits
-
-
Stefan Bader authored
-
Vitaly Kuznetsov authored
BugLink: http://bugs.launchpad.net/bugs/1681893 DoS protection conditions were altered in WS2016 and now it's easy to get -EAGAIN returned from vmbus_post_msg() (e.g. when we try changing MTU on a netvsc device in a loop). All vmbus_post_msg() callers don't retry the operation and we usually end up with a non-functional device or crash. While host's DoS protection conditions are unknown to me my tests show that it can take up to 10 seconds before the message is sent so doing udelay() is not an option, we really need to sleep. Almost all vmbus_post_msg() callers are ready to sleep but there is one special case: vmbus_initiate_unload() which can be called from interrupt/NMI context and we can't sleep there. I'm also not sure about the lonely vmbus_send_tl_connect_request() which has no in-tree users but its external users are most likely waiting for the host to reply so sleeping there is also appropriate. Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Cc: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit c0bb0392) Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Acked-by: Marcelo Cerri <marcelo.cerri@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
Stefan Bader authored
Ignore: yes Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-
- 06 Apr, 2017 18 commits
-
-
Thadeu Lima de Souza Cascardo authored
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
Marcelo Ricardo Leitner authored
commit 2dcab598 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf") attempted to avoid a BUG_ON call when the association being used for a sendmsg() is blocked waiting for more sndbuf and another thread did a peeloff operation on such asoc, moving it to another socket. As Ben Hutchings noticed, then in such case it would return without locking back the socket and would cause two unlocks in a row. Further analysis also revealed that it could allow a double free if the application managed to peeloff the asoc that is created during the sendmsg call, because then sctp_sendmsg() would try to free the asoc that was created only for that call. This patch takes another approach. It will deny the peeloff operation if there is a thread sleeping on the asoc, so this situation doesn't exist anymore. This avoids the issues described above and also honors the syscalls that are already being handled (it can be multiple sendmsg calls). Joint work with Xin Long. Fixes: 2dcab598 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf") Cc: Alexander Popov <alex.popov@linux.com> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit dfcb9f4f) CVE-2017-6353 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com>
-
Paolo Pisati authored
BugLink: http://bugs.launchpad.net/bugs/1677230Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
Tim Gardner authored
BugLink: http://bugs.launchpad.net/bugs/1678099Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
The lperms struct is uninitialized for use with auditing if there is an early failure due to a path name error. This can result in incorrect logging or in the extreme case apparmor killing the task with a signal which results in the failure in the referenced bug. BugLink: http://bugs.launchpad.net/bugs/1664912Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
The patch Fix no_new_privs blocking change_onexec when using stacked namespaces changed when the no_new_privs checks is processed so the test could be correctly applied in a stacked profile situation. However it changed the behavior of the error returned in complain mode, which will have both @error and @new set. Fix this by introducing a new var to indicate the no_new_privs condition instead of relying on error. While doing this allow the new label under no new privs to be audited, by having its reference put in the error path, instead of in the no_new_privs condition check. BugLink: http://bugs.launchpad.net/bugs/1661030 BugLink: http://bugs.launchpad.net/bugs/1648903Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Colin King <colin.king@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com>
-
John Johansen authored
null profiles that don't have the same control flags as the parent behave in unexpected ways and can cause failures. BugLink: http://bugs.launchpad.net/bugs/1656121Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
BugLink: http://bugs.launchpad.net/bugs/1660849Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
Push the no_new_privs logic into the per profile transition fns, so that the no_new_privs check can be done at the ns level instead of the aggregate stack level. BugLink: http://bugs.launchpad.net/bugs/1648143Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
Bind mounts can oops when devname lookup fails because the devname is uninitialized and used in auditing the denial. BugLink: http://bugs.launchpad.net/bugs/1660840Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
When an fd is disallowed from being inherited during exec, instead of closed it is duped to a special apparmor/.null file. This prevents the fd from being reused by another file in case the application expects the original file on a give fd (eg stdin/stdout etc). This results in a denial message like [32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536 Further access to the fd is resultin in the rather useless denial message of [32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0 since we have the original denial, the noisy and useless .null based denials can be skipped. BugLink: http://bugs.launchpad.net/bugs/1660836Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
