[PATCH 3.16 092/294] ipv6: set rt6i_protocol properly in the route when it is installed

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Xin Long commit b91d532928dff2141ea9c107c3e73104d9843767 upstream. After commit c2ed1880fd61 ("net: ipv6: check route protocol when deleting routes"), ipv6 route checks rt protocol when

[PATCH 3.16 021/294] usb: storage: return on error to avoid a null pointer dereference

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian King commit 446230f52a5bef593554510302465eabab45a372 upstream. When us->extra is null the driver is not initialized, however, a later call to osd200_scsi_to_ata is made that

[PATCH 3.16 118/294] parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Thomas Bogendoerfer commit 4098116039911e8870d84c975e2ec22dab65a909 upstream. For 64bit kernels the lmmio_space_offset of the host bridge window isn't set correctly on systems with dino/cujo

[PATCH 3.16 048/294] IB/cma: Fix a race condition in iboe_addr_get_sgid()

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Assche commit fba332b079029c2f4f7e84c1c1cd8e3867310c90 upstream. Code that dereferences the struct net_device ip_ptr member must be protected with an in_dev_get() / in_dev_put()

Re: [ata_scsi_offline_dev] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:238

2017-11-06 Thread Tejun Heo
Hello, On Mon, Nov 06, 2017 at 03:12:31PM -0800, Linus Torvalds wrote: > But it does seem to be a new regression in 4.14, caused by commit > 8a97712e5314 ("scsi: make 'state' device attribute pollable"), because > that's what added the sysfs_notify() call to scsi_device_set_state(), > which made

[PATCH 3.16 136/294] qlge: avoid memcpy buffer overflow

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmann commit e58f95831e7468d25eb6e41f234842ecfe6f014f upstream. gcc-8.0.0 (snapshot) points out that we copy a variable-length string into a fixed length field using memcpy() with the

[PATCH 3.16 133/294] cifs: Fix df output for users with quota limits

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Sachin Prabhu commit 42bec214d8bd432be6d32a1acb0a9079ecd4d142 upstream. The df for a SMB2 share triggers a GetInfo call for FS_FULL_SIZE_INFORMATION. The values returned are used to populate

[PATCH 3.16 052/294] ipv4: initialize fib_trie prior to register_netdev_notifier call.

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Mahesh Bandewar commit 8799a221f5944a7d74516ecf46d58c28ec1d1f75 upstream. Net stack initialization currently initializes fib-trie after the first call to netdevice_notifier() call. In fact

[PATCH 3.16 106/294] x86/asm/64: Clear AC on NMI entries

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy Lutomirski commit e93c17301ac55321fc18e0f8316e924e58a83c8c upstream. This closes a hole in our SMAP implementation. This patch comes from grsecurity. Good catch! Signed-off-by: Andy

Re: [PATCH] PCI: turn off PCIe services during shutdown

2017-11-06 Thread Bjorn Helgaas
On Wed, Oct 25, 2017 at 03:01:02PM -0400, Sinan Kaya wrote: > Some of the PCIe services such as AER are being left enabled during > shutdown. This might cause spurious AER errors while SOC is being > powered down. > > Let's clean up the PCIe services gracefully during shutdown to clear > these

[PATCH 3.16 132/294] ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit bbba6f9d3da357bbabc6fda81e99ff5584500e76 upstream. Lenovo G50-70 (17aa:3978) with Conexant codec chip requires the similar workaround for the inverted stereo dmic like

[PATCH 3.16 144/294] PM/hibernate: touch NMI watchdog when creating snapshot

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Chen Yu commit 556b969a1cfe2686aae149137fa1dfcac0eefe54 upstream. There is a problem that when counting the pages for creating the hibernation snapshot will take significant amount of time,

[PATCH 3.16 096/294] ext4: fix overflow caused by missing cast in ext4_resize_fs()

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Jerry Lee commit aec51758ce10a9c847a62a48a168f8c804c6e053 upstream. On a 32-bit platform, the value of n_blcoks_count may be wrong during the file system is resized to size larger than 2^32

[PATCH 3.16 142/294] netvsc: fix deadlock betwen link status and removal

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: stephen hemminger commit 9b4e946ce14e20d7addbfb7d9139e604f9fda107 upstream. There is a deadlock possible when canceling the link status delayed work queue. The removal process is run with

[PATCH 3.16 134/294] cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Ronnie Sahlberg commit d3edede29f74d335f81d95a4588f5f136a9f7dcf upstream. Add checking for the path component length and verify it is <= the maximum that the server advertizes via

[PATCH 3.16 139/294] net: bcmgenet: Be drop monitor friendly

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Florian Fainelli commit d4fec855905fa8bd5fb1c59f73ad2d74a944876a upstream. There are 3 spots where we call dev_kfree_skb() but we are actually just doing a normal SKB consumption:

[PATCH 3.16 169/294] CIFS: Fix maximum SMB2 header size

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Pavel Shilovsky commit 9e37b1784f2be9397a903307574ee565bbadfd75 upstream. Currently the maximum size of SMB2/3 header is set incorrectly which leads to hanging of directory listing operations

