1. 17 Oct, 2017 1 commit
    • Steffen Maier's avatar
      scsi: zfcp: fix erp_action use-before-initialize in REC action trace · ab31fd0c
      Steffen Maier authored
      v4.10 commit 6f2ce1c6 ("scsi: zfcp: fix rport unblock race with LUN
      recovery") extended accessing parent pointer fields of struct
      zfcp_erp_action for tracing.  If an erp_action has never been enqueued
      before, these parent pointer fields are uninitialized and NULL. Examples
      are zfcp objects freshly added to the parent object's children list,
      before enqueueing their first recovery subsequently. In
      zfcp_erp_try_rport_unblock(), we iterate such list. Accessing erp_action
      fields can cause a NULL pointer dereference.  Since the kernel can read
      from lowcore on s390, it does not immediately cause a kernel page
      fault. Instead it can cause hangs on trying to acquire the wrong
      erp_action->adapter->dbf->rec_lock in zfcp_dbf_rec_action_lvl()
                            ^bogus^
      while holding already other locks with IRQs disabled.
      
      Real life example from attaching lots of LUNs in parallel on many CPUs:
      
      crash> bt 17723
      PID: 17723  TASK: ...               CPU: 25  COMMAND: "zfcperp0.0.1800"
       LOWCORE INFO:
        -psw      : 0x0404300180000000 0x000000000038e424
        -function : _raw_spin_lock_wait_flags at 38e424
      ...
       #0 [fdde8fc90] zfcp_dbf_rec_action_lvl at 3e0004e9862 [zfcp]
       #1 [fdde8fce8] zfcp_erp_try_rport_unblock at 3e0004dfddc [zfcp]
       #2 [fdde8fd38] zfcp_erp_strategy at 3e0004e0234 [zfcp]
       #3 [fdde8fda8] zfcp_erp_thread at 3e0004e0a12 [zfcp]
       #4 [fdde8fe60] kthread at 173550
       #5 [fdde8feb8] kernel_thread_starter at 10add2
      
      zfcp_adapter
       zfcp_port
        zfcp_unit <address>, 0x404040d600000000
        scsi_device NULL, returning early!
      zfcp_scsi_dev.status = 0x40000000
      0x40000000 ZFCP_STATUS_COMMON_RUNNING
      
      crash> zfcp_unit <address>
      struct zfcp_unit {
        erp_action = {
          adapter = 0x0,
          port = 0x0,
          unit = 0x0,
        },
      }
      
      zfcp_erp_action is always fully embedded into its container object. Such
      container object is never moved in its object tree (only add or delete).
      Hence, erp_action parent pointers can never change.
      
      To fix the issue, initialize the erp_action parent pointers before
      adding the erp_action container to any list and thus before it becomes
      accessible from outside of its initializing function.
      
      In order to also close the time window between zfcp_erp_setup_act()
      memsetting the entire erp_action to zero and setting the parent pointers
      again, drop the memset and instead explicitly initialize individually
      all erp_action fields except for parent pointers. To be extra careful
      not to introduce any other unintended side effect, even keep zeroing the
      erp_action fields for list and timer. Also double-check with
      WARN_ON_ONCE that erp_action parent pointers never change, so we get to
      know when we would deviate from previous behavior.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 6f2ce1c6 ("scsi: zfcp: fix rport unblock race with LUN recovery")
      Cc: <stable@vger.kernel.org> #2.6.32+
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      ab31fd0c
  2. 11 Oct, 2017 3 commits
  3. 06 Oct, 2017 2 commits
  4. 03 Oct, 2017 5 commits
  5. 28 Sep, 2017 2 commits
    • Martin Wilck's avatar
      scsi: ILLEGAL REQUEST + ASC==27 => target failure · d0b7a909
      Martin Wilck authored
      ASC 0x27 is "WRITE PROTECTED". This error code is returned e.g.  by
      Fujitsu ETERNUS systems under certain conditions for WRITE SAME 16
      commands with UNMAP bit set. It should not be treated as a path
      error. In general, it makes sense to assume that being write protected
      is a target rather than a path property.
      Signed-off-by: default avatarMartin Wilck <mwilck@suse.com>
      Acked-by: default avatarLee Duncan <lduncan@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      d0b7a909
    • Guilherme G. Piccoli's avatar
      scsi: aacraid: Add a small delay after IOP reset · d1b49093
      Guilherme G. Piccoli authored
      Commit 0e9973ed ("scsi: aacraid: Add periodic checks to see IOP reset
      status") changed the way driver checks if a reset succeeded. Now, after an
      IOP reset, aacraid immediately start polling a register to verify the reset
      is complete.
      
