- Linux-stable-mirror - lists.linaro.org

patch "stm class: Fix a module refcount leak in policy creation error path" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled stm class: Fix a module refcount leak in policy creation error path to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From c18614a1a11276837bdd44403d84d207c9951538 Mon Sep 17 00:00:00 2001 From: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Date: Wed, 19 Dec 2018 17:19:20 +0200 Subject: stm class: Fix a module refcount leak in policy creation error path Commit c7fd62bc69d0 ("stm class: Introduce framing protocol drivers") adds a bug into the error path of policy creation, that would do a module_put() on a wrong module, if one tried to create a policy for an stm device which already has a policy, using a different protocol. IOW, | mkdir /config/stp-policy/dummy_stm.0:p_basic.test | mkdir /config/stp-policy/dummy_stm.0:p_sys-t.test # puts "p_basic" | mkdir /config/stp-policy/dummy_stm.0:p_sys-t.test # "p_basic" -> -1 throws: | general protection fault: 0000 [#1] SMP PTI | CPU: 3 PID: 2887 Comm: mkdir | RIP: 0010:module_put.part.31+0xe/0x90 | Call Trace: | module_put+0x13/0x20 | stm_put_protocol+0x11/0x20 [stm_core] | stp_policy_make+0xf1/0x210 [stm_core] | ? __kmalloc+0x183/0x220 | ? configfs_mkdir+0x10d/0x4c0 | configfs_mkdir+0x169/0x4c0 | vfs_mkdir+0x108/0x1c0 | do_mkdirat+0xe8/0x110 | __x64_sys_mkdir+0x1b/0x20 | do_syscall_64+0x5a/0x140 | entry_SYSCALL_64_after_hwframe+0x44/0xa9 Correct this sad mistake by calling calling 'put' on the correct reference, which happens to match another error path in the same function, so we consolidate the two at the same time. Signed-off-by: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Fixes: c7fd62bc69d0 ("stm class: Introduce framing protocol drivers") Reported-by: Ammy Yi <ammy.yi(a)intel.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/hwtracing/stm/policy.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/hwtracing/stm/policy.c b/drivers/hwtracing/stm/policy.c index 0910ec807187..4b9e44b227d8 100644 --- a/drivers/hwtracing/stm/policy.c +++ b/drivers/hwtracing/stm/policy.c @@ -440,10 +440,8 @@ stp_policy_make(struct config_group *group, const char *name) stm->policy = kzalloc(sizeof(*stm->policy), GFP_KERNEL); if (!stm->policy) { - mutex_unlock(&stm->policy_mutex); - stm_put_protocol(pdrv); - stm_put_device(stm); - return ERR_PTR(-ENOMEM); + ret = ERR_PTR(-ENOMEM); + goto unlock_policy; } config_group_init_type_name(&stm->policy->group, name, @@ -458,7 +456,11 @@ stp_policy_make(struct config_group *group, const char *name) mutex_unlock(&stm->policy_mutex); if (IS_ERR(ret)) { - stm_put_protocol(stm->pdrv); + /* + * pdrv and stm->pdrv at this point can be quite different, + * and only one of them needs to be 'put' + */ + stm_put_protocol(pdrv); stm_put_device(stm); } -- 2.20.1

6 years, 8 months

1
0
0 0

[PATCH v2 3/3] intel_th: msu: Fix an off-by-one in attribute store

by Alexander Shishkin

The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated list of window sizes, passed from userspace. However, there is a bug in the string parsing logic wherein it doesn't exclude the comma character from the range of characters as it consumes them. This leads to an out-of-bounds access given a sufficiently long list. For example: > # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages > ================================================================== > BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40 > Read of size 1 at addr ffff8803ffcebcd1 by task sh/825 > > CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+ > Call Trace: > dump_stack+0x7c/0xc0 > print_address_description+0x6c/0x23c > ? memchr+0x1e/0x40 > kasan_report.cold.5+0x241/0x308 > memchr+0x1e/0x40 > nr_pages_store+0x203/0xd00 [intel_th_msu] Fix this by accounting for the comma character. Signed-off-by: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver") Cc: stable(a)vger.kernel.org # v4.4+ --- drivers/hwtracing/intel_th/msu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c index d293e55553bd..ba7aaf421f36 100644 --- a/drivers/hwtracing/intel_th/msu.c +++ b/drivers/hwtracing/intel_th/msu.c @@ -1423,7 +1423,8 @@ nr_pages_store(struct device *dev, struct device_attribute *attr, if (!end) break; - len -= end - p; + /* consume the number and the following comma, hence +1 */ + len -= end - p + 1; p = end + 1; } while (len); -- 2.19.2

6 years, 8 months

2
1
0 0

Linux 4.19.11

by Greg KH

I'm announcing the release of the 4.19.11 kernel. All users of the 4.19 kernel series must upgrade. The updated 4.19.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/bcm2837-rpi-3-b-plus.dts | 2 arch/arm/boot/dts/bcm2837-rpi-3-b.dts | 2 arch/arm/boot/dts/qcom-apq8064-arrow-sd-600eval.dts | 5 arch/arm/mach-mmp/cputype.h | 6 arch/arm64/mm/dma-mapping.c | 2 arch/powerpc/kernel/legacy_serial.c | 6 arch/powerpc/kernel/msi.c | 7 arch/x86/Makefile | 10 - block/bio.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 36 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 6 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h | 2 drivers/gpu/drm/amd/powerplay/smumgr/polaris10_smumgr.c | 6 drivers/gpu/drm/amd/powerplay/smumgr/smumgr.c | 3 drivers/gpu/drm/i915/gvt/fb_decoder.c | 2 drivers/gpu/drm/i915/intel_lrc.c | 7 drivers/gpu/drm/msm/disp/dpu1/dpu_dbg.c | 8 - drivers/gpu/drm/nouveau/dispnv50/disp.c | 30 ++- drivers/gpu/drm/rockchip/rockchip_drm_drv.c | 6 drivers/i2c/busses/i2c-aspeed.c | 4 drivers/md/dm-cache-metadata.c | 4 drivers/md/dm-thin.c | 68 ++++---- drivers/md/dm-zoned-target.c | 122 ++++------------ drivers/md/dm.c | 2 drivers/media/common/videobuf2/videobuf2-core.c | 4 drivers/mmc/core/block.c | 15 + drivers/mmc/host/omap.c | 11 + drivers/mmc/host/sdhci-omap.c | 12 + drivers/mmc/host/sdhci.c | 18 +- drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 2 drivers/scsi/raid_class.c | 4 drivers/slimbus/qcom-ngd-ctrl.c | 6 drivers/staging/olpc_dcon/Kconfig | 1 fs/aio.c | 2 fs/fuse/dir.c | 2 fs/fuse/file.c | 21 +- fs/fuse/fuse_i.h | 2 fs/iomap.c | 7 fs/overlayfs/dir.c | 14 + fs/overlayfs/export.c | 6 fs/userfaultfd.c | 3 init/Kconfig | 5 kernel/sched/core.c | 7 kernel/sched/fair.c | 2 kernel/sched/pelt.c | 2 kernel/sched/pelt.h | 2 kernel/sched/sched.h | 5 kernel/trace/ftrace.c | 1 kernel/trace/trace_events_filter.c | 5 kernel/trace/trace_events_trigger.c | 6 scripts/spdxcheck.py | 6 53 files changed, 310 insertions(+), 218 deletions(-) Aaro Koskinen (1): MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 Alek Du (1): mmc: sdhci: fix the timeout check window for clock and reset Alex Deucher (3): drm/amdkfd: add new vega10 pci ids drm/amdgpu: add some additional vega10 pci ids drm/amdgpu: update smu firmware images for VI variants (v2) Amir Goldstein (2): ovl: fix decode of dir file handle with multi lower layers ovl: fix missing override creds in link of a metacopy upper Andrea Arcangeli (1): userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered Arnd Bergmann (5): scsi: raid_attrs: fix unused variable warning slimbus: ngd: mark PM functions as __maybe_unused i2c: aspeed: fix build warning ARM: dts: qcom-apq8064-arrow-sd-600eval fix graph_endpoint warning drm/msm: fix address space warning Ben Skeggs (1): drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer Benjamin Herrenschmidt (1): powerpc: Look for "stdout-path" when setting up legacy consoles Brian Norris (1): Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" Chad Austin (1): fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS Chen-Yu Tsai (1): pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 Chris Wilson (1): drm/i915/execlists: Apply a full mb before execution for Braswell Damien Le Moal (1): dm zoned: Fix target BIO completion handling Faiz Abbas (1): mmc: sdhci-omap: Fix DCRC error handling during tuning Greg Kroah-Hartman (1): Linux 4.19.11 Hans Verkuil (1): media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed Jeff Moyer (1): aio: fix spectre gadget in lookup_ioctx Junwei Zhang (1): drm/amdgpu: update SMC firmware image for polaris10 variants Keith Busch (1): block/bio: Do not zero user pages Kenneth Feng (1): drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI Lubomir Rintel (2): staging: olpc_dcon: add a missing dependency ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt Lyude Paul (1): drm/nouveau/kms: Fix memory leak in nv50_mstm_del() Masahiro Yamada (1): x86/build: Fix compiler support check for CONFIG_RETPOLINE Mike Snitzer (3): dm thin: send event about thin-pool state change _after_ making it dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty() dm: call blk_queue_split() to impose device limits on bios Piotr Jaroszynski (1): fs/iomap.c: get/put the page in iomap_page_create/release() Radu Rendec (1): powerpc/msi: Fix NULL pointer access in teardown code Robin Murphy (1): arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing Stefan Wahren (1): ARM: dts: bcm2837: Fix polarity of wifi reset GPIOs Steven Rostedt (VMware) (3): tracing: Fix memory leak in create_filter() tracing: Fix memory leak in set_trigger_filter() tracing: Fix memory leak of instance function hash filters Thierry Reding (1): scripts/spdxcheck.py: always open files in binary mode Tina Zhang (1): drm/i915/gvt: Fix tiled memory decoding bug on BDW Vincent Guittot (1): sched/pelt: Fix warning and clean up IRQ PELT config Wolfram Sang (1): mmc: core: use mrq->sbc when sending CMD23 for RPMB

