1. 26 5月, 2019 14 次提交
  2. 22 5月, 2019 26 次提交
    • G
      Linux 4.19.45 · c3a07259
      Greg Kroah-Hartman 提交于
      c3a07259
    • A
      ext4: don't update s_rev_level if not required · e8816d3b
      Andreas Dilger 提交于
      commit c9e716eb9b3455a83ed7c5f5a81256a3da779a95 upstream.
      
      Don't update the superblock s_rev_level during mount if it isn't
      actually necessary, only if superblock features are being set by
      the kernel.  This was originally added for ext3 since it always
      set the INCOMPAT_RECOVER and HAS_JOURNAL features during mount,
      but this is not needed since no journal mode was added to ext4.
      
      That will allow Geert to mount his 20-year-old ext2 rev 0.0 m68k
      filesystem, as a testament of the backward compatibility of ext4.
      
      Fixes: 0390131b ("ext4: Allow ext4 to run without a journal")
      Signed-off-by: NAndreas Dilger <adilger@dilger.ca>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8816d3b
    • Z
      ext4: fix compile error when using BUFFER_TRACE · 6172ae55
      zhangyi (F) 提交于
      commit ddccb6dbe780d68133191477571cb7c69e17bb8c upstream.
      
      Fix compile error below when using BUFFER_TRACE.
      
      fs/ext4/inode.c: In function ‘ext4_expand_extra_isize’:
      fs/ext4/inode.c:5979:19: error: request for member ‘bh’ in something not a structure or union
        BUFFER_TRACE(iloc.bh, "get_write_access");
      
      Fixes: c03b45b8 ("ext4, project: expand inode extra size if possible")
      Signed-off-by: Nzhangyi (F) <yi.zhang@huawei.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6172ae55
    • K
      pstore: Refactor compression initialization · 953e826e
      Kees Cook 提交于
      commit 95047b0519c17a28e09df5f38750f5354e3db4c4 upstream.
      
      This refactors compression initialization slightly to better handle
      getting potentially called twice (via early pstore_register() calls
      and later pstore_init()) and improves the comments and reporting to be
      more verbose.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Tested-by: NGuenter Roeck <groeck@chromium.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      953e826e
    • J
      pstore: Allocate compression during late_initcall() · fea8b847
      Joel Fernandes (Google) 提交于
      commit 416031653eb55f844e3547fb8f8576399a800da0 upstream.
      
      ramoops's call of pstore_register() was recently moved to run during
      late_initcall() because the crypto backend may not have been ready during
      postcore_initcall(). This meant early-boot crash dumps were not getting
      caught by pstore any more.
      
      Instead, lets allow calls to pstore_register() earlier, and once crypto
      is ready we can initialize the compression.
      Reported-by: NSai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
      Signed-off-by: NJoel Fernandes (Google) <joel@joelfernandes.org>
      Tested-by: NSai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
      Fixes: cb3bee03 ("pstore: Use crypto compress API")
      [kees: trivial rebase]
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Tested-by: NGuenter Roeck <groeck@chromium.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fea8b847
    • K
      pstore: Centralize init/exit routines · f4bf101b
      Kees Cook 提交于
      commit cb095afd44768bf495894b9ad063bd078e4bb201 upstream.
      
      In preparation for having additional actions during init/exit, this moves
      the init/exit into platform.c, centralizing the logic to make call outs
      to the fs init/exit.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Tested-by: NGuenter Roeck <groeck@chromium.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4bf101b
    • E
      iov_iter: optimize page_copy_sane() · 627bb2d9
      Eric Dumazet 提交于
      commit 6daef95b8c914866a46247232a048447fff97279 upstream.
      
      Avoid cache line miss dereferencing struct page if we can.
      
      page_copy_sane() mostly deals with order-0 pages.
      
      Extra cache line miss is visible on TCP recvmsg() calls dealing
      with GRO packets (typically 45 page frags are attached to one skb).
      
