1. 04 Sep, 2019 1 commit
    • Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set · 3675f052
      Jann Horn authored
      There is a logic bug in the current smack_bprm_set_creds():
      If LSM_UNSAFE_PTRACE is set, but the ptrace state is deemed to be
      acceptable (e.g. because the ptracer detached in the meantime), the other
      ->unsafe flags aren't checked. As far as I can tell, this means that
      something like the following could work (but I haven't tested it):
      
       - task A: create task B with fork()
       - task B: set NO_NEW_PRIVS
       - task B: install a seccomp filter that makes open() return 0 under some
         conditions
       - task B: replace fd 0 with a malicious library
       - task A: attach to task B with PTRACE_ATTACH
       - task B: execve() a file with an SMACK64EXEC extended attribute
       - task A: while task B is still in the middle of execve(), exit (which
         destroys the ptrace relationship)
      
      Make sure that if any flags other than LSM_UNSAFE_PTRACE are set in
      bprm->unsafe, we reject the execve().
      
      Cc: stable@vger.kernel.org
      Fixes: 5663884c ("Smack: unify all ptrace accesses in the smack")
      Signed-off-by: Jann Horn <jannh@google.com>
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
  2. 07 Jul, 2019 1 commit
  3. 06 Jul, 2019 11 commits
    • Merge tag 'for-linus-20190706' of git://git.kernel.dk/linux-block · 46713c3d
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Just a single fix for a patch from Greg KH, which reportedly breaks
        block debugfs locations for certain setups. Trivial enough that I
        think we should include it now, rather than wait and release 5.2 with
        it, since it's a regression in this series"
      
      * tag 'for-linus-20190706' of git://git.kernel.dk/linux-block:
        blk-mq: fix up placement of debugfs directory of queue files
    • Merge tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · bcc0e65f
      Linus Torvalds authored
      Pull MIPS fixes from Paul Burton:
       "A few more MIPS fixes:
      
         - Fix a silly typo in virt_addr_valid which led to completely bogus
           behavior (that happened to stop tripping up hardened usercopy
           despite being broken).
      
         - Fix UART parity setup on AR933x systems.
      
         - A build fix for non-Linux build machines.
      
         - Have the 'all' make target build DTBs, primarily to fit in with the
           behavior of scripts/package/builddeb.
      
         - Handle an execution hazard in TLB exceptions that use KScratch
           registers, which could inadvertently clobber the $1 register on
           some generally higher-end out-of-order CPUs.
      
         - A MAINTAINERS update to fix the path to the NAND driver for Ingenic
           systems"
      
      * tag 'mips_fixes_5.2_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MAINTAINERS: Correct path to moved files
        MIPS: Add missing EHB in mtc0 -> mfc0 sequence.
        MIPS: have "plain" make calls build dtbs for selected platforms
        MIPS: fix build on non-linux hosts
        MIPS: ath79: fix ar933x uart parity mode
        MIPS: Fix bounds check virt_addr_valid
    • Merge tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma · 2692982b
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
      
       - bam_dma fix for completed descriptor count
      
       - fix for imx-sdma remove BD_INTR for channel0 and use-after-free on
         probe error path
      
       - endian bug fix in jz4780 IRQ handler
      
      * tag 'dmaengine-fix-5.2' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: qcom: bam_dma: Fix completed descriptors count
        dmaengine: imx-sdma: remove BD_INTR for channel0
        dmaengine: imx-sdma: fix use-after-free on probe error path
        dmaengine: jz4780: Fix an endian bug in IRQ handler
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 4f8b4909
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Two iscsi fixes.
      
        One for an oops in the client which can be triggered by the server
        authentication protocol and the other in the target code which causes
        data corruption"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported
        scsi: target/iblock: Fix overrun in WRITE SAME emulation
    • Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · ceacbc0e
      Linus Torvalds authored
      Pull vfs fixlet from Al Viro:
       "Fix bogus default y in Kconfig (VALIDATE_FS_PARSER)
      
        That thing should not be turned on by default, especially since it's
        not quiet in case it finds no problems. Geert has sent the obvious fix
        quite a few times, but it fell through the cracks"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fs: VALIDATE_FS_PARSER should default to n
    • blk-mq: fix up placement of debugfs directory of queue files · 7e41c3c9
      Greg Kroah-Hartman authored
      When the blk-mq debugfs file creation logic was "cleaned up" it was
      cleaned up too much, causing the queue file to not be created in the
      correct location.  Turns out the check for the directory being present
      is needed as if that has not happened yet, the files should not be
      created, and the function will be called later on in the initialization
      code so that the files can be created in the correct location.
      
      Fixes: 6cfc0081 ("blk-mq: no need to check return value of debugfs_create functions")
      Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
      Cc: linux-block@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • Revert "mm: page cache: store only head pages in i_pages" · 69bf4b6b
      Linus Torvalds authored
      This reverts commit 5fd4ca2d.
      