6 years, 8 months

1
1
0 0

[PATCH 4.19 00/44] 4.19.11-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.19.11 release. There are 44 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Dec 20 16:39:02 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.11-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.19.11-rc1 Masahiro Yamada <yamada.masahiro(a)socionext.com> x86/build: Fix compiler support check for CONFIG_RETPOLINE Damien Le Moal <damien.lemoal(a)wdc.com> dm zoned: Fix target BIO completion handling Junwei Zhang <Jerry.Zhang(a)amd.com> drm/amdgpu: update SMC firmware image for polaris10 variants Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: update smu firmware images for VI variants (v2) Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add some additional vega10 pci ids Alex Deucher <alexander.deucher(a)amd.com> drm/amdkfd: add new vega10 pci ids Kenneth Feng <kenneth.feng(a)amd.com> drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI Chris Wilson <chris(a)chris-wilson.co.uk> drm/i915/execlists: Apply a full mb before execution for Braswell Tina Zhang <tina.zhang(a)intel.com> drm/i915/gvt: Fix tiled memory decoding bug on BDW Brian Norris <briannorris(a)chromium.org> Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" Ben Skeggs <bskeggs(a)redhat.com> drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer Lyude Paul <lyude(a)redhat.com> drm/nouveau/kms: Fix memory leak in nv50_mstm_del() Benjamin Herrenschmidt <benh(a)kernel.crashing.org> powerpc: Look for "stdout-path" when setting up legacy consoles Radu Rendec <radu.rendec(a)gmail.com> powerpc/msi: Fix NULL pointer access in teardown code Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix memory leak of instance function hash filters Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix memory leak in set_trigger_filter() Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix memory leak in create_filter() Mike Snitzer <snitzer(a)redhat.com> dm: call blk_queue_split() to impose device limits on bios Mike Snitzer <snitzer(a)redhat.com> dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty() Mike Snitzer <snitzer(a)redhat.com> dm thin: send event about thin-pool state change _after_ making it Stefan Wahren <stefan.wahren(a)i2se.com> ARM: dts: bcm2837: Fix polarity of wifi reset GPIOs Lubomir Rintel <lkundrak(a)v3.sk> ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt Chad Austin <chadaustin(a)fb.com> fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS Alek Du <alek.du(a)intel.com> mmc: sdhci: fix the timeout check window for clock and reset Faiz Abbas <faiz_abbas(a)ti.com> mmc: sdhci-omap: Fix DCRC error handling during tuning Wolfram Sang <wsa+renesas(a)sang-engineering.com> mmc: core: use mrq->sbc when sending CMD23 for RPMB Aaro Koskinen <aaro.koskinen(a)iki.fi> MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 Amir Goldstein <amir73il(a)gmail.com> ovl: fix missing override creds in link of a metacopy upper Amir Goldstein <amir73il(a)gmail.com> ovl: fix decode of dir file handle with multi lower layers Keith Busch <keith.busch(a)intel.com> block/bio: Do not zero user pages Robin Murphy <robin.murphy(a)arm.com> arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing Andrea Arcangeli <aarcange(a)redhat.com> userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered Piotr Jaroszynski <pjaroszynski(a)nvidia.com> fs/iomap.c: get/put the page in iomap_page_create/release() Thierry Reding <treding(a)nvidia.com> scripts/spdxcheck.py: always open files in binary mode Jeff Moyer <jmoyer(a)redhat.com> aio: fix spectre gadget in lookup_ioctx Chen-Yu Tsai <wens(a)csie.org> pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 Arnd Bergmann <arnd(a)arndb.de> drm/msm: fix address space warning Arnd Bergmann <arnd(a)arndb.de> ARM: dts: qcom-apq8064-arrow-sd-600eval fix graph_endpoint warning Arnd Bergmann <arnd(a)arndb.de> i2c: aspeed: fix build warning Arnd Bergmann <arnd(a)arndb.de> slimbus: ngd: mark PM functions as __maybe_unused Lubomir Rintel <lkundrak(a)v3.sk> staging: olpc_dcon: add a missing dependency Arnd Bergmann <arnd(a)arndb.de> scsi: raid_attrs: fix unused variable warning Vincent Guittot <vincent.guittot(a)linaro.org> sched/pelt: Fix warning and clean up IRQ PELT config ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/bcm2837-rpi-3-b-plus.dts | 2 +- arch/arm/boot/dts/bcm2837-rpi-3-b.dts | 2 +- .../arm/boot/dts/qcom-apq8064-arrow-sd-600eval.dts | 5 + arch/arm/mach-mmp/cputype.h | 6 +- arch/arm64/mm/dma-mapping.c | 2 +- arch/powerpc/kernel/legacy_serial.c | 6 +- arch/powerpc/kernel/msi.c | 7 +- arch/x86/Makefile | 10 +- block/bio.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 36 +++++- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 6 + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 + drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h | 2 + .../drm/amd/powerplay/smumgr/polaris10_smumgr.c | 6 + drivers/gpu/drm/amd/powerplay/smumgr/smumgr.c | 3 + drivers/gpu/drm/i915/gvt/fb_decoder.c | 2 +- drivers/gpu/drm/i915/intel_lrc.c | 7 +- drivers/gpu/drm/msm/disp/dpu1/dpu_dbg.c | 8 +- drivers/gpu/drm/nouveau/dispnv50/disp.c | 30 +++-- drivers/gpu/drm/rockchip/rockchip_drm_drv.c | 6 - drivers/i2c/busses/i2c-aspeed.c | 4 +- drivers/md/dm-cache-metadata.c | 4 + drivers/md/dm-thin.c | 68 ++++++------ drivers/md/dm-zoned-target.c | 122 +++++++-------------- drivers/md/dm.c | 2 + drivers/media/common/videobuf2/videobuf2-core.c | 4 +- drivers/mmc/core/block.c | 15 ++- drivers/mmc/host/omap.c | 11 +- drivers/mmc/host/sdhci-omap.c | 12 +- drivers/mmc/host/sdhci.c | 18 ++- drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 2 +- drivers/scsi/raid_class.c | 4 +- drivers/slimbus/qcom-ngd-ctrl.c | 6 +- drivers/staging/olpc_dcon/Kconfig | 1 + fs/aio.c | 2 + fs/fuse/dir.c | 2 +- fs/fuse/file.c | 21 ++-- fs/fuse/fuse_i.h | 2 +- fs/iomap.c | 7 ++ fs/overlayfs/dir.c | 14 ++- fs/overlayfs/export.c | 6 +- fs/userfaultfd.c | 3 +- init/Kconfig | 5 + kernel/sched/core.c | 7 +- kernel/sched/fair.c | 2 +- kernel/sched/pelt.c | 2 +- kernel/sched/pelt.h | 2 +- kernel/sched/sched.h | 5 +- kernel/trace/ftrace.c | 1 + kernel/trace/trace_events_filter.c | 5 +- kernel/trace/trace_events_trigger.c | 6 +- scripts/spdxcheck.py | 6 +- 53 files changed, 311 insertions(+), 219 deletions(-)

