1. 24 Mar, 2018 25 commits
  2. 22 Mar, 2018 15 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.123 · 3753696b
      Greg Kroah-Hartman authored
      3753696b
    • Jann Horn's avatar
      bpf: fix incorrect sign extension in check_alu_op() · a6132276
      Jann Horn authored
      commit 95a762e2 upstream.
      
      Distinguish between
      BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
      and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
      only perform sign extension in the first case.
      
      This patch differs from the mainline one because the verifier's internals
      have changed in the meantime. Mainline tracks register values as 64-bit
      values; however, 4.4 still stores tracked register values as 32-bit
      values with sign extension. Therefore, in the case of a 32-bit op with
      negative immediate, the value can't be tracked; leave the register as
      UNKNOWN_VALUE (set by the preceding check_reg_arg() call).
      
      
      I have manually tested this patch on top of 4.4.122. For the following BPF
      bytecode:
      
              BPF_MOV64_IMM(BPF_REG_1, 1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
              BPF_EXIT_INSN(),
      
              BPF_MOV32_IMM(BPF_REG_1, 1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
              BPF_EXIT_INSN(),
      
              BPF_MOV64_IMM(BPF_REG_1, -1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, -1, 1),
              BPF_EXIT_INSN(),
      
              BPF_MOV32_IMM(BPF_REG_1, -1),
              BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, -1, 2),
              BPF_MOV32_IMM(BPF_REG_0, 42),
              BPF_EXIT_INSN(),
      
              BPF_MOV32_IMM(BPF_REG_0, 43),
              BPF_EXIT_INSN()
      
      Verifier output on 4.4.122 without this patch:
      
      0: (b7) r1 = 1
      1: (15) if r1 == 0x1 goto pc+1
      3: (b4) (u32) r1 = (u32) 1
      4: (15) if r1 == 0x1 goto pc+1
      6: (b7) r1 = -1
      7: (15) if r1 == 0xffffffff goto pc+1
      9: (b4) (u32) r1 = (u32) -1
      10: (15) if r1 == 0xffffffff goto pc+2
      13: (b4) (u32) r0 = (u32) 43
      14: (95) exit
      
      Verifier output on 4.4.122+ with this patch:
      
      0: (b7) r1 = 1
      1: (15) if r1 == 0x1 goto pc+1
      3: (b4) (u32) r1 = (u32) 1
      4: (15) if r1 == 0x1 goto pc+1
      6: (b7) r1 = -1
      7: (15) if r1 == 0xffffffff goto pc+1
      9: (b4) (u32) r1 = (u32) -1
      10: (15) if r1 == 0xffffffff goto pc+2
       R1=inv R10=fp
      11: (b4) (u32) r0 = (u32) 42
      12: (95) exit
      
      from 10 to 13: R1=imm-1 R10=fp
      13: (b4) (u32) r0 = (u32) 43
      14: (95) exit
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6132276
    • Srinath Mannam's avatar
      usb: gadget: bdc: 64-bit pointer capability check · 5a876e87
      Srinath Mannam authored
      commit c8e4e5bd upstream.
      
      Corrected the register to check the 64-bit pointer
      capability state. 64-bit pointer implementation capability
      was checking in wrong register, which causes the BDC
      enumeration failure in 64-bit memory address.
      
      Fixes: efed421a ("usb: gadget: Add UDC driver for
      Broadcom USB3.0 device controller IP BDC")
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarSrinath Mannam <srinath.mannam@broadcom.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a876e87
    • Wei Yongjun's avatar
      USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe() · a52a0a6c
      Wei Yongjun authored
      commit 8874ae5f upstream.
      
      Add the missing platform_device_put() before return from bdc_pci_probe()
      in the platform_device_add_resources() error handling case.
      
      Fixes: efed421a ("usb: gadget: Add UDC driver for Broadcom USB3.0 device controller IP BDC")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a52a0a6c
    • Nikolay Borisov's avatar
      btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device · e1994e4d
      Nikolay Borisov authored
      commit fd649f10 upstream.
      
