1. 29 Jul, 2018 1 commit
    • Merge tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random · a26fb01c
      Linus Torvalds authored
      Pull random fixes from Ted Ts'o:
       "In reaction to the fixes to address CVE-2018-1108, some Linux
        distributions that have certain systemd versions in some cases
        combined with patches to libcrypt for FIPS/FEDRAMP compliance, have
        led to boot-time stalls for some hardware.
      
        The reaction by some distros and Linux sysadmins has been to install
        packages that try to do complicated things with the CPU and hope that
        leads to randomness.
      
        To mitigate this, if RDRAND is available, mix it into entropy provided
        by userspace. It won't hurt, and it will probably help"
      
      * tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random:
        random: mix rdrand with entropy sent in from userspace
  2. 28 Jul, 2018 3 commits
  3. 27 Jul, 2018 23 commits
  4. 26 Jul, 2018 13 commits
    • block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs · 17d51b10
      Martin Wilck authored
      bio_iov_iter_get_pages() currently only adds pages for the next non-zero
      segment from the iov_iter to the bio. That's suboptimal for callers,
      which typically try to pin as many pages as fit into the bio. This patch
      converts the current bio_iov_iter_get_pages() into a static helper, and
      introduces a new helper that allocates as many pages as
      
       1) fit into the bio,
       2) are present in the iov_iter,
       3) and can be pinned by MM.
      
      Error is returned only if zero pages could be pinned. Because of 3), a
      zero return value doesn't necessarily mean all pages have been pinned.
      Callers that have to pin every page in the iov_iter must still call this
      function in a loop (this is currently the case).
      
      This change matters most for __blkdev_direct_IO_simple(), which calls
      bio_iov_iter_get_pages() only once. If it obtains fewer pages than
      requested, it returns a "short write" or "short read", and
      __generic_file_write_iter() falls back to buffered writes, which may
      lead to data corruption.
      
      Fixes: 72ecad22 ("block: support a full bio worth of IO for simplified bdev direct-io")
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Martin Wilck <mwilck@suse.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • blkdev: __blkdev_direct_IO_simple: fix leak in error case · 9362dd11
      Martin Wilck authored
      Fixes: 72ecad22 ("block: support a full bio worth of IO for simplified bdev direct-io")
      Reviewed-by: Ming Lei <ming.lei@redhat.com>
      Reviewed-by: Hannes Reinecke <hare@suse.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Martin Wilck <mwilck@suse.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • block: bio_iov_iter_get_pages: fix size of last iovec · b403ea24
      Martin Wilck authored
      If the last page of the bio is not "full", the length of the last
      vector slot needs to be corrected. This slot has the index
      (bio->bi_vcnt - 1), but only in bio->bi_io_vec. In the "bv" helper
      array, which is shifted by the value of bio->bi_vcnt at function
      invocation, the correct index is (nr_pages - 1).
      
      v2: improved readability following suggestions from Ming Lei.
      v3: followed a formatting suggestion from Christoph Hellwig.
      
      Fixes: 2cefe4db ("block: add bio_iov_iter_get_pages()")
      Reviewed-by: Hannes Reinecke <hare@suse.com>
      Reviewed-by: Ming Lei <ming.lei@redhat.com>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Martin Wilck <mwilck@suse.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • Merge branch 'nvme-4.18' of git://git.infradead.org/nvme into for-linus · 78e18063
      Jens Axboe authored
      Pull NVMe fixes from Christoph:
      
      "Two small fixes each for the FC code and the target."
      
      * 'nvme-4.18' of git://git.infradead.org/nvme:
        nvmet: only check for filebacking on -ENOTBLK
        nvmet: fixup crash on NULL device path
        nvme: if_ready checks to fail io to deleting controller
        nvmet-fc: fix target sgl list on large transfers
    • PCI/AER: Work around use-after-free in pcie_do_fatal_recovery() · bd91b56c
      Thomas Tai authored
      When a fatal error is received by a non-bridge device, the device is
      removed, and pci_stop_and_remove_bus_device() deallocates the device
      structure.  The freed device structure is used by subsequent code to send
      uevents and print messages.
      
      Hold a reference on the device until we're finished using it.  This is not
      an ideal fix because pcie_do_fatal_recovery() should not use the device at
      all after removing it, but that's too big a project for right now.
      
      Fixes: 7e9084b3 ("PCI/AER: Handle ERR_FATAL with removal and re-enumeration of devices")
      Signed-off-by: Thomas Tai <thomas.tai@oracle.com>
      [bhelgaas: changelog, reduce get/put coverage]
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    • Merge tag 'usb-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · cd3f77d7
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a number of USB fixes and new device ids for 4.18-rc7.
      
        The largest number are a bunch of gadget driver fixes that got delayed
        in being submitted earlier due to vacation schedules, but nothing
        really huge is present in them. There are some new device ids and some
        PHY driver fixes that were connected to some USB ones. Full details
        are in the shortlog.
      
        All have been in linux-next for a while with no reported issues"
      
      * tag 'usb-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (28 commits)
        usb: core: handle hub C_PORT_OVER_CURRENT condition
        usb: xhci: Fix memory leak in xhci_endpoint_reset()
        usb: typec: tcpm: Fix sink PDO starting index for PPS APDO selection
        usb: gadget: f_fs: Only return delayed status when len is 0
        usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
        usb: dwc2: Fix inefficient copy of unaligned buffers
        usb: dwc2: Fix DMA alignment to start at allocated boundary
        usb: dwc3: rockchip: Fix PHY documentation links.
        tools: usb: ffs-test: Fix build on big endian systems
        usb: gadget: aspeed: Workaround memory ordering issue
        usb: dwc3: gadget: remove redundant variable maxpacket
        usb: dwc2: avoid NULL dereferences
        usb/phy: fix PPC64 build errors in phy-fsl-usb.c
        usb: dwc2: host: do not delay retries for CONTROL IN transfers
        usb: gadget: u_audio: protect stream runtime fields with stream spinlock
        usb: gadget: u_audio: remove cached period bytes value
        usb: gadget: u_audio: remove caching of stream buffer parameters
        usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
        usb: gadget: u_audio: fix pcm/card naming in g_audio_setup()
        usb: gadget: f_uac2: fix error handling in afunc_bind (again)
        ...
    • Merge tag 'staging-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · fd4f84fa
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are three small staging driver fixes for 4.18-rc7.
      
        One is a revert of an earlier patch that turned out to be incorrect,
        one is a fix for the speakup drivers, and the last a fix for the
        ks7010 driver to resolve a regression.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: speakup: fix wraparound in uaccess length check
        staging: ks7010: call 'hostif_mib_set_request_int' instead of 'hostif_mib_set_request_bool'
        Revert "staging:r8188eu: Use lib80211 to support TKIP"
    • Merge tag 'driver-core-4.18-rc7' of... · a5f9e5da
      Linus Torvalds authored
      Merge tag 'driver-core-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core fix from Greg KH:
       "This is a single driver core fix for 4.18-rc7. It partially reverts a
        previous commit to resolve some reported issues.
      
        It has been in linux-next for a while now with no reported issues"
      
      * tag 'driver-core-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        driver core: Partially revert "driver core: correct device's shutdown order"
    • Merge tag 'acpi-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 9bd59183
      Linus Torvalds authored
      Pull ACPI fix from Rafael Wysocki:
       "Fix a recent ACPICA regression causing the AML parser to get confused
        and fail in some situations involving incorrect AML in an ACPI table
        (Erik Schmauss)"
      
      * tag 'acpi-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPICA: AML Parser: ignore dispatcher error status during table load
    • Merge tag 'pm-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 99015e94
      Linus Torvalds authored
      Pull power management fix from Rafael Wysocki:
       "Fix up the recently introduced cpufreq driver for Qualcomm Kryo
        processors by adding a terminating NULL entry to its table of device
        IDs (YueHaibing)"
      
      * tag 'pm-4.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: qcom-kryo: add NULL entry to the end of_device_id array
    • kthread, tracing: Don't expose half-written comm when creating kthreads · 3e536e22
      Snild Dolkow authored
      There is a window for racing when printing directly to task->comm,
      allowing other threads to see a non-terminated string. The vsnprintf
      function fills the buffer, counts the truncated chars, then finally
      writes the \0 at the end.
      
      	creator                     other
      	vsnprintf:
      	  fill (not terminated)
      	  count the rest            trace_sched_waking(p):
      	  ...                         memcpy(comm, p->comm, TASK_COMM_LEN)
      	  write \0
      
      The consequences depend on how 'other' uses the string. In our case,
      it was copied into the tracing system's saved cmdlines, a buffer of
      adjacent TASK_COMM_LEN-byte buffers (note the 'n' where 0 should be):
      
      	crash-arm64> x/1024s savedcmd->saved_cmdlines | grep 'evenk'
      	0xffffffd5b3818640:     "irq/497-pwr_evenkworker/u16:12"
      
      ...and a strcpy out of there would cause stack corruption:
      
      	[224761.522292] Kernel panic - not syncing: stack-protector:
      	    Kernel stack is corrupted in: ffffff9bf9783c78
      
      	crash-arm64> kbt | grep 'comm\|trace_print_context'
      	#6  0xffffff9bf9783c78 in trace_print_context+0x18c(+396)
      	      comm (char [16]) =  "irq/497-pwr_even"
      
      	crash-arm64> rd 0xffffffd4d0e17d14 8
      	ffffffd4d0e17d14:  2f71726900000000 5f7277702d373934   ....irq/497-pwr_
      	ffffffd4d0e17d24:  726f776b6e657665 3a3631752f72656b   evenkworker/u16:
      	ffffffd4d0e17d34:  f9780248ff003231 cede60e0ffffff9b   12..H.x......`..
      	ffffffd4d0e17d44:  cede60c8ffffffd4 00000fffffffffd4   .....`..........
      
      The workaround in e09e2867 (use strlcpy in __trace_find_cmdline) was
      likely needed because of this same bug.
      
      Solved by vsnprintf:ing to a local buffer, then using set_task_comm().
      This way, there won't be a window where comm is not terminated.
      
      Link: http://lkml.kernel.org/r/20180726071539.188015-1-snild@sony.com
      
      Cc: stable@vger.kernel.org
      Fixes: bc0c38d1 ("ftrace: latency tracer infrastructure")
      Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: Snild Dolkow <snild@sony.com>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
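
Added example (not part of the commit or the kernel source): a single-threaded C model of the window described in the commit message above, with the reader's memcpy placed between the fill and the terminating write, followed by the local-buffer approach. The names `saved`, `slot_strlen`, `snapshot_racy`, `snapshot_fixed` and the thread name `irq/497-pwr_event` are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TASK_COMM_LEN 16
/* Constructed stand-in for saved cmdlines: two adjacent 16-byte slots. */
static char saved[2 * TASK_COMM_LEN];

/* Length a C-string reader sees from slot i, bounded by the array. */
static size_t slot_strlen(int i)
{
    size_t off = (size_t)i * TASK_COMM_LEN, n = 0;
    while (off + n < sizeof(saved) && saved[off + n] != '\0')
        n++;
    return n;
}

/* Before: the reader's memcpy lands between "fill" and "write \0". */
static void snapshot_racy(int slot, const char *fmt, ...)
{
    char full[64] = { 0 }, comm[TASK_COMM_LEN];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(full, sizeof(full), fmt, ap);
    va_end(ap);
    memcpy(comm, full, TASK_COMM_LEN);  /* fill: byte 15 may be non-NUL */
    memcpy(saved + slot * TASK_COMM_LEN, comm, TASK_COMM_LEN); /* reader */
    comm[TASK_COMM_LEN - 1] = '\0';     /* terminator arrives too late */
}

/* After: format into a local buffer first; comm[15] is never non-NUL. */
static void snapshot_fixed(int slot, const char *fmt, ...)
{
    char local[TASK_COMM_LEN], comm[TASK_COMM_LEN] = { 0 };
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(local, sizeof(local), fmt, ap);   /* truncates and terminates */
    va_end(ap);
    memcpy(comm, local, strlen(local));         /* at most 15 bytes */
    memcpy(saved + slot * TASK_COMM_LEN, comm, TASK_COMM_LEN); /* reader */
}

int main(void)
{
    snapshot_fixed(1, "kworker/u%d:%d", 16, 12);
    snapshot_racy(0, "irq/%d-pwr_event", 497);  /* constructed name */
    printf("racy slot 0 reads %zu bytes\n", slot_strlen(0));
    snapshot_fixed(0, "irq/%d-pwr_event", 497);
    printf("fixed slot 0 reads %zu bytes\n", slot_strlen(0));
}
```

With the racy copy, a string read of slot 0 runs on into slot 1, reproducing the "irq/497-pwr_evenkworker/u16:12" value shown in the crash output.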
    • tracing: Quiet gcc warning about maybe unused link variable · 2519c1bb
      Steven Rostedt (VMware) authored
      Commit 57ea2a34 ("tracing/kprobes: Fix trace_probe flags on
      enable_trace_kprobe() failure") added an if statement that depends on another
      if statement that gcc doesn't see will initialize the "link" variable and
      gives the warning:
      
       "warning: 'link' may be used uninitialized in this function"
      
      It is really a false positive, but to quiet the warning, and also to make
      sure that it never actually is used uninitialized, initialize the "link"
      variable to NULL and add an if (!WARN_ON_ONCE(!link)) where the compiler
      thinks it could be used uninitialized.
      
      Cc: stable@vger.kernel.org
      Fixes: 57ea2a34 ("tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure")
      Reported-by: kbuild test robot <lkp@intel.com>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    • tracing: Fix possible double free in event_enable_trigger_func() · 15cc7864
      Steven Rostedt (VMware) authored
      There was a case that triggered a double free in event_trigger_callback()
      due to the called reg() function freeing the trigger_data and then it
      getting freed again by the error return by the caller. The solution there
      was to up the trigger_data ref count.
      
      Code inspection found that event_enable_trigger_func() has the same issue,
      but is not as easy to trigger (requires harder-to-trigger failures). It
      needs to be solved slightly differently as it needs more to clean up when the
      reg() function fails.
      
      Link: http://lkml.kernel.org/r/20180725124008.7008e586@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Fixes: 7862ad18 ("tracing: Add 'enable_event' and 'disable_event' event trigger commands")
      Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>