1. 24 Jan, 2018 22 commits
  2. 19 Jan, 2018 6 commits
    • Amir Goldstein's avatar
      ovl: take mnt_want_write() for removing impure xattr · a5a927a7
      Amir Goldstein authored
      The optimization in ovl_cache_get_impure() that tries to remove an
      unneeded "impure" xattr needs to take mnt_want_write() on upper fs.
      
      Fixes: 4edb83bb ("ovl: constant d_ino for non-merge dirs")
      Cc: <stable@vger.kernel.org> #v4.14
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      a5a927a7
    • Amir Goldstein's avatar
      ovl: take mnt_want_write() for work/index dir setup · 2ba9d57e
      Amir Goldstein authored
      There are several write operations on upper fs not covered by
      mnt_want_write():
      
      - test set/remove OPAQUE xattr
      - test create O_TMPFILE
      - set ORIGIN xattr in ovl_verify_origin()
      - cleanup of index entries in ovl_indexdir_cleanup()
      
      Some of these go way back, but this patch only applies over the
      v4.14 re-factoring of ovl_fill_super().
      
      Cc: <stable@vger.kernel.org> #v4.14
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      2ba9d57e
    • Amir Goldstein's avatar
      f8167817
    • Amir Goldstein's avatar
      ovl: take lower dir inode mutex outside upper sb_writers lock · 6d0a8a90
      Amir Goldstein authored
      The functions ovl_lower_positive() and ovl_check_empty_dir() both take
      inode mutex on the real lower dir under ovl_want_write() which takes
      the upper_mnt sb_writers lock.
      
      While this is not a clear locking order or layering violation, it creates
      an undesired lock dependency between two unrelated layers for no good
      reason.
      
      This lock dependency materializes to a false(?) positive lockdep warning
      when calling rmdir() on a nested overlayfs, where both nested and
      underlying overlayfs both use the same fs type as upper layer.
      
      rmdir() on the nested overlayfs creates the lock chain:
        sb_writers of upper_mnt (e.g. tmpfs) in ovl_do_remove()
        ovl_i_mutex_dir_key[] of lower overlay dir in ovl_lower_positive()
      
      rmdir() on the underlying overlayfs creates the lock chain in
      reverse order:
        ovl_i_mutex_dir_key[] of lower overlay dir in vfs_rmdir()
        sb_writers of nested upper_mnt (e.g. tmpfs) in ovl_do_remove()
      
      To rid of the unneeded locking dependency, move both ovl_lower_positive()
      and ovl_check_empty_dir() to before ovl_want_write() in rmdir() and
      rename() implementation.
      
      This change spreads the pieces of ovl_check_empty_and_clear() directly
      inside the rmdir()/rename() implementations so the helper is no longer
      needed and removed.
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      6d0a8a90
    • Amir Goldstein's avatar
      ovl: fix failure to fsync lower dir · d796e77f
      Amir Goldstein authored
      As a writable mount, it is not expected for overlayfs to return
      EINVAL/EROFS for fsync, even if dir/file is not changed.
      
      This commit fixes the case of fsync of directory, which is easier to
      address, because overlayfs already implements fsync file operation for
      directories.
      
      The problem reported by Raphael is that new PostgreSQL 10.0 with a
      database in overlayfs where lower layer in squashfs fails to start.
      The failure is due to fsync error, when PostgreSQL does fsync on all
      existing db directories on startup and a specific directory exists
      lower layer with no changes.
      Reported-by: default avatarRaphael Hertzog <raphael@ouaza.com>
      Cc: <stable@vger.kernel.org> # v3.18
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Tested-by: default avatarRaphaël Hertzog <hertzog@debian.org>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      d796e77f
    • Amir Goldstein's avatar
      ovl: hash directory inodes for fsnotify · 31747eda
      Amir Goldstein authored
      fsnotify pins a watched directory inode in cache, but if directory dentry
      is released, new lookup will allocate a new dentry and a new inode.
      Directory events will be notified on the new inode, while fsnotify listener
      is watching the old pinned inode.
      
      Hash all directory inodes to reuse the pinned inode on lookup. Pure upper
      dirs are hashes by real upper inode, merge and lower dirs are hashed by
      real lower inode.
      
      The reference to lower inode was being held by the lower dentry object
      in the overlay dentry (oe->lowerstack[0]). Releasing the overlay dentry
      may drop lower inode refcount to zero. Add a refcount on behalf of the
      overlay inode to prevent that.
      
      As a by-product, hashing directory inodes also detects multiple
      redirected dirs to the same lower dir and uncovered redirected dir
      target on and returns -ESTALE on lookup.
      
      The reported issue dates back to initial version of overlayfs, but this
      patch depends on ovl_inode code that was introduced in kernel v4.13.
      