      Commit 4fde46f0 ("Btrfs: free the stale device") introduced
      btrfs_free_stale_device which iterates the device lists for all
      registered btrfs filesystems and deletes those devices which aren't
      mounted. In a btrfs_devices structure has only 1 device attached to it
      and it is unused then btrfs_free_stale_devices will proceed to also free
      the btrfs_fs_devices struct itself. Currently this leads to a use after
      free since list_for_each_entry will try to perform a check on the
      already freed memory to see if it has to terminate the loop.
      
      The fix is to use 'break' when we know we are freeing the current
      fs_devs.
      
      Fixes: 4fde46f0 ("Btrfs: free the stale device")
      Signed-off-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarAnand Jain <anand.jain@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1994e4d
    • Hans van Kranenburg's avatar
      btrfs: alloc_chunk: fix DUP stripe size handling · 97c3e46e
      Hans van Kranenburg authored
      commit 92e222df upstream.
      
      In case of using DUP, we search for enough unallocated disk space on a
      device to hold two stripes.
      
      The devices_info[ndevs-1].max_avail that holds the amount of unallocated
      space found is directly assigned to stripe_size, while it's actually
      twice the stripe size.
      
      Later on in the code, an unconditional division of stripe_size by
      dev_stripes corrects the value, but in the meantime there's a check to
      see if the stripe_size does not exceed max_chunk_size. Since during this
      check stripe_size is twice the amount as intended, the check will reduce
      the stripe_size to max_chunk_size if the actual correct to be used
      stripe_size is more than half the amount of max_chunk_size.
      
      The unconditional division later tries to correct stripe_size, but will
      actually make sure we can't allocate more than half the max_chunk_size.
      
      Fix this by moving the division by dev_stripes before the max chunk size
      check, so it always contains the right value, instead of putting a duct
      tape division in further on to get it fixed again.
      
      Since in all other cases than DUP, dev_stripes is 1, this change only
      affects DUP.
      
      Other attempts in the past were made to fix this:
      * 37db63a4 "Btrfs: fix max chunk size check in chunk allocator" tried
      to fix the same problem, but still resulted in part of the code acting
      on a wrongly doubled stripe_size value.
      * 86db2578 "Btrfs: fix max chunk size on raid5/6" unintentionally
      broke this fix again.
      
      The real problem was already introduced with the rest of the code in
      73c5de00.
      
      The user visible result however will be that the max chunk size for DUP
      will suddenly double, while it's actually acting according to the limits
      in the code again like it was 5 years ago.
      Reported-by: default avatarNaohiro Aota <naohiro.aota@wdc.com>
      Link: https://www.spinics.net/lists/linux-btrfs/msg69752.html
      Fixes: 73c5de00 ("btrfs: quasi-round-robin for chunk allocation")
      Fixes: 86db2578 ("Btrfs: fix max chunk size on raid5/6")
      Signed-off-by: default avatarHans van Kranenburg <hans.van.kranenburg@mendix.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      [ update comment ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97c3e46e
    • Adam Ford's avatar
      ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux · 29b20311
      Adam Ford authored
      commit 74402055 upstream.
      
      The pinmuxing was missing for I2C1 which was causing intermittent issues
      with the PMIC which is connected to I2C1.  The bootloader did not quite
      configure the I2C1 either, so when running at 2.6MHz, it was generating
      errors at time.
      
      This correctly sets the I2C1 pinmuxing so it can operate at 2.6MHz
      
      Fixes: 687c2767 ("ARM: dts: Add minimal support for LogicPD Torpedo
      DM3730 devkit")
      Signed-off-by: default avatarAdam Ford <aford173@gmail.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29b20311
    • Johannes Thumshirn's avatar
      scsi: sg: only check for dxfer_len greater than 256M · 036c4bdd
      Johannes Thumshirn authored
      commit f930c704 upstream.
      
