1. 24 Apr, 2018 6 commits
    • Andrew Morton's avatar
      fs/reiserfs/journal.c: add missing resierfs_warning() arg · 52b329d6
      Andrew Morton authored
      commit 9ad553ab upstream.
      
      One use of the reiserfs_warning() macro in journal_init_dev() is missing
      a parameter, causing the following warning:
      
        REISERFS warning (device loop0): journal_init_dev: Cannot open '%s': %i journal_init_dev:
      
      This also causes a WARN_ONCE() warning in the vsprintf code, and then a
      panic if panic_on_warn is set.
      
        Please remove unsupported %/ in format string
        WARNING: CPU: 1 PID: 4480 at lib/vsprintf.c:2138 format_decode+0x77f/0x830 lib/vsprintf.c:2138
        Kernel panic - not syncing: panic_on_warn set ...
      
      Just add another string argument to the macro invocation.
      
      Addresses https://syzkaller.appspot.com/bug?id=0627d4551fdc39bf1ef5d82cd9eef587047f7718
      
      Link: http://lkml.kernel.org/r/d678ebe1-6f54-8090-df4c-b9affad62293@infradead.orgSigned-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Reported-by: <syzbot+6bd77b88c1977c03f584@syzkaller.appspotmail.com>
      Tested-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Acked-by: default avatarJeff Mahoney <jeffm@suse.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Jan Kara <jack@suse.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52b329d6
    • Richard Weinberger's avatar
      ubi: Reject MLC NAND · c64c4c81
      Richard Weinberger authored
      commit b5094b7f upstream.
      
      While UBI and UBIFS seem to work at first sight with MLC NAND, you will
      most likely lose all your data upon a power-cut or due to read/write
      disturb.
      In order to protect users from bad surprises, refuse to attach to MLC
      NAND.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Acked-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Acked-by: default avatarArtem Bityutskiy <dedekind1@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c64c4c81
    • Romain Izard's avatar
      ubi: Fix error for write access · 434a1dd2
      Romain Izard authored
      commit 78a8dfba upstream.
      
      When opening a device with write access, ubiblock_open returns an error
      code. Currently, this error code is -EPERM, but this is not the right
      value.
      
      The open function for other block devices returns -EROFS when opening
      read-only devices with FMODE_WRITE set. When used with dm-verity, the
      veritysetup userspace tool is expecting EROFS, and refuses to use the
      ubiblock device.
      
      Use -EROFS for ubiblock as well. As a result, veritysetup accepts the
      ubiblock device as valid.
      
      Cc: stable@vger.kernel.org
      Fixes: 9d54c8a3 (UBI: R/O block driver on top of UBI volumes)
      Signed-off-by: default avatarRomain Izard <romain.izard.pro@gmail.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      434a1dd2
    • Richard Weinberger's avatar
      ubi: fastmap: Don't flush fastmap work on detach · 00f308c0
      Richard Weinberger authored
      commit 29b7a6fa upstream.
      
      At this point UBI volumes have already been free()'ed and fastmap can no
      longer access these data structures.
      Reported-by: default avatarMartin Townsend <mtownsend1973@gmail.com>
      Fixes: 74cdaf24 ("UBI: Fastmap: Fix memory leaks while closing the WL sub-system")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      00f308c0
    • Richard Weinberger's avatar
      ubifs: Check ubifs_wbuf_sync() return code · cf1595d8
      Richard Weinberger authored
      commit aac17948 upstream.
      
      If ubifs_wbuf_sync() fails we must not write a master node with the
      dirty marker cleared.
      Otherwise it is possible that in case of an IO error while syncing we
      mark the filesystem as clean and UBIFS refuses to recover upon next
      mount.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf1595d8
    • Tejun Heo's avatar
      tty: make n_tty_read() always abort if hangup is in progress · a7e19062
      Tejun Heo authored
      commit 28b0f8a6 upstream.
      
      A tty is hung up by __tty_hangup() setting file->f_op to
      hung_up_tty_fops, which is skipped on ttys whose write operation isn't
      tty_write().  This means that, for example, /dev/console whose write
      op is redirected_tty_write() is never actually marked hung up.
      
      Because n_tty_read() uses the hung up status to decide whether to
      abort the waiting readers, the lack of hung-up marking can lead to the
      following scenario.
      
       1. A session contains two processes.  The leader and its child.  The
          child ignores SIGHUP.
      
       2. The leader exits and starts disassociating from the controlling
          terminal (/dev/console).
      
       3. __tty_hangup() skips setting f_op to hung_up_tty_fops.
      
       4. SIGHUP is delivered and ignored.
      
       5. tty_ldisc_hangup() is invoked.  It wakes up the waits which should
          clear the read lockers of tty->ldisc_sem.
      
       6. The reader wakes up but because tty_hung_up_p() is false, it
          doesn't abort and goes back to sleep while read-holding
          tty->ldisc_sem.
      