      Bringing the 45 struct pages into cpu cache while copying the data
      is not free, since the freeing of the skb (and associated
      page frags put_page()) can happen after cache lines have been evicted.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Cc: Matthew Wilcox <willy@infradead.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      627bb2d9
    • D
      libnvdimm/namespace: Fix label tracking error · 866f0111
      Dan Williams 提交于
      commit c4703ce11c23423d4b46e3d59aef7979814fd608 upstream.
      
      Users have reported intermittent occurrences of DIMM initialization
      failures due to duplicate allocations of address capacity detected in
      the labels, or errors of the form below, both have the same root cause.
      
          nd namespace1.4: failed to track label: 0
          WARNING: CPU: 17 PID: 1381 at drivers/nvdimm/label.c:863
      
          RIP: 0010:__pmem_label_update+0x56c/0x590 [libnvdimm]
          Call Trace:
           ? nd_pmem_namespace_label_update+0xd6/0x160 [libnvdimm]
           nd_pmem_namespace_label_update+0xd6/0x160 [libnvdimm]
           uuid_store+0x17e/0x190 [libnvdimm]
           kernfs_fop_write+0xf0/0x1a0
           vfs_write+0xb7/0x1b0
           ksys_write+0x57/0xd0
           do_syscall_64+0x60/0x210
      
      Unfortunately those reports were typically with a busy parallel
      namespace creation / destruction loop making it difficult to see the
      components of the bug. However, Jane provided a simple reproducer using
      the work-in-progress sub-section implementation.
      
      When ndctl is reconfiguring a namespace it may take an existing defunct
      / disabled namespace and reconfigure it with a new uuid and other
      parameters. Critically namespace_update_uuid() takes existing address
      resources and renames them for the new namespace to use / reconfigure as
      it sees fit. The bug is that this rename only happens in the resource
      tracking tree. Existing labels with the old uuid are not reaped leading
      to a scenario where multiple active labels reference the same span of
      address range.
      
      Teach namespace_update_uuid() to flag any references to the old uuid for
      reaping at the next label update attempt.
      
      Cc: <stable@vger.kernel.org>
      Fixes: bf9bccc1 ("libnvdimm: pmem label sets and namespace instantiation")
      Link: https://github.com/pmem/ndctl/issues/91Reported-by: NJane Chu <jane.chu@oracle.com>
      Reported-by: NJeff Moyer <jmoyer@redhat.com>
      Reported-by: NErwin Tsaur <erwin.tsaur@oracle.com>
      Cc: Johannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: NDan Williams <dan.j.williams@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      866f0111
    • R
      xen/pvh: set xen_domain_type to HVM in xen_pvh_init · 756eda9b
      Roger Pau Monne 提交于
      commit c9f804d64bb93c8dbf957df1d7e9de11380e522d upstream.
      
      Or else xen_domain() returns false despite xen_pvh being set.
      Signed-off-by: NRoger Pau Monné <roger.pau@citrix.com>
      Reviewed-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: stable@vger.kernel.org # 4.19+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      756eda9b
    • M
      kbuild: turn auto.conf.cmd into a mandatory include file · 98bdd338
      Masahiro Yamada 提交于
      commit d2f8ae0e4c5c754f1b2a7b8388d19a1a977e698a upstream.
      
      syncconfig is responsible for keeping auto.conf up-to-date, so if it
      fails for any reason, the build must be terminated immediately.
      
      However, since commit 9390dff66a52 ("kbuild: invoke syncconfig if
      include/config/auto.conf.cmd is missing"), Kbuild continues running
      even after syncconfig fails.
      