      This behavior cause regressions on the reset path in PowerPC (at least).
      Since the delay after the IOP reset was removed by the aforementioned patch,
      the fact driver just starts to read a register instantly after the reset
      was issued (by writing in another register) "corrupts" the reset procedure,
      which ends up failing all the time.
      
      The issue highly impacted kdump on PowerPC, since on kdump path we
      proactively issue a reset in adapter (through the reset_devices kernel
      parameter).
      
      This patch (re-)adds a delay right after IOP reset is issued. Empirically
      we measured that 3 seconds is enough, but for safety reasons we delay
      for 5s (and since it was 30s before, 5s is still a small amount).
      
      For reference, without this patch we observe the following messages
      on kdump kernel boot process:
      
        [ 76.294] aacraid 0003:01:00.0: IOP reset failed
        [ 76.294] aacraid 0003:01:00.0: ARC Reset attempt failed
        [ 86.524] aacraid 0003:01:00.0: adapter kernel panic'd ff.
        [ 86.524] aacraid 0003:01:00.0: Controller reset type is 3
        [ 86.524] aacraid 0003:01:00.0: Issuing IOP reset
        [146.534] aacraid 0003:01:00.0: IOP reset failed
        [146.534] aacraid 0003:01:00.0: ARC Reset attempt failed
      
      Fixes: 0e9973ed ("scsi: aacraid: Add periodic checks to see IOP reset status")
      Cc: stable@vger.kernel.org # v4.13+
      Signed-off-by: default avatarGuilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
      Acked-by: default avatarDave Carroll <david.carroll@microsemi.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      d1b49093
  6. 26 Sep, 2017 1 commit
  7. 25 Sep, 2017 2 commits
    • Hannes Reinecke's avatar
      scsi: scsi_transport_fc: set scsi_target_id upon rescan · 675195d0
      Hannes Reinecke authored
      When an rport is found in the bindings array there is no guarantee that
      it had been a target port, so we need to call fc_remote_port_rolechg()
      here to ensure the scsi_target_id is set correctly.  Otherwise the port
      will never be scanned.
      Signed-off-by: default avatarHannes Reinecke <hare@suse.com>
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Tested-by: default avatarChad Dupuis <chad.dupuis@cavium.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      675195d0
    • Xin Long's avatar
      scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly · c88f0e6b
      Xin Long authored
      ChunYu found a kernel crash by syzkaller:
      
      [  651.617875] kasan: CONFIG_KASAN_INLINE enabled
      [  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  651.618731] general protection fault: 0000 [#1] SMP KASAN
      [  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
      [  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
      [  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
      [  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
      [...]
      [  651.627260] Call Trace:
      [  651.629156]  skb_release_all+0x4f/0x60
      [  651.629450]  consume_skb+0x1a5/0x600
      [  651.630705]  netlink_unicast+0x505/0x720
      [  651.632345]  netlink_sendmsg+0xab2/0xe70
      [  651.633704]  sock_sendmsg+0xcf/0x110
      [  651.633942]  ___sys_sendmsg+0x833/0x980
      [  651.637117]  __sys_sendmsg+0xf3/0x240
      [  651.638820]  SyS_sendmsg+0x32/0x50
      [  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      It's caused by skb_shared_info at the end of sk_buff was overwritten by
      ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
      
      During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
      ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
      new value to skb_shinfo(SKB)->nr_frags by ev->type.
      
