1. 09 7月, 2018 2 次提交
    • L
      Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 70a2dc6a
      Linus Torvalds 提交于
      Pull ext4 bugfixes from Ted Ts'o:
       "Bug fixes for ext4; most of which relate to vulnerabilities where a
        maliciously crafted file system image can result in a kernel OOPS or
        hang.
      
        At least one fix addresses an inline data bug could be triggered by
        userspace without the need of a crafted file system (although it does
        require that the inline data feature be enabled)"
      
      * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: check superblock mapped prior to committing
        ext4: add more mount time checks of the superblock
        ext4: add more inode number paranoia checks
        ext4: avoid running out of journal credits when appending to an inline file
        jbd2: don't mark block as modified if the handle is out of credits
        ext4: never move the system.data xattr out of the inode body
        ext4: clear i_data in ext4_inode_info when removing inline data
        ext4: include the illegal physical block in the bad map ext4_error msg
        ext4: verify the depth of extent tree in ext4_find_extent()
        ext4: only look at the bg_flags field if it is valid
        ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
        ext4: always check block group bounds in ext4_init_block_bitmap()
        ext4: always verify the magic number in xattr blocks
        ext4: add corruption check in ext4_xattr_set_entry()
        ext4: add warn_on_error mount option
      70a2dc6a
    • L
      Merge tag 'pci-v4.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 8979319f
      Linus Torvalds 提交于
      Pull PCI fixes from Bjorn Helgaas:
      
       - Fix a use-after-free in the endpoint code (Dan Carpenter)
      
       - Stop defaulting CONFIG_PCIE_DW_PLAT_HOST to yes (Geert Uytterhoeven)
      
       - Fix an nfp regression caused by a change in how we limit the number
         of VFs we can enable (Jakub Kicinski)
      
       - Fix failure path cleanup issues in the new R-Car gen3 PHY support
         (Marek Vasut)
      
       - Fix leaks of OF nodes in faraday, xilinx-nwl, xilinx (Nicholas Mc
         Guire)
      
      * tag 'pci-v4.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        nfp: stop limiting VFs to 0
        PCI/IOV: Reset total_VFs limit after detaching PF driver
        PCI: faraday: Add missing of_node_put()
        PCI: xilinx-nwl: Add missing of_node_put()
        PCI: xilinx: Add missing of_node_put()
        PCI: endpoint: Use after free in pci_epf_unregister_driver()
        PCI: controller: dwc: Do not let PCIE_DW_PLAT_HOST default to yes
        PCI: rcar: Clean up PHY init on failure
        PCI: rcar: Shut the PHY down in failpath
      8979319f
  2. 08 7月, 2018 5 次提交
  3. 07 7月, 2018 5 次提交
    • L
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 624434af
      Linus Torvalds 提交于
      Pull SCSI fixes from James Bottomley:
       "This is two minor bug fixes (aacraid, target) and a fix for a
        potential exploit in the way sg handles teardown"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: sg: mitigate read/write abuse
        scsi: aacraid: Fix PD performance regression over incorrect qd being set
        scsi: target: Fix truncated PR-in ReadKeys response
      624434af
    • L
      Merge tag 'for-linus-20180706' of git://git.kernel.dk/linux-block · 29119529
      Linus Torvalds 提交于
      Pull block fixes from Jens Axboe:
       "Two minor fixes for this series:
      
         - add LOOP_SET_BLOCK_SIZE as compat ioctl (Evan Green)
      
         - drbd use-after-free fix (Lars Ellenberg)"
      
      * tag 'for-linus-20180706' of git://git.kernel.dk/linux-block:
        loop: Add LOOP_SET_BLOCK_SIZE in compat ioctl
        drbd: fix access after free
      29119529
    • L
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · c2b58149
      Linus Torvalds 提交于
      Pull clk fixes from Stephen Boyd:
       "The usual collection of driver fixlets:
      
         - build cleanup/fix for the sunxi makefile that tried to save size
           but failed and prevented dead code elimination from working
      
         - two Davinci clk driver fixes for a typo causing build failures in
           different configurations and an error check that checks the wrong
           variable.
      