      You can confirm this by intentionally making syncconfig error out:
      
      #  diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
      #  index 08ba146..307b9de 100644
      #  --- a/scripts/kconfig/confdata.c
      #  +++ b/scripts/kconfig/confdata.c
      #  @@ -1023,6 +1023,9 @@ int conf_write_autoconf(int overwrite)
      #          FILE *out, *tristate, *out_h;
      #          int i;
      #
      #  +       if (overwrite)
      #  +               return 1;
      #  +
      #          if (!overwrite && is_present(autoconf_name))
      #                  return 0;
      
      Then, syncconfig fails, but Make would not stop:
      
        $ make -s mrproper allyesconfig defconfig
        $ make
        scripts/kconfig/conf  --syncconfig Kconfig
      
        *** Error during sync of the configuration.
      
        make[2]: *** [scripts/kconfig/Makefile;69: syncconfig] Error 1
        make[1]: *** [Makefile;557: syncconfig] Error 2
        make: *** [include/config/auto.conf.cmd] Deleting file 'include/config/tristate.conf'
        make: Failed to remake makefile 'include/config/auto.conf'.
          SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
          SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
          SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
          SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
        [ continue running ... ]
      
      The reason is in the behavior of a pattern rule with multi-targets.
      
        %/auto.conf %/auto.conf.cmd %/tristate.conf: $(KCONFIG_CONFIG)
                $(Q)$(MAKE) -f $(srctree)/Makefile syncconfig
      
      GNU Make knows this rule is responsible for making all the three files
      simultaneously. As far as examined, auto.conf.cmd is the target in
      question when this rule is invoked. It is probably because auto.conf.cmd
      is included below the inclusion of auto.conf.
      
      The inclusion of auto.conf is mandatory, while that of auto.conf.cmd
      is optional. GNU Make does not care about the failure in the process
      of updating optional include files.
      
      I filed this issue (https://savannah.gnu.org/bugs/?56301) in case this
      behavior could be improved somehow in future releases of GNU Make.
      Anyway, it is quite easy to fix our Makefile.
      
      Given that auto.conf is already a mandatory include file, there is no
      reason to stick auto.conf.cmd optional. Make it mandatory as well.
      
      Cc: linux-stable <stable@vger.kernel.org> # 5.0+
      Fixes: 9390dff66a52 ("kbuild: invoke syncconfig if include/config/auto.conf.cmd is missing")
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      [commented out diff above to keep patch happy - gregkh]
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98bdd338
    • S
      KVM: lapic: Busy wait for timer to expire when using hv_timer · 38f11488
      Sean Christopherson 提交于
      commit ee66e453db13d4837a0dcf9d43efa7a88603161b upstream.
      
      ...now that VMX's preemption timer, i.e. the hv_timer, also adjusts its
      programmed time based on lapic_timer_advance_ns.  Without the delay, a
      guest can see a timer interrupt arrive before the requested time when
      KVM is using the hv_timer to emulate the guest's interrupt.
      
      Fixes: c5ce8235 ("KVM: VMX: Optimize tscdeadline timer latency")
      Cc: <stable@vger.kernel.org>
      Cc: Wanpeng Li <wanpengli@tencent.com>
      Reviewed-by: NLiran Alon <liran.alon@oracle.com>
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38f11488
    • S
      KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes · 3b5ea2df
      Sean Christopherson 提交于
      commit 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 upstream.
      
      KVM allows userspace to violate consistency checks related to the
      guest's CPUID model to some degree.  Generally speaking, userspace has
      carte blanche when it comes to guest state so long as jamming invalid
      state won't negatively affect the host.
      
      Currently this is seems to be a non-issue as most of the interesting
      EFER checks are missing, e.g. NX and LME, but those will be added
      shortly.  Proactively exempt userspace from the CPUID checks so as not
      to break userspace.
      
      Note, the efer_reserved_bits check still applies to userspace writes as
      that mask reflects the host's capabilities, e.g. KVM shouldn't allow a
      guest to run with NX=1 if it has been disabled in the host.
      
      Fixes: d8017474 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set")
      Cc: stable@vger.kernel.org
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3b5ea2df
    • C
      jbd2: fix potential double free · 5b856768
      Chengguang Xu 提交于
      commit 0d52154bb0a700abb459a2cbce0a30fc2549b67e upstream.
      
