1. 11 Jan, 2016 2 commits
    • Linus Torvalds's avatar
      Merge branch 'work.symlinks' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 32fb3784
      Linus Torvalds authored
      Pull vfs RCU symlink updates from Al Viro:
       "Replacement of ->follow_link/->put_link, allowing to stay in RCU mode
        even if the symlink is not an embedded one.
      
        No changes since the mailbomb on Jan 1"
      
      * 'work.symlinks' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        switch ->get_link() to delayed_call, kill ->put_link()
        kill free_page_put_link()
        teach nfs_get_link() to work in RCU mode
        teach proc_self_get_link()/proc_thread_self_get_link() to work in RCU mode
        teach shmem_get_link() to work in RCU mode
        teach page_get_link() to work in RCU mode
        replace ->follow_link() with new method that could stay in RCU mode
        don't put symlink bodies in pagecache into highmem
        namei: page_getlink() and page_follow_link_light() are the same thing
        ufs: get rid of ->setattr() for symlinks
        udf: don't duplicate page_symlink_inode_operations
        logfs: don't duplicate page_symlink_inode_operations
        switch befs long symlinks to page_symlink_operations
      32fb3784
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 19ccb28e
      Linus Torvalds authored
      Pull vfs compat_ioctl fixes from Al Viro:
       "This is basically Jann's patches from last week.  I have _not_
        included the stuff like switching i2c to ->compat_ioctl() into this
        one - those need more testing.
      
        Ideally I would like fs/compat_ioctl.c shrunk a lot, but that's a
        separate story"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)
        compat_ioctl: don't pass fd around when not needed
        compat_ioctl: don't look up the fd twice
      19ccb28e
  2. 10 Jan, 2016 1 commit
  3. 09 Jan, 2016 7 commits
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · eac6f76a
      Linus Torvalds authored
      Pull SCSI fix from James Bottomley:
       "A single fix for machines with pages > 4k (PPC mostly).
      
        There's a bug in our optimal transfer size code where we don't account
        for pages > 4k and can set the transfer size to be less than the page
        size causing nasty failures"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        sd: Reject optimal transfer length smaller than page size
      eac6f76a
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.4-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · c0cb1393
      Linus Torvalds authored
      Pull PCI fixlet from Bjorn Helgaas:
       "This marks the TI DRA7xx host bridge driver as broken.  Apparently it
        has never worked without some additional out-of-tree code, so I'm
        going to mark it broken now and remove it completely next cycle unless
        it's fixed"
      
      * tag 'pci-v4.4-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: dra7xx: Mark driver as broken
      c0cb1393
    • Michal Hocko's avatar
      vmstat: allocate vmstat_wq before it is used · 751e5f5c
      Michal Hocko authored
      kernel test robot has reported the following crash:
      
        BUG: unable to handle kernel NULL pointer dereference at 00000100
        IP: [<c1074df6>] __queue_work+0x26/0x390
        *pdpt = 0000000000000000 *pde = f000ff53f000ff53 *pde = f000ff53f000ff53
        Oops: 0000 [#1] PREEMPT PREEMPT SMP SMP
        CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.4.0-rc4-00139-g373ccbe5 #1
        Workqueue: events vmstat_shepherd
        task: cb684600 ti: cb7ba000 task.ti: cb7ba000
        EIP: 0060:[<c1074df6>] EFLAGS: 00010046 CPU: 0
        EIP is at __queue_work+0x26/0x390
        EAX: 00000046 EBX: cbb37800 ECX: cbb37800 EDX: 00000000
        ESI: 00000000 EDI: 00000000 EBP: cb7bbe68 ESP: cb7bbe38
         DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
        CR0: 8005003b CR2: 00000100 CR3: 01fd5000 CR4: 000006b0
        Stack:
        Call Trace:
          __queue_delayed_work+0xa1/0x160
          queue_delayed_work_on+0x36/0x60
          vmstat_shepherd+0xad/0xf0
          process_one_work+0x1aa/0x4c0
          worker_thread+0x41/0x440
          kthread+0xb0/0xd0
          ret_from_kernel_thread+0x21/0x40
      
      The reason is that start_shepherd_timer schedules the shepherd work item
      which uses vmstat_wq (vmstat_shepherd) before setup_vmstat allocates
      that workqueue so if the further initialization takes more than HZ we
      might end up scheduling on a NULL vmstat_wq.  This is really unlikely
      but not impossible.
      