         - undo the DT ABI breaking imx6ul binding header shuffle that got
           merged this cycle"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        dt-bindings: clock: imx6ul: Do not change the clock definition order
        clk: davinci: fix a typo (which leads to build failures)
        clk: davinci: cfgchip: testing the wrong variable
        clk: sunxi-ng: replace lib-y with obj-y
      c2b58149
    • L
      Merge tag 'vfio-v4.18-rc4' of git://github.com/awilliam/linux-vfio · 1bb15570
      Linus Torvalds 提交于
      Pull VFIO fixes from Alex Williamson:
      
       - Make vfio-pci IGD extensions optional via Kconfig (Alex Williamson)
      
       - Remove unused and soon to be removed map_atomic callback from mbochs
         sample driver, add unmap callback to avoid dmabuf leaks (Gerd
         Hoffmann)
      
       - Fix usage of get_user_pages_longterm() (Jason Gunthorpe)
      
       - Fix sample mbochs driver vm_operations_struct.fault return type
         (Souptick Joarder)
      
      * tag 'vfio-v4.18-rc4' of git://github.com/awilliam/linux-vfio:
        sample/vfio-mdev: Change return type to vm_fault_t
        vfio: Use get_user_pages_longterm correctly
        sample/mdev/mbochs: add mbochs_kunmap_dmabuf
        sample/mdev/mbochs: remove mbochs_kmap_atomic_dmabuf
        vfio/pci: Make IGD support a configurable option
      1bb15570
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · b4d05621
      Linus Torvalds 提交于
      Pull s390 fixes from Martin Schwidefsky:
       "A few more changes for v4.18:
      
         - wire up the two new system calls io_pgetevents and rseq
      
         - fix a register corruption in the expolines code for machines
           without EXRL
      
         - drastically reduce the memory utilization of the dasd driver
      
         - fix reference counting for KVM page table pages"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: wire up rseq system call
        s390: wire up io_pgetevents system call
        s390/mm: fix refcount usage for 4K pgste
        s390/dasd: reduce the default queue depth and nr of hardware queues
        s390: Correct register corruption in critical section cleanup
      b4d05621
  4. 06 7月, 2018 22 次提交
    • L
      Merge tag 'drm-fixes-2018-07-06' of git://anongit.freedesktop.org/drm/drm · c42c12a9
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "This is the drm fixes for rc4.
      
        It's a bit larger than I'd like but the exynos cleanups are pretty
        mechanical, and I'd rather have them in sooner rather than later so we
        can avoid too much conflicts around them. The non-mechanincal exynos
        changes are mostly fixes for new feature recently introduced.
      
        Apart from the exynos updates, we have:
      
        i915:
         - GVT and GGTT mapping fixes
      
        amdgpu:
         - fix HDMI2.0 4K@60 Hz regression
         - Hotplug fixes for dual-GPU laptops to make power management better
         - misc vega12 bios fixes, a race fix and some typos.
      
        sii8620 bridge:
         - small fixes around mode setting
      
        core:
         - use kvzalloc to allocate blob property memory"
      
      * tag 'drm-fixes-2018-07-06' of git://anongit.freedesktop.org/drm/drm: (34 commits)
        drm/amd/display: add a check for display depth validity
        drm/amd/display: adding ycbcr420 pixel encoding for hdmi
        drm/udl: fix display corruption of the last line
        drm/bridge/sii8620: Fix link mode selection
        drm/bridge/sii8620: Fix display of packed pixel modes
        drm/bridge/sii8620: Send AVI infoframe in all MHL versions
        drm/amdgpu: fix user fence write race condition
        drm/i915: Try GGTT mmapping whole object as partial
        drm/amdgpu/pm: fix display count in non-DC path
        drm/amdgpu: fix swapped emit_ib_size in vce3
        drm: Use kvzalloc for allocating blob property memory
        drm/i915/gvt: changed DDI mode emulation type
        drm/i915/gvt: fix a bug of partially write ggtt enties
        drm/exynos: Replace drm_dev_unref with drm_dev_put
        drm/exynos: Replace drm_gem_object_unreference_unlocked with put function
        drm/exynos: Replace drm_framebuffer_{un/reference} with put,get functions
        drm/exynos: ipp: use correct enum type
        drm/exynos: decon5433: Fix WINCONx reset value
        drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes
        drm/exynos: fimc: Use real buffer width for configuring the hardware
        ...
      c42c12a9
    • L
      Merge tag 'trace-v4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 97f4e142
      Linus Torvalds 提交于
      Pull tracing fixes and cleanups from Steven Rostedt:
       "While cleaning out my INBOX, I found a few patches that were lost in
        the noise. These are minor bug fixes and clean ups. Those include:
      
         - avoid a string overflow
      
         - code that didn't match the comment (but should)
      
