1. 14 Jun, 2018 4 commits
  2. 13 Jun, 2018 3 commits
  3. 25 May, 2018 1 commit
  4. 23 May, 2018 1 commit
    • Theodore Ts'o's avatar
      ext4: correctly handle a zero-length xattr with a non-zero e_value_offs · 8a2b307c
      Theodore Ts'o authored
      Ext4 will always create ext4 extended attributes which do not have a
      value (where e_value_size is zero) with e_value_offs set to zero.  In
      most places e_value_offs will not be used in a substantive way if
      e_value_size is zero.
      
      There was one exception to this, which is in ext4_xattr_set_entry(),
      where if there is a maliciously crafted file system where there is an
      extended attribute with e_value_offs is non-zero and e_value_size is
      0, the attempt to remove this xattr will result in a negative value
      getting passed to memmove, leading to the following sadness:
      
      [   41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
      [   44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000
      [   44.538733] IP: __memmove+0x81/0x1a0
      [   44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1
      [   44.538793] Oops: 0003 [#1] SMP PTI
      [   44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1
          ...
      [   44.539475] Call Trace:
      [   44.539832]  ext4_xattr_set_entry+0x9e7/0xf80
          ...
      [   44.539972]  ext4_xattr_block_set+0x212/0xea0
          ...
      [   44.540041]  ext4_xattr_set_handle+0x514/0x610
      [   44.540065]  ext4_xattr_set+0x7f/0x120
      [   44.540090]  __vfs_removexattr+0x4d/0x60
      [   44.540112]  vfs_removexattr+0x75/0xe0
      [   44.540132]  removexattr+0x4d/0x80
          ...
      [   44.540279]  path_removexattr+0x91/0xb0
      [   44.540300]  SyS_removexattr+0xf/0x20
      [   44.540322]  do_syscall_64+0x71/0x120
      [   44.540344]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      
      https://bugzilla.kernel.org/show_bug.cgi?id=199347
      
      This addresses CVE-2018-10840.
      Reported-by: default avatar"Xu, Wen" <wen.xu@gatech.edu>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
      Cc: stable@kernel.org
      Fixes: dec214d0 ("ext4: xattr inode deduplication")
      8a2b307c
  5. 22 May, 2018 2 commits
  6. 21 May, 2018 4 commits
  7. 14 May, 2018 4 commits
  8. 13 May, 2018 3 commits
  9. 12 May, 2018 5 commits
  10. 10 May, 2018 3 commits
    • Eryu Guan's avatar
      ext4: use raw i_version value for ea_inode · e254d1af
      Eryu Guan authored
      Currently, creating large xattr (e.g. 2k) in ea_inode would cause
      ea_inode refcount corruption, e.g.
      
        Pass 4: Checking reference counts
        Extended attribute inode 13 ref count is 0, should be 1. Fix? no
      
      This is because that we save the lower 32bit of refcount in
      inode->i_version and store it in raw_inode->i_disk_version on disk.
      But since commit ee73f9a5 ("ext4: convert to new i_version
      API"), we load/store modified i_disk_version from/to disk instead of
      raw value, which causes on-disk ea_inode refcount corruption.
      
      Fix it by loading/storing raw i_version/i_disk_version, because it's
      a self-managed value in this case.
      
      Fixes: ee73f9a5 ("ext4: convert to new i_version API")
      Cc: Tahsin Erdogan <tahsin@google.com>
      Signed-off-by: default avatarEryu Guan <guaneryu@gmail.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      e254d1af
    • Eryu Guan's avatar
      ext4: use XATTR_CREATE in ext4_initxattrs() · 3f706c8c
      Eryu Guan authored
      I hit ENOSPC error when creating new file in a newly created ext4
      with ea_inode feature enabled, if selinux is enabled and ext4 is
      mounted without any selinux context. e.g.
      
        mkfs -t ext4 -O ea_inode -F /dev/sda5
        mount /dev/sda5 /mnt/ext4
        touch /mnt/ext4/testfile  # got ENOSPC here
      
      It turns out that we run out of journal credits in
      ext4_xattr_set_handle() when creating new selinux label for the
      newly created inode.
      
      This is because that in __ext4_new_inode() we use
      __ext4_xattr_set_credits() to calculate the reserved credits for new
      xattr, with the 'is_create' argument being true, which implies less
      credits in the ea_inode case. But we calculate the required credits
      in ext4_xattr_set_handle() with 'is_create' being false, which means
      we need more credits if ea_inode feature is enabled. So we don't
      have enough credits and error out with ENOSPC.
      