      This patch is to fix it by checking nlh->nlmsg_len properly there to
      avoid over accessing sk_buff.
      Reported-by: default avatarChunYu Wang <chunwang@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarChris Leech <cleech@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      c88f0e6b
  8. 16 Sep, 2017 2 commits
  9. 15 Sep, 2017 6 commits
  10. 13 Sep, 2017 12 commits
    • Linus Torvalds's avatar
      Fix up MAINTAINERS file sorting · 3882a734
      Linus Torvalds authored
      Another merge window, another MAINTAINERS file disaster.
      
      People have serious problems with the alphabet and sorting, and poor
      Jérôme Glisse and Radim Krčmář get their names mangled by locale issues,
      turning them into some mangled mess (probably others do too, but those
      two stood out when sorting things again).
      
      And we now have two copies of the same 'AS3645A LED FLASH CONTROLLER
      DRIVER' in the tree and in the MAINTAINERS file, but that's a separate
      issue - the duplication is real, and I left them as two entries for the
      same name.
      
      This does not try to sort the actual section pattern entries, although I
      may end up doing that later.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3882a734
    • Linus Torvalds's avatar
      Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · f60a2abf
      Linus Torvalds authored
      Pull clk updates from Stephen Boyd:
       "The diff is dominated by the Allwinner A10/A20 SoCs getting converted
        to the sunxi-ng framework. Otherwise, the heavy hitters are various
        drivers for SoCs like AT91, Amlogic, Renesas, and Rockchip. There are
        some other new clk drivers in here too but overall this is just a
        bunch of clk drivers for various different pieces of hardware and a
        collection of non-critical fixes for clk drivers.
      
        New Drivers:
         - Allwinner R40 SoCs
         - Renesas R-Car Gen3 USB 2.0 clock selector PHY
         - Atmel AT91 audio PLL
         - Uniphier PXs3 SoCs
         - ARC HSDK Board PLLs
         - AXS10X Board PLLs
         - STMicroelectronics STM32H743 SoCs
      
        Removed Drivers:
         - Non-compiling mb86s7x support
      
        Updates:
         - Allwinner A10/A20 SoCs converted to sunxi-ng framework
         - Allwinner H3 CPU clk fixes
         - Renesas R-Car D3 SoC
         - Renesas V2H and M3-W modules
         - Samsung Exynos5420/5422/5800 audio fixes
         - Rockchip fractional clk approximation fixes
         - Rockchip rk3126 SoC support within the rk3128 driver
         - Amlogic gxbb CEC32 and sd_emmc clks
         - Amlogic meson8b reset controller support
         - IDT VersaClock 5P49V5925/5P49V6901 support
         - Qualcomm MSM8996 SMMU clks
         - Various 'const' applications for struct clk_ops
         - si5351 PLL reset bugfix
         - Uniphier audio on LD11/LD20 and ethernet support on LD11/LD20/Pro4/PXs2
         - Assorted Tegra clk driver fixes"
      
      * tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: (120 commits)
        clk: si5351: fix PLL reset
        ASoC: atmel-classd: remove aclk clock
        ASoC: atmel-classd: remove aclk clock from DT binding
        clk: at91: clk-generated: make gclk determine audio_pll rate
        clk: at91: clk-generated: create function to find best_diff
        clk: at91: add audio pll clock drivers
        dt-bindings: clk: at91: add audio plls to the compatible list
        clk: at91: clk-generated: remove useless divisor loop
        clk: mb86s7x: Drop non-building driver
        clk: ti: check for null return in strrchr to avoid null dereferencing
        clk: Don't write error code into divider register
        clk: uniphier: add video input subsystem clock
        clk: uniphier: add audio system clock
        clk: stm32h7: Add stm32h743 clock driver
        clk: gate: expose clk_gate_ops::is_enabled
        clk: nxp: clk-lpc32xx: rename clk_gate_is_enabled()
        clk: uniphier: add PXs3 clock data
        clk: hi6220: change watchdog clock source
        clk: Kconfig: Name RK805 in Kconfig for COMMON_CLK_RK808
        clk: cs2000: Add cs2000_set_saved_rate
        ...
      f60a2abf
    • Linus Torvalds's avatar
      Merge tag 'rtc-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux · 561a8eb3
      Linus Torvalds authored
      Pull RTC updates from Alexandre Belloni:
       "Subsystem:
         - remove .open() and .release() RTC ops
         - constify i2c_device_id
      