6 years, 8 months

5
52
0 0

patch "usb: r8a66597: Fix a possible concurrency use-after-free bug in" added to usb-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: r8a66597: Fix a possible concurrency use-after-free bug in to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From c85400f886e3d41e69966470879f635a2b50084c Mon Sep 17 00:00:00 2001 From: Jia-Ju Bai <baijiaju1990(a)gmail.com> Date: Tue, 18 Dec 2018 20:04:25 +0800 Subject: usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may be concurrently executed. The two functions both access a possible shared variable "hep->hcpriv". This shared variable is freed by r8a66597_endpoint_disable() via the call path: r8a66597_endpoint_disable kfree(hep->hcpriv) (line 1995 in Linux-4.19) This variable is read by r8a66597_urb_enqueue() via the call path: r8a66597_urb_enqueue spin_lock_irqsave(&r8a66597->lock) init_pipe_info enable_r8a66597_pipe pipe = hep->hcpriv (line 802 in Linux-4.19) The read operation is protected by a spinlock, but the free operation is not protected by this spinlock, thus a concurrency use-after-free bug may occur. To fix this bug, the spin-lock and spin-unlock function calls in r8a66597_endpoint_disable() are moved to protect the free operation. Signed-off-by: Jia-Ju Bai <baijiaju1990(a)gmail.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/r8a66597-hcd.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c index 984892dd72f5..42668aeca57c 100644 --- a/drivers/usb/host/r8a66597-hcd.c +++ b/drivers/usb/host/r8a66597-hcd.c @@ -1979,6 +1979,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, static void r8a66597_endpoint_disable(struct usb_hcd *hcd, struct usb_host_endpoint *hep) +__acquires(r8a66597->lock) +__releases(r8a66597->lock) { struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd); struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv; @@ -1991,13 +1993,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd, return; pipenum = pipe->info.pipenum; + spin_lock_irqsave(&r8a66597->lock, flags); if (pipenum == 0) { kfree(hep->hcpriv); hep->hcpriv = NULL; + spin_unlock_irqrestore(&r8a66597->lock, flags); return; } - spin_lock_irqsave(&r8a66597->lock, flags); pipe_stop(r8a66597, pipe); pipe_irq_disable(r8a66597, pipenum); disable_irq_empty(r8a66597, pipenum); -- 2.20.1

6 years, 8 months

1
0
0 0

patch "driver core: Add missing dev->bus->need_parent_lock checks" added to driver-core-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled driver core: Add missing dev->bus->need_parent_lock checks to my driver-core git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git in the driver-core-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From e121a833745b4708b660e3fe6776129c2956b041 Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> Date: Thu, 13 Dec 2018 19:27:47 +0100 Subject: driver core: Add missing dev->bus->need_parent_lock checks __device_release_driver() has to check dev->bus->need_parent_lock before dropping the parent lock and acquiring it again as it may attempt to drop a lock that hasn't been acquired or lock a device that shouldn't be locked and create a lock imbalance. Fixes: 8c97a46af04b (driver core: hold dev's parent lock when needed) Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Cc: stable <stable(a)vger.kernel.org> Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/base/dd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/base/dd.c b/drivers/base/dd.c index 88713f182086..8ac10af17c00 100644 --- a/drivers/base/dd.c +++ b/drivers/base/dd.c @@ -933,11 +933,11 @@ static void __device_release_driver(struct device *dev, struct device *parent) if (drv) { while (device_links_busy(dev)) { device_unlock(dev); - if (parent) + if (parent && dev->bus->need_parent_lock) device_unlock(parent); device_links_unbind_consumers(dev); - if (parent) + if (parent && dev->bus->need_parent_lock) device_lock(parent); device_lock(dev); -- 2.20.1

6 years, 8 months

1
0
0 0

[WRONG] KVM: arm/arm64: vgic: fix off-by-one bug in vgic_get_irq()

by Gustavo A. R. Silva

Hi Marc, This is wrong: commit 6022fcc0e87a0eb5e9a72b15ed70dd29ebcb7343 The above is not my original patch and it should not be tagged for stable, as it introduces the same kind of bug I intended to fix: array_index_nospec() can now return kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS and this is not what you want. So, in this case the following line of code is just fine as it is: intid = array_index_nospec(intid, kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS); As the commit log says, my patch fixes: commit 41b87599c74300027f305d7b34368ec558978ff2 not both: commit 41b87599c74300027f305d7b34368ec558978ff2 and commit bea2ef803ade3359026d5d357348842bca9edcf1 If you want to apply the fix on top of bea2ef803ade3359026d5d357348842bca9edcf1 then you should apply this instead: diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c index bb1a83345741..e607547c7bb0 100644 --- a/virt/kvm/arm/vgic/vgic.c +++ b/virt/kvm/arm/vgic/vgic.c @@ -103,7 +103,7 @@ struct vgic_irq *vgic_get_irq(struct kvm *kvm, struct kvm_vcpu *vcpu, { /* SGIs and PPIs */ if (intid <= VGIC_MAX_PRIVATE) { - intid = array_index_nospec(intid, VGIC_MAX_PRIVATE); + intid = array_index_nospec(intid, VGIC_MAX_PRIVATE + 1); return &vcpu->arch.vgic_cpu.private_irqs[intid]; } The commit log should remain the same. Thanks -- Gustavo

6 years, 8 months

2
1
0 0

[ANNOUNCE] Linux kernel CVE tracker

by Ben Hutchings

As part of my work for the Civil Infrastructure Platform, I've been tracking security issues in the kernel and trying to ensure that the fixes are applied to stable branches as necessary. The "kernel-sec" repository at <https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec> contains information about known issues and scripts to aid in maintaining and viewing that information. Issues are identified by CVE ID and their status is recorded for mainline and all live stable branches. I import most of the information from distribution security trackers, and from upstream commit references in stable branch commit messages. Manual editing is needed mostly to correct errors in these sources, or where the commits fixing an issue in a stable branch don't correspond exactly to the commits fixing it in mainline. I recently added a local web application that allows browsing the status of all branches and issues, complete with links to references and related commits. There is also a simple reporting script that lists open issues for each branch. If you're interested in security support for stable branches, please take a look at this. I would welcome merge requests to add to the issue data or to improve the scripts. Ben. -- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom

6 years, 8 months

1
0
0 0

patch "binder: fix use-after-free due to ksys_close() during fdget()" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled binder: fix use-after-free due to ksys_close() during fdget() to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 80cd795630d6526ba729a089a435bf74a57af927 Mon Sep 17 00:00:00 2001 From: Todd Kjos <tkjos(a)android.com> Date: Fri, 14 Dec 2018 15:58:21 -0800 Subject: binder: fix use-after-free due to ksys_close() during fdget() 44d8047f1d8 ("binder: use standard functions to allocate fds") exposed a pre-existing issue in the binder driver. fdget() is used in ksys_ioctl() as a performance optimization. One of the rules associated with fdget() is that ksys_close() must not be called between the fdget() and the fdput(). There is a case where this requirement is not met in the binder driver which results in the reference count dropping to 0 when the device is still in use. This can result in use-after-free or other issues. If userpace has passed a file-descriptor for the binder driver using a BINDER_TYPE_FDA object, then kys_close() is called on it when handling a binder_ioctl(BC_FREE_BUFFER) command. This violates the assumptions for using fdget(). The problem is fixed by deferring the close using task_work_add(). A new variant of __close_fd() was created that returns a struct file with a reference. The fput() is deferred instead of using ksys_close(). Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Todd Kjos <tkjos(a)google.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/android/binder.c | 63 ++++++++++++++++++++++++++++++++++++++-- fs/file.c | 29 ++++++++++++++++++ include/linux/fdtable.h | 1 + 3 files changed, 91 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index d653e8a474fc..210940bd0457 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -72,6 +72,7 @@ #include <linux/spinlock.h> #include <linux/ratelimit.h> #include <linux/syscalls.h> +#include <linux/task_work.h> #include <uapi/linux/android/binder.h> @@ -2170,6 +2171,64 @@ static bool binder_validate_fixup(struct binder_buffer *b, return (fixup_offset >= last_min_offset); } +/** + * struct binder_task_work_cb - for deferred close + * + * @twork: callback_head for task work + * @fd: fd to close + * + * Structure to pass task work to be handled after + * returning from binder_ioctl() via task_work_add(). + */ +struct binder_task_work_cb { + struct callback_head twork; + struct file *file; +}; + +/** + * binder_do_fd_close() - close list of file descriptors + * @twork: callback head for task work + * + * It is not safe to call ksys_close() during the binder_ioctl() + * function if there is a chance that binder's own file descriptor + * might be closed. This is to meet the requirements for using + * fdget() (see comments for __fget_light()). Therefore use + * task_work_add() to schedule the close operation once we have + * returned from binder_ioctl(). This function is a callback + * for that mechanism and does the actual ksys_close() on the + * given file descriptor. + */ +static void binder_do_fd_close(struct callback_head *twork) +{ + struct binder_task_work_cb *twcb = container_of(twork, + struct binder_task_work_cb, twork); + + fput(twcb->file); + kfree(twcb); +} + +/** + * binder_deferred_fd_close() - schedule a close for the given file-descriptor + * @fd: file-descriptor to close + * + * See comments in binder_do_fd_close(). This function is used to schedule + * a file-descriptor to be closed after returning from binder_ioctl(). + */ +static void binder_deferred_fd_close(int fd) +{ + struct binder_task_work_cb *twcb; + + twcb = kzalloc(sizeof(*twcb), GFP_KERNEL); + if (!twcb) + return; + init_task_work(&twcb->twork, binder_do_fd_close); + __close_fd_get_file(fd, &twcb->file); + if (twcb->file) + task_work_add(current, &twcb->twork, true); + else + kfree(twcb); +} + static void binder_transaction_buffer_release(struct binder_proc *proc, struct binder_buffer *buffer, binder_size_t *failed_at) @@ -2309,7 +2368,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, } fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset); for (fd_index = 0; fd_index < fda->num_fds; fd_index++) - ksys_close(fd_array[fd_index]); + binder_deferred_fd_close(fd_array[fd_index]); } break; default: pr_err("transaction release %d bad object type %x\n", @@ -3928,7 +3987,7 @@ static int binder_apply_fd_fixups(struct binder_transaction *t) } else if (ret) { u32 *fdp = (u32 *)(t->buffer->data + fixup->offset); - ksys_close(*fdp); + binder_deferred_fd_close(*fdp); } list_del(&fixup->fixup_entry); kfree(fixup); diff --git a/fs/file.c b/fs/file.c index 7ffd6e9d103d..8d059d8973e9 100644 --- a/fs/file.c +++ b/fs/file.c @@ -640,6 +640,35 @@ int __close_fd(struct files_struct *files, unsigned fd) } EXPORT_SYMBOL(__close_fd); /* for ksys_close() */ +/* + * variant of __close_fd that gets a ref on the file for later fput + */ +int __close_fd_get_file(unsigned int fd, struct file **res) +{ + struct files_struct *files = current->files; + struct file *file; + struct fdtable *fdt; + + spin_lock(&files->file_lock); + fdt = files_fdtable(files); + if (fd >= fdt->max_fds) + goto out_unlock; + file = fdt->fd[fd]; + if (!file) + goto out_unlock; + rcu_assign_pointer(fdt->fd[fd], NULL); + __put_unused_fd(files, fd); + spin_unlock(&files->file_lock); + get_file(file); + *res = file; + return filp_close(file, files); + +out_unlock: + spin_unlock(&files->file_lock); + *res = NULL; + return -ENOENT; +} + void do_close_on_exec(struct files_struct *files) { unsigned i; diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h index 41615f38bcff..f07c55ea0c22 100644 --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -121,6 +121,7 @@ extern void __fd_install(struct files_struct *files, unsigned int fd, struct file *file); extern int __close_fd(struct files_struct *files, unsigned int fd); +extern int __close_fd_get_file(unsigned int fd, struct file **res); extern struct kmem_cache *files_cachep; -- 2.20.1

6 years, 8 months

1
0
0 0

Re: [PATCH 2/2] efi: efi_guid_t must be 64-bit aligned

by Ard Biesheuvel

On Tue, 18 Dec 2018 at 21:41, Sasha Levin <sashal(a)kernel.org> wrote: > > Hi, > > [This is an automated email] > > This commit has been processed because it contains a -stable tag. > The stable tag indicates that it's relevant for the following trees: all > > The bot has tested the following trees: v4.19.10, v4.14.89, v4.9.146, v4.4.168, v3.18.130, > Please disregard this patch for -stable until we decide how we are going to fix the 32-bit array packing issue. > v4.19.10: Build OK! > v4.14.89: Build OK! > v4.9.146: Failed to apply! Possible dependencies: > 2f74f09bce4f ("efi: parse ARM processor error") > 5b53696a30d5 ("ACPI / APEI: Switch to use new generic UUID API") > bbcc2e7b642e ("ras: acpi/apei: cper: add support for generic data v3 structure") > c0020756315e ("efi: switch to use new generic UUID API") > > v4.4.168: Failed to apply! Possible dependencies: > 2c23b73c2d02 ("x86/efi: Prepare GOP handling code for reuse as generic code") > 2f74f09bce4f ("efi: parse ARM processor error") > 5b53696a30d5 ("ACPI / APEI: Switch to use new generic UUID API") > ba7e34b1bbd2 ("include/linux/efi.h: redefine type, constant, macro from generic code") > bbcc2e7b642e ("ras: acpi/apei: cper: add support for generic data v3 structure") > c0020756315e ("efi: switch to use new generic UUID API") > > v3.18.130: Failed to apply! Possible dependencies: > 1bd0abb0c924 ("arm64/efi: set EFI_ALLOC_ALIGN to 64 KB") > 23a0d4e8fa6d ("efi: Disable interrupts around EFI calls, not in the epilog/prolog calls") > 2c23b73c2d02 ("x86/efi: Prepare GOP handling code for reuse as generic code") > 2f74f09bce4f ("efi: parse ARM processor error") > 4c62360d7562 ("efi: Handle memory error structures produced based on old versions of standard") > 4ee20980812b ("arm64: fix data type for physical address") > 5b53696a30d5 ("ACPI / APEI: Switch to use new generic UUID API") > 60305db98845 ("arm64/efi: move virtmap init to early initcall") > 744937b0b12a ("efi: Clean up the efi_call_phys_[prolog|epilog]() save/restore interaction") > 790a2ee24278 ("Merge tag 'efi-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into core/efi") > 8a53554e12e9 ("x86/efi: Fix multiple GOP device support") > 8ce837cee8f5 ("arm64/mm: add create_pgd_mapping() to create private page tables") > 9679be103108 ("arm64/efi: remove idmap manipulations from UEFI code") > a352ea3e197b ("arm64/efi: set PE/COFF file alignment to 512 bytes") > b05b9f5f9dcf ("x86, mirror: x86 enabling - find mirrored memory ranges") > ba7e34b1bbd2 ("include/linux/efi.h: redefine type, constant, macro from generic code") > bbcc2e7b642e ("ras: acpi/apei: cper: add support for generic data v3 structure") > c0020756315e ("efi: switch to use new generic UUID API") > d1ae8c005792 ("arm64: dmi: Add SMBIOS/DMI support") > da141706aea5 ("arm64: add better page protections to arm64") > e1e1fddae74b ("arm64/mm: add explicit struct_mm argument to __create_mapping()") > ea6bc80d1819 ("arm64/efi: set PE/COFF section alignment to 4 KB") > f3cdfd239da5 ("arm64/efi: move SetVirtualAddressMap() to UEFI stub") > > > How should we proceed with this patch? > > -- > Thanks, > Sasha

6 years, 8 months

2
1
0 0

[PATCH AUTOSEL 4.19 01/73] mac80211_hwsim: fix module init error paths for netlink

by Sasha Levin

From: Alexey Khoroshilov <khoroshilov(a)ispras.ru> [ Upstream commit 05cc09de4c017663a217630682041066f2f9a5cd ] There is no unregister netlink notifier and family on error paths in init_mac80211_hwsim(). Also there is an error path where hwsim_class is not destroyed. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Fixes: 62759361eb49 ("mac80211-hwsim: Provide multicast event for HWSIM_CMD_NEW_RADIO") Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/mac80211_hwsim.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 07442ada6dd0..6532cb25a333 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -3712,16 +3712,16 @@ static int __init init_mac80211_hwsim(void) if (err) goto out_unregister_pernet; + err = hwsim_init_netlink(); + if (err) + goto out_unregister_driver; + hwsim_class = class_create(THIS_MODULE, "mac80211_hwsim"); if (IS_ERR(hwsim_class)) { err = PTR_ERR(hwsim_class); - goto out_unregister_driver; + goto out_exit_netlink; } - err = hwsim_init_netlink(); - if (err < 0) - goto out_unregister_driver; - for (i = 0; i < radios; i++) { struct hwsim_new_radio_params param = { 0 }; @@ -3827,6 +3827,8 @@ static int __init init_mac80211_hwsim(void) free_netdev(hwsim_mon); out_free_radios: mac80211_hwsim_free(); +out_exit_netlink: + hwsim_exit_netlink(); out_unregister_driver: platform_driver_unregister(&mac80211_hwsim_driver); out_unregister_pernet: -- 2.19.1