      Fix it by simply calling ext4_xattr_set_handle() with XATTR_CREATE
      flag in ext4_initxattrs(), so we end up with requiring less credits
      than reserved. The semantic of XATTR_CREATE is "Perform a pure
      create, which fails if the named attribute exists already." (from
      setxattr(2)), which is fine in this case, because we only call
      ext4_initxattrs() on newly created inode.
      
      Fixes: af65207c ("ext4: fix __ext4_new_inode() journal credits calculation")
      Cc: Tahsin Erdogan <tahsin@google.com>
      Signed-off-by: default avatarEryu Guan <guaneryu@gmail.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      3f706c8c
    • Mathieu Malaterre's avatar
      ext4: make function ‘ext4_getfsmap_find_fixed_metadata’ static · 472d8ea1
      Mathieu Malaterre authored
      Since function ‘ext4_getfsmap_find_fixed_metadata’ can be made static,
      make it so. Remove the following gcc warning (W=1):
      
        fs/ext4/fsmap.c:405:5: warning: no previous prototype for ‘ext4_getfsmap_find_fixed_metadata’ [-Wmissing-prototypes]
      Signed-off-by: default avatarMathieu Malaterre <malat@debian.org>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      472d8ea1
  11. 07 May, 2018 1 commit
  12. 06 May, 2018 7 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 701e39d0
      Linus Torvalds authored
      Pll KVM fixes from Radim Krčmář:
       "ARM:
         - Fix proxying of GICv2 CPU interface accesses
         - Fix crash when switching to BE
         - Track source vcpu git GICv2 SGIs
         - Fix an outdated bit of documentation
      
        x86:
         - Speed up injection of expired timers (for stable)"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: remove APIC Timer periodic/oneshot spikes
        arm64: vgic-v2: Fix proxying of cpuif access
        KVM: arm/arm64: vgic_init: Cleanup reference to process_maintenance
        KVM: arm64: Fix order of vcpu_write_sys_reg() arguments
        KVM: arm/arm64: vgic: Fix source vcpu issues for GICv2 SGI
      701e39d0
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 772d4f84
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
      
       - fix a compile warning in the AMD IOMMU driver with irq remapping
         disabled
      
       - fix for VT-d interrupt remapping and invalidation size (caused a
         BUG_ON when trying to invalidate more than 4GB)
      
       - build fix and a regression fix for broken graphics with old DTS for
         the rockchip iommu driver
      
       - a revert in the PCI window reservation code which fixes a regression
         with VFIO.
      
      * tag 'iommu-fixes-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu: rockchip: fix building without CONFIG_OF
        iommu/vt-d: Use WARN_ON_ONCE instead of BUG_ON in qi_flush_dev_iotlb()
        iommu/vt-d: fix shift-out-of-bounds in bug checking
        iommu/dma: Move PCI window region reservation back into dma specific path.
        iommu/rockchip: Make clock handling optional
        iommu/amd: Hide unused iommu_table_lock
        iommu/vt-d: Fix usage of force parameter in intel_ir_reconfigure_irte()
      772d4f84
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 9c48eb6a
      Linus Torvalds authored
      Pull x86 fix from Thomas Gleixner:
       "Unbreak the CPUID CPUID_8000_0008_EBX reload which got dropped when
        the evaluation of physical and virtual bits which uses the same CPUID
        leaf was moved out of get_cpu_cap()"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/cpu: Restore CPUID_8000_0008_EBX reload
      9c48eb6a
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · fe282c60
      Linus Torvalds authored
      Pull clocksource fixes from Thomas Gleixner:
       "The recent addition of the early TSC clocksource breaks on machines
        which have an unstable TSC because in case that TSC is disabled, then
        the clocksource selection logic falls back to the early TSC which is
        obviously bogus.
      
        That also unearthed a few robustness issues in the clocksource
        derating code which are addressed as well"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        clocksource: Rework stale comment
        clocksource: Consistent de-rate when marking unstable
        x86/tsc: Fix mark_tsc_unstable()
        clocksource: Initialize cs->wd_list
        clocksource: Allow clocksource_mark_unstable() on unregistered clocksources
        x86/tsc: Always unregister clocksource_tsc_early
      fe282c60
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 03b5f0c1
      Linus Torvalds authored
      Pull irq fix from Thomas Gleixner:
       "A single fix to prevent false positives in the spurious interrupt
        detector when more than a single demultiplex register is evaluated in
        the Qualcom irq combiner driver"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/qcom: Fix check for spurious interrupts
      03b5f0c1
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v4.17-2' of git://git.infradead.org/linux-platform-drivers-x86 · ee946c36
      Linus Torvalds authored
      Pull x86 platform driver fixes from Darren Hart:
      
       - We missed a case in the Dell config dependencies resulting in a
         possible bad configuration, resolve it by giving up on trying to keep
         DELL_LAPTOP visible in the menu and make it depend on DELL_SMBIOS.
      
