  1. 15 Nov, 2019 3 commits
    • fix dget_parent() fastpath race · e8400933
      Al Viro authored
      We are overoptimistic about taking the fast path there; seeing
      the same value in ->d_parent after having grabbed a reference
      to that parent does *not* mean that it has remained our parent
      all along.
      
      That wouldn't be a big deal (in the end it is our parent and
      we have grabbed the reference we are about to return), but...
      the situation with barriers is messed up.
      
      We might have hit the following sequence:
      
      d is a dentry of /tmp/a/b
      CPU1:					CPU2:
      parent = d->d_parent (i.e. dentry of /tmp/a)
      					rename /tmp/a/b to /tmp/b
      					rmdir /tmp/a, making its dentry negative
      grab reference to parent,
      end up with cached parent->d_inode (NULL)
      					mkdir /tmp/a, rename /tmp/b to /tmp/a/b
      recheck d->d_parent, which is back to original
      decide that everything's fine and return the reference we'd got.
      
      The trouble is, caller (on CPU1) will observe dget_parent()
      returning an apparently negative dentry.  It actually is positive,
      but CPU1 has stale ->d_inode cached.
      
      Use d->d_seq to see if it has been moved instead of rechecking ->d_parent.
      NOTE: we are *NOT* going to retry on any kind of ->d_seq mismatch;
      we just go into the slow path in such case.  We don't wait for ->d_seq
      to become even either - again, if we are racing with renames, we
      can bloody well go to slow path anyway.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • new helper: lookup_positive_unlocked() · 6c2d4798
      Al Viro authored
      Most of the callers of lookup_one_len_unlocked() treat negatives as
      ERR_PTR(-ENOENT).  Provide a helper that would do just that.  Note
      that a pinned positive dentry remains positive - its ->d_inode is
      stable, etc.; a pinned _negative_ dentry can become positive at any
      point as long as you are not holding its parent at least shared.
      So using lookup_one_len_unlocked() needs to be careful;
      lookup_positive_unlocked() is safer and that's what the callers
      end up open-coding anyway.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • fs/namei.c: pull positivity check into follow_managed() · d41efb52
      Al Viro authored
      There are 4 callers; two proceed to check if result is positive and
      fail with ENOENT if it isn't; one (in handle_lookup_down()) is
      guaranteed to yield positive and one (in lookup_fast()) is _preceded_
      by positivity check.
      
      However, follow_managed() on a negative dentry is a (fairly cheap)
      no-op on anything other than autofs.  And negative autofs dentries
      are never hashed, so lookup_fast() is not going to run into one
      of those.  Moreover, successful follow_managed() on a _positive_
      dentry never yields a negative one (and we significantly rely upon
      that in callers of lookup_fast()).
      
      In other words, we can easily transpose the positivity check and
      the call of follow_managed() in lookup_fast().  And that allows
      to fold the positivity check *into* follow_managed(), simplifying
      life for the code downstream of its calls.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  2. 24 Nov, 2019 1 commit
  3. 10 Nov, 2019 6 commits
    • ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either · 762c6968
      Al Viro authored
      We need to get the underlying dentry of parent; sure, absent the races
      it is the parent of underlying dentry, but there's nothing to prevent
      losing a timeslice to preemption in the middle of evaluation of
      lower_dentry->d_parent->d_inode, having another process move lower_dentry
      around and have its (ex)parent not pinned anymore and freed on memory
      pressure.  Then we regain CPU and try to fetch ->d_inode from memory
      that is freed by that point.
      
      dentry->d_parent *is* stable here - it's an argument of ->lookup() and
      we are guaranteed that it won't be moved anywhere until we feed it
      to d_add/d_splice_alias.  So we safely go that way to get to its
      underlying dentry.
      
      Cc: stable@vger.kernel.org # since 2009 or so
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable · e72b9dd6
      Al Viro authored
      lower_dentry can't go from positive to negative (we have it pinned),
      but it *can* go from negative to positive.  So fetching ->d_inode
      into a local variable, doing a blocking allocation, checking that
      now ->d_inode is non-NULL and feeding the value we'd fetched
      earlier to a function that won't accept NULL is not a good idea.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • ecryptfs: fix unlink and rmdir in face of underlying fs modifications · bcf0d9d4
      Al Viro authored
      A problem similar to the one caught in commit 74dd7c97 ("ecryptfs_rename():
      verify that lower dentries are still OK after lock_rename()") exists for
      unlink/rmdir as well.
      
      Instead of playing with dget_parent() of underlying dentry of victim
      and hoping it's the same as underlying dentry of our directory,
      do the following:
              * find the underlying dentry of victim
              * find the underlying directory of victim's parent (stable
                since the victim is ecryptfs dentry and inode of its parent is
                held exclusive by the caller).
              * lock the inode of dentry underlying the victim's parent
              * check that underlying dentry of victim is still hashed and
                has the right parent - it can be moved, but it can't be moved to/from
                the directory we are holding exclusive.  So while ->d_parent itself
                might not be stable, the result of comparison is.
      
      If the check passes, everything is fine - underlying directory is locked,
      underlying victim is still a child of that directory and we can go ahead
      and feed them to vfs_unlink().  As in the current mainline we need to
      pin the underlying dentry of victim, so that it wouldn't go negative under
      us, but that's the only temporary reference that needs to be grabbed there.
      Underlying dentry of parent won't go away (it's pinned by the parent,
      which is held by caller), so there's no need to grab it.
      
      The same problem (with the same solution) exists for rmdir.  Moreover,
      rename gets simpler and more robust with the same "don't bother with
      dget_parent()" approach.
      
      Fixes: 74dd7c97 "ecryptfs_rename(): verify that lower dentries are still OK after lock_rename()"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • audit_get_nd(): don't unlock parent too early · 69924b89
      Al Viro authored
      if the child has been negative and just went positive
      under us, we want coherent d_is_positive() and ->d_inode.
      Don't unlock the parent until we'd done that work...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • cgroup: don't put ERR_PTR() into fc->root · 630faf81
      Al Viro authored
      the caller of ->get_tree() expects NULL left there on error...
      Reported-by: Thibaut Sautereau <thibaut@sautereau.fr>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  4. 25 Oct, 2019 1 commit
  5. 21 Oct, 2019 1 commit
    • aio: Fix io_pgetevents() struct __compat_aio_sigset layout · 97eba80f
      Guillem Jover authored
      This type is used to pass the sigset_t from userland to the kernel,
      but it was using the kernel native pointer type for the member
      representing the compat userland pointer to the userland sigset_t.
      
      This messes up the layout, and makes the kernel eat up both the
      userland pointer and the size members into the kernel pointer, and
      then reads garbage into the kernel sigsetsize. Which makes the sigset_t
      size consistency check fail, and consequently the syscall always
      returns -EINVAL.
      
      This breaks both libaio and strace on 32-bit userland running on 64-bit
      kernels. And there are apparently no users in the wild of the current
      broken layout (at least according to codesearch.debian.org and a brief
      check over github.com search). So it looks safe to fix this directly
      in the kernel, instead of either letting userland deal with this
      permanently with the additional overhead or trying to make the syscall
      infer what layout userland used, even though this is also being worked
      around in libaio to temporarily cope with kernels that have not yet
      been fixed.
      
      We use a proper compat_uptr_t instead of a compat_sigset_t pointer.
      
      Fixes: 7a074e96 ("aio: implement io_pgetevents")
      Signed-off-by: Guillem Jover <guillem@hadrons.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
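The layout mismatch described in the aio commit above, shown as an added userspace example (not code from the kernel or from the commit). The struct names, the sample pointer value, the 0xAA filler bytes and the 8-byte expected sigset size are constructed assumptions; `uint64_t` stands in for a 64-bit kernel pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t compat_uptr_t;   /* stand-in: 32-bit userland pointer */
typedef uint32_t compat_size_t;   /* stand-in: 32-bit userland size_t */
#define COMPAT_SIGSET_SIZE 8u     /* assumed size the consistency check expects */
#define SAMPLE_USER_PTR 0x0804a010u  /* constructed sample address */

/* What a 32-bit process actually places in memory: 4 + 4 bytes. */
struct user32_sigset_arg { uint32_t sigmask; uint32_t sigsetsize; };

/* Hypothetical model of the broken layout: native-width pointer member. */
struct broken_layout { uint64_t sigmask; compat_size_t sigsetsize; };

/* Hypothetical model of the fixed layout: compat_uptr_t member. */
struct fixed_layout { compat_uptr_t sigmask; compat_size_t sigsetsize; };

/* Simulated user memory: the 8-byte argument followed by 8 unrelated
 * bytes (0xAA filler) that happen to sit after it. */
void build_user_memory(unsigned char mem[16])
{
    struct user32_sigset_arg arg = { SAMPLE_USER_PTR, COMPAT_SIGSET_SIZE };
    memset(mem, 0xAA, 16);
    memcpy(mem, &arg, sizeof(arg));
}

/* Broken parse: the 64-bit pointer member swallows both userland fields,
 * so sigsetsize is read from whatever follows the argument. */
int parse_broken(const unsigned char *mem, uint64_t *sigmask)
{
    struct broken_layout k;
    memcpy(&k, mem, sizeof(k));   /* models the copy from user memory */
    *sigmask = k.sigmask;
    return k.sigsetsize == COMPAT_SIGSET_SIZE ? 0 : -EINVAL;
}

/* Fixed parse: both members are 32 bits wide and line up with userland. */
int parse_fixed(const unsigned char *mem, uint64_t *sigmask)
{
    struct fixed_layout k;
    memcpy(&k, mem, sizeof(k));
    *sigmask = k.sigmask;
    return k.sigsetsize == COMPAT_SIGSET_SIZE ? 0 : -EINVAL;
}

int main(void)
{
    unsigned char mem[16];
    uint64_t p;
    int rc;

    build_user_memory(mem);
    printf("offset of sigsetsize: broken=%zu fixed=%zu\n",
           offsetof(struct broken_layout, sigsetsize),
           offsetof(struct fixed_layout, sigsetsize));
    rc = parse_broken(mem, &p);
    printf("broken: rc=%d sigmask=0x%llx\n", rc, (unsigned long long)p);
    rc = parse_fixed(mem, &p);
    printf("fixed:  rc=%d sigmask=0x%llx\n", rc, (unsigned long long)p);
    return 0;
}
```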
  6. 17 Oct, 2019 1 commit
  7. 13 Oct, 2019 16 commits
  8. 12 Oct, 2019 11 commits
    • Merge tag 'char-misc-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · da940012
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char/misc driver fixes for 5.4-rc3.
      
        Nothing huge here. Some binder driver fixes (although it is still
        being discussed if these all fix the reported issues or not, so more
        might be coming later), some mei device ids and fixes, and a google
        firmware driver bugfix that fixes a regression, as well as some other
        tiny fixes.
      
        All have been in linux-next with no reported issues"
      
      * tag 'char-misc-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        firmware: google: increment VPD key_len properly
        w1: ds250x: Fix build error without CRC16
        virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
        binder: Fix comment headers on binder_alloc_prepare_to_free()
        binder: prevent UAF read in print_binder_transaction_log_entry()
        misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
        mei: avoid FW version request on Ibex Peak and earlier
        mei: me: add comet point (lake) LP device ids
    • Merge tag 'staging-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 9cbc6348
      Linus Torvalds authored
      Pull staging/IIO driver fixes from Greg KH:
       "Here are some staging and IIO driver fixes for 5.4-rc3.
      
        The "biggest" thing here is a removal of the fbtft device and flexfb
        code as they have been abandoned by their authors and are no longer
        needed for that hardware.
      
        Other than that, the usual amount of staging driver and iio driver
        fixes for reported issues, and some speakup sysfs file documentation,
        which has been long awaited for.
      
        All have been in linux-next with no reported issues"
      
      * tag 'staging-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (32 commits)
        iio: Fix an undefied reference error in noa1305_probe
        iio: light: opt3001: fix mutex unlock race
        iio: adc: ad799x: fix probe error handling
        iio: light: add missing vcnl4040 of_compatible
        iio: light: fix vcnl4000 devicetree hooks
        iio: imu: st_lsm6dsx: fix waitime for st_lsm6dsx i2c controller
        iio: adc: axp288: Override TS pin bias current for some models
        iio: imu: adis16400: fix memory leak
        iio: imu: adis16400: release allocated memory on failure
        iio: adc: stm32-adc: fix a race when using several adcs with dma and irq
        iio: adc: stm32-adc: move registers definitions
        iio: accel: adxl372: Perform a reset at start up
        iio: accel: adxl372: Fix push to buffers lost samples
        iio: accel: adxl372: Fix/remove limitation for FIFO samples
        iio: adc: hx711: fix bug in sampling of data
        staging: vt6655: Fix memory leak in vt6655_probe
        staging: exfat: Use kvzalloc() instead of kzalloc() for exfat_sb_info
        Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc
        staging: speakup: document sysfs attributes
        staging: rtl8188eu: fix HighestRate check in odm_ARFBRefresh_8188E()
        ...
    • Merge tag 'tty-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 82c87e7d
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are some small tty and serial driver fixes for 5.4-rc3 that
        resolve a number of reported issues and regressions.
      
        None of these are huge, full details are in the shortlog. There's also
        a MAINTAINERS update that I think you might have already taken in your
        tree already, but git should handle that merge easily.
      
        All have been in linux-next with no reported issues"
      
      * tag 'tty-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        MAINTAINERS: kgdb: Add myself as a reviewer for kgdb/kdb
        tty: serial: imx: Use platform_get_irq_optional() for optional IRQs
        serial: fix kernel-doc warning in comments
        serial: 8250_omap: Fix gpio check for auto RTS/CTS
        serial: mctrl_gpio: Check for NULL pointer
        tty: serial: fsl_lpuart: Fix lpuart_flush_buffer()
        tty: serial: Fix PORT_LINFLEXUART definition
        tty: n_hdlc: fix build on SPARC
        serial: uartps: Fix uartps_major handling
        serial: uartlite: fix exit path null pointer
        tty: serial: linflexuart: Fix magic SysRq handling
        serial: sh-sci: Use platform_get_irq_optional() for optional interrupts
        dt-bindings: serial: sh-sci: Document r8a774b1 bindings
        serial/sifive: select SERIAL_EARLYCON
        tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
        tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
    • Merge tag 'usb-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 6c90bbd0
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a lot of small USB driver fixes for 5.4-rc3.
      
        syzbot has stepped up its testing of the USB driver stack, now able to
        trigger fun race conditions between disconnect and probe functions.
        Because of that we have a lot of fixes in here from Johan and others
        fixing these reported issues that have been around since almost all
        time.
      
        We also are just deleting the rio500 driver, making all of the syzbot
        bugs found in it moot as it turns out no one has been using it for
        years as there is a userspace version that is being used instead.
      
        There are also a number of other small fixes in here, all resolving
        reported issues or regressions.
      
        All have been in linux-next without any reported issues"
      
      * tag 'usb-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (65 commits)
        USB: yurex: fix NULL-derefs on disconnect
        USB: iowarrior: use pr_err()
        USB: iowarrior: drop redundant iowarrior mutex
        USB: iowarrior: drop redundant disconnect mutex
        USB: iowarrior: fix use-after-free after driver unbind
        USB: iowarrior: fix use-after-free on release
        USB: iowarrior: fix use-after-free on disconnect
        USB: chaoskey: fix use-after-free on release
        USB: adutux: fix use-after-free on release
        USB: ldusb: fix NULL-derefs on driver unbind
        USB: legousbtower: fix use-after-free on release
        usb: cdns3: Fix for incorrect DMA mask.
        usb: cdns3: fix cdns3_core_init_role()
        usb: cdns3: gadget: Fix full-speed mode
        USB: usb-skeleton: drop redundant in-urb check
        USB: usb-skeleton: fix use-after-free after driver unbind
        USB: usb-skeleton: fix NULL-deref on disconnect
        usb:cdns3: Fix for CV CH9 running with g_zero driver.
        usb: dwc3: Remove dev_err() on platform_get_irq() failure
        usb: dwc3: Switch to platform_get_irq_byname_optional()
        ...
    • Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 328fefad
      Linus Torvalds authored
      Pull scheduler fixes from Ingo Molnar:
       "Two fixes: a guest-cputime accounting fix, and a cgroup bandwidth
        quota precision fix"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/vtime: Fix guest/system mis-accounting on task switch
        sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
    • Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 465a7e29
      Linus Torvalds authored
      Pull perf fixes from Ingo Molnar:
       "Mostly tooling fixes, but also a couple of updates for new Intel
        models (which are technically hw-enablement, but to users it's a fix
        to perf behavior on those new CPUs - hope this is fine), an AUX
        inheritance fix, event time-sharing fix, and a fix for lost non-perf
        NMI events on AMD systems"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (36 commits)
        perf/x86/cstate: Add Tiger Lake CPU support
        perf/x86/msr: Add Tiger Lake CPU support
        perf/x86/intel: Add Tiger Lake CPU support
        perf/x86/cstate: Update C-state counters for Ice Lake
        perf/x86/msr: Add new CPU model numbers for Ice Lake
        perf/x86/cstate: Add Comet Lake CPU support
        perf/x86/msr: Add Comet Lake CPU support
        perf/x86/intel: Add Comet Lake CPU support
        perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
        perf/core: Fix corner case in perf_rotate_context()
        perf/core: Rework memory accounting in perf_mmap()
        perf/core: Fix inheritance of aux_output groups
        perf annotate: Don't return -1 for error when doing BPF disassembly
        perf annotate: Return appropriate error code for allocation failures
        perf annotate: Fix arch specific ->init() failure errors
        perf annotate: Propagate the symbol__annotate() error return
        perf annotate: Fix the signedness of failure returns
        perf annotate: Propagate perf_env__arch() error
        perf evsel: Fall back to global 'perf_env' in perf_evsel__env()
        perf tools: Propagate get_cpuid() error
        ...
    • Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 9b4e40c8
      Linus Torvalds authored
      Pull EFI fixes from Ingo Molnar:
       "Misc EFI fixes all across the map: CPER error report fixes, fixes to
        TPM event log parsing, fix for a kexec hang, a Sparse fix and other
        fixes"
      
      * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        efi/tpm: Fix sanity check of unsigned tbl_size being less than zero
        efi/x86: Do not clean dummy variable in kexec path
        efi: Make unexported efi_rci2_sysfs_init() static
        efi/tpm: Only set 'efi_tpm_final_log_size' after successful event log parsing
        efi/tpm: Don't traverse an event log with no events
        efi/tpm: Don't access event->count when it isn't mapped
        efivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified
        efi/cper: Fix endianness of PCIe class code
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · fcb45a28
      Linus Torvalds authored
      Pull x86 fixes from Ingo Molnar:
       "A handful of fixes: a kexec linking fix, an AMD MWAITX fix, a vmware
        guest support fix when built under Clang, and new CPU model number
        definitions"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/cpu: Add Comet Lake to the Intel CPU models header
        lib/string: Make memzero_explicit() inline instead of external
        x86/cpu/vmware: Use the full form of INL in VMWARE_PORT
        x86/asm: Fix MWAITX C-state hint value
    • Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · e9ec3588
      Linus Torvalds authored
      Pull x86 license tag fixlets from Ingo Molnar:
       "Fix a couple of SPDX tags in x86 headers to follow the canonical
        pattern"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86: Use the correct SPDX License Identifier in headers
    • Merge tag 'riscv/for-v5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 48acba98
      Linus Torvalds authored
      Pull RISC-V fixes from Paul Walmsley:
      
       - Fix several bugs in the breakpoint trap handler
      
       - Drop an unnecessary loop around calls to preempt_schedule_irq()
      
      * tag 'riscv/for-v5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        RISC-V: entry: Remove unneeded need_resched() loop
        riscv: Correct the handling of unexpected ebreak in do_trap_break()
        riscv: avoid sending a SIGTRAP to a user thread trapped in WARN()
        riscv: avoid kernel hangs when trapped in BUG()
    • Merge tag 'mips_fixes_5.4_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 63f9bff5
      Linus Torvalds authored
      Pull MIPS fixes from Paul Burton:
      
       - Build fixes for CONFIG_OPTIMIZE_INLINING=y builds in which the
         compiler may choose not to inline __xchg() & __cmpxchg().
      
       - A build fix for Loongson configurations with GCC 9.x.
      
       - Expose some extra HWCAP bits to indicate support for various
         instruction set extensions to userland.
      
       - Fix bad stack access in firmware handling code for old SNI
         RM200/300/400 machines.
      
      * tag 'mips_fixes_5.4_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: Disable Loongson MMI instructions for kernel build
        MIPS: elf_hwcap: Export userspace ASEs
        MIPS: fw: sni: Fix out of bounds init of o32 stack
        MIPS: include: Mark __xchg as __always_inline
        MIPS: include: Mark __cmpxchg as __always_inline