6 years, 8 months

4
78
0 0

patch "driver core: Add missing dev->bus->need_parent_lock checks" added to driver-core-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled driver core: Add missing dev->bus->need_parent_lock checks to my driver-core git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git in the driver-core-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the driver-core-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From e121a833745b4708b660e3fe6776129c2956b041 Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> Date: Thu, 13 Dec 2018 19:27:47 +0100 Subject: driver core: Add missing dev->bus->need_parent_lock checks __device_release_driver() has to check dev->bus->need_parent_lock before dropping the parent lock and acquiring it again as it may attempt to drop a lock that hasn't been acquired or lock a device that shouldn't be locked and create a lock imbalance. Fixes: 8c97a46af04b (driver core: hold dev's parent lock when needed) Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Cc: stable <stable(a)vger.kernel.org> Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/base/dd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/base/dd.c b/drivers/base/dd.c index 88713f182086..8ac10af17c00 100644 --- a/drivers/base/dd.c +++ b/drivers/base/dd.c @@ -933,11 +933,11 @@ static void __device_release_driver(struct device *dev, struct device *parent) if (drv) { while (device_links_busy(dev)) { device_unlock(dev); - if (parent) + if (parent && dev->bus->need_parent_lock) device_unlock(parent); device_links_unbind_consumers(dev); - if (parent) + if (parent && dev->bus->need_parent_lock) device_lock(parent); device_lock(dev); -- 2.20.1

6 years, 8 months

1
0
0 0

RE: [PATCH 12/25] clocksource/drivers/arc_timer: Utilize generic sched_clock

by Alexey Brodkin

Hi Sasha, > -----Original Message----- > From: Sasha Levin [mailto:sashal@kernel.org] > Sent: Wednesday, December 19, 2018 4:25 AM > To: Sasha Levin <sashal(a)kernel.org>; Daniel Lezcano <daniel.lezcano(a)linaro.org>; Alexey Brodkin <alexey.brodkin(a)synopsys.com>; > tglx(a)linutronix.de > Cc: linux-kernel(a)vger.kernel.org; Daniel Lezcano <daniel.lezcano(a)linaro.org>; Vineet Gupta <vineet.gupta1(a)synopsys.com>; > Thomas Gleixner <tglx(a)linutronix.de>; stable(a)vger.kernel.org; stable(a)vger.kernel.org > Subject: Re: [PATCH 12/25] clocksource/drivers/arc_timer: Utilize generic sched_clock > > Hi, > > [This is an automated email] > > This commit has been processed because it contains a -stable tag. > The stable tag indicates that it's relevant for the following trees: all > > The bot has tested the following trees: v4.19.10, v4.14.89, v4.9.146, v4.4.168, v3.18.130, > > v4.19.10: Build OK! > v4.14.89: Failed to apply! Possible dependencies: > Unable to calculate Here we just need a bit updated hunk due to missing [1] which was only introduced in v4.15: -------------------------->8------------------------ --- a/drivers/clocksource/Kconfig +++ b/drivers/clocksource/Kconfig @@ -299,6 +299,7 @@ config CLKSRC_MPS2 config ARC_TIMERS bool "Support for 32-bit TIMERn counters in ARC Cores" if COMPILE_TEST depends on GENERIC_CLOCKEVENTS + depends on GENERIC_SCHED_CLOCK select TIMER_OF help These are legacy 32-bit TIMER0 and TIMER1 counters found on all ARC cores -------------------------->8------------------------ > v4.9.146: Failed to apply! Possible dependencies: > v4.4.168: Failed to apply! Possible dependencies: > v3.18.130: Failed to apply! Possible dependencies: Everything below v4.10 we'll need to drop as ARC timers were only imported in v4.10, see [2]. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -Alexey

6 years, 8 months

1
0
0 0

patch "binder: fix use-after-free due to ksys_close() during fdget()" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled binder: fix use-after-free due to ksys_close() during fdget() to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 80cd795630d6526ba729a089a435bf74a57af927 Mon Sep 17 00:00:00 2001 From: Todd Kjos <tkjos(a)android.com> Date: Fri, 14 Dec 2018 15:58:21 -0800 Subject: binder: fix use-after-free due to ksys_close() during fdget() 44d8047f1d8 ("binder: use standard functions to allocate fds") exposed a pre-existing issue in the binder driver. fdget() is used in ksys_ioctl() as a performance optimization. One of the rules associated with fdget() is that ksys_close() must not be called between the fdget() and the fdput(). There is a case where this requirement is not met in the binder driver which results in the reference count dropping to 0 when the device is still in use. This can result in use-after-free or other issues. If userpace has passed a file-descriptor for the binder driver using a BINDER_TYPE_FDA object, then kys_close() is called on it when handling a binder_ioctl(BC_FREE_BUFFER) command. This violates the assumptions for using fdget(). The problem is fixed by deferring the close using task_work_add(). A new variant of __close_fd() was created that returns a struct file with a reference. The fput() is deferred instead of using ksys_close(). Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds") Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Todd Kjos <tkjos(a)google.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/android/binder.c | 63 ++++++++++++++++++++++++++++++++++++++-- fs/file.c | 29 ++++++++++++++++++ include/linux/fdtable.h | 1 + 3 files changed, 91 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index d653e8a474fc..210940bd0457 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -72,6 +72,7 @@ #include <linux/spinlock.h> #include <linux/ratelimit.h> #include <linux/syscalls.h> +#include <linux/task_work.h> #include <uapi/linux/android/binder.h> @@ -2170,6 +2171,64 @@ static bool binder_validate_fixup(struct binder_buffer *b, return (fixup_offset >= last_min_offset); } +/** + * struct binder_task_work_cb - for deferred close + * + * @twork: callback_head for task work + * @fd: fd to close + * + * Structure to pass task work to be handled after + * returning from binder_ioctl() via task_work_add(). + */ +struct binder_task_work_cb { + struct callback_head twork; + struct file *file; +}; + +/** + * binder_do_fd_close() - close list of file descriptors + * @twork: callback head for task work + * + * It is not safe to call ksys_close() during the binder_ioctl() + * function if there is a chance that binder's own file descriptor + * might be closed. This is to meet the requirements for using + * fdget() (see comments for __fget_light()). Therefore use + * task_work_add() to schedule the close operation once we have + * returned from binder_ioctl(). This function is a callback + * for that mechanism and does the actual ksys_close() on the + * given file descriptor. + */ +static void binder_do_fd_close(struct callback_head *twork) +{ + struct binder_task_work_cb *twcb = container_of(twork, + struct binder_task_work_cb, twork); + + fput(twcb->file); + kfree(twcb); +} + +/** + * binder_deferred_fd_close() - schedule a close for the given file-descriptor + * @fd: file-descriptor to close + * + * See comments in binder_do_fd_close(). This function is used to schedule + * a file-descriptor to be closed after returning from binder_ioctl(). + */ +static void binder_deferred_fd_close(int fd) +{ + struct binder_task_work_cb *twcb; + + twcb = kzalloc(sizeof(*twcb), GFP_KERNEL); + if (!twcb) + return; + init_task_work(&twcb->twork, binder_do_fd_close); + __close_fd_get_file(fd, &twcb->file); + if (twcb->file) + task_work_add(current, &twcb->twork, true); + else + kfree(twcb); +} + static void binder_transaction_buffer_release(struct binder_proc *proc, struct binder_buffer *buffer, binder_size_t *failed_at) @@ -2309,7 +2368,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, } fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset); for (fd_index = 0; fd_index < fda->num_fds; fd_index++) - ksys_close(fd_array[fd_index]); + binder_deferred_fd_close(fd_array[fd_index]); } break; default: pr_err("transaction release %d bad object type %x\n", @@ -3928,7 +3987,7 @@ static int binder_apply_fd_fixups(struct binder_transaction *t) } else if (ret) { u32 *fdp = (u32 *)(t->buffer->data + fixup->offset); - ksys_close(*fdp); + binder_deferred_fd_close(*fdp); } list_del(&fixup->fixup_entry); kfree(fixup); diff --git a/fs/file.c b/fs/file.c index 7ffd6e9d103d..8d059d8973e9 100644 --- a/fs/file.c +++ b/fs/file.c @@ -640,6 +640,35 @@ int __close_fd(struct files_struct *files, unsigned fd) } EXPORT_SYMBOL(__close_fd); /* for ksys_close() */ +/* + * variant of __close_fd that gets a ref on the file for later fput + */ +int __close_fd_get_file(unsigned int fd, struct file **res) +{ + struct files_struct *files = current->files; + struct file *file; + struct fdtable *fdt; + + spin_lock(&files->file_lock); + fdt = files_fdtable(files); + if (fd >= fdt->max_fds) + goto out_unlock; + file = fdt->fd[fd]; + if (!file) + goto out_unlock; + rcu_assign_pointer(fdt->fd[fd], NULL); + __put_unused_fd(files, fd); + spin_unlock(&files->file_lock); + get_file(file); + *res = file; + return filp_close(file, files); + +out_unlock: + spin_unlock(&files->file_lock); + *res = NULL; + return -ENOENT; +} + void do_close_on_exec(struct files_struct *files) { unsigned i; diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h index 41615f38bcff..f07c55ea0c22 100644 --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -121,6 +121,7 @@ extern void __fd_install(struct files_struct *files, unsigned int fd, struct file *file); extern int __close_fd(struct files_struct *files, unsigned int fd); +extern int __close_fd_get_file(unsigned int fd, struct file **res); extern struct kmem_cache *files_cachep; -- 2.20.1