[PATCH 3.16 126/294] net_sched: fix order of queue length updates in qdisc_replace()

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Konstantin Khlebnikov commit 68a66d149a8c78ec6720f268597302883e48e9fa upstream. This important to call qdisc_tree_reduce_backlog() after changing queue length. Parent qdisc should deactivate

[PATCH 3.16 137/294] nfsd: Limit end of page list when decoding NFSv4 WRITE

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Chuck Lever commit fc788f64f1f3eb31e87d4f53bcf1ab76590d5838 upstream. When processing an NFSv4 WRITE operation, argp->end should never point past the end of the data in the final page of the

[PATCH 3.16 135/294] tracing: Fix freeing of filter in create_filter() when set_str is false

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: "Steven Rostedt (VMware)" commit 8b0db1a5bdfcee0dbfa89607672598ae203c9045 upstream. Performing the following task with kmemleak enabled: # cd

[PATCH 3.16 163/294] ipv6: fix sparse warning on rt6i_node

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Wei Wang commit 4e587ea71bf924f7dac621f1351653bd41e446cb upstream. Commit c5cff8561d2d adds rcu grace period before freeing fib6_node. This generates a new sparse warning on rt->rt6i_node

[PATCH 3.16 148/294] r8169: Do not increment tx_dropped in TX ring cleaning

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Florian Fainelli commit 1089650d8837095f63e001bbf14d7b48043d67ad upstream. rtl8169_tx_clear_range() is responsible for cleaning up the TX ring during interface shutdown, incrementing

[PATCH 3.16 154/294] dm: fix printk() rate limiting code

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Assche commit 604407890ecf624c2fb41013c82b22aade59b455 upstream. Using the same rate limiting state for different kinds of messages is wrong because this can cause a high frequency

[PATCH 3.16 170/294] CIFS: remove endian related sparse warning

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Steve French commit 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream. Recent patch had an endian warning ie cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()

[PATCH 3.16 159/294] l2tp: hold tunnel while handling genl tunnel updates

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit 8c0e421525c9eb50d68e8f633f703ca31680b746 upstream. We need to make sure the tunnel is not going to be destroyed by l2tp_tunnel_destruct() concurrently. Fixes:

[PATCH 3.16 158/294] l2tp: hold tunnel while processing genl delete command

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit bb0a32ce4389e17e47e198d2cddaf141561581ad upstream. l2tp_nl_cmd_tunnel_delete() needs to take a reference on the tunnel, to prevent it from being concurrently freed by

[PATCH 3.16 162/294] l2tp: hold tunnel used while creating sessions with netlink

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit e702c1204eb57788ef189c839c8c779368267d70 upstream. Use l2tp_tunnel_get() to retrieve tunnel, so that it can't go away on us. Otherwise l2tp_tunnel_destruct() might

[PATCH 3.16 171/294] net_sched: fix error recovery at qdisc creation

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet commit 87b60cfacf9f17cf71933c6e33b66e68160af71d upstream. Dmitry reported uses after free in qdisc code [1] The problem here is that ops->init() can return an error.

[PATCH 3.16 157/294] l2tp: hold tunnel while looking up sessions in l2tp_netlink

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit 54652eb12c1b72e9602d09cb2821d5760939190f upstream. l2tp_tunnel_find() doesn't take a reference on the returned tunnel. Therefore, it's unsafe to use it because the

[PATCH 3.16 172/294] sch_htb: fix crash on init failure

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Nikolay Aleksandrov commit 88c2ace69dbef696edba77712882af03879abc9c upstream. The commit below added a call to the ->destroy() callback for all qdiscs which failed in their ->init(), but some

[PATCH 3.16 161/294] l2tp: remove useless duplicate session detection in l2tp_netlink

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit af87ae465abdc070de0dc35d6c6a9e7a8cd82987 upstream. There's no point in checking for duplicate sessions at the beginning of l2tp_nl_cmd_session_create(); the

[PATCH 3.16 166/294] alpha: uapi: Add support for __SANE_USERSPACE_TYPES__

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings commit cec80d82142ab25c71eee24b529cfeaf17c43062 upstream. This fixes compiler errors in perf such as: tests/attr.c: In function 'store_event': tests/attr.c:66:27: error: format

[PATCH 3.16 173/294] sch_multiq: fix double free on init failure

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Nikolay Aleksandrov commit e89d469e3be3ed3d7124a803211a463ff83d0964 upstream. The below commit added a call to ->destroy() on init failure, but multiq still frees ->queues on error in init,

[PATCH 3.16 181/294] epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove()

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Oleg Nesterov commit 138e4ad67afd5c6c318b056b4d17c17f2c0ca5c0 upstream. The race was introduced by me in commit 971316f0503a ("epoll: ep_unregister_pollwait() can use the freed pwq->whead").

[PATCH 3.16 174/294] sch_hhf: fix null pointer dereference on init failure

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Nikolay Aleksandrov commit 32db864d33c21fd70a217ba53cb7224889354ffb upstream. If sch_hhf fails in its ->init() function (either due to wrong user-space arguments as below or memory alloc

[PATCH 3.16 188/294] ALSA: seq: Fix use-after-free at creating a port

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 71105998845fb012937332fe2e806d443c09e026 upstream. There is a potential race window opened at creating and deleting a port via ioctl, as spotted by fuzzing.

[PATCH 3.16 260/294] video: mx3fb: always enable BACKLIGHT_LCD_SUPPORT

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmann commit 9c8ee3c7341393811d5be5eb61b815e76f92c799 upstream. Commit 7edaa761ee81b ("video: mx3fb: Add backlight control support") changed the mx3fb driver so it always selects the

[PATCH 3.16 180/294] wl1251: add a missing spin_lock_init()

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Cong Wang commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream. wl1251: add a missing spin_lock_init() This fixes the following kernel warning: [ 5668.771453] BUG: spinlock bad magic

[PATCH 3.16 182/294] cifs: check MaxPathNameComponentLength != 0 before using it

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Ronnie Sahlberg commit f74bc7c6679200a4a83156bb89cbf6c229fe8ec0 upstream. And fix tcon leak in error path. Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Reviewed-by: David

[PATCH 3.16 192/294] ALSA: usb-audio: Kill stray URB at exiting

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream. USB-audio driver may leave a stray URB for the mixer interrupt when it exits by some error during probe. This leads to

[PATCH 3.16 190/294] packet: hold bind lock when rebinding to fanout hook

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Willem de Bruijn commit 008ba2a13f2d04c947adc536d19debb8fe66f110 upstream. Packet socket bind operations must hold the po->bind_lock. This keeps po->running consistent with whether the socket

[PATCH 3.16 179/294] sch_tbf: fix two null pointer dereferences on init failure

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Nikolay Aleksandrov commit c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream. sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy callbacks but it may fail before the

[PATCH 3.16 175/294] sch_hfsc: fix null pointer deref and double free on init failure

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Nikolay Aleksandrov commit 3bdac362a2f89ed3e148fa6f38c5f5d858f50b1a upstream. Depending on where ->init fails we can get a null pointer deref due to uninitialized hires timer (watchdog) or a

linux-next: build warning after merge of the netfilter-next tree

2017-11-06 Thread Stephen Rothwell
Hi all, After merging the netfilter-next tree, today's linux-next build (powerpc ppc64_defconfig) produced this warning: net/netfilter/nf_conntrack_netlink.c:536:15: warning: 'ctnetlink_proto_size' defined but not used [-Wunused-function] static size_t ctnetlink_proto_size(const struct nf_conn

[PATCH 3.16 185/294] KEYS: prevent KEYCTL_READ on negative key

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Biggers commit 37863c43b2c6464f252862bf2e9768264e961678 upstream. Because keyctl_read_key() looks up the key with no permissions requested, it may find a negatively instantiated key. If

[PATCH 3.16 177/294] sch_fq_codel: avoid double free on init failure

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Nikolay Aleksandrov commit 30c31d746d0eb458ae327f522bc8e4c44cbea0f0 upstream. It is very unlikely to happen but the backlogs memory allocation could fail and will free q->flows, but then

Re: [kernel-hardening] Re: [PATCH resend 2/2] userns: control capabilities of some user namespaces

2017-11-06 Thread Boris Lukashev
On Mon, Nov 6, 2017 at 6:39 PM, Serge E. Hallyn wrote: > Quoting Boris Lukashev (blukas...@sempervictus.com): >> On Mon, Nov 6, 2017 at 5:14 PM, Serge E. Hallyn wrote: >> > Quoting Daniel Micay (danielmi...@gmail.com): >> >> Substantial added attack surface will never go away as a problem. There

[PATCH 3.16 189/294] KEYS: don't let add_key() update an uninstantiated key

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: David Howells commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream. Currently, when passed a key that already exists, add_key() will call the key's ->update() method if such exists. But

Re: [PATCH v4] arm64: support __int128 on gcc 5+

2017-11-06 Thread Jason A. Donenfeld
On Tue, Nov 7, 2017 at 1:55 AM, Ard Biesheuvel wrote: > It appears your v4 adds __ashlti3() and __ashrti3, whereas the error > is about __lshrti3() being undefined. Whoopsie. v5 adds the final missing function. Looks like it now compiles for -next with the config you provided me.

[PATCH 3.16 183/294] brcmfmac: add length check in brcmf_cfg80211_escan_handler()

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Arend Van Spriel commit 17df6453d4be17910456e99c5a85025aa1b7a246 upstream. Upon handling the firmware notification for scans the length was checked properly and

[PATCH 3.16 187/294] mac80211: accept key reinstall without changing anything

2017-11-06 Thread Ben Hutchings
3.16.50-rc1 review patch. If anyone has any objections, please let me know. -- From: Johannes Berg commit fdf7cb4185b60c68e1a75e61691c4afdc15dea0e upstream. When a key is reinstalled we can reset the replay counters etc. which can lead to nonce reuse
