1. 14 2月, 2017 3 次提交
    • K
      MAINTAINERS: Adjust pstore git repo URI, add files · fc1b326e
      Kees Cook 提交于
      The tree used for staging pstore changes has moved to my repo. The -next
      tree already pulls from here, so update MAINTAINERS to reflect reality.
      While at it, add some more pstore-related files to track.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      fc1b326e
    • K
      pstore: Check for prz allocation in walker · 46418413
      Kees Cook 提交于
      Instead of needing additional checks in callers for unallocated przs,
      perform the check in the walker, which gives us a more universal way to
      handle the situation.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      46418413
    • K
      pstore: Correctly initialize spinlock and flags · 76d5692a
      Kees Cook 提交于
      The ram backend wasn't always initializing its spinlock correctly. Since
      it was coming from kzalloc memory, though, it was harmless on
      architectures that initialize unlocked spinlocks to 0 (at least x86 and
      ARM). This also fixes a possibly ignored flag setting too.
      
      When running under CONFIG_DEBUG_SPINLOCK, the following Oops was visible:
      
      [    0.760836] persistent_ram: found existing buffer, size 29988, start 29988
      [    0.765112] persistent_ram: found existing buffer, size 30105, start 30105
      [    0.769435] persistent_ram: found existing buffer, size 118542, start 118542
      [    0.785960] persistent_ram: found existing buffer, size 0, start 0
      [    0.786098] persistent_ram: found existing buffer, size 0, start 0
      [    0.786131] pstore: using zlib compression
      [    0.790716] BUG: spinlock bad magic on CPU#0, swapper/0/1
      [    0.790729]  lock: 0xffffffc0d1ca9bb0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
      [    0.790742] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc2+ #913
      [    0.790747] Hardware name: Google Kevin (DT)
      [    0.790750] Call trace:
      [    0.790768] [<ffffff900808ae88>] dump_backtrace+0x0/0x2bc
      [    0.790780] [<ffffff900808b164>] show_stack+0x20/0x28
      [    0.790794] [<ffffff9008460ee0>] dump_stack+0xa4/0xcc
      [    0.790809] [<ffffff9008113cfc>] spin_dump+0xe0/0xf0
      [    0.790821] [<ffffff9008113d3c>] spin_bug+0x30/0x3c
      [    0.790834] [<ffffff9008113e28>] do_raw_spin_lock+0x50/0x1b8
      [    0.790846] [<ffffff9008a2d2ec>] _raw_spin_lock_irqsave+0x54/0x6c
      [    0.790862] [<ffffff90083ac3b4>] buffer_size_add+0x48/0xcc
      [    0.790875] [<ffffff90083acb34>] persistent_ram_write+0x60/0x11c
      [    0.790888] [<ffffff90083aab1c>] ramoops_pstore_write_buf+0xd4/0x2a4
      [    0.790900] [<ffffff90083a9d3c>] pstore_console_write+0xf0/0x134
      [    0.790912] [<ffffff900811c304>] console_unlock+0x48c/0x5e8
      [    0.790923] [<ffffff900811da18>] register_console+0x3b0/0x4d4
      [    0.790935] [<ffffff90083aa7d0>] pstore_register+0x1a8/0x234
      [    0.790947] [<ffffff90083ac250>] ramoops_probe+0x6b8/0x7d4
      [    0.790961] [<ffffff90085ca548>] platform_drv_probe+0x7c/0xd0
      [    0.790972] [<ffffff90085c76ac>] driver_probe_device+0x1b4/0x3bc
      [    0.790982] [<ffffff90085c7ac8>] __device_attach_driver+0xc8/0xf4
      [    0.790996] [<ffffff90085c4bfc>] bus_for_each_drv+0xb4/0xe4
      [    0.791006] [<ffffff90085c7414>] __device_attach+0xd0/0x158
      [    0.791016] [<ffffff90085c7b18>] device_initial_probe+0x24/0x30
      [    0.791026] [<ffffff90085c648c>] bus_probe_device+0x50/0xe4
      [    0.791038] [<ffffff90085c35b8>] device_add+0x3a4/0x76c
      [    0.791051] [<ffffff90087d0e84>] of_device_add+0x74/0x84
      [    0.791062] [<ffffff90087d19b8>] of_platform_device_create_pdata+0xc0/0x100
      [    0.791073] [<ffffff90087d1a2c>] of_platform_device_create+0x34/0x40
      [    0.791086] [<ffffff900903c910>] of_platform_default_populate_init+0x58/0x78
      [    0.791097] [<ffffff90080831fc>] do_one_initcall+0x88/0x160
      [    0.791109] [<ffffff90090010ac>] kernel_init_freeable+0x264/0x31c
      [    0.791123] [<ffffff9008a25bd0>] kernel_init+0x18/0x11c
      [    0.791133] [<ffffff9008082ec0>] ret_from_fork+0x10/0x50
      [    0.793717] console [pstore-1] enabled
      [    0.797845] pstore: Registered ramoops as persistent store backend
      [    0.804647] ramoops: attached 0x100000@0xf7edc000, ecc: 0/0
      