When a new label is created, it is created with a proxy in a circular ref count that is broken by replacement. However if the label is not used it will never be replaced and the circular ref count will never be broken resulting in a leak. BugLink: http://bugs.launchpad.net/bugs/1660834Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
@new does not have a reference taken locally and should not have its reference put locally either. BugLink: http://bugs.launchpad.net/bugs/1660833Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
The reading of rawdata is subject to a replacement race when the rawdata is read in chunks smaller than the data size. For each read the profile proxy is rechecked for the newest profile; Which means if a profile is replaced between reads later chunks will contain data from the new version of the profile while the earlier reads will contain data from the previous version. This can result in data that is inconsistent and corrupt. Instead of rechecking for the current profile at each read. Get the current profile at the time of the open and use the rawdata of the profile for the lifetime that the file handle is open. BugLink: http://bugs.launchpad.net/bugs/1638996Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
John Johansen authored
When using nested namespaces policy within the nested namespace is trying to cross validate with policy outside of the namespace that is not visible to it. This results the access being denied and with no way to add a rule to policy that would allow it. The check should only be done again policy that is visible. BugLink: http://bugs.launchpad.net/bugs/1660832Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
Greg Kroah-Hartman authored
BugLink: http://bugs.launchpad.net/bugs/1678960Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
Sebastian Andrzej Siewior authored
BugLink: http://bugs.launchpad.net/bugs/1678960 commit 619bd4a7 upstream. Since the change in commit: fd7a4bed ("sched, rt: Convert switched_{from, to}_rt() / prio_changed_rt() to balance callbacks") ... we don't reschedule a task under certain circumstances: Lets say task-A, SCHED_OTHER, is running on CPU0 (and it may run only on CPU0) and holds a PI lock. This task is removed from the CPU because it used up its time slice and another SCHED_OTHER task is running. Task-B on CPU1 runs at RT priority and asks for the lock owned by task-A. This results in a priority boost for task-A. Task-B goes to sleep until the lock has been made available. Task-A is already runnable (but not active), so it receives no wake up. The reality now is that task-A gets on the CPU once the scheduler decides to remove the current task despite the fact that a high priority task is enqueued and waiting. This may take a long time. The desired behaviour is that CPU0 immediately reschedules after the priority boost which made task-A the task with the lowest priority. Suggested-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mike Galbraith <efault@gmx.de> Cc: Thomas Gleixner <tglx@linutronix.de> Fixes: fd7a4bed ("sched, rt: Convert switched_{from, to}_rt() prio_changed_rt() to balance callbacks") Link: http://lkml.kernel.org/r/20170124144006.29821-1-bigeasy@linutronix.deSigned-off-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
Eric Biggers authored
BugLink: http://bugs.launchpad.net/bugs/1678960 commit 1b53cf98 upstream. Filesystem encryption ostensibly supported revoking a keyring key that had been used to "unlock" encrypted files, causing those files to become "locked" again. This was, however, buggy for several reasons, the most severe of which was that when key revocation happened to be detected for an inode, its fscrypt_info was immediately freed, even while other threads could be using it for encryption or decryption concurrently. This could be exploited to crash the kernel or worse. This patch fixes the use-after-free by removing the code which detects the keyring key having been revoked, invalidated, or expired. Instead, an encrypted inode that is "unlocked" now simply remains unlocked until it is evicted from memory. Note that this is no worse than the case for block device-level encryption, e.g. dm-crypt, and it still remains possible for a privileged user to evict unused pages, inodes, and dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by simply unmounting the filesystem. In fact, one of those actions was already needed anyway for key revocation to work even somewhat sanely. This change is not expected to break any applications. In the future I'd like to implement a real API for fscrypt key revocation that interacts sanely with ongoing filesystem operations --- waiting for existing operations to complete and blocking new operations, and invalidating and sanitizing key material and plaintext from the VFS caches. But this is a hard problem, and for now this bug must be fixed. This bug affected almost all versions of ext4, f2fs, and ubifs encryption, and it was potentially reachable in any kernel configured with encryption support (CONFIG_EXT4_ENCRYPTION=y, CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or CONFIG_UBIFS_FS_ENCRYPTION=y). Note that older kernels did not use the shared fs/crypto/ code, but due to the potential security implications of this bug, it may still be worthwhile to backport this fix to them. Fixes: b7236e21 ("ext4 crypto: reorganize how we store keys in the inode") Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Acked-by: Michael Halcrow <mhalcrow@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-