      Don't make any assumptions on the sg_io_hdr_t::dxfer_direction or the
      sg_io_hdr_t::dxferp in order to determine if it is a valid request. The
      only way we can check for bad requests is by checking if the length
      exceeds 256M.
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Fixes: 28676d86 (scsi: sg: check for valid direction before starting the request)
      Reported-by: default avatarJason L Tibbitts III <tibbs@math.uh.edu>
      Tested-by: default avatarJason L Tibbitts III <tibbs@math.uh.edu>
      Suggested-by: default avatarDoug Gilbert <dgilbert@interlog.com>
      Cc: Doug Gilbert <dgilbert@interlog.com>
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      036c4bdd
    • Johannes Thumshirn's avatar
      scsi: sg: fix static checker warning in sg_is_valid_dxfer · db259b67
      Johannes Thumshirn authored
      commit 14074aba upstream.
      
      dxfer_len is an unsigned int and we always assign a value > 0 to it, so
      it doesn't make any sense to check if it is < 0. We can't really check
      dxferp as well as we have both NULL and not NULL cases in the possible
      call paths.
      
      So just return true for SG_DXFER_FROM_DEV transfer in
      sg_is_valid_dxfer().
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Reported-by: default avatarColin Ian King <colin.king@canonical.com>
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Douglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db259b67
    • Johannes Thumshirn's avatar
      scsi: sg: fix SG_DXFER_FROM_DEV transfers · 6d858350
      Johannes Thumshirn authored
      commit 68c59fce upstream.
      
      SG_DXFER_FROM_DEV transfers do not necessarily have a dxferp as we set
      it to NULL for the old sg_io read/write interface, but must have a
      length bigger than 0. This fixes a regression introduced by commit
      28676d86 ("scsi: sg: check for valid direction before starting the
      request")
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Fixes: 28676d86 ("scsi: sg: check for valid direction before starting the request")
      Reported-by: default avatarChris Clayton <chris2553@googlemail.com>
      Tested-by: default avatarChris Clayton <chris2553@googlemail.com>
      Cc: Douglas Gilbert <dgilbert@interlog.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Tested-by: default avatarChris Clayton <chris2553@googlemail.com>
      Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Cc: Cristian Crinteanu <crinteanu.cristian@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d858350
    • Ard Biesheuvel's avatar
      irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis · abca4633
      Ard Biesheuvel authored
      commit 4f2c7583 upstream.
      
      When struct its_device instances are created, the nr_ites member
      will be set to a power of 2 that equals or exceeds the requested
      number of MSIs passed to the msi_prepare() callback. At the same
      time, the LPI map is allocated to be some multiple of 32 in size,
      where the allocated size may be less than the requested size
      depending on whether a contiguous range of sufficient size is
      available in the global LPI bitmap.
      
      This may result in the situation where the nr_ites < nr_lpis, and
      since nr_ites is what we program into the hardware when we map the
      device, the additional LPIs will be non-functional.
      
      For bog standard hardware, this does not really matter. However,
      in cases where ITS device IDs are shared between different PCIe
      devices, we may end up allocating these additional LPIs without
      taking into account that they don't actually work.
      
      So let's make nr_ites at least 32. This ensures that all allocated
      LPIs are 'live', and that its_alloc_device_irq() will fail when
      attempts are made to allocate MSIs beyond what was allocated in
      the first place.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      [maz: updated comment]
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      [ardb: trivial tweak of unrelated context]
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      abca4633
    • Tejun Heo's avatar
      fs/aio: Use RCU accessors for kioctx_table->table[] · 5ae91b40
      Tejun Heo authored
      commit d0264c01 upstream.
      
      While converting ioctx index from a list to a table, db446a08
      ("aio: convert the ioctx list to table lookup v3") missed tagging
      kioctx_table->table[] as an array of RCU pointers and using the
      appropriate RCU accessors.  This introduces a small window in the
      lookup path where init and access may race.
      
      Mark kioctx_table->table[] with __rcu and use the approriate RCU
      accessors when using the field.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: db446a08 ("aio: convert the ioctx list to table lookup v3")
      Cc: Benjamin LaHaise <bcrl@kvack.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: stable@vger.kernel.org # v3.12+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ae91b40
    • Tejun Heo's avatar
      fs/aio: Add explicit RCU grace period when freeing kioctx · c68e1f44
      Tejun Heo authored
      commit a6d7cff4 upstream.
      