      Mikhail Gavrilov reports that it causes the VM_BUG_ON_PAGE() in
      __delete_from_swap_cache() to trigger:
      
         page:ffffd6d34dff0000 refcount:1 mapcount:1 mapping:ffff97812323a689 index:0xfecec363
         anon
         flags: 0x17fffe00080034(uptodate|lru|active|swapbacked)
         raw: 0017fffe00080034 ffffd6d34c67c508 ffffd6d3504b8d48 ffff97812323a689
         raw: 00000000fecec363 0000000000000000 0000000100000000 ffff978433ace000
         page dumped because: VM_BUG_ON_PAGE(entry != page)
         page->mem_cgroup:ffff978433ace000
         ------------[ cut here ]------------
         kernel BUG at mm/swap_state.c:170!
         invalid opcode: 0000 [#1] SMP NOPTI
         CPU: 1 PID: 221 Comm: kswapd0 Not tainted 5.2.0-0.rc2.git0.1.fc31.x86_64 #1
         Hardware name: System manufacturer System Product Name/ROG STRIX X470-I GAMING, BIOS 2202 04/11/2019
         RIP: 0010:__delete_from_swap_cache+0x20d/0x240
         Code: 30 65 48 33 04 25 28 00 00 00 75 4a 48 83 c4 38 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c6 2f dc 0f 8a 48 89 c7 e8 93 1b fd ff <0f> 0b 48 c7 c6 a8 74 0f 8a e8 85 1b fd ff 0f 0b 48 c7 c6 a8 7d 0f
         RSP: 0018:ffffa982036e7980 EFLAGS: 00010046
         RAX: 0000000000000021 RBX: 0000000000000040 RCX: 0000000000000006
         RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffff97843d657900
         RBP: 0000000000000001 R08: ffffa982036e7835 R09: 0000000000000535
         R10: ffff97845e21a46c R11: ffffa982036e7835 R12: ffff978426387120
         R13: 0000000000000000 R14: ffffd6d34dff0040 R15: ffffd6d34dff0000
         FS:  0000000000000000(0000) GS:ffff97843d640000(0000) knlGS:0000000000000000
         CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
         CR2: 00002cba88ef5000 CR3: 000000078a97c000 CR4: 00000000003406e0
         Call Trace:
          delete_from_swap_cache+0x46/0xa0
          try_to_free_swap+0xbc/0x110
          swap_writepage+0x13/0x70
          pageout.isra.0+0x13c/0x350
          shrink_page_list+0xc14/0xdf0
          shrink_inactive_list+0x1e5/0x3c0
          shrink_node_memcg+0x202/0x760
          shrink_node+0xe0/0x470
          balance_pgdat+0x2d1/0x510
          kswapd+0x220/0x420
          kthread+0xfb/0x130
          ret_from_fork+0x22/0x40
      
      and it's not immediately obvious why it happens.  It's too late in the
      rc cycle to do anything but revert for now.
      
      Link: https://lore.kernel.org/lkml/CABXGCsN9mYmBD-4GaaeW_NrDu+FDXLzr_6x+XNxfmFV6QkYCDg@mail.gmail.com/
      Reported-and-bisected-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
      Suggested-by: Jan Kara <jack@suse.cz>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Kirill Shutemov <kirill@shutemov.name>
      Cc: William Kucharski <william.kucharski@oracle.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 9fdb86c8
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "x86 bugfix patches and one compilation fix for ARM"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: arm64/sve: Fix vq_present() macro to yield a bool
        KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC
        KVM: nVMX: Change KVM_STATE_NESTED_EVMCS to signal vmcs12 is copied from eVMCS
        KVM: nVMX: Allow restore nested-state to enable eVMCS when vCPU in SMM
        KVM: x86: degrade WARN to pr_warn_ratelimited
    • Merge tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 0e63665a
      Linus Torvalds authored
      Pull mtd fixes from Miquel Raynal:
      
       - Fix the memory organization structure of a Macronix SPI-NAND chip.
      
       - Fix a build dependency wrongly described.
      
       - Fix the sunxi NAND driver for A23/A33 SoCs by (a) reverting the
         faulty commit introducing broken DMA support and (b) applying another
         commit bringing working DMA support.
      
      * tag 'mtd/fixes-for-5.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: rawnand: sunxi: Add A23/A33 DMA support with extra MBUS configuration
        Revert "mtd: rawnand: sunxi: Add A23/A33 DMA support"
        mtd: rawnand: ingenic: Fix ingenic_ecc dependency
        mtd: spinand: Fix max_bad_eraseblocks_per_lun info in memorg
    • Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 881ed91f
      Linus Torvalds authored
      Pull i2c fixlet from Wolfram Sang:
       "I2C has a MAINTAINERS update which will be beneficial for developers,
        so let's add it right away"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: tegra: Add Dmitry as a reviewer
    • Merge tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux · a8f46b5a
      Linus Torvalds authored
      Pull nfsd fixes from Bruce Fields:
       "Two more quick bugfixes for nfsd: fixing a regression causing mount
        failures on high-memory machines and fixing the DRC over RDMA"
      
      * tag 'nfsd-5.2-2' of git://linux-nfs.org/~bfields/linux:
        nfsd: Fix overflow causing non-working mounts on 1 TB machines
        svcrdma: Ignore source port when computing DRC hash
  4. 05 Jul, 2019 21 commits
  5. 04 Jul, 2019 6 commits
    • Merge tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · c212ddae
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Here are a collection of small fixes for:
      
         - A race with ASoC HD-audio registration
      
         - LINE6 usb-audio memory overwrite by malformed descriptor
      
         - FireWire MIDI handling
      
         - Missing cast for bit shifts in a few USB-audio quirks
      
         - The wrong function calls in minor OSS sequencer code paths
      
         - A couple of HD-audio quirks"
      
      * tag 'sound-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: line6: Fix write on zero-sized buffer
        ALSA: hda: Fix widget_mutex incomplete protection
        ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
        ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
        ALSA: hda/realtek - Change front mic location for Lenovo M710q
        ALSA: usb-audio: fix sign unintended sign extension on left shifts
        ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
    • ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME · 6994eefb
      Jann Horn authored
      Fix two issues:
      
      When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
      reference to the parent's objective credentials, then give that pointer
      to get_cred().  However, the object lifetime rules for things like
      struct cred do not permit unconditionally turning an RCU reference into
      a stable reference.
      
      PTRACE_TRACEME records the parent's credentials as if the parent was
      acting as the subject, but that's not the case.  If a malicious
      unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
      at a later point, the parent process becomes attacker-controlled
      (because it drops privileges and calls execve()), the attacker ends up
      with control over two processes with a privileged ptrace relationship,
      which can be abused to ptrace a suid binary and obtain root privileges.
      
      Fix both of these by always recording the credentials of the process
      that is requesting the creation of the ptrace relationship:
      current_cred() can't change under us, and current is the proper subject
      for access control.
      
      This change is theoretically userspace-visible, but I am not aware of
      any code that it will actually break.
      
      Fixes: 64b875f7 ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
      Signed-off-by: Jann Horn <jannh@google.com>
      Acked-by: Oleg Nesterov <oleg@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • drm/imx: only send event on crtc disable if kept disabled · 5aeab2bf
      Robert Beckett authored
      The event will be sent as part of the vblank enable during the modeset
      if the crtc is not being kept disabled.
      
      Fixes: 5f2f9115 ("drm/imx: atomic phase 3 step 1: Use atomic configuration")
      Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
      Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
    • drm/imx: notify drm core before sending event during crtc disable · 78c68e8f
      Robert Beckett authored
      Notify drm core before sending pending events during crtc disable.
      This fixes the first event after disable having an old stale timestamp
      by having drm_crtc_vblank_off update the timestamp to now.
      
      This was seen while debugging weston log message:
      Warning: computed repaint delay is insane: -8212 msec
      
      This occurred due to:
      1. driver starts up
      2. fbcon comes along and restores fbdev, enabling vblank
      3. vblank_disable_fn fires via timer disabling vblank, keeping vblank
      seq number and time set at current value
      (some time later)
      4. weston starts and does a modeset
      5. atomic commit disables crtc while it does the modeset
      6. ipu_crtc_atomic_disable sends vblank with old seq number and time
      
      Fixes: a4744786 ("drm/imx: fix crtc vblank state regression")
      Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
      Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
    • Merge tag 'trace-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 550d1f5b
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "This includes three fixes:
      
         - Fix a deadlock from a previous fix to keep module loading and
           function tracing text modifications from stepping on each other
           (this has a few patches to help document the issue in comments)
      
         - Fix a crash when the snapshot buffer gets out of sync with the main
           ring buffer
      
         - Fix a memory leak when reading the memory logs"
      
      * tag 'trace-v5.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare()
        tracing/snapshot: Resize spare buffer if size changed
        tracing: Fix memory leak in tracing_err_log_open()
        ftrace/x86: Add a comment to why we take text_mutex in ftrace_arch_code_modify_prepare()
        ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code()
    • Merge branch 'etnaviv/fixes' of https://git.pengutronix.de/git/lst/linux into drm-fixes · b5252bdf
      Dave Airlie authored
      Fix a kernel nullptr deref on module unload when any etnaviv GPU
      failed to initialize properly.

      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Lucas Stach <l.stach@pengutronix.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/1561974148.2321.1.camel@pengutronix.de