1. 27 Mar, 2018 1 commit
  2. 26 Mar, 2018 1 commit
  3. 21 Mar, 2018 1 commit
  4. 19 Mar, 2018 2 commits
  5. 14 Mar, 2018 7 commits
  6. 13 Mar, 2018 1 commit
    • Taras Kondratiuk's avatar
      libata: add refcounting to ata_host · 2623c7a5
      Taras Kondratiuk authored
      After commit 9a6d6a2d ("ata: make ata port as parent device of scsi
      host") manual driver unbind/remove causes use-after-free.
      
      Unbind unconditionally invokes devres_release_all() which calls
      ata_host_release() and frees ata_host/ata_port memory while it is still
      being referenced as a parent of SCSI host. When SCSI host is finally
      released scsi_host_dev_release() calls put_device(parent) and accesses
      freed ata_port memory.
      
      Add reference counting to make sure that ata_host lives long enough.
      
      Bug report: https://lkml.org/lkml/2017/11/1/945
      Fixes: 9a6d6a2d ("ata: make ata port as parent device of scsi host")
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Lin Ming <minggr@gmail.com>
      Cc: linux-ide@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarTaras Kondratiuk <takondra@cisco.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      2623c7a5
  7. 01 Mar, 2018 2 commits
  8. 18 Feb, 2018 7 commits
  9. 13 Feb, 2018 3 commits
  10. 12 Feb, 2018 7 commits
    • Khiem Nguyen's avatar
      sata_rcar: Reset SATA PHY when Salvator-X board resumes · da77d76b
      Khiem Nguyen authored
      Because power of Salvator-X board is cut off in suspend,
      it needs to reset SATA PHY state in resume.
      Otherwise, SATA partition could not be accessed anymore.
      Signed-off-by: default avatarKhiem Nguyen <khiem.nguyen.xt@rvc.renesas.com>
      Signed-off-by: default avatarHien Dang <hien.dang.eb@rvc.renesas.com>
      [reinit phy in sata_rcar_resume() function on R-Car Gen3 only]
      [factor out SATA module init sequence]
      [fixed the prefix for the subject]
      Signed-off-by: default avatarYoshihiro Kaneko <ykaneko0929@gmail.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      da77d76b
    • Eric Biggers's avatar
      libata: don't try to pass through NCQ commands to non-NCQ devices · 2c1ec6fd
      Eric Biggers authored
      syzkaller hit a WARN() in ata_bmdma_qc_issue() when writing to /dev/sg0.
      This happened because it issued an ATA pass-through command (ATA_16)
      where the protocol field indicated that NCQ should be used -- but the
      device did not support NCQ.
      
      We could just remove the WARN() from libata-sff.c, but the real problem
      seems to be that the SCSI -> ATA translation code passes through NCQ
      commands without verifying that the device actually supports NCQ.
      
      Fix this by adding the appropriate check to ata_scsi_pass_thru().
      
      Here's reproducer that works in QEMU when /dev/sg0 refers to a disk of
      the default type ("82371SB PIIX3 IDE"):
      
          #include <fcntl.h>
          #include <unistd.h>
      
          int main()
          {
                  char buf[53] = { 0 };
      
      	    buf[36] = 0x85;		/* ATA_16 */
      	    buf[37] = (12 << 1);	/* FPDMA */
      	    buf[38] = 0x1;		/* Has data */
      	    buf[51] = 0xC8;		/* ATA_CMD_READ */
                  write(open("/dev/sg0", O_RDWR), buf, sizeof(buf));
          }
      
      Fixes: ee7fb331 ("libata: add support for NCQ commands for SG interface")
      Reported-by: syzbot+2f69ca28df61bdfc77cd36af2e789850355a221e@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org> # v4.4+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      2c1ec6fd
    • Eric Biggers's avatar
      libata: remove WARN() for DMA or PIO command without data · 9173e5e8
      Eric Biggers authored
      syzkaller hit a WARN() in ata_qc_issue() when writing to /dev/sg0.  This
      happened because it issued a READ_6 command with no data buffer.
      
      Just remove the WARN(), as it doesn't appear indicate a kernel bug.  The
      expected behavior is to fail the command, which the code does.
      