         - a small code optimization (use of a conditional)
      
         - quiet printf warnings
      
         - nuke unused code
      
         - fix function graph interrupt annotation"
      
      * tag 'trace-v4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix missing return symbol in function_graph output
        ftrace: Nuke clear_ftrace_function
        tracing: Use __printf markup to silence compiler
        tracing: Optimize trace_buffer_iter() logic
        tracing: Make create_filter() code match the comments
        tracing: Avoid string overflow
      97f4e142
    • D
      Merge tag 'exynos-drm-fixes-for-v4.18-rc4' of... · c78d1f9d
      Dave Airlie 提交于
      Merge tag 'exynos-drm-fixes-for-v4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes
      
      Fixups
      - Fix several problems to IPPv2 merged to mainline recentely.
        . An align problem of width size that IPP driver incorrectly
          calculated the real buffer size.
        . Horizontal and vertical flip problem.
        . Per-plane global alpha for XRGB modes.
        . Incorrect variant of the YUV modes.
      - Fix plane overlapping problem.
        . The stange order of overlapping planes on XRGB modes
          by setting global alpha value to maximum value.
      
      Cleanup
      - Rename a enum type, drm_ipp_size_id, to one specific to Exynos,
        drm_exynos_ipp_limit_type.
      - Replace {un/reference} with {put,get} functions.
        . it replaces several reference/unreference functions with Linux
          kernel nameing standard.
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      
      Link: https://patchwork.freedesktop.org/patch/msgid/1530512041-21392-1-git-send-email-inki.dae@samsung.com
      c78d1f9d
    • D
      Merge branch 'drm-fixes-4.18' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · c8440a70
      Dave Airlie 提交于
      - Fix an HDMI 2.0 4k@60 regression
      - Hotplug fixes for PX/HG laptops
      - Fixes for vbios changes in vega12
      - Fix a race in the user fence code
      - Fix a couple of misc typos
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20180705155206.2752-1-alexander.deucher@amd.com
      c8440a70
    • D
      Merge tag 'drm-intel-fixes-2018-07-05' of... · 0581a5cb
      Dave Airlie 提交于
      Merge tag 'drm-intel-fixes-2018-07-05' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      A couple of GVT fixes, and a GGTT mmapping fix.
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      
      Link: https://patchwork.freedesktop.org/patch/msgid/8736wxq35t.fsf@intel.com
      0581a5cb
    • D
      Merge tag 'drm-misc-fixes-2018-07-05' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · b7716735
      Dave Airlie 提交于
      Fixes for v4.18-rc4:
      - A few small fixes for the sii8620 bridge.
      - Allocate blob property memory using kvzalloc instead of kmalloc.
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      
      Link: https://patchwork.freedesktop.org/patch/msgid/4267636e-bb7c-8f69-eeff-12e045b3e7e1@linux.intel.com
      b7716735
    • L
      Fix up non-directory creation in SGID directories · 0fa3ecd8
      Linus Torvalds 提交于
      sgid directories have special semantics, making newly created files in
      the directory belong to the group of the directory, and newly created
      subdirectories will also become sgid.  This is historically used for
      group-shared directories.
      
      But group directories writable by non-group members should not imply
      that such non-group members can magically join the group, so make sure
      to clear the sgid bit on non-directories for non-members (but remember
      that sgid without group execute means "mandatory locking", just to
      confuse things even more).
      Reported-by: NJann Horn <jannh@google.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      0fa3ecd8
    • C
      Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and clean up... · 7ec916f8
      Christoph Hellwig 提交于
      Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and clean up intel_{alloc,free}_coherent()"
      
      This commit may cause a less than required dma mask to be used for
      some allocations, which apparently leads to module load failures for
      iwlwifi sometimes.
      
      This reverts commit d657c5c7.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Reported-by: NFabio Coatti <fabio.coatti@gmail.com>
      Tested-by: NFabio Coatti <fabio.coatti@gmail.com>
      7ec916f8
    • S
      cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() · 729c0c9d
      Stefano Brivio 提交于
      smb{2,3}_create_lease_buf() store a lease key in the lease
      context for later usage on a lease break.
      
      In most paths, the key is currently sourced from data that
      happens to be on the stack near local variables for oplock in
      SMB2_open() callers, e.g. from open_shroot(), whereas
      smb2_open_file() properly allocates space on its stack for it.
      
