- Nov 07, 2017
-
-
Arend van Spriel authored
commit 8f44c9a4 upstream.

The lower level nl80211 code in cfg80211 ensures that "len" is between 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from "len" so that's a max of 2280. However, the action_frame->data[] buffer is only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can overflow.

	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame->len));

Fixes: 18e2f61d ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
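As an added illustration of the bound this commit describes (not the brcmfmac driver's code), the following user-space C models the length arithmetic from the message with the quoted constants and refuses the copy whenever the body after the 24-byte management header would exceed the 1800-byte action_frame->data[] buffer; the struct layout and the try_frame() helper are simplified assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants quoted in the commit message. */
#define DOT11_MGMT_HDR_LEN             24
#define NL80211_ATTR_FRAME_MAX       2304   /* upper bound nl80211 enforces on len */
#define BRCMF_FIL_ACTION_FRAME_SIZE  1800

/* Simplified stand-in for the driver's action frame (assumption). */
struct action_frame {
    uint16_t len;
    uint8_t  data[BRCMF_FIL_ACTION_FRAME_SIZE];
};

/*
 * Copy the frame body (everything after the 802.11 management header) into
 * the fixed-size buffer.  Returns 0 on success or -EINVAL when the body would
 * not fit, which is the bound the fix places in front of the memcpy().
 */
int copy_action_frame(struct action_frame *af, const uint8_t *buf, size_t len)
{
    size_t body_len;

    /* nl80211 already guarantees 25 <= len <= 2304; recheck here so the
     * helper is safe on its own. */
    if (len <= DOT11_MGMT_HDR_LEN || len > NL80211_ATTR_FRAME_MAX)
        return -EINVAL;

    body_len = len - DOT11_MGMT_HDR_LEN;   /* up to 2280 bytes */

    /* The missing check: 2280 > 1800, so without it memcpy() can run past
     * the end of af->data[]. */
    if (body_len > BRCMF_FIL_ACTION_FRAME_SIZE)
        return -EINVAL;

    af->len = (uint16_t)body_len;
    memcpy(af->data, &buf[DOT11_MGMT_HDR_LEN], body_len);
    return 0;
}

/*
 * Constructed sample input: a frame of the given total length whose body is
 * filled with 0xAB so a successful copy can be verified.  Returns the result
 * of copy_action_frame(), or -EIO (used here only as a mismatch marker) if the
 * copied bytes do not match what was sent.
 */
int try_frame(size_t len)
{
    static uint8_t buf[NL80211_ATTR_FRAME_MAX];
    struct action_frame af;
    int rc;

    if (len > sizeof(buf))
        return -EINVAL;
    memset(buf, 0, sizeof(buf));
    if (len > DOT11_MGMT_HDR_LEN)
        memset(buf + DOT11_MGMT_HDR_LEN, 0xAB, len - DOT11_MGMT_HDR_LEN);

    memset(&af, 0, sizeof(af));
    rc = copy_action_frame(&af, buf, len);
    if (rc)
        return rc;
    if (af.len != len - DOT11_MGMT_HDR_LEN ||
        af.data[0] != 0xAB || af.data[af.len - 1] != 0xAB)
        return -EIO;
    return 0;
}
```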
-
- Oct 06, 2017
-
-
Andrey Ryabinin authored
This fixes CVE-2016-8650.

If mpi_powm() is given a zero exponent, it wants to immediately return either 1 or 0, depending on the modulus. However, if the result was initialised with zero limb space, no limbs space is allocated and a NULL-pointer exception ensues.

Fix this by allocating a minimal amount of limb space for the result in the 0-exponent case when the result is 1 and not touching the limb space when the result is 0.

This affects the use of RSA keys and X.509 certificates that carry them.

Bug: 33401771

BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
PGD 0
Oops: 0002 [#1] SMP
Modules linked in:
CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
task: ffff8804011944c0 task.stack: ffff880401294000
RIP: 0010:[<ffffffff8138ce5d>]  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
RSP: 0018:ffff880401297ad8  EFLAGS: 00010212
RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
FS:  00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
Stack:
 ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
 ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
Call Trace:
 [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
 [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
 [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
 [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
 [<ffffffff8132a95c>] rsa_verify+0x9d/0xee
 [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
 [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
 [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
 [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
 [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
 [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
 [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
 [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
 [<ffffffff812fe227>] SyS_add_key+0x154/0x19e
 [<ffffffff81001c2b>] do_syscall_64+0x80/0x191
 [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
RIP  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
 RSP <ffff880401297ad8>
CR2: 0000000000000000
---[ end trace d82015255d4a5d8d ]---

Basically, this is a backport of a libgcrypt patch:

	http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526

Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files (part 1)")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
cc: linux-ima-devel@lists.sourceforge.net
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: I42a008d34a8ca31406fb545783156fca44fa16b4
-
Eric Dumazet authored
[ Upstream commit fdcee2cb ]

SCTP needs fixes similar to 83eaddab ("ipv6/dccp: do not inherit ipv6_mc_list from parent"), otherwise bad things can happen.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Eric Biggers authored
commit 1b53cf98 upstream.

Filesystem encryption ostensibly supported revoking a keyring key that had been used to "unlock" encrypted files, causing those files to become "locked" again. This was, however, buggy for several reasons, the most severe of which was that when key revocation happened to be detected for an inode, its fscrypt_info was immediately freed, even while other threads could be using it for encryption or decryption concurrently. This could be exploited to crash the kernel or worse.

This patch fixes the use-after-free by removing the code which detects the keyring key having been revoked, invalidated, or expired. Instead, an encrypted inode that is "unlocked" now simply remains unlocked until it is evicted from memory. Note that this is no worse than the case for block device-level encryption, e.g. dm-crypt, and it still remains possible for a privileged user to evict unused pages, inodes, and dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by simply unmounting the filesystem. In fact, one of those actions was already needed anyway for key revocation to work even somewhat sanely. This change is not expected to break any applications.

In the future I'd like to implement a real API for fscrypt key revocation that interacts sanely with ongoing filesystem operations --- waiting for existing operations to complete and blocking new operations, and invalidating and sanitizing key material and plaintext from the VFS caches. But this is a hard problem, and for now this bug must be fixed.

This bug affected almost all versions of ext4, f2fs, and ubifs encryption, and it was potentially reachable in any kernel configured with encryption support (CONFIG_EXT4_ENCRYPTION=y, CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or CONFIG_UBIFS_FS_ENCRYPTION=y). Note that older kernels did not use the shared fs/crypto/ code, but due to the potential security implications of this bug, it may still be worthwhile to backport this fix to them.

Fixes: b7236e21 ("ext4 crypto: reorganize how we store keys in the inode")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Michael Halcrow <mhalcrow@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7a520219)
Change-Id: I5529903c0a1e499b73c1104d2b882e040f8d15fb
Signed-off-by: Eric Biggers <ebiggers@google.com>
-
Adrian Salido authored
commit 62655397 upstream.

The driver_override implementation is susceptible to a race condition when different threads are reading vs storing a different driver override. Add locking to avoid the race condition.

Fixes: 3d713e0e ("driver core: platform: add device binding path 'driver_override'")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Salido <salidoa@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Chris Salls authored
commit cf01fb99 upstream.

In the case that compat_get_bitmap fails we do not want to copy the bitmap to the user as it will contain uninitialized stack data and leak sensitive data.

Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Jan Kara authored
Huang has reported that in his powerfail testing he is seeing stale block contents in some of recently allocated blocks although he mounts ext4 in data=ordered mode.

After some investigation I have found out that indeed when delayed allocation is used, we don't add inode to transaction's list of inodes needing flushing before commit. Originally we were doing that but commit f3b59291 removed the logic with a flawed argument that it is not needed.

The problem is that although for delayed allocated blocks we write their contents immediately after allocating them, there is no guarantee that the IO scheduler or device doesn't reorder things and thus transaction allocating blocks and attaching them to inode can reach stable storage before actual block contents.

Actually whenever we attach freshly allocated blocks to inode using a written extent, we should add inode to transaction's ordered inode list to make sure we properly wait for block contents to be written before committing the transaction. So that is what we do in this patch. This also handles other cases where stale data exposure was possible - like filling hole via mmap in data=ordered,nodelalloc mode.

The only exception to the above rule are extending direct IO writes where blkdev_direct_IO() waits for IO to complete before increasing i_size and thus stale data exposure is not possible. For now we don't complicate the code with optimizing this special case since the overhead is pretty low. In case this is observed to be a performance problem we can always handle it using a special flag to ext4_map_blocks().

CC: stable@vger.kernel.org
Fixes: f3b59291
Reported-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Tested-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit 06bd3c36)
Signed-off-by: Connor O'Brien <connoro@google.com>
Bug: 62198330
Change-Id: I94d10c119d5d53e3b652e654a7bdd1bd39d3f3e8
-
Eric Dumazet authored
[ Upstream commit 7892032c ]

Andrey Konovalov reported out of bound accesses in ip6gre_err()

If GRE flags contains GRE_KEY, the following expression

	*(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this code more readable.

p[1] becomes greh->protocol.
grehlen is the GRE header length.

Fixes: c12b395a ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Eric Dumazet authored
commit d199fab6 upstream.

Multiple threads can call fanout_add() at the same time.

We need to grab fanout_mutex earlier to avoid races that could lead to one thread freeing po->rollover that was set by another thread.

Do the same in fanout_release(), for peace of mind, and to help us find lockdep issues earlier.

[js] no rollover in 3.12

Fixes: dc99f600 ("packet: Add fanout support.")
Fixes: 0648ab70 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 2a272abc4e543f488b3a73292ee75a06f20d077a)
Bug: 37897645
Change-Id: I3b021869ee26b88d10f4d6408ce34d351543ce74
-
Eric Dumazet authored
[ Upstream commit ccf7abb9 ]

Splicing from TCP socket is vulnerable when a packet with URG flag is received and stored into receive queue.

__tcp_splice_read() returns 0, and sk_wait_data() immediately returns since there is the problematic skb in queue.

This is a nice way to burn cpu (aka infinite loop) and trigger soft lockups.

Again, this gem was found by syzkaller tool.

Fixes: 9c55e01c ("[TCP]: Splice receive support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Dan Carpenter authored
commit ee0d8d84 upstream.

We should call ipxitf_put() if the copy_to_user() fails.

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
WANG Cong authored
Like commit 657831ff ("dccp/tcp: do not inherit mc_list from parent") we should clear ipv6_mc_list etc. for IPv6 sockets too.

Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 83eaddab)
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: I072f17a16ae8095c792ed05b73589a97c1d2a16b
-
Eric Dumazet authored
[ Upstream commit 657831ff ]

syzkaller found a way to trigger double frees from ip_mc_drop_socket()

It turns out that we leave a copy of the parent mc_list at accept() time, which is very bad.

Very similar to commit 8b485ce6 ("tcp: do not inherit fastopen_req from parent")

Initial report from Pray3r, completed by Andrey's one.

Thanks a lot to them !

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Pray3r <pray3r.z@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Jin Qian authored
commit 15d3042a upstream.

Make sure segno and blkoff read from raw image are valid.

Cc: stable@vger.kernel.org
Signed-off-by: Jin Qian <jinqian@google.com>
[Jaegeuk Kim: adjust minor coding style]
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[AmitP: Found in Android Security bulletin for Aug'17, fixes CVE-2017-10663]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Jin Qian authored
commit b9dd4618 upstream.

F2FS uses 4 bytes to represent block address. As a result, supported size of disk is 16 TB and it equals 16 * 1024 * 1024 / 2 segments.

Change-Id: I9dc3591ec9c2cd99aa5151acaf3299ce59ceae11
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Thomas Gleixner authored
commit 1e38da30 upstream.

The handling of the might_cancel queueing is not properly protected, so parallel operations on the file descriptor can race with each other and lead to list corruptions or use after free.

Protect the context for these operations with a separate lock.

The wait queue lock cannot be reused for this because that would create a lock inversion scenario vs. the cancel lock. Replacing might_cancel with an atomic (atomic_t or atomic bit) does not help either because it still can race vs. the actual list operation.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "linux-fsdevel@vger.kernel.org"
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Andrey Konovalov authored
[ Upstream commit bcc5364b ]

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Andrey Konovalov authored
[ Upstream commit 8f8d28e4 ]

When calculating rb->frames_per_block * req->tp_block_nr the result can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would never overflow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Andrey Konovalov authored
commit 2b6867c2 upstream.

Subtracting tp_sizeof_priv from tp_block_size and casting to int to check whether one is less than the other doesn't always work (both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
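The three preceding commits each bound one piece of ring arithmetic in af_packet. As an added example (not the kernel's net/packet code), the following user-space C models all three checks on a simplified request struct: the PACKET_RESERVE bound, the 64-bit product test for the ring size, and the unsigned comparison against the block's private area, with the pre-fix 32-bit comparison kept beside it to show the wrap it accepted. The struct, the header length and the alignment constant are assumptions.

```c
#include <stdint.h>
#include <limits.h>
#include <errno.h>

/* Simplified model of a packet ring request; the field names follow the
 * commit messages, the struct itself is an assumption, not the kernel's. */
struct ring_req {
    unsigned int tp_block_size;   /* bytes per block */
    unsigned int tp_block_nr;     /* number of blocks in the ring */
    unsigned int tp_frame_size;   /* bytes per frame */
    unsigned int tp_sizeof_priv;  /* private area at the start of each block */
};

#define BLK_HDR_LEN   48u   /* assumption: modelled block header size */
#define V3_ALIGNMENT   8u   /* assumption: modelled alignment of the private area */

/* Bytes reserved at the start of every block (the BLK_PLUS_PRIV idea).
 * Taking a 64-bit argument is the point of the "cast tp_sizeof_priv to u64"
 * fix: the alignment and the addition can no longer wrap in 32 bits. */
static uint64_t blk_plus_priv(uint64_t tp_sizeof_priv)
{
    uint64_t aligned = (tp_sizeof_priv + V3_ALIGNMENT - 1) & ~(uint64_t)(V3_ALIGNMENT - 1);
    return BLK_HDR_LEN + aligned;
}

/* The pre-fix comparison, kept only to show why it was wrong: everything is
 * computed in 32-bit unsigned arithmetic, so a huge tp_sizeof_priv wraps to a
 * small value, and the difference is then cast to int.  Returns 1 when this
 * old test would have accepted the pair. */
int old_priv_check_accepts(unsigned int tp_block_size, unsigned int tp_sizeof_priv)
{
    unsigned int aligned = (tp_sizeof_priv + V3_ALIGNMENT - 1) & ~(V3_ALIGNMENT - 1);
    unsigned int plus_priv = BLK_HDR_LEN + aligned;          /* may wrap */
    return (int)(tp_block_size - plus_priv) <= 0 ? 0 : 1;
}

/* Validation as the three fixes leave it.  Returns 0 or -EINVAL. */
int validate_ring_request(const struct ring_req *req)
{
    unsigned int frames_per_block;

    if (req->tp_block_size == 0 || req->tp_frame_size == 0)
        return -EINVAL;

    /* Fix 2b6867c2: compare the unsigned values as they are, after widening
     * the private-area size to 64 bits. */
    if ((uint64_t)req->tp_block_size <= blk_plus_priv(req->tp_sizeof_priv))
        return -EINVAL;

    /* Fix 8f8d28e4: the whole ring must fit in an unsigned int.  Because
     * frames_per_block <= tp_block_size, frames_per_block * tp_block_nr is
     * bounded by the same product and cannot overflow either. */
    if ((uint64_t)req->tp_block_size * req->tp_block_nr > UINT_MAX)
        return -EINVAL;

    frames_per_block = req->tp_block_size / req->tp_frame_size;
    if (frames_per_block == 0)
        return -EINVAL;
    return 0;
}

/* Fix bcc5364b: PACKET_RESERVE is bounded when it is assigned, so the later
 * tp_hdrlen + tp_reserve sum stays far from wrapping.  Returns the accepted
 * value, or -EINVAL. */
int64_t set_reserve(unsigned int val)
{
    if (val > INT_MAX)
        return -EINVAL;
    return (int64_t)val;
}

/* Convenience wrapper so a request can be built and checked in one call. */
int check_req(unsigned int block_size, unsigned int block_nr,
              unsigned int frame_size, unsigned int sizeof_priv)
{
    struct ring_req req = { block_size, block_nr, frame_size, sizeof_priv };
    return validate_ring_request(&req);
}
```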
-
Eric Dumazet authored
[ Upstream commit 34b2cef2 ]

Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst is accessed.

ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options are present.

We could refine the test to the presence of ts_needtime or srr, but IP options are not often used, so let's be conservative.

Thanks to syzkaller team for finding this bug.

Fixes: d826eb14 ("ipv4: PKTINFO doesnt need dst reference")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Andrey Konovalov authored
[ Upstream commit 5edabca9 ]

In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet is forcibly freed via __kfree_skb in dccp_rcv_state_process if dccp_v6_conn_request successfully returns.

However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb is saved to ireq->pktopts and the ref count for skb is incremented in dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed in dccp_rcv_state_process.

Fix by calling consume_skb instead of doing goto discard and therefore calling __kfree_skb.

Similar fixes for TCP:

fb7e2399 [TCP]: skb is unexpectedly freed.
0aea76d3 tcp: SYN packets are now simply consumed

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Andy Whitcroft authored
commit f843ee6d upstream.

Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to wrapping issues. To ensure we are correctly ensuring that the two ESN structures are the same size, compare both the overall size as reported by xfrm_replay_state_esn_len() and the internal length and check that they are the same.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Andy Whitcroft authored
commit 677e806d upstream.

When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate the user supplied replay_esn to ensure that the size is valid and to ensure that the replay_window size is within the allocated buffer. However later it is possible to update this replay_esn via a XFRM_MSG_NEWAE call. There we again validate the size of the supplied buffer matches the existing state and if so inject the contents. We do not at this point check that the replay_window is within the allocated memory. This leads to out-of-bounds reads and writes triggered by netlink packets. This leads to memory corruption and the potential for privilege escalation.

We already attempt to validate the incoming replay information in xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user is not trying to change the size of the replay state buffer which includes the replay_esn. It however does not check the replay_window remains within that buffer. Add validation of the contained replay_window.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Lukas Czerner authored
commit 6934da92 upstream.

There is a use-after-free possibility in __ext4_journal_stop() in the case that we free the handle in the first jbd2_journal_stop() because we're referencing handle->h_err afterwards. This was introduced in 9705acd6 and it is wrong. Fix it by storing the handle->h_err value beforehand and avoid referencing potentially freed handle.

Fixes: 9705acd6
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Suzuki K. Poulose authored
commit 8fff105e upstream.

The perf core implicitly rejects events spanning multiple HW PMUs, as in these cases the event->ctx will differ. However this validation is performed after pmu::event_init() is called in perf_init_event(), and thus pmu::event_init() may be called with a group leader from a different HW PMU.

The ARM64 PMU driver does not take this fact into account, and when validating groups assumes that it can call to_arm_pmu(event->pmu) for any HW event. When the event in question is from another HW PMU this is wrong, and results in dereferencing garbage.

This patch updates the ARM64 PMU driver to first test for and reject events from other PMUs, moving the to_arm_pmu and related logic after this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with a CCI PMU present:

Bad mode in Synchronous Abort handler detected, code 0x86000006 -- IABT (current EL)
CPU: 0 PID: 1371 Comm: perf_fuzzer Not tainted 3.19.0+ #249
Hardware name: V2F-1XV7 Cortex-A53x2 SMM (DT)
task: ffffffc07c73a280 ti: ffffffc07b0a0000 task.ti: ffffffc07b0a0000
PC is at 0x0
LR is at validate_event+0x90/0xa8
pc : [<0000000000000000>] lr : [<ffffffc000090228>] pstate: 00000145
sp : ffffffc07b0a3ba0
[<          (null)>] (null)
[<ffffffc0000907d8>] armpmu_event_init+0x174/0x3cc
[<ffffffc00015d870>] perf_try_init_event+0x34/0x70
[<ffffffc000164094>] perf_init_event+0xe0/0x10c
[<ffffffc000164348>] perf_event_alloc+0x288/0x358
[<ffffffc000164c5c>] SyS_perf_event_open+0x464/0x98c
Code: bad PC value

Also cleans up the code to use the arm_pmu only when we know that we are dealing with an arm pmu event.

Cc: Will Deacon <will.deacon@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Suzuki K. Poulose <suzuki.poulose@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- Oct 05, 2017
-
-
Takashi Iwai authored
commit 3567eb6a upstream.

ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Hector Marco-Gisbert authored
Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only the stack and the executable are randomized but not other mmapped files, libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.

By default on i386 there are 8 bits for the randomization of the libraries, vDSO and mmaps which only uses 1MB of VA.

This patch preserves the original randomness, using 1MB of VA out of 3GB or 4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.

The first obvious security benefit is that all objects are randomized (not only the stack and the executable) in legacy mode which highly increases the ASLR effectiveness, otherwise the attackers may use these non-randomized areas. But also sensitive setuid/setgid applications are more secure because currently, attackers can disable the randomization of these applications by setting the ulimit stack to "unlimited". This is a very old and widely known trick to disable the ASLR in i386 which has been allowed for too long.

Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE personality flag, but fortunately this doesn't work on setuid/setgid applications because there are security checks which clear Security-relevant flags.

This patch always randomizes the mmap_legacy_base address, removing the possibility to disable the ASLR by setting the stack to "unlimited".

Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Acked-by: Ismael Ripoll Ripoll <iripoll@upv.es>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: akpm@linux-foundation.org
Cc: kees Cook <keescook@chromium.org>
Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Bug: 28763575
Change-Id: Icd128489c3c196ade64f79d4ea898d29f8471baf
(cherry picked from commit 8b8addf8)
-
- Apr 04, 2017
-
-
Greg Kroah-Hartman authored
Somehow the config option forgot to be enabled in the 3.18 backport of this driver (it got renamed as well.) So enable it so that people know it is required.

Bug: 35803310
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Dmitry Shmidt authored
Change-Id: I67430b05eca8fd520d2795d3db60faf2ec0fab9e
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
(cherry picked from commit 03fbd079)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Rob Herring authored
Android won't boot without SELinux enabled, so make it the default.

Link: http://lkml.kernel.org/r/20160908185934.18098-2-robh@kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit d90ae51a)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Rob Herring authored
CONFIG_MD is in recommended, but other dependent options like DM_CRYPT and DM_VERITY options are in base. The result is the options in base don't get enabled when applying both base and recommended fragments. Move all the options to recommended.

Link: http://lkml.kernel.org/r/20160908185934.18098-1-robh@kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>
Acked-by: John Stultz <john.stultz@linaro.org>
Cc: Amit Pundir <amit.pundir@linaro.org>
Cc: Dmitry Shmidt <dimitrysh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit f023a395)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
This adds CONFIG_MODULES, CONFIG_MODULE_UNLOAD, and CONFIG_MODVERSIONS which are required by the O release.

Bug: 35803310
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
This adds CONFIG_IKCONFIG and CONFIG_IKCONFIG_PROC options, which are a requirement for the O release.

Bug: 35803310
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
It somehow got out of alphabetical order, fix it to make merges and testing easier.

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
Changes in 3.18.48:
module: fix types of device tables aliases
MODULE_DEVICE_TABLE: fix some callsites
atm: iphase: fix misleading indention
paride: fix the "verbose" module param
net: caif: fix misleading indentation
Disable "frame-address" warning
netfilter: Fix switch statement warnings with recent gcc.
Bluetooth: make hci_test_bit's addr const
ata: hpt366: fix constant cast warning
HID: hid-input: Add parentheses to quell gcc warning
ALSA: oxygen: Fix logical-not-parentheses warning
x86/xen: fix upper bound of pmd loop in xen_cleanhighmap()
s3c-camif: fix compiler warnings
netfilter; Add some missing default cases to switch statements in nft_reject.
mtd: blkdevs: fix switch-bool compilation warning
media: remove unused variable that causes a warning
drivers/net/ethernet/dec/tulip/uli526x.c: fix misleading indentation in uli526x_timer
iwlegacy: avoid warning about missing braces
be2iscsi: Fix bogus WARN_ON length check
i40e: Reduce stack in i40e_dbg_dump_desc
bfa: Fix indentation
Staging: iio: adc: fix indent on break statement
xilinx usb2 gadget: get rid of incredibly annoying compile warning
Staging: lustre: missing curly braces in ll_setattr_raw()
staging: rtl8723au: core: rtw_wlan_util: fix misleading indentation
usb: renesas_usbhs: fix build warning if 64-bit architecture
x86/boot: Add CONFIG_PARAVIRT_SPINLOCKS quirk to arch/x86/boot/compressed/misc.h
spi: dw-mid: refactor to use helpers
blk: rq_data_dir() should not return a boolean
net:Add sysctl_max_skb_frags
drm/i915: cleanup some indenting
Documentation: Remove ZBOOT MMC/SDHI utility and docs
Fix "crypto: algif_hash - Require setkey before accept(2)"
Fix "tunnels: Don't apply GRO to multiple layers of encapsulation."
Fix "qla2xxx: terminate exchange when command is aborted by LIO"
Linux 3.18.48

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
Changes in 3.18.47:
usb: gadget: composite: correctly initialize ep->maxpacket
drm/gma500: Add compat ioctl
scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits for 30secs before reset
PCI: Check for PME in targeted sleep state
USB: UHCI: report non-PME wakeup signalling for Intel hardware
regulator: stw481x-vmmc: fix ages old enable error
crypto: caam - fix AEAD givenc descriptors
ext4: fix mballoc breakage with 64k block size
ext4: fix stack memory corruption with 64k block size
staging: comedi: ni_mio_common: fix M Series ni_ai_insn_read() data mask
ssb: Fix error routine when fallback SPROM fails
usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
ext4: sanity check the block and cluster size at mount time
ext4: use more strict checks for inodes_per_block on mount
ext4: add sanity checking to count_overhead()
KVM: PPC: Book3S HV: Save/restore XER in checkpointed register state
dm crypt: mark key as invalid until properly loaded
ALSA: hda - fix headset-mic problem on a Dell laptop
f2fs: set ->owner for debugfs status file's file_operations
md/raid5: limit request size according to implementation limits
thermal: hwmon: Properly report critical temperature in sysfs
USB: serial: kl5kusb105: fix open error path
powerpc/ps3: Fix system hang with GCC 5 builds
Btrfs: fix tree search logic when replaying directory entry deletes
block: protect iterate_bdevs() against concurrent close
xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
ALSA: usb-audio: Fix race at stopping the stream
mmc: sdhci: Fix recovery from tuning timeout
USB: cdc-acm: add device id for GW Instek AFG-125
CIFS: Fix missing nls unload in smb2_reconnect()
CIFS: Fix a possible memory corruption in push locks
CIFS: Fix a possible memory corruption during reconnect
drm/radeon: add additional pci revision to dpm workaround
arm/xen: Use alloc_percpu rather than __alloc_percpu
dm space map metadata: fix 'struct sm_metadata' leak on failed create
ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks
USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041
USB: serial: option: add dlink dwm-158
fgraph: Handle a case where a tracer ignores set_graph_notrace
nfs_write_end(): fix handling of short copies
ext4: return -ENOMEM instead of success
SUNRPC: fix refcounting problems with auth_gss messages.
kconfig/nconf: Fix hang when editing symbol with a long prompt
s390/vmlogrdr: fix IUCV buffer allocation
ALSA: hiface: Fix M2Tech hiFace driver sampling rate change
libceph: verify authorize reply on connect
Input: drv260x - fix input device's parent assignment
block_dev: don't test bdev->bd_contains when it is not stable
IPoIB: Avoid reading an uninitialized member variable
scsi: avoid a permanent stop of the scsi device's request queue
target/user: Fix use-after-free of tcmu_cmds if they are expired
drivers/gpu/drm/ast: Fix infinite loop if read fails
Revert "ALSA: usb-audio: Fix race at stopping the stream"
IB/cma: Fix a race condition in iboe_addr_get_sgid()
fs: exec: apply CLOEXEC before changing dumpable task flags
sg_write()/bsg_write() is not fit to be called under KERNEL_DS
ipip: Properly mark ipip GRO packets as encapsulated.
net: ipv4: Convert IP network timestamps to be y2038 safe
net: Use more bit fields in napi_gro_cb
tunnels: Don't apply GRO to multiple layers of encapsulation.
gro: Allow tunnel stacking in the case of FOU/GUE
Linux 3.18.47

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
Changes in 3.18.46:
scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression
bus: arm-ccn: Provide required event arguments
bus: arm-ccn: Fix PMU handling of MN
drm/msm: fix use of copy_from_user() while holding spinlock
mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl
cpuset: handle race between CPU hotplug and cpuset_hotplug_work
can: dev: fix deadlock reported after bus-off
mm,ksm: fix endless looping in allocating memory when ksm enable
ARM: 8617/1: dma: fix dma_max_pfn()
x86/init: Fix cr4_init_shadow() on CR4-less machines
scripts/has-stack-protector: add -fno-PIE
x86/kexec: add -fno-PIE
tcp: fix use after free in tcp_xmit_retransmit_queue()
fuse: Propagate dentry down to inode_change_ok()
nfsd: Disable NFSv2 timestamp workaround for NFSv3+
scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
packet: fix race condition in packet_set_ring
Linux 3.18.46
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
Changes in 3.18.45:
udp: properly support MSG_PEEK with truncated buffers
mmc: core: Annotate cmd_hdr as __le32
scsi: Fix use-after-free
jbd2: fix incorrect unlock on j_list_lock
drm/radeon: change vblank_time's calculation method to reduce computational error.
irqchip/gicv3: Handle loop timeout proper
usb: gadget: function: u_ether: don't starve tx request queue
mmc: sdhci: cast unsigned int to unsigned long long to avoid unexpeted error
mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused
mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led
memstick: rtsx_usb_ms: Runtime resume the device when polling for cards
memstick: rtsx_usb_ms: Manage runtime PM when accessing the device
USB: serial: ftdi_sio: add support for Infineon TriBoard TC2X7
isofs: Do not return EACCES for unknown filesystems
powerpc/mm: Prevent unlikely crash in copro_calculate_slb()
ubifs: Fix xattr_names length in exit paths
target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code
libxfs: clean up _calc_dquots_per_chunk
xhci: add restart quirk for Intel Wildcatpoint PCH
USB: serial: fix potential NULL-dereference at probe
usb: increase ohci watchdog delay to 275 msec
dm table: fix missing dm_put_target_type() in dm_table_add_target()
mei: txe: don't clean an unprocessed interrupt cause.
hv: do not lose pending heartbeat vmbus packets
KEYS: Fix short sprintf buffer in /proc/keys show function
ALSA: usb-audio: Add quirk for Syntek STK1160
tty: limit terminal size to 4M chars
vt: clear selection before resizing
btrfs: fix races on root_log_ctx lists
GenWQE: Fix bad page access during abort of resource allocation
mac80211: discard multicast and 4-addr A-MSDUs
Input: i8042 - add XMG C504 to keyboard reset table
USB: serial: cp210x: fix tiocmget error handling
drm/radeon/si/dpm: add workaround for for Jet parts
drm/radeon/si_dpm: Limit clocks on HD86xx part
powerpc: Convert cmp to cmpd in idle enter sequence
scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices
drm/radeon: drop register readback in cayman_cp_int_cntl_setup
KVM: MIPS: Make ERET handle ERL before EXL
drm/radeon/si_dpm: workaround for SI kickers
scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
md: sync sync_completed has correct value as recovery finishes.
md: be careful not lot leak internal curr_resync value into metadata. -- (all)
virtio: console: Unlock vqs while freeing buffers
ovl: fsync after copy-up
parisc: Ensure consistent state when switching to kernel stack at syscall entry
firewire: net: guard against rx buffer overflows
firewire: net: fix fragmented datagram_size off-by-one
kbuild: add -fno-PIE
Linux 3.18.45
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
Changes in 3.18.44:
mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
x86/cpu: Fix SMAP check in PVOPS environments
xhci: fix usb2 resume timing and races.
Linux 3.18.44
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
Changes in 3.18.43:
MIPS: KVM: Check for pfn noslot case
ovl: fix workdir creation
ARM: OMAP3: hwmod data: Add sysc information for DSI
Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel"
bus: arm-ccn: Do not attempt to configure XPs for cycle counter
bus: arm-ccn: Fix XP watchpoint settings bitmask
ARM: kirkwood: ib62x0: fix size of u-boot environment partition
ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
ALSA: timer: fix NULL pointer dereference on memory allocation failure
ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114
ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx
ALSA: fireworks: accessing to user space outside spinlock
iio: accel: kxsd9: Fix scaling bug
sched/core: Fix a race between try_to_wake_up() and a woken up task
usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
Btrfs: add missing blk_finish_plug in btrfs_sync_log()
Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
ipv6: addrconf: fix dev refcont leak when DAD failed
crypto: cryptd - initialize child shash_desc on import
powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET
xhci: fix null pointer dereference in stop command timeout function
ALSA: timer: Call notifier in the same spinlock
ALSA: timer: Fix zero-division by continue of uninitialized instance
kvm-arm: Unmap shadow pagetables properly
arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
asm-generic: make copy_from_user() zero the destination properly
USB: serial: simple: add support for another Infineon flashloader
crypto: skcipher - Fix blkcipher walk OOM crash
crypto: arm64/aes-ctr - fix NULL dereference in tail processing
MIPS: paravirt: Fix undefined reference to smp_bootstrap
genirq: Generic chip: Change irq_reg_{readl,writel} arguments
genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers
MIPS: Add a missing ".set pop" in an early commit
nl80211: validate number of probe response CSA counters
asm-generic: {get,put}_user ptr argument evaluate only 1 time
asm-generic: make get_user() clear the destination on errors
frv: fix clear_user()
hexagon: fix strncpy_from_user() error return
ia64: copy_from_user() should zero the destination on access_ok() failure
metag: copy_from_user() should zero the destination on access_ok() failure
ARC: uaccess: get_user to zero out dest in cause of fault
mips: copy_from_user() must zero the destination on access_ok() failure
mn10300: failing __get_user() and get_user() should zero
mn10300: copy_from_user() should zero on access_ok() failure...
openrisc: fix copy_from_user()
parisc: fix copy_from_user()
ppc32: fix copy_from_user()
s390: get_user() should zero on failure
score: fix __get_user/get_user
score: fix copy_from_user() and friends
sh64: failing __get_user() should zero
sh: fix copy_from_user()
sparc32: fix copy_from_user()
blackfin: fix copy_from_user()
m32r: fix __get_user()
microblaze: fix copy_from_user()
microblaze: fix __get_user()
avr32: fix copy_from_user()
fix minor infoleak in get_user_ex()
USB: change bInterval default to 10 ms
can: flexcan: fix resume function
ocfs2/dlm: fix race between convert and migration
autofs races
autofs: use dentry flags to block walks during expire
fsnotify: add a way to stop queueing events on group shutdown
fanotify: fix list corruption in fanotify_get_response()
ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
fix fault_in_multipages_...() on architectures with no-op access_ok()
btrfs: ensure that file descriptor used with subvol ioctls is a dir
block: Do a full clone when splitting discard bios
hexagon: Fix build failures in linux-next
avr32: fix 'undefined reference to `___copy_from_user'
ARM: orion: convert the irq_reg_{readl,writel} calls to the new API
openrisc: fix the fix of copy_from_user()
Linux 3.18.43
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-