1. 14 Jan, 2018 1 commit
  2. 08 Jan, 2018 20 commits
  3. 04 Jan, 2018 2 commits
    • Nick Desaulniers's avatar
      posix-timers: Prevent UB from shifting negative signed value · 29f1b2b0
      Nick Desaulniers authored
      Shifting a negative signed number is undefined behavior. Looking at the
      macros MAKE_PROCESS_CPUCLOCK and FD_TO_CLOCKID, it seems that the
      subexpression:
      
      (~(clockid_t) (pid) << 3)
      
      where clockid_t resolves to a signed int, which once negated, is
      undefined behavior to shift the value of if the results thus far are
      negative.
      
      It was further suggested to make these macros into inline functions.
      Suggested-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarNick Desaulniers <nick.desaulniers@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Dimitri Sivanich <sivanich@hpe.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: linux-kselftest@vger.kernel.org
      Cc: Shuah Khan <shuah@kernel.org>
      Cc: Deepa Dinamani <deepa.kernel@gmail.com>
      Link: https://lkml.kernel.org/r/1514517100-18051-1-git-send-email-nick.desaulniers@gmail.com
      29f1b2b0
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 00a5ae21
      Linus Torvalds authored
      Pull x86 page table isolation fixes from Thomas Gleixner:
       "A couple of urgent fixes for PTI:
      
         - Fix a PTE mismatch between user and kernel visible mapping of the
           cpu entry area (differs vs. the GLB bit) and causes a TLB mismatch
           MCE on older AMD K8 machines
      
         - Fix the misplaced CR3 switch in the SYSCALL compat entry code which
           causes access to unmapped kernel memory resulting in double faults.
      
         - Fix the section mismatch of the cpu_tss_rw percpu storage caused by
           using a different mechanism for declaration and definition.
      
         - Two fixes for dumpstack which help to decode entry stack issues
           better
      
         - Enable PTI by default in Kconfig. We should have done that earlier,
           but it slipped through the cracks.
      
         - Exclude AMD from the PTI enforcement. Not necessarily a fix, but if
           AMD is so confident that they are not affected, then we should not
           burden users with the overhead"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/process: Define cpu_tss_rw in same section as declaration
        x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()
        x86/dumpstack: Print registers for first stack frame
        x86/dumpstack: Fix partial register dumps
        x86/pti: Make sure the user/kernel PTEs match
        x86/cpu, x86/pti: Do not enable PTI on AMD processors
        x86/pti: Enable PTI by default
      00a5ae21
  4. 03 Jan, 2018 11 commits
  5. 02 Jan, 2018 5 commits
    • David Howells's avatar
      afs: Fix missing error handling in afs_write_end() · afae457d
      David Howells authored
      afs_write_end() is missing page unlock and put if afs_fill_page() fails.
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      afae457d
    • David Howells's avatar
      afs: Fix unlink · 440fbc3a
      David Howells authored
      Repeating creation and deletion of a file on an afs mount will run the box
      out of memory, e.g.:
      
      	dd if=/dev/zero of=/afs/scratch/m0 bs=$((1024*1024)) count=512
      	rm /afs/scratch/m0
      
      The problem seems to be that it's not properly decrementing the nlink count
      so that the inode can be scrapped.
      
      Note that this doesn't fix local creation followed by remote deletion.
      That's harder to handle and will require a separate patch as we're not told
      that the file has been deleted - only that the directory has changed.
      Reported-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      440fbc3a
    • Dan Carpenter's avatar
      afs: Potential uninitialized variable in afs_extract_data() · 7888da95
      Dan Carpenter authored
      Smatch warns that:
      
          fs/afs/rxrpc.c:922 afs_extract_data()
          error: uninitialized symbol 'remote_abort'.
      
      Smatch is right that "remote_abort" might be uninitialized when we pass
      it to afs_set_call_complete().  I don't know if that function uses the
      uninitialized variable.  Anyway, the comment for rxrpc_kernel_recv_data(),
      says that "*_abort should also be initialised to 0." and this patch does
      that.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      7888da95
    • David Howells's avatar
      fscache: Fix the default for fscache_maybe_release_page() · 98801506
      David Howells authored
      Fix the default for fscache_maybe_release_page() for when the cookie isn't
      valid or the page isn't cached.  It mustn't return false as that indicates
      the page cannot yet be freed.
      
      The problem with the default is that if, say, there's no cache, but a
      network filesystem's pages are using up almost all the available memory, a
      system can OOM because the filesystem ->releasepage() op will not allow
      them to be released as fscache_maybe_release_page() incorrectly prevents
      it.
      
      This can be tested by writing a sequence of 512MiB files to an AFS mount.
      It does not affect NFS or CIFS because both of those wrap the call in a
      check of PG_fscache and it shouldn't bother Ceph as that only has
      PG_private set whilst writeback is in progress.  This might be an issue for
      9P, however.
      
      Note that the pages aren't entirely stuck.  Removing a file or unmounting
      will clear things because that uses ->invalidatepage() instead.
      
      Fixes: 201a1542 ("FS-Cache: Handle pages pending storage that get evicted under OOM conditions")
      Reported-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
      Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Tested-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      cc: stable@vger.kernel.org # 2.6.32+
      98801506
    • Eric Biggers's avatar
      capabilities: fix buffer overread on very short xattr · dc32b5c3
      Eric Biggers authored
      If userspace attempted to set a "security.capability" xattr shorter than
      4 bytes (e.g. 'setfattr -n security.capability -v x file'), then
      cap_convert_nscap() read past the end of the buffer containing the xattr
      value because it accessed the ->magic_etc field without verifying that
      the xattr value is long enough to contain that field.
      
      Fix it by validating the xattr value size first.
      
      This bug was found using syzkaller with KASAN.  The KASAN report was as
      follows (cleaned up slightly):
      
          BUG: KASAN: slab-out-of-bounds in cap_convert_nscap+0x514/0x630 security/commoncap.c:498
          Read of size 4 at addr ffff88002d8741c0 by task syz-executor1/2852
      
          CPU: 0 PID: 2852 Comm: syz-executor1 Not tainted 4.15.0-rc6-00200-gcc0aac99d977 #253
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
          Call Trace:
           __dump_stack lib/dump_stack.c:17 [inline]
           dump_stack+0xe3/0x195 lib/dump_stack.c:53
           print_address_description+0x73/0x260 mm/kasan/report.c:252
           kasan_report_error mm/kasan/report.c:351 [inline]
           kasan_report+0x235/0x350 mm/kasan/report.c:409
           cap_convert_nscap+0x514/0x630 security/commoncap.c:498
           setxattr+0x2bd/0x350 fs/xattr.c:446
           path_setxattr+0x168/0x1b0 fs/xattr.c:472
           SYSC_setxattr fs/xattr.c:487 [inline]
           SyS_setxattr+0x36/0x50 fs/xattr.c:483
           entry_SYSCALL_64_fastpath+0x18/0x85
      
      Fixes: 8db6c34f ("Introduce v3 namespaced file capabilities")
      Cc: <stable@vger.kernel.org> # v4.14+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      dc32b5c3
  6. 31 Dec, 2017 1 commit