      The address of those local variables holding the oplock is then
      passed to create_lease_buf handlers via SMB2_open(), and 16
      bytes near oplock are used. This causes a stack out-of-bounds
      access as reported by KASAN on SMB2.1 and SMB3 mounts (first
      out-of-bounds access is shown here):
      
      [  111.528823] BUG: KASAN: stack-out-of-bounds in smb3_create_lease_buf+0x399/0x3b0 [cifs]
      [  111.530815] Read of size 8 at addr ffff88010829f249 by task mount.cifs/985
      [  111.532838] CPU: 3 PID: 985 Comm: mount.cifs Not tainted 4.18.0-rc3+ #91
      [  111.534656] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      [  111.536838] Call Trace:
      [  111.537528]  dump_stack+0xc2/0x16b
      [  111.540890]  print_address_description+0x6a/0x270
      [  111.542185]  kasan_report+0x258/0x380
      [  111.544701]  smb3_create_lease_buf+0x399/0x3b0 [cifs]
      [  111.546134]  SMB2_open+0x1ef8/0x4b70 [cifs]
      [  111.575883]  open_shroot+0x339/0x550 [cifs]
      [  111.591969]  smb3_qfs_tcon+0x32c/0x1e60 [cifs]
      [  111.617405]  cifs_mount+0x4f3/0x2fc0 [cifs]
      [  111.674332]  cifs_smb3_do_mount+0x263/0xf10 [cifs]
      [  111.677915]  mount_fs+0x55/0x2b0
      [  111.679504]  vfs_kern_mount.part.22+0xaa/0x430
      [  111.684511]  do_mount+0xc40/0x2660
      [  111.698301]  ksys_mount+0x80/0xd0
      [  111.701541]  do_syscall_64+0x14e/0x4b0
      [  111.711807]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  111.713665] RIP: 0033:0x7f372385b5fa
      [  111.715311] Code: 48 8b 0d 99 78 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 66 78 2c 00 f7 d8 64 89 01 48
      [  111.720330] RSP: 002b:00007ffff27049d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  111.722601] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f372385b5fa
      [  111.724842] RDX: 000055c2ecdc73b2 RSI: 000055c2ecdc73f9 RDI: 00007ffff270580f
      [  111.727083] RBP: 00007ffff2705804 R08: 000055c2ee976060 R09: 0000000000001000
      [  111.729319] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f3723f4d000
      [  111.731615] R13: 000055c2ee976060 R14: 00007f3723f4f90f R15: 0000000000000000
      
      [  111.735448] The buggy address belongs to the page:
      [  111.737420] page:ffffea000420a7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  111.739890] flags: 0x17ffffc0000000()
      [  111.741750] raw: 0017ffffc0000000 0000000000000000 dead000000000200 0000000000000000
      [  111.744216] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  111.746679] page dumped because: kasan: bad access detected
      
      [  111.750482] Memory state around the buggy address:
      [  111.752562]  ffff88010829f100: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
      [  111.754991]  ffff88010829f180: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      [  111.757401] >ffff88010829f200: 00 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2
      [  111.759801]                                               ^
      [  111.762034]  ffff88010829f280: f2 02 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
      [  111.764486]  ffff88010829f300: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  111.766913] ==================================================================
      
      Lease keys are however already generated and stored in fid data
      on open and create paths: pass them down to the lease context
      creation handlers and use them.
      Suggested-by: NAurélien Aptel <aaptel@suse.com>
      Reviewed-by: NAurelien Aptel <aaptel@suse.com>
      Fixes: b8c32dbb ("CIFS: Request SMB2.1 leases")
      Signed-off-by: NStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      729c0c9d
    • P
      cifs: Fix infinite loop when using hard mount option · 7ffbe655
      Paulo Alcantara 提交于
      For every request we send, whether it is SMB1 or SMB2+, we attempt to
      reconnect tcon (cifs_reconnect_tcon or smb2_reconnect) before carrying
      out the request.
      
      So, while server->tcpStatus != CifsNeedReconnect, we wait for the
      reconnection to succeed on wait_event_interruptible_timeout(). If it
      returns, that means that either the condition was evaluated to true, or
      timeout elapsed, or it was interrupted by a signal.
      
      Since we're not handling the case where the process woke up due to a
      received signal (-ERESTARTSYS), the next call to
      wait_event_interruptible_timeout() will _always_ fail and we end up
      looping forever inside either cifs_reconnect_tcon() or smb2_reconnect().
      