6 years, 8 months

1
0
0 0

[PATCH V2] scsi: lpfc: Switch memcpy_fromio() to __read32_copy()

by Huacai Chen

In commit bc73905abf770192 ("[SCSI] lpfc 8.3.16: SLI Additions, updates, and code cleanup"), lpfc_memcpy_to_slim() have switched memcpy_toio() to __write32_copy() in order to prevent unaligned 64 bit copy. Recently, we found that lpfc_memcpy_from_slim() have similar issues, so let it switch memcpy_fromio() to __read32_copy(). As maintainer says, it seems that we can hardly see a real "unaligned 64 bit copy", but this patch is still useful. Because in our tests we found that lpfc doesn't support 128 bit access, but some optimized memcpy() use 128 bit access (at lease on Loongson). Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhc(a)lemote.com> --- V2: Update commit message. drivers/scsi/lpfc/lpfc_compat.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_compat.h b/drivers/scsi/lpfc/lpfc_compat.h index 43cf46a..0cd1e3c 100644 --- a/drivers/scsi/lpfc/lpfc_compat.h +++ b/drivers/scsi/lpfc/lpfc_compat.h @@ -91,8 +91,8 @@ lpfc_memcpy_to_slim( void __iomem *dest, void *src, unsigned int bytes) static inline void lpfc_memcpy_from_slim( void *dest, void __iomem *src, unsigned int bytes) { - /* actually returns 1 byte past dest */ - memcpy_fromio( dest, src, bytes); + /* convert bytes in argument list to word count for copy function */ + __ioread32_copy(dest, src, bytes / sizeof(uint32_t)); } #endif /* __BIG_ENDIAN */ -- 2.7.0

6 years, 8 months

1
0
0 0

patch "serial: uartps: Fix interrupt mask issue to handle the RX interrupts" added to tty-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled serial: uartps: Fix interrupt mask issue to handle the RX interrupts to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the tty-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 260683137ab5276113fc322fdbbc578024185fee Mon Sep 17 00:00:00 2001 From: Nava kishore Manne <nava.manne(a)xilinx.com> Date: Tue, 18 Dec 2018 13:18:42 +0100 Subject: serial: uartps: Fix interrupt mask issue to handle the RX interrupts properly This patch Correct the RX interrupt mask value to handle the RX interrupts properly. Fixes: c8dbdc842d30 ("serial: xuartps: Rewrite the interrupt handling logic") Signed-off-by: Nava kishore Manne <nava.manne(a)xilinx.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Michal Simek <michal.simek(a)xilinx.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/serial/xilinx_uartps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c index c6d38617d622..094f2958cb2b 100644 --- a/drivers/tty/serial/xilinx_uartps.c +++ b/drivers/tty/serial/xilinx_uartps.c @@ -123,7 +123,7 @@ MODULE_PARM_DESC(rx_timeout, "Rx timeout, 1-255"); #define CDNS_UART_IXR_RXTRIG 0x00000001 /* RX FIFO trigger interrupt */ #define CDNS_UART_IXR_RXFULL 0x00000004 /* RX FIFO full interrupt. */ #define CDNS_UART_IXR_RXEMPTY 0x00000002 /* RX FIFO empty interrupt. */ -#define CDNS_UART_IXR_MASK 0x00001FFF /* Valid bit mask */ +#define CDNS_UART_IXR_RXMASK 0x000021e7 /* Valid RX bit mask */ /* * Do not enable parity error interrupt for the following @@ -364,7 +364,7 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id) cdns_uart_handle_tx(dev_id); isrstatus &= ~CDNS_UART_IXR_TXEMPTY; } - if (isrstatus & CDNS_UART_IXR_MASK) + if (isrstatus & CDNS_UART_IXR_RXMASK) cdns_uart_handle_rx(dev_id, isrstatus); spin_unlock(&port->lock); -- 2.20.1

6 years, 8 months

1
0
0 0

patch "usb: r8a66597: Fix a possible concurrency use-after-free bug in" added to usb-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: r8a66597: Fix a possible concurrency use-after-free bug in to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the usb-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From c85400f886e3d41e69966470879f635a2b50084c Mon Sep 17 00:00:00 2001 From: Jia-Ju Bai <baijiaju1990(a)gmail.com> Date: Tue, 18 Dec 2018 20:04:25 +0800 Subject: usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may be concurrently executed. The two functions both access a possible shared variable "hep->hcpriv". This shared variable is freed by r8a66597_endpoint_disable() via the call path: r8a66597_endpoint_disable kfree(hep->hcpriv) (line 1995 in Linux-4.19) This variable is read by r8a66597_urb_enqueue() via the call path: r8a66597_urb_enqueue spin_lock_irqsave(&r8a66597->lock) init_pipe_info enable_r8a66597_pipe pipe = hep->hcpriv (line 802 in Linux-4.19) The read operation is protected by a spinlock, but the free operation is not protected by this spinlock, thus a concurrency use-after-free bug may occur. To fix this bug, the spin-lock and spin-unlock function calls in r8a66597_endpoint_disable() are moved to protect the free operation. Signed-off-by: Jia-Ju Bai <baijiaju1990(a)gmail.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/r8a66597-hcd.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c index 984892dd72f5..42668aeca57c 100644 --- a/drivers/usb/host/r8a66597-hcd.c +++ b/drivers/usb/host/r8a66597-hcd.c @@ -1979,6 +1979,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, static void r8a66597_endpoint_disable(struct usb_hcd *hcd, struct usb_host_endpoint *hep) +__acquires(r8a66597->lock) +__releases(r8a66597->lock) { struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd); struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv; @@ -1991,13 +1993,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd, return; pipenum = pipe->info.pipenum; + spin_lock_irqsave(&r8a66597->lock, flags); if (pipenum == 0) { kfree(hep->hcpriv); hep->hcpriv = NULL; + spin_unlock_irqrestore(&r8a66597->lock, flags); return; } - spin_lock_irqsave(&r8a66597->lock, flags); pipe_stop(r8a66597, pipe); pipe_irq_disable(r8a66597, pipenum); disable_irq_empty(r8a66597, pipenum); -- 2.20.1

6 years, 8 months

1
0
0 0

Re: [PATCH] fs: fix possible Spectre V1 indexing in __close_fd()

by Greg KH

On Mon, Oct 15, 2018 at 06:54:31AM -0700, Omer Tripp wrote: > Hi Greg and all, > > Here is my analysis of the complete gadget, and looking forward to your > corrections/feedback if there are any inaccuracies: > > > 1. > > __close_fd() is reachable via the close() syscall with a user-controlled > fd. > 2. > > If said bounds check is mispredicted, then a user-controlled address > fdt->fd[fd] is obtained then dereferenced, and the value of a > user-controlled address is loaded into the local variable file. > 3. > > file is then passed as an argument to filp_close, where the cache > lines secret > + offsetof(f_op) and secret + offsetof(f_mode) are hot and vulnerable to > a timing channel attack. > > > The mitigation proposed by Greg Hackmann blocks this gadget. What ever happened to this patch? Did it get reposted? If not, can someone please do so with this text in the changelog? thanks, greg k-h