      When failing from creating cache jbd2_inode_cache, we will destroy the
      previously created cache jbd2_handle_cache twice.  This patch fixes
      this by moving each cache initialization/destruction to its own
      separate, individual function.
      Signed-off-by: NChengguang Xu <cgxu519@gmail.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b856768
    • M
      ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug · 95482af2
      Michał Wadowski 提交于
      commit 56df90b631fc027fe28b70d41352d820797239bb upstream.
      
      Add patch for realtek codec in Lenovo B50-70 that fixes inverted
      internal microphone channel.
      Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70,
      but first one is about fix the noise and it didn't seem help in a
      later kernel version.
      So I replaced IdeaPad Y410P device description with B50-70 and apply
      inverted microphone fix.
      
      Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215Signed-off-by: NMichał Wadowski <wadosm@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      95482af2
    • K
      ALSA: hda/realtek - Fixup headphone noise via runtime suspend · e0e1dc65
      Kailang Yang 提交于
      commit dad3197da7a3817f27bb24f7fd3c135ffa707202 upstream.
      
      Dell platform with ALC298.
      system enter to runtime suspend. Headphone had noise.
      Let Headset Mic not shutup will solve this issue.
      
      [ Fixed minor coding style issues by tiwai ]
      Signed-off-by: NKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e0e1dc65
    • J
      ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14) · ae315512
      Jeremy Soller 提交于
      commit 891afcf2462d2cc4ef7caf94215358ca61fa32cb upstream.
      
      A mistake was made in the identification of the four variants of the
      System76 Gazelle (gaze14). This patch corrects the PCI ID of the
      17-inch, GTX 1660 Ti variant from 0x8560 to 0x8551. This patch also
      adds the correct fixups for the 15-inch and 17-inch GTX 1650 variants
      with PCI IDs 0x8560 and 0x8561.
      
      Tests were done on all four variants ensuring full audio capability.
      
      Fixes: 80a5052db751 ("ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)")
      Signed-off-by: NJeremy Soller <jeremy@system76.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae315512
    • J
      ext4: avoid panic during forced reboot due to aborted journal · 316063bf
      Jan Kara 提交于
      commit 2c1d0e3631e5732dba98ef49ac0bec1388776793 upstream.
      
      Handling of aborted journal is a special code path different from
      standard ext4_error() one and it can call panic() as well. Commit
      1dc1097ff60e ("ext4: avoid panic during forced reboot") forgot to update
      this path so fix that omission.
      
      Fixes: 1dc1097ff60e ("ext4: avoid panic during forced reboot")
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org # 5.1
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      316063bf
    • S
      ext4: fix use-after-free in dx_release() · c19db366
      Sahitya Tummala 提交于
      commit 08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 upstream.
      
      The buffer_head (frames[0].bh) and it's corresping page can be
      potentially free'd once brelse() is done inside the for loop
      but before the for loop exits in dx_release(). It can be free'd
      in another context, when the page cache is flushed via
      drop_caches_sysctl_handler(). This results into below data abort
      when accessing info->indirect_levels in dx_release().
      
      Unable to handle kernel paging request at virtual address ffffffc17ac3e01e
      Call trace:
       dx_release+0x70/0x90
       ext4_htree_fill_tree+0x2d4/0x300
       ext4_readdir+0x244/0x6f8
       iterate_dir+0xbc/0x160
       SyS_getdents64+0x94/0x174
      Signed-off-by: NSahitya Tummala <stummala@codeaurora.org>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NAndreas Dilger <adilger@dilger.ca>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c19db366
    • L
      ext4: fix data corruption caused by overlapping unaligned and aligned IO · 0db24122
      Lukas Czerner 提交于
      commit 57a0da28ced8707cb9f79f071a016b9d005caf5a upstream.
      
      Unaligned AIO must be serialized because the zeroing of partial blocks
      of unaligned AIO can result in data corruption in case it's overlapping
      another in flight IO.
      
      Currently we wait for all unwritten extents before we submit unaligned
      AIO which protects data in case of unaligned AIO is following overlapping
      IO. However if a unaligned AIO is followed by overlapping aligned AIO we
      can still end up corrupting data.
      