      Here's an example of how to trigger that:
      
      $ mount.cifs //foo/share /mnt/test -o
      username=foo,password=foo,vers=1.0,hard
      
      (break connection to server before executing bellow cmd)
      $ stat -f /mnt/test & sleep 140
      [1] 2511
      
      $ ps -aux -q 2511
      USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
      root      2511  0.0  0.0  12892  1008 pts/0    S    12:24   0:00 stat -f
      /mnt/test
      
      $ kill -9 2511
      
      (wait for a while; process is stuck in the kernel)
      $ ps -aux -q 2511
      USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
      root      2511 83.2  0.0  12892  1008 pts/0    R    12:24  30:01 stat -f
      /mnt/test
      
      By using 'hard' mount point means that cifs.ko will keep retrying
      indefinitely, however we must allow the process to be killed otherwise
      it would hang the system.
      Signed-off-by: NPaulo Alcantara <palcantara@suse.de>
      Cc: stable@vger.kernel.org
      Reviewed-by: NAurelien Aptel <aaptel@suse.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      7ffbe655
    • S
      cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting · f46ecbd9
      Stefano Brivio 提交于
      A "small" CIFS buffer is not big enough in general to hold a
      setacl request for SMB2, and we end up overflowing the buffer in
      send_set_info(). For instance:
      
       # mount.cifs //127.0.0.1/test /mnt/test -o username=test,password=test,nounix,cifsacl
       # touch /mnt/test/acltest
       # getcifsacl /mnt/test/acltest
       REVISION:0x1
       CONTROL:0x9004
       OWNER:S-1-5-21-2926364953-924364008-418108241-1000
       GROUP:S-1-22-2-1001
       ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
       ACL:S-1-22-2-1001:ALLOWED/0x0/R
       ACL:S-1-22-2-1001:ALLOWED/0x0/R
       ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
       ACL:S-1-1-0:ALLOWED/0x0/R
       # setcifsacl -a "ACL:S-1-22-2-1004:ALLOWED/0x0/R" /mnt/test/acltest
      
      this setacl will cause the following KASAN splat:
      
      [  330.777927] BUG: KASAN: slab-out-of-bounds in send_set_info+0x4dd/0xc20 [cifs]
      [  330.779696] Write of size 696 at addr ffff88010d5e2860 by task setcifsacl/1012
      
      [  330.781882] CPU: 1 PID: 1012 Comm: setcifsacl Not tainted 4.18.0-rc2+ #2
      [  330.783140] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      [  330.784395] Call Trace:
      [  330.784789]  dump_stack+0xc2/0x16b
      [  330.786777]  print_address_description+0x6a/0x270
      [  330.787520]  kasan_report+0x258/0x380
      [  330.788845]  memcpy+0x34/0x50
      [  330.789369]  send_set_info+0x4dd/0xc20 [cifs]
      [  330.799511]  SMB2_set_acl+0x76/0xa0 [cifs]
      [  330.801395]  set_smb2_acl+0x7ac/0xf30 [cifs]
      [  330.830888]  cifs_xattr_set+0x963/0xe40 [cifs]
      [  330.840367]  __vfs_setxattr+0x84/0xb0
      [  330.842060]  __vfs_setxattr_noperm+0xe6/0x370
      [  330.843848]  vfs_setxattr+0xc2/0xd0
      [  330.845519]  setxattr+0x258/0x320
      [  330.859211]  path_setxattr+0x15b/0x1b0
      [  330.864392]  __x64_sys_setxattr+0xc0/0x160
      [  330.866133]  do_syscall_64+0x14e/0x4b0
      [  330.876631]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  330.878503] RIP: 0033:0x7ff2e507db0a
      [  330.880151] Code: 48 8b 0d 89 93 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 93 2c 00 f7 d8 64 89 01 48
      [  330.885358] RSP: 002b:00007ffdc4903c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
      [  330.887733] RAX: ffffffffffffffda RBX: 000055d1170de140 RCX: 00007ff2e507db0a
      [  330.890067] RDX: 000055d1170de7d0 RSI: 000055d115b39184 RDI: 00007ffdc4904818
      [  330.892410] RBP: 0000000000000001 R08: 0000000000000000 R09: 000055d1170de7e4
      [  330.894785] R10: 00000000000002b8 R11: 0000000000000246 R12: 0000000000000007
      [  330.897148] R13: 000055d1170de0c0 R14: 0000000000000008 R15: 000055d1170de550
      
