Reporting the crash: KASAN: null-ptr-deref Write in binder_update_page_range
This crash has been found in v4.18-rc3 using RaceFuzzer (a modified
version of Syzkaller), which we describe more at the end of this
report.
Our analysis shows that the race occurs when invoking two syscalls
concurrently
On Mon, Aug 20, 2018 at 3:33 AM, NeilBrown wrote:
> On Sun, Aug 12 2018, Sergio Paracuellos wrote:
>
>> This patch series parse remaining port info from device tree storing
>> it in mt7621_pcie_port struct created for this.
>>
>> Also minor cleanups are performed here:
>> - Remove not used mac
Rename BaTimeoutValue to timeout_value. This clears checkpatch issue
with CamelCase naming.
This is a coding style change which should have no impact on runtime
code execution.
Signed-off-by: John Whitmore
---
drivers/staging/rtl8192u/ieee80211/rtl819x_BA.h| 2 +-
.../staging/rtl8192u/ieee
Remove old commented out structure and clean up the indentation.
These are coding style changes which should have no impact on runtime
code execution.
Signed-off-by: John Whitmore
---
.../staging/rtl8192u/ieee80211/rtl819x_BA.h | 47 ---
1 file changed, 20 insertions(+), 27 de
Rename BaStartSeqCtrl to start_seq_ctrl. This change clears the
checkpatch issue with CamelCase naming.
This is a coding style change which should not impact runtime code
execution.
Signed-off-by: John Whitmore
---
drivers/staging/rtl8192u/ieee80211/ieee80211_tx.c | 2 +-
drivers/staging/rtl
Rename the member variable Timer to all lowercase to clear the
checkpatch issue with CamelCase naming.
This change is purely a coding style change which should have no impact
on runtime code execution.
Signed-off-by: John Whitmore
---
drivers/staging/rtl8192u/ieee80211/rtl819x_BA.h | 2 +-
Refactor the union BA_PARAM_SET, firstly removing the 'typedef', this
clears the checkpatch issue with defining new types. Secondly the union
is renamed to lowercase to comply with the coding standard.
These are coding style changes which should have no impact on runtime
code execution.
Signed-of
Rename the member variable DialogToken to dialog_token. This clears
the checkpatch issue with CamelCase naming.
This is a coding style change which should have no impact on runtime
code execution.
Signed-off-by: John Whitmore
---
drivers/staging/rtl8192u/ieee80211/rtl819x_BA.h| 2 +-
.../s
Rename the member variable BaParamSet to param_set. This clears the
checkpatch issue with CamelCase naming.
This is a coding style change which should have no impact on runtime
code execution.
Signed-off-by: John Whitmore
---
.../staging/rtl8192u/ieee80211/rtl819x_BA.h | 2 +-
.../rtl8192u/i
Rename the member variable bValid to valid, this clears the checkpatch
issue with CamelCase naming.
This is a coding style change which should have no impact on runtime
code execution.
Signed-off-by: John Whitmore
---
.../staging/rtl8192u/ieee80211/ieee80211_tx.c | 2 +-
.../staging/rtl8192u/
remove member 'charData' from the union delba_param_set, as it is not
used in code. The remaining member variables have all been renamed to
clear the checkpatch issue with CamelCase naming.
shortData to short_data
Reserved to reserved
Initiator to initiator
TID to tid
These changes are
Remove the typedef directive from union DELBA_PARAM_SET, to clear the
checkpatch issue with CamelCase naming.
Rename the union to lowercase to comply with the coding standard.
These changes are coding style changes which should have no impact on
runtime code execution.
Signed-off-by: John Whitmo
Rename the member variables FragNum and SeqNum. This change clears
a checkpatch issue with CamelCase naming.
This is a coding style change and should have no impact on runtime
code execution.
Signed-off-by: John Whitmore
---
drivers/staging/rtl8192u/ieee80211/ieee80211_tx.c | 2 +-
drivers/st
Rename the member variables of union ba_param_set to clear the
checkpatch issue with CamelCase naming:
AMSDU_Support to amsdu_support
BAPolicy to ba_policy
TID to tid
BufferSize to buffer_size
These are coding style changes which should have no impact on
runtime code exe
Remove the 'typedef' directive from the BA_RECORD structure, to clear
the checkpatch issue with defining new types.
