1. 05 Mar, 2016 2 commits
    • Merge branch 'for-linus-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 2cdcb2b5
      Linus Torvalds authored
      Pull btrfs fix from Chris Mason:
       "Filipe nailed down a problem where tree log replay would do some work
        that orphan code wasn't expecting to be done yet, leading to BUG_ON"
      
      * 'for-linus-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: fix loading of orphan roots leading to BUG_ON
    • Merge tag 'trace-fixes-v4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 78baab7a
      Linus Torvalds authored
      Pull tracing fix from Steven Rostedt:
       "A feature was added in 4.3 that allowed users to filter trace points
         on a task's "comm" field.  But this prevented filtering on a comm field
        that is within a trace event (like sched_migrate_task).
      
        When trying to filter on when a program migrated, this change
        prevented the filtering of the sched_migrate_task.
      
        To fix this, the event fields are examined first, and then the extra
        fields like "comm" and "cpu" are examined.  Also, instead of testing
        to assign the comm filter function based on the field's name, the
        generic comm field is given a new filter type (FILTER_COMM).  When
         this field is used to filter, the type is checked.  The same is done
        for the cpu filter field.
      
        Two new special filter types are added: "COMM" and "CPU".  This allows
         users to still filter the task's comm for events that have "comm" as
        one of their fields, in cases that users would like to filter
        sched_migrate_task on the comm of the task that called the event, and
        not the comm of the task that is being migrated"
      
      * tag 'trace-fixes-v4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Do not have 'comm' filter override event 'comm' field
  2. 04 Mar, 2016 1 commit
    • tracing: Do not have 'comm' filter override event 'comm' field · e57cbaf0
      Steven Rostedt (Red Hat) authored
      Commit 9f616680 "tracing: Allow triggers to filter for CPU ids and
      process names" added a 'comm' filter that will filter events based on the
       current task's struct 'comm'. But this now hides the ability to filter events
      that have a 'comm' field too. For example, sched_migrate_task trace event.
      That has a 'comm' field of the task to be migrated.
      
       echo 'comm == "bash"' > events/sched_migrate_task/filter
      
      will now filter all sched_migrate_task events for tasks named "bash" that
       migrate other tasks (in interrupt context), instead of seeing when "bash"
      itself gets migrated.
      
      This fix requires a couple of changes.
      
       1) Change the lookup order for filter predicates to look at the event's
         fields before looking at the generic filters.
      
      2) Instead of basing the filter function off of the "comm" name, have the
         generic "comm" filter have its own filter_type (FILTER_COMM). Test
         against the type instead of the name to assign the filter function.
      
      3) Add a new "COMM" filter that works just like "comm" but will filter based
         on the current task, even if the trace event contains a "comm" field.
      
      Do the same for "cpu" field, adding a FILTER_CPU and a filter "CPU".
      
      Cc: stable@vger.kernel.org # v4.3+
      Fixes: 9f616680 "tracing: Allow triggers to filter for CPU ids and process names"
       Reported-by: Matt Fleming <matt@codeblueprint.co.uk>
       Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
  3. 03 Mar, 2016 8 commits
    • Btrfs: fix loading of orphan roots leading to BUG_ON · 909c3a22
      Filipe Manana authored
      When looking for orphan roots during mount we can end up hitting a
      BUG_ON() (at root-item.c:btrfs_find_orphan_roots()) if a log tree is
      replayed and qgroups are enabled. This is because after a log tree is
      replayed, a transaction commit is made, which triggers qgroup extent
      accounting which in turn does backref walking which ends up reading and
      inserting all roots in the radix tree fs_info->fs_root_radix, including
      orphan roots (deleted snapshots). So after the log tree is replayed, when
      finding orphan roots we hit the BUG_ON with the following trace:
      
      [118209.182438] ------------[ cut here ]------------
      [118209.183279] kernel BUG at fs/btrfs/root-tree.c:314!
      [118209.184074] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      [118209.185123] Modules linked in: btrfs dm_flakey dm_mod crc32c_generic ppdev xor raid6_pq evdev sg parport_pc parport acpi_cpufreq tpm_tis tpm psmouse
      processor i2c_piix4 serio_raw pcspkr i2c_core button loop autofs4 ext4 crc16 mbcache jbd2 sd_mod sr_mod cdrom ata_generic virtio_scsi ata_piix libata
      virtio_pci virtio_ring virtio scsi_mod e1000 floppy [last unloaded: btrfs]
      [118209.186318] CPU: 14 PID: 28428 Comm: mount Tainted: G        W       4.5.0-rc5-btrfs-next-24+ #1
      [118209.186318] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
      [118209.186318] task: ffff8801ec131040 ti: ffff8800af34c000 task.ti: ffff8800af34c000
      [118209.186318] RIP: 0010:[<ffffffffa04237d7>]  [<ffffffffa04237d7>] btrfs_find_orphan_roots+0x1fc/0x244 [btrfs]
      [118209.186318] RSP: 0018:ffff8800af34faa8  EFLAGS: 00010246
      [118209.186318] RAX: 00000000ffffffef RBX: 00000000ffffffef RCX: 0000000000000001
      [118209.186318] RDX: 0000000080000000 RSI: 0000000000000001 RDI: 00000000ffffffff
      [118209.186318] RBP: ffff8800af34fb08 R08: 0000000000000001 R09: 0000000000000000
      [118209.186318] R10: ffff8800af34f9f0 R11: 6db6db6db6db6db7 R12: ffff880171b97000
      [118209.186318] R13: ffff8801ca9d65e0 R14: ffff8800afa2e000 R15: 0000160000000000
      [118209.186318] FS:  00007f5bcb914840(0000) GS:ffff88023edc0000(0000) knlGS:0000000000000000
      [118209.186318] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [118209.186318] CR2: 00007f5bcaceb5d9 CR3: 00000000b49b5000 CR4: 00000000000006e0
      [118209.186318] Stack:
      [118209.186318]  fffffbffffffffff 010230ffffffffff 0101000000000000 ff84000000000000
      [118209.186318]  fbffffffffffffff 30ffffffffffffff 0000000000000101 ffff880082348000
      [118209.186318]  0000000000000000 ffff8800afa2e000 ffff8800afa2e000 0000000000000000
      [118209.186318] Call Trace:
      [118209.186318]  [<ffffffffa042e2db>] open_ctree+0x1e37/0x21b9 [btrfs]
      [118209.186318]  [<ffffffffa040a753>] btrfs_mount+0x97e/0xaed [btrfs]
      [118209.186318]  [<ffffffff8108e1c0>] ? trace_hardirqs_on+0xd/0xf
      [118209.186318]  [<ffffffff8117b87e>] mount_fs+0x67/0x131
      [118209.186318]  [<ffffffff81192d2b>] vfs_kern_mount+0x6c/0xde
      [118209.186318]  [<ffffffffa0409f81>] btrfs_mount+0x1ac/0xaed [btrfs]
      [118209.186318]  [<ffffffff8108e1c0>] ? trace_hardirqs_on+0xd/0xf
      [118209.186318]  [<ffffffff8108c26b>] ? lockdep_init_map+0xb9/0x1b3
      [118209.186318]  [<ffffffff8117b87e>] mount_fs+0x67/0x131
      [118209.186318]  [<ffffffff81192d2b>] vfs_kern_mount+0x6c/0xde
      [118209.186318]  [<ffffffff81195637>] do_mount+0x8a6/0x9e8
      [118209.186318]  [<ffffffff8119598d>] SyS_mount+0x77/0x9f
      [118209.186318]  [<ffffffff81493017>] entry_SYSCALL_64_fastpath+0x12/0x6b
      [118209.186318] Code: 64 00 00 85 c0 89 c3 75 24 f0 41 80 4c 24 20 20 49 8b bc 24 f0 01 00 00 4c 89 e6 e8 e8 65 00 00 85 c0 89 c3 74 11 83 f8 ef 75 02 <0f> 0b
      4c 89 e7 e8 da 72 00 00 eb 1c 41 83 bc 24 00 01 00 00 00
      [118209.186318] RIP  [<ffffffffa04237d7>] btrfs_find_orphan_roots+0x1fc/0x244 [btrfs]
      [118209.186318]  RSP <ffff8800af34faa8>
      [118209.230735] ---[ end trace 83938f987d85d477 ]---
      
      So fix this by not treating the error -EEXIST, returned when attempting
      to insert a root already inserted by the backref walking code, as an error.
      
      The following test case for xfstests reproduces the bug:
      
        seq=`basename $0`
        seqres=$RESULT_DIR/$seq
        echo "QA output created by $seq"
        tmp=/tmp/$$
        status=1	# failure is the default!
        trap "_cleanup; exit \$status" 0 1 2 3 15
      
        _cleanup()
        {
            _cleanup_flakey
            cd /
            rm -f $tmp.*
        }
      
        # get standard environment, filters and checks
        . ./common/rc
        . ./common/filter
        . ./common/dmflakey
      
        # real QA test starts here
        _supported_fs btrfs
        _supported_os Linux
        _require_scratch
        _require_dm_target flakey
        _require_metadata_journaling $SCRATCH_DEV
      
        rm -f $seqres.full
      
        _scratch_mkfs >>$seqres.full 2>&1
        _init_flakey
        _mount_flakey
      
        _run_btrfs_util_prog quota enable $SCRATCH_MNT
      
        # Create 2 directories with one file in one of them.
        # We use these just to trigger a transaction commit later, moving the file from
        # directory a to directory b and doing an fsync against directory a.
        mkdir $SCRATCH_MNT/a
        mkdir $SCRATCH_MNT/b
        touch $SCRATCH_MNT/a/f
        sync
      
        # Create our test file with 2 4K extents.
        $XFS_IO_PROG -f -s -c "pwrite -S 0xaa 0 8K" $SCRATCH_MNT/foobar | _filter_xfs_io
      
        # Create a snapshot and delete it. This doesn't really delete the snapshot
        # immediately, just makes it inaccessible and invisible to user space, the
        # snapshot is deleted later by a dedicated kernel thread (cleaner kthread)
         # which is woken up at the next transaction commit.
        # A root orphan item is inserted into the tree of tree roots, so that if a
        # power failure happens before the dedicated kernel thread does the snapshot
        # deletion, the next time the filesystem is mounted it resumes the snapshot
        # deletion.
        _run_btrfs_util_prog subvolume snapshot $SCRATCH_MNT $SCRATCH_MNT/snap
        _run_btrfs_util_prog subvolume delete $SCRATCH_MNT/snap
      
         # Now overwrite half of the extents we wrote before. Because we made a snapshot
        # before, which isn't really deleted yet (since no transaction commit happened
        # after we did the snapshot delete request), the non overwritten extents get
        # referenced twice, once by the default subvolume and once by the snapshot.
        $XFS_IO_PROG -c "pwrite -S 0xbb 4K 8K" $SCRATCH_MNT/foobar | _filter_xfs_io
      
        # Now move file f from directory a to directory b and fsync directory a.
        # The fsync on the directory a triggers a transaction commit (because a file
        # was moved from it to another directory) and the file fsync leaves a log tree
        # with file extent items to replay.
         mv $SCRATCH_MNT/a/f $SCRATCH_MNT/b/f
        $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/a
        $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foobar
      
        echo "File digest before power failure:"
        md5sum $SCRATCH_MNT/foobar | _filter_scratch
      
        # Now simulate a power failure and mount the filesystem to replay the log tree.
        # After the log tree was replayed, we used to hit a BUG_ON() when processing
        # the root orphan item for the deleted snapshot. This is because when processing
        # an orphan root the code expected to be the first code inserting the root into
         # the fs_info->fs_root_radix radix tree, while in reality it was the second
        # caller attempting to do it - the first caller was the transaction commit that
        # took place after replaying the log tree, when updating the qgroup counters.
        _flakey_drop_and_remount
      
         echo "File digest after power failure:"
         # Must match what we got before the power failure.
        md5sum $SCRATCH_MNT/foobar | _filter_scratch
      
        _unmount_flakey
        status=0
        exit
      
      Fixes: 2d9e9776 ("Btrfs: use btrfs_get_fs_root in resolve_indirect_ref")
      Cc: stable@vger.kernel.org  # 4.4+
       Signed-off-by: Filipe Manana <fdmanana@suse.com>
       Reviewed-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
       Signed-off-by: Chris Mason <clm@fb.com>
    • Merge tag 'pci-v4.5-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · e3c2ef41
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
       "Freescale Layerscape host bridge driver:
          Fix MSG TLP drop setting (Minghuan Lian)
      
        TI Keystone host bridge driver:
          Fix MSI code that retrieves struct pcie_port pointer (Murali Karicheri)"
      
      * tag 'pci-v4.5-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: layerscape: Fix MSG TLP drop setting
        PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · c2687cf9
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       - ARM/MIPS: Fixes for ioctls when copy_from_user returns nonzero
       - x86: Small fix for Skylake TSC scaling
       - x86: Improved fix for last week's missed hardware breakpoint bug
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        kvm: x86: Update tsc multiplier on change.
        mips/kvm: fix ioctl error handling
        arm/arm64: KVM: Fix ioctl error handling
        KVM: x86: fix root cause for missed hardware breakpoints
    • Merge tag 'gpio-v4.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 4237b2e6
      Linus Torvalds authored
      Pull late GPIO fix from Linus Walleij:
       "Regressions never arrive when you want them to, so here is a late fix
        for the Renesas RCAR GPIO driver.  It only affects that driver on the
        very specific Renesas platforms:
      
         - Fix a runtime PM suspend/resume bug in the RCAR driver"
      
      * tag 'gpio-v4.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: rcar: Add Runtime PM handling for interrupts
    • Merge tag 'iommu-fixes-v4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 19eab220
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
       "One fix for Intel VT-d:
      
         - Use BUS_NOTIFY_REMOVED_DEVICE notifier to unbind a device from its
           domain _after_ it has been unbound from its driver.  This fixes a
           BUG_ON being triggered in the PCI hotplug path.
      
        And three for AMD IOMMU:
      
         - Add a workaround for a hardware issue with ATS in use
      
         - Fix ATS enable/disable balance when a device is removed
      
         - Fix a boot warning being triggered when the system has IOMMU
           performance counters and PCI device 00:00.0 is not covered by the
           IOMMU"
      
      * tag 'iommu-fixes-v4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
        iommu/amd: Detach device from domain before removal
        iommu/amd: Apply workaround for ATS write permission check
        iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    • Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · f4bd9822
      Linus Torvalds authored
      Pull minor virtio/vhost fixes from Michael Tsirkin:
       "This fixes two minor bugs: error handling in vhost, and capability
        processing in virtio"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vhost: fix error path in vhost_init_used()
        virtio-pci: read the right virtio_pci_notify_cap field
    • Merge tag 'vfio-v4.5-rc7' of git://github.com/awilliam/linux-vfio · 52ad1296
      Linus Torvalds authored
      Pull VFIO fix from Alex Williamson:
       "Use -EFAULT for copy_to_user error in ioctl (Michael Tsirkin)"
      
      * tag 'vfio-v4.5-rc7' of git://github.com/awilliam/linux-vfio:
        vfio: fix ioctl error handling
    • Merge tag 'fbdev-fixes-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux · 215b031b
      Linus Torvalds authored
      Pull fbdev fix from Tomi Valkeinen:
       "Fix hang caused by fbconsole blink timer"
      
      * tag 'fbdev-fixes-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux:
        fbcon: set a default value to blink interval
  4. 02 Mar, 2016 8 commits
  5. 01 Mar, 2016 8 commits
  6. 29 Feb, 2016 9 commits
    • PCI: layerscape: Fix MSG TLP drop setting · 1195c103
      Minghuan Lian authored
      Some kinds of Layerscape PCIe controllers will forward the received message
      TLPs to system application address space, which could corrupt system memory
      or lead to a system hang.  Enable MSG_DROP to fix this issue.
       Signed-off-by: Minghuan Lian <Minghuan.Lian@nxp.com>
       Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    • PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer · 79e3f4a8
      Murali Karicheri authored
      Commit cbce7900 ("PCI: designware: Make driver arch-agnostic") changed
      the host bridge sysdata pointer from the ARM pci_sys_data to the DesignWare
      pcie_port structure, and changed pcie-designware.c to reflect that.  But it
      did not change the corresponding code in pci-keystone-dw.c, so it caused
      crashes on Keystone:
      
        Unable to handle kernel NULL pointer dereference at virtual address 00000030
        pgd = c0003000
        [00000030] *pgd=80000800004003, *pmd=00000000
        Internal error: Oops: 206 [#1] PREEMPT SMP ARM
        CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.4.2-00139-gb74f926 #2
        Hardware name: Keystone
        PC is at ks_dw_pcie_msi_irq_unmask+0x24/0x58
      
      Change pci-keystone-dw.c to expect sysdata to be the struct pcie_port
      pointer.
      
      [bhelgaas: changelog]
      Fixes: cbce7900 ("PCI: designware: Make driver arch-agnostic")
       Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
       Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      CC: stable@vger.kernel.org	# v4.4+
      CC: Zhou Wang <wangzhou1@hisilicon.com>
    • iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path · e6a8c9b3
      Joerg Roedel authored
      In the PCI hotplug path of the Intel IOMMU driver, replace
      the usage of the BUS_NOTIFY_DEL_DEVICE notifier, which is
      executed before the driver is unbound from the device, with
      BUS_NOTIFY_REMOVED_DEVICE, which runs after that.
      
      This fixes a kernel BUG being triggered in the VT-d code
      when the device driver tries to unmap DMA buffers and the
      VT-d driver already destroyed all mappings.
       Reported-by: Stefani Seibold <stefani@seibold.net>
       Cc: stable@vger.kernel.org # v4.3+
       Signed-off-by: Joerg Roedel <jroedel@suse.de>
    • use ->d_seq to get coherency between ->d_inode and ->d_flags · a528aca7
      Al Viro authored
      Games with ordering and barriers are way too brittle.  Just
      bump ->d_seq before and after updating ->d_inode and ->d_flags
      type bits, so that verifying ->d_seq would guarantee they are
      coherent.
      
      Cc: stable@vger.kernel.org # v3.13+
       Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • iommu/amd: Detach device from domain before removal · b6809ee5
      Joerg Roedel authored
      Detach the device that is about to be removed from its
      domain (if it has one) to clear any related state like DTE
      entry and device's ATS state.
       Reported-by: Kelly Zytaruk <Kelly.Zytaruk@amd.com>
       Signed-off-by: Joerg Roedel <jroedel@suse.de>
    • arm/arm64: KVM: Fix ioctl error handling · 4cad67fc
      Michael S. Tsirkin authored
      Calling return copy_to_user(...) in an ioctl will not
      do the right thing if there's a pagefault:
      copy_to_user returns the number of bytes not copied
      in this case.
      
      Fix up kvm to do
       	return copy_to_user(...) ? -EFAULT : 0;
      
      everywhere.
      
      Cc: stable@vger.kernel.org
       Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
       Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
       Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
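As an added example, not the KVM code or the commit's patch, the two return patterns side by side in plain C; copy_to_user() is replaced by a constructed stand-in that returns the number of bytes not copied, and the partial-fault case is simulated by a destination of which only some bytes are accessible:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EFAULT 14   /* errno the kernel reports for a bad user pointer */

/* Constructed stand-in for a user-space destination: only the first
 * `mapped` bytes of `p` are accessible; anything past that "faults". */
struct user_buf {
    unsigned char *p;
    size_t mapped;
};

/* Constructed stand-in for copy_to_user(): like the kernel helper it
 * returns the number of bytes NOT copied, so 0 means full success. */
static unsigned long fake_copy_to_user(struct user_buf *to, const void *from, size_t n)
{
    size_t ok = n <= to->mapped ? n : to->mapped;
    memcpy(to->p, from, ok);
    return n - ok;
}

/* The pattern the commit removes: the byte count goes straight out as
 * the ioctl's return value. On a partial fault that is a small positive
 * number, which user space does not treat as an error. */
long ioctl_get_reg_buggy(struct user_buf *uarg, const uint64_t *reg)
{
    return fake_copy_to_user(uarg, reg, sizeof(*reg));
}

/* The pattern the commit applies everywhere: any non-zero count becomes
 * -EFAULT, so the caller gets errno = EFAULT instead of a stray count. */
long ioctl_get_reg_fixed(struct user_buf *uarg, const uint64_t *reg)
{
    return fake_copy_to_user(uarg, reg, sizeof(*reg)) ? -EFAULT : 0;
}

/* The syscall return convention: only values in [-4095, -1] are turned
 * into errno by the user-side wrapper; anything else reads as success. */
int caller_sees_error(long ret)
{
    return ret < 0 && ret >= -4095;
}

/* Constructed scenario: copy an 8-byte register into a destination of
 * which only `mapped` bytes are accessible, using either pattern. */
long demo_copy(int fixed, size_t mapped)
{
    uint64_t reg = 0x1122334455667788ULL;
    unsigned char out[8];
    struct user_buf dst = { out, mapped };
    return fixed ? ioctl_get_reg_fixed(&dst, &reg) : ioctl_get_reg_buggy(&dst, &reg);
}

int main(void)
{
    printf("buggy, fully mapped   : %ld\n", demo_copy(0, 8));
    printf("buggy, faults after 3 : %ld  (caller sees error: %d)\n",
           demo_copy(0, 3), caller_sees_error(demo_copy(0, 3)));
    printf("fixed, faults after 3 : %ld  (caller sees error: %d)\n",
           demo_copy(1, 3), caller_sees_error(demo_copy(1, 3)));
    return 0;
}
```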
    • Fix cifs_uniqueid_to_ino_t() function for s390x · 1ee9f4bd
      Yadan Fan authored
      This issue is caused by commit 02323db1 ("cifs: fix
      cifs_uniqueid_to_ino_t not to ever return 0"), when BITS_PER_LONG
      is 64 on s390x, the corresponding cifs_uniqueid_to_ino_t()
      function will cast 64-bit fileid to 32-bit by using (ino_t)fileid,
       because ino_t (typedef'd from __kernel_ino_t) is int type.
      
      It's defined in arch/s390/include/uapi/asm/posix_types.h
      
          #ifndef __s390x__
      
          typedef unsigned long   __kernel_ino_t;
          ...
          #else /* __s390x__ */
      
          typedef unsigned int    __kernel_ino_t;
      
       So the #ifdef condition is wrong for s390x; we can just still use
      one cifs_uniqueid_to_ino_t() function with comparing sizeof(ino_t)
      and sizeof(u64) to choose the correct execution accordingly.
       Signed-off-by: Yadan Fan <ydfan@suse.com>
       CC: stable <stable@vger.kernel.org>
       Signed-off-by: Steve French <smfrench@gmail.com>
    • CIFS: Fix SMB2+ interim response processing for read requests · 6cc3b242
      Pavel Shilovsky authored
      For interim responses we only need to parse a header and update
       a number of credits. Now it is done for all SMB2+ commands except
      SMB2_READ which is wrong. Fix this by adding such processing.
       Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
       Tested-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
       CC: Stable <stable@vger.kernel.org>
       Signed-off-by: Steve French <smfrench@gmail.com>
    • cifs: fix out-of-bounds access in lease parsing · deb7deff
      Justin Maggard authored
      When opening a file, SMB2_open() attempts to parse the lease state from the
      SMB2 CREATE Response.  However, the parsing code was not careful to ensure
       that the create contexts are not empty or invalid, which can lead to
       out-of-bounds memory access.  This can be seen easily by trying
       to read a file from an OSX 10.11 SMB3 server.  Here is sample crash output:
      
      BUG: unable to handle kernel paging request at ffff8800a1a77cc6
      IP: [<ffffffff8828a734>] SMB2_open+0x804/0x960
      PGD 8f77067 PUD 0
      Oops: 0000 [#1] SMP
      Modules linked in:
      CPU: 3 PID: 2876 Comm: cp Not tainted 4.5.0-rc3.x86_64.1+ #14
      Hardware name: NETGEAR ReadyNAS 314          /ReadyNAS 314          , BIOS 4.6.5 10/11/2012
      task: ffff880073cdc080 ti: ffff88005b31c000 task.ti: ffff88005b31c000
      RIP: 0010:[<ffffffff8828a734>]  [<ffffffff8828a734>] SMB2_open+0x804/0x960
      RSP: 0018:ffff88005b31fa08  EFLAGS: 00010282
      RAX: 0000000000000015 RBX: 0000000000000000 RCX: 0000000000000006
      RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff88007eb8c8b0
      RBP: ffff88005b31fad8 R08: 666666203d206363 R09: 6131613030383866
      R10: 3030383866666666 R11: 00000000000002b0 R12: ffff8800660fd800
      R13: ffff8800a1a77cc2 R14: 00000000424d53fe R15: ffff88005f5a28c0
      FS:  00007f7c8a2897c0(0000) GS:ffff88007eb80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: ffff8800a1a77cc6 CR3: 000000005b281000 CR4: 00000000000006e0
      Stack:
       ffff88005b31fa70 ffffffff88278789 00000000000001d3 ffff88005f5a2a80
       ffffffff00000003 ffff88005d029d00 ffff88006fde05a0 0000000000000000
       ffff88005b31fc78 ffff88006fde0780 ffff88005b31fb2f 0000000100000fe0
      Call Trace:
       [<ffffffff88278789>] ? cifsConvertToUTF16+0x159/0x2d0
       [<ffffffff8828cf68>] smb2_open_file+0x98/0x210
       [<ffffffff8811e80c>] ? __kmalloc+0x1c/0xe0
       [<ffffffff882685f4>] cifs_open+0x2a4/0x720
       [<ffffffff88122cef>] do_dentry_open+0x1ff/0x310
       [<ffffffff88268350>] ? cifsFileInfo_get+0x30/0x30
       [<ffffffff88123d92>] vfs_open+0x52/0x60
       [<ffffffff88131dd0>] path_openat+0x170/0xf70
       [<ffffffff88097d48>] ? remove_wait_queue+0x48/0x50
       [<ffffffff88133a29>] do_filp_open+0x79/0xd0
       [<ffffffff8813f2ca>] ? __alloc_fd+0x3a/0x170
       [<ffffffff881240c4>] do_sys_open+0x114/0x1e0
       [<ffffffff881241a9>] SyS_open+0x19/0x20
       [<ffffffff8896e257>] entry_SYSCALL_64_fastpath+0x12/0x6a
      Code: 4d 8d 6c 07 04 31 c0 4c 89 ee e8 47 6f e5 ff 31 c9 41 89 ce 44 89 f1 48 c7 c7 28 b1 bd 88 31 c0 49 01 cd 4c 89 ee e8 2b 6f e5 ff <45> 0f b7 75 04 48 c7 c7 31 b1 bd 88 31 c0 4d 01 ee 4c 89 f6 e8
      RIP  [<ffffffff8828a734>] SMB2_open+0x804/0x960
       RSP <ffff88005b31fa08>
      CR2: ffff8800a1a77cc6
      ---[ end trace d9f69ba64feee469 ]---
       Signed-off-by: Justin Maggard <jmaggard@netgear.com>
       Signed-off-by: Steve French <smfrench@gmail.com>
       CC: Stable <stable@vger.kernel.org>
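As an added example, not the cifs code or the commit's fix, a bounds-checked walk over the create-context chain of an SMB2 CREATE response in plain C. It assumes the MS-SMB2 wire layout: a 16-byte context header (Next, NameOffset, NameLength, Reserved, DataOffset, DataLength), the lease context named "RqLs", and a 32-byte V1 lease response with LeaseState at offset 16; the response buffers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CTX_HDR_LEN  16u  /* Next(4) NameOffset(2) NameLength(2) Reserved(2) DataOffset(2) DataLength(4) */
#define LEASE_V1_LEN 32u  /* LeaseKey(16) LeaseState(4) LeaseFlags(4) LeaseDuration(8) */

/* SMB2 fields are little-endian on the wire. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk the create-context chain at [ctx_off, ctx_off + ctx_len) of a
 * response of resp_len bytes, checking every offset and length against
 * the space that actually exists before dereferencing it. Returns the
 * LeaseState of an "RqLs" context, 0 if none, -1 for a malformed chain. */
int parse_lease_state(const uint8_t *resp, size_t resp_len, uint32_t ctx_off, uint32_t ctx_len)
{
    if (ctx_len == 0)
        return 0;                                 /* server sent no contexts */
    if (ctx_off == 0 || ctx_off > resp_len || ctx_len > resp_len - ctx_off)
        return -1;                                /* chain escapes the response */
    const uint8_t *cc = resp + ctx_off;
    size_t remaining = ctx_len;
    while (remaining >= CTX_HDR_LEN) {
        uint32_t next = rd32(cc);
        uint16_t name_off = rd16(cc + 4), name_len = rd16(cc + 6);
        uint16_t data_off = rd16(cc + 10);
        uint32_t data_len = rd32(cc + 12);
        /* name and data must lie inside what is left of the chain */
        if (name_off > remaining || name_len > remaining - name_off)
            return -1;
        if (data_off > remaining || data_len > remaining - data_off)
            return -1;
        if (name_len == 4 && memcmp(cc + name_off, "RqLs", 4) == 0) {
            if (data_len < LEASE_V1_LEN)
                return -1;                        /* lease payload too short */
            return (int)rd32(cc + data_off + 16); /* LeaseState */
        }
        if (next == 0)
            break;                                /* last context in the chain */
        if (next < CTX_HDR_LEN || next > remaining)
            return -1;                            /* Next loops back or jumps out */
        cc += next;
        remaining -= next;
    }
    return 0;
}

/* Constructed helper: emit one context (name right after the header,
 * data 8-byte aligned after the name); returns the bytes written. */
size_t put_context(uint8_t *out, uint32_t next, const char *name, const uint8_t *data, uint32_t data_len)
{
    uint16_t name_len = (uint16_t)strlen(name);
    uint16_t data_off = (uint16_t)((CTX_HDR_LEN + name_len + 7u) & ~7u);
    memset(out, 0, data_off + data_len);
    wr32(out, next);
    wr16(out + 4, CTX_HDR_LEN);
    wr16(out + 6, name_len);
    wr16(out + 10, data_off);
    wr32(out + 12, data_len);
    memcpy(out + CTX_HDR_LEN, name, name_len);
    memcpy(out + data_off, data, data_len);
    return data_off + data_len;
}

/* Constructed sample response: an unrelated "MxAc" context followed by an
 * "RqLs" context granting read+handle caching (LeaseState 0x03). `shortfall`
 * trims the advertised chain length to model a truncated or empty context. */
int demo_lease_response(uint32_t shortfall)
{
    uint8_t resp[160] = {0}, lease[LEASE_V1_LEN] = {0}, mxac[8] = {0};
    wr32(lease + 16, 0x03);
    size_t n1 = put_context(resp + 64, 0, "MxAc", mxac, sizeof mxac);
    wr32(resp + 64, (uint32_t)n1);                /* Next -> the lease context */
    size_t n2 = put_context(resp + 64 + n1, 0, "RqLs", lease, LEASE_V1_LEN);
    return parse_lease_state(resp, sizeof resp, 64, (uint32_t)(n1 + n2) - shortfall);
}
```

With the full chain the walk returns 3; trimming the advertised length so the lease data no longer fits returns -1 instead of reading past the end, and a zero-length chain returns 0.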
  7. 28 Feb, 2016 4 commits