      To fix this, we must make sure that the unaligned AIO is the only IO in
      flight by waiting for unwritten extents conversion not just before the
      IO submission, but right after it as well.
      
      This problem can be reproduced by xfstest generic/538
      Signed-off-by: NLukas Czerner <lczerner@redhat.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0db24122
    • S
      ext4: zero out the unused memory region in the extent tree block · 25d010f4
      Sriram Rajagopalan 提交于
      commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.
      
      This commit zeroes out the unused memory region in the buffer_head
      corresponding to the extent metablock after writing the extent header
      and the corresponding extent node entries.
      
      This is done to prevent random uninitialized data from getting into
      the filesystem when the extent block is synced.
      
      This fixes CVE-2019-11833.
      Signed-off-by: NSriram Rajagopalan <sriramr@arista.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25d010f4
    • A
      tty: Don't force RISCV SBI console as preferred console · c907ce3f
      Anup Patel 提交于
      commit f91253a3d005796404ae0e578b3394459b5f9b71 upstream.
      
      The Linux kernel will auto-disables all boot consoles whenever it
      gets a preferred real console.
      
      Currently on RISC-V systems, if we have a real console which is not
      RISCV SBI console then boot consoles (such as earlycon=sbi) are not
      auto-disabled when a real console (ttyS0 or ttySIF0) is available.
      This results in duplicate prints at boot-time after kernel starts
      using real console (i.e. ttyS0 or ttySIF0) if "earlycon=" kernel
      parameter was passed by bootloader.
      
      The reason for above issue is that RISCV SBI console always adds
      itself as preferred console which is causing other real consoles
      to be not used as preferred console.
      
      Ideally "console=" kernel parameter passed by bootloaders should
      be the one selecting a preferred real console.
      
      This patch fixes above issue by not forcing RISCV SBI console as
      preferred console.
      
      Fixes: afa6b1cc ("tty: New RISC-V SBI console driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: NAnup Patel <anup.patel@wdc.com>
      Reviewed-by: NAtish Patra <atish.patra@wdc.com>
      Signed-off-by: NPalmer Dabbelt <palmer@sifive.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c907ce3f
    • J
      fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount · 986d3453
      Jiufei Xue 提交于
      commit ec084de929e419e51bcdafaafe567d9e7d0273b7 upstream.
      
      synchronize_rcu() didn't wait for call_rcu() callbacks, so inode wb
      switch may not go to the workqueue after synchronize_rcu().  Thus
      previous scheduled switches was not finished even flushing the
      workqueue, which will cause a NULL pointer dereferenced followed below.
      
        VFS: Busy inodes after unmount of vdd. Self-destruct in 5 seconds.  Have a nice day...
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000278
          evict+0xb3/0x180
          iput+0x1b0/0x230
          inode_switch_wbs_work_fn+0x3c0/0x6a0
          worker_thread+0x4e/0x490
          ? process_one_work+0x410/0x410
          kthread+0xe6/0x100
          ret_from_fork+0x39/0x50
      
      Replace the synchronize_rcu() call with a rcu_barrier() to wait for all
      pending callbacks to finish.  And inc isw_nr_in_flight after call_rcu()
      in inode_switch_wbs() to make more sense.
      
      Link: http://lkml.kernel.org/r/20190429024108.54150-1-jiufei.xue@linux.alibaba.comSigned-off-by: NJiufei Xue <jiufei.xue@linux.alibaba.com>
      Acked-by: NTejun Heo <tj@kernel.org>
      Suggested-by: NTejun Heo <tj@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      986d3453
    • E
      crypto: ccm - fix incompatibility between "ccm" and "ccm_base" · a80da82d
      Eric Biggers 提交于
      commit 6a1faa4a43f5fabf9cbeaa742d916e7b5e73120f upstream.
      