      [  330.901057] Allocated by task 1012:
      [  330.902888]  kasan_kmalloc+0xa0/0xd0
      [  330.904714]  kmem_cache_alloc+0xc8/0x1d0
      [  330.906615]  mempool_alloc+0x11e/0x380
      [  330.908496]  cifs_small_buf_get+0x35/0x60 [cifs]
      [  330.910510]  smb2_plain_req_init+0x4a/0xd60 [cifs]
      [  330.912551]  send_set_info+0x198/0xc20 [cifs]
      [  330.914535]  SMB2_set_acl+0x76/0xa0 [cifs]
      [  330.916465]  set_smb2_acl+0x7ac/0xf30 [cifs]
      [  330.918453]  cifs_xattr_set+0x963/0xe40 [cifs]
      [  330.920426]  __vfs_setxattr+0x84/0xb0
      [  330.922284]  __vfs_setxattr_noperm+0xe6/0x370
      [  330.924213]  vfs_setxattr+0xc2/0xd0
      [  330.926008]  setxattr+0x258/0x320
      [  330.927762]  path_setxattr+0x15b/0x1b0
      [  330.929592]  __x64_sys_setxattr+0xc0/0x160
      [  330.931459]  do_syscall_64+0x14e/0x4b0
      [  330.933314]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  330.936843] Freed by task 0:
      [  330.938588] (stack is not available)
      
      [  330.941886] The buggy address belongs to the object at ffff88010d5e2800
       which belongs to the cache cifs_small_rq of size 448
      [  330.946362] The buggy address is located 96 bytes inside of
       448-byte region [ffff88010d5e2800, ffff88010d5e29c0)
      [  330.950722] The buggy address belongs to the page:
      [  330.952789] page:ffffea0004357880 count:1 mapcount:0 mapping:ffff880108fdca80 index:0x0 compound_mapcount: 0
      [  330.955665] flags: 0x17ffffc0008100(slab|head)
      [  330.957760] raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff880108fdca80
      [  330.960356] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      [  330.963005] page dumped because: kasan: bad access detected
      
      [  330.967039] Memory state around the buggy address:
      [  330.969255]  ffff88010d5e2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  330.971833]  ffff88010d5e2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  330.974397] >ffff88010d5e2980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
      [  330.976956]                                            ^
      [  330.979226]  ffff88010d5e2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  330.981755]  ffff88010d5e2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  330.984225] ==================================================================
      
      Fix this by allocating a regular CIFS buffer in
      smb2_plain_req_init() if the request command is SMB2_SET_INFO.
      Reported-by: NJianhong Yin <jiyin@redhat.com>
      Fixes: 366ed846 ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function")
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: NStefano Brivio <sbrivio@redhat.com>
      Reviewed-and-tested-by: NAurelien Aptel <aaptel@suse.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      f46ecbd9
    • P
      cifs: Fix memory leak in smb2_set_ea() · 6aa0c114
      Paulo Alcantara 提交于
      This patch fixes a memory leak when doing a setxattr(2) in SMB2+.
      Signed-off-by: NPaulo Alcantara <palcantara@suse.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Reviewed-by: NAurelien Aptel <aaptel@suse.com>
      6aa0c114
    • R
      cifs: fix SMB1 breakage · 81f39f95
      Ronnie Sahlberg 提交于
      SMB1 mounting broke in commit 35e2cc1b
      ("cifs: Use correct packet length in SMB2_TRANSFORM header")
      Fix it and also rename smb2_rqst_len to smb_rqst_len
      to make it less unobvious that the function is also called from
      CIFS/SMB1
      
      Good job by Paulo reviewing and cleaning up Ronnie's original patch.
      Signed-off-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: NPaulo Alcantara <palcantara@suse.de>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      81f39f95
    • P
      cifs: Fix validation of signed data in smb2 · 8de8c460
      Paulo Alcantara 提交于
      Fixes: c713c877 ("cifs: push rfc1002 generation down the stack")
      
      We failed to validate signed data returned by the server because
      __cifs_calc_signature() now expects to sign the actual data in iov but
      we were also passing down the rfc1002 length.
      
      Fix smb3_calc_signature() to calculate signature of rfc1002 length prior
      to passing only the actual data iov[1-N] to __cifs_calc_signature(). In
      addition, there are a few cases where no rfc1002 length is passed so we
      make sure there's one (iov_len == 4).
      Signed-off-by: NPaulo Alcantara <palcantara@suse.de>
      Reviewed-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      8de8c460
    • P
      cifs: Fix validation of signed data in smb3+ · 27c32b49
      Paulo Alcantara 提交于
      Fixes: c713c877 ("cifs: push rfc1002 generation down the stack")
      
      We failed to validate signed data returned by the server because
      __cifs_calc_signature() now expects to sign the actual data in iov but
      we were also passing down the rfc1002 length.
      