        New driver:
         - Realtek RTD1295
         - Android emulator (goldfish) RTC
      
        Drivers:
         - ds1307: Beginning of a huge cleanup
         - s35390a: handle invalid RTC time
         - sun6i: external oscillator gate support"
      
      * tag 'rtc-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: (40 commits)
        rtc: ds1307: use octal permissions
        rtc: ds1307: fix braces
        rtc: ds1307: fix alignments and blank lines
        rtc: ds1307: use BIT
        rtc: ds1307: use u32
        rtc: ds1307: use sizeof
        rtc: ds1307: remove regs member
        rtc: Add Realtek RTD1295
        dt-bindings: rtc: Add Realtek RTD1295
        rtc: sun6i: Add support for the external oscillator gate
        rtc: goldfish: Add RTC driver for Android emulator
        dt-bindings: Add device tree binding for Goldfish RTC driver
        rtc: ds1307: add basic support for ds1341 chip
        rtc: ds1307: remove member nvram_offset from struct ds1307
        rtc: ds1307: factor out offset to struct chip_desc
        rtc: ds1307: factor out rtc_ops to struct chip_desc
        rtc: ds1307: factor out irq_handler to struct chip_desc
        rtc: ds1307: improve irq setup
        rtc: ds1307: constify struct chip_desc variables
        rtc: ds1307: improve trickle charger initialization
        ...
      561a8eb3
    • Linus Torvalds's avatar
      Merge tag 'sound-fix-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 2818d0d7
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Most of the commits are trivial cleanup patches, while one commit is a
        significant fix for the race at ALSA sequencer that was spotted by
        syzkaller"
      
      * tag 'sound-fix-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: seq: Cancel pending autoload work at unbinding device
        ALSA: firewire: Use common error handling code in snd_motu_stream_start_duplex()
        ALSA: asihpi: Kill BUG_ON() usages
        ALSA: core: Use %pS printk format for direct addresses
        ALSA: ymfpci: Use common error handling code in snd_ymfpci_create()
        ALSA: ymfpci: Use common error handling code in snd_card_ymfpci_probe()
        ALSA: 6fire: Use common error handling code in usb6fire_chip_probe()
        ALSA: usx2y: Use common error handling code in submit_urbs()
        ALSA: us122l: Use common error handling code in us122l_create_card()
        ALSA: hdspm: Use common error handling code in snd_hdspm_probe()
        ALSA: rme9652: Use common code in hdsp_get_iobox_version()
        ALSA: maestro3: Use common error handling code in two functions
      2818d0d7
    • Linus Torvalds's avatar
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · cc4238bd
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "A tiny update: one patch corrects a Kconfig problem with the shift of
        the SAS SMP code to BSG and the other removes a vestige of user space
        target mode"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: scsi_transport_sas: select BLK_DEV_BSGLIB
        scsi: Remove Scsi_Host.uspace_req_q
      cc4238bd
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 80a0d644
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Small collection of fixes that would be nice to have in -rc1. This
        contains:
      
         - NVMe pull request form Christoph, mostly with fixes for nvme-pci,
           host memory buffer in particular.
      
         - Error handling fixup for cgwb_create(), in case allocation of 'wb'
           fails. From Christophe Jaillet.
      
         - Ensure that trace_block_getrq() gets the 'dev' in an appropriate
           fashion, to avoid a potential NULL deref. From Greg Thelen.
      
         - Regression fix for dm-mq with blk-mq, fixing a problem with
           stacking IO schedulers. From me.
      
         - string.h fixup, fixing an issue with memcpy_and_pad(). This
           original change came in through an NVMe dependency, which is why
           I'm including it here. From Martin Wilck.
      
         - Fix potential int overflow in __blkdev_sectors_to_bio_pages(), from
           Mikulas.
      
         - MBR enable fix for sed-opal, from Scott"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        block: directly insert blk-mq request from blk_insert_cloned_request()
        mm/backing-dev.c: fix an error handling path in 'cgwb_create()'
        string.h: un-fortify memcpy_and_pad
        nvme-pci: implement the HMB entry number and size limitations
        nvme-pci: propagate (some) errors from host memory buffer setup
        nvme-pci: use appropriate initial chunk size for HMB allocation
        nvme-pci: fix host memory buffer allocation fallback
        nvme: fix lightnvm check
        block: fix integer overflow in __blkdev_sectors_to_bio_pages()
        block: sed-opal: Set MBRDone on S3 resume path if TPER is MBREnabled
        block: tolerate tracing of NULL bio
      80a0d644
    • Linus Torvalds's avatar
      Merge tag 'docs-4.14' of git://git.lwn.net/linux · 20e52ee5
      Linus Torvalds authored
      Pull documentation fixes from Jonathan Corbet:
       "A cleanup from Mauro that needed to wait for the media pull, plus a
        handful of other fixes that wandered in"
      
      * tag 'docs-4.14' of git://git.lwn.net/linux:
        kokr/memory-barriers.txt: Apply atomic_t.txt change
        kokr/doc: Update memory-barriers.txt for read-to-write dependencies
        docs-rst: don't require adjustbox anymore
        docs-rst: conf.py: only setup notice box colors if Sphinx < 1.6
        docs-rst: conf.py: remove lscape from LaTeX preamble
      20e52ee5
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse · e7989f97
      Linus Torvalds authored
      Pull fuse updates from Miklos Szeredi:
       "This fixes a regression (spotted by the Sandstorm.io folks) in the pid
        namespace handling introduced in 4.12.
      
        There's also a fix for honoring sync/dsync flags for pwritev2()"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
        fuse: getattr cleanup
        fuse: honor iocb sync flags on write
        fuse: allow server to run in different pid_ns
      e7989f97
    • Linus Torvalds's avatar
      Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · c353f88f
      Linus Torvalds authored
      Pull overlayfs updates from Miklos Szeredi:
       "This fixes d_ino correctness in readdir, which brings overlayfs on par
        with normal filesystems regarding inode number semantics, as long as
        all layers are on the same filesystem.
      
        There are also some bug fixes, one in particular (random ioctl's
        shouldn't be able to modify lower layers) that touches some vfs code,
        but of course no-op for non-overlay fs"
      
      * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
        ovl: fix false positive ESTALE on lookup
        ovl: don't allow writing ioctl on lower layer
        ovl: fix relatime for directories
        vfs: add flags to d_real()
        ovl: cleanup d_real for negative
        ovl: constant d_ino for non-merge dirs
        ovl: constant d_ino across copy up
        ovl: fix readdir error value
        ovl: check snprintf return
      c353f88f
    • Linus Torvalds's avatar
      Merge tag 'f2fs-for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs · 6d8ef53e
      Linus Torvalds authored
      Pull f2fs updates from Jaegeuk Kim:
       "In this round, we've mostly tuned f2fs to provide better user
        experience for Android. Especially, we've worked on atomic write
        feature again with SQLite community in order to support it officially.
        And we added or modified several facilities to analyze and enhance IO
        behaviors.
      
