1. 27 Aug, 2016 6 commits
    • Merge tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm · 370f6017
      Linus Torvalds authored
      Pull dlm fix from David Teigland:
       "This fixes a bug introduced by recent debugfs cleanup"
      
      * tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm:
        dlm: fix malfunction of dlm_tool caused by debugfs changes
    • Merge tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · 6ec675ed
      Linus Torvalds authored
      Pull device mapper fixes from Mike Snitzer:
      
       - another stable fix for DM flakey (that tweaks the previous fix that
         didn't factor in expected 'drop_writes' behavior for read IO).
      
       - a dm-log bio operation flags fix for the broader block changes that
         were merged during the 4.8 merge window.
      
      * tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm log: fix unitialized bio operation flags
        dm flakey: fix reads to be issued if drop_writes configured
    • Merge tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 67a8c7d6
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
       "Fixes from Will Deacon:
      
         - fix a couple of thinkos in the CMDQ error handling and
           short-descriptor page table code that have been there since day one
      
         - disable stalling faults, since they may result in hardware deadlock
      
         - fix an accidental BUG() when passing disable_bypass=1 on the
           cmdline"
      
      * tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/arm-smmu: Don't BUG() if we find aborting STEs with disable_bypass
        iommu/arm-smmu: Disable stalling faults for all endpoints
        iommu/arm-smmu: Fix CMDQ error handling
        iommu/io-pgtable-arm-v7s: Fix attributes when splitting blocks
    • Merge branch 'for-linus' of git://git.kernel.dk/linux-block · fd1ae514
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Here's a set of block fixes for the current 4.8-rc release.  This
        contains:
      
         - a fix for a secure erase regression, from Adrian.
      
         - a fix for an mmc use-after-free bug regression, also from Adrian.
      
         - potential zero pointer dereference in bdev freezing, from Andrey.
      
         - a race fix for blk_set_queue_dying() from Bart.
      
         - a set of xen blkfront fixes from Bob Liu.
      
         - three small fixes for bcache, from Eric and Kent.
      
         - a fix for a potential invalid NVMe state transition, from Gabriel.
      
         - blk-mq CPU offline fix, preventing us from issuing and completing a
           request on the wrong queue.  From me.
      
         - revert two previous floppy changes, since they caused a user
           visible regression.  A better fix is in the works.
      
         - ensure that we don't send down bios that have more than 256
           elements in them.  Fixes a crash with bcache, for example.  From
           Ming.
      
         - a fix for dereferencing an error pointer with cgroup writeback.
           Fixes a regression.  From Vegard"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        mmc: fix use-after-free of struct request
        Revert "floppy: refactor open() flags handling"
        Revert "floppy: fix open(O_ACCMODE) for ioctl-only open"
        fs/block_dev: fix potential NULL ptr deref in freeze_bdev()
        blk-mq: improve warning for running a queue on the wrong CPU
        blk-mq: don't overwrite rq->mq_ctx
        block: make sure a big bio is split into at most 256 bvecs
        nvme: Fix nvme_get/set_features() with a NULL result pointer
        bdev: fix NULL pointer dereference
        xen-blkfront: free resources if xlvbd_alloc_gendisk fails
        xen-blkfront: introduce blkif_set_queue_limits()
        xen-blkfront: fix places not updated after introducing 64KB page granularity
        bcache: pr_err: more meaningful error message when nr_stripes is invalid
        bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two.
        bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
        block: Fix race triggered by blk_set_queue_dying()
        block: Fix secure erase
        nvme: Prevent controller state invalid transition
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · b09c412a
      Linus Torvalds authored
      Pull input subsystem fixes from Dmitry Torokhov:
       "Simply small driver fixups"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: ads7846 - remove redundant regulator_disable call
        Input: synaptics-rmi4 - fix register descriptor subpacket map construction
        Input: tegra-kbc - fix inverted reset logic
        Input: silead - use devm_gpiod_get
        Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
    • Merge tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 219c04ce
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
       "Resource management:
         - Update "pci=resource_alignment" documentation (Mathias Koehrer)
      
        MSI:
         - Use positive flags in pci_alloc_irq_vectors() (Christoph Hellwig)
         - Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors() (Christoph Hellwig)
      
        Intel VMD host bridge driver:
         - Fix infinite loop executing irq's (Keith Busch)"
      
      * tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        x86/PCI: VMD: Fix infinite loop executing irq's
        PCI: Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors()
        PCI: Use positive flags in pci_alloc_irq_vectors()
        PCI: Update "pci=resource_alignment" documentation
  2. 26 Aug, 2016 1 commit
    • dlm: fix malfunction of dlm_tool caused by debugfs changes · 079d37df
      Eric Ren authored
      With the current kernel, `dlm_tool lockdebug` fails as below:
      
      "dlm_tool lockdebug ED0BD86DCE724393918A1AE8FDBF1EE3
      can't open /sys/kernel/debug/dlm/ED0BD86DCE724393918A1AE8FDBF1EE3:
      Operation not permitted"
      
      This is because table_open() depends on file->f_op to tell which
      seq_file ops should be passed down. But, the original file ops in
      file->f_op is replaced by "debugfs_full_proxy_file_operations" with
      commit 49d200de ("debugfs: prevent access to removed files'
      private data").
      
      Currently, I can think up 2 solutions: 1st, replace
      debugfs_create_file() with debugfs_create_file_unsafe();
      2nd, make different table_open#() accordingly. The 1st one
      is neat, but I don't thoroughly understand its risk. Maybe
      someone has a better one.
      Signed-off-by: Eric Ren <zren@suse.com>
      Signed-off-by: David Teigland <teigland@redhat.com>
  3. 25 Aug, 2016 7 commits
  4. 24 Aug, 2016 11 commits
  5. 23 Aug, 2016 9 commits
    • x86/PCI: VMD: Fix infinite loop executing irq's · 21c80c9f
      Keith Busch authored
      We can't initialize the list head on deletion as this causes the node to
      point to itself, which causes an infinite loop if vmd_irq() happens to be
      servicing that node.
      
      The list initialization was trying to fix a bug from multiple calls to
      disable the same IRQ.  Fix this instead by having the VMD driver track if
      the interrupt is enabled.
      
      [bhelgaas: changelog, add "Fixes"]
      Fixes: 97e92306 ("x86/PCI: VMD: Initialize list item in IRQ disable")
      Reported-by: Grzegorz Koczot <grzegorz.koczot@intel.com>
      Tested-by: Miroslaw Drost <miroslaw.drost@intel.com>
      Signed-off-by: Keith Busch <keith.busch@intel.com>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      Acked-by Jon Derrick: <jonathan.derrick@intel.com>
    • um: Don't discard .text.exit section · dad22328
      Andrey Ryabinin authored
      Commit e41f501d ("vmlinux.lds: account for destructor sections")
      added '.text.exit' to EXIT_TEXT which is discarded at link time by default.
      This breaks compilation of UML:
           `.text.exit' referenced in section `.fini_array' of
           /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libc.a(sdlerror.o):
           defined in discarded section `.text.exit' of
           /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libc.a(sdlerror.o)
      
      Apparently UML doesn't want to discard exit text, so let's place all EXIT_TEXT
      sections in .exit.text.
      
      Fixes: e41f501d ("vmlinux.lds: account for destructor sections")
      Reported-by: Stefan Traby <stefan@hello-penguin.com>
      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: <stable@vger.kernel.org>
      Acked-by: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • ubifs: Fix xattr generic handler usage · 17ce1eb0
      Richard Weinberger authored
      UBIFS uses full names to work with xattrs, therefore we have to use
      xattr_full_name() to obtain the xattr prefix as string.
      
      Cc: <stable@vger.kernel.org>
      Cc: Andreas Gruenbacher <agruenba@redhat.com>
      Fixes: 2b88fc21 ("ubifs: Switch to generic xattr handlers")
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
      Tested-by: Dongsheng Yang <dongsheng081251@gmail.com>
    • ubifs: Fix assertion in layout_in_gaps() · c0082e98
      Vincent Stehlé authored
      An assertion in layout_in_gaps() verifies that the gap_lebs pointer is
      below the maximum bound. When computing this maximum bound the idx_lebs
      count is multiplied by sizeof(int), while C pointers arithmetic does take
      into account the size of the pointed elements implicitly already. Remove
      the multiplication to fix the assertion.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Vincent Stehlé <vincent.stehle@intel.com>
      Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • Merge tag 'usercopy-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 7a1dcf6a
      Linus Torvalds authored
      Pull hardened usercopy fixes from Kees Cook:
       - avoid signed math problems on unexpected compilers
       - avoid false positives at very end of kernel text range checks
      
      * tag 'usercopy-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        usercopy: fix overlap check for kernel text
        usercopy: avoid potentially undefined behavior in pointer math
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · d1fdafa1
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes a number of memory corruption bugs in the newly added
        sha256-mb/sha256-mb code"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: sha512-mb - fix ctx pointer
        crypto: sha256-mb - fix ctx pointer and digest copy
    • vhost/scsi: fix reuse of &vq->iov[out] in response · a77ec83a
      Benjamin Coddington authored
      The address of the iovec &vq->iov[out] is not guaranteed to contain the scsi
      command's response iovec throughout the lifetime of the command.  Rather, it
      is more likely to contain an iovec from an immediately following command
      after looping back around to vhost_get_vq_desc().  Pass along the iovec
      entirely instead.
      
      Fixes: 79c14141 ("vhost/scsi: Convert completion path to use copy_to_iter")
      Cc: stable@vger.kernel.org
      Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    • usercopy: fix overlap check for kernel text · 94cd97af
      Josh Poimboeuf authored
      When running with a local patch which moves the '_stext' symbol to the
      very beginning of the kernel text area, I got the following panic with
      CONFIG_HARDENED_USERCOPY:
      
        usercopy: kernel memory exposure attempt detected from ffff88103dfff000 (<linear kernel text>) (4096 bytes)
        ------------[ cut here ]------------
        kernel BUG at mm/usercopy.c:79!
        invalid opcode: 0000 [#1] SMP
        ...
        CPU: 0 PID: 4800 Comm: cp Not tainted 4.8.0-rc3.after+ #1
        Hardware name: Dell Inc. PowerEdge R720/0X3D66, BIOS 2.5.4 01/22/2016
        task: ffff880817444140 task.stack: ffff880816274000
        RIP: 0010:[<ffffffff8121c796>] __check_object_size+0x76/0x413
        RSP: 0018:ffff880816277c40 EFLAGS: 00010246
        RAX: 000000000000006b RBX: ffff88103dfff000 RCX: 0000000000000000
        RDX: 0000000000000000 RSI: ffff88081f80dfa8 RDI: ffff88081f80dfa8
        RBP: ffff880816277c90 R08: 000000000000054c R09: 0000000000000000
        R10: 0000000000000005 R11: 0000000000000006 R12: 0000000000001000
        R13: ffff88103e000000 R14: ffff88103dffffff R15: 0000000000000001
        FS:  00007fb9d1750800(0000) GS:ffff88081f800000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000021d2000 CR3: 000000081a08f000 CR4: 00000000001406f0
        Stack:
         ffff880816277cc8 0000000000010000 000000043de07000 0000000000000000
         0000000000001000 ffff880816277e60 0000000000001000 ffff880816277e28
         000000000000c000 0000000000001000 ffff880816277ce8 ffffffff8136c3a6
        Call Trace:
         [<ffffffff8136c3a6>] copy_page_to_iter_iovec+0xa6/0x1c0
         [<ffffffff8136e766>] copy_page_to_iter+0x16/0x90
         [<ffffffff811970e3>] generic_file_read_iter+0x3e3/0x7c0
         [<ffffffffa06a738d>] ? xfs_file_buffered_aio_write+0xad/0x260 [xfs]
         [<ffffffff816e6262>] ? down_read+0x12/0x40
         [<ffffffffa06a61b1>] xfs_file_buffered_aio_read+0x51/0xc0 [xfs]
         [<ffffffffa06a6692>] xfs_file_read_iter+0x62/0xb0 [xfs]
         [<ffffffff812224cf>] __vfs_read+0xdf/0x130
         [<ffffffff81222c9e>] vfs_read+0x8e/0x140
         [<ffffffff81224195>] SyS_read+0x55/0xc0
         [<ffffffff81003a47>] do_syscall_64+0x67/0x160
         [<ffffffff816e8421>] entry_SYSCALL64_slow_path+0x25/0x25
        RIP: 0033:[<00007fb9d0c33c00>] 0x7fb9d0c33c00
        RSP: 002b:00007ffc9c262f28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
        RAX: ffffffffffffffda RBX: fffffffffff8ffff RCX: 00007fb9d0c33c00
        RDX: 0000000000010000 RSI: 00000000021c3000 RDI: 0000000000000004
        RBP: 00000000021c3000 R08: 0000000000000000 R09: 00007ffc9c264d6c
        R10: 00007ffc9c262c50 R11: 0000000000000246 R12: 0000000000010000
        R13: 00007ffc9c2630b0 R14: 0000000000000004 R15: 0000000000010000
        Code: 81 48 0f 44 d0 48 c7 c6 90 4d a3 81 48 c7 c0 bb b3 a2 81 48 0f 44 f0 4d 89 e1 48 89 d9 48 c7 c7 68 16 a3 81 31 c0 e8 f4 57 f7 ff <0f> 0b 48 8d 90 00 40 00 00 48 39 d3 0f 83 22 01 00 00 48 39 c3
        RIP  [<ffffffff8121c796>] __check_object_size+0x76/0x413
         RSP <ffff880816277c40>
      
      The checked object's range [ffff88103dfff000, ffff88103e000000) is
      valid, so there shouldn't have been a BUG.  The hardened usercopy code
      got confused because the range's ending address is the same as the
      kernel's text starting address at 0xffff88103e000000.  The overlap check
      is slightly off.
      
      Fixes: f5509cc1 ("mm: Hardened usercopy")
      Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • usercopy: avoid potentially undefined behavior in pointer math · 7329a655
      Eric Biggers authored
      check_bogus_address() checked for pointer overflow using this expression,
      where 'ptr' has type 'const void *':
      
      	ptr + n < ptr
      
      Since pointer wraparound is undefined behavior, gcc at -O2 by default
      treats it like the following, which would not behave as intended:
      
      	(long)n < 0
      
      Fortunately, this doesn't currently happen for kernel code because kernel
      code is compiled with -fno-strict-overflow.  But the expression should be
      fixed anyway to use well-defined integer arithmetic, since it could be
      treated differently by different compilers in the future or could be
      reported by tools checking for undefined behavior.
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Kees Cook <keescook@chromium.org>
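
The two usercopy fixes above (the overlap check and the pointer-math check), worked through as an added example that is not the kernel's code: the wraparound test is done on unsigned integers, and the overlap test treats both ranges as half-open. The object address, length and text start come from the panic report; `TEXT_END`, the function names and the off-by-one variant are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the panic report above; TEXT_END is a constructed placeholder. */
#define OBJ_START  UINT64_C(0xffff88103dfff000)
#define OBJ_LEN    UINT64_C(4096)
#define TEXT_START UINT64_C(0xffff88103e000000)
#define TEXT_END   UINT64_C(0xffff88103f000000)

/* Wraparound test on unsigned integers, where overflow is defined
 * (modulo 2^64), instead of on pointers, where it is undefined. */
static bool range_wraps(uint64_t start, uint64_t n)
{
    return start + n < start;
}

/* What "ptr + n < ptr" may be folded to once wraparound is assumed impossible. */
static bool signed_shortcut(uint64_t n) { return (int64_t)n < 0; }

/* Half-open test: [start, start + n) against [low, high). Ranges that only
 * touch (end == low or start == high) do not overlap. */
static bool overlaps(uint64_t start, uint64_t n, uint64_t low, uint64_t high)
{
    uint64_t end = start + n;   /* caller has already ruled out wraparound */
    return !(start >= high || end <= low);
}

/* Constructed off-by-one variant: "<" instead of "<=" flags an object that
 * ends exactly where the protected range begins. */
static bool overlaps_off_by_one(uint64_t start, uint64_t n, uint64_t low, uint64_t high)
{
    uint64_t end = start + n;
    return !(start >= high || end < low);
}

/* True when a copy of [start, start + n) must be refused. */
static bool reject_copy(uint64_t start, uint64_t n)
{
    if (n == 0)
        return false;                       /* nothing is copied */
    if (range_wraps(start, n))
        return true;                        /* bogus address range */
    return overlaps(start, n, TEXT_START, TEXT_END);
}

int main(void)
{
    printf("report's object rejected: %d\n", reject_copy(OBJ_START, OBJ_LEN));
    printf("off-by-one says overlap: %d\n", overlaps_off_by_one(OBJ_START, OBJ_LEN, TEXT_START, TEXT_END));
    printf("one byte longer rejected: %d\n", reject_copy(OBJ_START, OBJ_LEN + 1));
    printf("signed shortcut on n=2^63: %d\n", signed_shortcut(UINT64_C(1) << 63));
    return 0;
}
```
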
  6. 22 Aug, 2016 6 commits