      Here's a reproducer that works in QEMU when /dev/sg0 refers to a disk of
      the default type ("82371SB PIIX3 IDE"):
      
          #include <fcntl.h>
          #include <unistd.h>
      
          int main()
          {
                  char buf[42] = { [36] = 0x8 /* READ_6 */ };
      
                  write(open("/dev/sg0", O_RDWR), buf, sizeof(buf));
          }
      
      Fixes: f92a2636 ("libata: change ATA_QCFLAG_DMAMAP semantics")
      Reported-by: syzbot+f7b556d1766502a69d85071d2ff08bd87be53d0f@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org> # v2.6.25+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      9173e5e8
    • Eric Biggers's avatar
      libata: fix length validation of ATAPI-relayed SCSI commands · 058f58e2
      Eric Biggers authored
      syzkaller reported a crash in ata_bmdma_fill_sg() when writing to
      /dev/sg1.  The immediate cause was that the ATA command's scatterlist
      was not DMA-mapped, which causes 'pi - 1' to underflow, resulting in a
      write to 'qc->ap->bmdma_prd[0xffffffff]'.
      
      Strangely though, the flag ATA_QCFLAG_DMAMAP was set in qc->flags.  The
      root cause is that when __ata_scsi_queuecmd() is preparing to relay a
      SCSI command to an ATAPI device, it doesn't correctly validate the CDB
      length before copying it into the 16-byte buffer 'cdb' in 'struct
      ata_queued_cmd'.  Namely, it validates the fixed CDB length expected
      based on the SCSI opcode but not the actual CDB length, which can be
      larger due to the use of the SG_NEXT_CMD_LEN ioctl.  Since 'flags' is
      the next member in ata_queued_cmd, a buffer overflow corrupts it.
      
      Fix it by requiring that the actual CDB length be <= 16 (ATAPI_CDB_LEN).
      
      [Really it seems the length should be required to be <= dev->cdb_len,
      but the current behavior seems to have been intentionally introduced by
      commit 607126c2 ("libata-scsi: be tolerant of 12-byte ATAPI commands
      in 16-byte CDBs") to work around a userspace bug in mplayer.  Probably
      the workaround is no longer needed (mplayer was fixed in 2007), but
      continuing to allow lengths to up 16 appears harmless for now.]
      
      Here's a reproducer that works in QEMU when /dev/sg1 refers to the
      CD-ROM drive that qemu-system-x86_64 creates by default:
      
          #include <fcntl.h>
          #include <sys/ioctl.h>
          #include <unistd.h>
      
          #define SG_NEXT_CMD_LEN 0x2283
      
          int main()
          {
      	    char buf[53] = { [36] = 0x7e, [52] = 0x02 };
      	    int fd = open("/dev/sg1", O_RDWR);
      	    ioctl(fd, SG_NEXT_CMD_LEN, &(int){ 17 });
      	    write(fd, buf, sizeof(buf));
          }
      
      The crash was:
      
          BUG: unable to handle kernel paging request at ffff8cb97db37ffc
          IP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2623 [inline]
          IP: ata_bmdma_qc_prep+0xa4/0xc0 drivers/ata/libata-sff.c:2727
          PGD fb6c067 P4D fb6c067 PUD 0
          Oops: 0002 [#1] SMP
          CPU: 1 PID: 150 Comm: syz_ata_bmdma_q Not tainted 4.15.0-next-20180202 #99
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
          [...]
          Call Trace:
           ata_qc_issue+0x100/0x1d0 drivers/ata/libata-core.c:5421
           ata_scsi_translate+0xc9/0x1a0 drivers/ata/libata-scsi.c:2024
           __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4326 [inline]
           ata_scsi_queuecmd+0x8c/0x210 drivers/ata/libata-scsi.c:4375
           scsi_dispatch_cmd+0xa2/0xe0 drivers/scsi/scsi_lib.c:1727
           scsi_request_fn+0x24c/0x530 drivers/scsi/scsi_lib.c:1865
           __blk_run_queue_uncond block/blk-core.c:412 [inline]
           __blk_run_queue+0x3a/0x60 block/blk-core.c:432
           blk_execute_rq_nowait+0x93/0xc0 block/blk-exec.c:78
           sg_common_write.isra.7+0x272/0x5a0 drivers/scsi/sg.c:806
           sg_write+0x1ef/0x340 drivers/scsi/sg.c:677
           __vfs_write+0x31/0x160 fs/read_write.c:480
           vfs_write+0xa7/0x160 fs/read_write.c:544
           SYSC_write fs/read_write.c:589 [inline]
           SyS_write+0x4d/0xc0 fs/read_write.c:581
           do_syscall_64+0x5e/0x110 arch/x86/entry/common.c:287
           entry_SYSCALL_64_after_hwframe+0x21/0x86
      