6 years, 8 months

1
0
0 0

[PATCH] xen/netfront: tolerate frags with no data

by Juergen Gross

At least old Xen net backends seem to send frags with no real data sometimes. In case such a fragment happens to occur with the frag limit already reached the frontend will BUG currently even if this situation is easily recoverable. Modify the BUG_ON() condition accordingly. Cc: stable(a)vger.kernel.org Tested-by: Dietmar Hahn <dietmar.hahn(a)ts.fujitsu.com> Signed-off-by: Juergen Gross <jgross(a)suse.com> --- drivers/net/xen-netfront.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index f17f602e6171..5b97cc946d70 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -905,7 +905,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) { unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; - BUG_ON(pull_to <= skb_headlen(skb)); + BUG_ON(pull_to < skb_headlen(skb)); __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); } if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { -- 2.16.4

6 years, 8 months

2
2
0 0

[PATCH] f2fs: fix missing unlock(sbi->gc_mutex)

by Jaegeuk Kim

This fixes missing unlock call. Cc: <stable(a)vger.kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> --- fs/f2fs/super.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index b79677639108..2689a2cb56cc 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -1462,6 +1462,9 @@ static int f2fs_disable_checkpoint(struct f2fs_sb_info *sbi) while (!f2fs_time_over(sbi, DISABLE_TIME)) { err = f2fs_gc(sbi, true, false, NULL_SEGNO); + + /* f2fs_gc guarantees unlock gc_mutex */ + mutex_lock(&sbi->gc_mutex); if (err == -ENODATA) break; if (err && err != -EAGAIN) { -- 2.19.0.605.g01d371f741-goog

6 years, 8 months

2
3
0 0

[PATCH] dm zoned: Fix target BIO completion handling

by Damien Le Moal

commit d57f9da890696af1484f4a47f7f123560197865a upstream. struct bioctx includes the ref refcount_t to track the number of I/O fragments used to process a target BIO as well as ensure that the zone of the BIO is kept in the active state throughout the lifetime of the BIO. However, since decrementing of this reference count is done in the target .end_io method, the function bio_endio() must be called multiple times for read and write target BIOs, which causes problems with the value of the __bi_remaining struct bio field for chained BIOs (e.g. the clone BIO passed by dm core is large and splits into fragments by the block layer), resulting in incorrect values and inconsistencies with the BIO_CHAIN flag setting. This is turn triggers the BUG_ON() call: BUG_ON(atomic_read(&bio->__bi_remaining) <= 0); in bio_remaining_done() called from bio_endio(). Fix this ensuring that bio_endio() is called only once for any target BIO by always using internal clone BIOs for processing any read or write target BIO. This allows reference counting using the target BIO context counter to trigger the target BIO completion bio_endio() call once all data, metadata and other zone work triggered by the BIO complete. Overall, this simplifies the code too as the target .end_io becomes unnecessary and differences between read and write BIO issuing and completion processing disappear. Fixes: 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target") Cc: stable(a)vger.kernel.org #4.14 Signed-off-by: Damien Le Moal <damien.lemoal(a)wdc.com> Signed-off-by: Mike Snitzer <snitzer(a)redhat.com> --- drivers/md/dm-zoned-target.c | 122 +++++++++++------------------------ 1 file changed, 38 insertions(+), 84 deletions(-) diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c index ba6b0a90ecfb..532bfce7f072 100644 --- a/drivers/md/dm-zoned-target.c +++ b/drivers/md/dm-zoned-target.c @@ -20,7 +20,6 @@ struct dmz_bioctx { struct dm_zone *zone; struct bio *bio; atomic_t ref; - blk_status_t status; }; /* @@ -78,65 +77,66 @@ static inline void dmz_bio_endio(struct bio *bio, blk_status_t status) { struct dmz_bioctx *bioctx = dm_per_bio_data(bio, sizeof(struct dmz_bioctx)); - if (bioctx->status == BLK_STS_OK && status != BLK_STS_OK) - bioctx->status = status; - bio_endio(bio); + if (status != BLK_STS_OK && bio->bi_status == BLK_STS_OK) + bio->bi_status = status; + + if (atomic_dec_and_test(&bioctx->ref)) { + struct dm_zone *zone = bioctx->zone; + + if (zone) { + if (bio->bi_status != BLK_STS_OK && + bio_op(bio) == REQ_OP_WRITE && + dmz_is_seq(zone)) + set_bit(DMZ_SEQ_WRITE_ERR, &zone->flags); + dmz_deactivate_zone(zone); + } + bio_endio(bio); + } } /* - * Partial clone read BIO completion callback. This terminates the + * Completion callback for an internally cloned target BIO. This terminates the * target BIO when there are no more references to its context. */ -static void dmz_read_bio_end_io(struct bio *bio) +static void dmz_clone_endio(struct bio *clone) { - struct dmz_bioctx *bioctx = bio->bi_private; - blk_status_t status = bio->bi_status; + struct dmz_bioctx *bioctx = clone->bi_private; + blk_status_t status = clone->bi_status; - bio_put(bio); + bio_put(clone); dmz_bio_endio(bioctx->bio, status); } /* - * Issue a BIO to a zone. The BIO may only partially process the + * Issue a clone of a target BIO. The clone may only partially process the * original target BIO. */ -static int dmz_submit_read_bio(struct dmz_target *dmz, struct dm_zone *zone, - struct bio *bio, sector_t chunk_block, - unsigned int nr_blocks) +static int dmz_submit_bio(struct dmz_target *dmz, struct dm_zone *zone, + struct bio *bio, sector_t chunk_block, + unsigned int nr_blocks) { struct dmz_bioctx *bioctx = dm_per_bio_data(bio, sizeof(struct dmz_bioctx)); - sector_t sector; struct bio *clone; - /* BIO remap sector */ - sector = dmz_start_sect(dmz->metadata, zone) + dmz_blk2sect(chunk_block); - - /* If the read is not partial, there is no need to clone the BIO */ - if (nr_blocks == dmz_bio_blocks(bio)) { - /* Setup and submit the BIO */ - bio->bi_iter.bi_sector = sector; - atomic_inc(&bioctx->ref); - generic_make_request(bio); - return 0; - } - - /* Partial BIO: we need to clone the BIO */ clone = bio_clone_fast(bio, GFP_NOIO, dmz->bio_set); if (!clone) return -ENOMEM; - /* Setup the clone */ - clone->bi_iter.bi_sector = sector; + bio_set_dev(clone, dmz->dev->bdev); + clone->bi_iter.bi_sector = + dmz_start_sect(dmz->metadata, zone) + dmz_blk2sect(chunk_block); clone->bi_iter.bi_size = dmz_blk2sect(nr_blocks) << SECTOR_SHIFT; - clone->bi_end_io = dmz_read_bio_end_io; + clone->bi_end_io = dmz_clone_endio; clone->bi_private = bioctx; bio_advance(bio, clone->bi_iter.bi_size); - /* Submit the clone */ atomic_inc(&bioctx->ref); generic_make_request(clone); + if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone)) + zone->wp_block += nr_blocks; + return 0; } @@ -214,7 +214,7 @@ static int dmz_handle_read(struct dmz_target *dmz, struct dm_zone *zone, if (nr_blocks) { /* Valid blocks found: read them */ nr_blocks = min_t(unsigned int, nr_blocks, end_block - chunk_block); - ret = dmz_submit_read_bio(dmz, rzone, bio, chunk_block, nr_blocks); + ret = dmz_submit_bio(dmz, rzone, bio, chunk_block, nr_blocks); if (ret) return ret; chunk_block += nr_blocks; @@ -228,25 +228,6 @@ static int dmz_handle_read(struct dmz_target *dmz, struct dm_zone *zone, return 0; } -/* - * Issue a write BIO to a zone. - */ -static void dmz_submit_write_bio(struct dmz_target *dmz, struct dm_zone *zone, - struct bio *bio, sector_t chunk_block, - unsigned int nr_blocks) -{ - struct dmz_bioctx *bioctx = dm_per_bio_data(bio, sizeof(struct dmz_bioctx)); - - /* Setup and submit the BIO */ - bio_set_dev(bio, dmz->dev->bdev); - bio->bi_iter.bi_sector = dmz_start_sect(dmz->metadata, zone) + dmz_blk2sect(chunk_block); - atomic_inc(&bioctx->ref); - generic_make_request(bio); - - if (dmz_is_seq(zone)) - zone->wp_block += nr_blocks; -} - /* * Write blocks directly in a data zone, at the write pointer. * If a buffer zone is assigned, invalidate the blocks written @@ -265,7 +246,9 @@ static int dmz_handle_direct_write(struct dmz_target *dmz, return -EROFS; /* Submit write */ - dmz_submit_write_bio(dmz, zone, bio, chunk_block, nr_blocks); + ret = dmz_submit_bio(dmz, zone, bio, chunk_block, nr_blocks); + if (ret) + return ret; /* * Validate the blocks in the data zone and invalidate @@ -301,7 +284,9 @@ static int dmz_handle_buffered_write(struct dmz_target *dmz, return -EROFS; /* Submit write */ - dmz_submit_write_bio(dmz, bzone, bio, chunk_block, nr_blocks); + ret = dmz_submit_bio(dmz, bzone, bio, chunk_block, nr_blocks); + if (ret) + return ret; /* * Validate the blocks in the buffer zone @@ -600,7 +585,6 @@ static int dmz_map(struct dm_target *ti, struct bio *bio) bioctx->zone = NULL; bioctx->bio = bio; atomic_set(&bioctx->ref, 1); - bioctx->status = BLK_STS_OK; /* Set the BIO pending in the flush list */ if (!nr_sectors && bio_op(bio) == REQ_OP_WRITE) { @@ -623,35 +607,6 @@ static int dmz_map(struct dm_target *ti, struct bio *bio) return DM_MAPIO_SUBMITTED; } -/* - * Completed target BIO processing. - */ -static int dmz_end_io(struct dm_target *ti, struct bio *bio, blk_status_t *error) -{ - struct dmz_bioctx *bioctx = dm_per_bio_data(bio, sizeof(struct dmz_bioctx)); - - if (bioctx->status == BLK_STS_OK && *error) - bioctx->status = *error; - - if (!atomic_dec_and_test(&bioctx->ref)) - return DM_ENDIO_INCOMPLETE; - - /* Done */ - bio->bi_status = bioctx->status; - - if (bioctx->zone) { - struct dm_zone *zone = bioctx->zone; - - if (*error && bio_op(bio) == REQ_OP_WRITE) { - if (dmz_is_seq(zone)) - set_bit(DMZ_SEQ_WRITE_ERR, &zone->flags); - } - dmz_deactivate_zone(zone); - } - - return DM_ENDIO_DONE; -} - /* * Get zoned device information. */ @@ -946,7 +901,6 @@ static struct target_type dmz_type = { .ctr = dmz_ctr, .dtr = dmz_dtr, .map = dmz_map, - .end_io = dmz_end_io, .io_hints = dmz_io_hints, .prepare_ioctl = dmz_prepare_ioctl, .postsuspend = dmz_suspend, -- 2.19.2

