1. 09 Dec, 2013 1 commit
    • Al Viro's avatar
      ext4: fix del_timer() misuse for ->s_err_report · 9105bb14
      Al Viro authored
      That thing should be del_timer_sync(); consider what happens
      if ext4_put_super() call of del_timer() happens to come just as it's
      getting run on another CPU.  Since that timer reschedules itself
      to run next day, you are pretty much guaranteed that you'll end up
      with kfree'd scheduled timer, with usual fun consequences.  AFAICS,
      that's -stable fodder all way back to 2010... [the second del_timer_sync()
      is almost certainly not needed, but it doesn't hurt either]
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      9105bb14
  2. 04 Dec, 2013 1 commit
    • Eryu Guan's avatar
      ext4: check for overlapping extents in ext4_valid_extent_entries() · 5946d089
      Eryu Guan authored
      A corrupted ext4 may have out of order leaf extents, i.e.
      
      extent: lblk 0--1023, len 1024, pblk 9217, flags: LEAF UNINIT
      extent: lblk 1000--2047, len 1024, pblk 10241, flags: LEAF UNINIT
                   ^^^^ overlap with previous extent
      
      Reading such extent could hit BUG_ON() in ext4_es_cache_extent().
      
      	BUG_ON(end < lblk);
      
      The problem is that __read_extent_tree_block() tries to cache holes as
      well but assumes 'lblk' is greater than 'prev' and passes underflowed
      length to ext4_es_cache_extent(). Fix it by checking for overlapping
      extents in ext4_valid_extent_entries().
      
      I hit this when fuzz testing ext4, and am able to reproduce it by
      modifying the on-disk extent by hand.
      
      Also add the check for (ee_block + len - 1) in ext4_valid_extent() to
      make sure the value is not overflow.
      
      Ran xfstests on patched ext4 and no regression.
      
      Cc: Lukáš Czerner <lczerner@redhat.com>
      Signed-off-by: default avatarEryu Guan <guaneryu@gmail.com>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      5946d089
  3. 03 Dec, 2013 1 commit
    • Junho Ryu's avatar
      ext4: fix use-after-free in ext4_mb_new_blocks · 4e8d2139
      Junho Ryu authored
      ext4_mb_put_pa should hold pa->pa_lock before accessing pa->pa_count.
      While ext4_mb_use_preallocated checks pa->pa_deleted first and then
      increments pa->count later, ext4_mb_put_pa decrements pa->pa_count
      before holding pa->pa_lock and then sets pa->pa_deleted.
      
      * Free sequence
      ext4_mb_put_pa (1):		atomic_dec_and_test pa->pa_count
      ext4_mb_put_pa (2):		lock pa->pa_lock
      ext4_mb_put_pa (3):			check pa->pa_deleted
      ext4_mb_put_pa (4):			set pa->pa_deleted=1
      ext4_mb_put_pa (5):		unlock pa->pa_lock
      ext4_mb_put_pa (6):		remove pa from a list
      ext4_mb_pa_callback:		free pa
      
      * Use sequence
      ext4_mb_use_preallocated (1):	iterate over preallocation
      ext4_mb_use_preallocated (2):	lock pa->pa_lock
      ext4_mb_use_preallocated (3):		check pa->pa_deleted
      ext4_mb_use_preallocated (4):		increase pa->pa_count
      ext4_mb_use_preallocated (5):	unlock pa->pa_lock
      ext4_mb_release_context:	access pa
      
      * Use-after-free sequence
      [initial status]		<pa->pa_deleted = 0, pa_count = 1>
      ext4_mb_use_preallocated (1):	iterate over preallocation
      ext4_mb_use_preallocated (2):	lock pa->pa_lock
      ext4_mb_use_preallocated (3):		check pa->pa_deleted
      ext4_mb_put_pa (1):		atomic_dec_and_test pa->pa_count
      [pa_count decremented]		<pa->pa_deleted = 0, pa_count = 0>
      ext4_mb_use_preallocated (4):		increase pa->pa_count
      [pa_count incremented]		<pa->pa_deleted = 0, pa_count = 1>
      ext4_mb_use_preallocated (5):	unlock pa->pa_lock
      ext4_mb_put_pa (2):		lock pa->pa_lock
      ext4_mb_put_pa (3):			check pa->pa_deleted
      ext4_mb_put_pa (4):			set pa->pa_deleted=1
      [race condition!]		<pa->pa_deleted = 1, pa_count = 1>
      ext4_mb_put_pa (5):		unlock pa->pa_lock
      ext4_mb_put_pa (6):		remove pa from a list
      ext4_mb_pa_callback:		free pa
      ext4_mb_release_context:	access pa
      
      AddressSanitizer has detected use-after-free in ext4_mb_new_blocks
      Bug report: http://goo.gl/rG1On3Signed-off-by: default avatarJunho Ryu <jayr@google.com>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      4e8d2139
  4. 02 Dec, 2013 1 commit
    • Theodore Ts'o's avatar
      ext4: call ext4_error_inode() if jbd2_journal_dirty_metadata() fails · ae1495b1
      Theodore Ts'o authored
      While it's true that errors can only happen if there is a bug in
      jbd2_journal_dirty_metadata(), if a bug does happen, we need to halt
      the kernel or remount the file system read-only in order to avoid
      further data loss.  The ext4_journal_abort_handle() function doesn't
      do any of this, and while it's likely that this call (since it doesn't
      adjust refcounts) will likely result in the file system eventually
      deadlocking since the current transaction will never be able to close,
      it's much cleaner to call let ext4's error handling system deal with
      this situation.
      
