commit ab35d16f66d63b625396edfba013dd258e13f560 Author: Greg Kroah-Hartman Date: Sat Jul 15 13:09:20 2017 +0200 Linux 4.12.2 commit 2607611714b9ed2da7ba0d0fa3a038578dc20462 Author: Mikulas Patocka Date: Tue Jul 4 19:04:23 2017 -0400 x86/mm/pat: Don't report PAT on CPUs that don't support it commit 99c13b8c8896d7bcb92753bf0c63a8de4326e78d upstream. The pat_enabled() logic is broken on CPUs which do not support PAT and where the initialization code fails to call pat_init(). Due to that the enabled flag stays true and pat_enabled() returns true wrongfully. As a consequence the mappings, e.g. for Xorg, are set up with the wrong caching mode and the required MTRR setups are omitted. To cure this the following changes are required: 1) Make pat_enabled() return true only if PAT initialization was invoked and successful. 2) Invoke init_cache_modes() unconditionally in setup_arch() and remove the extra callsites in pat_disable() and the pat disabled code path in pat_init(). Also rename __pat_enabled to pat_disabled to reflect the real purpose of this variable. Fixes: 9cd25aac1f44 ("x86/mm/pat: Emulate PAT when it is disabled") Signed-off-by: Mikulas Patocka Signed-off-by: Thomas Gleixner Cc: Bernhard Held Cc: Denys Vlasenko Cc: Peter Zijlstra Cc: Brian Gerst Cc: "Luis R. Rodriguez" Cc: Borislav Petkov Cc: Andy Lutomirski Cc: Josh Poimboeuf Cc: Andrew Morton Cc: Linus Torvalds Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1707041749300.3456@file01.intranet.prod.int.rdu2.redhat.com Signed-off-by: Greg Kroah-Hartman commit 20417e9a54561cfe70bd9d818d0c00f51bbc89c2 Author: Chao Yu Date: Fri Jun 23 01:08:22 2017 -0400 ext4: check return value of kstrtoull correctly in reserved_clusters_store commit 1ea1516fbbab2b30bf98c534ecaacba579a35208 upstream. kstrtoull returns 0 on success, however, in reserved_clusters_store we will return -EINVAL if kstrtoull returns 0, it makes us fail to update reserved_clusters value through sysfs. Fixes: 76d33bca5581b1dd5c3157fa168db849a784ada4 Signed-off-by: Chao Yu Signed-off-by: Miao Xie Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit f85a3c8f00bd687d26e70b0f58df0041aabde601 Author: Jason A. Donenfeld Date: Sun Jun 11 23:20:23 2017 +0200 crypto: rsa-pkcs1pad - use constant time memory comparison for MACs commit fec17cb2231733174e039ad9054fa16bb358e2ec upstream. Otherwise, we enable all sorts of forgeries via timing attack. Signed-off-by: Jason A. Donenfeld Suggested-by: Stephan Müller Cc: Herbert Xu Cc: linux-crypto@vger.kernel.org Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit d56e029fc227ff6be9d780da1f3e9b893be47cea Author: Horia Geantă Date: Mon Jun 19 11:44:45 2017 +0300 crypto: caam - fix gfp allocation flags (part I) commit 42cfcafb91dabb0f9d9e08396c39824535948c67 upstream. Changes in the SW cts (ciphertext stealing) code in commit 0605c41cc53ca ("crypto: cts - Convert to skcipher") revealed a problem in the CAAM driver: when cts(cbc(aes)) is executed and cts runs in SW, cbc(aes) is offloaded in CAAM; cts encrypts the last block in atomic context and CAAM incorrectly decides to use GFP_KERNEL for memory allocation. Fix this by allowing GFP_KERNEL (sleeping) only when MAY_SLEEP flag is set, i.e. remove MAY_BACKLOG flag. We split the fix in two parts - first is sent to -stable, while the second is not (since there is no known failure case). Link: http://lkml.kernel.org/g/20170602122446.2427-1-david@sigma-star.at Reported-by: David Gstir Signed-off-by: Horia Geantă Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 03cbf4a3066bb98a6143cec8161b9fbe8500b8a1 Author: Ian Abbott Date: Fri Jun 16 19:35:34 2017 +0100 staging: comedi: fix clean-up of comedi_class in comedi_init() commit a9332e9ad09c2644c99058fcf6ae2f355e93ce74 upstream. There is a clean-up bug in the core comedi module initialization functions, `comedi_init()`. If the `comedi_num_legacy_minors` module parameter is non-zero (and valid), it creates that many "legacy" devices and registers them in SysFS. A failure causes the function to clean up and return an error. Unfortunately, it fails to destroy the "comedi" class that was created earlier. Fix it by adding a call to `class_destroy(comedi_class)` at the appropriate place in the clean-up sequence. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 09d05eb32d7a720a160024ce707f5e6ee9d86ee4 Author: Malcolm Priestley Date: Sat Apr 29 13:03:44 2017 +0100 staging: vt6556: vnt_start Fix missing call to vnt_key_init_table. commit dc32190f2cd41c7dba25363ea7d618d4f5172b4e upstream. The key table is not intialized correctly without this call. Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit 0155f201e29d3886b28c6156b164238a660871ad Author: Kirill Tkhai Date: Fri Jun 16 16:44:34 2017 +0300 locking/rwsem-spinlock: Fix EINTR branch in __down_write_common() commit a0c4acd2c220376b4e9690e75782d0c0afdaab9f upstream. If a writer could been woken up, the above branch if (sem->count == 0) break; would have moved us to taking the sem. So, it's not the time to wake a writer now, and only readers are allowed now. Thus, 0 must be passed to __rwsem_do_wake(). Next, __rwsem_do_wake() wakes readers unconditionally. But we mustn't do that if the sem is owned by writer in the moment. Otherwise, writer and reader own the sem the same time, which leads to memory corruption in callers. rwsem-xadd.c does not need that, as: 1) the similar check is made lockless there, 2) in __rwsem_mark_wake::try_reader_grant we test, that sem is not owned by writer. Signed-off-by: Kirill Tkhai Acked-by: Peter Zijlstra Cc: Linus Torvalds Cc: Niklas Cassel Cc: Peter Zijlstra (Intel) Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 17fcbd590d0c "locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y" Link: http://lkml.kernel.org/r/149762063282.19811.9129615532201147826.stgit@localhost.localdomain Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit dd236b3c9aa79d4ef8ce5700db2aa1727c98f8cf Author: Eric W. Biederman Date: Thu Jul 6 08:41:06 2017 -0500 proc: Fix proc_sys_prune_dcache to hold a sb reference commit 2fd1d2c4ceb2248a727696962cf3370dc9f5a0a4 upstream. Andrei Vagin writes: FYI: This bug has been reproduced on 4.11.7 > BUG: Dentry ffff895a3dd01240{i=4e7c09a,n=lo} still in use (1) [unmount of proc proc] > ------------[ cut here ]------------ > WARNING: CPU: 1 PID: 13588 at fs/dcache.c:1445 umount_check+0x6e/0x80 > CPU: 1 PID: 13588 Comm: kworker/1:1 Not tainted 4.11.7-200.fc25.x86_64 #1 > Hardware name: CompuLab sbc-flt1/fitlet, BIOS SBCFLT_0.08.04 06/27/2015 > Workqueue: events proc_cleanup_work > Call Trace: > dump_stack+0x63/0x86 > __warn+0xcb/0xf0 > warn_slowpath_null+0x1d/0x20 > umount_check+0x6e/0x80 > d_walk+0xc6/0x270 > ? dentry_free+0x80/0x80 > do_one_tree+0x26/0x40 > shrink_dcache_for_umount+0x2d/0x90 > generic_shutdown_super+0x1f/0xf0 > kill_anon_super+0x12/0x20 > proc_kill_sb+0x40/0x50 > deactivate_locked_super+0x43/0x70 > deactivate_super+0x5a/0x60 > cleanup_mnt+0x3f/0x90 > mntput_no_expire+0x13b/0x190 > kern_unmount+0x3e/0x50 > pid_ns_release_proc+0x15/0x20 > proc_cleanup_work+0x15/0x20 > process_one_work+0x197/0x450 > worker_thread+0x4e/0x4a0 > kthread+0x109/0x140 > ? process_one_work+0x450/0x450 > ? kthread_park+0x90/0x90 > ret_from_fork+0x2c/0x40 > ---[ end trace e1c109611e5d0b41 ]--- > VFS: Busy inodes after unmount of proc. Self-destruct in 5 seconds. Have a nice day... > BUG: unable to handle kernel NULL pointer dereference at (null) > IP: _raw_spin_lock+0xc/0x30 > PGD 0 Fix this by taking a reference to the super block in proc_sys_prune_dcache. The superblock reference is the core of the fix however the sysctl_inodes list is converted to a hlist so that hlist_del_init_rcu may be used. This allows proc_sys_prune_dache to remove inodes the sysctl_inodes list, while not causing problems for proc_sys_evict_inode when if it later choses to remove the inode from the sysctl_inodes list. Removing inodes from the sysctl_inodes list allows proc_sys_prune_dcache to have a progress guarantee, while still being able to drop all locks. The fact that head->unregistering is set in start_unregistering ensures that no more inodes will be added to the the sysctl_inodes list. Previously the code did a dance where it delayed calling iput until the next entry in the list was being considered to ensure the inode remained on the sysctl_inodes list until the next entry was walked to. The structure of the loop in this patch does not need that so is much easier to understand and maintain. Reported-by: Andrei Vagin Tested-by: Andrei Vagin Fixes: ace0c791e6c3 ("proc/sysctl: Don't grab i_lock under sysctl_lock.") Fixes: d6cffbbe9a7e ("proc/sysctl: prune stale dentries during unregistering") Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 6399cc16dd18a310a46cccfaf110e1dc53132c7f Author: Peter Senna Tschudin Date: Sun May 14 14:35:15 2017 +0200 imx-serial: RX DMA startup latency commit 4dec2f119e86f9c91e60cdd8f0cc057452e331a9 upstream. 18a4208 introduced a change to reduce the RX DMA latency on the first reception when the serial port was opened for reading. However it was claiming a hardirq unsafe lock after a hardirq safe lock which is not allowed and causes lockdep to complain verbosely. This patch changes the code to always start RX DMA earlier, instead of relying on the flags used to open the serial port removing the code that was looking for the serial file flags. Signed-off-by: Peter Senna Tschudin Tested-by: Sascha Hauer Signed-off-by: Fabio Estevam Signed-off-by: Greg Kroah-Hartman commit 34bfc894734d56cca6c5924b5889e6308eeb66e1 Author: Cong Wang Date: Sun Jul 9 13:19:55 2017 -0700 mqueue: fix a use-after-free in sys_mq_notify() commit f991af3daabaecff34684fd51fac80319d1baad1 upstream. The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable: 1) The sock refcnt is already released when retry is needed 2) The fd is controllable by user-space because we already release the file refcnt so we when retry but the fd has been just closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again, later when the user-space closes this socket a use-after-free could be triggered. Setting 'sock' to NULL here should be sufficient to fix it. Reported-by: GeneBlue Signed-off-by: Cong Wang Cc: Andrew Morton Cc: Manfred Spraul Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman