1. 15 Jul, 2017 6 commits
    • Ian Abbott's avatar
      staging: comedi: fix clean-up of comedi_class in comedi_init() · 03cbf4a3
      Ian Abbott authored
      commit a9332e9a upstream.
      
      There is a clean-up bug in the core comedi module initialization
      functions, `comedi_init()`.  If the `comedi_num_legacy_minors` module
      parameter is non-zero (and valid), it creates that many "legacy" devices
      and registers them in SysFS.  A failure causes the function to clean up
      and return an error.  Unfortunately, it fails to destroy the "comedi"
      class that was created earlier.  Fix it by adding a call to
      `class_destroy(comedi_class)` at the appropriate place in the clean-up
      sequence.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      03cbf4a3
    • Malcolm Priestley's avatar
      staging: vt6556: vnt_start Fix missing call to vnt_key_init_table. · 09d05eb3
      Malcolm Priestley authored
      commit dc32190f upstream.
      
      The key table is not intialized correctly without this call.
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09d05eb3
    • Kirill Tkhai's avatar
      locking/rwsem-spinlock: Fix EINTR branch in __down_write_common() · 0155f201
      Kirill Tkhai authored
      commit a0c4acd2 upstream.
      
      If a writer could been woken up, the above branch
      
      	if (sem->count == 0)
      		break;
      
      would have moved us to taking the sem. So, it's
      not the time to wake a writer now, and only readers
      are allowed now. Thus, 0 must be passed to __rwsem_do_wake().
      
      Next, __rwsem_do_wake() wakes readers unconditionally.
      But we mustn't do that if the sem is owned by writer
      in the moment. Otherwise, writer and reader own the sem
      the same time, which leads to memory corruption in
      callers.
      
      rwsem-xadd.c does not need that, as:
      
        1) the similar check is made lockless there,
        2) in __rwsem_mark_wake::try_reader_grant we test,
      
      that sem is not owned by writer.
      Signed-off-by: default avatarKirill Tkhai <ktkhai@virtuozzo.com>
      Acked-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Niklas Cassel <niklas.cassel@axis.com>
      Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 17fcbd59 "locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y"
      Link: http://lkml.kernel.org/r/149762063282.19811.9129615532201147826.stgit@localhost.localdomainSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0155f201
    • Eric W. Biederman's avatar
      proc: Fix proc_sys_prune_dcache to hold a sb reference · dd236b3c
      Eric W. Biederman authored
      commit 2fd1d2c4 upstream.
      
      Andrei Vagin writes:
      FYI: This bug has been reproduced on 4.11.7
      > BUG: Dentry ffff895a3dd01240{i=4e7c09a,n=lo}  still in use (1) [unmount of proc proc]
      > ------------[ cut here ]------------
      > WARNING: CPU: 1 PID: 13588 at fs/dcache.c:1445 umount_check+0x6e/0x80
      > CPU: 1 PID: 13588 Comm: kworker/1:1 Not tainted 4.11.7-200.fc25.x86_64 #1
      > Hardware name: CompuLab sbc-flt1/fitlet, BIOS SBCFLT_0.08.04 06/27/2015
      > Workqueue: events proc_cleanup_work
      > Call Trace:
      >  dump_stack+0x63/0x86
      >  __warn+0xcb/0xf0
      >  warn_slowpath_null+0x1d/0x20
      >  umount_check+0x6e/0x80
      >  d_walk+0xc6/0x270
      >  ? dentry_free+0x80/0x80
      >  do_one_tree+0x26/0x40
      >  shrink_dcache_for_umount+0x2d/0x90
      >  generic_shutdown_super+0x1f/0xf0
      >  kill_anon_super+0x12/0x20
      >  proc_kill_sb+0x40/0x50
      >  deactivate_locked_super+0x43/0x70
      >  deactivate_super+0x5a/0x60
      >  cleanup_mnt+0x3f/0x90
      >  mntput_no_expire+0x13b/0x190
      >  kern_unmount+0x3e/0x50
      >  pid_ns_release_proc+0x15/0x20
      >  proc_cleanup_work+0x15/0x20
      >  process_one_work+0x197/0x450
      >  worker_thread+0x4e/0x4a0
      >  kthread+0x109/0x140
      >  ? process_one_work+0x450/0x450
      >  ? kthread_park+0x90/0x90
      >  ret_from_fork+0x2c/0x40
      > ---[ end trace e1c109611e5d0b41 ]---
      > VFS: Busy inodes after unmount of proc. Self-destruct in 5 seconds.  Have a nice day...
      > BUG: unable to handle kernel NULL pointer dereference at           (null)
      > IP: _raw_spin_lock+0xc/0x30
      > PGD 0
      
      Fix this by taking a reference to the super block in proc_sys_prune_dcache.
      
      The superblock reference is the core of the fix however the sysctl_inodes
      list is converted to a hlist so that hlist_del_init_rcu may be used.  This
      allows proc_sys_prune_dache to remove inodes the sysctl_inodes list, while
      not causing problems for proc_sys_evict_inode when if it later choses to
      remove the inode from the sysctl_inodes list.  Removing inodes from the
      sysctl_inodes list allows proc_sys_prune_dcache to have a progress
      guarantee, while still being able to drop all locks.  The fact that
      head->unregistering is set in start_unregistering ensures that no more
      inodes will be added to the the sysctl_inodes list.
      
      Previously the code did a dance where it delayed calling iput until the
      next entry in the list was being considered to ensure the inode remained on
      the sysctl_inodes list until the next entry was walked to.  The structure
      of the loop in this patch does not need that so is much easier to
      understand and maintain.
      Reported-by: default avatarAndrei Vagin <avagin@gmail.com>
      Tested-by: default avatarAndrei Vagin <avagin@openvz.org>
      Fixes: ace0c791 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
      Fixes: d6cffbbe ("proc/sysctl: prune stale dentries during unregistering")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd236b3c
    • Peter Senna Tschudin's avatar
      imx-serial: RX DMA startup latency · 6399cc16
      Peter Senna Tschudin authored
      commit 4dec2f11 upstream.
      
      18a42088 introduced a change to reduce the RX DMA latency on the first reception
      when the serial port was opened for reading. However it was claiming a hardirq
      unsafe lock after a hardirq safe lock which is not allowed and causes lockdep
      to complain verbosely.
      
      This patch changes the code to always start RX DMA earlier, instead of
      relying on the flags used to open the serial port removing the code that
      was looking for the serial file flags.
      Signed-off-by: default avatarPeter Senna Tschudin <peter.senna@collabora.com>
      Tested-by: default avatarSascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: default avatarFabio Estevam <festevam@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6399cc16
    • Cong Wang's avatar
      mqueue: fix a use-after-free in sys_mq_notify() · 34bfc894
      Cong Wang authored
      commit f991af3d upstream.
      
      The retry logic for netlink_attachskb() inside sys_mq_notify()
      is nasty and vulnerable:
      
      1) The sock refcnt is already released when retry is needed
      2) The fd is controllable by user-space because we already
         release the file refcnt
      
      so we when retry but the fd has been just closed by user-space
      during this small window, we end up calling netlink_detachskb()
      on the error path which releases the sock again, later when
      the user-space closes this socket a use-after-free could be
      triggered.
      
      Setting 'sock' to NULL here should be sufficient to fix it.
      Reported-by: default avatarGeneBlue <geneblue.mail@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34bfc894
  2. 12 Jul, 2017 28 commits
  3. 02 Jul, 2017 4 commits
  4. 01 Jul, 2017 2 commits