      There's a separate bug here which is that if certain jbd2 errors
      errors occur and file system is mounted errors=continue, the file
      system will probably eventually end grind to a halt as described
      above.  But things have been this way in a long time, and usually when
      we have these sorts of errors it's pretty much a disaster --- and
      that's why the jbd2 layer aggressively retries memory allocations,
      which is the most likely cause of these jbd2 errors.
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: stable@vger.kernel.org
      ae1495b1
  5. 29 Nov, 2013 13 commits
    • Linus Torvalds's avatar
      Linux 3.13-rc2 · dc1ccc48
      Linus Torvalds authored
      dc1ccc48
    • Linus Torvalds's avatar
      Merge tag 'arm64-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64 · d5ff835f
      Linus Torvalds authored
      Pull ARM64 fixes from Catalin Marinas:
       - Remove preempt_count modifications in the arm64 IRQ handling code
         since that's already dealt with in generic irq_enter/irq_exit
       - PTE_PROT_NONE bit moved higher up to avoid overlapping with the
         hardware bits (for PROT_NONE mappings which are pte_present)
       - Big-endian fixes for ptrace support
       - Asynchronous aborts unmasking while in the kernel
       - pgprot_writecombine() change to create Normal NonCacheable memory
         rather than Device GRE
      
      * tag 'arm64-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64:
        arm64: Move PTE_PROT_NONE higher up
        arm64: Use Normal NonCacheable memory for writecombine
        arm64: debug: make aarch32 bkpt checking endian clean
        arm64: ptrace: fix compat registes get/set to be endian clean
        arm64: Unmask asynchronous aborts when in kernel mode
        arm64: dts: Reserve the memory used for secondary CPU release address
        arm64: let the core code deal with preempt_count
      d5ff835f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 033dbbde
      Linus Torvalds authored
      Pull s390 updates from Martin Schwidefsky:
       "One performance improvement and a few bug fixes.  Two of the fixes
        deal with the clock related problems we have seen on recent kernels"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/mm: handle asce-type exceptions as normal page fault
        s390,time: revert direct ktime path for s390 clockevent device
        s390/time,vdso: convert to the new update_vsyscall interface
        s390/uaccess: add missing page table walk range check
        s390/mm: optimize copy_page
        s390/dasd: validate request size before building CCW/TCW request
        s390/signal: always restore saved runtime instrumentation psw bit
      033dbbde
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · dc418f6e
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Some easy but needed fixes for i2c drivers since rc1"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: bcm2835: Linking platform nodes to adapter nodes
        i2c: omap: raw read and write endian fix
        i2c: i2c-bcm-kona: Fix module build
        i2c: i2c-diolan-u2c: different usb endpoints for DLN-2-U2C
        i2c: bcm-kona: remove duplicated include
        i2c: davinci: raw read and write endian fix
      dc418f6e
    • Linus Torvalds's avatar
      Merge branch 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · 7224b31b
      Linus Torvalds authored
      Pull workqueue fixes from Tejun Heo:
       "This contains one important fix.  The NUMA support added a while back
        broke ordering guarantees on ordered workqueues.  It was enforced by
        having single frontend interface with @max_active == 1 but the NUMA
        support puts multiple interfaces on unbound workqueues on NUMA
        machines thus breaking the ordered guarantee.  This is fixed by
        disabling NUMA support on ordered workqueues.
      
        The above and a couple other patches were sitting in for-3.12-fixes
        but I forgot to push that out, so they ended up waiting a bit too
        long.  My aplogies.
      
        Other fixes are minor"
      
      * 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: fix pool ID allocation leakage and remove BUILD_BUG_ON() in init_workqueues
        workqueue: fix comment typo for __queue_work()
        workqueue: fix ordered workqueues in NUMA setups
        workqueue: swap set_cpus_allowed_ptr() and PF_NO_SETAFFINITY
      7224b31b
    • Linus Torvalds's avatar
      Merge branch 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · de92a058
      Linus Torvalds authored
      Pull libata fixes from Tejun Heo:
       "libata device removal path was removing parent device node before its
        child, which is mostly harmless but triggers warning after recent
        sysfs changes.  Rafael's patch fixes the order.
      