      Fixes: 607126c2 ("libata-scsi: be tolerant of 12-byte ATAPI commands in 16-byte CDBs")
      Reported-by: syzbot+1ff6f9fcc3c35f1c72a95e26528c8e7e3276e4da@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org> # v2.6.24+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      058f58e2
    • Baruch Siach's avatar
      ata: libahci: fix comment indentation · 9f2b51db
      Baruch Siach authored
      Indent the numbered item with one space like all other items in the same
      list.
      Signed-off-by: default avatarBaruch Siach <baruch@tkos.co.il>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      9f2b51db
    • Stefan Roese's avatar
      ahci: Add check for device presence (PCIe hot unplug) in ahci_stop_engine() · 3b61e512
      Stefan Roese authored
      Exit directly with ENODEV, if the AHCI controller is not available
      anymore. Otherwise a delay of 500ms for each port is added to the remove
      function while trying to issue a command on the non-existent controller.
      Signed-off-by: default avatarStefan Roese <sr@denx.de>
      Cc: Tejun Heo <tj@kernel.org>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      3b61e512
    • Dong Bo's avatar
      libata: Fix compile warning with ATA_DEBUG enabled · 0d3e45bc
      Dong Bo authored
      This fixs the following comile warnings with ATA_DEBUG enabled,
      which detected by Linaro GCC 5.2-2015.11:
      
        drivers/ata/libata-scsi.c: In function 'ata_scsi_dump_cdb':
        ./include/linux/kern_levels.h:5:18: warning: format '%d' expects
        argument of type 'int', but argument 6 has type 'u64 {aka long
         long unsigned int}' [-Wformat=]
      
      tj: Patch hand-applied and description trimmed.
      Signed-off-by: default avatarDong Bo <dongbo4@huawei.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      0d3e45bc
  11. 11 Feb, 2018 8 commits
    • Linus Torvalds's avatar
      Linux 4.16-rc1 · 7928b2cb
      Linus Torvalds authored
      7928b2cb
    • Al Viro's avatar
      unify {de,}mangle_poll(), get rid of kernel-side POLL... · 7a163b21
      Al Viro authored
      except, again, POLLFREE and POLL_BUSY_LOOP.
      
      With this, we finally get to the promised end result:
      
       - POLL{IN,OUT,...} are plain integers and *not* in __poll_t, so any
         stray instances of ->poll() still using those will be caught by
         sparse.
      
       - eventpoll.c and select.c warning-free wrt __poll_t
      
       - no more kernel-side definitions of POLL... - userland ones are
         visible through the entire kernel (and used pretty much only for
         mangle/demangle)
      
       - same behavior as after the first series (i.e. sparc et.al. epoll(2)
         working correctly).
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7a163b21
    • Linus Torvalds's avatar
      vfs: do bulk POLL* -> EPOLL* replacement · a9a08845
      Linus Torvalds authored
      This is the mindless scripted replacement of kernel use of POLL*
      variables as described by Al, done by this script:
      
          for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
              L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
              for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
          done
      
      with de-mangling cleanups yet to come.
      
      NOTE! On almost all architectures, the EPOLL* constants have the same
      values as the POLL* constants do.  But they keyword here is "almost".
      For various bad reasons they aren't the same, and epoll() doesn't
      actually work quite correctly in some cases due to this on Sparc et al.
      