6 years, 8 months

1
0
0 0

Re: [PATCH 1/3] x86/pkeys: properly copy pkey state at fork()

by Thomas Gleixner

On Wed, 12 Dec 2018, Dave Hansen wrote: > From: Dave Hansen <dave.hansen(a)linux.intel.com> > > Memory protection key behavior should be the same in a child as it was > in the parent before a fork. But, there is a bug that resets the > state in the child at fork instead of preserving it. > > Our creation of new mm's is a bit convoluted. At fork(), the code > does: > > 1. memcpy() the parent mm to initialize child > 2. mm_init() to initalize some select stuff stuff > 3. dup_mmap() to create true copies that memcpy() > did not do right. > > For pkeys, we need to preserve two bits of state across a fork: > 'execute_only_pkey' and 'pkey_allocation_map'. Those are preserved by > the memcpy(), which I thought did the right thing. But, mm_init() > calls init_new_context(), which I thought was *only* for execve()-time > and overwrites 'execute_only_pkey' and 'pkey_allocation_map' with > "new" values. But, alas, init_new_context() is used at execve() and > fork(). > > The result is that, after a fork(), the child's pkey state ends up > looking like it does after an execve(), which is totally wrong. pkeys > that are already allocated can be allocated again, for instance. > > To fix this, add code called by dup_mmap() to copy the pkey state from > parent to child explicitly. Also add a comment above init_new_context() > to make it more clear to the next poor sod what this code is used for. > > Fixes: e8c24d3a23a ("x86/pkeys: Allocation/free syscalls") > Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> > Cc: Thomas Gleixner <tglx(a)linutronix.de> > Cc: Ingo Molnar <mingo(a)redhat.com> > Cc: Borislav Petkov <bp(a)alien8.de> > Cc: "H. Peter Anvin" <hpa(a)zytor.com> > Cc: x86(a)kernel.org > Cc: Dave Hansen <dave.hansen(a)linux.intel.com> > Cc: Peter Zijlstra <peterz(a)infradead.org> > Cc: Michael Ellerman <mpe(a)ellerman.id.au> > Cc: Will Deacon <will.deacon(a)arm.com> > Cc: Andy Lutomirski <luto(a)kernel.org> > Cc: Joerg Roedel <jroedel(a)suse.de> > Cc: stable(a)vger.kernel.org Reviewed-by: Thomas Gleixner <tglx(a)linutronix.de>

6 years, 8 months

1
0
0 0

[PATCH STABLE v4.9 00/10] Backport for "cache line starvation on x86

by Sebastian Andrzej Siewior

[ resending without broken headers ] this is a backport of commit 7aa54be297655 ("locking/qspinlock, x86: Provide liveness guarantee") for the v4.9 stable tree. For the v4.4 tree the ARCH_USE_QUEUED_SPINLOCKS option got disabled on x86. For v4.9 it has been decided to do a minimal backport of the final fix (including all its dependencies). With this backport I can't reproduce the issue in the latest v4.9-RT tree. I was able to boot (and use) an arm64 box with these patches so it is not broken in an abvious way. Sebastian

6 years, 8 months

2
11
0 0

[PATCH 2/3] hugetlbfs: Use i_mmap_rwsem to fix page fault/truncate race

by Mike Kravetz

hugetlbfs page faults can race with truncate and hole punch operations. Current code in the page fault path attempts to handle this by 'backing out' operations if we encounter the race. One obvious omission in the current code is removing a page newly added to the page cache. This is pretty straight forward to address, but there is a more subtle and difficult issue of backing out hugetlb reservations. To handle this correctly, the 'reservation state' before page allocation needs to be noted so that it can be properly backed out. There are four distinct possibilities for reservation state: shared/reserved, shared/no-resv, private/reserved and private/no-resv. Backing out a reservation may require memory allocation which could fail so that needs to be taken into account as well. Instead of writing the required complicated code for this rare occurrence, just eliminate the race. i_mmap_rwsem is now held in read mode for the duration of page fault processing. Hold i_mmap_rwsem longer in truncation and hold punch code to cover the call to remove_inode_hugepages. Cc: <stable(a)vger.kernel.org> Fixes: ebed4bfc8da8 ("hugetlb: fix absurd HugePages_Rsvd") Signed-off-by: Mike Kravetz <mike.kravetz(a)oracle.com> --- fs/hugetlbfs/inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 32920a10100e..3244147fc42b 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -505,8 +505,8 @@ static int hugetlb_vmtruncate(struct inode *inode, loff_t offset) i_mmap_lock_write(mapping); if (!RB_EMPTY_ROOT(&mapping->i_mmap.rb_root)) hugetlb_vmdelete_list(&mapping->i_mmap, pgoff, 0); - i_mmap_unlock_write(mapping); remove_inode_hugepages(inode, offset, LLONG_MAX); + i_mmap_unlock_write(mapping); return 0; } @@ -540,8 +540,8 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len) hugetlb_vmdelete_list(&mapping->i_mmap, hole_start >> PAGE_SHIFT, hole_end >> PAGE_SHIFT); - i_mmap_unlock_write(mapping); remove_inode_hugepages(inode, hole_start, hole_end); + i_mmap_unlock_write(mapping); inode_unlock(inode); } -- 2.17.2

6 years, 8 months

3
5
0 0

[PATCH STABLE v4.19 0/2] Backport for "cache line starvation on x86"

by Sebastian Andrzej Siewior

this is a backport of commit 7aa54be297655 ("locking/qspinlock, x86: Provide liveness guarantee") for the v4.19 stable tree. Initially I assumed that this was merged late in v4.19-rc but actually it is just part v4.20-rc1. For v4.19, most things are already in the tree. The GEN_BINARY_RMWcc macro is still "old" and I skipped the documentation update. Sebastian

6 years, 8 months

2
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror