569dbb8...
by
Linus Torvalds <email address hidden>
Linux 4.13
5e3b19d...
by
Linus Torvalds <email address hidden>
Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
"The two indirect syscall fixes have sat in linux-next for a few days.
I did check back with a hardware designer to ensure a SYNC is really
what's required for the GIC fix and so the GIC fix didn't make it into
to linux-next in time for this final pull request.
It builds in local build tests and passes Imagination's test system"
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
irqchip: mips-gic: SYNC after enabling GIC region
MIPS: Remove pt_regs adjustments in indirect syscall handler
MIPS: seccomp: Fix indirect syscall args
d0fa6ea...
by
Linus Torvalds <email address hidden>
Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Thomas Gleixner:
- Expand the space for uncompressing as the LZ4 worst case does not fit
into the currently reserved space
- Validate boot parameters more strictly to prevent out of bound access
in the decompressor/boot code
- Fix off by one errors in get_segment_base()
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/boot: Prevent faulty bootparams.screeninfo from causing harm
x86/boot: Provide more slack space during decompression
x86/ldt: Fix off by one in get_segment_base()
3b62dc6...
by
Linus Torvalds <email address hidden>
Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fix from Thomas Gleixner:
"A single fix for a thinko in the raw timekeeper update which causes
clock MONOTONIC_RAW to run with erratically increased frequency"
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
time: Fix ktime_get_raw() incorrect base accumulation
e92d51a...
by
Linus Torvalds <email address hidden>
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Thomas Gleixner:
- Prevent a potential inconistency in the perf user space access which
might lead to evading sanity checks.
- Prevent perf recording function trace entries twice
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf/ftrace: Fix double traces of perf on ftrace:function
perf/core: Fix potential double-fetch bug
d0d6ab5...
by
Linus Torvalds <email address hidden>
Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6
Pull cifs version warning fix from Steve French:
"As requested, additional kernel warning messages to clarify the
default dialect changes"
[ There is still some discussion about exactly which version should be
the new default. Longer-term we have auto-negotiation coming, but
that's not there yet.. - Linus ]
* 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
Fix warning messages when mounting to older servers
54f70f5...
by
Linus Torvalds <email address hidden>
Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Olof Johansson:
"A couple of late-arriving fixes before final 4.13:
- A few reverts of DT bindings on Allwinner for their ethernet
driver. Discussion didn't converge, and since bindings are
considered ABI it makes sense to revert instead of having to
support two bindings long-term.
- A fix to enumerate GPIOs properly on Marvell Armada AP806"
* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
arm64: dts: marvell: fix number of GPIOs in Armada AP806 description
arm: dts: sunxi: Revert EMAC changes
arm64: dts: allwinner: Revert EMAC changes
dt-bindings: net: Revert sun8i dwmac binding
Merge tag 'mvebu-fixes-4.13-3' of git://git.infradead.org/linux-mvebu into fixes
mvebu fixes for 4.13 (part 3)
Fix number of GPIOs in AP806 description for Armada 7K/8K
* tag 'mvebu-fixes-4.13-3' of git://git.infradead.org/linux-mvebu:
arm64: dts: marvell: fix number of GPIOs in Armada AP806 description
Signed-off-by: Olof Johansson <email address hidden>
f8c6d72...
by
Linus Torvalds <email address hidden>
Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
"The ismt driver had a problem with a rarely used transaction type and
the designware driver was made even more robust against non standard
ACPI tables"
* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: designware: Round down ACPI provided clk to nearest supported clk
i2c: ismt: Return EMSGSIZE for block reads with bogus length
i2c: ismt: Don't duplicate the receive length for block reads
138e4ad...
by
Oleg Nesterov <email address hidden>
epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove()
The race was introduced by me in commit 971316f0503a ("epoll:
ep_unregister_pollwait() can use the freed pwq->whead"). I did not
realize that nothing can protect eventpoll after ep_poll_callback() sets
->whead = NULL, only whead->lock can save us from the race with
ep_free() or ep_remove().
Move ->whead = NULL to the end of ep_poll_callback() and add the
necessary barriers.
TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even
before this patch.
Hopefully this explains use-after-free reported by syzcaller:
BUG: KASAN: use-after-free in debug_spin_lock_before
...
_raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159
ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148
this is spin_lock(eventpoll->lock),
...
Freed by task 17774:
...
kfree+0xe8/0x2c0 mm/slub.c:3883
ep_free+0x22c/0x2a0 fs/eventpoll.c:865
Fixes: 971316f0503a ("epoll: ep_unregister_pollwait() can use the freed pwq->whead")
Reported-by: 范龙飞 <long7573@126.com>
Cc: <email address hidden>
Signed-off-by: Oleg Nesterov <email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>
