user/sven/linux.git, branch v4.1.31 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.1.31 2016-08-22T13:50:48Z Linux 4.1.31 2016-08-22T13:50:48Z Sasha Levin alexander.levin@verizon.com 2016-08-22T13:50:48Z urn:sha1:99f614a3bb23603a947be2e95b78507112c484e5 Signed-off-by: Sasha Levin <alexander.levin@verizon.com> MIPS: KVM: Propagate kseg0/mapped tlb fault errors 2016-08-20T03:08:49Z James Hogan james.hogan@imgtec.com 2016-08-18T09:01:29Z urn:sha1:432273c710ae564a9530f44c0deb92b9e7a463d8 commit 9b731bcfdec4c159ad2e4312e25d69221709b96a upstream. Propagate errors from kvm_mips_handle_kseg0_tlb_fault() and kvm_mips_handle_mapped_seg_tlb_fault(), usually triggering an internal error since they normally indicate the guest accessed bad physical memory or the commpage in an unexpected way. Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.") Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.") Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: "Radim Krčmář" <rkrcmar@redhat.com> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> [james.hogan@imgtec.com: Backport to v4.7] Signed-off-by: James Hogan <james.hogan@imgtec.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> MIPS: KVM: Fix gfn range check in kseg0 tlb faults 2016-08-20T03:08:48Z James Hogan james.hogan@imgtec.com 2016-08-18T09:01:28Z urn:sha1:7fe3930e1f146476e81eca06ca0833bd477b3da8 commit 0741f52d1b980dbeb290afe67d88fc2928edd8ab upstream. Two consecutive gfns are loaded into host TLB, so ensure the range check isn't off by one if guest_pmap_npages is odd. Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.") Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: "Radim Krčmář" <rkrcmar@redhat.com> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> [james.hogan@imgtec.com: Backport to v4.7] Signed-off-by: James Hogan <james.hogan@imgtec.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> MIPS: KVM: Add missing gfn range check 2016-08-20T03:08:48Z James Hogan james.hogan@imgtec.com 2016-08-18T09:01:27Z urn:sha1:0fbddc006492a05e061bfa61170f155c989f6a15 commit 8985d50382359e5bf118fdbefc859d0dbf6cebc7 upstream. kvm_mips_handle_mapped_seg_tlb_fault() calculates the guest frame number based on the guest TLB EntryLo values, however it is not range checked to ensure it lies within the guest_pmap. If the physical memory the guest refers to is out of range then dump the guest TLB and emit an internal error. Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.") Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: "Radim Krčmář" <rkrcmar@redhat.com> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> [james.hogan@imgtec.com: Backport to v4.7] Signed-off-by: James Hogan <james.hogan@imgtec.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> MIPS: KVM: Fix mapped fault broken commpage handling 2016-08-20T03:08:47Z James Hogan james.hogan@imgtec.com 2016-08-18T09:01:26Z urn:sha1:342b88eb5999fc0c2c587082c4dce6e40eb62a20 commit c604cffa93478f8888bec62b23d6073dad03d43a upstream. kvm_mips_handle_mapped_seg_tlb_fault() appears to map the guest page at virtual address 0 to PFN 0 if the guest has created its own mapping there. The intention is unclear, but it may have been an attempt to protect the zero page from being mapped to anything but the comm page in code paths you wouldn't expect from genuine commpage accesses (guest kernel mode cache instructions on that address, hitting trapping instructions when executing from that address with a coincidental TLB eviction during the KVM handling, and guest user mode accesses to that address). Fix this to check for mappings exactly at KVM_GUEST_COMMPAGE_ADDR (it may not be at address 0 since commit 42aa12e74e91 ("MIPS: KVM: Move commpage so 0x0 is unmapped")), and set the corresponding EntryLo to be interpreted as 0 (invalid). Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.") Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: "Radim Krčmář" <rkrcmar@redhat.com> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> [james.hogan@imgtec.com: Backport to v4.7] Signed-off-by: James Hogan <james.hogan@imgtec.