1. 22 Aug, 2019 4 commits
    • ceph: fix buffer free while holding i_ceph_lock in fill_inode() · af8a85a4
      Luis Henriques authored
      Calling ceph_buffer_put() in fill_inode() may result in freeing the
      i_xattrs.blob buffer while holding the i_ceph_lock.  This can be fixed by
      postponing the call until later, when the lock is released.
      
      The following backtrace was triggered by fstests generic/070.
      
        BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
        in_atomic(): 1, irqs_disabled(): 0, pid: 3852, name: kworker/0:4
        6 locks held by kworker/0:4/3852:
         #0: 000000004270f6bb ((wq_completion)ceph-msgr){+.+.}, at: process_one_work+0x1b8/0x5f0
         #1: 00000000eb420803 ((work_completion)(&(&con->work)->work)){+.+.}, at: process_one_work+0x1b8/0x5f0
         #2: 00000000be1c53a4 (&s->s_mutex){+.+.}, at: dispatch+0x288/0x1476
         #3: 00000000559cb958 (&mdsc->snap_rwsem){++++}, at: dispatch+0x2eb/0x1476
         #4: 000000000d5ebbae (&req->r_fill_mutex){+.+.}, at: dispatch+0x2fc/0x1476
         #5: 00000000a83d0514 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: fill_inode.isra.0+0xf8/0xf70
        CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 5.2.0+ #441
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
        Workqueue: ceph-msgr ceph_con_workfn
        Call Trace:
         dump_stack+0x67/0x90
         ___might_sleep.cold+0x9f/0xb1
         vfree+0x4b/0x60
         ceph_buffer_release+0x1b/0x60
         fill_inode.isra.0+0xa9b/0xf70
         ceph_fill_trace+0x13b/0xc70
         ? dispatch+0x2eb/0x1476
         dispatch+0x320/0x1476
         ? __mutex_unlock_slowpath+0x4d/0x2a0
         ceph_con_workfn+0xc97/0x2ec0
         ? process_one_work+0x1b8/0x5f0
         process_one_work+0x244/0x5f0
         worker_thread+0x4d/0x3e0
         kthread+0x105/0x140
         ? process_one_work+0x5f0/0x5f0
         ? kthread_park+0x90/0x90
         ret_from_fork+0x3a/0x50
      Signed-off-by: Luis Henriques <lhenriques@suse.com>
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    • ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob() · 12fe3dda
      Luis Henriques authored
      Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
      freeing the i_xattrs.blob buffer while holding the i_ceph_lock.  This can
      be fixed by having this function return the old blob buffer and having
      the callers of this function free it when the lock is released.
      
      The following backtrace was triggered by fstests generic/117.
      
        BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
        in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
        4 locks held by fsstress/649:
         #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
         #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
         #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
         #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
        CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x67/0x90
         ___might_sleep.cold+0x9f/0xb1
         vfree+0x4b/0x60
         ceph_buffer_release+0x1b/0x60
         __ceph_build_xattrs_blob+0x12b/0x170
         __send_cap+0x302/0x540
         ? __lock_acquire+0x23c/0x1e40
         ? __mark_caps_flushing+0x15c/0x280
         ? _raw_spin_unlock+0x24/0x30
         ceph_check_caps+0x5f0/0xc60
         ceph_flush_dirty_caps+0x7c/0x150
         ? __ia32_sys_fdatasync+0x20/0x20
         ceph_sync_fs+0x5a/0x130
         iterate_supers+0x8f/0xf0
         ksys_sync+0x4f/0xb0
         __ia32_sys_sync+0xa/0x10
         do_syscall_64+0x50/0x1c0
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7fc6409ab617
      Signed-off-by: Luis Henriques <lhenriques@suse.com>
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    • ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() · 86968ef2
      Luis Henriques authored
      Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the
      i_xattrs.prealloc_blob buffer while holding the i_ceph_lock.  This can be
      fixed by postponing the call until later, when the lock is released.
      
      The following backtrace was triggered by fstests generic/117.
      
        BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
        in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress
        3 locks held by fsstress/650:
         #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50
         #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0
         #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: __ceph_setxattr+0x297/0x810
        CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x67/0x90
         ___might_sleep.cold+0x9f/0xb1
         vfree+0x4b/0x60
         ceph_buffer_release+0x1b/0x60
         __ceph_setxattr+0x2b4/0x810
         __vfs_setxattr+0x66/0x80
         __vfs_setxattr_noperm+0x59/0xf0
         vfs_setxattr+0x81/0xa0
         setxattr+0x115/0x230
         ? filename_lookup+0xc9/0x140
         ? rcu_read_lock_sched_held+0x74/0x80
         ? rcu_sync_lockdep_assert+0x2e/0x60
         ? __sb_start_write+0x142/0x1a0
         ? mnt_want_write+0x20/0x50
         path_setxattr+0xba/0xd0
         __x64_sys_lsetxattr+0x24/0x30
         do_syscall_64+0x50/0x1c0
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7ff23514359a
      Signed-off-by: Luis Henriques <lhenriques@suse.com>
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
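
The pattern shared by the three ceph fixes above, as an added userspace model (not the kernel patches and not code from this page): the pointer is swapped while the lock is held and the last reference is dropped only after unlock. `model_lock`, `sleeping_free`, `struct inode_model` and `run_case` are hypothetical stand-ins for `i_ceph_lock`, the `vfree()` path in the backtraces and `i_xattrs.blob`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of atomic context: >0 while a spinlock-like lock is held. */
static int atomic_depth;
static int sleep_in_atomic; /* frees that ran with the lock held */
static void model_lock(void)   { atomic_depth++; }
static void model_unlock(void) { atomic_depth--; }

/* Stand-in for a free path that may sleep (vfree() in the backtraces). */
static void sleeping_free(void *p)
{
    if (atomic_depth > 0)
        sleep_in_atomic++; /* the condition ___might_sleep() reports */
    free(p);
}

struct buf { int refs; char data[64]; };

static struct buf *buf_new(void)
{
    struct buf *b = calloc(1, sizeof(*b));
    if (b)
        b->refs = 1;
    return b;
}

/* Drop a reference; the last put releases the buffer through sleeping_free(). */
static void buf_put(struct buf *b)
{
    if (b && --b->refs == 0)
        sleeping_free(b);
}

struct inode_model { struct buf *blob; }; /* stands in for i_xattrs.blob */

/* Before: the old blob's last reference is dropped with the lock held. */
static void replace_blob_before(struct inode_model *in, struct buf *nb)
{
    model_lock();
    buf_put(in->blob);
    in->blob = nb;
    model_unlock();
}

/* After: swap the pointer under the lock, drop the old blob once unlocked. */
static void replace_blob_after(struct inode_model *in, struct buf *nb)
{
    model_lock();
    struct buf *old = in->blob;
    in->blob = nb;
    model_unlock();
    buf_put(old);
}

/* Replace a blob once and return how many frees ran in atomic context. */
int run_case(int fixed)
{
    struct inode_model in = { buf_new() };
    sleep_in_atomic = 0;
    (fixed ? replace_blob_after : replace_blob_before)(&in, buf_new());
    buf_put(in.blob); /* drop the replacement; no lock is held here */
    return sleep_in_atomic;
}

int main(void)
{
    printf("before: %d, after: %d\n", run_case(0), run_case(1));
    return 0;
}
```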
  2. 18 Aug, 2019 11 commits
    • Linux 5.3-rc5 · d1abaeb3
      Linus Torvalds authored
    • Merge tag 'fixes-for-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 6825e5a6
      Linus Torvalds authored
      Pull MTD fix from Richard Weinberger:
       "A single fix for MTD to correctly set the spi-nor WP pin"
      
      * tag 'fixes-for-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: spi-nor: Fix the disabling of write protection at init
    • Merge tag 'for-5.3-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 3039fadf
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "Two fixes that popped up during testing:
      
         - fix for sysfs-related code that adds/removes block groups, warnings
           appear during several fstests in connection with sysfs updates in
           5.3, the fix essentially replaces a workaround with scope NOFS and
           applies to 5.2-based branch too
      
         - add sanity check of trim range"
      
      * tag 'for-5.3-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: trim: Check the range passed into to prevent overflow
        Btrfs: fix sysfs warning and missing raid sysfs directories
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c332f3a7
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A set of fixes for x86:
      
         - Fix the inconsistent error handling in the umwait init code
      
         - Rework the boot param zeroing so gcc9 stops complaining about out
           of bound memset. The resulting source code is actually more sane to
           read than the smart solution we had
      
         - Maintainers update so Tony gets involved when Intel models are
           added
      
         - Some more fallthrough fixes"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/boot: Save fields explicitly, zero out everything else
        MAINTAINERS, x86/CPU: Tony Luck will maintain asm/intel-family.h
        x86/fpu/math-emu: Address fallthrough warnings
        x86/apic/32: Fix yet another implicit fallthrough warning
        x86/umwait: Fix error handling in umwait_init()
    • Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 645c03aa
      Linus Torvalds authored
      Pull EFI fix from Thomas Gleixner:
       "A single fix for an EFI mixed mode regression caused by recent rework
        which did not take the firmware bitwidth into account"
      
      * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        efi-stub: Fix get_efi_config_table on mixed-mode setups
    • Merge tag 'spdx-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx · 5bba5c9c
      Linus Torvalds authored
      Pull SPDX fixes from Greg KH:
       "Here are four small SPDX fixes for 5.3-rc5.
      
        A few style fixes for some SPDX comments, added an SPDX tag for one
        file, and fix up some GPL boilerplate for another file.
      
        All of these have been in linux-next for a few weeks with no reported
        issues (they are comment changes only, so that's to be expected...)"
      
      * tag 'spdx-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx:
        i2c: stm32: Use the correct style for SPDX License Identifier
        intel_th: Use the correct style for SPDX License Identifier
        coccinelle: api/atomic_as_refcounter: add SPDX License Identifier
        kernel/configs: Replace GPL boilerplate code with SPDX identifier
    • Merge tag 'char-misc-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 4503c0a4
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char and misc driver fixes for 5.3-rc5.
      
        These are two different subsystems needing some fixes, the habanalabs
        driver which has some more big endian fixes for problems found. The
        other are some small soundwire fixes, including some Kconfig
        dependencies needed to resolve reported build errors.
      
        All of these have been in linux-next this week with no reported
        issues"
      
      * tag 'char-misc-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        misc: xilinx-sdfec: fix dependency and build error
        habanalabs: fix device IRQ unmasking for BE host
        habanalabs: fix endianness handling for internal QMAN submission
        habanalabs: fix completion queue handling when host is BE
        habanalabs: fix endianness handling for packets from user
        habanalabs: fix DRAM usage accounting on context tear down
        habanalabs: Avoid double free in error flow
        soundwire: fix regmap dependencies and align with other serial links
        soundwire: cadence_master: fix definitions for INTSTAT0/1
        soundwire: cadence_master: fix register definition for SLAVE_STATE
    • Merge tag 'staging-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · ae1a616a
      Linus Torvalds authored
      Pull staging/IIO fixes from Greg KH:
       "Here are four small staging and iio driver fixes for 5.3-rc5
      
        Two are for the dt3000 comedi driver for some reported problems found
        in that codebase, and two are some small iio fixes.
      
        All of these have been in linux-next this week with no reported
        issues"
      
      * tag 'staging-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: comedi: dt3000: Fix rounding up of timer divisor
        staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
        iio: adc: max9611: Fix temperature reading in probe
        iio: frequency: adf4371: Fix output frequency setting
    • Merge tag 'usb-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 359334ca
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a number of small USB fixes for 5.3-rc5.
      
        Syzbot has been on a tear recently now that it has some good USB
        debugging hooks integrated, so there's a number of fixes in here found
        by those tools for some _very_ old bugs. Also a handful of gadget
        driver fixes for reported issues, some hopefully-final dma fixes for
        host controller drivers, and some new USB serial gadget driver ids.
      
        All of these have been in linux-next this week with no reported issues
        (the usb-serial ones were in linux-next in its own branch, but merged
        into mine on Friday)"
      
      * tag 'usb-5.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: add a hcd_uses_dma helper
        usb: don't create dma pools for HCDs with a localmem_pool
        usb: chipidea: imx: fix EPROBE_DEFER support during driver probe
        usb: host: fotg2: restart hcd after port reset
        USB: CDC: fix sanity checks in CDC union parser
        usb: cdc-acm: make sure a refcount is taken early enough
        USB: serial: option: add the BroadMobi BM818 card
        USB: serial: option: Add Motorola modem UARTs
        USB: core: Fix races in character device registration and deregistraion
        usb: gadget: mass_storage: Fix races between fsg_disable and fsg_set_alt
        usb: gadget: composite: Clear "suspended" on reset/disconnect
        usb: gadget: udc: renesas_usb3: Fix sysfs interface of "role"
        USB: serial: option: add D-Link DWM-222 device ID
        USB: serial: option: Add support for ZTE MF871A
    • Merge tag 'for-linus-2019-08-17' of git://git.kernel.dk/linux-block · 8fde2832
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A collection of fixes that should go into this series. This contains:
      
         - Revert of the REQ_NOWAIT_INLINE and associated dio changes. There
           were still corner cases there, and even though I had a solution for
           it, it's too involved for this stage. (me)
      
         - Set of NVMe fixes (via Sagi)
      
         - io_uring fix for fixed buffers (Anthony)
      
         - io_uring defer issue fix (Jackie)
      
         - Regression fix for queue sync at exit time (zhengbin)
      
         - xen blk-back memory leak fix (Wenwen)"
      
      * tag 'for-linus-2019-08-17' of git://git.kernel.dk/linux-block:
        io_uring: fix an issue when IOSQE_IO_LINK is inserted into defer list
        block: remove REQ_NOWAIT_INLINE
        io_uring: fix manual setup of iov_iter for fixed buffers
        xen/blkback: fix memory leaks
        blk-mq: move cancel of requeue_work to the front of blk_exit_queue
        nvme-pci: Fix async probe remove race
        nvme: fix controller removal race with scan work
        nvme-rdma: fix possible use-after-free in connect error flow
        nvme: fix a possible deadlock when passthru commands sent to a multipath device
        nvme-core: Fix extra device_put() call on error path
        nvmet-file: fix nvmet_file_flush() always returning an error
        nvmet-loop: Flush nvme_delete_wq when removing the port
        nvmet: Fix use-after-free bug when a port is removed
        nvme-multipath: revalidate nvme_ns_head gendisk in nvme_validate_ns
    • Merge tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux · 85d8d3b1
      Linus Torvalds authored
      Pull Hyper-V fixes from Sasha Levin:
      
       - A few fixes for the userspace hyper-v tools from Adrian Vladu.
      
       - A fix for the hyper-v MAINTAINERs entry from Lan Tianyu.
      
       - Fix for SPDX license identifier in the userspace tools from Nishad
         Kamdar.
      
      * tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
        MAINTAINERS: Fix Hyperv vIOMMU driver file name
        tools: hv: Use the correct style for SPDX License Identifier
        tools: hv: fix typos in toolchain
        tools: hv: fix KVP and VSS daemons exit code
        tools: hv: fixed Python pep8/flake8 warnings for lsvmbus
  3. 17 Aug, 2019 9 commits
  4. 16 Aug, 2019 10 commits
  5. 15 Aug, 2019 6 commits
    • ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term · 19bce474
      Hui Peng authored
      `check_input_term` recursively calls itself with input from the
      device side (e.g., uac_input_terminal_descriptor.bCSourceID)
      as argument (id). In `check_input_term`, if `check_input_term`
      is called with the same `id` argument as the caller, it triggers
      an endless recursive call, resulting in a kernel space stack overflow.
      
      This patch fixes the bug by adding a bitmap to `struct mixer_build`
      to keep track of the checked ids and stop the execution if some id
      has been checked (similar to how parse_audio_unit handles unitid
      argument).
      Reported-by: Hui Peng <benquike@gmail.com>
      Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
      Signed-off-by: Hui Peng <benquike@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
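
How a bitmap of checked ids bounds a walk that is driven by device-supplied source ids, as the commit above describes; this is an added userspace model, not the kernel patch or code from this page. `struct unit`, `struct build_state`, `resolve_input_term`, the descriptor table and the terminal type value are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_ID 256

/* Constructed stand-in for unit descriptors supplied by the device. */
enum unit_kind { UNIT_NONE = 0, UNIT_INPUT_TERMINAL, UNIT_PASSTHROUGH };
struct unit {
    enum unit_kind kind;
    uint8_t source_id;  /* device-controlled: id of the unit feeding this one */
    uint16_t term_type; /* meaningful only for UNIT_INPUT_TERMINAL */
};

/* Hypothetical build state: one bit per id that has already been checked. */
struct build_state {
    const struct unit *units; /* table indexed by unit id */
    uint8_t seen[MAX_ID / 8];
};

/* Mark id as checked and report whether it had been marked before. */
static int test_and_mark(struct build_state *st, uint8_t id)
{
    uint8_t mask = (uint8_t)(1u << (id % 8));
    int was_set = (st->seen[id / 8] & mask) != 0;
    st->seen[id / 8] |= mask;
    return was_set;
}

/* Follow source ids to an input terminal; depth is bounded by MAX_ID. */
static int resolve_input_term(struct build_state *st, uint8_t id, uint16_t *type)
{
    const struct unit *u = &st->units[id];
    if (test_and_mark(st, id))
        return -EINVAL; /* id seen before: the chain loops */
    switch (u->kind) {
    case UNIT_INPUT_TERMINAL:
        *type = u->term_type;
        return 0;
    case UNIT_PASSTHROUGH:
        return resolve_input_term(st, u->source_id, type);
    default:
        return -ENODEV; /* id names no unit */
    }
}

/* Run one lookup with a fresh, zeroed bitmap. */
int resolve_from(const struct unit *units, uint8_t id, uint16_t *type)
{
    struct build_state st = { .units = units };
    return resolve_input_term(&st, id, type);
}

/* Constructed descriptor table: one valid chain and two looping ones. */
static const struct unit table[MAX_ID] = {
    [1] = { UNIT_INPUT_TERMINAL, 0, 0x0201 },
    [2] = { UNIT_PASSTHROUGH, 1, 0 },
    [3] = { UNIT_PASSTHROUGH, 2, 0 },
    [5] = { UNIT_PASSTHROUGH, 5, 0 }, /* names itself as its source */
    [6] = { UNIT_PASSTHROUGH, 7, 0 },
    [7] = { UNIT_PASSTHROUGH, 6, 0 }, /* 6 -> 7 -> 6 */
};

int main(void)
{
    uint16_t type = 0;
    const uint8_t ids[] = { 3, 5, 6, 9 };
    for (size_t i = 0; i < sizeof(ids); i++)
        printf("id %d -> %d\n", ids[i], resolve_from(table, ids[i], &type));
    return 0;
}
```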
    • Merge tag 'xfs-5.3-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · a69e9051
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
      
       - Fix crashes when the attr fork isn't present due to errors but inode
         inactivation tries to zap the attr data anyway.
      
       - Convert more directory corruption debugging asserts to actual
         EFSCORRUPTED returns instead of blowing up later on.
      
       - Don't fail writeback just because we ran out of memory allocating
         metadata log data.
      
      * tag 'xfs-5.3-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: don't crash on null attr fork xfs_bmapi_read
        xfs: remove more ondisk directory corruption asserts
        fs: xfs: xfs_log: Don't use KM_MAYFAIL at xfs_log_reserve().
    • Merge tag 'iomap-5.3-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 4ec1fa69
      Linus Torvalds authored
      Pull iomap fixlet from Darrick Wong:
       "A single update to the MAINTAINERS entry for iomap now that we've
        removed fs/iomap.c"
      
      * tag 'iomap-5.3-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        MAINTAINERS: iomap: Remove fs/iomap.c record
    • io_uring: fix an issue when IOSQE_IO_LINK is inserted into defer list · a982eeb0
      Jackie Liu authored
      This patch may fix two issues:
      
      First, when IOSQE_IO_DRAIN is set, the next IOs need to be inserted into
      defer list to delay execution, but link io will be actively scheduled to
      run by calling io_queue_sqe.
      
      Second, when multiple LINK_IOs are inserted together with defer_list,
      the LINK_IOs no longer keep their order.
      
         |-------------|
         |   LINK_IO   |      ----> insert to defer_list  -----------
         |-------------|                                            |
         |   LINK_IO   |      ----> insert to defer_list  ----------|
         |-------------|                                            |
         |   LINK_IO   |      ----> insert to defer_list  ----------|
         |-------------|                                            |
         |   NORMAL_IO |      ----> insert to defer_list  ----------|
         |-------------|                                            |
                                                                    |
                                    queue_work at same time   <-----|
      
      Fixes: 9e645e11 ("io_uring: add support for sqe links")
      Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • block: remove REQ_NOWAIT_INLINE · 7b6620d7
      Jens Axboe authored
      We had a few issues with this code, and there's still a problem around
      how we deal with error handling for chained/split bios. For now, just
      revert the code and we'll try again with a thorough solution. This
      reverts commits:
      
      e15c2ffa ("block: fix O_DIRECT error handling for bio fragments")
      0eb6ddfb ("block: Fix __blkdev_direct_IO() for bio fragments")
      6a43074e ("block: properly handle IOCB_NOWAIT for async O_DIRECT IO")
      893a1c97 ("blk-mq: allow REQ_NOWAIT to return an error inline")
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • io_uring: fix manual setup of iov_iter for fixed buffers · 99c79f66
      Aleix Roca Nonell authored
      Commit bd11b3a3 ("io_uring: don't use iov_iter_advance() for fixed
      buffers") introduced an optimization to avoid using the slow
      iov_iter_advance by manually populating the iov_iter iterator in some
      cases.
      
      However, the computation of the iterator count field was erroneous: The
      first bvec was always accounted for an extent of page size even if the
      bvec length was smaller.
      
      In consequence, some I/O operations on fixed buffers were unable to
      operate on the full extent of the buffer, consistently skipping some
      bytes at the end of it.
      
      Fixes: bd11b3a3 ("io_uring: don't use iov_iter_advance() for fixed buffers")
      Cc: stable@vger.kernel.org
      Signed-off-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>