       7. The leader progresses to tty_ldisc_lock() in tty_ldisc_hangup()
          and is now stuck in D sleep indefinitely waiting for
          tty->ldisc_sem.
      
      The following is Alan's explanation on why some ttys aren't hung up.
      
       http://lkml.kernel.org/r/20171101170908.6ad08580@alans-desktop
      
       1. It broke the serial consoles because they would hang up and close
          down the hardware. With tty_port that *should* be fixable properly
          for any cases remaining.
      
       2. The console layer was (and still is) completely broken and doens't
          refcount properly. So if you turn on console hangups it breaks (as
          indeed does freeing consoles and half a dozen other things).
      
      As neither can be fixed quickly, this patch works around the problem
      by introducing a new flag, TTY_HUPPING, which is used solely to tell
      n_tty_read() that hang-up is in progress for the console and the
      readers should be aborted regardless of the hung-up status of the
      device.
      
      The following is a sample hung task warning caused by this issue.
      
        INFO: task agetty:2662 blocked for more than 120 seconds.
              Not tainted 4.11.3-dbg-tty-lockup-02478-gfd6c7ee-dirty #28
        "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
            0  2662      1 0x00000086
        Call Trace:
         __schedule+0x267/0x890
         schedule+0x36/0x80
         schedule_timeout+0x23c/0x2e0
         ldsem_down_write+0xce/0x1f6
         tty_ldisc_lock+0x16/0x30
         tty_ldisc_hangup+0xb3/0x1b0
         __tty_hangup+0x300/0x410
         disassociate_ctty+0x6c/0x290
         do_exit+0x7ef/0xb00
         do_group_exit+0x3f/0xa0
         get_signal+0x1b3/0x5d0
         do_signal+0x28/0x660
         exit_to_usermode_loop+0x46/0x86
         do_syscall_64+0x9c/0xb0
         entry_SYSCALL64_slow_path+0x25/0x25
      
      The following is the repro.  Run "$PROG /dev/console".  The parent
      process hangs in D state.
      
        #include <sys/types.h>
        #include <sys/stat.h>
        #include <sys/wait.h>
        #include <sys/ioctl.h>
        #include <fcntl.h>
        #include <unistd.h>
        #include <stdio.h>
        #include <stdlib.h>
        #include <errno.h>
        #include <signal.h>
        #include <time.h>
        #include <termios.h>
      
        int main(int argc, char **argv)
        {
      	  struct sigaction sact = { .sa_handler = SIG_IGN };
      	  struct timespec ts1s = { .tv_sec = 1 };
      	  pid_t pid;
      	  int fd;
      
      	  if (argc < 2) {
      		  fprintf(stderr, "test-hung-tty /dev/$TTY\n");
      		  return 1;
      	  }
      
      	  /* fork a child to ensure that it isn't already the session leader */
      	  pid = fork();
      	  if (pid < 0) {
      		  perror("fork");
      		  return 1;
      	  }
      
      	  if (pid > 0) {
      		  /* top parent, wait for everyone */
      		  while (waitpid(-1, NULL, 0) >= 0)
      			  ;
      		  if (errno != ECHILD)
      			  perror("waitpid");
      		  return 0;
      	  }
      
      	  /* new session, start a new session and set the controlling tty */
      	  if (setsid() < 0) {
      		  perror("setsid");
      		  return 1;
      	  }
      
      	  fd = open(argv[1], O_RDWR);
      	  if (fd < 0) {
      		  perror("open");
      		  return 1;
      	  }
      
      	  if (ioctl(fd, TIOCSCTTY, 1) < 0) {
      		  perror("ioctl");
      		  return 1;
      	  }
      
      	  /* fork a child, sleep a bit and exit */
      	  pid = fork();
      	  if (pid < 0) {
      		  perror("fork");
      		  return 1;
      	  }
      
      	  if (pid > 0) {
      		  nanosleep(&ts1s, NULL);
      		  printf("Session leader exiting\n");
      		  exit(0);
      	  }
      
      	  /*
      	   * The child ignores SIGHUP and keeps reading from the controlling
      	   * tty.  Because SIGHUP is ignored, the child doesn't get killed on
      	   * parent exit and the bug in n_tty makes the read(2) block the
      	   * parent's control terminal hangup attempt.  The parent ends up in
      	   * D sleep until the child is explicitly killed.
      	   */
      	  sigaction(SIGHUP, &sact, NULL);
      	  printf("Child reading tty\n");
      	  while (1) {
      		  char buf[1024];
      
      		  if (read(fd, buf, sizeof(buf)) < 0) {
      			  perror("read");
      			  return 1;
      		  }
      	  }
      
      	  return 0;
        }
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Alan Cox <alan@llwyncelyn.cymru>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7e19062
  2. 20 Apr, 2018 34 commits