      While fixing refcounting, e34ecee2 ("aio: Fix a trinity splat")
      incorrectly removed explicit RCU grace period before freeing kioctx.
      The intention seems to be depending on the internal RCU grace periods
      of percpu_ref; however, percpu_ref uses a different flavor of RCU,
      sched-RCU.  This can lead to kioctx being freed while RCU read
      protected dereferences are still in progress.
      
      Fix it by updating free_ioctx() to go through call_rcu() explicitly.
      
      v2: Comment added to explain double bouncing.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: e34ecee2 ("aio: Fix a trinity splat")
      Cc: Kent Overstreet <kent.overstreet@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: stable@vger.kernel.org # v3.13+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c68e1f44
    • Al Viro's avatar
      lock_parent() needs to recheck if dentry got __dentry_kill'ed under it · 8dc6893e
      Al Viro authored
      commit 3b821409 upstream.
      
      In case when dentry passed to lock_parent() is protected from freeing only
      by the fact that it's on a shrink list and trylock of parent fails, we
      could get hit by __dentry_kill() (and subsequent dentry_kill(parent))
      between unlocking dentry and locking presumed parent.  We need to recheck
      that dentry is alive once we lock both it and parent *and* postpone
      rcu_read_unlock() until after that point.  Otherwise we could return
      a pointer to struct dentry that already is rcu-scheduled for freeing, with
      ->d_lock held on it; caller's subsequent attempt to unlock it can end
      up with memory corruption.
      
      Cc: stable@vger.kernel.org # 3.12+, counting backports
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8dc6893e
    • Eric W. Biederman's avatar
      fs: Teach path_connected to handle nfs filesystems with multiple roots. · c8c71406
      Eric W. Biederman authored
      commit 95dd7758 upstream.
      
      On nfsv2 and nfsv3 the nfs server can export subsets of the same
      filesystem and report the same filesystem identifier, so that the nfs
      client can know they are the same filesystem.  The subsets can be from
      disjoint directory trees.  The nfsv2 and nfsv3 filesystems provides no
      way to find the common root of all directory trees exported form the
      server with the same filesystem identifier.
      
      The practical result is that in struct super s_root for nfs s_root is
      not necessarily the root of the filesystem.  The nfs mount code sets
      s_root to the root of the first subset of the nfs filesystem that the
      kernel mounts.
      
      This effects the dcache invalidation code in generic_shutdown_super
      currently called shrunk_dcache_for_umount and that code for years
      has gone through an additional list of dentries that might be dentry
      trees that need to be freed to accomodate nfs.
      
      When I wrote path_connected I did not realize nfs was so special, and
      it's hueristic for avoiding calling is_subdir can fail.
      
      The practical case where this fails is when there is a move of a
      directory from the subtree exposed by one nfs mount to the subtree
      exposed by another nfs mount.  This move can happen either locally or
      remotely.  With the remote case requiring that the move directory be cached
      before the move and that after the move someone walks the path
      to where the move directory now exists and in so doing causes the
      already cached directory to be moved in the dcache through the magic
      of d_splice_alias.
      
      If someone whose working directory is in the move directory or a
      subdirectory and now starts calling .. from the initial mount of nfs
      (where s_root == mnt_root), then path_connected as a heuristic will
      not bother with the is_subdir check.  As s_root really is not the root
      of the nfs filesystem this heuristic is wrong, and the path may
      actually not be connected and path_connected can fail.
      
      The is_subdir function might be cheap enough that we can call it
      unconditionally.  Verifying that will take some benchmarking and
      the result may not be the same on all kernels this fix needs
      to be backported to.  So I am avoiding that for now.
      
      Filesystems with snapshots such as nilfs and btrfs do something
      similar.  But as the directory tree of the snapshots are disjoint
      from one another and from the main directory tree rename won't move
      things between them and this problem will not occur.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Fixes: 397d425d ("vfs: Test for and handle paths that are unreachable from their mnt_root")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8c71406