        Major changes include:
         - add app/fs io stat
         - add inode checksum feature
         - support project/journalled quota
         - enhance atomic write with new ioctl() which exposes feature set
         - enhance background gc/discard/fstrim flows with new gc_urgent mode
         - add F2FS_IOC_FS{GET,SET}XATTR
         - fix some quota flows"
      
      * tag 'f2fs-for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs: (63 commits)
        f2fs: hurry up to issue discard after io interruption
        f2fs: fix to show correct discard_granularity in sysfs
        f2fs: detect dirty inode in evict_inode
        f2fs: clear radix tree dirty tag of pages whose dirty flag is cleared
        f2fs: speed up gc_urgent mode with SSR
        f2fs: better to wait for fstrim completion
        f2fs: avoid race in between read xattr & write xattr
        f2fs: make get_lock_data_page to handle encrypted inode
        f2fs: use generic terms used for encrypted block management
        f2fs: introduce f2fs_encrypted_file for clean-up
        Revert "f2fs: add a new function get_ssr_cost"
        f2fs: constify super_operations
        f2fs: fix to wake up all sleeping flusher
        f2fs: avoid race in between atomic_read & atomic_inc
        f2fs: remove unneeded parameter of change_curseg
        f2fs: update i_flags correctly
        f2fs: don't check inode's checksum if it was dirtied or writebacked
        f2fs: don't need to update inode checksum for recovery
        f2fs: trigger fdatasync for non-atomic_write file
        f2fs: fix to avoid race in between aio and gc
        ...
      6d8ef53e
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.14-rc1' of git://github.com/ceph/ceph-client · cdb897e3
      Linus Torvalds authored
      Pull ceph updates from Ilya Dryomov:
       "The highlights include:
      
         - a large series of fixes and improvements to the snapshot-handling
           code (Zheng Yan)
      
         - individual read/write OSD requests passed down to libceph are now
           limited to 16M in size to avoid hitting OSD-side limits (Zheng Yan)
      
         - encode MStatfs v2 message to allow for more accurate space usage
           reporting (Douglas Fuller)
      
         - switch to the new writeback error tracking infrastructure (Jeff
           Layton)"
      
      * tag 'ceph-for-4.14-rc1' of git://github.com/ceph/ceph-client: (35 commits)
        ceph: stop on-going cached readdir if mds revokes FILE_SHARED cap
        ceph: wait on writeback after writing snapshot data
        ceph: fix capsnap dirty pages accounting
        ceph: ignore wbc->range_{start,end} when write back snapshot data
        ceph: fix "range cyclic" mode writepages
        ceph: cleanup local variables in ceph_writepages_start()
        ceph: optimize pagevec iterating in ceph_writepages_start()
        ceph: make writepage_nounlock() invalidate page that beyonds EOF
        ceph: properly get capsnap's size in get_oldest_context()
        ceph: remove stale check in ceph_invalidatepage()
        ceph: queue cap snap only when snap realm's context changes
        ceph: handle race between vmtruncate and queuing cap snap
        ceph: fix message order check in handle_cap_export()
        ceph: fix NULL pointer dereference in ceph_flush_snaps()
        ceph: adjust 36 checks for NULL pointers
        ceph: delete an unnecessary return statement in update_dentry_lease()
        ceph: ENOMEM pr_err in __get_or_create_frag() is redundant
        ceph: check negative offsets in ceph_llseek()
        ceph: more accurate statfs
        ceph: properly set snap follows for cap reconnect
        ...
      cdb897e3
    • Richard Wareing's avatar
      xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present · b31ff3cd
      Richard Wareing authored
      If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on
      a directory in a filesystem that does not have a realtime device and
      create a new file in that directory, it gets marked as a real time file.
      When data is written and a fsync is issued, the filesystem attempts to
      flush a non-existent rt device during the fsync process.
      
      This results in a crash dereferencing a null buftarg pointer in
      xfs_blkdev_issue_flush():
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
        IP: xfs_blkdev_issue_flush+0xd/0x20
        .....
        Call Trace:
          xfs_file_fsync+0x188/0x1c0
          vfs_fsync_range+0x3b/0xa0
          do_fsync+0x3d/0x70
          SyS_fsync+0x10/0x20
          do_syscall_64+0x4d/0xb0
          entry_SYSCALL64_slow_path+0x25/0x25
      
      Setting RT inode flags does not require special privileges so any
      unprivileged user can cause this oops to occur.  To reproduce, confirm
      kernel is compiled with CONFIG_XFS_RT=y and run:
      
        # mkfs.xfs -f /dev/pmem0
        # mount /dev/pmem0 /mnt/test
        # mkdir /mnt/test/foo
        # xfs_io -c 'chattr +t' /mnt/test/foo
        # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar
      
      Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.
      
      Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.
      
      Fixes: f538d4da ("[XFS] write barrier support")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarRichard Wareing <rwareing@fb.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b31ff3cd
  11. 12 Sep, 2017 4 commits
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-4.14' of git://git.infradead.org/users/hch/dma-mapping · 52269718
      Linus Torvalds authored
      Pull dma-mapping updates from Christoph Hellwig:
      
       - removal of the old dma_alloc_noncoherent interface
      
       - remove unused flags to dma_declare_coherent_memory
      
       - restrict OF DMA configuration to specific physical busses
      
       - use the iommu mailing list for dma-mapping questions and patches
      
      * tag 'dma-mapping-4.14' of git://git.infradead.org/users/hch/dma-mapping:
        dma-coherent: fix dma_declare_coherent_memory() logic error
        ARM: imx: mx31moboard: Remove unused 'dma' variable
        dma-coherent: remove an unused variable
        MAINTAINERS: use the iommu list for the dma-mapping subsystem
        dma-coherent: remove the DMA_MEMORY_MAP and DMA_MEMORY_IO flags
        dma-coherent: remove the DMA_MEMORY_INCLUDES_CHILDREN flag
        of: restrict DMA configuration
        dma-mapping: remove dma_alloc_noncoherent and dma_free_noncoherent
        i825xx: switch to switch to dma_alloc_attrs
        au1000_eth: switch to dma_alloc_attrs
        sgiseeq: switch to dma_alloc_attrs
        dma-mapping: reduce dma_mapping_error inline bloat
      52269718
    • Linus Torvalds's avatar
      Merge tag 'uuid-for-4.14' of git://git.infradead.org/users/hch/uuid · ae71948f
      Linus Torvalds authored
      Pull uuid updates from Christoph Hellwig:
       "Just a single conversion to the new UUID API for this merge window"
      
      * tag 'uuid-for-4.14' of git://git.infradead.org/users/hch/uuid:
        efi: switch to use new generic UUID API
      ae71948f
    • Linus Torvalds's avatar
      Merge tag 'selinux-pr-20170831' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux · 7f85565a
      Linus Torvalds authored
      Pull selinux updates from Paul Moore:
       "A relatively quiet period for SELinux, 11 patches with only two/three
        having any substantive changes.
      
        These noteworthy changes include another tweak to the NNP/nosuid
        handling, per-file labeling for cgroups, and an object class fix for
        AF_UNIX/SOCK_RAW sockets; the rest of the changes are minor tweaks or
        administrative updates (Stephen's email update explains the file
        explosion in the diffstat).
      
        Everything passes the selinux-testsuite"
      
      [ Also a couple of small patches from the security tree from Tetsuo
        Handa for Tomoyo and LSM cleanup. The separation of security policy
        updates wasn't all that clean - Linus ]
      
      * tag 'selinux-pr-20170831' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
        selinux: constify nf_hook_ops
        selinux: allow per-file labeling for cgroupfs
        lsm_audit: update my email address
        selinux: update my email address
        MAINTAINERS: update the NetLabel and Labeled Networking information
        selinux: use GFP_NOWAIT in the AVC kmem_caches
        selinux: Generalize support for NNP/nosuid SELinux domain transitions
        selinux: genheaders should fail if too many permissions are defined
        selinux: update the selinux info in MAINTAINERS
        credits: update Paul Moore's info
        selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets
        tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst
        LSM: Remove security_task_create() hook.
      7f85565a
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 680352bd
      Linus Torvalds authored
      Pull x86 fixes from Ingo Molnar:
       "Two fixes: dead code removal, plus a SME memory encryption fix on
        32-bit kernels that crashed Xen guests"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/cpu: Remove unused and undefined __generic_processor_info() declaration
        x86/mm: Make the SME mask a u64
      680352bd