      Fix smb3_calc_signature() to calculate signature of rfc1002 length prior
      to passing only the actual data iov[1-N] to __cifs_calc_signature(). In
      addition, there are a few cases where no rfc1002 length is passed so we
      make sure there's one (iov_len == 4).
      Signed-off-by: NPaulo Alcantara <palcantara@suse.de>
      Reviewed-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      27c32b49
    • L
      cifs: Fix use after free of a mid_q_entry · 696e420b
      Lars Persson 提交于
      With protocol version 2.0 mounts we have seen crashes with corrupt mid
      entries. Either the server->pending_mid_q list becomes corrupt with a
      cyclic reference in one element or a mid object fetched by the
      demultiplexer thread becomes overwritten during use.
      
      Code review identified a race between the demultiplexer thread and the
      request issuing thread. The demultiplexer thread seems to be written
      with the assumption that it is the sole user of the mid object until
      it calls the mid callback which either wakes the issuer task or
      deletes the mid.
      
      This assumption is not true because the issuer task can be woken up
      earlier by a signal. If the demultiplexer thread has proceeded as far
      as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
      thread will happily end up calling cifs_delete_mid while the
      demultiplexer thread still is using the mid object.
      
      Inserting a delay in the cifs demultiplexer thread widens the race
      window and makes reproduction of the race very easy:
      
      		if (server->large_buf)
      			buf = server->bigbuf;
      
      +		usleep_range(500, 4000);
      
      		server->lstrp = jiffies;
      
      To resolve this I think the proper solution involves putting a
      reference count on the mid object. This patch makes sure that the
      demultiplexer thread holds a reference until it has finished
      processing the transaction.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NLars Persson <larper@axis.com>
      Acked-by: NPaulo Alcantara <palcantara@suse.de>
      Reviewed-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: NPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      696e420b
    • L
      autofs: rename 'autofs' module back to 'autofs4' · d02d21ea
      Linus Torvalds 提交于
      It turns out that systemd has a bug: it wants to load the autofs module
      early because of some initialization ordering with udev, and it doesn't
      do that correctly.  Everywhere else it does the proper "look up module
      name" that does the proper alias resolution, but in that early code, it
      just uses a hardcoded "autofs4" for the module name.
      
      The result of that is that as of commit a2225d93 ("autofs: remove
      left-over autofs4 stubs"), you get
      
          systemd[1]: Failed to insert module 'autofs4': No such file or directory
      
      in the system logs, and a lack of module loading.  All this despite the
      fact that we had very clearly marked 'autofs4' as an alias for this
      module.
      
      What's so ridiculous about this is that literally everything else does
      the module alias handling correctly, including really old versions of
      systemd (that just used 'modprobe' to do this), and even all the other
      systemd module loading code.
      
      Only that special systemd early module load code is broken, hardcoding
      the module names for not just 'autofs4', but also "ipv6", "unix",
      "ip_tables" and "virtio_rng".  Very annoying.
      
      Instead of creating an _additional_ separate compatibility 'autofs4'
      module, just rely on the fact that everybody else gets this right, and
      just call the module 'autofs4' for compatibility reasons, with 'autofs'
      as the alias name.
      
      That will allow the systemd people to fix their bugs, adding the proper
      alias handling, and maybe even fix the name of the module to be just
      "autofs" (so that they can _test_ the alias handling).  And eventually,
      we can revert this silly compatibility hack.
      
      See also
      
          https://github.com/systemd/systemd/issues/9501
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902946
      
      for the systemd bug reports upstream and in the Debian bug tracker
      respectively.
      
      Fixes: a2225d93 ("autofs: remove left-over autofs4 stubs")
      Reported-by: NBen Hutchings <ben@decadent.org.uk>
      Reported-by: NMichael Biebl <biebl@debian.org>
      Cc: Ian Kent <raven@themaw.net>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d02d21ea
    • G
      arm64: remove no-op -p linker flag · 1a381d4a
      Greg Hackmann 提交于
      Linking the ARM64 defconfig kernel with LLVM lld fails with the error:
      
        ld.lld: error: unknown argument: -p
        Makefile:1015: recipe for target 'vmlinux' failed
      
      Without this flag, the ARM64 defconfig kernel successfully links with
      lld and boots on Dragonboard 410c.
      