      CCM instances can be created by either the "ccm" template, which only
      allows choosing the block cipher, e.g. "ccm(aes)"; or by "ccm_base",
      which allows choosing the ctr and cbcmac implementations, e.g.
      "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      However, a "ccm_base" instance prevents a "ccm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "ccm".  This can be used as a denial of service.
      Moreover, "ccm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "ccm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "ccm_base" instances set the same cra_name as "ccm" instances, e.g.
      "ccm(aes)" instead of "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      This requires extracting the block cipher name from the name of the ctr
      and cbcmac algorithms.  It also requires starting to verify that the
      algorithms are really ctr and cbcmac using the same block cipher, not
      something else entirely.  But it would be bizarre if anyone were
      actually using non-ccm-compatible algorithms with ccm_base, so this
      shouldn't break anyone in practice.
      
      Fixes: 4a49b499 ("[CRYPTO] ccm: Added CCM mode")
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      a80da82d
    • K
      ipmi:ssif: compare block number correctly for multi-part return messages · f6de0a3b
      Kamlakant Patel 提交于
      commit 55be8658c7e2feb11a5b5b33ee031791dbd23a69 upstream.
      
      According to ipmi spec, block number is a number that is incremented,
      starting with 0, for each new block of message data returned using the
      middle transaction.
      
      Here, the 'blocknum' is data[0] which always starts from zero(0) and
      'ssif_info->multi_pos' starts from 1.
      So, we need to add +1 to blocknum while comparing with multi_pos.
      
      Fixes: 7d6380cd40f79 ("ipmi:ssif: Fix handling of multi-part return messages").
      Reported-by: NKiran Kolukuluru <kirank@ami.com>
      Signed-off-by: NKamlakant Patel <kamlakantp@marvell.com>
      Message-Id: <1556106615-18722-1-git-send-email-kamlakantp@marvell.com>
      [Also added a debug log if the block numbers don't match.]
      Signed-off-by: NCorey Minyard <cminyard@mvista.com>
      Cc: stable@vger.kernel.org # 4.4
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6de0a3b
    • C
      bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() · 88681649
      Coly Li 提交于
      commit 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc upstream.
      
      In journal_reclaim() ja->cur_idx of each cache will be update to
      reclaim available journal buckets. Variable 'int n' is used to count how
      many cache is successfully reclaimed, then n is set to c->journal.key
      by SET_KEY_PTRS(). Later in journal_write_unlocked(), a for_each_cache()
      loop will write the jset data onto each cache.
      
      The problem is, if all jouranl buckets on each cache is full, the
      following code in journal_reclaim(),
      
      529 for_each_cache(ca, c, iter) {
      530       struct journal_device *ja = &ca->journal;
      531       unsigned int next = (ja->cur_idx + 1) % ca->sb.njournal_buckets;
      532
      533       /* No space available on this device */
      534       if (next == ja->discard_idx)
      535               continue;
      536
      537       ja->cur_idx = next;
      538       k->ptr[n++] = MAKE_PTR(0,
      539                         bucket_to_sector(c, ca->sb.d[ja->cur_idx]),
      540                         ca->sb.nr_this_dev);
      541 }
      542
      543 bkey_init(k);
      544 SET_KEY_PTRS(k, n);
      
      If there is no available bucket to reclaim, the if() condition at line
      534 will always true, and n remains 0. Then at line 544, SET_KEY_PTRS()
      will set KEY_PTRS field of c->journal.key to 0.
      
      Setting KEY_PTRS field of c->journal.key to 0 is wrong. Because in
      journal_write_unlocked() the journal data is written in following loop,
      
      649	for (i = 0; i < KEY_PTRS(k); i++) {
      650-671		submit journal data to cache device
      672	}
      
      If KEY_PTRS field is set to 0 in jouranl_reclaim(), the journal data
      won't be written to cache device here. If system crahed or rebooted
      before bkeys of the lost journal entries written into btree nodes, data
      corruption will be reported during bcache reload after rebooting the
      system.
      