      Fixes: 663deb47 ("pstore: Allow prz to control need for locking")
      Fixes: 10970449 ("pstore: Make spinlock per zone instead of global")
      Reported-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      76d5692a
  2. 13 2月, 2017 1 次提交
  3. 12 2月, 2017 7 次提交
  4. 11 2月, 2017 13 次提交
    • O
      Btrfs: fix btrfs_decompress_buf2page() · 6e78b3f7
      Omar Sandoval 提交于
      If btrfs_decompress_buf2page() is handed a bio with its page in the
      middle of the working buffer, then we adjust the offset into the working
      buffer. After we copy into the bio, we advance the iterator by the
      number of bytes we copied. Then, we have some logic to handle the case
      of discontiguous pages and adjust the offset into the working buffer
      again. However, if we didn't advance the bio to a new page, we may enter
      this case in error, essentially repeating the adjustment that we already
      made when we entered the function. The end result is bogus data in the
      bio.
      
      Previously, we only checked for this case when we advanced to a new
      page, but the conversion to bio iterators changed that. This restores
      the old, correct behavior.
      
      A case I saw when testing with zlib was:
      
          buf_start = 42769
          total_out = 46865
          working_bytes = total_out - buf_start = 4096
          start_byte = 45056
      
      The condition (total_out > start_byte && buf_start < start_byte) is
      true, so we adjust the offset:
      
          buf_offset = start_byte - buf_start = 2287
          working_bytes -= buf_offset = 1809
          current_buf_start = buf_start = 42769
      
      Then, we copy
      
          bytes = min(bvec.bv_len, PAGE_SIZE - buf_offset, working_bytes) = 1809
          buf_offset += bytes = 4096
          working_bytes -= bytes = 0
          current_buf_start += bytes = 44578
      
      After bio_advance(), we are still in the same page, so start_byte is the
      same. Then, we check (total_out > start_byte && current_buf_start < start_byte),
      which is true! So, we adjust the values again:
      
          buf_offset = start_byte - buf_start = 2287
          working_bytes = total_out - start_byte = 1809
          current_buf_start = buf_start + buf_offset = 45056
      
      But note that working_bytes was already zero before this, so we should
      have stopped copying.
      
      Fixes: 974b1adc ("btrfs: use bio iterators for the decompression handlers")
      Reported-by: NPat Erley <pat-lkml@erley.org>
      Reviewed-by: NChris Mason <clm@fb.com>
      Signed-off-by: NOmar Sandoval <osandov@fb.com>
      Signed-off-by: NChris Mason <clm@fb.com>
      Reviewed-by: NLiu Bo <bo.li.liu@oracle.com>
      Tested-by: NLiu Bo <bo.li.liu@oracle.com>
      6e78b3f7
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 1ee18329
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) If the timing is wrong we can indefinitely stop generating new ipv6
          temporary addresses, from Marcus Huewe.
      
       2) Don't double free per-cpu stats in ipv6 SIT tunnel driver, from Cong
          Wang.
      
       3) Put protections in place so that AF_PACKET is not able to submit
          packets which don't even have a link level header to drivers. From
          Willem de Bruijn.
      
       4) Fix memory leaks in ipv4 and ipv6 multicast code, from Hangbin Liu.
      
       5) Don't use udp_ioctl() in l2tp code, UDP version expects a UDP socket
          and that doesn't go over very well when it is passed an L2TP one.
          Fix from Eric Dumazet.
      
