1. 15 Oct, 2015 1 commit
    • David Howells's avatar
      KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring · f05819df
      David Howells authored
      The following sequence of commands:
      
          i=`keyctl add user a a @s`
          keyctl request2 keyring foo bar @t
          keyctl unlink $i @s
      
      tries to invoke an upcall to instantiate a keyring if one doesn't already
      exist by that name within the user's keyring set.  However, if the upcall
      fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
      other error code.  When the key is garbage collected, the key destroy
      function is called unconditionally and keyring_destroy() uses list_empty()
      on keyring->type_data.link - which is in a union with reject_error.
      Subsequently, the kernel tries to unlink the keyring from the keyring names
      list - which oopses like this:
      
      	BUG: unable to handle kernel paging request at 00000000ffffff8a
      	IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
      	...
      	Workqueue: events key_garbage_collector
      	...
      	RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
      	RSP: 0018:ffff88003e2f3d30  EFLAGS: 00010203
      	RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
      	RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
      	RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
      	R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
      	R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
      	...
      	CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
      	...
      	Call Trace:
      	 [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
      	 [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
      	 [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
      	 [<ffffffff8105fd17>] worker_thread+0x26e/0x361
      	 [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
      	 [<ffffffff810648ad>] kthread+0xf3/0xfb
      	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
      	 [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
      	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
      
      Note the value in RAX.  This is a 32-bit representation of -ENOKEY.
      
      The solution is to only call ->destroy() if the key was successfully
      instantiated.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      f05819df
  2. 13 Oct, 2015 5 commits
    • Linus Torvalds's avatar
      Merge tag 'nfsd-4.3-2' of git://linux-nfs.org/~bfields/linux · 5b5f1455
      Linus Torvalds authored
      Pull nfsd fixes from Bruce Fields:
       "Two nfsd fixes, one for an RDMA crash, one for a pnfs/block protocol
        bug"
      
      * tag 'nfsd-4.3-2' of git://linux-nfs.org/~bfields/linux:
        svcrdma: Fix NFS server crash triggered by 1MB NFS WRITE
        nfsd/blocklayout: accept any minlength
      5b5f1455
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 6006d452
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes the following issues:
      
         - Fix AVX detection to prevent use of non-existent AESNI.
      
         - Some SPARC ciphers did not set their IV size which may lead to
           memory corruption"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: ahash - ensure statesize is non-zero
        crypto: camellia_aesni_avx - Fix CPU feature checks
        crypto: sparc - initialize blkcipher.ivsize
      6006d452
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 75542253
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
       "A few fixes piled up:
      
         - Fix for a suspend/resume issue where PCI probing code overwrote
           dev->irq for the MSI irq of the AMD IOMMU.
      
         - Fix for a kernel crash when a 32 bit PCI device was assigned to a
           KVM guest.
      
         - Fix for a possible memory leak in the VT-d driver
      
         - A couple of fixes for the ARM-SMMU driver"
      
      * tag 'iommu-fixes-v4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/amd: Fix NULL pointer deref on device detach
        iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices
        iommu/vt-d: Fix memory leak in dmar_insert_one_dev_info()
        iommu/arm-smmu: Use correct address mask for CMD_TLBI_S2_IPA
        iommu/arm-smmu: Ensure IAS is set correctly for AArch32-capable SMMUs
        iommu/io-pgtable-arm: Don't use dma_to_phys()
      75542253
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 06d1ee32
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "I got a bit behind last week, so here is a delayed fixes pull:
      
         - a bunch of radeon/amd gpu fixes
         - some nouveau regression fixes (ppc bios reading and runtime pm fix)
         - one drm core oops fix
         - two qxl locking fixes
         - one qxl regression fix"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/nouveau/bios: fix OF loading
        drm/nouveau/fbcon: take runpm reference when userspace has an open fd
        drm/nouveau/nouveau: Disable AGP for SiS 761
        drm/nouveau/display: allow up to 16k width/height for fermi+
        drm/nouveau/bios: translate devinit pri/sec i2c bus to internal identifiers
        drm: Fix locking for sysfs dpms file
        drm/amdgpu: fix memory leak in amdgpu_vm_update_page_directory
        drm/amdgpu: fix 32-bit compiler warning
        drm/qxl: avoid dependency lock
        drm/qxl: avoid buffer reservation in qxl_crtc_page_flip
        drm/qxl: fix framebuffer dirty rectangle tracking.
        drm/amdgpu: flag iceland as experimental
        drm/amdgpu: check before checking pci bridge registers
        drm/amdgpu: fix num_crtc on CZ
        drm/amdgpu: restore the fbdev mode in lastclose
        drm/radeon: restore the fbdev mode in lastclose
        drm/radeon: add quirk for ASUS R7 370
        drm/amdgpu: add pm sysfs files late
        drm/radeon: add pm sysfs files late
      06d1ee32
    • Russell King's avatar
      crypto: ahash - ensure statesize is non-zero · 8996eafd
      Russell King authored
      Unlike shash algorithms, ahash drivers must implement export
      and import as their descriptors may contain hardware state and
      cannot be exported as is.  Unfortunately some ahash drivers did
      not provide them and end up causing crashes with algif_hash.
      