      Cc: <stable@vger.kernel.org> #v4.13
      Reported-by: default avatarNiklas Cassel <niklas.cassel@axis.com>
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Tested-by: default avatarNiklas Cassel <niklas.cassel@axis.com>
      31747eda
  3. 14 Jan, 2018 9 commits
    • Linus Torvalds's avatar
      Linux 4.15-rc8 · a8750ddc
      Linus Torvalds authored
      a8750ddc
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · aaae98a8
      Linus Torvalds authored
      Pull x86 fixlet from Thomas Gleixner.
      
      Remove a warning about lack of compiler support for retpoline that most
      people can't do anything about, so it just annoys them needlessly.
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/retpoline: Remove compile time warning
      aaae98a8
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.15-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 6bb82119
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "One fix for an oops at boot if we take a hotplug interrupt before we
        are ready to handle it.
      
        The bulk is patches to implement mitigation for Meltdown, see the
        change logs for more details.
      
        Thanks to: Nicholas Piggin, Michael Neuling, Oliver O'Halloran, Jon
        Masters, Jose Ricardo Ziviani, David Gibson"
      
      * tag 'powerpc-4.15-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/powernv: Check device-tree for RFI flush settings
        powerpc/pseries: Query hypervisor for RFI flush settings
        powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti
        powerpc/64s: Add support for RFI flush of L1-D cache
        powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL
        powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL
        powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL
        powerpc/64s: Simple RFI macro conversions
        powerpc/64: Add macros for annotating the destination of rfid/hrfid
        powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
        powerpc/pseries: Make RAS IRQ explicitly dependent on DLPAR WQ
      6bb82119
    • Thomas Gleixner's avatar
      x86/retpoline: Remove compile time warning · b8b9ce4b
      Thomas Gleixner authored
      Remove the compile time warning when CONFIG_RETPOLINE=y and the compiler
      does not have retpoline support. Linus rationale for this is:
      
        It's wrong because it will just make people turn off RETPOLINE, and the
        asm updates - and return stack clearing - that are independent of the
        compiler are likely the most important parts because they are likely the
        ones easiest to target.
      
        And it's annoying because most people won't be able to do anything about
        it. The number of people building their own compiler? Very small. So if
        their distro hasn't got a compiler yet (and pretty much nobody does), the
        warning is just annoying crap.
      
        It is already properly reported as part of the sysfs interface. The
        compile-time warning only encourages bad things.
      
      Fixes: 76b04384 ("x86/retpoline: Add initial retpoline support")
      Requested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: gnomes@lxorguk.ukuu.org.uk
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: thomas.lendacky@amd.com
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Kees Cook <keescook@google.com>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
      Link: https://lkml.kernel.org/r/CA+55aFzWgquv4i6Mab6bASqYXg3ErV3XDFEYf=GEcCDQg5uAtw@mail.gmail.com
      b8b9ce4b
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 9443c168
      Linus Torvalds authored
      Pull NVMe fix from Jens Axboe:
       "Just a single fix for nvme over fabrics that should go into 4.15"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        nvme-fabrics: initialize default host->id in nvmf_host_default()
      9443c168
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 40548c6b
      Linus Torvalds authored
      Pull x86 pti updates from Thomas Gleixner:
       "This contains:
      
         - a PTI bugfix to avoid setting reserved CR3 bits when PCID is
           disabled. This seems to cause issues on a virtual machine at least
           and is incorrect according to the AMD manual.
      
         - a PTI bugfix which disables the perf BTS facility if PTI is
           enabled. The BTS AUX buffer is not globally visible and causes the
           CPU to fault when the mapping disappears on switching CR3 to user
           space. A full fix which restores BTS on PTI is non trivial and will
           be worked on.
      
         - PTI bugfixes for EFI and trusted boot which make sure that the user
           space visible page table entries have the NX bit cleared
      
         - removal of dead code in the PTI pagetable setup functions
      
         - add PTI documentation
      
         - add a selftest for vsyscall to verify that the kernel actually
           implements what it advertises.
      
         - a sysfs interface to expose vulnerability and mitigation
           information so there is a coherent way for users to retrieve the
           status.
      