      The next patch from Al will sort out the final differences, and we
      should be all done.
      Scripted-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a9a08845
    • Linus Torvalds's avatar
      Merge branch 'work.poll2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · ee5daa13
      Linus Torvalds authored
      Pull more poll annotation updates from Al Viro:
       "This is preparation to solving the problems you've mentioned in the
        original poll series.
      
        After this series, the kernel is ready for running
      
            for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
                  L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
                  for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
            done
      
        as a for bulk search-and-replace.
      
        After that, the kernel is ready to apply the patch to unify
        {de,}mangle_poll(), and then get rid of kernel-side POLL... uses
        entirely, and we should be all done with that stuff.
      
        Basically, that's what you suggested wrt KPOLL..., except that we can
        use EPOLL... instead - they already are arch-independent (and equal to
        what is currently kernel-side POLL...).
      
        After the preparations (in this series) switch to returning EPOLL...
        from ->poll() instances is completely mechanical and kernel-side
        POLL... can go away. The last step (killing kernel-side POLL... and
        unifying {de,}mangle_poll() has to be done after the
        search-and-replace job, since we need userland-side POLL... for
        unified {de,}mangle_poll(), thus the cherry-pick at the last step.
      
        After that we will have:
      
         - POLL{IN,OUT,...} *not* in __poll_t, so any stray instances of
           ->poll() still using those will be caught by sparse.
      
         - eventpoll.c and select.c warning-free wrt __poll_t
      
         - no more kernel-side definitions of POLL... - userland ones are
           visible through the entire kernel (and used pretty much only for
           mangle/demangle)
      
         - same behavior as after the first series (i.e. sparc et.al. epoll(2)
           working correctly)"
      
      * 'work.poll2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        annotate ep_scan_ready_list()
        ep_send_events_proc(): return result via esed->res
        preparation to switching ->poll() to returning EPOLL...
        add EPOLLNVAL, annotate EPOLL... and event_poll->event
        use linux/poll.h instead of asm/poll.h
        xen: fix poll misannotation
        smc: missing poll annotations
      ee5daa13
    • Linus Torvalds's avatar
      Merge tag 'xtensa-20180211' of git://github.com/jcmvbkbc/linux-xtensa · 3fc928dc
      Linus Torvalds authored
      Pull xtense fix from Max Filippov:
       "Build fix for xtensa architecture with KASAN enabled"
      
      * tag 'xtensa-20180211' of git://github.com/jcmvbkbc/linux-xtensa:
        xtensa: fix build with KASAN
      3fc928dc
    • Linus Torvalds's avatar
      Merge tag 'nios2-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/lftan/nios2 · 60d7a21a
      Linus Torvalds authored
      Pull nios2 update from Ley Foon Tan:
      
       - clean up old Kconfig options from defconfig
      
       - remove leading 0x and 0s from bindings notation in dts files
      
      * tag 'nios2-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/lftan/nios2:
        nios2: defconfig: Cleanup from old Kconfig options
        nios2: dts: Remove leading 0x and 0s from bindings notation
      60d7a21a
    • Max Filippov's avatar
      xtensa: fix build with KASAN · f8d0cbf2
      Max Filippov authored
      The commit 917538e2 ("kasan: clean up KASAN_SHADOW_SCALE_SHIFT
      usage") removed KASAN_SHADOW_SCALE_SHIFT definition from
      include/linux/kasan.h and added it to architecture-specific headers,
      except for xtensa. This broke the xtensa build with KASAN enabled.
      Define KASAN_SHADOW_SCALE_SHIFT in arch/xtensa/include/asm/kasan.h
      
      Reported by: kbuild test robot <fengguang.wu@intel.com>
      Fixes: 917538e2 ("kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage")
      Acked-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      f8d0cbf2
    • Krzysztof Kozlowski's avatar
      nios2: defconfig: Cleanup from old Kconfig options · e0691ebb
      Krzysztof Kozlowski authored
      Remove old, dead Kconfig option INET_LRO. It is gone since
      commit 7bbf3cae ("ipv4: Remove inet_lro library").
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Acked-by: default avatarLey Foon Tan <ley.foon.tan@intel.com>
      e0691ebb