      Fixes: 373ccbe5 ("mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make any progress")
      Reported-by: default avatarkernel test robot <ying.huang@linux.intel.com>
      Signed-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Tested-by: default avatarTetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Cc: stable@vger.kernel.org
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      751e5f5c
    • Jann Horn's avatar
      compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS) · a7f61e89
      Jann Horn authored
      This replaces all code in fs/compat_ioctl.c that translated
      ioctl arguments into a in-kernel structure, then performed
      do_ioctl under set_fs(KERNEL_DS), with code that allocates
      data on the user stack and can call the VFS ioctl handler
      under USER_DS.
      
      This is done as a hardening measure because the caller
      does not know what kind of ioctl handler will be invoked,
      only that no corresponding compat_ioctl handler exists and
      what the ioctl command number is. The accidental
      invocation of an unlocked_ioctl handler that unexpectedly
      calls copy_to_user could be a severe security issue.
      Signed-off-by: default avatarJann Horn <jann@thejh.net>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      a7f61e89
    • Al Viro's avatar
      66cf191f
    • Jann Horn's avatar
      compat_ioctl: don't look up the fd twice · b4341721
      Jann Horn authored
      In code in fs/compat_ioctl.c that translates ioctl arguments
      into a in-kernel structure, then performs sys_ioctl, possibly
      under set_fs(KERNEL_DS), this commit changes the sys_ioctl
      calls to do_ioctl calls. do_ioctl is a new function that does
      the same thing as sys_ioctl, but doesn't look up the fd again.
      
      This change is made to avoid (potential) security issues
      because of ioctl handlers that accept one of the ioctl
      commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET,
      TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ.
      This can happen for multiple reasons:
      
       - The ioctl command number could be reused.
       - The ioctl handler might not check the full ioctl
         command. This is e.g. true for drm_ioctl.
       - The ioctl handler is very special, e.g. cuse_file_ioctl
      
      The real issue is that set_fs(KERNEL_DS) is used here,
      but that's fixed in a separate commit
      "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)".
      
      This change mitigates potential security issues by
      preventing a race that permits invocation of
      unlocked_ioctl handlers under KERNEL_DS through compat
      code even if a corresponding compat_ioctl handler exists.
      
      So far, no way has been identified to use this to damage
      kernel memory without having CAP_SYS_ADMIN in the init ns
      (with the capability, doing reads/writes at arbitrary
      kernel addresses should be easy through CUSE's ioctl
      handler with FUSE_IOCTL_UNRESTRICTED set).
      
      [AV: two missed sys_ioctl() taken care of]
      Signed-off-by: default avatarJann Horn <jann@thejh.net>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b4341721
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 44d8a7d5
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "This is the final small set of ARM SoC bug fixes for linux-4.4, almost
        all regressions:
      
        OMAP:
         - data corruption on the Nokia N900 flash
      
        Allwinner:
         - Two defconfig change to get USB working again
      
        ARM Versatile:
         - Interrupt numbers gone bad after an older bug fix
      
        Nomadik:
         - Crashes from incorrect L2 cache settings
      
        VIA vt8500:
         - SD/MMC support on WM8650 never worked"
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        dts: vt8500: Add SDHC node to DTS file for WM8650
        ARM: Fix broken USB support in multi_v7_defconfig for sunxi devices
        ARM: versatile: fix MMC/SD interrupt assignment
        ARM: nomadik: set latencies to 8 cycles
        ARM: OMAP2+: Fix onenand rate detection to avoid filesystem corruption
        ARM: Fix broken USB support in sunxi_defconfig
      44d8a7d5
  4. 08 Jan, 2016 15 commits
  5. 07 Jan, 2016 15 commits