      After digging through binutils source and changelogs, it turns out that
      -p is only relevant to ancient binutils installations targeting 32-bit
      ARM.  binutils accepts -p for AArch64 too, but it's always been
      undocumented and silently ignored.  A comment in
      ld/emultempl/aarch64elf.em explains that it's "Only here for backwards
      compatibility".
      
      Since this flag is a no-op on ARM64, we can safely drop it.
      Acked-by: NWill Deacon <will.deacon@arm.com>
      Reviewed-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NGreg Hackmann <ghackmann@google.com>
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      1a381d4a
    • L
      Merge tag 'acpi-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 06c85639
      Linus Torvalds 提交于
      Pull ACPI fixes from Rafael Wysocki:
       "These fix a recent ACPICA regression, fix a battery driver regression
        introduced during the 4.17 cycle and fix up the recently added support
        for the PPTT ACPI table.
      
        Specifics:
      
         - Revert part of a recent ACPICA regression fix that added leading
           newlines to ACPICA error messages and made the kernel log look
           broken (Rafael Wysocki).
      
         - Fix an ACPI battery driver regression introduced during the 4.17
           cycle due to incorrect error handling that made Thinkpad 13 laptops
           crash on boot (Jouke Witteveen).
      
         - Fix up the recently added PPTT ACPI table support by covering the
           case when a PPTT structure represents a processors group correctly
           (Sudeep Holla)"
      
      * tag 'acpi-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / battery: Safe unregistering of hooks
        ACPI / PPTT: use ACPI ID whenever ACPI_PPTT_ACPI_PROCESSOR_ID_VALID is set
        ACPICA: Drop leading newlines from error messages
      06c85639
    • L
      Merge tag 'pm-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 90dc8b65
      Linus Torvalds 提交于
      Pull power management fixes from Rafael Wysocki:
       "These fix a PCI power management regression introduced during the 4.17
        cycle and fix up the recently added support for devices in multiple
        power domains.
      
        Specifics:
      
         - Resume parallel PCI (non-PCIe) bridges on suspend-to-RAM (ACP S3)
           to avoid confusing the platform firmware which started to happen
           after a core power management regression fix that went in during
           the 4.17 cycle (Rafael Wysocki).
      
         - Fix up the recently added support for devices in multiple power
           domains by avoiding to power up the entire domain unnecessarily
           when attaching a device to it (Ulf Hansson)"
      
      * tag 'pm-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM / Domains: Don't power on at attach for the multi PM domain case
        PCI / ACPI / PM: Resume bridges w/o drivers on suspend-to-RAM
      90dc8b65
    • L
      Merge tag 'riscv-for-linus-4.18-rc4' of... · b19b9282
      Linus Torvalds 提交于
      Merge tag 'riscv-for-linus-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux
      
      Pull RISC-V fixes from Palmer Dabbelt:
       "This contains a handful of fixes for the RISC-V port:
      
         - A fix to R_RISCV_ADD32/R_RISCV_SUB32 relocations that allows
           modules that use these to load correctly.
      
         - The removal of of_platform_populate(), which is obselete.
      
         - The removal of irq-riscv-intc.h, which is obselete.
      
         - A fix to PTRACE_SETREGSET.
      
         - Fixes that allow the RV32I kernel to build (at least for Zong, I've
           got another patch on the mailing list that's necessary on my setup :)).
      
        I've just given these a defconfig build test"
      
      * tag 'riscv-for-linus-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux:
        RISC-V: Fix PTRACE_SETREGSET bug.
        RISC-V: Don't include irq-riscv-intc.h
        riscv: remove unnecessary of_platform_populate call
        RISC-V: fix R_RISCV_ADD32/R_RISCV_SUB32 relocations
        RISC-V: Change variable type for 32-bit compatible
        RISC-V: Add definiion of extract symbol's index and type for 32-bit
        RISC-V: Select GENERIC_UCMPDI2 on RV32I
        RISC-V: Add conditional macro for zone of DMA32
      b19b9282
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu · 760885f2
      Linus Torvalds 提交于
      Pull m68knommu fix from Greg Ungerer:
       "A single fix for breakage introduced in this merge window"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
        m68k: fix "bad page state" oops on ColdFire boot
      760885f2
  5. 05 7月, 2018 6 次提交