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> ext4: verify extent header depth 2016-08-20T03:08:47Z Vegard Nossum vegard.nossum@oracle.com 2016-07-15T04:22:07Z urn:sha1:867df5e12818bca1d37fc4c9a35346764879f2af [ Upstream commit 7bc9491645118c9461bd21099c31755ff6783593 ] Although the extent tree depth of 5 should enough be for the worst case of 2*32 extents of length 1, the extent tree code does not currently to merge nodes which are less than half-full with a sibling node, or to shrink the tree depth if possible. So it's possible, at least in theory, for the tree depth to be greater than 5. However, even in the worst case, a tree depth of 32 is highly unlikely, and if the file system is maliciously corrupted, an insanely large eh_depth can cause memory allocation failures that will trigger kernel warnings (here, eh_depth = 65280): JBD2: ext4.exe wants too many credits credits:195849 rsv_credits:0 max:256 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 50 at fs/jbd2/transaction.c:293 start_this_handle+0x569/0x580 CPU: 0 PID: 50 Comm: ext4.exe Not tainted 4.7.0-rc5+ #508 Stack: 604a8947 625badd8 0002fd09 00000000 60078643 00000000 62623910 601bf9bc 62623970 6002fc84 626239b0 900000125 Call Trace: [<6001c2dc>] show_stack+0xdc/0x1a0 [<601bf9bc>] dump_stack+0x2a/0x2e [<6002fc84>] __warn+0x114/0x140 [<6002fdff>] warn_slowpath_null+0x1f/0x30 [<60165829>] start_this_handle+0x569/0x580 [<60165d4e>] jbd2__journal_start+0x11e/0x220 [<60146690>] __ext4_journal_start_sb+0x60/0xa0 [<60120a81>] ext4_truncate+0x131/0x3a0 [<60123677>] ext4_setattr+0x757/0x840 [<600d5d0f>] notify_change+0x16f/0x2a0 [<600b2b16>] do_truncate+0x76/0xc0 [<600c3e56>] path_openat+0x806/0x1300 [<600c55c9>] do_filp_open+0x89/0xf0 [<600b4074>] do_sys_open+0x134/0x1e0 [<600b4140>] SyS_open+0x20/0x30 [<6001ea68>] handle_syscall+0x88/0x90 [<600295fd>] userspace+0x3fd/0x500 [<6001ac55>] fork_handler+0x85/0x90 ---[ end trace 08b0b88b6387a244 ]--- [ Commit message modified and the extent tree depath check changed from 5 to 32 -- tytso ] Cc: Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt 2016-08-20T03:08:47Z Kangjie Lu kangjielu@gmail.com 2016-05-03T20:44:32Z urn:sha1:cd5108403bda69524fd07a035e804d64ee8ae5b8 [ Upstream commit e4ec8cc8039a7063e24204299b462bd1383184a5 ] The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Signed-off-by: Kangjie Lu <kjlu@gatech.edu> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> ALSA: timer: Fix leak in events via snd_timer_user_ccallback 2016-08-20T03:08:46Z Kangjie Lu kangjielu@gmail.com 2016-05-03T20:44:20Z urn:sha1:1fbc4fd13bd04fd7c7fd033fdfde97e96d2865e5 [ Upstream commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 ] The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Signed-off-by: Kangjie Lu <kjlu@gatech.edu> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS 2016-08-20T03:08:46Z Kangjie Lu kangjielu@gmail.com 2016-05-03T20:44:07Z urn:sha1:1b7d7bce7467cf10f21007a5c952688877ead95e [ Upstream commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e ] The stack object “tread” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Signed-off-by: Kangjie Lu <kjlu@gatech.edu> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> USB: OHCI: Don't mark EDs as ED_OPER if scheduling fails 2016-08-20T03:08:45Z Michał Pecio michal.pecio@gmail.com 2016-06-07T10:34:45Z urn:sha1:c65b5c9c0085bab46706f35c4889dd03cf2b0c08 [ Upstream commit c66f59ee5050447b3da92d36f5385a847990a894 ] Since ed_schedule begins with marking the ED as "operational", the ED may be left in such state even if scheduling actually fails. This allows future submission attempts to smuggle this ED to the hardware behind the scheduler's back and without linking it to the ohci->eds_in_use list. The former causes bandwidth saturation and data loss on isoc endpoints, the latter crashes the kernel when attempt is made to unlink such ED from this list. Fix ed_schedule to update ED state only on successful return. Signed-off-by: Michal Pecio <michal.pecio@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin@verizon.com>