        Other than that, minor controller-specific fixes and device ID
        additions"
      
      * 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ATA: Fix port removal ordering
        ahci: add Marvell 9230 to the AHCI PCI device list
        ata: fix acpi_bus_get_device() return value check
        pata_arasan_cf: add missing clk_disable_unprepare() on error path
        ahci: add support for IBM Akebono platform device
      de92a058
    • Linus Torvalds's avatar
      Merge branch 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 2855987d
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
       "Fixes for three issues.
      
         - cgroup destruction path could swamp system_wq possibly leading to
           deadlock.  This actually seems to happen in the wild with memcg
           because memcg destruction path adds nested dependency on system_wq.
      
           Resolved by isolating cgroup destruction work items on its
           dedicated workqueue.
      
         - Possible locking context deadlock through seqcount reported by
           lockdep
      
         - Memory leak under certain conditions"
      
      * 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup: fix cgroup_subsys_state leak for seq_files
        cpuset: Fix memory allocator deadlock
        cgroup: use a dedicated workqueue for cgroup destruction
      2855987d
    • Linus Torvalds's avatar
      Merge tag 'sound-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · b8495995
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Quite a few HD-Audio fixes, a WUSB audio fix and a fix for FireWire
        audio.  The HD-audio part contains a couple of fixes for the generic
        parser, and these are the only intrusive fixes.  The rest are mostly
        device-specific fixes"
      
      * tag 'sound-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Add LFE chmap to ASUS ET2700
        ALSA: hda - Initialize missing bass speaker pin for ASUS AIO ET2700
        ALSA: hda - limit mic boost on Asus UX31[A,E]
        ALSA: hda - Check leaf nodes to find aamix amps
        ALSA: hda - Fix hp-mic mode without VREF bits
        ALSA: hda - Create Headhpone Mic Jack Mode when really needed
        ALSA: usb: use multiple packets per urb for Wireless USB inbound audio
        ALSA: hda - Enable mute/mic-mute LEDs for more Thinkpads with Conexant codec
        ALSA: hda - Drop bus->avoid_link_reset flag
        ALSA: hda/realtek - Set pcbeep amp for ALC668
        ALSA: hda/realtek - Add support of ALC231 codec
        ALSA: firewire-lib: fix wrong value for FDF field as an empty packet
      b8495995
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · b01537bf
      Linus Torvalds authored
      Pull vfs dentry reference count fix from Al Viro.
      
      This fixes a possible inode_permission NULL pointer dereference (and
      other problems) that were due to the root dentry count being decremented
      too much.  In commit 48a066e7 ("RCU'd vfsmounts") the placement of
      clearing the LOOKUP_RCU bit changed, and we then returned failure of
      incrementing the lockref on the parent dentry with LOOKUP_RCU cleared.
      
      But that meant we needed to go through the same cleanup routines that
      the later failures did wrt LOOKUP_ROOT and nd->root.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fix bogus path_put() of nd->root after some unlazy_walk() failures
      b01537bf
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 282c183b
      Linus Torvalds authored
      Pull drm qxl leak fix from Dave Airlie:
       "As usual 5 mins after I send a trivial pull fix I find a real bug!
      
        This fixes a memory leak and I'd like to get it into stable queue
        asap"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/qxl: fix memory leak in release list handling
      282c183b
    • Catalin Marinas's avatar
      arm64: Move PTE_PROT_NONE higher up · 3676f9ef
      Catalin Marinas authored
      PTE_PROT_NONE means that a pte is present but does not have any
      read/write attributes. However, setting the memory type like
      pgprot_writecombine() is allowed and such bits overlap with
      PTE_PROT_NONE. This causes mmap/munmap issues in drivers that change the
      vma->vm_pg_prot on PROT_NONE mappings.
      
      This patch reverts the PTE_FILE/PTE_PROT_NONE shift in commit
      59911ca4 (ARM64: mm: Move PTE_PROT_NONE bit) and moves PTE_PROT_NONE
      together with the other software bits.
      Signed-off-by: default avatarSteve Capper <steve.capper@linaro.org>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Tested-by: default avatarSteve Capper <steve.capper@linaro.org>
      Cc: <stable@vger.kernel.org> # 3.11+
      3676f9ef
    • Catalin Marinas's avatar
      arm64: Use Normal NonCacheable memory for writecombine · 4f00130b
      Catalin Marinas authored
      This provides better performance compared to Device GRE and also allows
      unaligned accesses. Such memory is intended to be used with standard RAM
      (e.g. framebuffers) and not I/O.
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      4f00130b
    • Al Viro's avatar
      fix bogus path_put() of nd->root after some unlazy_walk() failures · d870b4a1
      Al Viro authored
      Failure to grab reference to parent dentry should go through the
      same cleanup as nd->seq mismatch.  As it is, we might end up with
      caller thinking it needs to path_put() nd->root, with obvious
      nasty results once we'd hit that bug enough times to drive the
      refcount of root dentry all the way to zero...
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      d870b4a1
  6. 28 Nov, 2013 23 commits