       - Fix a null pointer dereference at module unload for the asus-wireless
         driver.
      
      * tag 'platform-drivers-x86-v4.17-2' of git://git.infradead.org/linux-platform-drivers-x86:
        platform/x86: Kconfig: Fix dell-laptop dependency chain.
        platform/x86: asus-wireless: Fix NULL pointer dereference
      ee946c36
    • Linus Torvalds's avatar
      Merge tag 'usb-4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 8e95cb33
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some USB driver fixes for 4.17-rc4.
      
        The majority of them are some USB gadget fixes that missed my last
        pull request. The "largest" patch in here is a fix for the old visor
        driver that syzbot found 6 months or so ago and I finally remembered
        to fix it.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        Revert "usb: host: ehci: Use dma_pool_zalloc()"
        usb: typec: tps6598x: handle block reads separately with plain-I2C adapters
        usb: typec: tcpm: Release the role mux when exiting
        USB: Accept bulk endpoints with 1024-byte maxpacket
        xhci: Fix use-after-free in xhci_free_virt_device
        USB: serial: visor: handle potential invalid device configuration
        USB: serial: option: adding support for ublox R410M
        usb: musb: trace: fix NULL pointer dereference in musb_g_tx()
        usb: musb: host: fix potential NULL pointer dereference
        usb: gadget: composite Allow for larger configuration descriptors
        usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue
        usb: dwc3: gadget: dwc3_gadget_del_and_unmap_request() can be static
        usb: dwc2: pci: Fix error return code in dwc2_pci_probe()
        usb: dwc2: WA for Full speed ISOC IN in DDMA mode.
        usb: dwc2: dwc2_vbus_supply_init: fix error check
        usb: gadget: f_phonet: fix pn_net_xmit()'s return type
      8e95cb33
  13. 05 May, 2018 2 commits
    • Anthoine Bourgeois's avatar
      KVM: x86: remove APIC Timer periodic/oneshot spikes · ecf08dad
      Anthoine Bourgeois authored
      Since the commit "8003c9ae: add APIC Timer periodic/oneshot mode VMX
      preemption timer support", a Windows 10 guest has some erratic timer
      spikes.
      
      Here the results on a 150000 times 1ms timer without any load:
      	  Before 8003c9ae | After 8003c9ae
      Max           1834us          |  86000us
      Mean          1100us          |   1021us
      Deviation       59us          |    149us
      Here the results on a 150000 times 1ms timer with a cpu-z stress test:
      	  Before 8003c9ae | After 8003c9ae
      Max          32000us          | 140000us
      Mean          1006us          |   1997us
      Deviation      140us          |  11095us
      
      The root cause of the problem is starting hrtimer with an expiry time
      already in the past can take more than 20 milliseconds to trigger the
      timer function.  It can be solved by forward such past timers
      immediately, rather than submitting them to hrtimer_start().
      In case the timer is periodic, update the target expiration and call
      hrtimer_start with it.
      
      v2: Check if the tsc deadline is already expired. Thank you Mika.
      v3: Execute the past timers immediately rather than submitting them to
      hrtimer_start().
      v4: Rearm the periodic timer with advance_periodic_target_expiration() a
      simpler version of set_target_expiration(). Thank you Paolo.
      
      Cc: Mika Penttilä <mika.penttila@nextfour.com>
      Cc: Wanpeng Li <kernellwp@gmail.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAnthoine Bourgeois <anthoine.bourgeois@blade-group.com>
      8003c9ae ("KVM: LAPIC: add APIC Timer periodic/oneshot mode VMX preemption timer support")
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      ecf08dad
    • Radim Krčmář's avatar
      Merge tag 'kvmarm-fixes-for-4.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm · f3351c60
      Radim Krčmář authored
      KVM/arm fixes for 4.17, take #2
      
      - Fix proxying of GICv2 CPU interface accesses
      - Fix crash when switching to BE
      - Track source vcpu git GICv2 SGIs
      - Fix an outdated bit of documentation
      f3351c60