Additionally rename the structure to lowercase to comply with the
coding style.
These changes are purely coding style changes which should have no
impact on runtime code execution.
The union ba_param_set contains the member variable charData which is
unused. The variable has been removed.
Additionally the member variable shortData has been renamed to clear
a checkpatch issue with CamelCase naming.
These are coding style changes which should not impact runtime code
execution
Rename the ShortData member variable to short_data. This clears a
checkpatch issue with CamelCase naming.
This is a coding style change which should not impact runtime
code execution.
Signed-off-by: John Whitmore
---
drivers/staging/rtl8192u/ieee80211/rtl819x_BA.h | 2 +-
drivers/staging/rt
Remove the 'typedef' from union SEQUENCE_CONTROL. This clears a
checkpatch issue with defining new types.
Additionally renamed the union to lowercase to comply with coding
standard.
These are coding style changes which should not impact runtime
code execution.
typedef union _SEQUENCE_CONTROL{
+u
Remove a number of unused constant definitions.
This is a coding style change which should have no impact on runtime
code execution.
Signed-off-by: John Whitmore
---
drivers/staging/rtl8192u/ieee80211/rtl819x_BA.h | 5 -
1 file changed, 5 deletions(-)
diff --git a/drivers/staging/rtl8192u/
This is a series of patches to clean up the header file:
drivers/staging/rtl8192u/ieee80211/rtl819x_BA.h
John Whitmore (17):
staging:rtl8192u: Remove unused defines - Style
staging:rtl8192u: Refactor SEQUENCE_CONTROL - Style
staging:rtl8192u: Rename ShortData - Style
staging:rtl8192u: Rena
From: Gao Xiang
This patch separates 'erofs_get_meta_page' into 'erofs_get_meta_page'
and 'erofs_get_meta_page_nofail'. The second one ensures that it
should not fail under memory pressure and should make best efforts
if IO errors occur.
It also adds auxiliary variables in order to fulfill 80 ch
From: Gao Xiang
This patch fixes integer overflow on multiplication
of 32-bit `lcn' in z_erofs_map_blocks_iter.
Signed-off-by: Gao Xiang
Reviewed-by: Chao Yu
Signed-off-by: Chao Yu
---
drivers/staging/erofs/unzip_vle.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git
From: Gao Xiang
This patch introduces 'struct z_erofs_vle_work_finder' to clean up
arguments of z_erofs_vle_work_lookup and z_erofs_vle_work_register.
Signed-off-by: Gao Xiang
Reviewed-by: Chao Yu
Signed-off-by: Chao Yu
---
drivers/staging/erofs/unzip_vle.c | 89 -
From: Chao Yu
This patchset mainly adds error handing code for erofs xattr subsystem.
In addition, some code cleanups are also included in this patchset.
P.S. Some other patches are still previewing in the linux-erofs mailing
list, which will be posted in the 2nd part later.
[changelog]
v1 -> v
From: Gao Xiang
Logical address of EOF LTP mapping should start at
`inode->i_size' rather than `inode->i_size - 1' to
`m_la(in)', fix it.
Signed-off-by: Gao Xiang
Reviewed-by: Chao Yu
Signed-off-by: Chao Yu
---
drivers/staging/erofs/unzip_vle.c | 2 +-
1 file changed, 1 insertion(+), 1 delet
From: Chao Yu
As Dan reported in LKP's mailing list:
https://lists.01.org/pipermail/kbuild-all/2018-August/051419.html
New smatch warnings:
drivers/staging/erofs/internal.h:446 erofs_grab_bio() warn: should 'blkaddr <<
(12 - 9)' be a 64 bit type?
drivers/staging/erofs/data.c:78 __erofs_get_met
From: Gao Xiang
this patch renames prepare_bio to erofs_grab_bio, and
adds a nofail option in order to retry in the bio allocator
under memory pressure.