         - the initial spectre_v2 mitigations, aka retpoline:
      
            + The necessary ASM thunk and compiler support
      
            + The ASM variants of retpoline and the conversion of affected ASM
              code
      
            + Make LFENCE serializing on AMD so it can be used as speculation
              trap
      
            + The RSB fill after vmexit
      
         - initial objtool support for retpoline
      
        As I said in the status mail this is the most of the set of patches
        which should go into 4.15 except two straight forward patches still on
        hold:
      
         - the retpoline add on of LFENCE which waits for ACKs
      
         - the RSB fill after context switch
      
        Both should be ready to go early next week and with that we'll have
        covered the major holes of spectre_v2 and go back to normality"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (28 commits)
        x86,perf: Disable intel_bts when PTI
        security/Kconfig: Correct the Documentation reference for PTI
        x86/pti: Fix !PCID and sanitize defines
        selftests/x86: Add test_vsyscall
        x86/retpoline: Fill return stack buffer on vmexit
        x86/retpoline/irq32: Convert assembler indirect jumps
        x86/retpoline/checksum32: Convert assembler indirect jumps
        x86/retpoline/xen: Convert Xen hypercall indirect jumps
        x86/retpoline/hyperv: Convert assembler indirect jumps
        x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
        x86/retpoline/entry: Convert entry assembler indirect jumps
        x86/retpoline/crypto: Convert crypto assembler indirect jumps
        x86/spectre: Add boot time option to select Spectre v2 mitigation
        x86/retpoline: Add initial retpoline support
        objtool: Allow alternatives to be ignored
        objtool: Detect jumps to retpoline thunks
        x86/pti: Make unpoison of pgd for trusted boot work for real
        x86/alternatives: Fix optimize_nops() checking
        sysfs/cpu: Fix typos in vulnerability documentation
        x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC
        ...
      40548c6b
    • Peter Zijlstra's avatar
      x86,perf: Disable intel_bts when PTI · 99a9dc98
      Peter Zijlstra authored
      The intel_bts driver does not use the 'normal' BTS buffer which is exposed
      through the cpu_entry_area but instead uses the memory allocated for the
      perf AUX buffer.
      
      This obviously comes apart when using PTI because then the kernel mapping;
      which includes that AUX buffer memory; disappears. Fixing this requires to
      expose a mapping which is visible in all context and that's not trivial.
      
      As a quick fix disable this driver when PTI is enabled to prevent
      malfunction.
      
      Fixes: 385ce0ea ("x86/mm/pti: Add Kconfig")
      Reported-by: default avatarVince Weaver <vincent.weaver@maine.edu>
      Reported-by: default avatarRobert Święcki <robert@swiecki.net>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: greg@kroah.com
      Cc: hughd@google.com
      Cc: luto@amacapital.net
      Cc: Vince Weaver <vince@deater.net>
      Cc: torvalds@linux-foundation.org
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180114102713.GB6166@worktop.programming.kicks-ass.net
      99a9dc98
    • W. Trevor King's avatar
      security/Kconfig: Correct the Documentation reference for PTI · a237f762
      W. Trevor King authored
      When the config option for PTI was added a reference to documentation was
      added as well. But the documentation did not exist at that point. The final
      documentation has a different file name.
      
      Fix it up to point to the proper file.
      
      Fixes: 385ce0ea ("x86/mm/pti: Add Kconfig")
      Signed-off-by: default avatarW. Trevor King <wking@tremily.us>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: linux-mm@kvack.org
      Cc: linux-security-module@vger.kernel.org
      Cc: James Morris <james.l.morris@oracle.com>
      Cc: "Serge E. Hallyn" <serge@hallyn.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/3009cc8ccbddcd897ec1e0cb6dda524929de0d14.1515799398.git.wking@tremily.us
      a237f762
    • Thomas Gleixner's avatar
      x86/pti: Fix !PCID and sanitize defines · f10ee3dc
      Thomas Gleixner authored
      The switch to the user space page tables in the low level ASM code sets
      unconditionally bit 12 and bit 11 of CR3. Bit 12 is switching the base
      address of the page directory to the user part, bit 11 is switching the
      PCID to the PCID associated with the user page tables.
      
      This fails on a machine which lacks PCID support because bit 11 is set in
      CR3. Bit 11 is reserved when PCID is inactive.
      
      While the Intel SDM claims that the reserved bits are ignored when PCID is
      disabled, the AMD APM states that they should be cleared.
      
      This went unnoticed as the AMD APM was not checked when the code was
      developed and reviewed and test systems with Intel CPUs never failed to
      boot. The report is against a Centos 6 host where the guest fails to boot,
      so it's not yet clear whether this is a virt issue or can happen on real
      hardware too, but thats irrelevant as the AMD APM clearly ask for clearing
      the reserved bits.
      
      Make sure that on non PCID machines bit 11 is not set by the page table
      switching code.
      
      Andy suggested to rename the related bits and masks so they are clearly
      describing what they should be used for, which is done as well for clarity.
      
      That split could have been done with alternatives but the macro hell is
      horrible and ugly. This can be done on top if someone cares to remove the
      extra orq. For now it's a straight forward fix.
      
      Fixes: 6fd166aa ("x86/mm: Use/Fix PCID to optimize user/kernel switches")
      Reported-by: default avatarLaura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: stable <stable@vger.kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Willy Tarreau <w@1wt.eu>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801140009150.2371@nanos
      f10ee3dc
  4. 13 Jan, 2018 3 commits