From: Greg Kroah-Hartman Date: Fri, 31 Jul 2015 01:24:54 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v4.1.4~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2eea8ba8a3ded9959bfed9b2b20583f71419cf21;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: __bitmap_parselist-fix-bug-in-empty-string-handling.patch clocksource-exynos_mct-avoid-blocking-calls-in-the-cpu-hotplug-notifier.patch dell-laptop-fix-allocating-freeing-smi-buffer-page.patch ideapad-fix-software-rfkill-setting.patch mac80211-prevent-possible-crypto-tx-tailroom-corruption.patch mmc-card-fixup-request-missing-in-mmc_blk_issue_rw_rq.patch pm-sleep-increase-default-dpm-watchdog-timeout-to-60.patch security_syslog-should-be-called-once-only.patch
---
diff --git a/queue-3.14/__bitmap_parselist-fix-bug-in-empty-string-handling.patch b/queue-3.14/__bitmap_parselist-fix-bug-in-empty-string-handling.patch
new file mode 100644
index 00000000000..53d2ebe7cf6
--- /dev/null
+++ b/queue-3.14/__bitmap_parselist-fix-bug-in-empty-string-handling.patch
@@ -0,0 +1,82 @@
+From 2528a8b8f457d7432552d0e2b6f0f4046bb702f4 Mon Sep 17 00:00:00 2001
+From: Chris Metcalf
+Date: Thu, 25 Jun 2015 15:02:08 -0700
+Subject: __bitmap_parselist: fix bug in empty string handling
+
+From: Chris Metcalf
+
+commit 2528a8b8f457d7432552d0e2b6f0f4046bb702f4 upstream.
+
+bitmap_parselist("", &mask, nmaskbits) will erroneously set bit zero in
+the mask. The same bug is visible in cpumask_parselist() since it is
+layered on top of the bitmask code, e.g. if you boot with "isolcpus=",
+you will actually end up with cpu zero isolated.
+
+The bug was introduced in commit 4b060420a596 ("bitmap, irq: add
+smp_affinity_list interface to /proc/irq") when bitmap_parselist() was
+generalized to support userspace as well as kernelspace.
+
+Fixes: 4b060420a596 ("bitmap, irq: add smp_affinity_list interface to /proc/irq")
+Signed-off-by: Chris Metcalf
+Cc: Rasmus Villemoes
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/bitmap.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/lib/bitmap.c
++++ b/lib/bitmap.c
+@@ -603,12 +603,12 @@ static int __bitmap_parselist(const char
+ unsigned a, b;
+ int c, old_c, totaldigits;
+ const char __user __force *ubuf = (const char __user __force *)buf;
+- int exp_digit, in_range;
++ int at_start, in_range;
+
+ totaldigits = c = 0;
+ bitmap_zero(maskp, nmaskbits);
+ do {
+- exp_digit = 1;
++ at_start = 1;
+ in_range = 0;
+ a = b = 0;
+
+@@ -637,11 +637,10 @@ static int __bitmap_parselist(const char
+ break;
+
+ if (c == '-') {
+- if (exp_digit || in_range)
++ if (at_start || in_range)
+ return -EINVAL;
+ b = 0;
+ in_range = 1;
+- exp_digit = 1;
+ continue;
+ }
+
+@@ -651,16 +650,18 @@ static int __bitmap_parselist(const char
+ b = b * 10 + (c - '0');
+ if (!in_range)
+ a = b;
+- exp_digit = 0;
++ at_start = 0;
+ totaldigits++;
+ }
+ if (!(a <= b))
+ return -EINVAL;
+ if (b >= nmaskbits)
+ return -ERANGE;
+- while (a <= b) {
+- set_bit(a, maskp);
+- a++;
++ if (!at_start) {
++ while (a <= b) {
++ set_bit(a, maskp);
++ a++;
++ }
+ }
+ } while (buflen && c == ',');
+ return 0;
diff --git a/queue-3.14/clocksource-exynos_mct-avoid-blocking-calls-in-the-cpu-hotplug-notifier.patch b/queue-3.14/clocksource-exynos_mct-avoid-blocking-calls-in-the-cpu-hotplug-notifier.patch
new file mode 100644
index 00000000000..a139d3e4e5a
--- /dev/null
+++ b/queue-3.14/clocksource-exynos_mct-avoid-blocking-calls-in-the-cpu-hotplug-notifier.patch
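Review bot: In `__bitmap_parselist()` (the bitmap patch above) the context line `b = b * 10 + (c - '0');` accumulates into an `unsigned` with no overflow check, so a long enough digit string wraps and can alias to a small bit number that still passes the `b >= nmaskbits` test; the patch fixes the empty-string case but leaves this untouched. Because the parser also accepts `__user` buffers (see `ubuf`), a guard before the multiply such as `if (b > (UINT_MAX - (c - '0')) / 10) return -ERANGE;` would reject such input instead of setting an unintended bit. The function body begins and ends outside the hunks shown.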
@@ -0,0 +1,142 @@
+From 56a94f13919c0db5958611b388e1581b4852f3c9 Mon Sep 17 00:00:00 2001
+From: Damian Eppel
+Date: Fri, 26 Jun 2015 15:23:04 +0200
+Subject: clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier
+
+From: Damian Eppel
+
+commit 56a94f13919c0db5958611b388e1581b4852f3c9 upstream.
+
+Whilst testing cpu hotplug events on kernel configured with
+DEBUG_PREEMPT and DEBUG_ATOMIC_SLEEP we get following BUG message,
+caused by calling request_irq() and free_irq() in the context of
+hotplug notification (which is in this case atomic context).
+
+[ 40.785859] CPU1: Software reset
+[ 40.786660] BUG: sleeping function called from invalid context at mm/slub.c:1241
+[ 40.786668] in_atomic(): 1, irqs_disabled(): 128, pid: 0, name: swapper/1
+[ 40.786678] Preemption disabled at:[< (null)>] (null)
+[ 40.786681]
+[ 40.786692] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.19.0-rc4-00024-g7dca860 #36
+[ 40.786698] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+[ 40.786728] [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
+[ 40.786747] [] (show_stack) from [] (dump_stack+0x70/0xbc)
+[ 40.786767] [] (dump_stack) from [] (kmem_cache_alloc+0xd8/0x170)
+[ 40.786785] [] (kmem_cache_alloc) from [] (request_threaded_irq+0x64/0x128)
+[ 40.786804] [] (request_threaded_irq) from [] (exynos4_local_timer_setup+0xc0/0x13c)
+[ 40.786820] [] (exynos4_local_timer_setup) from [] (exynos4_mct_cpu_notify+0x30/0xa8)
+[ 40.786838] [] (exynos4_mct_cpu_notify) from [] (notifier_call_chain+0x44/0x84)
+[ 40.786857] [] (notifier_call_chain) from [] (__cpu_notify+0x28/0x44)
+[ 40.786873] [] (__cpu_notify) from [] (secondary_start_kernel+0xec/0x150)
+[ 40.786886] [] (secondary_start_kernel) from [<40008764>] (0x40008764)
+
+Interrupts cannot be requested/freed in the CPU_STARTING/CPU_DYING
+notifications which run on the hotplugged cpu with interrupts and
+preemption disabled.
+
+To avoid the issue, request the interrupts for all possible cpus in
+the boot code. The interrupts are marked NO_AUTOENABLE to avoid a racy
+request_irq/disable_irq() sequence. The flag prevents the
+request_irq() code from enabling the interrupt immediately.
+
+The interrupt is then enabled in the CPU_STARTING notifier of the
+hotplugged cpu and again disabled with disable_irq_nosync() in the
+CPU_DYING notifier.
+
+[ tglx: Massaged changelog to match the patch ]
+
+Fixes: 7114cd749a12 ("clocksource: exynos_mct: use (request/free)_irq calls for local timer registration")
+Reported-by: Krzysztof Kozlowski
+Reviewed-by: Krzysztof Kozlowski
+Tested-by: Krzysztof Kozlowski
+Tested-by: Marcin Jabrzyk
+Signed-off-by: Damian Eppel
+Cc: m.szyprowski@samsung.com
+Cc: kyungmin.park@samsung.com
+Cc: daniel.lezcano@linaro.org
+Cc: kgene@kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/1435324984-7328-1-git-send-email-d.eppel@samsung.com
+Signed-off-by: Thomas Gleixner
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clocksource/exynos_mct.c | 43 +++++++++++++++++++++++++++------------
+ 1 file changed, 30 insertions(+), 13 deletions(-)
+
+--- a/drivers/clocksource/exynos_mct.c
++++ b/drivers/clocksource/exynos_mct.c
+@@ -422,15 +422,12 @@ static int exynos4_local_timer_setup(str
+ exynos4_mct_write(TICK_BASE_CNT, mevt->base + MCT_L_TCNTB_OFFSET);
+
+ if (mct_int_type == MCT_INT_SPI) {
+- evt->irq = mct_irqs[MCT_L0_IRQ + cpu];
+- if (request_irq(evt->irq, exynos4_mct_tick_isr,
+- IRQF_TIMER | IRQF_NOBALANCING,
+- evt->name, mevt)) {
+- pr_err("exynos-mct: cannot register IRQ %d\n",
+- evt->irq);
++
++ if (evt->irq == -1)
+ return -EIO;
+- }
+- irq_force_affinity(mct_irqs[MCT_L0_IRQ + cpu], cpumask_of(cpu));
++
++ irq_force_affinity(evt->irq, cpumask_of(cpu));
++ enable_irq(evt->irq);
+ } else {
+ enable_percpu_irq(mct_irqs[MCT_L0_IRQ], 0);
+ }
+@@ -443,10 +440,12 @@ static int exynos4_local_timer_setup(str
+ static void exynos4_local_timer_stop(struct clock_event_device *evt)
+ {
+ evt->set_mode(CLOCK_EVT_MODE_UNUSED, evt);
+- if (mct_int_type == MCT_INT_SPI)
+- free_irq(evt->irq, this_cpu_ptr(&percpu_mct_tick));
+- else
++ if (mct_int_type == MCT_INT_SPI) {
++ if (evt->irq != -1)
++ disable_irq_nosync(evt->irq);
++ } else {
+ disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
++ }
+ }
+
+ static int exynos4_mct_cpu_notify(struct notifier_block *self,
+@@ -478,7 +477,7 @@ static struct notifier_block exynos4_mct
+
+ static void __init exynos4_timer_resources(struct device_node *np, void __iomem *base)
+ {
+- int err;
++ int err, cpu;
+ struct mct_clock_event_device *mevt = this_cpu_ptr(&percpu_mct_tick);
+ struct clk *mct_clk, *tick_clk;
+
+@@ -505,7 +504,25 @@ static void __init exynos4_timer_resourc
+ WARN(err, "MCT: can't request IRQ %d (%d)\n",
+ mct_irqs[MCT_L0_IRQ], err);
+ } else {
+- irq_set_affinity(mct_irqs[MCT_L0_IRQ], cpumask_of(0));
++ for_each_possible_cpu(cpu) {
++ int mct_irq = mct_irqs[MCT_L0_IRQ + cpu];
++ struct mct_clock_event_device *pcpu_mevt =
++ per_cpu_ptr(&percpu_mct_tick, cpu);
++
++ pcpu_mevt->evt.irq = -1;
++
++ irq_set_status_flags(mct_irq, IRQ_NOAUTOEN);
++ if (request_irq(mct_irq,
++ exynos4_mct_tick_isr,
++ IRQF_TIMER | IRQF_NOBALANCING,
++ pcpu_mevt->name, pcpu_mevt)) {
++ pr_err("exynos-mct: cannot register IRQ (cpu%d)\n",
++ cpu);
++
++ continue;
++ }
++ pcpu_mevt->evt.irq = mct_irq;
++ }
+ }
+
+ err = register_cpu_notifier(&exynos4_mct_cpu_nb);
diff --git a/queue-3.14/dell-laptop-fix-allocating-freeing-smi-buffer-page.patch b/queue-3.14/dell-laptop-fix-allocating-freeing-smi-buffer-page.patch
new file mode 100644
index 00000000000..4eb2002059c
--- /dev/null
+++ b/queue-3.14/dell-laptop-fix-allocating-freeing-smi-buffer-page.patch
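Review bot: In `exynos4_timer_resources()` (the exynos_mct patch above) the new `for_each_possible_cpu(cpu)` loop reads `mct_irqs[MCT_L0_IRQ + cpu]` with no bound on the index; the size of `mct_irqs` is not visible in the hunk, so if the number of possible CPUs can exceed the local-timer entries this reads past the array and requests whatever IRQ number it finds there. Assuming `mct_irqs` is a fixed-size array, a guard such as `if (MCT_L0_IRQ + cpu >= ARRAY_SIZE(mct_irqs)) break;` at the top of the loop body would make the limit explicit. Separately, when `request_irq()` fails the `IRQ_NOAUTOEN` flag set just before it stays on that interrupt; `irq_clear_status_flags(mct_irq, IRQ_NOAUTOEN);` before the `continue` would undo it.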
@@ -0,0 +1,63 @@
+From b8830a4e71b15d0364ac8e6c55301eea73f211da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?=
+Date: Tue, 23 Jun 2015 10:11:19 +0200
+Subject: dell-laptop: Fix allocating & freeing SMI buffer page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?=
+
+commit b8830a4e71b15d0364ac8e6c55301eea73f211da upstream.
+
+This commit fix kernel crash when probing for rfkill devices in dell-laptop
+driver failed. Function free_page() was incorrectly used on struct page *
+instead of virtual address of SMI buffer.
+
+This commit also simplify allocating page for SMI buffer by using
+__get_free_page() function instead of sequential call of functions
+alloc_page() and page_address().
+
+Signed-off-by: Pali Rohár
+Acked-by: Michal Hocko
+Signed-off-by: Darren Hart
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/dell-laptop.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/platform/x86/dell-laptop.c
++++ b/drivers/platform/x86/dell-laptop.c
+@@ -272,7 +272,6 @@ static struct dmi_system_id dell_quirks[
+ };
+
+ static struct calling_interface_buffer *buffer;
+-static struct page *bufferpage;
+ static DEFINE_MUTEX(buffer_mutex);
+
+ static int hwswitch_state;
+@@ -825,12 +824,11 @@ static int __init dell_init(void)
+ * Allocate buffer below 4GB for SMI data--only 32-bit physical addr
+ * is passed to SMI handler.
+ */
+- bufferpage = alloc_page(GFP_KERNEL | GFP_DMA32);
+- if (!bufferpage) {
++ buffer = (void *)__get_free_page(GFP_KERNEL | GFP_DMA32);
++ if (!buffer) {
+ ret = -ENOMEM;
+ goto fail_buffer;
+ }
+- buffer = page_address(bufferpage);
+
+ ret = dell_setup_rfkill();
+
+@@ -892,7 +890,7 @@ fail_backlight:
+ cancel_delayed_work_sync(&dell_rfkill_work);
+ dell_cleanup_rfkill();
+ fail_rfkill:
+- free_page((unsigned long)bufferpage);
++ free_page((unsigned long)buffer);
+ fail_buffer:
+ platform_device_del(platform_device);
+ fail_platform_device2:
diff --git a/queue-3.14/ideapad-fix-software-rfkill-setting.patch b/queue-3.14/ideapad-fix-software-rfkill-setting.patch
new file mode 100644
index 00000000000..0753598ee66
--- /dev/null
+++ b/queue-3.14/ideapad-fix-software-rfkill-setting.patch
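Review bot: In `dell_init()` (the dell-laptop patch above) the SMI buffer page now comes from `__get_free_page(GFP_KERNEL | GFP_DMA32)`, which does not zero it, and the comment in the hunk says its physical address is passed to the SMI handler. Whether every caller clears the buffer before issuing an SMI is not visible in these hunks; if one does not, stale kernel memory is exposed to firmware. `buffer = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA32);` would give the buffer a defined initial state. `dell_init()` starts and ends outside the hunk.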
@@ -0,0 +1,40 @@
+From 4b200b4604bec3388426159f1656109d19fadf6e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Sat, 13 Jun 2015 15:23:33 +0200
+Subject: ideapad: fix software rfkill setting
+
+From: Arnd Bergmann
+
+commit 4b200b4604bec3388426159f1656109d19fadf6e upstream.
+
+This fixes a several year old regression that I found while trying
+to get the Yoga 3 11 to work. The ideapad_rfk_set function is meant
+to send a command to the embedded controller through ACPI, but
+as of c1f73658ed, it sends the index of the rfkill device instead
+of the command, and ignores the opcode field.
+
+This changes it back to the original behavior, which indeed
+flips the rfkill state as seen in the debugfs interface.
+
+Signed-off-by: Arnd Bergmann
+Fixes: c1f73658ed ("ideapad: pass ideapad_priv as argument (part 2)")
+Signed-off-by: Darren Hart
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/ideapad-laptop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/ideapad-laptop.c
++++ b/drivers/platform/x86/ideapad-laptop.c
+@@ -461,8 +461,9 @@ const struct ideapad_rfk_data ideapad_rf
+ static int ideapad_rfk_set(void *data, bool blocked)
+ {
+ struct ideapad_rfk_priv *priv = data;
++ int opcode = ideapad_rfk_data[priv->dev].opcode;
+
+- return write_ec_cmd(priv->priv->adev->handle, priv->dev, !blocked);
++ return write_ec_cmd(priv->priv->adev->handle, opcode, !blocked);
+ }
+
+ static struct rfkill_ops ideapad_rfk_ops = {
diff --git a/queue-3.14/mac80211-prevent-possible-crypto-tx-tailroom-corruption.patch b/queue-3.14/mac80211-prevent-possible-crypto-tx-tailroom-corruption.patch
new file mode 100644
index 00000000000..f6739e2ee93
--- /dev/null
+++ b/queue-3.14/mac80211-prevent-possible-crypto-tx-tailroom-corruption.patch
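Review bot: `ideapad_rfk_set()` (the ideapad patch above) indexes `ideapad_rfk_data[priv->dev]` without checking that `priv->dev` is within the table, and nothing in the hunk shows where `priv->dev` is assigned. If that invariant holds by construction it deserves a comment, since confusing the table index with the EC opcode is exactly the regression being fixed. I would put `/* priv->dev indexes ideapad_rfk_data[]; write_ec_cmd() takes the EC opcode, not the index */` above the new `opcode` line.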
@@ -0,0 +1,59 @@
+From ab499db80fcf07c18e4053f91a619500f663e90e Mon Sep 17 00:00:00 2001
+From: Michal Kazior
+Date: Fri, 22 May 2015 10:22:40 +0200
+Subject: mac80211: prevent possible crypto tx tailroom corruption
+
+From: Michal Kazior
+
+commit ab499db80fcf07c18e4053f91a619500f663e90e upstream.
+
+There was a possible race between
+ieee80211_reconfig() and
+ieee80211_delayed_tailroom_dec(). This could
+result in inability to transmit data if driver
+crashed during roaming or rekeying and subsequent
+skbs with insufficient tailroom appeared.
+
+This race was probably never seen in the wild
+because a device driver would have to crash AND
+recover within 0.5s which is very unlikely.
+
+I was able to prove this race exists after
+changing the delay to 10s locally and crashing
+ath10k via debugfs immediately after GTK
+rekeying. In case of ath10k the counter went below
+0. This was harmless but other drivers which
+actually require tailroom (e.g. for WEP ICV or
+MMIC) could end up with the counter at 0 instead
+of >0 and introduce insufficient skb tailroom
+failures because mac80211 would not resize skbs
+appropriately anymore.
+
+Fixes: 8d1f7ecd2af5 ("mac80211: defer tailroom counter manipulation when roaming")
+Signed-off-by: Michal Kazior
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -248,6 +248,7 @@ static void ieee80211_restart_work(struc
+ {
+ struct ieee80211_local *local =
+ container_of(work, struct ieee80211_local, restart_work);
++ struct ieee80211_sub_if_data *sdata;
+
+ /* wait for scan work complete */
+ flush_workqueue(local->workqueue);
+@@ -256,6 +257,8 @@ static void ieee80211_restart_work(struc
+ "%s called with hardware scan in progress\n", __func__);
+
+ rtnl_lock();
++ list_for_each_entry(sdata, &local->interfaces, list)
++ flush_delayed_work(&sdata->dec_tailroom_needed_wk);
+ ieee80211_scan_cancel(local);
+ ieee80211_reconfig(local);
+ rtnl_unlock();
diff --git a/queue-3.14/mmc-card-fixup-request-missing-in-mmc_blk_issue_rw_rq.patch b/queue-3.14/mmc-card-fixup-request-missing-in-mmc_blk_issue_rw_rq.patch
new file mode 100644
index 00000000000..890d11bfa26
--- /dev/null
+++ b/queue-3.14/mmc-card-fixup-request-missing-in-mmc_blk_issue_rw_rq.patch
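Review bot: The new `flush_delayed_work(&sdata->dec_tailroom_needed_wk)` loop in `ieee80211_restart_work()` (the mac80211 patch above) runs with the RTNL held and carries no comment saying why it must precede `ieee80211_reconfig()`. Flushing under `rtnl_lock()` is only safe while the delayed work never takes the RTNL itself, which cannot be confirmed from this hunk. I would add `/* settle pending tailroom decrements before reconfig; the work must not take the RTNL */` above the loop so both the ordering and the locking assumption are recorded.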
@@ -0,0 +1,55 @@
+From 29535f7b797df35cc9b6b3bca635591cdd3dd2a8 Mon Sep 17 00:00:00 2001
+From: Ding Wang
+Date: Mon, 18 May 2015 20:14:15 +0800
+Subject: mmc: card: Fixup request missing in mmc_blk_issue_rw_rq
+
+From: Ding Wang
+
+commit 29535f7b797df35cc9b6b3bca635591cdd3dd2a8 upstream.
+
+The current handler of MMC_BLK_CMD_ERR in mmc_blk_issue_rw_rq function
+may cause new coming request permanent missing when the ongoing
+request (previoulsy started) complete end.
+
+The problem scenario is as follows:
+(1) Request A is ongoing;
+(2) Request B arrived, and finally mmc_blk_issue_rw_rq() is called;
+(3) Request A encounters the MMC_BLK_CMD_ERR error;
+(4) In the error handling of MMC_BLK_CMD_ERR, suppose mmc_blk_cmd_err()
+ end request A completed and return zero. Continue the error handling,
+ suppose mmc_blk_reset() reset device success;
+(5) Continue the execution, while loop completed because variable ret
+ is zero now;
+(6) Finally, mmc_blk_issue_rw_rq() return without processing request B.
+
+The process related to the missing request may wait that IO request
+complete forever, possibly crashing the application or hanging the system.
+
+Fix this issue by starting new request when reset success.
+
+Signed-off-by: Ding Wang
+Fixes: 67716327eec7 ("mmc: block: add eMMC hardware reset support")
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/card/block.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -1863,9 +1863,11 @@ static int mmc_blk_issue_rw_rq(struct mm
+ break;
+ case MMC_BLK_CMD_ERR:
+ ret = mmc_blk_cmd_err(md, card, brq, req, ret);
+- if (!mmc_blk_reset(md, card->host, type))
+- break;
+- goto cmd_abort;
++ if (mmc_blk_reset(md, card->host, type))
++ goto cmd_abort;
++ if (!ret)
++ goto start_new_req;
++ break;
+ case MMC_BLK_RETRY:
+ if (retry++ < 5)
+ break;
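Review bot: In the `MMC_BLK_CMD_ERR` case of `mmc_blk_issue_rw_rq()`, `ret` is both an argument to and the result of `mmc_blk_cmd_err()`, and the new `if (!ret) goto start_new_req;` depends on what that result means, which the hunk does not say. The commit message implies zero means the request was ended in full; a comment such as `/* request fully ended by mmc_blk_cmd_err(): issue the pending one instead of dropping it */` on that branch would keep a later reader from folding it back into the `break`. The `start_new_req` and `cmd_abort` labels and the surrounding loop are outside the hunk.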
diff --git a/queue-3.14/pm-sleep-increase-default-dpm-watchdog-timeout-to-60.patch b/queue-3.14/pm-sleep-increase-default-dpm-watchdog-timeout-to-60.patch
new file mode 100644
index 00000000000..206df31d652
--- /dev/null
+++ b/queue-3.14/pm-sleep-increase-default-dpm-watchdog-timeout-to-60.patch
@@ -0,0 +1,40 @@
+From fff3b16d2754a061a3549c4307a186423a0128fd Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 25 Jun 2015 00:35:16 +0200
+Subject: PM / sleep: Increase default DPM watchdog timeout to 60
+
+From: Takashi Iwai
+
+commit fff3b16d2754a061a3549c4307a186423a0128fd upstream.
+
+Many harddisks (mostly WD ones) have firmware problems and take too
+long, more than 10 seconds, to resume from suspend. And this often
+exceeds the default DPM watchdog timeout (12 seconds), resulting in a
+kernel panic out of sudden.
+
+Since most distros just take the default as is, we should give a bit
+more safer value. This patch increases the default value from 12
+seconds to one minute, which has been confirmed to be long enough for
+such problematic disks.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=91921
+Fixes: 70fea60d888d (PM / Sleep: Detect device suspend/resume lockup and log event)
+Signed-off-by: Takashi Iwai
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/power/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/power/Kconfig
++++ b/kernel/power/Kconfig
+@@ -191,7 +191,7 @@ config DPM_WATCHDOG
+ config DPM_WATCHDOG_TIMEOUT
+ int "Watchdog timeout in seconds"
+ range 1 120
+- default 12
++ default 60
+ depends on DPM_WATCHDOG
+
+ config PM_TRACE
diff --git a/queue-3.14/security_syslog-should-be-called-once-only.patch b/queue-3.14/security_syslog-should-be-called-once-only.patch
new file mode 100644
index 00000000000..5541999039e
--- /dev/null
+++ b/queue-3.14/security_syslog-should-be-called-once-only.patch
@@ -0,0 +1,77 @@
+From d194e5d666225b04c7754471df0948f645b6ab3a Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Thu, 25 Jun 2015 15:01:44 -0700
+Subject: security_syslog() should be called once only
+
+From: Vasily Averin
+
+commit d194e5d666225b04c7754471df0948f645b6ab3a upstream.
+
+The final version of commit 637241a900cb ("kmsg: honor dmesg_restrict
+sysctl on /dev/kmsg") lost few hooks, as result security_syslog() are
+processed incorrectly:
+
+- open of /dev/kmsg checks syslog access permissions by using
+ check_syslog_permissions() where security_syslog() is not called if
+ dmesg_restrict is set.
+
+- syslog syscall and /proc/kmsg calls do_syslog() where security_syslog
+ can be executed twice (inside check_syslog_permissions() and then
+ directly in do_syslog())
+
+With this patch security_syslog() is called once only in all
+syslog-related operations regardless of dmesg_restrict value.
+
+Fixes: 637241a900cb ("kmsg: honor dmesg_restrict sysctl on /dev/kmsg")
+Signed-off-by: Vasily Averin
+Cc: Kees Cook
+Cc: Josh Boyer
+Cc: Eric Paris
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/printk/printk.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -383,11 +383,11 @@ static int check_syslog_permissions(int
+ * already done the capabilities checks at open time.
+ */
+ if (from_file && type != SYSLOG_ACTION_OPEN)
+- return 0;
++ goto ok;
+
+ if (syslog_action_restricted(type)) {
+ if (capable(CAP_SYSLOG))
+- return 0;
++ goto ok;
+ /*
+ * For historical reasons, accept CAP_SYS_ADMIN too, with
+ * a warning.
+@@ -397,10 +397,11 @@ static int check_syslog_permissions(int
+ "CAP_SYS_ADMIN but no CAP_SYSLOG "
+ "(deprecated).\n",
+ current->comm, task_pid_nr(current));
+- return 0;
++ goto ok;
+ }
+ return -EPERM;
+ }
++ok:
+ return security_syslog(type);
+ }
+
+@@ -1126,10 +1127,6 @@ int do_syslog(int type, char __user *buf
+ if (error)
+ goto out;
+
+- error = security_syslog(type);
+- if (error)
+- return error;
+-
+ switch (type) {
+ case SYSLOG_ACTION_CLOSE: /* Close log */
+ break;
diff --git a/queue-3.14/series b/queue-3.14/series
index f5e2838892c..9c9eb28add4 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -98,3 +98,11 @@ acpica-tables-fix-an-issue-that-facs-initialization-is-performed-twice.patch
 iscsi-target-convert-iscsi_thread_set-usage-to-kthread.h.patch
 iser-target-fix-possible-deadlock-in-rdma_cm-connection-error.patch
 iser-target-release-stale-iser-connections.patch
+mmc-card-fixup-request-missing-in-mmc_blk_issue_rw_rq.patch
+pm-sleep-increase-default-dpm-watchdog-timeout-to-60.patch
+__bitmap_parselist-fix-bug-in-empty-string-handling.patch
+security_syslog-should-be-called-once-only.patch
+mac80211-prevent-possible-crypto-tx-tailroom-corruption.patch
+clocksource-exynos_mct-avoid-blocking-calls-in-the-cpu-hotplug-notifier.patch
+ideapad-fix-software-rfkill-setting.patch
+dell-laptop-fix-allocating-freeing-smi-buffer-page.patch
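Review bot: After the security_syslog patch `check_syslog_permissions()` is the only place the LSM hook runs, but nothing at the new `ok:` label records that contract, and the `do_syslog()` hunk silently relies on it. A comment at the label, e.g. `/* sole security_syslog() call for every permitted path; callers must not invoke the hook again */`, would help keep a later edit from reintroducing the double call or adding an early `return 0` that skips the hook. Both function bodies extend beyond the hunks shown.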