Signed-off-by: Gao Xiang
Reviewed-by: Chao Yu
Signed-off-by: Chao Yu
---
drivers/staging/erofs/data.c | 12 +--
drivers/stagin
From: Gao Xiang
This patch adds error handing code, and fixes a missing
endian conversion in vle_decompressed_index_clusterofs.
Signed-off-by: Gao Xiang
Reviewed-by: Chao Yu
Signed-off-by: Chao Yu
---
drivers/staging/erofs/unzip_vle.c | 26 +++---
1 file changed, 15 inser
From: Gao Xiang
This patch moves vle clustertype definitions to erofs_fs.h
since they are part of on-disk format.
It also adds compile time check for Z_EROFS_VLE_DI_CLUSTER_TYPE_BITS
Signed-off-by: Gao Xiang
Reviewed-by: Chao Yu
Signed-off-by: Chao Yu
---
drivers/staging/erofs/erofs_fs.h |
From: Gao Xiang
This patch enhances the missing error handling code for
xattr submodule, which improves the stability for the rare cases.
Signed-off-by: Gao Xiang
Reviewed-by: Chao Yu
Signed-off-by: Chao Yu
---
drivers/staging/erofs/internal.h | 6 +-
drivers/staging/erofs/xattr.c| 122
From: Larry Finger
> Sent: 20 August 2018 18:51
> When strncpy() is called with source and destination strings the same
> length, gcc 8 warns that there may be an unterminated string. Using
> strlcpy() rather than strncpy() forces a null at the end and quiets the
> warning.
>
> Signed-off-by: Larr
Let's document the magic a bit, especially why device_hotplug_lock is
required when adding/removing memory and how it all play together with
requests to online/offline memory from user space.
Cc: Jonathan Corbet
Cc: Michal Hocko
Cc: Andrew Morton
Signed-off-by: David Hildenbrand
---
Documenta
Let's perform all checking + offlining + removing under
device_hotplug_lock, so nobody can mess with these devices via
sysfs concurrently.
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: Michael Ellerman
Cc: Rashmica Gupta
Cc: Balbir Singh
Cc: Michael Neuling
Signed-off-by: David Hildenbra
device_online() should be called with device_hotplug_lock() held.
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: Michael Ellerman
Cc: Rashmica Gupta
Cc: Balbir Singh
Cc: Michael Neuling
Signed-off-by: David Hildenbrand
---
arch/powerpc/platforms/powernv/memtrace.c | 2 ++
1 file changed
There seem to be some problems as result of 30467e0b3be ("mm, hotplug:
fix concurrent memory hot-add deadlock"), which tried to fix a possible
lock inversion reported and discussed in [1] due to the two locks
a) device_lock()
b) mem_hotplug_lock
While add_memory() first takes b), f
This is the same approach as in the first RFC, but this time without
exporting device_hotplug_lock (requested by Greg) and with some more
details and documentation regarding locking. Tested only on x86 so far.
--
Reading thro
add_memory() currently does not take the device_hotplug_lock, however
is already called under the lock from
arch/powerpc/platforms/pseries/hotplug-memory.c
drivers/acpi/acpi_memhotplug.c
to synchronize against CPU hot-remove and similar.
In general, we should hold the device_hotplug
remove_memory() is exported right now but requires the
device_hotplug_lock, which is not exported. So let's provide a variant
that takes the lock and only export that one.
The lock is already held in
arch/powerpc/platforms/pseries/hotplug-memory.c
drivers/acpi/acpi_memhotplug.c
So,
Great. Thanks!
regards,
dan carpenter
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
Looks good. Thanks.
regards,
dan carpenter
Sorry for replying to self...
On 2018-08-21 08:49, Peter Rosin wrote:
> On 2018-08-21 01:43, Janusz Krzysztofik wrote:
>> Most users of get/set array functions iterate consecutive bits of data,
>> usually a single integer, while or processing array of results obtained
>> from or building an array
On 2018-08-21 01:43, Janusz Krzysztofik wrote:
> Most users of get/set array functions iterate consecutive bits of data,
> usually a single integer, while or processing array of results obtained
> from or building an array of values to be passed to those functions.
> Save time wasted on those itera