       6) Don't crash on NULL pointer in phy_attach_direct(), from Florian
          Fainelli.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        l2tp: do not use udp_ioctl()
        xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
        NET: mkiss: Fix panic
        net: hns: Fix the device being used for dma mapping during TX
        net: phy: Initialize mdio clock at probe function
        igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
        xen-netfront: Improve error handling during initialization
        sierra_net: Skip validating irrelevant fields for IDLE LSIs
        sierra_net: Add support for IPv6 and Dual-Stack Link Sense Indications
        kcm: fix 0-length case for kcm_sendmsg()
        xen-netfront: Rework the fix for Rx stall during OOM and network stress
        net: phy: Fix PHY module checks and NULL deref in phy_attach_direct()
        net: thunderx: Fix PHY autoneg for SGMII QLM mode
        net: dsa: Do not destroy invalid network devices
        ping: fix a null pointer dereference
        packet: round up linear to header len
        net: introduce device min_header_len
        sit: fix a double free on error path
        lwtunnel: valid encap attr check should return 0 when lwtunnel is disabled
        ipv6: addrconf: fix generation of new temporary addresses
      1ee18329
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · a9dbf5c8
      Linus Torvalds 提交于
      Pull rdma fixes from Doug Ledford:
       "Third round of -rc fixes for 4.10 kernel:
      
         - two security related issues in the rxe driver
      
         - one compile issue in the RDMA uapi header"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
        RDMA: Don't reference kernel private header from UAPI header
        IB/rxe: Fix mem_check_range integer overflow
        IB/rxe: Fix resid update
      a9dbf5c8
    • L
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · aca9fa0c
      Linus Torvalds 提交于
      Pull i2c bugfixes from Wolfram Sang:
       "Two bugfixes (proper IO mapping and use of mutex) for a driver feature
        we introduced in this cycle"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: piix4: Request the SMBUS semaphore inside the mutex
        i2c: piix4: Fix request_region size
      aca9fa0c
    • L
      Merge tag 'mmc-v4.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · fc6f41ba
      Linus Torvalds 提交于
      Pull MMC host fix from Ulf Hansson:
       "mmci: Fix hang while waiting for busy-end interrupt"
      
      * tag 'mmc-v4.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: mmci: avoid clearing ST Micro busy end interrupt mistakenly
      fc6f41ba
    • L
      Merge tag 'sound-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 1f369d16
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "Here are some last-minute fixes: two fixes for races in ALSA sequencer
        queue spotted by syzkaller, a revert for a regression of LINE6 driver
        (since 4.9), and a trivial new codec ID addition for Nvidia HDMI"
      
      * tag 'sound-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - adding a new NV HDMI/DP codec ID in the driver
        ALSA: seq: Fix race at creating a queue
        Revert "ALSA: line6: Only determine control port properties if needed"
        ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
      1f369d16
    • L
      Merge tag 'nfsd-4.10-3' of git://linux-nfs.org/~bfields/linux · 7fe654dc
      Linus Torvalds 提交于
      Pull nfsd revert from Bruce Fields:
       "This patch turned out to have a couple problems. The problems are
        fixable, but at least one of the fixes is a little ugly. The original
        bug has always been there, so we can wait another week or two to get
        this right"
      
      * tag 'nfsd-4.10-3' of git://linux-nfs.org/~bfields/linux:
        nfsd: Revert "nfsd: special case truncates some more"
      7fe654dc
    • L
      Merge tag 'powerpc-4.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 3ebc7033
      Linus Torvalds 提交于
      Pull powerpc fixes friom Michael Ellerman:
       "Apologies for the late pull request, but Ben has been busy finding bugs.
      
         - Userspace was semi-randomly segfaulting on radix due to us
           incorrectly handling a fault triggered by autonuma, caused by a
           patch we merged earlier in v4.10 to prevent the kernel executing
           userspace.
      
         - We weren't marking host IPIs properly for KVM in the OPAL ICP
           backend.
      
         - The ERAT flushing on radix was missing an isync and was incorrectly
           marked as DD1 only.
      