      This patch adds a check to prevent these drivers from registering
      ahash algorithms until they are fixed.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      8996eafd
  3. 12 Oct, 2015 7 commits
  4. 11 Oct, 2015 8 commits
  5. 10 Oct, 2015 12 commits
  6. 09 Oct, 2015 7 commits
    • Linus Torvalds's avatar
      Merge tag 'dm-4.3-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · 04445556
      Linus Torvalds authored
      Pull dm fixes from Mike Snitzer:
       "Three stable fixes:
      
         - DM core AB-BA deadlock fix in the device destruction path (vs
           device creation's DM table swap).
      
         - DM raid fix to properly round up the region_size to the next
           power-of-2.
      
         - DM cache fix for a NULL pointer seen while switching from the
           "cleaner" cache policy.
      
        Two fixes for regressions introduced during the 4.3 merge:
      
         - request-based DM error propagation regressed due to incorrect
           changes introduced when adding the bi_error field to bio.
      
         - DM snapshot fix to only support snapshots that overflow if the
           client (e.g. lvm2) is prepared to deal with the associated
           snapshot status interface change"
      
      * tag 'dm-4.3-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm snapshot: add new persistent store option to support overflow
        dm cache: fix NULL pointer when switching from cleaner policy
        dm: fix request-based dm error reporting
        dm raid: fix round up of default region size
        dm: fix AB-BA deadlock in __dm_destroy()
      04445556
    • Linus Torvalds's avatar
      Merge branch 'for-linus-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 175d58cf
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "These are small and assorted.  Neil's is the oldest, I dropped the
        ball thinking he was going to send it in"
      
      * 'for-linus-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: support NFSv2 export
        Btrfs: open_ctree: Fix possible memory leak
        Btrfs: fix deadlock when finalizing block group creation
        Btrfs: update fix for read corruption of compressed and shared extents
        Btrfs: send, fix corner case for reference overwrite detection
      175d58cf
    • Linus Torvalds's avatar
      Merge tag 'nfsd-4.3-1' of git://linux-nfs.org/~bfields/linux · 38aa0a59
      Linus Torvalds authored
      Pull nfsd bugfix from Bruce Fields:
       "Just one RDMA bugfix"
      
      * tag 'nfsd-4.3-1' of git://linux-nfs.org/~bfields/linux:
        svcrdma: handle rdma read with a non-zero initial page offset
      38aa0a59
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 5163ac76
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "The fixes for this week include one small patch that was years in the
        making and that finally fixes using all eight CPUs on exynos542x.
      
        The rest are lots of minor changes for sunxi, imx, exynos and shmobile
      
         - fixing the minimum voltage for Allwinner A20
         - thermal boot issue on SMDK5250.
         - invalid clock used for FIMD IOMMU.
         - audio on Renesas r8a7790/r8a7791
         - invalid clock used for FIMD IOMMU
         - LEDs on exynos5422-odroidxu3-common
         - usb pin control for imx-rex
         - imx53: fix PMIC interrupt level
         - a Makefile typo"
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: dts: Fix wrong clock binding for sysmmu_fimd1_1 on exynos5420
        ARM: dts: Fix bootup thermal issue on smdk5250
        ARM: shmobile: r8a7791 dtsi: Add CPG/MSTP Clock Domain for sound
        ARM: shmobile: r8a7790 dtsi: Add CPG/MSTP Clock Domain for sound
        arm-cci500: Don't enable PMU driver by default
        ARM: dts: fix usb pin control for imx-rex dts
        ARM: imx53: qsrb: fix PMIC interrupt level
        ARM: imx53: include IRQ dt-bindings header
        ARM: dts: add suspend opp to exynos4412
        ARM: dts: Fix LEDs on exynos5422-odroidxu3
        ARM: EXYNOS: reset Little cores when cpu is up
        ARM: dts: Fix Makefile target for sun4i-a10-itead-iteaduino-plus
        ARM: dts: sunxi: Raise minimum CPU voltage for sun7i-a20 to meet SoC specifications
      5163ac76
    • Mike Snitzer's avatar
      dm snapshot: add new persistent store option to support overflow · b0d3cc01
      Mike Snitzer authored
      Commit 76c44f6d introduced the possibly for "Overflow" to be reported
      by the snapshot device's status.  Older userspace (e.g. lvm2) does not
      handle the "Overflow" status response.
      
      Fix this incompatibility by requiring newer userspace code, that can
      cope with "Overflow", request the persistent store with overflow support
      by using "PO" (Persistent with Overflow) for the snapshot store type.
      Reported-by: default avatarZdenek Kabelac <zkabelac@redhat.com>
      Fixes: 76c44f6d ("dm snapshot: don't invalidate on-disk image on snapshot write overflow")
      Reviewed-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      b0d3cc01
    • Rafael J. Wysocki's avatar
      Merge branches 'pm-devfreq' and 'pm-cpufreq' · 670aee3f
      Rafael J. Wysocki authored
      * pm-devfreq:
        PM / devfreq: fix double kfree
        PM / devfreq: Fix governor_store()
      
      * pm-cpufreq:
        cpufreq: prevent lockup on reading scaling_available_frequencies
        cpufreq: acpi_cpufreq: prevent crash on reading freqdomain_cpus
      670aee3f
    • Christoph Hellwig's avatar
      nfsd/blocklayout: accept any minlength · 8c3ad9cb
      Christoph Hellwig authored
      Recent Linux clients have started to send GETLAYOUT requests with
      minlength less than blocksize.
      
      Servers aren't really allowed to impose this kind of restriction on
      layouts; see RFC 5661 section 18.43.3 for details.
      
      This has been observed to cause indefinite hangs on fsx runs on some
      clients.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      8c3ad9cb