      Indeed there is only one cache in a cache set, there is no need to set
      KEY_PTRS field in journal_reclaim() at all. But in order to keep the
      for_each_cache() logic consistent for now, this patch fixes the above
      problem by not setting 0 KEY_PTRS of journal key, if there is no bucket
      available to reclaim.
      Signed-off-by: NColy Li <colyli@suse.de>
      Reviewed-by: NHannes Reinecke <hare@suse.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88681649
    • L
      bcache: fix a race between cache register and cacheset unregister · ecfc882f
      Liang Chen 提交于
      commit a4b732a248d12cbdb46999daf0bf288c011335eb upstream.
      
      There is a race between cache device register and cache set unregister.
      For an already registered cache device, register_bcache will call
      bch_is_open to iterate through all cachesets and check every cache
      there. The race occurs if cache_set_free executes at the same time and
      clears the caches right before ca is dereferenced in bch_is_open_cache.
      To close the race, let's make sure the clean up work is protected by
      the bch_register_lock as well.
      
      This issue can be reproduced as follows,
      while true; do echo /dev/XXX> /sys/fs/bcache/register ; done&
      while true; do echo 1> /sys/block/XXX/bcache/set/unregister ; done &
      
      and results in the following oops,
      
      [  +0.000053] BUG: unable to handle kernel NULL pointer dereference at 0000000000000998
      [  +0.000457] #PF error: [normal kernel read fault]
      [  +0.000464] PGD 800000003ca9d067 P4D 800000003ca9d067 PUD 3ca9c067 PMD 0
      [  +0.000388] Oops: 0000 [#1] SMP PTI
      [  +0.000269] CPU: 1 PID: 3266 Comm: bash Not tainted 5.0.0+ #6
      [  +0.000346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014
      [  +0.000472] RIP: 0010:register_bcache+0x1829/0x1990 [bcache]
      [  +0.000344] Code: b0 48 83 e8 50 48 81 fa e0 e1 10 c0 0f 84 a9 00 00 00 48 89 c6 48 89 ca 0f b7 ba 54 04 00 00 4c 8b 82 60 0c 00 00 85 ff 74 2f <49> 3b a8 98 09 00 00 74 4e 44 8d 47 ff 31 ff 49 c1 e0 03 eb 0d
      [  +0.000839] RSP: 0018:ffff92ee804cbd88 EFLAGS: 00010202
      [  +0.000328] RAX: ffffffffc010e190 RBX: ffff918b5c6b5000 RCX: ffff918b7d8e0000
      [  +0.000399] RDX: ffff918b7d8e0000 RSI: ffffffffc010e190 RDI: 0000000000000001
      [  +0.000398] RBP: ffff918b7d318340 R08: 0000000000000000 R09: ffffffffb9bd2d7a
      [  +0.000385] R10: ffff918b7eb253c0 R11: ffffb95980f51200 R12: ffffffffc010e1a0
      [  +0.000411] R13: fffffffffffffff2 R14: 000000000000000b R15: ffff918b7e232620
      [  +0.000384] FS:  00007f955bec2740(0000) GS:ffff918b7eb00000(0000) knlGS:0000000000000000
      [  +0.000420] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  +0.000801] CR2: 0000000000000998 CR3: 000000003cad6000 CR4: 00000000001406e0
      [  +0.000837] Call Trace:
      [  +0.000682]  ? _cond_resched+0x10/0x20
      [  +0.000691]  ? __kmalloc+0x131/0x1b0
      [  +0.000710]  kernfs_fop_write+0xfa/0x170
      [  +0.000733]  __vfs_write+0x2e/0x190
      [  +0.000688]  ? inode_security+0x10/0x30
      [  +0.000698]  ? selinux_file_permission+0xd2/0x120
      [  +0.000752]  ? security_file_permission+0x2b/0x100
      [  +0.000753]  vfs_write+0xa8/0x1a0
      [  +0.000676]  ksys_write+0x4d/0xb0
      [  +0.000699]  do_syscall_64+0x3a/0xf0
      [  +0.000692]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Signed-off-by: NLiang Chen <liangchen.linux@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NColy Li <colyli@suse.de>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ecfc882f