         - The powernv CPU hotplug code was missing a wakeup type and failing
           to flush the interrupt correctly when using OPAL ICP
      
        Thanks to Benjamin Herrenschmidt"
      
      * tag 'powerpc-4.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/powernv: Properly set "host-ipi" on IPIs
        powerpc/powernv: Fix CPU hotplug to handle waking on HVI
        powerpc/mm/radix: Update ERAT flushes when invalidating TLB
        powerpc/mm: Fix spurrious segfaults on radix with autonuma
      3ebc7033
    • E
      l2tp: do not use udp_ioctl() · 72fb96e7
      Eric Dumazet 提交于
      udp_ioctl(), as its name suggests, is used by UDP protocols,
      but is also used by L2TP :(
      
      L2TP should use its own handler, because it really does not
      look the same.
      
      SIOCINQ for instance should not assume UDP checksum or headers.
      
      Thanks to Andrey and syzkaller team for providing the report
      and a nice reproducer.
      
      While crashes only happen on recent kernels (after commit
      7c13f97f ("udp: do fwd memory scheduling on dequeue")), this
      probably needs to be backported to older kernels.
      
      Fixes: 7c13f97f ("udp: do fwd memory scheduling on dequeue")
      Fixes: 85584672 ("udp: Fix udp_poll() and ioctl()")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Acked-by: NPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      72fb96e7
    • C
      Merge branch 'for-chris' of... · f3c7bfbd
      Chris Mason 提交于
      Merge branch 'for-chris' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.10
      f3c7bfbd
    • B
      xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend() · 74470954
      Boris Ostrovsky 提交于
      rx_refill_timer should be deleted as soon as we disconnect from the
      backend since otherwise it is possible for the timer to go off before
      we get to xennet_destroy_queues(). If this happens we may dereference
      queue->rx.sring which is set to NULL in xennet_disconnect_backend().
      Signed-off-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      CC: stable@vger.kernel.org
      Reviewed-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      74470954
    • R
      NET: mkiss: Fix panic · 7ba1b689
      Ralf Baechle 提交于
      If a USB-to-serial adapter is unplugged, the driver re-initializes, with
      dev->hard_header_len and dev->addr_len set to zero, instead of the correct
      values.  If then a packet is sent through the half-dead interface, the
      kernel will panic due to running out of headroom in the skb when pushing
      for the AX.25 headers resulting in this panic:
      
      [<c0595468>] (skb_panic) from [<c0401f70>] (skb_push+0x4c/0x50)
      [<c0401f70>] (skb_push) from [<bf0bdad4>] (ax25_hard_header+0x34/0xf4 [ax25])
      [<bf0bdad4>] (ax25_hard_header [ax25]) from [<bf0d05d4>] (ax_header+0x38/0x40 [mkiss])
      [<bf0d05d4>] (ax_header [mkiss]) from [<c041b584>] (neigh_compat_output+0x8c/0xd8)
      [<c041b584>] (neigh_compat_output) from [<c043e7a8>] (ip_finish_output+0x2a0/0x914)
      [<c043e7a8>] (ip_finish_output) from [<c043f948>] (ip_output+0xd8/0xf0)
      [<c043f948>] (ip_output) from [<c043f04c>] (ip_local_out_sk+0x44/0x48)
      
      This patch makes mkiss behave like the 6pack driver. 6pack does not
      panic.  In 6pack.c sp_setup() (same function name here) the values for
      dev->hard_header_len and dev->addr_len are set to the same values as in
      my mkiss patch.
      
      [ralf@linux-mips.org: Massages original submission to conform to the usual
      standards for patch submissions.]
      Signed-off-by: NThomas Osterried <thomas@osterried.de>
      Signed-off-by: NRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7ba1b689
    • K
      net: hns: Fix the device being used for dma mapping during TX · b85ea006
      Kejian Yan 提交于
      This patch fixes the device being used to DMA map skb->data.
      Erroneous device assignment causes the crash when SMMU is enabled.
      This happens during TX since buffer gets DMA mapped with device
      correspondign to net_device and gets unmapped using the device
      related to DSAF.
      Signed-off-by: NKejian Yan <yankejian@huawei.com>
      Reviewed-by: NYisen Zhuang <yisen.zhuang@huawei.com>
      Signed-off-by: NSalil Mehta <salil.mehta@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b85ea006
  5. 10 2月, 2017 16 次提交